Experiment 28: Advanced ACL Packet Filtering

1. Theoretical background

Advanced ACL packet filtering offers a much wider range of control than basic filtering. The extra match fields give the network administrator more flexibility in designing the test conditions of an ACL. The differences between a basic ACL and an advanced ACL are:

1. A basic ACL can control access only by the source address of the packet.
2. An advanced ACL can use more information: the destination address and the protocol number; for TCP/UDP packets it can also match the port numbers, and for ICMP packets the ICMP message type.

2. Lab case: configuring advanced ACL packet filtering

2.1 Lab topology diagram

(figure not reproduced in the text)

2.2 Configuration description

Switch E0/4  <-> PC1
Switch E0/8  <-> PC2
Switch E0/14 <-> PC3

Basic configuration of the Quidway S3500 layer-3 switch: create three VLANs (VLAN 2, VLAN 3 and VLAN 4), give each a management address, and assign the ports:

VLAN 2: ports E0/1 to E0/5,   interface address 192.168.1.1, mask 255.255.255.0; PC1 192.168.1.15/24, gateway 192.168.1.1
VLAN 3: ports E0/6 to E0/10,  interface address 192.168.2.1, mask 255.255.255.0; PC2 192.168.2.15/24, gateway 192.168.2.1
VLAN 4: ports E0/11 to E0/15, interface address 192.168.3.1, mask 255.255.255.0; PC3 192.168.3.15/24, gateway 192.168.3.1

2.3 Configuration

Experiment 1

    [Quidway] vlan 2
    [Quidway-vlan2] port e0/1 to e0/5
    [Quidway-vlan2] quit
    [Quidway] int vlan 2
    [Quidway-Vlan-interface2] ip address 192.168.1.1 255.255.255.0
    [Quidway] vlan 3
    [Quidway-vlan3] port e0/6 to e0/10
    [Quidway-vlan3] quit
    [Quidway] int vlan 3
    [Quidway-Vlan-interface3] ip address 192.168.2.1 255.255.255.0
    [Quidway] vlan 4
    [Quidway-vlan4] port e0/11 to e0/15
    [Quidway-vlan4] quit
    [Quidway] int vlan 4
    [Quidway-Vlan-interface4] ip address 192.168.3.1 255.255.255.0

At this point PC1, PC2 and PC3 can all ping each other.

    [Quidway] acl name sunke advanced
    [Quidway-acl-adv-sunke] rule 10 deny ip source 192.168.3.15 0 destination 192.168.2.15 0
    [Quidway-acl-adv-sunke] int e0/14
    [Quidway-Ethernet0/14] packet-filter inbound ip-group sunke
    [Quidway-Ethernet0/14] quit
    [Quidway] dis cur

Rule 10 matches every IP packet, whatever the protocol, from exactly 192.168.3.15 to exactly 192.168.2.15: the 0 after each address is the wildcard mask, and an all-zero wildcard means an exact host. The filter is applied inbound on E0/14, i.e. to what PC3 sends into the switch; traffic the switch forwards out to PC3 is not inspected by it.

Running configuration after the change:

    sysname Quidway
    radius scheme system
     server-type huawei
     primary authentication 127.0.0.1 1645
     primary accounting 127.0.0.1 1646
     user-name-format without-domain
    domain system
     radius-scheme system
     access-limit disable
     state active
     idle-cut disable
     self-service-url disable
     messenger time disable
    domain default enable system
    local-server nas-ip 127.0.0.1 key huawei
    temperature-limit 0 20 80
    acl name sunke advanced
     rule 10 deny ip source 192.168.3.15 0 destination 192.168.2.15 0
    vlan 1
    vlan 2
    vlan 3
    vlan 4
    interface Vlan-interface2
     ip address 192.168.1.1 255.255.255.0
    interface Vlan-interface3
     ip address 192.168.2.1 255.255.255.0
    interface Vlan-interface4
     ip address 192.168.3.1 255.255.255.0
    interface Aux0/0
    interface Ethernet0/1
     port access vlan 2
    interface Ethernet0/2
     port access vlan 2
    interface Ethernet0/3
     port access vlan 2
    interface Ethernet0/4
     port access vlan 2
    interface Ethernet0/5
     port access vlan 2
    interface Ethernet0/6
     port access vlan 3
    interface Ethernet0/7
     port access vlan 3
    interface Ethernet0/8
     port access vlan 3
    interface Ethernet0/9
     port access vlan 3
    interface Ethernet0/10
     port access vlan 3
    interface Ethernet0/11
     port access vlan 4
    interface Ethernet0/12
     port access vlan 4
    interface Ethernet0/13
     port access vlan 4
    interface Ethernet0/14
     port access vlan 4
     packet-filter inbound ip-group sunke rule 10
    interface Ethernet0/15
     port access vlan 4
    interface Ethernet0/16
    interface Ethernet0/17
    interface Ethernet0/18
    interface Ethernet0/19
    interface Ethernet0/20
    interface Ethernet0/21
    interface Ethernet0/22
    interface Ethernet0/23
    interface Ethernet0/24
    interface GigabitEthernet1/1
    interface GigabitEthernet1/2
    interface GigabitEthernet1/3
    interface GigabitEthernet1/4
    interface NULL0
    user-interface aux 0
    user-interface vty 0 4
    return

With the advanced ACL packet filter applied on the switch, the figure (not reproduced here) shows how the ping test from PC3 to PC2 changes. A ping started from PC2 fails as well: PC2's echo request reaches PC3, but PC3's echo reply has source 192.168.3.15 and destination 192.168.2.15, so rule 10 drops it on E0/14 too. A deny on a host pair cuts both directions of any conversation whose replies carry that pair.

Experiment 2

Configuration description:

Dean's office:      PC1, IP 192.168.1.2, connected to port E0/4 of switch S3552
Department office:  PC2, IP 192.168.2.2, connected to port E0/8 of switch S3552
Finance department: PC3, IP 192.168.3.2, connected to port E0/14 of switch S3552

Configuration:

    <Quidway> clock datetime 19:20:20 2006/01/07
    <Quidway> dis time all
    Current time is 19:21:36 1-6-2006 Friday
    [Quidway] time-range sunke 8:00 to 17:00 sat working-day

(When the current time falls outside this range, the before/after change in the test can be seen in the figure.) A rule bound to a time range is enforced only while the range is active, and the switch decides that from its own clock, so check the clock, as done above with dis time, before trusting a time-based deny.

    [Quidway] acl name sunke advanced
    [Quidway-acl-adv-sunke] rule 1 deny ip source 192.168.2.2 0 destination 192.168.3.2 0 time-range sunke
    [Quidway-acl-adv-sunke] rule 2 permit ip source 192.168.1.2 0 destination 192.168.3.2 0
    [Quidway-acl-adv-sunke] int e0/8
    [Quidway-Ethernet0/8] packet-filter inbound ip-group sunke
    [Quidway-Ethernet0/8] int e0/4
    [Quidway-Ethernet0/4] packet-filter inbound ip-group sunke
    <Quidway> dis cur

Rule 1 blocks the department PC (PC2) from reaching the finance PC (PC3) during the sunke time range; outside it the rule is inactive and PC2 reaches PC3 normally. Rule 2 explicitly permits the dean's office PC (PC1) to reach PC3. A packet that matches no rule is handled by the switch's default action for packet filters, which is platform-specific; verify it with a ping between a pair of hosts that no rule names before relying on it.

Running configuration after the change:

    sysname Quidway
    radius scheme system
     server-type huawei
     primary authentication 127.0.0.1 1645
     primary accounting 127.0.0.1 1646
     user-name-format without-domain
    domain system
     radius-scheme system
     access-limit disable
     state active
     idle-cut disable
     self-service-url disable
     messenger time disable
    domain default enable system
    local-server nas-ip 127.0.0.1 key huawei
    temperature-limit 0 20 80
    time-range sunke 08:00 to 20:00 Sat
    acl name sunke advanced
     rule 1 deny ip source 192.168.2.2 0 destination 192.168.3.2 0 time-range sunke
     rule 2 permit ip source 192.168.1.2 0 destination 192.168.3.2 0
    vlan 1
    vlan 2
    vlan 3
    vlan 4
    interface Vlan-interface2
     ip address 192.168.1.1 255.255.255.0
    interface Vlan-interface3
     ip address 192.168.2.1 255.255.255.0
    interface Vlan-interface4
     ip address 192.168.3.1 255.255.255.0
    interface Aux0/0
    interface Ethernet0/1
     port access vlan 2
    interface Ethernet0/2
     port access vlan 2
    interface Ethernet0/3
     port access vlan 2
    interface Ethernet0/4
     port access vlan 2
     packet-filter inbound ip-group sunke rule 1
     packet-filter inbound ip-group sunke rule 2
    interface Ethernet0/5
     port access vlan 2
    interface Ethernet0/6
     port access vlan 3
    interface Ethernet0/7
     port access vlan 3
    interface Ethernet0/8
     port access vlan 3
     packet-filter inbound ip-group sunke rule 1
     packet-filter inbound ip-group sunke rule 2
    interface Ethernet0/9
     port access vlan 3
    interface Ethernet0/10
     port access vlan 3
    interface Ethernet0/11
     port access vlan 4
    interface Ethernet0/12
     port access vlan 4
    interface Ethernet0/13
     port access vlan 4
    interface Ethernet0/14
     port access vlan 4
    interface Ethernet0/15
     port access vl

[The text ends here; the remaining pages of the handout are not included in this preview.]

Note that the time range recorded in the running configuration (08:00 to 20:00 Sat) differs from the command typed above; what the switch actually enforces is what display current-configuration shows, so always read it back after configuring a time range.
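The matching logic that both experiments rely on (wildcard masks, lowest-numbered matching rule wins, a rule whose time range is inactive is skipped), as an added example for this page in Python; it is not code from the handout and not Huawei software. It models the basic-versus-advanced distinction from section 1 and replays the host pairs of experiments 1 and 2 on the handout's clock (dis time reported Friday 1-6-2006 19:21:36). The time window follows the command as typed (8:00 to 17:00, Saturday plus working days); the Rule and TimeRange classes, the constructed ICMP packets and the choice to return None when no rule matches are assumptions of the model, not documented switch behaviour.

```python
"""Model of basic-vs-advanced ACL matching for the lab's two experiments.
Added example for this page, not code from the handout or from Huawei:
addresses, rule numbers and the time window are the handout's; the data
classes, constructed packets and None for 'no rule matched' are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional

WORKING_DAYS = frozenset({0, 1, 2, 3, 4})           # Mon..Fri, Comware 'working-day'
# Constructed instants on the handout's clock (dis time: Friday 1-6-2006 19:21:36).
FRIDAY_EVENING = datetime(2006, 1, 6, 19, 21, 36)   # working day, outside 8:00-17:00
FRIDAY_MORNING = datetime(2006, 1, 6, 10, 0, 0)     # working day, inside the window
SUNDAY_MORNING = datetime(2006, 1, 8, 10, 0, 0)     # off-day: the window never applies


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware 'source BASE WILDCARD': a set bit in WILDCARD is don't-care.
    The handout's bare '0' is the short form of 0.0.0.0, i.e. an exact host."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class TimeRange:
    start: time
    end: time
    days: frozenset                      # weekday numbers, Monday == 0

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                          # 'permit' or 'deny'
    src: str
    src_wc: str = "0"
    # Everything below is what only an advanced ACL can test.
    dst: Optional[str] = None
    dst_wc: str = "0"
    proto: str = "ip"                    # 'ip' matches every IP packet
    dport: Optional[int] = None          # tcp/udp only
    icmp_type: Optional[int] = None      # icmp only
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: dict, now: datetime) -> bool:
        if self.time_range and not self.time_range.active(now):
            return False                 # inactive time range: rule has no effect
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if self.dst and not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return self.icmp_type is None or pkt.get("icmp_type") == self.icmp_type


def evaluate(rules, pkt: dict, now: datetime = FRIDAY_EVENING):
    """Lowest-numbered matching rule decides. None: no rule matched, so the
    switch's default action applies (the handout's results presuppose permit)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt, now):
            return rule.action
    return None


def icmp(src: str, dst: str, icmp_type: int) -> dict:
    """Constructed ICMP packet; type 8 is echo request, 0 is echo reply."""
    return {"src": src, "dst": dst, "proto": "icmp", "icmp_type": icmp_type}


def experiment1() -> dict:
    """Handout: rule 10 deny ip 192.168.3.15 -> 192.168.2.15, inbound on E0/14 (PC3)."""
    advanced = [Rule(10, "deny", "192.168.3.15", dst="192.168.2.15")]
    basic = [Rule(10, "deny", "192.168.3.15")]          # all a basic ACL could express
    pc3, pc2, pc1 = "192.168.3.15", "192.168.2.15", "192.168.1.15"
    return {
        # PC3 pings PC2: the echo request is dropped on ingress at E0/14.
        "pc3_ping_pc2": evaluate(advanced, icmp(pc3, pc2, 8)),
        # PC2 pings PC3: the request arrives, but PC3's echo reply carries the
        # denied src/dst pair and is dropped too, so that ping fails as well.
        "pc3_reply_to_pc2": evaluate(advanced, icmp(pc3, pc2, 0)),
        # The advanced ACL leaves PC3 -> PC1 alone; a basic ACL could not.
        "pc3_ping_pc1_advanced": evaluate(advanced, icmp(pc3, pc1, 8)),
        "pc3_ping_pc1_basic": evaluate(basic, icmp(pc3, pc1, 8)),
    }


def experiment2(now: datetime) -> dict:
    """Handout: time-range sunke 8:00 to 17:00 sat working-day (as typed);
    rule 1 denies PC2 -> PC3 while the range is active, rule 2 permits PC1 -> PC3."""
    sunke = TimeRange(time(8, 0), time(17, 0), WORKING_DAYS | {5})   # 5 == Saturday
    rules = [
        Rule(1, "deny", "192.168.2.2", dst="192.168.3.2", time_range=sunke),
        Rule(2, "permit", "192.168.1.2", dst="192.168.3.2"),
    ]
    return {
        "pc2_ping_pc3": evaluate(rules, icmp("192.168.2.2", "192.168.3.2", 8), now),
        "pc1_ping_pc3": evaluate(rules, icmp("192.168.1.2", "192.168.3.2", 8), now),
    }
```

Evaluating experiment2 at the handout's Friday 19:21 clock returns None for PC2 -> PC3, i.e. the deny is not in effect and the ping succeeds, while at 10:00 on the same day it returns "deny"; on a Sunday it returns None regardless of the hour. experiment1 shows the point the advanced ACL exists for: a basic rule that can test only the source would cut PC3 off from PC1 as well, and it also makes visible why a ping started from PC2 breaks, since the reply from PC3 matches the same deny.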
