实验二十八：高级的ACL包过滤

1、实验二十八：高级的ACL包过滤一、理论基础高级的ACL包过滤提供了更广阔的控制范围,这种扩展后的特性给了网络管理员更大的灵活性，可以灵活多变的设计ACL的测试条件。高级的ACL和基本的ACL之间的区别：1、基本的ACL只能根据数据包的源地址进行访问控制；2、高级的ACL却可以利用更多的信息，如目的地址，协议号等，对于TCP/UDP数据包,还可以根据端口号，对于ICMP包，则还可以根据ICMP报文类型进行访问控制。二、实验案例高级ACL包过滤的配置1、实验拓扑结构图：2、配置说明：Switch的E0/4一-PC1Switch的E0/8PC2Switch的E0/14PC3给QUIDWAYS3500

2、三层交换机做简单的配置:创建三个VLAN,即VLAN2,VLAN3,VLAN4,再分别给各个VLAN加个管理地址为：IP:192.168.1.1IP:192.168.2.1IP:192.168.3.1并且把子网掩码：255.255.255.0子网掩码：255.255.255.0子网掩码：255.255.255.0网关：192.168.1.1网关：192.168.2.1网关：192.168.3.1E0/1-E0/5加到VLAN2,PC1:192.168.1.15/24E0/6-E0/10加到VLAN3,PC2:192.168.2.15/24E0/11-E0/15加到VLAN4,PC3:192.1

3、68.3.15/243、具体配置:实验一：Quidwayvlan2Quidway-vlan2porteO/1toeO/5Quidway-vlan2quitQuidwayintvlan2Quidway-Vlan-interface2ipaddress192.168.1.1255.255.255.0Quidwayvlan3Quidway-vlan3porte0/6toe0/10Quidway-vlan3quitQuidwayintvlan3Quidway-Vlan-interface3ipaddress192.168.2.1255.255.255.0Quidwayvlan4Quidway-vlan

4、4porte0/11toe0/15Quidway-vlan4quitQuidwayintvlan4Quidway-Vlan-interface4ipaddress192.168.3.1255.255.255.0此时,PC1,PC2,PC3能够互相PING通.QuidwayaclnamesunkeadvancedQuidway-acl-adv-sunkerule10denyipsource192.168.3.150destination192.168.2.150Quidway-acl-adv-sunkeinte0/14Quidway-Ethernet0/14packet-filterinboun

5、dip-groupsunkeQuidway-Ethernet0/14quitQuidwaydiscursysnameQuidwayradiusschemesystemserver-typehuaweiprimaryauthentication127.0.0.11645primaryaccounting127.0.0.11646user-name-formatwithout-domaindomainsystemradius-schemesystemaccess-limitdisablestateactiveidle-cutdisableself-service-urldisablemesseng

6、ertimedisabledomaindefaultenablesystemlocal-servernas-ip127.0.0.1keyhuaweitemperature-limit02080aclnamesunkeadvancedrule10denyipsource192.168.3.150destination192.168.2.150vlan1vlan2vlan3vlan4interfaceVlan-interface2ipaddress192.168.1.1255.255.255.0interfaceVlan-interface3ipaddress192.168.2.1255.255.

7、255.0interfaceVlan-interface4ipaddress192.168.3.1255.255.255.0interfaceAux0/0interfaceEthernet0/1portaccessvlan2interfaceEthernet0/2portaccessvlan2interfaceEthernet0/3portaccessvlan2interfaceEthernet0/4portaccessvlan2interfaceEthernet0/5portaccessvlan2interfaceEthernet0/6portaccessvlan3interfaceEthe

8、rnet0/7portaccessvlan3interfaceEthernet0/8portaccessvlan3interfaceEthernet0/9portaccessvlan3interfaceEthernet0/10portaccessvlan3interfaceEthernet0/11portaccessvlan4interfaceEthernet0/12portaccessvlan4interfaceEthernet0/13portaccessvlan4interfaceEthernet0/14portaccessvlan4packetfilterinboundip-groups

9、unkerule10interfaceEthernet0/15portaccessvlan4interfaceEthernet0/16interfaceEthernet0/17interfaceEthernet0/18interfaceEthernetO/19interfaceEthernetO/20interfaceEthernetO/21interfaceEthernetO/22interfaceEthernetO/23interfaceEthernetO/24interfaceGigabitEthernetl/1interfaceGigabitEthernetl/2interfaceGi

10、gabitEthernetl/3interfaceGigabitEthernetl/4interfaceNULLOuser-interfaceaux0user-interfacevty04Return在交换机上使用高级ACL包过滤，下图可以看出，从PC3PingPC2的测试变化情况。岚3-Pspiyfrom192.168.2.15：bytes=32timelmsTTL=12?3ftepiyfpom192.168.2.15：bytes=32timelmsTTL=127from192.168.2.15：bytes=32timelmsTTL=127fieplyfpom192.168.2.15：byt

11、es=32timelmsTTL=127fieplyfrom192.168.2.15：bytes=32timelmsTTL=127from192.168.2.15：bytes=32timelmsTTL=127ftepiyfpom192.168.2.15：bytes=32timelmsTTL=127from192.168.2.15：bytes=32timelmsTTL=127fieplyfpom192.168.2.15：bytes=32timelmsTTL=127fieplyfrom192.168.2.15：bytes=32timelmsTTL=127from192.168.2.15：bytes=

12、32timelmsTTL=127ftepiyfpom192.168.2.15：bytes=32timelmsTTL=127from192.168.2.15：bytes=32timelmsTTL=127fieplyfpom192.168.2.15：bytes=32timelmsTTL=127fieplyfrom192.168.2.15：bytes=32timelmsTTL=127from192.168.2.15：bytes=32timelmsTTL=127ftepiyfpom192.168.2.15：bytes=32timelmsTTL=127Peplyfrom192.168.2.15：byte

13、s=32timelmsTTL=127Pepiyfpom192.168.2.15：bytes=32timelmsTTL=127Requesttimedout-Requesttimedout.Ftequesttimedout.实验二outITS灵配置创院长办公至：PC1的IP地址：192.168.1.2接父换机S3552的E0/4接口系部：PC2的IP地址:192.168.2.2接交换机S3552的E0/8接口财务部：PC3的IP地址：192.168.3.2接交换机S3552的E0/14接口具体配置：Quidwayclockdatetime19:20:202006/01/07Quidwaydist

14、imeallCurrenttimeis19:21:361-6-2006FridayQuidwaytime-rangesunke8:00to17:00satworking-day当当前时间不属于这个时间段时，可以通过图看出前后的测试变化）QuidwayaclnamesunkeadvancedQuidway-acl-adv-sunkerule1denyipsource192.168.2.20destination192.168.3.20time-rangesunkeQuidway-acl-adv-sunkerule2permitipsource192.168.1.20destination192.

15、168.3.20Quidway-acl-adv-sunkeinte0/8Quidway-Ethernet0/8packet-filterinboundip-groupsunkeQuidway-Ethernet0/8inte0/4Quidway-Ethernet0/4packet-filterinboundip-groupsunkediscursysnameQuidwayradiusschemesystemservertypehuaweiprimaryauthentication127.0.0.11645primaryaccounting127.0.0.11646user-name-format

16、withoutdomaindomainsystemradius-schemesystemaccess-limitdisablestateactiveidle-cutdisableself-service-urldisablemessengertimedisabledomaindefaultenablesystemlocal-servernas-ip127.0.0.1keyhuaweitemperature-limit02080time-rangesunke08:00to20:00Sataclnamesunkeadvancedrule1denyipsource192.168.2.20destin

17、ation192.168.3.20time-rangesunkerule2permitipsource192.168.1.20destination192.168.3.20vlan1vlan2vlan3vlan4interfaceVlan-interface2ipaddress192.168.1.1255.255.255.0interfaceVlan-interface3ipaddress192.168.2.1255.255.255.0interfaceVlan-interface4ipaddress192.168.3.1255.255.255.0interfaceAux0/0interfac

18、eEthernet0/1portaccessvlan2interfaceEthernetO/2portaccessvlan2interfaceEthernetO/3portaccessvlan2interfaceEthernetO/4portaccessvlan2packetfilterinboundip-groupsunkerule1packet-filterinboundip-groupsunkerule2interfaceEthernetO/5portaccessvlan2interfaceEthernetO/6portaccessvlan3interfaceEthernetO/7portaccessvlan3interfaceEthernetO/8portaccessvlan3packet-filterinboundip-groupsunkerule1packet-filterinboundip-groupsunkerule2interfaceEthernetO/9portaccessvlan3interfaceEthernetO/10portaccessvlan3interfaceEthernet0/Ilportaccessvlan4interfaceEthernet0/12portaccessvlan4interfaceE