访问控制列表（ACL）的基本服务安全应用！

<Quidway>system-view 三层交换机 HUAWEI Quidway S3526E

[Quidway]acl number 2002

[Quidway-acl-basic-2002]rule 5 permit source 192.168.101.99 0

[Quidway-acl-basic-2002]rule 10 deny source any

[Quidway-acl-basic-2002]quit

[Quidway]user-interface vty 0 4

[Quidway-ui-vty0-4]acl 2002 inbound

[Quidway]dis acl config all

Basic ACL 2002, 2 rules,

rule 10 deny (0 times matched)

rule 5 permit source 192.168.101.99 0 (0 times matched)

telnet两次

[Quidway]dis acl config all

Basic ACL 2002, 2 rules,

rule 10 deny (2 times matched)

rule 5 permit source 192.168.101.99 0 (0 times matched)

(注意：display cu 时如果看到的也是 deny在前，permit在后，要调整下先后顺序)

[Quidway]dis acl config all

Basic ACL 2002, 2 rules,

rule 5 permit source 192.168.101.99 0 (2 times matched)

rule 10 deny (2 times matched)

两次测试

[Quidway]local-user gjp

New local user added.

[Quidway-luser-gjp]password simple 123

[Quidway-luser-gjp]service-type ssh level 3

[Quidway]ssh user gjp authentication-type password

[Quidway]rsa local-key-pair create

The key name will be: Quidway_Host

% RSA keys defined for Quidway_Host already exist.

Confirm to replace them? [yes/no]:y

[Quidway]user-interface vty 0 4

[Quidway-ui-vty0-4]protocol inbound all

[Quidway]dis acl config all

rule 5 permit source 192.168.101.99 0 (5 times matched)

访问列表匹配项会再增 1

< SW1 >dir //二层交换机 HUAWEI Quidway S2000 Serials

Directory of unit1&gt;flash:/

1 (*) -rw- 4274300 Jun 24 2006 14:25:26 s2000hi-vrp310-r0008.bin

2 (*) -rw- 800571 Jan 01 2004 00:00:00 hw-http3.1.5-0041.web

3 (*) -rw- 1195 Apr 02 2000 01:41:54 f.cfg

4 -rw- 616 Apr 02 2000 02:30:39 f1.txt

7239 KB total (2274 KB free)

(*) -with main attribute (b) -with backup attribute

(*b) -with both main and backup attribute

[SW1]time-range wt 08:30 to 12:00 daily //一星期中的每一天

[SW1]time-range wt 14:00 to 18:00 daily

[SW1]dis time-range all

Current time is 00:00:26 Apr/2/2000 Sunday

Time-range : wt ( Inactive )

08:30 to 12:00 daily

14:00 to 18:00 daily

[SW1]dis clock

00:00:44 UTC Sun 04/02/2000

Time Zone : add 00:00:00

<SW1>clock datetime 17:27:00 08/07/2012 //注意模式

<SW1>dis clock

17:27:05 UTC Tue 08/07/2012

Time Zone : add 00:00:00

<SW1>dis time-range all

Current time is 17:27:29 Aug/7/2012 Tuesday

Time-range : wt ( Active )

08:30 to 12:00 daily

14:00 to 18:00 daily

[SW1]acl number 2000 后面可以选择深度优先（auto）或配置优先（conf）

[SW1-acl-basic-2000]rule 10 permit source 192.168.101.99 0 time-range wt //代表一台主机

[SW1-acl-basic-2000]rule 20 deny source any

[SW1-acl-basic-2000]quit

[SW1]dis acl all

Total ACL Number: 1

Basic ACL 2000, 2 rules

Acl's step is 1

rule 10 permit source 192.168.101.99 0 time-range wt(0 times matched) (Active)

rule 20 deny (0 times matched)

[SW1]dis tcp status

*: TCP MD5 Connection

TCPCB Local Add:port Foreign Add:port State

81dd54d4 0.0.0.0:22 0.0.0.0:0 Listening

81dd52c4 0.0.0.0:23 0.0.0.0:0 Listening

81de3bd4 0.0.0.0:80 0.0.0.0:0 Listening

[SW1]ip http acl 2000 //应用

[SW1]dis acl all

Total ACL Number: 1

Basic ACL 2000, 2 rules

Acl's step is 1

rule 10 permit source 192.168.101.99 0 time-range wt(44 times matched) (Active)

rule 20 deny (0 times matched)

虚拟机xp测试如下：

[SW1]dis acl all

Total ACL Number: 1

Basic ACL 2000, 2 rules

Acl's step is 1

rule 10 permit source 192.168.101.99 0 time-range wt(44 times matched) (Inactive)

rule 20 deny (3 times matched)

[SW1]dis clock

18:05:06 UTC Tue 08/07/2012 //时间不在我们设置的上班时间内

Time Zone : add 00:00:00

所允许的主机也不能正常工作！

<SW1>clock datetime 17:30:00 08/07/2012

本文转自 gjp0731 51CTO博客，原文链接:http://blog.51cto.com/guojiping/957472