实验名称:华为ACL远程拒绝访问演示
实验需求:R5不能远程访问R6,但是可以ping通R6
实验拓扑:
配置思路:
- R5设置ip地址为192.168.12.1 24,R6设置ip地址为192.168.12.2 24
- 在R6设置ACL模式,拒绝R5远程访问R6条目,在R6的对应端口设置流向为拒绝R5进入
- 在R6设置远程登录密码
验证:在R5的用户模式下远程访问R6
PingR6
display acl {id/name/all} (查看ACL信息)
配置命令:
R5
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R5
[R5]int gi 0/0/0
[R5-GigabitEthernet0/0/0]undo shu
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R5-GigabitEthernet0/0/0]ip add 192.168.12.1 24
Dec 14 2017 12:19:01-08:00 R1 %%01IFNET/4/LINKSTATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[R5-GigabitEthernet0/0/0]q
[R5]q
<R5>
<R5>telnet 192.168.12.2 (远程验证R6)
Press CTRL] to quit telnet mode
Trying 192.168.12.2 ...
Error: Can't connect to the remote host (拒绝主机访问)
<R5>ping 192.168.12.2 (ping通R6)
PING 192.168.12.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.12.2: bytes=56 Sequence=1 ttl=255 time=60 ms
Reply from 192.168.12.2: bytes=56 Sequence=2 ttl=255 time=70 ms
Reply from 192.168.12.2: bytes=56 Sequence=3 ttl=255 time=40 ms
Reply from 192.168.12.2: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 192.168.12.2: bytes=56 Sequence=5 ttl=255 time=20 ms
R6
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R6
[R6]acl name deny-telnet (设置ACL名称为拒绝远程)
[R6-acl-adv-deny-telnet]rule deny tcp source 192.168.12.1 0 destination 192.168.
12.2 0 destination-port eq 23 (拒绝源ipR5的地址通配符源主机位随机高端端口不需要写与目标ipR6的地址通配符对应端口号必须写)
[R6-acl-adv-deny-telnet]q
[R6]int gi0/0/0
[R6-GigabitEthernet0/0/0]undo shu
Info: Interface GigabitEthernet0/0/0 is not shutdown.
[R6-GigabitEthernet0/0/0]ip address 192.168.12.2 24
Dec 14 2017 12:20:38-08:00 R2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[R6-GigabitEthernet0/0/0]traffic-filter inbound acl 3999 (在gi/0/0/0端口设置拒绝进入流量)
[R6-GigabitEthernet0/0/0]q
本文转自 linuxpp 51CTO博客,原文链接:http://blog.51cto.com/13505118/2050583,如需转载请自行联系原作者