ACL 基本擴展
1.實驗拓撲:
使用ENSP模擬器(版本V100R002C00 1.2.00.350)
2.實驗需求
1:給R1做一個dhcp地址池
2:做基本的和擴展的NAT
3:用vm8綁在2008上
3.實驗配置
給網卡設ip
基本
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 192.168.10.1 24
[Huawei-GigabitEthernet0/0/1]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.20.1 24
[Huawei]dhcp enable 做地址池
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]dhcp select interface 放入0/0/1接口
2008收到地址
Huawei]acl 2014
[Huawei-acl-basic-2014]rule deny source 192.168.10.252 0 讓10.252不能上
[Huawei-acl-basic-2014]rule permit source any
dis this
[Huawei-acl-basic-2014]rule 6 deny source 192.168.10.253 0 中間添加一個6
[Huawei-acl-basic-2014]dis this
Huawei-acl-basic-2014]undo rule 6 直接加上6就能刪了
[Huawei-acl-basic-2014]dis this
[Huawei-acl-basic-2014]int g0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-filter outbound acl 2014
[Huawei-GigabitEthernet0/0/0]display acl all
[Huawei-GigabitEthernet0/0/0]un traffic-filter outbound
q
擴展
[Huawei]undo acl 2014
[Huawei]acl 3014
[Huawei-acl-adv-3014]rule deny tcp source 192.168.10.0 0.0.0.255 destination 192.168.20.8 0 destination-port eq 80 10.0網段不能通過20.8獲取www
[Huawei-acl-adv-3014]rule permit ip source any destination any
Huawei-acl-adv-3014]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3014
[Huawei-GigabitEthernet0/0/1]dis acl all
配置時間
[Huawei]time-range work 8:00 to 11:30 working-day 建立時間組
[Huawei-acl-adv-3014]rule deny tcp source 192.168.10.0 0.0.0.255 destination 192.168.20.8 0 destination-port eq 80 time-range ftp-access 加上時間組
user-int vty 0 4
acl 3014 inbound 設在這裏安全
