Author: 兔砸网工-梁晨
1. Lab requirements
- PC1 and Client1 can reach PC2 normally.
- Client1 can access Server1's HTTP service, but cannot access its FTP service and cannot ping Server1.
The lab topology is as follows (addressing as read from the configuration below: AR1 G0/0/0 faces the 192.168.1.0/24 LAN with PC1 and Client1, AR1 G0/0/1 and AR2 G0/0/0 form the 10.1.12.0/24 link, AR2 G0/0/1 faces PC2 on 192.168.2.0/24, and AR2 G0/0/2 faces Server1 on 192.168.3.0/24):
2. Lab approach
1. Configure IP addresses on AR1 and AR2.
2. Configure dynamic routing on AR1 and AR2 so that the whole network is reachable.
3. Configure ACLs that implement the requirements and apply them on the interfaces.
3. Lab steps
Step 1: Configure interface IP addresses on AR1 and AR2
AR1 IP address configuration
<AR1>system-view
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]ip address 10.1.12.1 255.255.255.0
[AR1-GigabitEthernet0/0/1]quit
[AR1]interface GigabitEthernet0/0/0
[AR1-GigabitEthernet0/0/0]ip address 192.168.1.254 255.255.255.0
[AR1-GigabitEthernet0/0/0]quit
AR2 IP address configuration
<AR2>system-view
[AR2]interface GigabitEthernet0/0/0
[AR2-GigabitEthernet0/0/0]ip address 10.1.12.2 255.255.255.0
[AR2-GigabitEthernet0/0/0]quit
[AR2]interface GigabitEthernet0/0/1
[AR2-GigabitEthernet0/0/1]ip address 192.168.2.254 255.255.255.0
[AR2-GigabitEthernet0/0/1]quit
[AR2]interface GigabitEthernet0/0/2
[AR2-GigabitEthernet0/0/2]ip address 192.168.3.254 255.255.255.0
[AR2-GigabitEthernet0/0/2]quit
Step 2: Configure OSPF dynamic routing on AR1 and AR2 so that the whole network is reachable
Enable OSPF on AR1 and advertise its networks
[AR1]ospf 1
[AR1-ospf-1]area 0.0.0.0
[AR1-ospf-1-area-0.0.0.0]network 10.1.12.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[AR1-ospf-1-area-0.0.0.0]quit
[AR1-ospf-1]quit
Enable OSPF on AR2 and advertise its networks
[AR2]ospf 1
[AR2-ospf-1]area 0.0.0.0
[AR2-ospf-1-area-0.0.0.0]network 10.1.12.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 192.168.2.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]quit
[AR2-ospf-1]quit
Step 3: Configure ACLs on AR1 and AR2 to implement the requirements and apply them on the interfaces
Create the ACL on AR1 and apply it on the interface. ACL 3000 is an advanced ACL (number range 3000-3999, matching on protocol, source, destination and port) and is applied outbound on G0/0/1, the link toward AR2, so it only filters traffic leaving the 192.168.1.0/24 side. Rules are evaluated in order of rule number, and traffic-filter permits any packet that matches no rule, so PC1's traffic and any Client1 traffic not covered by a deny rule still pass; rule 5 only documents the intended HTTP access, the deny rules do the actual work. Denying port 21 (ftp) alone already blocks FTP, because the control connection is never established; rule 15 (ftp-data, port 20) additionally covers active-mode data connections, while passive-mode data connections use high ports that no rule names.
[AR1]acl number 3000
[AR1-acl-adv-3000]rule 5 permit tcp source 192.168.1.2 0 destination 192.168.3.0 0.0.0.255 destination-port eq www
[AR1-acl-adv-3000]rule 10 deny tcp source 192.168.1.2 0 destination 192.168.3.0 0.0.0.255 destination-port eq ftp
[AR1-acl-adv-3000]rule 15 deny tcp source 192.168.1.2 0 destination 192.168.3.0 0.0.0.255 destination-port eq ftp-data
[AR1-acl-adv-3000]rule 20 deny icmp source 192.168.1.2 0 destination 192.168.3.0 0.0.0.255
[AR1-acl-adv-3000]quit
[AR1]interface GigabitEthernet0/0/1
[AR1-GigabitEthernet0/0/1]traffic-filter outbound acl 3000
[AR1-GigabitEthernet0/0/1]quit
Create the ACLs on AR2 and apply them on the interfaces. ACL 2000 and ACL 2001 are basic ACLs (number range 2000-2999) and match on source address only. ACL 2000, applied inbound on G0/0/0, permits the whole 192.168.1.0/24 subnet; since unmatched packets are permitted anyway, it restricts nothing by itself. ACL 2001, applied outbound on G0/0/2 toward Server1, denies host 192.168.1.1 (PC1), which is what keeps PC1 away from Server1 while Client1 and the rest of the subnet are unaffected.
[AR2]acl number 2000
[AR2-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[AR2-acl-basic-2000]quit
[AR2]acl number 2001
[AR2-acl-basic-2001]rule 5 deny source 192.168.1.1 0
[AR2-acl-basic-2001]quit
[AR2]interface GigabitEthernet0/0/0
[AR2-GigabitEthernet0/0/0]traffic-filter inbound acl 2000
[AR2-GigabitEthernet0/0/0]quit
[AR2]interface GigabitEthernet0/0/2
[AR2-GigabitEthernet0/0/2]traffic-filter outbound acl 2001
[AR2-GigabitEthernet0/0/2]quit
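To check the three ACLs against the requirements without the simulator, the following Python script is an added example, not part of the original lab. It models the VRP traffic-filter semantics used above: rules are tried in rule-number order, the first match decides, and a packet matching no rule is permitted. It replays constructed flows along the filtered interfaces each flow crosses. PC1 = 192.168.1.1 and Client1 = 192.168.1.2 follow from the ACL rules; the addresses assumed for PC2 (192.168.2.1) and Server1 (192.168.3.1) and the order of ACLs along each path are assumptions. It also checks one flow the lab does not mention (Client1 SSH to Server1) to show that ACL 3000 is a blacklist.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known port names used in the lab's ACL rules.
PORTS = {"www": 80, "ftp": 21, "ftp-data": 20}


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: Optional[str] = None        # "tcp", "icmp", or None = any (basic ACL)
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"    # VRP wildcard: 0 bit = must match, 1 bit = don't care
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None        # destination-port eq <n>, None = any


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a VRP-style wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl: List[Rule], pkt: Dict) -> str:
    """First matching rule wins; traffic-filter permits packets matching no rule."""
    for rule in acl:
        if rule.proto is not None and rule.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], rule.src, rule.src_wc):
            continue
        if not wildcard_match(pkt["dst"], rule.dst, rule.dst_wc):
            continue
        if rule.dport is not None and pkt.get("dport") != rule.dport:
            continue
        return rule.action
    return "permit"


def path_verdict(pkt: Dict, acls: List[List[Rule]]) -> str:
    """A packet crosses several filtered interfaces; any deny on the path drops it."""
    return "deny" if any(evaluate(acl, pkt) == "deny" for acl in acls) else "permit"


# The three ACLs exactly as configured in this lab.
HOST = "0.0.0.0"  # wildcard "0" on the CLI = exact host
ACL_3000 = [  # AR1 G0/0/1 outbound
    Rule("permit", "tcp", "192.168.1.2", HOST, "192.168.3.0", "0.0.0.255", PORTS["www"]),
    Rule("deny", "tcp", "192.168.1.2", HOST, "192.168.3.0", "0.0.0.255", PORTS["ftp"]),
    Rule("deny", "tcp", "192.168.1.2", HOST, "192.168.3.0", "0.0.0.255", PORTS["ftp-data"]),
    Rule("deny", "icmp", "192.168.1.2", HOST, "192.168.3.0", "0.0.0.255"),
]
ACL_2000 = [Rule("permit", None, "192.168.1.0", "0.0.0.255")]  # AR2 G0/0/0 inbound
ACL_2001 = [Rule("deny", None, "192.168.1.1", HOST)]           # AR2 G0/0/2 outbound

# Filtered interfaces a packet crosses, in order (assumed from the topology).
TO_SERVER1 = [ACL_3000, ACL_2000, ACL_2001]  # AR1 G0/0/1 out, AR2 G0/0/0 in, AR2 G0/0/2 out
TO_PC2 = [ACL_3000, ACL_2000]                # AR1 G0/0/1 out, AR2 G0/0/0 in (G0/0/1 has no ACL)

# Host addresses: .1.1 and .1.2 come from the ACLs, the other two are assumed.
PC1, CLIENT1, PC2, SERVER1 = "192.168.1.1", "192.168.1.2", "192.168.2.1", "192.168.3.1"


def check_requirements() -> Dict[str, str]:
    """Verdict for each flow the requirements and results sections talk about."""
    def tcp(src, dst, dport):
        return {"proto": "tcp", "src": src, "dst": dst, "dport": dport}

    def icmp(src, dst):
        return {"proto": "icmp", "src": src, "dst": dst}

    return {
        "pc1_ping_pc2": path_verdict(icmp(PC1, PC2), TO_PC2),
        "client1_ping_pc2": path_verdict(icmp(CLIENT1, PC2), TO_PC2),
        "client1_http_server1": path_verdict(tcp(CLIENT1, SERVER1, 80), TO_SERVER1),
        "client1_ftp_server1": path_verdict(tcp(CLIENT1, SERVER1, 21), TO_SERVER1),
        "client1_ping_server1": path_verdict(icmp(CLIENT1, SERVER1), TO_SERVER1),
        "pc1_http_server1": path_verdict(tcp(PC1, SERVER1, 80), TO_SERVER1),
        # Not in the requirements: ACL 3000 is a blacklist, so a port it does not
        # name (SSH here) still reaches Server1 from Client1.
        "client1_ssh_server1": path_verdict(tcp(CLIENT1, SERVER1, 22), TO_SERVER1),
    }


if __name__ == "__main__":
    for flow, verdict in check_requirements().items():
        print(f"{flow:24s} {verdict}")
```

Run it with python3. Every flow named in the requirements comes back with the expected verdict, and the extra SSH flow comes back as permit: that is the practical consequence of the default-permit behaviour. If Server1 should expose only HTTP to Client1, the cleaner configuration is to keep rule 5 and follow it with a single `rule deny ip source 192.168.1.2 0 destination 192.168.3.0 0.0.0.255` (a suggested change, not the lab's configuration) instead of enumerating ports to deny.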
4. Lab results
Verification 1: After OSPF is deployed the whole network is reachable; PC1 can access PC2 and Server1.
Verification 2: Before the ACLs are applied, Client1 can access both the FTP and the HTTP service on Server1.
Verification 3: After ACL 3000 is configured and applied on AR1, Client1 cannot access Server1's FTP service, can still access its HTTP service, but cannot ping Server1's IP address.
Verification 4: After ACLs 2000 and 2001 are configured and applied on AR2, PC1 can access PC2 but cannot access Server1, and Client1 can access PC2.
5. Configuration command reference
AR1
sysname AR1
interface GigabitEthernet0/0/1
ip address 10.1.12.1 255.255.255.0
interface GigabitEthernet0/0/0
ip address 192.168.1.254 255.255.255.0
ospf 1
area 0.0.0.0
network 10.1.12.0 0.0.0.255
network 192.168.1.0 0.0.0.255
acl number 3000
rule 5 permit tcp source 192.168.1.2 0 destination 192.168.3.0 0.0.0.255 destination-port eq www
rule 10 deny tcp source 192.168.1.2 0 destination 192.168.3.0 0.0.0.255 destination-port eq ftp
rule 15 deny tcp source 192.168.1.2 0 destination 192.168.3.0 0.0.0.255 destination-port eq ftp-data
rule 20 deny icmp source 192.168.1.2 0 destination 192.168.3.0 0.0.0.255
interface GigabitEthernet0/0/1
traffic-filter outbound acl 3000
AR2
sysname AR2
interface GigabitEthernet0/0/0
ip address 10.1.12.2 255.255.255.0
interface GigabitEthernet0/0/1
ip address 192.168.2.254 255.255.255.0
interface GigabitEthernet0/0/2
ip address 192.168.3.254 255.255.255.0
ospf 1
area 0.0.0.0
network 10.1.12.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
acl number 2000
rule 5 permit source 192.168.1.0 0.0.0.255
acl number 2001
rule 5 deny source 192.168.1.1 0
interface GigabitEthernet0/0/0
traffic-filter inbound acl 2000
interface GigabitEthernet0/0/2
traffic-filter outbound acl 2001