ACL 基本扩展
1.实验拓扑:
使用ENSP模拟器(版本V100R002C00 1.2.00.350)
2.实验需求
1:给R1做一个dhcp地址池
2:做基本的和扩展的NAT
3:用vm8绑在2008上
3.实验配置
给网卡设ip
基本
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 192.168.10.1 24
[Huawei-GigabitEthernet0/0/1]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 192.168.20.1 24
[Huawei]dhcp enable 做地址池
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]dhcp select interface 放入0/0/1接口
2008收到地址
Huawei]acl 2014
[Huawei-acl-basic-2014]rule deny source 192.168.10.252 0 让10.252不能上
[Huawei-acl-basic-2014]rule permit source any
dis this
[Huawei-acl-basic-2014]rule 6 deny source 192.168.10.253 0 中间添加一个6
[Huawei-acl-basic-2014]dis this
Huawei-acl-basic-2014]undo rule 6 直接加上6就能删了
[Huawei-acl-basic-2014]dis this
[Huawei-acl-basic-2014]int g0/0/0
[Huawei-GigabitEthernet0/0/0]traffic-filter outbound acl 2014
[Huawei-GigabitEthernet0/0/0]display acl all
[Huawei-GigabitEthernet0/0/0]un traffic-filter outbound
q
扩展
[Huawei]undo acl 2014
[Huawei]acl 3014
[Huawei-acl-adv-3014]rule deny tcp source 192.168.10.0 0.0.0.255 destination 192.168.20.8 0 destination-port eq 80 10.0网段不能通过20.8获取www
[Huawei-acl-adv-3014]rule permit ip source any destination any
Huawei-acl-adv-3014]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3014
[Huawei-GigabitEthernet0/0/1]dis acl all
配置时间
[Huawei]time-range work 8:00 to 11:30 working-day 建立时间组
[Huawei-acl-adv-3014]rule deny tcp source 192.168.10.0 0.0.0.255 destination 192.168.20.8 0 destination-port eq 80 time-range ftp-access 加上时间组
user-int vty 0 4
acl 3014 inbound 设在这里安全
原文:http://funinghua.blog.51cto.com/9125449/1584424