Lab task 1: Configure a basic ACL
- Establish the physical connections
- Configure IP addresses and routes
- Plan the ACL application
[RTA]acl basic 2000
[RTA-acl-ipv4-basic-2000]rule 0 deny source 192.168.2.0 0.0.0.255
[RTA-GigabitEthernet0/0]packet-filter 2000 inbound
Lab task 2: Configure an advanced ACL
Configure the advanced ACL and apply it
[H3C-acl-ipv4-adv-3000]rule 0 deny tcp source 192.168.0.2 0.0.0.0 destination 192.168.2.1 0.0.0.255 destination-port eq ftp
[H3C-acl-ipv4-adv-3000]rule 5 permit ip source 192.168.0.2 0.0.0.0 destination 192.168.2.0 0.0.0.255
This blocks FTP while leaving PCA's reachability to the FTP server intact.
[H3C]display acl 3000  // shows how many times each rule has matched
Advanced IPv4 ACL 3000, 2 rules,
ACL's step is 5
rule 0 deny tcp source 192.168.0.2 0 destination 192.168.2.0 0.0.0.255 destination-port eq ftp
rule 5 permit ip source 192.168.0.2 0 destination 192.168.2.0 0.0.0.255
// shows which interfaces the packet filter is applied on
[H3C]display packet-filter interface inbound
Interface: GigabitEthernet0/0
Inbound policy:
IPv4 ACL 2000
// shows, for the packet-filter firewall, how many packets this interface permitted and how many it denied
[H3C]display packet-filter statistics sum inbound 2000
Sum:
Inbound policy:
IPv4 ACL 2000
rule 0 deny source 192.168.0.2 0
Totally 0 packets permitted, 0 packets denied
Totally 0% permitted, 0% denied
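As an added illustration (not part of these lab notes or of H3C's software), the following Python models how ACL 3000 from task 2 is evaluated: Comware wildcard-mask matching, first match in rule-ID order, the per-rule hit counters that display acl reports, and why a destination entered as 192.168.2.1 0.0.0.255 is displayed as 192.168.2.0 0.0.0.255. The sample packets are constructed, and the permit-by-default handling of unmatched traffic is an assumption of this example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware wildcard mask: 0 bits must match, 1 bits are ignored.
    '0' (as displayed) and '0.0.0.0' (as typed) both mean an exact host match."""
    w = 0 if wildcard == "0" else _ip(wildcard)
    return (_ip(addr) | w) == (_ip(base) | w)

def normalize(base: str, wildcard: str) -> str:
    """Address as the device displays it: host bits covered by the wildcard are cleared,
    so 'destination 192.168.2.1 0.0.0.255' is shown as 192.168.2.0 0.0.0.255."""
    w = 0 if wildcard == "0" else _ip(wildcard)
    return str(ipaddress.IPv4Address(_ip(base) & ~w & 0xFFFFFFFF))

@dataclass
class Rule:
    rid: int; action: str; proto: str        # proto 'ip' matches any protocol
    src: str; src_wc: str; dst: str; dst_wc: str
    dport: int | None = None                 # 'destination-port eq N' (ftp = 21)
    hits: int = 0                            # per-rule match count, as 'display acl' reports

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc))

def evaluate(acl: list[Rule], pkt: dict, default_permit: bool = True):
    """First match in rule-ID order wins. Unmatched packets are permitted here (assumed,
    matching a Comware packet-filter without 'packet-filter default deny')."""
    for rule in sorted(acl, key=lambda r: r.rid):
        if rule.matches(pkt):
            rule.hits += 1
            return rule.action, rule.rid
    return ("permit" if default_permit else "deny"), None

# ACL 3000 as entered in the lab (rule IDs follow the default step of 5)
ACL_3000 = [
    Rule(0, "deny", "tcp", "192.168.0.2", "0", "192.168.2.1", "0.0.0.255", dport=21),
    Rule(5, "permit", "ip", "192.168.0.2", "0", "192.168.2.0", "0.0.0.255"),
]

if __name__ == "__main__":  # constructed traffic from PCA (192.168.0.2) towards the server subnet
    for pkt in ({"proto": "tcp", "src": "192.168.0.2", "dst": "192.168.2.1", "dport": 21},
                {"proto": "icmp", "src": "192.168.0.2", "dst": "192.168.2.1"}):
        print(pkt, "->", evaluate(ACL_3000, pkt), "| hits:", [r.hits for r in ACL_3000])
```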