1. Lab Description

The enterprise has deployed three networks. R2 connects to the company headquarters network, while R1 and R3 are the devices of two different branch networks; the three routers are connected over the WAN. You need to control employees' access to the Telnet and FTP services: employees in the R1 branch may only access the Telnet server in the headquarters network, and employees in the R3 branch may only access the FTP server.

2. Lab Objectives

Master the configuration of advanced ACLs
Master how to apply an ACL on an interface

3. Lab Environment

ENSP

4. Tools and Materials

ENSP

5. Lab Procedure


 

Step 1: Prepare the lab environment

If you are using devices with an empty configuration for this task, start from Step 1 and then skip Step 2. If the devices still hold the configuration from the previous lab, start directly from Step 2.

[Huawei]sysname R1


[Huawei]sysname R2


[Huawei]sysname R3


[Huawei]sysname S1
[S1]vlan 4
[S1-vlan4]quit
[S1]interface vlanif 4
[S1-Vlanif4]ip address 10.0.4.254 24


[Huawei]sysname S2
[S2]vlan 6
[S2-vlan6]quit
[S2]interface vlanif 6
[S2-Vlanif6]ip address 10.0.6.254 24

Step 2: Clear the existing configuration on the devices
Delete the OSPF configuration, the PPPoE dial-up interfaces, and the PPPoE server virtual template configured on R2.
[R1]ospf
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]undo network 10.0.0.0 0.255.255.255
[R1-ospf-1-area-0.0.0.0]quit
[R1-ospf-1]quit
[R1]undo ip route-static 0.0.0.0 0
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]undo pppoe-client dial-bundle-number 1
[R1-GigabitEthernet0/0/0]quit
[R1]interface Dialer 1
[R1-Dialer1]undo dialer user
[R1-Dialer1]quit
[R1]undo interface Dialer 1
[R1]dialer-rule
[R1-dialer-rule]undo dialer-rule 1


[R2]ospf
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]undo network 10.0.0.0 0.255.255.255
[R2-ospf-1-area-0.0.0.0]quit
[R2-ospf-1]quit
[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]undo pppoe-server bind
Warning:All PPPoE sessions on this interface will be deleted, continue?[Y/N]:y
[R2-GigabitEthernet0/0/0]quit
[R2]undo interface Virtual-Template 1
[R2]undo ip pool pool1
[R2]aaa
[R2-aaa]undo local-user huawei1
[R2-aaa]undo local-user huawei2

[R3]ospf
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]undo network 10.0.0.0 0.255.255.255
[R3-ospf-1-area-0.0.0.0]quit
[R3-ospf-1]quit
[R3]undo ip route-static 0.0.0.0 0
[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]undo pppoe-client dial-bundle-number 1
[R3-GigabitEthernet0/0/0]quit
[R3]interface Dialer 1
[R3-Dialer1]undo dialer user
[R3-Dialer1]quit
[R3]undo interface Dialer 1
[R3]dialer-rule
[R3-dialer-rule]undo dialer-rule 1

Step 3: Configure IP addresses
Configure IP addressing according to the network addresses shown in the topology diagram.
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 10.0.13.1 24


[R2]interface GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip address 10.0.13.2 24
[R2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[R2-GigabitEthernet0/0/1]ip address 10.0.4.2 24
[R2-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2]ip address 10.0.6.2 24


[R3]interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0]ip address 10.0.13.3 24


Configure the ports on S1 and S2 that connect to the routers as trunk ports, and change the PVID so that each physical port joins the Layer 3 VLANIF logical interface.
[S1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2]port link-type trunk
[S1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[S1-GigabitEthernet0/0/2]port trunk pvid vlan 4
[S1-GigabitEthernet0/0/2]quit


[S2]interface GigabitEthernet 0/0/2
[S2-GigabitEthernet0/0/2]port link-type trunk
[S2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[S2-GigabitEthernet0/0/2]port trunk pvid vlan 6
[S2-GigabitEthernet0/0/2]quit

Step 4: Configure OSPF so that the networks can communicate
Configure OSPF on R1, R2 and R3. All three devices are in Area 0 and advertise their directly connected network segments.
[R1]ospf
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255


[R2]ospf
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.4.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 10.0.6.0 0.0.0.255


[R3]ospf
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255


Configure a default static route on S1 and S2, with the next hop set to the gateway address of the router each switch connects to.
[S1]ip route-static 0.0.0.0 0.0.0.0 10.0.4.2
[S2]ip route-static 0.0.0.0 0.0.0.0 10.0.6.2



Test network connectivity.
<R1>ping 10.0.4.254
PING 10.0.4.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.4.254: bytes=56 Sequence=1 ttl=253 time=2 ms
Reply from 10.0.4.254: bytes=56 Sequence=2 ttl=253 time=10 ms
Reply from 10.0.4.254: bytes=56 Sequence=3 ttl=253 time=1 ms
Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=253 time=2 ms
Reply from 10.0.4.254: bytes=56 Sequence=5 ttl=253 time=2 ms
--- 10.0.4.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/3/10 ms


<R1>ping 10.0.6.254
PING 10.0.6.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.6.254: bytes=56 Sequence=1 ttl=253 time=10 ms
Reply from 10.0.6.254: bytes=56 Sequence=2 ttl=253 time=2 ms
Reply from 10.0.6.254: bytes=56 Sequence=3 ttl=253 time=2 ms
Reply from 10.0.6.254: bytes=56 Sequence=4 ttl=253 time=10 ms
Reply from 10.0.6.254: bytes=56 Sequence=5 ttl=253 time=2 ms
--- 10.0.6.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/5/10 ms


<R3>ping 10.0.4.254
PING 10.0.4.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.4.254: bytes=56 Sequence=1 ttl=253 time=10 ms
Reply from 10.0.4.254: bytes=56 Sequence=2 ttl=253 time=2 ms
Reply from 10.0.4.254: bytes=56 Sequence=3 ttl=253 time=2 ms
Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=253 time=10 ms
Reply from 10.0.4.254: bytes=56 Sequence=5 ttl=253 time=2 ms
--- 10.0.4.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/5/10 ms


<R3>ping 10.0.6.254
PING 10.0.6.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.6.254: bytes=56 Sequence=1 ttl=253 time=10 ms
Reply from 10.0.6.254: bytes=56 Sequence=2 ttl=253 time=2 ms
Reply from 10.0.6.254: bytes=56 Sequence=3 ttl=253 time=2 ms
Reply from 10.0.6.254: bytes=56 Sequence=4 ttl=253 time=10 ms
Reply from 10.0.6.254: bytes=56 Sequence=5 ttl=253 time=2 ms
--- 10.0.6.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/5/10 ms

Step 5: Configure an ACL to filter packets
Configure S1 as a Telnet server.
[S1]telnet server enable
[S1]user-interface vty 0 4
[S1-ui-vty0-4]protocol inbound all
[S1-ui-vty0-4]authentication-mode password
[S1-ui-vty0-4]set authentication password cipher huawei123


Configure S2 as an FTP server.
[S2]ftp server enable
[S2]aaa
[S2-aaa]local-user huawei password cipher huawei123
[S2-aaa]local-user huawei privilege level 3
[S2-aaa]local-user huawei service-type ftp
[S2-aaa]local-user huawei ftp-directory flash:/


Configure an ACL on R2 that allows only R1 to access the Telnet server and only R3 to access the FTP server.
[R2]acl 3000
[R2-acl-adv-3000]rule 5 permit tcp source 10.0.13.1 0.0.0.0 destination 10.0.4.254 0.0.0.0 destination-port eq 23
[R2-acl-adv-3000]rule 10 permit tcp source 10.0.13.3 0.0.0.0 destination 10.0.6.254 0.0.0.0 destination-port range 20 21
[R2-acl-adv-3000]rule 15 permit ospf
[R2-acl-adv-3000]rule 20 deny ip source any
[R2-acl-adv-3000]quit

Apply the ACL on interface G0/0/0 of R2.
[R2]interface GigabitEthernet0/0/0
[R2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000


Verify the result of applying the ACL.
<R1>telnet 10.0.4.254
Press CTRL_] to quit telnet mode
Trying 10.0.4.254 ...
Connected to 10.0.4.254 ...
Login authentication
Password:
Info: The max number of VTY users is 5, and the number of current VTY users on line is 1.
<S1>


Note: run the quit command to end the Telnet session.
<R1>ftp 10.0.6.254
Trying 10.0.6.254 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.


Note: the FTP connection takes about 60 seconds to respond.
<R3>telnet 10.0.4.254
Press CTRL_] to quit telnet mode
Trying 10.0.4.254 ...
Error: Can't connect to the remote host


<R3>ftp 10.0.6.254
Trying 10.0.6.254 ...
Press CTRL+K to abort
Connected to 10.0.6.254.
220 FTP service ready.
User(10.0.6.254:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[R3-ftp]
Note: run the bye command to close the FTP connection.
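To make the matching order of ACL 3000 explicit, here is a small Python model (added for this page; it is not Huawei VRP code and not part of the original lab) of the four rules with wildcard-mask matching and first-match evaluation, as they apply inbound on R2's G0/0/0. Running it also shows something the verification above does not test: rule 20 drops ICMP as well, so the pings from Step 4 fail once the ACL is applied. The class and function names are my own; the "no rule matched means permit" default it encodes is VRP's traffic-filter behaviour, which is why rule 20 exists.

```python
"""Model of ACL 3000 from Step 5: wildcard-mask matching and first-match
evaluation as applied inbound on R2 G0/0/0 (added example, not VRP code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # wildcard of all ones matches any address

@dataclass
class Rule:
    rid: int                      # rule number; rules are tried in ascending order
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "ospf", or "ip" (ip matches any protocol)
    src: Tuple[str, str] = ANY    # (address, wildcard) from "source"
    dst: Tuple[str, str] = ANY    # (address, wildcard) from "destination"
    dports: Optional[range] = None  # "destination-port eq N" / "range A B"

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Wildcard masks are inverted netmasks: only the 0 bits must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

# The four rules exactly as entered on R2 (eq 23 = Telnet, range 20 21 = FTP).
ACL_3000 = [
    Rule(5, "permit", "tcp", ("10.0.13.1", "0.0.0.0"), ("10.0.4.254", "0.0.0.0"), range(23, 24)),
    Rule(10, "permit", "tcp", ("10.0.13.3", "0.0.0.0"), ("10.0.6.254", "0.0.0.0"), range(20, 22)),
    Rule(15, "permit", "ospf"),
    Rule(20, "deny", "ip"),
]

def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """Return (action, rule id) of the first matching rule. With traffic-filter,
    VRP forwards packets that match no rule, which is why rule 20 is needed."""
    for r in acl:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not wildcard_match(src, *r.src) or not wildcard_match(dst, *r.dst):
            continue
        if r.dports is not None and (dport is None or dport not in r.dports):
            continue
        return r.action, r.rid
    return "permit", None  # no rule matched

if __name__ == "__main__":
    # Constructed sample flows: the lab's four tests, an OSPF hello, and a ping.
    for pkt in [("tcp", "10.0.13.1", "10.0.4.254", 23), ("tcp", "10.0.13.1", "10.0.6.254", 21),
                ("tcp", "10.0.13.3", "10.0.4.254", 23), ("tcp", "10.0.13.3", "10.0.6.254", 21),
                ("ospf", "10.0.13.3", "224.0.0.5", None), ("icmp", "10.0.13.1", "10.0.4.254", None)]:
        print(pkt, "->", evaluate(ACL_3000, *pkt))
```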
 
Additional exercises: analyze and verify
Why does FTP require the ACL to define two ports?
Should basic and advanced ACLs be configured on the source network or on the destination network, and why?
Configuration files
<R1>display current-configuration
[V200R007C00SPC600]
#
 sysname R1
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$
 local-user admin service-type http
 local-user huawei password cipher %$%$B:%I)Io0H8)[%SB[idM3C/!#%$%$
 local-user huawei service-type ppp
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.1 255.255.255.0
#
ospf 1 router-id 10.0.1.1
 area 0.0.0.0
  network 10.0.13.0 0.0.0.255
#
return


<R2>display current-configuration
[V200R007C00SPC600]
#
 sysname R2
#
acl number 3000
 rule 5 permit tcp source 10.0.13.1 0 destination 10.0.4.254 0 destination-port eq telnet
 rule 10 permit tcp source 10.0.13.3 0 destination 10.0.6.254 0 destination-port range ftp-data ftp
 rule 15 permit ospf
 rule 20 deny ip
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.2 255.255.255.0
 traffic-filter inbound acl 3000
#
interface GigabitEthernet0/0/1
 ip address 10.0.4.2 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.0.6.2 255.255.255.0
#
ospf 1 router-id 10.0.2.2
 area 0.0.0.0
  network 10.0.4.0 0.0.0.255
  network 10.0.6.0 0.0.0.255
  network 10.0.13.0 0.0.0.255
#
return


<R3>display current-configuration
[V200R007C00SPC600]
#
 sysname R3
#
interface GigabitEthernet0/0/0
 ip address 10.0.13.3 255.255.255.0
#
ospf 1 router-id 10.0.3.3
 area 0.0.0.0
  network 10.0.13.0 0.0.0.255
#
return


<S1>display current-configuration
!Software Version V200R008C00SPC500
#
 sysname S1
#
vlan batch 3 to 4
#
telnet server enable
#
interface Vlanif4
 ip address 10.0.4.254 255.255.255.0
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 4
 port trunk allow-pass vlan 2 to 4094
#
ip route-static 0.0.0.0 0.0.0.0 10.0.4.2
#
user-interface con 0
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 protocol inbound all
#
return


<S2>display current-configuration
!Software Version V200R008C00SPC500
#
 sysname S2
#
ftp server enable
#
vlan batch 6
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
 local-user huawei password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
 local-user huawei privilege level 3
 local-user huawei ftp-directory flash:/
 local-user huawei service-type ftp
#
interface Vlanif6
 ip address 10.0.6.254 255.255.255.0
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 6
 port trunk allow-pass vlan 2 to 4094
#
ip route-static 0.0.0.0 0.0.0.0 10.0.6.2
#
return