(5) Configs 21-24: ACL, time-based ACL, policy-based routing, VRRP

※ Config 21. ACL

Goals: ① only "IT" may telnet to Router, everyone else is denied; ② only the 192.168.1.0 subnet may not reach the server, everyone else is allowed; ③ "IT" may only use the server's telnet service, everything else is denied.
Apart from Router, the interface IP configuration of the other devices is omitted.
 
[Router]telnet server enable
[Router]user-interface vty 0 4
[Router-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):huawei
[Router]int g0/0/0
[Router-GigabitEthernet0/0/0]ip address 192.168.0.1 24
[Router-GigabitEthernet0/0/0]int g0/0/1
[Router-GigabitEthernet0/0/1]ip address 192.168.1.1 24
[Router-GigabitEthernet0/0/1]int g0/0/2
[Router-GigabitEthernet0/0/2]ip add 192.168.2.1 24
[Router-GigabitEthernet0/0/2]int g2/0/0
[Router-GigabitEthernet2/0/0]ip add 192.168.3.1 24
[Router-GigabitEthernet2/0/0]int g3/0/0
[Router-GigabitEthernet3/0/0]ip add 192.168.4.1 24
[Router-GigabitEthernet3/0/0]quit
Goal ①: only "IT" may telnet to Router; everyone else is denied
[Router]acl number 2000
[Router-acl-basic-2000]rule permit source 192.168.0.0 0.0.0.255
[Router-acl-basic-2000]rule deny source any
[Router-acl-basic-2000]quit
Apply it ↓
[Router]user-interface vty 0 4 applied on the virtual terminal lines, line numbers 0 to 4
[Router-ui-vty0-4]acl 2000 inbound command that enables the ACL on the VTY lines
[Router-ui-vty0-4]quit
Goal ②: only the 192.168.1.0 subnet may not reach the server; everyone else is allowed
[Router]acl 2001
[Router-acl-basic-2001]rule deny source 192.168.1.0 0.0.0.255
[Router-acl-basic-2001]rule permit source any
[Router-acl-basic-2001]quit
Apply it ↓
[Router]int g3/0/0 applied on a physical interface (here the interface closest to the destination is the right choice)
[Router-GigabitEthernet3/0/0]traffic-filter outbound acl 2001 command that enables the ACL on a physical interface; filter direction: outbound (filter /'fɪltɚ/)
Goal ③: "IT" and the other devices may only reach the server's telnet service; everything else is denied.
[Router]acl 3000
[Router-acl-adv-3000]rule permit tcp source any destination 192.168.4.2 0 destination-port eq telnet permit telnet to ××× # source any can be omitted; telnet can be written as 23 (the port number)
[Router-acl-adv-3000]rule deny ip source any destination 192.168.4.2 0 deny all other protocol traffic to ×××
[Router-acl-adv-3000]quit
Apply it ↓
[Router]int g0/0/0 applied on a physical interface (here the interface closest to the source is the right choice)
[Router-GigabitEthernet0/0/0]traffic-filter inbound acl 3000 command that enables the ACL on a physical interface; filter direction: inbound
Verification command:
[Router]display acl 2000
Basic ACL 2000, 2 rules
Acl's step is 5
rule 5 permit source 192.168.0.0 0.0.0.255 (1 matches)
rule 10 deny (6 matches)
Reflexive ACL:
 
※ Config 22. Time-based ACL and traffic policy
Goal: the sales department may not reach server (the salary lookup server) on working days from 8:00 to 18:00; the finance department is unrestricted
Method 1. Fit the router with a switch interface card, enable a VLANIF layer-3 interface, and apply the ACL on that layer-3 interface
[R1]time-range satime 8:00 to 18:00 ?
<0-6> Day of the week(0 is Sunday)
Fri Friday
Mon Monday
Sat Saturday
Sun Sunday
Thu Thursday
Tue Tuesday
Wed Wednesday
daily Every day of the week
off-day Saturday and Sunday
working-day Monday to Friday
[R1]time-range satime 8:00 to 18:00 working-day create a time range named satime (range /rendʒ/)
[R1]acl 3000
[R1-acl-adv-3000]rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.2 0 time-range satime takes effect only within the time range
[R1-acl-adv-3000]rule permit ip source any destination any can be omitted on Huawei; unmatched traffic is permitted by default
 
[R1-acl-adv-3000]int vlanif 20
[R1-Vlanif20]traffic-filter inbound acl 3000
Note:
Switch ports cannot be given IP addresses, only VLANIF interfaces can; once I had configured that, I found that the subnets could suddenly reach each other, just like on a router
Each router interface can be given an IP address, and directly connected devices can all ping each other
Verification command:
[R1]display acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.2 0 time-range satime Inactive / active (inactive /ɪn'æktɪv/: not currently in effect; active /æktɪv/: in effect)
rule 10 permit ip
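To make the matching logic explicit, here is a small Python model of how the traffic-filter ACLs in Config 21 and Config 22 are evaluated. It is an added example, not the notes' own material or vendor code: rules are tried in order, the first hit decides, a packet hitting no rule is permitted (the traffic-filter default the note above relies on), and a rule with a time-range only counts while the range is active. The time-range check (end time exclusive) and the rule-number step of 5 are simplifying assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed time ranges: name -> (start hour, end hour exclusive, weekdays; Mon=0)
TIME_RANGES = {"satime": (8, 18, range(0, 5))}   # working-day 8:00 to 18:00

def time_range_active(name, now):
    start, end, days = TIME_RANGES[name]
    return now.weekday() in days and start <= now.hour < end

def wildcard_match(addr, spec):
    """spec is 'any' or (base, wildcard); a 0 bit in the wildcard must match."""
    if spec == "any":
        return True
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = 0xFFFFFFFF ^ wild
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def acl_lookup(rules, pkt, now):
    """Return (action, rule id): first matching rule wins, ids use the ACL step of 5."""
    for i, (action, proto, src, dst, dport, trange) in enumerate(rules, 1):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src) and wildcard_match(pkt["dst"], dst)):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        if trange is not None and not time_range_active(trange, now):
            continue                  # rule is present but Inactive right now
        return action, i * 5
    return "permit", None             # no rule hit: traffic-filter default

# Config 21 ACL 3000: only telnet to the server 192.168.4.2, everything else to it denied
ACL3000_TELNET_ONLY = [
    ("permit", "tcp", "any", ("192.168.4.2", "0.0.0.0"), 23, None),
    ("deny", "ip", "any", ("192.168.4.2", "0.0.0.0"), None, None),
]
# Config 22 ACL 3000: sales 192.168.2.0/24 blocked from 192.168.3.2 while satime is active
ACL3000_TIMED = [
    ("deny", "ip", ("192.168.2.0", "0.0.0.255"), ("192.168.3.2", "0.0.0.0"), None, "satime"),
    ("permit", "ip", "any", "any", None, None),
]

if __name__ == "__main__":
    work = datetime(2018, 4, 18, 10, 0)    # constructed: Wednesday 10:00, inside satime
    night = datetime(2018, 4, 18, 20, 0)   # constructed: Wednesday 20:00, outside satime
    sales = {"src": "192.168.2.5", "dst": "192.168.3.2", "proto": "tcp", "dport": 80}
    print(acl_lookup(ACL3000_TIMED, sales, work), acl_lookup(ACL3000_TIMED, sales, night))
```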
Method 2. Implemented with an ACL-based traffic policy
[R1]traffic classifier a define a traffic classifier named "a" (classifier /'klæsɪfaɪɚ/)
[R1-classifier-a]if-match acl 3000 classification rule: matches acl 3000 (match /mætʃ/)
[R1-classifier-a]quit
 
[R1]traffic behavior b define a traffic behavior named "b" (behavior /bɪ'hevjɚ/)
[R1-behavior-b]deny the behavior is: deny
[R1-behavior-b]quit
 
[R1]traffic policy c define a traffic policy named "c" (policy /'pɑləsi/)
[R1-trafficpolicy-c]classifier a behavior b the policy: when classifier a matches, apply behavior b
[R1-trafficpolicy-c]quit
 
[R1]int vlanif 20
[R1-Vlanif20]traffic-policy c inbound apply traffic policy c in the inbound direction
[R1-Vlanif20]quit
Or configure it on the layer-2 physical interface; the effect is the same
[R1]int e6/0/1
[R1-Ethernet6/0/1]traffic-policy c inbound
[R1-Ethernet6/0/1]quit
Note:
This one is more complicated; it is the method from the tutorial
Verification command
<R1>display traffic-policy applied-record show where the traffic policy is applied (applied /ə'plaɪd/, record /rɪˈkɔrd/)
<R1>display traffic-policy applied-record c
-------------------------------------------------
Policy Name: c
Policy Index: 0
Classifier:a Behavior:b
-------------------------------------------------
*interface Vlanif20
traffic-policy c inbound
slot 0 : success
Classifier: a
Operator: OR
Rule(s) :
if-match acl 3000
Behavior: b
Deny
*interface Ethernet6/0/1
traffic-policy c inbound
slot 6 : success
Classifier: a
Operator: OR
Rule(s) :
if-match acl 3000
Behavior: b
Deny
-------------------------------------------------
Policy total applied times: 2.
※ Config 23. Policy-based routing
Interface IP configuration omitted; goal: two internal subnets of the enterprise network exit through different ISPs
 
[R1]acl 2016
[R1-acl-basic-2016]rule permit source 172.16.0.0 0.0.255.255
[R1-acl-basic-2016]acl 2017
[R1-acl-basic-2017]rule permit source 172.17.0.0 0.0.255.255
[R1-acl-basic-2017]quit
 
[R1]traffic classifier a1 traffic classifier
[R1-classifier-a1]if-match acl 2016 match condition
[R1-classifier-a1]quit
[R1]traffic classifier a2
[R1-classifier-a2]if-match acl 2017
[R1-classifier-a2]quit
 
[R1]traffic behavior b1 traffic behavior
[R1-behavior-b1]redirect ip-nexthop 100.120.111.10 redirect to this next hop
[R1-behavior-b1]quit
[R1]traffic behavior b2
[R1-behavior-b2]redirect ip-nexthop 200.123.125.130
[R1-behavior-b2]quit
 
[R1]traffic policy p traffic policy
[R1-trafficpolicy-p]classifier a1 behavior b1 classifier a1 gets behavior b1
[R1-trafficpolicy-p]classifier a2 behavior b2
[R1-trafficpolicy-p]quit
 
[R1]int e6/0/0
[R1-Ethernet6/0/0]traffic-policy p inbound apply policy "p" on the interface
[R1-Ethernet6/0/0]quit
※ Config 24. VRRP (Virtual Router Redundancy Protocol, also called virtual gateway redundancy protocol)
Goal: dual gateways, preempt mode, automatic priority adjustment
[R1]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 1.1.1.1 24
[R1-GigabitEthernet0/0/1]quit
[R1]ospf 1 router-id 1.1.1.1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]quit
[R1]int g0/0/0 enter the interface where VRRP will be configured
[R1-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 192.168.1.1 VRRP virtual router identifier 1, virtual IP address 192.168.1.1
[R1-GigabitEthernet0/0/0]vrrp vrid 1 priority 120 priority 120 for the VRRP group with vrid 1
[R1-GigabitEthernet0/0/0]vrrp vrid 1 preempt timer delay 2 enable preempt mode for vrid 1 with a preempt delay of 2 seconds (preempt /,primpt/)
[R1-GigabitEthernet0/0/0]vrrp vrid 1 track interface g0/0/1 reduced 30 for vrid 1, track interface g0/0/1; when it goes down, immediately reduce the priority by 30 (track /træk/, reduced /rɪ'djʊst/)
 
[R2]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 2.1.1.1 24
[R2]ospf router-id 2.2.2.2
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]network 2.1.1.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]quit
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]vrrp vrid 1 virtual-ip 192.168.1.1
[R2-GigabitEthernet0/0/0]vrrp vrid 1 priority 100 priority 100 for the VRRP group with vrid 1 (as the backup its priority must be lower than the master's; here it is 20 lower, so when R1's tracked interface fails and its priority drops by 30 to 90, below 100, the backup can immediately become master)
[R2-GigabitEthernet0/0/0]vrrp vrid 1 preempt timer delay 2 enable preempt mode for vrid 1 with a preempt delay of 2 seconds (preempt /,primpt/)
[R2-GigabitEthernet0/0/0]vrrp vrid 1 track interface g0/0/1 reduced 30 for vrid 1, track interface g0/0/1; when it goes down, immediately reduce the priority by 30 (track /træk/, reduced /rɪ'djʊst/)
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip add 1.1.1.2 24
[R3-GigabitEthernet0/0/0]int g0/0/1
[R3-GigabitEthernet0/0/1]ip add 2.1.1.2 24
[R3-GigabitEthernet0/0/1]int loopback 0
[R3-LoopBack0]ip add 3.3.3.3 24
[R3-LoopBack0]quit
[R3]ospf router-id 3.3.3.3
[R3-ospf-1]area 0
[R3-ospf-1-area-0.0.0.0]network 1.1.1.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]network 2.1.1.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0]quit
[R3-ospf-1]area 1
[R3-ospf-1-area-0.0.0.1]network 3.3.3.3 0.0.0.255
[R3-ospf-1-area-0.0.0.1]quit
Verification command:
[R1]dis vrrp
GigabitEthernet0/0/0 | Virtual Router 1
State : Master
Virtual IP : 192.168.1.1
Master IP : 192.168.1.10
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 2 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet0/0/1 Priority reduced : 30
IF state : UP
Create time : 2018-04-18 23:47:40 UTC-08:00
Last change time : 2018-04-19 00:06:40 UTC-08:00
[R2]dis vrrp
GigabitEthernet0/0/0 | Virtual Router 1
State : Backup
Virtual IP : 192.168.1.1
Master IP : 192.168.1.10
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 2 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet0/0/1 Priority reduced : 30
IF state : UP
Create time : 2018-04-18 23:53:14 UTC-08:00
Last change time : 2018-04-19 00:05:02 UTC-08:00
Test method:
ping 3.3.3.3 -c 1000
Shut down R1's physical interface and check the "State" field in display vrrp
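As an added example (not from the notes or the vendor), a Python model of the election behind Config 24: the running priority after interface tracking, who becomes master, and why preempt must also be enabled on the backup for the track to have any effect. R2's g0/0/0 address and the interface names are assumptions; advertisement timers and the 2 s preempt delay are ignored, only the resulting state is computed.

```python
import ipaddress
from copy import deepcopy

def running_priority(router):
    """PriorityRun: configured priority minus 'reduced' for every tracked interface that is down."""
    prio = router["priority"]
    for ifname, reduced in router["track"].items():
        if not router["if_state"].get(ifname, True):
            prio -= reduced
    return max(prio, 1)

def elect_master(routers):
    """Highest running priority among routers whose VRRP interface is up; ties go to the higher IP."""
    alive = [r for r in routers if r["if_state"].get(r["vrrp_if"], True)]
    if not alive:
        return None
    return max(alive, key=lambda r: (running_priority(r),
                                     int(ipaddress.IPv4Address(r["ip"]))))["name"]

def next_master(routers, current):
    """The current master keeps the role unless its VRRP interface is down (it stops
    advertising) or a better-ranked router has preempt enabled."""
    by_name = {r["name"]: r for r in routers}
    cur = by_name[current]
    best = elect_master(routers)
    if not cur["if_state"].get(cur["vrrp_if"], True):
        return best
    if best != current and by_name[best]["preempt"]:
        return best
    return current

# Constructed Config 24 routers; R2's g0/0/0 address 192.168.1.20 is an assumption
R1 = {"name": "R1", "vrrp_if": "g0/0/0", "ip": "192.168.1.10", "priority": 120,
      "preempt": True, "track": {"g0/0/1": 30}, "if_state": {}}
R2 = {"name": "R2", "vrrp_if": "g0/0/0", "ip": "192.168.1.20", "priority": 100,
      "preempt": True, "track": {"g0/0/1": 30}, "if_state": {}}

def scenario(r1_changes=None, r2_changes=None, current="R1"):
    """Apply changes to copies of R1/R2 and return who is master afterwards."""
    a, b = deepcopy(R1), deepcopy(R2)
    a.update(r1_changes or {})
    b.update(r2_changes or {})
    return next_master([a, b], current)

if __name__ == "__main__":
    print(scenario())                                                     # R1: 120 > 100
    print(scenario({"if_state": {"g0/0/1": False}}))                      # R2: 120-30=90 < 100
    print(scenario({"if_state": {"g0/0/1": False}}, {"preempt": False}))  # R1: nobody preempts
    print(scenario({"if_state": {"g0/0/0": False}}))                      # R2: R1 went silent
```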
 
posted @ 2018-04-20 09:54  夺命黑猩猩