基础过滤工具
在所有的路由器上运行OSPF协议,通告相应网段到0区域,
配置
AR3 ospf 1 router-id 3.3.3.3 area 0.0.0.0 network 3.3.3.3 0.0.0.0 network 10.1.23.0 0.0.0.255 # AR2配置 ospf 1 router-id 2.2.2.2 area 0.0.0.0 network 2.2.2.0 0.0.0.255 network 10.1.12.0 0.0.0.255 network 10.1.23.0 0.0.0.255 network 10.1.24.0 0.0.0.255 AR1配置 ospf 1 router-id 1.1.1.1 area 0.0.0.0 network 1.1.1.1 0.0.0.0 network 10.1.12.0 0.0.0.255 AR4配置 ospf 1 router-id 4.4.4.4 area 0.0.0.0 network 4.4.4.4 0.0.0.0 network 10.1.24.0 0.0.0.255
在路由器AR4上配置telnet相关配置,配置密码为huawei
[AR1]user-interface vty 0 4 [AR1-ui-vty0-4]authentication-mode password Please configure the login password (maximum length 16):huawei
<AR3>telnet 1.1.1.1 Press CTRL_] to quit telnet mode Trying 1.1.1.1 ... Connected to 1.1.1.1 ... Login authentication Password:
这时发现只要路由可达的设备,并拥有密码,都可以访问R4路由器
AR1上创建ACL 200只允许2.2.2.2访问AR1,其余都禁止
acl number 2000 rule 5 permit source 2.2.2.2 0 rule 10 deny
user-interface vty 0 4 acl 2000 inbound 引用ACL 2000
此时就只有R2可以登录R1,其他路由器均无法登录R1
[AR1]dis acl 2000 Basic ACL 2000, 2 rules Acl's step is 5 rule 5 permit source 2.2.2.2 0 (1 matches) rule 10 deny (15 matches)
增加R3,让R3也可以登录R1
[AR1-acl-basic-2000]dis th [V200R003C00] # acl number 2000 rule 5 permit source 2.2.2.2 0 rule 6 permit source 3.3.3.3 0 rule 10 deny
<AR3>telnet -a 3.3.3.3 1.1.1.1 Press CTRL_] to quit telnet mode Trying 1.1.1.1 ... Connected to 1.1.1.1 ... Login authentication Password:
高级ACL
[AR1]dis acl 3000 Advanced ACL 3000, 1 rule Acl's step is 5 rule 5 permit tcp source 2.2.2.2 0 destination 1.1.1.1 0 (1 matches)
user-interface vty 0 4 acl 3000 inbound
配置前缀列表
[AR1-ospf-1]dis acl 2000 Basic ACL 2000, 2 rules Acl's step is 5 rule 5 deny source 10.1.23.0 0.0.0.255 (1 matches) rule 10 permit (8 matches) spf 1 router-id 1.1.1.1 filter-policy 2000 import