【eNSP实战】使用ACL实现路由器安全
拓图
要求:
- 允许 10.0.0.0 网段 telent 登录AR1,不允许其他主机telnet登录路由器
- 设置接口如图所示
AR1接口配置
interface GigabitEthernet0/0/0
ip address 30.0.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 30.0.0.2
AR2接口配置
interface GigabitEthernet0/0/0
ip address 10.0.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.2
AR3接口配置
interface GigabitEthernet0/0/0
ip address 20.0.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 20.0.0.2
AR4接口配置
interface GigabitEthernet0/0/0
ip address 30.0.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.0.0.2 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 20.0.0.2 255.255.255.0
下面开始配置ACL
在AR1路由器上配置策略ACL
[AR1]acl 2000
[AR1-acl-basic-2000]rule 5 permit source 10.0.0.0 0.0.0.255
[AR1-acl-basic-2000]rule 10 deny
[AR1-acl-basic-2000]quit
[AR1]user-interface vty 0 4
[AR1-ui-vty0-4]authentication-mode password
Please configure the login password (maximum length 16):abc123,
[AR1-ui-vty0-4]acl 2000 inbound
[AR1-ui-vty0-4]quit
或者,在AR4路由器上配置策略ACL,然后把策略应用到出接口上
[AR4]acl 3000
[AR4-acl-adv-3000]rule 5 deny tcp source 20.0.0.0 0.0.0.255 destination-port eq telnet
[AR4-acl-adv-3000]quit
[AR4]interface GigabitEthernet 0/0/0
[AR4-GigabitEthernet0/0/0]traffic-filter outbound acl 3000
至此ACL配置完成,下面测试AR2和AR3登录AR1
