【eNSP实战】使用ACL实现路由器安全

发布于:2025-03-15 ⋅ 阅读:(16) ⋅ 点赞:(0)

拓图
在这里插入图片描述

要求:

  1. 允许 10.0.0.0 网段 telent 登录AR1,不允许其他主机telnet登录路由器
  2. 设置接口如图所示

AR1接口配置

interface GigabitEthernet0/0/0
 ip address 30.0.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 30.0.0.2

AR2接口配置

interface GigabitEthernet0/0/0
 ip address 10.0.0.1 255.255.255.0 
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.2

AR3接口配置

interface GigabitEthernet0/0/0
 ip address 20.0.0.1 255.255.255.0 
#
ip route-static 0.0.0.0 0.0.0.0 20.0.0.2

AR4接口配置

interface GigabitEthernet0/0/0
 ip address 30.0.0.2 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 10.0.0.2 255.255.255.0 
#
interface GigabitEthernet1/0/0
 ip address 20.0.0.2 255.255.255.0 

下面开始配置ACL
在AR1路由器上配置策略ACL

[AR1]acl 2000
[AR1-acl-basic-2000]rule 5 permit source 10.0.0.0 0.0.0.255
[AR1-acl-basic-2000]rule 10 deny
[AR1-acl-basic-2000]quit
[AR1]user-interface vty 0 4
[AR1-ui-vty0-4]authentication-mode password 
Please configure the login password (maximum length 16):abc123,
[AR1-ui-vty0-4]acl 2000 inbound 
[AR1-ui-vty0-4]quit

或者,在AR4路由器上配置策略ACL,然后把策略应用到出接口上

[AR4]acl 3000
[AR4-acl-adv-3000]rule 5 deny tcp source 20.0.0.0 0.0.0.255 destination-port eq telnet 
[AR4-acl-adv-3000]quit
[AR4]interface GigabitEthernet 0/0/0
[AR4-GigabitEthernet0/0/0]traffic-filter outbound acl 3000

至此ACL配置完成,下面测试AR2和AR3登录AR1
在这里插入图片描述
在这里插入图片描述


网站公告

今日签到

点亮在社区的每一天
去签到