Huawei ACL (Access Control Lists): Do You Really Get It? A Must-Read Lab

1: Lab objectives

1. Full network reachability
2. Use a basic ACL to block communication between VLAN 10 and VLAN 20
3. Use an advanced (extended) ACL to block AR1 from reaching the FTP server

2: Lab environment

4 PCs
2 routers
1 switch
1 server

3: Lab topology diagram

(topology diagram not reproduced; addressing follows from the configuration below: VLAN 10 = 192.168.10.0/24, VLAN 20 = 192.168.20.0/24, R1-R2 link = 12.1.1.0/24, server segment = 202.10.100.0/24)

4: Lab configuration

4.1: Full network reachability

SW1 (access ports for the PCs in VLAN 10 and VLAN 20, trunk uplink to R1):
<Huawei>undo terminal monitor
<Huawei>system-view
[Huawei]sysname SW1
[SW1]user-interface console 0
[SW1-ui-console0]idle-timeout 0 0
[SW1-ui-console0]quit
[SW1]vlan batch 10 20
[SW1]interface Ethernet0/0/1
[SW1-Ethernet0/0/1]port link-type access
[SW1-Ethernet0/0/1]port default vlan 10
[SW1-Ethernet0/0/1]interface Ethernet0/0/2
[SW1-Ethernet0/0/2]port link-type access
[SW1-Ethernet0/0/2]port default vlan 20
[SW1-Ethernet0/0/2]interface Ethernet0/0/3
[SW1-Ethernet0/0/3]port link-type access
[SW1-Ethernet0/0/3]port default vlan 10
[SW1-Ethernet0/0/3]interface Ethernet0/0/4
[SW1-Ethernet0/0/4]port link-type access
[SW1-Ethernet0/0/4]port default vlan 20
[SW1-Ethernet0/0/4]interface GigabitEthernet0/0/1
[SW1-GigabitEthernet0/0/1]port link-type trunk
[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
R1 (router-on-a-stick: one dot1q sub-interface per VLAN, default route toward R2):
<Huawei>undo terminal monitor
<Huawei>system-view
[Huawei]sysname R1
[R1]user-interface console 0
[R1-ui-console0]idle-timeout 0 0
[R1-ui-console0]quit
[R1]interface GigabitEthernet0/0/1
[R1-GigabitEthernet0/0/1]ip address 12.1.1.1 24
[R1-GigabitEthernet0/0/1]interface GigabitEthernet0/0/0.10
[R1-GigabitEthernet0/0/0.10]ip address 192.168.10.1 24
[R1-GigabitEthernet0/0/0.10]dot1q termination vid 10
[R1-GigabitEthernet0/0/0.10]arp broadcast enable
[R1-GigabitEthernet0/0/0.10]interface GigabitEthernet0/0/0.20
[R1-GigabitEthernet0/0/0.20]ip address 192.168.20.1 24
[R1-GigabitEthernet0/0/0.20]dot1q termination vid 20
[R1-GigabitEthernet0/0/0.20]arp broadcast enable
[R1-GigabitEthernet0/0/0.20]quit
[R1]ip route-static 0.0.0.0 0 12.1.1.2
R2 (link to R1 plus the server segment, static routes back to both VLANs):
<Huawei>undo terminal monitor
<Huawei>system-view
[Huawei]sysname R2
[R2]user-interface console 0
[R2-ui-console0]idle-timeout 0 0
[R2-ui-console0]quit
[R2]interface GigabitEthernet0/0/1
[R2-GigabitEthernet0/0/1]ip address 12.1.1.2 24
[R2-GigabitEthernet0/0/1]interface GigabitEthernet0/0/0
[R2-GigabitEthernet0/0/0]ip address 202.10.100.1 24
[R2-GigabitEthernet0/0/0]quit
[R2]ip route-static 192.168.10.0 24 12.1.1.1
[R2]ip route-static 192.168.20.0 24 12.1.1.1


4.2: Use a basic ACL to block communication between VLAN 10 and VLAN 20

A basic ACL (2000-2999) matches on source address only. Applied outbound on the VLAN 20 sub-interface, it drops every packet from 192.168.10.0/24 that is about to leave toward VLAN 20. Packets from VLAN 20 to VLAN 10 are not filtered, but the replies from VLAN 10 are, so neither VLAN can complete a conversation with the other.

[R1]acl 2000
[R1-acl-basic-2000]rule deny source 192.168.10.0 0.0.0.255
[R1-acl-basic-2000]rule permit source any
[R1-acl-basic-2000]interface GigabitEthernet0/0/0.20
[R1-GigabitEthernet0/0/0.20]traffic-filter outbound acl 2000


4.3: Use an advanced (extended) ACL to block AR1 from reaching the FTP server

Here router R1 is used as the client in the simulation. An advanced ACL (3000-3999) can match on protocol, source, destination and port: the two deny rules match TCP from R1's own address 12.1.1.1 to the FTP server 202.10.100.100 on port 21 (control) and port 20 (data), and the final rule permits everything else. The filter is applied inbound on R2's interface toward R1.

[R2]acl 3000
[R2-acl-adv-3000]rule deny tcp source 12.1.1.1 0.0.0.0 destination 202.10.100.100 0.0.0.0 destination-port eq 21
[R2-acl-adv-3000]rule deny tcp source 12.1.1.1 0.0.0.0 destination 202.10.100.100 0.0.0.0 destination-port eq 20
[R2-acl-adv-3000]rule permit ip source any destination any
[R2-acl-adv-3000]interface GigabitEthernet0/0/1
[R2-GigabitEthernet0/0/1]traffic-filter inbound acl 3000
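To see exactly which packets the two ACLs in 4.2 and 4.3 will drop, the following added example (not part of the original lab, and not Huawei's own code) models how a VRP traffic-filter evaluates an ACL: wildcard masks where a 0 bit must match and a 1 bit is "don't care", first-match rule order (the default config-order matching), and the traffic-filter behaviour that a packet matching no rule is forwarded. The sample packets are constructed; host addresses such as 192.168.10.10 are assumptions, since the page does not list the PC addresses.

```python
"""Model of Huawei VRP ACL evaluation (added example, not from the original lab).

Modelled semantics:
  - wildcard mask: 0 bit = must match, 1 bit = don't care
    (0.0.0.0 = exact host, 0.0.0.255 = whole /24)
  - rules are checked in configuration order; the first match decides
  - a packet matching no rule is permitted by traffic-filter
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0"             # "source any" == 0.0.0.0 255.255.255.255
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    proto: Optional[str] = None      # None or "ip" = any protocol
    dport: Optional[int] = None      # None = any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """True if addr matches rule_addr under a Huawei/Cisco-style wildcard mask."""
    a = int(IPv4Address(addr))
    r = int(IPv4Address(rule_addr))
    w = int(IPv4Address(wildcard))
    # OR-ing the wildcard in forces every "don't care" bit to 1 on both sides,
    # so only the bits the mask marks as significant are compared.
    return (a | w) == (r | w)


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action the first matching rule applies, or 'permit' if none match."""
    for rule in acl:
        if not wildcard_match(pkt.src, rule.src, rule.src_wc):
            continue
        if not wildcard_match(pkt.dst, rule.dst, rule.dst_wc):
            continue
        if rule.proto not in (None, "ip") and rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return "permit"  # traffic-filter forwards packets that match no rule


# ACL 2000 from section 4.2 (basic ACL: source address only).
ACL_2000 = [
    Rule("deny", src="192.168.10.0", src_wc="0.0.0.255"),
    Rule("permit"),
]

# ACL 3000 from section 4.3 (advanced ACL: protocol, src, dst, port).
FTP_SERVER = "202.10.100.100"
ACL_3000 = [
    Rule("deny", src="12.1.1.1", src_wc="0.0.0.0",
         dst=FTP_SERVER, dst_wc="0.0.0.0", proto="tcp", dport=21),
    Rule("deny", src="12.1.1.1", src_wc="0.0.0.0",
         dst=FTP_SERVER, dst_wc="0.0.0.0", proto="tcp", dport=20),
    Rule("permit", proto="ip"),
]


def lab_results() -> Dict[str, str]:
    """Evaluate constructed sample packets against the two lab ACLs.

    PC addresses (192.168.10.10, 192.168.20.10) are assumed; the page does not give them.
    ACL 2000 only sees traffic leaving R1's G0/0/0.20 toward VLAN 20, and ACL 3000
    only sees traffic arriving at R2 from R1, so each packet is checked against the
    ACL that would actually be in its path.
    """
    return {
        # outbound on G0/0/0.20: VLAN 10 -> VLAN 20, and the replies VLAN 10 sends back
        "vlan10_to_vlan20": evaluate(ACL_2000, Packet("192.168.10.10", "192.168.20.10")),
        # VLAN 20 -> VLAN 10 leaves via G0/0/0.10, which carries no filter; shown against
        # ACL 2000 anyway to make clear the deny rule never matches this direction
        "vlan20_to_vlan10": evaluate(ACL_2000, Packet("192.168.20.10", "192.168.10.10")),
        # inbound on R2 G0/0/1: R1 itself to the FTP control and data ports
        "r1_ftp_control": evaluate(ACL_3000, Packet("12.1.1.1", FTP_SERVER, "tcp", 21)),
        "r1_ftp_data": evaluate(ACL_3000, Packet("12.1.1.1", FTP_SERVER, "tcp", 20)),
        # R1 to any other port on the same server is still allowed
        "r1_http": evaluate(ACL_3000, Packet("12.1.1.1", FTP_SERVER, "tcp", 80)),
        # a VLAN 10 PC keeps its own source address (no NAT is configured), so the
        # host-specific deny for 12.1.1.1 does not apply to it
        "pc_ftp_control": evaluate(ACL_3000, Packet("192.168.10.10", FTP_SERVER, "tcp", 21)),
    }


if __name__ == "__main__":
    for name, verdict in lab_results().items():
        print(f"{name:18s} -> {verdict}")
```

Two points the output makes visible that the CLI alone does not: ACL 2000's single deny is enough to break both directions because the VLAN 10 replies are what it drops, and ACL 3000 as written blocks only R1's own address, so a PC behind R1 still reaches the FTP server unless its /24 is added as a source.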


Reposted from blog.csdn.net/m0_47219942/article/details/107675739