IT博客-刘锐欢迎你的到来!-文章分类-华为网络技术

IT博客-刘锐欢迎你的到来!-文章分类-华为网络技术http://www.cnitblog.com/liserui/category/2458.html<P><IMG height=50 alt=ms_masthead_10x7a_ltr.jpg src="http://www.cnitblog.com/images/cnitblog_com/liserui/ms_masthead_10x7a_ltr.jpg" width=140 border=0>          <IMG height=70 alt=mcse.gif src="http://www.cnitblog.com/images/cnitblog_com/liserui/mcse.gif" width=150 border=0>              <IMG height=70 alt=mcp.gif src="http://www.cnitblog.com/images/cnitblog_com/liserui/mcp.gif" width=150 border=0>           <IMG height=60 alt=huawei.gif src="http://www.cnitblog.com/images/cnitblog_com/liserui/huawei.gif" width=100 border=0>              <IMG height=73 alt=logo.gif src="http://www.cnitblog.com/images/cnitblog_com/liserui/logo.gif" width=110 border=0></P> zh-cnThu, 29 Sep 2011 14:45:55 GMTThu, 29 Sep 2011 14:45:55 GMT60华为访问列表的一些资料http://www.cnitblog.com/liserui/articles/9548.htmlwww.liserui.cnitblog.comwww.liserui.cnitblog.comSat, 22 Apr 2006 12:24:00 GMThttp://www.cnitblog.com/liserui/articles/9548.htmlhttp://www.cnitblog.com/liserui/comments/9548.htmlhttp://www.cnitblog.com/liserui/articles/9548.html#Feedback0http://www.cnitblog.com/liserui/comments/commentRss/9548.htmlhttp://www.cnitblog.com/liserui/services/trackbacks/9548.html标准ACL：列表号1-99，只限制源地址
---------------------------------------------------------
[Router1]acl 1             --只允许一台主机的流量通过
[Router1-acl-1]rule permit source 192.168.0.99 0.0.0.0
[Router1-acl-1]rule deny source any

192.168.0.99 0.0.0.0可以简写为192.168.0.99 0或者192.168.0.99

[Router1]acl 2             --只允许一个网段的流量通过
[Router1-acl-2]rule permit source 192.168.0.99 0.0.0.255
[Router1-acl-2]rule deny source any

[Router1]acl 3             --拒绝一台主机的流量
[Router1-acl-3]rule deny source 192.168.0.99 0

[Router1]acl 4             --拒绝一个网段的流量
[Router1-acl-4]rule deny source 192.168.0.99 0.0.0.255

[Router1]int e0          --在接口上应用ACL和取消ACL的应用
[Router1-Ethernet0]firewall packet-filter 1 inbound
[Router1-Ethernet0]undo firewall packet-filter 1 inbound
[Router1-Ethernet0]firewall packet-filter 2 inbound
[Router1-Ethernet0]undo firewall packet-filter 2 in
[Router1-Ethernet0]firewall packet-filter 3 in
[Router1-Ethernet0]undo firewall packet-filter 3 in
[Router1-Ethernet0]firewall packet-filter 4 in
[Router1-Ethernet0]undo firewall packet-filter 4 in

[Router1]display acl       --显示所配置的所有ACL
[Router1]undo acl 4       --删除某一个ACL
============================================================================
扩展ACL：列表号100-199，可针对源地址、目标地址、协议、端口进行筛选
------------------------------------------------------------------
[RA]acl 110    --禁止主机99和所用网段间的ICMP流量,互相都PING不通
[RA-acl-100]rule deny icmp source 192.168.0.99 0 destination any

[RA]acl 111    --99 PING其它网段PING不通,其它网段可以PING通99
[RA-acl-101]rule deny icmp source 192.168.0.99 0 destination any icmp-type echo

[RA]acl 112    --99 能够PING通其它网段,其它网段PING不通99
[RA-acl-102]rule deny icmp source 192.168.0.99 0 destination any icmp-type echo-reply

[Router1]acl 101          --拒绝192.168.0.0网段到131.107.0.0网段的telnet流量
[Router1-acl-101]rule deny tcp source 192.168.0.99 0.0.0.255 des 131.107.0.0 0.0.255.255 eq telnet

[Router1]acl 102          --只允许一台主机到所有网段的Telnet流量
[Router1-acl-102]rule permit tcp source 192.168.0.99 0 des any eq 23
[Router1-acl-102]rule deny ip source any des any

[Router1]int e0
[Router1-Ethernet0]firewall packet-filter 100 in
[Router1-Ethernet0]undo firewall pack 100 in
[Router1-Ethernet0]firewall packet-filter 101 in
[Router1-Ethernet0]undo firewall pack 101 in
[Router1-Ethernet0]firewall packet-filter 102 in
[Router1-Ethernet0]undo firewall pack 102 in

[Router1]acl 103 --样例：只允许外网访问内网的WWW、FTP、DNS服务，其它流量拒绝
[Router1-acl-103]rule permit tcp source any des 192.168.0.0 0.0.0.255 eq www
[Router1-acl-103]rule permit tcp source any des 192.168.0.0 0.0.0.255 eq ftp
[Router1-acl-103]rule permit tcp source any des 192.168.0.0 0.0.0.255 eq 53
[Router1-acl-103]rule permit udp source any des 192.168.0.0 0.0.0.255 eq 53
[Router1-acl-103]rule deny ip source any des 192.168.0.0 0.0.0.255
[Router1-acl-103]quit
[Router1]int s0
[Router1-Serial0]firewall pack 103 in
====================================================================================
时间段的过滤：使ACL只在特定的时间生效
----------------------------------------------------
[Router1]clock 14:09:40 11 3 2005                --先调整路由器时钟
[Router1]display clock
  Current router time:14:09:50 Mar 11 2005
[Router1]timerang enable                         --启用时间段过滤
[Router1]settr 8:00 10:00 11:30 13:30 14:15 15:30  --设置时间段
[Router1]display timerang                         --显示所配置的时间段
  TimeRange packet-filtering enable.
  beginning of time range:
   08:00 - 10:00
   11:30 - 13:30
   14:15 - 15:30
  end of time range.
[Router1]display isintr             --显示当前是否在所配置的时间段内
[Router1]acl 1
[Router1-acl-1]rule special deny source 192.168.0.99 0  --special:规则在所设时间段内生效
[Router1-acl-1]rule normal deny source 192.168.0.100 0  --normal:规则在所设时间段外生效
[Router1-acl-1]quit
[Router1]interface ethernet 0
[Router1-Ethernet0]firewall packet-filter 1 inbound
====================================================================================
在同一个访问列表中的不同规则冲突：AUTO深度优先 CONFIG先加入的规则优先
------------------------------------------------------
[Router1]acl 10          --不指明时，缺省为AUTO

[Router1]acl 10 match-order auto    --ACL10主机99流量可以通过
[Router1-acl-10]rule deny source 192.168.0.99 0.0.0.255
[Router1-acl-10]rule permit source 192.168.0.99 0

[Router1]acl 11 match-order config --ACL11主机99流量不能通过
[Router1-acl-11]rule deny source 192.168.0.99 0.0.0.255
[Router1-acl-11]rule permit source 192.168.0.99 0

[Router1]int e0
[Router1-Ethernet0]firewall packet 10 in
[Router1-Ethernet0]undo firewall packet 10 in
[Router1-Ethernet0]firewall packet 11 in
[Router1-Ethernet0]undo firewall packet 11 in
=====================================================================================
在华为路由器的一个接口上可以同时应用多条ACL,如果
不同访问列表的规则发生冲突,列表号大的ACL所配置的规则优先
---------------------------------------------------
[RA]acl 1
[RA-acl-1]rule deny source 192.168.0.99 0
[RA-acl-1]quit

[RA]acl 2
[RA-acl-2]rule permit source 192.168.0.99 0
[RA-acl-2]rule deny source any
[RA-acl-2]quit

[RA]int e0
[RA-Ethernet0]firewall packet-filter 1 inbound
[RA-Ethernet0]firewall packet-filter 2 inbound  --结果因为ACL 2优先,所以99的流量被允许通过.
======================================================================================

www.liserui.cnitblog.com 2006-04-22 20:24 发表评论

]]>华为2621防病毒列表http://www.cnitblog.com/liserui/articles/9547.htmlwww.liserui.cnitblog.comwww.liserui.cnitblog.comSat, 22 Apr 2006 12:20:00 GMThttp://www.cnitblog.com/liserui/articles/9547.htmlhttp://www.cnitblog.com/liserui/comments/9547.htmlhttp://www.cnitblog.com/liserui/articles/9547.html#Feedback0http://www.cnitblog.com/liserui/comments/commentRss/9547.htmlhttp://www.cnitblog.com/liserui/services/trackbacks/9547.html rule normal deny udp source any destination any destination-port equal tftp
rule normal deny tcp source any destination any destination-port equal 135
rule normal deny udp source any destination any destination-port equal 135
rule normal deny udp source any destination any destination-port equal netbios-ns
rule normal deny udp source any destination any destination-port equal netbios-dgm
rule normal deny tcp source any destination any destination-port equal 139
rule normal deny udp source any destination any destination-port equal netbios-ssn
rule normal deny tcp source any destination any destination-port equal 445
rule normal deny udp source any destination any destination-port equal 445
rule normal deny udp source any destination any destination-port equal 539
rule normal deny udp source any destination any destination-port equal 593
rule normal deny tcp source any destination any destination-port equal 593
rule normal deny udp source any destination any destination-port equal 1434
rule normal deny tcp source any destination any destination-port equal 4444
rule normal deny tcp source any destination any destination-port equal 9996
rule normal deny tcp source any destination any destination-port equal 5554
rule normal deny udp source any destination any destination-port equal 5554
rule normal deny tcp source any destination any destination-port equal 137
rule normal deny tcp source any destination any destination-port equal 138
rule normal deny tcp source any destination any destination-port equal 1025
rule normal deny udp source any destination any destination-port equal 1025
rule normal deny tcp source any destination any destination-port equal 9995
rule normal deny udp source any destination any destination-port equal 9995
rule normal deny tcp source any destination any destination-port equal 1068
rule normal deny udp source any destination any destination-port equal 1068
rule normal deny tcp source any destination any destination-port equal 1023
rule normal deny udp source any destination any destination-port equal 1023

www.liserui.cnitblog.com 2006-04-22 20:20 发表评论

]]>网络中端到端流量的管理白皮书http://www.cnitblog.com/liserui/articles/9160.htmlwww.liserui.cnitblog.comwww.liserui.cnitblog.comThu, 13 Apr 2006 22:00:00 GMThttp://www.cnitblog.com/liserui/articles/9160.htmlhttp://www.cnitblog.com/liserui/comments/9160.htmlhttp://www.cnitblog.com/liserui/articles/9160.html#Feedback0http://www.cnitblog.com/liserui/comments/commentRss/9160.htmlhttp://www.cnitblog.com/liserui/services/trackbacks/9160.html阅读全文

www.liserui.cnitblog.com 2006-04-14 06:00 发表评论

]]>