# Fundamentals of Network System Integration (Lab Hours): Lab 6

## Lab contents

1. Contents and characteristics of access control list (ACL) configuration.
2. Basic ACL experiment: build the topology (pc1+pc2)SW1>>R1>>R2>>SW2(pc3), configure default routes so that pc1, pc2 and pc3 can reach each other, then configure an ACL so that pc1 cannot reach pc3 (pc2 can still reach pc3).
3. Advanced ACL experiment: for the departments set up in the earlier company-network lab, do not allow the production department's PCs to ping the company web server, while still allowing them to browse its web pages.
4. For the department VLANs set up in the earlier company-network lab, add a corporate finance server that only PCs in the finance department's VLAN may access.

## Knowledge points

There are two kinds of ACL:

- Basic ACL (2000-2999): can only match the source IP address.
- Advanced ACL (3000-3999): can match the source IP, destination IP, source port, destination port and other layer-3 and layer-4 fields.

## Lab report

The lab must be completed independently, and the report must include the simulator configuration files.
Use the Huawei simulator or the Cisco simulator.

## 1. Contents and characteristics of ACL configuration

An access control list (ACL) is a packet-filtering access control technology: based on configured conditions, it filters the packets passing through a router or layer-3 switch, either forwarding or dropping them. ACLs are widely used in packet-filtering firewalls, traffic classification, quality of service (QoS) and other areas. The contents and characteristics of ACL configuration are described below.

### I. Contents of ACL configuration

#### 1. Basic ACL

A basic ACL is the simplest kind of ACL; it filters packets by source IP address only. Basic ACLs are numbered 2000-2999.

Example: create basic ACL 2000, permitting packets whose source IP belongs to 192.168.1.0/24:

```bash
acl number 2000
rule permit source 192.168.1.0 0.0.0.255
```

#### 2. Advanced ACL

An advanced ACL can filter packets on several conditions at once: source IP address, destination IP address, port number, protocol type and so on. Advanced ACLs are numbered 3000-3999.

Example: create advanced ACL 3000, permitting hosts in 10.1.1.0/24 to reach port 80 (www) on destinations in 20.1.1.0/24:

```bash
acl number 3000
rule permit tcp source 10.1.1.0 0.0.0.255 destination 20.1.1.0 0.0.0.255 destination-port eq www
```

#### 3. Applying an ACL

Once an ACL has been defined, it must be applied to an interface before it has any effect.

```bash
interface GigabitEthernet 0/0/1
traffic-filter inbound acl 2000
```

The commands above apply ACL 2000 in the inbound direction of interface GE0/0/1: packets entering the device through this interface are filtered according to the rules of ACL 2000.

### II. Characteristics of ACLs

#### 1. Rules are matched in order

The system checks the rules of an ACL one by one, in the order they were configured, starting from the first rule. As soon as a packet matches a rule, no further rules are checked. For this reason, a default permit or deny rule needs to be added at the end when configuring ACL rules.

#### 2. An interface can have more than one ACL applied

An ACL can be applied in both the inbound and the outbound direction of an interface, but only one ACL per direction. The same ACL can be applied to several interfaces.

#### 3. An ACL may contain several rules

An ACL can contain multiple permit or deny statements. A packet that matches a permit rule is forwarded; a packet that matches a deny rule is dropped; a packet that matches no rule is handled by the trailing implicit deny any.

#### 4. Hardware-based forwarding

ACL matching is performed in the hardware chip, so it consumes no CPU and gives high forwarding performance.

#### 5. Fine-grained traffic control

ACLs allow high-precision control of traffic, with a granularity down to specific IP addresses, ports and protocols. ACL configuration is also quite flexible, which places correspondingly high demands on the network administrator's skills.

#### 6. Limitations

An ACL cannot verify the integrity or authenticity of a packet, nor can it defend against the various kinds of network attack. In those scenarios it has to be combined with other security controls such as IPS and firewalls.

Thanks to their flexible matching rules and hardware-level forwarding performance, ACLs are widely used for traffic control and secure access control. Mastering ACL configuration and application lets a network administrator manage traffic precisely and improve network security and availability. In a real deployment, business requirements must be assessed thoroughly and the rules planned carefully, so that a misconfiguration does not degrade network performance.

## 2. Basic ACL experiment: build the topology (pc1+pc2)SW1>>R1>>R2>>SW2(pc3), configure default routes so that pc1, pc2 and pc3 can reach each other, then configure an ACL so that pc1 cannot reach pc3 (pc2 can still reach pc3)

### Topology

![](https://cmd.dayi.ink/uploads/upload_ce44810d35c51fea4895b0fb0f59b6f5.png)

### Routing configuration

RIPv2 was used.

#### AR1

```bash
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip addr 12.1.1.1 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 192.168.1.1 24
[Huawei-GigabitEthernet0/0/1]rip 1
[Huawei-rip-1]version 2
[Huawei-rip-1]network 192.168.1.0
[Huawei-rip-1]network 12.0.0.0
```

#### AR2

```bash
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip addr 12.1.1.2 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 172.10.0.1 16
[Huawei-GigabitEthernet0/0/1]
[Huawei-GigabitEthernet0/0/1]rip 1
[Huawei-rip-1]version 2
[Huawei-rip-1]network 172.10.0.0
[Huawei-rip-1]network 12.0.0.0
[Huawei-rip-1]
```

![](https://cmd.dayi.ink/uploads/upload_15216ad236b3335bb0bccbdb26dd6491.png)

#### If default routes are used instead

AR1

```bash
[Huawei]ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
```

AR2

```bash
[Huawei]ip route-static 0.0.0.0 0.0.0.0 12.1.1.1
```

![](https://cmd.dayi.ink/uploads/upload_55090d196fa56466af0d399ffc75077a.png)

### Test: pc1, pc2 and pc3 can reach each other

#### PC2->PC1

```bash
PC>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe20:2dff
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.1.11
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.1.1
Physical address..................: 54-89-98-20-2D-FF
DNS server........................:

PC>ping 192.168.1.10

Ping 192.168.1.10: 32 data bytes, Press Ctrl_C to break
From 192.168.1.10: bytes=32 seq=1 ttl=128 time=31 ms
From 192.168.1.10: bytes=32 seq=2 ttl=128 time=31 ms

--- 192.168.1.10 ping statistics ---
  2 packet(s) transmitted
  2 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/31/31 ms
```

![](https://cmd.dayi.ink/uploads/upload_a8bf8e400ff95e903bf2596056e99121.png)

#### PC2->PC3

```bash
PC>ping 172.10.0.10

Ping 172.10.0.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 172.10.0.10: bytes=32 seq=2 ttl=126 time=62 ms
From 172.10.0.10: bytes=32 seq=3 ttl=126 time=78 ms
From 172.10.0.10: bytes=32 seq=4 ttl=126 time=78 ms
From 172.10.0.10: bytes=32 seq=5 ttl=126 time=79 ms

--- 172.10.0.10 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/74/79 ms

PC>
```

![](https://cmd.dayi.ink/uploads/upload_79cc9d3531d7e7a94e172f7befe68b81.png)

### Configure an ACL so that pc1 cannot reach pc3 (pc2 can still reach pc3)

> A basic ACL cannot match the destination IP.

On R1 or R2:

```bash
[Huawei]acl 2000  # create a basic ACL numbered 2000
[Huawei-acl-basic-2000]rule deny source 192.168.1.10 0  # deny all traffic whose source IP is 192.168.1.10 (PC1); the 0 is short for the wildcard 0.0.0.0, i.e. exactly this one address, so all of PC1's traffic
[Huawei-acl-basic-2000]rule permit source any  # permit everything else
[Huawei-acl-basic-2000]quit
[Huawei]int g0/0/1  # enter the interface connected to SW3
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 2000  # apply ACL 2000 in the inbound direction
```

![](https://cmd.dayi.ink/uploads/upload_dbe95cb9cc519edeeb88ed9b188822e1.png)

#### Test: pc1 cannot reach pc3 (pc2 can still reach pc3)

##### PC2 can still reach PC3

```bash
PC>ping 172.10.0.10

Ping 172.10.0.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 172.10.0.10: bytes=32 seq=2 ttl=126 time=62 ms
From 172.10.0.10: bytes=32 seq=3 ttl=126 time=78 ms
From 172.10.0.10: bytes=32 seq=4 ttl=126 time=79 ms
From 172.10.0.10: bytes=32 seq=5 ttl=126 time=46 ms

--- 172.10.0.10 ping statistics ---
  5 packet(s) transmitted
  4 packet(s) received
  20.00% packet loss
  round-trip min/avg/max = 0/66/79 ms

PC>
```

![](https://cmd.dayi.ink/uploads/upload_1b167016a01300523c41d66e0b268db8.png)

##### PC1 can no longer reach PC3

```bash
PC>ping 172.10.0.10

Ping 172.10.0.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 172.10.0.10 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss
```

No corresponding ICMP packets appear on the router's outgoing interface: they have been blocked.

![](https://cmd.dayi.ink/uploads/upload_23942118c5e9409eec6c816abc0c5e04.png)

## 3. Advanced ACL experiment: for the departments set up in the earlier company-network lab, do not allow the production department's PCs to ping the company web server, while still allowing them to browse its web pages

### Topology

![](https://cmd.dayi.ink/uploads/upload_0949011fe08f3e8f487379d645519249.png)

### Configuration

#### Core

![](https://cmd.dayi.ink/uploads/upload_7caef861c1738ec529e68887a6ad4d45.png)

```bash
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]vlan b 10 20 30 100 200
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int vlanif10
[Huawei-Vlanif10]ip addr 192.168.10.1 24
[Huawei-Vlanif10]int vlanif20
[Huawei-Vlanif20]ip addr 192.168.20.1 24
[Huawei-Vlanif20]int vlanif30
[Huawei-Vlanif30]ip addr 192.168.30.1 24
[Huawei-Vlanif30]int vlanif200
[Huawei-Vlanif200]ip addr 10.22.22.2 24
[Huawei-Vlanif200]int vlanif100
[Huawei-Vlanif100]ip addr 192.168.100.1 24
[Huawei]ip route-static 0.0.0.0 0.0.0.0 10.22.22.1
[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]p l t
[Huawei-GigabitEthernet0/0/2]p t a v a
[Huawei-GigabitEthernet0/0/2]int g0/0/3
[Huawei-GigabitEthernet0/0/3]p l a
[Huawei-GigabitEthernet0/0/3]p d v 20
```

![](https://cmd.dayi.ink/uploads/upload_d202ca48598df9139dd774d1beda399c.png)

#### LSW2

```bash
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]vlan b 10 20 30 100 200
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]p l t
[Huawei-Ethernet0/0/1]p t a v a
[Huawei-Ethernet0/0/1]int e0/0/5
[Huawei-Ethernet0/0/5]p l a
[Huawei-Ethernet0/0/5]p d v 100
[Huawei-Ethernet0/0/5]int e0/0/2
[Huawei-Ethernet0/0/2]p l a
[Huawei-Ethernet0/0/2]p d v 10
[Huawei-Ethernet0/0/2]int e0/0/3
[Huawei-Ethernet0/0/3]p l a
[Huawei-Ethernet0/0/3]p d v 20
[Huawei-Ethernet0/0/3]int e0/0/4
[Huawei-Ethernet0/0/4]p l t
[Huawei-Ethernet0/0/4]p t a v a
```

![](https://cmd.dayi.ink/uploads/upload_0b0d121a90d5e5504b0e96c71ec9ae65.png)

#### LSW3

```bash
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]vlan b 10 20 30 100 200
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]p l t
[Huawei-Ethernet0/0/1]p t a v a
[Huawei-Ethernet0/0/1]int e0/0/2
[Huawei-Ethernet0/0/2]p l a
[Huawei-Ethernet0/0/2]p d v 30
[Huawei-Ethernet0/0/2]int e0/0/3
[Huawei-Ethernet0/0/3]p l a
[Huawei-Ethernet0/0/3]p d v 30
```

#### AR1

```bash
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip addr 10.22.22.1 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 202.194.222.1 24
```

### Test: all hosts can ping each other

#### PC1->PC2 (VLAN10->VLAN20)

![](https://cmd.dayi.ink/uploads/upload_b369764ea88437f0fb7c3658591783ac.png)

#### PC1->PC3 (VLAN10->VLAN30)

```bash
PC>ping 192.168.30.10

Ping 192.168.30.10: 32 data bytes, Press Ctrl_C to break
From 192.168.30.10: bytes=32 seq=1 ttl=127 time=172 ms
From 192.168.30.10: bytes=32 seq=2 ttl=127 time=94 ms

--- 192.168.30.10 ping statistics ---
  2 packet(s) transmitted
  2 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 94/133/172 ms
```

![](https://cmd.dayi.ink/uploads/upload_6150c43ccae2f7fa53b4bf42d3359105.png)

#### PC1->company server (VLAN10->VLAN100)

```bash
PC>ping 192.168.100.250

Ping 192.168.100.250: 32 data bytes, Press Ctrl_C to break
From 192.168.100.250: bytes=32 seq=1 ttl=254 time=94 ms

--- 192.168.100.250 ping statistics ---
  1 packet(s) transmitted
  1 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 94/94/94 ms
```

![](https://cmd.dayi.ink/uploads/upload_7c98e3105b6123b4aba3284b2793c12b.png)

#### VLAN20->VLAN30

```bash
PC>ping 192.168.30.10

Ping 192.168.30.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 192.168.30.10: bytes=32 seq=2 ttl=127 time=109 ms
From 192.168.30.10: bytes=32 seq=3 ttl=127 time=94 ms

--- 192.168.30.10 ping statistics ---
  3 packet(s) transmitted
  2 packet(s) received
  33.33% packet loss
  round-trip min/avg/max = 0/101/109 ms

PC>
```

![](https://cmd.dayi.ink/uploads/upload_3d2245f386561fc12e056be39b84475e.png)

### Advanced ACL: the production department's PCs may not ping the company web server, but may still browse its web pages

On the core switch:

![](https://cmd.dayi.ink/uploads/upload_5b7632b23a2c5c889795a17d40d8fe59.png)

```bash
[Huawei]acl 3000  # create advanced ACL 3000
[Huawei-acl-adv-3000]rule deny icmp source 192.168.10.0 0.0.0.255 destination 192.168.100.250 0  # deny pings from the production subnet to the server
[Huawei-acl-adv-3000]rule permit ip source any destination any  # permit everything else
[Huawei-acl-adv-3000]quit
[Huawei]int Vlanif 100  # enter the server VLAN interface
[Huawei-Vlanif100]traffic-filter inbound acl 3000  # apply ACL 3000 in the inbound direction
```

#### Company server configuration

##### Create index.html

![](https://cmd.dayi.ink/uploads/upload_340da33480217052474180d72abab5e5.png)

##### Start the HTTP server

![](https://cmd.dayi.ink/uploads/upload_40ea1ea44f1f17ade19cfd58ad5dc811.png)

#### Test

##### Ping no longer works

```bash
PC>ping 192.168.100.250

Ping 192.168.100.250: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
```

![](https://cmd.dayi.ink/uploads/upload_e20d3c680c120365dff9703017ca9331.png)

##### But the web page can still be accessed

![](https://cmd.dayi.ink/uploads/upload_7fa35978af89838f7bbec8cf394e822d.png)

Access succeeded!
![](https://cmd.dayi.ink/uploads/upload_520bf243f2a2777f6ceb65f2cba84c1c.png)

##### Other VLANs can still ping the server

VLAN30

![](https://cmd.dayi.ink/uploads/upload_c44f7f9aa702290da9a863e8585c509f.png)

VLAN20

![](https://cmd.dayi.ink/uploads/upload_b5e1d39aa0b560ec1b972e771fd14d3e.png)

## 4. For the department VLANs set up in the earlier company-network lab, add a corporate finance server that only PCs in the finance department's VLAN may access

### Configuration: core switch

This cannot be configured on the core switch. The problem is that the ACL is applied in the inbound direction of Vlanif 30, that is, to packets entering the core switch from the finance department's VLAN. Every packet in that direction has a source address in 192.168.30.0/24, and the destination addresses are the hosts of VLAN30, so the deny rule is never matched and the ACL has no effect in practice.

**The following configuration is ineffective.**

```bash
[Huawei]acl 3002  # create advanced ACL 3002
[Huawei-acl-adv-3002]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.30.250 0  # permit the finance subnet to reach the finance server
[Huawei-acl-adv-3002]rule deny ip source any destination 192.168.30.250 0  # deny all other traffic to the finance server
[Huawei-acl-adv-3002]q
[Huawei]int Vlanif 30  # enter the finance department's VLAN interface
[Huawei-Vlanif30]traffic-filter inbound acl 3002  # apply ACL 3002 in the inbound direction
```

### Configuration: it should be configured on LSW3

![](https://cmd.dayi.ink/uploads/upload_b05f516acee240988b2fe4691efdbced.png)

```bash
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]acl 3003
[Huawei-acl-adv-3003]rule permit ip source 192.168.30.0 0.0.0.255 destination 192.168.30.250 0
[Huawei-acl-adv-3003]rule deny ip source any destination 192.168.30.250 0
[Huawei-acl-adv-3003]rule permit ip source any destination any
[Huawei-acl-adv-3003]int e0/0/2
[Huawei-Ethernet0/0/2]traffic-filter inbound acl 3003
[Huawei-Ethernet0/0/2]
[Huawei-Ethernet0/0/2]traffic-filter outbound acl 3003
```

![](https://cmd.dayi.ink/uploads/upload_c2f0b21886c4876cf1ee5830e8ea5d1e.png)

That does it.

![](https://cmd.dayi.ink/uploads/upload_317f9ebd5e4064e3fb2a4d4c92db317d.png)

### Test

#### VLAN10 -> a non-server host in VLAN30

![](https://cmd.dayi.ink/uploads/upload_cfbd9275f76bc07a5e623e4cceee9d18.png)

#### VLAN10 -> the VLAN30 server

Not reachable.

![](https://cmd.dayi.ink/uploads/upload_325015b343bf61fd9a13f1d9fea07ad3.png)

#### VLAN30 -> the VLAN30 server

![](https://cmd.dayi.ink/uploads/upload_577249080ddba3a726ffb56aca9e46da.png)

## Configuration files

### First topology

![](https://cmd.dayi.ink/uploads/upload_0c7a6e4c812124cbaf36737ae2f611ae.png)

#### R1

```bash
[Huawei-GigabitEthernet0/0/1]dis cu
[V200R003C00]
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 undo info-center enable
#
 set cpu-usage threshold 80 restore 75
#
acl number 2000
 rule 5 deny source 192.168.1.10 0
 rule 10 permit
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 12.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 traffic-filter inbound acl 2000
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
rip 1
 version 2
 network 192.168.1.0
 network 12.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[Huawei-GigabitEthernet0/0/1]
```

#### R2

```bash
[Huawei]dis current-configuration
[V200R003C00]
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 undo info-center enable
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 12.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 172.10.0.1 255.255.0.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
rip 1
 version 2
 network 172.10.0.0
 network 12.0.0.0
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.1
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[Huawei]
```

### Second topology

![](https://cmd.dayi.ink/uploads/upload_3d15b85a100ee36e67c9aa821a97c392.png)

#### AR1

```bash
[Huawei]dis current-configuration
[V200R003C00]
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 undo info-center enable
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface GigabitEthernet0/0/0
 ip address 10.22.22.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 202.194.222.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[Huawei]
```

#### LSW1 (core switch)

```bash
[Huawei]dis current-configuration
#
sysname Huawei
#
undo info-center enable
#
vlan batch 10 20 30 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
acl number 3000
acl number 3001
acl number 3002
acl number 3003
acl number 3004
acl name all 3999
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 192.168.10.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.1 255.255.255.0
#
interface Vlanif30
 ip address 192.168.30.1 255.255.255.0
#
interface Vlanif100
 ip address 192.168.100.1 255.255.255.0
#
interface Vlanif200
 ip address 10.22.22.2 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 200
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
...
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.22.22.1
#
user-interface con 0
user-interface vty 0 4
#
return
[Huawei]
[Huawei]
```

#### LSW2

```bash
[Huawei]dis current-configuration
#
sysname Huawei
#
undo info-center enable
#
vlan batch 10 20 30 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 10
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 20
#
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/5
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/6
#
...
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
[Huawei]
```

#### LSW3

```bash
[Huawei-Ethernet0/0/2]dis current-configuration
#
sysname Huawei
#
undo info-center enable
#
vlan batch 10 20 30 100 200
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
acl number 3003
 rule 5 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.30.250 0
 rule 10 deny ip destination 192.168.30.250 0
 rule 15 permit ip
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 30
 traffic-filter inbound acl 3003
 traffic-filter outbound acl 3003
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 30
#
interface Ethernet0/0/4
#
...
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
[Huawei-Ethernet0/0/2]
[Huawei-Ethernet0/0/2]
```

## 0xFF: File download

Includes http.

![](https://cmd.dayi.ink/uploads/upload_e7bc467ad9aef4aa34b0f2cc6e8d1857.png)

t1-t2

![](https://cmd.dayi.ink/uploads/upload_6e2747b9f02be30d84216a287e796ba0.png)

t3-t4

![](https://cmd.dayi.ink/uploads/upload_b482c96a95650a8850df72c665311293.png)

<https://p.dabbit.net/blog/pic_bed/sharex/_pn-2024-06-11-10-36-57_Gilamonster_Lopsided_Perky.7z>
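## Added example: checking the lab's ACLs with a small matching model

The Python script below is an added worked example; it is not part of the lab report and not Huawei code. It models the ACL behaviour the report relies on: wildcard masks (including the `0` shorthand the report uses for a single host), first-match evaluation (section 1, II.1), the basic/advanced distinction (a basic ACL may only look at the source, section 1 and the note in section 2), and the placement problem of section 4. It then transcribes ACLs 2000, 3000 and 3003 exactly as configured and derives the outcome of each test in sections 2 to 4. The `Packet`, `Rule` and `Acl` classes, the helper names and the `default` action parameter are this example's own inventions; the direction model (an inbound filter on Vlanif30 only sees packets sent by VLAN30 hosts) is a deliberate simplification, not a statement about how VRP implements `traffic-filter`; the TCP/445 flows to the finance server are constructed sample traffic.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'.
    The report writes '0' for a single host: that is 0.0.0.0, every bit must match."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass(frozen=True)
class Packet:                   # this example's own type
    src: str
    dst: str
    proto: str                  # "icmp", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:                     # one 'rule ...' line; the defaults mean 'any'
    action: str                 # "permit" or "deny"
    proto: str = "ip"           # "ip" matches every IP protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        return self.dport is None or self.dport == p.dport


class Acl:
    """First match decides (section 1, II.1). 'default' applies when no rule matches;
    every ACL in this report ends with an explicit catch-all rule, so it never decides here."""

    def __init__(self, number: int, rules: list, default: str = "permit"):
        if 2000 <= number <= 2999:          # basic ACL: source address only
            for r in rules:
                if r.proto != "ip" or r.dst_wc != "255.255.255.255" or r.dport is not None:
                    raise ValueError("basic ACL %d can only match the source" % number)
        self.number, self.rules, self.default = number, rules, default

    def evaluate(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


# The three ACLs of the report, transcribed rule by rule.
ACL_2000 = Acl(2000, [Rule("deny", src="192.168.1.10", src_wc="0"), Rule("permit")])
ACL_3000 = Acl(3000, [Rule("deny", "icmp", "192.168.10.0", "0.0.0.255", "192.168.100.250", "0"),
                      Rule("permit")])
ACL_3003 = Acl(3003, [Rule("permit", "ip", "192.168.30.0", "0.0.0.255", "192.168.30.250", "0"),
                      Rule("deny", dst="192.168.30.250", dst_wc="0"),
                      Rule("permit")])


def core_vlanif30_inbound_forwards(p: Packet, acl: Acl = ACL_3003) -> bool:
    """Section 4, ineffective placement (simplified model): an inbound filter on Vlanif30
    only examines packets sent by VLAN30 hosts; anything else is forwarded unchecked."""
    if IPv4Address(p.src) in IPv4Network("192.168.30.0/24"):
        return acl.evaluate(p) == "permit"
    return True


def lsw3_server_port_outbound_forwards(p: Packet, acl: Acl = ACL_3003) -> bool:
    """Section 4, working placement: an outbound filter on the server's access port
    sees every packet heading to the server, whichever VLAN it came from."""
    return acl.evaluate(p) == "permit"


def lab_results() -> dict:
    """Outcome of each test in sections 2 to 4, derived from the rules alone."""
    pc1 = Packet("192.168.1.10", "172.10.0.10", "icmp")
    pc2 = Packet("192.168.1.11", "172.10.0.10", "icmp")
    prod_ping = Packet("192.168.10.10", "192.168.100.250", "icmp")
    prod_web = Packet("192.168.10.10", "192.168.100.250", "tcp", 80)
    vlan10_fin = Packet("192.168.10.10", "192.168.30.250", "tcp", 445)   # constructed sample flow
    vlan30_fin = Packet("192.168.30.10", "192.168.30.250", "tcp", 445)   # constructed sample flow
    return {
        "sec2 pc1 -> pc3": ACL_2000.evaluate(pc1),
        "sec2 pc2 -> pc3": ACL_2000.evaluate(pc2),
        "sec3 production ping server": ACL_3000.evaluate(prod_ping),
        "sec3 production web server": ACL_3000.evaluate(prod_web),
        "sec4 core Vlanif30 forwards vlan10": core_vlanif30_inbound_forwards(vlan10_fin),
        "sec4 LSW3 port forwards vlan10": lsw3_server_port_outbound_forwards(vlan10_fin),
        "sec4 LSW3 port forwards vlan30": lsw3_server_port_outbound_forwards(vlan30_fin),
    }
```

Calling `lab_results()` gives `deny` for PC1 and `permit` for PC2 in section 2, `deny` for the production ping and `permit` for its web traffic in section 3, and for section 4 shows the core placement forwarding the VLAN10 flow untouched while the LSW3 port filter drops it and still admits the VLAN30 flow. Swapping the first two rules of `ACL_3003` makes the finance hosts lose access as well, which is why the permit for 192.168.30.0/24 has to come before the deny in the report's configuration.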