ACL Access Control List Configuration Example (2)

Reader contribution  242  2022-09-24

Named access control lists

Requirements: PC2 in VLAN 10 may reach PC1; every other host in VLAN 10 is denied access to PC1; hosts in the other subnets may reach PC1.

1. Build the lab topology in GNS3 and label the host interfaces, IP addresses, requirements and gateways in the topology area, as shown in the diagram:

2. Power on all devices and configure the VLANs on the Layer 2 switch first.

sw#conf t   // enter global configuration mode
Enter configuration commands, one per line.  End with CNTL/Z.
sw(config)#vlan 10,20   // create the VLANs
sw(config-vlan)#ex   // leave VLAN configuration mode
sw(config)#do show vlan-sw b   // verify the VLANs

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/1, Fa1/2, Fa1/3
                                                Fa1/4, Fa1/5, Fa1/6, Fa1/7
                                                Fa1/8, Fa1/9, Fa1/10, Fa1/11
                                                Fa1/12, Fa1/13, Fa1/14, Fa1/15
10   VLAN0010                         active
20   VLAN0020                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

sw(config)#int range fa1/1 -2   // enter interface range f1/1 to f1/2
sw(config-if-range)#sw mo acc   // switchport mode access
sw(config-if-range)#sw access vlan 10   // assign the ports to VLAN 10
sw(config-if-range)#ex
sw(config)#do show vlan-sw b   // confirm the ports joined the VLAN

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/3, Fa1/4, Fa1/5
                                                Fa1/6, Fa1/7, Fa1/8, Fa1/9
                                                Fa1/10, Fa1/11, Fa1/12, Fa1/13
                                                Fa1/14, Fa1/15
10   VLAN0010                         active    Fa1/1, Fa1/2   // added successfully
20   VLAN0020                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

sw(config)#int f1/3   // enter interface f1/3
sw(config-if)#sw mo acc
sw(config-if)#sw acc vlan 20   // assign the port to VLAN 20
sw(config-if)#ex
sw(config)#do show vlan-sw b   // verify

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/4, Fa1/5, Fa1/6
                                                Fa1/7, Fa1/8, Fa1/9, Fa1/10
                                                Fa1/11, Fa1/12, Fa1/13, Fa1/14
                                                Fa1/15
10   VLAN0010                         active    Fa1/1, Fa1/2
20   VLAN0020                         active    Fa1/3   // added successfully
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

sw(config)#int f1/0   // enter interface f1/0 (uplink to the Layer 3 switch)
sw(config-if)#sw mo t   // make the port a trunk
sw(config-if)#
*Mar  1 00:06:52.483: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunk
sw(config-if)#sw t encapsulation dot1q   // set the trunk encapsulation
sw(config-if)#ex
sw(config)#no ip routing   // this switch only bridges; routing stays on sw-3

Two notes on the trunk. On many Catalyst platforms `switchport trunk encapsulation dot1q` must be entered before `switchport mode trunk` (the mode command is rejected while the encapsulation is still auto); the image used here accepted the reverse order. The trunk was brought up by DTP, so on a production switch add `switchport nonegotiate` on the trunk port and keep every user-facing port in `switchport mode access`, so that a host cannot negotiate a trunk and hop into another VLAN.

3. On the Layer 3 switch, add the interface IP addresses.

sw-3#conf t   // enter global configuration mode
Enter configuration commands, one per line.  End with CNTL/Z.
sw-3(config)#int f1/1   // enter interface f1/1 (the port facing PC1)
sw-3(config-if)#no switchport   // make it a routed port
*Mar  1 00:11:19.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
sw-3(config-if)#ip add 192.168.100.1 255.255.255.0   // PC1's gateway address
sw-3(config-if)#no shut   // bring the interface up
sw-3(config-if)#do show ip int b   // verify

Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES unset  administratively down down
FastEthernet0/1        unassigned      YES unset  administratively down down
FastEthernet1/0        unassigned      YES unset  up                    up
FastEthernet1/1        192.168.100.1   YES manual up                    up     // gateway address added
FastEthernet1/2        unassigned      YES unset  up                    down
FastEthernet1/3        unassigned      YES unset  up                    down
FastEthernet1/4        unassigned      YES unset  up                    down
FastEthernet1/5        unassigned      YES unset  up                    down
FastEthernet1/6        unassigned      YES unset  up                    down
FastEthernet1/7        unassigned      YES unset  up                    down
FastEthernet1/8        unassigned      YES unset  up                    down

sw-3(config-if)#ex
sw-3(config)#vlan 10,20   // create the VLANs
sw-3(config-vlan)#int vlan 10   // enter SVI for VLAN 10
sw-3(config-if)#ip add 192.168.10.1 255.255.255.0   // VLAN 10 gateway
sw-3(config-if)#no shut
sw-3(config-if)#ex
sw-3(config)#int vlan 20   // enter SVI for VLAN 20
sw-3(config-if)#ip add 192.168.20.1 255.255.255.0   // VLAN 20 gateway
sw-3(config-if)#no shut
sw-3(config-if)#ex
sw-3(config)#do show ip int b   // verify

Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES unset  administratively down down
FastEthernet0/1        unassigned      YES unset  administratively down down
FastEthernet1/0        unassigned      YES unset  up                    up
FastEthernet1/1        192.168.100.1   YES manual up                    up     // gateway address added
FastEthernet1/2        unassigned      YES unset  up                    down
FastEthernet1/3        unassigned      YES unset  up                    down
FastEthernet1/4        unassigned      YES unset  up                    down
FastEthernet1/5        unassigned      YES unset  up                    down
FastEthernet1/6        unassigned      YES unset  up                    down
FastEthernet1/7        unassigned      YES unset  up                    down
FastEthernet1/8        unassigned      YES unset  up                    down
FastEthernet1/9        unassigned      YES unset  up                    down
FastEthernet1/10       unassigned      YES unset  up                    down
FastEthernet1/11       unassigned      YES unset  up                    down
FastEthernet1/12       unassigned      YES unset  up                    down
FastEthernet1/13       unassigned      YES unset  up                    down
FastEthernet1/14       unassigned      YES unset  up                    down
FastEthernet1/15       unassigned      YES unset  up                    down
Vlan1                  unassigned      YES unset  up                    up
Vlan10                 192.168.10.1    YES manual up                    down   // gateway added; protocol stays down until a port in VLAN 10 comes up
Vlan20                 192.168.20.1    YES manual up                    down

sw-3(config)#int f1/0   // enter interface f1/0 (uplink to sw)
sw-3(config-if)#sw mo t   // make the port a trunk
*Mar  1 00:16:07.979: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunk
*Mar  1 00:16:08.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
*Mar  1 00:16:08.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
sw-3(config-if)#sw t encapsulation dot1q   // set the trunk encapsulation
sw-3(config-if)#do show ip rout   // view the routing table

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.10.0/24 is directly connected, Vlan10
C    192.168.20.0/24 is directly connected, Vlan20   // connected routes for both VLANs are present
C    192.168.100.0/24 is directly connected, FastEthernet1/1

The SVIs only come up once the trunk carries their VLANs, which is why Vlan10 and Vlan20 show up/down before `switchport mode trunk` and the two `%LINEPROTO-5-UPDOWN` messages follow it.

4. Configure the IP address on each PC and test connectivity between the four PCs.

PC1> ip 192.168.100.100 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1

PC2> ip 192.168.10.10 192.168.10.1
Checking for duplicate address...
PC2 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1

PC3> ip 192.168.10.20 192.168.10.1
Checking for duplicate address...
PC3 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1

PC4> ip 192.168.20.20 192.168.20.1
Checking for duplicate address...
PC4 : 192.168.20.20 255.255.255.0 gateway 192.168.20.1

PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=21.556 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=15.601 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=22.945 ms

PC2> ping 192.168.10.20
84 bytes from 192.168.10.20 icmp_seq=1 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=2 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=3 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=4 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=5 ttl=64 time=0.000 ms

PC2> ping 192.168.20.20
84 bytes from 192.168.20.20 icmp_seq=1 ttl=63 time=16.954 ms
84 bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=20.944 ms
84 bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=23.487 ms
84 bytes from 192.168.20.20 icmp_seq=4 ttl=63 time=13.997 ms
84 bytes from 192.168.20.20 icmp_seq=5 ttl=63 time=18.998 ms

Before any ACL is applied, every PC can reach every other PC. The first probes to a host in another subnet time out while ARP resolves; the replies arrive with ttl=63 (one hop through sw-3) versus ttl=64 from PC3 in the same VLAN, which confirms the routed path.

5. Configure the named access control list on the Layer 3 switch.

sw-3(config-if)#ex
sw-3(config)#ip access-list standard kgc   // create the named standard ACL
sw-3(config-std-nacl)#permit host 192.168.10.10   // allow PC2
sw-3(config-std-nacl)#deny 192.168.10.0 0.0.0.255   // deny the rest of 192.168.10.0/24
sw-3(config-std-nacl)#permit any   // allow every other source
sw-3(config-std-nacl)#ex
sw-3(config)#do show access-lists   // view the list
Standard IP access list kgc
    10 permit 192.168.10.10
    20 deny   192.168.10.0, wildcard bits 0.0.0.255   // added successfully
    30 permit any
sw-3(config)#int f1/1   // enter interface f1/1
sw-3(config-if)#ip access-group kgc out   // apply the list outbound, toward PC1

Entries are evaluated top down and the first match wins, so the host permit for PC2 must sit above the subnet deny. A standard ACL matches on source address only, which is why it is applied outbound on Fa1/1, the interface closest to the destination PC1; applied inbound on Vlan10 it would also cut PC3 off from VLAN 20. The closing `permit any` is what lets PC4 through: every ACL ends with an implicit deny, so without that line the VLAN 20 hosts would be dropped as well. An outbound ACL does not filter packets that the switch itself generates.

6. Verify that the named access control list takes effect.

PC2> ping 192.168.100.100   // PC2 to PC1: communication works
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.957 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=17.958 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=18.953 ms

PC4> ping 192.168.100.100   // PC4 to PC1: communication works
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=19.021 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=24.934 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.957 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=14.960 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=18.023 ms

PC3> ping 192.168.100.100   // PC3 to PC1 is refused: the ACL works
*192.168.10.1 icmp_seq=1 ttl=255 time=8.033 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=12.965 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=11.004 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=10.998 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=12.966 ms (ICMP type:3, code:13, Communication administratively prohibited)

The "administratively prohibited" replies come from 192.168.10.1 with ttl=255: sw-3 itself is answering for the dropped packets. That message tells a sender that a filter exists and where it is enforced; if you prefer the drops to be silent, `no ip unreachables` on Fa1/1 suppresses them. Conversely, appending `log` to ACL entries gives you a record of who hit the deny.

7. Add an entry by sequence number so that PC3 can also communicate with PC1.

sw-3(config-if)#ex
sw-3(config)#ip access-list standard kgc   // re-enter the named ACL
sw-3(config-std-nacl)#12 permit host 192.168.10.20   // entry 12: allow PC3, inserted before the deny at 20
sw-3(config-std-nacl)#ex
sw-3(config)#do show access-lists   // view the list
Standard IP access list kgc
    10 permit 192.168.10.10 (5 matches)
    12 permit 192.168.10.20   // added successfully
    20 deny   192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
    30 permit any (5 matches)

The sequence number is what makes this possible without rebuilding the list: numbered entries are placed in order, and since 12 sits above the subnet deny at 20, PC3 now matches a permit first. The match counters also show which entry each earlier test hit.

8. Test whether the change took effect.

PC3> ping 192.168.100.100   // PC3 to PC1: communication now works
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=22.997 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=21.008 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=15.957 ms

9. Delete the added entry.

sw-3(config)#ip access-list standard kgc   // re-enter the named ACL
sw-3(config-std-nacl)#no 12   // delete entry 12
sw-3(config-std-nacl)#ex
sw-3(config)#do show access-lists   // view the list
Standard IP access list kgc
    10 permit 192.168.10.10 (5 matches)
    20 deny   192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
    30 permit any (5 matches)   // deleted successfully

10. Test result: PC3 is blocked again.

PC3> ping 192.168.100.100
*192.168.10.1 icmp_seq=1 ttl=255 time=8.973 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=4.981 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=10.971 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=8.552 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=2.993 ms (ICMP type:3, code:13, Communication administratively prohibited)
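The whole procedure (steps 5 through 10) rests on three rules of a standard ACL: entries are tried in sequence order, the first match wins, and an unmatched source falls to the implicit deny. The following Python model is an added example, not configuration or code from the page; it reproduces the `kgc` list with the lab's addresses, then walks through inserting entry 12, removing it, and finally dropping the `permit any` to show the implicit deny catching PC4 as well. `StandardACL`, `build_kgc`, `policy_check` and the `LAB_HOSTS` table are names invented for this example; wildcard matching follows IOS semantics (a 0 bit must match, a 1 bit is ignored).

```python
"""Model of a Cisco IOS standard named ACL: top-down, first match wins,
implicit deny at the end. Added example; entries and hosts mirror the lab
(PC1 192.168.100.100, PC2 192.168.10.10, PC3 192.168.10.20, PC4 192.168.20.20)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    seq: int
    action: str      # "permit" or "deny"
    network: int     # source address as a 32-bit integer
    wildcard: int    # IOS wildcard mask: 0 bit = must match, 1 bit = don't care
    matches: int = 0


def parse_entry(seq: int, text: str) -> Entry:
    """Parse one IOS standard ACL line: 'permit host A', 'deny A W',
    'permit A' (host shorthand) or 'permit any'."""
    parts = text.split()
    action, target = parts[0], parts[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    if target == "any":
        net, wc = 0, 0xFFFFFFFF
    elif target == "host":
        net, wc = int(ipaddress.IPv4Address(parts[2])), 0
    else:
        net = int(ipaddress.IPv4Address(target))
        wc = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
    return Entry(seq, action, net, wc)


class StandardACL:
    """A named standard ACL keyed by sequence number ('ip access-list standard NAME')."""

    def __init__(self, name: str):
        self.name = name
        self.entries: dict[int, Entry] = {}

    def add(self, text: str, seq: int | None = None) -> int:
        # IOS numbers unsequenced entries in steps of 10; an explicit seq is placed in order
        if seq is None:
            seq = (max(self.entries) if self.entries else 0) + 10
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already in use")
        self.entries[seq] = parse_entry(seq, text)
        return seq

    def remove(self, seq: int) -> None:
        """'no <seq>' inside the ACL submode."""
        del self.entries[seq]

    def evaluate(self, src: str) -> tuple[str, int | None]:
        """Return (action, matching seq). Entries are tried in sequence order;
        no match falls through to the implicit deny, reported as seq None."""
        s = int(ipaddress.IPv4Address(src))
        for seq in sorted(self.entries):
            e = self.entries[seq]
            if ((s & ~e.wildcard) & 0xFFFFFFFF) == ((e.network & ~e.wildcard) & 0xFFFFFFFF):
                e.matches += 1
                return e.action, seq
        return "deny", None

    def show(self) -> list[str]:
        """Roughly what 'show access-lists' prints, including match counters."""
        lines = [f"Standard IP access list {self.name}"]
        for seq in sorted(self.entries):
            e = self.entries[seq]
            addr = str(ipaddress.IPv4Address(e.network))
            if e.wildcard == 0xFFFFFFFF:
                target = "any"
            elif e.wildcard == 0:
                target = addr
            else:
                target = f"{addr}, wildcard bits {ipaddress.IPv4Address(e.wildcard)}"
            hits = f" ({e.matches} matches)" if e.matches else ""
            lines.append(f"    {seq} {e.action} {target}{hits}")
        return lines


def build_kgc() -> StandardACL:
    """The ACL as configured in step 5 of the page."""
    acl = StandardACL("kgc")
    acl.add("permit host 192.168.10.10")     # seq 10: PC2
    acl.add("deny 192.168.10.0 0.0.0.255")   # seq 20: the rest of VLAN 10
    acl.add("permit any")                    # seq 30: every other source
    return acl


# Constructed for this example: the lab hosts whose traffic leaves Fa1/1 toward PC1
LAB_HOSTS = {"PC2": "192.168.10.10", "PC3": "192.168.10.20", "PC4": "192.168.20.20"}


def policy_check(acl: StandardACL) -> dict[str, str]:
    """Which lab hosts the ACL lets through to PC1."""
    return {name: acl.evaluate(ip)[0] for name, ip in LAB_HOSTS.items()}


if __name__ == "__main__":
    acl = build_kgc()
    print(policy_check(acl))                        # PC2 permit, PC3 deny, PC4 permit
    acl.add("permit host 192.168.10.20", seq=12)    # step 7: inserted above the deny
    print(acl.evaluate("192.168.10.20"))            # ('permit', 12)
    acl.remove(12)                                  # step 9
    print(acl.evaluate("192.168.10.20"))            # ('deny', 20)
    acl.remove(30)                                  # drop 'permit any': implicit deny bites PC4
    print(acl.evaluate("192.168.20.20"))            # ('deny', None)
    print("\n".join(acl.show()))
```

Run it before touching the switch to confirm that the order of entries yields the intended policy; the last step is the one that catches most real-world mistakes, since a list that ends in a deny for one subnet and nothing else silently blocks everyone.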

