2022-10-13
Named Access Control Lists Explained
Named access control lists
Goal of this chapter: through a lab, learn how a named access control list works, how to add an access control entry, and how to delete one.
Lab topology:
4 hosts, one layer-2 switch and one layer-3 switch.
sw1 (layer 2): create the VLANs, assign ports to the VLANs, configure the trunk link.
sw2 (layer 3): create the VLANs, give each VLAN a virtual (SVI) address, configure the trunk link, configure the named access control list, and turn one switch port into a layer-3 (routed) port.
pc1: 192.168.10.10/24
pc2: 192.168.10.20/24
pc3: 192.168.20.20/24
pc4: 192.168.100.100/24
1. Configure the VLANs on the layer-2 switch, assign ports to the VLANs, and configure the trunk link
sw1#conf t
sw1(config)#vlan 10,20
sw1(config-vlan)#do show vlan-sw b   // view VLAN details
sw1(config-vlan)#ex
sw1(config)#do show vlan-sw b
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/1, Fa1/2, Fa1/3
                                                Fa1/4, Fa1/5, Fa1/6, Fa1/7
                                                Fa1/8, Fa1/9, Fa1/10, Fa1/11
                                                Fa1/12, Fa1/13, Fa1/14, Fa1/15
10   VLAN0010                         active
20   VLAN0020                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
sw1(config)#int range fa1/1 -2
sw1(config-if-range)#sw mo acc   // set the ports to access mode
sw1(config-if-range)#sw acc vlan 10   // assign them to VLAN 10
sw1(config-if-range)#ex
sw1(config)#do show vlan-sw b
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/3, Fa1/4, Fa1/5
                                                Fa1/6, Fa1/7, Fa1/8, Fa1/9
                                                Fa1/10, Fa1/11, Fa1/12, Fa1/13
                                                Fa1/14, Fa1/15
10   VLAN0010                         active    Fa1/1, Fa1/2
20   VLAN0020                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
sw1(config)#int f1/3
sw1(config-if)#sw mo acc
sw1(config-if)#sw acc vlan 20
sw1(config-if)#ex
sw1(config)#do show vlan-sw b
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/4, Fa1/5, Fa1/6
                                                Fa1/7, Fa1/8, Fa1/9, Fa1/10
                                                Fa1/11, Fa1/12, Fa1/13, Fa1/14
                                                Fa1/15
10   VLAN0010                         active    Fa1/1, Fa1/2
20   VLAN0020                         active    Fa1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
sw1(config)#int f1/0
sw1(config-if)#sw mo t
sw1(config-if)#sw t en dot
sw1(config-if)#ex
sw1(config)#no ip routing   // disable the routing function
2. On the layer-3 switch, create the VLANs, give each VLAN a virtual address through an SVI (the switch port on the routed link must be turned off first), and configure the trunk link
sw2#conf t
sw2(config)#int f1/1
sw2(config-if)#no switchport   // turn off switching on this port so it becomes a routed port
sw2(config-if)#ip add 192.168.100.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#do show ip int b
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES unset  administratively down down
FastEthernet0/1        unassigned      YES unset  administratively down down
FastEthernet1/0        unassigned      YES unset  up                    up
FastEthernet1/1        192.168.100.1   YES manual up                    up
FastEthernet1/2        unassigned      YES unset  up                    down
FastEthernet1/3        unassigned      YES unset  up                    down
FastEthernet1/4        unassigned      YES unset  up                    down
FastEthernet1/5        unassigned      YES unset  up                    down
FastEthernet1/6        unassigned      YES unset  up                    down
FastEthernet1/7        unassigned      YES unset  up                    down
FastEthernet1/8        unassigned      YES unset  up                    down
FastEthernet1/9        unassigned      YES unset  up                    down
FastEthernet1/10       unassigned      YES unset  up                    down
FastEthernet1/11       unassigned      YES unset  up                    down
FastEthernet1/12       unassigned      YES unset  up                    down
FastEthernet1/13       unassigned      YES unset  up                    down
FastEthernet1/14       unassigned      YES unset  up                    down
FastEthernet1/15       unassigned      YES unset  up                    down
Vlan1                  unassigned      YES unset  up                    up
sw2(config-if)#ex
sw2(config)#vlan 10,20
sw2(config-vlan)#ex
sw2(config)#int vlan 10
sw2(config-if)#ip add 192.168.10.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#ex
sw2(config)#int vlan 20
sw2(config-if)#ip add 192.168.20.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#ex
sw2(config)#do show ip int b
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES unset  administratively down down
FastEthernet0/1        unassigned      YES unset  administratively down down
FastEthernet1/0        unassigned      YES unset  up                    up
FastEthernet1/1        192.168.100.1   YES manual up                    up
FastEthernet1/2        unassigned      YES unset  up                    down
FastEthernet1/3        unassigned      YES unset  up                    down
FastEthernet1/4        unassigned      YES unset  up                    down
FastEthernet1/5        unassigned      YES unset  up                    down
FastEthernet1/6        unassigned      YES unset  up                    down
FastEthernet1/7        unassigned      YES unset  up                    down
FastEthernet1/8        unassigned      YES unset  up                    down
FastEthernet1/9        unassigned      YES unset  up                    down
FastEthernet1/10       unassigned      YES unset  up                    down
FastEthernet1/11       unassigned      YES unset  up                    down
FastEthernet1/12       unassigned      YES unset  up                    down
FastEthernet1/13       unassigned      YES unset  up                    down
FastEthernet1/14       unassigned      YES unset  up                    down
FastEthernet1/15       unassigned      YES unset  up                    down
Vlan1                  unassigned      YES unset  up                    up
Vlan10                 192.168.10.1    YES manual up                    down
Vlan20                 192.168.20.1    YES manual up                    down
sw2(config)#int f1/0
sw2(config-if)#sw mo t
sw2(config-if)#sw t en dot
sw2(config-if)#ex
3. Configure an IP address and gateway on each host
PC4>
PC4> ip 192.168.100.100 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1
PC1> ip 192.168.10.10 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1
PC2>
PC2> ip 192.168.10.20 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1
PC3> ip 192.168.20.20 192.168.20.1
Checking for duplicate address...
PC1 : 192.168.20.20 255.255.255.0 gateway 192.168.20.1
4. Test whether the whole network can communicate
PC1> ping 192.168.100.100
168.100.100 icmp_seq=1 timeout
bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=14.997 ms
bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.984 ms
bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=16.953 ms
bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=20.978 ms
PC1> ping 192.168.10.20
bytes from 192.168.10.20 icmp_seq=1 ttl=64 time=0.000 ms
bytes from 192.168.10.20 icmp_seq=2 ttl=64 time=0.000 ms
bytes from 192.168.10.20 icmp_seq=3 ttl=64 time=0.979 ms
bytes from 192.168.10.20 icmp_seq=4 ttl=64 time=0.000 ms
PC1> ping 192.168.20.20
168.20.20 icmp_seq=1 timeout
bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=14.960 ms
bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=18.941 ms
bytes from 192.168.20.20 icmp_seq=4 ttl=63 time=15.956 ms
bytes from 192.168.20.20 icmp_seq=5 ttl=63 time=19.973 ms
5. On the layer-3 switch, configure the named access control list
sw2(config)#ip access-list standard kgc   // enter standard ACL configuration; the list is named kgc
sw2(config-std-nacl)#permit host 192.168.10.10   // allow host 10.10
sw2(config-std-nacl)#deny 192.168.10.0 0.0.0.255   // deny the rest of the 10.0 subnet
sw2(config-std-nacl)#permit any   // allow every other host
sw2(config-std-nacl)#ex
sw2(config)#do show access-lists   // view the access lists
Standard IP access list kgc
    10 permit 192.168.10.10
    20 deny   192.168.10.0, wildcard bits 0.0.0.255
    30 permit any
sw2(config)#int f1/1
sw2(config-if)#ip access-group kgc out   // apply it on the interface closest to the restricted destination; applied inbound it would have to be set on three interfaces, outbound here it is set once
sw2(config-if)#ex
6. Test whether the lab requirement has taken effect
PC1> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=18.941 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=15.408 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=12.003 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=20.997 ms
PC3> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=20.942 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=14.992 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=13.963 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=14.925 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=21.940 ms
PC2> ping 192.168.100.100
*192.168.10.1 icmp_seq=1 ttl=255 time=8.972 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=10.971 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=5.987 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=10.969 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=2.998 ms (ICMP type:3, code:13, Communication administratively prohibited)
7. Add one more requirement: host 10.20 must also be allowed access
sw2(config)#ip access-list standard kgc
sw2(config-std-nacl)#12 permit host 192.168.10.20   // this entry can only go above entry 10 or between 10 and 20; placing it below 20 is pointless, because the 10.0 subnet is already denied by entry 20 and a later entry for 10.20 would never be reached
sw2(config-std-nacl)#ex
sw2(config)#do show access-lists
Standard IP access list kgc
    10 permit 192.168.10.10 (8 matches)
    12 permit 192.168.10.20
    20 deny   192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
    30 permit any (5 matches)
8. Test whether PC2 (10.20) can now reach host PC4
PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=20.970 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=17.950 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=18.008 ms
9. Delete a single entry from the access control list; to delete the whole ACL, use no ip access-list standard kgc
sw2(config)#ip access-list standard kgc
sw2(config-std-nacl)#no 12
sw2(config-std-nacl)#do show access-lists
Standard IP access list kgc
    10 permit 192.168.10.10 (8 matches)
    20 deny   192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
    30 permit any (5 matches)
sw2(config)#no ip access-list standard kgc
sw2(config)#do show access-lists
sw2(config)#
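The sequence-number rule from step 7 and the first-match behaviour behind steps 5 and 9 can be checked offline with this small model of standard ACL evaluation. It is an added example, not configuration or code from the original post; the entries and hosts are the ones from the lab, and the evaluator assumes Cisco's first-match, ascending-sequence, implicit-deny semantics.

```python
# Added example, not from the original post: a minimal model of how a Cisco IOS
# standard named ACL picks an entry for a source address. Assumptions modelled:
# entries are tried in ascending sequence order, the first match wins, wildcard
# bits set to 1 are "don't care", and an implicit "deny any" ends every ACL.
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr falls inside network/wildcard (Cisco wildcard-mask test)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (n & care)


def evaluate(acl: dict, src: str) -> tuple:
    """Return (action, sequence) of the first matching entry, or ('deny', None)."""
    for seq in sorted(acl):
        action, network, wildcard = acl[seq]
        if wildcard_match(src, network, wildcard):
            return action, seq
    return "deny", None             # implicit deny any at the end of the list


# The ACL "kgc" as built in step 5 ("host x" is the same as wildcard 0.0.0.0).
KGC = {
    10: ("permit", "192.168.10.10", "0.0.0.0"),
    20: ("deny", "192.168.10.0", "0.0.0.255"),
    30: ("permit", "0.0.0.0", "255.255.255.255"),   # permit any
}


def with_entry(acl: dict, seq: int, entry: tuple) -> dict:
    """Copy of acl with one entry added, like '<seq> permit host ...' in step 7."""
    new = dict(acl)
    new[seq] = entry
    return new


def without_entry(acl: dict, seq: int) -> dict:
    """Copy of acl with one entry removed, like 'no <seq>' in step 9."""
    return {s: e for s, e in acl.items() if s != seq}


if __name__ == "__main__":
    # Sequence 12 sits above the deny and lets PC2 through; the same entry at
    # sequence 25 is never reached because entry 20 already matched 192.168.10.0/24.
    for seq in (12, 25):
        acl = with_entry(KGC, seq, ("permit", "192.168.10.20", "0.0.0.0"))
        print(seq, evaluate(acl, "192.168.10.20"))
```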
This concludes the chapter. Thanks for reading.