Implementing a named access control list (ACL) on a Layer 3 switch
I. Lab requirements:
Using an ACL, forbid members of the technical department from reaching any service outside the company; they may only reach the company's internal www.51cto.com and ftp.51cto.com.
Using an ACL, forbid the VIP room PC from reaching the company's ftp.51cto.com; all other services remain unaffected.
II. Equipment required:
1 Layer 3 switch acting as the company's edge switch, 2 Layer 2 switches, 2 PCs, one external router and two servers.
III. Technical background:
An access control list (ACL) is a list of statements (rules) applied to a router interface. These statements tell the router which packets may be forwarded and which must be dropped.
IV. Lab topology:
V. Lab steps:
1. Power on all devices
2. Optimise the emulator
Open the console of router R1 and, in privileged EXEC mode, enter
then close the console, right-click the device, choose IDLE PC, select the value marked with *, and click OK to finish the optimisation.
3. Configure the VLANs and trunk on SW1
SW1#conf t
SW1(config)#vlan 10
SW1(config-vlan)#vlan 20
SW1(config-vlan)#vlan 30
SW1(config-vlan)#int fa 1/1
SW1(config-if)#sw mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#int fa1/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 20
SW1(config-if)#int fa 1/4
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 30
SW1(config-if)#int fa1/3
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#do show vlan-s b
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/5, Fa1/6, Fa1/7
                                                Fa1/8, Fa1/9, Fa1/10, Fa1/11
                                                Fa1/12, Fa1/13, Fa1/14, Fa1/15
10   VLAN0010                         active    Fa1/1
20   VLAN0020                         active    Fa1/2
30   VLAN0030                         active    Fa1/4
40   VLAN0040                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
4. Configure the company edge switch M1: VLANs, trunk, IP addresses and the default route
M1#conf t
M1(config)#int fa 1/0
M1(config-if)#switchport mode trunk
M1(config-if)#switchport trunk encapsulation dot1q
M1(config-if)#vlan 10
M1(config-vlan)#vlan 20
M1(config-vlan)#vlan 30
M1(config-vlan)#int vlan 10
M1(config-if)#ip add 192.168.10.1 255.255.255.0
M1(config-if)#no shut
M1(config-if)#int vlan 20
M1(config-if)#ip add 192.168.20.1 255.255.255.0
M1(config-if)#no shut
M1(config-if)#int vlan 30
M1(config-if)#ip add 192.168.30.1 255.255.255.0
M1(config-if)#no shut
M1(config-if)#int fa0/0
M1(config-if)#ip add 202.106.1.1 255.255.255.0
M1(config-if)#no shut
M1(config-if)#ip route 0.0.0.0 0.0.0.0 202.106.1.2
M1(config-if)#do show ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            202.106.1.1     YES manual up                    up
FastEthernet0/1            unassigned      YES unset  administratively down down
FastEthernet1/0            unassigned      YES unset  up                    up
FastEthernet1/1            unassigned      YES unset  up                    down
FastEthernet1/2            unassigned      YES unset  up                    down
FastEthernet1/3            unassigned      YES unset  up                    down
FastEthernet1/4            unassigned      YES unset  up                    down
FastEthernet1/5            unassigned      YES unset  up                    down
FastEthernet1/6            unassigned      YES unset  up                    down
FastEthernet1/7            unassigned      YES unset  up                    down
FastEthernet1/8            unassigned      YES unset  up                    down
FastEthernet1/9            unassigned      YES unset  up                    down
FastEthernet1/10           unassigned      YES unset  up                    down
FastEthernet1/11           unassigned      YES unset  up                    down
FastEthernet1/12           unassigned      YES unset  up                    down
FastEthernet1/13           unassigned      YES unset  up                    down
FastEthernet1/14           unassigned      YES unset  up                    down
FastEthernet1/15           unassigned      YES unset  up                    down
Vlan1                      unassigned      YES unset  up                    up
Vlan10                     192.168.10.1    YES manual up                    up
Vlan20                     192.168.20.1    YES manual up                    up
Vlan30                     192.168.30.1    YES manual up                    up
M1(config)#do show vlan-s b
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/1, Fa1/2, Fa1/3, Fa1/4
                                                Fa1/5, Fa1/6, Fa1/7, Fa1/8
                                                Fa1/9, Fa1/10, Fa1/11, Fa1/12
                                                Fa1/13, Fa1/14, Fa1/15
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active
40   VLAN0040                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
M1(config)#do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 202.106.1.2 to network 0.0.0.0

C    192.168.30.0/24 is directly connected, Vlan30
C    192.168.10.0/24 is directly connected, Vlan10
C    202.106.1.0/24 is directly connected, FastEthernet0/0
C    192.168.20.0/24 is directly connected, Vlan20
S*   0.0.0.0/0 [1/0] via 202.106.1.2
5. Configure the external router's IP addresses and static routes
R1#conf t
R1(config)#int fa 0/0
R1(config-if)#ip add 202.106.1.2 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int fa 0/1
R1(config-if)#ip add 192.168.40.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#ip route 192.168.10.0 255.255.255.0 202.106.1.1
R1(config)#ip route 192.168.20.0 255.255.255.0 202.106.1.1
R1(config)#ip route 192.168.30.0 255.255.255.0 202.106.1.1
R1(config)#do show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

S    192.168.30.0/24 [1/0] via 202.106.1.1
S    192.168.10.0/24 [1/0] via 202.106.1.1
C    192.168.40.0/24 is directly connected, FastEthernet0/1
C    202.106.1.0/24 is directly connected, FastEthernet0/0
S    192.168.20.0/24 [1/0] via 202.106.1.1
R1(config)#do show ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            202.106.1.2     YES manual up                    up
FastEthernet0/1            192.168.40.1    YES manual up                    up
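To check that the two routing tables above really carry traffic both ways, here is an added longest-prefix-match walk over M1's and R1's tables (written for this page, not part of the original lab). It assumes the technical-department PC is 192.168.10.10 and the external server is 192.168.40.10, the host addresses used in the ACL of step 8, with M1 and R1 as their respective gateways.

```python
import ipaddress

# Routing tables transcribed from the "show ip route" output above.
# prefix -> next hop, or None when the prefix is directly connected.
M1_TABLE = {"192.168.10.0/24": None, "192.168.20.0/24": None,
            "192.168.30.0/24": None, "202.106.1.0/24": None,
            "0.0.0.0/0": "202.106.1.2"}
R1_TABLE = {"192.168.40.0/24": None, "202.106.1.0/24": None,
            "192.168.10.0/24": "202.106.1.1", "192.168.20.0/24": "202.106.1.1",
            "192.168.30.0/24": "202.106.1.1"}
TABLES = {"M1": M1_TABLE, "R1": R1_TABLE}
# Which device owns each next-hop address (from the interface IPs configured above).
OWNER = {"202.106.1.2": "R1", "202.106.1.1": "M1"}
# Gateway device of each end host (host addresses assumed from the ACL in step 8).
GATEWAY = {"192.168.10.10": "M1", "192.168.40.10": "R1"}

def lookup(table, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None when no route exists."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])

def trace(src, dst, tables=TABLES):
    """Forward hop by hop from the source's gateway. Returns the list of devices
    traversed once the destination is directly connected, or None if some device
    has no route (packet dropped) or the path loops."""
    device, path = GATEWAY[src], []
    while device not in path:
        path.append(device)
        route = lookup(tables[device], dst)
        if route is None:
            return None                 # no matching prefix: dropped here
        if route[1] is None:
            return path                 # directly connected: delivered
        device = OWNER[route[1]]
    return None                         # routing loop

if __name__ == "__main__":
    print(trace("192.168.10.10", "192.168.40.10"))  # ['M1', 'R1']
    print(trace("192.168.40.10", "192.168.10.10"))  # ['R1', 'M1']
    # Same trace with R1's static routes removed: the reply has nowhere to go.
    r1_bare = {"192.168.40.0/24": None, "202.106.1.0/24": None}
    print(trace("192.168.40.10", "192.168.10.10", {"M1": M1_TABLE, "R1": r1_bare}))  # None
```

The third call shows why step 5 needs the three static routes on R1: M1's default route gets packets out, but without a return route R1 drops the server's replies.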
6. Configure the IP addresses
Technical department PC (C1) IP address:
VIP room PC (C2) IP address:
Company internal server (C3) IP address:
External server (C4) IP address:
7. Server tests
Technical department PC: test the company site WWW.51CTO.COM
Technical department PC: test the company site ftp.51cto.com
Technical department PC: test the external site www.waiwang.com
Technical department PC: test the external site FTP.WAIWANG.COM
8. Configure the ACL
M1(config)#ip access-list extended ceshi
M1(config-ext-nacl)#deny ip host 192.168.10.10 host 192.168.40.10
M1(config-ext-nacl)#deny tcp host 192.168.20.10 host 192.168.30.10 eq 21
M1(config-ext-nacl)#permit tcp any any
M1(config-ext-nacl)#end
M1#show access-lists
Extended IP access list ceshi
    10 deny ip host 192.168.10.10 host 192.168.40.10
    20 deny tcp host 192.168.20.10 host 192.168.30.10 eq ftp
    30 permit tcp any any
Extended IP access list test
9. Apply the ACL to the interface
M1#conf t
M1(config)#int fa1/0
M1(config-if)#ip access-group ceshi in
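To see how M1 evaluates the list just applied inbound on fa1/0, here is an added evaluator (written for this page, not taken from the lab or from IOS) that parses the three entries exactly as configured above and applies them top-down, first match wins, with the implicit deny after the last entry. The packets at the bottom are constructed test inputs built from the host addresses in the ACL; the wildcard form `A.B.C.D W.W.W.W` is supported as well, although the page's list only uses `host` and `any`.

```python
import ipaddress

# The named extended ACL exactly as configured on M1 in step 8.
ACL_CESHI = """
deny ip host 192.168.10.10 host 192.168.40.10
deny tcp host 192.168.20.10 host 192.168.30.10 eq 21
permit tcp any any
"""

def parse_addr(tokens):
    """Consume one address spec: 'host A', 'any', or 'A wildcard'."""
    kw = tokens.pop(0)
    if kw == "any":
        return ("0.0.0.0", "255.255.255.255")
    if kw == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (kw, tokens.pop(0))            # address followed by a wildcard mask

def parse_acl(text):
    """Return the ACEs as dicts, numbered 10, 20, ... the way IOS shows them."""
    aces = []
    for n, words in enumerate(line.split() for line in text.strip().splitlines()):
        tokens = words[2:]
        src, dst = parse_addr(tokens), parse_addr(tokens)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        aces.append({"seq": (n + 1) * 10, "action": words[0], "proto": words[1],
                     "src": src, "dst": dst, "dport": dport})
    return aces

def addr_matches(spec, ip):
    """Cisco wildcard semantics: a set bit in the wildcard means 'don't care'."""
    base, wild = (int(ipaddress.ip_address(x)) for x in spec)
    return (int(ipaddress.ip_address(ip)) & ~wild) == (base & ~wild)

def evaluate(aces, src, dst, proto, dport=None):
    """Top-down, first match wins; no match falls to the implicit deny.
    Returns (action, sequence) with sequence None for the implicit deny."""
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if addr_matches(ace["src"], src) and addr_matches(ace["dst"], dst):
            return (ace["action"], ace["seq"])
    return ("deny", None)

ACES = parse_acl(ACL_CESHI)

if __name__ == "__main__":
    # Constructed packets: C1 -> external web, C2 -> internal FTP, C2 -> internal web,
    # and C1 -> internal DNS over UDP, which no entry permits.
    for pkt in [("192.168.10.10", "192.168.40.10", "tcp", 80),
                ("192.168.20.10", "192.168.30.10", "tcp", 21),
                ("192.168.20.10", "192.168.30.10", "tcp", 80),
                ("192.168.10.10", "192.168.30.10", "udp", 53)]:
        print(pkt, "->", evaluate(ACES, *pkt))
```

Two things the evaluation makes visible: with `permit tcp any any` as the last entry, UDP and ICMP entering fa1/0 (DNS lookups from the PCs, pings) fall through to the implicit deny, and entry 10 blocks the technical department only from the single external server 192.168.40.10 rather than from every address outside the company.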
10. Final tests
Technical department PC1: test www.51cto.com
Technical department PC1: test ftp://www.51cto.com
Technical department PC1: test www.waiwang.com
Technical department PC1: test ftp://www.waiwang.com
Because the initial design of this lab was not thought through, PC2 was set up with VPCS, so the VIP room PC test could not be carried out this time. The lab stops here!
Lab complete
孤狼
24 February 2014, 23:30:46