Named Access Control List
- Requirements
- Allow host PC2 in VLAN 10 to reach PC1
- Deny the other hosts in VLAN 10 from reaching PC1
- Allow hosts in other subnets to reach PC1
1. Build the topology in GNS3 and label the host interfaces, IP addresses, requirements and gateways in the topology area, as shown in the figure:
2. Power on all devices and configure the VLAN information on the Layer 2 switch first
sw#conf t //enter global configuration mode
Enter configuration commands, one per line. End with CNTL/Z.
sw(config)#vlan 10,20 //create the VLANs
sw(config-vlan)#ex //leave VLAN configuration mode
sw(config)#do show vlan-sw b //verify the VLANs
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/1, Fa1/2, Fa1/3
Fa1/4, Fa1/5, Fa1/6, Fa1/7
Fa1/8, Fa1/9, Fa1/10, Fa1/11
Fa1/12, Fa1/13, Fa1/14, Fa1/15
10 VLAN0010 active
20 VLAN0020 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw(config)#int range fa1/1 -2 //enter interface range f1/1-f1/2
sw(config-if-range)#sw mo acc
sw(config-if-range)#sw access vlan 10 //assign the ports to VLAN 10
sw(config-if-range)#ex
sw(config)#do show vlan-sw b //check that the ports joined the VLAN
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/3, Fa1/4, Fa1/5
Fa1/6, Fa1/7, Fa1/8, Fa1/9
Fa1/10, Fa1/11, Fa1/12, Fa1/13
Fa1/14, Fa1/15
10 VLAN0010 active Fa1/1, Fa1/2 //added successfully
20 VLAN0020 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw(config)#int f1/3 //enter interface f1/3
sw(config-if)#sw mo acc
sw(config-if)#sw acc vlan 20 //assign the port to VLAN 20
sw(config-if)#ex
sw(config)#do show vlan-sw b //verify
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/4, Fa1/5, Fa1/6
Fa1/7, Fa1/8, Fa1/9, Fa1/10
Fa1/11, Fa1/12, Fa1/13, Fa1/14
Fa1/15
10 VLAN0010 active Fa1/1, Fa1/2
20 VLAN0020 active Fa1/3 //added successfully
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw(config)#int f1/0 //enter interface f1/0
sw(config-if)#sw mo t //make the uplink a trunk
sw(config-if)#
*Mar 1 00:06:52.483: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunk
sw(config-if)#sw t encapsulation dot1q //set the trunk encapsulation to dot1q
sw(config-if)#ex
sw(config)#no ip routing //disable IP routing on the Layer 2 switch
3. On the Layer 3 switch, add the interface IP addresses
sw-3#conf t //enter global configuration mode
Enter configuration commands, one per line. End with CNTL/Z.
sw-3(config)#int f1/1 //enter interface f1/1
sw-3(config-if)#no switchport //disable switching, making this a routed port
*Mar 1 00:11:19.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
sw-3(config-if)#ip add 192.168.100.1 255.255.255.0 //assign the gateway IP address
sw-3(config-if)#no shut //bring the interface up
sw-3(config-if)#do show ip int b //verify
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset up up
FastEthernet1/1 192.168.100.1 YES manual up up //gateway IP address added successfully
FastEthernet1/2 unassigned YES unset up down
FastEthernet1/3 unassigned YES unset up down
FastEthernet1/4 unassigned YES unset up down
FastEthernet1/5 unassigned YES unset up down
FastEthernet1/6 unassigned YES unset up down
FastEthernet1/7 unassigned YES unset up down
FastEthernet1/8 unassigned YES unset up down
sw-3(config-if)#ex
sw-3(config)#vlan 10,20 //create the VLANs
sw-3(config-vlan)#int vlan 10 //enter interface vlan 10
sw-3(config-if)#ip add 192.168.10.1 255.255.255.0 //assign the IP address
sw-3(config-if)#no shut //bring the interface up
sw-3(config-if)#ex
sw-3(config)#int vlan 20 //enter interface vlan 20
sw-3(config-if)#ip add 192.168.20.1 255.255.255.0 //assign the IP address
sw-3(config-if)#no shut //bring the interface up
sw-3(config-if)#ex
sw-3(config)#do show ip int b //verify
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset up up
FastEthernet1/1 192.168.100.1 YES manual up up //gateway IP address added successfully
FastEthernet1/2 unassigned YES unset up down
FastEthernet1/3 unassigned YES unset up down
FastEthernet1/4 unassigned YES unset up down
FastEthernet1/5 unassigned YES unset up down
FastEthernet1/6 unassigned YES unset up down
FastEthernet1/7 unassigned YES unset up down
FastEthernet1/8 unassigned YES unset up down
FastEthernet1/9 unassigned YES unset up down
FastEthernet1/10 unassigned YES unset up down
FastEthernet1/11 unassigned YES unset up down
FastEthernet1/12 unassigned YES unset up down
FastEthernet1/13 unassigned YES unset up down
FastEthernet1/14 unassigned YES unset up down
FastEthernet1/15 unassigned YES unset up down
Vlan1 unassigned YES unset up up
Vlan10 192.168.10.1 YES manual up down //gateway added successfully
Vlan20 192.168.20.1 YES manual up down
sw-3(config)#int f1/0 //enter interface f1/0
sw-3(config-if)#sw mo t //make the uplink a trunk
*Mar 1 00:16:07.979: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunk
*Mar 1 00:16:08.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
*Mar 1 00:16:08.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
sw-3(config-if)#sw t encapsulation dot1q //set the trunk encapsulation to dot1q
sw-3(config-if)#do show ip rout //view the routing table
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.10.0/24 is directly connected, Vlan10
C 192.168.20.0/24 is directly connected, Vlan20 //connected routes present
C 192.168.100.0/24 is directly connected, FastEthernet1/1
4. Configure an IP address on each PC and test connectivity among the four PCs
PC1> ip 192.168.100.100 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1
PC2> ip 192.168.10.10 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1
PC3> ip 192.168.10.20 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1
PC4> ip 192.168.20.20 192.168.20.1
Checking for duplicate address...
PC1 : 192.168.20.20 255.255.255.0 gateway 192.168.20.1
PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=21.556 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=15.601 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=22.945 ms
PC2> ping 192.168.10.20
84 bytes from 192.168.10.20 icmp_seq=1 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=2 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=3 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=4 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=5 ttl=64 time=0.000 ms
PC2> ping 192.168.20.20
84 bytes from 192.168.20.20 icmp_seq=1 ttl=63 time=16.954 ms
84 bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=20.944 ms
84 bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=23.487 ms
84 bytes from 192.168.20.20 icmp_seq=4 ttl=63 time=13.997 ms
84 bytes from 192.168.20.20 icmp_seq=5 ttl=63 time=18.998 ms
5. Configure the named access control list on the Layer 3 switch
sw-3(config-if)#ex
sw-3(config)#ip access-list standard kgc //create the named standard ACL
sw-3(config-std-nacl)#permit host 192.168.10.10 //permit host PC2
sw-3(config-std-nacl)#deny 192.168.10.0 0.0.0.255 //deny the rest of the 192.168.10.0 subnet
sw-3(config-std-nacl)#permit any //permit all other subnets (overrides the implicit deny at the end of the list)
sw-3(config-std-nacl)#ex
sw-3(config)#do show access-lists //view the list
Standard IP access list kgc
10 permit 192.168.10.10
20 deny 192.168.10.0, wildcard bits 0.0.0.255 //added successfully
30 permit any
sw-3(config)#int f1/1 //enter interface f1/1
sw-3(config-if)#ip access-group kgc out //apply the list outbound on the interface toward PC1; a standard ACL matches source addresses only, so it is placed close to the destination
6. Test whether the named ACL takes effect
PC2> ping 192.168.100.100 //PC2 to PC1: communication works
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.957 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=17.958 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=18.953 ms
PC4> ping 192.168.100.100 //PC4 to PC1: communication works
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=19.021 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=24.934 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.957 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=14.960 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=18.023 ms
PC3> ping 192.168.100.100 //PC3 to PC1: access is denied, the configuration works
*192.168.10.1 icmp_seq=1 ttl=255 time=8.033 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=12.965 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=11.004 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=10.998 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=12.966 ms (ICMP type:3, code:13, Communication administratively prohibited)
7. Add a list entry by sequence number so that PC3 can also communicate with PC1
sw-3(config-if)#ex
sw-3(config)#ip access-list standard kgc //edit the named ACL
sw-3(config-std-nacl)#12 permit host 192.168.10.20 //add entry 12, which sorts before the deny at 20, permitting PC3
sw-3(config-std-nacl)#ex
sw-3(config)#do show access-lists //view the list
Standard IP access list kgc
10 permit 192.168.10.10 (5 matches)
12 permit 192.168.10.20 //added successfully
20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches)
8. Test whether the configuration succeeded
PC3> ping 192.168.100.100 //PC3 to PC1: communication works
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=22.997 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=21.008 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=15.957 ms
9. Delete the added entry
sw-3(config)#ip access-list standard kgc //edit the named ACL
sw-3(config-std-nacl)#no 12 //delete entry 12 from the list
sw-3(config-std-nacl)#ex
sw-3(config)#do show access-lists //view the list
Standard IP access list kgc
10 permit 192.168.10.10 (5 matches)
20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches) //deleted successfully
10. Test result
PC3> ping 192.168.100.100
*192.168.10.1 icmp_seq=1 ttl=255 time=8.973 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=4.981 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=10.971 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=8.552 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=2.993 ms (ICMP type:3, code:13, Communication administratively prohibited)
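To make the matching rules behind steps 5, 7 and 9 concrete, here is an added Python model of a standard IP ACL (not part of the original lab or of IOS): entries are evaluated in sequence-number order, a wildcard bit of 1 is ignored, and a source that matches nothing falls to the implicit deny. The class, function names and the PC-to-address table are constructed for this illustration.

```python
from ipaddress import IPv4Address


def ip_to_int(ip: str) -> int:
    return int(IPv4Address(ip))


def matches(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(network) & care)


class StandardAcl:
    """Standard IP ACL: source-only entries keyed by sequence number (constructed model)."""

    def __init__(self, name: str):
        self.name = name
        self.entries = {}  # seq -> (action, network, wildcard)

    def add(self, seq, action, network, wildcard="0.0.0.0"):
        self.entries[seq] = (action, network, wildcard)  # 'host' = wildcard 0.0.0.0

    def remove(self, seq):
        del self.entries[seq]  # the lab's 'no 12'

    def evaluate(self, src: str):
        """First matching entry wins; an unmatched source hits the implicit deny."""
        for seq in sorted(self.entries):
            action, network, wildcard = self.entries[seq]
            if matches(src, network, wildcard):
                return action, seq
        return "deny", None


def build_kgc() -> StandardAcl:
    """The lab's list as displayed by 'show access-lists' after step 5."""
    acl = StandardAcl("kgc")
    acl.add(10, "permit", "192.168.10.10")               # host PC2
    acl.add(20, "deny", "192.168.10.0", "0.0.0.255")     # rest of VLAN 10
    acl.add(30, "permit", "0.0.0.0", "255.255.255.255")  # any
    return acl


def replay_lab():
    """Verdict per lab PC (constructed address table) after steps 5, 7 and 9."""
    acl = build_kgc()
    pcs = {"PC2": "192.168.10.10", "PC3": "192.168.10.20", "PC4": "192.168.20.20"}
    step5 = {pc: acl.evaluate(ip)[0] for pc, ip in pcs.items()}
    acl.add(12, "permit", "192.168.10.20")  # step 7: 12 sorts before the deny at 20
    step7 = {pc: acl.evaluate(ip)[0] for pc, ip in pcs.items()}
    acl.remove(12)                          # step 9
    step9 = {pc: acl.evaluate(ip)[0] for pc, ip in pcs.items()}
    return step5, step7, step9
```

Because a standard ACL only sees the source address, the same `evaluate` result applies to any destination the list is applied toward; that is why the lab binds it outbound on the single interface facing PC1.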