
Named Access Control Lists Explained

Source: compiled from the web   Views: 214   Date: 2020-04-07

Named access control lists. Objective of this chapter: through a lab, learn how to configure a named access control list, add access-control entries, and delete them. Lab diagram:

[Lab topology diagram]

4 hosts, one Layer 2 switch, one Layer 3 switch
sw1: create the VLANs, assign ports to the VLANs, configure the trunk link
sw2: create the VLANs, give each VLAN a virtual address through its interface, configure the trunk link, configure the named access control list, and turn off switching on one port to make it a Layer 3 port.
pc1: 192.168.10.10/24
pc2: 192.168.10.20/24
pc3: 192.168.20.20/24
pc4: 192.168.100.100/24

1. Configure the VLANs on the Layer 2 switch, assign ports to the VLANs, and set up the trunk link
sw1#conf t
sw1(config)#vlan 10,20
sw1(config-vlan)#do show vlan-sw b  // view the VLAN summary
sw1(config-vlan)#ex
sw1(config)#do show vlan-sw b
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/1, Fa1/2, Fa1/3
                                                Fa1/4, Fa1/5, Fa1/6, Fa1/7
                                                Fa1/8, Fa1/9, Fa1/10, Fa1/11
                                                Fa1/12, Fa1/13, Fa1/14, Fa1/15
10   VLAN0010                         active    
20   VLAN0020                         active    
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 
sw1(config)#int range fa1/1 -2
sw1(config-if-range)#sw mo acc         // set the ports to access mode
sw1(config-if-range)#sw acc vlan 10    // assign the VLAN
sw1(config-if-range)#ex
sw1(config)#do show vlan-sw b 
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/3, Fa1/4, Fa1/5
                                                Fa1/6, Fa1/7, Fa1/8, Fa1/9
                                                Fa1/10, Fa1/11, Fa1/12, Fa1/13
                                                Fa1/14, Fa1/15
10   VLAN0010                         active    Fa1/1, Fa1/2
20   VLAN0020                         active    
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 
sw1(config)#int f1/3
sw1(config-if)#sw mo acc 
sw1(config-if)#sw acc vlan 20
sw1(config-if)#ex
sw1(config)#do show vlan-sw b
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/4, Fa1/5, Fa1/6
                                                Fa1/7, Fa1/8, Fa1/9, Fa1/10
                                                Fa1/11, Fa1/12, Fa1/13, Fa1/14
                                                Fa1/15
10   VLAN0010                         active    Fa1/1, Fa1/2
20   VLAN0020                         active    Fa1/3
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 
sw1(config)#int f1/0
sw1(config-if)#sw mo t
sw1(config-if)#sw t en dot
sw1(config-if)#ex
sw1(config)#no ip routing  // disable the routing function
2. On the Layer 3 switch, create the VLANs, give each VLAN a virtual address through its interface (switching must be turned off on the routed port), and configure the trunk link
sw2#conf t
sw2(config)#int f1/1
sw2(config-if)#no switchport // turn off switching on this port
sw2(config-if)#ip add 192.168.100.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#do show ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down    
FastEthernet0/1            unassigned      YES unset  administratively down down    
FastEthernet1/0            unassigned      YES unset  up                    up      
FastEthernet1/1            192.168.100.1   YES manual up                    up      
FastEthernet1/2            unassigned      YES unset  up                    down    
FastEthernet1/3            unassigned      YES unset  up                    down    
FastEthernet1/4            unassigned      YES unset  up                    down    
FastEthernet1/5            unassigned      YES unset  up                    down    
FastEthernet1/6            unassigned      YES unset  up                    down    
FastEthernet1/7            unassigned      YES unset  up                    down    
FastEthernet1/8            unassigned      YES unset  up                    down    
FastEthernet1/9            unassigned      YES unset  up                    down    
FastEthernet1/10           unassigned      YES unset  up                    down    
FastEthernet1/11           unassigned      YES unset  up                    down    
FastEthernet1/12           unassigned      YES unset  up                    down    
FastEthernet1/13           unassigned      YES unset  up                    down    
FastEthernet1/14           unassigned      YES unset  up                    down    
FastEthernet1/15           unassigned      YES unset  up                    down    
Vlan1                      unassigned      YES unset  up                    up      
sw2(config-if)#ex 
sw2(config)#vlan 10,20
sw2(config-vlan)#ex
sw2(config)#int vlan 10
sw2(config-if)#ip add 192.168.10.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#ex
sw2(config)#int vlan 20
sw2(config-if)#ip add 192.168.20.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#ex
sw2(config)#do show ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down    
FastEthernet0/1            unassigned      YES unset  administratively down down    
FastEthernet1/0            unassigned      YES unset  up                    up      
FastEthernet1/1            192.168.100.1   YES manual up                    up      
FastEthernet1/2            unassigned      YES unset  up                    down    
FastEthernet1/3            unassigned      YES unset  up                    down    
FastEthernet1/4            unassigned      YES unset  up                    down    
FastEthernet1/5            unassigned      YES unset  up                    down    
FastEthernet1/6            unassigned      YES unset  up                    down    
FastEthernet1/7            unassigned      YES unset  up                    down    
FastEthernet1/8            unassigned      YES unset  up                    down    
FastEthernet1/9            unassigned      YES unset  up                    down    
FastEthernet1/10           unassigned      YES unset  up                    down    
FastEthernet1/11           unassigned      YES unset  up                    down    
FastEthernet1/12           unassigned      YES unset  up                    down    
FastEthernet1/13           unassigned      YES unset  up                    down    
FastEthernet1/14           unassigned      YES unset  up                    down    
FastEthernet1/15           unassigned      YES unset  up                    down    
Vlan1                      unassigned      YES unset  up                    up      
Vlan10                     192.168.10.1    YES manual up                    down    
Vlan20                     192.168.20.1    YES manual up                    down    
sw2(config)#int f1/0
sw2(config-if)#sw mo t
sw2(config-if)#sw t en dot
sw2(config-if)#ex
3. Configure an IP address and gateway on each host
PC4> ip 192.168.100.100 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1

PC1> ip 192.168.10.10 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1

PC2> ip 192.168.10.20 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1

PC3> ip 192.168.20.20 192.168.20.1
Checking for duplicate address...
PC1 : 192.168.20.20 255.255.255.0 gateway 192.168.20.1
4. Test whether the whole network is reachable
PC1> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=14.997 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.984 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=16.953 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=20.978 ms

PC1> ping 192.168.10.20
84 bytes from 192.168.10.20 icmp_seq=1 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=2 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=3 ttl=64 time=0.979 ms
84 bytes from 192.168.10.20 icmp_seq=4 ttl=64 time=0.000 ms

PC1> ping 192.168.20.20
192.168.20.20 icmp_seq=1 timeout
84 bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=14.960 ms
84 bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=18.941 ms
84 bytes from 192.168.20.20 icmp_seq=4 ttl=63 time=15.956 ms
84 bytes from 192.168.20.20 icmp_seq=5 ttl=63 time=19.973 ms
5. On the Layer 3 switch, configure the named access control list
sw2(config)#ip access-list standard kgc  // create a standard named ACL called kgc
sw2(config-std-nacl)#permit host 192.168.10.10  // allow host 10.10
sw2(config-std-nacl)#deny 192.168.10.0 0.0.0.255 // deny the rest of the 10.0 subnet
sw2(config-std-nacl)#permit any  // allow all other hosts
sw2(config-std-nacl)#ex
sw2(config)#do show access-lists    // view the access lists
Standard IP access list kgc
    10 permit 192.168.10.10
    20 deny   192.168.10.0, wildcard bits 0.0.0.255
    30 permit any
sw2(config)#int f1/1
sw2(config-if)#ip access-group kgc out  // apply it on the interface closest to the protected destination; applied inbound it would have to be configured three times, outbound once is enough
sw2(config-if)#ex
6. Test whether the lab requirement has taken effect
PC1> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=18.941 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=15.408 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=12.003 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=20.997 ms

PC3> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=20.942 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=14.992 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=13.963 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=14.925 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=21.940 ms

PC2> ping 192.168.100.100
*192.168.10.1 icmp_seq=1 ttl=255 time=8.972 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=10.971 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=5.987 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=10.969 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=2.998 ms (ICMP type:3, code:13, Communication administratively prohibited)
7. Add one more requirement: host 10.20 must also be allowed access
sw2(config)#ip access-list standard kgc
sw2(config-std-nacl)#12 permit host 192.168.10.20  // it can only go above 10 or between 10 and 20; placing it below 20 would be pointless, because the 10.0 subnet is already denied by then, so a later 10.20 entry is never reached
sw2(config-std-nacl)#ex
sw2(config)#do show access-lists
Standard IP access list kgc
    10 permit 192.168.10.10 (8 matches)
    12 permit 192.168.10.20
    20 deny   192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
    30 permit any (5 matches)
8. Test whether PC2 (10.20) can now reach host PC4
PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=20.970 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=17.950 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=18.008 ms
9. Delete a single entry from the ACL; to delete the whole ACL, use no ip access-list standard kgc
sw2(config)#ip access-list standard kgc
sw2(config-std-nacl)#no 12
sw2(config-std-nacl)#do show access-lists
Standard IP access list kgc
    10 permit 192.168.10.10 (8 matches)
    20 deny   192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
    30 permit any (5 matches)
sw2(config)#no ip access-list standard kgc
sw2(config)#do show access-lists
sw2(config)#
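The first-match rule that sections 5, 7 and 9 rely on can be checked offline. The following Python model is an added example, not part of this tutorial or of Cisco IOS; the class and function names are my own, and it implements only the three entry forms the lab uses (permit host, deny network with wildcard, permit any) plus insertion and removal by sequence number.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the mask means 'ignore this bit'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

class StandardNamedAcl:
    """Toy model (not IOS code) of a standard named ACL: ordered entries, first match wins."""
    def __init__(self, name):
        self.name = name
        self.entries = {}  # seq -> [action, base, wildcard, match_count]
    def add(self, line, seq=None):
        """Parse the forms used on the page: 'permit host A', 'deny NET WILDCARD', 'permit any'."""
        action, target, *rest = line.split()
        if target == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif target == "host":
            base, wc = rest[0], "0.0.0.0"
        else:
            base, wc = target, rest[0]
        if seq is None:  # like IOS, append 10 past the highest existing sequence number
            seq = max(self.entries, default=0) + 10
        if seq in self.entries:
            raise ValueError("duplicate sequence number %d" % seq)
        self.entries[seq] = [action, base, wc, 0]
    def remove(self, seq):  # equivalent of 'no <seq>' inside the ACL; other entries untouched
        del self.entries[seq]
    def evaluate(self, src):
        """Walk entries in sequence order; traffic that matches nothing hits the implicit deny."""
        for seq in sorted(self.entries):
            action, base, wc, _ = self.entries[seq]
            if wildcard_match(src, base, wc):
                self.entries[seq][3] += 1  # the '(n matches)' counter seen in show access-lists
                return action, seq
        return "deny", None

def demo():
    """Rebuild kgc from the page and show why the position of the 10.20 entry matters."""
    acl = StandardNamedAcl("kgc")
    acl.add("permit host 192.168.10.10")          # seq 10
    acl.add("deny 192.168.10.0 0.0.0.255")        # seq 20
    acl.add("permit any")                         # seq 30
    before = acl.evaluate("192.168.10.20")        # PC2 blocked by seq 20
    acl.add("permit host 192.168.10.20", seq=25)  # below the deny: never reached
    after_25 = acl.evaluate("192.168.10.20")      # still blocked by seq 20
    acl.remove(25)
    acl.add("permit host 192.168.10.20", seq=12)  # between 10 and 20, as in section 7
    after_12 = acl.evaluate("192.168.10.20")      # now permitted by seq 12
    return before, after_25, after_12
```

Running demo() shows the same outcome the PC2 pings did: with the 10.20 entry after the deny the source is still rejected, and only the seq 12 placement lets it through.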
This concludes the chapter. Thanks for reading.
