命名访问控制列表详解
admin
2023-03-30 10:21:08
0次
命名访问控制列表
本章目标:通过实验学会命名访问控制列表,添加访问控制,删除访问控制
实验图:
4台主机,一个二层交换机,一个三层交换机
sw1:划分VLAN,给VLAN配置接口,做trunk链路
sw2:划分vlan,通过接口给vlan配置虚拟地址,做trunk链路,做命名访问控制
,关闭交换端口变成三层端口。
pc1:192.168.10.10/24
pc2:192.168.10.20/24
pc3:192.168.20.20/24
pc4:192.168.100.100/24
一.给二层交换机配置VLAN,给vlan配置接口,做trunk链路
sw1#conf t
sw1(config)#vlan 10,20
sw1(config-vlan)#do show vlan-sw b //查看vlan详细信息
sw1(config-vlan)#ex
sw1(config)#do show vlan-sw b
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/1, Fa1/2, Fa1/3
Fa1/4, Fa1/5, Fa1/6, Fa1/7
Fa1/8, Fa1/9, Fa1/10, Fa1/11
Fa1/12, Fa1/13, Fa1/14, Fa1/15
10 VLAN0010 active
20 VLAN0020 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw1(config)#int range fa1/1 -2
sw1(config-if-range)#sw mo acc //进入接口模式
sw1(config-if-range)#sw acc vlan 10 //配置vlan
sw1(config-if-range)#ex
sw1(config)#do show vlan-sw b
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/3, Fa1/4, Fa1/5
Fa1/6, Fa1/7, Fa1/8, Fa1/9
Fa1/10, Fa1/11, Fa1/12, Fa1/13
Fa1/14, Fa1/15
10 VLAN0010 active Fa1/1, Fa1/2
20 VLAN0020 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw1(config)#int f1/3
sw1(config-if)#sw mo acc
sw1(config-if)#sw acc vlan 20
sw1(config-if)#ex
sw1(config)#do show vlan-sw b
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/4, Fa1/5, Fa1/6
Fa1/7, Fa1/8, Fa1/9, Fa1/10
Fa1/11, Fa1/12, Fa1/13, Fa1/14
Fa1/15
10 VLAN0010 active Fa1/1, Fa1/2
20 VLAN0020 active Fa1/3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw1(config)#int f1/0
sw1(config-if)#sw mo t
sw1(config-if)#sw t en dot
sw1(config-if)#ex
sw1(config)#no ip routing //关闭路由功能二.进入三层交换机,划分vlan,通过接口给vlan配置虚拟网址(需要关闭交换端口),配置trunk链路
sw2#conf t
sw2(config)#int f1/1
sw2(config-if)#no switchport //关闭交换端口
sw2(config-if)#ip add 192.168.100.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#do show ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset up up
FastEthernet1/1 192.168.100.1 YES manual up up
FastEthernet1/2 unassigned YES unset up down
FastEthernet1/3 unassigned YES unset up down
FastEthernet1/4 unassigned YES unset up down
FastEthernet1/5 unassigned YES unset up down
FastEthernet1/6 unassigned YES unset up down
FastEthernet1/7 unassigned YES unset up down
FastEthernet1/8 unassigned YES unset up down
FastEthernet1/9 unassigned YES unset up down
FastEthernet1/10 unassigned YES unset up down
FastEthernet1/11 unassigned YES unset up down
FastEthernet1/12 unassigned YES unset up down
FastEthernet1/13 unassigned YES unset up down
FastEthernet1/14 unassigned YES unset up down
FastEthernet1/15 unassigned YES unset up down
Vlan1 unassigned YES unset up up
sw2(config-if)#ex
sw2(config)#vlan 10,20
sw2(config-vlan)#ex
sw2(config)#int vlan 10
sw2(config-if)#ip add 192.168.10.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#ex
sw2(config)#int vlan 20
sw2(config-if)#ip add 192.168.20.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#ex
sw2(config)#do show ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset up up
FastEthernet1/1 192.168.100.1 YES manual up up
FastEthernet1/2 unassigned YES unset up down
FastEthernet1/3 unassigned YES unset up down
FastEthernet1/4 unassigned YES unset up down
FastEthernet1/5 unassigned YES unset up down
FastEthernet1/6 unassigned YES unset up down
FastEthernet1/7 unassigned YES unset up down
FastEthernet1/8 unassigned YES unset up down
FastEthernet1/9 unassigned YES unset up down
FastEthernet1/10 unassigned YES unset up down
FastEthernet1/11 unassigned YES unset up down
FastEthernet1/12 unassigned YES unset up down
FastEthernet1/13 unassigned YES unset up down
FastEthernet1/14 unassigned YES unset up down
FastEthernet1/15 unassigned YES unset up down
Vlan1 unassigned YES unset up up
Vlan10 192.168.10.1 YES manual up down
Vlan20 192.168.20.1 YES manual up down
sw2(config)#int f1/0
sw2(config-if)#sw mo t
sw2(config-if)#sw t en dot
sw2(config-if)#ex三.给每个主机配置IP地址和网关
PC4>
PC4> ip 192.168.100.100 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1
PC1> ip 192.168.10.10 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1
PC2>
PC2> ip 192.168.10.20 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1
PC3> ip 192.168.20.20 192.168.20.1
Checking for duplicate address...
PC1 : 192.168.20.20 255.255.255.0 gateway 192.168.20.1四.测试是不是全网互通
PC1> ping 192.168.100.100
168.100.100 icmp_seq=1 timeout
bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=14.997 ms
bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.984 ms
bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=16.953 ms
bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=20.978 ms
PC1> ping 192.168.10.20
bytes from 192.168.10.20 icmp_seq=1 ttl=64 time=0.000 ms
bytes from 192.168.10.20 icmp_seq=2 ttl=64 time=0.000 ms
bytes from 192.168.10.20 icmp_seq=3 ttl=64 time=0.979 ms
bytes from 192.168.10.20 icmp_seq=4 ttl=64 time=0.000 ms
PC1> ping 192.168.20.20
168.20.20 icmp_seq=1 timeout
bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=14.960 ms
bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=18.941 ms
bytes from 192.168.20.20 icmp_seq=4 ttl=63 time=15.956 ms
bytes from 192.168.20.20 icmp_seq=5 ttl=63 time=19.973 ms五.进入三层交换机配置命名访问控制列表
sw2(config)#ip access-list standard kgc //进入标准访问控制,命名叫kgc
sw2(config-std-nacl)#permit host 192.168.10.10 //允许10.10主机访问
sw2(config-std-nacl)#deny 192.168.10.0 0.0.0.255 //拒绝10.0网段主机访问
sw2(config-std-nacl)#permit any //允许所有主机访问
sw2(config-std-nacl)#ex
sw2(config)#do show access-lists //查看访问控制列表
Standard IP access list kgc
10 permit 192.168.10.10
20 deny 192.168.10.0, wildcard bits 0.0.0.255
30 permit any
sw2(config)#int f1/1
sw2(config-if)#ip access-group kgc out //应用于接口,离限制最近的,如果我要设置为入,我需要设置三次,出就要一次就够了
sw2(config-if)#ex六.测试我们实验的需求是否生效
PC1> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=18.941 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=15.408 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=12.003 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=20.997 ms
PC3> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=20.942 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=14.992 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=13.963 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=14.925 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=21.940 ms
PC2> ping 192.168.100.100
*192.168.10.1 icmp_seq=1 ttl=255 time=8.972 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=10.971 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=5.987 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=10.969 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=2.998 ms (ICMP type:3, code:13, Communication administratively prohibited)七.我们再加一条需求,我们有允许10.20主机可以去访问
sw2(config)#ip access-list standard kgc
sw2(config-std-nacl)#12 permit host 192.168.10.20 //我们只能写10的上面或者10-20之间,我们要写到20下面就没有任何意义,
已经拒绝10.0网段的了再写10.20无意义。
sw2(config-std-nacl)#ex
sw2(config)#do show access-lists
Standard IP access list kgc
10 permit 192.168.10.10 (8 matches)
12 permit 192.168.10.20
20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches)八.来测试PC2,10.20能不能访问pc4主机
PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=20.970 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=17.950 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=18.008 ms
九.删除访问控制列表的一条,如果要删除整租ACL,no ip access-ist stand kgc
sw2(config)#ip access-list standard kgc
sw2(config-std-nacl)#no 12
sw2(config-std-nacl)#do show access-lists
Standard IP access list kgc
10 permit 192.168.10.10 (8 matches)
20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches)sw2(config)#no ip access-list standard kgc
sw2(config)#do show access-lists
sw2(config)#本章内容结束,谢谢收看
下一篇:k8s之helm
相关内容
热门资讯
中美联合侦破跨国走私贩毒案,抓...
4月初,中国公安部禁毒局和美国司法部缉毒署成功联合侦破郭某等人走私贩毒案,同步在中国辽宁、广东,美国...
多名网友收到广东地震局短信,官...
5月11日上午,多名广东网友发帖称,自己收到了广东地震局的短信,短信内容如下:【广东省地震局】温馨提...
130公斤黄金!特大走私团伙被...
去年3月,深圳海关在一次例行查验中,从三名旅客的行李箱内查获大量黄金手镯、戒指。这看似偶然的查获,背...
当患者开始自我诊断,谁来为他们...
打开社交软件,“科技减肥”的种草帖暗藏玄机,直播间里“不用运动、轻松躺瘦”的广告轮番刷屏。前脚向各类...
台电弃用于右任题词,沈富雄轰荒...
海峡导报综合报道 台电(台湾电力公司)招牌标志(Logo)字体已经从于右任版,更换成亲绿设计师聂永真...
107平,装下来大概需要多少钱...
这个话还需要您和设计师详细沟通下呢,因为每个人的需求不太一样,我随便给您报价也是对您的不负责任,您看...
800-800瓷砖一平方需要多...
一平方也就是1米×1米这么大个地方,那么800×800的瓷砖也就是0.8米左右的尺寸。这样换算起来就...
装修130平的房子需要多少费用
简约装修:每平米600至1000元,半包300至500元,130平米的房子装修,7.8至13万,半包...
16a转10a插座转换器安全吗
个人觉得16a转10a插座转换器并不怎么安全,因为16a的功率会比较大一些,如果使用一些大功率的电器...
空调多大匹数对应多少面积
问题:空调多大匹数对应多少面积回答:1、对于空调来说,如果选择匹数的话,一定要和房屋的面积成对等,一...