命名访问控制列表详解
admin
2023-03-30 10:21:08
0次
命名访问控制列表
本章目标:通过实验学会命名访问控制列表,添加访问控制,删除访问控制
实验图:
4台主机,一个二层交换机,一个三层交换机
sw1:划分VLAN,给VLAN配置接口,做trunk链路
sw2:划分vlan,通过接口给vlan配置虚拟地址,做trunk链路,做命名访问控制
,关闭交换端口变成三层端口。
pc1:192.168.10.10/24
pc2:192.168.10.20/24
pc3:192.168.20.20/24
pc4:192.168.100.100/24
一.给二层交换机配置VLAN,给vlan配置接口,做trunk链路
sw1#conf t
sw1(config)#vlan 10,20
sw1(config-vlan)#do show vlan-sw b //查看vlan详细信息
sw1(config-vlan)#ex
sw1(config)#do show vlan-sw b
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/1, Fa1/2, Fa1/3
Fa1/4, Fa1/5, Fa1/6, Fa1/7
Fa1/8, Fa1/9, Fa1/10, Fa1/11
Fa1/12, Fa1/13, Fa1/14, Fa1/15
10 VLAN0010 active
20 VLAN0020 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw1(config)#int range fa1/1 -2
sw1(config-if-range)#sw mo acc //进入接口模式
sw1(config-if-range)#sw acc vlan 10 //配置vlan
sw1(config-if-range)#ex
sw1(config)#do show vlan-sw b
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/3, Fa1/4, Fa1/5
Fa1/6, Fa1/7, Fa1/8, Fa1/9
Fa1/10, Fa1/11, Fa1/12, Fa1/13
Fa1/14, Fa1/15
10 VLAN0010 active Fa1/1, Fa1/2
20 VLAN0020 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw1(config)#int f1/3
sw1(config-if)#sw mo acc
sw1(config-if)#sw acc vlan 20
sw1(config-if)#ex
sw1(config)#do show vlan-sw b
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/4, Fa1/5, Fa1/6
Fa1/7, Fa1/8, Fa1/9, Fa1/10
Fa1/11, Fa1/12, Fa1/13, Fa1/14
Fa1/15
10 VLAN0010 active Fa1/1, Fa1/2
20 VLAN0020 active Fa1/3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw1(config)#int f1/0
sw1(config-if)#sw mo t
sw1(config-if)#sw t en dot
sw1(config-if)#ex
sw1(config)#no ip routing //关闭路由功能二.进入三层交换机,划分vlan,通过接口给vlan配置虚拟网址(需要关闭交换端口),配置trunk链路
sw2#conf t
sw2(config)#int f1/1
sw2(config-if)#no switchport //关闭交换端口
sw2(config-if)#ip add 192.168.100.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#do show ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset up up
FastEthernet1/1 192.168.100.1 YES manual up up
FastEthernet1/2 unassigned YES unset up down
FastEthernet1/3 unassigned YES unset up down
FastEthernet1/4 unassigned YES unset up down
FastEthernet1/5 unassigned YES unset up down
FastEthernet1/6 unassigned YES unset up down
FastEthernet1/7 unassigned YES unset up down
FastEthernet1/8 unassigned YES unset up down
FastEthernet1/9 unassigned YES unset up down
FastEthernet1/10 unassigned YES unset up down
FastEthernet1/11 unassigned YES unset up down
FastEthernet1/12 unassigned YES unset up down
FastEthernet1/13 unassigned YES unset up down
FastEthernet1/14 unassigned YES unset up down
FastEthernet1/15 unassigned YES unset up down
Vlan1 unassigned YES unset up up
sw2(config-if)#ex
sw2(config)#vlan 10,20
sw2(config-vlan)#ex
sw2(config)#int vlan 10
sw2(config-if)#ip add 192.168.10.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#ex
sw2(config)#int vlan 20
sw2(config-if)#ip add 192.168.20.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#ex
sw2(config)#do show ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset up up
FastEthernet1/1 192.168.100.1 YES manual up up
FastEthernet1/2 unassigned YES unset up down
FastEthernet1/3 unassigned YES unset up down
FastEthernet1/4 unassigned YES unset up down
FastEthernet1/5 unassigned YES unset up down
FastEthernet1/6 unassigned YES unset up down
FastEthernet1/7 unassigned YES unset up down
FastEthernet1/8 unassigned YES unset up down
FastEthernet1/9 unassigned YES unset up down
FastEthernet1/10 unassigned YES unset up down
FastEthernet1/11 unassigned YES unset up down
FastEthernet1/12 unassigned YES unset up down
FastEthernet1/13 unassigned YES unset up down
FastEthernet1/14 unassigned YES unset up down
FastEthernet1/15 unassigned YES unset up down
Vlan1 unassigned YES unset up up
Vlan10 192.168.10.1 YES manual up down
Vlan20 192.168.20.1 YES manual up down
sw2(config)#int f1/0
sw2(config-if)#sw mo t
sw2(config-if)#sw t en dot
sw2(config-if)#ex三.给每个主机配置IP地址和网关
PC4>
PC4> ip 192.168.100.100 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1
PC1> ip 192.168.10.10 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1
PC2>
PC2> ip 192.168.10.20 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1
PC3> ip 192.168.20.20 192.168.20.1
Checking for duplicate address...
PC1 : 192.168.20.20 255.255.255.0 gateway 192.168.20.1四.测试是不是全网互通
PC1> ping 192.168.100.100
168.100.100 icmp_seq=1 timeout
bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=14.997 ms
bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.984 ms
bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=16.953 ms
bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=20.978 ms
PC1> ping 192.168.10.20
bytes from 192.168.10.20 icmp_seq=1 ttl=64 time=0.000 ms
bytes from 192.168.10.20 icmp_seq=2 ttl=64 time=0.000 ms
bytes from 192.168.10.20 icmp_seq=3 ttl=64 time=0.979 ms
bytes from 192.168.10.20 icmp_seq=4 ttl=64 time=0.000 ms
PC1> ping 192.168.20.20
168.20.20 icmp_seq=1 timeout
bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=14.960 ms
bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=18.941 ms
bytes from 192.168.20.20 icmp_seq=4 ttl=63 time=15.956 ms
bytes from 192.168.20.20 icmp_seq=5 ttl=63 time=19.973 ms五.进入三层交换机配置命名访问控制列表
sw2(config)#ip access-list standard kgc //进入标准访问控制,命名叫kgc
sw2(config-std-nacl)#permit host 192.168.10.10 //允许10.10主机访问
sw2(config-std-nacl)#deny 192.168.10.0 0.0.0.255 //拒绝10.0网段主机访问
sw2(config-std-nacl)#permit any //允许所有主机访问
sw2(config-std-nacl)#ex
sw2(config)#do show access-lists //查看访问控制列表
Standard IP access list kgc
10 permit 192.168.10.10
20 deny 192.168.10.0, wildcard bits 0.0.0.255
30 permit any
sw2(config)#int f1/1
sw2(config-if)#ip access-group kgc out //应用于接口,离限制最近的,如果我要设置为入,我需要设置三次,出就要一次就够了
sw2(config-if)#ex六.测试我们实验的需求是否生效
PC1> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=18.941 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=15.408 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=12.003 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=20.997 ms
PC3> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=20.942 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=14.992 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=13.963 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=14.925 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=21.940 ms
PC2> ping 192.168.100.100
*192.168.10.1 icmp_seq=1 ttl=255 time=8.972 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=10.971 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=5.987 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=10.969 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=2.998 ms (ICMP type:3, code:13, Communication administratively prohibited)七.我们再加一条需求,我们有允许10.20主机可以去访问
sw2(config)#ip access-list standard kgc
sw2(config-std-nacl)#12 permit host 192.168.10.20 //我们只能写10的上面或者10-20之间,我们要写到20下面就没有任何意义,
已经拒绝10.0网段的了再写10.20无意义。
sw2(config-std-nacl)#ex
sw2(config)#do show access-lists
Standard IP access list kgc
10 permit 192.168.10.10 (8 matches)
12 permit 192.168.10.20
20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches)八.来测试PC2,10.20能不能访问pc4主机
PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=20.970 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=17.950 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=18.008 ms
九.删除访问控制列表的一条,如果要删除整租ACL,no ip access-ist stand kgc
sw2(config)#ip access-list standard kgc
sw2(config-std-nacl)#no 12
sw2(config-std-nacl)#do show access-lists
Standard IP access list kgc
10 permit 192.168.10.10 (8 matches)
20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches)sw2(config)#no ip access-list standard kgc
sw2(config)#do show access-lists
sw2(config)#本章内容结束,谢谢收看
下一篇:k8s之helm
相关内容
热门资讯
【第一财经】“扣点点真的有挂吗...
【第一财经】“扣点点真的有挂吗?”(详细开挂教程)您好,扣点点这个游戏其实有挂的,确实是有挂的,需要...
【第一财经】“白金岛红拐弯到底...
有 亲,根据资深记者爆料白金岛红拐弯是可以开挂的,确实有挂(咨询软件无需...
今日重磅消息“红豆牛牛怎么开挂...
今日重磅消息“红豆牛牛怎么开挂?”(太坑了果然有挂)您好,红豆牛牛这个游戏其实有挂的,确实是有挂的,...
“安全智脑”移动端打造票务办理...
“打开手机APP,随时查询安全规程,现场审核工作票风险,这在以前是不可想象的。”12月3日,国网河南...
科技与烟火共生 2025,杭州...
科技与烟火共生 2025,杭州自带高光 2025年,“杭州六小龙”、浙BA、酒店外摆等火爆出圈,它们...
成都人工智能警务场景建设提速
本报记者 蒙婷婷 12月25日,由成都市公安局与成都市经信局联合主办的第二批次人工智能与机器人警务场...
【第一消息】“朋友贵州麻将是不...
有 亲,根据资深记者爆料朋友贵州麻将是可以开挂的,确实有挂(咨询软件无需...
我来教教您“白金岛麻将圈是不是...
有 亲,根据资深记者爆料白金岛麻将圈是可以开挂的,确实有挂(咨询软件无需...
【第一资讯】“开心打筒子到底有...
【第一资讯】“开心打筒子到底有挂吗?”(外卦神器下载)您好,开心打筒子这个游戏其实有挂的,确实是有挂...
今日重大消息“葫芦娃哥们怎么开...
家人们!今天小编来为大家解答葫芦娃哥们透视挂怎么安装这个问题咨询软件客服徽4282891的挂在哪里买...