[Cisco] A comprehensive ACL example

Lab topology:


Lab requirements:

  1. Divide the three switches into three VLANs

  2. VLAN members can reach the Internet, but VLAN 10 and VLAN 20 may not access C3 in VLAN 30; they may still access the other servers

  3. During working hours, employees may not access Taobao (12.0.0.2)

  4. Allow certain employees to access only a specified website and nothing else (taking VLAN 10 members as the example)


Lab steps:

  1. Configure R2, R3 and R4 and create the VLANs

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#no ip routing
R2(config)#vlan 10,20,30
R2(config-vlan)#ex
R2(config)#int f1/1
R2(config-if)#switchport access vlan 10
R2(config-if)#int f1/0
R2(config-if)#switchport mode trunk



R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#no ip routing
R3(config)#vlan 10,20,30
R3(config-vlan)#ex
R3(config)#int f1/2
R3(config-if)#switchport access vlan 20
R3(config-if)#int f1/0
R3(config-if)#switchport mode trunk


R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#no ip routing
R4(config)#vlan 10,20,30
R4(config-vlan)#ex
R4(config)#int f1/3
R4(config-if)#switchport access vlan 30
R4(config-if)#int f1/0
R4(config-if)#switchport mode trunk


2. Configure the gateway R1

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip routing
R1(config)#vlan 10,20,30
R1(config-vlan)#ex
R1(config)#int f1/2
R1(config-if)#no sh
R1(config-if)#switchport mode trunk
*Mar  1 00:09:09.947: %DTP-5-TRUNKPORTON: Port Fa1/2 has become dot1q trunk
R1(config-if)#int f1/3
R1(config-if)#no sh
R1(config-if)#switchport mode trunk
*Mar  1 00:09:17.603: %DTP-5-TRUNKPORTON: Port Fa1/3 has become dot1q trunk
R1(config-if)#int f1/4
R1(config-if)#no sh
R1(config-if)#switchport mode trunk
R1(config-if)#ex
*Mar  1 00:09:23.499: %DTP-5-TRUNKPORTON: Port Fa1/4 has become dot1q trunk
R1(config)#int vlan 10
*Mar  1 00:09:37.339: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int vlan 20
*Mar  1 00:09:49.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
R1(config-if)#ip add 192.168.20.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int vlan 30
*Mar  1 00:09:57.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan30, changed state to up
R1(config-if)#ip add 192.168.30.1 255.255.255.0
R1(config-if)#no sh

At this point VLAN 10 and VLAN 20 can reach VLAN 30.


To make C3 unreachable, an access control list has to be defined:

R1(config)#ip access-list extended test
R1(config-ext-nacl)#deny ip ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

R1(config-ext-nacl)#deny ip 192.168.10.0 0.0.0.255 host 192.168.30.30
R1(config-ext-nacl)#deny ip 192.168.20.0 0.0.0.255 host 192.168.30.30
R1(config-ext-nacl)#permit ip any any


It has to be applied on interface VLAN 30:

R1(config-ext-nacl)#int vlan 30
R1(config-if)#ip access-group test out

After applying it, the test result: the traffic no longer goes through, which achieves the goal.


3. Configure R1 and R6

For the VLAN members to reach the Internet, NAT has to be done on the egress router.

First configure R1:

R1(config)#int f1/5
R1(config-if)#no switchport
R1(config-if)#ip add 192.168.16.1 255.255.255.0
R1(config-if)#no sh
*Mar  1 00:26:09.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/5, changed state to up
R1(config-if)#ex
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.16.6    // don't forget a default route pointing at the egress router


Configure R6:

R6#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R6(config)#int f0/1
R6(config-if)#ip add 192.168.16.6 255.255.255.0
R6(config-if)#no sh
R6(config-if)#ex
*Mar  1 00:15:42.207: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar  1 00:15:43.207: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R6(config)#ip route 192.168.10.0 255.255.255.0 192.168.16.1
R6(config)#ip route 192.168.20.0 255.255.255.0 192.168.16.1
R6(config)#ip route 192.168.30.0 255.255.255.0 192.168.16.1        // the return routes must be set as well
R6(config)#int f0/1
R6(config-if)#ip nat inside
*Mar  1 00:16:20.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R6(config-if)#int f0/0
R6(config-if)#ip add 12.0.0.1 255.255.255.0
R6(config-if)#no sh
*Mar  1 00:16:42.079: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:16:43.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R6(config-if)#ip nat outside
R6(config-if)#ex


First define the internal subnets that are allowed to reach the Internet:

R6(config)#access-list 10 permit 192.168.10.0 0.0.0.255
R6(config)#access-list 10 permit 192.168.20.0 0.0.0.255
R6(config)#access-list 10 permit 192.168.30.0 0.0.0.255

Check it:

R6(config)#do show access-lists
Standard IP access list 10
    10 permit 192.168.10.0, wildcard bits 0.0.0.255
    20 permit 192.168.20.0, wildcard bits 0.0.0.255
    30 permit 192.168.30.0, wildcard bits 0.0.0.255

No errors. Now use the outside interface, overloaded (PAT), for Internet access:

R6(config)#ip nat inside source list 10 int f0/0 overload 


The lab requires that Taobao be unreachable during working hours; I use a Linux virtual machine to simulate it, with IP address 12.0.0.2.

At this point Internet access works.

To block Taobao during working hours, first define a time range; take working hours as 8:30-11:30 and 13:30-17:30.

R6(config)#time-range work
R6(config-time-range)#periodic weekdays 8:30 to 11:30
R6(config-time-range)#periodic weekdays 13:30 to 17:30
R6(config-time-range)#ex
R6(config)#end
*Mar  1 00:35:21.703: %SYS-5-CONFIG_I: Configured from console by console


R6#clock set 15:30:00 27 AUG 2014          // set the router clock, otherwise the time range never matches

*Aug 27 15:30:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:36:01 UTC Fri Mar 1 2002 to 15:30:00 UTC Wed Aug 27 2014, configured from console by console.
R6#show clock
15:30:03.867 UTC Wed Aug 27 2014

R6#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R6(config)#ip access-list extended nowww
R6(config-ext-nacl)#deny tcp any host 12.0.0.2 eq www time-range work  // denied only while the time range is active
R6(config-ext-nacl)#permit ip any any

Apply it on the egress router's inside interface:

R6(config-ext-nacl)#int f0/1
R6(config-if)#ip access-group nowww in    // the "no" form would remove the list instead of applying it


Now, test whether Internet access still works: the connection is cut off, so the lab goal is achieved.

Finally, to allow VLAN 10 members to access only Baidu (assume its IP is 12.0.0.3), configure an access control list on R1.

R1(config)#ip access-list extended vlan10
R1(config-ext-nacl)#permit tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

R1(config-ext-nacl)#permit tcp host 192.168.10.10 host 12.0.0.3 eq www
R1(config-ext-nacl)#ex


Apply it on VLAN 10:

R1(config)#int vlan 10
R1(config-if)#ip access-group vlan10 in    // inbound: checks packets sent by VLAN 10 hosts; applied outbound it would only see the replies, which the list never permits

Lab complete.
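As an added example (not part of the original post), a small Python model of how IOS evaluates the three extended lists above: Cisco wildcard masks, first match wins, the implicit deny at the end, and an entry that is only active inside its time range. The sample flows are constructed; they also show why the `vlan10` list has to face inbound on the SVI, since the reply from 12.0.0.3 never matches its single permit entry.

```python
import ipaddress
from datetime import datetime

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def in_work_hours(when):
    """time-range work: periodic weekdays 8:30 to 11:30 and 13:30 to 17:30."""
    if when.weekday() >= 5:                 # Saturday/Sunday: range inactive
        return False
    hm = when.hour * 60 + when.minute
    return 8 * 60 + 30 <= hm <= 11 * 60 + 30 or 13 * 60 + 30 <= hm <= 17 * 60 + 30

def parse_clock(s):
    """Clock as 'YYYY-MM-DD HH:MM' (the page sets 15:30 on 27 Aug 2014)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

ANY = ("0.0.0.0", "255.255.255.255")
# Entry: (action, protocol, src base, src wildcard, dst base, dst wildcard, dst port, time check)
TEST_ACL = [                                     # R1: ip access-list extended test
    ("deny", "ip", "192.168.10.0", "0.0.0.255", "192.168.30.30", "0.0.0.0", None, None),
    ("deny", "ip", "192.168.20.0", "0.0.0.255", "192.168.30.30", "0.0.0.0", None, None),
    ("permit", "ip", *ANY, *ANY, None, None),
]
NOWWW_ACL = [                                    # R6: ip access-list extended nowww
    ("deny", "tcp", *ANY, "12.0.0.2", "0.0.0.0", 80, in_work_hours),
    ("permit", "ip", *ANY, *ANY, None, None),
]
VLAN10_ACL = [                                   # R1: ip access-list extended vlan10
    ("permit", "tcp", "192.168.10.10", "0.0.0.0", "12.0.0.3", "0.0.0.0", 80, None),
]

def evaluate(acl, src, dst, proto="ip", dport=None, when="2014-08-27 15:30"):
    """Action for one packet: first matching entry wins; no match is the implicit deny."""
    for action, p, sb, sw, db, dw, port, active in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if port is not None and port != dport:
            continue
        if active is not None and not active(parse_clock(when)):
            continue                             # entry outside its time range is skipped
        return action
    return "deny"
```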

