命名访问控制列表需求允许vlan10中PC2主机可以访问PC1拒绝vlan10中其他主机访问PC1允许其他网段中的主机访问PC11、在GNS 3中构建拓扑实验,并在拓扑区域标出主机接口、IP地址、需求
.
命名访问控制列表
- 需求
- 允许vlan10中PC2主机可以访问PC1
- 拒绝vlan10中其他主机访问PC1
- 允许其他网段中的主机访问PC1
1、在GNS 3中构建拓扑实验,并在拓扑区域标出主机接口、IP地址、需求、网关等信息,如图所示:
2、开启全部设备,并先在交换设中配置vlan信息
sw#conf t //进入接口模式Enter configuration commands, one per line. End with CNTL/Z.sw(config)#vlan 10,20 //添加vlansw(config-vlan)#ex //退出vlan接口sw(config)#do show vlan-sw b //查看vlanVLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Fa1/0, Fa1/1, Fa1/2, Fa1/3 Fa1/4, Fa1/5, Fa1/6, Fa1/7 Fa1/8, Fa1/9, Fa1/10, Fa1/11 Fa1/12, Fa1/13, Fa1/14, Fa1/1510 VLAN0010 active 20 VLAN0020 active 1002 fddi-default act/unsup 1003 token-ring-default act/unsup 1004 fddinet-default act/unsup 1005 trnet-default act/unsup sw(config)#int range fa1/1 -2 //进入f1/1、f1/2接口模式sw(config-if-range)#sw mo acc sw(config-if-range)#sw access vlan 10 //将接口添加到vlan10中sw(config-if-range)#ex sw(config)#do show vlan-sw b //查看接口是否加入vlanVLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Fa1/0, Fa1/3, Fa1/4, Fa1/5 Fa1/6, Fa1/7, Fa1/8, Fa1/9 Fa1/10, Fa1/11, Fa1/12, Fa1/13 Fa1/14, Fa1/1510 VLAN0010 active Fa1/1, Fa1/2 //成功添加20 VLAN0020 active 1002 fddi-default act/unsup 1003 token-ring-default act/unsup 1004 fddinet-default act/unsup 1005 trnet-default act/unsup sw(config)#int f1/3 //进入f1/3接口sw(config-if)#sw mo acc sw(config-if)#sw acc vlan 20 //将接口加入vlan20sw(config-if)#exsw(config)#do show vlan-sw b //查看VLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Fa1/0, Fa1/4, Fa1/5, Fa1/6 Fa1/7, Fa1/8, Fa1/9, Fa1/10 Fa1/11, Fa1/12, Fa1/13, Fa1/14 Fa1/1510 VLAN0010 active Fa1/1, Fa1/220 VLAN0020 active Fa1/3 //成功添加1002 fddi-default act/unsup 1003 token-ring-default act/unsup 1004 fddinet-default act/unsup 1005 trnet-default act/unsup sw(config)#int f1/0 //进入f1/0接口sw(config-if)#sw mo t //做trunk链路sw(config-if)#*Mar 1 00:06:52.483: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunksw(config-if)#sw t encapsulation dot1q //封装trunk协议sw(config-if)#exsw(config)#no ip routing //关闭路由功能3、进入三层交换设备,添加接口IP地址,
sw-3#conf t //进入全局模式Enter configuration commands, one per line. End with CNTL/Z.sw-3(config)#int f1/1 //进入f1/1接口sw-3(config-if)#no switchport //关闭交换功能*Mar 1 00:11:19.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to upsw-3(config-if)#ip add 192.168.100.1 255.255.255.0 //添加IP网关地址sw-3(config-if)#no shut //开启接口sw-3(config-if)#do show ip int b //查看Interface IP-Address OK? Method Status ProtocolFastEthernet0/0 unassigned YES unset administratively down down FastEthernet0/1 unassigned YES unset administratively down down FastEthernet1/0 unassigned YES unset up up FastEthernet1/1 192.168.100.1 YES manual up up //成功添加IP网关地址 FastEthernet1/2 unassigned YES unset up down FastEthernet1/3 unassigned YES unset up down FastEthernet1/4 unassigned YES unset up down FastEthernet1/5 unassigned YES unset up down FastEthernet1/6 unassigned YES unset up down FastEthernet1/7 unassigned YES unset up down FastEthernet1/8 unassigned YES unset up down sw-3(config-if)#exsw-3(config)#vlan 10,20 //添加vlansw-3(config-vlan)#int vlan 10 //进入vlan 10sw-3(config-if)#ip add 192.168.10.1 255.255.255.0 //添加IP地址sw-3(config-if)#no shut //开启接口sw-3(config-if)#exsw-3(config)#int vlan 20 //进入vlan 20sw-3(config-if)#ip add 192.168.20.1 255.255.255.0 //添加IP地址sw-3(config-if)#no shut //开启接口sw-3(config-if)#exsw-3(config)#do show ip int b //查看Interface IP-Address OK? Method Status ProtocolFastEthernet0/0 unassigned YES unset administratively down down FastEthernet0/1 unassigned YES unset administratively down down FastEthernet1/0 unassigned YES unset up up FastEthernet1/1 192.168.100.1 YES manual up up //成功添加IP网关地址 FastEthernet1/2 unassigned YES unset up down FastEthernet1/3 unassigned YES unset up down FastEthernet1/4 unassigned YES unset up down FastEthernet1/5 unassigned YES unset up down FastEthernet1/6 unassigned YES unset up down FastEthernet1/7 unassigned YES unset up down FastEthernet1/8 unassigned YES unset up down FastEthernet1/9 unassigned YES unset up down FastEthernet1/10 unassigned YES unset up down FastEthernet1/11 unassigned YES unset up down FastEthernet1/12 unassigned YES unset up down FastEthernet1/13 unassigned YES unset up down FastEthernet1/14 unassigned YES unset up down FastEthernet1/15 unassigned YES unset up down Vlan1 unassigned YES unset up up Vlan10 192.168.10.1 YES manual up down //网关添加成功Vlan20 192.168.20.1 YES manual up down sw-3(config)#int f1/0 //进入f1/0接口sw-3(config-if)#sw mo t //制作trunk链路*Mar 1 00:16:07.979: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunk*Mar 1 00:16:08.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up*Mar 1 00:16:08.483: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to upsw-3(config-if)#sw t encapsulation dot1q //封装trunk协议sw-3(config-if)#do show ip rout //查看路由表Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static routeGateway of last resort is not setC 192.168.10.0/24 is directly connected, Vlan10C 192.168.20.0/24 is directly connected, Vlan20 //成功添加路由表C 192.168.100.0/24 is directly connected, FastEthernet1/14、在PC机上分别配置IP地址,并测试四台PC机的互通性
PC1> ip 192.168.100.100 192.168.100.1Checking for duplicate address...PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1PC2> ip 192.168.10.10 192.168.10.1Checking for duplicate address...PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1PC3> ip 192.168.10.20 192.168.10.1Checking for duplicate address...PC1 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1PC4> ip 192.168.20.20 192.168.20.1Checking for duplicate address...PC1 : 192.168.20.20 255.255.255.0 gateway 192.168.20.1PC2> ping 192.168.100.100192.168.100.100 icmp_seq=1 timeout192.168.100.100 icmp_seq=2 timeout84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=21.556 ms84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=15.601 ms 84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=22.945 msPC2> ping 192.168.10.20 84 bytes from 192.168.10.20 icmp_seq=1 ttl=64 time=0.000 ms84 bytes from 192.168.10.20 icmp_seq=2 ttl=64 time=0.000 ms84 bytes from 192.168.10.20 icmp_seq=3 ttl=64 time=0.000 ms84 bytes from 192.168.10.20 icmp_seq=4 ttl=64 time=0.000 ms84 bytes from 192.168.10.20 icmp_seq=5 ttl=64 time=0.000 msPC2> ping 192.168.20.2084 bytes from 192.168.20.20 icmp_seq=1 ttl=63 time=16.954 ms84 bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=20.944 ms84 bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=23.487 ms84 bytes from 192.168.20.20 icmp_seq=4 ttl=63 time=13.997 ms84 bytes from 192.168.20.20 icmp_seq=5 ttl=63 time=18.998 ms5、在三层交换设备中配置命令访问控制列表
sw-3(config-if)#exsw-3(config)#ip access-list standard kgc //配置命名访问控制列表sw-3(config-std-nacl)#permit host 192.168.10.10 //允许PC2主机访问sw-3(config-std-nacl)#deny 192.168.10.0 0.0.0.255 //拒接10.0网段访问sw-3(config-std-nacl)#permit any //允许所有网段访问sw-3(config)#do show access-lists //查看列表Standard IP access list kgc 10 permit 192.168.10.10 20 deny 192.168.10.0, wildcard bits 0.0.0.255 //成功添加 30 permit anysw-3(config)#int f1/1 //进入f1/1接口sw-3(config-if)#ip access-group kgc out //在出口位置应用列表6、测试配置的命名访问控制列表是否生效
PC2> ping 192.168.100.100 //使用PC2测试与PC1通信,正常通信192.168.100.100 icmp_seq=1 timeout192.168.100.100 icmp_seq=2 timeout84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.957 ms84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=17.958 ms84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=18.953 msPC4> ping 192.168.100.100 //使用使用PC4测试与PC1通信,正常通信84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=19.021 ms84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=24.934 ms84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.957 ms84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=14.960 ms84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=18.023 msPC3> ping 192.168.100.100 //使用使用PC3测试与PC1通信时显示拒绝访问,配置成功*192.168.10.1 icmp_seq=1 ttl=255 time=8.033 ms (ICMP type:3, code:13, Communication administratively prohibited)*192.168.10.1 icmp_seq=2 ttl=255 time=12.965 ms (ICMP type:3, code:13, Communication administratively prohibited)*192.168.10.1 icmp_seq=3 ttl=255 time=11.004 ms (ICMP type:3, code:13, Communication administratively prohibited)*192.168.10.1 icmp_seq=4 ttl=255 time=10.998 ms (ICMP type:3, code:13, Communication administratively prohibited)*192.168.10.1 icmp_seq=5 ttl=255 time=12.966 ms (ICMP type:3, code:13, Communication administratively prohibited)7、通过序列号添加列表条目,使PC3也可以与PC1通信
sw-3(config-if)#exsw-3(config)#ip access-list standard kgc //配置命名访问控制列表sw-3(config-std-nacl)#12 permit host 192.168.10.20 //添加条目号为12的条目,允许PC3访问sw-3(config-std-nacl)#exsw-3(config)#do show access-lists //查看列表信息Standard IP access list kgc 10 permit 192.168.10.10 (5 matches) 12 permit 192.168.10.20 //成添加 20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches) 30 permit any (5 matches)8、测试是否配置成功
PC3> ping 192.168.100.100 //使用使用PC3测试与PC1通信,正常通信192.168.100.100 icmp_seq=1 timeout192.168.100.100 icmp_seq=2 timeout84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=22.997 ms84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=21.008 ms84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=15.957 ms9、删除添加的条目
sw-3(config)#ip access-list standard kgc //配置命名访问控制列表sw-3(config-std-nacl)#no 12 //删除列表中12的条目sw-3(config-std-nacl)#exsw-3(config)#do show access-lists //查看列表Standard IP access list kgc 10 permit 192.168.10.10 (5 matches) 20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches) 30 permit any (5 matches) //成功删除10、测试结果
PC3> ping 192.168.100.100*192.168.10.1 icmp_seq=1 ttl=255 time=8.973 ms (ICMP type:3, code:13, Communication administratively prohibited)*192.168.10.1 icmp_seq=2 ttl=255 time=4.981 ms (ICMP type:3, code:13, Communication administratively prohibited)*192.168.10.1 icmp_seq=3 ttl=255 time=10.971 ms (ICMP type:3, code:13, Communication administratively prohibited)*192.168.10.1 icmp_seq=4 ttl=255 time=8.552 ms (ICMP type:3, code:13, Communication administratively prohibited)*192.168.10.1 icmp_seq=5 ttl=255 time=2.993 ms (ICMP type:3, code:13, Communication administratively prohibited)