命名訪問控制列表詳解
命名訪問控制列表
本章目標:經過實驗學會命名訪問控制列表,添加訪問控制,刪除訪問控制
實驗圖:
4臺主機,一個二層交換機,一個三層交換機
sw1:劃分VLAN,給VLAN配置接口,作trunk鏈路
sw2:劃分vlan,經過接口給vlan配置虛擬地址,作trunk鏈路,作命名訪問控制
,關閉交換端口變成三層端口。
pc1:192.168.10.10/24
pc2:192.168.10.20/24
pc3:192.168.20.20/24
pc4:192.168.100.100/24ide
一.給二層交換機配置VLAN,給vlan配置接口,作trunk鏈路
sw1#conf t
sw1(config)#vlan 10,20
sw1(config-vlan)#do show vlan-sw b //查看vlan詳細信息
sw1(config-vlan)#ex
sw1(config)#do show vlan-sw b
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/1, Fa1/2, Fa1/3
Fa1/4, Fa1/5, Fa1/6, Fa1/7
Fa1/8, Fa1/9, Fa1/10, Fa1/11
Fa1/12, Fa1/13, Fa1/14, Fa1/15
10 VLAN0010 active
20 VLAN0020 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw1(config)#int range fa1/1 -2
sw1(config-if-range)#sw mo acc //進入接口模式
sw1(config-if-range)#sw acc vlan 10 //配置vlan
sw1(config-if-range)#ex
sw1(config)#do show vlan-sw b
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/3, Fa1/4, Fa1/5
Fa1/6, Fa1/7, Fa1/8, Fa1/9
Fa1/10, Fa1/11, Fa1/12, Fa1/13
Fa1/14, Fa1/15
10 VLAN0010 active Fa1/1, Fa1/2
20 VLAN0020 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw1(config)#int f1/3
sw1(config-if)#sw mo acc
sw1(config-if)#sw acc vlan 20
sw1(config-if)#ex
sw1(config)#do show vlan-sw b
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/4, Fa1/5, Fa1/6
Fa1/7, Fa1/8, Fa1/9, Fa1/10
Fa1/11, Fa1/12, Fa1/13, Fa1/14
Fa1/15
10 VLAN0010 active Fa1/1, Fa1/2
20 VLAN0020 active Fa1/3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw1(config)#int f1/0
sw1(config-if)#sw mo t
sw1(config-if)#sw t en dot
sw1(config-if)#ex
sw1(config)#no ip routing //關閉路由功能
二.進入三層交換機,劃分vlan,經過接口給vlan配置虛擬網址(須要關閉交換端口),配置trunk鏈路
sw2#conf t sw2(config)#int f1/1 sw2(config-if)#no switchport //關閉交換端口 sw2(config-if)#ip add 192.168.100.1 255.255.255.0 sw2(config-if)#no shut sw2(config-if)#do show ip int b Interface IP-Address OK? Method Status Protocol FastEthernet0/0 unassigned YES unset administratively down down FastEthernet0/1 unassigned YES unset administratively down down FastEthernet1/0 unassigned YES unset up up FastEthernet1/1 192.168.100.1 YES manual up up FastEthernet1/2 unassigned YES unset up down FastEthernet1/3 unassigned YES unset up down FastEthernet1/4 unassigned YES unset up down FastEthernet1/5 unassigned YES unset up down FastEthernet1/6 unassigned YES unset up down FastEthernet1/7 unassigned YES unset up down FastEthernet1/8 unassigned YES unset up down FastEthernet1/9 unassigned YES unset up down FastEthernet1/10 unassigned YES unset up down FastEthernet1/11 unassigned YES unset up down FastEthernet1/12 unassigned YES unset up down FastEthernet1/13 unassigned YES unset up down FastEthernet1/14 unassigned YES unset up down FastEthernet1/15 unassigned YES unset up down Vlan1 unassigned YES unset up up sw2(config-if)#ex sw2(config)#vlan 10,20 sw2(config-vlan)#ex sw2(config)#int vlan 10 sw2(config-if)#ip add 192.168.10.1 255.255.255.0 sw2(config-if)#no shut sw2(config-if)#ex sw2(config)#int vlan 20 sw2(config-if)#ip add 192.168.20.1 255.255.255.0 sw2(config-if)#no shut sw2(config-if)#ex sw2(config)#do show ip int b Interface IP-Address OK? Method Status Protocol FastEthernet0/0 unassigned YES unset administratively down down FastEthernet0/1 unassigned YES unset administratively down down FastEthernet1/0 unassigned YES unset up up FastEthernet1/1 192.168.100.1 YES manual up up FastEthernet1/2 unassigned YES unset up down FastEthernet1/3 unassigned YES unset up down FastEthernet1/4 unassigned YES unset up down FastEthernet1/5 unassigned YES unset up down FastEthernet1/6 unassigned YES unset up down FastEthernet1/7 unassigned YES unset up down FastEthernet1/8 unassigned YES unset up down FastEthernet1/9 unassigned YES unset up down FastEthernet1/10 unassigned YES unset up down FastEthernet1/11 unassigned YES unset up down FastEthernet1/12 unassigned YES unset up down FastEthernet1/13 unassigned YES unset up down FastEthernet1/14 unassigned YES unset up down FastEthernet1/15 unassigned YES unset up down Vlan1 unassigned YES unset up up Vlan10 192.168.10.1 YES manual up down Vlan20 192.168.20.1 YES manual up down sw2(config)#int f1/0 sw2(config-if)#sw mo t sw2(config-if)#sw t en dot sw2(config-if)#ex
三.給每一個主機配置IP地址和網關
PC4> PC4> ip 192.168.100.100 192.168.100.1 Checking for duplicate address... PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1 PC1> ip 192.168.10.10 192.168.10.1 Checking for duplicate address... PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1 PC2> PC2> ip 192.168.10.20 192.168.10.1 Checking for duplicate address... PC1 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1 PC3> ip 192.168.20.20 192.168.20.1 Checking for duplicate address... PC1 : 192.168.20.20 255.255.255.0 gateway 192.168.20.1
四.測試是否是全網互通
PC1> ping 192.168.100.100 168.100.100 icmp_seq=1 timeout bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=14.997 ms bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.984 ms bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=16.953 ms bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=20.978 ms PC1> ping 192.168.10.20 bytes from 192.168.10.20 icmp_seq=1 ttl=64 time=0.000 ms bytes from 192.168.10.20 icmp_seq=2 ttl=64 time=0.000 ms bytes from 192.168.10.20 icmp_seq=3 ttl=64 time=0.979 ms bytes from 192.168.10.20 icmp_seq=4 ttl=64 time=0.000 ms PC1> ping 192.168.20.20 168.20.20 icmp_seq=1 timeout bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=14.960 ms bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=18.941 ms bytes from 192.168.20.20 icmp_seq=4 ttl=63 time=15.956 ms bytes from 192.168.20.20 icmp_seq=5 ttl=63 time=19.973 ms
五.進入三層交換機配置命名訪問控制列表
sw2(config)#ip access-list standard kgc //進入標準訪問控制,命名叫kgc
sw2(config-std-nacl)#permit host 192.168.10.10 //容許10.10主機訪問
sw2(config-std-nacl)#deny 192.168.10.0 0.0.0.255 //拒絕10.0網段主機訪問
sw2(config-std-nacl)#permit any //容許全部主機訪問
sw2(config-std-nacl)#ex
sw2(config)#do show access-lists //查看訪問控制列表
Standard IP access list kgc
10 permit 192.168.10.10
20 deny 192.168.10.0, wildcard bits 0.0.0.255
30 permit any
sw2(config)#int f1/1
sw2(config-if)#ip access-group kgc out //應用於接口,離限制最近的,若是我要設置爲入,我須要設置三次,出就要一次就夠了
sw2(config-if)#ex
六.測試咱們實驗的需求是否生效
PC1> ping 192.168.100.100 84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=18.941 ms 84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=15.408 ms 84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=12.003 ms 84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=20.997 ms PC3> ping 192.168.100.100 84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=20.942 ms 84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=14.992 ms 84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=13.963 ms 84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=14.925 ms 84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=21.940 ms PC2> ping 192.168.100.100 *192.168.10.1 icmp_seq=1 ttl=255 time=8.972 ms (ICMP type:3, code:13, Communication administratively prohibited) *192.168.10.1 icmp_seq=2 ttl=255 time=10.971 ms (ICMP type:3, code:13, Communication administratively prohibited) *192.168.10.1 icmp_seq=3 ttl=255 time=5.987 ms (ICMP type:3, code:13, Communication administratively prohibited) *192.168.10.1 icmp_seq=4 ttl=255 time=10.969 ms (ICMP type:3, code:13, Communication administratively prohibited) *192.168.10.1 icmp_seq=5 ttl=255 time=2.998 ms (ICMP type:3, code:13, Communication administratively prohibited)
七.咱們再加一條需求,咱們有容許10.20主機能夠去訪問
sw2(config)#ip access-list standard kgc
sw2(config-std-nacl)#12 permit host 192.168.10.20 //咱們只能寫10的上面或者10-20之間,咱們要寫到20下面就沒有任何意義,
已經拒絕10.0網段的了再寫10.20無心義。
sw2(config-std-nacl)#ex
sw2(config)#do show access-lists
Standard IP access list kgc
10 permit 192.168.10.10 (8 matches)
12 permit 192.168.10.20
20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches)
八.來測試PC2,10.20能不能訪問pc4主機
PC2> ping 192.168.100.100 192.168.100.100 icmp_seq=1 timeout 192.168.100.100 icmp_seq=2 timeout 84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=20.970 ms 84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=17.950 ms 84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=18.008 ms
九.刪除訪問控制列表的一條,若是要刪除整租ACL,no ip access-ist stand kgc
sw2(config)#ip access-list standard kgc
sw2(config-std-nacl)#no 12
sw2(config-std-nacl)#do show access-lists
Standard IP access list kgc
10 permit 192.168.10.10 (8 matches)
20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches)
sw2(config)#no ip access-list standard kgc sw2(config)#do show access-lists sw2(config)#
本章內容結束,謝謝收看
相關文章
- 1. ACL命名訪問控制列表
- 2. 訪問控制列表 配置:命名訪問控制列表配置
- 3. ACL訪問控制列表——命名訪問控制列表(實操!!!)
- 4. ACL——命令訪問控制列表
- 5. ACL訪問控制列表(標準性、擴展性、命名性)
- 6. 命名性訪問控制列表的配置實驗
- 7. ACL訪問控制列表之命名篇(實踐)
- 8. 訪問控制列表--擴展ACL、命名的ACL
- 9. 訪問控制列表ACL
- 10. Linux 訪問控制列表
- 更多相關文章...
- • Swift 訪問控制 - Swift 教程
- • ARP協議的工作機制詳解 - TCP/IP教程
- • Flink 數據傳輸及反壓詳解
- • Docker 清理命令
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. Duang!超快Wi-Fi來襲
- 2. 機器學習-補充03 神經網絡之**函數(Activation Function)
- 3. git上開源maven項目部署 多module maven項目(多module maven+redis+tomcat+mysql)後臺部署流程學習記錄
- 4. ecliple-tomcat部署maven項目方式之一
- 5. eclipse新導入的項目經常可以看到「XX cannot be resolved to a type」的報錯信息
- 6. Spark RDD的依賴於DAG的工作原理
- 7. VMware安裝CentOS-8教程詳解
- 8. YDOOK:Java 項目 Spring 項目導入基本四大 jar 包 導入依賴,怎樣在 IDEA 的項目結構中導入 jar 包 導入依賴
- 9. 簡單方法使得putty(windows10上)可以免密登錄樹莓派
- 10. idea怎麼用本地maven
歡迎關注本站公眾號,獲取更多信息
相關文章