Tags: Cisco ACL
Lab topology:
Lab requirements:
Three switches, divided into 3 VLANs.
VLAN members can reach the Internet, but VLAN 10 and VLAN 20 may not access C3 in VLAN 30; they may still access the other servers.
During working hours, employees may not access Taobao (12.0.0.2).
Certain employees are allowed to access only a specified website and nothing else (using the VLAN 10 members as the example).
Lab steps:
1. Configure R2, R3 and R4 and create the VLANs
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#no ip routing
R2(config)#vlan 10,20,30
R2(config-vlan)#ex
R2(config)#int f1/1
R2(config-if)#switchport access vlan 10
R2(config-if)#int f1/0
R2(config-if)#switchport mode trunk
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#no ip routing
R3(config)#vlan 10,20,30
R3(config-vlan)#ex
R3(config)#int f1/2
R3(config-if)#switchport access vlan 20
R3(config-if)#int f1/0
R3(config-if)#switchport mode trunk
R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#no ip routing
R4(config)#vlan 10,20,30
R4(config-vlan)#ex
R4(config)#int f1/3
R4(config-if)#switchport access vlan 30
R4(config-if)#int f1/0
R4(config-if)#switchport mode trunk
2. Configure the gateway R1
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip routing
R1(config)#vlan 10,20,30
R1(config-vlan)#ex
R1(config)#int f1/2
R1(config-if)#no sh
R1(config-if)#switchport mode trunk
R1(config-if)#no sh
*Mar 1 00:09:09.947: %DTP-5-TRUNKPORTON: Port Fa1/2 has become dot1q trunk
R1(config-if)#int f1/3
R1(config-if)#no sh
R1(config-if)#switchport mode trunk
*Mar 1 00:09:17.603: %DTP-5-TRUNKPORTON: Port Fa1/3 has become dot1q trunk
R1(config-if)#int f1/4
R1(config-if)#no sh
R1(config-if)#switchport mode trunk
R1(config-if)#ex
*Mar 1 00:09:23.499: %DTP-5-TRUNKPORTON: Port Fa1/4 has become dot1q trunk
R1(config)#int vlan 10
*Mar 1 00:09:37.339: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int vlan 20
R1(config-if)#ip add 192.168.10.1 255.255.255.0
*Mar 1 00:09:49.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
R1(config-if)#ip add 192.168.20.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int vlan 30
R1(config-if)#ip add 192.168.20.1 255.255.255.0
*Mar 1 00:09:57.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan30, changed state to up
R1(config-if)#ip add 192.168.30.1 255.255.255.0
R1(config-if)#no sh
At this point VLAN 10 and VLAN 20 can reach VLAN 30.
To make C3 unreachable, an ACL (access control list) has to be defined.
R1(config)#ip access-list extended test
R1(config-ext-nacl)#deny ip ?
A.B.C.D Source address
any Any source host
host A single source host
R1(config-ext-nacl)#deny ip 192.168.10.0 0.0.0.255 host 192.168.30.30
R1(config-ext-nacl)#deny ip 192.168.20.0 0.0.0.255 host 192.168.30.30
R1(config-ext-nacl)#permit ip any any
It has to be applied on VLAN 30 (outbound, so it filters traffic routed toward the VLAN 30 hosts).
R1(config-if)#int vlan 30
R1(config-if)#ip access-group test out
Test result after applying it:
3. Configure R1 and R6
For the VLAN members to reach the Internet, NAT has to be configured on the exit router.
First configure R1.
R1(config)#int f1/5
R1(config-if)#no switchport
R1(config-if)#ip add 192.168.16.1 255.255.255.0
R1(config-if)#no sh
*Mar 1 00:26:09.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/5, changed state to up
R1(config-if)#ex
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.16.6 // don't forget a default route pointing at the exit router
Configure R6.
R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#int f0/1
R6(config-if)#ip add 192.168.16.6 255.255.255.0
R6(config-if)#no sh
R6(config-if)#ex
*Mar 1 00:15:42.207: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:15:43.207: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R6(config)#ip route 192.168.10.0 255.255.255.0 192.168.16.1
R6(config)#ip route 192.168.20.0 255.255.255.0 192.168.16.1
R6(config)#ip route 192.168.30.0 255.255.255.0 192.168.16.1 // the return routes to the VLANs also have to be configured
R6(config)#int f0/1
R6(config-if)#ip nat inside
*Mar 1 00:16:20.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R6(config-if)#int f0/0
R6(config-if)#ip add 12.0.0.1 255.255.255.0
R6(config-if)#no sh
*Mar 1 00:16:42.079: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:16:43.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R6(config-if)#ip nat outside
R6(config-if)#ex
First define the internal subnets that are allowed to reach the Internet.
R6(config)#access-list 10 permit 192.168.10.0 0.0.0.255
R6(config)#access-list 10 permit 192.168.20.0 0.0.0.255
R6(config)#access-list 10 permit 192.168.30.0 0.0.0.255
Check it:
R6(config)#do show access-lists
Standard IP access list 10
10 permit 192.168.10.0, wildcard bits 0.0.0.255
20 permit 192.168.20.0, wildcard bits 0.0.0.255
30 permit 192.168.30.0, wildcard bits 0.0.0.255
Correct. Use the external interface with overload (PAT) for Internet access.
R6(config)#ip nat inside source list 10 int f0/0 overload
The lab requires that Taobao is not reachable during working hours; I use a Linux VM to simulate it, with IP address 12.0.0.2.
At this point Internet access works.
To block Taobao during working hours, a time range has to be defined first; working hours are set to 8:30-11:30 and 13:30-17:30.
R6(config)#time-range work
R6(config-time-range)#periodic weekdays 8:30 to 11:30
R6(config-time-range)#periodic weekdays 13:30 to 17:30
R6(config-time-range)#ex
R6(config)#end
*Mar 1 00:35:21.703: %SYS-5-CONFIG_I: Configured from console by console
R6#clock set 15:30:00 27 AUG 2014 // set the router clock, otherwise the time range is evaluated against the wrong time
*Aug 27 15:30:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:36:01 UTC Fri Mar 1 2002 to 15:30:00 UTC Wed Aug 27 2014, configured from console by console.
R6#show clock
15:30:03.867 UTC Wed Aug 27 2014
R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#ip access-list extended nowww
R6(config-ext-nacl)#deny tcp any host 12.0.0.2 eq www time-range work // deny during working hours only
R6(config-ext-nacl)#permit ip any any
Apply it inbound on the exit router's internal interface.
R6(config)#int f0/1
R6(config-if)#ip access-group nowww in // inbound on the inside interface: filters traffic from the VLANs toward the Internet
Now test whether Internet access still works.
Finally, to allow the VLAN 10 members to access only Baidu, assumed to be at IP 12.0.0.3, an ACL has to be configured on R1.
R1(config)#ip access-list extended vlan10
R1(config-ext-nacl)#permit tcp ?
A.B.C.D Source address
any Any source host
host A single source host
R1(config-ext-nacl)#permit tcp host 192.168.10.10 host 12.0.0.3 eq www
R1(config-ext-nacl)#ex
Apply it on VLAN 10.
R1(config)#int vlan 10
R1(config-if)#ip access-group vlan10 in // inbound on the VLAN 10 SVI, where traffic sourced by the VLAN 10 hosts enters the router
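The three ACLs in this lab (test on R1, nowww on R6 and vlan10 on R1) can be checked offline before they go onto the routers. The following is an added example, not configuration or code from the original post: a small Python model of IOS extended-ACL evaluation (first match wins, implicit deny at the end, wildcard masks, time-range ACEs ignored while inactive) run against the lab's ACEs, with the working-hour windows and the clock value 15:30 on 27 Aug 2014 taken from the lab. The packet dictionaries are constructed sample flows.

```python
# Added example (not the post's own config): offline model of IOS extended-ACL matching.
import ipaddress
from datetime import datetime, time

def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)           # IOS wildcard: a 1 bit means 'do not care'

def _addr(tok):                           # consume 'any' | 'host A' | 'A W'
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def parse_ace(text):
    """Parse one ACE, e.g. 'deny tcp any host 12.0.0.2 eq www time-range work'."""
    tok = text.split()
    ace = {"action": tok.pop(0), "proto": tok.pop(0), "dport": None, "range": None}
    ace["src"], ace["dst"] = _addr(tok), _addr(tok)
    while tok:                            # optional trailing keyword/value pairs
        key, val = tok.pop(0), tok.pop(0)
        if key == "eq":
            ace["dport"] = 80 if val == "www" else int(val)
        elif key == "time-range":
            ace["range"] = val
    return ace

def work_active(clock):                   # time-range work: periodic weekdays 8:30-11:30, 13:30-17:30
    t = clock.time()
    return clock.weekday() < 5 and (time(8, 30) <= t <= time(11, 30)
                                    or time(13, 30) <= t <= time(17, 30))

def acl_permits(acl, pkt, clock=None):
    """First matching ACE decides; no match at all is the implicit deny."""
    for ace in acl:
        if ace["range"] == "work" and not (clock and work_active(clock)):
            continue                      # ACE is inactive outside its time-range
        if (ace["proto"] in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *ace["src"])
                and wildcard_match(pkt["dst"], *ace["dst"])
                and ace["dport"] in (None, pkt.get("dport"))):
            return ace["action"] == "permit"
    return False

LAB_CLOCK = datetime(2014, 8, 27, 15, 30)  # the 'clock set' value used in the lab (a Wednesday)
TEST = [parse_ace(s) for s in ("deny ip 192.168.10.0 0.0.0.255 host 192.168.30.30",
        "deny ip 192.168.20.0 0.0.0.255 host 192.168.30.30", "permit ip any any")]
NOWWW = [parse_ace("deny tcp any host 12.0.0.2 eq www time-range work"), parse_ace("permit ip any any")]
VLAN10 = [parse_ace("permit tcp host 192.168.10.10 host 12.0.0.3 eq www")]
```

Running the vlan10 ACL through the model also shows that DNS and ICMP from 192.168.10.10 are dropped, because only TCP/80 to 12.0.0.3 is permitted and everything else falls to the implicit deny.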
Lab complete.
This post is from the "NE之路" blog; please keep this attribution: http://332162926.blog.51cto.com/8831013/1546913
Original URL: http://332162926.blog.51cto.com/8831013/1546913