Lab name: Simple ACL control lab
Lab topology: the diagram is not reproduced; the addressing can be recovered from the configuration below. WG 192.168.10.1/24 sits behind R2 g0/0/1, YF 192.168.20.1/24 behind R2 g0/0/2, CW 192.168.30.1/24 behind R3 g0/0/1, Client1 1.1.1.1/24 behind R1 g0/0/0 and Server1 192.168.1.1/24 behind R3 g0/0/2. R1-R2 is 192.168.12.0/30 and R1-R3 is 192.168.13.0/30.
Lab requirements:
Simulate a simple company internal network.
WG is simulated with a router.
-Router R1 only allows remote login (telnet) from WG
-YF and CW cannot reach each other, but both can reach WG
-WG and YF can access Client1
-YF and CW can only access the www service on Server1
-Only WG can access all services on Server1
-All gateways are set to .254
Lab steps:
1. Configure the addresses shown in the diagram and bring the links up, so that every host can reach every other host before any filtering is added.
#R1
interface GigabitEthernet0/0/0
ip address 1.1.1.254 255.255.255.0
interface GigabitEthernet0/0/1
ip address 192.168.12.1 255.255.255.252
interface GigabitEthernet0/0/2
ip address 192.168.13.1 255.255.255.252
ip route-static 192.168.1.0 255.255.255.0 192.168.13.2
ip route-static 192.168.10.0 255.255.255.0 192.168.12.2
ip route-static 192.168.20.0 255.255.255.0 192.168.12.2
ip route-static 192.168.30.0 255.255.255.0 192.168.13.2
#R2
interface GigabitEthernet0/0/0
ip address 192.168.12.2 255.255.255.252
interface GigabitEthernet0/0/1
ip address 192.168.10.254 255.255.255.0
interface GigabitEthernet0/0/2
ip address 192.168.20.254 255.255.255.0
ip route-static 1.1.1.0 255.255.255.0 192.168.12.1
ip route-static 192.168.1.0 255.255.255.0 192.168.12.1
ip route-static 192.168.13.0 255.255.255.252 192.168.12.1
ip route-static 192.168.30.0 255.255.255.0 192.168.12.1
#R3
interface GigabitEthernet0/0/0
ip address 192.168.13.2 255.255.255.252
interface GigabitEthernet0/0/1
ip address 192.168.30.254 255.255.255.0
interface GigabitEthernet0/0/2
ip address 192.168.1.254 255.255.255.0
ip route-static 1.1.1.0 255.255.255.0 192.168.13.1
ip route-static 192.168.10.0 255.255.255.0 192.168.13.1
ip route-static 192.168.12.0 255.255.255.252 192.168.13.1
ip route-static 192.168.20.0 255.255.255.0 192.168.13.1
#wg
interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 192.168.10.254
Once full reachability has been confirmed:
2. Configure the access-control ACLs
#R1
- Enable the telnet server and authenticate logins against a local account
- Only WG (192.168.10.1) may reach telnet: basic ACL 2000 is bound inbound on the VTY lines. A VTY ACL lets through any source that matches no rule, so the final explicit deny is what actually blocks everyone else. The local account logs in at the lowest user level unless a privilege level is also assigned to it, which is enough to prove the ACL works but not to configure the router.
acl 2000
rule permit source 192.168.10.1 0
rule deny source any
telnet server enable
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
aaa
local-user tedu password cipher tedu
local-user tedu service-type telnet
#R2
Access control for host YF (192.168.20.1), applied inbound on g0/0/2, the interface YF's traffic enters on:
-YF and CW must not reach each other
-YF may reach WG and Client1
-YF may only use the www service on Server1
A traffic-filter, like the VTY ACL, permits packets that match no rule, so the ACL needs a closing deny. Without it YF could still reach CW and every service on Server1, because the only filter on YF's path is this inbound one.
acl 3000
rule 5 permit ip source 192.168.20.1 0 destination 192.168.10.1 0
rule 10 permit ip source 192.168.20.1 0 destination 1.1.1.1 0
rule 15 permit tcp source 192.168.20.1 0 destination 192.168.1.1 0 destination-port eq www
rule 20 deny ip source any
interface g0/0/2
traffic-filter inbound acl 3000
#R3
Access control for host CW (192.168.30.1), applied inbound on g0/0/1:
-CW must not reach YF or Client1
-CW may reach WG
-CW may only use the www service on Server1
acl 3000
rule permit ip source 192.168.30.1 0 destination 192.168.10.1 0
rule permit tcp source 192.168.30.1 0 destination 192.168.1.1 0 destination-port eq 80
rule deny ip source any
interface g0/0/1
traffic-filter inbound acl 3000
3. Verification
Expected results: telnet to any of R1's addresses (for example 192.168.12.1) succeeds from WG and is refused from YF and CW; YF and CW can ping WG but not each other; YF can ping Client1 while CW cannot; YF and CW can open port 80 on Server1 but nothing else; WG can reach every service on Server1. On R2 and R3, display acl 3000 shows the per-rule match counters climbing as the tests run. A stateless filter in one direction is sufficient here because the ACLs are bound only inbound on the access interfaces: replies from Server1, Client1 and WG enter R2 and R3 on their uplinks, where no filter is applied.
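As an added worked check, not part of the original post, the following Python script models the three ACLs with VRP's first-match, default-permit semantics and runs a requirement matrix through them. It compares the R2 ACL as originally posted (three permits and no closing deny) against the same ACL with a deny appended, and reports which requirements each version violates. Host addresses are the ones the rules use (WG 192.168.10.1, YF 192.168.20.1, CW 192.168.30.1, Client1 1.1.1.1, Server1 192.168.1.1); using 1.1.1.254 as the telnet target on R1 and the list of test flows are assumptions constructed from the requirements.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Host addresses as used by the ACL rules in the lab. R1 is one of R1's
# interface addresses, used here as the telnet target (assumption).
WG, YF, CW = "192.168.10.1", "192.168.20.1", "192.168.30.1"
CLIENT1, SERVER1, R1 = "1.1.1.1", "192.168.1.1", "1.1.1.254"


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp", "icmp"
    src: str                     # "addr wildcard" as typed on the CLI, or "any"
    dst: str = "any"
    dport: Optional[int] = None  # "destination-port eq N" on tcp rules


def _ip(s: str) -> int:
    # VRP accepts a bare "0" wildcard as shorthand for 0.0.0.0 (exact host).
    return int(ipaddress.IPv4Address("0.0.0.0" if s == "0" else s))


def _match_addr(spec: str, ip: str) -> bool:
    """Huawei wildcard mask: a set bit means 'don't care'."""
    if spec == "any":
        return True
    base, wild = spec.split()
    care = 0xFFFFFFFF ^ _ip(wild)
    return (_ip(ip) & care) == (_ip(base) & care)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching rule wins. A packet matching no rule is PERMITTED
    (VRP default for traffic-filter and VTY ACLs), reported as index None."""
    for i, r in enumerate(acl):
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (_match_addr(r.src, src) and _match_addr(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "permit", None


# R2 acl 3000 exactly as posted: three permits and no closing deny.
R2_ACL_AS_POSTED = [
    Rule("permit", "ip", f"{YF} 0", f"{WG} 0"),
    Rule("permit", "ip", f"{YF} 0", f"{CLIENT1} 0"),
    Rule("permit", "tcp", f"{YF} 0", f"{SERVER1} 0", 80),
]
R2_ACL_FIXED = R2_ACL_AS_POSTED + [Rule("deny", "ip", "any")]
R3_ACL = [
    Rule("permit", "ip", f"{CW} 0", f"{WG} 0"),
    Rule("permit", "tcp", f"{CW} 0", f"{SERVER1} 0", 80),
    Rule("deny", "ip", "any"),
]
R1_VTY_ACL = [Rule("permit", "ip", f"{WG} 0"), Rule("deny", "ip", "any")]

# Where each host's traffic enters the network and which filter it meets.
INGRESS = {YF: "R2", CW: "R3", WG: None}


def allowed(src, dst, proto, dport=None, r2_acl=R2_ACL_FIXED) -> bool:
    """Can a packet from src reach dst? Only the first hop filters (R2
    g0/0/2 for YF, R3 g0/0/1 for CW); R1's VTY ACL is consulted only for
    telnet aimed at R1 itself. Return traffic is never filtered."""
    acl = {"R2": r2_acl, "R3": R3_ACL, None: []}[INGRESS[src]]
    if evaluate(acl, proto, src, dst, dport)[0] == "deny":
        return False
    if dst == R1 and proto == "tcp" and dport == 23:
        return evaluate(R1_VTY_ACL, "ip", src, dst)[0] == "permit"
    return True


# Constructed test flows, derived from the requirements:
# (src, dst, proto, dport, expected to be reachable).
REQUIREMENTS = [
    (WG, R1, "tcp", 23, True), (YF, R1, "tcp", 23, False), (CW, R1, "tcp", 23, False),
    (YF, CW, "icmp", None, False), (CW, YF, "icmp", None, False),
    (YF, WG, "icmp", None, True), (CW, WG, "icmp", None, True),
    (WG, CLIENT1, "icmp", None, True), (YF, CLIENT1, "icmp", None, True),
    (CW, CLIENT1, "icmp", None, False),
    (YF, SERVER1, "tcp", 80, True), (YF, SERVER1, "tcp", 23, False),
    (CW, SERVER1, "tcp", 80, True), (CW, SERVER1, "tcp", 22, False),
    (WG, SERVER1, "tcp", 22, True),
]


def violations(r2_acl=R2_ACL_FIXED):
    """Flows whose outcome differs from the intended policy."""
    return [(s, d, p, port) for s, d, p, port, exp in REQUIREMENTS
            if allowed(s, d, p, port, r2_acl) != exp]


if __name__ == "__main__":
    print("R2 as posted :", violations(R2_ACL_AS_POSTED))
    print("R2 with deny :", violations())
```

The model deliberately filters only at the first hop, which mirrors where the traffic-filters are bound; that is why the posted R2 ACL leaks YF's ping to CW and YF's telnet to Server1 while YF's telnet to R1 is still stopped, by the VTY ACL rather than by R2.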
Original post: http://blog.51cto.com/14029008/2334325