实例一:标准访问控制列表的配置
拓扑图如下:
通过配置标准访问列表,禁止PC1主机访问PC3主机。
(1)进行sw的配置如下:
SW#configure terminal //进入全局模式
Enter configuration commands, one per line. End with CNTL/Z.
SW(config)#no ip routing //关闭路由功能
SW(config)#int f1/0 //进入接口模式
SW(config-if)#speed 100 //设置速率为100M
SW(config-if)#duplex full //设置全双工
SW(config-if)#exit //退出
SW(config)#
*Mar 1 00:12:46.291: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
SW(config)#
(2)进行R1的配置如下:
R1#conf t //进入全局模式
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int f0/0 //进入接口模式
R1(config-if)#ip add 192.168.10.1 255.255.255.0 //配置IP地址与子网掩码
R1(config-if)#no shut //开启接口
*Mar 1 00:12:48.579: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:12:49.579: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#int f0/1 //进入接口模式
R1(config-if)#ip add 192.168.20.1 255.255.255.0 //配置IP地址与子网掩码
R1(config-if)#no shut //开启接口
R1(config-if)#
*Mar 1 00:13:15.063: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:13:16.063: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#exit //退出
(3)分别给PC1、PC2、PC3配置IP地址
PC1>
PC1> ip 192.168.10.2 192.168.10.1 //配置IP和网关
Checking for duplicate address...
PC1 : 192.168.10.2 255.255.255.0 gateway 192.168.10.1
PC1>
PC2>
PC2> ip 192.168.10.3 192.168.10.1 //配置IP和网关
Checking for duplicate address...
PC1 : 192.168.10.3 255.255.255.0 gateway 192.168.10.1
PC2>
PC3>
PC3> ip 192.168.20.2 192.168.20.1 //配置IP和网关
Checking for duplicate address...
PC1 : 192.168.20.2 255.255.255.0 gateway 192.168.20.1
PC3>
(4)分别用PC1、PC2去pingPC3,都能互通。
PC1> ping 192.168.20.2
192.168.20.2 icmp_seq=1 timeout
84 bytes from 192.168.20.2 icmp_seq=2 ttl=63 time=12.961 ms
84 bytes from 192.168.20.2 icmp_seq=3 ttl=63 time=17.258 ms
84 bytes from 192.168.20.2 icmp_seq=4 ttl=63 time=12.084 ms
84 bytes from 192.168.20.2 icmp_seq=5 ttl=63 time=18.257 ms
PC1>
PC2> ping 192.168.20.2
84 bytes from 192.168.20.2 icmp_seq=1 ttl=63 time=19.947 ms
84 bytes from 192.168.20.2 icmp_seq=2 ttl=63 time=11.270 ms
84 bytes from 192.168.20.2 icmp_seq=3 ttl=63 time=14.618 ms
84 bytes from 192.168.20.2 icmp_seq=4 ttl=63 time=20.939 ms
84 bytes from 192.168.20.2 icmp_seq=5 ttl=63 time=12.970 ms
PC2>
(5)在R1上配置标准访问控制列表,拒绝PC1访问PC3
R1(config)#access-list 1 deny host 192.168.10.2 //配置标准访问控制列表拒绝PC1的IP地址
R1(config)#access-list 1 permit any //允许所有IP访问
R1(config)#do show access-list //查看访问控制列表信息
Standard IP access list 1
10 deny 192.168.10.2
20 permit any
R1(config)#int f0/0 //进入接口模式
R1(config-if)#ip access-group 1 in //将ACL应用到接口(入口)
R1(config-if)#exit //退出
R1(config)#
(6)再次分别用PC1、PC2去pingPC3,由于设置了访问控制列表,PC1已经不能与PC3互通。
PC1> ping 192.168.20.2
*192.168.10.1 icmp_seq=1 ttl=255 time=9.120 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=5.016 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=11.325 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=2.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=5.111 ms (ICMP type:3, code:13, Communication administratively prohibited)
PC1>
PC2> ping 192.168.20.2
192.168.20.2 icmp_seq=1 timeout
192.168.20.2 icmp_seq=2 timeout
84 bytes from 192.168.20.2 icmp_seq=3 ttl=63 time=16.961 ms
84 bytes from 192.168.20.2 icmp_seq=4 ttl=63 time=21.994 ms
84 bytes from 192.168.20.2 icmp_seq=5 ttl=63 time=17.097 ms
PC2>
实例二:拓展访问控制列表的配置
拓扑图如下:
通过拓展访问控制列表,允许win10-1访问Linux的web服务,禁止win10-1访问Linux的其它服务,允许win10-1访问192.168.2.0/24网段。
(1)进入Linux系统,安装FTP与HTTP服务。
[[email protected] ~]#yum install vsftpd httpd -y
(2)配置Linux系统的ens33网卡配置文件,设置静态IP地址。
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
[[email protected] ~]# service network restart
Restarting network (via systemctl): [ 确定 ]
[[email protected] ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.100 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::3a2f:c8ce:9161:cf9d prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:09:24:8e txqueuelen 1000 (Ethernet)
RX packets 10882 bytes 12892735 (12.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1708 bytes 131835 (128.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(3)在http的站点内添加一个网站文件,ftp服务站点添加一个文件,同时开启两个服务,关闭防火墙和增强性安全功能,扫描端口看服务是否开启成功。
[[email protected] ~]# vim /var/www/html/index.html
[[email protected] ~]# cat /var/www/html/index.html
<h1> this is test web </h1>
[[email protected] ~]#
[[email protected] ~]# echo "this is ftp" > /var/ftp/ftp_test.txt
[[email protected] ~]# ls /var/ftp/
ftp_test.txt pub
[[email protected] ~]# systemctl start httpd
[[email protected] ~]# systemctl start vsftpd
[[email protected] ~]# systemctl stop firewalld.service
[[email protected] ~]# setenforce 0
[[email protected] ~]#
[[email protected] ~]# netstat -ntap | egrep ‘(21|80)‘
tcp6 0 0 :::80 :::* LISTEN 51680/httpd
tcp6 0 0 :::21 :::* LISTEN 51844/vsftpd
[[email protected] ~]#
(4)分别将Linux系统绑定VMnet2网卡,win10-1主机绑定VMnet1网卡,win10-2主机绑定VMnet3网卡。
(5)分别给win10-1主机与win10-2主机配置IP地址、子网掩码、和网关。
(6)分别关闭win10-1主机与win10-2主机的防火墙。
(7)对R1进行基本配置。
R1#conf t //切换全局模式
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int f0/0 //进入接口模式
R1(config-if)#ip add 192.168.1.1 255.255.255.0 //配置IP地址与子网掩码
R1(config-if)#no shut //开启接口
R1(config-if)#
*Mar 1 00:17:49.615: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:17:50.615: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#int f0/1 //进入接口模式
R1(config-if)#ip add 192.168.100.1 255.255.255.0 //配置IP地址与子网掩码
R1(config-if)#no shut //开启接口
R1(config-if)#
*Mar 1 00:18:27.591: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:18:28.591: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#int f1/0 //进入接口模式
R1(config-if)#ip add 192.168.2.1 255.255.255.0 //配置IP地址与子网掩码
R1(config-if)#no shut //开启接口
R1(config-if)#
*Mar 1 00:19:31.295: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar 1 00:19:32.295: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R1(config-if)#exit
R1(config)#do show ip route //查看路由表
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet1/0
C 192.168.100.0/24 is directly connected, FastEthernet0/1
R1(config)#
(8)此时用win10-1主机分别去ping另外两台主机的IP都能互通。
(9)用win10-1主机去访问Linux系统的http服务于ftp服务都能成功。
(10)用win10-2主机去访问Linux系统的http服务于ftp服务也都能成功。
(11)在R1上配置拓展访问控制列表。
R1(config)#
R1(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.100.100 eq www //允许win10-1访问Linux系统的http服务
R1(config)#access-list 100 deny ip host 192.168.1.2 host 192.168.100.100 //拒绝win10-1访问Linux系统的所有服务
R1(config)#access-list 100 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255 //允许win10-1主机访问192.168.2.0网段所有服务
R1(config)#do show access-lists //查看ACL控制列表
Extended IP access list 100
10 permit tcp host 192.168.1.2 host 192.168.100.100 eq www
20 deny ip host 192.168.1.2 host 192.168.100.100
30 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255
R1(config)#int f0/0 //进入接口模式
R1(config-if)#ip access-group 100 in //将ACL应用到接口(入口)
R1(config-if)#exit //退出
R1(config)#
(12)我们先清除win10-1主机浏览器的缓存,再用win10-1主机访问Linux系统的http服务,可以访问。但再去访问ftp时,已经不能访问了。因为我们的ACL控制列表只允许访问http服务。
(13)我们再用win10-1主机分别去ping另外两台主机,只能与win10-2主机互通,因为ACL访问控制列表允许win10-1主机访问192.168.2.0网段的所有服务。
实例三:命名访问控制列表的配置
拓扑图如下:
通过命名访问控制列表,允许vlan10中的PC2主机可以访问PC1主机,拒绝vlan10中其它主机访问PC1主机,允许其它所有网段中主机访问PC1主机。
(1)进行sw的相关配置。
sw#conf t //切换全局模式
Enter configuration commands, one per line. End with CNTL/Z.
sw(config)#no ip routing //关闭路由功能
sw(config)#vlan 10,20 //创建vlan
sw(config-vlan)#exit //退出
sw(config)#int range f1/1 -2 //进入接口f1/1、f1/2
sw(config-if-range)#sw mo acc //接口模式设为access模式
sw(config-if-range)#sw acc vlan 10 //将接口添加到vlan10
sw(config-if-range)#exit //退出
sw(config)#int f1/3 //进入接口f1/3
sw(config-if)#sw mo acc //接口模式设为access模式
sw(config-if)#sw acc vlan 20 //将接口添加到vlan20
sw(config-if)#exit //退出
sw(config)#do show vlan-sw b //查看vlan表
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/4, Fa1/5, Fa1/6
Fa1/7, Fa1/8, Fa1/9, Fa1/10
Fa1/11, Fa1/12, Fa1/13, Fa1/14
Fa1/15
10 VLAN0010 active Fa1/1, Fa1/2
20 VLAN0020 active Fa1/3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw(config)#int f1/0 //进入接口f1/0
sw(config-if)#sw mo t //设置接口模式为trunk模式
*Mar 1 00:03:20.511: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunk
sw(config-if)#sw t en dot1 //设置数据封装类型为dot1q
sw(config-if)#exit //退出
(2)进行sw-3的基础配置。
sw-3#conf t //进入全局模式
Enter configuration commands, one per line. End with CNTL/Z.
sw-3(config)#int f1/1 //进入接口
sw-3(config-if)#no switchport //接口转为二层接口
*Mar 1 00:05:39.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
sw-3(config-if)#ip add 192.168.100.1 255.255.255.0 //配置IP地址和子网掩码
sw-3(config-if)#no shut //开启接口
sw-3(config-if)#exit //退出
sw-3(config)#vlan 10,20 //创建vlan
sw-3(config-vlan)#exit //退出
sw-3(config)#int vlan 10 //进入vlan10
sw-3(config-if)#ip add 192.168.10.1 255.255.255.0 //配置IP地址和子网掩码
sw-3(config-if)#no shut //开启vlan
sw-3(config-if)#exit //退出
sw-3(config)#int vlan 20 //进入vlan20
sw-3(config-if)#ip add 192.168.20.1 255.255.255.0 //配置IP地址和子网掩码
sw-3(config-if)#no shut //开启vlan
sw-3(config-if)#exit //退出
sw-3(config)#int f1/0 //进入接口
sw-3(config-if)#sw mo t //设置接口模式为trunk模式
*Mar 1 00:08:40.075: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunk
*Mar 1 00:08:40.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
*Mar 1 00:08:40.583: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
sw-3(config-if)#sw t en dot1 //设置数据封装类型为dot1q
sw-3(config-if)#exit //退出
sw-3(config)#do show ip route //查看路由表
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.10.0/24 is directly connected, Vlan10
C 192.168.20.0/24 is directly connected, Vlan20
C 192.168.100.0/24 is directly connected, FastEthernet1/1
sw-3(config)#
(3)分别给PC1、PC2、PC3、PC4主机配置IP地址。
PC1>
PC1> ip 192.168.100.100 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1
PC1>
PC2>
PC2> ip 192.168.10.10 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1
PC2>
PC3>
PC3> ip 192.168.10.20 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1
PC3>
PC4>
PC4> ip 192.168.20.20 192.168.20.1
Checking for duplicate address...
PC1 : 192.168.20.20 255.255.255.0 gateway 192.168.20.1
PC4>
(4)用PC2主机去ping其它所有主机,都能互通。
PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=11.281 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.939 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=13.957 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=14.960 ms
PC2> ping 192.168.10.20
84 bytes from 192.168.10.20 icmp_seq=1 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=2 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=3 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=4 ttl=64 time=0.642 ms
84 bytes from 192.168.10.20 icmp_seq=5 ttl=64 time=0.000 ms
PC2> ping 192.168.20.20
192.168.20.20 icmp_seq=1 timeout
84 bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=17.046 ms
84 bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=12.324 ms
84 bytes from 192.168.20.20 icmp_seq=4 ttl=63 time=17.953 ms
84 bytes from 192.168.20.20 icmp_seq=5 ttl=63 time=15.786 ms
PC2>
(5)在sw-3上配置命名访问控制列表。
sw-3(config)#
sw-3(config)#ip access-list standard test0 //添加命名访问控制列表test0
sw-3(config-std-nacl)#permit host 192.168.10.10 //允许PC2主机IP通过
sw-3(config-std-nacl)#deny 192.168.10.0 0.0.0.255 //拒绝192.168.10.0网段所有IP通过
sw-3(config-std-nacl)#permit any //允许所有
sw-3(config-std-nacl)#exit //退出
sw-3(config)#do show access-lists //查看ACL列表
Standard IP access list test0
10 permit 192.168.10.10
20 deny 192.168.10.0, wildcard bits 0.0.0.255
30 permit any
sw-3(config)#int f1/1 //进入接口
sw-3(config-if)#ip access-group test0 out //将ACL应用到接口(出口)
sw-3(config-if)#exit //退出
sw-3(config)#
(6)用PC2、PC3、PC4主机分别去ping主机PC1的IP地址。PC3主机不能与PC1互通,因为192.168.10.0网段只有PC2主机IP能通过sw-3.
PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=20.944 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=19.954 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=11.286 ms
PC2>
PC3> ping 192.168.100.100
*192.168.10.1 icmp_seq=1 ttl=255 time=9.073 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=9.978 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=11.641 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=1.995 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=1.713 ms (ICMP type:3, code:13, Communication administratively prohibited)
PC3>
PC4> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=20.944 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=17.947 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=19.947 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=20.075 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=19.639 ms
PC4>
(7)我们在test0命名访问控制列表中,添加允许PC3的IP地址访问PC的规则,再用PC3去ping主机PC1,结果可以互通。
sw-3(config)#
sw-3(config)#ip access-list standard test0 //进入ACL的子模式
sw-3(config-std-nacl)#12 permit host 192.168.10.20 //添加允许规则
sw-3(config-std-nacl)#exit //退出
sw-3(config)#do show access-lists //查看ACL列表
Standard IP access list test0
10 permit 192.168.10.10 (5 matches)
12 permit 192.168.10.20
20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches)
sw-3(config)#
PC3> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=17.954 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=15.538 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=15.956 ms
PC3>
(8)将上一步添加的允许规则删除,再用PC3去ping主机PC1,结果又不能互通。
sw-3(config)#
sw-3(config)#ip access-list standard test0 //进入ACL列表子模式
sw-3(config-std-nacl)#no 12 //删除编号为12的规则
sw-3(config-std-nacl)#exit //退出
sw-3(config)#do show access-lists //查看ACL列表
Standard IP access list test0
10 permit 192.168.10.10 (5 matches)
20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches)
sw-3(config)#
PC3> ping 192.168.100.100
*192.168.10.1 icmp_seq=1 ttl=255 time=9.578 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=3.993 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=1.692 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=2.686 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=14.020 ms (ICMP type:3, code:13, Communication administratively prohibited)
PC3>
原文地址:https://blog.51cto.com/14449541/2444011