命名訪問控制列表詳解
渾江ssl適用于網(wǎng)站、小程序/APP、API接口等需要進行數(shù)據(jù)傳輸應(yīng)用場景,ssl證書未來市場廣闊!成為創(chuàng)新互聯(lián)建站的ssl證書銷售渠道,可以享受市場價格4-6折優(yōu)惠!如果有意向歡迎電話聯(lián)系或者加微信:028-86922220(備注:SSL證書合作)期待與您的合作!
命名訪問控制列表
本章目標(biāo):通過實驗學(xué)會命名訪問控制列表,添加訪問控制,刪除訪問控制
實驗圖:
4臺主機,一個二層交換機,一個三層交換機
sw1:劃分VLAN,給VLAN配置接口,做trunk鏈路
sw2:劃分vlan,通過接口給vlan配置虛擬地址,做trunk鏈路,做命名訪問控制
,關(guān)閉交換端口變成三層端口。
pc1:192.168.10.10/24
pc2:192.168.10.20/24
pc3:192.168.20.20/24
pc4:192.168.100.100/24
一.給二層交換機配置VLAN,給vlan配置接口,做trunk鏈路
sw1#conf t
sw1(config)#vlan 10,20
sw1(config-vlan)#do show vlan-sw b //查看vlan詳細(xì)信息
sw1(config-vlan)#ex
sw1(config)#do show vlan-sw b
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/1, Fa1/2, Fa1/3
Fa1/4, Fa1/5, Fa1/6, Fa1/7
Fa1/8, Fa1/9, Fa1/10, Fa1/11
Fa1/12, Fa1/13, Fa1/14, Fa1/15
10 VLAN0010 active
20 VLAN0020 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw1(config)#int range fa1/1 -2
sw1(config-if-range)#sw mo acc //進入接口模式
sw1(config-if-range)#sw acc vlan 10 //配置vlan
sw1(config-if-range)#ex
sw1(config)#do show vlan-sw b
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/3, Fa1/4, Fa1/5
Fa1/6, Fa1/7, Fa1/8, Fa1/9
Fa1/10, Fa1/11, Fa1/12, Fa1/13
Fa1/14, Fa1/15
10 VLAN0010 active Fa1/1, Fa1/2
20 VLAN0020 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw1(config)#int f1/3
sw1(config-if)#sw mo acc
sw1(config-if)#sw acc vlan 20
sw1(config-if)#ex
sw1(config)#do show vlan-sw b
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/4, Fa1/5, Fa1/6
Fa1/7, Fa1/8, Fa1/9, Fa1/10
Fa1/11, Fa1/12, Fa1/13, Fa1/14
Fa1/15
10 VLAN0010 active Fa1/1, Fa1/2
20 VLAN0020 active Fa1/3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw1(config)#int f1/0
sw1(config-if)#sw mo t
sw1(config-if)#sw t en dot
sw1(config-if)#ex
sw1(config)#no ip routing //關(guān)閉路由功能二.進入三層交換機,劃分vlan,通過接口給vlan配置虛擬網(wǎng)址(需要關(guān)閉交換端口),配置trunk鏈路
sw2#conf t
sw2(config)#int f1/1
sw2(config-if)#no switchport //關(guān)閉交換端口
sw2(config-if)#ip add 192.168.100.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#do show ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset up up
FastEthernet1/1 192.168.100.1 YES manual up up
FastEthernet1/2 unassigned YES unset up down
FastEthernet1/3 unassigned YES unset up down
FastEthernet1/4 unassigned YES unset up down
FastEthernet1/5 unassigned YES unset up down
FastEthernet1/6 unassigned YES unset up down
FastEthernet1/7 unassigned YES unset up down
FastEthernet1/8 unassigned YES unset up down
FastEthernet1/9 unassigned YES unset up down
FastEthernet1/10 unassigned YES unset up down
FastEthernet1/11 unassigned YES unset up down
FastEthernet1/12 unassigned YES unset up down
FastEthernet1/13 unassigned YES unset up down
FastEthernet1/14 unassigned YES unset up down
FastEthernet1/15 unassigned YES unset up down
Vlan1 unassigned YES unset up up
sw2(config-if)#ex
sw2(config)#vlan 10,20
sw2(config-vlan)#ex
sw2(config)#int vlan 10
sw2(config-if)#ip add 192.168.10.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#ex
sw2(config)#int vlan 20
sw2(config-if)#ip add 192.168.20.1 255.255.255.0
sw2(config-if)#no shut
sw2(config-if)#ex
sw2(config)#do show ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
FastEthernet1/0 unassigned YES unset up up
FastEthernet1/1 192.168.100.1 YES manual up up
FastEthernet1/2 unassigned YES unset up down
FastEthernet1/3 unassigned YES unset up down
FastEthernet1/4 unassigned YES unset up down
FastEthernet1/5 unassigned YES unset up down
FastEthernet1/6 unassigned YES unset up down
FastEthernet1/7 unassigned YES unset up down
FastEthernet1/8 unassigned YES unset up down
FastEthernet1/9 unassigned YES unset up down
FastEthernet1/10 unassigned YES unset up down
FastEthernet1/11 unassigned YES unset up down
FastEthernet1/12 unassigned YES unset up down
FastEthernet1/13 unassigned YES unset up down
FastEthernet1/14 unassigned YES unset up down
FastEthernet1/15 unassigned YES unset up down
Vlan1 unassigned YES unset up up
Vlan10 192.168.10.1 YES manual up down
Vlan20 192.168.20.1 YES manual up down
sw2(config)#int f1/0
sw2(config-if)#sw mo t
sw2(config-if)#sw t en dot
sw2(config-if)#ex三.給每個主機配置IP地址和網(wǎng)關(guān)
PC4>
PC4> ip 192.168.100.100 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1
PC1> ip 192.168.10.10 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1
PC2>
PC2> ip 192.168.10.20 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1
PC3> ip 192.168.20.20 192.168.20.1
Checking for duplicate address...
PC1 : 192.168.20.20 255.255.255.0 gateway 192.168.20.1四.測試是不是全網(wǎng)互通
PC1> ping 192.168.100.100
168.100.100 icmp_seq=1 timeout
bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=14.997 ms
bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.984 ms
bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=16.953 ms
bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=20.978 ms
PC1> ping 192.168.10.20
bytes from 192.168.10.20 icmp_seq=1 ttl=64 time=0.000 ms
bytes from 192.168.10.20 icmp_seq=2 ttl=64 time=0.000 ms
bytes from 192.168.10.20 icmp_seq=3 ttl=64 time=0.979 ms
bytes from 192.168.10.20 icmp_seq=4 ttl=64 time=0.000 ms
PC1> ping 192.168.20.20
168.20.20 icmp_seq=1 timeout
bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=14.960 ms
bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=18.941 ms
bytes from 192.168.20.20 icmp_seq=4 ttl=63 time=15.956 ms
bytes from 192.168.20.20 icmp_seq=5 ttl=63 time=19.973 ms五.進入三層交換機配置命名訪問控制列表
sw2(config)#ip access-list standard kgc //進入標(biāo)準(zhǔn)訪問控制,命名叫kgc
sw2(config-std-nacl)#permit host 192.168.10.10 //允許10.10主機訪問
sw2(config-std-nacl)#deny 192.168.10.0 0.0.0.255 //拒絕10.0網(wǎng)段主機訪問
sw2(config-std-nacl)#permit any //允許所有主機訪問
sw2(config-std-nacl)#ex
sw2(config)#do show access-lists //查看訪問控制列表
Standard IP access list kgc
10 permit 192.168.10.10
20 deny 192.168.10.0, wildcard bits 0.0.0.255
30 permit any
sw2(config)#int f1/1
sw2(config-if)#ip access-group kgc out //應(yīng)用于接口,離限制最近的,如果我要設(shè)置為入,我需要設(shè)置三次,出就要一次就夠了
sw2(config-if)#ex六.測試我們實驗的需求是否生效
PC1> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=18.941 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=15.408 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=12.003 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=20.997 ms
PC3> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=20.942 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=14.992 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=13.963 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=14.925 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=21.940 ms
PC2> ping 192.168.100.100
*192.168.10.1 icmp_seq=1 ttl=255 time=8.972 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=10.971 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=5.987 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=10.969 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=2.998 ms (ICMP type:3, code:13, Communication administratively prohibited)七.我們再加一條需求,我們有允許10.20主機可以去訪問
sw2(config)#ip access-list standard kgc
sw2(config-std-nacl)#12 permit host 192.168.10.20 //我們只能寫10的上面或者10-20之間,我們要寫到20下面就沒有任何意義,
已經(jīng)拒絕10.0網(wǎng)段的了再寫10.20無意義。
sw2(config-std-nacl)#ex
sw2(config)#do show access-lists
Standard IP access list kgc
10 permit 192.168.10.10 (8 matches)
12 permit 192.168.10.20
20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches)八.來測試PC2,10.20能不能訪問pc4主機
PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=20.970 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=17.950 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=18.008 ms
九.刪除訪問控制列表的一條,如果要刪除整租ACL,no ip access-ist stand kgc
sw2(config)#ip access-list standard kgc
sw2(config-std-nacl)#no 12
sw2(config-std-nacl)#do show access-lists
Standard IP access list kgc
10 permit 192.168.10.10 (8 matches)
20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches)sw2(config)#no ip access-list standard kgc
sw2(config)#do show access-lists
sw2(config)#本章內(nèi)容結(jié)束,謝謝收看
分享標(biāo)題:命名訪問控制列表詳解
本文URL:http://vcdvsql.cn/article14/pegjge.html
成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián),為您提供網(wǎng)站排名、軟件開發(fā)、關(guān)鍵詞優(yōu)化、品牌網(wǎng)站建設(shè)、搜索引擎優(yōu)化、App開發(fā)
聲明:本網(wǎng)站發(fā)布的內(nèi)容(圖片、視頻和文字)以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主,如果涉及侵權(quán)請盡快告知,我們將會在第一時間刪除。文章觀點不代表本網(wǎng)站立場,如需處理請聯(lián)系客服。電話:028-86922220;郵箱:631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載,或轉(zhuǎn)載時需注明來源: 創(chuàng)新互聯(lián)
- 企業(yè)網(wǎng)站制作有哪些好處? 2014-11-20
- 高端企業(yè)網(wǎng)站制作都有哪些特征? 2022-06-12
- 企業(yè)網(wǎng)站制作中需考慮哪些問題? 2016-09-27
- 企業(yè)網(wǎng)站制作好后可以通過哪些渠道獲取客戶 2023-04-28
- 成都企業(yè)網(wǎng)站制作針對百度優(yōu)化的四個重要要素指出 2016-11-08
- 企業(yè)網(wǎng)站制作之后該如何維護 2021-12-24
- 外貿(mào)企業(yè)網(wǎng)站制作要注意的事情 2021-12-02
- 信息展示型的企業(yè)網(wǎng)站制作都需要遵循哪些原則? 2013-05-05
- 企業(yè)網(wǎng)站制作的主要費用有哪些? 2021-02-28
- 中小企業(yè)網(wǎng)站制作如何做到精彩 2015-04-01
- 企業(yè)網(wǎng)站制作好后網(wǎng)站更新的必要性分析 2014-12-17
- 如何完成一個貿(mào)易型企業(yè)網(wǎng)站制作 2021-10-09