ACL Access Control List (Part 1)
Lab requirements
Use an ACL so that VLAN 10 can reach VLAN 20 but VLAN 10 cannot reach VLAN 30.
ACL steps:
1. Create an access control rule (the ACL and its rules)
2. Apply that rule to an interface in a direction
Topology diagram (the image is not included here; from the configuration below: three PCs on LSW1 ports g0/0/1, g0/0/2 and g0/0/3 in VLANs 10, 20 and 30, LSW1 g0/0/4 trunked to LSW2 g0/0/1, and LSW2 routing between the VLANs with one Vlanif gateway per VLAN)
Lab steps
1. Build the lab according to the topology and configure the PCs' IP addresses (the PCs pinged below are 192.168.20.1 and 192.168.30.1; each PC uses the LSW2 Vlanif address of its VLAN, 192.168.x.254, as its gateway)
2. Create VLANs 10, 20 and 30 on LSW1
[LSW1]vlan 10
[LSW1-vlan10]vlan 20
[LSW1-vlan20]vlan 30
[LSW1-vlan30]q
3. Assign the LSW1 interfaces to the VLANs: g0/0/1, g0/0/2 and g0/0/3 are access ports in VLANs 10, 20 and 30, and g0/0/4 is the trunk towards LSW2 that carries all three
[LSW1]int g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type access
[LSW1-GigabitEthernet0/0/1]port default vlan 10
[LSW1-GigabitEthernet0/0/1]dis this
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
return
[LSW1-GigabitEthernet0/0/1]int g0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type access
[LSW1-GigabitEthernet0/0/2]port default vlan 20
[LSW1-GigabitEthernet0/0/2]dis th
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
return
[LSW1-GigabitEthernet0/0/2]int g0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type access
[LSW1-GigabitEthernet0/0/3]port default vlan 30
[LSW1-GigabitEthernet0/0/3]dis th
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
#
return
[LSW1-GigabitEthernet0/0/3]int g0/0/4
[LSW1-GigabitEthernet0/0/4]port link-type trunk
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan all
[LSW1-GigabitEthernet0/0/4]dis th
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
return
4. Check with dis vlan that the configuration took effect: each access port should appear untagged (UT) in its own VLAN and the trunk GE0/0/4 tagged (TG) in VLANs 10, 20 and 30
[LSW1]dis vlan
The total number of vlans is : 4
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
1 common UT:GE0/0/4(U) GE0/0/5(D) GE0/0/6(D) GE0/0/7(D)
GE0/0/8(D) GE0/0/9(D) GE0/0/10(D) GE0/0/11(D)
GE0/0/12(D) GE0/0/13(D) GE0/0/14(D) GE0/0/15(D)
GE0/0/16(D) GE0/0/17(D) GE0/0/18(D) GE0/0/19(D)
GE0/0/20(D) GE0/0/21(D) GE0/0/22(D) GE0/0/23(D)
GE0/0/24(D)
10 common UT:GE0/0/1(U)
TG:GE0/0/4(U)
20 common UT:GE0/0/2(U)
TG:GE0/0/4(U)
30 common UT:GE0/0/3(U)
TG:GE0/0/4(U)
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
1 enable default enable disable VLAN 0001
10 enable default enable disable VLAN 0010
20 enable default enable disable VLAN 0020
30 enable default enable disable VLAN 0030
5. Configure the Layer 3 switch LSW2: the same three VLANs, g0/0/1 as a trunk towards LSW1, and one Vlanif interface per VLAN whose address is the default gateway for that VLAN. Note that in the dis vlan capture below GE0/0/1 is listed only under VLAN 1; once the trunk configuration is in effect it should also appear as TG under VLANs 10, 20 and 30, so re-check dis vlan before moving on to the pings.
[LSW2]vlan 10
[LSW2-vlan10]vlan 20
[LSW2-vlan20]vlan 30
[LSW2-vlan30]q
[LSW2]
[LSW2]int g0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type trunk
[LSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[LSW2]int vlan 10
[LSW2-Vlanif10]ip add 192.168.10.254 24
[LSW2-Vlanif10]int vlan 20
[LSW2-Vlanif20]ip add 192.168.20.254 24
[LSW2-Vlanif20]int vlan 30
[LSW2-Vlanif30]ip address 192.168.30.254 24
[LSW2-Vlanif30]q
[LSW2]dis vlan
The total number of vlans is : 4
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
1 common UT:GE0/0/1(U) GE0/0/2(D) GE0/0/3(D) GE0/0/4(D)
GE0/0/5(D) GE0/0/6(D) GE0/0/7(D) GE0/0/8(D)
GE0/0/9(D) GE0/0/10(D) GE0/0/11(D) GE0/0/12(D)
GE0/0/13(D) GE0/0/14(D) GE0/0/15(D) GE0/0/16(D)
GE0/0/17(D) GE0/0/18(D) GE0/0/19(D) GE0/0/20(D)
GE0/0/21(D) GE0/0/22(D) GE0/0/23(D) GE0/0/24(D)
10 common
20 common
30 common
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
1 enable default enable disable VLAN 0001
10 enable default enable disable VLAN 0010
20 enable default enable disable VLAN 0020
30 enable default enable disable VLAN 0030
6. Ping between the PCs. With the Vlanif interfaces up, LSW2 routes between the VLANs and all three PCs can reach each other (ttl=127 in the replies shows the single routed hop); no ACL is in place yet.
PC>ping 192.168.30.1
Ping 192.168.30.1: 32 data bytes, Press Ctrl_C to break
From 192.168.30.1: bytes=32 seq=1 ttl=127 time=234 ms
From 192.168.30.1: bytes=32 seq=2 ttl=127 time=156 ms
From 192.168.30.1: bytes=32 seq=3 ttl=127 time=172 ms
From 192.168.30.1: bytes=32 seq=4 ttl=127 time=141 ms
From 192.168.30.1: bytes=32 seq=5 ttl=127 time=171 ms
--- 192.168.30.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 141/174/234 ms
PC>ping 192.168.20.1
Ping 192.168.20.1: 32 data bytes, Press Ctrl_C to break
From 192.168.20.1: bytes=32 seq=1 ttl=127 time=265 ms
From 192.168.20.1: bytes=32 seq=2 ttl=127 time=156 ms
From 192.168.20.1: bytes=32 seq=3 ttl=127 time=172 ms
From 192.168.20.1: bytes=32 seq=4 ttl=127 time=171 ms
From 192.168.20.1: bytes=32 seq=5 ttl=127 time=156 ms
--- 192.168.20.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 156/184/265 ms
Creating the ACL
ACL types
advance  Advanced ACL (number range 3000-3999; compared with a basic ACL it matches traffic more precisely, on destination address, protocol and ports as well as source address, so it can block a specific host or an entire subnet as source or destination. It is the type used in this lab.)
basic  Basic ACL (2000-2999; rules match on source IP address only, which costs the device little CPU and suits simple deployments, but the matching is too coarse to provide much security on its own.)
link  Link ACL (4000-4999; a Layer 2 ACL that filters on Layer 2 fields such as source MAC, destination MAC, 802.1p priority and Layer 2 protocol type.)
user  User ACL (builds on the advanced ACL by adding a user-group match, so traffic can be controlled per user group.)
1. On the Layer 3 switch LSW2, create an advanced ACL and add a rule that stops VLAN 10 reaching VLAN 30. Rules are matched in order and the first match wins; VRP numbers them automatically in steps of 5 (rule 5, rule 10, ...) unless a number is given.
[LSW2]acl name test advance //create a named ACL of type advanced called test (VRP also assigns it a number from the advanced range, 3999 here)
[LSW2-acl-adv-test]rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 //deny IP from 192.168.10.0/24 to 192.168.30.0/24. VRP writes a network as base address plus wildcard mask, the inverse of the subnet mask: a 0 bit must match, a 1 bit is ignored, so /24 becomes 0.0.0.255
[LSW2-acl-adv-test]rule permit ip source any destination any //permit everything else, which keeps VLAN 10 to VLAN 20 working. On VRP, traffic-filter already permits packets that match no rule, so this line states the intent explicitly rather than changing behaviour; do not count on an implicit deny as on some other vendors' ACLs
[LSW2-acl-adv-test]dis th
#
acl name test 3999
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 10 permit ip
2. Apply the ACL named test inbound on g0/0/1, the trunk from LSW1. Every packet from the three PCs enters LSW2 on this interface, so filtering it inbound catches VLAN 10 to VLAN 30 traffic before LSW2 routes it
[LSW2]int g0/0/1
[LSW2-GigabitEthernet0/0/1]traffic-filter inbound acl name test //apply the filter; traffic-filter takes a direction and either an ACL number or, as here, an ACL name
3. Ping from 192.168.10.0/24 to 192.168.30.0/24: the echo requests are dropped by rule 5 and the PC sees only timeouts, while pings to 192.168.20.0/24 still succeed. Note that the filter is stateless: a ping from VLAN 30 to VLAN 10 also fails, because the echo reply from 192.168.10.0/24 back to 192.168.30.0/24 enters g0/0/1 and is dropped by the same rule. If VLAN 30 must still reach VLAN 10, the rule has to be narrower (for example matching ICMP echo requests only, or TCP by port and flags) rather than a blanket deny ip.
PC>ping 192.168.30.1
Ping 192.168.30.1: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!
--- 192.168.30.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
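The points above about wildcard masks, first-match rule order, the default action of traffic-filter, and why the single deny rule also breaks pings from VLAN 30 back to VLAN 10 can be checked offline with the following Python model. It is an added example written for this page, not part of the lab transcript or of Huawei's software: it rebuilds the lab's two rules from CIDR prefixes, renders them the way dis this shows them, and evaluates constructed sample packets (the PC addresses 192.168.10.1, 192.168.20.1 and 192.168.30.1 are assumptions; only 20.1 and 30.1 appear in the lab) through the same stateless inbound filter.

```python
from ipaddress import IPv4Address, IPv4Network

# A rule is (number, action, src_base, src_wildcard, dst_base, dst_wildcard),
# mirroring "rule N deny|permit ip source A W destination B W" on VRP.


def wildcard_from_prefix(prefix_len: int) -> str:
    """Inverted mask for a prefix length: /24 -> 0.0.0.255, /32 -> 0.0.0.0, /0 -> 255.255.255.255.

    In a VRP wildcard a 0 bit must match and a 1 bit is ignored, the opposite of a subnet mask.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(IPv4Address(0xFFFFFFFF >> prefix_len))


def rule_from_cidr(num: int, action: str, src_cidr: str, dst_cidr: str) -> tuple:
    """Build a rule from CIDR prefixes, since VRP wants base address plus wildcard."""
    src = IPv4Network(src_cidr, strict=False)
    dst = IPv4Network(dst_cidr, strict=False)
    return (num, action,
            str(src.network_address), wildcard_from_prefix(src.prefixlen),
            str(dst.network_address), wildcard_from_prefix(dst.prefixlen))


def to_vrp(rule: tuple) -> str:
    """Render a rule the way 'display this' shows it (an any/any clause is omitted)."""
    num, action, src_base, src_wc, dst_base, dst_wc = rule
    text = f"rule {num} {action} ip"
    if src_wc != "255.255.255.255":
        text += f" source {src_base} {src_wc}"
    if dst_wc != "255.255.255.255":
        text += f" destination {dst_base} {dst_wc}"
    return text


def matches(addr: str, base: str, wildcard: str) -> bool:
    """True when every bit that is 0 in the wildcard is equal in addr and base."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl: list, src: str, dst: str) -> tuple:
    """First matching rule wins. Returns (action, rule_number); rule_number is None when
    nothing matched, in which case traffic-filter on VRP permits the packet."""
    for num, action, src_base, src_wc, dst_base, dst_wc in acl:
        if matches(src, src_base, src_wc) and matches(dst, dst_base, dst_wc):
            return action, num
    return "permit", None


def ping_succeeds(acl: list, src: str, dst: str) -> bool:
    """Model a ping through the stateless inbound filter on LSW2's trunk: both the echo
    request (src->dst) and the echo reply (dst->src) enter that interface, so both must pass."""
    request, _ = evaluate(acl, src, dst)
    reply, _ = evaluate(acl, dst, src)
    return request == "permit" and reply == "permit"


# The ACL from the lab, built from prefixes instead of hand-written wildcards.
ACL_TEST = [
    rule_from_cidr(5, "deny", "192.168.10.0/24", "192.168.30.0/24"),
    rule_from_cidr(10, "permit", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for rule in ACL_TEST:
        print(to_vrp(rule))
    # Constructed sample hosts: one PC per VLAN (the .1 addresses are assumptions).
    pc10, pc20, pc30 = "192.168.10.1", "192.168.20.1", "192.168.30.1"
    for src, dst in [(pc10, pc20), (pc10, pc30), (pc30, pc10), (pc20, pc30)]:
        action, num = evaluate(ACL_TEST, src, dst)
        print(f"{src} -> {dst}: {action} (rule {num}), "
              f"ping works: {ping_succeeds(ACL_TEST, src, dst)}")
```

Running it prints the two rules exactly as they appear under dis this and shows that 192.168.10.1 to 192.168.20.1 works, 192.168.10.1 to 192.168.30.1 is denied by rule 5, and 192.168.30.1 to 192.168.10.1 fails even though its request is permitted, because the reply is denied. Replacing the blanket deny ip with a narrower rule is the way to allow one direction while blocking the other.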