A worked example of named ACLs

I. Topology

1. Topology diagram


2. Requirements

① Divide the network into VLANs to isolate broadcast domains, and enable communication between the different VLANs
② Implement DHCP relay so hosts obtain IP addresses automatically and can reach the internal network
③ Use an ACL so that the 123.0.0.0 segment is blocked from reaching the external network while the other segments work normally
④ Use an ACL so that the 123 and 124 segments are blocked from reaching the 125 segment

II. Configuring the access-layer switches

1. Configure the trunk ports

		SW1: configure terminal
			 interface f0/3
			 switchport mode trunk
			 no shutdown
			 exit
		SW2: configure terminal
			 interface f0/3
			 switchport mode trunk
			 no shutdown
			 exit
		SW3: configure terminal
			 interface f0/3
			 switchport mode trunk
			 no shutdown
			 exit

2. Assign the access ports to VLANs (the VLANs themselves are created on the core switch)

	SW1:interface f0/1 
	    switchport access vlan 10
	    exit
	    interface f0/2 
	    switchport access vlan 20
	    exit
	SW2:interface f0/1 
	    switchport access vlan 30
	    exit
	    interface f0/2 
	    switchport access vlan 10
	    exit
	SW3:interface f0/1 
	    switchport access vlan 40
	    exit

III. Configuring the core switch

1. Configure the trunk ports

	SW0:configure terminal
	    interface range f0/1-3
	    switchport trunk encapsulation dot1q
	    switchport mode trunk 
	    exit

2. Create the VLANs with VTP

		configure terminal
		vtp domain MONKEY
		vlan 10
		exit
		vlan 20
		exit
		vlan 30
		exit
		vlan 40
		exit

3. Enable IP routing, convert f0/4 into a routed port, and give it an IP address

		configure terminal
		ip routing
		interface f0/4
		no switchport 
		ip address 192.0.0.1  255.255.255.0
		no shutdown 
		exit

4. Create the VLAN interfaces (SVIs)

		interface vlan 10
		ip address 123.0.0.254  255.255.255.0
		no shutdown
		exit
		interface vlan 20
		ip address 124.0.0.254  255.255.255.0
		no shutdown
		exit
		interface vlan 30
		ip address 125.0.0.254  255.255.255.0
		no shutdown
		exit
		interface vlan 40
		ip address 126.0.0.254  255.255.255.0
		no shutdown
		exit

5. DHCP relay

		interface vlan 10
		ip helper-address 126.0.0.1
		exit
		interface vlan 20
		ip helper-address 126.0.0.1
		exit
		interface vlan 30
		ip helper-address 126.0.0.1
		exit

6. Routing

		configure terminal
		ip route 0.0.0.0  0.0.0.0  192.0.0.2
		exit

IV. Configuring the routers

1. Internal router

		interface g0/0/0
		ip address 192.0.0.2  255.255.255.0
		no shutdown
		exit
		interface g0/0/1
		ip address 202.0.0.1  255.255.255.0
		no shutdown
		exit
		ip route 203.0.0.0  255.255.255.0 202.0.0.2
		ip route 123.0.0.0  255.255.255.0 192.0.0.1
		ip route 124.0.0.0  255.255.255.0 192.0.0.1
		ip route 125.0.0.0  255.255.255.0 192.0.0.1
		ip route 126.0.0.0  255.255.255.0 192.0.0.1

2. External router

		interface g0/0/1
		ip address 203.0.0.254  255.255.255.0
		no shutdown
		exit
		interface g0/0/0
		ip address 202.0.0.2  255.255.255.0
		no shutdown
		exit
		! default route back toward the internal router (mask must be 0.0.0.0, not 255.255.255.0)
		ip route 0.0.0.0  0.0.0.0  202.0.0.1

V. The named ACL commands

1. The 123.0.0.0 segment may only reach the internal network: on the core switch, block traffic sourced from 123.0.0.0 as it leaves f0/4

		ip access-list extended MONKEY
		1 deny ip 123.0.0.0  0.0.0.255 any
		2 permit ip any any
		exit
		interface f0/4
		ip access-group MONKEY out
		exit

2. No other internal segment may reach the 125.0.0.0 segment; this is configured on the core switch

		ip access-list extended LUCY
		1 permit ip  host 126.0.0.1  125.0.0.0  0.0.0.255
		2 permit ip 192.0.0.0  0.0.0.255  125.0.0.0  0.0.0.255
		3 permit ip 202.0.0.0  0.0.0.255  125.0.0.0  0.0.0.255
		4 permit ip 203.0.0.0  0.0.0.255  125.0.0.0  0.0.0.255
		5 deny ip any  125.0.0.0  0.0.0.255
		6 permit ip any any
		exit
		interface vlan 30
		ip access-group LUCY out
		exit
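As an added check that is not part of the original post: a small Python simulator that parses the two ACLs above exactly as written and applies IOS first-match semantics (wildcard masks, `host`, `any`, and the implicit deny at the end), so you can confirm which action a given source/destination pair gets before binding the ACL to an interface. The ACL text is copied from this post; the function names and the sample addresses are my own constructions.

```python
import ipaddress

# The two named ACLs copied verbatim from the post (sequence numbers included).
MONKEY = """
1 deny ip 123.0.0.0  0.0.0.255 any
2 permit ip any any
"""
LUCY = """
1 permit ip  host 126.0.0.1  125.0.0.0  0.0.0.255
2 permit ip 192.0.0.0  0.0.0.255  125.0.0.0  0.0.0.255
3 permit ip 202.0.0.0  0.0.0.255  125.0.0.0  0.0.0.255
4 permit ip 203.0.0.0  0.0.0.255  125.0.0.0  0.0.0.255
5 deny ip any  125.0.0.0  0.0.0.255
6 permit ip any any
"""

def _address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Turn '[seq] permit|deny ip SRC DST' lines into (action, src, dst) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0].isdigit():          # optional sequence number
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        src, tokens = _address(tokens[2:])
        dst, tokens = _address(tokens)
        entries.append((action, src, dst))
    return entries

def wildcard_match(addr, spec):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    base, wildcard = spec
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def evaluate(entries, src, dst):
    """First matching entry wins; with no match the implicit deny applies."""
    for action, s, d in entries:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"
```

Note that entry 1 of MONKEY denies 123.0.0.0/24 to any destination, so it is only the placement (outbound on f0/4, the link toward the router) that limits the block to traffic leaving the LAN; the simulator evaluates the ACL alone, not the interface or direction it is applied to.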

Copyright notice: this article is an original work by weixin_44839457, published under the CC 4.0 BY-SA license; when reposting, include a link to the original source and this notice.