命名访问控制列表配置实验

实验配置图及要求

1、四台主机配置地址

PC1：PC1> ip 192.168.100.100 192.168.100.1Checking for duplicate address...PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1PC2：PC2> ip 192.168.10.10 192.168.10.1Checking for duplicate address...PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1PC3：PC3> ip 192.168.10.20 192.168.10.1Checking for duplicate address...PC1 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1PC4：PC4> ip 192.168.20.20 192.168.20.1Checking for duplicate address...PC1 : 192.168.20.20 255.255.255.0 gateway 192.168.20.1

2、在交换机上配置两个vlan域，f1/1和f1/2放在vlan 10中，f1/3放在vlan 20中，f1/0配置trunk链路，最后要关闭路由功能。

sw#conf tsw(config)#vlan 10,20sw(config-vlan)#exsw(config)#do show vlan-sw bVLAN Name                             Status    Ports---- -------------------------------- --------- -------------------------------1    default                          active    Fa1/0, Fa1/1, Fa1/2, Fa1/3                                                Fa1/4, Fa1/5, Fa1/6, Fa1/7                                                Fa1/8, Fa1/9, Fa1/10, Fa1/11                                                Fa1/12, Fa1/13, Fa1/14, Fa1/1510   VLAN0010                         active    20   VLAN0020                         active    1002 fddi-default                     act/unsup 1003 token-ring-default               act/unsup 1004 fddinet-default                  act/unsup 1005 trnet-default                    act/unsup sw(config)#int f1/3sw(config-if)#sw mo accsw(config-if)#sw acc vlan 20sw(config-if)#exsw(config)#do show vlan-sw bVLAN Name                             Status    Ports---- -------------------------------- --------- -------------------------------1    default                          active    Fa1/0, Fa1/4, Fa1/5, Fa1/6                                                Fa1/7, Fa1/8, Fa1/9, Fa1/10                                                Fa1/11, Fa1/12, Fa1/13, Fa1/14                                                Fa1/1510   VLAN0010                         active    Fa1/1, Fa1/220   VLAN0020                         active    Fa1/31002 fddi-default                     act/unsup 1003 token-ring-default               act/unsup 1004 fddinet-default                  act/unsup 1005 trnet-default                    act/unsup sw(config)#int f1/0sw(config-if)#sw mo tsw(config-if)#sw t en dotsw(config-if)#exsw(config)#no ip routing        //关闭路由功能

3、在三层交换机f1/1端口关闭交换端口，配置网关地址，f1/0端口配置trunk链路；在vlan 10、20中放入网关地址。

sw-3#conf tsw-3(config)#int f1/1sw-3(config-if)#no switchport                     sw-3(config-if)#ip add 192.168.100.1 255.255.255.0sw-3(config-if)#no shutsw-3(config-if)#do show ip int bInterface                  IP-Address      OK? Method Status                ProtocolFastEthernet0/0            unassigned      YES unset  administratively down down    FastEthernet0/1            unassigned      YES unset  administratively down down    FastEthernet1/0            unassigned      YES unset  up                    up      FastEthernet1/1            192.168.100.1   YES manual up                    up      FastEthernet1/2            unassigned      YES unset  up                    down    FastEthernet1/3            unassigned      YES unset  up                    down    FastEthernet1/4            unassigned      YES unset  up                    down    FastEthernet1/5            unassigned      YES unset  up                    down    FastEthernet1/6            unassigned      YES unset  up                    down    FastEthernet1/7            unassigned      YES unset  up                    down    FastEthernet1/8            unassigned      YES unset  up                    down    FastEthernet1/9            unassigned      YES unset  up                    down    FastEthernet1/10           unassigned      YES unset  up                    down    FastEthernet1/11           unassigned      YES unset  up                    down    FastEthernet1/12           unassigned      YES unset  up                    down    FastEthernet1/13           unassigned      YES unset  up                    down    FastEthernet1/14           unassigned      YES unset  up                    down    FastEthernet1/15           unassigned      YES unset  up                    down    Vlan1                      unassigned      YES unset  up                    up      sw-3(config-if)#ex       sw-3(config)#vlan 10,20sw-3(config-vlan)#int vlan 10sw-3(config-if)#ip add 192.168.10.1 255.255.255.0sw-3(config-if)#no shutsw-3(config-if)#exsw-3(config)#int vlan 20sw-3(config-if)#ip add 192.168.20.1 255.255.255.0sw-3(config-if)#no shutsw-3(config-if)#exsw-3(config)#int f1/0sw-3(config-if)#sw mo tsw-3(config-if)#sw t en dotsw-3(config-if)#do show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2       E1 - OSPF external type 1, E2 - OSPF external type 2       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2       ia - IS-IS inter area, * - candidate default, U - per-user static route       o - ODR, P - periodic downloaded static routeGateway of last resort is not setC    192.168.10.0/24 is directly connected, Vlan10C    192.168.20.0/24 is directly connected, Vlan20C    192.168.100.0/24 is directly connected, FastEthernet1/1

4、此时四台主机能互相ping通，即全网互通

PC2> ping 192.168.100.100192.168.100.100 icmp_seq=1 timeout84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=35.971 ms84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=41.517 ms84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=31.738 ms84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=35.188 msPC2>ping 192.168.10.20                                  84 bytes from 192.168.10.20 icmp_seq=1 ttl=64 time=0.505 ms84 bytes from 192.168.10.20 icmp_seq=2 ttl=64 time=0.000 ms84 bytes from 192.168.10.20 icmp_seq=3 ttl=64 time=0.000 ms84 bytes from 192.168.10.20 icmp_seq=4 ttl=64 time=0.000 ms84 bytes from 192.168.10.20 icmp_seq=5 ttl=64 time=0.000 msPC2> ping 192.168.20.20192.168.20.20 icmp_seq=1 timeout84 bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=31.229 ms84 bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=37.597 ms84 bytes from 192.168.20.20 icmp_seq=4 ttl=63 time=31.007 ms84 bytes from 192.168.20.20 icmp_seq=5 ttl=63 time=40.123 ms

5、在三层交换机上创建命名控制列表并定义其中的规则

sw-3(config)#ip access-list standard kgcsw-3(config-std-nacl)#permit host 192.168.10.10sw-3(config-std-nacl)#deny 192.168.10.0 0.0.0.255sw-3(config-std-nacl)#permit anysw-3(config-std-nacl)#exsw-3(config)#do show access-listStandard IP access list kgc    10 permit 192.168.10.10    20 deny   192.168.10.0, wildcard bits 0.0.0.255    30 permit anysw-3(config)#int f1/1sw-3(config-if)#ip access-group kgc out     //策略应用在网关

6、结果测试
vlan 10中的PC3被禁止访问PC1

PC3> ping 192.168.100.100*192.168.10.1 icmp_seq=1 ttl=255 time=30.919 ms (ICMP type:3, code:13, Communication administratively prohibited)*192.168.10.1 icmp_seq=2 ttl=255 time=16.133 ms (ICMP type:3, code:13, Communication administratively prohibited)*192.168.10.1 icmp_seq=3 ttl=255 time=31.012 ms (ICMP type:3, code:13, Communication administratively prohibited)*192.168.10.1 icmp_seq=4 ttl=255 time=22.354 ms (ICMP type:3, code:13, Communication administratively prohibited)*192.168.10.1 icmp_seq=5 ttl=255 time=15.630 ms (ICMP type:3, code:13, Communication administratively prohibited)

vlan 10中的PC2被允许访问PC1

PC2> ping 192.168.100.100                               192.168.100.100 icmp_seq=1 timeout192.168.100.100 icmp_seq=2 timeout84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=35.353 ms84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=31.321 ms84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=31.239 ms

其它网段的主机（20网段）被允许访问PC1

PC4> ping 192.168.100.10084 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=32.766 ms84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=31.240 ms84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=31.244 ms84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=31.329 ms84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=31.067 ms

实验成功，谢谢大家的鼓励和支持！