2. Making all devices in the network reachable: scripts and verification process
Modular configuration: configure in modules.
In real work, write the script first. Before a network cutover or change, prepare both the configuration script and the rollback script; during the cutover you only paste the configuration script onto the device. Cutover windows are short, and there is no time to think about which commands to use or how to write them. The same applies in competitions. Writing the script in advance also makes errors easier to spot.
R1 script (base configuration, before any ACL is added)
Note: "no logging on" switches off all logging on the router. It keeps the lab console quiet, but it should not be used on production equipment, where you want syslog and console messages kept.
enable
configure terminal
no ip domain-lookup
! lab only: disables all logging on the router
no logging on
hostname R1
interface vlan 111
description YanJiuYuan
ip address 172.16.111.1 255.255.255.0
no shutdown
exit
interface gigabitethernet 0/0
no shutdown
ip address 172.16.105.1 255.255.255.0
description SheJiZhongXin
exit
interface gigabitethernet 0/1
no shutdown
description GongChengZhongXin
ip address 172.16.107.1 255.255.255.0
exit
interface gigabitethernet 0/2
no shutdown
description CeShiZhongXin
ip address 172.16.109.1 255.255.255.0
exit
interface fastethernet 0/3/0
description YanJiuYuan
switchport mode access
switchport access vlan 111
exit
! leave configuration mode before saving; write is the same as copy running-config startup-config
end
write
3. Script and verification process after adding the extended ACLs
Purpose of the ACLs:
- The network segment PC1 is on must not be able to ping the Server0 segment
- The network segment PC2 is on must not be able to ping the Server0 segment
R1 script after the ACLs are configured:
enable
configure terminal
no ip domain-lookup
! lab only: disables all logging on the router
no logging on
hostname R1
interface vlan 111
description YanJiuYuan
ip address 172.16.111.1 255.255.255.0
no shutdown
exit
interface gigabitethernet 0/0
no shutdown
ip address 172.16.105.1 255.255.255.0
description SheJiZhongXin
exit
interface gigabitethernet 0/1
no shutdown
description GongChengZhongXin
ip address 172.16.107.1 255.255.255.0
exit
interface gigabitethernet 0/2
no shutdown
description CeShiZhongXin
ip address 172.16.109.1 255.255.255.0
exit
interface fastethernet 0/3/0
description YanJiuYuan
switchport mode access
switchport access vlan 111
exit
! ACL 110: engineering center (172.16.107.0/24, g0/1) may not reach the research institute (172.16.111.0/24)
access-list 110 remark JinZhi GCZX FangWen YJYFTP
access-list 110 deny ip 172.16.107.0 0.0.0.255 172.16.111.0 0.0.0.255
access-list 110 permit ip any any
! ACL 120: test center (172.16.109.0/24, g0/2) may not reach the research institute (172.16.111.0/24)
access-list 120 remark JinZhi CEZX FangWen YJYFTP
access-list 120 deny ip 172.16.109.0 0.0.0.255 172.16.111.0 0.0.0.255
access-list 120 permit ip any any
! bind each list inbound on the interface facing the segment it restricts
interface gigabitethernet 0/1
ip access-group 110 in
exit
interface gigabitethernet 0/2
ip access-group 120 in
exit
end
write
- Creating the ACL rules
An analogy with local regulations: Guangxi Zhuang Autonomous Region has its own local regulations and Xinjiang Uygur Autonomous Region has its own; they are separate rule sets, each written for one region. In the same way ACL 110 and ACL 120 are separate rule lists, each written for one interface.
access-list 110 remark JinZhi GCZX FangWen YJYFTP // creates ACL number 110; it is an extended ACL, and the remark states its purpose, "forbid the engineering center (GCZX) from accessing the research institute (YJY)"
access-list 110 deny ip 172.16.107.0 (source network) 0.0.0.255 (wildcard mask) 172.16.111.0 (destination network) 0.0.0.255 (wildcard mask)
access-list 110 permit ip any (source) any (destination) // any means any IP address and is equivalent to 0.0.0.0 255.255.255.255
access-list 120 remark JinZhi CEZX FangWen YJYFTP
access-list 120 deny ip 172.16.109.0 0.0.0.255 172.16.111.0 0.0.0.255
access-list 120 permit ip any any
Two points to check before pasting. First, the remarks mention FTP on the research institute, but the deny entries use the protocol keyword ip, so they block every IP protocol between the two segments, not only FTP. That satisfies the stated goal (no ping), but if only FTP were to be blocked the entry would have to be written as deny tcp ... eq 21 (plus port 20 for active-mode data connections) instead of deny ip. Second, every IOS ACL ends with an implicit deny any any; the permit ip any any line is what keeps all other traffic flowing, and leaving it out would cut off everything entering that interface.
- Applying the ACLs to interfaces
Continuing the analogy: Guangxi's local regulations apply in Guangxi, and Xinjiang's apply in Xinjiang. ACL 110 is bound inbound on gigabitethernet 0/1 (the engineering-center link) and ACL 120 inbound on gigabitethernet 0/2 (the test-center link). "in" means the list is checked on packets arriving at R1 from that interface, so the filtering happens before the packet is routed, and the reply traffic from Server0 arriving on interface vlan 111 is never consulted against these lists.
interface gigabitethernet 0/1
ip access-group 110 in
exit
interface gigabitethernet 0/2
ip access-group 120 in
exit
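To check what the two lists above will do before pasting them onto R1, the following is an added example (not code from the original page) of a small simulator for Cisco IOS numbered extended ACLs. It parses the access-list lines exactly as they appear in the script, applies Cisco wildcard-mask matching, first-match evaluation and the implicit deny at the end of each list, and then binds the lists inbound on the interfaces as the script does. The interface-to-ACL map and the sample packets (PC1 in the engineering center, PC2 in the test center, Server0 in the research institute) are constructed for this example; port matching (eq 21 and the like) is deliberately not modelled because the page's ACLs do not use it.

```python
"""
Added example, not from the original page: a simulator for Cisco IOS numbered
extended ACLs covering only what the R1 script uses -- permit/deny, the
protocol keywords ip/icmp/tcp/udp, `any`, `host`, network/wildcard pairs,
first-match evaluation and the implicit deny.  No port matching.
"""
import ipaddress
from typing import Tuple

# ACL text copied from the R1 script; remark lines are parsed and ignored.
ACL_TEXT = """
access-list 110 remark JinZhi GCZX FangWen YJYFTP
access-list 110 deny ip 172.16.107.0 0.0.0.255 172.16.111.0 0.0.0.255
access-list 110 permit ip any any
access-list 120 remark JinZhi CEZX FangWen YJYFTP
access-list 120 deny ip 172.16.109.0 0.0.0.255 172.16.111.0 0.0.0.255
access-list 120 permit ip any any
"""

# Constructed map of `ip access-group <n> in` bindings from the script.
INBOUND_ACL = {"gigabitethernet 0/1": 110, "gigabitethernet 0/2": 120}


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens, i) -> Tuple[Tuple[str, str], int]:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acls(text: str) -> dict:
    """Return {acl_number: [(action, proto, (src, wc), (dst, wc)), ...]} in order."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            continue
        number = int(tokens[1])
        acls.setdefault(number, [])
        if tokens[2] == "remark":
            continue  # remarks never match traffic
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        acls[number].append((action, proto, src, dst))
    return acls


def evaluate(acl: list, proto: str, src: str, dst: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, aproto, (snet, swc), (dnet, dwc) in acl:
        if aproto != "ip" and aproto != proto:  # `ip` matches every IP protocol
            continue
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


def filter_inbound(acls: dict, interface: str, proto: str, src: str, dst: str) -> str:
    """Apply the list bound inbound on `interface`; an interface with no list permits everything."""
    number = INBOUND_ACL.get(interface)
    if number is None:
        return "permit"
    return evaluate(acls[number], proto, src, dst)


def check_design_goals() -> dict:
    """Constructed packets: PC1 on g0/1, PC2 on g0/2, Server0 behind interface vlan 111."""
    acls = parse_acls(ACL_TEXT)
    return {
        "pc1_ping_server0": filter_inbound(acls, "gigabitethernet 0/1", "icmp", "172.16.107.10", "172.16.111.10"),
        "pc2_ping_server0": filter_inbound(acls, "gigabitethernet 0/2", "icmp", "172.16.109.10", "172.16.111.10"),
        "pc1_ping_shejizhongxin": filter_inbound(acls, "gigabitethernet 0/1", "icmp", "172.16.107.10", "172.16.105.10"),
        "pc1_tcp_server0": filter_inbound(acls, "gigabitethernet 0/1", "tcp", "172.16.107.10", "172.16.111.10"),
        "server0_ping_pc1": filter_inbound(acls, "vlan 111", "icmp", "172.16.111.10", "172.16.107.10"),
    }


if __name__ == "__main__":
    for name, verdict in check_design_goals().items():
        print(f"{name}: {verdict}")
```

The last entry shows the asymmetry worth remembering: Server0 can still send packets towards PC1 because nothing filters interface vlan 111, but its echo requests get no reply, since PC1's replies are dropped by ACL 110 on the way back in. The "pc1_tcp_server0" entry shows that deny ip covers TCP (and so FTP) as well as ICMP.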
- Vocabulary
remark /rɪˈmɑːk/ n. note, observation. In an IPv4 ACL, the text after remark is a comment that states what the ACL is for; add descriptions and remarks as you configure.
deny /dɪˈnaɪ/ v. to refuse, to reject
permit /pəˈmɪt/ v. to allow
- What are the valid ACL number ranges?
4.1 As shown in Cisco Packet Tracer 6.2
1-99: standard access list, the number range for standard ACLs
100-199: extended access list, the number range for extended ACLs (extended /ɪkˈstendɪd/ adj.)
4.2 As shown on a Cisco switch in EVE-NG
Real IOS offers the same two ranges plus the expanded ranges 1300-1999 for standard ACLs and 2000-2699 for extended ACLs; the numbers 110 and 120 used in the script fall in the extended range either way.
- ACL number ranges on a switch in eNSP
On Huawei devices the numbering is different: 2000-2999 for basic ACLs, 3000-3999 for advanced ACLs and 4000-4999 for Layer 2 ACLs, so the Cisco numbers 110 and 120 cannot be reused as-is on an eNSP switch.