Requirements:
A new server (IP address 192.168.100.100) is being set up on a new company subnet. For security reasons the following is required:
(1) In VLAN 10, only 192.168.1.4 and 192.168.1.5 may access the server; every other address in VLAN 10 must not be able to reach it
(2) All other company subnets may access the server
GNS3 topology plan:
Steps:
1. Layer 2 switch (sw) configuration:
(1) Create the VLANs and assign the corresponding ports to them
(2) Configure the trunk:
2. Layer 3 switch (sw-3) configuration:
(1) Disable switching on the port facing the server so it becomes a routed port, and assign it the corresponding IP address (the server's gateway, 192.168.100.1):
(2) Create the VLANs and give their SVIs the corresponding IP addresses:
sw-3(config-if)#vlan 10,20
sw-3(config)#int vlan 10
sw-3(config-if)#ip add 192.168.1.1 255.255.255.0
sw-3(config-if)#no shut
sw-3(config-if)#ex
sw-3(config)#int vlan 20
sw-3(config-if)#ip add 192.168.2.1 255.255.255.0
sw-3(config-if)#no shut
sw-3(config-if)#ex
sw-3(config)#do show ip int b
... // part of the output omitted
Vlan1 unassigned YES unset up up
Vlan10 192.168.1.1 YES manual up down
Vlan20 192.168.2.1 YES manual up down
(Vlan10 and Vlan20 show up/down here because no port carrying those VLANs is active yet; they come up as soon as the trunk in step (3) is configured, as the LINEPROTO messages below show.)
(3) Configure the trunk:
sw-3(config)#int f1/0
sw-3(config-if)#sw mo t
sw-3(config-if)#sw
*Mar 1 00:43:32.235: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunk
*Mar 1 00:43:32.739: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
*Mar 1 00:43:32.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
sw-3(config-if)#sw t en dot
sw-3(config-if)#do show int f1/0 switchport
Name: Fa1/0
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1,10,20,1025
Protected: false
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
(4) Check the routing table to confirm that all three networks are present:
3. Assign an IP address to each PC and check whether they can reach each other
(1) PC1
PC1> ip 192.168.100.100 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1
(2)PC2
PC2> ip 192.168.1.4 192.168.1.1
Checking for duplicate address...
PC1 : 192.168.1.4 255.255.255.0 gateway 192.168.1.1
(3)PC3
PC3> ip 192.168.1.5 192.168.1.1
Checking for duplicate address...
PC1 : 192.168.1.5 255.255.255.0 gateway 192.168.1.1
(4)PC4
PC4> ip 192.168.2.2 192.168.2.1
Checking for duplicate address...
PC1 : 192.168.2.2 255.255.255.0 gateway 192.168.2.1
From PC2, ping each host to check connectivity (the first packet of a ping to another subnet times out while the switch resolves ARP for the destination; that is normal and not a filter):
PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=19.990 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=19.950 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=17.995 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=22.936 ms
PC2> ping 192.168.1.5
84 bytes from 192.168.1.5 icmp_seq=1 ttl=64 time=0.000 ms
84 bytes from 192.168.1.5 icmp_seq=2 ttl=64 time=0.156 ms
84 bytes from 192.168.1.5 icmp_seq=3 ttl=64 time=0.444 ms
84 bytes from 192.168.1.5 icmp_seq=4 ttl=64 time=0.000 ms
84 bytes from 192.168.1.5 icmp_seq=5 ttl=64 time=0.000 ms
PC2> ping 192.168.2.2
192.168.2.2 icmp_seq=1 timeout
84 bytes from 192.168.2.2 icmp_seq=2 ttl=63 time=20.900 ms
84 bytes from 192.168.2.2 icmp_seq=3 ttl=63 time=17.950 ms
84 bytes from 192.168.2.2 icmp_seq=4 ttl=63 time=42.198 ms
84 bytes from 192.168.2.2 icmp_seq=5 ttl=63 time=33.863 ms
4. Define a named access list on the Layer 3 switch:
sw-3(config-if)#ex //back to global configuration mode
sw-3(config)#ip access-list ?
extended Extended Access List
log-update Control access list log updates
logging Control access list logging
resequence Resequence Access List
standard Standard Access List
sw-3(config)#ip access-list standard ?
<1-99> Standard IP access-list number
<1300-1999> Standard IP access-list number (expanded range)
WORD Access-list name
sw-3(config)#ip access-list standard kgc //type standard, named kgc
sw-3(config-std-nacl)#permit ?
Hostname or A.B.C.D Address to match
any Any source host
host A single host address
sw-3(config-std-nacl)#permit host 192.168.1.4 //permit the single host 192.168.1.4
sw-3(config-std-nacl)#deny 192.168.1.0 0.0.0.255 //deny the rest of the 192.168.1.0/24 subnet (wildcard 0.0.0.255)
sw-3(config-std-nacl)#permit any //permit every other source (otherwise the implicit deny at the end would drop them)
sw-3(config-std-nacl)#ex
sw-3(config)#do show access-lists //display the access lists
Standard IP access list kgc
10 permit 192.168.1.4
20 deny 192.168.1.0, wildcard bits 0.0.0.255
30 permit any
sw-3(config)#int f1/1
sw-3(config-if)#ip access-group kgc ?
in inbound packets
out outbound packets
sw-3(config-if)#ip access-group kgc out //apply it outbound on f1/1, i.e. to traffic leaving toward the server
A standard ACL matches only on source address, so it is placed as close to the destination as possible: outbound on the server-facing interface, where it only affects packets heading to 192.168.100.100 and leaves VLAN 10's traffic to the other subnets alone. At this point PC2 should be able to reach PC1, PC3 should not, and PC4 should. Verify:
On PC2:
PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=19.912 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=17.019 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=18.022 ms
On PC3:
PC3> ping 192.168.100.100
*192.168.1.1 icmp_seq=1 ttl=255 time=9.056 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.1 icmp_seq=2 ttl=255 time=11.047 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.1 icmp_seq=3 ttl=255 time=4.063 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.1 icmp_seq=4 ttl=255 time=5.927 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.1 icmp_seq=5 ttl=255 time=14.503 ms (ICMP type:3, code:13, Communication administratively prohibited)
The replies come from the gateway 192.168.1.1, not from the server: the ACL drops the packet and the switch answers with ICMP type 3 code 13 (administratively prohibited), which tells the sender outright that a filter exists. If you would rather not reveal that, `no ip unreachables` on the filtering interface suppresses these messages and the blocked host simply sees timeouts.
On PC4:
PC4> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=19.165 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=15.066 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=14.939 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=21.400 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=19.084 ms
5. PC3 could not reach PC1 before. To allow it, another permit statement must be added, and its sequence number has to be lower than 20 so that it is evaluated before the deny of 192.168.1.0/24 (an ACL is evaluated top-down by sequence number and the first match wins):
sw-3(config-if)#ex
sw-3(config)#ip access-list standard kgc
sw-3(config-std-nacl)#12 permit host 192.168.1.5 //sequence 12: between 10 and 20
sw-3(config-std-nacl)#ex
sw-3(config)#do show access-lists
Standard IP access list kgc
12 permit 192.168.1.5
10 permit 192.168.1.4 (5 matches)
20 deny 192.168.1.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches)
(`show access-lists` prints entry 12 ahead of 10 here, but IOS evaluates the entries by sequence number, so 12 sits between 10 and 20 and is checked before the deny. `ip access-list resequence kgc 10 10` would renumber the entries 10, 20, 30, 40 if you want the display tidy; the match counters also confirm that PC3's earlier pings hit entry 20.)
Verify again:
PC3> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=14.096 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=13.975 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=21.249 ms
Result: PC3 can now reach the server.
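How the first-match rule in steps 4 and 5 actually decides, as an added Python example (it is not part of the original lab and not Cisco software): it parses the `show access-lists` output shown above, evaluates sources in sequence-number order regardless of the order `show` printed them, and flags entries that can never match. The host 192.168.1.6 and the `MISORDERED` list (the same permit for 192.168.1.5 appended at sequence 25, after the deny) are constructed for illustration.

```python
"""Offline simulator for first-match evaluation of a Cisco IOS standard IP ACL.

Added example for this page, not Cisco software.  SHOW_KGC is the
`show access-lists` output of the lab's ACL "kgc" after step 5; the test
sources are the lab PCs plus one constructed VLAN 10 host (192.168.1.6).
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    seq: int        # sequence number; IOS evaluates in ascending order
    action: str     # "permit" or "deny"
    network: int    # address as a 32-bit integer
    wildcard: int   # wildcard mask: 1 bits are "don't care", 0 = single host


def parse_ace(line: str) -> Ace:
    """Parse one entry as printed by `show access-lists`, e.g.
       10 permit 192.168.1.4 (5 matches)
       20 deny   192.168.1.0, wildcard bits 0.0.0.255
       30 permit any
    The "(n matches)" counter is dropped; "host A.B.C.D" is also accepted."""
    text = re.sub(r"\s*\(\d+ match(?:es)?\)\s*$", "", line.strip())
    seq, action, rest = text.split(maxsplit=2)
    if rest == "any":
        net, wc = 0, ALL_ONES
    elif ", wildcard bits " in rest:
        addr, mask = rest.split(", wildcard bits ")
        net, wc = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))
    else:
        host = rest[5:] if rest.startswith("host ") else rest
        net, wc = int(ipaddress.IPv4Address(host)), 0
    return Ace(int(seq), action, net, wc)


def parse_show_output(text: str) -> list[Ace]:
    """Keep only the numbered entry lines; the header line is skipped."""
    return [parse_ace(l) for l in text.splitlines() if l.strip()[:1].isdigit()]


def matches(ace: Ace, src: int) -> bool:
    fixed = ~ace.wildcard & ALL_ONES          # bits the entry actually compares
    return (src & fixed) == (ace.network & fixed)


def evaluate(acl: list[Ace], src: str) -> tuple[str, int | None]:
    """First match in sequence order wins, whatever order `show` printed;
    a source that matches nothing hits the implicit deny (seq None)."""
    s = int(ipaddress.IPv4Address(src))
    for ace in sorted(acl, key=lambda a: a.seq):
        if matches(ace, s):
            return ace.action, ace.seq
    return "deny", None


def shadowed(acl: list[Ace]) -> list[int]:
    """Sequence numbers of entries that can never match because a single
    earlier entry already covers every source they would match (the mistake
    of adding the permit for 192.168.1.5 after the deny of 192.168.1.0/24)."""
    ordered = sorted(acl, key=lambda a: a.seq)
    dead = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            fixed = ~earlier.wildcard & ALL_ONES
            if (later.wildcard & fixed) == 0 and \
               (earlier.network & fixed) == (later.network & fixed):
                dead.append(later.seq)
                break
    return dead


# `show access-lists` as printed on this page after step 5: seq 12 was inserted
# later and is displayed first, but it is still evaluated between 10 and 20.
SHOW_KGC = """\
Standard IP access list kgc
    12 permit 192.168.1.5
    10 permit 192.168.1.4 (5 matches)
    20 deny   192.168.1.0, wildcard bits 0.0.0.255 (10 matches)
    30 permit any (5 matches)
"""
KGC = parse_show_output(SHOW_KGC)

# Constructed counter-example: the same permit appended after the deny.
MISORDERED = [a for a in KGC if a.seq != 12] + \
    [Ace(25, "permit", int(ipaddress.IPv4Address("192.168.1.5")), 0)]

if __name__ == "__main__":
    for host in ("192.168.1.4", "192.168.1.5", "192.168.1.6", "192.168.2.2"):
        print(f"{host:<15} -> {evaluate(KGC, host)}")
    print("shadowed in kgc:", shadowed(KGC))
    print("misordered 192.168.1.5 ->", evaluate(MISORDERED, "192.168.1.5"),
          "shadowed:", shadowed(MISORDERED))
```

Running it reproduces the lab's verification (1.4 and 1.5 permitted by 10 and 12, any other VLAN 10 host denied by 20, PC4 permitted by 30) and shows why the sequence number mattered: with the permit at 25 it is reported as shadowed and 192.168.1.5 is still denied by entry 20.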