ACL principles and application
Use an ACL to implement the following:
Host 1 can reach the web server but not the FTP server
Host 2 can reach the FTP server but not the web server
Topology: eNSP
- Configure the IP addresses of the hosts and servers
Host 1
IP: 192.168.1.1
Subnet mask: 255.255.255.0
Gateway: 192.168.1.254
Host 2
IP: 192.168.2.1
Subnet mask: 255.255.255.0
Gateway: 192.168.2.254
FTP server:
IP: 192.168.3.1
Subnet mask: 255.255.255.0
Gateway: 192.168.3.254
HTTP server:
IP: 192.168.4.1
Subnet mask: 255.255.255.0
Gateway: 192.168.4.254
- Create the VLANs on SW1 and SW2 and configure the gateway and interface IPs; configure the interface IPs on AR1
SW1
vlan batch 10 20 30
int e0/0/1
port link-type access
port default vlan 10
int e0/0/2
port link-type access
port default vlan 20
int e0/0/3
port link-type access
port default vlan 30
int vlanif 10
ip address 192.168.1.254 24
int vlanif 20
ip address 192.168.2.254 24
int vlanif 30
ip address 172.16.1.1 30
SW2
vlan batch 40 50
int e0/0/1
port link-type access
port default vlan 40
int e0/0/2
port link-type access
port default vlan 50
int vlanif 40
ip address 172.16.1.2 30
int vlanif 50
ip address 172.16.2.1 30
AR1
int g0/0/0
ip address 172.16.2.2 30
int g0/0/1
ip address 192.168.3.254 24
int g0/0/2
ip address 192.168.4.254 24
- Configure the default routes and the return routes
SW1
ip route-static 0.0.0.0 0.0.0.0 172.16.1.2
SW2
ip route-static 0.0.0.0 0.0.0.0 172.16.2.2
ip route-static 192.168.1.0 255.255.255.0 172.16.1.1
ip route-static 192.168.2.0 255.255.255.0 172.16.1.1
AR1
ip route-static 192.168.1.0 255.255.255.0 172.16.2.1
ip route-static 192.168.2.0 255.255.255.0 172.16.2.1
- Configure the ACL on AR1 and apply it on interface g0/0/0
acl number 3000
rule 5 permit tcp source 192.168.1.0 0.0.0.255 destination 192.168.4.1 0 destination-port eq www
rule 10 deny tcp source 192.168.1.0 0.0.0.255 destination 192.168.3.1 0 destination-port eq ftp
rule 15 permit tcp source 192.168.2.0 0.0.0.255 destination 192.168.3.1 0 destination-port eq ftp
rule 20 deny tcp source 192.168.2.0 0.0.0.255 destination 192.168.4.1 0 destination-port eq www
int g0/0/0
traffic-filter inbound acl 3000
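As an added example that is not part of the original lab, the following Python script evaluates acl 3000 above with first-match semantics and Huawei wildcard masks (0.0.0.255 covers a /24, the shorthand 0 means 0.0.0.0, a single host), so the verdict for each host/service pair, and for traffic no rule mentions such as ping, can be predicted before the filter is applied. The rule table is transcribed from the ACL above; the sample flows and the unmatched-traffic default of permit are assumptions taken from VRP's traffic-filter behaviour.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a wildcard mask (1 bit = don't care)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)

# Transcribed from acl 3000 on AR1:
# (rule id, action, protocol, src, src wildcard, dst, dst wildcard, dst port)
# VRP's "0" wildcard is written out as 0.0.0.0; www = 80, ftp = 21.
ACL_3000 = [
    (5,  "permit", "tcp", "192.168.1.0", "0.0.0.255", "192.168.4.1", "0.0.0.0", 80),
    (10, "deny",   "tcp", "192.168.1.0", "0.0.0.255", "192.168.3.1", "0.0.0.0", 21),
    (15, "permit", "tcp", "192.168.2.0", "0.0.0.255", "192.168.3.1", "0.0.0.0", 21),
    (20, "deny",   "tcp", "192.168.2.0", "0.0.0.255", "192.168.4.1", "0.0.0.0", 80),
]

def evaluate(acl, proto, src, dst, dport, default="permit"):
    """Return (action, rule_id) for the first rule that matches the flow.
    A flow no rule matches gets the default; for a VRP traffic-filter that
    is permit (assumption), which is why ICMP between the hosts still works."""
    for rid, action, rproto, rsrc, rsw, rdst, rdw, rport in acl:
        if (proto == rproto
                and wildcard_match(src, rsrc, rsw)
                and wildcard_match(dst, rdst, rdw)
                and dport == rport):
            return action, rid
    return default, None

if __name__ == "__main__":
    # Constructed flows mirroring the lab's four host/service combinations plus a ping.
    flows = [
        ("tcp",  "192.168.1.1", "192.168.4.1", 80),   # host 1 -> HTTP
        ("tcp",  "192.168.1.1", "192.168.3.1", 21),   # host 1 -> FTP
        ("tcp",  "192.168.2.1", "192.168.3.1", 21),   # host 2 -> FTP
        ("tcp",  "192.168.2.1", "192.168.4.1", 80),   # host 2 -> HTTP
        ("icmp", "192.168.1.1", "192.168.3.1", 0),    # host 1 pings FTP server
    ]
    for proto, src, dst, port in flows:
        print(f"{proto} {src} -> {dst}:{port}", evaluate(ACL_3000, proto, src, dst, port))
```

The ICMP flow shows why a successful ping is not a test of the ACL: only the TCP service ports are filtered, so connectivity testing and ACL testing are separate steps.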
- Test network connectivity
- Test whether the ACL configuration works
Host 1:
Host 2:
It is clear that host 1 cannot reach FTP but can reach HTTP,
and host 2 cannot reach HTTP but can reach FTP.