Overview
A company needs to control which hosts may reach each department, so it needs a tool that matches traffic. An ACL is a matching tool: it is used to match packets and to match routes.
ACL applications
① Matching traffic (based on source and destination IP address, protocol type, port number and similar fields)
② Can be invoked by traffic-filter
③ Can be invoked by NAT
④ Can be invoked by routing policy
ACL types
basic acl
Basic ACL, numbers 2000-2999; can match only on the source IP address
advanced acl
Advanced ACL, numbers 3000-3999; can match on source IP, destination IP, source port, destination port and protocol number
Layer 2 ACL
Range 4000-4999; used at the data link layer
User-defined ACL
5000-5999; can be given a name; the numbering range is officially defined
Wildcard mask
Written in dotted decimal; it indicates which bits of the IP address must match exactly and which need not match: a 1 bit means no match is required, a 0 bit means the bit must match exactly.
There is an implicit rule: when no rule is configured, everything is permitted by default.
Experiment
First configure the port state on sw1
#
interface Ethernet0/0/1
port link-type access
port default vlan 10
#
interface Ethernet0/0/2
port link-type access
port default vlan 20
#
interface Ethernet0/0/3
port link-type access
port default vlan 10
#
interface Ethernet0/0/4
port link-type access
port default vlan 20
#
interface Ethernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
Then configure router-on-a-stick (sub-interfaces) on R1
#
interface GigabitEthernet0/0/0.1
dot1q termination vid 10
ip address 192.168.1.254 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/0.2
dot1q termination vid 20
ip address 192.168.2.254 255.255.255.0
arp broadcast enable
#
Then configure an ACL so that VLAN 10 cannot reach VLAN 20, while hosts inside each VLAN can still reach each other
[R1]dis acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 deny icmp source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 (14 matches)
#
interface GigabitEthernet0/0/0
traffic-filter inbound acl 3000
#
[R1]
Configure an ACL on R2
[r2]dis acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 deny tcp source 12.1.1.0 0.0.0.255 destination 10.1.1.1 0 destination-port eq www (8 matches)
[r2]
Activate it on R2's g0/0/1 interface
interface GigabitEthernet0/0/1
ip address 10.1.1.254 255.255.255.0
traffic-filter outbound acl 3000
#
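To make the wildcard-mask section and the two ACL 3000 configurations concrete, here is an added Python model of how a Huawei-style advanced ACL evaluates a packet under traffic-filter. It is example code written for these notes, not device code or vendor software. It implements the bit rule from the wildcard section (0 = must match, 1 = don't care), walks rules in rule-id order with first match wins, and falls back to the implicit permit when nothing matches. The rules are the two shown by display acl 3000 above; the "0" wildcard in the R2 output is written as 0.0.0.0, and "www" is port 80. The sample packets and the host addresses .10 are constructed for the demonstration. One thing the model makes visible: R1's rule denies only ICMP, so a TCP connection from VLAN 10 to VLAN 20 still hits the implicit permit; matching all of "cannot reach" needs protocol ip rather than icmp.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known port names as they appear in Huawei "display acl" output.
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Huawei-style wildcard mask.

    Wildcard bit 0 = this bit must match exactly, wildcard bit 1 = don't care.
    Unlike a subnet mask, the 1-bits need not be contiguous.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (b & care)


@dataclass
class Rule:
    rule_id: int
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any IP protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"            # default: any destination
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None  # "destination-port eq N"; None = any port


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the rules in rule-id order; the first matching rule decides.

    Returns (action, rule_id). When no rule matches, traffic-filter applies
    the implicit rule from the notes: permit, reported here as rule None.
    """
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.protocol != "ip" and rule.protocol != pkt.protocol:
            continue
        if not wildcard_match(pkt.src, rule.src, rule.src_wc):
            continue
        if not wildcard_match(pkt.dst, rule.dst, rule.dst_wc):
            continue
        if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
            continue
        return rule.action, rule.rule_id
    return "permit", None


# ACL 3000 on R1, as shown by "display acl 3000" in the notes.
R1_ACL_3000 = [
    Rule(5, "deny", "icmp", "192.168.1.0", "0.0.0.255",
         "192.168.2.0", "0.0.0.255"),
]

# ACL 3000 on R2; the wildcard "0" in the output means 0.0.0.0 (exact host).
R2_ACL_3000 = [
    Rule(5, "deny", "tcp", "12.1.1.0", "0.0.0.255",
         "10.1.1.1", "0.0.0.0", dst_port=PORT_NAMES["www"]),
]


if __name__ == "__main__":
    # Constructed sample packets; the .10 hosts are assumptions, not from the notes.
    samples = [
        ("R1", R1_ACL_3000, Packet("icmp", "192.168.1.10", "192.168.2.10")),
        ("R1", R1_ACL_3000, Packet("tcp", "192.168.1.10", "192.168.2.10", 80)),
        ("R2", R2_ACL_3000, Packet("tcp", "12.1.1.10", "10.1.1.1", 80)),
        ("R2", R2_ACL_3000, Packet("tcp", "12.1.1.10", "10.1.1.1", 22)),
    ]
    for router, acl, pkt in samples:
        action, rid = evaluate(acl, pkt)
        print(f"{router}: {pkt} -> {action} (rule {rid})")
```

Because wildcard bits are independent, the same function also handles non-contiguous masks such as 0.0.0.254 against base 10.0.0.1, which matches every odd last octet; that is something a subnet mask cannot express and a common source of surprises when reading an ACL.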
Configure routes on R1 and R2 so that the whole network is reachable
#
ip route-static 10.1.1.0 255.255.255.0 12.1.1.2
<R1> dis ip ro
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 15 Routes : 15
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Static 60 0 RD 12.1.1.2 GigabitEthernet0/0/1
12.1.1.0/24 Direct 0 0 D 12.1.1.1 GigabitEthernet0/0/1
12.1.1.1/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
12.1.1.10/32 Unr 64 0 D 127.0.0.1 InLoopBack0
12.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.254 GigabitEthernet0/0/0.1
192.168.1.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0.1
192.168.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0.1
192.168.2.0/24 Direct 0 0 D 192.168.2.254 GigabitEthernet0/0/0.2
192.168.2.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0.2
192.168.2.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0.2
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
#
ip route-static 0.0.0.0 0.0.0.0 12.1.1.1
<r2>dis ip ro
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 12.1.1.1 GigabitEthernet0/0/0
10.1.1.0/24 Direct 0 0 D 10.1.1.254 GigabitEthernet0/0/1
10.1.1.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
12.1.1.0/24 Direct 0 0 D 12.1.1.2 GigabitEthernet0/0/0
12.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
12.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Configure an ACL on R2 so that the client cannot access the server's web server, while other hosts can still access the server