ACLs are a configuration feature for network security.
As large-scale open networks have developed, the threats they face have multiplied, and network security has become a problem every network administrator must deal with.
On one hand, to support the business, open access to network resources must be allowed;
on the other hand, data and resources must be kept as secure as possible. Many technologies are used for network security; filtering traffic with ACLs is one of the basic means of achieving it.
Topics: the function, operating principle and usage rules of IPv4 and IPv6 ACLs, standard versus extended ACLs, and the configuration of IPv4 ACLs and IPv6 ACLs.
An access control list (ACL) is a powerful tool for controlling network access.
An ACL is a router configuration script that decides, from information found in the packet header (source address, destination address, source port, destination port, protocol and so on), whether the router should permit or deny the packet, thereby achieving access control.
ACLs are one of the most commonly used features of Cisco IOS software and have a very wide range of applications; typical uses include:
① Limiting network traffic to improve network performance.
② Providing basic network access security.
③ Controlling the contents of routing updates.
④ Classifying packets for QoS.
⑤ Defining interesting traffic for IPsec VPNs.
⑥ Defining match criteria for policy-based routing.
Below is the ACL used on a car manufacturer's internal network.
Lab topology diagram
2. Configuration scripts for basic connectivity (the scripts can be copied and pasted directly)
S1
enable
configure terminal
no ip domain-lookup
no logging on
hostname S1
! inter-VLAN routing between the SVIs below requires ip routing (disabled by default on many Catalyst L3 switches)
ip routing
vlan 80
name SheBeiGuanLi
vlan 105
name SheJiZhongXin
vlan 107
name GongChengZhongXin
vlan 109
name CheShiZhongXin
vlan 111
name YanJiuYuan
exit
interface vlan 80
description SheBeiGuanLi
ip address 172.16.80.1 255.255.255.0
no shutdown
exit
interface vlan 105
description SheJiZhongXin
ip address 172.16.105.1 255.255.255.0
no shutdown
exit
interface vlan 107
description GongChengZhongXin
ip address 172.16.107.1 255.255.255.0
no shutdown
exit
interface vlan 109
description CheShiZhongXin
ip address 172.16.109.1 255.255.255.0
no shutdown
exit
interface vlan 111
description YanJiuYuanFTP
ip address 172.16.111.1 255.255.255.0
no shutdown
exit
interface gigabitethernet 0/0
description SheJiZhongXin
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 80,105
exit
interface gigabitethernet 0/1
description GongChengZhongXin
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 80,107
exit
interface gigabitethernet 0/2
description CheShiZhongXin
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 80,109
exit
interface gigabitethernet 1/1
description YanJiuYuan
switchport mode access
switchport access vlan 111
exit
! enable password 7 expects an already-encoded type-7 string; use enable secret (hashed) instead
enable secret adminconsole
line console 0
logging synchronous
exec-timeout 3 0
exit
username admin password admin123
ip domain-name lz.cn
! hostname and domain name must be set before generating the RSA key, and SSH v2 needs the key to exist
crypto key generate rsa modulus 1024
ip ssh version 2
line vty 0 4
login local
transport input ssh
end
write
copy running-config startup-config
S2
enable
configure terminal
no ip domain-lookup
no logging on
hostname S2
vlan 80
name SheBeiGuanLi
vlan 105
name SheJiZhongXin
exit
interface gigabitethernet 0/0
description UP-Link
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 80,105
exit
interface gigabitethernet 1/3
description Network Administrator
switchport mode access
switchport access vlan 80
exit
interface gigabitethernet 1/1
description SJZX
switchport mode access
switchport access vlan 105
exit
interface vlan 80
description SheBeiGuanLi
ip address 172.16.80.2 255.255.255.0
no shutdown
exit
! enable password 7 expects an already-encoded type-7 string; use enable secret (hashed) instead
enable secret adminconsole
line console 0
logging synchronous
exec-timeout 3 0
exit
username admin password admin123
ip domain-name lz.cn
! hostname and domain name must be set before generating the RSA key, and SSH v2 needs the key to exist
crypto key generate rsa modulus 1024
ip ssh version 2
line vty 0 4
login local
transport input ssh
end
write
copy running-config startup-config
S3
enable
configure terminal
no ip domain-lookup
no logging on
hostname S3
vlan 80
name SheBeiGuanLi
vlan 107
name GongChengZhongXin
exit
interface vlan 80
description SheBeiGuanLi
ip address 172.16.80.3 255.255.255.0
no shutdown
exit
interface gigabitethernet 0/0
description UP-Link
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 80,107
exit
interface gigabitethernet 1/1
description GongChengZhongXin
switchport mode access
switchport access vlan 107
exit
! enable password 7 expects an already-encoded type-7 string; use enable secret (hashed) instead
enable secret adminconsole
line console 0
logging synchronous
exec-timeout 3 0
exit
username admin password admin123
ip domain-name lz.cn
! hostname and domain name must be set before generating the RSA key, and SSH v2 needs the key to exist
crypto key generate rsa modulus 1024
ip ssh version 2
line vty 0 4
login local
transport input ssh
end
write
copy running-config startup-config
S4
enable
configure terminal
no ip domain-lookup
no logging on
hostname S4
vlan 80
name SheBeiGuanLi
vlan 109
name CheShiZhongXin
exit
interface vlan 80
description SheBeiGuanLi
ip address 172.16.80.4 255.255.255.0
no shutdown
exit
interface gigabitethernet 0/0
description UP-Link
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 80,109
exit
interface gigabitethernet 1/1
description CheShiZhongXin
switchport mode access
switchport access vlan 109
exit
! enable password 7 expects an already-encoded type-7 string; use enable secret (hashed) instead
enable secret adminconsole
line console 0
logging synchronous
exec-timeout 3 0
exit
username admin password admin123
ip domain-name lz.cn
! hostname and domain name must be set before generating the RSA key, and SSH v2 needs the key to exist
crypto key generate rsa modulus 1024
ip ssh version 2
line vty 0 4
login local
transport input ssh
end
write
copy running-config startup-config
VPC1-SJZX-1
ip 172.16.105.111/24 172.16.105.1
set pcname SJZX-1
save
VPC2-GCZX-1
ip 172.16.107.111/24 172.16.107.1
set pcname GCZX-1
save
VPC3-CSZX-1
ip 172.16.109.111/24 172.16.109.1
set pcname CSZX-1
save
FTP-Server-YJYFTP-1
ip 172.16.111.111/24 172.16.111.1
set pcname YJYFTP-1
save
Network_Administrator
ip 172.16.80.10/24 172.16.80.1
set pcname NetworkAdmin
save
Test: every PC can ping the devices in the 172.16.80.0/24 segment.
3. Configuration scripts - ACL control
Goal: only Network-Admin may access the devices in the 172.16.80.0 segment, so that only the administrator can manage the switches.
S1
enable
configure terminal
no ip domain-lookup
no logging on
hostname S1
! inter-VLAN routing between the SVIs below requires ip routing (disabled by default on many Catalyst L3 switches)
ip routing
vlan 80
name SheBeiGuanLi
vlan 105
name SheJiZhongXin
vlan 107
name GongChengZhongXin
vlan 109
name CheShiZhongXin
vlan 111
name YanJiuYuan
exit
interface vlan 80
description SheBeiGuanLi
ip address 172.16.80.1 255.255.255.0
no shutdown
exit
interface vlan 105
description SheJiZhongXin
ip address 172.16.105.1 255.255.255.0
no shutdown
exit
interface vlan 107
description GongChengZhongXin
ip address 172.16.107.1 255.255.255.0
no shutdown
exit
interface vlan 109
description CheShiZhongXin
ip address 172.16.109.1 255.255.255.0
no shutdown
exit
interface vlan 111
description YanJiuYuanFTP
ip address 172.16.111.1 255.255.255.0
no shutdown
exit
interface gigabitethernet 0/0
description SheJiZhongXin
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 80,105
exit
interface gigabitethernet 0/1
description GongChengZhongXin
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 80,107
exit
interface gigabitethernet 0/2
description CheShiZhongXin
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 80,109
exit
interface gigabitethernet 1/1
description YanJiuYuan
switchport mode access
switchport access vlan 111
exit
! enable password 7 expects an already-encoded type-7 string; use enable secret (hashed) instead
enable secret adminconsole
line console 0
logging synchronous
exec-timeout 3 0
exit
username admin password admin123
ip domain-name lz.cn
! hostname and domain name must be set before generating the RSA key, and SSH v2 needs the key to exist
crypto key generate rsa modulus 1024
ip ssh version 2
line vty 0 4
login local
transport input ssh
exit
! ACL 110 is read top-down and the first matching entry wins: traffic between
! hosts of 172.16.80.0/24 is permitted, everything else is dropped. The final
! deny duplicates the implicit deny at the end of every ACL, but as an explicit
! entry its hit count is visible in "show access-lists". Note that it also drops
! department traffic to every other network (for example VLAN 105 to the FTP
! server in VLAN 111), not only traffic to 172.16.80.0/24.
access-list 110 remark Only_Network_Admin_Access80
access-list 110 permit ip 172.16.80.0 0.0.0.255 172.16.80.0 0.0.0.255
access-list 110 deny ip any any
! applied inbound on every downstream port so frames are filtered as they enter S1
interface gigabitethernet 0/0
ip access-group 110 in
interface gigabitethernet 0/1
ip access-group 110 in
interface gigabitethernet 0/2
ip access-group 110 in
interface gigabitethernet 1/1
ip access-group 110 in
end
write
copy running-config startup-config
S2
enable
configure terminal
no ip domain-lookup
no logging on
hostname S2
vlan 80
name SheBeiGuanLi
vlan 105
name SheJiZhongXin
exit
interface gigabitethernet 0/0
description UP-Link
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 80,105
exit
interface gigabitethernet 1/3
description Network Administrator
switchport mode access
switchport access vlan 80
exit
interface gigabitethernet 1/1
description SJZX
switchport mode access
switchport access vlan 105
exit
interface vlan 80
description SheBeiGuanLi
ip address 172.16.80.2 255.255.255.0
no shutdown
exit
! enable password 7 expects an already-encoded type-7 string; use enable secret (hashed) instead
enable secret adminconsole
line console 0
logging synchronous
exec-timeout 3 0
exit
username admin password admin123
ip domain-name lz.cn
! hostname and domain name must be set before generating the RSA key, and SSH v2 needs the key to exist
crypto key generate rsa modulus 1024
ip ssh version 2
line vty 0 4
login local
transport input ssh
exit
! same ACL 110 as on S1, applied inbound on both access ports (administrator and design-center PC)
access-list 110 remark Only_Network_Admin_Access80
access-list 110 permit ip 172.16.80.0 0.0.0.255 172.16.80.0 0.0.0.255
access-list 110 deny ip any any
interface gigabitethernet 1/3
ip access-group 110 in
interface gigabitethernet 1/1
ip access-group 110 in
end
write
copy running-config startup-config
S3
enable
configure terminal
no ip domain-lookup
no logging on
hostname S3
vlan 80
name SheBeiGuanLi
vlan 107
name GongChengZhongXin
exit
interface vlan 80
description SheBeiGuanLi
ip address 172.16.80.3 255.255.255.0
no shutdown
exit
interface gigabitethernet 0/0
description UP-Link
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 80,107
exit
interface gigabitethernet 1/1
description GongChengZhongXin
switchport mode access
switchport access vlan 107
exit
! enable password 7 expects an already-encoded type-7 string; use enable secret (hashed) instead
enable secret adminconsole
line console 0
logging synchronous
exec-timeout 3 0
exit
username admin password admin123
ip domain-name lz.cn
! hostname and domain name must be set before generating the RSA key, and SSH v2 needs the key to exist
crypto key generate rsa modulus 1024
ip ssh version 2
line vty 0 4
login local
transport input ssh
exit
! same ACL 110 as on S1, applied inbound on the engineering-center access port
access-list 110 remark Only_Network_Admin_Access80
access-list 110 permit ip 172.16.80.0 0.0.0.255 172.16.80.0 0.0.0.255
access-list 110 deny ip any any
interface gigabitethernet 1/1
ip access-group 110 in
end
write
copy running-config startup-config
S4
enable
configure terminal
no ip domain-lookup
no logging on
hostname S4
vlan 80
name SheBeiGuanLi
vlan 109
name CheShiZhongXin
exit
interface vlan 80
description SheBeiGuanLi
ip address 172.16.80.4 255.255.255.0
no shutdown
exit
interface gigabitethernet 0/0
description UP-Link
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 80,109
exit
interface gigabitethernet 1/1
description CheShiZhongXin
switchport mode access
switchport access vlan 109
exit
! enable password 7 expects an already-encoded type-7 string; use enable secret (hashed) instead
enable secret adminconsole
line console 0
logging synchronous
exec-timeout 3 0
exit
username admin password admin123
ip domain-name lz.cn
! hostname and domain name must be set before generating the RSA key, and SSH v2 needs the key to exist
crypto key generate rsa modulus 1024
ip ssh version 2
line vty 0 4
login local
transport input ssh
exit
! same ACL 110 as on S1, applied inbound on the test-center access port
access-list 110 remark Only_Network_Admin_Access80
access-list 110 permit ip 172.16.80.0 0.0.0.255 172.16.80.0 0.0.0.255
access-list 110 deny ip any any
interface gigabitethernet 1/1
ip access-group 110 in
end
write
copy running-config startup-config
VPC1-SJZX-1
ip 172.16.105.111/24 172.16.105.1
set pcname SJZX-1
save
VPC2-GCZX-1
ip 172.16.107.111/24 172.16.107.1
set pcname GCZX-1
save
VPC3-CSZX-1
ip 172.16.109.111/24 172.16.109.1
set pcname CSZX-1
save
FTP-Server-YJYFTP-1
ip 172.16.111.111/24 172.16.111.1
set pcname YJYFTP-1
save
Network_Administrator
ip 172.16.80.10/24 172.16.80.1
set pcname NetworkAdmin
save
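ACL 110 above is evaluated the way the introduction describes: each entry compares the packet's source and destination addresses against a network/wildcard pair, the list is read top-down, the first match wins, and anything that matches nothing hits the implicit deny at the end. The following Python script is an added example (not part of the original post or the lab's own configuration) that reproduces that matching logic, including Cisco wildcard masks, and runs ACL 110 over a few flows constructed from the lab's addressing plan. It also evaluates an alternative list, my own suggestion rather than the page's, that denies only traffic destined to 172.16.80.0/24 and permits everything else, so the department PCs keep their access to the research-institute FTP server in VLAN 111 while the management segment stays reachable only from VLAN 80.

```python
"""Offline evaluation of ACL 110 from the lab above, with Cisco extended-ACL
semantics: entries are checked top-down, the first match wins, and a packet that
matches nothing hits the implicit deny at the end of the list.
Added example; the flows below are constructed from the lab's addressing plan."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Match = Tuple[str, str]                        # (network, wildcard mask)
ANY: Match = ("0.0.0.0", "255.255.255.255")    # Cisco "any"
NET80: Match = ("172.16.80.0", "0.0.0.255")    # management VLAN 80


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the network, a 1 bit is ignored."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    """One access-control entry of an extended IP ACL (protocol ip only)."""
    action: str   # "permit" or "deny"
    src: Match
    dst: Match


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None means implicit deny."""
    for index, ace in enumerate(acl):
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action, index
    return "deny", None


# ACL 110 exactly as configured on S1-S4 above (remark omitted).
ACL_110: List[Ace] = [
    Ace("permit", NET80, NET80),
    Ace("deny", ANY, ANY),
]

# Alternative list (my suggestion, not from the page): block only traffic that is
# destined to the management VLAN and leave every other flow alone.
ACL_MGMT_ONLY: List[Ace] = [
    Ace("permit", NET80, NET80),
    Ace("deny", ANY, NET80),
    Ace("permit", ANY, ANY),
]

# Constructed flows (source, destination) using the lab's addresses.
FLOWS: Dict[str, Tuple[str, str]] = {
    "admin -> S3 SVI":        ("172.16.80.10", "172.16.80.3"),
    "design PC -> S1 SVI 80": ("172.16.105.111", "172.16.80.1"),
    "design PC -> FTP":       ("172.16.105.111", "172.16.111.111"),
    "FTP -> test PC":         ("172.16.111.111", "172.16.109.111"),
}


def evaluate_flows(acl: List[Ace]) -> Dict[str, str]:
    """Evaluate every constructed flow and return {flow name: action}."""
    return {name: evaluate(acl, s, d)[0] for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for title, acl in (("ACL 110 (as configured)", ACL_110),
                       ("deny-to-80-only (suggested)", ACL_MGMT_ONLY)):
        print(title)
        for flow, action in evaluate_flows(acl).items():
            print(f"  {flow:24s} {action}")
```

Running the script shows that ACL 110 denies "design PC -> FTP" and "FTP -> test PC" as well as the management flow it was written for, because its last entry matches every packet that is not VLAN-80-to-VLAN-80; the suggested list keeps only "design PC -> S1 SVI 80" denied. The same check is worth doing on the device itself with show access-lists after a few test pings, since the explicit deny entry carries a hit counter.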