ACL comprehensive lab configuration


Lab requirements:
1. Only the network administrator may log in to R1; the network administrator can ping server1 and client1.
2. R&D and Finance cannot communicate with each other, but both can communicate with the network administrator.
3. R&D can access client1.
4. Finance cannot access client1.
5. R&D and Finance can only access the web service on server1.
6. Only the network administrator can access all services on server1.

Configuration steps:
1. Configure full-network reachability (omitted here).
2. Configure the ACLs
(1) To meet requirement 1, configure on R1:
[R1]aaa
[R1-aaa]local-user admin password cipher 1234
[R1-aaa]local-user admin service-type telnet
[R1-aaa]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa
(2) Create the ACL
[R1]acl 2000
[R1-acl-basic-2000]rule 10 permit source 192.168.10.1 0.0.0.0
# Apply the ACL to the VTY lines
[R1]user-interface vty 0 4
[R1-ui-vty0-4]acl 2000 inbound
(3) To meet the R&D requirements, configure on R2
[R2]acl 3000
[R2-acl-adv-3000]rule 10 permit ip source 192.168.20.1 0.0.0.0 destination 192.168.10.1 0.0.0.0
[R2-acl-adv-3000]rule 20 permit ip source 192.168.20.1 0.0.0.0 destination 1.1.1.1 0.0.0.0
[R2-acl-adv-3000]rule 30 permit tcp source 192.168.20.1 0.0.0.0 destination 192.168.1.1 0.0.0.0 destination-port eq 80
[R2-acl-adv-3000]rule 40 deny ip source any destination any
[R2]interface g0/0/2
[R2-GigabitEthernet0/0/2]traffic-filter inbound acl 3000
(4) To meet the Finance requirements, configure on R3
[R3]acl 3000
[R3-acl-adv-3000]rule 10 permit ip source 192.168.30.1 0.0.0.0 destination 192.168.10.1 0.0.0.0
[R3-acl-adv-3000]rule 20 permit tcp source 192.168.30.1 0.0.0.0 destination 192.168.1.1 0.0.0.0 destination-port eq 80
[R3-acl-adv-3000]rule 30 deny ip source any destination any
[R3]interface g0/0/0
[R3-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
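As an added example (not part of the original post), the following Python script simulates first-match evaluation of the two advanced ACLs above with VRP wildcard-mask semantics, so the R2 and R3 rule sets can be checked against requirements 2 to 5 before they are loaded onto the devices. The addresses and protocols are the lab's own; the simulator is a deliberate simplification (no port ranges, no TCP flag or time-range matching).

```python
import ipaddress
from typing import NamedTuple, Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP wildcard semantics: a 0 bit must match, a 1 bit is ignored (0.0.0.0 = one host)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: tuple                   # (base, wildcard)
    dst: tuple
    dport: Optional[int] = None  # destination-port eq N; None = any port

def host(ip: str) -> tuple:
    return (ip, "0.0.0.0")
ANY = ("0.0.0.0", "255.255.255.255")  # "source any" / "destination any"

def evaluate(rules, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First match in rule-number order decides. traffic-filter forwards packets that match
    no rule, which is why each advanced ACL in the lab ends with an explicit deny-any."""
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (wildcard_match(src, *r.src) and wildcard_match(dst, *r.dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "permit"

# acl 3000 on R2, applied inbound on G0/0/2 (R&D host 192.168.20.1)
R2_ACL_3000 = [
    Rule("permit", "ip", host("192.168.20.1"), host("192.168.10.1")),      # rule 10: net admin
    Rule("permit", "ip", host("192.168.20.1"), host("1.1.1.1")),           # rule 20: client1
    Rule("permit", "tcp", host("192.168.20.1"), host("192.168.1.1"), 80),  # rule 30: server1 web only
    Rule("deny", "ip", ANY, ANY),                                          # rule 40
]
# acl 3000 on R3, applied inbound on G0/0/0 (Finance host 192.168.30.1)
R3_ACL_3000 = [
    Rule("permit", "ip", host("192.168.30.1"), host("192.168.10.1")),      # rule 10: net admin
    Rule("permit", "tcp", host("192.168.30.1"), host("192.168.1.1"), 80),  # rule 20: server1 web only
    Rule("deny", "ip", ANY, ANY),                                          # rule 30
]

if __name__ == "__main__":
    print("Finance -> client1 (ping):", evaluate(R3_ACL_3000, "icmp", "192.168.30.1", "1.1.1.1"))
    print("R&D -> server1 port 22:", evaluate(R2_ACL_3000, "tcp", "192.168.20.1", "192.168.1.1", 22))
```

Note that because rule 30 on R2 and rule 20 on R3 permit only TCP port 80, a ping from R&D or Finance to server1 is dropped, which is what requirement 5 asks for.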

Telnet test from the network administrator host:

telnet 192.168.12.2
Press CTRL_] to quit telnet mode
Trying 192.168.12.2 …
Connected to 192.168.12.2 …

Login authentication

Username:admin
Password:

User last login information:

Access Type: Telnet
IP-Address : 192.168.10.1
Time : 2019-11-27 20:55:56-08:00

Reposted from blog.csdn.net/weixin_45694481/article/details/103284127