System integration assignment: access control list (ACL) configuration

Experimental tasks:

  • Basic ACL experiment: build the topology (pc1+pc2) SW1>>R1>>R2>>SW2(pc3) and configure default routes so that pc1, pc2 and pc3 can communicate with each other. Then set an ACL so that pc1 cannot access pc3 (pc2 can still access pc3 normally).
  • Advanced ACL experiment: for the departments set up in the company network in the previous experiment, computers in the production department are not allowed to ping the company's web server, but they can still visit its web page.
  • For the department VLANs set up in the company network in the previous experiment, set up an enterprise financial server and only allow computers in the finance department's VLAN to access it.

The main technologies used in this experiment are basic ACLs and advanced ACLs:

  • The use of ACL is divided into two steps: 

(1) Create the access control list (ACL) and add rules with the match conditions the requirement calls for;

(2) Apply the ACL to the specified direction (in/out) of the specified interface of the router. 

  • Note the following when configuring and using ACLs: 

(1) An ACL is processed in top-down order. Once a rule matches, its action is applied and no further rules are compared. The order of rules in the ACL is therefore very important: the most specific (restrictive) rules should be placed at the top and the least restrictive at the bottom.

(2) When no rule matches, the packet is discarded. This is also known as the ACL's implicit deny.

(3) Only one ACL can be applied to each interface in each direction.

(4) A standard (basic) ACL should be deployed near the destination network of the packets, and an extended (advanced) ACL should be deployed near the sender of the packets.

Table of contents

1 Basic ACL experiment: build the topology (pc1+pc2) SW1>>R1>>R2>>SW2(pc3), configure default routing so that pc1, pc2 and pc3 can communicate with each other, and set an ACL so that pc1 cannot access pc3 (pc2 can access pc3 normally)

1.1 Experimental topology

1.2 Experimental configuration

2 Advanced ACL experiment: for the departments set up in the company network in the previous experiment, computers in the production department are not allowed to ping the company's web server, but they can still visit the web page

2.1 Experimental topology

2.2 Experimental configuration

3 Set up the enterprise financial server for the department VLANs set up in the company network in the previous experiment, and only allow computers in the finance department's VLAN to access it


1 Basic ACL experiment: build the topology (pc1+pc2) SW1>>R1>>R2>>SW2(pc3), configure default routing so that pc1, pc2 and pc3 can communicate with each other, and set an ACL so that pc1 cannot access pc3 (pc2 can access pc3 normally)

1.1 Experimental topology

1.2 Experimental configuration

pc1:

pc2:

pc3:

R1:

[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[r1]int g0/0/1
[r1-GigabitEthernet0/0/1]ip address 12.1.1.1 24

R2:

[r2]int g0/0/0
[r2-GigabitEthernet0/0/0]ip address 12.1.1.2 24
[r2]int g0/0/1
[r2-GigabitEthernet0/0/1]ip address 192.168.2.1 24

Configure a default route:

R1:

[r1]ip route-static 0.0.0.0 0.0.0.0 12.1.1.2 

R2:

[r2]ip route-static 0.0.0.0 0.0.0.0 12.1.1.1

At this point the three PCs can ping each other. Now set the ACL so that pc1 cannot access pc3 (pc2 can access pc3 normally):

[Huawei]acl 2000
[Huawei-acl-basic-2000]rule 5 deny source 192.168.1.10 0 // the address matched here is pc2's IP
[Huawei-acl-basic-2000]int e0/0/3
[Huawei-Ethernet0/0/3]traffic-filter outbound acl 2000

At this point:

pc1 cannot ping pc3,

but pc2 can ping pc3.

2 Advanced ACL experiment: for the departments set up in the company network in the previous experiment, computers in the production department are not allowed to ping the company's web server, but they can still visit the web page

2.1 Experimental topology

Based on Experiment 3, you only need to add a server to simulate the web server and a client. For the content of Experiment 3, please refer to my previous blog: ensp-based small LAN network construction and demand analysis (2)

server1 simulates the company's web server and is placed in vlan10; client1 is used to test the advanced ACL, belongs to the production department, and is in vlan20.

2.2 Experimental configuration

server3:

client:

Assign the server and client ports to their VLANs:

[Huawei]int e0/0/5
[Huawei-Ethernet0/0/5]port link-type access
[Huawei-Ethernet0/0/5]port default vlan 10
[Huawei]int e0/0/6
[Huawei-Ethernet0/0/6]port link-type access
[Huawei-Ethernet0/0/6]port default vlan 20

Before the ACL is configured, test whether the client can ping the server and access its web service.

Both work, so there is no problem before the ACL is applied.

Configure an advanced ACL so that computers in the production department cannot ping the company's web server but can still access the web page:

LSW2:

[Huawei]acl 3001
[Huawei-acl-adv-3001]rule 5 deny icmp source 192.168.20.20 0.0.0.255 destination 192.168.10.10 0
[Huawei-acl-adv-3001]rule 10 permit tcp source 192.168.20.20 0.0.0.255 destination 192.168.10.10 0 destination-port eq 80
[Huawei]int Ethernet 0/0/5
[Huawei-Ethernet0/0/5]traffic-filter outbound acl 3001

The ping now fails, i.e. the client can no longer ping the server,

but it can still access the web service.
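To make the top-down, first-match behaviour described in the notes concrete, here is an added example (not from the original post and not Huawei code) that models wildcard-mask matching and rule order, then transcribes ACL 2000 and ACL 3001 from the CLI above so the ping-versus-HTTP outcome can be checked on constructed packets. The verdict for packets that match no rule is left as a parameter, since that default is platform dependent.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care',
    a 0 bit means 'must equal base'. A wildcard of 0 (0.0.0.0) is a host."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return a & care == b & care

@dataclass
class Rule:
    num: int                     # rule number; lower numbers are checked first
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" = any protocol (what a basic ACL matches)
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None  # destination-port eq N, when given

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wc) and
                wildcard_match(pkt["dst"], self.dst, self.dst_wc))

def evaluate(rules, pkt, default="permit"):
    """First matching rule (by ascending number) decides; later rules are never
    consulted. `default` is the verdict when no rule matches."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule.matches(pkt):
            return rule.action, rule.num
    return default, None

# The two ACLs from this page, transcribed from the CLI above.
ACL_2000 = [Rule(5, "deny", src="192.168.1.10", src_wc="0.0.0.0")]
ACL_3001 = [
    Rule(5, "deny", "icmp", "192.168.20.20", "0.0.0.255", "192.168.10.10", "0.0.0.0"),
    Rule(10, "permit", "tcp", "192.168.20.20", "0.0.0.255", "192.168.10.10", "0.0.0.0", 80),
]
```

Feeding a constructed ICMP packet from any 192.168.20.x host to 192.168.10.10 into `evaluate(ACL_3001, ...)` returns `('deny', 5)`, while the same source on TCP port 80 returns `('permit', 10)`.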

3 Set up the enterprise financial server for the department VLANs set up in the company network in the previous experiment, and only allow computers in the finance department's VLAN to access it

This is the same as the previous configuration; see this link for the specific configuration:

Ensp-based small LAN network construction and demand analysis (2)

If you have any questions, feel free to send me a private message or ask in the comments; you can also message me to get the configuration file.

Origin blog.csdn.net/weixin_51338719/article/details/129931438