Example 1: Standard access control list configuration
The topology is as follows:
Configure a standard access list to prohibit host PC1 from accessing host PC3.
(1) Configure SW as follows:
SW#configure terminal //enter global configuration mode
Enter configuration commands, one per line. End with CNTL/Z.
SW(config)#no ip routing //disable IP routing
SW(config)#int f1/0 //enter interface configuration mode
SW(config-if)#speed 100 //set the speed to 100 Mb/s
SW(config-if)#duplex full //set full duplex
SW(config-if)#exit //exit
SW(config)#
*Mar 1 00:12:46.291: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
SW(config)#
(2) Configure R1 as follows:
R1#conf t //enter global configuration mode
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int f0/0 //enter interface configuration mode
R1(config-if)#ip add 192.168.10.1 255.255.255.0 //configure the IP address and subnet mask
R1(config-if)#no shut //bring the interface up
*Mar 1 00:12:48.579: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:12:49.579: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#int f0/1 //enter interface configuration mode
R1(config-if)#ip add 192.168.20.1 255.255.255.0 //configure the IP address and subnet mask
R1(config-if)#no shut //bring the interface up
R1(config-if)#
*Mar 1 00:13:15.063: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:13:16.063: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#exit //exit
(3) Configure the IP addresses of PC1, PC2 and PC3.
PC1>
PC1> ip 192.168.10.2 192.168.10.1 //configure the IP address and gateway
Checking for duplicate address...
PC1 : 192.168.10.2 255.255.255.0 gateway 192.168.10.1
PC1>
PC2>
PC2> ip 192.168.10.3 192.168.10.1 //configure the IP address and gateway
Checking for duplicate address...
PC1 : 192.168.10.3 255.255.255.0 gateway 192.168.10.1
PC2>
PC3>
PC3> ip 192.168.20.2 192.168.20.1 //configure the IP address and gateway
Checking for duplicate address...
PC1 : 192.168.20.2 255.255.255.0 gateway 192.168.20.1
PC3>
(4) Ping PC3 from PC1 and from PC2; both can communicate.
PC1> ping 192.168.20.2
192.168.20.2 icmp_seq=1 timeout
84 bytes from 192.168.20.2 icmp_seq=2 ttl=63 time=12.961 ms
84 bytes from 192.168.20.2 icmp_seq=3 ttl=63 time=17.258 ms
84 bytes from 192.168.20.2 icmp_seq=4 ttl=63 time=12.084 ms
84 bytes from 192.168.20.2 icmp_seq=5 ttl=63 time=18.257 ms
PC1>
PC2> ping 192.168.20.2
84 bytes from 192.168.20.2 icmp_seq=1 ttl=63 time=19.947 ms
84 bytes from 192.168.20.2 icmp_seq=2 ttl=63 time=11.270 ms
84 bytes from 192.168.20.2 icmp_seq=3 ttl=63 time=14.618 ms
84 bytes from 192.168.20.2 icmp_seq=4 ttl=63 time=20.939 ms
84 bytes from 192.168.20.2 icmp_seq=5 ttl=63 time=12.970 ms
PC2>
(5) Configure a standard access control list on R1 to deny PC1 access to PC3.
R1(config)#access-list 1 deny host 192.168.10.2 //standard ACL entry denying PC1's IP address
R1(config)#access-list 1 permit any //permit all other IP addresses
R1(config)#do show access-list //view the access control list
Standard IP access list 1
10 deny 192.168.10.2
20 permit any
R1(config)#int f0/0 //enter interface configuration mode
R1(config-if)#ip access-group 1 in //apply the ACL to the interface (inbound)
R1(config-if)#exit //exit
R1(config)#
(6) Ping PC3 again from PC1 and from PC2. With the access control list in place, PC1 can no longer communicate with PC3.
PC1> ping 192.168.20.2
*192.168.10.1 icmp_seq=1 ttl=255 time=9.120 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=5.016 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=11.325 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=2.000 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=5.111 ms (ICMP type:3, code:13, Communication administratively prohibited)
PC1>
PC2> ping 192.168.20.2
192.168.20.2 icmp_seq=1 timeout
192.168.20.2 icmp_seq=2 timeout
84 bytes from 192.168.20.2 icmp_seq=3 ttl=63 time=16.961 ms
84 bytes from 192.168.20.2 icmp_seq=4 ttl=63 time=21.994 ms
84 bytes from 192.168.20.2 icmp_seq=5 ttl=63 time=17.097 ms
PC2>
Example 2: Extended access control list configuration
The topology is as follows:
Use an extended access control list to allow win10-1 to access the web service on the Linux host, deny win10-1 access to all other services on the Linux host, and allow win10-1 to access the 192.168.2.0/24 segment.
(1) On the Linux system, install the FTP and HTTP services.
[root@localhost ~]#yum install vsftpd httpd -y
(2) Edit the configuration file of the Linux system's ens33 network card to set a static IP address.
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
[root@localhost ~]# service network restart
Restarting network (via systemctl): [ 确定 ]
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.100 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::3a2f:c8ce:9161:cf9d prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:09:24:8e txqueuelen 1000 (Ethernet)
RX packets 10882 bytes 12892735 (12.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1708 bytes 131835 (128.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(3) Add a page to the HTTP site and a file to the FTP site, start both services, turn off the firewall and SELinux enforcement, then check the listening ports to confirm that both services started successfully.
[root@localhost ~]# vim /var/www/html/index.html
[root@localhost ~]# cat /var/www/html/index.html
<h1> this is test web </h1>
[root@localhost ~]#
[root@localhost ~]# echo "this is ftp" > /var/ftp/ftp_test.txt
[root@localhost ~]# ls /var/ftp/
ftp_test.txt pub
[root@localhost ~]# systemctl start httpd
[root@localhost ~]# systemctl start vsftpd
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# setenforce 0
[root@localhost ~]#
[root@localhost ~]# netstat -ntap | egrep '(21|80)'
tcp6 0 0 :::80 :::* LISTEN 51680/httpd
tcp6 0 0 :::21 :::* LISTEN 51844/vsftpd
[root@localhost ~]#
(4) Bind the Linux system to the VMnet2 adapter, the win10-1 host to the VMnet1 adapter, and the win10-2 host to the VMnet3 adapter.
(5) Configure the IP address, subnet mask and gateway on the win10-1 and win10-2 hosts.
(6) Turn off the firewall on the win10-1 and win10-2 hosts.
(7) Basic configuration of R1.
R1#conf t //enter global configuration mode
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int f0/0 //enter interface configuration mode
R1(config-if)#ip add 192.168.1.1 255.255.255.0 //configure the IP address and subnet mask
R1(config-if)#no shut //bring the interface up
R1(config-if)#
*Mar 1 00:17:49.615: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:17:50.615: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#int f0/1 //enter interface configuration mode
R1(config-if)#ip add 192.168.100.1 255.255.255.0 //configure the IP address and subnet mask
R1(config-if)#no shut //bring the interface up
R1(config-if)#
*Mar 1 00:18:27.591: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:18:28.591: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#int f1/0 //enter interface configuration mode
R1(config-if)#ip add 192.168.2.1 255.255.255.0 //configure the IP address and subnet mask
R1(config-if)#no shut //bring the interface up
R1(config-if)#
*Mar 1 00:19:31.295: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar 1 00:19:32.295: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R1(config-if)#exit
R1(config)#do show ip route //view the routing table
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet1/0
C 192.168.100.0/24 is directly connected, FastEthernet0/1
R1(config)#
(8) At this point, pinging the other two hosts from win10-1 succeeds.
(9) From win10-1, access the HTTP and FTP services on the Linux system; both succeed.
(10) From win10-2, access the HTTP and FTP services on the Linux system; both also succeed.
(11) Configure the extended access control list on R1.
R1(config)#
R1(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.100.100 eq www //permit win10-1 to access the HTTP service on the Linux system
R1(config)#access-list 100 deny ip host 192.168.1.2 host 192.168.100.100 //deny win10-1 access to all other services on the Linux system
R1(config)#access-list 100 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255 //permit win10-1 to access all services on the 192.168.2.0 segment
R1(config)#do show access-lists //view the ACL
Extended IP access list 100
10 permit tcp host 192.168.1.2 host 192.168.100.100 eq www
20 deny ip host 192.168.1.2 host 192.168.100.100
30 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255
R1(config)#int f0/0 //enter interface configuration mode
R1(config-if)#ip access-group 100 in //apply the ACL to the interface (inbound)
R1(config-if)#exit //exit
R1(config)#
(12) First clear the browser cache on the win10-1 host, then access the Linux system's HTTP service from win10-1: it can be reached. Accessing FTP, however, fails, because the ACL only permits access to the HTTP service.
(13) Then ping the other two hosts from win10-1: it can only communicate with win10-2, because the ACL permits win10-1 to access all services on the 192.168.2.0 segment.
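ACL 1 from example 1 and ACL 100 from this example both rest on the same three IOS rules: wildcard-mask matching, first-match evaluation in sequence order, and the implicit deny at the end of every list. The Python script below is an added example, not part of the original post or of any Cisco tool; it parses the exact access-list lines entered on R1 and evaluates the traffic tested in steps (4), (6), (12) and (13). The address 192.168.2.2 for win10-2 is an assumption (the page never states it), and the swapped copy of ACL 100 is a constructed variant that shows why entry 10 has to come before entry 20.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of IOS ACL keywords used by the entries on this page.
PROTOCOLS = ("ip", "icmp", "tcp", "udp")
PORT_NAMES = {"www": 80, "ftp": 21}

@dataclass(frozen=True)
class Ace:
    """One access-control entry. Wildcard masks: a 0 bit must match, a 1 bit is ignored."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]   # destination port from "eq ...", None if the entry has no port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"    # ping by default, as in the page's tests
    dport: Optional[int] = None

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    keep = ~w & 0xFFFFFFFF
    return a & keep == n & keep

def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any', 'host A', 'A WILDCARD' or a bare 'A' (host shorthand) at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ...' (standard or extended) or the bare entry form."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unexpected action in {line!r}")
    if tokens[1] in PROTOCOLS:                      # extended: action proto src dst [eq port]
        src, src_wc, i = _parse_addr(tokens, 2)
        dst, dst_wc, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            port = tokens[i + 1]
            dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        return Ace(action, tokens[1], src, src_wc, dst, dst_wc, dport)
    src, src_wc, _ = _parse_addr(tokens, 1)         # standard: source address only
    return Ace(action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255", None)

def matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)
            and (ace.dport is None or ace.dport == pkt.dport))

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """First matching entry wins. Entries are numbered 10, 20, ... as 'show access-lists'
    prints them; a packet matching nothing hits the implicit deny, reported here as seq 0."""
    for idx, ace in enumerate(acl, start=1):
        if matches(ace, pkt):
            return ace.action, idx * 10
    return "deny", 0

# ACL 1 (example 1) and ACL 100 (example 2) exactly as entered on R1.
ACL_1 = [parse_ace(l) for l in ("access-list 1 deny host 192.168.10.2",
                                "access-list 1 permit any")]
ACL_100 = [parse_ace(l) for l in (
    "access-list 100 permit tcp host 192.168.1.2 host 192.168.100.100 eq www",
    "access-list 100 deny ip host 192.168.1.2 host 192.168.100.100",
    "access-list 100 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255",
)]

def page_results() -> dict:
    pc1, pc2, pc3 = "192.168.10.2", "192.168.10.3", "192.168.20.2"
    win10_1, linux = "192.168.1.2", "192.168.100.100"
    win10_2 = "192.168.2.2"   # constructed: the page does not list win10-2's address
    swapped = [ACL_100[1], ACL_100[0], ACL_100[2]]  # constructed: deny ip ahead of permit tcp www
    return {
        "pc1_ping_pc3": evaluate(ACL_1, Packet(pc1, pc3)),
        "pc2_ping_pc3": evaluate(ACL_1, Packet(pc2, pc3)),
        "win10_1_http": evaluate(ACL_100, Packet(win10_1, linux, "tcp", 80)),
        "win10_1_ftp": evaluate(ACL_100, Packet(win10_1, linux, "tcp", 21)),
        "win10_1_ping_linux": evaluate(ACL_100, Packet(win10_1, linux)),
        "win10_1_ping_win10_2": evaluate(ACL_100, Packet(win10_1, win10_2)),
        "win10_1_ping_router_f0_1": evaluate(ACL_100, Packet(win10_1, "192.168.100.1")),
        "swapped_http": evaluate(swapped, Packet(win10_1, linux, "tcp", 80)),
    }
```

Two results the page only implies are worth checking: a ping from win10-1 to R1's own 192.168.100.1 matches no entry and is dropped by the implicit deny, and with entries 10 and 20 swapped the HTTP permit can never be reached. When an ACL is changed, the order of its entries needs reviewing as much as their content.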
Example 3: Named access control list configuration
The topology is as follows:
Use a named access control list so that host PC2 in VLAN 10 can access host PC1, the other hosts in VLAN 10 are denied access to PC1, and hosts on all other segments can access PC1.
(1) Configure sw.
sw#conf t //enter global configuration mode
Enter configuration commands, one per line. End with CNTL/Z.
sw(config)#no ip routing //disable IP routing
sw(config)#vlan 10,20 //create VLANs 10 and 20
sw(config-vlan)#exit //exit
sw(config)#int range f1/1 -2 //enter interfaces f1/1 and f1/2
sw(config-if-range)#sw mo acc //set the ports to access mode
sw(config-if-range)#sw acc vlan 10 //assign the ports to VLAN 10
sw(config-if-range)#exit //exit
sw(config)#int f1/3 //enter interface f1/3
sw(config-if)#sw mo acc //set the port to access mode
sw(config-if)#sw acc vlan 20 //assign the port to VLAN 20
sw(config-if)#exit //exit
sw(config)#do show vlan-sw b //view the VLAN table
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/0, Fa1/4, Fa1/5, Fa1/6
Fa1/7, Fa1/8, Fa1/9, Fa1/10
Fa1/11, Fa1/12, Fa1/13, Fa1/14
Fa1/15
10 VLAN0010 active Fa1/1, Fa1/2
20 VLAN0020 active Fa1/3
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
sw(config)#int f1/0 //enter interface f1/0
sw(config-if)#sw mo t //set the port to trunk mode
*Mar 1 00:03:20.511: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunk
sw(config-if)#sw t en dot1 //set the trunk encapsulation to dot1q
sw(config-if)#exit //exit
(2) Basic configuration of sw-3.
sw-3#conf t //enter global configuration mode
Enter configuration commands, one per line. End with CNTL/Z.
sw-3(config)#int f1/1 //enter the interface
sw-3(config-if)#no switchport //convert the port to a routed (Layer 3) interface
*Mar 1 00:05:39.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
sw-3(config-if)#ip add 192.168.100.1 255.255.255.0 //configure the IP address and subnet mask
sw-3(config-if)#no shut //bring the interface up
sw-3(config-if)#exit //exit
sw-3(config)#vlan 10,20 //create VLANs 10 and 20
sw-3(config-vlan)#exit //exit
sw-3(config)#int vlan 10 //enter the VLAN 10 interface (SVI)
sw-3(config-if)#ip add 192.168.10.1 255.255.255.0 //configure the IP address and subnet mask
sw-3(config-if)#no shut //bring the VLAN interface up
sw-3(config-if)#exit //exit
sw-3(config)#int vlan 20 //enter the VLAN 20 interface (SVI)
sw-3(config-if)#ip add 192.168.20.1 255.255.255.0 //configure the IP address and subnet mask
sw-3(config-if)#no shut //bring the VLAN interface up
sw-3(config-if)#exit //exit
sw-3(config)#int f1/0 //enter the interface
sw-3(config-if)#sw mo t //set the port to trunk mode
*Mar 1 00:08:40.075: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunk
*Mar 1 00:08:40.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
*Mar 1 00:08:40.583: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
sw-3(config-if)#sw t en dot1 //set the trunk encapsulation to dot1q
sw-3(config-if)#exit //exit
sw-3(config)#do show ip route //view the routing table
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.10.0/24 is directly connected, Vlan10
C 192.168.20.0/24 is directly connected, Vlan20
C 192.168.100.0/24 is directly connected, FastEthernet1/1
sw-3(config)#
(3) Configure the IP addresses of hosts PC1, PC2, PC3 and PC4.
PC1>
PC1> ip 192.168.100.100 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1
PC1>
PC2>
PC2> ip 192.168.10.10 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1
PC2>
PC3>
PC3> ip 192.168.10.20 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1
PC3>
PC4>
PC4> ip 192.168.20.20 192.168.20.1
Checking for duplicate address...
PC1 : 192.168.20.20 255.255.255.0 gateway 192.168.20.1
PC4>
(4) Ping all the other hosts from PC2; all can communicate.
PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=11.281 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.939 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=13.957 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=14.960 ms
PC2> ping 192.168.10.20
84 bytes from 192.168.10.20 icmp_seq=1 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=2 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=3 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=4 ttl=64 time=0.642 ms
84 bytes from 192.168.10.20 icmp_seq=5 ttl=64 time=0.000 ms
PC2> ping 192.168.20.20
192.168.20.20 icmp_seq=1 timeout
84 bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=17.046 ms
84 bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=12.324 ms
84 bytes from 192.168.20.20 icmp_seq=4 ttl=63 time=17.953 ms
84 bytes from 192.168.20.20 icmp_seq=5 ttl=63 time=15.786 ms
PC2>
(5) Configure the named access control list on sw-3.
sw-3(config)#
sw-3(config)#ip access-list standard test0 //create the named access control list test0
sw-3(config-std-nacl)#permit host 192.168.10.10 //permit host PC2's IP address
sw-3(config-std-nacl)#deny 192.168.10.0 0.0.0.255 //deny all IP addresses in the 192.168.10.0 segment
sw-3(config-std-nacl)#permit any //permit everything else
sw-3(config-std-nacl)#exit //exit
sw-3(config)#do show access-lists //view the ACL
Standard IP access list test0
10 permit 192.168.10.10
20 deny 192.168.10.0, wildcard bits 0.0.0.255
30 permit any
sw-3(config)#int f1/1 //enter the interface
sw-3(config-if)#ip access-group test0 out //apply the ACL to the interface (outbound)
sw-3(config-if)#exit //exit
sw-3(config)#
(6) Ping host PC1 from PC2, PC3 and PC4 in turn. PC3 cannot communicate with PC1, because of the hosts on the 192.168.10.0 network only PC2's IP address is allowed through sw-3.
PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=20.944 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=19.954 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=11.286 ms
PC2>
PC3> ping 192.168.100.100
*192.168.10.1 icmp_seq=1 ttl=255 time=9.073 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=9.978 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=11.641 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=1.995 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=1.713 ms (ICMP type:3, code:13, Communication administratively prohibited)
PC3>
PC4> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=20.944 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=17.947 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=19.947 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=20.075 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=19.639 ms
PC4>
(7) Add a rule to the named access control list test0 that allows PC3's IP address to reach PC1, then ping host PC1 from PC3 again: now they can communicate.
sw-3(config)#
sw-3(config)#ip access-list standard test0 //enter the ACL sub-mode
sw-3(config-std-nacl)#12 permit host 192.168.10.20 //add a permit entry at sequence number 12
sw-3(config-std-nacl)#exit //exit
sw-3(config)#do show access-lists //view the ACL
Standard IP access list test0
10 permit 192.168.10.10 (5 matches)
12 permit 192.168.10.20
20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches)
sw-3(config)#
PC3> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=17.954 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=15.538 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=15.956 ms
PC3>
(8) Delete the permit rule added in the previous step, then ping host PC1 from PC3 again: they can no longer communicate.
sw-3(config)#
sw-3(config)#ip access-list standard test0 //enter the ACL sub-mode
sw-3(config-std-nacl)#no 12 //delete the entry with sequence number 12
sw-3(config-std-nacl)#exit //exit
sw-3(config)#do show access-lists //view the ACL
Standard IP access list test0
10 permit 192.168.10.10 (5 matches)
20 deny 192.168.10.0, wildcard bits 0.0.0.255 (10 matches)
30 permit any (5 matches)
sw-3(config)#
PC3> ping 192.168.100.100
*192.168.10.1 icmp_seq=1 ttl=255 time=9.578 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=3.993 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=1.692 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=2.686 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=14.020 ms (ICMP type:3, code:13, Communication administratively prohibited)
PC3>
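Steps (5) to (8) show what named ACLs add over numbered ones: entries carry sequence numbers, and an entry can be inserted at a chosen number or removed by number without rewriting the list. The permit for PC3 works only because it was given sequence 12, ahead of the subnet deny at 20. The Python model below is an added example, not part of the original post or of any Cisco software; it replays test0 through steps (6), (7) and (8), then adds a constructed variant in which the same permit is placed at sequence 25, after the deny, and a shadow check that reports entries an earlier entry makes unreachable. Sequence numbers and the host addresses come from the page; the seq-25 variant is an assumption made for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str, str]   # (action, network, wildcard); 'any' is 0.0.0.0 / 255.255.255.255
ANY = ("0.0.0.0", "255.255.255.255")

def _ints(*addrs: str) -> List[int]:
    return [int(ipaddress.IPv4Address(a)) for a in addrs]

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, n, w = _ints(addr, net, wildcard)
    keep = ~w & 0xFFFFFFFF
    return a & keep == n & keep

class NamedStandardAcl:
    """Models 'ip access-list standard NAME': entries live at sequence numbers and are
    evaluated in sequence order, so the number chosen on insertion decides precedence."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[int, Entry] = {}

    def add(self, action: str, net: str, wildcard: str = "0.0.0.0",
            seq: Optional[int] = None) -> int:
        # With no explicit number IOS appends at highest+10 (10 for the first entry).
        if seq is None:
            seq = (max(self.entries) if self.entries else 0) + 10
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already in use")
        self.entries[seq] = (action, net, wildcard)
        return seq

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <seq>' inside the ACL sub-mode."""
        del self.entries[seq]

    def ordered(self) -> List[Tuple[int, Entry]]:
        return sorted(self.entries.items())

    def evaluate(self, src: str) -> Tuple[str, int]:
        """First match in sequence order; seq 0 stands for the implicit deny at the end."""
        for seq, (action, net, wc) in self.ordered():
            if wildcard_match(src, net, wc):
                return action, seq
        return "deny", 0

    def shadowed(self) -> List[Tuple[int, int]]:
        """(seq, by_seq) pairs: entry seq can never match because by_seq, earlier in order,
        ignores every bit seq ignores and agrees with it on every bit by_seq checks."""
        out = []
        ents = self.ordered()
        for j, (sj, (_, nj, wj)) in enumerate(ents):
            for si, (_, ni, wi) in ents[:j]:
                wi_bits, wj_bits = _ints(wi, wj)
                if (wi_bits | wj_bits) == wi_bits and wildcard_match(nj, ni, wi):
                    out.append((sj, si))
                    break
        return out

def page_walkthrough() -> dict:
    pc2, pc3 = "192.168.10.10", "192.168.10.20"
    acl = NamedStandardAcl("test0")
    acl.add("permit", pc2)                         # 10 permit host 192.168.10.10
    acl.add("deny", "192.168.10.0", "0.0.0.255")   # 20 deny 192.168.10.0 0.0.0.255
    acl.add("permit", *ANY)                        # 30 permit any
    step6 = (acl.evaluate(pc2), acl.evaluate(pc3))
    acl.add("permit", pc3, seq=12)                 # step 7: 12 permit host 192.168.10.20
    step7 = acl.evaluate(pc3)
    order_after_insert = [seq for seq, _ in acl.ordered()]
    acl.remove(12)                                 # step 8: no 12
    step8 = acl.evaluate(pc3)
    # Constructed variant: the same permit placed after the subnet deny is unreachable.
    acl.add("permit", pc3, seq=25)
    return {
        "step6": step6, "step7": step7, "order_after_insert": order_after_insert,
        "step8": step8, "misplaced_permit": acl.evaluate(pc3), "shadowed": acl.shadowed(),
    }
```

On a real device the equivalent of the shadow check is the match counters that `show access-lists` prints next to each entry, as in step (7): an entry whose counter never moves while traffic it should cover is being blocked is the first thing to look for after an insertion at the wrong sequence number.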