Standard Access Control Lists
Experiment: in GNS3, build a topology with one router and one switch. Three PCs hang off the switch, each PC is given an IP address, and the router interface is configured as the gateway, as shown in the topology figure. Once the basic configuration works, add a standard access control list on the router that prohibits communication between PC1 and PC3 while still allowing PC2 to communicate with PC3.
1. First enter the switch and configure it
sw#conf t //enter global configuration mode
Enter configuration commands, one per line. End with CNTL/Z.
sw(config)#no ip routing //this device acts as a switch, so turn off IP routing
sw(config)#int f1/0 //enter interface f1/0
sw(config-if)#speed 100 //set the speed to 100 Mb/s
sw(config-if)#duplex full //set full-duplex mode
2. Enter the router and configure an IP address on each interface
R1#conf t //enter global configuration mode
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int f0/0 //enter interface f0/0
R1(config-if)#ip add 192.168.10.1 255.255.255.0 //assign the IP address
R1(config-if)#no shutdown //bring the interface up
R1(config-if)#int f0/1 //enter interface f0/1
R1(config-if)#ip add 192.168.20.1 255.255.255.0 //assign the IP address
R1(config-if)#no shutdown //bring the interface up
R1(config-if)#exit
R1(config)#do show ip route //both networks should now appear as directly connected
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.10.0/24 is directly connected, FastEthernet0/0
C 192.168.20.0/24 is directly connected, FastEthernet0/1
3. Set the IP address and gateway on each PC (VPCS syntax: ip <address> <gateway>)
PC1> ip 192.168.10.2 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.2 255.255.255.0 gateway 192.168.10.1
PC2> ip 192.168.10.3 192.168.10.1
Checking for duplicate address...
PC2 : 192.168.10.3 255.255.255.0 gateway 192.168.10.1
PC3> ip 192.168.20.2 192.168.20.1
Checking for duplicate address...
PC3 : 192.168.20.2 255.255.255.0 gateway 192.168.20.1
4. Before any ACL is applied, test whether PC1 and PC2 can both reach PC3 (a single timeout on the first echo, while ARP resolution completes, is normal)
PC1> ping 192.168.20.2
192.168.20.2 icmp_seq=1 timeout
84 bytes from 192.168.20.2 icmp_seq=2 ttl=63 time=20.913 ms
84 bytes from 192.168.20.2 icmp_seq=3 ttl=63 time=14.960 ms
84 bytes from 192.168.20.2 icmp_seq=4 ttl=63 time=17.917 ms
PC2> ping 192.168.20.2
84 bytes from 192.168.20.2 icmp_seq=1 ttl=63 time=19.021 ms
84 bytes from 192.168.20.2 icmp_seq=2 ttl=63 time=23.997 ms
84 bytes from 192.168.20.2 icmp_seq=3 ttl=63 time=21.941 ms
84 bytes from 192.168.20.2 icmp_seq=4 ttl=63 time=13.966 ms
5. Configure a standard access control list on the router that prohibits communication between PC1 and PC3. A standard ACL matches on the source address only, so the deny entry names PC1 (192.168.10.2 with wildcard mask 0.0.0.0, i.e. exactly this host). The explicit permit any is required: every ACL ends with an implicit deny any, and without the permit entry PC2 would be blocked as well.
R1(config)#access-list 1 deny 192.168.10.2 0.0.0.0
R1(config)#do show access-list
Standard IP access list 1
10 deny 192.168.10.2
R1(config)#access-list 1 permit any
R1(config)#do show access-list
Standard IP access list 1
10 deny 192.168.10.2
20 permit any
R1(config)#int f0/0 //the interface facing PC1 and PC2 (the prompt below shows the list is applied in interface mode)
R1(config-if)#ip access-group 1 in //apply the list to traffic entering this interface
Note that because the list only looks at the source, applying it inbound on f0/0 stops PC1 from reaching anything through the router, not only PC3. Cisco's guidance is to place standard ACLs as close to the destination as possible; if only PC3's network must be protected, applying the same list outbound on f0/1 would restrict PC1 more precisely.
6. Test whether PC1 can still communicate with PC3. The replies now come from the router's own f0/0 address (192.168.10.1) as ICMP type 3 code 13, communication administratively prohibited, which is the signature of an inbound ACL deny.
PC1> ping 192.168.20.2
*192.168.10.1 icmp_seq=1 ttl=255 time=9.943 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=3.990 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=9.014 ms (ICMP type:3, code:13, Communication administratively prohibited)
7. Test whether PC2 can still communicate with PC3 (it matches entry 20, permit any; the initial timeouts are again ARP resolution)
PC2> ping 192.168.20.2
192.168.20.2 icmp_seq=1 timeout
192.168.20.2 icmp_seq=2 timeout
84 bytes from 192.168.20.2 icmp_seq=3 ttl=63 time=17.958 ms
84 bytes from 192.168.20.2 icmp_seq=4 ttl=63 time=19.981 ms
Extended Access Control Lists
Experimental requirements:
- Allow Win10 to access the web service on the Linux host
- Prohibit Win10 from accessing any other service on the Linux host
- Allow Win10 to access the Win10-2 host
Starting from the first GNS3 topology, add a third network interface to the router and replace the PCs with three real virtual machines running in VMware: one Linux system and two Windows 10 systems. Each VM is bound to its own host-only adapter (VMnet1, VMnet2 and VMnet3), each adapter is attached to one router interface, and each router interface is assigned one of three subnets, as shown in the figure.
1. Install the FTP and HTTP services on the Linux system
[root@localhost ~]# yum install vsftpd -y
Loaded plugins: fastestmirror, langpacks
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/4): base/7/x86_64/group_gz | 165 kB 00:00:00
...//some output omitted...
Running transaction
Installing : vsftpd-3.0.2-25.el7.x86_64 1/1
Verifying : vsftpd-3.0.2-25.el7.x86_64 1/1
Installed:
vsftpd.x86_64 0:3.0.2-25.el7
Complete!
[root@localhost ~]# yum install httpd -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.nju.edu.cn
...//some output omitted...
Installed:
httpd.x86_64 0:2.4.6-90.el7.centos
Dependency Installed:
apr.x86_64 0:1.4.8-5.el7 apr-util.x86_64 0:1.5.2-6.el7
httpd-tools.x86_64 0:2.4.6-90.el7.centos mailcap.noarch 0:2.1.41-2.el7
Complete!
2. Edit the network interface configuration of the Linux system, bind its adapter to VMnet2 in VMware, and restart the virtual machine.
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=2ef6b862-5201-48c5-a450-23b3720ab3a0
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.100.100
NETMASK=255.255.255.0
GATEWAY=192.168.100.1
~
~
:wq
3. Bind each of the two Win10 virtual machines to its network adapter, give each a fixed IP address, and turn off the Windows firewall so that the router ACL, not the host firewall, determines the outcome of the tests.
4. Power on the router and assign an IP address to each of its interfaces in GNS3
R1#conf t //enter global configuration mode
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int f0/0 //enter interface f0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0 //assign the IP address
R1(config-if)#no shut //bring the interface up
*Mar 1 00:05:30.323: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar 1 00:05:31.323: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#int f0/1 //enter interface f0/1
R1(config-if)#ip add 192.168.100.1 255.255.255.0 //assign the IP address
R1(config-if)#no shut //bring the interface up
*Mar 1 00:06:16.031: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar 1 00:06:17.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#int f1/0 //enter interface f1/0
R1(config-if)#ip add 192.168.2.1 255.255.255.0 //assign the IP address
R1(config-if)#no shut //bring the interface up
*Mar 1 00:06:35.815: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar 1 00:06:36.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R1(config-if)#do show ip route //display the routing table
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet1/0 //the three directly connected networks
C 192.168.100.0/24 is directly connected, FastEthernet0/1
5. Test network connectivity between the three hosts before any ACL is applied.
6. Edit the content of the HTTP site on the Linux system, start the web service, then start the FTP service.
[root@localhost ~]# cd /var/www/html/ //enter the document root
[root@localhost html]# vim index.html //edit the web page
<h1>this is test web</h1> //page content
~
~
:wq //save and quit
[root@localhost html]# systemctl start httpd //start the httpd service
[root@localhost html]# systemctl stop firewalld.service //stop the host firewall (lab only; in production open just the needed ports instead)
[root@localhost html]# setenforce 0 //put SELinux into permissive mode (lab only)
[root@localhost html]# systemctl start vsftpd //start the FTP service
[root@localhost html]# netstat -ntap | egrep '(21|80)' //confirm that both services are listening
tcp6 0 0 :::80 :::* LISTEN 3437/httpd
tcp6 0 0 :::21 :::* LISTEN 3766/vsftpd
[root@localhost html]# cd /var/ftp/ //enter the FTP root
[root@localhost ftp]# echo "this is ftp" > ftp_test.txt //create a test file
[root@localhost ftp]# ls //list the FTP root
ftp_test.txt pub //contents of the FTP root
7. From the Win10 host, confirm that both the HTTP and the FTP service on the Linux host are reachable, for example by opening http://192.168.100.100/ and ftp://192.168.100.100/ in a browser. Both must work at this point, otherwise later failures cannot be attributed to the ACL.
8. Configure the access control entries on the router in GNS3. Entries are evaluated top-down and the first match wins; a packet that matches none of them is dropped by the implicit deny any at the end of the list.
R1(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.100.100 eq www //allow the Win10 host to reach the HTTP service on the Linux host
R1(config)#do show access-li //verify
Extended IP access list 100
10 permit tcp host 192.168.1.2 host 192.168.100.100 eq www //list contents
R1(config)#access-list 100 deny ip host 192.168.1.2 host 192.168.100.100 //deny every other service on the Linux host (FTP, ICMP, and so on)
R1(config)#do show access-li //verify
Extended IP access list 100
10 permit tcp host 192.168.1.2 host 192.168.100.100 eq www
20 deny ip host 192.168.1.2 host 192.168.100.100 //list contents
R1(config)#access-list 100 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255
//allow the Win10 host to reach the Win10-2 network
R1(config)#do show access-li //verify
Extended IP access list 100
10 permit tcp host 192.168.1.2 host 192.168.100.100 eq www
20 deny ip host 192.168.1.2 host 192.168.100.100
30 permit ip host 192.168.1.2 192.168.2.0 0.0.0.255 //list contents
R1(config)#int f0/0 //enter the interface facing the Win10 host
R1(config-if)#ip access-group 100 in //apply the list to traffic entering this interface
The list filters only packets entering f0/0; the Linux host's replies arrive on f0/1, which has no ACL, so no entry for return traffic is needed.
9. Test the configuration from Win10: the web page should still load, the FTP site should no longer be reachable, and Win10-2 should answer pings. Because entry 20 denies all IP traffic from Win10 to the Linux host, pinging the Linux host also fails. Also keep in mind that the implicit deny any at the end blocks every other host on 192.168.1.0/24 completely; if such hosts need access, add explicit permit entries for them.
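To make the first-match and implicit-deny behaviour of both lists explicit, here is an added example (not part of the original page or of any Cisco tool): a small offline model of how IOS evaluates a numbered ACL, loaded with access-list 1 and access-list 100 exactly as configured above. It predicts the outcome of each test on the page and adds two cases the page does not run: a second host on 192.168.1.0/24 that is silently dropped by the implicit deny, and access-list 1 with its two entries in the wrong order. The Win10-2 address 192.168.2.2 is an assumption; the page only gives its network.

```python
# Added example, not from the original page: an offline model of how IOS
# evaluates a numbered ACL (first match wins, implicit "deny any" at the end,
# wildcard masks where a 0 bit means "this bit must match").
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W"
    dst: str = "any"             # standard ACLs only inspect the source
    dport: Optional[int] = None  # "eq <port>" in IOS syntax


def wildcard(prefix: str) -> str:
    """Turn '192.168.2.0/24' into the IOS form '192.168.2.0 0.0.0.255'."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return f"{net.network_address} {net.hostmask}"


def match_addr(spec: str, addr: str) -> bool:
    """IOS wildcard semantics: bits that are 0 in the wildcard must be equal."""
    if spec == "any":
        return True
    parts = spec.split()
    base, wild = (parts[1], "0.0.0.0") if parts[0] == "host" else parts
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry; (deny, None) means the
    packet fell off the end of the list and hit the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not match_addr(e.src, pkt.src) or not match_addr(e.dst, pkt.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e.seq
    return "deny", None


# access-list 1 from the first experiment (applied inbound on f0/0)
ACL_1 = [
    Entry(10, "deny", "ip", "host 192.168.10.2"),
    Entry(20, "permit", "ip", "any"),
]

# access-list 100 from the second experiment (applied inbound on f0/0)
LINUX, WIN10 = "192.168.100.100", "192.168.1.2"
ACL_100 = [
    Entry(10, "permit", "tcp", f"host {WIN10}", f"host {LINUX}", 80),
    Entry(20, "deny", "ip", f"host {WIN10}", f"host {LINUX}"),
    Entry(30, "permit", "ip", f"host {WIN10}", wildcard("192.168.2.0/24")),
]


def page_tests() -> dict:
    """Predict each test from the page, plus two cases the page does not run."""
    return {
        "PC1 -> PC3":          evaluate(ACL_1, Packet("192.168.10.2", "192.168.20.2", "icmp")),
        "PC2 -> PC3":          evaluate(ACL_1, Packet("192.168.10.3", "192.168.20.2", "icmp")),
        "Win10 -> Linux:80":   evaluate(ACL_100, Packet(WIN10, LINUX, "tcp", 80)),
        "Win10 -> Linux:21":   evaluate(ACL_100, Packet(WIN10, LINUX, "tcp", 21)),
        "Win10 -> Linux ping": evaluate(ACL_100, Packet(WIN10, LINUX, "icmp")),
        # 192.168.2.2 for Win10-2 is an assumption; the page gives only the /24
        "Win10 -> Win10-2":    evaluate(ACL_100, Packet(WIN10, "192.168.2.2", "icmp")),
        # not on the page: another host on 192.168.1.0/24 hits the implicit deny
        "other -> Linux:80":   evaluate(ACL_100, Packet("192.168.1.9", LINUX, "tcp", 80)),
        # not on the page: same two entries, wrong order -> the deny never fires
        "PC1, permit first":   evaluate(list(reversed(ACL_1)), Packet("192.168.10.2", "192.168.20.2", "icmp")),
    }


if __name__ == "__main__":
    for name, (action, seq) in page_tests().items():
        print(f"{name:22s} {action:6s} (entry {seq if seq else 'implicit deny'})")
```

Running it reproduces the page's results (PC1 denied by entry 10, PC2 permitted by entry 20, Win10 permitted to port 80, denied FTP and ICMP by entry 20, permitted to the Win10-2 network by entry 30) and shows the two pitfalls in the prose above: a host the list never names is dropped with no visible entry, and a permit any placed before a deny makes the deny unreachable.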