ACL commands are mainly used for access control.
We first build the topology.
Lab requirements
Analysis: 1. We need to plan for multiple OSPF areas.
2. Finance and R&D get their own areas, so that link instability in one of them does not affect the other areas.
3. Configure ACLs on R1, R2 and R3 so that only IT is allowed to log in to them.
4. R&D and Finance must not be able to reach each other; write advanced ACL rules on R1.
5. Finance is not allowed to access Client1; set this on R3.
6. R&D and Finance may only access the WWW service on Server1; set this on R3.
Finance department (CW):
1. YF (R&D) and CW (Finance) cannot communicate with each other, but both can communicate with IT;
2. CW cannot access Client1;
3. CW can only access the WWW service on Server1;
R&D department (YF):
1. YF and CW cannot communicate with each other, but both can communicate with IT;
2. YF can only access the WWW service on Server1;
IT department:
1. Only IT is allowed to log in to R1, R2 and R3 for management;
2. IT can access Client1;
First, we configure the basic network.
Configure the PCs.
Configure the interfaces on R1.
Configure the interfaces on R2.
Configure the interfaces on R3.
Next we configure OSPF. Each router is placed in a different area, and we set a router ID on each (optional, but it makes the routers easier to identify in the output).
R1 configuration.
R2 configuration (stub no-summary is set on the edge area to save bandwidth: the area receives only intra-area routes plus a default route from the ABR).
R3 configuration (stub no-summary is set on the edge area for the same reason; it receives only intra-area routes plus a default route from the ABR).
IT router configuration; remember to set the IP addresses.
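The OSPF part of the lab written out as VRP commands, as an added example (the original page showed screenshots; this is not the author's configuration). Router IDs, interface names and addresses are assumed: R1 is the backbone router with the IT segment 192.168.10.0/24, R2 is the ABR for area 1 with the R&D segment 192.168.20.0/24, R3 is the ABR for area 2 with the Finance segment 192.168.30.0/24, and the R1-R2 and R1-R3 links are 10.0.12.0/24 and 10.0.13.0/24. Lines beginning with # are annotations, not commands.

```text
# R1: backbone only (area 0). Router ID is set explicitly so "display ospf peer" is readable.
<Huawei> system-view
[Huawei] sysname R1
[R1] interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0] ip address 10.0.12.1 24
[R1-GigabitEthernet0/0/0] quit
[R1] interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1] ip address 10.0.13.1 24
[R1-GigabitEthernet0/0/1] quit
[R1] interface GigabitEthernet 0/0/2
[R1-GigabitEthernet0/0/2] ip address 192.168.10.254 24
[R1-GigabitEthernet0/0/2] quit
[R1] ospf 1 router-id 1.1.1.1
[R1-ospf-1] area 0
[R1-ospf-1-area-0.0.0.0] network 10.0.12.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0] network 10.0.13.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0] quit
[R1-ospf-1] quit

# R2: ABR between area 0 (uplink) and area 1 (R&D edge area).
# "stub no-summary" only takes effect on the ABR: it suppresses type-3 summary LSAs
# into area 1 and injects a default route instead, so area 1 sees only its own routes plus 0.0.0.0/0.
[R2] ospf 1 router-id 2.2.2.2
[R2-ospf-1] area 0
[R2-ospf-1-area-0.0.0.0] network 10.0.12.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0] quit
[R2-ospf-1] area 1
[R2-ospf-1-area-0.0.0.1] network 192.168.20.0 0.0.0.255
[R2-ospf-1-area-0.0.0.1] stub no-summary
[R2-ospf-1-area-0.0.0.1] quit
[R2-ospf-1] quit

# R3: ABR between area 0 and area 2 (Finance edge area), same pattern.
[R3] ospf 1 router-id 3.3.3.3
[R3-ospf-1] area 0
[R3-ospf-1-area-0.0.0.0] network 10.0.13.0 0.0.0.255
[R3-ospf-1-area-0.0.0.0] quit
[R3-ospf-1] area 2
[R3-ospf-1-area-0.0.0.2] network 192.168.30.0 0.0.0.255
[R3-ospf-1-area-0.0.0.2] stub no-summary
[R3-ospf-1-area-0.0.0.2] quit
[R3-ospf-1] quit

# Checks: adjacencies must reach Full on R1, and R2/R3 must learn every segment through area 0.
[R1] display ospf peer brief
[R2] display ospf routing
[R3] display ip routing-table protocol ospf
```

Because the LAN segments of R2 and R3 are advertised into the backbone from two different areas, a flap on the Finance link only triggers an SPF run in area 2 and a summary-LSA update in area 0; the R&D area is not recomputed, which is the isolation requirement 2 asks for.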
Next we write the rules on R3. First create basic ACL 2000, use it for Easy IP (NAT) so the IT department can reach outside, apply it at the VTY entry, and configure password login.
Then create the Finance ACL:
Deny segment 30 to the 1.0 segment (Finance may not reach the switch behind R1).
Deny segment 30 to segment 20 (Finance may not reach R&D), permit segment 30 to the www server, and deny segment 30 to segment 40 (Finance may not ping the server). We apply the rules inbound on interface 0/1.
Now we write the ACL rules on R2. First create ACL 2000, use it for Easy IP so the IT department can reach outside, apply it at the VTY entry, and configure password login.
Then create the R&D ACL:
Deny segment 20 to segment 30 (R&D may not reach Finance).
Permit segment 20 to the www server, and deny segment 20 to segment 40 (R&D may not ping the server). We apply the rules inbound on interface 0/2.
Next we configure the ACLs on R1. First create ACL 2000, use it for Easy IP so the IT department can reach outside, apply it at the VTY entry, and configure password login.
Then create advanced ACL 3000:
Permit traffic to the www server, and deny segment 20 to segment 40 (no pinging the server).
We apply the advanced rules inbound on interface 0/1.
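The ACL part of the lab written out for R3 and R2, as an added example (not the original page's configuration). Addresses, interface names and the password are assumed: IT 192.168.10.0/24, R&D 192.168.20.0/24 on R2's GigabitEthernet0/0/2, Finance 192.168.30.0/24 on R3's GigabitEthernet0/0/1, the server segment 192.168.40.0/24 with Server1 at 192.168.40.1, 192.168.1.0/24 for what the text calls the 1.0 segment, and GigabitEthernet0/0/0 as each router's uplink. Lines beginning with # are annotations, not commands.

```text
# R3, step 1: basic ACL 2000 lists the only source allowed to manage the router (the IT segment).
# The explicit final deny makes the VTY behaviour independent of the platform's default for unmatched sources.
[R3] acl number 2000
[R3-acl-basic-2000] rule 5 permit source 192.168.10.0 0.0.0.255
[R3-acl-basic-2000] rule 10 deny
[R3-acl-basic-2000] quit

# Apply it to the VTY lines: Telnet is accepted only from sources ACL 2000 permits, and a password is required.
[R3] telnet server enable
[R3] user-interface vty 0 4
[R3-ui-vty0-4] acl 2000 inbound
[R3-ui-vty0-4] authentication-mode password
[R3-ui-vty0-4] set authentication password cipher Huawei@2024
[R3-ui-vty0-4] protocol inbound telnet
[R3-ui-vty0-4] quit

# As in the lab, the same ACL doubles as the Easy IP translation list on the uplink:
# only sources it permits (IT) are translated to the interface address.
[R3] interface GigabitEthernet 0/0/0
[R3-GigabitEthernet0/0/0] nat outbound 2000
[R3-GigabitEthernet0/0/0] quit

# R3, step 2: advanced ACL 3000 for the Finance segment. Rules are evaluated in ascending number order
# and the first match wins, so the narrow permit for TCP/80 to Server1 must come before the deny that
# covers the whole server segment; swapping rules 5 and 10 would silently break the WWW requirement.
[R3] acl number 3000
[R3-acl-adv-3000] rule 5 permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.40.1 0 destination-port eq www
[R3-acl-adv-3000] rule 10 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
[R3-acl-adv-3000] rule 15 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[R3-acl-adv-3000] rule 20 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[R3-acl-adv-3000] quit

# Filter inbound on the Finance-facing interface, i.e. as close to the source as possible.
[R3] interface GigabitEthernet 0/0/1
[R3-GigabitEthernet0/0/1] traffic-filter inbound acl 3000
[R3-GigabitEthernet0/0/1] quit

# R2 is the mirror image for the R&D segment (ACL 2000 and the VTY/NAT lines are identical to R3's).
[R2] acl number 3000
[R2-acl-adv-3000] rule 5 permit tcp source 192.168.20.0 0.0.0.255 destination 192.168.40.1 0 destination-port eq www
[R2-acl-adv-3000] rule 10 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
[R2-acl-adv-3000] rule 15 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[R2-acl-adv-3000] quit
[R2] interface GigabitEthernet 0/0/2
[R2-GigabitEthernet0/0/2] traffic-filter inbound acl 3000
[R2-GigabitEthernet0/0/2] quit

# Checks: rule hit counters, and confirmation that the filter is actually bound to the interface.
[R3] display acl 3000
[R3] display traffic-filter applied-record
[R3] save
```

Two caveats a practitioner should keep in mind. On VRP a packet that matches no rule of an ACL bound with traffic-filter is permitted, which is why Finance can still reach IT without an explicit permit, but also why every forbidden destination needs its own deny rule. And the VTY ACL only filters by source address; the password mode above is a single shared secret, so on a production device prefer authentication-mode aaa with per-user local accounts and SSH (stelnet) instead of Telnet.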
Next we verify.
Finance can access the www service,
but cannot ping the server.
R&D can access the www service but cannot ping the server either.
Verify that only IT can log in to R1, R2 and R3,
and that nobody else can.
Remember to save.