實驗配置圖及要求

創(chuàng)新互聯(lián)專注于企業(yè)營銷型網(wǎng)站、網(wǎng)站重做改版、南豐網(wǎng)站定制設(shè)計、自適應(yīng)品牌網(wǎng)站建設(shè)、html5、商城網(wǎng)站建設(shè)、集團公司官網(wǎng)建設(shè)、外貿(mào)網(wǎng)站制作、高端網(wǎng)站制作、響應(yīng)式網(wǎng)頁設(shè)計等建站業(yè)務(wù)，價格優(yōu)惠性價比高，為南豐等各大城市提供網(wǎng)站開發(fā)制作服務(wù)。

1、四臺主機配置地址

PC1：
PC1> ip 192.168.100.100 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1

PC2：
PC2> ip 192.168.10.10 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1

PC3：
PC3> ip 192.168.10.20 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1

PC4：
PC4> ip 192.168.20.20 192.168.20.1
Checking for duplicate address...
PC1 : 192.168.20.20 255.255.255.0 gateway 192.168.20.1

2、在交換機上配置兩個vlan域，f1/1和f1/2放在vlan 10中，f1/3放在vlan 20中，f1/0配置trunk鏈路，最后要關(guān)閉路由功能。

sw#conf t
sw(config)#vlan 10,20
sw(config-vlan)#ex
sw(config)#do show vlan-sw b
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/1, Fa1/2, Fa1/3
                                                Fa1/4, Fa1/5, Fa1/6, Fa1/7
                                                Fa1/8, Fa1/9, Fa1/10, Fa1/11
                                                Fa1/12, Fa1/13, Fa1/14, Fa1/15
10   VLAN0010                         active    
20   VLAN0020                         active    
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 
sw(config)#int f1/3
sw(config-if)#sw mo acc
sw(config-if)#sw acc vlan 20
sw(config-if)#ex
sw(config)#do show vlan-sw b
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/4, Fa1/5, Fa1/6
                                                Fa1/7, Fa1/8, Fa1/9, Fa1/10
                                                Fa1/11, Fa1/12, Fa1/13, Fa1/14
                                                Fa1/15
10   VLAN0010                         active    Fa1/1, Fa1/2
20   VLAN0020                         active    Fa1/3
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 
sw(config)#int f1/0
sw(config-if)#sw mo t
sw(config-if)#sw t en dot
sw(config-if)#ex
sw(config)#no ip routing        //關(guān)閉路由功能

3、在三層交換機f1/1端口關(guān)閉交換端口，配置網(wǎng)關(guān)地址，f1/0端口配置trunk鏈路；在vlan 10、20中放入網(wǎng)關(guān)地址。

sw-3#conf t
sw-3(config)#int f1/1
sw-3(config-if)#no switchport                     
sw-3(config-if)#ip add 192.168.100.1 255.255.255.0
sw-3(config-if)#no shut
sw-3(config-if)#do show ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down    
FastEthernet0/1            unassigned      YES unset  administratively down down    
FastEthernet1/0            unassigned      YES unset  up                    up      
FastEthernet1/1            192.168.100.1   YES manual up                    up      
FastEthernet1/2            unassigned      YES unset  up                    down    
FastEthernet1/3            unassigned      YES unset  up                    down    
FastEthernet1/4            unassigned      YES unset  up                    down    
FastEthernet1/5            unassigned      YES unset  up                    down    
FastEthernet1/6            unassigned      YES unset  up                    down    
FastEthernet1/7            unassigned      YES unset  up                    down    
FastEthernet1/8            unassigned      YES unset  up                    down    
FastEthernet1/9            unassigned      YES unset  up                    down    
FastEthernet1/10           unassigned      YES unset  up                    down    
FastEthernet1/11           unassigned      YES unset  up                    down    
FastEthernet1/12           unassigned      YES unset  up                    down    
FastEthernet1/13           unassigned      YES unset  up                    down    
FastEthernet1/14           unassigned      YES unset  up                    down    
FastEthernet1/15           unassigned      YES unset  up                    down    
Vlan1                      unassigned      YES unset  up                    up      
sw-3(config-if)#ex       
sw-3(config)#vlan 10,20
sw-3(config-vlan)#int vlan 10
sw-3(config-if)#ip add 192.168.10.1 255.255.255.0
sw-3(config-if)#no shut
sw-3(config-if)#ex
sw-3(config)#int vlan 20
sw-3(config-if)#ip add 192.168.20.1 255.255.255.0
sw-3(config-if)#no shut
sw-3(config-if)#ex
sw-3(config)#int f1/0
sw-3(config-if)#sw mo t
sw-3(config-if)#sw t en dot
sw-3(config-if)#do show ip route 
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.10.0/24 is directly connected, Vlan10
C    192.168.20.0/24 is directly connected, Vlan20
C    192.168.100.0/24 is directly connected, FastEthernet1/1

4、此時四臺主機能互相ping通，即全網(wǎng)互通

PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=35.971 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=41.517 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=31.738 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=35.188 ms

PC2>ping 192.168.10.20                                  
84 bytes from 192.168.10.20 icmp_seq=1 ttl=64 time=0.505 ms
84 bytes from 192.168.10.20 icmp_seq=2 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=3 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=4 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=5 ttl=64 time=0.000 ms

PC2> ping 192.168.20.20
192.168.20.20 icmp_seq=1 timeout
84 bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=31.229 ms
84 bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=37.597 ms
84 bytes from 192.168.20.20 icmp_seq=4 ttl=63 time=31.007 ms
84 bytes from 192.168.20.20 icmp_seq=5 ttl=63 time=40.123 ms

5、在三層交換機上創(chuàng)建命名控制列表并定義其中的規(guī)則

sw-3(config)#ip access-list standard kgc
sw-3(config-std-nacl)#permit host 192.168.10.10
sw-3(config-std-nacl)#deny 192.168.10.0 0.0.0.255
sw-3(config-std-nacl)#permit any
sw-3(config-std-nacl)#ex
sw-3(config)#do show access-list
Standard IP access list kgc
    10 permit 192.168.10.10
    20 deny   192.168.10.0, wildcard bits 0.0.0.255
    30 permit any
sw-3(config)#int f1/1
sw-3(config-if)#ip access-group kgc out     //策略應(yīng)用在網(wǎng)關(guān)

6、結(jié)果測試
vlan 10中的PC3被禁止訪問PC1

PC3> ping 192.168.100.100
*192.168.10.1 icmp_seq=1 ttl=255 time=30.919 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=16.133 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=31.012 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=22.354 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=15.630 ms (ICMP type:3, code:13, Communication administratively prohibited)

vlan 10中的PC2被允許訪問PC1

PC2> ping 192.168.100.100                               
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=35.353 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=31.321 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=31.239 ms

其它網(wǎng)段的主機（20網(wǎng)段）被允許訪問PC1

PC4> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=32.766 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=31.240 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=31.244 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=31.329 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=31.067 ms

實驗成功，謝謝大家的鼓勵和支持！

另外有需要云服務(wù)器可以了解下創(chuàng)新互聯(lián)cdcxhl.cn，海內(nèi)外云服務(wù)器15元起步，三天無理由+7*72小時售后在線，公司持有idc許可證，提供“云服務(wù)器、裸金屬服務(wù)器、高防服務(wù)器、香港服務(wù)器、美國服務(wù)器、虛擬主機、免備案服務(wù)器”等云主機租用服務(wù)以及企業(yè)上云的綜合解決方案，具有“安全穩(wěn)定、簡單易用、服務(wù)可用性高、性價比高”等特點與優(yōu)勢，專為企業(yè)上云打造定制，能夠滿足用戶豐富、多元化的應(yīng)用場景需求。

文章題目：命名訪問控制列表配置實驗-創(chuàng)新互聯(lián)
網(wǎng)站網(wǎng)址：http://weahome.cn/article/cccgdo.html