實(shí)踐環(huán)境部署

拓?fù)浣Y(jié)構(gòu)圖及需求

如東ssl適用于網(wǎng)站、小程序/APP、API接口等需要進(jìn)行數(shù)據(jù)傳輸應(yīng)用場景，ssl證書未來市場廣闊！成為成都創(chuàng)新互聯(lián)的ssl證書銷售渠道，可以享受市場價(jià)格4-6折優(yōu)惠！如果有意向歡迎電話聯(lián)系或者加微信：18982081108（備注：SSL證書合作）期待與您的合作！

注意點(diǎn):SW設(shè)備與SW-3設(shè)備需要事先添加容量及業(yè)務(wù)單板

---

實(shí)踐步驟

第一步:配置SW交換機(jī)

conf t                //進(jìn)入全局模式,設(shè)定vlan10 和20
vlan 10,20
ex
do show vlan-sw b      //查看vlan信息

VLAN Name                             Status    
10   VLAN0010                         active    
20   VLAN0020                         active    

int range fa1/1 -2          //進(jìn)入端口fa1/1和1/2 接口,將端口劃入vlan10
sw mo acc
sw acc vlan 10
ex
do show vlan-sw b       //查看vlan信息

VLAN Name                             Status    Ports
10   VLAN0010                         active    Fa1/1, Fa1/2
20   VLAN0020                         active    

int f1/3                //進(jìn)入端口f1/3,將端口劃入vlan20 
sw mo acc
sw acc vlan 20
ex
do show vlan-sw b

VLAN Name                             Status    Ports
10   VLAN0010                         active    Fa1/1, Fa1/2
20   VLAN0020                         active    Fa1/3

int f1/0          //進(jìn)入端口f1/0,配置trunk鏈路
sw mo t
sw t en dot1q
ex
no ip routing          //關(guān)閉路由功能

---

第二步:配置SW-3三層交換機(jī)

conf t
no switchport                //關(guān)閉交換功能
int f1/1
ip add 192.168.100.1 255.255.255.0
no shut
ex
vlan 10,20
ex
int vlan 10
ip add 192.168.10.1 255.255.255.0
no shut
ex
int vlan 20
ip add 192.168.20.1 255.255.255.0
no shut
ex
do show ip int b        //查看vlan信息

FastEthernet1/1            192.168.100.1   YES manual up                    up 
Vlan10                     192.168.10.1    YES manual up                    down    
Vlan20                     192.168.20.1    YES manual up                    down

int f1/0                   //進(jìn)入端口f1/0配置trunk鏈路
sw mo t
sw t en dot1q
do show ip route        //查看路由表

C    192.168.10.0/24 is directly connected, Vlan10
C    192.168.20.0/24 is directly connected, Vlan20
C    192.168.100.0/24 is directly connected, FastEthernet1/1

---

第三步:配置客戶機(jī)IP地址,并測試全網(wǎng)互通性

1.配置客戶機(jī)IP地址

PC1> ip 192.168.100.100 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.100 255.255.255.0 gateway 192.168.100.1

PC2> ip 192.168.10.10 192.168.10.1 
Checking for duplicate address...
PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1

PC3> ip 192.168.10.20 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.20 255.255.255.0 gateway 192.168.10.1

PC4> ip 192.168.20.20 192.168.20.1
Checking for duplicate address...
PC1 : 192.168.20.20 255.255.255.0 gateway 192.168.20.1

---

2.測試全網(wǎng)互通性

PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=18.946 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=19.942 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=11.937 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=17.674 ms

PC2> ping 192.168.10.20  
84 bytes from 192.168.10.20 icmp_seq=1 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=2 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=3 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=4 ttl=64 time=0.000 ms
84 bytes from 192.168.10.20 icmp_seq=5 ttl=64 time=0.000 ms

PC2> ping 192.168.20.20
192.168.20.20 icmp_seq=1 timeout
84 bytes from 192.168.20.20 icmp_seq=2 ttl=63 time=18.230 ms
84 bytes from 192.168.20.20 icmp_seq=3 ttl=63 time=21.964 ms
84 bytes from 192.168.20.20 icmp_seq=4 ttl=63 time=19.229 ms
84 bytes from 192.168.20.20 icmp_seq=5 ttl=63 time=11.992 ms

---

第四步:配置命名ACL策略

在SW-3交換機(jī)上進(jìn)行配置,全局模式下

ip access-list standard yun          //設(shè)定模式以及命名名稱,standard為標(biāo)準(zhǔn)命名ACL,extended為擴(kuò)展命名ACL
permit host 192.168.10.10            //設(shè)定允許訪問主機(jī)ip的條目
deny 192.168.10.0 0.0.0.255        //設(shè)定拒絕的網(wǎng)段條目
permit any                                    //設(shè)頂允許其他所有主機(jī)訪問
ex
do show access-list                   //查看訪問列表清單

Standard IP access list yun
    10 permit 192.168.10.10
    20 deny   192.168.10.0, wildcard bits 0.0.0.255
    30 permit any

int f1/1                                       //進(jìn)入端口f1/1,將ACL應(yīng)用與此出方向
ip access-group yun out

---

第五步:測試ACL效果

1.測試vlan10 中的主機(jī)2與主機(jī)1的互通性

PC2> ping 192.168.100.100
192.168.100.100 icmp_seq=1 timeout
192.168.100.100 icmp_seq=2 timeout
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=15.953 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=19.232 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=19.049 ms

2.測試主機(jī)4與主機(jī)1的互通性

PC4> ping 192.168.100.100
84 bytes from 192.168.100.100 icmp_seq=1 ttl=63 time=20.226 ms
84 bytes from 192.168.100.100 icmp_seq=2 ttl=63 time=18.953 ms
84 bytes from 192.168.100.100 icmp_seq=3 ttl=63 time=18.208 ms
84 bytes from 192.168.100.100 icmp_seq=4 ttl=63 time=17.023 ms
84 bytes from 192.168.100.100 icmp_seq=5 ttl=63 time=12.985 ms

3.測試vlan10 中的其他主機(jī)與主機(jī)1的互通性

PC3> ping 192.168.100.100
*192.168.10.1 icmp_seq=1 ttl=255 time=8.907 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=2 ttl=255 time=3.775 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=3 ttl=255 time=7.979 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=4 ttl=255 time=5.965 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.10.1 icmp_seq=5 ttl=255 time=1.992 ms (ICMP type:3, code:13, Communication administratively prohibited)

---

注:命名訪問控制列表可靈活的調(diào)整策略,前提是在標(biāo)準(zhǔn)訪問列表以及擴(kuò)展訪問列表的基礎(chǔ)上,可以使用no+ACL號(hào)刪除策略.也可以使用ACL號(hào)+permit+ip追加ACL策略

另外有需要云服務(wù)器可以了解下創(chuàng)新互聯(lián)cdcxhl.cn，海內(nèi)外云服務(wù)器15元起步，三天無理由+7*72小時(shí)售后在線，公司持有idc許可證，提供“云服務(wù)器、裸金屬服務(wù)器、高防服務(wù)器、香港服務(wù)器、美國服務(wù)器、虛擬主機(jī)、免備案服務(wù)器”等云主機(jī)租用服務(wù)以及企業(yè)上云的綜合解決方案，具有“安全穩(wěn)定、簡單易用、服務(wù)可用性高、性價(jià)比高”等特點(diǎn)與優(yōu)勢，專為企業(yè)上云打造定制，能夠滿足用戶豐富、多元化的應(yīng)用場景需求。

本文標(biāo)題：ACL訪問控制列表之命名篇(實(shí)踐)-創(chuàng)新互聯(lián)
轉(zhuǎn)載來源：http://weahome.cn/article/cchdip.html