
A simple ACL control lab

Lab name: simple ACL control lab
Lab topology:
(topology diagram: simple ACL control lab)
Lab requirements:
Simulate a small company intranet.
WG is simulated with a router.
- Router R1 only allows remote login (telnet) from WG
- YF and CW cannot reach each other, but both can reach WG
- WG and YF can reach Client1
- YF and CW can only reach the www service on Server1
- Only WG can reach all services on Server1
- All gateways are set to .254
Lab steps:
1. Configure the addresses shown in the diagram and bring up the links.
#R1
interface GigabitEthernet0/0/0
ip address 1.1.1.254 255.255.255.0
interface GigabitEthernet0/0/1
ip address 192.168.12.1 255.255.255.252
interface GigabitEthernet0/0/2
ip address 192.168.13.1 255.255.255.252
ip route-static 192.168.1.0 255.255.255.0 192.168.13.2
ip route-static 192.168.10.0 255.255.255.0 192.168.12.2
ip route-static 192.168.20.0 255.255.255.0 192.168.12.2
ip route-static 192.168.30.0 255.255.255.0 192.168.13.2

#R2
interface GigabitEthernet0/0/0
ip address 192.168.12.2 255.255.255.252
interface GigabitEthernet0/0/1
ip address 192.168.10.254 255.255.255.0
interface GigabitEthernet0/0/2
ip address 192.168.20.254 255.255.255.0

ip route-static 1.1.1.0 255.255.255.0 192.168.12.1
ip route-static 192.168.1.0 255.255.255.0 192.168.12.1
ip route-static 192.168.13.0 255.255.255.252 192.168.12.1
ip route-static 192.168.30.0 255.255.255.0 192.168.12.1

#R3
interface GigabitEthernet0/0/0
ip address 192.168.13.2 255.255.255.252
interface GigabitEthernet0/0/1
ip address 192.168.30.254 255.255.255.0
interface GigabitEthernet0/0/2
ip address 192.168.1.254 255.255.255.0
ip route-static 1.1.1.0 255.255.255.0 192.168.13.1
ip route-static 192.168.10.0 255.255.255.0 192.168.13.1
ip route-static 192.168.12.0 255.255.255.252 192.168.13.1
ip route-static 192.168.20.0 255.255.255.0 192.168.13.1

#wg

interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 192.168.10.254

After confirming that all hosts can reach each other:
2. Configure the access-control ACLs
#R1:
- Configure telnet
- Only WG may reach telnet
acl 2000
rule permit source 192.168.10.1 0
rule deny source any

telnet server enable

user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
aaa
local-user tedu password cipher tedu
local-user tedu service-type telnet

#R2:
YF host access control
- YF and CW cannot reach each other
- YF can reach WG and Client1
- YF can only reach the www service on Server1
- traffic-filter permits packets that match no rule, so a final deny rule is needed to block YF from CW and from the other services on Server1
acl 3000
rule 5 permit ip source 192.168.20.1 0 destination 192.168.10.1 0
rule 10 permit ip source 192.168.20.1 0 destination 1.1.1.1 0
rule 15 permit tcp source 192.168.20.1 0 destination 192.168.1.1 0 destination-port eq www
rule 20 deny ip source any

interface g0/0/2
traffic-filter inbound acl 3000

#R3
CW host access control
- CW cannot reach YF or Client1
- CW can reach WG
- CW can only reach the www service on Server1
acl 3000
rule permit ip source 192.168.30.1 0 destination 192.168.10.1 0
rule permit tcp source 192.168.30.1 0 destination 192.168.1.1 0 destination-port eq 80
rule deny ip source any

interface g0/0/1
traffic-filter inbound acl 3000

3. Verification
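As an added offline check for the verification step (example code written for this page, not part of the original lab), the following Python model evaluates the lab's ACLs the way a router does: rules are matched top-down, the first match wins, and a packet that matches no rule is permitted, which is the traffic-filter default on Huawei VRP. The host names and addresses are the lab's; the R1 address 192.168.12.1 used as the telnet target is R1's g0/0/1 from step 1. It compares R2's acl 3000 with and without a final deny to show which requirements each version actually enforces.

```python
"""Offline model of the lab's ACLs (added example, not part of the original lab).
Rules are checked top-down and the first match wins; an ACL applied with
traffic-filter lets unmatched packets through by default on Huawei VRP, so a
missing final deny silently widens the policy. Host addresses are the lab's."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Hosts from the lab topology (WG, YF and CW are the three office hosts)
HOSTS = {"WG": "192.168.10.1", "YF": "192.168.20.1", "CW": "192.168.30.1",
         "Client1": "1.1.1.1", "Server1": "192.168.1.1"}
R1_TELNET_ADDR = "192.168.12.1"        # R1 g0/0/1 from step 1
ANY = ("0.0.0.0", "255.255.255.255")   # "source any" in VRP syntax


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP/Cisco wildcard mask: bits set to 1 in the wildcard are don't-care.
    The lab's `192.168.10.1 0` shorthand is the wildcard 0.0.0.0 (exact host)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches every protocol; else tcp/udp/icmp
    src: Tuple[str, str] = ANY       # (base, wildcard)
    dst: Tuple[str, str] = ANY
    dport: Optional[int] = None      # destination-port eq N (tcp/udp only)

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not wildcard_match(pkt["src"], *self.src):
            return False
        if not wildcard_match(pkt["dst"], *self.dst):
            return False
        return self.dport is None or pkt.get("dport") == self.dport


class Acl:
    """Ordered rule list; default='permit' mirrors traffic-filter behaviour
    for packets that match no rule."""
    def __init__(self, rules, default: str = "permit"):
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


def host(name: str) -> Tuple[str, str]:
    return (HOSTS[name], "0.0.0.0")


def pkt(src: str, dst: str, proto: str = "icmp", dport: Optional[int] = None) -> dict:
    """Constructed test packet; dst may be a lab host name or a literal address."""
    return {"src": HOSTS[src], "dst": HOSTS.get(dst, dst), "proto": proto, "dport": dport}


# R2 acl 3000 with only the three permit rules (no final deny)
R2_ACL_AS_WRITTEN = Acl([
    Rule("permit", "ip", host("YF"), host("WG")),
    Rule("permit", "ip", host("YF"), host("Client1")),
    Rule("permit", "tcp", host("YF"), host("Server1"), dport=80),
])
# The same ACL with the catch-all deny that R3's acl 3000 has
R2_ACL_WITH_DENY = Acl(R2_ACL_AS_WRITTEN.rules + [Rule("deny", "ip")])

# R1 acl 2000 (basic ACL on the vty lines): only WG may telnet in
R1_VTY_ACL = Acl([Rule("permit", "ip", host("WG")), Rule("deny", "ip")])


def check_yf_policy(acl: Acl) -> dict:
    """Map each of the lab's YF requirements to True if `acl` enforces it."""
    return {
        "YF->WG allowed": acl.decide(pkt("YF", "WG")) == "permit",
        "YF->Client1 allowed": acl.decide(pkt("YF", "Client1")) == "permit",
        "YF->Server1 www allowed": acl.decide(pkt("YF", "Server1", "tcp", 80)) == "permit",
        "YF->Server1 telnet blocked": acl.decide(pkt("YF", "Server1", "tcp", 23)) == "deny",
        "YF->CW blocked": acl.decide(pkt("YF", "CW")) == "deny",
    }


def telnet_allowed(src: str) -> bool:
    """Would R1's vty ACL accept a telnet session from this lab host?"""
    return R1_VTY_ACL.decide(pkt(src, R1_TELNET_ADDR, "tcp", 23)) == "permit"


if __name__ == "__main__":
    for label, acl in (("R2 acl 3000, no deny", R2_ACL_AS_WRITTEN),
                       ("R2 acl 3000, with deny", R2_ACL_WITH_DENY)):
        print(label)
        for req, ok in check_yf_policy(acl).items():
            print(f"  {'OK  ' if ok else 'FAIL'} {req}")
    for h in ("WG", "YF", "CW"):
        print(f"telnet to R1 from {h}: {'permit' if telnet_allowed(h) else 'deny'}")
```

Running it shows the version without a final deny passing the three "allowed" checks but failing "YF->CW blocked" and "YF->Server1 telnet blocked", while the version with the deny passes all five; the same model confirms that only WG passes R1's vty ACL. The `pkt` helper builds constructed packets, so new requirement checks are one line each.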