Practice of establishing named access Control list 03/15 Update SLTechnology News&Howtos

Practice of establishing named access Control list

2025-03-15 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >

Shulou(Shulou.com)06/02 Report--

The topology of this experiment is as follows:

experimental purposes

Complete the establishment of named ACL on sw-3 route, and realize the experimental requirements:

Allow PC2 hosts in vlan10 to access PC4;

Deny other hosts in vlan10 access to PC4;

Allow other network hosts to access PC4.

Experimental procedure:

1. Complete the IP address setting of four PCs

PC1

PC1> ip 192.168.100.20 192.168.100.1Checking for duplicate address... PC1 : 192.168.100.20 255.255.255.0 gateway 192.168.100.1

PC2

PC2> ip 192.168.100.30 192.168.100.1Checking for duplicate address... PC1 : 192.168.100.30 255.255.255.0 gateway 192.168.100.1

PC3

PC3> ip 192.168.200.10 192.168.200.1Checking for duplicate address... PC1 : 192.168.200.10 255.255.255.0 gateway 192.168.200.1

PC4

PC4> ip 192.168.10.10 192.168.10.1Checking for duplicate address... PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1

2. Complete the settings of SW for Layer 2 switch

sw(config)#no ip routing //Turn off routing (the original mirror is a Layer 3 switch, so you need to turn off routing here) sw(config)#vlan 10,20 //partition vlan multicast domain sw(config-vlan)#exsw(config)#int f 1/1sw(config-if)#sw mo acsw(config-if)#sw ac vlan 10sw(config-if)#exsw(config)#int f 1/2sw(config-if)#sw mo acsw(config-if)#int f 1/3sw(config-if)#sw mo ac sw(config-if)#sw ac vlan 20sw(config-if)#ex sw(config)#do show vlan-sw bVLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Fa1/0, Fa1/4, Fa1/5, Fa1/6 Fa1/7, Fa1/8, Fa1/9, Fa1/10 Fa1/11, Fa1/12, Fa1/13, Fa1/14 Fa1/1510 VLAN0010 active Fa1/1, Fa1/220 VLAN0020 active Fa1/31002 fddi-default act/unsup 1003 token-ring-default act/unsup 1004 fddinet-default act/unsup 1005 trnet-default act/unsup sw(config)#int f 1/0sw(config-if)#sw tr en dosw(config-if)#sw mo trsw(config-if)#e*Mar 1 00:03:06.579: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunksw(config-if)#exsw(config)#do show int f 1/0

3. Complete the settings of SW-3.

sw-3(config)#vlan 10,20sw-3(config-vlan)#exsw-3(config)#int vlan 10sw-3(config-if)#ip add 192.168.100.1 255.255.255.0sw-3(config-if)#no shut sw-3(config-if)#int vlan 20sw-3(config-if)#ip add 192.168.200.1 255.255.255.0sw-3(config-if)#no shut sw-3(config-if)#exsw-3(config)#int f 1/1sw-3(config-if)#ip add 192.168.10.1 255.255.255.0 IP addresses may not be configured on L2 links.sw-3(config-if)#no switchport //Turn off routing and make it Layer 3 port sw-3(config-if)#ip add 192.168.10.1 255.255.0sw-3 (config-if)#no shutsw-3 (config-if)#exsw-3(config)#int f 1/0sw-3 (config-if)#sw mo tr *Mar 1 00:02:43.731: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunk*Mar 1 00:02:44.235: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up*Mar 1 00:02:44.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to upsw-3(config-if)#sw tr en dotsw-3 (config-if)#ex sw-3(config)#Note: At this time, no ACL is set on sw-3. If all the experimental steps are correct, the whole network should be able to communicate.

Examples are as follows:

If the above results occur, you can continue with the following operations. Otherwise, check yourself.

4. Set ACL

sw-3

sw-3(config)#ip access-list standard zhy //create named access control list sw-3(config-std-nacl)#5 permit host 192.168.100.30 //The first 5 is the serial number, which can be omitted. default sort sw-3(config-std-nacl)#deny 192.168.100.0 0.0.0.255 //Deny all hosts sw-3(config-std-nacl) on segment 100 #permit any sw-3(config-std-nacl)#exsw-3(config)#do show access-listsStandard IP access list zhy 5 permit 192.168.100.30 15 deny 192.168.100.0, wildcard bits 0.0.0.255 25 permit anysw-3(config)#sw-3(config)#int f 1/1sw-3(config-if)#ip access-group zhy out //The in port should be a virtual port, setting ACL is more complicated. Therefore, this experiment will set ACL in the out port. sw-3(config-if)#exsw-3(config)#Experimental Results

Experiment successful!!!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.