13. Configuring a Standard IP ACL

小浩 Lv3

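I. Background

In a company network, the Administration, Sales, and Finance departments sit on separate subnets, and the three subnets are interconnected by routers. Administration is on 172.16.1.0/24, Sales is on 172.16.2.0/24, and Finance is on 172.16.4.0/24. For information security reasons, Sales must not be able to access Finance, while Administration must be able to. Analysis shows that a standard IP ACL can filter traffic in the network according to configured rules.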

II. Topology

[Image: cisco23]

III. Configuration Steps

  1. Configure R1

    Configuration:

    Router>en

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#interface fastEthernet 0/0

    Router(config-if)#ip address 172.16.1.1 255.255.255.0

    Router(config-if)#no shutdown

    Router(config-if)#

    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

    Router(config-if)#exit

    Router(config)#interface fastEthernet 1/0

    Router(config-if)#ip address 172.16.2.1 255.255.255.0

    Router(config-if)#no shutdown

    Router(config-if)#

    %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up

    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up

    Router(config-if)#exit

    Router(config)#interface serial 2/0

    Router(config-if)#ip address 172.16.3.1 255.255.255.0

    Router(config-if)#no shutdown

    %LINK-5-CHANGED: Interface Serial2/0, changed state to down

    Router(config-if)#exit

    Router(config)#ip route 172.16.4.0 255.255.255.0 serial 2/0

    Router(config)#end

    Check the interfaces:

    Router#show ip interface brief 

    Interface IP-Address OK? Method Status Protocol

    FastEthernet0/0 172.16.1.1 YES manual up up

    FastEthernet1/0 172.16.2.1 YES manual up up

    Serial2/0 172.16.3.1 YES manual down down

    Serial3/0 unassigned YES unset administratively down down

    FastEthernet4/0 unassigned YES unset administratively down down

    FastEthernet5/0 unassigned YES unset administratively down down

    Router#

    %LINK-5-CHANGED: Interface Serial2/0, changed state to up

    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
  2. Configure R2

    Configuration:

    Router>en

    Router#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Router(config)#interface fastEthernet 0/0

    Router(config-if)#ip address 172.16.4.1 255.255.255.0

    Router(config-if)#no shutdown

    Router(config-if)#

    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

    Router(config-if)#exit

    Router(config)#interface serial 2/0

    Router(config-if)#ip address 172.16.3.2 255.255.255.0

    Router(config-if)#clock rate 64000

    Router(config-if)#no shutdown

    Router(config-if)#

    %LINK-5-CHANGED: Interface Serial2/0, changed state to up

    Router(config-if)#exit

    Router(config)#

    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up

    Router(config)#ip route 172.16.1.0 255.255.255.0 serial 2/0

    Router(config)#ip route 172.16.2.0 255.255.255.0 serial 2/0

    Router(config)#access-list 1 deny 172.16.2.0 0.0.0.255

    Router(config)#access-list 1 permit 172.16.1.0 0.0.0.255

    Router(config)#access-list 1 permit 172.16.1.0 0.0.0.255

    Router(config)#interface fastethernet 0/0

    Router(config-if)#ip access-group 1 out

    Router(config-if)#end

    Check the interfaces:

    Router# show ip interface brief

    Interface IP-Address OK? Method Status Protocol

    FastEthernet0/0 172.16.4.1 YES manual up up

    FastEthernet1/0 unassigned YES unset administratively down down

    Serial2/0 172.16.3.2 YES manual up up

    Serial3/0 unassigned YES unset administratively down down

    FastEthernet4/0 unassigned YES unset administratively down down

    FastEthernet5/0 unassigned YES unset administratively down down

  3. Configure the PCs

    3.1 Administration

    IP: 172.16.1.10

    MASK: 255.255.255.0

    Gateway: 172.16.1.1

    3.2 Sales

    IP: 172.16.2.10

    MASK: 255.255.255.0

    Gateway: 172.16.2.1

    3.3 Finance

    IP: 172.16.4.10

    MASK: 255.255.255.0

    Gateway: 172.16.4.1

  4. Verification

    4.1 Administration pings Finance: ping 172.16.4.10

    [Image: cisco24]

    4.2 Sales pings Finance: ping 172.16.4.10

    [Image: cisco25]
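The following Python sketch is an added example, not part of the original post: it evaluates the ACL 1 entries configured on R2 the way a standard ACL is processed (source address only, wildcard-mask match, first match wins, implicit deny at the end). The function names and the choice of R1's serial address 172.16.3.1 as an unlisted source are assumptions made for illustration.

```python
import ipaddress

# ACL 1 as entered on R2 in this lab (applied outbound on FastEthernet0/0).
ACL_1 = """\
access-list 1 deny 172.16.2.0 0.0.0.255
access-list 1 permit 172.16.1.0 0.0.0.255
"""

def parse_standard_acl(text):
    """Parse 'access-list <n> permit|deny <addr> <wildcard>' lines, keeping order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access-list":
            continue  # only the address/wildcard form used on this page is handled
        action, addr, wildcard = parts[2], parts[3], parts[4]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        entries.append((action,
                        int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wildcard))))
    return entries

def evaluate(entries, source_ip):
    """Return (action, matched_index); the index is None for the implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for i, (action, addr, wildcard) in enumerate(entries):
        care = ~wildcard & 0xFFFFFFFF  # wildcard bit 0 = must match, 1 = ignore
        if (src & care) == (addr & care):
            return action, i           # first match wins; later entries are skipped
    return "deny", None                # every ACL ends with an implicit "deny any"

def report(entries, hosts):
    """Evaluate each named source address against the ACL."""
    return {name: evaluate(entries, ip) for name, ip in hosts.items()}

if __name__ == "__main__":
    hosts = {
        "Administration PC": "172.16.1.10",
        "Sales PC": "172.16.2.10",
        "R1 Serial2/0 (not listed in ACL 1)": "172.16.3.1",
    }
    for name, (action, idx) in report(parse_standard_acl(ACL_1), hosts).items():
        rule = "implicit deny" if idx is None else f"entry {idx + 1}"
        print(f"{name:36s} -> {action:6s} ({rule})")
```

Because a standard ACL matches only the source address, any source outside 172.16.1.0/24 is dropped toward Finance by the implicit deny, not just the Sales subnet.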

  • Title: 13. Configuring a Standard IP ACL
  • Author: 小浩
  • Created at : 2024-04-12 08:49:10
  • Updated at : 2024-06-08 13:52:13
  • Link: https://blog.xh8.shop/2024/04/12/13-配置标准IP-ACL/
  • License: This work is licensed under CC BY-NC-SA 4.0.