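13. Configuring a Standard IP ACL
I. Background
In a company network, the Administration, Sales and Finance departments sit on different subnets, and the three subnets are interconnected by routers. Administration is on 172.16.1.0/24, Sales is on 172.16.2.0/24, and Finance is on 172.16.4.0/24. For information security reasons, Sales must not be able to access Finance, while Administration must be able to. Analysis shows that a standard IP ACL can filter the traffic in the network according to the configured rules.
II. Topology
III. Configuration Procedure
Configure R1
Configuration: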
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 172.16.1.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#interface fastEthernet 1/0
Router(config-if)#ip address 172.16.2.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
Router(config-if)#exit
Router(config)#interface serial 2/0
Router(config-if)#ip address 172.16.3.1 255.255.255.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
Router(config-if)#exit
Router(config)#ip route 172.16.4.0 255.255.255.0 serial 2/0
Router(config)#end
View the interfaces:
Router#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.1.1 YES manual up up
FastEthernet1/0 172.16.2.1 YES manual up up
Serial2/0 172.16.3.1 YES manual down down
Serial3/0 unassigned YES unset administratively down down
FastEthernet4/0 unassigned YES unset administratively down down
FastEthernet5/0 unassigned YES unset administratively down down
Router#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
Configure R2
Configuration:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 172.16.4.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#interface serial 2/0
Router(config-if)#ip address 172.16.3.2 255.255.255.0
Router(config-if)#clock rate 64000
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
Router(config-if)#exit
Router(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
Router(config)#ip route 172.16.1.0 255.255.255.0 serial 2/0
Router(config)#ip route 172.16.2.0 255.255.255.0 serial 2/0
Router(config)#access-list 1 deny 172.16.2.0 0.0.0.255
Router(config)#access-list 1 permit 172.16.1.0 0.0.0.255
Router(config)#access-list 1 permit 172.16.1.0 0.0.0.255
Router(config)#interface fastethernet 0/0
Router(config-if)#ip access-group 1 out
Router(config-if)#end
View the interfaces:
Router# show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.4.1 YES manual up up
FastEthernet1/0 unassigned YES unset administratively down down
Serial2/0 172.16.3.2 YES manual up up
Serial3/0 unassigned YES unset administratively down down
FastEthernet4/0 unassigned YES unset administratively down down
FastEthernet5/0 unassigned YES unset administratively down down
Configure the PCs
3.1 Administration
IP: 172.16.1.10
Mask: 255.255.255.0
Gateway: 172.16.1.1
3.2 Sales
IP: 172.16.2.10
Mask: 255.255.255.0
Gateway: 172.16.2.1
3.3 Finance
IP: 172.16.4.10
Mask: 255.255.255.0
Gateway: 172.16.4.1
Verification test
4.1 Administration pings Finance: ping 172.16.4.10
4.2 Sales pings Finance: ping 172.16.4.10
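The ACL entered on R2, modelled offline as an added example (not part of the original post): it applies first-match evaluation with wildcard masks and the implicit deny to source addresses that appear in the post, and flags entries that an earlier entry already covers. The function names are illustrative, and only the address/wildcard form of a standard ACL is handled.

```python
import ipaddress

# ACL lines as entered on R2 in the post (the repeated permit is kept on purpose).
R2_ACL = """\
access-list 1 deny 172.16.2.0 0.0.0.255
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 1 permit 172.16.1.0 0.0.0.255
"""
MASK32 = 0xFFFFFFFF

def parse_standard_acl(text):
    """Parse 'access-list <n> permit|deny <addr> <wildcard>' lines, in order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access-list":
            continue  # other forms (host, any) are outside this sketch
        action, addr, wildcard = parts[2], parts[3], parts[4]
        entries.append((action, int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wildcard))))
    return entries

def evaluate(entries, source_ip):
    """Return (action, index of matching entry); index None means implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for i, (action, addr, wildcard) in enumerate(entries):
        care = ~wildcard & MASK32  # wildcard bit 0 = this bit must match
        if (src & care) == (addr & care):
            return action, i       # first match wins, later entries are ignored
    return "deny", None            # every ACL ends with an unseen 'deny any'

def unreachable(entries):
    """Indexes of entries fully covered by an earlier entry (never matched)."""
    dead = []
    for i, (_, addr, wc) in enumerate(entries):
        for _, p_addr, p_wc in entries[:i]:
            p_care = ~p_wc & MASK32
            # covered if the earlier entry checks no extra bits and agrees on its own
            if (wc & p_care) == 0 and ((addr ^ p_addr) & p_care) == 0:
                dead.append(i)
                break
    return dead

if __name__ == "__main__":
    acl = parse_standard_acl(R2_ACL)
    for name, ip in [("Administration PC", "172.16.1.10"),
                     ("Sales PC", "172.16.2.10"),
                     ("R1 Serial2/0", "172.16.3.1")]:
        print(f"{name:18} {ip:12} -> {evaluate(acl, ip)}")
    print("entries never matched:", unreachable(acl))
```

Because the list ends in an implicit deny, any source outside 172.16.1.0/24 (R1's own serial address 172.16.3.1, for instance) is also dropped on the way out of R2's FastEthernet0/0.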
- Title: 13. Configuring a Standard IP ACL
- Author: 小浩
- Created at : 2024-04-12 08:49:10
- Updated at : 2024-06-08 13:52:13
- Link: https://blog.xh8.shop/2024/04/12/13-配置标准IP-ACL/
- License: This work is licensed under CC BY-NC-SA 4.0.