【eNSP实战】基本ACL实现网络安全
拓扑图
要求:
- PC3不允许访问其他PC和Server1
- PC2允许访问Server1服务器,不允许其他PC访问
- 各设备IP配置如图所示,这里不做展示
AR1接口vlan配置
vlan batch 10 20 30
#
interface Vlanif10
ip address 192.168.1.254 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.254 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.254 255.255.255.0
#
interface Ethernet0/0/0
port link-type access
port default vlan 30
#
interface Ethernet0/0/1
port link-type access
port default vlan 10
#
interface Ethernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/0
ip address 10.0.0.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.2
AR2接口配置
interface Vlanif1
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet0/0/0
ip address 10.0.0.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
下面开始配置基本ALC
AR1配置ACL:PC3不允许访问其他PC和Server1
[AR1]acl 2000 # 配置ACL2000
[AR1-acl-basic-2000]rule deny source 172.16.1.0 0.0.0.255 # 设置拒绝源IP地址流量
[AR1-acl-basic-2000]quit
[AR1]interface GigabitEthernet 0/0/0 # 进入接口试图
[AR1-GigabitEthernet0/0/0]traffic-filter inbound acl 2000 # 把acl2000策略应用到该接口上,检测入站流量进行匹配安全策略
[AR1-GigabitEthernet0/0/0]quit
AR1配置ACL:PC2允许访问Server1服务器,不允许其他PC访问
[AR1]acl 2010
[AR1-acl-basic-2010]rule permit source 192.168.2.0 0.0.0.255 # 设置允许该网段的流量通过
[AR1-acl-basic-2010]rule deny # 拒绝所有流量(虽然是拒绝所有,但是会优先匹配上面一条规则)
[AR1-acl-basic-2010]quit
[AR1]interface Vlanif 30 # 进入vlan30视图
[AR1-Vlanif30]traffic-filter outbound acl 2010 # 将acl2010应用到vlan30接口上
[AR1-Vlanif30]quit
至此路由器ACL策略配置完成,下面测试PC1与Server1互通,PC2与与Server2互通
