Practice: establishing a named ACL
The topology of this experiment is as follows:
Experimental purpose
Establish a named ACL on the layer 3 switch sw-3 that meets the following requirements:
Allow host PC2 in VLAN 10 to access PC4;
Deny all other hosts in VLAN 10 access to PC4;
Allow hosts in all other networks to access PC4.
Experimental steps:
1. Complete the IP address configuration of the four PCs
PC1
PC1> ip 192.168.100.20 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.20 255.255.255.0 gateway 192.168.100.1
PC2
PC2> ip 192.168.100.30 192.168.100.1
Checking for duplicate address...
PC1 : 192.168.100.30 255.255.255.0 gateway 192.168.100.1
PC3
PC3> ip 192.168.200.10 192.168.200.1
Checking for duplicate address...
PC1 : 192.168.200.10 255.255.255.0 gateway 192.168.200.1
PC4
PC4> ip 192.168.10.10 192.168.10.1
Checking for duplicate address...
PC1 : 192.168.10.10 255.255.255.0 gateway 192.168.10.1
2. Complete the configuration of the layer 2 switch sw
sw(config)#no ip routing  // turn off routing (the image used here is a layer 3 switch, so routing must be disabled to use it as a layer 2 switch)
sw(config)#vlan 10,20  // create VLANs 10 and 20 to split the broadcast domain
sw(config-vlan)#ex
sw(config)#int f 1/1
sw(config-if)#sw mo ac
sw(config-if)#sw ac vlan 10
sw(config-if)#ex
sw(config)#int f 1/2
sw(config-if)#sw mo ac
sw(config-if)#sw ac vlan 10
sw(config-if)#int f 1/3
sw(config-if)#sw mo ac
sw(config-if)#sw ac vlan 20
sw(config-if)#ex
sw(config)#do show vlan-sw b

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0, Fa1/4, Fa1/5, Fa1/6
                                                Fa1/7, Fa1/8, Fa1/9, Fa1/10
                                                Fa1/11, Fa1/12, Fa1/13, Fa1/14
                                                Fa1/15
10   VLAN0010                         active    Fa1/1, Fa1/2
20   VLAN0020                         active    Fa1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

sw(config)#int f 1/0
sw(config-if)#sw tr en do
sw(config-if)#sw mo tr
sw(config-if)#e
*Mar 1 00:03:06.579: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunk
sw(config-if)#ex
sw(config)#do show int f 1/0
3. Complete the configuration of the layer 3 switch sw-3
sw-3(config)#vlan 10,20
sw-3(config-vlan)#ex
sw-3(config)#int vlan 10
sw-3(config-if)#ip add 192.168.100.1 255.255.255.0
sw-3(config-if)#no shut
sw-3(config-if)#int vlan 20
sw-3(config-if)#ip add 192.168.200.1 255.255.255.0
sw-3(config-if)#no shut
sw-3(config-if)#ex
sw-3(config)#int f 1/1
sw-3(config-if)#ip add 192.168.10.1 255.255.255.0  // the port is still a layer 2 switchport, so an IP address cannot be set on it
% IP addresses may not be configured on L2 links.
sw-3(config-if)#no switchport  // turn off layer 2 switching on the port so it becomes a layer 3 routed port
sw-3(config-if)#ip add 192.168.10.1 255.255.255.0
sw-3(config-if)#no shut
sw-3(config-if)#ex
sw-3(config)#int f 1/0
sw-3(config-if)#sw mo tr
*Mar 1 00:02:43.731: %DTP-5-TRUNKPORTON: Port Fa1/0 has become dot1q trunk
*Mar 1 00:02:44.235: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
*Mar 1 00:02:44.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
sw-3(config-if)#sw tr en dot
sw-3(config-if)#ex
sw-3(config)#
Note: at this point no ACL has been configured on sw-3. If all the steps above were done correctly, every host in the network can reach every other host.
The expected ping results are as follows:
If you get these results, continue with the steps below. Otherwise, check your configuration before going on.
4. Configure the ACL
sw-3
sw-3(config)#ip access-list standard zhy  // create a named standard access control list
sw-3(config-std-nacl)#5 permit host 192.168.100.30  // the leading 5 is the sequence number; it is optional, and IOS assigns sequence numbers automatically when it is omitted
sw-3(config-std-nacl)#deny 192.168.100.0 0.0.0.255  // deny all other hosts in the 192.168.100.0 network segment
sw-3(config-std-nacl)#permit any
sw-3(config-std-nacl)#ex
sw-3(config)#do show access-lists
Standard IP access list zhy
    5 permit 192.168.100.30
    15 deny   192.168.100.0, wildcard bits 0.0.0.255
    25 permit any
sw-3(config)#
sw-3(config)#int f 1/1
sw-3(config-if)#ip access-group zhy out  // traffic from VLAN 10 enters sw-3 through the virtual interface vlan 10, so filtering inbound would mean attaching the ACL to the SVI; in this experiment the ACL is applied outbound on the physical port facing PC4 instead
sw-3(config-if)#ex
sw-3(config)#
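To check that the three entries of the named ACL actually satisfy the three experimental requirements, the following Python script (an added example, not part of the original lab and not Cisco's code) replays the way a standard IOS ACL is evaluated: entries are tried in sequence-number order, a source address matches an entry when every bit where the wildcard mask is 0 agrees, the first match decides, and an unlisted source falls through to the implicit deny at the end. The ACL table is transcribed from the page's show access-lists output; the misordered variant and the host addresses used as test traffic are constructed for the example.

```python
import ipaddress

# ACL "zhy" as shown by "show access-lists": (sequence, action, address, wildcard)
ACL_ZHY = [
    (5,  "permit", "192.168.100.30", "0.0.0.0"),          # host PC2
    (15, "deny",   "192.168.100.0",  "0.0.0.255"),        # rest of VLAN 10
    (25, "permit", "0.0.0.0",        "255.255.255.255"),  # permit any
]

# Constructed variant: the same entries, but the network-wide deny is given a
# lower sequence number than the host permit, so it is evaluated first.
ACL_MISORDERED = [
    (1,  "deny",   "192.168.100.0",  "0.0.0.255"),
    (5,  "permit", "192.168.100.30", "0.0.0.0"),
    (25, "permit", "0.0.0.0",        "255.255.255.255"),
]


def wildcard_match(src, address, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match exactly,
    a 1 bit is 'do not care'. 0.0.0.0 therefore means a single host and
    255.255.255.255 means any address."""
    s = int(ipaddress.IPv4Address(src))
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (s & care) == (a & care)


def evaluate(acl, src):
    """Return (action, sequence) of the first entry matching the source
    address, or ("deny", None) for the implicit deny at the end of the list."""
    for seq, action, address, wildcard in sorted(acl):
        if wildcard_match(src, address, wildcard):
            return action, seq
    return "deny", None


def check_requirements(acl):
    """Map each of the lab's three requirements onto a sample source and
    report whether the ACL gives the required action for that source."""
    cases = {
        "PC2 (VLAN 10) allowed":      ("192.168.100.30", "permit"),
        "other VLAN 10 host denied":  ("192.168.100.20", "deny"),
        "other network host allowed": ("192.168.200.10", "permit"),
    }
    return {name: evaluate(acl, src)[0] == want for name, (src, want) in cases.items()}


def render_ios(name, acl):
    """Emit the IOS lines that would reproduce the table, so the test
    traffic above can be compared directly with what is typed on sw-3."""
    lines = [f"ip access-list standard {name}"]
    for seq, action, address, wildcard in sorted(acl):
        if wildcard == "0.0.0.0":
            target = f"host {address}"
        elif wildcard == "255.255.255.255":
            target = "any"
        else:
            target = f"{address} {wildcard}"
        lines.append(f" {seq} {action} {target}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_ios("zhy", ACL_ZHY))
    for src in ("192.168.100.30", "192.168.100.20", "192.168.200.10"):
        print(src, "->", evaluate(ACL_ZHY, src))
    print("requirements met:", check_requirements(ACL_ZHY))
    print("misordered copy:", check_requirements(ACL_MISORDERED))
```

The misordered copy fails the first requirement: with the deny at sequence 1, PC2 matches the network-wide deny before its host permit is ever reached, which is why the sequence number on the permit host line matters when entries are added later. Dropping the final permit any (for example by evaluating only the first two entries) shows the implicit deny: PC3 in 192.168.200.0/24 would then be blocked even though the requirements say it must be allowed.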