
Huawei ENSP simulator configures ACL access control list

2022-07-04 21:13:00 Python Pegasus

Catalog

Experimental environment

Experimental steps

Step one: create the access control rule

1. ACL types (the difference between basic and advanced ACLs)

2. Create the ACL

3. Write rules in the ACL (deny based on IP address)

Step two: apply the rule

1. The interface the packets must enter through

2. Apply the rule

3. Check whether the rule took effect


Experimental environment:

First configure the Layer 3 switch; that was explained in detail in the previous article. The point of the Layer 3 switch configuration is to isolate while still interconnecting: each VLAN is its own broadcast domain, so a virus or worm outbreak stays inside one VLAN, yet PCs in different VLANs and different network segments can still communicate. These PCs cannot reach each other directly through the access switch in the middle; their packets must be forwarded to the Layer 3 switch, which routes between the VLANs. In other words, the Layer 3 switch is the gateway of each PC.

In this environment a PC can talk to any PC in another VLAN, even though their gateways differ. The purpose of configuring the ACL (access control list) is to let the PC in VLAN 10 reach only the PCs in VLAN 20 and to deny it access to the PCs in VLAN 30.

The gateway of each PC is on the Layer 3 switch, as the IP address of that VLAN's VLANIF interface.

You can see that a PC can communicate with PCs in other VLANs and other network segments; this works because of the Layer 3 switch.

Experimental steps:

Step one: create the access control rule

Step two: apply the rule

Step one:

1. ACL types (the difference between basic and advanced ACLs):

Basic ACL: matches only the source address; the destination address is not checked.

Advanced ACL: matches the destination address as well as the source address (and can also match the protocol and port numbers). This experiment must match on the destination address, so it needs an advanced ACL.

2. Create the ACL:

Create an ACL called test (creating it like this, without a type, is not recommended, because the ACL type is then not stated explicitly):

acl name test

Correct creation method:

Create the ACL by name and give the ACL type: advanced (advance) or basic (basic).

# Create an advanced ACL called test
acl name test advance

# Command usage
acl name <name> <acl type>

3. Write rules in the ACL (deny based on IP address):

In an ACL rule the mask is written as a wildcard mask, which is the subnet mask inverted. For example:

Subnet mask: 255.255.255.0

Wildcard mask: 0.0.0.255      # each 255 becomes 0 and each 0 becomes 255

Strictly, the wildcard mask is the bitwise complement of the subnet mask: a 0 bit means the corresponding address bit must match, a 1 bit means it is ignored. Swapping 255 and 0 only works for octet-aligned masks; 255.255.255.192, for instance, becomes 0.0.0.63.

# rule deny ip    deny rule for the IP protocol
# source          source address
# destination     destination address

Deny rule:

# Deny traffic whose source address is in the 192.168.10.0 segment and whose destination is in the 192.168.30.0 segment
rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255

# Command usage:
rule deny ip source <source network> <wildcard mask> destination <destination network> <wildcard mask>

Permit rule:

# Permit IP packets from any source address to any destination
rule permit ip source any destination any

That is, PCs in the 10 segment are denied access to PCs in the 30 segment; other traffic is not restricted. Rules are matched in the order they are configured and the first match wins, so the deny rule must come before the permit-any rule; if the permit rule came first, every packet would match it and nothing would be denied. The switch numbers the rules automatically (5, 10, ... with the default step of 5).

View the rules you have written (from inside the ACL view):

display this

Step two: apply the rule

The ACL must be applied on an interface that the packets have to pass through; that is, it must be bound to an interface, and only then can it control the traffic crossing that interface.

1. The interface the packets enter through:

This is the port on the Layer 3 switch through which the VLAN 10 PC's packets arrive (int g0/0/1 is the abbreviated form of the command):

interface GigabitEthernet 0/0/1

2. Apply the rule:

Filter the packets entering this interface using the ACL named test.

traffic-filter inbound acl name test

3. Check whether the rule took effect:

A PC in the 10 segment can no longer ping a PC in the 30 segment, which shows that the applied rule works. Next, check whether the rule affects communication with PCs in other segments:

A PC in the 10 segment can still reach the 20 segment, so the other segments are not affected and the intended result is achieved. On the switch itself, display acl name test lists the rules of the ACL, and display current-configuration interface GigabitEthernet 0/0/1 shows the traffic-filter binding on the port.
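Added example, not part of the original post: a small Python model of the ACL built in steps one and two. It derives the wildcard mask as the bitwise complement of the subnet mask (so it also handles masks such as 255.255.255.192, where swapping 255 and 0 would give the wrong answer), evaluates the rules first-match-wins in configuration order against constructed packets, and renders the equivalent VRP commands. The host addresses 192.168.10.5, 192.168.20.7 and 192.168.30.7 and the binding to GigabitEthernet 0/0/1 are assumed for this lab; the script contacts no device.

```python
"""Model of the advanced ACL configured in this article (added example, not
from the original post). It derives wildcard masks the way the ACL engine
does, evaluates the rules in configuration order against constructed
packets, and renders the equivalent VRP commands. Addresses, ACL name and
interface are assumed for this lab; no device is contacted.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

ANY = ("any", "")  # shorthand for "source any" / "destination any"


def wildcard(subnet_mask: str) -> str:
    """Wildcard mask = bitwise complement of the subnet mask.

    255.255.255.0 -> 0.0.0.255, but 255.255.255.192 -> 0.0.0.63: simply
    swapping 255 and 0 only works for octet-aligned masks.
    """
    m = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def addr_matches(addr: str, rule_addr: str, wc: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; bits set to 0 must be equal."""
    if rule_addr == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wc))
    return (a ^ r) & (~w & 0xFFFFFFFF) == 0


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: Tuple[str, str] = ANY      # (network, wildcard) or ANY
    dst: Tuple[str, str] = ANY
    protocol: str = "ip"

    def hit(self, src_ip: str, dst_ip: str) -> bool:
        return (addr_matches(src_ip, *self.src)
                and addr_matches(dst_ip, *self.dst))

    def to_vrp(self, rule_id: int) -> str:
        def part(kw: str, spec: Tuple[str, str]) -> str:
            return f"{kw} any" if spec[0] == "any" else f"{kw} {spec[0]} {spec[1]}"
        return (f"rule {rule_id} {self.action} {self.protocol} "
                f"{part('source', self.src)} {part('destination', self.dst)}")


@dataclass
class AdvancedAcl:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, src_ip: str, dst_ip: str) -> str:
        """First matching rule wins (match-order config, the VRP default).

        With traffic-filter on Huawei switches a packet that matches no rule
        is forwarded, so an ACL with no rules blocks nothing.
        """
        for rule in self.rules:
            if rule.hit(src_ip, dst_ip):
                return rule.action
        return "permit"

    def to_vrp(self, interface: str) -> str:
        """Render the commands of steps one and two; rule IDs follow the
        default step of 5, as the switch would auto-assign them."""
        lines = [f"acl name {self.name} advance"]
        lines += [f" {r.to_vrp(5 * (i + 1))}" for i, r in enumerate(self.rules)]
        lines += ["quit", f"interface {interface}",
                  f" traffic-filter inbound acl name {self.name}", "quit"]
        return "\n".join(lines)


def lab_acl() -> AdvancedAcl:
    """The ACL from the article: VLAN 10 may not reach VLAN 30; all else passes."""
    net10 = ("192.168.10.0", wildcard("255.255.255.0"))
    net30 = ("192.168.30.0", wildcard("255.255.255.0"))
    return AdvancedAcl("test", [Rule("deny", net10, net30), Rule("permit", ANY, ANY)])


if __name__ == "__main__":
    acl = lab_acl()
    print(acl.to_vrp("GigabitEthernet 0/0/1"))
    # Constructed packets: VLAN 10 -> VLAN 30 is dropped, VLAN 10 -> VLAN 20 passes.
    for src, dst in [("192.168.10.5", "192.168.30.7"), ("192.168.10.5", "192.168.20.7")]:
        print(src, "->", dst, acl.evaluate(src, dst))
```

Reversing the two rules (permit-any first) makes evaluate() return "permit" for the VLAN 10 to VLAN 30 packet, which is why the deny rule has to be entered first. The model also shows the ACL is stateless: a packet from 192.168.30.7 to 192.168.10.5 is not matched by the deny rule, and the reply never appears in the lab only because the request was dropped inbound.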

Original article: https://yzsam.com/2022/185/202207042010439651.html

Copyright notice
This article was written by [Python Pegasus]; please include the original link when reposting. Thank you.