计算机网络-ACL实验

news2024/9/30 23:35:07

一、NAT实验配置

通过基本ACL匹配VLAN 10网段，然后在出口设备NAT转换只要匹配到VLAN10地址则进行转换。

核心交换机

# 配置VLAN和默认路由，配置Trunk和Access接口
interface Vlanif10
 ip address 192.168.10.254 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.254 255.255.255.0
#
interface Vlanif30
 ip address 10.0.0.2 255.255.255.252

interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20

# 路由
ip route-static 0.0.0.0 0.0.0.0 10.0.0.1

出口路由器

# 配送路由和ACL以及NAT
acl number 2000  
 rule 10 permit source 192.168.10.0 0.0.0.255 

# 配置路由
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
ip route-static 192.168.10.0 255.255.255.0 10.0.0.2
ip route-static 192.168.20.0 255.255.255.0 10.0.0.2

# 配置接口地址，配置NAT与ACL匹配
interface GigabitEthernet0/0/0
 ip address 12.1.1.1 255.255.255.252 
 nat outbound 2000
#
interface GigabitEthernet0/0/1
 ip address 10.0.0.1 255.255.255.252

中间路由器：

interface GigabitEthernet0/0/0
 ip address 12.1.1.2 255.255.255.252 
#
interface GigabitEthernet0/0/1
 ip address 23.1.1.2 255.255.255.252 
#
ip route-static 8.8.8.8 255.255.255.255 23.1.1.1

AR3:

interface GigabitEthernet0/0/1
 ip address 23.1.1.1 255.255.255.252 
#
interface LoopBack0
 ip address 8.8.8.8 255.255.255.255 
#
ip route-static 0.0.0.0 0.0.0.0 23.1.1.2

PC1:正常访问8.8.8.8 PC1

PC2：没有进行NAT转换，访问超时 PC2

二、ACL流量过滤实验

正常配置access接口，划分VLAN，创建高级ACL匹配流量，然后调用过滤策略。

# 创建高级ACL，先匹配拒绝，然后再允许其它的访问流量
acl number 3000
 rule 5 deny ip source 192.168.10.1 0 destination 192.168.20.2 0
 rule 10 permit ip source 192.168.10.1 0

# 接口配置
#
interface Vlanif10
 ip address 192.168.10.254 255.255.255.0
#
interface Vlanif20
 ip address 192.168.20.254 255.255.255.0
#
interface Vlanif30
 ip address 10.0.0.2 255.255.255.252
 
# 应用过滤策略
# 可以在全局应用流量过滤
traffic-filter inbound acl 3000

# 或者在入接口和出接口应用，在G0/0/2，入方向过滤或者在G0/0/4出方向过滤
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 traffic-filter inbound acl 3000

#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 20
 traffic-filter outbound acl 3000

结果：