52扩展ACL访问控制列表实验三(VLAN方式VTY访问限制)

-1-5.3扩展ACL访问控制列表实验三(VLAN方式、VTY访问限制)【项目情境】假设你是某公司的网络管理员，公司的销售部（172.16.1.0网段），经理部（172.16.2.0网段），和内网服务器（172.16.4.2），为了安全起见，公司领导要求禁止销售部172.16.1.0/24网段访问内网端口，但经理部不受限制。要求使用编号方式在三层交换机的VTY上进行标准ACL的应用，增强远程登录的安全性。【项目目的】1.掌握命名方式扩展访问控制列表的制定规则与配置方法。2.巩固三层交换机的SVI路由功能和在三层交换机的VTY上进行扩展ACL的应用。【相关设备】三层交换机1台、二层交换机1台(模拟外网服务器)，直连线3根。【项目拓扑】【项目任务】1.如上图搭建网络环境，对三层交换机建立相应的VLAN，加入对应端口并配置SVI地址，形成路由。2.配置PC机、SwitchB的地址和默认网关，设置SwitchB的远程登录密码为wjxvtc。测试所有设备之间的联通性(应该全通)。在PC1和PC2远程登录SwitchB，测试telnet命令及联通性。-2-3.设置扩展IP访问控制列表（命名方式），禁止172.16.1.0/24网段访问172.16.4.0/24网段的telnet端口，其他不受影响。查看配置和端口的状态，并测试结果(PC1telnetSwitchB不通，PC1pingSwitchB通，但PC2telnetSwitchB通，PC2pingSwitchB通)。把PC1的地址改成172.16.1.3，PC1telnetSwitchB仍然不通，PC1pingSwitchB通。4.对三层交换机SwitchA配置远程登录密码为wjxvtc，特权密码为abcdef（加密方式）。5.设置标准IP访问控制列表（编号方式）,只允许PC1可以对三层交换机SwitchA进行远程登录。测试结果（PC1可以telnetSwitchA，PC2不能telnetSwitchA）。6.最后把配置以及ping的结果截图打包，以“学号姓名”为文件名，提交作业。7.使用锐捷设备（2、3人一组）完成上面的步骤，将SwitchB改成一台PC。【实验命令】1.对三层交换机SwitchA配置远程登录密码为wjxvtc，特权密码为abcdef（加密方式）。SwitchA(config)#linevty015SwitchA(config-line)#passwordwjxvtcSwitchA(config-line)#loginSwitchA(config-line)#exitSwitchA(config)#enablesecretabcdef2.设置标准IP访问控制列表（编号方式），只允许PC1可以对三层交换机SwitchA进行远程登录。(1)定义规则：SwitchA(config)#access-list9permithost172.16.1.2SwitchA(config)#access-list9denyany(2)应用端口：SwitchA(config)#linevty015SwitchA(config-line)#access-class9in【注意事项】1.比较在三层交换机上进行VLAN地址设置和进行端口地址的区别和相同点。2.注意在三层交换机VTY上进行标准ACL应用的access-class9in命令。-3-【配置结果】1.SwitchA#showiprouteCodes:C-connected,S-static,I-IGRP,R-RIP,M-mobile,B-BGPD-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterareaN1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2E1-OSPFexternaltype1,E2-OSPFexternaltype2,E-EGPi-IS-IS,L1-IS-ISlevel-1,L2-IS-ISlevel-2,ia-IS-ISinterarea*-candidatedefault,U-per-userstaticroute,o-ODRP-periodicdownloadedstaticrouteGatewayoflastresortisnotset172.16.0.0/24issubnetted,3subnetsC172.16.1.0isdirectlyconnected,Vlan10C172.16.2.0isdirectlyconnected,Vlan20C172.16.4.0isdirectlyconnected,Vlan302.SwitchB#showrunning-configBuildingconfiguration...Currentconfiguration:1053bytesversion12.1noservicepassword-encryptionhostnameSwitchBenablesecret5$1$mERr$OAZJyntnash.EflFFzcMJ1interfaceFastEthernet0/1interfaceFastEthernet0/2interfaceFastEthernet0/3interfaceFastEthernet0/4interfaceFastEthernet0/5interfaceFastEthernet0/6interfaceFastEthernet0/7interfaceFastEthernet0/8interfaceFastEthernet0/9interfaceFastEthernet0/10interfaceFastEthernet0/11interfaceFastEthernet0/12interfaceFastEthernet0/13interfaceFastEthernet0/14interfaceFastEthernet0/15interfaceFastEthernet0/16interfaceFastEthernet0/17interfaceFastEthernet0/18interfaceFastEthernet0/19interfaceFastEthernet0/20interfaceFastEthernet0/21interfaceFastEthernet0/22-4-interfaceFastEthernet0/23interfaceFastEthernet0/24interfaceGigabitEthernet1/1interfaceGigabitEthernet1/2interfaceVlan1ipaddress172.16.4.2255.255.255.0ipdefault-gateway172.16.4.1linecon0linevty04passwordwjxvtcloginlinevty515passwordwjxvtcloginend3.SwitchA#showaccess-listsStandardIPaccesslist9permithost172.16.1.2denyany4.SwitchA#showrunning-configBuildingconfiguration...Currentconfiguration:1677bytesversion12.2noservicepassword-encryptionhostnameSwitchAipsshversion1port-channelload-balancesrc-macinterfaceFastEthernet0/1switchportaccessvlan10interfaceFastEthernet0/2switchportaccessvlan10interfaceFastEthernet0/3switchportaccessvlan10interfaceFastEthernet0/4switchportaccessvlan10interfaceFastEthernet0/5switchportaccessvlan10interfaceFastEthernet0/6switchportaccessvlan20interfaceFastEthernet0/7switchportaccessvlan20interfaceFastEthernet0/8switchportaccessvlan20-5-interfaceFastEthernet0/9switchportaccessvlan20interfaceFastEthernet0/10switchportaccessvlan20interfaceFastEthernet0/11switchportaccessvlan30interfaceFastEthernet0/12switchportaccessvlan30interfaceFastEthernet0/13switchportaccessvlan30interfaceFastEthernet0/14switchportaccessvlan30interfaceFastEthernet0/15switchportaccessvlan30interfaceFastEthernet0/16interfaceFastEthernet0/17interfaceFastEthernet0/18interfaceFastEthernet0/19interfaceFastEthernet0/20interfaceFastEthernet0/21interfaceFastEthernet0/22interfaceFastEthernet0/23interfaceFastEthernet0/24interfaceGigabitEthernet0/1interfaceGigabitEthernet0/2interfaceVlan1noipaddressshutdowninterfaceVlan10ipaddress172.16.1.1255.255.255.0interfaceVlan20ipaddress172.16.2.1255.255.255.0interfaceVlan30ipaddress172.16.4.1255.255.255.0ipclasslessaccess-list9permithost172.16.1.2access-list9denyanylinecon0linevty04access-class9inloginlinevty515access-class9inlogin-6-end