[Experiment Name] Named extended IP access list

[Objective] Master the rules of the named extended IP access list on a Layer-3 switch and configure one.

[Experiment function] Use an access list to control mutual access between network segments.

[Lab equipment] Layer-3 switch (1), PCs (3), direct-connect cables (3)

[Experiment topology] (the topology figure is not included on this page)

[Experiment steps]

Switch1

Switch> enable
Switch# configure terminal
Switch(config)# vlan 5
Switch(config-vlan)# exit
Switch(config)# vlan 10
Switch(config-vlan)# exit
Switch(config)# vlan 15
Switch(config-vlan)# exit
Switch(config)# interface vlan 5
Switch(config-if)# no shutdown
Switch(config-if)# ip address 172.16.5.1 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface vlan 10
Switch(config-if)# no shutdown
Switch(config-if)# ip address 172.16.10.1 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface vlan 15
Switch(config-if)# no shutdown
Switch(config-if)# ip address 172.16.15.1 255.255.255.0

Once the IP addresses are configured, the whole network is interconnected. This chapter then uses a named extended IP access list to restrict access to an application service: here we restrict the student-machine segment (VLAN 5) from reaching the WWW service on the server segment (VLAN 15). Other services are restricted in the same way.

Switch(config)# ip access-list extended cisco (create an extended access list and name it cisco)
Switch(config-ext-nacl)# deny tcp 172.16.5.0 0.0.0.255 172.16.15.0 0.0.0.255 eq www (refuse the 172.16.5.0 segment access to the WWW service of the 172.16.15.0 segment; "www" can also be written as "http" or "80"; the addresses use a wildcard (inverse) mask)
Switch(config-ext-nacl)# permit ip any any (every access list ends with an implicit deny, so after denying one segment the remaining traffic must be explicitly permitted)
Switch(config-ext-nacl)# exit
Switch(config)# interface vlan 5
Switch(config-if)# ip access-group cisco in (apply the extended list cisco to the inbound direction of interface vlan 5)
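Before applying a list like "cisco" to a production interface it is worth checking, off the switch, which flows it will actually permit and deny. The following Python model is an added example; it is not code from the original page or from Cisco. It mimics only the three IOS behaviours the configuration above relies on: wildcard (inverse) masks, first-match evaluation from the top of the list, and the implicit "deny ip any any" at the end of every access list. The sample flows at the bottom are constructed, and only the destination-port form of "eq" used on the page is parsed.

```python
"""Added example (not from the original page or from Cisco): a small model of how
an IOS named extended ACL evaluates packets. It mimics wildcard (inverse) masks,
first-match evaluation from the top, and the implicit "deny ip any any" that
ends every Cisco access list."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS accepts interchangeably with numbers ("eq www" == "eq 80").
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "telnet": 23, "domain": 53}


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard mask: a 0 bit must match the network, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    """One access control entry (one 'permit'/'deny' line of the list)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # None = any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if not wildcard_match(src, self.src, self.src_wc):
            return False
        if not wildcard_match(dst, self.dst, self.dst_wc):
            return False
        return self.dport is None or self.dport == dport


def parse_ace(line: str) -> Ace:
    """Parse an ACE in the form used on the page:
    '<action> <proto> <src wc | any | host A> <dst wc | any | host A> [eq <port>]'.
    Source-port matching and other IOS options are deliberately not modelled."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    pos = 2

    def address() -> Tuple[str, str]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src, src_wc = address()
    dst, dst_wc = address()
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        port = tok[pos + 1]
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First matching entry wins; no match means the implicit deny applies."""
    for n, ace in enumerate(acl, start=1):
        if ace.matches(proto, src, dst, dport):
            return ace.action, f"entry {n}"
    return "deny", "implicit deny at end of ACL"


# The access list "cisco" exactly as configured on the page.
ACL_CISCO = [parse_ace(l) for l in (
    "deny tcp 172.16.5.0 0.0.0.255 172.16.15.0 0.0.0.255 eq www",
    "permit ip any any",
)]
# The same list with the final permit forgotten: every flow is then dropped.
ACL_NO_PERMIT = ACL_CISCO[:1]

if __name__ == "__main__":
    # Constructed sample flows: VLAN 5 and VLAN 10 PCs toward the VLAN 15 server.
    for proto, src, dst, dport in (("tcp", "172.16.5.20", "172.16.15.2", 80),
                                   ("tcp", "172.16.5.20", "172.16.15.2", 443),
                                   ("tcp", "172.16.10.20", "172.16.15.2", 80),
                                   ("icmp", "172.16.5.20", "172.16.10.2", None)):
        print(proto, src, "->", dst, dport, evaluate(ACL_CISCO, proto, src, dst, dport),
              "| without final permit:", evaluate(ACL_NO_PERMIT, proto, src, dst, dport))
```

Running it shows that only HTTP from the 172.16.5.0 segment to the 172.16.15.0 segment hits entry 1; HTTPS from the same PC and HTTP from VLAN 10 fall through to the permit, and with the permit removed even ICMP between unrelated segments is dropped by the implicit deny, which is exactly the mistake the parenthetical on the "permit ip any any" line warns about.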
Next, why is the list applied on interface vlan 5? This topology does not make it obvious. Imagine that the VLAN 5 hosts are N switches away from the switch holding the named extended access list, and that they try to reach the WWW service in VLAN 15. A PC in VLAN 5 sends its packets; they cross N switches before reaching the switch that holds the list, which then matches them against the list, finds they are blocked, and discards them. The bandwidth along the whole path has been wasted. For that reason an extended access control list should be applied on the interface closest to the restricted network segment, which in this figure is interface vlan 5. Let's take a closer look.