小公司ACL网络规划

明天会更好

实验要求：5个部门之间不能互相访问，但是都可以访问服务区和Internet。服务区不能访问Internet。Internet不能主动发起访问内部服务。

实验器材：路由器route(3620);交换机switch(2950),和6台pc等。

实验目的：了解vlan的划分；访问控制列表的设置；trunk的封装；

以及防火墙的设置等。

vlan划分部分

route: en

conf t

int e0/0.1

encapsulation islvlan 1

ip add192.168.1.1 255.255.255.0

no shut

int e0/0.2

encapsulationisl vlan 2

ip add192.168.2.1 255.255.255.0

no shut

int e0/0.3

encapsulationisl vlan 3

ip add192.168.3.1 255.255.255.0

no shut

int e0/0.4

encapsulationisl vlan 4

ip add 192.168.4.1255.255.255.0

no shut

int e0/0.5

encapsulationisl vlan 5

ip add192.168.5.1 255.255.255.0

no shut

int e0/0.6

encapsulationisl vlan 6

ip add192.168.6.1 255.255.255.0

no shut

switch:

en

vlan database

vlan 2 namevlan2

vlan 3 namevlan3

vlan 4 namevlan4

vlan 5 namevlan5

vlan 6 namevlan6

crl+z

en

conf t

int fa0/2

switchportaccess vlan 2

int fa0/3

switchportaccess vlan 3

int fa0/4

switchportaccess vlan 4

int fa0/5

switchportaccess vlan 5

int fa0/6

switchportaccess vlan 6

int fa0/7

switchport modetrunk

switchporttrunk encapsulation isl

pc1: 192.168.1.2 255.255.255.0

pc2: 192.168.2.2 255.255.255.0

pc3: 192.168.3.2 255.255.255.0

pc4: 192.168.4.2 255.255.255.0

pc5: 192.168.5.2 255.255.255.0

pc6: 192.168.6.2 255.255.255.0

设置访问控制列表部分；以及防火墙的设置:比较烦琐，我不修改他的设置了，重新在最下面为大家举一部分，其它的参照就可以了

route:

en

conf t

access-list 101deny tcp 192.168.1.2 0.0.0255 any established

permit tcp anyany established

access-list102permit ip 192.168.1.2 0.0.0.255 192.168.2.10.0.4.255

access-list103permit ip 192.168.2.2 0.0.0.255 192.168.1.20.0.0.255

denyip192.168.2.2 0 0.0.255 192.168.3.2 0.0.4.255

access-list 104permit ip 192.168.3.2 0.0.0.255 192.168.1.20.0.0.255

deny ip192.168.3.2 0.0.0.255 192.168.4.2 0.0.3.255.

deny ip192.168.3.2 0.0.0.255 192.168.2.2 0.0.0.255

acces-list 105permit ip 192.168.4.2 0.0.0.255 192.168.1.20.0.0.255

deny ip192.168.4.2 0.0.0.255 192.168.5.2 0.0.2.255

deny ip192.168.4.2 0.0.0.255 192.168.2.2 0.0.2.255

access-list 106permit ip 192.168.5.2 0.0.0.255 192.168.1.20.0.0.255

deny ip192.168.5.2 0.0.0.255 192.168.2.1 0.0.3.255

deny ip192.168.5.2 0.0.0.255 192.168.6.2 0.0.0.255

access-list 107permit ip 192.168.6.2 0.0.0.255 192.168.1.20.0.0.255

deny ip192.168.6.2 0.0.0.255 192.168.2.2.10.0.4.255

int e0/0.1

ip access-group101

ip access-group 102 in

int e0/0.2

ip access-group101

ip access-group 103 in

int e0/0.3

ip access-group101

ip access-group 104 in

int e0/0.4

ip access-group101

ip access-group 105 in

int e0/0.5

int access-group101   

int access-group106 in

int e0/0.6

int access-group101

int access-group107 in

access-list 101permit  tcp 192.168.0.0 0.0.7.255any

int e/0.1

ip access-group101 out

access-list 102deny tcp 192.168.3.0 0.0.0.255 any

access-list 102deny tcp 192.168.4.0 0.0.0.255 any

access-list 102deny tcp 192.168.5.0 0.0.0.255 any

access-list 102deny tcp 192.168.6.0 0.0.0.255 any

access-list 102permit tcp 192.168.1.0 0.0.0.255 any

access-list 102permit tcp any any established

int e0/0.2

ip access-group102 out