Detailed explanation
Types of ACL on Catalyst
Catalyst switches provide three kinds of ACL for access control; they differ in where they are applied and in the layer at which they filter.
ACL type | Applied to | Applied when | Direction | Layers filtered |
---|---|---|---|---|
RACL (Router ACL) | Routed port, SVI | During routing | IN/OUT | L3/L4 |
VACL (VLAN ACL) | VLAN | During routing, during switching | IN | L2/L3/L4 |
PACL (Port ACL) | Switch port | During routing, during switching | IN | L2/L3/L4 |
Explanation using a real network
CML topology
We build the following network in CML and use it for the explanation: one L3SW (IOSvL2) and four servers.
The base configuration of each device is as follows.
L3SW configuration
Server1 configuration
Server2 configuration
Server3 configuration
Server4 configuration
Reachability check
From Server1, confirm that ping reaches the default gateway and the other servers.
Server1
```shell
ping -c 5 192.168.1.254
ping -c 5 192.168.1.2
ping -c 5 192.168.2.1
ping -c 5 192.168.2.2
```
```text
cisco@Server1:~$ ping -c 5 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: seq=0 ttl=255 time=17.111 ms
64 bytes from 192.168.1.254: seq=1 ttl=255 time=4.524 ms
64 bytes from 192.168.1.254: seq=2 ttl=255 time=8.055 ms
64 bytes from 192.168.1.254: seq=3 ttl=255 time=7.530 ms
64 bytes from 192.168.1.254: seq=4 ttl=255 time=4.733 ms
--- 192.168.1.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 4.524/8.390/17.111 ms
================================================
cisco@Server1:~$ ping -c 5 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: seq=0 ttl=64 time=10.645 ms
64 bytes from 192.168.1.2: seq=1 ttl=64 time=4.572 ms
64 bytes from 192.168.1.2: seq=2 ttl=64 time=4.811 ms
64 bytes from 192.168.1.2: seq=3 ttl=64 time=5.510 ms
64 bytes from 192.168.1.2: seq=4 ttl=64 time=7.290 ms
--- 192.168.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 4.572/6.565/10.645 ms
================================================
cisco@Server1:~$ ping -c 5 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: seq=0 ttl=63 time=9.739 ms
64 bytes from 192.168.2.1: seq=1 ttl=63 time=7.757 ms
64 bytes from 192.168.2.1: seq=2 ttl=63 time=19.472 ms
64 bytes from 192.168.2.1: seq=3 ttl=63 time=7.656 ms
64 bytes from 192.168.2.1: seq=4 ttl=63 time=8.246 ms
--- 192.168.2.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 7.656/10.574/19.472 ms
================================================
cisco@Server1:~$ ping -c 5 192.168.2.2
PING 192.168.2.2 (192.168.2.2): 56 data bytes
64 bytes from 192.168.2.2: seq=0 ttl=63 time=8.801 ms
64 bytes from 192.168.2.2: seq=1 ttl=63 time=11.593 ms
64 bytes from 192.168.2.2: seq=2 ttl=63 time=7.877 ms
64 bytes from 192.168.2.2: seq=3 ttl=63 time=8.235 ms
64 bytes from 192.168.2.2: seq=4 ttl=63 time=10.794 ms
--- 192.168.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 7.877/9.460/11.593 ms
```
Internal structure of the L3SW
The internal structure of the L3SW (Catalyst) is shown in the figure below.
The point at which each ACL is applied is roughly as illustrated there.
Using this layout, we will explain each ACL in detail.
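As an added illustration of where each of the three ACL types from the table above is attached on the L3SW (this is example configuration, not the article's own), one RACL on an SVI, one VACL on a VLAN and one PACL on a switch port, each placed so that it catches traffic the other two cannot see. Assumed, since the page does not state them: Server1/Server2 are in VLAN 10 (192.168.1.0/24, SVI 192.168.1.254), Server3/Server4 in VLAN 20 (192.168.2.0/24), Server2 is 192.168.1.2 and sits on GigabitEthernet0/2.

```cisco
! Added example, not the article's configuration. Assumptions: VLAN 10 =
! 192.168.1.0/24 (SVI 192.168.1.254), VLAN 20 = 192.168.2.0/24,
! Server2 = 192.168.1.2 on GigabitEthernet0/2.

! 1) RACL: bound to the SVI, evaluated only for traffic that is routed,
!    in either direction. Allows ICMP from VLAN 10 to VLAN 20 and logs
!    everything else that tries to cross between the subnets.
ip access-list extended RACL-VLAN10-IN
 permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip   any any log
interface Vlan10
 ip address 192.168.1.254 255.255.255.0
 ip access-group RACL-VLAN10-IN in

! 2) VACL: bound to the VLAN itself, so it also sees switched traffic
!    between hosts in the same VLAN, which never reaches the SVI and
!    therefore never hits the RACL. Drops ICMP inside VLAN 10; the
!    second sequence forwards everything else (a VACL with no matching
!    entry would otherwise drop all traffic).
ip access-list extended VACL-ICMP-INTRA-VLAN10
 permit icmp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
vlan access-map VACL-VLAN10 10
 match ip address VACL-ICMP-INTRA-VLAN10
 action drop
vlan access-map VACL-VLAN10 20
 action forward
vlan filter VACL-VLAN10 vlan-list 10

! 3) PACL: bound to a physical switch port, inbound only, evaluated
!    before any VLAN or routing decision. Only frames sourced from
!    Server2's own address may enter on its port.
ip access-list extended PACL-GI0-2-IN
 permit ip host 192.168.1.2 any
 deny   ip   any any
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 ip access-group PACL-GI0-2-IN in

! Verification: the hit counters show which of the three layers
! actually dropped a packet.
! show ip access-lists
! show vlan access-map VACL-VLAN10
! show vlan filter
```

With this applied, the ping from Server1 to 192.168.1.2 in the check above would fail at the VACL while the pings to 192.168.2.x still pass the RACL, which is a quick way to confirm that the VACL, not the RACL, is what governs intra-VLAN traffic.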