一、实验目标理解扩展IP访问控制列表的原理及功能;掌握编号的扩展IP访问控制列表的配置方法;二、实验背景分公司和总公司分别属于不同的网段,部门之间用路由器进行信息传递,为了安全起见,分公司领导要求部门
.
一、实验目标
理解扩展IP访问控制列表的原理及功能;
掌握编号的扩展IP访问控制列表的配置方法;
二、实验背景
分公司和总公司分别属于不同的网段,部门之间用路由器进行信息传递,为了安全起见,分公司领导要求部门主机只能访问总公司服务器的WWW服务,不能对其使用ICMP服务。
三、技术原理
访问列表中定义的典型规则主要有以下:源地址、目标地址、上层协议、时间区域;
扩展IP访问列表(编号为100~199,2000~2699)使用以上四种组合来进行转发或阻断分组;可以根据数据包的源IP、目的IP、源端口、目的端口、协议来定义规则,进行数据包的过滤;
扩展IP访问列表的配置包括以下两步:
定义扩展IP访问列表
将扩展IP访问列表应用于特定接口上
四、实验步骤
实验步骤
1、分公司出口路由器与外部路由器之间通过V.35电缆串口连接,DCE端连接在R2上,配置其时钟频率64000;主机与路由器通过交叉线连接;
2、配置PC机、服务器及路由器接口IP地址;
3、在各路由器上配置静态路由协议,让PC间能互相ping通,因为只有在互通的前提下才能涉及到访问控制列表;
4、在R2上配置编号的IP扩展访问控制列表;
5、将扩展IP访问列表应用到接口上;
6、验证主机之间的互通性;
R1:
Router>enRouter#conf tEnter configuration commands, one per line. End with CNTL/Z.Router(config)#hostname R1R1(config)#int fa0/0R1(config-if)#ip add 192.168.1.1 255.255.255.0 //配置端口IP地址R1(config-if)#no shut%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to upR1(config-if)#exitR1(config)#int fa0/1R1(config-if)#ip add 192.168.2.1 255.255.255.0 //配置端口IP地址R1(config-if)#no shutR1(config-if)#%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to upR1(config-if)#exitR1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2 //配置default routeR1(config)#endR1#%SYS-5-CONFIG_I: Configured from console by consoleR1#show ip route //查看路由表Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static routeGateway of last resort is 192.168.2.2 to network 0.0.0.0C 192.168.1.0/24 is directly connected, FastEthernet0/0C 192.168.2.0/24 is directly connected, FastEthernet0/1S* 0.0.0.0/0 [1/0] via 192.168.2.2R1#R1#show runBuilding configuration...Current configuration : 510 bytes!version 12.4no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname R1!...!interface FastEthernet0/0 ip address 192.168.1.1 255.255.255.0 duplex auto speed auto!interface FastEthernet0/1 ip address 192.168.2.1 255.255.255.0 duplex auto speed auto!interface Vlan1 no ip address shutdown!ip classlessip route 0.0.0.0 0.0.0.0 192.168.2.2 !...!line con 0line vty 0 4 login!!!endR1#
R2:
Router>enRouter#conf tEnter configuration commands, one per line. End with CNTL/Z.Router(config)#hostname R2R2(config)#int fa0/0R2(config-if)#ip add 192.168.2.2 255.255.255.0 //配置端口IP地址R2(config-if)#no shut%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to upR2(config-if)#exitR2(config)#int s2/0R2(config-if)#ip add 192.168.3.1 255.255.255.0 //配置端口IP地址R2(config-if)#no shut%LINK-5-CHANGED: Interface Serial2/0, changed state to downR2(config-if)#clock rate 64000 //配置时钟频率R2(config-if)#%LINK-5-CHANGED: Interface Serial2/0, changed state to up%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to upR2(config-if)#exitR2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1 //配置目标网段1.0的静态路由R2(config)#ip route 192.168.4.0 255.255.255.0 192.168.3.2 //配置目标网段4.0的静态路由R2(config)#endR2#%SYS-5-CONFIG_I: Configured from console by consoleR2#show ip routeCodes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static routeGateway of last resort is not setS 192.168.1.0/24 [1/0] via 192.168.2.1C 192.168.2.0/24 is directly connected, FastEthernet0/0C 192.168.3.0/24 is directly connected, Serial2/0S 192.168.4.0/24 [1/0] via 192.168.3.2R2#R2#conf tEnter configuration commands, one per line. End with CNTL/Z.R2(config)#acR2(config)#access-list ? <1-99> IP standard access list <100-199> IP extended access listR2(config)#access-list 100 ? deny Specify packets to reject permit Specify packets to forward remark Access list entry commentR2(config)#access-list 100 perR2(config)#access-list 100 permit ? eigrp Cisco's EIGRP routing protocol gre Cisco's GRE tunneling icmp Internet Control Message Protocol ip Any Internet Protocol ospf OSPF routing protocol tcp Transmission Control Protocol udp User Datagram ProtocolR2(config)#access-list 100 permit tcp ? //web服务使用的是tcp协议 A.B.C.D Source address any Any source host host A single source hostR2(config)#access-list 100 permit tcp host ? A.B.C.D Source addressR2(config)#access-list 100 permit tcp host 192.168.1.2 ? //源主机地址 A.B.C.D Destination address any Any destination host eq Match only packets on a given port number gt Match only packets with a greater port number host A single destination host lt Match only packets with a lower port number neq Match only packets not on a given port number range Match only packets in the range of port numbersR2(config)#access-list 100 permit tcp host 192.168.1.2 host ? A.B.C.D Destination addressR2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 ? //目标主机地址 dscp Match packets with given dscp value eq Match only packets on a given port number established established gt Match only packets with a greater port number lt Match only packets with a lower port number neq Match only packets not on a given port number precedence Match packets with given precedence value range Match only packets in the range of port numbers <cr>R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq ? <0-65535> Port number ftp File Transfer Protocol (21) pop3 Post Office Protocol v3 (110) smtp Simple Mail Transport Protocol (25) telnet Telnet (23) www World Wide Web (HTTP, 80)R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www ? //www服务 dscp Match packets with given dscp value established established precedence Match packets with given precedence value <cr>R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www R2(config)#R2(config)#access-list 100 deny ? eigrp Cisco's EIGRP routing protocol gre Cisco's GRE tunneling icmp Internet Control Message Protocol ip Any Internet Protocol ospf OSPF routing protocol tcp Transmission Control Protocol udp User Datagram ProtocolR2(config)#access-list 100 deny icmp ? //禁止icmp协议,也就是ping使用的协议 A.B.C.D Source address any Any source host host A single source hostR2(config)#access-list 100 deny icmp host ? A.B.C.D Source addressR2(config)#access-list 100 deny icmp host 192.168.1.2 ? A.B.C.D Destination address any Any destination host host A single destination hostR2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 ? <0-256> type-num echo echo echo-reply echo-reply host-unreachable host-unreachable net-unreachable net-unreachable port-unreachable port-unreachable protocol-unreachable protocol-unreachable ttl-exceeded ttl-exceeded unreachable unreachable <cr>R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo ? <cr>R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo R2(config)#R2(config)#int s2/0R2(config-if)#? bandwidth Set bandwidth informational parameter cdp CDP interface subcommands clock Configure serial interface clock crypto Encryption/Decryption commands custom-queue-list Assign a custom queue list to an interface delay Specify interface throughput delay description Interface specific description encapsulation Set encapsulation type for an interface exit Exit from interface configuration mode fair-queue Enable Fair Queuing on an Interface frame-relay Set frame relay parameters hold-queue Set hold queue depth ip Interface Internet Protocol config commands keepalive Enable keepalive mtu Set the interface Maximum Transmission Unit (MTU) no Negate a command or set its defaults ppp Point-to-Point Protocol priority-group Assign a priority group to an interface service-policy Configure QoS Service Policy shutdown Shutdown the selected interface tx-ring-limit Configure PA level transmit ring limit zone-member Apply zone nameR2(config-if)#ip ? access-group Specify access control for packets address Set the IP address of an interface hello-interval Configures IP-EIGRP hello interval helper-address Specify a destination address for UDP broadcasts inspect Apply inspect name ips Create IPS rule mtu Set IP Maximum Transmission Unit nat NAT interface commands ospf OSPF interface commands split-horizon Perform split horizon summary-address Perform address summarization virtual-reassembly Virtual ReassemblyR2(config-if)#ip acR2(config-if)#ip access-group ? <1-199> IP access list (standard or extended) WORD Access-list nameR2(config-if)#ip access-group 100 ? in inbound packets out outbound packetsR2(config-if)#ip access-group 100 out ? <cr>R2(config-if)#ip access-group 100 out //将控制列表应用于s2/0端口R2(config-if)#R2(config-if)#R2(config-if)#endR2#%SYS-5-CONFIG_I: Configured from console by consoleR2#show runR2#show running-config Building configuration...Current configuration : 901 bytes!version 12.2no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname R2!...!interface FastEthernet0/0 ip address 192.168.2.2 255.255.255.0 duplex auto speed auto!interface FastEthernet1/0 no ip address duplex auto speed auto shutdown!interface Serial2/0 ip address 192.168.3.1 255.255.255.0 ip access-group 100 out clock rate 64000!interface Serial3/0 no ip address shutdown!interface FastEthernet4/0 no ip address shutdown!interface FastEthernet5/0 no ip address shutdown!ip classlessip route 192.168.1.0 255.255.255.0 192.168.2.1 ip route 192.168.4.0 255.255.255.0 192.168.3.2 !!access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq wwwaccess-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo!...!line con 0line vty 0 4 login!!!endR2#
R3:
Router>enRouter#conf tEnter configuration commands, one per line. End with CNTL/Z.Router(config)#hostname R3R3(config)#int fa0/0R3(config-if)#ip add 192.168.4.1 255.255.255.0R3(config-if)#no shut%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to upR3(config-if)#exitR3(config)#int s2/0R3(config-if)#ip add 192.168.3.2 255.255.255.0R3(config-if)#no shut%LINK-5-CHANGED: Interface Serial2/0, changed state to upR3(config-if)#R3(config-if)#%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to upR3(config-if)#exitR3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.1R3(config)#endR3#%SYS-5-CONFIG_I: Configured from console by consoleR3#show ip routeCodes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static routeGateway of last resort is 192.168.3.1 to network 0.0.0.0C 192.168.3.0/24 is directly connected, Serial2/0C 192.168.4.0/24 is directly connected, FastEthernet0/0S* 0.0.0.0/0 [1/0] via 192.168.3.1R3#R3#R3#show runBuilding configuration...Current configuration : 667 bytes!version 12.2no service timestamps log datetime msecno service timestamps debug datetime msecno service password-encryption!hostname R3!...!interface FastEthernet0/0 ip address 192.168.4.1 255.255.255.0 duplex auto speed auto!interface FastEthernet1/0 no ip address duplex auto speed auto shutdown!interface Serial2/0 ip address 192.168.3.2 255.255.255.0!interface Serial3/0 no ip address shutdown!interface FastEthernet4/0 no ip address shutdown!interface FastEthernet5/0 no ip address shutdown!ip classlessip route 0.0.0.0 0.0.0.0 192.168.3.1 !...!line con 0line vty 0 4 login!!!endR3#
PC1:
Packet Tracer PC Command Line 1.0PC>ipconfigIP Address......................: 192.168.1.2Subnet Mask.....................: 255.255.255.0Default Gateway.................: 192.168.1.1PC>ping 192.168.4.2Pinging 192.168.4.2 with 32 bytes of data:Request timed out.Request timed out.Reply from 192.168.4.2: bytes=32 time=18ms TTL=125 //ACL前Reply from 192.168.4.2: bytes=32 time=12ms TTL=125Ping statistics for 192.168.4.2: Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),Approximate round trip times in milli-seconds: Minimum = 12ms, Maximum = 18ms, Average = 15msPC>ping 192.168.4.2Pinging 192.168.4.2 with 32 bytes of data:Reply from 192.168.2.2: Destination host unreachable. //ACL后Reply from 192.168.2.2: Destination host unreachable.Reply from 192.168.2.2: Destination host unreachable.Reply from 192.168.2.2: Destination host unreachable.Ping statistics for 192.168.4.2: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),PC>
PC1-WEB测试:
ACL前后都可以访问web服务
转至:http://www.cnblogs.com/mchina/archive/2012/07/22/2603786.html
.