一、实验目标
- 理解标准IP访问控制列表的原理及功能;
- 掌握编号的标准IP访问控制列表的配置方法;
二、实验背景
公司的经理部、财务部和销售部分别属于不同的3个网段,三部门之间用路由器进行信息传递,为了安全起见,公司领导要求销售部不能对财务部进行访问,但经理部可以对财务部进行访问。
三、技术原理
ACLs的全称为接入控制列表(Access Control Lists),也称为访问列表(Access List),俗称为防火墙,在有的文档中还称之为包过滤。ACLs通过定义一些规则对网络设备接口上的数据报文进行控制:允许通过或丢弃,从而提高网络可管理性和安全性;
IP ACL分为两种:标准IP访问列表和扩展IP访问列表,编号范围分别为1~99、1300~1999,100~199、2000~2699;
标准IP访问列表可以根据数据包的源IP地址定义规则,进行数据包的过滤;
扩展IP访问列表可以根据数据包的源IP、目的IP、源端口、目的端口、协议来定义规则,进行数据包的过滤;
IP ACL基于接口进行规则的应用,分为:入栈应用和出栈应用;
四、实验步骤
实验拓扑
1、路由器之间通过V.35电缆串口连接,DCE端连接在R1上,配置其时间频率为64000;主机与路由器通过交叉线连接;
2、配置路由器接口IP地址;
3、在路由器上配置OSPF路由协议,让三台PC 能相互ping通,因为只有在互通的前提下才能涉及到访问控制列表;
4、在R1上配置编号的IP标准访问控制列表;
5、将标准IP访问列表应用到接口上;
6、验证主机之间的互通性;
R1:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fa1/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R1(config-if)#exit
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.2.1 255.255.255.0
R1(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#int se2/0
R1(config-if)#clock rate 64000
R1(config-if)#ip add 192.168.3.1 255.255.255.0
R1(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
R1(config-if)#exit
R1(config)#
R1(config)#router ospf 1
R1(config-router)#network 192.168.1.0 0.0.0.255 area 0
R1(config-router)#network 192.168.2.0 0.0.0.255 area 0
R1(config-router)#network 192.168.3.0 0.0.0.255 area 0
R1(config-router)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.1.0/24 is directly connected, FastEthernet1/0
C 192.168.2.0/24 is directly connected, FastEthernet0/0
R1#
R1#
R1#show ip route //两台路由器配置好后的路由信息
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.1.0/24 is directly connected, FastEthernet1/0
C 192.168.2.0/24 is directly connected, FastEthernet0/0
C 192.168.3.0/24 is directly connected, Serial2/0
O 192.168.4.0/24 [110/782] via 192.168.3.2, 00:00:15, Serial2/0
R1#
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip ?
access-list Named access-list
default-network Flags networks as candidates for default routes
dhcp Configure DHCP server and relay parameters
domain IP DNS Resolver
domain-lookup Enable IP Domain Name System hostname translation
domain-name Define the default domain name
forward-protocol Controls forwarding of physical and directed IP broadcasts
host Add an entry to the ip hostname table
name-server Specify address of name server to use
nat NAT configuration commands
route Establish static routes
tcp Global TCP parameters
R1(config)#ip ac
R1(config)#ip access-list ?
extended Extended Access List
standard Standard Access List
R1(config)#ip access-list sta
R1(config)#ip access-list standard ?
<1-99> Standard IP access-list number
WORD Access-list name
R1(config)#ip access-list standard david ?
<cr>
R1(config)#ip access-list standard david //配置名为david的IP标准访问控制列表
R1(config-std-nacl)#?
default Set a command to its defaults
deny Specify packets to reject
exit Exit from access-list configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
remark Access list entry comment
R1(config-std-nacl)#permit 192.168.1.0 ?
A.B.C.D Wildcard bits
<cr>
R1(config-std-nacl)#permit 192.168.1.0 0.0.0.255 ?
<cr>
R1(config-std-nacl)#permit 192.168.1.0 0.0.0.255 //允许192.168.1.0网段通过
R1(config-std-nacl)#deny ?
A.B.C.D Address to match
any Any source host
host A single host address
R1(config-std-nacl)#deny 192.168.2.0 ?
A.B.C.D Wildcard bits
<cr>
R1(config-std-nacl)#deny 192.168.2.0 0.0.0.255 ?
<cr>
R1(config-std-nacl)#deny 192.168.2.0 0.0.0.255 //禁止192.168.2.0网段通过
R1(config-std-nacl)#exit
R1(config)#inter
R1(config)#interface se2/0
R1(config-if)#?
bandwidth Set bandwidth informational parameter
cdp CDP interface subcommands
clock Configure serial interface clock
crypto Encryption/Decryption commands
custom-queue-list Assign a custom queue list to an interface
delay Specify interface throughput delay
description Interface specific description
encapsulation Set encapsulation type for an interface
exit Exit from interface configuration mode
fair-queue Enable Fair Queuing on an Interface
frame-relay Set frame relay parameters
hold-queue Set hold queue depth
ip Interface Internet Protocol config commands
keepalive Enable keepalive
mtu Set the interface Maximum Transmission Unit (MTU)
no Negate a command or set its defaults
ppp Point-to-Point Protocol
priority-group Assign a priority group to an interface
service-policy Configure QoS Service Policy
shutdown Shutdown the selected interface
tx-ring-limit Configure PA level transmit ring limit
zone-member Apply zone name
R1(config-if)#ip ?
access-group Specify access control for packets
address Set the IP address of an interface
hello-interval Configures IP-EIGRP hello interval
helper-address Specify a destination address for UDP broadcasts
inspect Apply inspect name
ips Create IPS rule
mtu Set IP Maximum Transmission Unit
nat NAT interface commands
ospf OSPF interface commands
split-horizon Perform split horizon
summary-address Perform address summarization
virtual-reassembly Virtual Reassembly
R1(config-if)#ip ac
R1(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
WORD Access-list name
R1(config-if)#ip access-group david ?
in inbound packets
out outbound packets
R1(config-if)#ip access-group david out ?
<cr>
R1(config-if)#ip access-group david out //将名为david的IP标准访问控制列表应用到se2/0端口
R1(config-if)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show running-config
Building configuration...
Current configuration : 928 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
...
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial2/0
ip address 192.168.3.1 255.255.255.0
ip access-group david out
clock rate 64000
!
interface Serial3/0
no ip address
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
!
ip classless
!
!
ip access-list standard david
permit 192.168.1.0 0.0.0.255
deny 192.168.2.0 0.0.0.255
!
...
!
line con 0
line vty 0 4
login
!
!
!
end
R1#
R2:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#int fa0/0
R2(config-if)#ip add 192.168.4.1 255.255.255.0
R2(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
R2(config)#int se2/0
R2(config-if)#ip add 192.168.3.2 255.255.255.0
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
R2(config-if)#exit
R2(config)#router ospf 1
R2(config-router)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R2(config-router)#network 192.168.3.0 0.0.0.255 area 0
R2(config-router)#network 192.168.4.0 0.0.0.255 area 0
00:11:23: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.3.1 on Serial2/0 from LOADING to FULL, Loading Do
R2(config-router)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
O 192.168.1.0/24 [110/782] via 192.168.3.1, 00:00:09, Serial2/0
O 192.168.2.0/24 [110/782] via 192.168.3.1, 00:00:09, Serial2/0
C 192.168.3.0/24 is directly connected, Serial2/0
C 192.168.4.0/24 is directly connected, FastEthernet0/0
R2#
五、测试
PC1:
Packet Tracer PC Command Line 1.0
PC>ipconfig
IP Address......................: 192.168.1.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.1
PC>ping 192.168.4.2 //ACL前
Pinging 192.168.4.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.4.2: bytes=32 time=15ms TTL=126
Reply from 192.168.4.2: bytes=32 time=9ms TTL=126
Reply from 192.168.4.2: bytes=32 time=15ms TTL=126
Ping statistics for 192.168.4.2:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 9ms, Maximum = 15ms, Average = 13ms
PC>ping 192.168.4.2 //ACL后
Pinging 192.168.4.2 with 32 bytes of data:
Reply from 192.168.4.2: bytes=32 time=10ms TTL=126
Reply from 192.168.4.2: bytes=32 time=9ms TTL=126
Reply from 192.168.4.2: bytes=32 time=16ms TTL=126
Reply from 192.168.4.2: bytes=32 time=13ms TTL=126
Ping statistics for 192.168.4.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 9ms, Maximum = 16ms, Average = 12ms
PC>
PC2:
Packet Tracer PC Command Line 1.0
PC>ipconfig
IP Address......................: 192.168.2.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.2.1
PC>ping 192.168.4.2 //ACL前
Pinging 192.168.4.2 with 32 bytes of data:
Reply from 192.168.4.2: bytes=32 time=17ms TTL=126
Reply from 192.168.4.2: bytes=32 time=10ms TTL=126
Reply from 192.168.4.2: bytes=32 time=11ms TTL=126
Reply from 192.168.4.2: bytes=32 time=9ms TTL=126
Ping statistics for 192.168.4.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 9ms, Maximum = 17ms, Average = 11ms
PC>ping 192.168.4.2 //ACL后
Pinging 192.168.4.2 with 32 bytes of data:
Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.
Ping statistics for 192.168.4.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>