一、实验目标
- 理解扩展IP访问控制列表的原理及功能;
- 掌握编号的扩展IP访问控制列表的配置方法;
二、实验背景
分公司和总公司分别属于不同的网段,部门之间用路由器进行信息传递,为了安全起见,分公司领导要求部门主机只能访问总公司服务器的WWW服务,不能对其使用ICMP服务。
三、技术原理
访问列表中定义的典型规则主要有以下:源地址、目标地址、上层协议、时间区域;
扩展IP访问列表(编号为100~199,2000~2699)使用以上四种组合来进行转发或阻断分组;可以根据数据包的源IP、目的IP、源端口、目的端口、协议来定义规则,进行数据包的过滤;
扩展IP访问列表的配置包括以下两步:
- 定义扩展IP访问列表
- 将扩展IP访问列表应用于特定接口上
四、实验步骤
实验步骤
1、分公司出口路由器与外部路由器之间通过V.35电缆串口连接,DCE端连接在R2上,配置其时钟频率64000;主机与路由器通过交叉线连接;
2、配置PC机、服务器及路由器接口IP地址;
3、在各路由器上配置静态路由协议,让PC间能互相ping通,因为只有在互通的前提下才能涉及到访问控制列表;
4、在R2上配置编号的IP扩展访问控制列表;
5、将扩展IP访问列表应用到接口上;
6、验证主机之间的互通性;
R1:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0 //配置端口IP地址
R1(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip add 192.168.2.1 255.255.255.0 //配置端口IP地址
R1(config-if)#no shut
R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2 //配置default route
R1(config)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show ip route //查看路由表
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.2.2 to network 0.0.0.0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 192.168.2.2
R1#
R1#show run
Building configuration...
Current configuration : 510 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
...
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.2
!
...
!
line con 0
line vty 0 4
login
!
!
!
end
R1#
R2:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#int fa0/0
R2(config-if)#ip add 192.168.2.2 255.255.255.0 //配置端口IP地址
R2(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
R2(config)#int s2/0
R2(config-if)#ip add 192.168.3.1 255.255.255.0 //配置端口IP地址
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
R2(config-if)#clock rate 64000 //配置时钟频率
R2(config-if)#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R2(config-if)#exit
R2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1 //配置目标网段1.0的静态路由
R2(config)#ip route 192.168.4.0 255.255.255.0 192.168.3.2 //配置目标网段4.0的静态路由
R2(config)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
S 192.168.1.0/24 [1/0] via 192.168.2.1
C 192.168.2.0/24 is directly connected, FastEthernet0/0
C 192.168.3.0/24 is directly connected, Serial2/0
S 192.168.4.0/24 [1/0] via 192.168.3.2
R2#
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ac
R2(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
R2(config)#access-list 100 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
R2(config)#access-list 100 per
R2(config)#access-list 100 permit ?
eigrp Cisco's EIGRP routing protocol
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
R2(config)#access-list 100 permit tcp ? //web服务使用的是tcp协议
A.B.C.D Source address
any Any source host
host A single source host
R2(config)#access-list 100 permit tcp host ?
A.B.C.D Source address
R2(config)#access-list 100 permit tcp host 192.168.1.2 ? //源主机地址
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
R2(config)#access-list 100 permit tcp host 192.168.1.2 host ?
A.B.C.D Destination address
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 ? //目标主机地址
dscp Match packets with given dscp value
eq Match only packets on a given port number
established established
gt Match only packets with a greater port number
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
<cr>
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq ?
<0-65535> Port number
ftp File Transfer Protocol (21)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
telnet Telnet (23)
www World Wide Web (HTTP, 80)
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www ? //www服务
dscp Match packets with given dscp value
established established
precedence Match packets with given precedence value
<cr>
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
R2(config)#
R2(config)#access-list 100 deny ?
eigrp Cisco's EIGRP routing protocol
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
R2(config)#access-list 100 deny icmp ? //禁止icmp协议,也就是ping使用的协议
A.B.C.D Source address
any Any source host
host A single source host
R2(config)#access-list 100 deny icmp host ?
A.B.C.D Source address
R2(config)#access-list 100 deny icmp host 192.168.1.2 ?
A.B.C.D Destination address
any Any destination host
host A single destination host
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 ?
<0-256> type-num
echo echo
echo-reply echo-reply
host-unreachable host-unreachable
net-unreachable net-unreachable
port-unreachable port-unreachable
protocol-unreachable protocol-unreachable
ttl-exceeded ttl-exceeded
unreachable unreachable
<cr>
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo ?
<cr>
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
R2(config)#
R2(config)#int s2/0
R2(config-if)#?
bandwidth Set bandwidth informational parameter
cdp CDP interface subcommands
clock Configure serial interface clock
crypto Encryption/Decryption commands
custom-queue-list Assign a custom queue list to an interface
delay Specify interface throughput delay
description Interface specific description
encapsulation Set encapsulation type for an interface
exit Exit from interface configuration mode
fair-queue Enable Fair Queuing on an Interface
frame-relay Set frame relay parameters
hold-queue Set hold queue depth
ip Interface Internet Protocol config commands
keepalive Enable keepalive
mtu Set the interface Maximum Transmission Unit (MTU)
no Negate a command or set its defaults
ppp Point-to-Point Protocol
priority-group Assign a priority group to an interface
service-policy Configure QoS Service Policy
shutdown Shutdown the selected interface
tx-ring-limit Configure PA level transmit ring limit
zone-member Apply zone name
R2(config-if)#ip ?
access-group Specify access control for packets
address Set the IP address of an interface
hello-interval Configures IP-EIGRP hello interval
helper-address Specify a destination address for UDP broadcasts
inspect Apply inspect name
ips Create IPS rule
mtu Set IP Maximum Transmission Unit
nat NAT interface commands
ospf OSPF interface commands
split-horizon Perform split horizon
summary-address Perform address summarization
virtual-reassembly Virtual Reassembly
R2(config-if)#ip ac
R2(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
WORD Access-list name
R2(config-if)#ip access-group 100 ?
in inbound packets
out outbound packets
R2(config-if)#ip access-group 100 out ?
<cr>
R2(config-if)#ip access-group 100 out //将控制列表应用于s2/0端口
R2(config-if)#
R2(config-if)#
R2(config-if)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#show run
R2#show running-config
Building configuration...
Current configuration : 901 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
...
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface Serial2/0
ip address 192.168.3.1 255.255.255.0
ip access-group 100 out
clock rate 64000
!
interface Serial3/0
no ip address
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.2.1
ip route 192.168.4.0 255.255.255.0 192.168.3.2
!
!
access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
!
...
!
line con 0
line vty 0 4
login
!
!
!
end
R2#
R3:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R3
R3(config)#int fa0/0
R3(config-if)#ip add 192.168.4.1 255.255.255.0
R3(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#exit
R3(config)#int s2/0
R3(config-if)#ip add 192.168.3.2 255.255.255.0
R3(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
R3(config-if)#
R3(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.1
R3(config)#end
R3#
%SYS-5-CONFIG_I: Configured from console by console
R3#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
C 192.168.3.0/24 is directly connected, Serial2/0
C 192.168.4.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.3.1
R3#
R3#
R3#show run
Building configuration...
Current configuration : 667 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R3
!
...
!
interface FastEthernet0/0
ip address 192.168.4.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface Serial2/0
ip address 192.168.3.2 255.255.255.0
!
interface Serial3/0
no ip address
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
!
...
!
line con 0
line vty 0 4
login
!
!
!
end
R3#
PC1:
Packet Tracer PC Command Line 1.0
PC>ipconfig
IP Address......................: 192.168.1.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.1
PC>ping 192.168.4.2
Pinging 192.168.4.2 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 192.168.4.2: bytes=32 time=18ms TTL=125 //ACL前
Reply from 192.168.4.2: bytes=32 time=12ms TTL=125
Ping statistics for 192.168.4.2:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 12ms, Maximum = 18ms, Average = 15ms
PC>ping 192.168.4.2
Pinging 192.168.4.2 with 32 bytes of data:
Reply from 192.168.2.2: Destination host unreachable. //ACL后
Reply from 192.168.2.2: Destination host unreachable.
Reply from 192.168.2.2: Destination host unreachable.
Reply from 192.168.2.2: Destination host unreachable.
Ping statistics for 192.168.4.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>
PC1-WEB测试:
ACL前后都可以访问web服务