zoukankan      html  css  js  c++  java
  • Packet Tracer 5.2实验(十三) 扩展IP访问控制列表配置

    一、实验目标

    • 理解扩展IP访问控制列表的原理及功能;
    • 掌握编号的扩展IP访问控制列表的配置方法;

    二、实验背景

    分公司和总公司分别属于不同的网段,部门之间用路由器进行信息传递,为了安全起见,分公司领导要求部门主机只能访问总公司服务器的WWW服务,不能对其使用ICMP服务。

    三、技术原理

    访问列表中定义的典型规则主要有以下:源地址、目标地址、上层协议、时间区域;

    扩展IP访问列表(编号为100~199,2000~2699)使用以上四种组合来进行转发或阻断分组;可以根据数据包的源IP、目的IP、源端口、目的端口、协议来定义规则,进行数据包的过滤;

    扩展IP访问列表的配置包括以下两步:

    • 定义扩展IP访问列表
    • 将扩展IP访问列表应用于特定接口上

    四、实验步骤

    实验步骤

    1、分公司出口路由器与外部路由器之间通过V.35电缆串口连接,DCE端连接在R2上,配置其时钟频率64000;主机与路由器通过交叉线连接;

    2、配置PC机、服务器及路由器接口IP地址;

    3、在各路由器上配置静态路由协议,让PC间能互相ping通,因为只有在互通的前提下才能涉及到访问控制列表;

    4、在R2上配置编号的IP扩展访问控制列表;

    5、将扩展IP访问列表应用到接口上;

    6、验证主机之间的互通性;

    R1:

    Router>en
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R1
    R1(config)#int fa0/0
    R1(config-if)#ip add 192.168.1.1 255.255.255.0                    //配置端口IP地址
    R1(config-if)#no shut
    
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R1(config-if)#exit
    R1(config)#int fa0/1
    R1(config-if)#ip add 192.168.2.1 255.255.255.0                    //配置端口IP地址
    R1(config-if)#no shut
    
    R1(config-if)#
    %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
    R1(config-if)#exit
    R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2                   //配置default route
    R1(config)#end
    R1#
    %SYS-5-CONFIG_I: Configured from console by console
    R1#show ip route                                                  //查看路由表
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    
    Gateway of last resort is 192.168.2.2 to network 0.0.0.0
    
    C    192.168.1.0/24 is directly connected, FastEthernet0/0
    C    192.168.2.0/24 is directly connected, FastEthernet0/1
    S*   0.0.0.0/0 [1/0] via 192.168.2.2
    R1#
    R1#show run
    Building configuration...

    Current configuration : 510 bytes
    !
    version 12.4
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname R1
    !
    ...
    !
    interface FastEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 192.168.2.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface Vlan1
     no ip address
     shutdown
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.2.2
    !
    ...
    !
    line con 0
    line vty 0 4
     login
    !
    !
    !
    end


    R1#

    R2:

    Router>en
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R2
    R2(config)#int fa0/0
    R2(config-if)#ip add 192.168.2.2 255.255.255.0                    //配置端口IP地址
    R2(config-if)#no shut
    
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R2(config-if)#exit
    R2(config)#int s2/0
    R2(config-if)#ip add 192.168.3.1 255.255.255.0                    //配置端口IP地址
    R2(config-if)#no shut
    
    %LINK-5-CHANGED: Interface Serial2/0, changed state to down
    R2(config-if)#clock rate 64000                                    //配置时钟频率
    R2(config-if)#
    %LINK-5-CHANGED: Interface Serial2/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
    R2(config-if)#exit
    R2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1         //配置目标网段1.0的静态路由
    R2(config)#ip route 192.168.4.0 255.255.255.0 192.168.3.2         //配置目标网段4.0的静态路由
    R2(config)#end
    R2#
    %SYS-5-CONFIG_I: Configured from console by console
    R2#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    
    Gateway of last resort is not set
    
    S    192.168.1.0/24 [1/0] via 192.168.2.1
    C    192.168.2.0/24 is directly connected, FastEthernet0/0
    C    192.168.3.0/24 is directly connected, Serial2/0
    S    192.168.4.0/24 [1/0] via 192.168.3.2
    R2#
    R2#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R2(config)#ac
    R2(config)#access-list ?
      <1-99>     IP standard access list
      <100-199>  IP extended access list
    R2(config)#access-list 100 ?
      deny    Specify packets to reject
      permit  Specify packets to forward
      remark  Access list entry comment
    R2(config)#access-list 100 per
    R2(config)#access-list 100 permit ?
      eigrp  Cisco's EIGRP routing protocol
      gre    Cisco's GRE tunneling
      icmp   Internet Control Message Protocol
      ip     Any Internet Protocol
      ospf   OSPF routing protocol
      tcp    Transmission Control Protocol
      udp    User Datagram Protocol
    R2(config)#access-list 100 permit tcp ? //web服务使用的是tcp协议
      A.B.C.D  Source address
      any      Any source host
      host     A single source host
    R2(config)#access-list 100 permit tcp host ?
      A.B.C.D  Source address
    R2(config)#access-list 100 permit tcp host 192.168.1.2 ? //源主机地址
      A.B.C.D  Destination address
      any      Any destination host
      eq       Match only packets on a given port number
      gt       Match only packets with a greater port number
      host     A single destination host
      lt       Match only packets with a lower port number
      neq      Match only packets not on a given port number
      range    Match only packets in the range of port numbers
    R2(config)#access-list 100 permit tcp host 192.168.1.2 host ?
      A.B.C.D  Destination address
    R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 ? //目标主机地址
      dscp         Match packets with given dscp value
      eq           Match only packets on a given port number
      established  established
      gt           Match only packets with a greater port number
      lt           Match only packets with a lower port number
      neq          Match only packets not on a given port number
      precedence   Match packets with given precedence value
      range        Match only packets in the range of port numbers
      <cr>
    R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq ?
      <0-65535>  Port number
      ftp        File Transfer Protocol (21)
      pop3       Post Office Protocol v3 (110)
      smtp       Simple Mail Transport Protocol (25)
      telnet     Telnet (23)
      www        World Wide Web (HTTP, 80)
    R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www ? //www服务
      dscp         Match packets with given dscp value
      established  established
      precedence   Match packets with given precedence value
      <cr>
    R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
    R2(config)#
    R2(config)#access-list 100 deny ?
      eigrp  Cisco's EIGRP routing protocol
      gre    Cisco's GRE tunneling
      icmp   Internet Control Message Protocol
      ip     Any Internet Protocol
      ospf   OSPF routing protocol
      tcp    Transmission Control Protocol
      udp    User Datagram Protocol
    R2(config)#access-list 100 deny icmp ? //禁止icmp协议,也就是ping使用的协议
      A.B.C.D  Source address
      any      Any source host
      host     A single source host
    R2(config)#access-list 100 deny icmp host ?
      A.B.C.D  Source address
    R2(config)#access-list 100 deny icmp host 192.168.1.2 ?
      A.B.C.D  Destination address
      any      Any destination host
      host     A single destination host
    R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 ?
      <0-256>               type-num
      echo                  echo
      echo-reply            echo-reply
      host-unreachable      host-unreachable
      net-unreachable       net-unreachable
      port-unreachable      port-unreachable
      protocol-unreachable  protocol-unreachable
      ttl-exceeded          ttl-exceeded
      unreachable           unreachable
      <cr>
    R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo ?
      <cr>
    R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
    R2(config)#
    R2(config)#int s2/0
    R2(config-if)#?
      bandwidth          Set bandwidth informational parameter
      cdp                CDP interface subcommands
      clock              Configure serial interface clock
      crypto             Encryption/Decryption commands
      custom-queue-list  Assign a custom queue list to an interface
      delay              Specify interface throughput delay
      description        Interface specific description
      encapsulation      Set encapsulation type for an interface
      exit               Exit from interface configuration mode
      fair-queue         Enable Fair Queuing on an Interface
      frame-relay        Set frame relay parameters
      hold-queue         Set hold queue depth
      ip                 Interface Internet Protocol config commands
      keepalive          Enable keepalive
      mtu                Set the interface Maximum Transmission Unit (MTU)
      no                 Negate a command or set its defaults
      ppp                Point-to-Point Protocol
      priority-group     Assign a priority group to an interface
      service-policy     Configure QoS Service Policy
      shutdown           Shutdown the selected interface
      tx-ring-limit      Configure PA level transmit ring limit
      zone-member        Apply zone name
    R2(config-if)#ip ?
      access-group        Specify access control for packets
      address             Set the IP address of an interface
      hello-interval      Configures IP-EIGRP hello interval
      helper-address      Specify a destination address for UDP broadcasts
      inspect             Apply inspect name
      ips                 Create IPS rule
      mtu                 Set IP Maximum Transmission Unit
      nat                 NAT interface commands
      ospf                OSPF interface commands
      split-horizon       Perform split horizon
      summary-address     Perform address summarization
      virtual-reassembly  Virtual Reassembly
    R2(config-if)#ip ac
    R2(config-if)#ip access-group ?
      <1-199>  IP access list (standard or extended)
      WORD     Access-list name
    R2(config-if)#ip access-group 100 ?
      in   inbound packets
      out  outbound packets
    R2(config-if)#ip access-group 100 out ?
      <cr>
    R2(config-if)#ip access-group 100 out //将控制列表应用于s2/0端口
    R2(config-if)#
    R2(config-if)#
    R2(config-if)#end
    R2#
    %SYS-5-CONFIG_I: Configured from console by console
    R2#show run
    R2#show running-config
    Building configuration...

    Current configuration : 901 bytes
    !
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname R2
    !
    ...
    !
    interface FastEthernet0/0
     ip address 192.168.2.2 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet1/0
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    interface Serial2/0
     ip address 192.168.3.1 255.255.255.0
     ip access-group 100 out
     clock rate 64000
    !
    interface Serial3/0
     no ip address
     shutdown
    !
    interface FastEthernet4/0
     no ip address
     shutdown
    !
    interface FastEthernet5/0
     no ip address
     shutdown
    !
    ip classless
    ip route 192.168.1.0 255.255.255.0 192.168.2.1
    ip route 192.168.4.0 255.255.255.0 192.168.3.2
    !
    !
    access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
    access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
    !
    ...
    !
    line con 0
    line vty 0 4
     login
    !
    !
    !
    end


    R2#

    R3:

    Router>en
    Router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R3
    R3(config)#int fa0/0
    R3(config-if)#ip add 192.168.4.1 255.255.255.0
    R3(config-if)#no shut
    
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R3(config-if)#exit
    R3(config)#int s2/0
    R3(config-if)#ip add 192.168.3.2 255.255.255.0
    R3(config-if)#no shut
    
    %LINK-5-CHANGED: Interface Serial2/0, changed state to up
    R3(config-if)#
    R3(config-if)#
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
    R3(config-if)#exit
    R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.1
    R3(config)#end
    R3#
    %SYS-5-CONFIG_I: Configured from console by console
    R3#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    
    Gateway of last resort is 192.168.3.1 to network 0.0.0.0
    
    C    192.168.3.0/24 is directly connected, Serial2/0
    C    192.168.4.0/24 is directly connected, FastEthernet0/0
    S*   0.0.0.0/0 [1/0] via 192.168.3.1
    R3#
    R3#
    R3#show run
    Building configuration...

    Current configuration : 667 bytes
    !
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname R3
    !
    ...
    !
    interface FastEthernet0/0
     ip address 192.168.4.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet1/0
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    interface Serial2/0
     ip address 192.168.3.2 255.255.255.0
    !
    interface Serial3/0
     no ip address
     shutdown
    !
    interface FastEthernet4/0
     no ip address
     shutdown
    !
    interface FastEthernet5/0
     no ip address
     shutdown
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.3.1
    !
    ...
    !
    line con 0
    line vty 0 4
     login
    !
    !
    !
    end


    R3#

    PC1:

    Packet Tracer PC Command Line 1.0
    PC>ipconfig
    
    IP Address......................: 192.168.1.2
    Subnet Mask.....................: 255.255.255.0
    Default Gateway.................: 192.168.1.1
    
    PC>ping 192.168.4.2
    
    Pinging 192.168.4.2 with 32 bytes of data:
    
    Request timed out.
    Request timed out.
    Reply from 192.168.4.2: bytes=32 time=18ms TTL=125                 //ACL前
    Reply from 192.168.4.2: bytes=32 time=12ms TTL=125
    
    Ping statistics for 192.168.4.2:
        Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 12ms, Maximum = 18ms, Average = 15ms
    
    PC>ping 192.168.4.2
    
    Pinging 192.168.4.2 with 32 bytes of data:
    
    Reply from 192.168.2.2: Destination host unreachable.              //ACL后
    Reply from 192.168.2.2: Destination host unreachable.
    Reply from 192.168.2.2: Destination host unreachable.
    Reply from 192.168.2.2: Destination host unreachable.
    
    Ping statistics for 192.168.4.2:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    
    PC>

    PC1-WEB测试:

    ACL前后都可以访问web服务

  • 相关阅读:
    根据实体中一个属性值查找实体数组中的所有实体并放到list中
    asp.net ajax 客户端框架未能加载 sys 未定义
    SYS_CONNECT_BY_PATH函数用法 ORACLE
    滚动条小结 平时容易忘记的小东西 JAVASCRIPT
    ORACLE 和 SQL 分别实现递归的方法
    JS 获取控件的绝对位置
    GridView内控件获取所在行的信息
    sql server 使用for xml path 将1列多行转换为字符串连接起来
    ORACLE 行转列 及函数定义
    子窗口刷新父窗口 javascript 并调用父窗口函数
  • 原文地址:https://www.cnblogs.com/mchina/p/2603786.html
Copyright © 2011-2022 走看看