1. Lab Objectives
- Understand the principles and functions of extended IP access control lists;
- Master the configuration method for numbered extended IP access control lists;
2. Lab Background
The branch office and the headquarters are on different network segments, and the departments exchange traffic through routers. For security reasons, branch management requires that department hosts can access only the WWW service on the headquarters server and must not be able to use the ICMP service against it.
3. Technical Principles
The typical rules defined in an access list are based on the following: source address, destination address, upper-layer protocol and time range;
An extended IP access list (numbered 100-199 or 2000-2699) uses combinations of the four items above to forward or block packets; rules can be defined on a packet's source IP, destination IP, source port, destination port and protocol to filter packets;
Configuring an extended IP access list takes two steps:
- Define the extended IP access list
- Apply the extended IP access list to a specific interface
4. Lab Procedure
1. The branch office edge router and the external router are connected over a V.35 serial cable; the DCE end is attached to R2, with its clock rate set to 64000; hosts are connected to the routers with crossover cables;
2. Configure the IP addresses of the PC, the server and the router interfaces;
3. Configure static routes on each router so that the PCs can ping each other, because access control lists only come into play once connectivity exists;
4. Configure a numbered extended IP access control list on R2;
5. Apply the extended IP access list to an interface;
6. Verify connectivity between the hosts;
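The following is an added example, not part of the original lab write-up: a small Python model of how IOS evaluates a numbered extended access list, applied to the two entries that step 4 configures on R2. It parses the ACE syntax shown in this lab (`host`, `eq www`, an ICMP type keyword) and, beyond what the page uses, the `any` and `A.B.C.D wildcard` address forms. The sample packets are constructed for the demonstration; the two ACL lines are taken from the R2 configuration. The point to take away is the implicit `deny ip any any` at the end of every list: the explicit ICMP deny is not what blocks PC1's ping, and everything except HTTP from PC1 to the server (HTTPS, DNS, traffic from any other branch host) is also dropped on s2/0 outbound.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# Port keywords IOS accepts after "eq" (the ones the "eq ?" help lists)
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}

@dataclass(frozen=True)
class Packet:
    # Constructed sample packet: only the fields an extended ACL inspects
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[str] = None   # e.g. "echo" or "echo-reply"

@dataclass(frozen=True)
class AddrMatch:
    # IOS address plus wildcard mask: wildcard bits set to 1 are "don't care"
    addr: int
    wildcard: int

    def matches(self, ip: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return ((int(IPv4Address(ip)) ^ self.addr) & care) == 0

def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    # Parse "any", "host A.B.C.D" or "A.B.C.D wildcard" starting at tokens[i]
    if tokens[i] == "any":
        return AddrMatch(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrMatch(int(IPv4Address(tokens[i + 1])), 0), i + 2
    return AddrMatch(int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2

@dataclass(frozen=True)
class Ace:
    # One access control entry of a numbered extended list
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp" or "icmp"
    src: AddrMatch
    dst: AddrMatch
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (self.src.matches(pkt.src) and self.dst.matches(pkt.dst)):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True

def parse_ace(line: str) -> Ace:
    # Parse e.g. "access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www"
    t = line.split()
    num = int(t[1])
    if t[0] != "access-list" or not (100 <= num <= 199 or 2000 <= num <= 2699):
        raise ValueError("not a numbered extended access list: " + line)
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    rest = t[i:]
    dport = icmp_type = None
    if proto in ("tcp", "udp") and rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif proto == "icmp" and rest:
        icmp_type = rest[0]           # ICMP type keyword such as "echo"
    return Ace(action, proto, src, dst, dport, icmp_type)

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    # Top-down, first match wins; no match falls through to the implicit
    # "deny ip any any" (reported as index None) that IOS appends to every list
    for idx, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, idx
    return "deny", None

# The two entries configured on R2 in this lab
ACL_100 = [parse_ace(l) for l in (
    "access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www",
    "access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo",
)]

# Constructed packets as they would leave R2 on s2/0 (the "out" direction)
SAMPLES: Dict[str, Packet] = {
    "pc1_http":        Packet("tcp", "192.168.1.2", "192.168.4.2", dport=80),
    "pc1_ping":        Packet("icmp", "192.168.1.2", "192.168.4.2", icmp_type="echo"),
    "pc1_https":       Packet("tcp", "192.168.1.2", "192.168.4.2", dport=443),
    "other_host_http": Packet("tcp", "192.168.1.3", "192.168.4.2", dport=80),
}

def decisions() -> Dict[str, str]:
    # Verdict for each sample packet
    return {name: evaluate(ACL_100, pkt)[0] for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        verdict, idx = evaluate(ACL_100, pkt)
        hit = f"entry {idx + 1}" if idx is not None else "implicit deny"
        print(f"{name:16s} {verdict:6s} ({hit})")
```

Two things the model makes visible that the lab transcript does not. First, because the list is applied outbound on s2/0 only, the server's replies (HTTP responses, ICMP echo-reply) enter R2 on s2/0 inbound and are never checked; the filtering is one-directional. Second, when R2 drops PC1's echo request it answers with an ICMP unreachable of its own, which is why the post-ACL ping output shows "Reply from 192.168.2.2: Destination host unreachable" (R2's fa0/0 address) rather than a timeout.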
R1:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0 // configure the interface IP address
R1(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip add 192.168.2.1 255.255.255.0 // configure the interface IP address
R1(config-if)#no shut
R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2 // configure the default route
R1(config)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show ip route // view the routing table
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.2.2 to network 0.0.0.0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 192.168.2.2
R1#
R1#show run
Building configuration...
Current configuration : 510 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
...
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.2
!
...
!
line con 0
line vty 0 4
login
!
!
!
end
R1#
R2:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#int fa0/0
R2(config-if)#ip add 192.168.2.2 255.255.255.0 // configure the interface IP address
R2(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
R2(config)#int s2/0
R2(config-if)#ip add 192.168.3.1 255.255.255.0 // configure the interface IP address
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
R2(config-if)#clock rate 64000 // configure the clock rate (DCE side)
R2(config-if)#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R2(config-if)#exit
R2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1 // static route to the 192.168.1.0 network
R2(config)#ip route 192.168.4.0 255.255.255.0 192.168.3.2 // static route to the 192.168.4.0 network
R2(config)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
S 192.168.1.0/24 [1/0] via 192.168.2.1
C 192.168.2.0/24 is directly connected, FastEthernet0/0
C 192.168.3.0/24 is directly connected, Serial2/0
S 192.168.4.0/24 [1/0] via 192.168.3.2
R2#
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ac
R2(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
R2(config)#access-list 100 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
R2(config)#access-list 100 per
R2(config)#access-list 100 permit ?
eigrp Cisco's EIGRP routing protocol
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
R2(config)#access-list 100 permit tcp ? // the web service runs over TCP
A.B.C.D Source address
any Any source host
host A single source host
R2(config)#access-list 100 permit tcp host ?
A.B.C.D Source address
R2(config)#access-list 100 permit tcp host 192.168.1.2 ? // source host address
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
R2(config)#access-list 100 permit tcp host 192.168.1.2 host ?
A.B.C.D Destination address
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 ? // destination host address
dscp Match packets with given dscp value
eq Match only packets on a given port number
established established
gt Match only packets with a greater port number
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
<cr>
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq ?
<0-65535> Port number
ftp File Transfer Protocol (21)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
telnet Telnet (23)
www World Wide Web (HTTP, 80)
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www ? // WWW service (TCP port 80)
dscp Match packets with given dscp value
established established
precedence Match packets with given precedence value
<cr>
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
R2(config)#
R2(config)#access-list 100 deny ?
eigrp Cisco's EIGRP routing protocol
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
R2(config)#access-list 100 deny icmp ? // block ICMP, the protocol ping uses
A.B.C.D Source address
any Any source host
host A single source host
R2(config)#access-list 100 deny icmp host ?
A.B.C.D Source address
R2(config)#access-list 100 deny icmp host 192.168.1.2 ?
A.B.C.D Destination address
any Any destination host
host A single destination host
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 ?
<0-256> type-num
echo echo
echo-reply echo-reply
host-unreachable host-unreachable
net-unreachable net-unreachable
port-unreachable port-unreachable
protocol-unreachable protocol-unreachable
ttl-exceeded ttl-exceeded
unreachable unreachable
<cr>
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo ?
<cr>
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
R2(config)#
R2(config)#int s2/0
R2(config-if)#?
bandwidth Set bandwidth informational parameter
cdp CDP interface subcommands
clock Configure serial interface clock
crypto Encryption/Decryption commands
custom-queue-list Assign a custom queue list to an interface
delay Specify interface throughput delay
description Interface specific description
encapsulation Set encapsulation type for an interface
exit Exit from interface configuration mode
fair-queue Enable Fair Queuing on an Interface
frame-relay Set frame relay parameters
hold-queue Set hold queue depth
ip Interface Internet Protocol config commands
keepalive Enable keepalive
mtu Set the interface Maximum Transmission Unit (MTU)
no Negate a command or set its defaults
ppp Point-to-Point Protocol
priority-group Assign a priority group to an interface
service-policy Configure QoS Service Policy
shutdown Shutdown the selected interface
tx-ring-limit Configure PA level transmit ring limit
zone-member Apply zone name
R2(config-if)#ip ?
access-group Specify access control for packets
address Set the IP address of an interface
hello-interval Configures IP-EIGRP hello interval
helper-address Specify a destination address for UDP broadcasts
inspect Apply inspect name
ips Create IPS rule
mtu Set IP Maximum Transmission Unit
nat NAT interface commands
ospf OSPF interface commands
split-horizon Perform split horizon
summary-address Perform address summarization
virtual-reassembly Virtual Reassembly
R2(config-if)#ip ac
R2(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
WORD Access-list name
R2(config-if)#ip access-group 100 ?
in inbound packets
out outbound packets
R2(config-if)#ip access-group 100 out ?
<cr>
R2(config-if)#ip access-group 100 out // apply the access list outbound on interface s2/0
R2(config-if)#
R2(config-if)#
R2(config-if)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#show run
R2#show running-config
Building configuration...
Current configuration : 901 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
...
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface Serial2/0
ip address 192.168.3.1 255.255.255.0
ip access-group 100 out
clock rate 64000
!
interface Serial3/0
no ip address
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.2.1
ip route 192.168.4.0 255.255.255.0 192.168.3.2
!
!
access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
!
...
!
line con 0
line vty 0 4
login
!
!
!
end
R2#
R3:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R3
R3(config)#int fa0/0
R3(config-if)#ip add 192.168.4.1 255.255.255.0
R3(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#exit
R3(config)#int s2/0
R3(config-if)#ip add 192.168.3.2 255.255.255.0
R3(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
R3(config-if)#
R3(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.1
R3(config)#end
R3#
%SYS-5-CONFIG_I: Configured from console by console
R3#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
C 192.168.3.0/24 is directly connected, Serial2/0
C 192.168.4.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.3.1
R3#
R3#
R3#show run
Building configuration...
Current configuration : 667 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R3
!
...
!
interface FastEthernet0/0
ip address 192.168.4.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface Serial2/0
ip address 192.168.3.2 255.255.255.0
!
interface Serial3/0
no ip address
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
!
...
!
line con 0
line vty 0 4
login
!
!
!
end
R3#
PC1:
Packet Tracer PC Command Line 1.0
PC>ipconfig
IP Address......................: 192.168.1.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.1
PC>ping 192.168.4.2
Pinging 192.168.4.2 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 192.168.4.2: bytes=32 time=18ms TTL=125 // before the ACL
Reply from 192.168.4.2: bytes=32 time=12ms TTL=125
Ping statistics for 192.168.4.2:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 12ms, Maximum = 18ms, Average = 15ms
PC>ping 192.168.4.2
Pinging 192.168.4.2 with 32 bytes of data:
Reply from 192.168.2.2: Destination host unreachable. // after the ACL
Reply from 192.168.2.2: Destination host unreachable.
Reply from 192.168.2.2: Destination host unreachable.
Reply from 192.168.2.2: Destination host unreachable.
Ping statistics for 192.168.4.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>
PC1 web test:
The web service is reachable both before and after the ACL is applied.