1.1 Lab Task

Configure an access control list (ACL) in the network.

1.2 Lab Environment and Network Topology

1.3 Completion Criteria

Connect the network according to the topology diagram, then configure an access control list on R1's interface Fa1/1 so that PC1 can ping PC2 but PC2 cannot ping PC1.

2. Detailed Procedure

Step 1: Establish connectivity

(1) Configure the IP addresses and default gateways of PC1 and PC2, and the interface IPs and routes of R1 and R2

PC1 configuration:
// Dynamips cannot emulate a PC, so this lab uses a 7200 router in place of each PC; on a real PC, configure the address and gateway on the PC itself.

Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ho PC1
PC1(config)#int f0/0                                                       // configure the interface IP
PC1(config-if)#ip add 192.168.10.1 255.255.255.0
PC1(config-if)#no shut
*Dec 15 15:01:20.823: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Dec 15 15:01:21.823: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
PC1(config-if)#exit
PC1(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.2            // configure the default route

PC2 configuration:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ho PC2
PC2(config)#int f0/0                                                       // configure the interface IP
PC2(config-if)#ip add 192.168.30.1 255.255.255.0
PC2(config-if)#no shut
*Dec 15 15:01:42.927: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Dec 15 15:01:43.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
PC2(config-if)#exit
PC2(config)#ip route 0.0.0.0 0.0.0.0 192.168.30.2            // configure the default route

R1 configuration:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ho R1
R1(config)#int f0/0                                                         // configure the interface IP
R1(config-if)#ip add 192.168.10.2 255.255.255.0
R1(config-if)#no shut
*Dec 15 14:59:22.091: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Dec 15 14:59:23.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#int f1/1                                                     // configure the interface IP
R1(config-if)#ip add 192.168.20.1 255.255.255.0
R1(config-if)#no shut
*Dec 15 14:59:51.771: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
*Dec 15 14:59:52.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
R1(config-if)#exit
R1(config)#ip route 192.168.30.0 255.255.255.0 192.168.20.2         // configure a static route to PC2's network

R2 configuration:
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ho R2
R2(config)#int f1/1                                                         // configure the interface IP
R2(config-if)#ip add 192.168.20.2 255.255.255.0
R2(config-if)#no shut
*Dec 15 15:00:22.719: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
*Dec 15 15:00:23.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
R2(config-if)#int f0/0                                                     // configure the interface IP
R2(config-if)#ip add 192.168.30.2 255.255.255.0
R2(config-if)#no shut
*Dec 15 15:00:48.651: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Dec 15 15:00:49.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
R2(config)#ip route 192.168.10.0 255.255.255.0 192.168.20.1         // configure a static route to PC1's network
R2(config)#

(2) Check network connectivity

PC1 ping PC2
PC1(config)#do ping 192.168.30.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
...!!                // the network is reachable; 3 of the 5 packets were lost, so ping again to confirm connectivity

Success rate is 40 percent (2/5), round-trip min/avg/max = 144/178/212 ms
PC1(config)#do ping 192.168.30.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!               // PC1 pings PC2 with full success

Success rate is 100 percent (5/5), round-trip min/avg/max = 92/171/280 ms

PC2 ping PC1
PC2(config)#do ping 192.168.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!               // PC2 pings PC1 with full success

Success rate is 100 percent (5/5), round-trip min/avg/max = 80/134/204 ms
Step 2: Configure the ACL

(1) Configure an inbound ACL on R1 interface Fa1/1

R1 configuration:
R1(config)#ip access-list extended benet                           // create an extended access list named benet
R1(config-ext-nacl)#deny icmp host 192.168.30.1 host 192.168.10.1 echo
// deny ICMP echo (request) packets from host 192.168.30.1 to host 192.168.10.1
R1(config-ext-nacl)#permit ip any any                              // permit all other IP packets
R1(config-ext-nacl)#exit
R1(config)#int f1/1
R1(config-if)#ip access-group benet in                             // apply the extended access list benet to interface F1/1 in the inbound direction
R1(config-if)#exit
R1(config)#do show access-list                                       // display the access lists

Extended IP access list benet
    10 deny icmp host 192.168.30.1 host 192.168.10.1 echo (11 matches)
    // entry 10: deny ICMP echo from host 192.168.30.1 to host 192.168.10.1; 11 packets matched
    20 permit ip any any (5 matches)
    // entry 20: permit all other IP packets; 5 packets matched

(2) Check network connectivity

PC1 ping PC2
PC1(config)#do ping 192.168.30.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!        // PC1 still pings PC2 normally: its echo requests leave Fa1/1 outbound, and the echo replies that come back inbound are not echo requests, so entry 20 permits them

Success rate is 100 percent (5/5), round-trip min/avg/max = 76/146/280 ms

PC2 ping PC1
PC2(config)#do ping 192.168.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
U.U.U     // PC2 can no longer ping PC1; the U (destination unreachable) markers show that the ACL is in effect

Success rate is 0 percent (0/5)

3. Lab Summary

The basic principle of an access control list (Access Control List, ACL) is packet filtering: the router reads the information in the layer 3 and layer 4 headers of the OSI seven-layer model and filters packets according to predefined rules, thereby achieving access control. The key points are:

- There are two basic types of ACL: standard access control lists (Standard) and extended access control lists (Extended).
- The main uses of an ACL are: providing a basic means of network access security; controlling data flows for QoS (Quality of Service); and providing a means of controlling communication traffic.
- An ACL is a set of judgment statements that inspect and control packets entering the router on an inbound interface and leaving it on an outbound interface.
- A standard access control list permits or denies packets based on their source IP address only; its list numbers range from 1 to 99.
- An extended access control list provides a finer degree of control by enabling filtering based on source and destination address, transport-layer protocol and application port number. With these features, traffic can be restricted according to the application type on the network; its list numbers range from 101 to 199.
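The following Python model is added here as a worked example and is not part of the lab or of Cisco IOS: it replays the first-match evaluation of the benet ACL from Step 2 (showing why PC1's ping still succeeds while PC2's is answered with U) and, as the summary describes, also evaluates a standard, source-only list. The simplification that a packet meets the inbound ACL on Fa1/1 exactly when its destination lies on R1's LAN is an assumption of this model.

```python
from typing import NamedTuple
from ipaddress import ip_address, ip_network

class Packet(NamedTuple):
    proto: str            # "icmp", "tcp", "udp"
    src: str
    dst: str
    icmp_type: str = ""   # "echo" or "echo-reply" for ICMP

class Rule(NamedTuple):   # a standard (source-only) ACL leaves dst and icmp_type at their defaults
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str              # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str = "any"
    icmp_type: str = ""   # "" matches every ICMP message type

def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    return rule.icmp_type in ("", pkt.icmp_type)

def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None

# The named extended ACL "benet" from the lab, applied inbound on R1 Fa1/1.
BENET = [Rule(10, "deny", "icmp", "host 192.168.30.1", "host 192.168.10.1", "echo"),
         Rule(20, "permit", "ip", "any", "any")]

def ping_outcome(acl, src, dst, r1_lan="192.168.10.0/24"):
    """IOS ping marker for one echo/reply pair crossing R1. Assumption of this model: a packet
    enters R1 on Fa1/1 (and so meets the inbound ACL) exactly when its destination is on R1's LAN."""
    request = Packet("icmp", src, dst, "echo")
    reply = Packet("icmp", dst, src, "echo-reply")
    for pkt in (request, reply):
        if ip_address(pkt.dst) in ip_network(r1_lan) and evaluate(acl, pkt)[0] == "deny":
            return "U" if pkt is request else "."   # denied request -> unreachable; denied reply -> timeout
    return "!"
```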