1.1 Lab task
Configure an access control list (ACL) on the network.
1.2 Lab environment and network topology
1.3 Completion criteria
Connect the network as shown in the topology diagram and configure an access control list on R1's Fa1/1 interface so that PC1 can ping PC2 while PC2 cannot ping PC1.
2. Detailed steps
Step 1: Connect the network
(1) Configure IP addresses and gateways on PC1 and PC2; configure interface IPs and routes on R1 and R2
PC1 configuration:
// Dynamips cannot emulate a PC, so this lab uses 7200 routers to stand in for PCs; on real hardware, configure the PC itself.
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ho PC1
PC1(config)#int f0/0 // configure the interface IP
PC1(config-if)#ip add 192.168.10.1 255.255.255.0
PC1(config-if)#no shut
*Dec 15 15:01:20.823: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Dec 15 15:01:21.823: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
PC1(config-if)#exit
PC1(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.2 // configure the default route
PC2 configuration:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ho PC2
PC2(config)#int f0/0 // configure the interface IP
PC2(config-if)#ip add 192.168.30.1 255.255.255.0
PC2(config-if)#no shut
*Dec 15 15:01:42.927: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Dec 15 15:01:43.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
PC2(config-if)#exit
PC2(config)#ip route 0.0.0.0 0.0.0.0 192.168.30.2 // configure the default route
R1 configuration:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ho R1
R1(config)#int f0/0 // configure the interface IP
R1(config-if)#ip add 192.168.10.2 255.255.255.0
R1(config-if)#no shut
*Dec 15 14:59:22.091: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Dec 15 14:59:23.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#int f1/1 // configure the interface IP
R1(config-if)#ip add 192.168.20.1 255.255.255.0
R1(config-if)#no shut
*Dec 15 14:59:51.771: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
*Dec 15 14:59:52.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
R1(config-if)#exit
R1(config)#ip route 192.168.30.0 255.255.255.0 192.168.20.2 // configure a static route to PC2's network
R2 configuration:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ho R2
R2(config)#int f1/1 // configure the interface IP
R2(config-if)#ip add 192.168.20.2 255.255.255.0
R2(config-if)#no shut
*Dec 15 15:00:22.719: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
*Dec 15 15:00:23.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
R2(config-if)#int f0/0 // configure the interface IP
R2(config-if)#ip add 192.168.30.2 255.255.255.0
R2(config-if)#no shut
*Dec 15 15:00:48.651: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Dec 15 15:00:49.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
R2(config)#ip route 192.168.10.0 255.255.255.0 192.168.20.1 // configure a static route to PC1's network
R2(config)#
(2) Check network connectivity
PC1 ping PC2:
PC1(config)#do ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
...!! // the network is connected; 3 of 5 packets were lost on the first attempt, so ping a second time to confirm connectivity
Success rate is 40 percent (2/5), round-trip min/avg/max = 144/178/212 ms
PC1(config)#do ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!! // PC1 pings PC2 with 100% success
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/171/280 ms
PC2 ping PC1:
PC2(config)#do ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!! // PC2 pings PC1 with 100% success
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/134/204 ms
Step 2: Configure the ACL
(1) Configure an inbound ACL on R1's Fa1/1 interface
R1 configuration:
R1(config)#ip access-list extended benet // create an extended named ACL called benet
R1(config-ext-nacl)#deny icmp host 192.168.30.1 host 192.168.10.1 echo
// deny ICMP echo-request packets from host 192.168.30.1 to host 192.168.10.1
R1(config-ext-nacl)#permit ip any any // permit all other IP packets to be forwarded
R1(config-ext-nacl)#exit
R1(config)#int f1/1
R1(config-if)#ip access-group benet in // apply the extended ACL named benet in the inbound direction on interface F1/1
R1(config-if)#exit
R1(config)#do show access-list // display the access list and its match counters
Extended IP access list benet
10 deny icmp host 192.168.30.1 host 192.168.10.1 echo (11 matches)
// entry 10: echo requests from host 192.168.30.1 to host 192.168.10.1 denied, 11 matches so far
20 permit ip any any (5 matches)
// entry 20: all other IP packets forwarded, 5 matches so far
(2) Check network connectivity
PC1 ping PC2:
PC1(config)#do ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!! // PC1 still pings PC2 normally
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/146/280 ms
PC2 ping PC1:
PC2(config)#do ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
U.U.U // PC2 can no longer ping PC1; the U (destination unreachable) replies show that the ACL is in effect
Success rate is 0 percent (0/5)
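To show why the single `echo` entry produces exactly the asymmetric result above (PC2's echo requests are dropped at entry 10, while the echo replies PC2 sends back to PC1's pings pass on entry 20), here is an added Python model of the ACL's first-match evaluation. This is example code written for this page, not IOS or the lab's own code; the `Packet`/`Entry` names, the wildcard-mask parsing and the implicit final deny are the example's own modelling assumptions.

```python
import ipaddress
from collections import namedtuple

# proto: "icmp"/"tcp"/...; icmp_type: "echo" or "echo-reply" ("" for non-ICMP)
Packet = namedtuple("Packet", "proto src dst icmp_type", defaults=[""])
# proto "ip" matches every protocol; icmp_type "" matches any ICMP message
Entry = namedtuple("Entry", "seq action proto src dst icmp_type")

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard: 0 bits must match, 1 bits are ignored, so invert it into a netmask
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network((tokens[0], str(mask)), strict=False), tokens[2:]

def parse_acl(lines):
    """Parse 'permit|deny <proto> <src> <dst> [icmp-type]' lines; entries get seq 10, 20, ..."""
    entries = []
    for n, line in enumerate(lines, start=1):
        tokens = line.split()
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        icmp_type = rest[0] if tokens[1] == "icmp" and rest else ""
        entries.append(Entry(n * 10, tokens[0], tokens[1], src, dst, icmp_type))
    return entries

def evaluate(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in e.src or ipaddress.ip_address(pkt.dst) not in e.dst:
            continue
        if e.icmp_type and e.icmp_type != pkt.icmp_type:
            continue
        return e.action, e.seq
    return "deny", None

# The lab's ACL; applied inbound on R1 Fa1/1 it only sees traffic arriving from R2.
BENET = parse_acl(["deny icmp host 192.168.30.1 host 192.168.10.1 echo",
                   "permit ip any any"])

def lab_results():
    """PC2's echo request hits entry 10; PC2's echo-reply to PC1's ping passes on entry 20."""
    pc2_echo = Packet("icmp", "192.168.30.1", "192.168.10.1", "echo")
    reply_to_pc1 = Packet("icmp", "192.168.30.1", "192.168.10.1", "echo-reply")
    return evaluate(BENET, pc2_echo), evaluate(BENET, reply_to_pc1)
```

PC1's own echo requests leave R1 on Fa1/1 and are never inspected by an inbound ACL, which is why only PC2's direction is affected; the wildcard parser also lets the same evaluator run a standard-style source-network entry.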
3. Lab summary
The basic principle of an access control list (ACL) is packet filtering: the router reads the layer-3 and layer-4 header information (OSI seven-layer model) of each packet and filters it according to predefined rules, thereby enforcing access control. The key points are:
• The two basic ACL types: standard access control lists and extended access control lists.
• The main uses of ACLs: a basic means of securing network access; traffic control for QoS (Quality of Service); a means of controlling communication flows.
• An ACL is an ordered set of conditional statements that inspect and control packets entering the router on an inbound interface and leaving it on an outbound interface.
• A standard ACL permits or denies packets based only on their source IP address; its list numbers range from 1 to 99.
• An extended ACL provides a higher degree of control by filtering on source and destination addresses, transport-layer protocol and application port numbers, so traffic can be restricted by the type of network application; its list numbers range from 101 to 199.