1.1 Lab Task
Configure an access control list on the network
1.2 Lab Environment and Network Topology
1.3 Completion Criteria
Connect the network according to the topology diagram and configure an access control list on interface Fa1/1 of R1 so that PC1 can ping PC2 but PC2 cannot ping PC1.
2. Detailed Procedure
Step 1: Establish connectivity
(1) Configure the IP addresses and gateways of PC1 and PC2; configure the interface IPs and routes of R1 and R2
PC1 configuration:
//Because Dynamips cannot emulate a PC, this lab uses 7200 routers to stand in for the PCs; on real PCs, configure them accordingly.
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ho PC1
PC1(config)#int f0/0 //configure the interface IP
PC1(config-if)#ip add 192.168.10.1 255.255.255.0
PC1(config-if)#no shut
*Dec 15 15:01:20.823: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Dec 15 15:01:21.823: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to up
PC1(config-if)#exit
PC1(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.2 //configure the default route
PC2 configuration:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ho PC2
PC2(config)#int f0/0 //configure the interface IP
PC2(config-if)#ip add 192.168.30.1 255.255.255.0
PC2(config-if)#no shut
*Dec 15 15:01:42.927: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to u
*Dec 15 15:01:43.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthe
changed state to up
PC2(config-if)#exit
PC2(config)#ip route 0.0.0.0 0.0.0.0 192.168.30.2 //configure the default route
R1 configuration:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ho R1
R1(config)#int f0/0 //configure the interface IP
R1(config-if)#ip add 192.168.10.2 255.255.255.0
R1(config-if)#no shut
*Dec 15 14:59:22.091: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to u
*Dec 15 14:59:23.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthe
changed state to up
R1(config-if)#int f1/1 //configure the interface IP
R1(config-if)#ip add 192.168.20.1 255.255.255.0
R1(config-if)#no shut
*Dec 15 14:59:51.771: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to u
*Dec 15 14:59:52.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthe
changed state to up
R1(config-if)#exit
R1(config)#ip route 192.168.30.0 255.255.255.0 192.168.20.2 //configure a static route
R2 configuration:
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ho R2
R2(config)#int f1/1 //configure the interface IP
R2(config-if)#ip add 192.168.20.2 255.255.255.0
R2(config-if)#no shut
*Dec 15 15:00:22.719: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up
*Dec 15 15:00:23.719: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1
changed state to up
R2(config-if)#int f0/0 //configure the interface IP
R2(config-if)#ip add 192.168.30.2 255.255.255.0
R2(config-if)#no shut
*Dec 15 15:00:48.651: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Dec 15 15:00:49.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0
changed state to up
R2(config-if)#exit
R2(config)#ip route 192.168.10.0 255.255.255.0 192.168.20.1 //configure a static route
R2(config)#
(2) Check network connectivity
PC1 ping PC2:
PC1(config)#do ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
...!! //the network is connected; 3 packets were lost in the process, so ping again to confirm connectivity
Success rate is 40 percent (2/5), round-trip min/avg/max = 144/178/212 ms
PC1(config)#do ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!! //PC1 pings PC2 successfully
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/171/280 ms
PC2 ping PC1:
PC2(config)#do ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!! //PC2 pings PC1 successfully
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/134/204 ms
Step 2: Configure the ACL
(1) Configure an inbound ACL on interface Fa1/1 of R1
R1 configuration:
R1(config)#ip access-list extended benet //create an extended access control list named benet
R1(config-ext-nacl)#deny icmp host 192.168.30.1 host 192.168.10.1 echo
//deny ICMP echo packets from host 192.168.30.1 to host 192.168.10.1
R1(config-ext-nacl)#permit ip any any //permit all other IP packets to be forwarded
R1(config-ext-nacl)#exit
R1(config)#int f1/1
R1(config-if)#ip access-group benet in //apply the extended access control list named benet inbound on interface F1/1
R1(config-if)#exit
R1(config)#do show access-list //display the access lists
Extended IP access list benet
10 deny icmp host 192.168.30.1 host 192.168.10.1 echo (11 matches)
//entry 10: deny ICMP echo from host 192.168.30.1 to host 192.168.10.1 (11 matching packets)
20 permit ip any any (5 matches)
//entry 20: permit all other IP packets (5 matching packets)
(2) Check network connectivity
PC1 ping PC2:
PC1(config)#do ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!! //PC1 still pings PC2 normally
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/146/280 ms
PC2 ping PC1:
PC2(config)#do ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
U.U.U //PC2 can no longer ping PC1; the U replies show that the ACL is in effect
Success rate is 0 percent (0/5)
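As an added example (not part of the lab report), the following Python models how R1 evaluates the benet list inbound on Fa1/1: first match wins, the list ends in an implicit deny, and because an ACL is stateless the echo keyword is what lets the echo replies to PC1's ping through while PC2's echo requests are dropped. The Packet and Ace classes, the ping_succeeds helper and the NO_ECHO_KEYWORD variant are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed model of Step 2's named extended ACL (added example, not lab output).
@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "icmp", "tcp", "udp", ...
    icmp_type: str = ""  # "echo" or "echo-reply" for ICMP, "" otherwise
@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    icmp_type: str = ""  # "" matches any ICMP type (keyword omitted)

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (not self.icmp_type or self.icmp_type == p.icmp_type)
                and IPv4Address(p.src) in self.src and IPv4Address(p.dst) in self.dst)

def host(a: str) -> IPv4Network:
    return IPv4Network(a + "/32")

ANY = IPv4Network("0.0.0.0/0")
PC1, PC2 = "192.168.10.1", "192.168.30.1"
# ip access-list extended benet, exactly as configured on R1 in Step 2
BENET = [Ace("deny", "icmp", host(PC2), host(PC1), "echo"),
         Ace("permit", "ip", ANY, ANY)]
# Same list with the 'echo' keyword left off: blocks every ICMP type, replies included
NO_ECHO_KEYWORD = [Ace("deny", "icmp", host(PC2), host(PC1)),
                   Ace("permit", "ip", ANY, ANY)]

def evaluate(acl: list[Ace], p: Packet) -> str:
    for ace in acl:          # first matching entry wins
        if ace.matches(p):
            return ace.action
    return "deny"  # the implicit 'deny ip any any' that ends every IOS ACL

def ping_succeeds(acl: list[Ace], src: str, dst: str) -> bool:
    """ACL is inbound on R1 Fa1/1: only packets heading to PC1's subnet are checked, statelessly."""
    request = Packet(src, dst, "icmp", "echo")
    reply = Packet(dst, src, "icmp", "echo-reply")
    for p in (request, reply):
        if IPv4Address(p.dst) in IPv4Network("192.168.10.0/24") and evaluate(acl, p) == "deny":
            return False  # R1 drops it and answers ICMP unreachable: ping prints 'U'
    return True
```

Dropping the echo keyword turns the deny into a match on every ICMP type, so the replies to PC1's own pings are dropped as well and both directions fail.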
3. Lab Summary
The basic principle of an access control list (ACL) is packet filtering: the router reads the Layer 3 and Layer 4 header information of the OSI seven-layer model and filters packets according to predefined rules, thereby achieving access control. The key points are:
- The two basic types of ACL: standard access control lists and extended access control lists
- The main uses of ACLs: providing a basic means of network access security; controlling data traffic for QoS (Quality of Service); providing a means of controlling communication traffic.