Configuring an extended access control list: permit TCP through the outbound interface to the server and deny ICMP through the outbound interface to the server

The topology is as follows:

[Figure 1: lab topology (PC1 -- R1 -- R2 -- R3 -- Web Server)]





Step 1: Configure the interfaces on router R1
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#host R1
R1(config)#int fa0/0
R1(config-if)#ip add 172.16.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#int fa1/0
R1(config-if)#ip add 172.16.2.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
R1(config-if)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R1#


Step 1: Configure the interfaces on router R2
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#host R2
R2(config)#int fa0/0
R2(config-if)#ip add 172.16.2.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#int se2/0
R2(config-if)#ip add 172.16.3.1 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
R2(config-if)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R2#


Step 1: Configure the interfaces on router R3
Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#host R3
R3(config)#int se3/0
R3(config-if)#ip add 172.16.3.2 255.255.255.0
R3(config-if)#no shut
R3(config-if)#
%LINK-5-CHANGED: Interface Serial3/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/0, changed state to up 
R3(config-if)#int fa0/0
R3(config-if)#ip add 172.16.4.1 255.255.255.0
R3(config-if)#no shut
R3(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#end
R3#
%SYS-5-CONFIG_I: Configured from console by console
R3#


Step 2: Configure the static route on router R1
R1>en
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2    !--- default route: everything not directly connected goes to R2
R1(config)#exit
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 172.16.2.2 to network 0.0.0.0
        172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, FastEthernet0/0
C       172.16.2.0 is directly connected, FastEthernet1/0
S*      0.0.0.0/0 [1/0] via 172.16.2.2
R1#


Step 2: Configure the static route on router R3
R3>en
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#ip route 0.0.0.0 0.0.0.0 172.16.3.1    !--- default route: everything not directly connected goes to R2
R3(config)#exit
R3#
%SYS-5-CONFIG_I: Configured from console by console
R3#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 172.16.3.1 to network 0.0.0.0
        172.16.0.0/24 is subnetted, 2 subnets
C       172.16.3.0 is directly connected, Serial3/0
C       172.16.4.0 is directly connected, FastEthernet0/0
S*      0.0.0.0/0 [1/0] via 172.16.3.1
R3#


Step 2: Configure the static routes on router R2
R2>en
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip route 172.16.1.0 255.255.255.0 172.16.2.1    !--- static route: destination network and next hop given explicitly
R2(config)#ip route 172.16.4.0 255.255.255.0 172.16.3.2    !--- static route: destination network and next hop given explicitly
R2(config)#exit
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
        172.16.0.0/24 is subnetted, 4 subnets
S       172.16.1.0 [1/0] via 172.16.2.1
C       172.16.2.0 is directly connected, FastEthernet0/0
C       172.16.3.0 is directly connected, Serial2/0
S       172.16.4.0 [1/0] via 172.16.3.2
R2#


Now look back at the routing table of router R1
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 172.16.2.2 to network 0.0.0.0
        172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, FastEthernet0/0
C       172.16.2.0 is directly connected, FastEthernet1/0
S*      0.0.0.0/0 [1/0] via 172.16.2.2
R1#
Finally, look back at the routing table of router R3
R3#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 172.16.3.1 to network 0.0.0.0
        172.16.0.0/24 is subnetted, 2 subnets
C       172.16.3.0 is directly connected, Serial3/0
C       172.16.4.0 is directly connected, FastEthernet0/0
S*      0.0.0.0/0 [1/0] via 172.16.3.1
R3#


Step 3: Verify that PC1 can ping the Web Server (baseline before any ACL is applied)
PC>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::230:A3FF:FE8C:A257
IP Address......................: 172.16.1.2
Subnet Mask.....................: 255.255.0.0
Default Gateway.................: 172.16.1.1
PC>ping 172.16.4.2
Pinging 172.16.4.2 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 172.16.4.2: bytes=32 time=1ms TTL=125
Reply from 172.16.4.2: bytes=32 time=1ms TTL=125
Ping statistics for 172.16.4.2:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
PC>

The first two requests time out while ARP resolves along the path, which is normal in Packet Tracer; the two replies show that the routing from step 2 works end to end. Note that the PC's subnet mask is 255.255.0.0 although the addressing plan uses /24 subnets. With a /16 mask the PC treats 172.16.4.2 as on-link and does not need to send to its default gateway at all; correct the mask to 255.255.255.0 so the lab does not depend on proxy ARP on R1.




Step 4: Configure the extended access control list
     i.  choose a list number from the extended range (100-199)
     ii. permit the source host to reach the WEB server over TCP through the outbound interface
     iii.deny the source host from reaching the WEB server over ICMP through the outbound interface
     iv. apply the list number to the outbound interface

Two points to keep in mind while typing the list. Every IOS access list ends with an implicit deny ip any any, so once list 100 is applied nothing except the permitted HTTP flow leaves se2/0; the ICMP entry mainly makes the intent explicit and gives a match counter to check. And because the list is applied outbound toward the server, the ICMP packets it sees from the PC are echo requests, so the deny entry must match type echo; echo-reply would match only the server's replies, which enter se2/0 rather than leave it.

R2>en
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list
R2(config)#access-list 100
% Incomplete command.
R2(config)#access-list 100 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
R2(config)#access-list 100 permit ?
  ahp    Authentication Header Protocol
  eigrp  Cisco's EIGRP routing protocol
  esp    Encapsulation Security Payload
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
R2(config)#access-list 100 permit tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
R2(config)#access-list 100 permit tcp host 172.16.1.2 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
R2(config)#access-list 100 permit tcp host 172.16.1.2 host 172.16.4.2 ?
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  established
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  range        Match only packets in the range of port numbers
 
R2(config)#access-list 100 permit tcp host 172.16.1.2 host 172.16.4.2 eq ?
  <0-65535>  Port number
  ftp        File Transfer Protocol (21)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  telnet     Telnet (23)
  www        World Wide Web (HTTP, 80)
R2(config)#access-list 100 permit tcp host 172.16.1.2 host 172.16.4.2 eq www    !--- ii. permit the source host to reach the WEB server over TCP port 80 (www) through the outbound interface
R2(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list
R2(config)#access-list 100 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
R2(config)#access-list 100 deny ?
  ahp    Authentication Header Protocol
  eigrp  Cisco's EIGRP routing protocol
  esp    Encapsulation Security Payload
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
R2(config)#access-list 100 deny icmp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
R2(config)#access-list 100 deny icmp host 172.16.1.2 ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host
R2(config)#access-list 100 deny icmp host 172.16.1.2 host 172.16.4.2 ?
  <0-256>               type-num
  echo                  Echo (ping)
  echo-reply            Echo reply
  host-unreachable      Host unreachable
  net-unreachable       Net unreachable
  port-unreachable      Port unreachable
  protocol-unreachable  Protocol unreachable
  ttl-exceeded          TTL exceeded
  unreachable           All unreachables
 
R2(config)#access-list 100 deny icmp host 172.16.1.2 host 172.16.4.2 echo     !--- i. the number 100 creates the list; iii. deny the source host's ICMP echo requests to the WEB server (type echo, not echo-reply: requests are what leave se2/0, replies come back the other way)
R2(config)#int se2/0
R2(config-if)#ip access-group 100 ?
  in   inbound packets
  out  outbound packets
R2(config-if)#ip access-group 100 out  !--- iv. apply the list outbound on se2/0, the interface toward the server
R2(config-if)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#
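To see why the direction and the ICMP type matter, here is a small model of how IOS evaluates an extended access list: entries are checked top-down, the first match decides, and an unwritten deny ip any any catches everything else. This is an added example for this lab, not code from the page or from Cisco. It models only packets leaving R2 on se2/0, where list 100 is applied, so the server's return traffic (which enters se2/0) is never evaluated. The packet set is constructed: the lab's PC 172.16.1.2 and server 172.16.4.2, plus a hypothetical second host 172.16.1.3 and an HTTPS attempt. It compares the list written with echo against the same list written with echo-reply, and it also accepts wildcard-masked networks, which the lab itself does not use.

```python
"""Model of how Cisco IOS evaluates an extended access list: entries are
checked top-down, the first match decides, and an invisible
`deny ip any any` catches everything else.

Added example for this lab, not code from the page or from Cisco. It only
models packets leaving R2 on se2/0, where list 100 is applied, so return
traffic from the server (which enters se2/0) is never evaluated here. The
packets below are constructed: the lab's PC 172.16.1.2 and server
172.16.4.2, plus a hypothetical second host 172.16.1.3 and an HTTPS attempt.
Wildcard-masked networks are supported too, although the lab uses only `host`.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "ttl-exceeded": 11}
TCP_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "pop3": 110}


def wild_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    `host X` is X 0.0.0.0 and `any` is 0.0.0.0 255.255.255.255."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


def _parse_addr(tok, i):
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tok[i], tok[i + 1]), i + 2           # network plus wildcard mask


@dataclass
class Ace:
    action: str                       # permit | deny
    proto: str                        # ip | tcp | udp | icmp
    src: tuple                        # (base, wildcard)
    dst: tuple
    dport: Optional[int] = None       # `eq <port>` for tcp/udp
    icmp_type: Optional[int] = None   # e.g. echo / echo-reply for icmp
    hits: int = 0                     # what `show access-lists` shows as "(N matches)"

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not (wild_match(pkt["src"], *self.src) and wild_match(pkt["dst"], *self.dst)):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True


def parse_ace(line: str) -> Ace:
    """Parse the part of `access-list 100 ...` that follows the list number."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    dst, i = _parse_addr(tok, i)
    dport = icmp_type = None
    if i < len(tok):
        if proto in ("tcp", "udp") and tok[i] == "eq":
            dport = TCP_PORTS[tok[i + 1]] if tok[i + 1] in TCP_PORTS else int(tok[i + 1])
        elif proto == "icmp":
            icmp_type = ICMP_TYPES[tok[i]] if tok[i] in ICMP_TYPES else int(tok[i])
    return Ace(action, proto, src, dst, dport, icmp_type)


class ExtendedAcl:
    def __init__(self, lines):
        self.aces = [parse_ace(l) for l in lines]
        self.implicit_denies = 0

    def evaluate(self, pkt: dict) -> str:
        for ace in self.aces:
            if ace.matches(pkt):
                ace.hits += 1
                return ace.action
        self.implicit_denies += 1     # the unwritten `deny ip any any`
        return "deny"


PC, WEB = "172.16.1.2", "172.16.4.2"
PACKETS = {                           # constructed; all outbound on R2 se2/0
    "pc_http":    dict(proto="tcp",  src=PC, dst=WEB, dport=80),
    "pc_https":   dict(proto="tcp",  src=PC, dst=WEB, dport=443),
    "pc_ping":    dict(proto="icmp", src=PC, dst=WEB, icmp_type=8),   # echo request
    "other_http": dict(proto="tcp",  src="172.16.1.3", dst=WEB, dport=80),  # hypothetical host
}
WITH_ECHO_REPLY = ["permit tcp host 172.16.1.2 host 172.16.4.2 eq www",
                   "deny icmp host 172.16.1.2 host 172.16.4.2 echo-reply"]
WITH_ECHO = ["permit tcp host 172.16.1.2 host 172.16.4.2 eq www",
             "deny icmp host 172.16.1.2 host 172.16.4.2 echo"]


def run(lines):
    """Return (verdict per packet, match count per entry, implicit-deny count)."""
    acl = ExtendedAcl(lines)
    verdicts = {name: acl.evaluate(p) for name, p in PACKETS.items()}
    return verdicts, [a.hits for a in acl.aces], acl.implicit_denies


if __name__ == "__main__":
    for label, lines in (("echo-reply", WITH_ECHO_REPLY), ("echo", WITH_ECHO)):
        print(label, *run(lines))
```

With echo-reply the second entry stays at zero matches: the PC's echo requests are type 8, and the type 0 replies enter se2/0 rather than leave it. The ping is still blocked, but by the implicit deny, which also swallows the HTTPS attempt and the second host; only the counters from show access-lists 100 tell the two cases apart, which is why that command belongs in the verification step.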




Step 5: Test. The ICMP deny takes effect for ping from source 172.16.1.2 to destination 172.16.4.2;
              the TCP permit takes effect for web access from source 172.16.1.2 to destination 172.16.4.2.
Because of the implicit deny, any other traffic leaving se2/0 (a second PC, another protocol, another host behind R3) is dropped as well. Traffic from the server back toward the PC enters se2/0 and is not filtered, since no list is applied inbound.

PC>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::230:A3FF:FE8C:A257
IP Address......................: 172.16.1.2
Subnet Mask.....................: 255.255.0.0
Default Gateway.................: 172.16.1.1
PC>ping 172.16.4.2
Pinging 172.16.4.2 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 172.16.4.2: bytes=32 time=1ms TTL=125
Reply from 172.16.4.2: bytes=32 time=1ms TTL=125
Ping statistics for 172.16.4.2:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
PC>

This output is identical to the step 3 baseline, so it does not show the deny taking effect. With list 100 applied, the PC's echo requests are dropped at R2, so no reply from 172.16.4.2 should come back. Re-run the ping, then check show access-lists 100 on R2: the deny entry's match counter should increase, and show ip interface serial2/0 should report list 100 as the outgoing access list.


Open http://172.16.4.2 in the PC's web browser:

[Figure 2: web browser test from PC1 to the server]


The browser test confirms the permit entry: HTTP from 172.16.1.2 to 172.16.4.2 passes through se2/0. The deny entry is confirmed once the ping shows no replies from 172.16.4.2 and the entry's match counter in show access-lists 100 increments.



