Lab objective:
Understand how ACLs work and become familiar with the basic steps for configuring an ACL. There are three kinds of ACL: (1) standard ACLs, (2) extended ACLs, and (3) named ACLs.
Lab 1: Standard access control list
Lab topology: (diagram not reproduced on this page)
Lab content:
(1) Basic router configuration:
Basic configuration on R1
interface Loopback0
ip address 192.168.10.1 255.255.255.0
ip address 192.168.10.2 255.255.255.0 secondary (several IP addresses on one interface simulate several PCs.)
ip address 192.168.10.3 255.255.255.0 secondary
ip address 192.168.10.4 255.255.255.0 secondary
ip address 192.168.10.5 255.255.255.0 secondary
interface Serial0
ip address 10.10.1.1 255.255.255.0
clockrate 64000
router rip
network 10.0.0.0
network 192.168.10.0
Basic configuration on R2
interface Serial1
ip address 10.10.1.2 255.255.255.0
router rip
net 10.0.0.0
(2) Test reachability before any access control list is enabled on R2.
R2#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
R2#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
R2#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
R2#ping 192.168.10.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
R2#ping 192.168.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
(3) Enable access control list ACL 10 on R2
R2(config)#access-list 10 permit 192.168.10.1 (10 is the standard ACL number; standard ACLs are numbered 0-99)
R2(config)#access-list 10 permit 192.168.10.3
R2(config)#access-list 10 permit 192.168.10.5
Check the ACL configuration
R2#show ip access-lists
Standard IP access list 10
permit 192.168.10.3
permit 192.168.10.1 (10 matches)
permit 192.168.10.5
Apply ACL 10 on interface S1
R2(config)#int s1
R2(config-if)#ip access-group 10 in
(4) Test the effect of enabling ACL 10
R2#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
R2#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
R2#ping 192.168.10.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
Compare the results before and after ACL 10 was enabled, and note what ACLs can do for network management and network security. A standard ACL can only control traffic by source address; when traffic has to be controlled by destination or by the type of data, an extended ACL is needed, and the next lab shows how to configure and use extended ACLs. Standard access control lists are comparatively simple and are not used very often in practice.
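Added example (not part of the original lab): a small Python model of Lab 1's standard ACL. It assumes the packet flow of the lab, where the ACL is applied inbound on S1, so R2's own echo requests leave unchecked and it is the echo replies, sourced from 192.168.10.x, that ACL 10 evaluates; wildcard-mask matching and the implicit deny are modelled the way IOS applies them.

```python
import ipaddress

# Constructed model of Lab 1: ACL 10 exactly as entered on R2 and applied
# "in" on S1. A standard entry with no wildcard is an exact host (0.0.0.0).
ACL_10 = [
    ("permit", "192.168.10.1", "0.0.0.0"),
    ("permit", "192.168.10.3", "0.0.0.0"),
    ("permit", "192.168.10.5", "0.0.0.0"),
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def standard_acl(acl, src):
    """A standard ACL tests only the source address. The first matching entry
    wins; a packet that matches nothing hits the implicit 'deny any'."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"

def ping_from_r2(target, acl=ACL_10):
    """R2's echo request leaves S1 outbound, where the inbound ACL is not
    consulted. The echo reply enters S1 inbound with source == target, and
    that is the packet ACL 10 decides on. Returns the IOS-style verdict."""
    reply_src = target
    return "!!!!!" if standard_acl(acl, reply_src) == "permit" else "....."

def lab1_results():
    """Ping verdicts for the five addresses on R1's Loopback0."""
    return {f"192.168.10.{i}": ping_from_r2(f"192.168.10.{i}") for i in range(1, 6)}
```

The same inbound ACL also evaluates the RIP updates R1 sends from 10.10.1.1, which no entry of ACL 10 permits; a standard ACL applied inbound on a routing interface needs an entry for the neighbour's source address as well.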
Lab 2: Extended ACL
Lab topology: (diagram not reproduced on this page)
Lab content:
(1) Basic router configuration
Basic configuration on R1
interface Loopback0
ip address 192.168.10.1 255.255.255.0
ip address 192.168.10.2 255.255.255.0 secondary (several IP addresses on one interface simulate several PCs.)
ip address 192.168.10.3 255.255.255.0 secondary
ip address 192.168.10.4 255.255.255.0 secondary
ip address 192.168.10.5 255.255.255.0 secondary
interface Serial0
ip address 10.10.1.1 255.255.255.0
clockrate 64000
router rip
network 10.0.0.0
network 192.168.10.0
Basic configuration on R2
interface Serial0
ip address 192.168.100.1 255.255.255.0
clockrate 64000
!
interface Serial1
ip address 10.10.1.2 255.255.255.0
!
router rip
network 10.0.0.0
network 192.168.100.0
Basic configuration on R3
interface Serial1
ip address 192.168.100.2 255.255.255.0
router rip
net 192.168.100.0
(2) Test connectivity:
R3#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
R3#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/60/64 ms
R3#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/68/100 ms
R3#ping 192.168.10.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/68/100 ms
R3#ping 192.168.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
(3) Enable ACL 110 on R2
R2(config)#access-list 110 deny ip host 192.168.100.2 host 192.168.10.1
R2(config)# access-list 110 deny ip host 192.168.100.2 host 192.168.10.2
R2(config)#access-list 110 deny ip host 192.168.100.2 host 192.168.10.3
R2(config)#access-list 110 permit ip any any
Check the ACL configuration
R2#show ip access-lists
Apply ACL 110 outbound on interface S1 (the interface toward R1)
R2(config)#int s1
R2(config-if)#ip access-group 110 out
(4) Test the effect of enabling ACL 110
R3#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 192.168.10.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
R3#ping 192.168.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
Summary: comparing the ping results before and after ACL 110 was enabled shows that an extended ACL can restrict traffic by destination address. Traffic can also be restricted by type. For example, access-list 110 permit tcp host 192.168.100.1 host 192.168.10.1 eq www restricts WWW access from one host to the other.
Lab 3: Named access lists, also called named ACLs
Because a named ACL can do the same job as a standard or extended ACL, only the configuration method of a named ACL is given here:
rack03-1(config)#ip access-list extended www (define the named ACL)
rack03-1(config-ext-nacl)#permit tcp any any (add conditions to the ACL)
rack03-1(config-ext-nacl)#deny udp any any
rack03-1(config-ext-nacl)#exit
Why use a named list?
With an ordinary numbered access list, deleting any one entry deletes the whole list, which makes editing difficult; a named list lets entries be added and modified freely.
Lab 4: Using access-lists against the "Blaster" worm
Using access-lists against the "Blaster" worm: recently the "Blaster" worm (WORM_MSBlast.A) began spreading on the domestic Internet and on some private networks. The access-list I had set up earlier at the access layer did its job!
access-list 120 deny 53 any any
access-list 120 deny 55 any any
access-list 120 deny 77 any any
access-list 120 deny 103 any any
Use the entries above with caution!
access-list 120 deny tcp any any eq echo
access-list 120 deny tcp any any eq chargen
access-list 120 deny tcp any any eq 135
access-list 120 deny tcp any any eq 136
access-list 120 deny tcp any any eq 137
access-list 120 deny tcp any any eq 138
access-list 120 deny tcp any any eq 139
access-list 120 deny tcp any any eq 389
access-list 120 deny tcp any any eq 445
access-list 120 deny tcp any any eq 4444 // newly added
access-list 120 deny udp any any eq 69 // newly added
access-list 120 deny udp any any eq 135
access-list 120 deny udp any any eq 136
access-list 120 deny udp any any eq 137
access-list 120 deny udp any any eq 138
access-list 120 deny udp any any eq 139
access-list 120 deny udp any any eq snmp
access-list 120 deny udp any any eq 389
access-list 120 deny udp any any eq 445
access-list 120 deny udp any any eq 1434
access-list 120 deny udp any any eq 1433
access-list 120 permit ip any any
access-list 120 deny icmp any any echo
access-list 120 deny icmp any any echo-reply
access-list 120 deny tcp any any eq 135
access-list 120 deny udp any any eq 135
access-list 120 deny tcp any any eq 139
access-list 120 deny udp any any eq 139
access-list 120 deny tcp any any eq 445
access-list 120 deny udp any any eq 445
access-list 120 deny tcp any any eq 593
access-list 120 deny udp any any eq 593
access-list 120 permit ip any any
access-list 115 deny icmp any any echo
access-list 115 deny icmp any any echo-reply
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq 69
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 permit ip any any
interface
ip access-group 115 in
ip access-group 115 out
If you are blocking on a PIX instead, use:
access-list 115 deny icmp any any echo
access-list 115 deny icmp any any echo-reply
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq 69
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 permit ip any any
access-group 115 in interface in
access-group 115 in interface out
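Added example (not from the original lab): a Python parser and first-match evaluator for the numbered extended ACL syntax used in Lab 2 (ACL 110) and Lab 4 (ACL 120). The ACL texts are constructed excerpts of the page's lists with numeric ports only; the evaluator also reports entries placed after a permit ip any any, which under first-match evaluation can never be reached, as happens in the ACL 120 listing above where further deny lines follow the first permit ip any any.

```python
import ipaddress
# Constructed excerpts of the page's ACL 110 (Lab 2) and ACL 120 (Lab 4).
ACL_110 = """access-list 110 deny ip host 192.168.100.2 host 192.168.10.1
access-list 110 deny ip host 192.168.100.2 host 192.168.10.3
access-list 110 permit ip any any"""
ACL_120 = """access-list 120 deny tcp any any eq 135
access-list 120 deny udp any any eq 69
access-list 120 permit ip any any
access-list 120 deny tcp any any eq 593"""
ANY = ("0.0.0.0", "255.255.255.255")  # wildcard of all ones: any address

def addr_spec(tok):
    """Consume 'any', 'host A' or 'A WILDCARD' from the token list."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def parse(text):
    """Numbered extended ACL lines -> (action, proto, src, dst, port) entries."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue  # skip anything that is not an ACL line
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = addr_spec(rest), addr_spec(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None  # numeric ports only
        entries.append((action, proto, src, dst, port))
    return entries

def wild(addr, spec):
    """Cisco wildcard: a 1 bit means 'don't care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return (a & ~w) == (b & ~w)

def evaluate(entries, src, dst, proto, dport=None):
    """First match decides ('ip' matches any protocol); no match = implicit deny."""
    for i, (action, p, s, d, port) in enumerate(entries):
        if p in ("ip", proto) and wild(src, s) and wild(dst, d) \
                and (port is None or port == dport):
            return action, i
    return "deny", None

def shadowed(entries):
    """Entries after a 'permit/deny ip any any' catch-all can never be reached."""
    for i, (_, p, s, d, port) in enumerate(entries):
        if p == "ip" and s == ANY and d == ANY and port is None:
            return list(range(i + 1, len(entries)))
    return []
```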
Lab 5: Limiting or blocking BT downloads on the router
Rate limiting:
access-list 130 remark bt
access-list 130 permit tcp any any range 6881 6890
access-list 130 permit tcp any range 6881 6890 any
rate-limit input access-group 130 712000 8000 8000 conform-action transmit exceed-action drop
rate-limit output access-group 130 712000 8000 8000 conform-action transmit exceed-action drop
Blocking:
access-list 130 deny tcp any any range 6881 6890
access-list 130 deny tcp any range 6881 6890 any
ip access-group 130 in / out
However, some BT clients automatically switch ports after being blocked, which is rather annoying!