Network Engineer Switching Lab Manual, Part 11: Access Control List Labs

Lab objective:
Understand how ACLs work and the basic steps for configuring them. There are three kinds: (1) standard ACLs, which match on the source address only; (2) extended ACLs, which match on protocol, source, destination and port; (3) named ACLs, which are standard or extended lists identified by a name instead of a number. Whatever the kind, a list is evaluated top down, the first matching entry decides, and a packet that matches no entry is dropped by the implicit deny at the end of every list.
Lab 1: Standard access control list
Lab topology: (diagram not reproduced)


Lab content:
(1) Basic router configuration:
Basic configuration on R1
interface Loopback0
ip address 192.168.10.1 255.255.255.0
! the secondary addresses on one interface stand in for several PCs
ip address 192.168.10.2 255.255.255.0 secondary
ip address 192.168.10.3 255.255.255.0 secondary
ip address 192.168.10.4 255.255.255.0 secondary
ip address 192.168.10.5 255.255.255.0 secondary
interface Serial0
ip address 10.10.1.1 255.255.255.0
clockrate 64000
router rip
network 10.0.0.0
network 192.168.10.0
Basic configuration on R2
interface Serial1
ip address 10.10.1.2 255.255.255.0
router rip
network 10.0.0.0
(2) Test reachability from R2 before any ACL is applied.
R2#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
R2#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
R2#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
R2#ping 192.168.10.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
R2#ping 192.168.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
(3) Configure ACL 10 on R2
R2(config)#access-list 10 permit 192.168.10.1
R2(config)#access-list 10 permit 192.168.10.3
R2(config)#access-list 10 permit 192.168.10.5
(10 is the list number; standard ACLs use 1-99, or 1300-1999 in the expanded range. A standard entry with no wildcard mask matches that single host. Nothing permits 192.168.10.2 or .4, so they fall to the implicit deny.)
Check the ACL:
R2#show ip access-lists
Standard IP access list 10
    permit 192.168.10.3
    permit 192.168.10.1 (10 matches)
    permit 192.168.10.5
Apply ACL 10 inbound on interface S1
R2(config)#int s1
R2(config-if)#ip access-group 10 in
(IOS may display the host entries of a standard list in a different order from the one typed, as the show output above does; with nothing but permits this changes nothing. Applied inbound on S1, the list filters packets arriving from R1. R2's own echo-requests leave S1 unfiltered, so what the list sees is the echo-reply coming back: a ping succeeds only when the reply's source address is permitted.)
(4) Test the effect of ACL 10
R2#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
R2#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
R2#ping 192.168.10.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
Compare the results before and after ACL 10 to see what an ACL does for network management and network security. A standard ACL can only filter on the source address; when you need to filter on the destination or on the type of traffic you need an extended ACL, which the next lab configures. Standard lists are simpler and less often used as interface filters, but they remain the right tool where only the source matters, for example restricting vty login with access-class.
Lab 2: Extended ACL
Lab topology: (diagram not reproduced)



Lab content:
1. Basic router configuration
Basic configuration on R1
interface Loopback0
ip address 192.168.10.1 255.255.255.0
! the secondary addresses on one interface stand in for several PCs
ip address 192.168.10.2 255.255.255.0 secondary
ip address 192.168.10.3 255.255.255.0 secondary
ip address 192.168.10.4 255.255.255.0 secondary
ip address 192.168.10.5 255.255.255.0 secondary
interface Serial0
ip address 10.10.1.1 255.255.255.0
clockrate 64000
router rip
network 10.0.0.0
network 192.168.10.0
Basic configuration on R2
interface Serial0
ip address 192.168.100.1 255.255.255.0
clockrate 64000
!
interface Serial1
ip address 10.10.1.2 255.255.255.0
!
router rip
network 10.0.0.0
network 192.168.100.0
Basic configuration on R3
interface Serial1
ip address 192.168.100.2 255.255.255.0
router rip
network 192.168.100.0
Test connectivity (before the ACL):
R3#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
R3#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/60/64 ms
R3#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/68/100 ms
R3#ping 192.168.10.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/68/100 ms
R3#ping 192.168.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
Configure ACL 110 on R2 (extended lists use numbers 100-199, or 2000-2699 in the expanded range):
R2(config)#access-list 110 deny ip host 192.168.100.2 host 192.168.10.1
R2(config)#access-list 110 deny ip host 192.168.100.2 host 192.168.10.2
R2(config)#access-list 110 deny ip host 192.168.100.2 host 192.168.10.3
R2(config)#access-list 110 permit ip any any
(The final permit is essential: without it the implicit deny would drop all other traffic crossing the interface.)
Check the ACL:
R2#show ip access-lists
Apply ACL 110 outbound on S1 (the interface toward R1)
R2(config)#int s1
R2(config-if)#ip access-group 110 out
(Packets from R3 enter R2 on S0 and leave on S1, so an outbound list on S1 sees every packet R3 sends toward 192.168.10.0/24. The same list applied inbound on S0 gives the same result and drops the packets before R2 routes them; placing extended lists close to the source is the usual recommendation.)
(4) Test the effect of ACL 110
R3#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 192.168.10.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
R3#ping 192.168.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
Summary: Comparing the ping results before and after ACL 110 shows that an extended ACL can filter on the destination address. It can also filter on the type of traffic. For example, access-list 110 permit tcp host 192.168.100.1 host 192.168.10.1 eq www permits HTTP from 192.168.100.1 to 192.168.10.1 (the protocol keyword comes after the action, and eq www applies to the destination port because it follows the destination address). Because of the implicit deny, a list consisting of that single entry allows nothing but HTTP between the two hosts; to block only HTTP and pass everything else, use deny with eq www followed by permit ip any any.
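The two labs above rest on one rule: entries are tried top down, the first match wins, and a packet matching nothing is dropped by the implicit deny. The Python model below is an added example, not part of the handout; it parses the lab's own ACL 10 and ACL 110 lines (the subset of IOS syntax used here: standard and extended numbered lists with host, any, wildcard masks and eq ports) and replays the ping tests of both labs, including the point that ACL 10 inbound on S1 only ever sees the echo-replies. List number 111 and the packets fed to the lists are constructed for the example.

```python
"""First-match model of Cisco IOS numbered ACLs.

Added example, not part of the handout. It parses the subset of IOS syntax the
two labs use (standard and extended numbered lists with host, any, wildcard
masks and eq ports) and replays the ping tests of Labs 1 and 2.
"""
import ipaddress

# Port keywords used on this page, mapped to the numbers IOS expands them to.
PORT_NAMES = {"www": 80, "echo": 7, "chargen": 19, "snmp": 161}
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care' (inverse of a netmask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def _take_addr(tok, standard):
    """Consume one address spec, return ((base, wildcard), remaining tokens).
    Only a standard list may give a bare address, which then means one host."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    if not standard or (len(tok) > 1 and tok[1][0].isdigit()):
        return (tok[0], tok[1]), tok[2:]
    return (tok[0], "0.0.0.0"), tok[1:]


def parse_acl(lines):
    """Group `access-list N ...` lines into {N: [entry, ...]} in typed order."""
    acls = {}
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number = int(tok[1])
        entry = {"action": tok[2], "proto": "ip", "src": ANY, "dst": ANY, "dport": None}
        if number <= 99 or 1300 <= number <= 1999:       # standard: source only
            entry["src"], _ = _take_addr(tok[3:], standard=True)
        else:                                            # extended
            entry["proto"] = tok[3]
            entry["src"], rest = _take_addr(tok[4:], standard=False)
            entry["dst"], rest = _take_addr(rest, standard=False)
            if rest[:1] == ["eq"]:
                entry["dport"] = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls.setdefault(number, []).append(entry)
    return acls


def entry_matches(entry, pkt):
    """pkt is a dict with proto, src, dst and, for tcp/udp, dport."""
    return (entry["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], *entry["src"])
            and wildcard_match(pkt["dst"], *entry["dst"])
            and (entry["dport"] is None or pkt.get("dport") == entry["dport"]))


def evaluate(entries, pkt):
    """First matching entry wins; no match is the implicit deny IOS never shows."""
    for index, entry in enumerate(entries):
        if entry_matches(entry, pkt):
            return entry["action"], index
    return "deny", None


# Lab 1: ACL 10 inbound on R2 S1. R2's echo-requests leave unfiltered; the list
# only ever sees the echo-replies coming back from R1's loopback addresses.
LAB1_ACL = parse_acl(["access-list 10 permit 192.168.10.1",
                      "access-list 10 permit 192.168.10.3",
                      "access-list 10 permit 192.168.10.5"])[10]

# Lab 2: ACL 110 outbound on R2 S1, so it sees R3's echo-requests toward R1.
LAB2_ACL = parse_acl(["access-list 110 deny ip host 192.168.100.2 host 192.168.10.1",
                      "access-list 110 deny ip host 192.168.100.2 host 192.168.10.2",
                      "access-list 110 deny ip host 192.168.100.2 host 192.168.10.3",
                      "access-list 110 permit ip any any"])[110]


def lab1_ping_ok():
    """Each R1 loopback address -> whether R2's ping to it gets its replies."""
    return {f"192.168.10.{h}": evaluate(LAB1_ACL, {"proto": "icmp",
            "src": f"192.168.10.{h}", "dst": "10.10.1.2"})[0] == "permit"
            for h in range(1, 6)}


def lab2_ping_ok():
    """Same for R3 (192.168.100.2) pinging R1 through ACL 110."""
    return {f"192.168.10.{h}": evaluate(LAB2_ACL, {"proto": "icmp",
            "src": "192.168.100.2", "dst": f"192.168.10.{h}"})[0] == "permit"
            for h in range(1, 6)}


def www_only(dport):
    """The summary's port example (list number 111 is constructed): one permit
    for HTTP leaves every other TCP port to the implicit deny."""
    acl = parse_acl(["access-list 111 permit tcp host 192.168.100.1 "
                     "host 192.168.10.1 eq www"])[111]
    return evaluate(acl, {"proto": "tcp", "src": "192.168.100.1",
                          "dst": "192.168.10.1", "dport": dport})[0]
```

Calling lab1_ping_ok() gives True for .1, .3 and .5 and False for .2 and .4, matching step (4) of Lab 1; lab2_ping_ok() gives False for .1 to .3 and True for .4 and .5, matching Lab 2. www_only(80) returns "permit" while www_only(23) returns "deny", which is the implicit deny the summary describes.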
Lab 3: Named ACLs
Because a named ACL does the same job as a standard or extended numbered list, only the configuration method is shown here:
rack03-1(config)#ip access-list extended www (define the named ACL; the keyword standard or extended fixes which kind it is)
rack03-1(config-ext-nacl)#permit tcp any any (add entries; the syntax is the numbered one without the access-list N prefix)
rack03-1(config-ext-nacl)#deny udp any any
rack03-1(config-ext-nacl)#exit
Why use named lists?
With the classic numbered syntax, removing a single entry with no access-list 10 ... removes the whole list, which makes changes awkward, whereas entries of a named list can be added and removed individually. (Since IOS 12.3 every entry carries a sequence number and numbered lists can also be edited entry by entry by entering ip access-list standard 10 or ip access-list extended 110, so the practical difference is smaller than it once was.)
Lab 4: Using access-lists against the Blaster worm
Recently the Blaster worm (WORM_MSBlast.A) started spreading on the domestic Internet and on some private networks. The access-list I had put on the access layer earlier did its job!
access-list 120 deny 53 any any
access-list 120 deny 55 any any
access-list 120 deny 77 any any
access-list 120 deny 103 any any
Use the four entries above with caution! (They match IP protocol numbers, not ports: 53 SWIPE, 55 IP Mobility, 77 Sun ND, 103 PIM. Denying 103 breaks PIM multicast routing if you run it.)
The handout pastes two blocks both numbered 120 with a permit ip any any between them. Since the first match wins, every entry typed after that permit is never reached and the second permit is redundant. Merged into one list below, with the single permit last:
! Blaster exploits the RPC DCOM service on TCP 135, opens a shell on TCP 4444
! and fetches its binary over TFTP (UDP 69); 593 is RPC over HTTP.
access-list 120 deny tcp any any eq echo
access-list 120 deny tcp any any eq chargen
access-list 120 deny tcp any any eq 135
access-list 120 deny tcp any any eq 136
access-list 120 deny tcp any any eq 137
access-list 120 deny tcp any any eq 138
access-list 120 deny tcp any any eq 139
access-list 120 deny tcp any any eq 389
access-list 120 deny tcp any any eq 445
access-list 120 deny tcp any any eq 593
! newly added
access-list 120 deny tcp any any eq 4444
! newly added
access-list 120 deny udp any any eq 69
access-list 120 deny udp any any eq 135
access-list 120 deny udp any any eq 136
access-list 120 deny udp any any eq 137
access-list 120 deny udp any any eq 138
access-list 120 deny udp any any eq 139
access-list 120 deny udp any any eq snmp
access-list 120 deny udp any any eq 389
access-list 120 deny udp any any eq 445
access-list 120 deny udp any any eq 593
! UDP 1434 is the SQL Slammer vector; 1433 is SQL Server itself
access-list 120 deny udp any any eq 1434
access-list 120 deny udp any any eq 1433
! dropping echo both ways stops ping sweeps but also breaks ping for troubleshooting
access-list 120 deny icmp any any echo
access-list 120 deny icmp any any echo-reply
access-list 120 permit ip any any
access-list 115 deny icmp any any echo
access-list 115 deny icmp any any echo-reply
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq 69
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 permit ip any any
interface <name>
ip access-group 115 in
ip access-group 115 out
If you are blocking this on a PIX instead:
access-list 115 deny icmp any any echo
access-list 115 deny icmp any any echo-reply
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq 69
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 permit ip any any
access-group 115 in interface inside
access-group 115 in interface outside
(On the PIX the word after the list name is the direction and the word after interface is the interface name; inside and outside are assumed here as the default names, substitute your own. PIX 6.x applies access-groups inbound only, which is why both interfaces get in.)
Lab 5: Limiting or blocking BitTorrent downloads on a router
Rate limiting:
access-list 130 remark bt
access-list 130 permit tcp any any range 6881 6890
access-list 130 permit tcp any range 6881 6890 any
rate-limit input access-group 130 712000 8000 8000 conform-action transmit exceed-action drop
rate-limit output access-group 130 712000 8000 8000 conform-action transmit exceed-action drop
(Both rate-limit commands go under the interface. Here permit means "belongs to the class", not "allow": CAR uses the list as a classifier, and traffic the list denies is simply not rate-limited. 712000 is the average rate in bits per second; the two 8000 values are the normal and excess burst sizes in bytes.)
Blocking:
access-list 131 deny tcp any any range 6881 6890
access-list 131 deny tcp any range 6881 6890 any
access-list 131 permit ip any any
ip access-group 131 in (or out)
(The handout reuses number 130 for this list; a number names one list, so a different number is used here to keep it apart from the rate-limit class. The final permit is required: a list consisting only of denies ends in the implicit deny and blocks all traffic on the interface.)
Some BT clients simply change port once they are blocked. That is rather frustrating!
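Both the worm list in Lab 4 and the blocking list in Lab 5 show mistakes IOS accepts without complaint: entries typed after a permit ip any any that are never reached, duplicated entries, and a list made only of denies that blocks everything because of the implicit deny. The linter below is an added example, not from the page; it works on the access-list lines as text, and its two sample lists are copied from this page (the worm list shortened to the entries around the misplaced permit).

```python
"""Ordering and completeness checks for IOS numbered ACLs.

Added example, not from the handout. Three things IOS accepts silently:
entries after `<permit|deny> ip any any` (never reached: first match wins),
exact duplicates, and lists with no permit at all (the implicit deny then
drops every packet on the interface). Works on the config lines as text.
"""


def _entry(line):
    """Return (list_number, action, body) for an `access-list` line, else None."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
        return None
    return tok[1], tok[2], " ".join(tok[2:])


def _is_catch_all(body):
    """True for `permit ip any any` / `deny ip any any`: nothing after it matters."""
    return body.split()[1:] == ["ip", "any", "any"]


def lint_acl(lines):
    """Return findings as (list_number, kind, body) tuples, in line order."""
    findings, seen, catch_all, has_permit = [], {}, {}, set()
    for line in lines:
        entry = _entry(line)
        if entry is None:
            continue
        num, action, body = entry
        bodies = seen.setdefault(num, set())
        if num in catch_all:
            findings.append((num, "unreachable", body))   # shadowed by X ip any any
        elif body in bodies:
            findings.append((num, "duplicate", body))
        bodies.add(body)
        if action == "permit":
            has_permit.add(num)
        if _is_catch_all(body):
            catch_all.setdefault(num, body)
    for num in seen:
        if num not in has_permit:
            findings.append((num, "no-permit", None))
    return findings


def normalise(lines):
    """Rebuild every list without duplicates or unreachable entries and with
    its catch-all entry moved to the end, where it belongs."""
    lists, tails, seen = {}, {}, {}
    for line in lines:
        entry = _entry(line)
        if entry is None:
            continue
        num, _, body = entry
        bodies = seen.setdefault(num, set())
        if num in tails or body in bodies:
            continue                      # unreachable or duplicate: drop it
        bodies.add(body)
        if _is_catch_all(body):
            tails[num] = line.strip()
        else:
            lists.setdefault(num, []).append(line.strip())
    out = []
    for num in seen:
        out += lists.get(num, [])
        if num in tails:
            out.append(tails[num])
    return out


# Constructed from the page: the worm list around its misplaced permit ...
WORM_ACL = """
access-list 120 deny tcp any any eq 135
access-list 120 deny tcp any any eq 4444
access-list 120 deny udp any any eq 69
access-list 120 permit ip any any
access-list 120 deny icmp any any echo
access-list 120 deny tcp any any eq 135
access-list 120 deny tcp any any eq 593
access-list 120 permit ip any any
""".strip().splitlines()

# ... and the BT "block" list exactly as the page gives it, with no permit at all.
BT_DENY_ONLY = """
access-list 130 remark bt
access-list 130 deny tcp any any range 6881 6890
access-list 130 deny tcp any range 6881 6890 any
""".strip().splitlines()

if __name__ == "__main__":
    for finding in lint_acl(WORM_ACL) + lint_acl(BT_DENY_ONLY):
        print(finding)
    print("\n".join(normalise(WORM_ACL)))
```

On WORM_ACL the linter reports the four entries after the first permit as unreachable (the repeated deny of TCP 135 among them); on BT_DENY_ONLY it reports a list with no permit. normalise(WORM_ACL) returns the three denies followed by a single permit ip any any, and linting that result reports nothing.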