Packet Tracer 5.0 CCNA Lab Walkthrough (15): Simple ACL Configuration


  Packet Tracer 5.0 is a very good Cisco network device simulator, and for anyone preparing for an entry-level Cisco certification such as the CCNA it is an excellent choice. Most of us do not have many real Cisco devices around to study and troubleshoot on, training courses are expensive, and hands-on lab time is limited, so practising Cisco IOS commands in Packet Tracer 5.0 works very well. Recently I downloaded the Cisco CCNA 640-802 study guide, and I plan to follow it to share how to use Packet Tracer 5.0, along with tips and tricks, with fellow readers, hoping to spark further discussion.
 
  An ACL (Access Control List) is, simply put, packet filtering: packets are filtered on information in their headers such as the IP addresses and the protocol port numbers. ACLs can be used to enforce security controls. Numbering: 1-99 or 1300-1999 (standard IP), 100-199 or 2000-2699 (extended IP). ACLs themselves are not complicated, but applying them appropriately in practice requires a sound policy.

  I. Lab topology

Figure 1

Figure 2: DNS server in the network: 192.168.1.2

Figure 3: WWW server in the network: 192.168.1.3
  II. Basic configuration of the three routers
LuoShan#sh startup-config
Using 699 bytes
!
version 12.4
no service password-encryption
!
hostname LuoShan
!
!
enable password cisco
!
!
!
!
username senya password 0 cisco
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.18.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.3.0
network 172.17.0.0
network 172.18.0.0
auto-summary
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
password cisco
login
!
!
end
HuangChuang#sh startup-config
Using 669 bytes
!
version 12.4
no service password-encryption
!
hostname HuangChuang
!
!
enable password cisco
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.2 255.255.255.0
!
interface Serial0/3/1
ip address 172.16.1.1 255.255.255.0
clock rate 56000
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.2.0
network 172.17.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
password cisco
login
!
!
end
xixian#sh startup-config
Using 679 bytes
!
version 12.4
service password-encryption
!
hostname xixian
!
!
enable password 7 0822455D0A16
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.18.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.16.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.1.0
network 172.18.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
password 7 0822455D0A16
login
!
!
end
  III. Configuring simple ACLs
  1. Configure an ACL to restrict which hosts may log in to the router remotely
HuangChuang#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HuangChuang(config)#access-list 1 permit host 192.168.2.2 \\ router HuangChuang only allows 192.168.2.2 to log in remotely (telnet)
HuangChuang(config)#line vty 0 4
HuangChuang(config-line)#access-class 1 in
HuangChuang(config-line)#
  The other two routers are configured similarly.
  2. Configure an ACL that blocks ICMP packets from the 192.168.3.0/24 segment to the 192.168.1.0/24 segment
xixian(config)#access-list 101 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
xixian(config)#access-list 101 permit ip any any
xixian(config)#int fa0/1
xixian(config-if)#ip access-group 101 out
xixian(config-if)#
  3. Configure an ACL to block traffic on specific protocol ports
HuangChuang#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HuangChuang(config)#ip access-list extended ACL1  \\ create a named extended ACL
HuangChuang(config-ext-nacl)#deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq 80
HuangChuang(config-ext-nacl)#deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq 53
HuangChuang(config-ext-nacl)#permit ip any any
HuangChuang(config-ext-nacl)#exit
HuangChuang(config)#int fa0/1
HuangChuang(config-if)#ip access-group ACL1 in
HuangChuang(config-if)#

Figure 4: Verifying the ACL
  4. Verify and view the ACLs
HuangChuang#sh access-list
Standard IP access list 1
    permit host 192.168.2.2 (4 match(es))
Extended IP access list ACL1
    deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain
    deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www
    permit ip any any
HuangChuang#show access-list
Standard IP access list 1
    permit host 192.168.2.2 (4 match(es))
Extended IP access list ACL1
    deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain (15 match(es))
    deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www (60 match(es))
    permit ip any any (34 match(es))
HuangChuang#show access-list ACL1
Extended IP access list ACL1
    deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain (15 match(es))
    deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www (60 match(es))
    permit ip any any (34 match(es))
HuangChuang#show access-list 1
Standard IP access list 1
    permit host 192.168.2.2 (4 match(es))
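As an added example (not part of the original post, and not Packet Tracer or IOS code), the small Python evaluator below re-implements the matching rules these ACLs rely on: wildcard masks, first-match ordering, and the implicit deny at the end of every list. It is loaded with the page's ACL 1, ACL 101 and ACL1 exactly as `show access-list` prints them; the test packets are constructed, and the port keywords `www` and `domain` are mapped to 80 and 53 as IOS does. The `Packet`, `Entry`, `parse_entry` and `evaluate` names are this example's own. Running it also shows what happens when `permit ip any any` is left off ACL1: every host on 192.168.2.0/24 is silently blocked, which is the most common ACL mistake.

```python
"""Toy evaluator for Cisco-style IPv4 ACLs with wildcard masks.

Added example: this is not IOS or Packet Tracer code; it reproduces the
first-match / implicit-deny semantics so the page's ACLs can be checked offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS prints well-known ports by keyword ("eq www", "eq domain"); accept both forms.
PORT_KEYWORDS = {"www": 80, "domain": 53, "telnet": 23, "ftp": 21, "smtp": 25}
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255 matches every address


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"           # "ip", "icmp", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[int, int]        # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int] = None


def _addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_entry(line: str, standard: bool = False) -> Entry:
    """Parse one ACE as IOS shows it, e.g. 'deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www'."""
    tokens = line.split()
    if tokens[0] == "access-list":      # tolerate the numbered 'access-list N ...' form
        tokens = tokens[2:]
    action, i = tokens[0], 1
    if standard:                        # standard ACLs look at the source address only
        src, i = _addr(tokens, i)
        return Entry(action, "ip", src, ANY)
    proto, i = tokens[i], i + 1
    src, i = _addr(tokens, i)
    dst, i = _addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_KEYWORDS.get(tokens[i + 1]) or int(tokens[i + 1])
    return Entry(action, proto, src, dst, dport)


def _match_addr(addr: str, spec: Tuple[int, int]) -> bool:
    """Wildcard semantics: every bit that is 0 in the wildcard must equal the network bit."""
    net, wild = spec
    return (int(ipaddress.IPv4Address(addr)) ^ net) & ~wild & 0xFFFFFFFF == 0


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match at all means the implicit deny (index None)."""
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_match_addr(pkt.src, e.src) and _match_addr(pkt.dst, e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, idx
    return "deny", None


# The page's ACLs, entered as 'show access-list' displays them.
ACL_1_VTY = [parse_entry("permit host 192.168.2.2", standard=True)]
ACL_101 = [
    parse_entry("access-list 101 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255"),
    parse_entry("access-list 101 permit ip any any"),
]
ACL1 = [
    parse_entry("deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain"),
    parse_entry("deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www"),
    parse_entry("permit ip any any"),
]

if __name__ == "__main__":
    # Constructed sample traffic toward the DNS (192.168.1.2) and WWW (192.168.1.3) servers.
    samples = [
        ("ACL 101", ACL_101, Packet("192.168.3.2", "192.168.1.3", "icmp")),
        ("ACL 101", ACL_101, Packet("192.168.3.2", "192.168.1.3", "tcp", 80)),
        ("ACL1", ACL1, Packet("192.168.2.2", "192.168.1.3", "tcp", 80)),
        ("ACL1", ACL1, Packet("192.168.2.3", "192.168.1.2", "udp", 53)),
        ("ACL1 without permit any", ACL1[:2], Packet("192.168.2.5", "192.168.1.3", "tcp", 80)),
        ("vty ACL 1", ACL_1_VTY, Packet("192.168.2.3", "192.168.2.1", "tcp", 23)),
    ]
    for name, acl, pkt in samples:
        print(f"{name:24} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {evaluate(acl, pkt)}")
```

Two points the script makes visible: `access-class 1 in` on the vty lines evaluates a standard ACL, so only the source address is considered, and any host other than 192.168.2.2 hits the implicit deny; and the script does not model interface direction, so it cannot tell you that ACL1 must be applied `in` on fa0/1 (traffic from the LAN entering the router) while ACL 101 is applied `out` toward 192.168.1.0/24. Placement and direction still have to be checked against the topology.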
  IV. Router configurations after the ACLs are applied
HuangChuang#sh startup-config
Using 914 bytes
!
version 12.4
no service password-encryption
!
hostname HuangChuang
!
!
enable password cisco
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip access-group ACL1 in
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.2 255.255.255.0
!
interface Serial0/3/1
ip address 172.16.1.1 255.255.255.0
clock rate 56000
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.2.0
network 172.17.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
access-list 1 permit host 192.168.2.2
ip access-list extended ACL1
deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain
deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www
permit ip any any
!
!
!
line con 0
line vty 0 4
access-class 1 in
password cisco
login
!
!
end
LuoShan#sh startup-config
Using 756 bytes
!
version 12.4
no service password-encryption
!
hostname LuoShan
!
!
enable password cisco
!
!
!
!
username senya password 0 cisco
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.18.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.3.0
network 172.17.0.0
network 172.18.0.0
auto-summary
!
ip classless
!
!
access-list 2 permit host 192.168.3.2
!
!
!
line con 0
line vty 0 4
access-class 2 in
password cisco
login
!
!
end
xixian#show startup-config
Using 808 bytes
!
version 12.4
service password-encryption
!
hostname xixian
!
!
enable password 7 0822455D0A16
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 out
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.18.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.16.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.1.0
network 172.18.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
access-list 101 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
line con 0
line vty 0 4
password 7 0822455D0A16
login
!
!
end