ACL configuration:
Lab topology diagram:
IP address assignment:
pc2:192.168.0.3
sw1:192.168.0.2
r1:
f0/0:192.168.0.1
s1/0:219.146.0.1
r2:
s1/0:219.146.0.2
s1/1:219.146.1.1
r3:
s1/0:219.146.1.2
f0/0:192.168.1.1
sw3:192.168.1.2
pc5:192.168.1.3
Lab objectives:
(1) pc2 must not be able to ping pc5 from 9:00 to 17:00, Monday through Friday; everything else is unaffected.
(2) Deny all traffic from pc2.
(3) r1 allows only the single host pc5 to telnet, and only between 9:00 and 17:00 each day.
(4) r1 allows only the single host pc5 to telnet.
(5) pc5 may communicate with the outside world only via ping.
Basic configuration:
r1:
Router>en
Router#conf t
Router(config)#enable secret abc
Router(config)#line console 0
Router(config-line)#password abc
Router(config-line)#login
Router(config-line)#logging synchronous
Router(config-line)#exec-timeout 0 0
Router(config-line)#exi
Router(config)#no ip domain lookup
Router(config)#no cdp run
Router(config)#hostname r1
r1(config)#in f0/0
r1(config-if)#ip add 192.168.0.1 255.255.255.0
r1(config-if)#no shut
r1(config-if)#in s1/0
r1(config-if)#ip add 219.146.0.1 255.255.255.0
r1(config-if)#no shut
r1(config-if)#exi
r1(config)#router ospf 10
r1(config-router)#network 219.146.0.0 0.0.0.255 a 0
r1(config-router)#network 192.168.0.0 0.0.0.255 a 0
r1(config-router)#exi
r2:
Router>en
Router#conf t
Router(config)#enable secret abc
Router(config)#line console 0
Router(config-line)#password abc
Router(config-line)#login
Router(config-line)#logging synchronous
Router(config-line)#exec-timeout 0 0
Router(config-line)#exi
Router(config)#no ip domain lookup
Router(config)#no cdp run
Router(config)#hostname r2
r2(config)#in s1/0
r2(config-if)#ip add 219.146.0.2 255.255.255.0
r2(config-if)#no shut
r2(config-if)#in s1/1
r2(config-if)#ip add 219.146.1.1 255.255.255.0
r2(config-if)#no shut
r2(config-if)#exi
r2(config)#router ospf 10
r2(config-router)#network 219.146.0.0 0.0.0.255 a 0
r2(config-router)#network 219.146.1.0 0.0.0.255 a 0
r2(config-router)#exi
r3:
Router>en
Router#conf t
Router(config)#enable secret abc
Router(config)#line console 0
Router(config-line)#password abc
Router(config-line)#login
Router(config-line)#logging synchronous
Router(config-line)#exec-timeout 0 0
Router(config-line)#exi
Router(config)#no ip domain lookup
Router(config)#no cdp run
Router(config)#hostname r3
r3(config)#in s1/0
r3(config-if)#ip add 219.146.1.2 255.255.255.0
r3(config-if)#no shut
r3(config-if)#in f0/0
r3(config-if)#ip add 192.168.1.1 255.255.255.0
r3(config-if)#no shut
r3(config-if)#exi
r3(config)#router ospf 10
r3(config-router)#network 219.146.1.0 0.0.0.255 a 0
r3(config-router)#network 192.168.1.0 0.0.0.255 a 0
r3(config-router)#exi
IP address configuration of the PCs and switches (omitted)
(1) pc2 must not be able to ping pc5 from 9:00 to 17:00, Monday through Friday; everything else is unaffected.
pc2#p 219.146.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/127/212 ms
The test shows that communication currently works. Next, build the access control list.
r1(config)#time-range nop // create a time range
r1(config-time-range)#periodic weekdays 9:00 to 17:00 // 9:00 to 17:00, Monday through Friday
r1(config-time-range)#exi
r1(config)#ip access-list extended f0 // create a named list
r1(config-ext-nacl)#deny icmp host 192.168.0.3 host 219.146.1.2 time-range nop // deny icmp from 192.168.0.3 to 219.146.1.2 during the time range
r1(config-ext-nacl)#permit ip any any // permit all other traffic from anyone
r1(config-ext-nacl)#exi
r1(config)#in f0/0
r1(config-if)#ip access-group f0 in // apply the list in the inbound direction on the interface
r1(config-if)#exi
r1#clock set 11:00:00 nov 26 2009 // set the clock
Enable the telnet service:
r3(config)#line vty 0 903
r3(config-line)#pass abc
r3(config-line)#login
r3(config-line)#exi
Test:
pc2#p 219.146.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.1.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
The ping now fails, so the list is in effect. Ping another host:
pc2#p 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/148/312 ms
Fine: only the ping is blocked. Now test telnet:
pc2#telnet 219.146.1.2
Trying 219.146.1.2 ... Open
User Access Verification
Password:
r3>
r3>exi
[Connection to 219.146.1.2 closed by foreign host]
Telnet works, so the list behaves as intended. Now test from r3:
r3(config)#do p 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r3 can no longer ping pc2 either, which is not what we want.
Analysis: the replies to r3's ping of pc2 are denied on their way back in at r1's f0/0, so the ping fails. The fix:
r1(config)#ip access-list extended s1 // create a named list
r1(config-ext-nacl)#permit icmp host 219.146.1.2 host 192.168.0.3 reflect abc // tag r3's icmp traffic with the reflexive entry abc; pc2's replies match that entry, so r1's f0/0 can check for it: traffic with an abc entry passes, traffic without one is denied. A session initiated by pc2 itself never creates an abc entry, so it cannot pass.
r1(config-ext-nacl)#permit ip any any
r1(config-ext-nacl)#exi
r1(config)#no ip acce ex f0 // remove the list created earlier
r1(config)#ip access-list extended f0 // recreate the named list
r1(config-ext-nacl)#evaluate abc // check the abc reflexive entries first
r1(config-ext-nacl)#deny icmp host 192.168.0.3 host 219.146.1.2 time-range nop // deny pc2's icmp traffic
r1(config-ext-nacl)#permit ip any any // permit all other traffic from anyone
r1(config-ext-nacl)#exi
r1(config)#in s1/0
r1(config-if)#ip access-group s1 in // apply on r1's s1/0; traffic arriving there creates the abc entries
r1(config-if)#exi
List f0 is already applied on r1's f0/0, so it does not need to be applied again.
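The analysis above is easier to follow when the list is evaluated one entry at a time. The following Python model is an added example, not code from the original post or from Cisco: it implements first-match evaluation with the implicit deny at the end of every list, skips entries whose time-range is inactive, and models `reflect`/`evaluate` as a table of mirrored flows. The class and function names (`Packet`, `Ace`, `Router`, `lab_task1`) are my own; the addresses and list contents are those of the lab, and the clock is assumed to be inside the `nop` window unless stated otherwise.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "icmp" or "tcp"
    src: str
    dst: str
    dport: Optional[int] = None  # tcp destination port, e.g. 23 for telnet


@dataclass
class Ace:
    """One entry of an IOS extended named ACL (only the fields the lab uses)."""
    action: str                       # "permit", "deny" or "evaluate"
    proto: str = "ip"                 # "ip" matches every protocol
    src: str = "any"                  # "any", "host a.b.c.d" or "a.b.c.d/len"
    dst: str = "any"
    dport: Optional[int] = None       # "eq telnet" -> 23
    time_range: Optional[str] = None  # entry is ignored while the range is inactive
    reflect: Optional[str] = None     # permit ... reflect <name>
    evaluate: Optional[str] = None    # evaluate <name>


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


def _ace_match(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


class Router:
    def __init__(self) -> None:
        self.acls: Dict[str, List[Ace]] = {}
        self.inbound_acl: Dict[str, str] = {}   # interface -> list applied "in"
        # reflexive list name -> mirrored (proto, src, dst) entries; an ICMP entry
        # carries no port, so it matches any ICMP between the two addresses
        self.reflexive: Dict[str, Set[Tuple[str, str, str]]] = {}
        self.active_ranges: Set[str] = set()

    def inbound(self, ifname: str, pkt: Packet) -> str:
        """Return 'permit' or 'deny' for a packet arriving on ifname."""
        name = self.inbound_acl.get(ifname)
        if name is None:
            return "permit"                     # no list applied on this interface
        for ace in self.acls[name]:
            if ace.action == "evaluate":
                # nested reflexive list: permit on a match, otherwise keep going
                if (pkt.proto, pkt.src, pkt.dst) in self.reflexive.get(ace.evaluate, set()):
                    return "permit"
                continue
            if ace.time_range is not None and ace.time_range not in self.active_ranges:
                continue                        # inactive time-range: entry not consulted
            if _ace_match(ace, pkt):
                if ace.action == "permit" and ace.reflect is not None:
                    # record the mirrored flow so the reply can be matched by evaluate
                    self.reflexive.setdefault(ace.reflect, set()).add((pkt.proto, pkt.dst, pkt.src))
                return ace.action
        return "deny"                           # implicit deny at the end of every list


PC2, PC5, R3_S1 = "192.168.0.3", "192.168.1.3", "219.146.1.2"


def lab_task1(with_reflexive: bool, window_active: bool = True) -> Dict[str, str]:
    """Replay the task (1) traffic through r1, with or without the reflexive fix."""
    r1 = Router()
    if window_active:
        r1.active_ranges.add("nop")             # clock inside the weekday 9:00-17:00 window
    f0 = [Ace("deny", "icmp", f"host {PC2}", f"host {R3_S1}", time_range="nop"),
          Ace("permit")]                        # permit ip any any
    if with_reflexive:
        f0.insert(0, Ace("evaluate", evaluate="abc"))
        r1.acls["s1"] = [Ace("permit", "icmp", f"host {R3_S1}", f"host {PC2}", reflect="abc"),
                         Ace("permit")]
        r1.inbound_acl["s1/0"] = "s1"
    r1.acls["f0"] = f0
    r1.inbound_acl["f0/0"] = "f0"

    out: Dict[str, str] = {}
    # r3 pings pc2: the echo enters on s1/0, the reply comes back in on f0/0
    out["r3->pc2 echo"] = r1.inbound("s1/0", Packet("icmp", R3_S1, PC2))
    out["pc2->r3 reply"] = r1.inbound("f0/0", Packet("icmp", PC2, R3_S1))
    # pc2's own tests, evaluated with no session left over from r3's ping
    r1.reflexive.clear()
    out["pc2->r3 echo"] = r1.inbound("f0/0", Packet("icmp", PC2, R3_S1))
    out["pc2->pc5 echo"] = r1.inbound("f0/0", Packet("icmp", PC2, PC5))
    out["pc2->r3 telnet"] = r1.inbound("f0/0", Packet("tcp", PC2, R3_S1, dport=23))
    return out


if __name__ == "__main__":
    for fixed in (False, True):
        print("with reflexive entry:" if fixed else "list f0 only:", lab_task1(fixed))
```

With list f0 alone the model returns `deny` for the reply from pc2 to r3 while r3's own echo passes (there is no list on s1/0), which is exactly the failed ping seen on r3 above; with list s1 plus `evaluate abc` the reply is permitted and a ping started by pc2 is still denied. One detail the model makes explicit: an ICMP reflexive entry carries no port, so while the entry created by r3's ping exists it also matches pc2's own echo requests toward 219.146.1.2 until its idle timeout expires, which is why pc2's tests are evaluated here against an empty reflexive table.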
pc2#p 219.146.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.1.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
From pc2 the ping still fails, as expected.
pc2#p 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/148/312 ms
Other hosts can be pinged, also as expected.
pc2#telnet 219.146.1.2
Trying 219.146.1.2 ... Open
User Access Verification
Password:
r3>
r3>exi
[Connection to 219.146.1.2 closed by foreign host]
Telnet to r3 works.
r3(config)#do p 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/142/256 ms
r3 can now ping pc2; the objective is met.
(2) Deny all traffic from pc2.
r1(config)#no ip acce ex s1 // remove the lists created earlier
r1(config)#no ip acce ex f0
r1(config)#in s1/0
r1(config-if)#no ip acce s1 in // remove the lists applied on the interfaces
r1(config-if)#in f0/0
r1(config-if)#no ip acce f0 in
r1(config-if)#exi
r1(config)#access-list 10 deny 192.168.0.3 0.0.0.0 // create a standard list
r1(config)#in f0/0
r1(config-if)#ip access-group 10 in // apply the list in the inbound direction
r1(config-if)#exi
Test:
pc2#p 219.146.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.1.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
pc2#telnet 219.146.1.2
Trying 219.146.1.2 ...
% Destination unreachable; gateway or host down
pc2#p 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
pc5(config)#do p 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
pc2#conf t
pc2(config)#line vty 0 181
pc2(config-line)#pass abc
pc2(config-line)#login
pc2(config-line)#exi
pc5(config)#do telnet 192.168.0.3
Trying 192.168.0.3 ...
% Connection timed out; remote host not responding
All services are denied.
(3) r1 allows only the single host pc5 to telnet, and only between 9:00 and 17:00 each day.
r1(config)#no access-list 10 // remove the list
r1(config)#in f0/0
r1(config-if)#no ip access-group 10 in // remove the applied list
r1(config)#do show time-range // show the time range created earlier
time-range entry: nop (active)
periodic weekdays 9:00 to 17:00
r1(config)#no time-r nop // remove the time range
r1(config)#time-r nop
r1(config-time-range)#periodic daily 9:00 to 17:00 // 9:00 to 17:00 every day
r1(config-time-range)#exi
r1(config)#ip acce ex vty // create a named list
r1(config-ext-nacl)#per tcp 192.168.1.3 0.0.0.0 host 219.146.0.1 eq telnet time-range nop // permit pc5 to telnet r1 during the time range
r1(config-ext-nacl)#deny tcp any host 219.146.0.1 eq tel time-range nop // deny every other host telnet to r1 during the time range
r1(config-ext-nacl)#per ip a a // permit all other traffic from anyone
r1(config-ext-nacl)#exi
r1(config)#in s1/0
r1(config-if)#ip access-group vty in // apply the list in the inbound direction
r1(config-if)#exi
Test:
pc5#tel 219.146.0.1
Trying 219.146.0.1 ... Open
User Access Verification
Password:
r1>
r1>exi
[Connection to 219.146.0.1 closed by foreign host]
sw3#tel 219.146.0.1
Trying 219.146.0.1 ...
% Destination unreachable; gateway or host down
sw3#p 219.146.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 284/387/500 ms
Everything works. To stop hosts on pc2's LAN from telnetting as well, the list must also be applied on r1's f0/0:
r1(config)#in f0/0
r1(config-if)#ip acce vty in
r1(config-if)#exi
pc2#telnet 219.146.0.1
Trying 219.146.0.1 ...
% Destination unreachable; gateway or host down
pc2#p 219.146.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/174/280 ms
The expected result is achieved.
Now change the clock and try again:
r1(config)#en
r1#clock set 18:00:00 nov 26 2009
sw3#tel 219.146.0.1
Trying 219.146.0.1 ... Open
User Access Verification
Password:
r1>
r1>exi
[Connection to 219.146.0.1 closed by foreign host]
pc2#telnet 219.146.0.1
Trying 219.146.0.1 ... Open
User Access Verification
Password:
r1>
r1>exi
[Connection to 219.146.0.1 closed by foreign host]
Once the time window has passed, the list no longer takes effect.
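How a `periodic` statement is matched against the router clock, as an added example that is not part of the original post or of IOS: the two `periodic` forms used in the lab (`weekdays` for time-range nop in task (1), `daily` for the recreated nop in task (3)) are parsed and checked against the two `clock set` values the lab uses, plus a constructed Saturday that shows where the two forms differ. The function names are my own, treating the end time as exclusive is a modelling assumption, and the parser also accepts the single-day names IOS allows, which the page does not use.

```python
from datetime import datetime, time
from typing import Dict, Iterable, Set, Tuple

# Day keywords accepted by `periodic`; values are Python weekday() numbers (Monday == 0).
_DAY_TOKENS = {
    "daily": {0, 1, 2, 3, 4, 5, 6},
    "weekdays": {0, 1, 2, 3, 4},
    "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


def parse_periodic(statement: str) -> Tuple[Set[int], time, time]:
    """Parse 'periodic <days...> H:MM to H:MM' into (weekday set, start, end)."""
    parts = statement.split()
    if len(parts) < 5 or parts[0] != "periodic" or parts[-2] != "to":
        raise ValueError(f"unsupported periodic statement: {statement!r}")
    days: Set[int] = set()
    for token in parts[1:-3]:
        days |= _DAY_TOKENS[token.lower()]
    start = time.fromisoformat(parts[-3].zfill(5))   # "9:00" -> "09:00"
    end = time.fromisoformat(parts[-1].zfill(5))
    return days, start, end


def time_range_active(statements: Iterable[str], clock: datetime) -> bool:
    """A time-range is active when any of its periodic statements covers the clock.
    The end time is treated as exclusive (an assumption of this model)."""
    for stmt in statements:
        days, start, end = parse_periodic(stmt)
        if clock.weekday() in days and start <= clock.time() < end:
            return True
    return False


def parse_clock_set(command: str) -> datetime:
    """Turn an IOS 'clock set HH:MM:SS mon day year' command into a datetime."""
    return datetime.strptime(command.replace("clock set ", "", 1), "%H:%M:%S %b %d %Y")


def lab_check() -> Dict[str, bool]:
    """Evaluate both forms of time-range nop at the clocks the lab sets."""
    weekdays = ["periodic weekdays 9:00 to 17:00"]   # time-range nop in task (1)
    daily = ["periodic daily 9:00 to 17:00"]         # time-range nop in task (3)
    working_hours = parse_clock_set("clock set 11:00:00 nov 26 2009")  # a Thursday
    after_hours = parse_clock_set("clock set 18:00:00 nov 26 2009")
    saturday = datetime(2009, 11, 28, 11, 0)         # constructed, not from the lab
    return {
        "weekdays@thu 11:00": time_range_active(weekdays, working_hours),
        "weekdays@thu 18:00": time_range_active(weekdays, after_hours),
        "daily@thu 11:00": time_range_active(daily, working_hours),
        "daily@thu 18:00": time_range_active(daily, after_hours),
        "weekdays@sat 11:00": time_range_active(weekdays, saturday),
        "daily@sat 11:00": time_range_active(daily, saturday),
    }


if __name__ == "__main__":
    for label, active in lab_check().items():
        print(f"{label}: {'active' if active else 'inactive'}")
```

At 11:00 on the Thursday both forms are active and the `deny tcp ... eq tel` entry is consulted; at 18:00 both are inactive, the entries carrying `time-range nop` are skipped, and the telnet from sw3 and pc2 falls through to `per ip a a`, which is the behaviour the clock change above shows. Note also that list vty matches only packets addressed to 219.146.0.1, r1's s1/0 address; applying the standard list with `access-class` on the vty lines, as task (4) does, restricts the lines themselves regardless of which of r1's addresses a session targets.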
(4) r1 allows only the single host pc5 to telnet.
r1(config)#no ip acce ex vty // remove the list
r1(config)#in s1/0
r1(config-if)#no ip acce vty in // remove the applied list
r1(config-if)#in f0/0
r1(config-if)#no ip acce vty in
r1(config-if)#exi
r1(config)#access-list 10 permit host 192.168.1.3 // create a standard list
r1(config)#line vty 0 903
r1(config-line)#pass abc
r1(config-line)#login
r1(config-line)#access-class 10 in // the command that applies a list here differs from the interface form
r1(config-line)#exi
Test:
pc5#tel 219.146.0.1
Trying 219.146.0.1 ... Open
User Access Verification
Password:
r1>exi
[Connection to 219.146.0.1 closed by foreign host]
sw3#tel 219.146.0.1
Trying 219.146.0.1 ...
% Destination unreachable; gateway or host down
sw3#tel 219.146.0.1
Trying 219.146.0.1 ...
% Connection refused by remote host
pc2#telnet 219.146.0.1
Trying 219.146.0.1 ...
% Connection refused by remote host
(5) pc5 may communicate with the outside world only via ping.
r3(config)#ip acce ex noping // create a named list
r3(config-ext-nacl)#per icmp host 192.168.1.3 any // permit pc5's icmp traffic
r3(config-ext-nacl)#deny ip host 192.168.1.3 any // deny all other traffic from pc5
r3(config-ext-nacl)#per ip a a // permit all other traffic from anyone
r3(config-ext-nacl)#exi
r3(config)#in f0/0
r3(config-if)#ip acce noping in // apply the list in the inbound direction on the interface
r3(config-if)#exi
Test:
pc5#p 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 404/485/512 ms
pc5#telnet 192.168.0.3
Trying 192.168.0.3 ...
% Destination unreachable; gateway or host down
pc5#p 219.146.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 219.146.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 204/249/308 ms
pc5#telnet 219.146.0.2
Trying 219.146.0.2 ...
% Destination unreachable; gateway or host down