CCNA Training Course Summary Notes -- Standard Access Control List Lab (8)

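Lab objective:
Understand how access control lists (ACLs) work and become familiar with the basic steps for configuring a standard ACL.
Lab topology:
Lab content:
Router configuration
Configuration on R1
Paste in the basic router commands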
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#
Router(config)#
Router(config)#
Router(config)#
Router(config)#enable password cisco
Router(config)#no ip domain-lookup
Router(config)#line con 0
Router(config-line)# exec-timeout 0 0
Router(config-line)# logging synchronous
Router(config-line)#
Router(config-line)#line aux 0
Router(config-line)# exec-timeout 0 0
Router(config-line)# logging synchronous
Router(config-line)#line vty 0 4
Router(config-line)#
Router(config-line)#
Router(config-line)# exec-timeout 0 0
Router(config-line)# password cisco
Router(config-line)#
Router(config-line)# login
Router(config-line)#
Router(config-line)#
Router(config-line)#alias exec a sh ip int bri
Router(config)#alias exec b sh ip route
Router(config)#alias exec c sh ip route rip
Router(config)#alias exec d sh run
Router(config)#host R1
R1(config)#int loopback0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#ip address 192.168.10.2 255.255.255.0
R1(config-if)#no ip address 192.168.10.2 255.255.255.0
R1(config-if)#ip address 192.168.10.2 255.255.255.0 secondary
R1(config-if)#ip address 192.168.10.3 255.255.255.0 secondary
R1(config-if)#ip address 192.168.10.4 255.255.255.0 secondary
R1(config-if)#ip address 192.168.10.5 255.255.255.0 secondary
R1(config-if)#int s1/0
R1(config-if)#ip add 10.10.1.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#no shut
R1(config-if)#exit
Advertise the networks
R1(config)#router rip
R1(config-router)#net 10.0.0.0
R1(config-router)#net 192.168.10.0
Configuration on R2
Router(config)#host R2
R2(config)#int s1/1
R2(config-if)#ip add 10.10.1.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#router rip
R2(config-router)#net 10.0.0.0
R2(config-router)#net 192.168.10.0
Now, before configuring the access control list on R2, test route reachability
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.1
% Invalid source. Must use IP address or full interface name without spaces (e.g. Serial0/1)
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/96/96 ms
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/96/96 ms
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/91/96 ms
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/96/96 ms
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/100/120 ms
As can be seen, each of R1's interfaces reaches R2 without problems.
Next, configure the standard ACL on R2
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 10 permit 192.168.10.1
R2(config)#access-list 10 permit 192.168.10.3
R2(config)#access-list 10 permit 192.168.10.5
R2(config)#^Z
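Note the format of the standard ACL command: the 10 is the number of the standard ACL, and the number range for standard ACLs is 0-99.
Now view the ACL configuration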
R2#
*Mar  1 00:07:14.635: %SYS-5-CONFIG_I: Configured from console by console
R2#show ip access-lists
Standard IP access list 10
    20 permit 192.168.10.3
    10 permit 192.168.10.1
    30 permit 192.168.10.5
Finally, apply ACL 10 on the S1/1 interface of R2.
With the ACL configured, test the effect of ACL 10 from R1
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.1
% Invalid source. Must use IP address or full interface name without spaces (e.g. Serial0/1)
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
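I ran into a problem here: why can't 192.168.10.1 be used as the ping source address to ping the S1/1 interface of R2? If anyone understands this, please explain it to me.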
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.2
U.U.U
Success rate is 0 percent (0/5)
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.1
% Invalid source. Must use IP address or full interface name without spaces (e.g. Serial0/1)
Source address or interface: 192.168.10.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/96/120 ms
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.4
U.U.U
Success rate is 0 percent (0/5)
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/91/120 ms
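The results also prove that the standard ACL we created is working. The permitted addresses 192.168.10.1, 192.168.10.3 and 192.168.10.5 can all ping the S1/1 interface of R2, while the other, denied addresses cannot.
A standard ACL can only control traffic by source address. When we need to control traffic by destination or by data type, it can no longer be used, and an extended access control list is required.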
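Added example (not part of the original post): a small Python model of how a standard ACL such as ACL 10 is evaluated, with the first matching entry deciding and an implicit deny at the end. The function names are this example's own, and the source 10.10.1.1 is an assumption standing for a ping sent without an explicit source, which leaves from R1's S1/0 address.

```python
import ipaddress

# The three entries configured on R2 in this lab (copied from the page).
ACL_10 = """\
access-list 10 permit 192.168.10.1
access-list 10 permit 192.168.10.3
access-list 10 permit 192.168.10.5
"""

def parse_standard_acl(text):
    """Parse numbered standard ACL lines into (action, address, wildcard) tuples."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue  # skip remarks and anything that is not a permit/deny entry
        action, rest = tok[2], tok[3:]
        if rest[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            addr, wild = rest[1], "0.0.0.0"
        else:
            addr = rest[0]
            # A bare address with no wildcard mask matches that single host.
            wild = rest[1] if len(rest) > 1 and rest[1] != "log" else "0.0.0.0"
        entries.append((action,
                        int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild))))
    return entries

def evaluate(entries, source):
    """First matching entry decides; no match falls through to the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
        if (src & care) == (addr & care):
            return action
    return "deny"  # implicit "deny any" that ends every ACL

def lab_results():
    """Verdict for each loopback address, plus 10.10.1.1 (assumed default ping source)."""
    entries = parse_standard_acl(ACL_10)
    sources = [f"192.168.10.{i}" for i in range(1, 6)] + ["10.10.1.1"]
    return {s: evaluate(entries, s) for s in sources}

if __name__ == "__main__":
    for src, verdict in lab_results().items():
        print(f"{src:15} {verdict}")
```

The ACL has no entry for 10.10.1.1, so a ping that falls back to the exit-interface address is dropped by the implicit deny even though 192.168.10.1 itself is permitted.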

This article comes from the blog “孤帆遠影碧空盡”; please be sure to keep this source attribution: http://bennie.blog.51cto.com/192876/101793