CCNA Training Course Summary Notes: Standard Access Control List Lab (8)

Lab objective:
Understand how access control lists (ACLs) work and become familiar with the basic steps for configuring a standard ACL.
Lab topology diagram:
Lab content:
Configuration on the routers
Configuration on R1
Paste in the basic router commands
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#
Router(config)#
Router(config)#
Router(config)#
Router(config)#enable password cisco
Router(config)#no ip domain-lookup
Router(config)#line con 0
Router(config-line)# exec-timeout 0 0
Router(config-line)# logging synchronous
Router(config-line)#
Router(config-line)#line aux 0
Router(config-line)# exec-timeout 0 0
Router(config-line)# logging synchronous
Router(config-line)#line vty 0 4
Router(config-line)#
Router(config-line)#
Router(config-line)# exec-timeout 0 0
Router(config-line)# password cisco
Router(config-line)#
Router(config-line)# login
Router(config-line)#
Router(config-line)#
Router(config-line)#alias exec a sh ip int bri
Router(config)#alias exec b sh ip route
Router(config)#alias exec c sh ip route rip
Router(config)#alias exec d sh run
Router(config)#host R1
R1(config)#int loopback0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#ip address 192.168.10.2 255.255.255.0
R1(config-if)#no ip address 192.168.10.2 255.255.255.0
R1(config-if)#ip address 192.168.10.2 255.255.255.0 secondary
R1(config-if)#ip address 192.168.10.3 255.255.255.0 secondary
R1(config-if)#ip address 192.168.10.4 255.255.255.0 secondary
R1(config-if)#ip address 192.168.10.5 255.255.255.0 secondary
R1(config-if)#int s1/0
R1(config-if)#ip add 10.10.1.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#no shut
R1(config-if)#exit
Advertise the networks
R1(config)#router rip
R1(config-router)#net 10.0.0.0
R1(config-router)#net 192.168.10.0
Configuration on R2
Router(config)#host R2
R2(config)#int s1/1
R2(config-if)#ip add 10.10.1.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#router rip
R2(config-router)#net 10.0.0.0
R2(config-router)#net 192.168.10.0
OK, before the access control list is configured on R2, test route reachability.
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.1
% Invalid source. Must use IP address or full interface name without spaces (e.g. Serial0/1)
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/96/96 ms
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/96/96 ms
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/91/96 ms
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/96/96 ms
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/100/120 ms
As you can see, every interface on R1 reaches R2 without problems.
Now configure the standard ACL on R2.
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 10 permit 192.168.10.1
R2(config)#access-list 10 permit 192.168.10.3
R2(config)#access-list 10 permit 192.168.10.5
R2(config)#^Z
Note and remember the format of the standard ACL command: the 10 here is the standard ACL number, and standard ACL numbers range from 0-99.
Now let's look at the ACL configuration:
R2#
*Mar  1 00:07:14.635: %SYS-5-CONFIG_I: Configured from console by console
R2#show ip access-lists
Standard IP access list 10
    20 permit 192.168.10.3
    10 permit 192.168.10.1
    30 permit 192.168.10.5
Finally, apply ACL 10 on R2's S1/1 interface and you're done.
OK, with the access list configured, test the effect of ACL 10 from R1.
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.1
% Invalid source. Must use IP address or full interface name without spaces (e.g. Serial0/1)
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Here I ran into a problem: why can't 192.168.10.1 be used as the source address to ping R2's S1/1 interface? If anyone understands this, please explain it to me.
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.2
U.U.U
Success rate is 0 percent (0/5)
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.1
% Invalid source. Must use IP address or full interface name without spaces (e.g. Serial0/1)
Source address or interface: 192.168.10.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/96/120 ms
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.4
U.U.U
Success rate is 0 percent (0/5)
R1#ping
Protocol [ip]:
Target IP address: 10.10.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.5
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/91/120 ms
OK, the results also prove that the standard ACL we created is working: the permitted addresses 192.168.10.1, 192.168.10.3 and 192.168.10.5 can all ping R2's S1/1 interface, while the other, denied addresses cannot.
A standard ACL can only filter traffic by source address. When we need to control traffic by destination or by type of data, it is no longer enough, and an extended access control list is needed.
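As an added example (not code from the original notes), the following Python model reproduces the lab above: it replays R1's loopback0 commands with IOS address semantics, which shows why 192.168.10.1 is rejected as a ping source (an `ip address` command without `secondary` replaces the primary address, so .1 was overwritten by .2 and never re-added), then evaluates R2's ACL 10 in order with the implicit deny at the end. It assumes ACL 10 is applied inbound on R2's S1/1, and it goes beyond the lab's host entries by handling wildcard masks.

```python
import ipaddress
# Constructed from the lab transcript: R1's loopback0 commands in the order they were entered.
R1_LOOPBACK0_CMDS = [
    "ip address 192.168.10.1 255.255.255.0",
    "ip address 192.168.10.2 255.255.255.0",  # no 'secondary': this REPLACES the .1 primary
    "no ip address 192.168.10.2 255.255.255.0",
    "ip address 192.168.10.2 255.255.255.0 secondary",
    "ip address 192.168.10.3 255.255.255.0 secondary",
    "ip address 192.168.10.4 255.255.255.0 secondary",
    "ip address 192.168.10.5 255.255.255.0 secondary",
]
R1_S1_0_ADDR = "10.10.1.1"  # source IOS uses when the extended-ping source prompt is left blank

# R2's access-list 10 as (action, address, wildcard). A bare address is a host entry (wildcard 0.0.0.0).
ACL_10 = [
    ("permit", "192.168.10.1", "0.0.0.0"),
    ("permit", "192.168.10.3", "0.0.0.0"),
    ("permit", "192.168.10.5", "0.0.0.0"),
]

def interface_addresses(cmds):
    """Addresses left on an interface after the commands, with IOS primary/secondary semantics."""
    primary, secondaries = None, []
    for cmd in cmds:
        words = cmd.split()
        if words[0] == "no":
            if words[3] == primary:
                primary = None
            elif words[3] in secondaries:
                secondaries.remove(words[3])
        elif words[-1] == "secondary":
            secondaries.append(words[2])
        else:
            primary = words[2]  # overwrites any existing primary address
    return ([primary] if primary else []) + secondaries

def standard_acl_permits(acl, src):
    """Standard ACL lookup: entries tried in order, first match wins, implicit 'deny any' at the end."""
    s = int(ipaddress.IPv4Address(src))
    for action, addr, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # wildcard bit 1 = don't care
        if (s & care) == (int(ipaddress.IPv4Address(addr)) & care):
            return action == "permit"
    return False

def ping_outcome(source):
    """(effective source, permitted?) for 'R1#ping 10.10.1.2' with ACL 10 inbound on R2 S1/1 (assumed)."""
    if source not in interface_addresses(R1_LOOPBACK0_CMDS) + [R1_S1_0_ADDR]:
        source = R1_S1_0_ADDR  # IOS prints '% Invalid source'; the ping then leaves from s1/0 instead
    return source, standard_acl_permits(ACL_10, source)
```

Running `ping_outcome` for 192.168.10.1 through .5 gives denied, denied, permitted, denied, permitted, matching the transcript: the .1 ping is actually sent from 10.10.1.1, which ACL 10 does not permit.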
 
This article is from the "孤帆远影碧空尽" blog; please keep this source: [url]http://bennie.blog.51cto.com/192876/101793[/url]