CCNA Training Course Summary Notes: Extended Access Control List Lab (9)

Lab objective:
Understand how access control lists (ACLs) work and become familiar with the basic steps for configuring an extended ACL.
Lab topology (derived from the configuration below, since the diagram itself is not reproduced here):
R1 S1/0 10.10.1.1/24 <-> S1/1 R2 S1/0 192.168.100.1/24 <-> S1/1 R3 192.168.100.2/24, with R1's Loopback0 carrying 192.168.10.1 to 192.168.10.5 as stand-ins for five PCs.
Lab content:
Router configuration
Configuration on R1
Enter global configuration mode and paste in the baseline commands (console/aux/vty housekeeping, privileged-mode password, and a few exec aliases). Note that enable password stores the password in the running config in clear text (or in the reversible type 7 form if service password-encryption is on); outside a lab use enable secret, which stores a hash instead:
Router(config)#enable password cisco
Router(config)#no ip domain-lookup
Router(config)#line con 0
Router(config-line)# exec-timeout 0 0
Router(config-line)# logging synchronous
Router(config-line)#line aux 0
Router(config-line)# exec-timeout 0 0
Router(config-line)# logging synchronous
Router(config-line)#line vty 0 4
Router(config-line)# exec-timeout 0 0
Router(config-line)# password cisco
Router(config-line)# login
Router(config-line)#alias exec a sh ip int bri
Router(config)#alias exec b sh ip route
Router(config)#alias exec c sh ip route rip
Router(config)#alias exec d sh run
Set the router hostname and interface addresses
Router(config)#host R1
R1(config)#interface loopback0
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#ip add 192.168.10.2 255.255.255.0 secondary (several IP addresses are enabled on one interface here to stand in for several PCs; each IP address represents one PC)
R1(config-if)#ip add 192.168.10.3 255.255.255.0 secondary
R1(config-if)#ip add 192.168.10.4 255.255.255.0 secondary
R1(config-if)#ip add 192.168.10.5 255.255.255.0 secondary
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ip add 10.10.1.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#no shut
R1(config-if)#exit
Advertise the networks
R1(config)#router rip
R1(config-router)#network 10.0.0.0
R1(config-router)#network 192.168.10.0
Configuration on R2
Router(config)#host R2
R2(config)#int s1/1
R2(config-if)#ip add 10.10.1.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int s1/0
R2(config-if)#ip add 192.168.100.1 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shut
R2(config-if)#exit
Advertise the networks
R2(config)#router rip
R2(config-router)#network 10.0.0.0
R2(config-router)#network 192.168.100.0
Configuration on R3
Router(config)#host R3
R3(config)#int s1/1
R3(config-if)#ip add 192.168.100.2 255.255.255.0
R3(config-if)#no shut
Advertise the networks
R3(config)#router rip
R3(config-router)#network 192.168.100.0
Now test connectivity. From R3, ping each of R1's addresses (with no source specified, R3 sources the pings from its egress interface, 192.168.100.2):
R3#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/143/144 ms
R3#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/152/188 ms
R3#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/143/144 ms
R3#ping 192.168.10.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/157/216 ms
R3#ping 192.168.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/162/192 ms
All succeed: before the extended ACL is configured, everything is reachable.
Next, create ACL 120 on R2. The three deny lines match R3's address (192.168.100.2) as source and the first three loopback addresses as destination; the final permit ip any any is required because every ACL ends with an implicit deny:
R2(config)#access-list 120 deny ip host 192.168.100.2 host 192.168.10.1
R2(config)#access-list 120 deny ip host 192.168.100.2 host 192.168.10.2
R2(config)#access-list 120 deny ip host 192.168.100.2 host 192.168.10.3
R2(config)#access-list 120 permit ip any any
Check the ACL configuration
R2(config)#do show access-lists
Extended IP access list 120
    10 deny ip host 192.168.100.2 host 192.168.10.1
    20 deny ip host 192.168.100.2 host 192.168.10.2
    30 deny ip host 192.168.100.2 host 192.168.10.3
    40 permit ip any any
Once it looks correct, apply ACL 120 outbound on R2's S1/1 (the interface toward R1)
R2(config)#int s1/1
R2(config-if)#ip access-group 120 out
With that configured, test whether ACL 120 has taken effect.
Once again ping each of R1's addresses from R3:
R3#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#ping 192.168.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
As you can see, 192.168.10.1 through 192.168.10.3, which were reachable before, now fail and show U (ICMP destination unreachable). The reason is obvious: ACL 120 on R2 is in effect and drops the packets as they leave S1/1. The U replies come from R2 itself (an administratively prohibited unreachable); the alternating U.U.U pattern is normal, because IOS rate-limits ICMP unreachables to one every 500 ms by default, so the echoes that arrive in between are discarded silently and simply time out.
R3#ping 192.168.10.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/152/188 ms
R3#ping 192.168.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/143/144 ms
The addresses not blocked by ACL 120, 192.168.10.4 and 192.168.10.5, remain reachable.
Compared with the earlier standard access list lab, extended ACL 120 is far more capable. A standard ACL can only match on the source address; an extended ACL matches on source and destination address, and can also filter by protocol and port. For example, to block Telnet from host 192.168.100.1 to host 192.168.10.1 the entry would be:
access-list 120 deny tcp host 192.168.100.1 host 192.168.10.1 eq telnet
(the action comes before the protocol; note also that in this lab 192.168.100.1 is R2's own S1/0 address, and an outbound ACL never filters traffic the router itself generates, so to block Telnet from R3 the source would be 192.168.100.2). Two rules to keep in mind: entries are checked top to bottom and the first match wins, so the specific deny lines must come before permit ip any any; and because an extended ACL can identify the destination, the usual recommendation is to place it as close to the source as possible (here, inbound on R2's S1/0) so that denied packets are dropped before they are routed.
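The evaluation rules behind these results (top-down order, first match wins, the implicit deny at the end, host/wildcard matching, and protocol plus eq port checks) can be reproduced offline. The following script is an added example written for this page; it is not part of the original lab and is not Cisco code. It parses ACL 120 exactly as entered in the R2 configuration above, plus the corrected Telnet entry from the previous paragraph, and evaluates constructed packets against the list. The syntax subset it understands (numbered extended lists with any, host A.B.C.D or A.B.C.D WILDCARD addresses and an optional destination eq port) and the constructed packets are assumptions chosen to cover this lab.

```python
"""Added example (not from the original lab, not Cisco code): a small simulator
of how IOS evaluates a numbered extended ACL.  Entries are tested top-down, the
first match wins, and a packet matching nothing hits the implicit 'deny ip any
any'.  Only the syntax used on this page is parsed (assumption for the example):
'access-list N {permit|deny} PROTO SRC DST [eq PORT]' with SRC/DST written as
'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port keywords IOS accepts after 'eq'; only the few needed here are listed.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "ftp": 21, "domain": 53}

@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: Tuple[int, int]     # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int]     # destination port after 'eq', or None

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def _parse_addr(tokens):
    """Consume one address spec from the token list; return (address, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)                                   # every bit ignored
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)    # all 32 bits must match
    return (int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_acl(config_text):
    """Turn pasted 'access-list ...' lines into Entry objects, in the order typed."""
    entries = []
    for line in config_text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue                        # skip blank lines and anything else
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries

def _addr_matches(spec, addr):
    """Wildcard-mask compare: a 1 bit in the wildcard means that bit is ignored."""
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == net & care

def evaluate(entries, pkt):
    """Return (action, sequence number) of the first matching entry, IOS style.
    Sequence numbers 10, 20, 30 ... are what 'show access-lists' assigns by
    default; a sequence of None means the packet fell to the implicit deny."""
    for seq, e in enumerate(entries, start=1):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_matches(e.src, pkt.src) and _addr_matches(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, seq * 10
    return "deny", None

# Constructed input: the lab's ACL 120 plus the corrected Telnet entry from the text.
ACL_120 = """
access-list 120 deny ip host 192.168.100.2 host 192.168.10.1
access-list 120 deny ip host 192.168.100.2 host 192.168.10.2
access-list 120 deny ip host 192.168.100.2 host 192.168.10.3
access-list 120 deny tcp host 192.168.100.1 host 192.168.10.1 eq telnet
access-list 120 permit ip any any
"""

# Constructed counter-example: the permit typed before the deny.
ACL_PERMIT_FIRST = """
access-list 121 permit ip any any
access-list 121 deny ip host 192.168.100.2 host 192.168.10.1
"""

def lab_results():
    """Replay the lab's pings (sourced from R3's 192.168.100.2) and the Telnet case."""
    acl = parse_acl(ACL_120)
    no_final_permit = parse_acl(ACL_120.replace("access-list 120 permit ip any any", ""))
    return {
        "ping_10.1": evaluate(acl, Packet("icmp", "192.168.100.2", "192.168.10.1")),
        "ping_10.4": evaluate(acl, Packet("icmp", "192.168.100.2", "192.168.10.4")),
        "telnet_10.1": evaluate(acl, Packet("tcp", "192.168.100.1", "192.168.10.1", 23)),
        "http_10.1": evaluate(acl, Packet("tcp", "192.168.100.1", "192.168.10.1", 80)),
        # Without the final permit, even the "allowed" ping to .4 is dropped.
        "ping_10.4_no_permit": evaluate(no_final_permit, Packet("icmp", "192.168.100.2", "192.168.10.4")),
        # With the permit first, the deny line is never reached: order matters.
        "permit_first": evaluate(parse_acl(ACL_PERMIT_FIRST), Packet("icmp", "192.168.100.2", "192.168.10.1")),
    }

if __name__ == "__main__":
    for name, (action, seq) in lab_results().items():
        print(f"{name:20s} -> {action:6s} ({'line %d' % seq if seq else 'implicit deny'})")
```

Running it prints one line per case: the pings to .1, .2 and .3 hit the deny lines 10 to 30, the ping to .4 and the HTTP connection fall through to permit line 50, the Telnet connection is stopped by line 40, the list without its final permit drops the ping to .4 on the implicit deny, and the list with permit ip any any first permits everything at line 10 because the deny below it is never consulted.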
This article comes from the blog "孤帆遠影碧空盡"; please keep this attribution: http://bennie.blog.51cto.com/192876/101974