Resource description
Extended IP access control list configuration
Technical principle:
The typical rules defined in an access list mainly cover the following: source address, destination address, upper-layer protocol, and time range.
Extended IP access lists (numbered 100-199 and 2000-2699) use four or more combinations of criteria to forward or block packets: rules can be defined on a packet's source IP address, destination IP address, source port, destination port, and protocol, and packets are filtered accordingly.
Configuring an extended IP access list consists of 2 steps:
Define the extended IP access list.
Apply the extended IP access list to a specific interface.
Experiment steps:
Create the topology (open the teacher's experiment topology):
1: The branch office's egress router and the external router are connected through a V.35 cable on serial interfaces; the DCE end is connected to R2, configured with a clock rate of 64000. Hosts are connected to routers with crossover cables.
2: Configure the IP addresses of the PC, the server, and the router interfaces.
3: Configure static routes on each router so that the PCs can ping each other, because access control lists only become relevant once connectivity is in place.
4: Configure a numbered extended IP access control list on R2.
5: Apply the extended IP access list to an interface.
6: Verify connectivity between the hosts.
PC0:
IP address: 172.16.1.2
Subnet mask: 255.255.255.0
Default gateway: 172.16.1.2
Server0:
IP address: 172.16.4.2
Subnet mask: 255.255.255.0
Default gateway: 172.16.4.1
Configuration on Router0
Router>enable
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R0
R0(config)#interface fa0/0
R0(config-if)#ip address 172.16.1.1 255.255.255.0
R0(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R0(config-if)#exit
R0(config)#interface fa1/0
R0(config-if)#ip address 172.16.2.1 255.255.255.0
R0(config-if)#no shutdown
R0(config-if)#
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
R0(config-if)#exit
R0(config)#
Configuration on router R1
Router>enable
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fa1/0
R1(config-if)#ip 172.16.2.2 255.255.255.0
^
% Invalid input detected at '^' marker.
R1(config-if)#ip address 172.16.2.2 255.255.255.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R1(config-if)#exit
R1(config)#interface s2/0
R1(config-if)#ip address 172.16.3.1 255.255.255.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
R1(config-if)#clock rate 64000
R1(config-if)#
On Router2:
Router>enable
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface s2/0
R2(config-if)#ip address 172.16.3.2 255.255.255.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R2(config)#interface fa0/0
R2(config-if)#ip address 172.16.4.1 255.255.255.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#
Step two: configure static routes to achieve full-network communication.
On Router0
R0>
R0>enable
R0#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
R0(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
R0(config)#
On Router2
R2>enable
R2#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip route 0.0.0.0 0.0.0.0 172.16.3.1
R2(config)#
Configure 2 static routes on Router1
R1>
R1>enable
R1#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip route 172.16.1.0 255.255.255.0
% Incomplete command.
R1(config)#ip route 172.16.1.0 255.255.255.0 172.16.2.1
R1(config)#ip route 172.16.4.0 255.255.255.0 172.16.3.2
R1(config)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 4 subnets
S 172.16.1.0 [1/0] via 172.16.2.1
C 172.16.2.0 is directly connected, FastEthernet1/0
C 172.16.3.0 is directly connected, Serial2/0
S 172.16.4.0 [1/0] via 172.16.3.2
R1#
The configuration is complete; now test from PC0.
PC>ping 172.16.4.2
Pinging 172.16.4.2 with 32 bytes of data:
Reply from 172.16.4.2: bytes=32 time=125ms TTL=125
Reply from 172.16.4.2: bytes=32 time=112ms TTL=125
Reply from 172.16.4.2: bytes=32 time=110ms TTL=125
Reply from 172.16.4.2: bytes=32 time=113ms TTL=125
Ping statistics for 172.16.4.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 110ms, Maximum = 125ms, Average = 115ms
PC>
The ping succeeds.
Then, in the web browser on PC0, enter the IP address of the remote server in the URL bar.
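To show why the ping above succeeds once the static routes are in place, here is an added Python model of the three routing tables (not part of the original lab). It builds each router's table from the interface addresses and static routes configured on the page, performs longest-prefix lookup, and follows a packet hop by hop. PC0's gateway is assumed to be R0's fa0/0 address 172.16.1.1, and the initial TTL is assumed to be 128; three routers each decrement it once, which matches the TTL=125 shown in the ping output.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed model of the lab's three routers: interface addresses as configured
# on the page, plus the static routes added in step two. Connected networks are
# derived from the interface addresses, exactly as a router installs them.
ROUTERS: Dict[str, dict] = {
    "R0": {"interfaces": {"fa0/0": "172.16.1.1/24", "fa1/0": "172.16.2.1/24"},
           "static": [("0.0.0.0/0", "172.16.2.2")]},
    "R1": {"interfaces": {"fa1/0": "172.16.2.2/24", "s2/0": "172.16.3.1/24"},
           "static": [("172.16.1.0/24", "172.16.2.1"),
                      ("172.16.4.0/24", "172.16.3.2")]},
    "R2": {"interfaces": {"s2/0": "172.16.3.2/24", "fa0/0": "172.16.4.1/24"},
           "static": [("0.0.0.0/0", "172.16.3.1")]},
}

# (prefix, next hop or None for a connected route, exit interface)
Route = Tuple[ipaddress.IPv4Network, Optional[str], str]


def routing_table(router: str) -> List[Route]:
    """Build the table 'show ip route' displays: C entries first, then S entries."""
    table: List[Route] = []
    for ifname, addr in ROUTERS[router]["interfaces"].items():
        table.append((ipaddress.ip_interface(addr).network, None, ifname))
    for prefix, nh in ROUTERS[router]["static"]:
        # A static route's exit interface is the one whose subnet contains the next hop
        nh_ip = ipaddress.ip_address(nh)
        ifname = next(i for i, a in ROUTERS[router]["interfaces"].items()
                      if nh_ip in ipaddress.ip_interface(a).network)
        table.append((ipaddress.ip_network(prefix), nh, ifname))
    return table


def lookup(router: str, dst: str) -> Optional[Route]:
    """Longest-prefix match; 0.0.0.0/0 only wins when nothing more specific matches."""
    d = ipaddress.ip_address(dst)
    candidates = [r for r in routing_table(router) if d in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


def owner_of(ip: str) -> Optional[str]:
    """Which router holds this interface address (used to follow a next hop)."""
    for name, r in ROUTERS.items():
        if any(str(ipaddress.ip_interface(a).ip) == ip for a in r["interfaces"].values()):
            return name
    return None


def trace(first_hop: str, dst: str, ttl: int = 128) -> Tuple[List[Tuple[str, str]], Optional[int]]:
    """Follow a packet router by router from the host's gateway to dst.
    Returns (hops as (router, exit interface), TTL on delivery), or (hops so far, None)
    when a router has no route or the TTL expires."""
    hops: List[Tuple[str, str]] = []
    router = owner_of(first_hop)
    while router is not None:
        ttl -= 1                      # every router decrements TTL before forwarding
        if ttl == 0:
            return hops, None
        route = lookup(router, dst)
        if route is None:
            return hops, None         # no route: the router drops the packet
        _prefix, nh, ifname = route
        hops.append((router, ifname))
        if nh is None:
            return hops, ttl          # destination is on a connected network: delivered
        router = owner_of(nh)
    return hops, None


if __name__ == "__main__":
    # PC0 (assumed gateway 172.16.1.1) to Server0: three hops, TTL 128 -> 125
    print(trace("172.16.1.1", "172.16.4.2"))
    # A destination no router has a route for is dropped at R1, which has no default route
    print(trace("172.16.2.2", "10.0.0.1"))
```

The second call illustrates why step three matters for the ACL experiment: R1 carries only the two specific static routes, so anything outside 172.16.0.0/16 is dropped there before any access list is consulted.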
Welcome to Cisco Packet Tracer, the best thing since..... Packet Tracer 4.x. Quick Links:
A small page
Copyrights
Image page
Image
The remote web server can be accessed.
Next, configure the extended (advanced) access control list on Router1.
R1>enable
R1#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
R1(config)#access-list 100
% Incomplete command.
R1(config)#access-list 100 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
R1(config)#access-list 100 permit ?
eigrp Cisco's EIGRP routing protocol
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
R1(config)#access-list 100 permit tcp host 172.16.1.2
% Incomplete command.
R1(config)#access-list 100 permit tcp host 172.16.1.2 172.16.4.2
% Incomplete command.
R1(config)#access-list 100 permit tcp host 172.16.1.2 host ?
A.B.C.D Destination address
R1(config)#access-list 100 permit tcp host 172.16.1.2 host 172.16.4.2
R1(config)#access-list 100 permit tcp host 172.16.1.2 host 172.16.4.2 ?
dscp Match packets with given dscp value
eq Match only packets on a given port number
established established
gt Match only packets with a greater port number
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
<cr>
R1(config)#access-list 100 permit tcp host 172.16.1.2 host 172.16.4.2 eq ?
<0-65535> Port number
ftp File Transfer Protocol (21)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
telnet Telnet (23)
www World Wide Web (HTTP, 80)
R1(config)#access-list 100 permit tcp host 172.16.1.2 host 172.16.4.2 eq www
R1(config)#access-list 100 deny ?
eigrp Cisco's EIGRP routing protocol
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
R1(config)#access-list 100 deny icmp ?
A.B.C.D Source address
any Any source host
host A single source host
R1(config)#access-list 100 deny icmp host 172.16.1.2 host 172.16.4.2
R1(config)#interface s 2/0
R1(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
WORD Access-list name
R1(config-if)#ip access-group 100 out
R1(config-if)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#
Finally, test from PC0.
PC>ping 172.16.4.2
Pinging 172.16.4.2 with 32 bytes of data:
Reply from 172.16.2.2: Destination host unreachable.
Reply from 172.16.2.2: Destination host unreachable.
Reply from 172.16.2.2: Destination host unreachable.
Reply from 172.16.2.2: Destination host unreachable.
Ping statistics for 172.16.4.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>
The ping no longer succeeds.
This concludes the experiment.
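The following Python model is an added example (not part of the original lab) covering both the principle stated at the top of the page and the R1 configuration just shown. It parses the two access-list 100 lines exactly as typed on R1, evaluates packets top-down with first-match semantics and the implicit deny at the end, and applies the list only where it is bound: outbound on s2/0. Only host, any and wildcard addresses and the `eq` port operator are modelled; `gt`, `lt`, `range` and `established` are not. The packets are constructed test input.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords as IOS expands them (the 'eq ?' help output on the page lists these)
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}


@dataclass
class Ace:
    """One access-control entry. Only host/any/wildcard addresses and 'eq <port>' are modelled."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None means any destination port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tok[i + 1]))
    mask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)   # wildcard bits are the inverse of a mask
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2


def parse_ace(line: str) -> Tuple[int, Ace]:
    """Parse one 'access-list <100-199> permit|deny <proto> <src> <dst> [eq <port>]' line."""
    tok = line.split()
    if tok[0] != "access-list" or not 100 <= int(tok[1]) <= 199:
        raise ValueError("only numbered extended ACLs 100-199 are handled: " + line)
    src, i = parse_addr(tok, 4)
    dst, i = parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1])
        if dport is None:
            dport = int(tok[i + 1])
    return int(tok[1]), Ace(tok[2], tok[3], src, dst, dport)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down first match; returns (action, index of the matching entry).
    No match hits the implicit 'deny ip any any' at the end, reported with index None."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, idx
    return "deny", None


# The two entries typed on R1 on the page, fed in as constructed input
ACL_100 = [parse_ace(line)[1] for line in (
    "access-list 100 permit tcp host 172.16.1.2 host 172.16.4.2 eq www",
    "access-list 100 deny icmp host 172.16.1.2 host 172.16.4.2",
)]
BINDING = ("s2/0", "out")   # ip access-group 100 out on R1's s2/0


def r1_decision(pkt: Packet, egress: str) -> Tuple[str, Optional[int]]:
    """What R1 does with a packet leaving on 'egress': the list is consulted only on the
    bound interface in the bound direction; elsewhere the packet is forwarded untouched."""
    if (egress, "out") != BINDING:
        return "permit", None
    return evaluate(ACL_100, pkt)


if __name__ == "__main__":
    print(r1_decision(Packet("tcp", "172.16.1.2", "172.16.4.2", 80), "s2/0"))   # permitted by entry 0
    print(r1_decision(Packet("icmp", "172.16.1.2", "172.16.4.2"), "s2/0"))      # denied by entry 1
    print(r1_decision(Packet("tcp", "172.16.1.2", "172.16.4.2", 23), "s2/0"))   # implicit deny
```

Two points the model makes visible: the explicit `deny icmp` entry is not what blocks the ping on its own, since anything that misses the single permit entry falls to the implicit deny anyway (the explicit entry mainly records intent and gives its own hit counter), and the list only sees traffic leaving s2/0, so the server's HTTP replies returning through R1 towards fa1/0 are never evaluated against it.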