Access Control Lists (ACL)

ACL

Lab topology and network plan: see the figure above.

Lab tasks and objectives:

Task 1. Apply a standard access control list on ROUTER1 that restricts only PC1 from reaching VS1.

Task 2. Apply a standard access control list on ROUTER2 that blocks the network 192.168.3.0/24 from reaching VS2.

Task 3. Apply an extended access control list on ROUTER2 that denies Remote Desktop from VS1 to VS2 but permits all other traffic.

Task 4. Repeat the above experiments using named access control lists.

Task 5. After completing task 3 with a named access control list, modify the list so that ROUTER2 also denies TELNET from VS1 to VS2 while still permitting all other traffic.

Lab procedure and configuration notes:


Step 1: configure IP addresses

r1(config)#int f0/0

r1(config-if)#no sw

r1(config-if)#ip add 192.168.4.1 255.255.255.0

r1(config-if)#no shut

r1(config-if)#int f0/1

r1(config-if)#no sw

r1(config-if)#ip add 192.168.1.1 255.255.255.0

r1(config-if)#no shut

r1(config-if)#end

 

r2(config)#int f0/0

r2(config-if)#no sw

r2(config-if)#ip add 192.168.4.2 255.255.255.0

r2(config-if)#no shut

r2(config-if)#int f0/1

r2(config-if)#no sw

r2(config-if)#ip add 192.168.2.1 255.255.255.0

r2(config-if)#no shut

r2(config-if)#end

 

r3(config)#int f0/0

r3(config-if)#no sw

r3(config-if)#ip add 192.168.4.3 255.255.255.0

r3(config-if)#no shut

r3(config-if)#int f0/1

r3(config-if)#no sw

r3(config-if)#ip add 192.168.3.1 255.255.255.0

r3(config-if)#no shut

r3(config-if)#end

 

Step 2: enable RIP so that every subnet can reach the others.

r1(config)#router rip

r1(config-router)#ver 2

r1(config-router)#no au

r1(config-router)#network 192.168.4.0

r1(config-router)#network 192.168.1.0

r1(config-router)#end

 

r2(config)#router rip

r2(config-router)#ver 2

r2(config-router)#no au

r2(config-router)#network 192.168.4.0

r2(config-router)#network 192.168.2.0

r2(config-router)#end

 

r3(config)#router rip

r3(config-router)#ver 2

r3(config-router)#no au

r3(config-router)#network 192.168.4.0

r3(config-router)#network 192.168.3.0

r3(config-router)#end

 

r1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.4.0/24 is directly connected, FastEthernet0/0

C 192.168.1.0/24 is directly connected, FastEthernet0/1

R 192.168.2.0/24 [120/1] via 192.168.4.2, 00:00:21, FastEthernet0/0

R 192.168.3.0/24 [120/1] via 192.168.4.3, 00:00:12, FastEthernet0/0

 

r2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.4.0/24 is directly connected, FastEthernet0/0

R 192.168.1.0/24 [120/1] via 192.168.4.1, 00:00:24, FastEthernet0/0

C 192.168.2.0/24 is directly connected, FastEthernet0/1

R 192.168.3.0/24 [120/1] via 192.168.4.3, 00:00:01, FastEthernet0/0

 

r3#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.4.0/24 is directly connected, FastEthernet0/0

R 192.168.1.0/24 [120/1] via 192.168.4.1, 00:00:19, FastEthernet0/0

R 192.168.2.0/24 [120/1] via 192.168.4.2, 00:00:07, FastEthernet0/0

C 192.168.3.0/24 is directly connected, FastEthernet0/1

 

Task 1. Apply a standard access control list on ROUTER1 that restricts only PC1 from reaching VS1.

r1(config)#access-list 1 deny host 192.168.3.2

r1(config)#access-list 1 permit any

r1(config)#int f0/0

r1(config-if)#ip access-group 1 in

r1(config-if)#end


r3#ping 192.168.1.2 source 192.168.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

Packet sent with a source address of 192.168.3.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/50/96 ms

Only the host with IP address 192.168.3.2 is blocked; every other source address can still reach VS1.

 

Task 2. Apply a standard access control list on ROUTER2 that blocks the network 192.168.3.0/24 from reaching VS2.

r2(config)#access-list 1 deny 192.168.3.0 0.0.0.255

r2(config)#access-list 1 permit any

r2(config)#int f0/0

r2(config-if)#ip access-group 1 in

r2(config-if)#end

 

r3#ping 192.168.2.2 source 192.168.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

Packet sent with a source address of 192.168.3.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/44/64 ms

r3#ping 192.168.2.2 source 192.168.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:

Packet sent with a source address of 192.168.3.1

U.U.U

Success rate is 0 percent (0/5)


 

Task 3. Apply an extended access control list on ROUTER2 that denies Remote Desktop from VS1 to VS2 but permits all other traffic.

r2(config)#no access-list 1

r2(config)#access-list 101 deny tcp host 192.168.1.2 host 192.168.2.2 eq 3389

r2(config)#access-list 101 permit ip any any

r2(config)#int f0/0

r2(config-if)#ip access-group 101 in

r2(config-if)#end


 

Task 4. Repeat the above experiments using named access control lists.

r2(config)#ip access-list extended 101

r2(config-ext-nacl)#15 deny icmp host 192.168.1.2 host 192.168.2.2

r2(config-ext-nacl)#end

r2#show access-lists

Extended IP access list 101

10 deny tcp host 192.168.1.2 host 192.168.2.2 eq 3389 (9 matches)

15 deny icmp host 192.168.1.2 host 192.168.2.2

20 permit ip any any (544 matches)


 

Task 5. After completing task 3 with a named access control list, modify the list so that ROUTER2 also denies TELNET from VS1 to VS2 while still permitting all other traffic.

r2(config)#ip access-list extended 101

r2(config-ext-nacl)#16 deny tcp host 192.168.1.2 host 192.168.2.2 eq 23

r2(config-ext-nacl)#end

r2#show access-lists 101

Extended IP access list 101

10 deny tcp host 192.168.1.2 host 192.168.2.2 eq 3389 (9 matches)

15 deny icmp host 192.168.1.2 host 192.168.2.2 (36 matches)

16 deny tcp host 192.168.1.2 host 192.168.2.2 eq telnet (9 matches)

20 permit ip any any (1580 matches)


r2(config)#ip access-list extended 101

r2(config-ext-nacl)#no 15 deny icmp host 192.168.1.2 host 192.168.2.2

r2(config-ext-nacl)#end

r2#show access-lists

Extended IP access list 101

10 deny tcp host 192.168.1.2 host 192.168.2.2 eq 3389 (9 matches)

16 deny tcp host 192.168.1.2 host 192.168.2.2 eq telnet (23 matches)

20 permit ip any any (1768 matches)
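The behaviour behind tasks 2, 3 and 5 (wildcard masks, first-match evaluation in sequence-number order, and the implicit deny at the end of every list) can be modelled in a few lines. This is an added example, not configuration from the lab above; the Entry, matches and evaluate names are chosen here, and the two lists are constructed to mirror ACL 1 from task 2 and the final state of ACL 101 from task 5.

```python
# Added example, not part of the original lab: a small model of how IOS evaluates
# the standard ACL 1 (task 2) and the extended ACL 101 (tasks 3-5) shown above.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Entry:
    seq: int
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches everything; else "tcp"/"udp"/"icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # "eq <port>" on the destination, if given

def matches(e: Entry, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if e.proto != "ip" and e.proto != proto:
        return False
    if not (wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc)):
        return False
    return e.dport is None or e.dport == dport

def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First entry that matches wins; no match means implicit deny (seq None)."""
    for e in sorted(acl, key=lambda x: x.seq):
        if matches(e, proto, src, dst, dport):
            return e.action, e.seq
    return "deny", None
HOST = "0.0.0.0"                      # wildcard used by the "host" keyword
ANY = ("0.0.0.0", "255.255.255.255")  # address/wildcard pair for "any"
# Constructed to mirror the page's final "show access-lists 101" output.
ACL_101 = [Entry(10, "deny", "tcp", "192.168.1.2", HOST, "192.168.2.2", HOST, 3389),
           Entry(16, "deny", "tcp", "192.168.1.2", HOST, "192.168.2.2", HOST, 23),
           Entry(20, "permit", "ip", *ANY, *ANY)]
# Standard ACL 1 from task 2 only inspects the source, so the destination is "any".
ACL_1 = [Entry(10, "deny", "ip", "192.168.3.0", "0.0.0.255", *ANY),
         Entry(20, "permit", "ip", *ANY, *ANY)]

if __name__ == "__main__":
    print(evaluate(ACL_101, "tcp", "192.168.1.2", "192.168.2.2", 3389))  # ('deny', 10)
    print(evaluate(ACL_1, "icmp", "192.168.3.1", "192.168.2.2"))         # ('deny', 10)
```

Note that an empty list returns ('deny', None): applying an ACL with no permit entry blocks everything on that interface, which is why each list above ends with a permit.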
