ACL extended experiment:

[figure omitted]

Considering the actual network situation:

[figure omitted]

Configuration:

The computer IP addresses are as shown above.

Router 1 is configured as follows:

Router>enable
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0
R1(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#int fa0/1
R1(config-if)#ip add 192.168.2.1 255.255.255.0
R1(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#int s0/1/1/0
^
% Invalid input detected at '^' marker.
R1(config-if)#int s0/1/0
R1(config-if)#ip add 192.168.3.1 255.255.255.0
R1(config-if)#clock rate 56000
R1(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/1/0, changed state to down
R1(config-if)#exit
R1(config)#router rip
R1(config-router)#network 192.168.1.0
R1(config-router)#network 192.168.2.0
R1(config-router)#network 192.168.3.0
R1(config-router)#end
%SYS-5-CONFIG_I: Configured from console by console
R1#

Router 2 is configured as follows:

Router>enable
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#int fa0/0
R2(config-if)#ip add 192.168.4.1 255.255.255.0
R2(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#int s0/1/1
R2(config-if)#ip add 192.168.3.2 255.255.255.0
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/1/1, changed state to up
R2(config-if)#int s0/1/
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1, changed state to up0
R2(config-if)#int s0/1/0
R2(config-if)#ip add 192.168.5.1 255.255.255.0
R2(config-if)#clock rate 56000
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/1/0, changed state to down
R2(config-if)#exit
R2(config)#router rip
R2(config-router)#network 192.168.3.0
R2(config-router)#network 192.168.4.0
R2(config-router)#network 192.168.5.0
R2(config-router)#end
%SYS-5-CONFIG_I: Configured from console by console
R2#

On R3:

Router>enable
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R3
R3(config)#int s0/1/1
R3(config-if)#ip add 192.168.5.2 255.255.255.0
R3(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/1/1, changed state to up
R3(config-if)#int fa
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/1, changed state to up0/
^
% Invalid input detected at '^' marker.
R3(config-if)#int fa0/0
R3(config-if)#ip add 192.168.6.1 255.255.255.0
R3(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#int fa0/1
R3(config-if)#ip add 192.168.7.1 255.255.255.0
R3(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#
R3(config-if)#exit
R3(config)#router rip
R3(config-router)#network 192.168.5.0
R3(config-router)#network 192.168.6.0
R3(config-router)#network 192.168.7.0
R3(config-router)#end
%SYS-5-CONFIG_I: Configured from console by console
R3#

Start testing:

[figures omitted]

Test on the *** computer:

[figures omitted]

The internetwork is now basically set up.

The 504 network center finds that there are frequent network *** coming from 192.168.1.2; the *** target is the 504 servers.

Configure an ACL on the 504 institute's access router:

R3>enable
R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#access-list 1 deny 192.168.1.2 0.0.0.0
R3(config)#access-list 1 permit any
R3(config)#
R3(config)#access-list 1 permit any
R3(config)#int s0/1/1
R3(config-if)#ip access-group 1 in
R3(config-if)#

The effect is to block *** while allowing other users to access the 504 server.

*** discovers that it can no longer reach the 504 server:

PC>ping 192.168.6.2
Pinging 192.168.6.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.6.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

This shows there is a network problem; after testing, it finds that its own address has been blocked.

*** changes its IP to 192.168.1.6 and continues to access the 504 server. (***)

After a period of monitoring, the 504 network center finds that this subnet frequently *** the 504 server, which is probably deliberate *** behaviour. The 504 network center decides to block the whole subnet.

1. Disconnect the network

2. Remove the original ACL

3. Reload the ACL

If the network has high real-time requirements and cannot be taken down, write the configuration and load the ACL directly, that is, apply it as a script:

R3(config-if)#exit
R3(config)#
R3(config)#access-list 68 deny 192.168.1.0 0.0.0.255
R3(config)#
R3(config)#access-list 68 permit any
R3(config)#
R3(config)#int s0/1/1
R3(config-if)#
R3(config-if)#ip access-group 68 in
R3(config-if)#
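As an added example (not part of the original lab write-up and not Cisco code), the following Python models how IOS evaluates the two standard ACLs shown above: wildcard-mask matching (0 bits must match, 1 bits are ignored), first-match evaluation, and the implicit "deny any" at the end of every list. It also models the difference between the "disconnect, remove the old ACL, reload" procedure and the swap the page actually performs: in IOS an interface whose `ip access-group` refers to an ACL that does not exist or has no entries permits all traffic, so removing ACL 1 before ACL 68 exists would briefly let the blocked host through, whereas building ACL 68 first and then applying `ip access-group 68 in` replaces ACL 1 on the interface with no gap. The ACL lines are copied from the page; the function names and the sample source addresses are this example's own.

```python
"""Standard ACL evaluation with Cisco-style wildcard masks (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry of a numbered standard ACL."""
    action: str    # "permit" or "deny"
    address: str   # dotted-quad address
    wildcard: str  # wildcard mask: a 0 bit must match, a 1 bit is ignored


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(lines: List[str]) -> Dict[int, List[Ace]]:
    """Parse 'access-list N permit|deny ...' lines into per-number entry lists.

    Accepts the three source forms IOS takes for a standard ACL:
    'any', 'host A.B.C.D', and 'A.B.C.D W.W.W.W' (wildcard defaults to 0.0.0.0).
    A leading console prompt such as 'R3(config)#' is stripped.
    """
    acls: Dict[int, List[Ace]] = {}
    for raw in lines:
        parts = raw.split("#", 1)[-1].split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # blank lines, bare prompts, unrelated commands
        number, action = int(parts[1]), parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {raw}")
        if parts[3] == "any":
            ace = Ace(action, "0.0.0.0", "255.255.255.255")
        elif parts[3] == "host":
            ace = Ace(action, parts[4], "0.0.0.0")
        else:
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
            ace = Ace(action, parts[3], wildcard)
        acls.setdefault(number, []).append(ace)
    return acls


def ace_matches(ace: Ace, src: str) -> bool:
    """True if src agrees with the entry's address on every 0 bit of the wildcard."""
    care = ~_to_int(ace.wildcard) & 0xFFFFFFFF
    return (_to_int(ace.address) & care) == (_to_int(src) & care)


def evaluate(acl: Optional[List[Ace]], src: str) -> str:
    """First-match evaluation of a standard ACL against a source address.

    An access-group that refers to a nonexistent or empty ACL permits everything
    (IOS behaviour); an ACL that exists but matches nothing ends with the
    implicit 'deny any'.
    """
    if not acl:
        return "permit"
    for ace in acl:
        if ace_matches(ace, src):
            return ace.action
    return "deny"


def decisions_during_replacement(old_acl: List[Ace], new_acl: List[Ace],
                                 src: str) -> Tuple[str, str, str]:
    """Decision for src at each step of 'remove the old ACL, then add the new one'
    on a live interface: old list bound, list removed, new list bound."""
    return (evaluate(old_acl, src), evaluate(None, src), evaluate(new_acl, src))


# ACL lines copied from the lab write-up (prompts included on purpose).
PAGE_ACL_LINES = [
    "R3(config)#access-list 1 deny 192.168.1.2 0.0.0.0",
    "R3(config)#access-list 1 permit any",
    "R3(config)#access-list 68 deny 192.168.1.0 0.0.0.255",
    "R3(config)#access-list 68 permit any",
]
ACLS = parse_standard_acl(PAGE_ACL_LINES)

if __name__ == "__main__":
    # Sample source addresses: the blocked host, its new address, and a host on R2's LAN.
    for number in (1, 68):
        for src in ("192.168.1.2", "192.168.1.6", "192.168.4.2"):
            print(f"ACL {number}: {src} -> {evaluate(ACLS[number], src)}")
    # Middle element shows the window opened by removing the old list first.
    print(decisions_during_replacement(ACLS[1], ACLS[68], "192.168.1.2"))
```

Running the block shows ACL 1 denying only 192.168.1.2 (so the move to 192.168.1.6 gets through, as the write-up describes), ACL 68 denying the whole 192.168.1.0/24 range, and the three-step replacement permitting 192.168.1.2 during the step where no list is bound.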

*** suddenly finds that the whole subnet can no longer access the 504 server.

The 504 network center's basic ACL protection is complete.