CCNA培训课总结笔记--标准访问控制列表实验(八)

实验目的:

理解访问控制列表ACL的工作原理,熟悉配置标准ACL的基本步骤.

实验拓扑图:

实验内容:

路由器上的配置

R1 上的配置

粘贴上路由器基本命令

Router#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#

Router(config)#

Router(config)#

Router(config)#

Router(config)#enable password cisco

Router(config)#no ip domain-lookup

Router(config)#line con 0

Router(config-line)# exec-timeout 0 0

Router(config-line)# logging synchronous

Router(config-line)#

Router(config-line)#line aux 0

Router(config-line)# exec-timeout 0 0

Router(config-line)# logging synchronous

Router(config-line)#line vty 0 4

Router(config-line)#

Router(config-line)#

Router(config-line)# exec-timeout 0 0

Router(config-line)# password cisco

Router(config-line)#

Router(config-line)# login

Router(config-line)#

Router(config-line)#

Router(config-line)#alias exec a sh ip int bri

Router(config)#alias exec b sh ip route

Router(config)#alias exec c sh ip route rip

Router(config)#alias exec d sh run

Router(config)#host R1

R1(config)#int loopback0

R1(config-if)#ip address 192.168.10.1 255.255.255.0

R1(config-if)#ip address 192.168.10.2 255.255.255.0

R1(config-if)#no ip address 192.168.10.2 255.255.255.0

R1(config-if)#ip address 192.168.10.2 255.255.255.0 secondary

R1(config-if)#ip address 192.168.10.3 255.255.255.0 secondary

R1(config-if)#ip address 192.168.10.4 255.255.255.0 secondary

R1(config-if)#ip address 192.168.10.5 255.255.255.0 secondary

R1(config-if)#int s1/0

R1(config-if)#ip add <?xml:namespace prefix = st1 ns = "urn:schemas-microsoft-com:office:smarttags" />10.10.1.1 255.255.255.0

R1(config-if)#clock rate 64000

R1(config-if)#no shut

R1(config-if)#exit

宣告网络

R1(config)#router rip

R1(config-router)#net 10.0.0.0

R1(config-router)#net 192.168.10.0

R2 上的配置

Router(config)#host R2

R2(config)#int s1/1

R2(config-if)#ip add 10.10.1.2 255.255.255.0

R2(config-if)#no shut

R2(config-if)#exit

R2(config)#router rip

R2(config-router)#net 10.0.0.0

R2(config-router)#net 192.168.10.0

好了 , 在未开始在 R2 上设置访问控制列表时测试路由可达性

R1#ping

Protocol [ip]:

Target IP address: 10.10.1.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.10.1

% Invalid source. Must use IP address or full interface name without spaces (e.g. Serial0/1)

Source address or interface:

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 96/96/96 ms

R1#ping

Protocol [ip]:

Target IP address: 10.10.1.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.10.2

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.2

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 96/96/96 ms

R1#ping

Protocol [ip]:

Target IP address: 10.10.1.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.10.3

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.3

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 72/91/96 ms

R1#ping

Protocol [ip]:

Target IP address: 10.10.1.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.10.4

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.4

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 96/96/96 ms

R1#ping

Protocol [ip]:

Target IP address: 10.10.1.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.10.5

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.5

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 96/100/120 ms

可以看出 R1 的各个接口都顺利到达 R2

下面开始在 R2 上设置 ACL 标准访问列表

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#access-list 10 permit 192.168.10.1

R2(config)#access-list 10 permit 192.168.10.3

R2(config)#access-list 10 permit 192.168.10.5

R2(config)#^Z

注意记住标准 ACL 命令的格式 , 其中的 10 为标准 ACL 的编号 , 标准 ACL 的编号范围为 0-99.

下面查看一下 ACL 的配置

R2#

*Mar  1 00:07:14.635: %SYS-5-CONFIG_I: Configured from console by console

R2#show ip access-lists

Standard IP access list 10

    20 permit 192.168.10.3

    10 permit 192.168.10.1

30 permit 192.168.10.5

最后在 R2 上的 S1/1 接口上调用 ACL10 即可 .

好了 , 配置好 ACL 访问列表后 , 在 R1 上测试一下 ACL10 的作用

R1#ping

Protocol [ip]:

Target IP address: 10.10.1.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.10.1

% Invalid source. Must use IP address or full interface name without spaces (e.g. Serial0/1)

Source address or interface:

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:

U.U.U

Success rate is 0 percent (0/5)

在这里遇到了一个问题 , 为什么 192.168.10.1 不能作为 ping 的源地址去 pingR2 的 S1/1 接口呢 ? 大家明白的麻烦给我解释一下 .

R1#ping

Protocol [ip]:

Target IP address: 10.10.1.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.10.2

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.2

U.U.U

Success rate is 0 percent (0/5)

R1#ping

Protocol [ip]:

Target IP address: 10.10.1.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.10.1

% Invalid source. Must use IP address or full interface name without spaces (e.g. Serial0/1)

Source address or interface: 192.168.10.3

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.3

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 72/96/120 ms

R1#ping

Protocol [ip]:

Target IP address: 10.10.1.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.10.4

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.4

U.U.U

Success rate is 0 percent (0/5)

R1#ping

Protocol [ip]:

Target IP address: 10.10.1.2

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.10.5

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.5

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 72/91/120 ms

好了 , 结果也证明了创建的 ACL 标准访问列表起作用了 . 被充许访问的 192.168.10.1,192.168.10.3,192.168.10.5 都可以 ping 得通 R2 的 S1/1 接口 , 而其它被禁止的地址即不能 ping 得通 .

标准访问列表 ACL 只能根据源地址来控制数据的流通 , 但当我们需要根据目的地、数据类型来控制数据流通的时候宵能用它了 . 需要用到扩展的访问控制列表 .

 

转载于:https://blog.51cto.com/bennie/101793