Cisco Router Lab 5: Configuring ACLs (Access Control Lists)


2007-12-04 11:34

Earlier we briefly covered configuring the two most common Cisco routing protocols; today it is time to talk about ACLs (access control lists).
What are ACLs? An ACL is an ordered list of permit and deny statements that is applied to an interface in one direction (inbound or outbound) to filter the packets crossing it. Entries are checked top-down and the first match decides; every list ends with an implicit deny, which is why each list below finishes with an explicit permit for everything else.
Sorry, something came up at the department just now... OK, next let's first look at the topology:
Topology, as defined by the configurations below: PC1 192.168.1.1 -- E0 192.168.1.2 Router1 S0 192.168.2.1 -- S1 192.168.2.2 Router2 E0 192.168.3.1 -- PC2 192.168.3.2 (all /24).

Router1 configuration:


Router>enable
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router1
Router1(config)#interface e0
Router1(config-if)#ip address 192.168.1.2 255.255.255.0
Router1(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router1(config-if)#interface s0
Router1(config-if)#ip address 192.168.2.1 255.255.255.0
Router1(config-if)#encapsulation ppp
Router1(config-if)#clock rate 64000
Router1(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINK-3-UPDOWN: Interface Serial0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
Router1(config-if)#exit
Router1(config)#ip route ?
a.b.c.d                 Destination prefix
Router1(config)#ip route 192.168.2.0 255.255.255.0 192.168.2.1
// Note: the 192.168.2.1 here cannot be written as S0; in a real environment it can, but I don't know why it just won't ping in the Boson NetSim environment
// (192.168.2.0/24 is directly connected on S0, so this static route is redundant; the connected route already covers it)
Router1(config)#ip route 192.168.3.0 255.255.255.0 192.168.2.2
// next hop for the remote LAN is the neighbour's serial address 192.168.2.2 (Router2 S1), not Router1's own 192.168.2.1
Router1(config)#exit
Router1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

Router2 configuration:


Router>enable
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router2
Router2(config)#interface e0
Router2(config-if)#ip address 192.168.3.1 255.255.255.0
Router2(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router2(config-if)#interface s1
Router2(config-if)#ip address 192.168.2.2 255.255.255.0
Router2(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Serial1, changed state to up
Router2(config-if)#exit

Router2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1
// next hop for the remote LAN is the neighbour's serial address 192.168.2.1 (Router1 S0), not Router2's own 192.168.2.2
Router2(config)#ip route 192.168.2.0 255.255.255.0 192.168.2.2
// redundant: 192.168.2.0/24 is directly connected on S1
Router2(config)#exit
Router2#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]


Test:
Router2#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Router2#ping 192.168.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
// Tried pinging between the routers; it works. Next, configure the PCs.

PC1 configuration:

Boson BOSS 5.0
Copyright 1998-2003 Boson Software, Inc.
Use the command help to get started

C:>winipcfg
In winipcfg, set IP: 192.168.1.1 255.255.255.0, gateway: 192.168.1.2

PC2 configuration:

C:>winipcfg
In winipcfg, set IP: 192.168.3.2 255.255.255.0, gateway: 192.168.3.1

The above is the same setup as in Lab 2: Configuring Static Routes.
Next, let's look at the tasks and begin the actual ACL configuration.

Task 1:
No host on PC1's subnet may reach PC2.
We use a standard ACL here. A standard ACL matches only on the source address, so it is generally placed close to the destination; applied near the source it would cut the whole subnet off from every destination, not just PC2.
That means configuring Router2's E0 interface:
In short: Router2's E0 does not let traffic from the specific subnet 192.168.1.0/24 out toward PC2, and forwards everything else.

Router2#config t
Router2(config)#access-list 1 deny 192.168.1.0 0.0.0.255
Router2(config)#access-list 1 permit any
Router2(config)#interface e0
Router2(config-if)#ip ?
address                 Set the IP address of an interface
ospf                    OSPF interface commands
access-group            Specify access control for packets
nat                     NAT interface commands
summary-address         Perform address summarization
router                  IP router interface commands
policy                  Enable policy routing
network                 Assign an IPX network & enable IPX routing
Router2(config-if)#ip access-group ?
<1-199>                 IP access list (standard or extended)
Router2(config-if)#ip access-group 1 ?
in                      inbound packets
out                     outbound packets
Router2(config-if)#ip access-group 1 out
Router2(config-if)#exit
Router2(config)#exit
Router2#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

Test:
PC1 ping PC2: fails
PC2 ping PC1: fails   // Ping is a two-way flow: PC2's packets reach PC1, but PC1's replies are filtered on the way back out E0, so the ping fails
Success!

Task 2:
PC1 must not be able to Telnet to PC2.
We use an extended ACL here. An extended ACL can match on source, destination, protocol and port, so it is generally placed close to the source to drop the traffic before it crosses the network.
That means configuring Router1's E0 interface:
In short: on Router1's E0, deny Telnet (TCP port 23) traffic from the specific address 192.168.1.1 to the specific address 192.168.3.2, and forward everything else. Because PC1 is the source, the list is applied inbound on E0 (the interface facing PC1); the source/destination pair and the direction must both be right, or the list ends up filtering the opposite direction (PC2 telnetting to PC1) instead.

Router1#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 101 deny tcp host 192.168.1.1 host 192.168.3.2 eq ?
www                     World Wide Web (HTTP, 80)
bgp                     Border Gateway Protocol (179)
echo                    Echo (7)
telnet                  Telnet (23)
Router1(config)#access-list 101 deny tcp host 192.168.1.1 host 192.168.3.2 eq telnet
// source is PC1 (192.168.1.1), destination is PC2 (192.168.3.2); 'eq telnet' qualifies the destination port, so the order of the two hosts matters
// I don't know why typing the port number just doesn't work in the Boson NetSim v6.0 environment
Router1(config)#access-list 101 permit ip any any
Router1(config)#interface e0
Router1(config-if)#ip access-group 101 in
// inbound on E0: Telnet from PC1 enters Router1 here, so this is the direction to filter; 'out' on E0 would only inspect traffic heading back toward PC1
Router1(config-if)#exit
Router1(config)#exit
Router1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

Test:
On the simulator I really don't know how to test this!! Fellow bloggers who know, please give me a hint!!
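The direction question in Task 2 (and the standard-ACL behaviour in Task 1) is easiest to see by tracing both packets of each session through every interface they cross. The Python model below is an added example, not part of the original post or of any Cisco tool: it implements the IOS ACL matching rules (wildcard masks, top-down first match, implicit deny, one list per interface per direction) over this lab's topology and runs the Task 1 list, the Task 2 list as originally typed (deny host 192.168.3.2 to host 192.168.1.1, applied out on Router1 E0) and the corrected Task 2 list against a ping and a Telnet session in each direction. Assumptions: the hop lists model the two-router path above, the Telnet client uses source port 50000, and each task is evaluated on its own (in the lab as sequenced, ACL 1 is still bound on Router2 E0 during Task 2 and would already block PC1's whole subnet, which is one reason a Telnet test there proves little).

```python
"""Model of Cisco IOS IPv4 ACL evaluation applied to the lab topology (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "icmp", "tcp" or "udp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry; proto 'ip' matches any protocol (what a standard ACL does)."""
    action: str                  # "permit" or "deny"
    proto: str
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None  # the 'eq <port>' qualifier applies to the DESTINATION port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        return self.dport is None or p.dport == self.dport


def evaluate(acl: list[Ace], p: Packet) -> str:
    """Top-down, first match wins; anything unmatched hits the implicit 'deny any'."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


HOST = "0.0.0.0"                          # wildcard used by 'host x.x.x.x'
ANY = ("0.0.0.0", "255.255.255.255")      # address/wildcard pair for 'any'

# Lab topology: PC1 (192.168.1.1) - e0 Router1 s0 - s1 Router2 e0 - PC2 (192.168.3.2).
# Each hop is (router, interface, direction); an ACL may be bound to any of them.
PC1_TO_PC2 = [("Router1", "e0", "in"), ("Router1", "s0", "out"),
              ("Router2", "s1", "in"), ("Router2", "e0", "out")]
PC2_TO_PC1 = [("Router2", "e0", "in"), ("Router2", "s1", "out"),
              ("Router1", "s0", "in"), ("Router1", "e0", "out")]


def transit(p: Packet, hops, bindings) -> bool:
    """True if p is permitted by every ACL bound on the hops it crosses."""
    return all(evaluate(bindings[h], p) == "permit" for h in hops if h in bindings)


def session_allowed(req: Packet, bindings) -> bool:
    """A ping or TCP session only works if BOTH the request and the reply get through."""
    reply = Packet(req.dst, req.src, req.proto, sport=req.dport, dport=req.sport)
    fwd, rev = (PC1_TO_PC2, PC2_TO_PC1) if req.src.startswith("192.168.1.") else (PC2_TO_PC1, PC1_TO_PC2)
    return transit(req, fwd, bindings) and transit(reply, rev, bindings)


PC1, PC2 = "192.168.1.1", "192.168.3.2"
EPHEMERAL = 50000                         # assumed client source port for the Telnet session


def ping(src: str, dst: str) -> Packet:
    return Packet(src, dst, "icmp")


def telnet(src: str, dst: str) -> Packet:
    return Packet(src, dst, "tcp", sport=EPHEMERAL, dport=23)


# Task 1: standard ACL 1, bound outbound on Router2 e0 (near the destination).
ACL_1 = [Ace("deny", "ip", "192.168.1.0", "0.0.0.255"), Ace("permit", "ip", *ANY)]
TASK1 = {("Router2", "e0", "out"): ACL_1}

# Task 2 as typed in the post: deny tcp host 192.168.3.2 host 192.168.1.1 eq telnet, OUT on Router1 e0.
ACL_101_POSTED = [Ace("deny", "tcp", PC2, HOST, PC1, HOST, dport=23), Ace("permit", "ip", *ANY, *ANY)]
TASK2_POSTED = {("Router1", "e0", "out"): ACL_101_POSTED}

# Task 2 corrected: deny tcp host 192.168.1.1 host 192.168.3.2 eq telnet, IN on Router1 e0.
ACL_101_FIXED = [Ace("deny", "tcp", PC1, HOST, PC2, HOST, dport=23), Ace("permit", "ip", *ANY, *ANY)]
TASK2_FIXED = {("Router1", "e0", "in"): ACL_101_FIXED}


def results() -> dict:
    """Which sessions survive each configuration (True = allowed)."""
    return {
        "task1_ping_pc1_to_pc2": session_allowed(ping(PC1, PC2), TASK1),
        "task1_ping_pc2_to_pc1": session_allowed(ping(PC2, PC1), TASK1),  # reply is filtered
        "posted_telnet_pc1_to_pc2": session_allowed(telnet(PC1, PC2), TASK2_POSTED),
        "posted_telnet_pc2_to_pc1": session_allowed(telnet(PC2, PC1), TASK2_POSTED),
        "fixed_telnet_pc1_to_pc2": session_allowed(telnet(PC1, PC2), TASK2_FIXED),
        "fixed_telnet_pc2_to_pc1": session_allowed(telnet(PC2, PC1), TASK2_FIXED),
        "fixed_ping_pc1_to_pc2": session_allowed(ping(PC1, PC2), TASK2_FIXED),
    }


if __name__ == "__main__":
    for name, ok in results().items():
        print(f"{name}: {'allowed' if ok else 'blocked'}")
```

Run stand-alone, the model reports Task 1 blocking the ping in both directions (PC2's request gets through, PC1's reply does not), the originally typed ACL 101 leaving PC1's Telnet to PC2 fully open while blocking PC2's Telnet to PC1, and the corrected list blocking exactly PC1 to PC2 on port 23 while ping and the reverse Telnet still work. On a real router, `show access-lists 101` prints a per-entry match counter, which is the usual way to confirm that the deny line is actually being hit during a test.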

 

 
