Cisco Router Lab 5: Configuring ACLs (Access Control Lists)
2007-12-04 11:34
The earlier posts briefly covered configuring the two most common Cisco routing protocols; today it is time to talk about ACLs (access control lists).
What are ACLs? An ACL is an ordered list of permit and deny statements that is applied to an interface in a given direction (inbound or outbound). Packets are checked against the entries from top to bottom, the first matching entry decides, and a packet that matches no entry is dropped by the implicit "deny any" at the end of every list.
Sorry, something came up at the department just now... OK, let's first look at the topology:
Router1 configuration:
Router>enable
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router1
Router1(config)#interface e0
Router1(config-if)#ip address 192.168.1.2 255.255.255.0
Router1(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router1(config-if)#interface s0
Router1(config-if)#ip address 192.168.2.1 255.255.255.0
Router1(config-if)#encapsulation ppp
Router1(config-if)#clock rate 64000 //this side is the DCE end of the serial link, so it supplies the clock
Router1(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINK-3-UPDOWN: Interface Serial0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down //the line protocol stays down until the far end (Router2 S1) is configured
Router1(config-if)#exit
Router1(config)#ip route ?
a.b.c.d Destination prefix
Router1(config)#ip route 192.168.3.0 255.255.255.0 192.168.2.2 //next hop is the far end of the serial link, Router2's S1 (192.168.2.2); 192.168.2.0/24 is directly connected and needs no static route. Note: the next hop here cannot be written as the interface name S0; in a real environment that works, but for some reason in Boson NetSim the ping then fails
Router1(config)#exit
Router1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router2 configuration:
Press Enter to Start
Router>enable
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router2
Router2(config)#interface e0
Router2(config-if)#ip address 192.168.3.1 255.255.255.0
Router2(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router2(config-if)#interface s1
Router2(config-if)#ip address 192.168.2.2 255.255.255.0
Router2(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Serial1, changed state to up
Router2(config-if)#exit
Router2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1 //next hop is Router1's S0 (192.168.2.1); 192.168.2.0/24 is directly connected and needs no static route
Router2(config)#exit
Router2#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Test:
Router2#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Router2#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
//The routers can reach each other. The first ping crosses the serial link to Router1's E0; the second only hits Router2's own S1 address (192.168.2.2), so pinging 192.168.2.1 would be the better test of the link itself. Next, configure the PCs.
PC1 configuration:
Boson BOSS 5.0
Copyright 1998-2003 Boson Software, Inc.
Use the command help to get started
Press Enter to begin
C:>
C:>winip?
winipcfg
C:>winipcfg //in the winipcfg dialog set IP: 192.168.1.1 255.255.255.0, gateway: 192.168.1.2
PC2 configuration:
C:>
C:>winip?
winipcfg
C:>winipcfg //in the winipcfg dialog set IP: 192.168.3.2 255.255.255.0, gateway: 192.168.3.1
The above is the setup from Lab 2 (static routing configuration).
Now let's look at the exercises and start the actual ACL configuration:
Exercise 1: None of the machines on PC1's subnet may access PC2.
Here we use a standard ACL. A standard ACL matches on source address only, so it is generally placed as close to the destination as possible; placed near the source it would cut 192.168.1.0/24 off from every destination, not just PC2.
That means configuring it on Router2's E0 interface:
In short: Router2's E0 does not pass traffic from the 192.168.1.0/24 subnet but forwards everything else.
Router2#config t
Router2(config)#access-list 1 deny 192.168.1.0 0.0.0.255
Router2(config)#access-list 1 permit any
Router2(config)#interface e0
Router2(config-if)#ip ?
address Set the IP address of an interface
ospf OSPF interface commands
access-group Specify access control for packets
nat NAT interface commands
summary-address Perform address summarization
router IP router interface commands
policy Enable policy routing
network Assign an IPX network & enable IPX routing
Router2(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
Router2(config-if)#ip access-group 1 ?
in inbound packets
out outbound packets
Router2(config-if)#ip access-group 1 out
Router2(config-if)#exit
Router2(config)#exit
Router2#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Test:
PC1 ping PC2: fails
PC2 ping PC1: fails // Ping is a two-way flow: PC2's echo request reaches PC1, but PC1's echo reply (source 192.168.1.1) leaves through Router2's E0 and is dropped by the ACL, so the ping fails. Because a standard ACL filters on source address only, it breaks the reverse direction as well.
Success!
Exercise 2: PC1 must not be able to Telnet to PC2.
Here we use an extended ACL. Because an extended ACL matches on source, destination, protocol and port, it is generally placed as close to the source as possible, so the unwanted traffic is dropped before it crosses the network.
That means configuring it inbound on Router1's E0 interface, where PC1's traffic enters the router:
In short: on Router1's E0, drop Telnet (TCP port 23) traffic from 192.168.1.1 to 192.168.3.2 and forward everything else.
Router1#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 101 deny tcp host 192.168.1.1 host 192.168.3.2 eq ?
www World Wide Web (HTTP, 80)
bgp Border Gateway Protocol (179)
echo Echo (7)
telnet Telnet (23)
Router1(config)#access-list 101 deny tcp host 192.168.1.1 host 192.168.3.2 eq telnet //source is PC1, destination is PC2, "eq telnet" applies to the destination port; I don't know why typing the port number instead of the keyword doesn't work in Boson NetSim v6.0
Router1(config)#access-list 101 permit ip any any //every ACL ends with an implicit deny, so all other traffic must be permitted explicitly
Router1(config)#interface e0
Router1(config-if)#ip access-group 101 in //inbound: PC1's packets are checked as they enter Router1
Router1(config-if)#exit
Router1(config)#exit
Router1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Test:
I honestly don't know how to test this in the simulator!! Readers who know, please give me a hint!!