IP访问控制列表配置.docx
《IP访问控制列表配置.docx》由会员分享,可在线阅读,更多相关《IP访问控制列表配置.docx(12页珍藏版)》请在冰豆网上搜索。
IP访问控制列表配置
PacketTracer5.2实验(十二)标准IP访问控制列表配置
一、实验目标
∙理解标准IP访问控制列表的原理及功能;
∙掌握编号的标准IP访问控制列表的配置方法;
二、实验背景
公司的经理部、财务部和销售部分别属于不同的3个网段,三部门之间用路由器进行信息传递,为了安全起见,公司领导要求销售部不能对财务部进行访问,但经理部可以对财务部进行访问。
三、技术原理
ACLs的全称为接入控制列表(AccessControlLists),也称为访问列表(AccessList),俗称为防火墙,在有的文档中还称之为包过滤。
ACLs通过定义一些规则对网络设备接口上的数据报文进行控制:
允许通过或丢弃,从而提高网络可管理性和安全性;
IPACL分为两种:
标准IP访问列表和扩展IP访问列表,编号范围分别为1~99、1300~1999,100~199、2000~2699;
标准IP访问列表可以根据数据包的源IP地址定义规则,进行数据包的过滤;
扩展IP访问列表可以根据数据包的源IP、目的IP、源端口、目的端口、协议来定义规则,进行数据包的过滤;
IPACL基于接口进行规则的应用,分为:
入栈应用和出栈应用;
四、实验步骤
实验拓扑
1、路由器之间通过V.35电缆串口连接,DCE端连接在R1上,配置其时间频率为64000;主机与路由器通过交叉线连接;
2、配置路由器接口IP地址;
3、在路由器上配置OSPF路由协议,让三台PC能相互ping通,因为只有在互通的前提下才能涉及到访问控制列表;
4、在R1上配置编号的IP标准访问控制列表;
5、将标准IP访问列表应用到接口上;
6、验证主机之间的互通性;
R1:
Router>en
Router#conft
Enterconfigurationcommands,oneperline.EndwithCNTL/Z.
Router(config)#hostnameR1
R1(config)#interfacefa1/0
R1(config-if)#ipaddress192.168.1.1255.255.255.0
R1(config-if)#noshut
%LINK-5-CHANGED:
InterfaceFastEthernet1/0,changedstatetoup
%LINEPROTO-5-UPDOWN:
LineprotocolonInterfaceFastEthernet1/0,changedstatetoup
R1(config-if)#exit
R1(config)#intfa0/0
R1(config-if)#ipadd192.168.2.1255.255.255.0
R1(config-if)#noshut
%LINK-5-CHANGED:
InterfaceFastEthernet0/0,changedstatetoup
%LINEPROTO-5-UPDOWN:
LineprotocolonInterfaceFastEthernet0/0,changedstatetoup
R1(config-if)#exit
R1(config)#intse2/0
R1(config-if)#clockrate64000
R1(config-if)#ipadd192.168.3.1255.255.255.0
R1(config-if)#noshut
%LINK-5-CHANGED:
InterfaceSerial2/0,changedstatetodown
R1(config-if)#exit
R1(config)#
R1(config)#routerospf1
R1(config-router)#network192.168.1.00.0.0.255area0
R1(config-router)#network192.168.2.00.0.0.255area0
R1(config-router)#network192.168.3.00.0.0.255area0
R1(config-router)#end
R1#
%SYS-5-CONFIG_I:
Configuredfromconsolebyconsole
R1#showiproute
Codes:
C-connected,S-static,I-IGRP,R-RIP,M-mobile,B-BGP
D-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterarea
N1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2
E1-OSPFexternaltype1,E2-OSPFexternaltype2,E-EGP
i-IS-IS,L1-IS-ISlevel-1,L2-IS-ISlevel-2,ia-IS-ISinterarea
*-candidatedefault,U-per-userstaticroute,o-ODR
P-periodicdownloadedstaticroute
Gatewayoflastresortisnotset
C192.168.1.0/24isdirectlyconnected,FastEthernet1/0
C192.168.2.0/24isdirectlyconnected,FastEthernet0/0
R1#
R1#
R1#showiproute//两台路由器配置好后的路由信息
Codes:
C-connected,S-static,I-IGRP,R-RIP,M-mobile,B-BGP
D-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterarea
N1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2
E1-OSPFexternaltype1,E2-OSPFexternaltype2,E-EGP
i-IS-IS,L1-IS-ISlevel-1,L2-IS-ISlevel-2,ia-IS-ISinterarea
*-candidatedefault,U-per-userstaticroute,o-ODR
P-periodicdownloadedstaticroute
Gatewayoflastresortisnotset
C 192.168.1.0/24isdirectlyconnected,FastEthernet1/0
C 192.168.2.0/24isdirectlyconnected,FastEthernet0/0
C 192.168.3.0/24isdirectlyconnected,Serial2/0
O 192.168.4.0/24[110/782]via192.168.3.2,00:
00:
15,Serial2/0
R1#
R1#conft
Enterconfigurationcommands,oneperline. EndwithCNTL/Z.
R1(config)#ip?
access-list Namedaccess-list
default-network Flagsnetworksascandidatesfordefaultroutes
dhcp ConfigureDHCPserverandrelayparameters
domain IPDNSResolver
domain-lookup EnableIPDomainNameSystemhostnametranslation
domain-name Definethedefaultdomainname
forward-protocol ControlsforwardingofphysicalanddirectedIPbroadcasts
host Addanentrytotheiphostnametable
name-server Specifyaddressofnameservertouse
nat NATconfigurationcommands
route Establishstaticroutes
tcp GlobalTCPparameters
R1(config)#ipac
R1(config)#ipaccess-list?
extended ExtendedAccessList
standard StandardAccessList
R1(config)#ipaccess-liststa
R1(config)#ipaccess-liststandard?
<1-99> StandardIPaccess-listnumber
WORD Access-listname
R1(config)#ipaccess-liststandarddavid?
R1(config)#ipaccess-liststandarddavid//配置名为david的IP标准访问控制列表
R1(config-std-nacl)#?
default Setacommandtoitsdefaults
deny Specifypacketstoreject
exit Exitfromaccess-listconfigurationmode
no Negateacommandorsetitsdefaults
permit Specifypacketstoforward
remark Accesslistentrycomment
R1(config-std-nacl)#permit192.168.1.0?
A.B.C.D Wildcardbits
R1(config-std-nacl)#permit192.168.1.00.0.0.255?
R1(config-std-nacl)#permit192.168.1.00.0.0.255//允许192.168.1.0网段通过
R1(config-std-nacl)#deny?
A.B.C.D Addresstomatch
any Anysourcehost
host Asinglehostaddress
R1(config-std-nacl)#deny192.168.2.0?
A.B.C.D Wildcardbits
R1(config-std-nacl)#deny192.168.2.00.0.0.255?
R1(config-std-nacl)#deny192.168.2.00.0.0.255//禁止192.168.2.0网段通过
R1(config-std-nacl)#exit
R1(config)#inter
R1(config)#interfacese2/0
R1(config-if)#?
bandwidth Setbandwidthinformationalparameter
cdp CDPinterfacesubcommands
clock Configureserialinterfaceclock
crypto Encryption/Decryptioncommands
custom-queue-list Assignacustomqueuelisttoaninterface
delay Specifyinterfacethroughputdelay
description Interfacespecificdescription
encapsulation Setencapsulationtypeforaninterface
exit Exitfrominterfaceconfigurationmode
fair-queue EnableFairQueuingonanInterface
frame-relay Setframerelayparameters
hold-queue Setholdqueuedepth
ip InterfaceInternetProtocolconfigcommands
keepalive Enablekeepalive
mtu SettheinterfaceMaximumTransmissionUnit(MTU)
no Negateacommandorsetitsdefaults
ppp Point-to-PointProtocol
priority-group Assignaprioritygrouptoaninterface
service-policy ConfigureQoSServicePolicy
shutdown Shutdowntheselectedinterface
tx-ring-limit ConfigurePAleveltransmitringlimit
zone-member Applyzonename
R1(config-if)#ip?
access-group Specifyaccesscontrolforpackets
address SettheIPaddressofaninterface
hello-interval ConfiguresIP-EIGRPhellointerval
helper-address SpecifyadestinationaddressforUDPbroadcasts
inspect Applyinspectname
ips CreateIPSrule
mtu SetIPMaximumTransmissionUnit
nat NATinterfacecommands
ospf OSPFinterfacecommands
split-horizon Performsplithorizon
summary-address Performaddresssummarization
virtual-reassembly VirtualReassembly
R1(config-if)#ipac
R1(config-if)#ipaccess-group?
<1-199> IPaccesslist(standardorextended)
WORD Access-listname
R1(config-if)#ipaccess-groupdavid?
in inboundpackets
out outboundpackets
R1(config-if)#ipaccess-groupdavidout?
R1(config-if)#ipaccess-groupdavidout//将名为david的IP标准访问控制列表应用到se2/0端口
R1(config-if)#end
R1#
%SYS-5-CONFIG_I:
Configuredfromconsolebyconsole
R1#showrunning-config
Buildingconfiguration...
Currentconfiguration:
928bytes
!
version12.2
noservicetimestampslogdatetimemsec
noservicetimestampsdebugdatetimemsec
noservicepassword-encryption
!
hostnameR1
!
...
!
interfaceFastEthernet0/0
ipaddress192.168.2.1255.255.255.0
duplexauto
speedauto
!
interfaceFastEthernet1/0
ipaddress192.168.1.1255.255.255.0
duplexauto
speedauto
!
interfaceSerial2/0
ipaddress192.168.3.1255.255.255.0
ipaccess-groupdavidout
clockrate64000
!
interfaceSerial3/0
noipaddress
shutdown
!
interfaceFastEthernet4/0
noipaddress
shutdown
!
interfaceFastEthernet5/0
noipaddress
shutdown
!
routerospf1
log-adjacency-changes
network192.168.1.00.0.0.255area0
network192.168.2.00.0.0.255area0
network192.168.3.00.0.0.255area0
!
ipclassless
!
!
ipaccess-liststandarddavid
permit192.168.1.00.0.0.255
deny192.168.2.00.0.0.255
!
...
!
linecon0
linevty04
login
!
!
!
end
R1#
R2:
Router>en
Router#conft
Enterconfigurationcommands,oneperline.EndwithCNTL/Z.
Router(config)#hostnameR2
R2(config)#intfa0/0
R2(config-if)#ipadd192.168.4.1255.255.255.0
R2(config-if)#noshut
%LINK-5-CHANGED:
InterfaceFastEthernet0/0,changedstatetoup
%LINEPROTO-5-UPDOWN:
LineprotocolonInterfaceFastEthernet0/0,changedstatetoup
R2(config-if)#exit
R2(config)#intse2/0
R2(config-if)#ipadd192.168.3.2255.255.255.0
R2(config-if)#noshut
%LINK-5-CHANGED:
InterfaceSerial2/0,changedstatetoup
R2(config-if)#exit
R2(config)#routerospf1
R2(config-router)#
%LINEPROTO-5-UPDOWN:
LineprotocolonInterfaceSerial2/0,changedstatetoup
R2(config-router)#network192.168.3.00.0.0.255area0
R2(config-router)#network192.168.4.00.0.0.255area0
00:
11:
23:
%OSPF-5-ADJCHG:
Process1,Nbr192.168.3.1onSerial2/0fromLOADINGtoFULL,LoadingDo
R2(config-router)#end
R2#
%SYS-5-CONFIG_I:
Configuredfromconsolebyconsole
R2#showiproute
Codes:
C-connected,S-static,I-IGRP,R-RIP,M-mobile,B-BGP
D-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterarea
N1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2
E1-OSPFexternaltype1,E2-OSPFexternaltype2,E-EGP
i-IS-IS,L1-IS-ISlevel-1,L2-IS-ISlevel-2,ia-IS-ISi
升级会员 