Packet Tracer 50建构CCNA实验攻略ACL简单的配置.docx

Packet Tracer 50建构CCNA实验攻略ACL简单的配置.docx

《Packet Tracer 50建构CCNA实验攻略ACL简单的配置.docx》由会员分享，可在线阅读，更多相关《Packet Tracer 50建构CCNA实验攻略ACL简单的配置.docx（13页珍藏版）》请在冰豆网上搜索。

PacketTracer50建构CCNA实验攻略ACL简单的配置

PacketTracer5.0建构CCNA实验攻略（15）——ACL简单的配置

2008-10-0822:

43

　　PacketTracer5.0是一款非常不错的Cisco（思科）网络设备模拟器，对于想考思科初级认证（如CCNA）的朋友们来说，PacketTracer5.0是非常不错的选择。

通常我们周围并没有那么多思科的设备供我们学习调试，参加培训费用很贵，上机实践的机会还是有限的，利用PacketTracer5.0练习思科IOS操作命令很不错的。

近日，在网上下载了思科CCNA640-802指导用书，打算根据此教程与诸位网友共同分享PacketTracer5.0的使用方法与技巧，也借此抛砖引玉。

　　ACL（AccessControlList，访问控制列表），简单说就是包过滤，根据数据包的报头中的ip地址、协议端口号等信息进行过滤。

利用ACL可以实现安全控制。

编号：

1-99or1300-1999（standardIP），100-199or2000-2699（ExtendedIP）。

ACL并不复杂，但在实际应用中的，要想恰当地应用ACL，必需要制定合理的策略。

　　一、实验配置拓扑图

图一

图二　网络中的DNS服务器:

192.168.1.2

图三　网络中的WWW服务器:

192.168.1.3

　　二、三个路由器的基本配置

LuoShan#shstartup-config

Using699bytes

!

version12.4

noservicepassword-encryption

!

hostnameLuoShan

!

!

enablepasswordcisco

!

!

!

!

usernamesenyapassword0cisco

!

ipsshversion1

noipdomain-lookup

!

!

interfaceFastEthernet0/0

noipaddress

duplexauto

speedauto

shutdown

!

interfaceFastEthernet0/1

ipaddress192.168.3.1255.255.255.0

duplexauto

speedauto

!

interfaceSerial0/3/0

ipaddress172.17.1.1255.255.255.0

clockrate56000

!

interfaceSerial0/3/1

ipaddress172.18.1.2255.255.255.0

!

interfaceVlan1

noipaddress

shutdown

!

routereigrp100

network192.168.3.0

network172.17.0.0

network172.18.0.0

auto-summary

!

ipclassless

!

!

!

!

!

linecon0

linevty04

passwordcisco

login

!

!

end

HuangChuang#shstartup-config

Using669bytes

!

version12.4

noservicepassword-encryption

!

hostnameHuangChuang

!

!

enablepasswordcisco

!

!

!

!

ipsshversion1

noipdomain-lookup

!

!

interfaceFastEthernet0/0

noipaddress

duplexauto

speedauto

shutdown

!

interfaceFastEthernet0/1

ipaddress192.168.2.1255.255.255.0

duplexauto

speedauto

!

interfaceSerial0/3/0

ipaddress172.17.1.2255.255.255.0

!

interfaceSerial0/3/1

ipaddress172.16.1.1255.255.255.0

clockrate56000

!

interfaceVlan1

noipaddress

shutdown

!

routereigrp100

network192.168.2.0

network172.17.0.0

network172.16.0.0

auto-summary

!

ipclassless

!

!

!

!

!

linecon0

linevty04

passwordcisco

login

!

!

end

xixian#shstartup-config

Using679bytes

!

version12.4

servicepassword-encryption

!

hostnamexixian

!

!

enablepassword70822455D0A16

!

!

!

!

ipsshversion1

noipdomain-lookup

!

!

interfaceFastEthernet0/0

noipaddress

duplexauto

speedauto

shutdown

!

interfaceFastEthernet0/1

ipaddress192.168.1.1255.255.255.0

duplexauto

speedauto

!

interfaceSerial0/3/0

ipaddress172.18.1.1255.255.255.0

clockrate56000

!

interfaceSerial0/3/1

ipaddress172.16.1.2255.255.255.0

!

interfaceVlan1

noipaddress

shutdown

!

routereigrp100

network192.168.1.0

network172.18.0.0

network172.16.0.0

auto-summary

!

ipclassless

!

!

!

!

!

linecon0

linevty04

password70822455D0A16

login

!

!

end

　　三、配置简单的ACL

　　１、配置ACL限制远程登录到路由器的主机

HuangChuang#conft

Enterconfigurationcommands,oneperline.EndwithCNTL/Z.

HuangChuang（config）#access-list1permithost192.168.2.2　＼＼路由器HuangChuang只允许

192.168.2.2远程登录（telnet）

HuangChuang（config）#linevty04

HuangChuang（config-line）#access-class1in

HuangChuang（config-line）#

　　其它两个路由器配置相似。

　　２、配置ACL禁止192.168.3.0/24网段的icmp协议数据包通向与192.168.1.0/24网段

xixian（config）#access-list101denyicmp192.168.3.00.0.0.255192.168.1.00.0.0.255

xixian（config）#access-list101permitipanyany

xixian（config）#intfa0/1

xixian（config-if）#ipaccess-group101out

xixian（config-if）#

　　３、配置ACL禁止特点的协议端口通讯

HuangChuang#conft

Enterconfigurationcommands,oneperline.EndwithCNTL/Z.

HuangChuang（config）#ipaccess-listextendedACL1　　＼＼创建基于名称的扩展ACL

HuangChuang（config-ext-nacl）#denytcphost192.168.2.2192.168.1.00.0.0.255eq80

HuangChuang（config-ext-nacl）#denyudphost192.168.2.3192.168.1.00.0.0.255eq53

HuangChuang（config-ext-nacl）#permitipanyany

HuangChuang（config-ext-nacl）#exit

HuangChuang（config）#intfa0/1

HuangChuang（config-if）#ipaccess-groupACL1in

HuangChuang（config-if）#

图四　验证ACL

　　４。

检验、查看ACL

HuangChuang#shaccess-list

StandardIPaccesslist1

   permithost192.168.2.2（4match（es））

ExtendedIPaccesslistACL1

   denyudphost192.168.2.3192.168.1.00.0.0.255eqdomain

   denytcphost192.168.2.2192.168.1.00.0.0.255eqwww

   permitipanyany

HuangChuang#showaccess-list

StandardIPaccesslist1

   permithost192.168.2.2（4match（es））

ExtendedIPaccesslistACL1

   denyudphost192.168.2.3192.168.1.00.0.0.255eqdomain（15match（es））

   denytcphost192.168.2.2192.168.1.00.0.0.255eqwww（60match（es））

   permitipanyany（34match（es））

HuangChuang#showaccess-listACL1

ExtendedIPaccesslistACL1

   denyudphost192.168.2.3192.168.1.00.0.0.255eqdomain（15match（es））

   denytcphost192.168.2.2192.168.1.00.0.0.255eqwww（60match（es））

   permitipanyany（34match（es））

HuangChuang#showaccess-list1

StandardIPaccesslist1

   permithost192.168.2.2（4match（es））

　　四、配置ACL的路由器配置内容

HuangChuang#shstartup-config

Using914bytes

!

version12.4

noservicepassword-encryption

!

hostnameHuangChuang

!

!

enablepasswordcisco

!

!

!

!

ipsshversion1

noipdomain-lookup

!

!

interfaceFastEthernet0/0

noipaddress

duplexauto

speedauto

shutdown

!

interfaceFastEthernet0/1

ipaddress192.168.2.1255.255.255.0

ipaccess-groupACL1in

duplexauto

speedauto

!

interfaceSerial0/3/0

ipaddress172.17.1.2255.255.255.0

!

interfaceSerial0/3/1

ipaddress172.16.1.1255.255.255.0

clockrate56000

!

interfaceVlan1

noipaddress

shutdown

!

routereigrp100

network192.168.2.0

network172.17.0.0

network172.16.0.0

auto-summary

!

ipclassless

!

!

access-list1permithost192.168.2.2

ipaccess-listextendedACL1

denyudphost192.168.2.3192.168.1.00.0.0.255eqdomain

denytcphost192.168.2.2192.168.1.00.0.0.255eqwww

permitipanyany

!

!

!

linecon0

linevty04

access-class1in

passwordcisco

login

!

!

end

LuoShan#shstartup-config

Using756bytes

!

version12.4

noservicepassword-encryption

!

hostnameLuoShan

!

!

enablepasswordcisco

!

!

!

!

usernamesenyapassword0cisco

!

ipsshversion1

noipdomain-lookup

!

!

interfaceFastEthernet0/0

noipaddress

duplexauto

speedauto

shutdown

!

interfaceFastEthernet0/1

ipaddress192.168.3.1255.255.255.0

duplexauto

speedauto

!

interfaceSerial0/3/0

ipaddress172.17.1.1255.255.255.0

clockrate56000

!

interfaceSerial0/3/1

ipaddress172.18.1.2255.255.255.0

!

interfaceVlan1

noipaddress

shutdown

!

routereigrp100

network192.168.3.0

network172.17.0.0

network172.18.0.0

auto-summary

!

ipclassless

!

!

access-list2permithost192.168.3.2

!

!

!

linecon0

linevty04

access-class2in

passwordcisco

login

!

!

end

xixian#showstartup-config

Using808bytes

!

version12.4

servicepassword-encryption

!

hostnamexixian

!

!

enablepassword70822455D0A16

!

!

!

!

ipsshversion1

noipdomain-lookup

!

!

interfaceFastEthernet0/0

noipaddress

duplexauto

speedauto

shutdown

!

interfaceFastEthernet0/1

ipaddress192.168.1.1255.255.255.0

ipaccess-group101out

duplexauto

speedauto

!

interfaceSerial0/3/0

ipaddress172.18.1.1255.255.255.0

clockrate56000

!

interfaceSerial0/3/1

ipaddress172.16.1.2255.255.255.0

!

interfaceVlan1

noipaddress

shutdown

!

routereigrp100

network192.168.1.0

network172.18.0.0

network172.16.0.0

auto-summary

!

ipclassless

!

!

access-list101denyicmp192.168.3.00.0.0.255192.168.1.00.0.0.255

access-list101permitipanyany

!

!

!

linecon0

linevty04

password70822455D0A16

login

!

!

end