Uploaded by: b****4 | Document no.: 26783180 | Uploaded: 2023-06-22 | Format: DOCX | Pages: 20 | Size: 78.71 KB
Packet Tracer 5.2 Lab 13: Extended IP Access Control List Configuration

I. Lab objectives

∙ Understand the principle and purpose of extended IP access control lists;

∙ Learn how to configure a numbered extended IP access control list;

II. Lab background

The branch office and the headquarters are on different network segments, and the departments exchange traffic through routers. For security reasons, branch management requires that department hosts may only reach the WWW service on the headquarters server and may not use ICMP against it.

III. Technical principles

The typical match criteria defined in an access list are:

source address, destination address, upper-layer protocol, and time range;

An extended IP access list (numbered 100-199 or 2000-2699) combines these four criteria to forward or block packets; rules can be defined on a packet's source IP, destination IP, source port, destination port and protocol, and packets are filtered accordingly;

Configuring an extended IP access list takes two steps:

∙ Define the extended IP access list

∙ Apply the extended IP access list to a specific interface

IV. Lab steps

1. The branch edge router and the external router are connected through their serial ports with a V.35 cable; the DCE end is on R2, and its clock rate is set to 64000. Hosts are connected to the routers with crossover cables;

2. Configure the IP addresses of the PC, the server and the router interfaces;

3. Configure static routes on each router so that the PCs can ping each other; an access control list is only meaningful once the networks are reachable;

4. Configure a numbered extended IP access control list on R2;

5. Apply the extended IP access list to an interface;

6. Verify connectivity between the hosts;

R1:

Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0    // configure the interface IP address
R1(config-if)#no shut

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip add 192.168.2.1 255.255.255.0    // configure the interface IP address
R1(config-if)#no shut
R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2    // configure the default route
R1(config)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console

R1#show ip route    // display the routing table
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.2.2 to network 0.0.0.0

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 192.168.2.2
R1#
R1#show run
Building configuration...

Current configuration : 510 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
...
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.2
!
...
!
line con 0
line vty 0 4
 login
!
!
!
end

R1#

R2:

Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R2
R2(config)#int fa0/0
R2(config-if)#ip add 192.168.2.2 255.255.255.0    // configure the interface IP address
R2(config-if)#no shut

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

R2(config-if)#exit
R2(config)#int s2/0
R2(config-if)#ip add 192.168.3.1 255.255.255.0    // configure the interface IP address
R2(config-if)#no shut

%LINK-5-CHANGED: Interface Serial2/0, changed state to down
R2(config-if)#clock rate 64000    // configure the clock rate (DCE end)
R2(config-if)#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up

R2(config-if)#exit
R2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1    // static route to the 192.168.1.0 network
R2(config)#ip route 192.168.4.0 255.255.255.0 192.168.3.2    // static route to the 192.168.4.0 network
R2(config)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console

R2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

S    192.168.1.0/24 [1/0] via 192.168.2.1
C    192.168.2.0/24 is directly connected, FastEthernet0/0
C    192.168.3.0/24 is directly connected, Serial2/0
S    192.168.4.0/24 [1/0] via 192.168.3.2
R2#
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ac
R2(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list
R2(config)#access-list 100 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
R2(config)#access-list 100 per
R2(config)#access-list 100 permit ?
  eigrp  Cisco's EIGRP routing protocol
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
R2(config)#access-list 100 permit tcp ?    // the web service runs over TCP
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
R2(config)#access-list 100 permit tcp host ?
  A.B.C.D  Source address
R2(config)#access-list 100 permit tcp host 192.168.1.2 ?    // source host address
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
R2(config)#access-list 100 permit tcp host 192.168.1.2 host ?
  A.B.C.D  Destination address
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 ?    // destination host address
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  established
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  range        Match only packets in the range of port numbers
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq ?
  <0-65535>  Port number
  ftp        File Transfer Protocol (21)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  telnet     Telnet (23)
  www        World Wide Web (HTTP, 80)
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www ?    // the WWW service
  dscp         Match packets with given dscp value
  established  established
  precedence   Match packets with given precedence value
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
R2(config)#
R2(config)#access-list 100 deny ?
  eigrp  Cisco's EIGRP routing protocol
  gre    Cisco's GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
R2(config)#access-list 100 deny icmp ?    // deny ICMP, the protocol that ping uses
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
R2(config)#access-list 100 deny icmp host ?
  A.B.C.D  Source address
R2(config)#access-list 100 deny icmp host 192.168.1.2 ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 ?
  <0-256>               type-num
  echo                  echo
  echo-reply            echo-reply
  host-unreachable      host-unreachable
  net-unreachable       net-unreachable
  port-unreachable      port-unreachable
  protocol-unreachable  protocol-unreachable
  ttl-exceeded          ttl-exceeded
  unreachable           unreachable
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo ?
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
R2(config)#
R2(config)#int s2/0
R2(config-if)#?
  bandwidth          Set bandwidth informational parameter
  cdp                CDP interface subcommands
  clock              Configure serial interface clock
  crypto             Encryption/Decryption commands
  custom-queue-list  Assign a custom queue list to an interface
  delay              Specify interface throughput delay
  description        Interface specific description
  encapsulation      Set encapsulation type for an interface
  exit               Exit from interface configuration mode
  fair-queue         Enable Fair Queuing on an Interface
  frame-relay        Set frame relay parameters
  hold-queue         Set hold queue depth
  ip                 Interface Internet Protocol config commands
  keepalive          Enable keepalive
  mtu                Set the interface Maximum Transmission Unit (MTU)
  no                 Negate a command or set its defaults
  ppp                Point-to-Point Protocol
  priority-group     Assign a priority group to an interface
  service-policy     Configure QoS Service Policy
  shutdown           Shutdown the selected interface
  tx-ring-limit      Configure PA level transmit ring limit
  zone-member        Apply zone name
R2(config-if)#ip ?
  access-group        Specify access control for packets
  address             Set the IP address of an interface
  hello-interval      Configures IP-EIGRP hello interval
  helper-address      Specify a destination address for UDP broadcasts
  inspect             Apply inspect name
  ips                 Create IPS rule
  mtu                 Set IP Maximum Transmission Unit
  nat                 NAT interface commands
  ospf                OSPF interface commands
  split-horizon       Perform split horizon
  summary-address     Perform address summarization
  virtual-reassembly  Virtual Reassembly
R2(config-if)#ip ac
R2(config-if)#ip access-group ?
  <1-199>  IP access list (standard or extended)
  WORD     Access-list name
R2(config-if)#ip access-group 100 ?
  in   inbound packets
  out  outbound packets
R2(config-if)#ip access-group 100 out ?
R2(config-if)#ip access-group 100 out    // apply the access list outbound on interface s2/0
R2(config-if)#
R2(config-if)#
R2(config-if)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console

R2#show run
R2#show running-config
Building configuration...

Current configuration : 901 bytes
!
version 12.2
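To see how access list 100 decides, the two entries configured on R2 above can be evaluated in order together with the implicit "deny ip any any" that IOS places at the end of every ACL; the evaluator below is an added example, not part of the original lab. The Packet class, the PORT_NAMES table and the sample packets are constructed for the simulator; the addresses and entries are the ones the lab uses.

```python
from dataclasses import dataclass

@dataclass
class Packet:                 # constructed sample packet, only the fields the ACEs look at
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0            # TCP/UDP destination port
    icmp_type: str = ""       # "echo", "echo-reply", ...

# The ACEs exactly as entered on R2, in order, plus the implicit final deny
# that IOS appends to every ACL (it never appears in "show run").
ACL_100 = [
    "access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www",
    "access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo",
    "access-list 100 deny ip any any",
]
# Port keywords offered by "eq ?" in the transcript (assumed lookup table).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}

def _addr(tokens):            # 'any' -> None (matches everything); 'host A.B.C.D' -> address
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("wildcard masks are not used in this lab")

def parse_ace(line):
    """Parse the subset of extended-ACL syntax used in this lab."""
    _, _, action, proto, *rest = line.split()
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    port = icmp_type = None
    if rest and rest[0] == "eq":                 # TCP/UDP destination port
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif rest and proto == "icmp":               # ICMP message type keyword
        icmp_type = rest[0]
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "port": port, "icmp_type": icmp_type}

def ace_matches(ace, pkt):
    """Every specified field must match; None (unspecified) matches anything."""
    return (ace["proto"] in ("ip", pkt.proto) and ace["src"] in (None, pkt.src)
            and ace["dst"] in (None, pkt.dst) and ace["port"] in (None, pkt.dport)
            and ace["icmp_type"] in (None, pkt.icmp_type))

def evaluate(acl_lines, pkt):
    """First matching entry wins, as on IOS; returns (action, matching line)."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    raise RuntimeError("unreachable: the implicit deny matches every packet")
```

Because only one permit precedes the implicit deny, the explicit ICMP entry never changes the outcome; it documents the intent and gives its own match counter. The same implicit deny also drops traffic from every other branch host, since the permit is tied to host 192.168.1.2.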
