Extended IP Access Control List Configuration

Packet Tracer 5.2 Lab (13): Extended IP Access Control List Configuration

I. Lab objectives

Understand the principle and function of extended IP access control lists.
Master the configuration of numbered extended IP access control lists.

II. Lab background

The branch office and the head office are on different network segments, and routers carry traffic between the departments. For security reasons, branch management requires that department hosts can reach only the WWW service on the head office server and cannot use the ICMP service against it.

III. Technical principles

The typical criteria defined in an access list are: source address, destination address, upper-layer protocol, and time range.
Extended IP access lists (numbered 100-199 and 2000-2699) use combinations of these four criteria to forward or block packets. Rules can be defined on a packet's source IP, destination IP, source port, destination port, and protocol in order to filter packets.
Configuring an extended IP access list takes two steps:
Define the extended IP access list.
Apply the extended IP access list to a specific interface.

IV. Lab steps

1. The branch egress router and the external router are connected over a V.35 serial cable, with the DCE end on R2 and its clock rate set to 64000; hosts connect to the routers with crossover cables.
2. Configure the IP addresses of the PCs, the server, and the router interfaces.
3. Configure static routes on each router so that the PCs can ping one another, because access control lists only come into play once connectivity exists.
4. Configure a numbered extended IP access control list on R2.
5. Apply the extended IP access list to an interface.
6. Verify connectivity between the hosts.

R1:

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#int fa0/0
R1(config-if)#ip add 192.168.1.1 255.255.255.0    / configure the interface IP address
R1(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#int fa0/1
R1(config-if)#ip add 192.168.2.1 255.255.255.0    / configure the interface IP address
R1(config-if)#no shut
R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2    / configure the default route
R1(config)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#show ip route    / view the routing table
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 192.168.2.2 to network 0.0.0.0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 1/0 via 192.168.2.2
R1#
R1#show run
Building configuration.
Current configuration : 510 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
.
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.2
!
.
!
line con 0
line vty 0 4
 login
!
end
R1#

R2:

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#int fa0/0
R2(config-if)#ip add 192.168.2.2 255.255.255.0    / configure the interface IP address
R2(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
R2(config)#int s2/0
R2(config-if)#ip add 192.168.3.1 255.255.255.0    / configure the interface IP address
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
R2(config-if)#clock rate 64000    / configure the clock rate
R2(config-if)#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R2(config-if)#exit
R2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1    / configure the static route to destination network 1.0
R2(config)#ip route 192.168.4.0 255.255.255.0 192.168.3.2    / configure the static route to destination network 4.0
R2(config)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
S 192.168.1.0/24 1/0 via 192.168.2.1
C 192.168.2.0/24 is directly connected, FastEthernet0/0
C 192.168.3.0/24 is directly connected, Serial2/0
S 192.168.4.0/24 1/0 via 192.168.3.2
R2#
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ac
R2(config)#access-list ?
  IP standard access list
  IP extended access list
R2(config)#access-list 100 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
R2(config)#access-list 100 per
R2(config)#access-list 100 permit ?
  eigrp  Ciscos EIGRP routing protocol
  gre    Ciscos GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
R2(config)#access-list 100 permit tcp ?    / the web service uses the TCP protocol
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
R2(config)#access-list 100 permit tcp host ?
  A.B.C.D  Source address
R2(config)#access-list 100 permit tcp host 192.168.1.2 ?    / source host address
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
R2(config)#access-list 100 permit tcp host 192.168.1.2 host ?
  A.B.C.D  Destination address
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 ?    / destination host address
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  established
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  range        Match only packets in the range of port numbers
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq ?
  Port number
  ftp     File Transfer Protocol (21)
  pop3    Post Office Protocol v3 (110)
  smtp    Simple Mail Transport Protocol (25)
  telnet  Telnet (23)
  www     World Wide Web (HTTP, 80)
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www ?    / WWW service
  dscp         Match packets with given dscp value
  established  established
  precedence   Match packets with given precedence value
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
R2(config)#
R2(config)#access-list 100 deny ?
  eigrp  Ciscos EIGRP routing protocol
  gre    Ciscos GRE tunneling
  icmp   Internet Control Message Protocol
  ip     Any Internet Protocol
  ospf   OSPF routing protocol
  tcp    Transmission Control Protocol
  udp    User Datagram Protocol
R2(config)#access-list 100 deny icmp ?    / deny the ICMP protocol, which is the protocol ping uses
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
R2(config)#access-list 100 deny icmp host ?
  A.B.C.D  Source address
R2(config)#access-list 100 deny icmp host 192.168.1.2 ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 ?
  type-num
  echo                  echo
  echo-reply            echo-reply
  host-unreachable      host-unreachable
  net-unreachable       net-unreachable
  port-unreachable      port-unreachable
  protocol-unreachable  protocol-unreachable
  ttl-exceeded          ttl-exceeded
  unreachable           unreachable
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo ?
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
R2(config)#
R2(config)#int s2/0
R2(config-if)#?
  bandwidth          Set bandwidth informational parameter
  cdp                CDP interface subcommands
  clock              Configure serial interface clock
  crypto             Encryption/Decryption commands
  custom-queue-list  Assign a custom queue list to an interface
  delay              Specify interface throughput delay
  description        Interface specific description
  encapsulation      Set encapsulation type for an interface
  exit               Exit from interface configuration mode
  fair-queue         Enable Fair Queuing on an Interface
  frame-relay        Set frame relay parameters
  hold-queue         Set hold queue depth
  ip                 Interface Internet Protocol config commands
  keepalive          Enable keepalive
  mtu                Set the interface Maximum Transmission Unit (MTU)
  no                 Negate a command or set its defaults
  ppp                Point-to-Point Protocol
  priority-group     Assign a priority group to an interface
  service-policy     Configure QoS Service Policy
  shutdown           Shutdown the selected interface
  tx-ring-limit      Configure PA level transmit ring limit
  zone-member        Apply zone name
R2(config-if)#ip ?
  access-group    Specify access control for packets
  address         Set the IP address of an interface
  hello-interval  Configures IP-EIGRP hello interval
  helper-address  Specify a destination address for UDP broadcasts
  inspect         Apply inspect name
  ips             Create IPS rule
  mtu             Set IP Maximum Transmission Unit
  nat             NAT interface commands
  o
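
The two access-list 100 entries entered on R2 above, run through a first-match evaluator to show that traffic matching neither entry falls to the implicit deny that ends every IOS access list. This is an added example, not part of the original lab: the Ace class, the evaluate and report functions and the sample packets (including host 192.168.1.3) are constructed for illustration, and only host-to-host entries like the lab's are modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    """One access-list entry (hypothetical model, host-to-host matches only)."""
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "icmp", or "ip" for any protocol
    src: str
    dst: str
    dst_port: Optional[int] = None   # TCP "eq <port>"
    icmp_type: Optional[str] = None  # ICMP message type, e.g. "echo"

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("ip", pkt["proto"])
                and self.src == pkt["src"] and self.dst == pkt["dst"]
                and self.dst_port in (None, pkt.get("dst_port"))
                and self.icmp_type in (None, pkt.get("icmp_type")))

PC, SERVER = "192.168.1.2", "192.168.4.2"    # hosts named in the lab's ACL

# access-list 100 as entered on R2 ("eq www" is TCP port 80).
ACL_100 = [
    Ace("permit", "tcp", PC, SERVER, dst_port=80),
    Ace("deny", "icmp", PC, SERVER, icmp_type="echo"),
]

def evaluate(acl, pkt):
    """First match wins. Returns (action, entry number); 0 = implicit deny."""
    for number, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return ace.action, number
    return "deny", 0   # every IOS ACL ends with an unwritten "deny ip any any"

# Constructed sample packets; 192.168.1.3 is a made-up second branch host.
PACKETS = {
    "pc_http":    {"proto": "tcp", "src": PC, "dst": SERVER, "dst_port": 80},
    "pc_ping":    {"proto": "icmp", "src": PC, "dst": SERVER, "icmp_type": "echo"},
    "pc_telnet":  {"proto": "tcp", "src": PC, "dst": SERVER, "dst_port": 23},
    "other_http": {"proto": "tcp", "src": "192.168.1.3", "dst": SERVER, "dst_port": 80},
}

def report(acl=ACL_100):
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name, (action, number) in report().items():
        print(f"{name:<11} {action:<6} matched entry {number or 'implicit deny'}")
```

Calling report(ACL_100[:1]) leaves the ping result unchanged, so the explicit deny icmp entry only makes the intent visible; Telnet from the PC and HTTP from any other host are dropped as well.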
