Cisco Router Lab 5: Configuring ACLs (Access Control Lists)
2007-12-04 11:34
The previous posts briefly covered configuring the two most common Cisco routing protocols; today it is time to talk about ACLs, access control lists.
What are ACLs? An ACL is an ordered list of permit and deny statements applied to an interface in a given direction (inbound or outbound).
Sorry, something came up in the department just now... OK, let's first look at the topology:
Router1's configuration:
Router>enable
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router1
Router1(config)#interface e0
Router1(config-if)#ip address 192.168.1.2 255.255.255.0
Router1(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router1(config-if)#interface s0
Router1(config-if)#ip address 192.168.2.1 255.255.255.0
Router1(config-if)#en
Router1(config-if)#encapsulation ppp
Router1(config-if)#clock rate 64000
Router1(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Serial0, changed state to up
%LINK-3-UPDOWN: Interface Serial0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
Router1(config-if)#exit
Router1(config)#ip route ?
a.b.c.d Destination prefix
Router1(config)#ip route 192.168.2.0 255.255.255.0 192.168.2.1 // Note: the 192.168.2.1 here cannot be written as S0. It works in a real environment, but for some reason in Boson NetSim it just won't ping
Router1(config)#ip route 192.168.3.0 255.255.255.0 192.168.2.1
Router1(config)#exit
Router1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router2's configuration:
Press Enter to Start
Router>enable
Router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Router2
Router2(config)#interface e0
Router2(config-if)#ip address 192.168.3.1 255.255.255.0
Router2(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router2(config-if)#interface s1
Router2(config-if)#ip address 192.168.2.2 255.255.255.0
Router2(config-if)#no shutdown
%LINK-3-UPDOWN: Interface Serial1, changed state to up
Router2(config-if)#exit
Router2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.2
Router2(config)#ip route 192.168.2.0 255.255.255.0 192.168.2.2
Router2(config)#exit
Router2#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Test:
Router2#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Router2#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
// Pinged between the routers and they reach each other; next, configure the PCs
PC1's configuration:
Boson BOSS 5.0
Copyright 1998-2003 Boson Software, Inc.
Use the command help to get started
Press Enter to begin
C:>
C:>winip?
winipcfg
C:>winipcfg (in winipcfg, set IP: 192.168.1.1 255.255.255.0, gateway: 192.168.1.2)
PC2's configuration:
Boson BOSS 5.0
Copyright 1998-2003 Boson Software, Inc.
Use the command help to get started
Press Enter to begin
C:>
C:>winip?
winipcfg
C:>winipcfg (in winipcfg, set IP: 192.168.3.2 255.255.255.0, gateway: 192.168.3.1)
The above is the same setup as in Lab 2: Configuring Static Routes.
Now let's look at the tasks and start the actual ACL configuration:
Task 1: No host on PC1's subnet may access PC2.
Here we use a standard ACL; when writing a standard ACL, place it as close to the destination as possible.
That means configuring it on Router2's E0 interface:
Put simply: Router2's E0 port does not allow traffic from the specific subnet 192.168.1.0 and forwards everything else.
Router2#config t
Router2(config)#access-list 1 deny 192.168.1.0 0.0.0.255
Router2(config)#access-list 1 permit any
Router2(config)#interface e0
Router2(config-if)#ip ?
address Set the IP address of an interface
ospf OSPF interface commands
access-group Specify access control for packets
nat NAT interface commands
summary-address Perform address summarization
router IP router interface commands
policy Enable policy routing
network Assign an IPX network & enable IPX routing
Router2(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
Router2(config-if)#ip access-group 1 ?
in inbound packets
out outbound packets
Router2(config-if)#ip access-group 1 out
Router2(config-if)#exit
Router2(config)#exit
Router2#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Test:
PC1 pinging PC2 fails
PC2 pinging PC1 fails // Ping is a two-way flow: PC2's packets reach PC1, but PC1's replies are filtered, so the ping fails
Success!
Task 2: PC1 must not be able to Telnet to PC2.
Here we use an extended ACL; when writing an extended ACL, place it as close to the source as possible.
That means configuring it on Router1's E0 interface:
Put simply: on Router1's E0 port, block Telnet traffic from the specific address 192.168.3.2 to the specific address 192.168.1.1 and forward everything else.
Router1#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 101 deny tcp host 192.168.3.2 host 192.168.1.1 eq ?
www World Wide Web (HTTP, 80)
bgp Border Gateway Protocol (179)
echo Echo (7)
telnet Telnet (23)
Router1(config)#access-list 101 deny tcp host 192.168.3.2 host 192.168.1.1 eq telnet // For some reason, typing the port number just doesn't work in Boson NetSim v6.0
Router1(config)#access-list 101 permit ip any any
Router1(config)#interface e0
Router1(config-if)#ip access-group 101 out
Router1(config-if)#exit
Router1(config)#exit
Router1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Test:
I honestly don't know how to test this in the simulator!! Any fellow bloggers who know, please leave a hint!!
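To check what the two lists in this lab actually match, here is a small added Python evaluator (written for this post; not Boson or IOS code) that parses the access-list lines exactly as entered and applies first-match, wildcard-mask and implicit-deny semantics; the port-name table is an assumption covering only the names used here. Run against the lab's addresses, it shows that ACL 1 denies PC1's echo replies as well as its requests, and that ACL 101 as written matches Telnet sessions opened from 192.168.3.2 toward 192.168.1.1, while the SYN-ACK answering a session PC1 opened is permitted because its destination port is not 23.

```python
import ipaddress
PORTS = {"telnet": 23, "www": 80}   # assumed: only the names this post uses

def _addr(tokens, i):
    """Read one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def _match(addr, spec):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (int(ipaddress.IPv4Address(addr)) & ~wild) == (base & ~wild)

def parse_acl(lines):
    """Turn 'access-list N permit|deny ...' lines into a list of entries."""
    acl = []
    for line in lines:
        t = line.split()
        e = {"action": t[2], "proto": "ip", "dport": None}
        if t[3] in ("ip", "tcp", "udp", "icmp"):      # extended syntax
            e["proto"] = t[3]
            e["src"], i = _addr(t, 4)
            e["dst"], i = _addr(t, i)
            if i < len(t) and t[i] == "eq":           # destination port
                e["dport"] = PORTS.get(t[i + 1]) or int(t[i + 1])
        else:                                          # standard: source only
            e["src"], _ = _addr(t, 3)
            e["dst"] = ("0.0.0.0", "255.255.255.255")
        acl.append(e)
    return acl

def evaluate(acl, src, dst, proto="ip", dport=None):
    """First matching entry wins; every list ends with an implicit deny."""
    for e in acl:
        if e["proto"] not in ("ip", proto) or (e["dport"] is not None and e["dport"] != dport):
            continue
        if _match(src, e["src"]) and _match(dst, e["dst"]):
            return e["action"]
    return "deny"

# The two lists exactly as entered on the page. ACL 1 is applied out on Router2 E0,
# ACL 101 out on Router1 E0, so each only sees packets leaving that interface.
ACL_1 = parse_acl(["access-list 1 deny 192.168.1.0 0.0.0.255",
                   "access-list 1 permit any"])
ACL_101 = parse_acl(["access-list 101 deny tcp host 192.168.3.2 host 192.168.1.1 eq telnet",
                     "access-list 101 permit ip any any"])
```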