Access List (ACL) Configuration

Lab topology for the access-list configuration:

• Before configuring any access list, complete the basic configuration of R1, R2 and R3 and make sure the network is fully reachable. Any routing protocol can be used; OSPF is used here as the example.

Configure R1:

r1#show running-config
Building configuration...

Current configuration : 1104 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r1
!
logging rate-limit console 10 except errors
enable secret 5 $1$l0mP$X/cWseUaYAvmar/sYHR/b1
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip dhcp-client network-discovery
!
interface Loopback0
 ip address
!
interface Ethernet0
 ip address
 no keepalive
!
interface Serial0
 ip address
 clockrate 4000000
!
interface Serial1
 ip address
 clockrate 4000000
!
router ospf 1
 router-id
 log-adjacency-changes
 network 55 area 0
 network 55 area 0
 network 55 area 0
!
ip kerberos source-interface any
ip classless
ip route
ip http server
!
banner motd CelcomeC
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
 transport input none
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
!
end

r1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     /24 is subnetted, 1 subnets
C       is directly connected, Loopback0
     /24 is subnetted, 1 subnets
S       [1/0] via
     /24 is subnetted, 1 subnets
O       [110/74] via , 00:02:50, Serial0
     /24 is subnetted, 1 subnets
C       is directly connected, Ethernet0
     /24 is subnetted, 1 subnets
C       is directly connected, Serial0
     /24 is subnetted, 1 subnets
C       is directly connected, Serial1

r1#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

r1#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
r1#

Configure R2:

r2#show running-config
Building configuration...

Current configuration : 944 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r2
!
logging rate-limit console 10 except errors
enable secret 5 $1$5rLq$Vo49Q9glNM34bXqqZoYsc/
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
cns event-service server
!
interface Loopback0
 ip address
!
interface Ethernet0
 ip address
 no keepalive
!
interface Serial0
 ip address
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
router ospf 1
 router-id
 log-adjacency-changes
 network 55 area 0
 network 55 area 0
!
ip kerberos source-interface any
ip classless
no ip http server
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
!
end

r2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     /24 is subnetted, 1 subnets
C       is directly connected, Loopback0
     /24 is subnetted, 1 subnets
O       [110/138] via , 00:03:33, Serial0
     /24 is subnetted, 1 subnets
C       is directly connected, Ethernet0
     /24 is subnetted, 1 subnets
O       [110/74] via , 00:03:33, Serial0
     /24 is subnetted, 1 subnets
C       is directly connected, Serial0
     /24 is subnetted, 1 subnets
O       [110/128] via , 00:03:34, Serial0

r2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

r2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/12 ms

r2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/12 ms
r2#

Configure R3:

r3#show run
Building configuration...

Current configuration : 935 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r3
!
logging rate-limit console 10 except errors
enable secret 5 $1$Tcj2$skuSSEZtMp82QeG6jn3F/.
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
no ip dhcp-client network-discovery
!
interface Loopback0
 ip address
!
interface Ethernet0
 ip address
 no keepalive
!
interface Serial0
 ip address
!
interface Serial1
 no ip address
 shutdown
!
router ospf 3
 router-id
 log-adjacency-changes
 network 55 area 0
 network 55 area 0
!
ip kerberos source-interface any
ip classless
ip http server
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport input none
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
!
end

r3#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     /24 is subnetted, 1 subnets
C       is directly connected, Ethernet0
     /24 is subnetted, 1 subnets
C       is directly connected, Loopback0
     /24 is subnetted, 1 subnets
O       [110/138] via , 00:04:49, Serial0
     /24 is subnetted, 1 subnets
O       [110/74] via , 00:04:49, Serial0
     /24 is subnetted, 1 subnets
O       [110/128] via , 00:04:49, Serial0
     /24 is subnetted, 1 subnets
C       is directly connected, Serial0

r3#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

r3#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

r3#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/12 ms
r3#

The configuration above establishes full connectivity between R1, R2 and R3. Note that every ACL below ends with an implicit "deny any"; any packet that matches no entry is dropped, so a final "permit" entry is required whenever only specific traffic is meant to be blocked.

1. Configuring a standard ACL

Lab objective 1: deny the /24 network access to the /24 network.

A standard ACL matches on the source address only, so it is placed as close to the destination as possible; configuring it on R3 achieves the goal. Configure R3:

r3#configure terminal
r3(config)#access-list 10 deny 55        / deny the network
r3(config)#access-list 10 permit any      / permit everything else
r3(config)#interface serial 0
r3(config-if)#ip access-group 10 in       / apply the ACL inbound on s0
r3(config-if)#end
r3#

Verify on R2:

r2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
U.U.U                                     / "U" means the destination is unreachable
Success rate is 0 percent (0/5)

Lab objective 2: only allow hosts in the network to connect to the vty lines of router R1.

Configure R1:

r1#config t
r1(config)#access-list 1 permit 55
r1(config)#line vty 0 4
r1(config-line)#login
r1(config-line)#pass cisco
r1(config-line)#access-class 1 in         / apply ACL 1 on the vty lines
r1(config-line)#

An access-class restricts which source addresses may open a session to the vty lines; it does not replace authentication, which here is still the line password (stored in clear text, since "service password-encryption" is off in these configurations).

Test on R2:

r2#telnet                                 / the Telnet source address is , access is refused
Trying ...
% Connection refused by remote host
r2#config t
r2(config)#ip telnet source-interface ethernet 0    / change the Telnet source address
r2(config)#end
r2#telnet                                 / the Telnet source address is now , access is allowed
Trying ... Open

User Access Verification

Password:

By default a router sources Telnet from the address of the outgoing interface; "ip telnet source-interface" switches it to an address inside the permitted network, which is why the second attempt passes the access-class check.

2. Configuring an extended ACL

Lab objective 1: deny the /24 network Telnet access to the /24 network.

Configuring this on R3 achieves the goal. Configure R3:

r3#config t
r3(config)#access-list 100 deny tcp 55 55 eq 23
r3(config)#access-list 100 permit ip any any
r3(config)#interface serial 0
r3(config-if)#ip access-group 100 out     / apply the ACL
r3(config-if)#

Lab objective 2: only allow access to the FTP server 54; no other FTP access is permitted.

This is configured on R1. The topology is as follows:

r1(config)#access-list 101 permit tcp 55 54 eq 20
r1(config)#access-list 101 permit tcp 55 54 eq 21
r1(config)#access-list 101 deny tcp any any eq 20
r1(config)#access-list 101 deny tcp any any eq 21
r1(config)#access-list 101 permit ip any any
r1(config)#int serial 1
r1(config-if)#ip access-group 101 out
r1(config-if)#end
r1#

Entries are evaluated top down and the first match wins, so the two specific permits must come before the two general denies; the final "permit ip any any" leaves all non-FTP traffic untouched.

Verify the access lists:

r1#show access-lists
Standard IP access list 1
    permit permit , wildcard bits 55 (2 matches)
Extended IP access list 101
    permit tcp 55 host 54 eq ftp-data
    permit tcp 55 host 54 eq ftp
    deny tcp any any eq ftp-data
    deny tcp any any eq ftp
    permit ip any any

r1#show ip access-lists
Standard IP access list 1
    permit permit , wildcard bits 55 (2 matches)
Extended IP access list 101
    permit tcp 55 host 54 eq ftp-data
    permit tcp 55 host 54 eq ftp
    deny tcp any any eq ftp-data
    deny tcp any any eq ftp
    permit ip any any

r1#show ip interface serial 1
Serial1 is up, line protocol is up
  Internet address is /24
  Broadcast address is 55
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined:
  Outgo
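The following Python evaluator is an added example and is not part of the original lab document or of Cisco IOS. It parses numbered standard and extended ACL lines in the IOS syntax used above (wildcard masks, "host", "any", "eq port"), applies them with first-match-wins semantics and the implicit deny, and replays the three checks from the lab: the vty access-class (ACL 1), the Telnet block (ACL 100) and the FTP restriction (ACL 101). The page's own addresses did not survive extraction, so the networks used here are assumptions: 10.1.1.0/24 is the network each ACL permits (R2's Ethernet0 is assumed to sit on it), 10.2.2.0/24 is some other network, 10.3.3.0/24 is the destination network and 10.3.3.254 is a hypothetical FTP server.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20, "www": 80}
ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; otherwise "tcp"/"udp"/"icmp"
    src: tuple                   # (address, wildcard) as 32-bit ints
    dst: tuple
    dport: Optional[int] = None  # destination port from "eq"; None = any port


def _ip(tok):
    return int(ipaddress.IPv4Address(tok))


def _is_ip(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A W' | 'A' (standard-ACL shorthand, wildcard 0)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    if i + 1 < len(tokens) and _is_ip(tokens[i + 1]):
        return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2
    return (_ip(tokens[i]), 0), i + 1


def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line (numbered IPv4 ACLs only)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("expected an access-list line: " + line)
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:                      # standard ACL: source address only
        src, _ = _addr(t, 3)
        return Ace(action, "ip", src, ANY)
    if 100 <= number <= 199:                   # extended ACL: proto src dst [eq port]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        return Ace(action, t[3], src, dst, dport)
    raise ValueError("unsupported ACL number %d" % number)


def _addr_match(addr, rule):
    """Wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    base, wild = rule
    care = ~wild & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)


def evaluate(acl, src, dst, proto="ip", dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_addr_match(src, ace.src) and _addr_match(dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# The lab's three ACLs with the assumed addresses filled in (constructed input).
VTY_ACL_1 = ["access-list 1 permit 10.1.1.0 0.0.0.255"]
TELNET_ACL_100 = [
    "access-list 100 deny tcp 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255 eq 23",
    "access-list 100 permit ip any any",
]
FTP_ACL_101 = [
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 10.3.3.254 eq 20",
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 10.3.3.254 eq 21",
    "access-list 101 deny tcp any any eq 20",
    "access-list 101 deny tcp any any eq 21",
    "access-list 101 permit ip any any",
]


def lab_results():
    """Replay the lab's checks; returns a name -> 'permit'/'deny' mapping."""
    vty = [parse_ace(l) for l in VTY_ACL_1]
    telnet = [parse_ace(l) for l in TELNET_ACL_100]
    ftp = [parse_ace(l) for l in FTP_ACL_101]
    return {
        "vty_from_serial": evaluate(vty, "10.2.2.1", "10.1.1.1", "tcp", 23),     # refused
        "vty_from_ethernet": evaluate(vty, "10.1.1.2", "10.1.1.1", "tcp", 23),   # allowed
        "telnet_blocked": evaluate(telnet, "10.1.1.5", "10.3.3.5", "tcp", 23),
        "http_still_ok": evaluate(telnet, "10.1.1.5", "10.3.3.5", "tcp", 80),
        "ftp_allowed": evaluate(ftp, "10.1.1.5", "10.3.3.254", "tcp", 21),
        "ftp_other_client": evaluate(ftp, "10.2.2.5", "10.3.3.254", "tcp", 21),
        "ftp_other_server": evaluate(ftp, "10.1.1.5", "10.3.3.9", "tcp", 21),
        "ping_other_server": evaluate(ftp, "10.1.1.5", "10.3.3.9", "icmp"),
    }
```

Two caveats the replay makes visible. First, an ACL applied "out" on an interface only sees packets leaving that interface, and it keeps no connection state: the "eq 20" entries in ACL 101 match packets whose destination port is 20, which in active-mode FTP are the client's replies to the data connection the server opens from port 20; passive-mode data connections use negotiated high ports and pass under the final "permit ip any any", so the restriction really rests on the two "eq 21" entries denying the control channel to every other server. Second, swapping the order of the "permit" and "deny" entries in ACL 101 silently turns "ftp_allowed" into "deny", which is the kind of change that only a replay like this, or the match counters in "show access-lists", will catch.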