扩展IP访问控制列表配置

扩展 IP 访问控制列表配置 技术原理 访问列表中定义的典型规则主要有以下 源地址 目标地址 上层协议 时间区域 扩展 IP 访问列表 编号为 100 199 2000 2699 使用四种以上组合来进行转发或者阻 断分组 可以根据数数据包的源 IP 地址 目的 IP 地址 源端口 目的端口 协议来 定义规则 进行数据包的过滤 扩展 IP 访问列表的配置包括以下 2 步 定义扩展 IP 访问列表 将扩展 IP 访问列表应用于特定接口上 实验步骤 新建拓扑图 打开老师的实验拓扑图 1 分公司出口路由器与外部路由器之间通过 v 35 电缆串口连接 DCE 端连接在 R2 上 配置其时钟频率 64000 主机与路由器通过交叉线连接 2 配置 pc 机 服务器及路由器接口 IP 地址 3 在各路由器上配置静态路由协议 让 pc 机能相互 ping 通 因为只有在相互通的前提下 才能涉及访问控制列表 4 在 R2 上配置编号的 IP 扩展访问控制列表 5 将扩展 IP 访问列表应用到接口 6 验证主机之间的互通性 Pc0 172 16 1 2 255 255 255 0 172 16 1 2 Server0 172 16 4 2 255 255 255 0 172 16 4 1 在路由器 0 上进行配置 Router enable Router config terminal Enter configuration commands one per line End with CNTL Z Router config hostname R0 R0 config interface fa0 0 R0 config if ip address 172 16 1 1 255 255 255 0 R0 config if no shutdown LINK 5 CHANGED Interface FastEthernet0 0 changed state to up LINEPROTO 5 UPDOWN Line protocol on Interface FastEthernet0 0 changed state to up R0 config if exit R0 config interface fa1 0 R0 config if ip address 172 16 2 1 255 255 255 0 R0 config if no shutdown R0 config if LINK 5 CHANGED Interface FastEthernet1 0 changed state to up R0 config if exit R0 config 在路由器 R1 上配置 Router enable Router config terminal Enter configuration commands one per line End with CNTL Z Router config hostname R1 R1 config interface fa1 0 R1 config if ip 172 16 2 2 255 255 255 0 Invalid input detected at marker R1 config if ip address 172 16 2 2 255 255 255 0 R1 config if no shutdown LINK 5 CHANGED Interface FastEthernet1 0 changed state to up LINEPROTO 5 UPDOWN Line protocol on Interface FastEthernet1 0 changed state to up R1 config if exit R1 config interface s2 0 R1 config if ip address 172 16 3 1 255 255 255 0 R1 config if no shutdown LINK 5 CHANGED Interface Serial2 0 changed state to down R1 config if clock rate 64000 R1 config if 在路由器 2 上 Router enable Router config terminal Enter configuration commands one per line End with CNTL Z Router config hostname R2 R2 config interface s2 0 R2 config if ip address 172 16 3 2 255 255 255 0 R2 config if no shutdown LINK 5 CHANGED Interface Serial2 0 changed state to up R2 config if exit LINEPROTO 5 UPDOWN Line protocol on Interface Serial2 0 changed state to up R2 config interface fa0 0 R2 config if ip address 172 16 4 1 255 255 255 0 R2 config if no shutdown LINK 5 CHANGED Interface FastEthernet0 0 changed state to up LINEPROTO 5 UPDOWN Line protocol on Interface FastEthernet0 0 changed state to up R2 config if 第二步 配置静态路由 实现全网通信 在路由器 0 上 R0 R0 enable R0 config terminal Enter configuration commands one per line End with CNTL Z R0 config ip route 0 0 0 0 0 0 0 0 172 16 2 2 R0 config 在路由器 2 上 R2 enable R2 config terminal Enter configuration commands one per line End with CNTL Z R2 config ip route 0 0 0 0 0 0 0 0 172 16 3 1 R2 config 在路由器 1 上配置 2 条静态路由 R1 R1 enable R1 config terminal Enter configuration commands one per line End with CNTL Z R1 config ip route 172 16 1 0 255 255 255 0 Incomplete command R1 config ip route 172 16 1 0 255 255 255 0 172 16 2 1 R1 config ip route 172 16 4 0 255 255 255 0 172 16 3 2 R1 config end R1 SYS 5 CONFIG I Configured from console by console R1 show ip route Codes C connected S static I IGRP R RIP M mobile B BGP D EIGRP EX EIGRP external O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 E EGP i IS IS L1 IS IS level 1 L2 IS IS level 2 ia IS IS inter area candidate default U per user static route o ODR P periodic downloaded static route Gateway of last resort is not set 172 16 0 0 24 is subnetted 4 subnets S 172 16 1 0 1 0 via 172 16 2 1 C 172 16 2 0 is directly connected FastEthernet1 0 C 172 16 3 0 is directly connected Serial2 0 S 172 16 4 0 1 0 via 172 16 3 2 R1 已经配置成功 现在需要在 pc0 上进行测试 PC ping 172 16 4 2 Pinging 172 16 4 2 with 32 bytes of data Reply from 172 16 4 2 bytes 32 time 125ms TTL 125 Reply from 172 16 4 2 bytes 32 time 112ms TTL 125 Reply from 172 16 4 2 bytes 32 time 110ms TTL 125 Reply from 172 16 4 2 bytes 32 time 113ms TTL 125 Ping statistics for 172 16 4 2 Packets Sent 4 Received 4 Lost 0 0 loss Approximate round trip times in milli seconds Minimum 110ms Maximum 125ms Average 115ms PC 发现是通的 然后 pc0 中 web browser 的 URL 中输入对方服务器的 IP 地址 Welcome to Cisco Packet Tracer the best thing since Packet Tracer 4 x Quick Links A small page Copyrights Image page Image 发现可以访问对方的 web 服务器 下面在路由器 1 上配置高级访问控制列表 R1 enable R1 config terminal Enter configuration commands one per line End with CNTL Z R1 config access list IP standard access list IP extended access list R1 config access list 100 Incomplete command R1 config access list 100 deny Specify packets to reject permit Specify packets to forward remark Access list entry comment R1 config access list 100 permit eigrp Cisco s EIGRP routing protocol gre Cisco s GRE tunneling icmp Internet Control Message Protocol ip Any Internet Protocol ospf OSPF routing protocol tcp Transmission Control Protocol udp User Datagram Protocol R1 config access list 100 permit tcp host 172 16 1 2 Incomplete command R1 config access list 100 permit tcp host 172 16 1 2 172 16 4 2 Incomplete command R1 config access list 100 permit tcp host 172 16 1 2 host A B C D Destination address R1 config access list 100 permit tcp host 172 16 1 2 host 172 16 4 2 R1 config access list 100 permit tcp host 172 16 1 2 host 172 16 4 2 dscp Match packets with given dscp value eq Match only packets on a given port number established established gt Match only packets with a greater port number lt Match only packets with a lower port number neq Match only packets not on a given port number precedence Match packets with given precedence value range Match only packets in the range of port numbers R1 config access list 100 permit tcp host 172 16 1 2 host 172 16 4 2 eq Port number ftp File Transfer Protocol 21 pop3 Post Office Protocol v3 110 smtp Simple Mail Transport Protocol 25 telnet Telnet 23 www World Wide Web HTTP 80 R1 config access list 100 permit tcp host 172 16 1 2 host 172 16 4 2 eq www R1 config access list 100 deny eigrp Cisco s EIGRP routing protocol gre Cisco s GRE tunneling icmp Internet Control Message Protocol ip Any Internet Protocol ospf OSPF routing protocol tcp Transmission Control Protocol udp User Datagram Protocol R1 config access list 100 deny icmp A B C D Source address any Any sou