Network Engineer Switching Lab Manual, Part 11: Access Control List Experiments

Lab objective: understand how an ACL works and become familiar with the basic steps for configuring one. There are three kinds of ACL: (1) standard ACLs, (2) extended ACLs, (3) named ACLs.

Experiment 1: Standard access control list

Lab topology: (figure not reproduced in the text)

Lab content:

(1) Basic router configuration

Basic configuration on R1:
interface Loopback0
 ip address
 ip address secondary (several IP addresses on one interface, standing in for several PCs)
 ip address secondary
 ip address secondary
 ip address secondary
interface Serial0
 ip address
 clockrate 64000
router rip
 network
 network

Basic configuration on R2:
interface Serial1
 ip address
router rip
 net

(2) Test reachability from R2 before any access control list is enabled.
R2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
R2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
R2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
R2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
R2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms

(3) Enable access control list ACL 10 on R2
R2(config)#access-list 10 permit (10 is the number of this standard ACL; standard ACL numbers lie in the range 0-99)
R2(config)#access-list 10 permit
R2(config)#access-list 10 permit

View the ACL configuration:
R2#show ip access-lists
Standard IP access list 10
    permit
    permit (10 matches)
    permit

Apply ACL 10 on interface S1:
R2(config)#int s1
R2(config-if)#ip access-group 10 in

(4) Test the effect of enabling ACL 10
R2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
R2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
.
Success rate is 0 percent (0/5)
R2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
R2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
.
Success rate is 0 percent (0/5)
R2#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms

Observe the difference before and after ACL 10 is enabled, and consider how ACLs are applied in network management and network security. A standard ACL can only control traffic by its source address; when traffic has to be controlled by destination or by traffic type, an extended ACL is needed. The next experiment shows how to configure and use an extended ACL. Standard access control lists are comparatively simple and are not used much in practice.

Experiment 2: Extended ACL

Lab topology: (figure not reproduced in the text)

Lab content:

(1) Basic router configuration

Basic configuration on R1:
interface Loopback0
 ip address
 ip address secondary (several IP addresses on one interface, standing in for several PCs)
 ip address secondary
 ip address secondary
 ip address secondary
interface Serial0
 ip address
 clockrate 64000
router rip
 network
 network

Basic configuration on R2:
interface Serial0
 ip address
 clockrate 64000
!
interface Serial1
 ip address
!
router rip
 network
 network

Basic configuration on R3:
interface Serial1
 ip address
router rip
 net

(2) Test connectivity:
R3#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
R3#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/60/64 ms
R3#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/68/100 ms
R3#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/68/100 ms
R3#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms

(3) Enable ACL 110 on R2
R2(config)#access-list 110 deny ip host host
R2(config)#access-list 110 deny ip host host
R2(config)#access-list 110 deny ip host host
R2(config)#access-list 110 permit ip any any

View the ACL configuration:
R2#show ip access-lists

Apply ACL 110 on interface S1 (outbound):
R2(config)#int s1
R2(config-if)#ip access-group 110 out

(4) Test the effect of enabling ACL 110
R3#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
.
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
R3#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
.
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
R3#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
.
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
R3#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
R3#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms

Summary: comparing the ping results before and after ACL 110 is enabled shows that an extended ACL can restrict traffic by destination address. Traffic can also be restricted by type; for example, access-list 110 permit tcp host host eq www restricts www access from one host to another.

Experiment 3: Named lists, also called named ACLs

Because a named ACL does the same job as a standard or extended ACL, only the configuration method of a named ACL is given here:
rack03-1(config)#ip access-list extended www (define the name of the named ACL)
rack03-1(config-ext-nacl)#permit tcp any any (add a condition to the ACL)
rack03-1(config-ext-nacl)#deny udp any any
rack03-1(config-ext-nacl)#exit

Why use a named list? With an ordinary access control list, deleting a single entry deletes the whole list, which makes modification difficult; a named list lets entries be added and changed individually.

Experiment 4: Using access-lists against the "Blaster" worm

Recently the "Blaster" worm (WORM_MSBlast.A) has begun to spread on the domestic Internet and on some private networks. The access-list I set up earlier at the access layer did its job!
access-list 120 deny 53 any any
access-list 120 deny 55 any any
access-list 120 deny 77 any any
access-list 120 deny 103 any any
Use the entries above with caution!
access-list 120 deny tcp any any eq echo
access-list 120 deny tcp any any eq chargen
access-list 120 deny tcp any any eq 135
access-list 120 deny tcp any any eq 136
access-list 120 deny tcp any any eq 137
access-list 120 deny tcp any any eq 138
access-list 120 deny tcp any any eq 139
access-list 120 deny tcp any any eq 389
access-list 120 deny tcp any any eq 445
access-list 120 deny tcp any any eq 4444 (newly added)
access-list 120 deny udp any any eq 69 (newly added)
access-list 120 deny udp any any eq 135
access-list 120 deny udp any any eq 136
access-list 120 deny udp any any eq 137
access-list 120 deny udp any any eq 138
access-list 120 deny udp any any eq 139
access-list 120 deny udp any any eq snmp
access-list 120 deny udp any any eq 389
access-list 120 deny udp any any eq 445
access-list 120 deny udp any any eq 1434
access-list 120 deny udp any any eq 1433
access-list 120 permit ip any any
access-list 120 deny icmp any any echo
access-list 120 deny icmp any any echo-reply
access-list 120 deny tcp any any eq 135
access-list 120 deny udp any any eq 135
access-list 120 deny tcp any any eq 139
access-list 120 deny udp any any eq 139
access-list 120 deny tcp any any eq 445
access-list 120 deny udp any any eq 445
access-list 120 deny tcp any any eq 593
access-list 120 deny udp any any eq 593
access-list 120 permit ip any any

access-list 115 deny icmp any any echo
access-list 115 deny icmp any any echo-reply
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq 69
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 permit ip any any
interface
 ip access-group 115 in
 ip access-group 115 out

If you are blocking on a PIX, it is:
access-list 115 deny icmp any any echo
access-list 115 deny icmp any any ech
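The behaviour the experiments rely on (a standard ACL matches on source only, an extended ACL on protocol, source, destination and port, the first matching entry wins, and anything left unmatched hits the implicit deny at the end) can be modelled in a few lines. The example below is added here and is not part of the lab manual or of IOS; it parses numbered access-list lines in the syntax used in Experiments 1, 2 and 4, evaluates a packet against them, and also flags entries that can never be reached, such as the deny lines that Experiment 4 places after "permit ip any any". The addresses in ACL10 are constructed, since the manual's own addresses are not present in the text.

```python
import ipaddress
PROTOS = {"ip", "tcp", "udp", "icmp"}
ANY = (0, 0xFFFFFFFF)  # (network, wildcard); a 1 bit in the wildcard means "don't care"
def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _addr(tok):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD' | 'A' (standard ACL, implicit 0.0.0.0)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    if len(tok) > 1 and tok[1].count(".") == 3:
        return (_ip(tok[0]), _ip(tok[1])), tok[2:]
    return (_ip(tok[0]), 0), tok[1:]

def parse_ace(line):
    """'access-list N permit|deny [proto] SRC [DST] [eq PORT]' -> one access-control entry as a dict."""
    tok = line.split()
    action, rest = tok[2], tok[3:]
    proto = rest.pop(0) if rest[0] in PROTOS or rest[0].isdigit() else "ip"
    src, rest = _addr(rest)
    dst, rest = _addr(rest) if rest and rest[0] != "eq" else (ANY, rest)  # standard ACL: source only
    port = rest[1] if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def _hit(ip, spec):         # does address `ip` match the (network, wildcard) pair `spec`?
    return (ip & ~spec[1]) == (spec[0] & ~spec[1])
def _covers(outer, inner):  # does `outer` match every address that `inner` matches?
    (onet, owc), (inet, iwc) = outer, inner
    return (owc | iwc) == owc and (inet & ~owc) == (onet & ~owc)
def _subsumes(e, a):        # does entry e's protocol/port selector include a's?
    return e["proto"] in ("ip", a["proto"]) and e["port"] in (None, a["port"])
def evaluate(acl, proto, src, dst, port=None):
    """IOS semantics: the first matching entry decides; no match falls through to the implicit 'deny'."""
    s, d = _ip(src), _ip(dst)
    for ace in map(parse_ace, acl):
        if _subsumes(ace, {"proto": proto, "port": port}) and _hit(s, ace["src"]) and _hit(d, ace["dst"]):
            return ace["action"]
    return "deny"
def shadowed(acl):
    """Indexes of entries that an earlier, broader entry makes unreachable (e.g. anything after 'permit ip any any')."""
    aces = [parse_ace(l) for l in acl]
    return [i for i, a in enumerate(aces) if any(
        _subsumes(e, a) and _covers(e["src"], a["src"]) and _covers(e["dst"], a["dst"]) for e in aces[:i])]

# Constructed samples: Experiment 1's ACL 10 with made-up addresses, and three lines of Experiment 4's ACL 120.
ACL10 = ["access-list 10 permit 192.168.1.1", "access-list 10 permit 192.168.1.2"]
ACL120 = ["access-list 120 deny tcp any any eq 135", "access-list 120 permit ip any any",
          "access-list 120 deny tcp any any eq 139"]
```

Running shadowed(ACL120) returns [2], the index of the deny line placed after "permit ip any any", and evaluate(ACL10, "icmp", "192.168.1.9", "10.0.0.2") returns "deny" although no entry names that source, which is the implicit deny that made two of the pings in Experiment 1 fail.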
