
CCNA Training Course Notes: Extended Access Control List Lab (9)

Last updated: 2022-08-31 11:45:43

Lab objective:
Understand how access control lists (ACLs) work and become familiar with the basic steps for configuring an extended ACL.
Lab topology:
[Topology diagram for the extended ACL lab; image not reproduced here]
Lab content:
 
Router configuration
Configuration on R1
Enter global configuration mode and paste in the basic setup commands
Router(config)#enable password cisco
Router(config)#no ip domain-lookup
Router(config)#line con 0
Router(config-line)# exec-timeout 0 0
Router(config-line)# logging synchronous
Router(config-line)#
Router(config-line)#line aux 0
Router(config-line)# exec-timeout 0 0
Router(config-line)# logging synchronous
Router(config-line)#line vty 0 4
Router(config-line)#
Router(config-line)#
Router(config-line)# exec-timeout 0 0
Router(config-line)# password cisco
Router(config-line)#
Router(config-line)# login
Router(config-line)#
Router(config-line)#
Router(config-line)#alias exec a sh ip int bri
Router(config)#alias exec b sh ip route
Router(config)#alias exec c sh ip route rip
Router(config)#alias exec d sh run
Set the router hostname and interface addresses
Router(config)#host R1
R1(config)#interface loopback0
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#ip add 192.168.10.2 255.255.255.0 secondary (several IP addresses are configured on one interface here to stand in for several PCs: each IP address represents one PC)
R1(config-if)#ip add 192.168.10.3 255.255.255.0 secondary
R1(config-if)#ip add 192.168.10.4 255.255.255.0 secondary
R1(config-if)#ip add 192.168.10.5 255.255.255.0 secondary
R1(config-if)#exit
R1(config)#int s1/0
R1(config-if)#ip add 10.10.1.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#no shut
R1(config-if)#exit
Advertise the networks
R1(config)#router rip
R1(config-router)#network 10.0.0.0
R1(config-router)#network 192.168.10.0
Configuration on R2
Router(config)#host R2
R2(config)#int s1/1
R2(config-if)#ip add 10.10.1.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int s1/0
R2(config-if)#ip add 192.168.100.1 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shut
R2(config-if)#exit
Advertise the networks
R2(config)#router rip
R2(config-router)#network 10.0.0.0
R2(config-router)#network 192.168.100.0
Configuration on R3
Router(config)#host R3
R3(config)#int s1/1
R3(config-if)#ip add 192.168.100.2 255.255.255.0
R3(config-if)#no shut
Advertise the networks
R3(config)#router rip
R3(config-router)#network 192.168.100.0
Now test the traffic flow: from R3, ping each of R1's interfaces.
R3#ping 192.168.10.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/143/144 ms
R3#ping 192.168.10.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/152/188 ms
R3#ping 192.168.10.3
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/143/144 ms
R3#ping 192.168.10.4
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/157/216 ms
R3#ping 192.168.10.5
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/162/192 ms
The results are normal: before the extended ACL is configured, everything is reachable.
Next, create ACL 120 on R2
R2(config)#access-list 120 deny ip host 192.168.100.2 host 192.168.10.1
R2(config)#access-list 120 deny ip host 192.168.100.2 host 192.168.10.2
R2(config)#access-list 120 deny ip host 192.168.100.2 host 192.168.10.3
R2(config)#access-list 120 permit ip any any
Check the ACL configuration
R2(config)#do show access-lists
Extended IP access list 120
    10 deny ip host 192.168.100.2 host 192.168.10.1
    20 deny ip host 192.168.100.2 host 192.168.10.2
    30 deny ip host 192.168.100.2 host 192.168.10.3
    40 permit ip any any
Once it is confirmed correct, apply ACL 120 on R2's S1/1 interface
R2(config)#int s1/1
R2(config-if)#ip access-group 120 out
After the configuration, test whether applying ACL 120 has taken effect.
Again, ping each of R1's interfaces from R3.
R3#ping 192.168.10.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#ping 192.168.10.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#ping 192.168.10.3
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
As you can see, 192.168.10.1 through 192.168.10.3, which could be pinged before, are now unreachable and the pings report Unreachable (the U characters in the output)!! The reason is obvious: ACL 120 on R2 has taken effect and blocks the packets from leaving the S1/1 interface.
R3#ping 192.168.10.4
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/152/188 ms
R3#ping 192.168.10.5
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/143/144 ms
Meanwhile 192.168.10.4 and 192.168.10.5, which ACL 120 does not block, remain reachable.
Comparing this with the earlier standard access list lab, extended ACL 120 is far more powerful than a standard access list: it can restrict traffic based on the destination address, and it can also filter by traffic type. For example, access-list 120 deny tcp host 192.168.100.1 host 192.168.10.1 eq telnet restricts Telnet access from host 192.168.100.1 to host 192.168.10.1.
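To see on paper why the five pings above split the way they do, and what the Telnet entry in the closing paragraph would change, here is an added example (not part of the original lab notes or of IOS itself): a small Python evaluator for numbered extended ACL lines with the same first-match, implicit-deny semantics. The parser, the PORT_NAMES table and the packet tuples are this example's own simplifications; it only understands host, any, contiguous wildcard masks and an optional eq <port> after the destination.

```python
"""Added example, not part of the original lab notes: a small evaluator for
Cisco-style numbered extended ACL lines, used to work out on paper which of the
lab's packets ACL 120 permits or denies. Simplifications are this example's
own, not IOS behaviour: only 'host', 'any' and contiguous wildcard masks; an
optional 'eq <port>' on the destination only; named ports limited to PORT_NAMES."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}  # subset of the IOS port keywords


@dataclass
class Entry:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # set only by "eq <port>" after the destination


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i]; return the
    network and the index of the next unread token."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # Wildcard mask: 0 bits must match, 1 bits are ignored (inverse of a netmask).
    wild = int(ipaddress.IPv4Address(t[i + 1]))
    if (wild + 1) & wild:  # 1 bits are not a contiguous low run, e.g. 0.0.255.0
        raise ValueError(f"non-contiguous wildcard {t[i + 1]} not supported here")
    return ipaddress.IPv4Network(f"{t[i]}/{32 - wild.bit_length()}", strict=False), i + 2


def parse_entry(line: str, seq: int) -> Entry:
    """Parse 'access-list <n> {permit|deny} <proto> <src> <dst> [eq <port>]'.
    As in IOS, the action comes before the protocol."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not a valid extended ACL line: {line!r}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Entry(seq, t[2], t[3], src, dst, port)


def build_acl(lines: List[str]) -> List[Entry]:
    """Number entries 10, 20, 30, ... the way 'show access-lists' displayed them."""
    return [parse_entry(line, 10 * (n + 1)) for n, line in enumerate(lines)]


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching entry wins. If nothing matches, the implicit 'deny ip any
    any' at the end of every IOS ACL applies; it is reported with sequence None."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, e.seq
    return "deny", None


# The four lines entered on R2 in the lab.
ACL_120_LINES = [
    "access-list 120 deny ip host 192.168.100.2 host 192.168.10.1",
    "access-list 120 deny ip host 192.168.100.2 host 192.168.10.2",
    "access-list 120 deny ip host 192.168.100.2 host 192.168.10.3",
    "access-list 120 permit ip any any",
]


def lab_pings() -> Dict[str, str]:
    """R3 (192.168.100.2) pinging each of R1's five loopback addresses."""
    acl = build_acl(ACL_120_LINES)
    return {dst: evaluate(acl, "icmp", "192.168.100.2", dst)[0]
            for dst in ("192.168.10.1", "192.168.10.2", "192.168.10.3",
                        "192.168.10.4", "192.168.10.5")}


def telnet_filter(telnet_line_first: bool) -> Dict[str, str]:
    """Effect of the Telnet entry from the closing paragraph. Placed before
    'permit ip any any' it blocks only TCP/23; placed after it, it is never
    reached because the earlier permit already matched (order matters)."""
    telnet = "access-list 120 deny tcp host 192.168.100.1 host 192.168.10.1 eq telnet"
    lines = [telnet] + ACL_120_LINES if telnet_line_first else ACL_120_LINES + [telnet]
    acl = build_acl(lines)
    return {
        "telnet": evaluate(acl, "tcp", "192.168.100.1", "192.168.10.1", 23)[0],
        "http": evaluate(acl, "tcp", "192.168.100.1", "192.168.10.1", 80)[0],
        "ping": evaluate(acl, "icmp", "192.168.100.1", "192.168.10.1")[0],
    }


def implicit_deny() -> Tuple[str, Optional[int]]:
    """Without the final 'permit ip any any', even 192.168.10.4 is dropped."""
    return evaluate(build_acl(ACL_120_LINES[:3]), "icmp", "192.168.100.2", "192.168.10.4")


if __name__ == "__main__":
    print(lab_pings())
    print(telnet_filter(True), telnet_filter(False))
    print(implicit_deny())
```

Running it reproduces the lab: .1 through .3 are denied by entries 10 to 30, while .4 and .5 fall through to entry 40. The telnet_filter cases show the two points worth remembering when writing such lists: a more specific deny must precede the broad permit or it is dead, and removing the final permit ip any any exposes the implicit deny that silently drops everything else.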


This post is reproduced from 独钩寒江雪's 51CTO blog, original link: http://blog.51cto.com/bennie/101974; please contact the original author for reprint permission.