Packet Tracer 5.0建构CCNA实验攻略(15)——ACL简单的配置

Packet Tracer 5.0建构CCNA实验攻略(15)——ACL简单的配置

ACL(Access Control List，访问控制列表)，简单说就是包过滤，根据数据包的报头中的ip地址、协议端口号等信息进行过滤。利用ACL可以实现安全控制。编号：1-99 or 1300-1999(standard IP)，100-199 or 2000-2699(Extended IP)。ACL并不复杂，但在实际应用中的，要想恰当地应用ACL，必需要制定合理的策略。

一、实验配置拓扑图

图一

图二 网络中的DNS服务器:192.168.1.2

图三 网络中的WWW服务器:192.168.1.3

二、三个路由器的基本配置 LuoShan#sh startup-config Using 699 bytes !

version 12.4

no service password-encryption !

hostname LuoShan ! !

enable password cisco ! ! !

!

username senya password 0 cisco !

ip ssh version 1 no ip domain-lookup ! !

interface FastEthernet0/0 no ip address duplex auto speed auto shutdown !

interface FastEthernet0/1

ip address 192.168.3.1 255.255.255.0 duplex auto speed auto !

interface Serial0/3/0

ip address 172.17.1.1 255.255.255.0 clock rate 56000 !

interface Serial0/3/1

ip address 172.18.1.2 255.255.255.0 !

interface Vlan1 no ip address shutdown !

router eigrp 100 network 192.168.3.0 network 172.17.0.0 network 172.18.0.0 auto-summary !

ip classless ! ! ! ! !

line con 0 line vty 0 4 password cisco

login ! ! end

HuangChuang#sh startup-config Using 669 bytes !

version 12.4

no service password-encryption !

hostname HuangChuang ! !

enable password cisco ! ! ! !

ip ssh version 1 no ip domain-lookup ! !

interface FastEthernet0/0 no ip address duplex auto speed auto shutdown !

interface FastEthernet0/1

ip address 192.168.2.1 255.255.255.0 duplex auto speed auto !

interface Serial0/3/0

ip address 172.17.1.2 255.255.255.0 !

interface Serial0/3/1

ip address 172.16.1.1 255.255.255.0 clock rate 56000 !

interface Vlan1 no ip address shutdown

router eigrp 100 network 192.168.2.0 network 172.17.0.0 network 172.16.0.0 auto-summary !

ip classless ! ! ! ! !

line con 0 line vty 0 4 password cisco login ! ! end

xixian#sh startup-config Using 679 bytes !

version 12.4

service password-encryption !

hostname xixian ! !

enable password 7 0822455D0A16 ! ! ! !

ip ssh version 1 no ip domain-lookup ! !

interface FastEthernet0/0 no ip address duplex auto speed auto shutdown

interface FastEthernet0/1

ip address 192.168.1.1 255.255.255.0 duplex auto speed auto !

interface Serial0/3/0

ip address 172.18.1.1 255.255.255.0 clock rate 56000 !

interface Serial0/3/1

ip address 172.16.1.2 255.255.255.0 !

interface Vlan1 no ip address shutdown !

router eigrp 100 network 192.168.1.0 network 172.18.0.0 network 172.16.0.0 auto-summary !

ip classless ! ! ! ! !

line con 0 line vty 0 4

password 7 0822455D0A16 login ! ! end

三、配置简单的ACL

１、配置ACL限制远程登录到路由器的主机 HuangChuang#conf t

Enter configuration commands, one per line. End with CNTL/Z.

HuangChuang(config)#access-list 1 permit host 192.168.2.2 ＼＼路由器HuangChuang只允许

192.168.2.2远程登录(telnet)

HuangChuang(config)#line vty 0 4

HuangChuang(config-line)#access-class 1 in HuangChuang(config-line)# 其它两个路由器配置相似。

２、配置ACL禁止192.168.3.0/24网段的icmp协议数据包通向与192.168.1.0/24网段

xixian(config)#access-list 101 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

xixian(config)#access-list 101 permit ip any any xixian(config)#int fa0/1

xixian(config-if)#ip access-group 101 out xixian(config-if)#

３、配置ACL禁止特点的协议端口通讯 HuangChuang#conf t

Enter configuration commands, one per line. End with CNTL/Z.

HuangChuang(config)#ip access-list extended ACL1 ＼＼创建基于名称的扩展ACL

HuangChuang(config-ext-nacl)#deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq 80

HuangChuang(config-ext-nacl)#deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq 53

HuangChuang(config-ext-nacl)#permit ip any any HuangChuang(config-ext-nacl)#exit HuangChuang(config)#int fa0/1

HuangChuang(config-if)#ip access-group ACL1 in HuangChuang(config-if)#

图四 验证ACL

４。检验、查看ACL

HuangChuang#sh access-list Standard IP access list 1

permit host 192.168.2.2 (4 match(es)) Extended IP access list ACL1

deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www permit ip any any

HuangChuang#show access-list Standard IP access list 1

permit host 192.168.2.2 (4 match(es)) Extended IP access list ACL1

deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain (15

match(es)) deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www (60 match(es)) permit ip any any (34 match(es)) HuangChuang#show access-list ACL1 Extended IP access list ACL1

deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain (15 match(es)) deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www (60 match(es)) permit ip any any (34 match(es)) HuangChuang#show access-list 1 Standard IP access list 1

permit host 192.168.2.2 (4 match(es)) 四、配置ACL的路由器配置内容 HuangChuang#sh startup-config Using 914 bytes !

version 12.4

no service password-encryption !

hostname HuangChuang ! !

enable password cisco ! ! ! !

ip ssh version 1 no ip domain-lookup ! !

interface FastEthernet0/0 no ip address duplex auto speed auto shutdown !

interface FastEthernet0/1

ip address 192.168.2.1 255.255.255.0 ip access-group ACL1 in duplex auto speed auto

!

interface Serial0/3/0

ip address 172.17.1.2 255.255.255.0 !

interface Serial0/3/1

ip address 172.16.1.1 255.255.255.0 clock rate 56000 !

interface Vlan1 no ip address shutdown !

router eigrp 100 network 192.168.2.0 network …… 此处隐藏：5080字，全部文档内容请下载后查看。喜欢就下载吧 ……