Extended IP access control list configuration
Technical principle:
The typical fields an access control list rule is defined on are: source address, destination address, upper-layer protocol, and time range.
Extended IP access lists (numbered 100-199 and 2000-2699) use combinations of these fields to forward or block packets; a rule can match a packet's source IP, destination IP, source port, destination port and protocol, and the packet is filtered accordingly. Entries are checked top-down and the first match decides; every list ends with an implicit deny of all traffic, so anything not explicitly permitted is dropped.
Configuring an extended IP access list has two parts:
Define the extended IP access list
Apply the extended IP access list to a specific interface, in one direction (in or out)
Lab steps:
Build the topology:
1. The routers are connected over serial interfaces with a V.35 cable; the DCE end is on R1 (Serial2/0), where the clock rate is set to 64000; the hosts are connected to the routers with crossover cables.
2. Configure the IP addresses of the PC, the server and the router interfaces.
3. Configure static routes on the routers so that the PC and the server can ping each other; access control only becomes meaningful once there is end-to-end connectivity.
4. On R1, configure a numbered extended IP access control list.
5. Apply the extended IP access list to an interface.
6. Verify connectivity between the hosts.
Lab equipment:
1 PC; 1 Server-PT; 3 Router-PT; crossover cables; DCE serial cable
R0 configuration:
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host R0
R0(config)#int fa0/0
R0(config-if)#ip address 172.16.1.1 255.255.255.0
R0(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R0(config-if)#exit
R0(config)#int fa1/0
R0(config-if)#ip address 172.16.2.1 255.255.255.0
R0(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
R0(config-if)#exit
R0(config)#
R1 configuration:
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host R1
R1(config)#int fa1/0
R1(config-if)#ip address 172.16.2.2 255.255.255.0
R1(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R1(config-if)#exit
R1(config)#int se2/0
R1(config-if)#ip address 172.16.3.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
R1(config-if)#exit
R1(config)#
The serial link reports down here because the R2 end has not been configured yet; it comes up during the R2 configuration below.
R2 configuration:
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host R2
R2(config)#int se2/0
R2(config-if)#ip address 172.16.3.2 255.255.255.0
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
R2(config-if)#exit
R2(config)#int fa0/0
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R2(config-if)#ip address 172.16.4.1 255.255.255.0
R2(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
Configure a static route on R0 (default route towards R1):
R0(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
Configure a static route on R2 (default route towards R1):
R2(config)#ip route 0.0.0.0 0.0.0.0 172.16.3.1
Configure static routes on R1 (one for each stub network):
R1(config)#ip route 172.16.1.0 255.255.255.0 172.16.2.1
R1(config)#ip route 172.16.4.0 255.255.255.0 172.16.3.2
Test connectivity (from the PC, 172.16.1.2, to the server, 172.16.4.2):
PC>ping 172.16.4.2
Pinging 172.16.4.2 with 32 bytes of data:
Reply from 172.16.4.2: bytes=32 time=80ms TTL=125
Reply from 172.16.4.2: bytes=32 time=80ms TTL=125
Reply from 172.16.4.2: bytes=32 time=80ms TTL=125
Reply from 172.16.4.2: bytes=32 time=80ms TTL=125
Ping statistics for 172.16.4.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 80ms, Maximum = 80ms, Average = 80ms
Web test:
Configure the access list on R1 (permit HTTP from the PC to the server, deny ICMP echo from the PC to the server) and apply it outbound on Serial2/0:
R1(config)#access-list 100 permit tcp host 172.16.1.2 host 172.16.4.2 eq www
R1(config)#access-list 100 deny icmp host 172.16.1.2 host 172.16.4.2 echo
R1(config)#int se2/0
R1(config-if)#ip access-group 100 out
R1(config-if)#exit
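The following Python script is an added example, not part of the lab page and not Cisco IOS code. It parses the two access-list 100 entries configured above and evaluates constructed sample packets the way IOS evaluates a numbered extended list: entries are checked top-down, the first match decides, and an unmatched packet falls through to the implicit deny at the end of the list. It also exercises the rule fields listed in the technical-principle section (protocol, source, destination, port or ICMP type). The sample packets, the extra host 172.16.1.3 and the HTTPS probe are constructed for illustration; only the IOS syntax used on this page, plus `any` and `address wildcard` pairs, is supported.

```python
"""Evaluator for the numbered extended IP ACL used in this lab (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Keyword aliases IOS accepts instead of numeric ports / ICMP types (subset).
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every field present in the entry must match the packet."""
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.IPv4Address(p.src) not in self.src:
            return False
        if ipaddress.IPv4Address(p.dst) not in self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'host A.B.C.D', 'any' or 'A.B.C.D WILDCARD' from the front of tokens."""
    first = tokens.pop(0)
    if first == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    if first == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.IPv4Network(f"{first}/{netmask}", strict=False)


def parse_rule(line: str) -> Rule:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    rule = Rule(action, proto, _parse_addr(rest), _parse_addr(rest))
    if rest and rest[0] == "eq":
        rule.dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    elif rest and proto == "icmp":
        rule.icmp_type = ICMP_TYPES[rest[0]] if rest[0] in ICMP_TYPES else int(rest[0])
    return rule


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching entry decides; no match means the implicit 'deny ip any any'."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# The two entries configured on R1 in the lab (copied from the page).
ACL_100 = [parse_rule(line) for line in (
    "access-list 100 permit tcp host 172.16.1.2 host 172.16.4.2 eq www",
    "access-list 100 deny icmp host 172.16.1.2 host 172.16.4.2 echo",
)]

# Constructed sample packets as they would leave R1 Serial2/0 (the 'out' direction).
PC, SERVER = "172.16.1.2", "172.16.4.2"
SAMPLES = {
    "http_from_pc": Packet("tcp", PC, SERVER, dport=80),
    "ping_from_pc": Packet("icmp", PC, SERVER, icmp_type=8),
    "https_from_pc": Packet("tcp", PC, SERVER, dport=443),                  # no entry: implicit deny
    "http_from_other_host": Packet("tcp", "172.16.1.3", SERVER, dport=80),  # 172.16.1.3 is hypothetical
}


def lab_results() -> Dict[str, str]:
    """Verdict for each sample packet under access-list 100."""
    return {name: evaluate(ACL_100, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in lab_results().items():
        print(f"{name:22s} {verdict}")
```

Two points the verdicts make visible. First, the list is applied outbound on Serial2/0, so only traffic leaving R1 towards R2 is evaluated; the server's replies enter Serial2/0 inbound and are never checked, which is why the permitted web session needs no reverse entry. Second, the explicit `deny icmp ... echo` entry is redundant with the implicit deny (the ping would fail without it, as would HTTPS or any other host's traffic); its value is that the match is counted as a hit on that entry in `show access-lists` on the router, which is how you confirm the list is being evaluated as intended.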
Test:
PC>ping 172.16.4.2
Pinging 172.16.4.2 with 32 bytes of data:
Reply from 172.16.2.2: Destination host unreachable.
Reply from 172.16.2.2: Destination host unreachable.
Reply from 172.16.2.2: Destination host unreachable.
Reply from 172.16.2.2: Destination host unreachable.
Ping statistics for 172.16.4.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The unreachable messages come from 172.16.2.2, the fa1/0 address of R1: R1 matched the echo requests against the deny entry on Serial2/0, dropped them and answered the PC with ICMP destination unreachable, so the packets never reached R2 or the server.
Web test: