PacketTracer5.2实验(十二)标准IP访问控制列表配置解读

1、课题：标准IP访问控制列表配置教学目标理解标准IP访问控制列表的原理及功能；掌握编号的标准IP访问控制列表的配置方法；教学重点：理解标准IP访问控制列表的原理及功能教学难点：掌握编号的标准IP访问控制列表的配置方法教具、教学素材准备：网络环境教学方法：讲授，演示，实作教学时数：2公司的经理部、财务部和销售部分别属于不同的3个网段，三部门之间用路由器进行信息传递，为了安全起见，公司领导要求销售部不能对财务部进行访问，但经理部可以对财务部进行访问。基本原理ACLs的全称为接入控制列表(AccessControlLists)，也称为访问列表(AccessList)，俗称为防火墙，在有的文档中还称之为

2、包过滤。ACLs通过定义一些规则对网络设备接口上的数据报文进行控制：允许通过或丢弃，从而提高网络可管理性和安全性；IPACL分为两种：标准IP访问列表和扩展IP访问列表，编号范围分别为199、13001999,100199、20002699；标准IP访问列表可以根据数据包的源IP地址定义规则，进行数据包的过滤；扩展IP访问列表可以根据数据包的源IP、目的IP、源端口、目的端口、协议来定义规则，进行数据包的过滤；IPACL基于接口进行规则的应用，分为：入栈应用和出栈应用；教学过程实验拓扑aFC1192.168.1：4W3.!FaJO/O*丿财劳FG3192.168.42419i168.4.119

3、2.1681.1经理-/FC2-192:168.2.24曲168:?.1誚售1、路由器之间通过V.35电缆串口连接，DCE端连接在R1上，配置其时间频率为64000；主机与路由器通过交叉线连接；2、配置路由器接口IP地址；3、在路由器上配置OSPF路由协议，让三台PC能相互ping通，因为只有在互通的前提下才能涉及到访问控制列表；4、在R1上配置编号的IP标准访问控制列表；5、将标准IP访问列表应用到接口上；6、验证主机之间的互通性；R1:RouterenRouter#conftEnterconfigurationcommands,oneperline.EndwithCNTL/Z.Router

4、(config)#hostnameR1Rl(config)#interfacefal/0R1(config-if)#ipaddressR1(config-if)#noshut%LINK-5-CHANGED:InterfaceFastEthernet1/0,changedstatetoup%LINEPR0T0-5-UPD0WN:LineprotocolonInterfaceFastEthernet1/0,changedstatetoupRl(config-if)#exitRl(config)#intfaO/OR1(config-if)#ipadd1

5、R1(config-if)#noshut%LINK-5-CHANGED:InterfaceFastEthernet0/0,changedstatetoup%LINEPR0T0-5-UPD0WN:LineprotocolonInterfaceFastEthernet0/0,changedstatetoupR1(config-if)#exitR1(config)#intse2/0R1(config-if)#clockrate64000R1(config-if)#ipaddR1(config-if)#nos

6、hut%LINK-5-CHANGED:InterfaceSerial2/0,changedstatetodownR1(config-if)#exitR1(config)#R1(config)#routerospf1R1(config-router)#network55area0R1(config-router)#network55area0R1(config-router)#network55area0R1(config-router)#endR1#%SYS5C0NFIG_I:Confi

7、guredfromconsolebyconsoleR1#showiprouteCodes:C-connected,S-static,I-IGRP,R-RIP,M-mobile,B-BGPD-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterareaN1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2E1-OSPFexternaltype1,E2-OSPFexternaltype2,E-EGPi-IS-IS,L1-IS-ISlevel-1,L2-IS-ISlevel-2,ia-IS-ISinterarea*candi

8、datedefault,Uper-userstaticroute,oODRPperiodicdownloadedstaticrouteGatewayoflastresortisnotsetC/24isdirectlyconnected.FastEthernet1/0C/24isdirectlyconnected.FastEthernet0/0R1#R1#R1#showiproute/两台路由器配置好后的路由信息Codes:C-connected,S-static,I-IGRP,R-RIP,M-mobile,B-BGPD-EIGRP,EX-EIGRPe

9、xternal,O-OSPF,IA-OSPFinter2N1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltypeE1-OSPFexternaltype1,E2-OSPFexternaltype2,E-EGPi-IS-IS,L1-IS-ISlevel-1,L2-IS-ISlevel-2,ia-IS-ISinterarea*-candidatedefault,U-per-userstaticroute,o-ODRP-periodicdownloadedstaticrouteareaoflastresortGatewayisnotsetCCCOR1#R1#co

10、nf/24/24/24/24isisisdirectlydirectlydirectlyconnected,FastEthernet1/0connected.FastEthernet0/0connected,Serial2/0110/782via,00:00:15,Serial2/0EnterconfigurationR1(config)#ip?access-listdefault-networkdhcpparametersdomaindomain-lookuptranslationd

11、omain-nameforward-protocolbroadcastshostname-servernatroutetcpR1(config)#ipR1(config)#ipextendedstandardR1(config)#ipR1(config)#ipacaccessTist?ExtendedAccessStandardAccessaccess-liststaaccess-liststandard?ListListcommands,oneperline.EndwithCNTL/Z.Namedaccess-listFlagsnetworksascandidatesfordefaultro

12、utesConfigureDHCPserverandrelayIPDNSResolverEnableIPDomainNameSystemhostnameDefinethedefaultdomainnameControlsforwardingofphysicalanddirectedIPAddanentrytotheiphostnametableSpecifyaddressofnameservertouseNATconfigurationcommandsEstablishstaticroutesGlobalTCPparametersStandardIPaccess-listnumberWORDA

13、ccess-listnameR1(config)#ipaccess-liststandarddavid?R1(config)#ipaccess-liststandarddavid配置名为david的IP标准访问控制列表R1(config-std-nacl)#?defaultdenyexitnopermitremarkSetacommandtoitsdefaultsSpecifypacketstorejectExitfromaccess-listconfigurationmodeNegateacommandorsetitsdefaultsSpecifypacketstoforwardAccess

14、listentrycommentR1(config-std-nacl)#permitA.B.C.DWildcardbitsR1(config-std-nacl)#permitR1(config-std-nacl)#permit允许网段通过R1(config-std-nacl)#deny?A.B.C.Danyhost?55?55AddresstomatchAnysourcehostAsinglehostaddressR1(config-std-nacl)#deny192.168.2

15、.0?A.B.C.DWildcardbitsR1(config-std-nacl)#deny55?R1(config-std-nacl)#deny55禁止网段通过R1(config-std-nacl)#exitR1(config)#interR1(config)#interfaceR1(config-if)#?bandwidthcdpclockcryptocustom-queue-listdelaydescriptionencapsulationexitmodefair-queueframe-rela

16、yse2/0/SetbandwidthinformationalparameterCDPinterfacesubcommandsConfigureserialinterfaceclockEncryption/DecryptioncommandsAssignacustomqueuelisttoaninterfaceSpecifyinterfacethroughputdelayInterfacespecificdescriptionSetencapsulationtypeforaninterfaceExitfrominterfaceconfigurationEnableFairQueuingona

17、nInterfaceSetframerelayparametersholdqueueipconfigcommandskeepalivemtuSetholdqueuedepthInterfaceInternetProtocolEnablekeepaliveSettheinterfaceMaximumTransmissionUnit(MTU)nodefaultsNegateacommandorsetitspppprioritygroupservicepolicyshutdowntxringlimitzonememberPointtoPointProtocolAssignaprioritygroup

18、toaninterfaceConfigureQoSServicePolicyShutdowntheselectedinterfaceConfigurePAleveltransmitringlimitApplyzonenameRl(configif)#ipaccessgroupaddresshellointervalhelperaddressbroadcastsinspectipsmtunatospfsplithorizonsummaryaddressSpecifyaccesscontrolforpacketsSettheIPaddressofaninterfaceConfiguresIPEIG

19、RPhellointervalSpecifyadestinationaddressforUDPApplyinspectnameCreateIPSruleSetIPMaximumTransmissionUnitNATinterfacecommandsOSPFinterfacecommandsPerformsplithorizonPerformaddresssummarizationvirtualreassemblyVirtualReassemblyR1(configif)#ipacR1(config-if)#ipaccessgroup?IPaccesslist(standardorextende

20、d)WORDAccesslistnameR1(configif)#ipaccessgroupdavid?ininboundpacketsoutoutboundpacketsR1(configif)#ipaccessgroupdavidout?R1(configif)#ipaccessgroupdavidout/将名为david的IP标准访问控制列表应用到se2/0端口R1(configif)#endR1#%SYS5CONFIG_I:ConfiguredfromconsolebyconsoleR1#showrunningconfigBuildingconfiguration.Currentcon

21、figuration:928bytes!version12.2noservicetimestampslogdatetimemsecnoservicetimestampsdebugdatetimemsecnoservicepassword-encryption!hostnameR1interfaceFastEthernet0/0ipaddressduplexautospeedauto!interfaceFastEthernet1/0ipaddressduplexautospeedauto!interf

22、aceSerial2/0ipaddressipaccess-groupdavidoutclockrate64000!interfaceSerial3/0noipaddressshutdown!interfaceFastEthernet4/0noipaddressshutdown!interfaceFastEthernet5/0noipaddressshutdown!routerospf1log-adjacency-changesnetwork55area0network55a

23、rea0network55area0ipclassless!ipaccessliststandarddavidpermit55deny55linecon0linevty04loginendR1#R2:RouterenRouter#conftEnterconfigurationcommands,oneperline.EndwithCNTL/Z.Router(config)#hostnameR2R2(config)#intfa0/0R2(config-if)#ipadd

24、R2(config-if)#noshut%LINK-5-CHANGED:InterfaceFastEthernet0/0,changedstatetoup%LINEPR0T0-5-UPD0WN:LineprotocolonInterfaceFastEthernet0/0,changedstatetoupR2(config-if)#exitR2(config)#intse2/0R2(config-if)#ipaddR2(config-if)#noshut%LINK-5-CHANGED:InterfaceSerial2/0,

25、changedstatetoupR2(config-if)#exitR2(config)#routerospf1R2(config-router)#%LINEPR0T0-5-UPD0WN:LineprotocolonInterfaceSerial2/0,changedstatetoupR2(config-router)#network55area0R2(config-router)#network55area000:11:23:%0SPF-5-ADJCHG:Process1,NbronSerial2/

26、0fromLOADINGtoFULL,LoadingDoR2(config-router)#endR2#%SYS5C0NFIG_I:ConfiguredfromconsolebyconsoleR2#showiprouteCodes:C-connected,S-static,I-IGRP,R-RIP,M-mobile,B-BGPD-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterareaN1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2E1-OSPFexternaltype1,E2-OSPFexternaltyp

27、e2,E-EGPi-IS-IS,L1-IS-ISlevel-1,L2-IS-ISlevel-2,ia-IS-ISinterarea*candidatedefault,Uper-userstaticroute,oODRPperiodicdownloadedstaticrouteGatewayoflastresortisnotsetO/24110/782via,00:00:09,Serial2/0O/24110/782via,00:00:09,Serial2/0C/24isdirectly

28、connected,Serial2/0C/24isdirectlyconnected.FastEthernet0/0R2#五、测试PC1:PacketTracerPCCommandLine1.0PCipconfigIPAddress:SubnetMask:DefaultGateway:PCping/ACL前Pingingwith32bytesofdata:Requesttimedout.Replyfrom:bytes=32time=15m

29、sTTL=126Replyfrom:bytes=32time=9msTTL=126Replyfrom:bytes=32time=15msTTL=126Pingstatisticsfor:Packets:Sent二4,Received=3,Lost二1(25%loss),Approximateroundtriptimesinmilli-seconds:Minimum=9ms,Maximum=15ms,Average=13msPCping/ACL后Pingingwith32bytesofdata:Replyfrom:bytes=32time=10msTTL=126Replyfrom:bytes=32time=9msTTL=126Replyfrom:bytes=32time=16msTTL=126Replyfrom:bytes=3