访问控制列表实验报告

实训报告实验名称 访问控制列表课程名称 计算机网络实验目的掌握访问控制列表的概念。能对路由器进行访问控制列表的设置。实验环境微机4台，2811的路由器2台，2950的交换机4台，双绞线4条，串行线一条。在计算机上安装有windowsxp的操作系统，并且安装有CiscoPacketTracer软件。实训规划和拓扑图规划：IIBO.O.0.0/24sQ/0/OsO/0/D20.0.0.1/24fj/150.0.0.1/24fO/OLanSwitch2£0/03B1140.0.0.l/24ir22350-Z4Switchl2呻-24Sw®ch3湿IIBO.O.0.0/24sQ/0/OsO/0/D20.0.0.1/24fj/150.0.0.1/24fO/OLanSwitch2£0/03B1140.0.0.l/24ir22350-Z4Switchl2呻-24Sw®ch3湿Mfo/!Roi|terl30.0.0.1/24PC-PTPC2PC-PTPCInPC-PTPC3PC-PTPC420.0.0.2/2430.0.0.2/2440.0.0.2/2420.0.0.2/2430.0.0.2/2440.0.0.2/2450.0.0.Z/24TOC\o"1-5"\h\zA -]rLM/0/0(60.0.0.1/24)-R2.M/D/0(60.0.0.2/24)]rLfQ/D(20. 0.1/24)-邻1 Lm 1 pel(20. 0. 0. 2)pl.fO/1(30. 0. 0. 1/24)-$战 言n 2 pc：2C3D. 0. 0. 2)R2.f0/0(40. 0. 0. 1/24)-州 Lan 3 pc3(40. 0. 0. 2)]r2.fO/lG50. 0. 0. 1/24)-S战 Lan 4 pc4C50. 0. 0. 2)4、实验要求：要求：a、Lan1不能访问lan2.b、 Lan1能访问lan3不能访问lan4.c、 Lan2能访问lan4不能访问lan3.5、实验步骤:（1） 按照规划，构建拓扑图。（标注好各个接口，和ip地址）（2） 按照规划配置好路由器的各个接口的ip地址，并且配置好路由协议，这里用的rip2.通过showiproute是否学到全网的路由。R1结果如下：Gatewayoflastresortisnotset-ZCi.0.0.0/Z4isEutmettedK1sulmetEC ZO.0.0.□isdirectlyconnected.FastEthernet0/030.0.0.0/Z4isEufcmettedK1subnetsC 30.0.0.0isdirectlyconnected.FastEthernet0/1R 4Ci.0.0.OXS [120/1]via 60.0.0.Z,00:00:18,SerialO/O/OR Sa.O.O.OXS [1Z0/1]via 60.0.0.Z,00:00:18,EerialO/O/OC 60.0.0.0/S isdirectly connected,EerialO/O/OR2结果如下：Gat-eway>z>flast- isnotset-RZO.U.O.0/8[ISOrl]via60.□.00;00;16^SerialC/U/U4U.0-0.L>/24Am4U.Li.0.Uis4U.0-0.L>/24Am4U.Li.0.Uis50.0_0.Li/24is■50.Li.0.Uis60.0_0.LI/E4is60.Li.0.Uisdirect-lycumiected„Fast-EtheunetU/0si-iEinet.r.ed^1siiLitietsdirect-lycumiect.ed_Fast-Et-hemet-U/lsi-itmet.r.Ed^1siiLiriet-sdirect-lycumieex已d仃Seriain/O./Li（3）配置访问控制列表:针对要求：Lan1不能访问lan2（以R1的接口f0/1为参照）

在R1：access-list1deny20.0.0.00.0.0.255access-list1permitanyR1的接口f0/1:ipaccess-group1out针对要求：Lan1能访问lan3不能访问lan4（以R2的接口f0/1为参照）在R2:access-list1deny20.0.0.00.0.0.255access-list1permitanyR2.f0/1ipaccess-groupout针对要求：Lan2能访问lan4不能访问lan3（以R2的接口f0/0为参照）在R2:aceess-list2deny30.0.0.00.0.0.255aceess-list2permitanyR2.f0/0:ipaccess-group2out6、实验结果：（1）针对要求：Lan1不能访问lan2.测试有以下结果:

pcipingpc2不通，符合要求1，如下图所示。PC^ping30.0_0-£Pinging30.0_0.2：with3Zbytesofdata:ReplyReplyReplyReplyfromfromframframZ0_0.0.1:DestinationZ0_0.0.1:Dest-inationZ0.0.0.1;ReplyReplyReplyReplyfromfromframframZ0_0.0.1:DestinationZ0_0.0.1:Dest-inationZ0.0.0.1;^0.0.0.1;liostunrea-ctiahle-unr&acliatole-Pingstatistiesfor30_□_0_Z:Packets:Serit4fRaceived0fLostPc2pingpciPingstatistiesfor30_□_0_Z:Packets:Serit4fRaceived0fLostPc2pingpci如下图:POping20_0.0_2Pi&giHgZ0.0.0_2rri七B3Ztoytssofda.ts:ReqTiQEt.timLed out..ReqriesttimLed out..Reqriesttilled out.Recjuesttimed out.Pc1上路由跟踪pc2:PC?-t.racert.30.0.0.ZTracing:mumto3QLQ-0.2；w移匚日.皿盆芯 口f3口h口gm:1£3mm 47mm必mm20.0.0.12£3mm 右凸mm47mm20.0.0.1363I£lS 63ms62ms20.a.o.i462UlS €2地三C220_0_0.1（2）针对要求：Lan1能访问lan3不能访问lan4Pcipingpc3:结果如下Pinging40.0.0.Zwith3Zbytesofdata:ReplyReplyReplyReplyfEonfEonfEonfEon40.0_0.Z:40.0_0.Z=40.0_0.Z=40.0_0.Z=bytes=3Zbyt@£=3Zbyt@£=3Zbyt@£=3£tine=lE6iiL£tin@=lZ5nL£ReplyReplyReplyReplyfEonfEonfEonfEon40.0_0.Z:40.0_0.Z=40.0_0.Z=40.0_0.Z=bytes=3Zbyt@£=3Zbyt@£=3Zbyt@£=3£tine=lE6iiL£tin@=lZ5nL£tin@=156nL£tin@=lS6nL£TTL=IZ6TTL=IZ6TTL=IZ6TTL=IZ6Pelpingpc4结果如下:£0_0.0.2Pinning50_0.0.Zuith3Ziytesofdata:ReplyReplyReplyReplyfremfromfmmfmm60.0.0.ZzDestination60.0.0.ZzDestinationP±n^Ps_ckets:SentforSO.0.0.2:4ReplyReplyReplyReplyfremfromfmmfmm60.0.0.ZzDestination60.0.0.ZzDestinationP±n^Ps_ckets:SentforSO.0.0.2:4rP_eceitredhostliostllQStllQStunraachahle.unreactiaLile-0fLost4(100^lossPcl路由跟踪pc4:tracert50.0.0.2TracitigroutetoS0_0_□_Z.o^7ermmaximumof30tiops:146uls6Zmw6ZmsZ0_0.□.1Z93uls93mm94ms60_0.□.Z394ULS94mm94ms60-0.□.Z494m_s79mw90mmS0_0.□.2594uls92m三93am60_0.□.2SSOuls94mw94amS0_0.□.2793uls93mw7SmsS0_0.□.2S7Suls54mm54ms50_0_0_£(3)针对要求：Lan2能访问lan4不能访问lan3Pc2pingpc4:PC>pin.g-50_0.□.ZFin^in.^-50_0_□_2-witki32bytesofdata:HeplyReplyReplyUsplyfrom50.a.0.2:50.a_0_2:50.a.0.2:bytes=32byt&s=32byt&s=32tinia=l25m与time=140ii5ti^e=141TisHeplyReplyReplyUsplyfrom50.a.0.2:50.a_0_2:50.a.0.2:bytes=32byt&s=32byt&s=32tinia=l25m与time=140ii5ti^e=141TisTTL=126TTL=126TTL=1Z6SO.□.0.2:toyt&s=32TTL=12GPin^statisticc：for50.0.0.Z:Packets:Sent=4^Received=4*Lost=0(0^loss)FApproximateroundtriptlute5inmilli-seconds:Hiiiimun=LE5H5,MaKinLumi=14Lm5,Average=136n5Pc2pingpc3:POpiny40.0_0_ZP 40_0_0_2wi七k22bytesqfdata:ReplyReplyReplyReplyfrom_0-□-2:Lestination_0-□-2:Destinatioti0_0-0-£:Destlnatioti_0.□.Z:Destlnationhosthosthosthostimreackiah1e-imreachah1e.imreackiati1e-imreacliah1e.Pc2路由跟踪pc3：FC>t-rs_cert40_0-0_2TtacirLg eto40_0.2overa.ma.妇mumof30hops:147色三47T£lS62MM30_0_0.1Z94a三9494MEeo.o.a.2aS3mu94T£l594eo_o.a.2463mm94ms94皿匚€o_o.a.z59493ms62皿匚€o_o.a.z4.实验分析（1） 要求Lan1不能互相访问lan2（以接口R1的接口f0/1为参照）以R1的接口f0/1为参照，（一般在实际情况，在自己的路由器上防止别个进入，进行设置，跑到别个的路由器上设置不现实）不允许源地址为lan1的网络（20.0.0.0/24）从接口f0/1出。允许原地址为的其它任何网络（包括如30.0.0.0/24）通过出。所以在R1上有以下语句：access-list1deny20.0.0.00.0.0.255access-list1permitanyR1的接口f0/1:ipaccess-group1out从ping和路由跟踪的结果来看，数据分组只到达20.0.0.1就停止了。符合要求。（2） 针对要求：Lan1能访问lan3不能访问lan4以R2的接口f0/1为参照，拒绝源地址网络为lan1（20.0.0.0/24）数据分组通过路由器R2的接口f0/1出。允许原地址为其它网络的数据分组从路由器R2的接口f0/1出。语句如下：R2:access-list1deny20.0.0.00.0.0.255access-list1permitanyR2.f0/1ipaccess-groupout从pc1pingpc4和路由跟踪的结果来看，数据分组经过20.0.0.1，到达60.0.0.2就停止了，没有到达50.0.0.1。符合要求。(3)针对要求：Lan2能访问lan4不能访问lan3以R2的接口f0/0为参照，拒绝原地址网络为lan2(30.0.0.0/24)的数据分组从R2的接口f0/0出。允许源地址为其它网络地址的数据分组从R2的？0/0接口出。所以有以下程序：在R2 aceess-list2deny30.0.0.00.0.0.255aceess-list2permitanyR2.f0/0: ipaccess-group2out从pc2pingpc3和路由跟踪来看：pc2的数据分组经过了30.0.0.1，到达了60.0.0.2，但就是到达不了40.0.0.1，所以符合要求。5.实验结论：(1)通过这次实验，明白了访问控制列表的作用和配置格式，以及其含义：config)#access-list[#][permit|deny][source-addresskeywordany][sourcemask]语法：a