Packet Tracer 5.0建构CCNA实验攻略(15)——ACL简单的配置
2009-06-05 10:59
Packet Tracer 5.0 is a very good Cisco network device simulator, and for anyone preparing for an entry-level Cisco certification such as CCNA it is an excellent choice. We usually do not have many Cisco devices around to learn and debug on, training is expensive, and hands-on lab time is limited, so practising Cisco IOS commands in Packet Tracer 5.0 works very well. I recently downloaded the Cisco CCNA 640-802 study guide and plan to follow it to share Packet Tracer 5.0 usage and tips with fellow readers, hoping this will encourage others to contribute as well.
 
  ACL (Access Control List): put simply, packet filtering based on the IP addresses, protocol, port numbers and other fields in the packet header. ACLs can be used to enforce security controls. Numbering: 1-99 or 1300-1999 (standard IP), 100-199 or 2000-2699 (extended IP). ACLs are not complicated, but to apply them properly in practice you must first define a sensible policy.
    
  I. Lab topology

Figure 1

Figure 2  The DNS server on the network: 192.168.1.2

Figure 3  The WWW server on the network: 192.168.1.3

  II. Basic configuration of the three routers
LuoShan#sh startup-config
Using 699 bytes
!
version 12.4
no service password-encryption
!
hostname LuoShan
!
!
enable password cisco
!
!
!
!
username senya password 0 cisco
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.18.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.3.0
network 172.17.0.0
network 172.18.0.0
auto-summary
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
password cisco
login
!
!
end

HuangChuang#sh startup-config
Using 669 bytes
!
version 12.4
no service password-encryption
!
hostname HuangChuang
!
!
enable password cisco
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.2 255.255.255.0
!
interface Serial0/3/1
ip address 172.16.1.1 255.255.255.0
clock rate 56000
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.2.0
network 172.17.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
password cisco
login
!
!
end

xixian#sh startup-config
Using 679 bytes
!
version 12.4
service password-encryption
!
hostname xixian
!
!
enable password 7 0822455D0A16
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.18.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.16.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.1.0
network 172.18.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
password 7 0822455D0A16
login
!
!
end

  III. Configuring simple ACLs
  1. An ACL restricting which hosts may log in to the router remotely
HuangChuang#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HuangChuang(config)#access-list 1 permit host 192.168.2.2 \\ router HuangChuang only allows 192.168.2.2 to log in remotely (telnet)
HuangChuang(config)#line vty 0 4
HuangChuang(config-line)#access-class 1 in
HuangChuang(config-line)#

  The other two routers are configured in the same way.

  2. An ACL blocking ICMP packets from the 192.168.3.0/24 segment to the 192.168.1.0/24 segment
xixian(config)#access-list 101 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
xixian(config)#access-list 101 permit ip any any
xixian(config)#int fa0/1
xixian(config-if)#ip access-group 101 out
xixian(config-if)#

  3. An ACL blocking traffic on specific protocol ports
HuangChuang#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HuangChuang(config)#ip access-list extended ACL1  \\ create a named extended ACL
HuangChuang(config-ext-nacl)#deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq 80
HuangChuang(config-ext-nacl)#deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq 53
HuangChuang(config-ext-nacl)#permit ip any any
HuangChuang(config-ext-nacl)#exit
HuangChuang(config)#int fa0/1
HuangChuang(config-if)#ip access-group ACL1 in
HuangChuang(config-if)#
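To see why the three lists above behave the way they do, here is a small Python model of how IOS evaluates them: entries are tested top down, the first match decides, and a packet that matches no entry is dropped by the implicit "deny any" that ends every list (this is why each extended list above ends with "permit ip any any"). This is an added example, not code from the original post or from Cisco; the Packet and Ace types are my own model, and the packets fed to it are constructed for illustration. The ACL lines themselves are exactly the ones configured on the three routers.

```python
# Added example (not from the original post): a model of IOS ACL evaluation
# for the standard list 1, the numbered extended list 101 and the named
# extended list ACL1 shown above. Packet/Ace are illustrative types; the
# packets used below are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "domain": 53}  # names IOS substitutes for 80 and 53

AddrSpec = Tuple[str, str]  # (base address, wildcard mask)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "icmp", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: AddrSpec
    dst: Optional[AddrSpec] = None   # standard ACLs only look at the source
    dport: Optional[int] = None
    hits: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must equal the base address bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Read 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str, standard: bool) -> Ace:
    t = line.split()
    if standard:                           # e.g. "permit host 192.168.2.2"
        src, _ = parse_addr(t, 1)
        return Ace(t[0], "ip", src)
    src, i = parse_addr(t, 2)              # e.g. "deny tcp host A B WILD eq 80"
    dst, i = parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(t[0], t[1], src, dst, dport)


def build_acl(lines: List[str], standard: bool = False) -> List[Ace]:
    return [parse_ace(line, standard) for line in lines]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace.src):
        return False
    if ace.dst is not None and not wildcard_match(pkt.dst, *ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins and its counter increments; no match = implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            ace.hits += 1
            return ace.action
    return "deny (implicit)"


# The three lists from the lab, exactly as configured on the routers.
ACL_1 = build_acl(["permit host 192.168.2.2"], standard=True)   # access-class on vty
ACL_101 = build_acl([
    "deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255",    # xixian fa0/1 out
    "permit ip any any",
])
ACL1 = build_acl([
    "deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq 80",     # HuangChuang fa0/1 in
    "deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq 53",
    "permit ip any any",
])

if __name__ == "__main__":
    print(evaluate(ACL_1, Packet("192.168.2.3", "192.168.2.1", "tcp", 23)))  # deny (implicit)
    print(evaluate(ACL_101, Packet("192.168.3.2", "192.168.1.3", "icmp")))   # deny
    print(evaluate(ACL1, Packet("192.168.2.2", "192.168.1.3", "tcp", 80)))    # deny
    print(evaluate(ACL1, Packet("192.168.2.2", "192.168.1.3", "tcp", 443)))   # permit
```

Two details worth trying with the model: a telnet attempt from 192.168.2.3 is rejected by list 1 even though the list contains no deny entry at all (the implicit deny does it), and ACL1 blocks 192.168.2.2 only on TCP port 80, so the same host still reaches the server on any other port.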


Figure 4  Verifying the ACL

  4. Checking and viewing the ACL
HuangChuang#sh access-list
Standard IP access list 1
    permit host 192.168.2.2 (4 match(es))
Extended IP access list ACL1
    deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain
    deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www
    permit ip any any
HuangChuang#show access-list
Standard IP access list 1
    permit host 192.168.2.2 (4 match(es))
Extended IP access list ACL1
    deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain (15 match(es))
    deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www (60 match(es))
    permit ip any any (34 match(es))
HuangChuang#show access-list ACL1
Extended IP access list ACL1
    deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain (15 match(es))
    deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www (60 match(es))
    permit ip any any (34 match(es))
HuangChuang#show access-list 1
Standard IP access list 1
    permit host 192.168.2.2 (4 match(es))
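The two "show access-list" outputs above are a before/after pair: right after configuration the ACL1 entries carry no counter, and after the test traffic they show 15, 60 and 34 matches. Comparing such snapshots is the usual way to confirm that a deny entry really fired rather than the traffic slipping through to "permit ip any any". Below is an added Python example (not from the original post) that parses that output format and reports the per-entry deltas; the two snapshot strings are copied from the output above, and the parser is my own, written against only the lines shown here.

```python
# Added example (not from the original post): parse two "show access-list"
# snapshots and report how many new matches each entry collected. BEFORE and
# AFTER are copied from the router output above; the regexes are mine and
# cover only the line shapes that output contains.
import re
from typing import Dict, List, Tuple

BEFORE = """\
Standard IP access list 1
    permit host 192.168.2.2 (4 match(es))
Extended IP access list ACL1
    deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain
    deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www
    permit ip any any
"""

AFTER = """\
Standard IP access list 1
    permit host 192.168.2.2 (4 match(es))
Extended IP access list ACL1
    deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain (15 match(es))
    deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www (60 match(es))
    permit ip any any (34 match(es))
"""

LIST_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
ACE_RE = re.compile(r"^\s+(.*?)(?: \((\d+) match\(es\)\))?$")


def parse_show_access_list(text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Return {list name: [(entry text, match count), ...]} in listed order.
    IOS prints no counter at all for an entry that has never matched."""
    lists: Dict[str, List[Tuple[str, int]]] = {}
    current = None
    for line in text.splitlines():
        header = LIST_RE.match(line)
        if header:
            current = header.group(2)
            lists[current] = []
            continue
        entry = ACE_RE.match(line)
        if entry and current is not None and entry.group(1):
            lists[current].append((entry.group(1), int(entry.group(2) or 0)))
    return lists


def hit_deltas(before: str, after: str) -> Dict[Tuple[str, str], int]:
    """New matches per entry between two snapshots (an entry absent earlier counts from 0)."""
    old = parse_show_access_list(before)
    new = parse_show_access_list(after)
    deltas: Dict[Tuple[str, str], int] = {}
    for name, entries in new.items():
        previous = dict(old.get(name, []))
        for text, hits in entries:
            deltas[(name, text)] = hits - previous.get(text, 0)
    return deltas


def fired_denies(snapshot: str) -> List[Tuple[str, str, int]]:
    """Deny entries with a non-zero counter: the traffic the ACL actually blocked."""
    return [(name, text, hits)
            for name, entries in parse_show_access_list(snapshot).items()
            for text, hits in entries
            if text.startswith("deny") and hits > 0]


if __name__ == "__main__":
    for (name, text), delta in hit_deltas(BEFORE, AFTER).items():
        print(f"{name:>5}  +{delta:<3}  {text}")
```

Note that IOS rewrites "eq 80" and "eq 53" as "eq www" and "eq domain" in this output, so a script that matches entries by text must compare against the displayed form, not the form you typed.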

  IV. Router configuration after the ACLs are applied

HuangChuang#sh startup-config
Using 914 bytes
!
version 12.4
no service password-encryption
!
hostname HuangChuang
!
!
enable password cisco
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip access-group ACL1 in
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.2 255.255.255.0
!
interface Serial0/3/1
ip address 172.16.1.1 255.255.255.0
clock rate 56000
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.2.0
network 172.17.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
access-list 1 permit host 192.168.2.2
ip access-list extended ACL1
deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain
deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www
permit ip any any
!
!
!
line con 0
line vty 0 4
access-class 1 in
password cisco
login
!
!
end

LuoShan#sh startup-config
Using 756 bytes
!
version 12.4
no service password-encryption
!
hostname LuoShan
!
!
enable password cisco
!
!
!
!
username senya password 0 cisco
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.18.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.3.0
network 172.17.0.0
network 172.18.0.0
auto-summary
!
ip classless
!
!
access-list 2 permit host 192.168.3.2
!
!
!
line con 0
line vty 0 4
access-class 2 in
password cisco
login
!
!
end

xixian#show startup-config
Using 808 bytes
!
version 12.4
service password-encryption
!
hostname xixian
!
!
enable password 7 0822455D0A16
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 out
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.18.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.16.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.1.0
network 172.18.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
access-list 101 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
line con 0
line vty 0 4
password 7 0822455D0A16
login
!
!
end
