Network Engineer Switching Lab Manual, Part 11: Access Control List Experiments (7 pages)

Objective: understand how an ACL works and become familiar with the basic steps of configuring one. There are three kinds of ACL: (1) standard ACLs, (2) extended ACLs and (3) named ACLs.

Experiment 1: standard access control list

Topology: R1 Serial0 (10.10.1.1/24) is connected to R2 Serial1 (10.10.1.2/24); R1's Loopback0 carries 192.168.10.1 to 192.168.10.5 to stand in for five PCs (addresses as in the configuration below).

Lab steps:

(1) Basic router configuration

R1:

    interface Loopback0
     ip address 192.168.10.1 255.255.255.0
     ip address 192.168.10.2 255.255.255.0 secondary    ! several addresses on one interface stand in for several PCs
     ip address 192.168.10.3 255.255.255.0 secondary
     ip address 192.168.10.4 255.255.255.0 secondary
     ip address 192.168.10.5 255.255.255.0 secondary
    interface Serial0
     ip address 10.10.1.1 255.255.255.0
     clockrate 64000
    router rip
     network 10.0.0.0
     network 192.168.10.0

R2:

    interface Serial1
     ip address 10.10.1.2 255.255.255.0
    router rip
     network 10.0.0.0

(2) Test reachability from R2 before any access list is configured.

    R2#ping 192.168.10.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
    R2#ping 192.168.10.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
    R2#ping 192.168.10.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms
    R2#ping 192.168.10.4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
    R2#ping 192.168.10.5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 32/32/32 ms

(3) Configure access list 10 on R2.

    R2(config)#access-list 10 permit 192.168.10.1     (10 is a standard ACL number; standard ACLs are numbered 1 to 99)
    R2(config)#access-list 10 permit 192.168.10.3
    R2(config)#access-list 10 permit 192.168.10.5

View the ACL configuration:

    R2#show ip access-lists
    Standard IP access list 10
        permit 192.168.10.3
        permit 192.168.10.1 (10 matches)
        permit 192.168.10.5

Apply ACL 10 inbound on interface S1:

    R2(config)#int s1
    R2(config-if)#ip access-group 10 in

(4) Test the effect of ACL 10.

    R2#ping 192.168.10.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
    R2#ping 192.168.10.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    R2#ping 192.168.10.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
    R2#ping 192.168.10.4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    R2#ping 192.168.10.5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms

Compare the results before and after ACL 10 is applied to see what an ACL does for network management and network security. Because the list is applied inbound on S1, it is the echo replies coming back from 192.168.10.x that are checked: a standard ACL looks only at the source address, and replies from .2 and .4 match no permit entry, so they fall through to the implicit deny at the end of every list.

A standard ACL can control traffic only by source address. When traffic has to be controlled by destination or by type of data, an extended ACL is needed; the next experiment shows how to configure and use one. Standard access lists are comparatively simple and are not used that often in practice.

Experiment 2: extended ACL

Topology: R3 Serial1 (192.168.100.2/24) is connected to R2 Serial0 (192.168.100.1/24), and R2 Serial1 (10.10.1.2/24) is connected to R1 Serial0 (10.10.1.1/24); R1's Loopback0 again carries 192.168.10.1 to 192.168.10.5.

Lab steps:

(1) Basic router configuration

R1:

    interface Loopback0
     ip address 192.168.10.1 255.255.255.0
     ip address 192.168.10.2 255.255.255.0 secondary    ! several addresses on one interface stand in for several PCs
     ip address 192.168.10.3 255.255.255.0 secondary
     ip address 192.168.10.4 255.255.255.0 secondary
     ip address 192.168.10.5 255.255.255.0 secondary
    interface Serial0
     ip address 10.10.1.1 255.255.255.0
     clockrate 64000
    router rip
     network 10.0.0.0
     network 192.168.10.0

R2:

    interface Serial0
     ip address 192.168.100.1 255.255.255.0
     clockrate 64000
    !
    interface Serial1
     ip address 10.10.1.2 255.255.255.0
    !
    router rip
     network 10.0.0.0
     network 192.168.100.0

R3:

    interface Serial1
     ip address 192.168.100.2 255.255.255.0
    router rip
     network 192.168.100.0

(2) Test connectivity from R3.

    R3#ping 192.168.10.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
    R3#ping 192.168.10.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 56/60/64 ms
    R3#ping 192.168.10.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 60/68/100 ms
    R3#ping 192.168.10.4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 60/68/100 ms
    R3#ping 192.168.10.5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms

(3) Configure access list 110 on R2.

    R2(config)#access-list 110 deny ip host 192.168.100.2 host 192.168.10.1
    R2(config)#access-list 110 deny ip host 192.168.100.2 host 192.168.10.2
    R2(config)#access-list 110 deny ip host 192.168.100.2 host 192.168.10.3
    R2(config)#access-list 110 permit ip any any

View the ACL configuration:

    R2#show ip access-lists

Apply ACL 110 outbound on interface S1 (the interface toward R1, which R3's traffic to 192.168.10.x leaves through):

    R2(config)#int s1
    R2(config-if)#ip access-group 110 out

(4) Test the effect of ACL 110.

    R3#ping 192.168.10.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    R3#ping 192.168.10.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    R3#ping 192.168.10.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    R3#ping 192.168.10.4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.4, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
    R3#ping 192.168.10.5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms
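To make the first-match and implicit-deny behaviour behind these two sets of results concrete, the following simulator is added here as an example; it is not part of the lab manual and not Cisco code. It parses ACL 10 and ACL 110 exactly as typed on R2 and evaluates the packets the two tests actually generate: for Experiment 1 the echo replies returning from 192.168.10.x into R2's S1 (the interface where ACL 10 is applied inbound), and for Experiment 2 the echo requests from R3 as they leave R2's S1. The Packet and Entry types, the helper names, the port-name table and the RIP check at the end are this example's own assumptions.

```python
"""Cisco-style ACL evaluation, written as an added example for this manual.

Models: entries tested top to bottom, first match wins, implicit "deny any"
at the end; wildcard masks checked bit by bit (0 bit = must match).  Only the
entry forms used in Experiments 1 and 2 (plus "eq <port>") are parsed.
"""
from ipaddress import IPv4Address
from typing import NamedTuple, Optional, Tuple

# Assumed port-name table covering the few service names this manual uses.
PORT_NAMES = {"www": 80, "echo": 7, "chargen": 19, "snmp": 161}


class Packet(NamedTuple):
    proto: str                 # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


class Entry(NamedTuple):
    permit: bool
    proto: str                 # "ip" matches any protocol (also used for standard lists)
    src: Tuple[int, int]       # (address, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int]


ANY = (0, 0xFFFFFFFF)


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' | 'A' at tokens[i]; return (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return ANY[0], ANY[1], i + 1
    if tokens[i] == "host":
        return int(IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(IPv4Address(tokens[i]))
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:   # an explicit wildcard follows
        return addr, int(IPv4Address(tokens[i + 1])), i + 2
    return addr, 0, i + 1      # bare address in a standard list: wildcard 0.0.0.0


def parse_entry(line):
    """Parse one 'access-list <n> permit|deny ...' line into an Entry."""
    t = line.split()
    number, permit = int(t[1]), t[2] == "permit"
    if 1 <= number <= 99 or 1300 <= number <= 1999:             # standard list: source only
        addr, wild, _ = _parse_addr(t, 3)
        return Entry(permit, "ip", (addr, wild), ANY, None)
    s_addr, s_wild, i = _parse_addr(t, 4)                        # extended: proto src dst [eq port]
    d_addr, d_wild, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Entry(permit, t[3], (s_addr, s_wild), (d_addr, d_wild), dport)


def _match(addr, net, wild):
    """Bits that are 0 in the wildcard must be equal."""
    return ((addr & ~wild) & 0xFFFFFFFF) == ((net & ~wild) & 0xFFFFFFFF)


def evaluate(entries, pkt):
    """Return ('permit'|'deny', index of the matching entry); index None means the implicit deny."""
    src, dst = int(IPv4Address(pkt.src)), int(IPv4Address(pkt.dst))
    for n, e in enumerate(entries):
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_match(src, *e.src) and _match(dst, *e.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return ("permit" if e.permit else "deny"), n
    return "deny", None


# The two lists exactly as typed on R2 in the experiments above.
ACL_10 = [parse_entry(l) for l in (
    "access-list 10 permit 192.168.10.1",
    "access-list 10 permit 192.168.10.3",
    "access-list 10 permit 192.168.10.5",
)]
ACL_110 = [parse_entry(l) for l in (
    "access-list 110 deny ip host 192.168.100.2 host 192.168.10.1",
    "access-list 110 deny ip host 192.168.100.2 host 192.168.10.2",
    "access-list 110 deny ip host 192.168.100.2 host 192.168.10.3",
    "access-list 110 permit ip any any",
)]


def experiment1_results():
    """ACL 10 is inbound on R2 S1, so it sees the echo replies from 192.168.10.x (source-only check)."""
    return {h: evaluate(ACL_10, Packet("icmp", f"192.168.10.{h}", "10.10.1.2"))[0] for h in range(1, 6)}


def experiment2_results():
    """ACL 110 is outbound on R2 S1: R3's echo requests are checked by source and destination."""
    return {h: evaluate(ACL_110, Packet("icmp", "192.168.100.2", f"192.168.10.{h}"))[0] for h in range(1, 6)}


def rip_update_from_r1():
    """Side effect of ACL 10: R1's RIP broadcast (UDP 520 from 10.10.1.1) matches no permit entry."""
    return evaluate(ACL_10, Packet("udp", "10.10.1.1", "255.255.255.255", 520))


if __name__ == "__main__":
    print("Experiment 1 (replies inbound on S1):", experiment1_results())
    print("Experiment 2 (requests outbound on S1):", experiment2_results())
    print("RIP update from R1 under ACL 10:", rip_update_from_r1())
```

The two result dictionaries reproduce the ping tables above (permit for .1/.3/.5 and deny for .2/.4 in Experiment 1; deny for .1/.2/.3 and permit for .4/.5 in Experiment 2). The last function shows the cost of the implicit deny: with ACL 10 inbound on S1, R1's RIP updates are dropped as well, so on a real network R2's route to 192.168.10.0 would age out once the RIP timers expire; the lab's pings simply run before that happens.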
Summary: comparing the pings before and after ACL 110 shows that an extended ACL can restrict traffic by destination address. It can also restrict traffic by type. For example,

    access-list 110 permit tcp host 192.168.100.1 host 192.168.10.1 eq www

controls web (HTTP) access from one host to another (the protocol keyword comes before the host addresses: permit tcp, not tcp permit).

Experiment 3: named lists, also called named ACLs

A named ACL does the same job as a standard or extended ACL, so only the configuration method is given here:

    rack03-1(config)#ip access-list extended www        (define the named ACL)
    rack03-1(config-ext-nacl)#permit tcp any any        (add entries to the ACL)
    rack03-1(config-ext-nacl)#deny udp any any
    rack03-1(config-ext-nacl)#exit

Why use a named list? With an ordinary numbered access list, removing a single entry removes the whole list, which makes editing difficult; a named list lets you add and remove individual entries.

Experiment 4: using access-lists against the "Blaster" worm

Using access-lists against the "Blaster" worm. The "Blaster" worm (WORM_MSBlast.A) has recently begun spreading on the domestic Internet and on some private networks. The access-list I had set up earlier at the access layer did its job!

    access-list 120 deny 53 any any
    access-list 120 deny 55 any any
    access-list 120 deny 77 any any
    access-list 120 deny 103 any any

Use the four entries above with caution! (The number after deny in these entries is an IP protocol number, not a port, so each of them drops an entire protocol.)

    access-list 120 deny tcp any any eq echo
    access-list 120 deny tcp any any eq chargen
    access-list 120 deny tcp any any eq 135
    access-list 120 deny tcp any any eq 136
    access-list 120 deny tcp any any eq 137
    access-list 120 deny tcp any any eq 138
    access-list 120 deny tcp any any eq 139
    access-list 120 deny tcp any any eq 389
    access-list 120 deny tcp any any eq 445
    access-list 120 deny tcp any any eq 4444     ! newly added
    access-list 120 deny udp any any eq 69       ! newly added
    access-list 120 deny udp any any eq 135
    access-list 120 deny udp any any eq 136
    access-list 120 deny udp any any eq 137
    access-list 120 deny udp any any eq 138
    access-list 120 deny udp any any eq 139
    access-list 120 deny udp any any eq snmp
    access-list 120 deny udp any any eq 389
    access-list 120 deny udp any any eq 445
    access-list 120 deny udp any any eq 1434
    access-list 120 deny udp any any eq 1433
    access-list 120 permit ip any any
    access-list 120 deny icmp any any echo
    access-list 120 deny icmp any any echo-reply
    access-list 120 deny tcp any any eq 135
    access-list 120 deny udp any any eq 135
    access-list 120 deny tcp any any eq 139
    access-list 120 deny udp any any eq 139
    access-list 120 deny tcp any any eq 445
    access-list 120 deny udp any any eq 445
    access-list 120 deny tcp any any eq 593
    access-list 120 deny udp any any eq 593
    access-list 120 permit ip any any

Because an access list is matched top to bottom and permit ip any any matches every packet, nothing listed after the first permit ip any any is ever reached: the entries below it read as a second, shorter variant of the same list (ICMP echo and echo-reply, TCP/UDP 593 and repeats of 135, 139 and 445) and only take effect if they are placed above it. Note also that denying ICMP echo and echo-reply stops all ping through the interface, not just the worm's traffic.

A shorter list, 115, applied in both directions:

    access-list 115 deny icmp any any echo
    access-list 115 deny icmp any any echo-reply
    access-list 115 deny tcp any any eq 135
    access-list 115 deny udp any any eq 135
    access-list 115 deny udp any any eq 69
    access-list 115 deny udp any any eq 137
    access-list 115 deny udp any any eq 138
    access-list 115 deny tcp any any eq 139
    access-list 115 deny udp any any eq 139
    access-list 115 deny tcp any any eq 445
    access-list 115 deny tcp any any eq 593
    access-list 115 permit ip any any

On the interface to be protected:

     ip access-group 115 in
     ip access-group 115 out

If you are blocking on a PIX instead:

    access-list 115 deny icmp any any echo
    access-list 115 deny icmp any any echo-reply
    access-list 115 deny tcp any any eq 135
    access-list 115 deny udp any any eq 135
    access-list 115 deny udp any any eq 69
    access-list 115 deny udp any any eq 137
    access-list 115 deny udp any any eq 138
    access-list 115 deny tcp any any eq 139
    access-list 115 deny udp any any eq 139
    access-list 115 deny tcp any any eq 445
    access-list 115 deny tcp any any eq 593
    access-list 115 permit ip any any
    access-group 115 in interface in
    access-group 115 in interface out

Experiment 5: limiting or blocking BT downloads on a router

Rate limiting:

    access-list 130 remark bt
    access-list 130 permit tcp any any range 6881 6890
    access-list 130 permit tcp any range 6881 6890 any
    rate-limit input access-group 130 8000 8000 conform-action transmit exceed-action drop
    rate-limit output access-group 130 8000 8000 conform-action transmit exceed-action drop

Blocking:

    access-list 130 deny tcp any any range 6881 6890
    access-list 130 deny tcp any range 6881 6890 any
    access-list 130 permit ip any any      ! required: with only deny entries the implicit deny blocks all traffic
    ip access-group 130 in                 (or out, depending on the direction to be blocked)

Both variants use list number 130, so use one or the other, not both. Some BT clients switch to another port automatically once they are blocked, which is rather annoying!