命名ACL配置
【实验目的】
- 掌握命名ACL的配置。
- 验证配置。
【实验拓扑】
实验拓扑如图1所示。
图1 实验拓扑
设备参数如表所示。
表1 设备参数表
| 设备 | 接口 | IP地址 | 子网掩码 | 默认网关 |
| R1 | S0/3/0 | 192.168.1.1 | 255.255.255.252 | N/A |
| Fa0/0 | 192.168.2.1 | 255.255.255.0 | N/A | |
| R2 | S0/3/0 | 192.168.1.2 | 255.255.255.252 | N/A |
| Fa0/0 | 172.16.10.254 | 255.255.255.0 | N/A | |
| PC1 | N/A | 192.168.2.2 | 255.255.255.0 | 192.168.2.1 |
| PC2 | N/A | 192.168.3.2 | 255.255.255.0 | 192.168.3.1 |
| Server1 | N/A | 172.16.10.1 | 255.255.255.0 | 172.16.10.254 |
【实验内容】
1.配置路由协议
- R1的基本配置
Router>en
Router#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface f0/0
R1(config-if)#ip add 192.168.2.1 255.255.255.0
R1(config-if)#no shutdown%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#interface s0/3/0
R1(config-if)#ip add 192.168.1.1 255.255.255.252
R1(config-if)#no shutdown%LINK-5-CHANGED: Interface Serial0/3/0, changed state to down
R1(config-if)#ex
R1(config)#
%LINK-5-CHANGED: Interface Serial0/3/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to up
R1(config)#ip route 192.168.3.0 255.255.255.0 s0/3/0%Default route without gateway, if not a point-to-point interface, may impact performance
R1(config)#ip route 172.16.10.0 255.255.255.0 s0/3/0%Default route without gateway, if not a point-to-point interface, may impact performance
//配置静态路由协议
(2)R2的基本配置
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface s0/3/0
R2(config-if)#ip add 192.168.1.2 255.255.255.252
R2(config-if)#no shutdownR2(config-if)#
%LINK-5-CHANGED: Interface Serial0/3/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to up
0
R2(config-if)#interface f0/0
R2(config-if)#ip add 172.16.10.254 255.255.255.0
R2(config-if)#no shutdownR2(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#interface f0/1
R2(config-if)#ip add 192.168.3.1 255.255.255.0
R2(config-if)#no shutdownR2(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R2(config-if)#ex
R2(config)#ip route 192.168.2.0 255.255.255.0 s0/3/0%Default route without gateway, if not a point-to-point interface, may impact performance
R2(config)#
(3)Server1的基本配置
(4)PC1的基本配置
(5)PC2的基本配置
- 验证连通性
- PC1 ping PC2
- PC1 ping Server1
3.验证PC1访问服务
(1)访问Web服务
②访问FTP服务
③访问DNS服务
4.在R2上配置命名标准ACL
R2(config)#ip access-list standard ACL
R2(config-std-nacl)#deny 172.16.10.0 0.0.0.255
R2(config-std-nacl)#permit any
R2(config-std-nacl)#ex
R2(config)#int f0/1
R2(config-if)#ip access-group ACL out- 验证连通性
4.在R1上配置扩展ACL禁用Web
(1)R1的配置
R1(config)#ip access-list extended web
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www
//禁止192.168.2.0/24
R1(config-ext-nacl)#permit ip any any
//允许其他任何网段访问
R1(config-ext-nacl)#exit
R1(config)#interface s0/3/0
R1(config-if)#ip access-group web out
//在S0/3/0接口出方向应用ACL- 验证Web服务
\\禁用Web服务后,无法访问Web服务器
7.配置扩展ACL禁用FTP服务
(1)R1的配置
R1(config)#ip access-list extended ftp
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 20
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 21
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#interface s0/3/0
R1(config-if)#ip access-group ftp out(2)验证FTP服务
\\禁用FTP服务后,无法访问FTP服务器8..配置扩展ACL禁用DNS服务
(1)R1的配置
R1(config)#ip access-list extended dns
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 53
R1(config-ext-nacl)#deny udp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 53
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#interface s0/3/0
R1(config-if)#ip access-group dns out(2)验证DNS服务
//禁用DNS服务后,无法访问DNS服务器
