实验二 ACL简单配置

1. 实验要求

网络结构如下图1所示，路由器Ra有两个快速以太网接口连接内网，分别是 Fa0/0 : 210.31.10.0/24，Fa0/1 : 210.31.20.0/24；路由器Ra通过串行接口s0/0/0连接到Rb的串行接口s0/0/0；路由器Rb的快速以太网接口Fa0/0与两台服务器相连。Ra路由器一端的内网用户可以通过Ra和Rb访问服务器。 2. 实验目的

熟练掌握IP访问控制列表（ACL）的配置方法。 (1) 标准ACL配置方法：

 ACCESS-LIST access-list-number {DENY|PERMIT|REMARK}

source-wildcard destination destination-wildcard option  IP ACCESS-GROUP access-list-number {IN|OUT} (2) 扩展ACL配置方法：

 ACCESS-LIST access-list-number {DENY|PERMIT|REMARK}

source-wildcard destination destination-wildcard option  IP ACCESS-GROUP access-list-number {IN|OUT}

3. 实验设备

Devices Type Quantity

4. 实验拓扑图

PC * 4

Server DNS 1

Server WWW 1

Router 2811 2

Switch 2950-24 2 protocol

source

protocol

source

图1 实验拓扑图

5. 实验任务

1) 如上拓扑结构图将设备连接好；

2) 配置各个PC机和Server的IP，将配置好的IP填到下表： Devices PC1 PC2 PC3 PC4 DNS WWW

IP

210.31.10.1 210.31.10.2 210.31.20.1 210.31.20.2 192.168.1.1 192.168.1.2

Subnet-mask 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0

Gateway 210.31.10.2

210.31.10.2 210.31.20.2 210.31.20.2

192.168.1.2 192.168.1.2

3) 配置路由器的各个接口的IP地址（路由器的路由协议已经配置好）：

Devices Ra Rb

Ra 路由：Router>enable Router#conf t

Enter configuration commands, one per line. End with CNTL/Z. Router(config)#interface fa0/0

Router(config-if)#ip address 210.31.10.2 255.255.255.0 Router(config-if)#no shutdown

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up Router(config-if)#interface fa0/1

Router(config-if)#ip address 210.31.20.2 255.255.255.0 Router(config-if)#no shutdown

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up Router(config-if)#interface se0/0/0

Router(config-if)#ip address 10.0.0.1 255.0.0.0 Router(config-if)#no shutdown

S0/0/0 10.0.0.1 10.0.0.2

Fa0/0 210.31.10.2

192.168.1.2

Fa0/1 210.31.20.2

%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down Router(config-if)# Rb 路由： Router>enable Router#conf t

Enter configuration commands, one per line. End with CNTL/Z. Router(config)#interface fa0/0

Router(config-if)#ip address 192.168.1.2 255.255.255.0 Router(config-if)#no shutdown

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up Router(config-if)#interface se0/0/0

Router(config-if)#ip address 10.0.0.2 255.0.0.0 Router(config-if)#no shutdown

%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up Router(config-if)#

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up Router(config-if)#

4) 用ping命令测试各个设备的物理联通性； PC>ping 210.31.10.2

Pinging 210.31.10.2 with 32 bytes of data:

Reply from 210.31.10.2: bytes=32 time=141ms TTL=128 Reply from 210.31.10.2: bytes=32 time=59ms TTL=128 Reply from 210.31.10.2: bytes=32 time=62ms TTL=128 Reply from 210.31.10.2: bytes=32 time=33ms TTL=128 Ping statistics for 210.31.10.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds:

Minimum = 33ms, Maximum = 141ms, Average = 73ms

PC>ping 210.31.20.1

Pinging 210.31.20.1 with 32 bytes of data: Request timed out.

Reply from 210.31.20.1: bytes=32 time=125ms TTL=127 Reply from 210.31.20.1: bytes=32 time=78ms TTL=127 Reply from 210.31.20.1: bytes=32 time=125ms TTL=127 Ping statistics for 210.31.20.1:

Packets: Sent = 4, Received = 3, Lost = 1 (25% loss), Approximate round trip times in milli-seconds:

Minimum = 78ms, Maximum = 125ms, Average = 109ms PC>ping 210.31.20.2

Pinging 210.31.20.2 with 32 bytes of data: Request timed out.

Reply from 210.31.20.2: bytes=32 time=125ms TTL=127 Reply from 210.31.20.2: bytes=32 time=125ms TTL=127 Reply from 210.31.20.2: bytes=32 time=90ms TTL=127 Ping statistics for 210.31.20.2:

Packets: Sent = 4, Received = 3, Lost = 1 (25% loss), Approximate round trip times in milli-seconds:

Minimum = 90ms, Maximum = 125ms, Average = 113ms PC>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data: Request timed out.

Reply from 192.168.1.1: bytes=32 time=125ms TTL=126 Reply from 192.168.1.1: bytes=32 time=125ms TTL=126 Reply from 192.168.1.1: bytes=32 time=156ms TTL=126 Ping statistics for 192.168.1.1:

Packets: Sent = 4, Received = 3, Lost = 1 (25% loss), Approximate round trip times in milli-seconds:

Minimum = 125ms, Maximum = 156ms, Average = 135ms

5）系统调试期间，①禁止PC1访问Rb路由器一端的服务器，其他PC机均能访问；②只允

许210.31.20.0/24网段访问Rb路由器内部Server2的WWW服务，拒绝访问该服务器上的其他服务；③禁止192.168.1.0/24网段的ICMP协议数据包通向210.31.20.0/24网段。

① 在Rb路由器上配置：

Router>en Router#conf t

Router(config)#access-list 1 deny host 210.31.10.1 Router(config)#access-list 1 permit any Router(config)#int s0/0/0

Router(config-if)#ip access-group 1 in ② 在Rb路由器上配置： Router(config)#int se0/0/0

Router(config)#access-list 101 permit tcp 210.31.20.0 0.0.0.255 host 192.168.1.2 eq www Router(config)#access-list 101 deny ip any any Router(config)#int fa0/0

Router(config-if)#ip access-group 101 out ③ 在Ra路由器上配置：

Router>en Router#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#access-list 101 deny icmp 192.168.1.0 0.0.0.255 210.31.20.0 0.0.0.255 Router(config)#access-list 101 permit ip any any Router(config)#int fa0/1

Router(config-if)#ip access-group 101 out Router(config-if)# 5) 查看ACL； Ra路由器：

Router#show access-lists 101 Extended IP access list 101

deny icmp 192.168.1.0 0.0.0.255 210.31.20.0 0.0.0.255 permit ip any any Router#

Rb路由器: Router>en

Router#show access-lists Standard IP access list 1

deny host 210.31.10.1 (4 match(es)) permit any (92 match(es)) Extended IP access list 101

permit tcp 210.31.20.0 0.0.0.255 host 192.168.1.2 eq www deny ip any any 6) 测试配置结果。 Pc1:PC>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out.

Ping statistics for 192.168.1.2:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss), Pc2:PC>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 10.0.0.2: Destination host unreachable. Reply from 10.0.0.2: Destination host unreachable. Reply from 10.0.0.2: Destination host unreachable. Reply from 10.0.0.2: Destination host unreachable. Ping statistics for 192.168.1.2:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),