命名ACL配置

命名ACL配置

【实验目的】

1. 掌握命名ACL的配置。
2. 验证配置。

【实验拓扑】

实验拓扑如图1所示。

 

图1 实验拓扑

设备参数如表所示。

表1 设备参数表

设备	接口	IP地址	子网掩码	默认网关
R1	S0/3/0	192.168.1.1	255.255.255.252	N/A
	Fa0/0	192.168.2.1	255.255.255.0	N/A
R2	S0/3/0	192.168.1.2	255.255.255.252	N/A
	Fa0/0	172.16.10.254	255.255.255.0	N/A
PC1	N/A	192.168.2.2	255.255.255.0	192.168.2.1
PC2	N/A	192.168.3.2	255.255.255.0	192.168.3.1
Server1	N/A	172.16.10.1	255.255.255.0	172.16.10.254

【实验内容】

1.配置路由协议

1. R1的基本配置

Router>enRouter#conf Configuring from terminal, memory, or network [terminal]?Enter configuration commands, one per line. End with CNTL/Z.Router(config)#hostname R1R1(config)#interface f0/0R1(config-if)#ip add 192.168.2.1 255.255.255.0R1(config-if)#no shutdown

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

R1(config-if)#interface s0/3/0R1(config-if)#ip add 192.168.1.1 255.255.255.252R1(config-if)#no shutdown

%LINK-5-CHANGED: Interface Serial0/3/0, changed state to down

R1(config-if)#ex

R1(config)#

%LINK-5-CHANGED: Interface Serial0/3/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to up

R1(config)#ip route 192.168.3.0 255.255.255.0 s0/3/0

%Default route without gateway, if not a point-to-point interface, may impact performance

R1(config)#ip route 172.16.10.0 255.255.255.0 s0/3/0

%Default route without gateway, if not a point-to-point interface, may impact performance

//配置静态路由协议

（2）R2的基本配置

Router>enRouter#conf tEnter configuration commands, one per line. End with CNTL/Z.Router(config)#hostname R2R2(config)#interface s0/3/0R2(config-if)#ip add 192.168.1.2 255.255.255.252R2(config-if)#no shutdown

R2(config-if)#

%LINK-5-CHANGED: Interface Serial0/3/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to up

0

R2(config-if)#interface f0/0R2(config-if)#ip add 172.16.10.254 255.255.255.0R2(config-if)#no shutdown

R2(config-if)#

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

R2(config-if)#interface f0/1R2(config-if)#ip add 192.168.3.1 255.255.255.0R2(config-if)#no shutdown

R2(config-if)#

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

R2(config-if)#ex

R2(config)#ip route 192.168.2.0 255.255.255.0 s0/3/0

%Default route without gateway, if not a point-to-point interface, may impact performance

R2(config)#

（3）Server1的基本配置

 

 

(4)PC1的基本配置

 

(5)PC2的基本配置 

 

1. 验证连通性

1. PC1 ping PC2

 

1. PC1 ping Server1

 

3.验证PC1访问服务

（1）访问Web服务

 

②访问FTP服务

 

③访问DNS服务

 

4.在R2上配置命名标准ACL

R2(config)#ip access-list standard ACLR2(config-std-nacl)#deny 172.16.10.0 0.0.0.255R2(config-std-nacl)#permit anyR2(config-std-nacl)#exR2(config)#int f0/1R2(config-if)#ip access-group ACL out

1. 验证连通性

 

4.在R1上配置扩展ACL禁用Web

（1）R1的配置

R1(config)#ip access-list extended webR1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www//禁止192.168.2.0/24R1(config-ext-nacl)#permit ip any any//允许其他任何网段访问R1(config-ext-nacl)#exitR1(config)#interface s0/3/0R1(config-if)#ip access-group web out//在S0/3/0接口出方向应用ACL

1. 验证Web服务

 

\\禁用Web服务后，无法访问Web服务器

7.配置扩展ACL禁用FTP服务

（1）R1的配置

R1(config)#ip access-list extended ftpR1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 20R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 21R1(config-ext-nacl)#permit ip any anyR1(config-ext-nacl)#exitR1(config)#interface s0/3/0R1(config-if)#ip access-group ftp out

（2）验证FTP服务

 

\\禁用FTP服务后，无法访问FTP服务器8..配置扩展ACL禁用DNS服务
（1）R1的配置

R1(config)#ip access-list extended dnsR1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 53R1(config-ext-nacl)#deny udp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 53R1(config-ext-nacl)#permit ip any anyR1(config-ext-nacl)#exitR1(config)#interface s0/3/0R1(config-if)#ip access-group dns out

（2）验证DNS服务

 

//禁用DNS服务后，无法访问DNS服务器