《计算机网络方向大学课件 帧中继 cisco 讲课课件》由会员分享,可在线阅读,更多相关《计算机网络方向大学课件 帧中继 cisco 讲课课件(29页珍藏版)》请在金锄头文库上搜索。
1、南华工商学院第十五课 帧中继南华工商学院本章内容一、ACL作业二、配置FRAME-RELAY南华工商学院本章目标掌握以下内容: 配置ACL配置FRAMERELAY南华工商学院一、ACL作业:禁止外网向内网发起FTP连接(ftp 服务器除外) 阻止特定的内网210.38.120.0/24访 问外网 阻止内网访问特定的外网 202.100.10.0/24R1: 阻止外网对R1端口的telnet和ping。阻止外网的IP欺骗禁止外网向内网发起TCP连接(www服 务器除外)南华工商学院1:阻止外网对R1端口的telnetAccess-list 1 permit 210.38.122.0 0.0.0.
2、255Access-list 1 permit 210.38.122.0 0.0.0.255Access-list 1 permit 210.38.122.0 0.0.0.255Access-list 1 deny any南华工商学院2:阻止外网对R1端口的ping。Access-list 101 deny ip any host 192.168.0.1Access-list 101 deny ip any host 210.38.122.1Access-list 101 deny ip any host 192.168.12.1Access-list 101 deny ip any host
3、 192.168.13.1南华工商学院3:阻止外网的IP欺骗Access-list 2 deny 210.38.122.0 0.0.0.255Access-list 2 deny 210.38.120.0 0.0.0.255Access-list 2 deny 210.38.121.0 0.0.0.255Access-list 2 permit any南华工商学院4:禁止外网向内网发起TCP连接(www服务器除外210.38.122.250)Access-list 102 permit tcp any host 210.38.122.250 eq 80Access-list 102 permi
4、t tcp any any establishedAccess-list 102 deny tcp any any南华工商学院5:禁止外网向内网发起FTP连接(ftp服务器除外210.38.122.200) Access-list 103 permit tcp any host 210.38.122.200 eq 20 Access-list 103 permit tcp any host 210.38.122.200 eq 21 Access-list 103 permit tcp any any eq 20 established Access-list 103 permit tcp an
5、y any eq 21 established Access-list 103 deny tcp any any eq 20 Access-list 103 deny tcp any any eq 20南华工商学院6:阻止特定的内网210.38.120.0/24访问外网 Access-list 3 deny 210.38.120.0 0.0.0.255 Access-list 3 permit any any南华工商学院7:阻止内网访问特定的外网202.100.10.0/24 Access-list 104 deny ip any 202.100.10.0 0.0.0.255 Access-l
6、ist 104 permit ip any any南华工商学院综合1:ACL 1 绑定在vtyAccess-list 1 permit 210.38.122.0 0.0.0.255Access-list 1 permit 210.38.122.0 0.0.0.255Access-list 1 permit 210.38.122.0 0.0.0.255Access-list 1 deny any南华工商学院综合2:ACL 101 绑定在R1连接internet的接口上,in方向Access-list 101 deny ip any host 192.168.0.1Access-list 101
7、deny ip any host 210.38.122.1Access-list 101 deny ip any host 192.168.12.1Access-list 101 deny ip any host 192.168.13.1Access-list 101 deny ip 210.38.122.0 0.0.0.255 any Access-list 101 deny ip 210.38.120.0 0.0.0.255 anyAccess-list 101 deny ip 210.38.121.0 0.0.0.255 anyAccess-list 101 permit tcp any
8、 host 210.38.122.250 eq 80Access-list 101 permit tcp any any established南华工商学院综合2:ACL 101 绑定在R1连接internet的接口上,in方向 Access-list 101 permit tcp any host 210.38.122.200 eq 20 Access-list 101 permit tcp any host 210.38.122.200 eq 21 Access-list 101 deny tcp any any Access-list 101 permit ip any any南华工商学
9、院综合3:ACL 102 绑定在R1连接internet的接口上,out方向 Access-list 102 deny ip 210.38.120.0 0.0.0.255 any Access-list 102 deny ip any 202.100.10.0 0.0.0.255 Access-list 102 permit ip any any南华工商学院实验十七:ACL允许外网访问WEB服务器(10号机192.168.1.10); 不允许外网访问本组其它的主机; 不允许WEB服务器(10号机)访问外网的服务; 允许本组其它的主机访问外网的服务。南华工商学院分项:允许外网访问WEB服务器(1
10、0号机192.168.1.10); 不允许WEB服务器(10号机)访问外网的服务;Access-list 101 permit tcp any host 192.168.1.10 eq 80 Access-list 101 permit tcp host 192.168.1.10 any established Access-list 101 deny ip host 192.168.1.10 any不允许外网访问本组其它的主机; 允许本组其它的主机访问外网的服务;Access-list 102 permit tcp any 192.168.1.0 0.0.0.255 established
11、Access-list 102 deny tcp any 192.168.1.0 0.0.0.255 Access-list 102 permit ip any any南华工商学院综合:ACL 101 绑定在Rourter1连接internet的接口上,in方向Access-list 101 permit tcp any host 192.168.1.10 eq 80 Access-list 101 permit tcp host 192.168.1.10 any established Access-list 101 deny ip host 192.168.1.10 any Access-
12、list 101 permit tcp any 192.168.1.0 0.0.0.255 established Access-list 101 deny tcp any 192.168.1.0 0.0.0.255 Access-list 101 permit ip any any南华工商学院专线包交换PPP, SLIP, HDLCHDLC, PPP, SLIP电路交换X.25, Frame Relay, ATM广域网连接类型: 数据链路层Telephone CompanyService Provider南华工商学院二、Frame Relay 概述帧中继只在这里工作DCE or Frame
13、Relay SwitchCSU/DSUDLCI:数据链路连接标识符,只在本地起作用帧中继为每对DTE分配不同的DLCI、共享物理介质 和建立许多逻辑会话过程(虚电路),实现多路复用南华工商学院Frame Relay 术语Local Access Loop=T1Local Access Loop=64 kbpsLocal Access Loop=64 kbpsDLCI: 400PVCDLCI: 500LMI 100=Active 400=ActiveDLCI: 200DLCI: 100PVC南华工商学院Frame Relay 术语DTE:客户端设备,CPE,数据终端设备DCE:数据通信设备或数据
14、电路端接设备虚电路(VC):通过为每一对DTE设备分配一个连接标识 符,实现多个逻辑数据会话在同一条物理链路上进行多路复 用。数字连接识别号(DLCI):用以识别在DTE和FR之间的逻 辑虚拟电路。本地管理接口(LMI):是在DTE设备和FR之间的一种信令 标准,它负责管理链路连接和保持设备间的状态。南华工商学院CSU/DSUFrame Relay 地址映射DLCI: 500PVC10.1.1.1Inverse ARP or Frame Relay mapIP (10.1.1.1)Frame RelayDLCI (500)从提供商那里得到本地的DLCI号 建立目的地址和本地DLCI之间的映射关
15、系南华工商学院Frame Relay 的反转 ARP 协议Hello, I am 172.168.5.7.32Frame Relay Map172.168.5.5 DLCI 400 ActiveFrame Relay CloudDLCI=100DLCI=400Frame Relay Map172.168.5.7 DLCI 100 Active4172.168.5.5172.168.5.71Hello, I am 172.168.5.5.反转 ARP 缺省情况下是激活的 在配置输出信息中看不出来南华工商学院1、接口封装为帧中继:Router(config-if)#encapsulation fr
16、ame-relay2、指定路由器工作在DTE方式:Router(config-if)# frame-relay intf-type dte(2、指定路由器工作在DCE方式:frame-relay intf-type dce)3、配置本地虚电路号:Router(config-if)# frame-relay local-dlci 100配置 Frame Relay南华工商学院4、配置静态地址映射Router(config-if)# frame-relay map ip 对方ip地址 本地 dlci(4、配置动态地址映射,需要对方路由器支持逆地址解 析功能,缺省设置frame-relay inverse-arp)*如要设置路由器工作在DCE方式,则必须启动路由器 的帧中继交换工能R(config)# frame-relay switching配置 Frame Relay南华工商学院查看 Frame Relay 信息Router#show interface s0 Serial0 is up, line protocol is upHardware
