《《计算机网络》实验指导书:标准访问控制列表》由会员分享,可在线阅读,更多相关《《计算机网络》实验指导书:标准访问控制列表(6页珍藏版)》请在金锄头文库上搜索。
1、 海量资料 超值下载标准访问控制列表一、实验目的1.掌握访问控制列表安全性的配置2.理解标准访问控制列表的作用。二、实验描述1.某些安全性要求比较高的主机或网络需要进行访问控制2.其他的很多应用都可以使用访问控制列表提供操作条件3.在本例中禁止192.168.1.0/24对PC2的访问三、实验拓扑四、所需设备1.R2801 2台2.PC 2台3.网线 2根4.串口线 1根五、实验步骤第1步:基本配置PC1:192.168.1.2 默认网关:192.168.1.1PC2:192.168.3.2默认网关:192.168.3.1R1(config)#int f0/0R1(config-if)#ip
2、add 192.168.1.1 255.255.255.0R1(config-if)#no shR1(config-if)#int s1/0R1(config-if)#ip add 192.168.2.1 255.255.255.0R1(config-if)#clo rate 64000DCE设备需配置时钟速率R1(config-if)#no shR2(config)#int f0/0R2(config-if)#ip add 192.168.3.1 255.255.255.0R2(config-if)#no shR2(config-if)#int s1/0R2(config-if)#ip ad
3、d 192.168.2.2 255.255.255.0R2(config-if)#no sh第2步:路由配置,保证网络的连通性。R1(config)#ip route 192.168.3.0 255.255.255.0 192.168.2.2R2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1配置测试:R1#sh ip routeCodes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external
4、, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodi
5、c downloaded static routeGateway of last resort is not setC 192.168.1.0/24 is directly connected, FastEthernet0/0C 192.168.2.0/24 is directly connected, Serial1/0S 192.168.3.0/24 1/0 via 192.168.2.2R2(config)#exit%SYS-5-CONFIG_I: Configured from console by consoleR2#sh ip routeCodes: C - connected,
6、S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS
7、 inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static routeGateway of last resort is not setS 192.168.1.0/24 1/0 via 192.168.2.1C 192.168.2.0/24 is directly connected, Serial1/0C 192.168.3.0/24 is directly connected, FastEthernet0/0第3步:PC1能与PC2通信。第4步:配置
8、访问控制列表禁止PC1所在网段对PC2的访问R2(config)#access-list 1 deny 192.168.1.0 0.0.0.255定义基于源地址的标准访问控制列表R2(config)#access-list 1 permit any允许任何数据包通过,因为隐含条件为拒绝所有第5步:将访问控制列表绑定在相应的接口R2(config)#int s1/0进入要进行过虑的接口R2(config-if)#ip access-group 1 in绑定ACL 1在进的方向第6步:验证R2#sh access-lists 显示配置的ACLStandard IP access list 1 de
9、ny 192.168.1.0 0.0.0.255 (4 match(es)permit any第7步:测试六、注意事项1. 标准访问控制列表是基于源地址的2. 每条访问控制列表都有隐含的拒绝3. 标准访问控制列表一般绑定在离目标最近的接口4. 注意方向,以该接口为参考点,in是流进的方向;out是流出的方向七、参考配置R1#sh runBuilding configuration.Current configuration : 633 bytes!version 12.4no service password-encryption!hostname R1!ip ssh version 1!in
10、terface FastEthernet0/0 ip address 192.168.1.1 255.255.255.0 duplex auto speed auto!interface FastEthernet0/1 no ip address duplex auto speed auto shutdown!interface Serial1/0 ip address 192.168.2.1 255.255.255.0 clock rate 64000!interface Serial1/1 no ip address shutdown!interface Serial1/2 no ip a
11、ddress shutdown!interface Serial1/3 no ip address shutdown!interface Vlan1 no ip address shutdown!ip classlessip route 192.168.3.0 255.255.255.0 192.168.2.2 !line con 0line vty 0 4 login!EndR2#sh runBuilding configuration.Current configuration : 703 bytes!version 12.4no service password-encryption!h
12、ostname R2!ip ssh version 1!interface FastEthernet0/0 ip address 192.168.3.1 255.255.255.0 duplex auto speed auto!interface FastEthernet0/1 no ip address duplex auto speed auto shutdown!interface Serial1/0 ip address 192.168.2.2 255.255.255.0 ip access-group 1 in!interface Serial1/1 no ip address shutdown!interface Serial1/2 no ip address shutdown!interface Serial1/3 no ip address shutdown!interface Vlan1 no ip address shutdown!ip classlessip route 192.168.1.0 255.255.255.0 192.168.2.1 !access-list 1 deny 192.168.1.0 0.0.0.255access-list 1 permit any!line con 0line vty 0 4 login!end5
