ACL(Access Control List,访问控制列表),简单说就是包过滤,根据数据包的报头中的ip地址、协议端口号等信息进行过滤。利用ACL可以实现安全控制。编号:1-99 or 1300-1999(standard IP),100-199 or 2000-2699(Extended IP)。ACL并不复杂,但在实际应用中的,要想恰当地应用ACL,必需要制定合理的策略。
一、实验配置拓扑图
图一
图二 网络中的DNS服务器:192.168.1.2
图三 网络中的WWW服务器:192.168.1.3
图四 验证ACL
一、实验配置拓扑图
图一
图二 网络中的DNS服务器:192.168.1.2
图三 网络中的WWW服务器:192.168.1.3
二、三个路由器的基本配置
LuoShan#sh startup-config
Using 699 bytes
!
version 12.4
no service password-encryption
!
hostname LuoShan
!
!
enable password cisco
!
!
!
!
username senya password 0 cisco
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.18.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.3.0
network 172.17.0.0
network 172.18.0.0
auto-summary
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
password cisco
login
!
!
end
LuoShan#sh startup-config
Using 699 bytes
!
version 12.4
no service password-encryption
!
hostname LuoShan
!
!
enable password cisco
!
!
!
!
username senya password 0 cisco
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.18.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.3.0
network 172.17.0.0
network 172.18.0.0
auto-summary
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
password cisco
login
!
!
end
HuangChuang#sh startup-config
Using 669 bytes
!
version 12.4
no service password-encryption
!
hostname HuangChuang
!
!
enable password cisco
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.2 255.255.255.0
!
interface Serial0/3/1
ip address 172.16.1.1 255.255.255.0
clock rate 56000
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.2.0
network 172.17.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
password cisco
login
!
!
end
Using 669 bytes
!
version 12.4
no service password-encryption
!
hostname HuangChuang
!
!
enable password cisco
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.2 255.255.255.0
!
interface Serial0/3/1
ip address 172.16.1.1 255.255.255.0
clock rate 56000
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.2.0
network 172.17.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
password cisco
login
!
!
end
xixian#sh startup-config
Using 679 bytes
!
version 12.4
service password-encryption
!
hostname xixian
!
!
enable password 7 0822455D0A16
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.18.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.16.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.1.0
network 172.18.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
password 7 0822455D0A16
login
!
!
end
Using 679 bytes
!
version 12.4
service password-encryption
!
hostname xixian
!
!
enable password 7 0822455D0A16
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.18.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.16.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.1.0
network 172.18.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
!
!
!
line con 0
line vty 0 4
password 7 0822455D0A16
login
!
!
end
三、配置简单的ACL
1、配置ACL限制远程登录到路由器的主机
HuangChuang#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HuangChuang(config)#access-list 1 permit host 192.168.2.2 \\路由器HuangChuang只允许
1、配置ACL限制远程登录到路由器的主机
HuangChuang#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HuangChuang(config)#access-list 1 permit host 192.168.2.2 \\路由器HuangChuang只允许
192.168.2.2远程登录(telnet)
HuangChuang(config)#line vty 0 4
HuangChuang(config-line)#access-class 1 in
HuangChuang(config-line)#
HuangChuang(config)#line vty 0 4
HuangChuang(config-line)#access-class 1 in
HuangChuang(config-line)#
其它两个路由器配置相似。
2、配置ACL禁止192.168.3.0/24网段的icmp协议数据包通向与192.168.1.0/24网段
xixian(config)#access-list 101 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
xixian(config)#access-list 101 permit ip any any
xixian(config)#int fa0/1
xixian(config-if)#ip access-group 101 out
xixian(config-if)#
xixian(config)#access-list 101 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
xixian(config)#access-list 101 permit ip any any
xixian(config)#int fa0/1
xixian(config-if)#ip access-group 101 out
xixian(config-if)#
3、配置ACL禁止特点的协议端口通讯
HuangChuang#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HuangChuang(config)#ip access-list extended ACL1 \\创建基于名称的扩展ACL
HuangChuang(config-ext-nacl)#deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq 80
HuangChuang(config-ext-nacl)#deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq 53
HuangChuang(config-ext-nacl)#permit ip any any
HuangChuang(config-ext-nacl)#exit
HuangChuang(config)#int fa0/1
HuangChuang(config-if)#ip access-group ACL1 in
HuangChuang(config-if)#
HuangChuang#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HuangChuang(config)#ip access-list extended ACL1 \\创建基于名称的扩展ACL
HuangChuang(config-ext-nacl)#deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq 80
HuangChuang(config-ext-nacl)#deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq 53
HuangChuang(config-ext-nacl)#permit ip any any
HuangChuang(config-ext-nacl)#exit
HuangChuang(config)#int fa0/1
HuangChuang(config-if)#ip access-group ACL1 in
HuangChuang(config-if)#
图四 验证ACL
4。检验、查看ACL
HuangChuang#sh access-list
Standard IP access list 1
permit host 192.168.2.2 (4 match(es))
Extended IP access list ACL1
deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain
deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www
permit ip any any
HuangChuang#show access-list
Standard IP access list 1
permit host 192.168.2.2 (4 match(es))
Extended IP access list ACL1
deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain (15 match(es))
deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www (60 match(es))
permit ip any any (34 match(es))
HuangChuang#show access-list ACL1
Extended IP access list ACL1
deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain (15 match(es))
deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www (60 match(es))
permit ip any any (34 match(es))
HuangChuang#show access-list 1
Standard IP access list 1
permit host 192.168.2.2 (4 match(es))
HuangChuang#sh access-list
Standard IP access list 1
permit host 192.168.2.2 (4 match(es))
Extended IP access list ACL1
deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain
deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www
permit ip any any
HuangChuang#show access-list
Standard IP access list 1
permit host 192.168.2.2 (4 match(es))
Extended IP access list ACL1
deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain (15 match(es))
deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www (60 match(es))
permit ip any any (34 match(es))
HuangChuang#show access-list ACL1
Extended IP access list ACL1
deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain (15 match(es))
deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www (60 match(es))
permit ip any any (34 match(es))
HuangChuang#show access-list 1
Standard IP access list 1
permit host 192.168.2.2 (4 match(es))
四、配置ACL的路由器配置内容
HuangChuang#sh startup-config
Using 914 bytes
!
version 12.4
no service password-encryption
!
hostname HuangChuang
!
!
enable password cisco
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip access-group ACL1 in
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.2 255.255.255.0
!
interface Serial0/3/1
ip address 172.16.1.1 255.255.255.0
clock rate 56000
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.2.0
network 172.17.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
access-list 1 permit host 192.168.2.2
ip access-list extended ACL1
deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain
deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www
permit ip any any
!
!
!
line con 0
line vty 0 4
access-class 1 in
password cisco
login
!
!
end
Using 914 bytes
!
version 12.4
no service password-encryption
!
hostname HuangChuang
!
!
enable password cisco
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip access-group ACL1 in
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.2 255.255.255.0
!
interface Serial0/3/1
ip address 172.16.1.1 255.255.255.0
clock rate 56000
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.2.0
network 172.17.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
access-list 1 permit host 192.168.2.2
ip access-list extended ACL1
deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain
deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www
permit ip any any
!
!
!
line con 0
line vty 0 4
access-class 1 in
password cisco
login
!
!
end
LuoShan#sh startup-config
Using 756 bytes
!
version 12.4
no service password-encryption
!
hostname LuoShan
!
!
enable password cisco
!
!
!
!
username senya password 0 cisco
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.18.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.3.0
network 172.17.0.0
network 172.18.0.0
auto-summary
!
ip classless
!
!
access-list 2 permit host 192.168.3.2
!
!
!
line con 0
line vty 0 4
access-class 2 in
password cisco
login
!
!
end
Using 756 bytes
!
version 12.4
no service password-encryption
!
hostname LuoShan
!
!
enable password cisco
!
!
!
!
username senya password 0 cisco
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.17.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.18.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.3.0
network 172.17.0.0
network 172.18.0.0
auto-summary
!
ip classless
!
!
access-list 2 permit host 192.168.3.2
!
!
!
line con 0
line vty 0 4
access-class 2 in
password cisco
login
!
!
end
xixian#show startup-config
Using 808 bytes
!
version 12.4
service password-encryption
!
hostname xixian
!
!
enable password 7 0822455D0A16
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 out
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.18.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.16.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.1.0
network 172.18.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
access-list 101 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
line con 0
line vty 0 4
password 7 0822455D0A16
login
!
!
end
Using 808 bytes
!
version 12.4
service password-encryption
!
hostname xixian
!
!
enable password 7 0822455D0A16
!
!
!
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip access-group 101 out
duplex auto
speed auto
!
interface Serial0/3/0
ip address 172.18.1.1 255.255.255.0
clock rate 56000
!
interface Serial0/3/1
ip address 172.16.1.2 255.255.255.0
!
interface Vlan1
no ip address
shutdown
!
router eigrp 100
network 192.168.1.0
network 172.18.0.0
network 172.16.0.0
auto-summary
!
ip classless
!
!
access-list 101 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
line con 0
line vty 0 4
password 7 0822455D0A16
login
!
!
end
