14. Configuring an Extended IP ACL

小浩

I. Background

The branch office and the head office sit on different subnets and exchange traffic through routers. As a security measure, branch management requires that the department hosts be able to reach only the WWW service of the head-office server and be unable to use ICMP (ping) against it. The filter therefore has to look at protocol and port, not just addresses, which is what an extended ACL does and a standard ACL cannot.

II. Topology

[Topology diagram: cisco26]

III. Configuration steps

  1. Configure router R1's interface addresses and static route

    Configuration:

    ```
    Router>en
    Router#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#hostname R1
    R1(config)#int fa0/0
    R1(config-if)#ip address 192.168.1.1 255.255.255.0 //configure the interface IP address
    R1(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R1(config-if)#exit
    R1(config)#interface fastethernet 1/0
    R1(config-if)#ip address 192.168.2.1 255.255.255.0 //configure the interface IP address
    R1(config-if)#no shutdown
    R1(config-if)#
    %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
    R1(config-if)#exit
    R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2 //default route: everything outside 192.168.1.0/24 goes to R2
    R1(config)#end
    ```

    Check ip route and running-config:

    ```
    R1#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is not set

    C    192.168.1.0/24 is directly connected, FastEthernet0/0
    R1#
    R1#show run
    Building configuration...
    Current configuration : 746 bytes

    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname R1
    !
    ip cef
    no ipv6 cef

    interface FastEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet1/0
     ip address 192.168.2.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface Serial2/0
     no ip address
     shutdown
    !
    interface Serial3/0
     no ip address
     shutdown
    !
    interface FastEthernet4/0
     no ip address
     shutdown
    !
    interface FastEthernet5/0
     no ip address
     shutdown
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.2.2
    !
    ip flow-export version 9
    !
    line con 0
    !
    line aux 0
    !
    line vty 0 4
     login

    end
    ```

    Only the connected network 192.168.1.0/24 is in the table at this point. FastEthernet1/0 has no working link yet (R2 is configured in the next step), so 192.168.2.0/24 is not shown as connected, and a static route whose next hop cannot be resolved is not installed. That is why the output says "Gateway of last resort is not set" even though `ip route 0.0.0.0 0.0.0.0 192.168.2.2` is present in the running-config; the route appears as `S* 0.0.0.0/0` once the link to R2 comes up.
  2. Configure router R2's interface addresses and static routes

    Configuration:

    ```
    Router>en
    Router#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#hostname R2
    R2(config)#interface fastethernet 1/0
    R2(config-if)#ip add 192.168.2.2 255.255.255.0 //configure the interface IP address
    R2(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
    R2(config-if)#exit
    R2(config)#int serial 2/0
    R2(config-if)#ip add 192.168.3.1 255.255.255.0 //configure the interface IP address
    R2(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Serial2/0, changed state to down
    R2(config-if)#clock rate 64000
    This command applies only to DCE interfaces
    R2(config-if)#exit
    R2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1 //branch LAN, via R1
    R2(config)#ip route 192.168.4.0 255.255.255.0 192.168.3.2 //head-office LAN, via R3
    R2(config)#end
    ```

    Serial2/0 stays down for now. R2's end of the serial cable is the DTE side, which is why `clock rate 64000` is rejected with "This command applies only to DCE interfaces"; the link comes up once R3's Serial2/0 is brought up in step 3.



    Check ip route, configure the extended IP ACL, and check running-config:

    ```
    R2#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is not set

    S    192.168.1.0/24 [1/0] via 192.168.2.1
    C    192.168.2.0/24 is directly connected, FastEthernet1/0
    R2#
    R2#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
    R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
    R2(config)#
    R2(config)#interface serial 2/0
    R2(config-if)#ip access-group 100 out
    R2(config-if)#
    R2(config-if)#end
    R2#
    %SYS-5-CONFIG_I: Configured from console by console

    R2#show running-config
    Building configuration...

    Current configuration : 962 bytes
    !
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    !
    hostname R2
    !
    !
    !
    ip cef
    no ipv6 cef
    !
    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
     shutdown
    !
    interface FastEthernet1/0
     ip address 192.168.2.2 255.255.255.0
     duplex auto
     speed auto
    !
    interface Serial2/0
     ip address 192.168.3.1 255.255.255.0
     ip access-group 100 out
    !
    interface Serial3/0
     no ip address
     shutdown
    !
    interface FastEthernet4/0
     no ip address
     shutdown
    !
    interface FastEthernet5/0
     no ip address
     shutdown
    !
    ip classless
    ip route 192.168.1.0 255.255.255.0 192.168.2.1
    ip route 192.168.4.0 255.255.255.0 192.168.3.2
    !
    ip flow-export version 9
    !
    !
    access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
    access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
    !
    line con 0
    !
    line aux 0
    !
    line vty 0 4
     login
    !
    end
    ```

    A few points about this ACL are worth spelling out. Number 100 is in the extended range (100-199), so each entry matches on protocol, source, destination and TCP port or ICMP type. Entries are tested top-down, the first match wins, and every ACL ends with an implicit `deny ip any any`. Because of that implicit deny, the explicit `deny icmp ... echo` entry is not strictly needed to stop the ping; keeping it makes the intent visible in the configuration and gives `show access-lists 100` a separate match counter for dropped echo requests. The implicit deny also drops everything else leaving Serial2/0 toward head office, and both entries name the single host 192.168.1.2, so any other branch host is cut off completely rather than limited to WWW. `ip access-group 100 out` on Serial2/0 filters only packets leaving R2 toward R3; traffic arriving from head office on the same interface is not inspected. Finally, the routing table above still lacks 192.168.3.0/24 and the static route to 192.168.4.0/24 because Serial2/0 is down until R3 is configured in step 3.
  3. Configure router R3's interface addresses and static route

    Configuration:

    ```
    Router>en
    Router#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#hostname R3
    R3(config)#interface fastEthernet 0/0
    R3(config-if)#ip address 192.168.4.1 255.255.255.0
    R3(config-if)#no shutdown
    R3(config-if)#
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R3(config-if)#exit
    R3(config)#interface serial 2/0
    R3(config-if)#ip address 192.168.3.2 255.255.255.0
    R3(config-if)#no shutdown
    R3(config-if)#
    %LINK-5-CHANGED: Interface Serial2/0, changed state to up
    R3(config-if)#exit
    R3(config)#
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
    R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.1 //default route: everything outside 192.168.4.0/24 goes to R2
    R3(config)#end
    R3#
    %SYS-5-CONFIG_I: Configured from console by console
    ```

    Check the routing table:

    ```
    R3#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is 192.168.3.1 to network 0.0.0.0

    C    192.168.3.0/24 is directly connected, Serial2/0
    C    192.168.4.0/24 is directly connected, FastEthernet0/0
    S*   0.0.0.0/0 [1/0] via 192.168.3.1
    R3#
    %IP-4-DUPADDR: Duplicate address 192.168.4.1 on FastEthernet0/0, sourced by 0090.0C46.5567
    ```

    Here the default route is installed ("Gateway of last resort is 192.168.3.1") because the serial link to R2 is up and the next hop is reachable. The %IP-4-DUPADDR message means R3 saw an ARP packet on FastEthernet0/0 claiming its own address 192.168.4.1 from another MAC address (0090.0C46.5567): some other device on the 192.168.4.0/24 segment is using the gateway address. Resolve that conflict before running the tests in step 5, otherwise the server's traffic may be sent to the wrong device.
  4. Configure the PC and the server

    4.1 Branch host

    IP: 192.168.1.2
    MASK: 255.255.255.0
    Gateway: 192.168.1.1

    4.2 Head-office server

    IP: 192.168.4.2
    MASK: 255.255.255.0
    Gateway: 192.168.4.1

  5. Test

    5.1 Branch host: web test (open the server's web page, 192.168.4.2, in the PC's browser)

    [Screenshot: cisco27]

    The page loads: the request is TCP from 192.168.1.2 to 192.168.4.2 port 80 and matches the `permit tcp ... eq www` entry.

    5.2 Branch host: ping test, ping 192.168.4.2

    [Screenshot: cisco28]

    The pings fail: each echo request matches the `deny icmp ... echo` entry on R2's Serial2/0 and is dropped. On R2, `show access-lists 100` shows the match count climbing on each entry as the tests run, and `show ip interface serial 2/0` reports "Outgoing access list is 100", confirming the ACL is applied in the intended direction.
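As an added illustration (this script is not part of the original post and is not Cisco code), the following Python evaluator applies the two `access-list 100` entries from step 2 the way R2 does on Serial2/0: top-down, first match wins, implicit `deny ip any any` at the end. It reproduces the outcomes of tests 5.1 and 5.2 and also shows two things the screenshots cannot: an echo-reply or a non-WWW TCP port from the same host falls through to the implicit deny, and a second branch host (192.168.1.3, assumed here) is cut off entirely because both entries name only 192.168.1.2. The `access-list 101` line with the wildcard mask 0.0.0.255 is an assumed variant covering the whole branch subnet, not something the post configures. The parser covers the numbered-ACL syntax used on this page plus contiguous wildcard masks, not the full IOS grammar.

```python
"""Cisco-style extended ACL evaluator: entries are tested top-down, first match
wins, and an implicit 'deny ip any any' ends every list."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMED_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "domain": 53, "smtp": 25}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[int] = None  # icmp type number

@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None = any destination port
    icmp_type: Optional[int]         # None = any ICMP type

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """'A.B.C.D WILDCARD' -> network. Wildcard bits set to 1 are "don't care";
    only contiguous wildcards (the usual case) map onto a prefix."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard not supported: {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)

def _take_addr(tok: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(f"{tok[1]}/32"), tok[2:]
    return wildcard_to_network(tok[0], tok[1]), tok[2:]

def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]'
    (the numbered-ACL subset used on this page; no source-port matching)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    action, proto = tok[2], tok[3]
    src, rest = _take_addr(tok[4:])
    dst, rest = _take_addr(rest)
    dport = icmp_type = None
    if proto in ("tcp", "udp") and rest[:1] == ["eq"]:
        dport = NAMED_PORTS[rest[1]] if rest[1] in NAMED_PORTS else int(rest[1])
        rest = rest[2:]
    elif proto == "icmp" and rest:
        icmp_type = ICMP_TYPES[rest[0]] if rest[0] in ICMP_TYPES else int(rest[0])
        rest = rest[1:]
    if rest:
        raise ValueError(f"unsupported tokens in {line!r}: {rest}")
    return Entry(action, proto, src, dst, dport, icmp_type)

def parse_acl(text: str) -> List[Entry]:
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

def _matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and ipaddress.IPv4Address(p.src) in e.src
            and ipaddress.IPv4Address(p.dst) in e.dst
            and (e.dport is None or e.dport == p.dport)
            and (e.icmp_type is None or e.icmp_type == p.icmp_type))

def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Router verdict: (action, entry number) of the first matching entry, or
    ("deny", None) when the packet falls through to the implicit deny."""
    for n, e in enumerate(acl, start=1):
        if _matches(e, p):
            return e.action, n
    return "deny", None

# The two entries exactly as configured on R2 in step 2.
PAGE_ACL = parse_acl("""
access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
""")
# Assumed variant, not on the page: the same permit for the whole branch
# subnet, which "department hosts" in the requirement would call for.
SUBNET_ACL = parse_acl("""
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.4.2 eq www
""")

if __name__ == "__main__":
    for name, pkt in [("5.1 web test", Packet("192.168.1.2", "192.168.4.2", "tcp", dport=80)),
                      ("5.2 ping test", Packet("192.168.1.2", "192.168.4.2", "icmp", icmp_type=8)),
                      ("second branch host", Packet("192.168.1.3", "192.168.4.2", "tcp", dport=80))]:
        print(f"{name}: acl 100 -> {evaluate(PAGE_ACL, pkt)}, acl 101 -> {evaluate(SUBNET_ACL, pkt)}")
```

Run it directly to print the verdicts for the three sample packets. Each verdict carries the number of the entry that matched, which is the same information the per-entry match counters of `show access-lists 100` give you on the router; a `None` means the packet was dropped by the implicit deny, where no counter is shown.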

  • Title: 14. Configuring an Extended IP ACL
  • Author: 小浩
  • Created at: 2024-04-12 09:51:19
  • Updated at: 2024-06-08 13:52:13
  • Link: https://blog.xh8.shop/2024/04/12/14-配置扩展IP-ACL/
  • License: This work is licensed under CC BY-NC-SA 4.0.