14.配置扩展IP-ACL
一、背景
分公司和总公司分别属于不同的网段,部门之间用路由器进行信息传递,为了安全起见,分公司领导要求部门主机只能访问总公司服务器的WWW服务,不能对其使用ICMP服务。
二、拓扑图
三、配置流程
配置路由器R1的端口地址,静态路由表
配置:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34Router>en
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#int fa0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0 //配置端口IP地址
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#interface fastethernet 1/0
R1(config-if)#ip address 192.168.2.1 255.255.255.0 //配置端口IP地址
R1(config-if)#no shutdown
R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2 //配置default route
R1(config)#end查看 ip route以及running-config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
\* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.1.0/24 is directly connected, FastEthernet0/0
R1#
R1#show run
Building configuration...
Current configuration : 746 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
ip cef
no ipv6 cef
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Serial2/0
no ip address
shutdown
!
interface Serial3/0
no ip address
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.2
!
ip flow-export version 9
!
line con 0
!
line aux 0
!
line vty 0 4
login
end配置路由器R2的端口地址,静态路由表
配置:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface fastethernet 1/0
R2(config-if)#ip add 192.168.2.2 255.255.255.0 //配置端口IP地址
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
R2(config)#int serial 2/0
R2(config-if)#ip add 192.168.3.1 255.255.255.0 //配置端口IP地址
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
R2(config-if)#clock rate 64000
This command applies only to DCE interfaces
R2(config-if)#exit
R2(config)#ip route 192.168.1.0 255.255.255.0 192.168.2.1
R2(config)#ip route 192.168.4.0 255.255.255.0 192.168.3.2
R2(config)#end查看 ip route以及配置扩展IP-ACL以及查看running-config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172R2#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
\* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
S 192.168.1.0/24 [1/0] via 192.168.2.1
C 192.168.2.0/24 is directly connected, FastEthernet1/0
R2#
R2#
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
R2(config)#access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
R2(config)#
R2(config)#interface serial 2/0
R2(config-if)#ip access-group 100 out
R2(config-if)#
R2(config-if)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#show running-config
Building configuration...
Current configuration : 962 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
!
!
ip cef
no ipv6 cef
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet1/0
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
!
interface Serial2/0
ip address 192.168.3.1 255.255.255.0
ip access-group 100 out
!
interface Serial3/0
no ip address
shutdown
!
interface FastEthernet4/0
no ip address
shutdown
!
interface FastEthernet5/0
no ip address
shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.2.1
ip route 192.168.4.0 255.255.255.0 192.168.3.2
!
ip flow-export version 9
!
!
access-list 100 permit tcp host 192.168.1.2 host 192.168.4.2 eq www
access-list 100 deny icmp host 192.168.1.2 host 192.168.4.2 echo
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
end配置路由器R3的端口地址,静态路由表
配置:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R3
R3(config)#interface fastEthernet 0/0
R3(config-if)#ip address 192.168.4.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#exit
R3(config)#interface serial 2/0
R3(config-if)#ip address 192.168.3.2 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
R3(config-if)#exit
R3(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.1
R3(config)#end
R3#
%SYS-5-CONFIG_I: Configured from console by console查看路由表:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27R3#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
\* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.3.1 to network 0.0.0.0
C 192.168.3.0/24 is directly connected, Serial2/0
C 192.168.4.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.3.1
R3#%IP-4-DUPADDR: Duplicate address 192.168.4.1 on FastEthernet0/0, sourced by 0090.0C46.5567
%IP-4-DUPADDR: Duplicate address 192.168.4.1 on FastEthernet0/0, sourced by 0090.0C46.5567配置PC、服务器
4.1 分公司主机
IP:192.168.1.2
MASK:255.255.255.0
Gateway:192.168.1.1
4.2 总公司服务器
IP:192.168.4.2
MASK:255.255.255.0
Gateway:192.168.4.1
测试
5.1 分公司主机-WEB测试
5.2 分公司主机-Ping测试 ping 192.168.4.2
- Title: 14.配置扩展IP-ACL
- Author: 小浩
- Created at : 2024-04-12 09:51:19
- Updated at : 2024-06-08 13:52:13
- Link: https://blog.xh8.shop/2024/04/12/14-配置扩展IP-ACL/
- License: This work is licensed under CC BY-NC-SA 4.0.
Comments