IP Communication Fundamentals Lab Report: ACL Experiment

I. Objectives
1. Master the basic commands needed to configure ACLs on a GAR router.
2. Understand and consolidate the basic principles of ACLs and learn how ACLs are used in a network.

II. Experiment content (simulation files: ACL standard.pkt and extended ACL.pkt)
ACL configuration on a GAR router.

III. Equipment
Routers: 2
PCs: 3
Crossover cables: 4

IV. Topology diagrams
I. Standard ACL experiment (diagram)
II. Extended ACL experiment (diagram)

V. Configuration steps

I. Standard ACL experiment configuration

= Basic configuration

RT1
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RT1
RT1(config)#interface fastEthernet 1/0
RT1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
RT1(config-if)#ip address 192.168.20.254 255.255.255.0
RT1(config-if)#exit
RT1(config)#interface fastEthernet 1/1
RT1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet1/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
RT1(config-if)#ip address 192.168.10.254 255.255.255.0
RT1(config-if)#exit
RT1(config)#interface fastEthernet 0/0
RT1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
RT1(config-if)#ip address 12.12.12.1 255.255.255.0
RT1(config-if)#exit
RT1(config)#

RT2
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RT2
RT2(config)#interface fastEthernet 0/0
RT2(config-if)#ip address 12.12.12.2 255.255.255.0
RT2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
RT2(config-if)#exit
RT2(config)#interface fastEthernet 1/0
RT2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
RT2(config-if)#ip address 192.168.30.254 255.255.255.0
RT2(config-if)#exit
RT2(config)#

= Static route configuration

RT1
RT1(config)#ip route 192.168.30.0 255.255.255.0 12.12.12.2
RT1(config)#

RT2
RT2(config)#ip route 0.0.0.0 0.0.0.0 12.12.12.1   = default route
RT2(config)#

= ACL configuration, method 1

RT1
RT1(config)#access-list 1 permit 192.168.10.0 0.0.0.255   = create the ACL and permit the 192.168.10.0 network
RT1(config)#access-list 1 deny 192.168.20.0 0.0.0.255   = deny the 192.168.20.0 network
RT1(config)#interface fastEthernet 0/0   = apply the ACL to the appropriate interface
RT1(config-if)#ip access-group ?
  IP access list (standard or extended)
  WORD  Access-list name
RT1(config-if)#ip access-group 1 ?
  in   inbound packets
  out  outbound packets
RT1(config-if)#ip access-group 1 out ?
RT1(config-if)#ip access-group 1 out
RT1(config-if)#exit
RT1#show access-lists 1
Standard IP access list 1
    permit 192.168.10.0 0.0.0.255 (4 match(es))
    deny 192.168.20.0 0.0.0.255 (4 match(es))
RT1#

= ACL configuration, method 2

RT1(config)#ip access-list standard 1
RT1(config-std-nacl)#permit ?
  A.B.C.D  Address to match
  any      Any source host
  host     A single host address
RT1(config-std-nacl)#permit 192.168.10.0 ?
  A.B.C.D  Wildcard bits
RT1(config-std-nacl)#permit 192.168.10.0 0.0.0.255 ?
RT1(config-std-nacl)#permit 192.168.10.0 0.0.0.255
RT1(config-std-nacl)#deny 192.168.20.0 0.0.0.255
RT1(config-std-nacl)#exit
RT1(config)#interface fastEthernet 0/0
RT1(config-if)#ip access-group 1 ?
  in   inbound packets
  out  outbound packets
RT1(config-if)#ip access-group 1 out
RT1(config-if)#end
%SYS-5-CONFIG_I: Configured from console by console
RT1#show access-lists 1
Standard IP access list 1
    permit 192.168.10.0 0.0.0.255 (4 match(es))
    deny 192.168.20.0 0.0.0.255 (4 match(es))
RT1#

II. Extended ACL experiment

= Basic configuration

RT1
Continue with configuration dialog? [yes/no]: no
Press RETURN to get started!
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RT1
RT1(config)#interface fastEthernet 1/1
RT1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet1/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
RT1(config-if)#ip address 192.168.10.254 255.255.255.0
RT1(config-if)#exit
RT1(config)#interface fastEthernet 0/0
RT1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
RT1(config-if)#ip address 12.12.12.1 255.255.255.0
RT1(config-if)#exit
RT1(config)#

RT2
Continue with configuration dialog? [yes/no]: no
Press RETURN to get started!
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RT2
RT2(config)#interface fastEthernet 0/0
RT2(config-if)#ip address 12.12.12.2 255.255.255.0
RT2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
RT2(config-if)#exit
RT2(config)#interface fastEthernet 1/1
RT2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet1/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to up
RT2(config-if)#ip address 192.168.20.254 255.255.255.0
RT2(config-if)#exit
RT2(config)#

= Static route configuration

RT1
RT1(config)#ip route 192.168.20.0 255.255.255.0 12.12.12.2
RT1(config)#

RT2
RT2(config)#ip route 192.168.10.0 255.255.255.0 12.12.12.1
RT2(config)#

= Check that the services are reachable (before the ACL is applied)

PC1
1. Log in to 192.168.20.1: succeeds.
2. ping 192.168.20.1: succeeds.

= ACL configuration, method 1

RT1
RT1(config)#access-list 101 permit tcp host 192.168.10.1 host 192.168.20.1 eq www
RT1(config)#access-list 101 deny icmp host 192.168.10.1 host 192.168.20.1 echo
RT1(config)#interface fastEthernet 0/0   = apply the ACL rules to the interface
RT1(config-if)#ip access-group 101 out

VI. Verification method and results

I. Standard ACL experiment
1. PC0 can ping PC2. Result: (screenshot)
2. PC1 cannot ping PC2. Result: (screenshot)

II. Extended ACL experiment
1. The PC cannot ping the server, but can still reach it over www. Result: (screenshot)

VII. Conclusion
A router can use an ACL to stop packets arriving on a given physical port from entering the network. In the same way, it can use an ACL to stop packets with a given TCP/UDP destination port number from entering the network. An ACL can also filter on source IP address, destination IP address, TCP/UDP source port, TCP/UDP destination port, ICMP type, ICMP code, DSCP (DiffServ Code Point), ToS and Precedence, so filtering can be narrowed precisely to one specific protocol.
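To make the matching rules behind these results concrete, the following Python model (an added example, not part of the report or of any router software) parses the report's two access-lists exactly as typed and evaluates constructed packets for each verification step, using Cisco's wildcard-mask semantics, first-match-wins ordering and the implicit deny that closes every list. The host addresses 192.168.10.1 and 192.168.20.1 are from the report; PC2 at 192.168.30.1 and the PC0/PC1 numbering are assumptions.

```python
import ipaddress
PORTS, ICMP_TYPES = {"www": 80}, {"echo": 8}   # the keywords used in this report's two lists
ip = lambda s: int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care"; every 0-bit position must agree.
    return ((ip(addr) ^ ip(base)) & ~ip(wildcard) & 0xFFFFFFFF) == 0

def parse_addr(tokens):
    # Consume one address spec, 'host A.B.C.D' or 'A.B.C.D wildcard'; return (matcher, remaining tokens).
    if tokens[0] == "host":
        return (lambda a, h=tokens[1]: a == h), tokens[2:]
    return (lambda a, b=tokens[0], w=tokens[1]: wildcard_match(a, b, w)), tokens[2:]

def parse_acl(lines):
    # 'access-list N permit|deny ...' lines, kept in order; numbers 1-99 are standard (source-only) lists.
    rules = []
    for line in lines:
        t = line.split()
        num, action, rest = int(t[1]), t[2], t[3:]
        if num <= 99:
            src, rest = parse_addr(rest)
            rules.append((action, None, src, lambda a: True, None)); continue
        proto, rest = rest[0], rest[1:]
        src, rest = parse_addr(rest)
        dst, rest = parse_addr(rest)
        extra = (("dport", PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"]   # 'eq www' -> port 80
                 else ("icmp_type", ICMP_TYPES[rest[0]]) if rest else None)           # 'echo' -> ICMP type 8
        rules.append((action, proto, src, dst, extra))
    return rules

def evaluate(rules, pkt):
    # First matching entry wins; no match falls through to the implicit 'deny any' that ends every ACL.
    for action, proto, src, dst, extra in rules:
        if proto not in (None, "ip") and proto != pkt["proto"]: continue
        if not (src(pkt["src"]) and dst(pkt["dst"])): continue
        if extra and pkt.get(extra[0]) != extra[1]: continue
        return action
    return "deny"
STANDARD_ACL = ["access-list 1 permit 192.168.10.0 0.0.0.255", "access-list 1 deny 192.168.20.0 0.0.0.255"]
EXTENDED_ACL = ["access-list 101 permit tcp host 192.168.10.1 host 192.168.20.1 eq www",
                "access-list 101 deny icmp host 192.168.10.1 host 192.168.20.1 echo"]
# Constructed packets; assumed hosts: PC0 192.168.10.1, PC1 192.168.20.1, PC2 192.168.30.1 (PC2 is not in the report).
pkt = lambda s, d, proto, **fields: {"src": s, "dst": d, "proto": proto, **fields}
def lab_results():
    std, ext = parse_acl(STANDARD_ACL), parse_acl(EXTENDED_ACL)
    return {"pc0_ping_pc2": evaluate(std, pkt("192.168.10.1", "192.168.30.1", "icmp", icmp_type=8)),
            "pc1_ping_pc2": evaluate(std, pkt("192.168.20.1", "192.168.30.1", "icmp", icmp_type=8)),
            "www_to_server": evaluate(ext, pkt("192.168.10.1", "192.168.20.1", "tcp", dport=80)),
            "ping_server": evaluate(ext, pkt("192.168.10.1", "192.168.20.1", "icmp", icmp_type=8)),
            "ssh_to_server": evaluate(ext, pkt("192.168.10.1", "192.168.20.1", "tcp", dport=22))}
```

The last entry shows what the verification step does not test: once list 101 is on Fa0/0 outbound, a TCP connection from the same PC to any port other than www is also dropped, by the implicit deny rather than by any line the lab entered.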