IP Extended Access Control Lists (IP扩展访问控制列表.ppt)

Uploaded by: 小飞机  Document ID: 6508740  Upload date: 2023-11-07  Format: PPT  Pages: 27  Size: 240KB

IP Extended Access Control Lists

Topics:
- Using an IP extended access control list to restrict access to application services
- Time-based access control lists
- Expert access lists


Lab: Using an IP extended access control list to restrict access to application services

Lab steps

1. Basic configuration (create the VLANs, assign ports to the VLANs, create the VLAN virtual interfaces and configure their IP parameters. Configure the IP parameters on the hosts; what should the gateway be?) When this step is finished, verify that all IP addresses can ping one another.

2. Deploy the web server. The "个人网页服务器" (Personal Web Server) software can be used to deploy a web service on the server host. Verify that both the student PC and the teacher PC can open the server's web home page.

3. Configure a named IP extended ACL

    6-S3760-1(config)#ip access-list extended denystudentwww
    6-S3760-1(config-ext-nacl)#deny tcp 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255 eq www
    6-S3760-1(config-ext-nacl)#permit ip any any

4. Apply the ACL to the interface

    6-S3760-1(config)#interface vlan 30
    6-S3760-1(config-if)#ip access-group denystudentwww ?
      in   Specify filtering on inbound packets
      out  Specify filtering on outbound packets
    6-S3760-1(config-if)#ip access-group denystudentwww in

Verification

The student PC cannot open the server's web home page, while the teacher PC can open it normally.

Question to consider: if an FTP service is deployed on the server, can the student PC and the teacher PC access it?


Lab: Time-based access control lists

Lab steps

1. Basic configuration (configure the router interface parameters and the IP parameters of the PC and the Server; what should the gateway be?) Ping between the PC and the Server to make sure they can reach each other.

2. Configure the router clock

    6-R1762-2#show clock
    clock:2009-3-9 7:37:8
    6-R1762-2#clock ?
      set  Set the time and date
    6-R1762-2#clock set ?
      hh:mm:ss  Current Time
    6-R1762-2#clock set 16:03:40 ?
      Day of the month
      MONTH  Month of the year
    6-R1762-2#clock set 16:03:40 17 ?
      MONTH  Month of the year
    6-R1762-2#clock set 16:03:40 17 may ?
      Year
    6-R1762-2#clock set 16:03:40 11 may 2009
    6-R1762-2#show clock
    clock:2009-5-11 16:3:50

3. Define the time range

    6-R1762-2#conf
    6-R1762-2(config)#time-range ?
      WORD  timerange name
    6-R1762-2(config)#time-range freetime
    6-R1762-2(config-time-range)#?
    timerange configuration commands:
      absolute  absolute time and date
      default   Set a command to its defaults
      end       Exit from timerange configuration mode
      exit      Exit from timerange configuration mode
      help      Description of the interactive help system
      no        Negate a command or set its defaults
      periodic  periodic time and date
      show      Show running system information

    6-R1762-2(config-time-range)#absolute ?
      end    ending time and date
      start  starting time and date
    6-R1762-2(config-time-range)#absolute start ?
      hh:mm  Starting time
    6-R1762-2(config-time-range)#absolute start 8:00 ?
      Day of the month
    6-R1762-2(config-time-range)#absolute start 8:00 1 ?
      MONTH  Month of the year
    6-R1762-2(config-time-range)#absolute start 8:00 1 jan ?
      Year
    6-R1762-2(config-time-range)#absolute start 8:00 1 jan 2006 ?
      end  ending time and date
    6-R1762-2(config-time-range)#absolute start 8:00 1 jan 2006 end ?
      hh:mm  Ending time-stays valid until beginning of next minute
    6-R1762-2(config-time-range)#absolute start 8:00 1 jan 2006 end 18:00 ?
      Day of the month
    6-R1762-2(config-time-range)#absolute start 8:00 1 jan 2006 end 18:00 30 ?
      MONTH  Month of the year
    6-R1762-2(config-time-range)#absolute start 8:00 1 jan 2006 end 18:00 30 dec ?
      Year
    6-R1762-2(config-time-range)#absolute start 8:00 1 jan 2006 end 18:00 30 dec 2010

    6-R1762-2(config-time-range)#periodic ?
      Daily      Every day of the week
      Friday     Friday
      Monday     Monday
      Saturday   Saturday
      Sunday     Sunday
      Thursday   Thursday
      Tuesday    Tuesday
      Wednesday  Wednesday
      Weekdays   Monday through Friday
      Weekend    Saturday and Sunday
    6-R1762-2(config-time-range)#periodic daily ?
      hh:mm  Starting time
    6-R1762-2(config-time-range)#periodic daily 0:00 ?
      to  ending day and time
    6-R1762-2(config-time-range)#periodic daily 0:00 to ?
      hh:mm  Ending time-stays valid until beginning of next minute
    6-R1762-2(config-time-range)#periodic daily 0:00 to 9:00
    6-R1762-2(config-time-range)#periodic daily 17:00 to 23:59
    6-R1762-2(config-time-range)#show time-range
    time-range entry:freetime(inactive)
      absolute start 08:00 01 January 2006 end 18:00 30 December 2010
      periodic Daily 0:00 to 9:00
      periodic Daily 17:00 to 23:59

4. Define the access control list rules

    6-R1762-2(config)#
    6-R1762-2(config)#access-list ?
      IP standard access list
      IP extended access list
      IP standard access list(expanded range)
      IP extended access list(expanded range)
      IP address range standard access list
      IP address range extended access list

    6-R1762-2(config)#access-list 100 ?
      deny    Specify packets to reject
      permit  Specify packets to forward
    6-R1762-2(config)#access-list 100 permit ?
      icmp  Internet Control Message Protocol
      ip    Any Internet Protocol
      tcp   Transmission Control Protocol
      udp   User Datagram Protocol
    6-R1762-2(config)#access-list 100 permit ip ?
      A.B.C.D  Source address
      any      Any source host
      host     A single source host
    6-R1762-2(config)#access-list 100 permit ip any ?
      A.B.C.D  destination address
      any      Any destination host
      host     A single destination host
    6-R1762-2(config)#access-list 100 permit ip any host ?
      A.B.C.D  destination address

    6-R1762-2(config)#access-list 100 permit ip any host 160.16.1.1 ?
      precedence  Match packets with given precedence value
      time-range  Match packets with given timerange set
      tos         Match packets with given TOS value
    6-R1762-2(config)#access-list 100 permit ip any host 160.16.1.1
    6-R1762-2(config)#access-list 100 permit ip any any time-range freetime
    6-R1762-2(config)#show access-lists
    Extended IP access list 100 includes 2 items:
      permit ip any host 160.16.1.1
      permit ip any any time-range freetime(active)

5. Apply the access control list to the interface

    6-R1762-2(config)#int fa 1/0
    6-R1762-2(config-if)#ip access-group 100 in
    6-R1762-2(config-if)#show ip int fa 1/0
    FastEthernet 1/0
      IP interface state is:UP
      IP interface type is:BROADCAST
      IP interface MTU is:1500
      IP address is:172.16.1.1/24(primary)
      Outgoing access list is not set.
      Inbound access list is 100.

View the system configuration

    6-R1762-2#show run
    Building configuration.
    Current configuration:966 bytes
    !
    version 8.52(building 6)
    hostname 6-R1762-2
    !
    time-range freetime
     absolute start 8:00 1 January 2006 end 18:00 30 December 2010
     periodic Daily 0:00 to 9:00
     periodic Daily 17:00 to 23:59
    !
    access-list 100 permit ip any host 160.16.1.1
    access-list 100 permit ip any any time-range freetime
    !
    no service password-encryption
    !
    interface serial 1/2
    !
    interface serial 1/3
     clock rate 64000
    !
    interface FastEthernet 1/0
     ip access-group 100 in
     ip address 172.16.1.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet 1/1
     ip address 160.16.1.2 255.255.255.0
     duplex auto
     speed auto
    !
    end

6. Verification tests

(1) Verify server access during working hours
    PC ping 160.16.1.1
    PC ping 160.16.1.5

(2) Verify server access outside working hours (change the router's time to 18:00)
    PC ping 160.16.1.1
    PC ping 160.16.1.5


Lab: Expert access lists

Lab steps

1. Basic configuration (configure the router interface parameters and the IP parameters of PC1, PC2 and the Server; what should the gateway be?) Ping between PC1, PC2 and the Server to make sure they can reach one another.

2. Configure the expert ACL on the switch

    6-S2128-2(config)#expert access-list extended test1
    6-S2128-2(config-exp-nacl)#deny ip host 172.16.1.1 host 001b.fcee.9358 host 160.16.1.1 any
    6-S2128-2(config-exp-nacl)#permit any any any any
    6-S2128-2#show access-lists test1
    Expert access list:test1
      deny ip host 172.16.1.1 host 001b.fcee.9358 host 160.16.1.1 any
      permit any any any any

3. Apply the expert ACL to the interface

    6-S2128-2(config)#int fa 0/1
    6-S2128-2(config-if)#expert access-group test1 ?
      in  Specify filtering on inbound packets
    6-S2128-2(config-if)#expert access-group test1 in
    6-S2128-2(config-if)#end
    6-S2128-2#show access-group
    Interface   inbound access-list   outbound access-list
    ---------   -------------------   --------------------
    Fa0/1       test1

4. Verification tests

    PC1 ping 160.16.1.1
    PC1 ping 172.16.1.3
    PC2 ping 160.16.1.1

Clearing the device's current configuration: when the switch is restarted with the reload command, do not run the save command.
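Added example (not part of the original slides): a small Python model of how the named ACL denystudentwww and access-list 100 with time-range freetime decide a packet, covering wildcard-mask matching, first-match ordering and the time range being active only inside both its absolute and a periodic window. It assumes the usual semantics of first match wins, an implicit deny at the end of the list, and an entry with an inactive time range being skipped; the host addresses passed to `evaluate` are constructed, not taken from the page.

```python
from datetime import datetime, time
from ipaddress import ip_address

def wild(addr, base, wildcard):
    """Wildcard match: bits set to 1 in the wildcard mask are ignored."""
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return int(ip_address(addr)) & care == int(ip_address(base)) & care

ANY = ("0.0.0.0", "255.255.255.255")          # keyword "any"
def host(a):
    return (a, "0.0.0.0")                     # keyword "host A.B.C.D"

# time-range freetime, values copied from the page
ABSOLUTE = (datetime(2006, 1, 1, 8, 0), datetime(2010, 12, 30, 18, 0))
DAILY = [(time(0, 0), time(9, 0)), (time(17, 0), time(23, 59))]

def freetime(now):
    """Active only inside the absolute window AND one periodic window."""
    # An end time "stays valid until beginning of next minute": compare by minute.
    now = now.replace(second=0, microsecond=0)
    in_abs = ABSOLUTE[0] <= now <= ABSOLUTE[1]
    return in_abs and any(s <= now.time() <= e for s, e in DAILY)

# Entries: (action, protocol, source, destination, dest port, time range)
DENYSTUDENTWWW = [
    ("deny", "tcp", ("192.168.30.0", "0.0.0.255"),
     ("192.168.10.0", "0.0.0.255"), 80, None),      # eq www = TCP port 80
    ("permit", "ip", ANY, ANY, None, None),
]
ACL_100 = [
    ("permit", "ip", ANY, host("160.16.1.1"), None, None),
    ("permit", "ip", ANY, ANY, None, freetime),
]

# Host addresses passed to evaluate() are constructed, not from the page.
def evaluate(acl, proto, src, dst, dport, now):
    """Return the action of the first matching entry (assumed semantics)."""
    for action, p, s, d, port, time_range in acl:
        if p not in ("ip", proto):
            continue                      # "ip" covers every IP protocol
        if not (wild(src, *s) and wild(dst, *d)):
            continue
        if port is not None and port != dport:
            continue
        if time_range is not None and not time_range(now):
            continue                      # inactive time range: entry skipped
        return action
    return "deny"                         # implicit deny at the end of the list
```

Calling `evaluate(ACL_100, "icmp", "172.16.1.10", "160.16.1.5", None, datetime(2009, 5, 11, 16, 3))` returns `"deny"`, while the same call for 18:00 returns `"permit"`, which is the difference the step 6 pings are meant to show.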
