This post was last edited by 碧云天 on 2020-3-30 21:09
I. Test topology requirements:
1. Deny all traffic from the 172.16.1.0/24 network to the 172.16.3.0/24 network
2. Allow all other traffic, including traffic from the 172.16.3.0/24 network to the 172.16.1.0/24 network
II. Basic configuration
1. PC1
hostname PC1
interface FastEthernet1/0
ip address 172.16.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254
line vty 0 4
password cisco
login
ip host www.yuntian.com 172.16.1.1
ip dns server
2. R1
hostname R1
interface FastEthernet0/0
ip address 172.16.12.1 255.255.255.0
no shutdown
interface FastEthernet1/0
ip address 172.16.1.254 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.12.2
3. R2
hostname R2
interface FastEthernet0/0
ip address 172.16.12.2 255.255.255.0
no shutdown
interface FastEthernet1/0
ip address 172.16.23.2 255.255.255.0
no shutdown
ip route 172.16.1.0 255.255.255.0 172.16.12.1
ip route 172.16.3.0 255.255.255.0 172.16.23.3
4. R3
hostname R3
interface FastEthernet0/0
ip address 172.16.3.254 255.255.255.0
no shutdown
interface FastEthernet1/0
ip address 172.16.23.3 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.23.2
5. PC2
hostname PC2
interface FastEthernet0/0
ip address 172.16.3.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.3.254
line vty 0 4
password cisco
login
ip domain-lookup
ip name-server 172.16.1.1
IV. Implementing the requirements
1. Using a standard ACL: this also blocks the 172.16.3.0/24 network from reaching the 172.16.1.0/24 network
① Configure the ACL on R3
access-list 13 deny 172.16.1.0 0.0.0.255
access-list 13 permit any
② Apply the ACL on R3's F0/0 interface
interface FastEthernet0/0
ip access-group 13 out
③ The 172.16.1.0/24 network cannot reach the 172.16.3.0/24 network
PC1#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
PC1#
④ The 172.16.3.0/24 network cannot reach the 172.16.1.0/24 network either
PC2#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PC2#
2. Using an extended ACL: UDP traffic from the 172.16.3.0/24 network to the 172.16.1.0/24 network cannot get through, and applications that use dynamic ports, such as FTP, cannot work normally either
① First remove the ACL configuration from R3
interface FastEthernet0/0
no ip access-group 13 out
② Configure the extended ACL on R1
ip access-list extended Outside-control
permit tcp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 established
deny ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
permit ip any any
③ Apply the ACL on R1's F1/0 interface
interface FastEthernet1/0
ip access-group Outside-control in
④ The 172.16.1.0/24 network cannot reach the 172.16.3.0/24 network
PC1#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
PC1#telnet 172.16.3.1
Trying 172.16.3.1 ...
% Destination unreachable; gateway or host down
PC1#
⑤ The 172.16.3.0/24 network can reach the 172.16.1.0/24 network over TCP
PC2#telnet 172.16.1.1
Trying 172.16.1.1 ... Open
User Access Verification
Password:
PC1>show users
Line User Host(s) Idle Location
0 con 0 idle 00:01:15
* 2 vty 0 idle 00:00:00 172.16.3.1
Interface User Mode Idle Peer Address
PC1>exit
⑥ The 172.16.3.0/24 network cannot ping the 172.16.1.0/24 network or reach it over UDP
PC2#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PC2#ping www.yuntian.com
*Mar 30 19:56:35.203: %SYS-5-CONFIG_I: Configured from console by console
PC2#ping www.yuntian.com
Translating "www.yuntian.com"...domain server (172.16.1.1)
% Unrecognized host or address, or protocol not running.
PC2#
3. Using CBAC on R1 meets the requirements
① First remove the extended ACL configuration from R1
interface FastEthernet1/0
no ip access-group Outside-control in
② Configure CBAC on R1
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
ip inspect name CBAC ftp
③ Reconfigure the extended ACL on R1
no ip access-list extended Outside-control
ip access-list extended Outside-control
deny ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
permit ip any any
④ Apply the ACL and CBAC on R1's F1/0 interface (optimal and recommended, because it is closest to the source)
interface FastEthernet1/0
ip access-group Outside-control in
ip inspect CBAC out
⑤ The ACL and CBAC can also be applied on R1's F0/0 interface (suboptimal)
interface FastEthernet0/0
ip access-group Outside-control out
ip inspect CBAC in
⑥ The 172.16.1.0/24 network cannot reach the 172.16.3.0/24 network
PC1#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
PC1# telnet 172.16.3.1
Trying 172.16.3.1 ...
% Destination unreachable; gateway or host down
PC1#
⑦ The 172.16.3.0/24 network can reach the 172.16.1.0/24 network
PC2#PING 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/88/96 ms
PC2#ping www.yuntian.com
Translating "www.yuntian.com"...domain server (172.16.1.1) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/87/92 ms
PC2#telnet 172.16.1.1
Trying 172.16.1.1 ... Open
User Access Verification
Password:
PC1>show users
Line User Host(s) Idle Location
0 con 0 idle 00:01:11
* 2 vty 0 idle 00:00:00 172.16.3.1
Interface User Mode Idle Peer Address
PC1>
4. Using CBAC on R3 also meets the requirements (not recommended, since it is farther from the source)
① First remove the ACL and CBAC configuration from R1
interface FastEthernet1/0
no ip access-group Outside-control in
no ip inspect CBAC out
interface FastEthernet0/0
no ip access-group Outside-control out
no ip inspect CBAC in
② Configure CBAC on R3
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
ip inspect name CBAC ftp
③ Configure the extended ACL on R3
no ip access-list extended Outside-control
ip access-list extended Outside-control
deny ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
permit ip any any
④ Apply the ACL and CBAC on R3's F1/0 interface
interface FastEthernet1/0
ip access-group Outside-control in
ip inspect CBAC out
⑤ The ACL and CBAC can also be applied on R3's F0/0 interface
interface FastEthernet0/0
ip access-group Outside-control out
ip inspect CBAC in
⑥ Verification (omitted)
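To make the difference between sections 2 and 3 concrete, here is a small Python model (added for this write-up, not IOS code or anything from the original post) of the Outside-control ACL evaluated inbound on R1 F1/0, first with the 'established' entry and then with CBAC inspection outbound on the same interface. The wildcard matching and first-match logic follow IOS semantics; the session table is a deliberate simplification of real CBAC (no TCP state, ICMP echo identifiers or FTP data-channel tracking), and all packets and ports are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int        # 0 for icmp
    dst: str
    dport: int
    ack: bool = False # TCP segment with ACK or RST set, which is what IOS 'established' tests

def in_wildcard(ip, net, wc):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    i, n, w = (int(ipaddress.ip_address(x)) for x in (ip, net, wc))
    return (i | w) == (n | w)

def acl_permits(acl, pkt):
    """First-match evaluation; falling off the end is the implicit 'deny any'."""
    for action, proto, snet, swc, dnet, dwc, established in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if not (in_wildcard(pkt.src, snet, swc) and in_wildcard(pkt.dst, dnet, dwc)):
            continue
        if established and not pkt.ack:
            continue
        return action == "permit"
    return False

ANY, NET1, NET3 = ("0.0.0.0", "255.255.255.255"), ("172.16.1.0", "0.0.0.255"), ("172.16.3.0", "0.0.0.255")
# Section 2: Outside-control with the 'established' entry, applied inbound on R1 F1/0
ACL_ESTABLISHED = [("permit", "tcp", *NET1, *NET3, True),
                   ("deny", "ip", *NET1, *NET3, False),
                   ("permit", "ip", *ANY, *ANY, False)]
ACL_CBAC = ACL_ESTABLISHED[1:]   # section 3: the same ACL without the 'established' entry

class R1F10:
    """R1 F1/0 with the ACL applied 'in' and 'ip inspect CBAC out' (section 3, step ④).
    Simplified: a session is a plain 5-tuple; real CBAC tracks far more per protocol."""
    def __init__(self, acl, inspected=("tcp", "udp", "icmp")):
        self.acl, self.inspected, self.sessions = acl, set(inspected), set()
    def outbound(self, pkt):
        """PC2 -> PC1 traffic leaving F1/0 is inspected; a session opens for the reply."""
        if pkt.proto in self.inspected:
            self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True
    def inbound(self, pkt):
        """PC1 -> PC2 traffic entering F1/0: a reply to an inspected session bypasses the ACL."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return key in self.sessions or acl_permits(self.acl, pkt)
```

With ACL_ESTABLISHED only PC1's TCP replies (ACK set) get back to PC2, which is why telnet works in section 2 but ping and the DNS lookup do not; with ACL_CBAC the same UDP and ICMP replies pass once PC2's outbound packet has opened a session, while a PC1-initiated connection is still denied.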