拓扑如上:两台路由器,已经配置好了IP地址,并且都已经启用了TELNET,密码为cisco .
实验一:我们都知道PING是双向的,但我们灵活应用ACL使R1可以拼通R2,但是R2不能拼通R1 !
步骤1:测试在R1拼R2与在R2拼R1
r1#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r1#
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r1#
r2#ping 12.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
r2#
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
r2#
步骤2:在R1上写ACL并应用在接口
r1(config)#access-list 100 permit icmp host 12.1.1.2 host 12.1.1.1 echo-relay
--允许12.1.1.2到12.1.1.1 返回的包,意思就是如果12.1.1.2回12.1.1.1的包就允许,而12.1.1.2主动发起的拼包就不允许。
r1(config)#interface e0/0
r1(config-if)#ip access-group 100 in --进入接口并启用ACL 100
r1(config-if)#ip access-group 100 in --进入接口并启用ACL 100
步骤3:验证R1拼R2与R2拼R1
r1#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r1#
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r1#
r2#ping 12.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
r2#
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
r2#
实验二:使R1能TELNET进R2,而R2不能TELNET进R1
步骤1:在R1与R2测试相互TELNET对方
r1#telnet 12.1.1.2
Trying 12.1.1.2 ... Open
Trying 12.1.1.2 ... Open
User Access Verification
Password:
r2>
r2>
r2#telnet 12.1.1.1
Trying 12.1.1.1 ... Open
Trying 12.1.1.1 ... Open
User Access Verification
Password:
r1>
r1>
步骤2:在R1上写ACL并应用到接口
r1(config)#access-list 100 permit tcp host 12.1.1.2 eq 23 host 12.1.1.1 gt 1024
--- 只允许12.1.1.2的23端口访问12.1.1.1大于1024的端口,这样灵活应用TCP的端口号,实现了R1能TELNET进R2,而R2却不能TELNET进R1。
r1(config)#interface e0/0
r1(config-if)#ip access-group 100 in
r1(config-if)#end
r1#
步骤3:验证R1与R2互相TELNET对方
r1#telnet 12.1.1.2
Trying 12.1.1.2 ... Open
User Access Verification
Password:
r2>
r2#telnet 12.1.1.1
Trying 12.1.1.1 ...
% Destination unreachable; gateway or host down
r2#
总结:
|
在两个实例说明了ACL的强大,即可以实现软防火墙的功能,内部始发的流量FOWARD,而外部向内部始发的流量DROP,安全的关键在于构思,怎样去灵活运用,把功能实现最大化。
本文转自 meiyanaa 51CTO博客,原文链接:http://blog.51cto.com/justim/236719,如需转载请自行联系原作者