A question about access control lists
This post was last edited by huzhanhu on 2012-12-5 15:02. The requirement is: with 199.200.0.0 as the source, it must not be able to ping 192.168.1.0 but must be able to ping 192.168.2.0; with 3.3.3.3 as the source, it must not be able to ping 192.168.2.0 but must be able to ping 192.168.1.0.
How can this be implemented?
R1 configuration:
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
ip address 192.168.2.1 255.255.255.0
!
interface Loopback2
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto
router ospf 100
log-adjacency-changes
redistribute connected subnets
network 12.1.1.1 0.0.0.0 area 0
R2 configuration:
interface FastEthernet0/0
ip address 23.1.1.2 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 12.1.1.2 255.255.255.0
duplex auto
speed auto
router eigrp 100
redistribute ospf 100 metric 100000 10 255 1 1500
network 23.0.0.0
auto-summary
!
router ospf 100
log-adjacency-changes
redistribute eigrp 100 subnets
network 12.1.1.2 0.0.0.0 area 0
R3 configuration:
interface Loopback0
ip address 200.199.1.1 255.255.255.0
!
interface Loopback1
ip address 200.199.2.1 255.255.255.0
!
interface Loopback2
ip address 200.199.3.1 255.255.255.0
!
interface Loopback3
ip address 200.199.4.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
ip access-group 100 in
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 23.1.1.3 255.255.255.0
duplex auto
speed auto
router eigrp 100
redistribute connected metric 100000 10 255 1 1500
network 23.0.0.0
no auto-summary
Also, I configured an inbound ACL on R2's f0/0:
access-list 100 deny icmp 199.200.0.0 0.0.255.255 192.168.2.0 0.0.0.255 echo
access-list 100 permit icmp any any
After that, R3's f0/0 keeps going up and down, and R3 cannot learn the routes from R1's side.
Could everyone tell me how to implement this, and what is causing the problem that follows?
Describe the interfaces clearly and paste your configuration~
Jeff. posted on 2012-12-5 14:50:
Describe the interfaces clearly and paste your configuration~
I have re-edited the post, please take another look.
This post was last edited by wantccie on 2012-12-5 20:14.
Let's look at the configuration first.
R2:
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
ip address 192.168.2.1 255.255.255.0
!
interface Loopback2
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
duplex auto
speed auto
!
!
router ospf 100
router-id 2.2.2.2
log-adjacency-changes
redistribute connected subnets
network 12.1.1.2 0.0.0.0 area 0
R1:
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 13.1.1.1 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
!
!
router eigrp 90
redistribute ospf 100 metric 10000 100 255 1 1500
network 13.1.1.1 0.0.0.0
auto-summary
!
router ospf 100
log-adjacency-changes
redistribute eigrp 90 subnets
network 12.1.1.1 0.0.0.0 area 0
!
ip http server
ip forward-protocol nd
!
!
!
access-list 100 permit eigrp any any
access-list 100 deny icmp 200.199.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 permit icmp any any
R3:
interface Loopback0
ip address 200.199.1.1 255.255.255.0
!
interface Loopback1
ip address 200.199.2.1 255.255.255.0
!
interface Loopback2
ip address 200.199.3.1 255.255.255.0
!
interface Loopback3
ip address 200.199.4.1 255.255.255.0
!
interface Loopback333
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
ip address 13.1.1.3 255.255.255.0
duplex auto
speed auto
!
!
router eigrp 90
redistribute connected metric 10000 1500 255 1 1500
network 13.1.1.3 0.0.0.0
auto-summary
Requirements
With 200.199.0.0 as the source: cannot ping 192.168.1.0, but can ping 192.168.2.0
With 3.3.3.3 as the source: cannot ping 192.168.2.0, but can ping 192.168.1.0
These requirements can be met with an ACL applied inbound on R1's F1/0, or inbound on R2's F0/0; the two differ slightly.
Configuring the ACL on R1
Requirement 1
With 200.199.0.0 as the source: cannot ping 192.168.1.0, but can ping 192.168.2.0
ACL configured on R1
access-list 100 permit eigrp any any
access-list 100 deny icmp 200.199.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 permit icmp any any
Apply it on the interface
interface FastEthernet1/0
ip address 13.1.1.1 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
Test:
On R3
Rack30R3#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/35/92 ms
Rack30R3#ping 192.168.1.1 source 200.199.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 200.199.1.1
U.U.U
Success rate is 0 percent (0/5)
Rack30R3#ping 192.168.2.1 source 200.199.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 200.199.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/32/76 ms
Requirement 2
With 3.3.3.3 as the source: cannot ping 192.168.2.0, but can ping 192.168.1.0
Add to the ACL on R1
access-list 100 deny icmp host 3.3.3.3 192.168.2.0 0.0.0.255
On R3
Rack30R3#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/50/116 ms
Rack30R3#ping 192.168.2.1 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
U.U.U
Success rate is 0 percent (0/5)
Rack30R3#ping 192.168.1.1 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/47/100 ms
Configuring the ACL on R2
access-list 100 permit ospf any any (think about why this entry is needed, and what would happen without it)
access-list 100 deny icmp 200.199.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 deny icmp host 3.3.3.3 192.168.2.0 0.0.0.255
access-list 100 permit icmp any any
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
Test:
Rack30R3#ping 192.168.2.1 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
U.U.U
Success rate is 0 percent (0/5)
Rack30R3#ping 192.168.1.1 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/47/88 ms
Rack30R3#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/40/108 ms
Rack30R3#ping 192.168.1.1 source 200.199.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 200.199.1.1
U.U.U
Success rate is 0 percent (0/5)
Rack30R3#ping 192.168.2.1 source 200.199.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 200.199.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/55/92 ms
Summary:
1. When doing ACL labs, first make sure the whole network has full reachability.
2. With only the deny icmp and permit icmp entries, the EIGRP adjacency between R1 and R3 goes down, because EIGRP (IP protocol 88) is denied; R3 is then left with only its directly connected routes.
3. When testing, remember to add the source option, so you can see more accurately whether the requirement is met.
Still getting my head around it, still learning!!!
wantccie posted on 2012-12-5 20:03:
Let's look at the configuration first.
R2:
interface Loopback0
When doing the filtering, wasn't it limited to icmp? How can it end up rejecting IP protocol 88?
access-list 100 permit ospf any any
access-list 100 permit eigrp any any
Do these two entries have to be added for OSPF and EIGRP?
wantccie posted on 2012-12-5 20:03:
Let's look at the configuration first.
R2:
interface Loopback0
wantccie is always so helpful...
Really glad to see you show up here……--
huzhanhu posted on 2012-12-5 22:34:
When doing the filtering, wasn't it limited to icmp? How can it end up rejecting
IP protocol 88?
access-list 100 permit ospf any any
Yes, they must be added~ By default, when a packet matches no entry in an ACL, the final action is deny. EIGRP and OSPF update packets will not match your ICMP entries, and nothing in the ACL explicitly permits those updates.
Learn ACLs well and your networking skills will improve!--
huzhanhu posted on 2012-12-5 22:34:
When doing the filtering, wasn't it limited to icmp? How can it end up rejecting
IP protocol 88?
access-list 100 permit ospf any any
Because your last entry is permit icmp any any, EIGRP and OSPF (IP protocol numbers 88 and 89 respectively) are dropped by the implicit deny at the end of the list.
So in that situation no routes are learned, because the routing-protocol neighbors have gone down.
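As an added illustration (not code from the thread), here is a small Python model of how an IOS numbered ACL is evaluated: first match wins, Cisco wildcard masks, and the implicit deny at the end. The two ACL lists are constructed from the entries discussed above; the model shows why the ICMP-only list drops EIGRP (protocol 88) and why the deny entries must sit before permit icmp any any.

```python
import ipaddress

# IP protocol numbers behind the keywords used in the thread's ACLs.
PROTO_NUM = {"icmp": 1, "eigrp": 88, "ospf": 89}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _take_addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]

def parse_ace(line: str):
    """Parse 'access-list N permit|deny PROTO SRC DST' into a tuple."""
    tok = line.split()
    action, proto = tok[2], PROTO_NUM[tok[3]]
    src, src_wc, rest = _take_addr(tok[4:])
    dst, dst_wc, _ = _take_addr(rest)
    return action, proto, src, src_wc, dst, dst_wc

def evaluate(acl_lines, protocol: int, src: str, dst: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, proto, s, s_wc, d, d_wc in map(parse_ace, acl_lines):
        if proto == protocol and wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"   # the implicit 'deny ip any any' at the end of every IOS ACL

# Constructed ACLs modelled on the thread: the ICMP-only list that broke the EIGRP
# adjacency, and the corrected list with EIGRP permitted first and both denies
# placed before 'permit icmp any any'.
ICMP_ONLY = [
    "access-list 100 deny icmp 200.199.0.0 0.0.255.255 192.168.1.0 0.0.0.255",
    "access-list 100 permit icmp any any",
]
FIXED = [
    "access-list 100 permit eigrp any any",
    "access-list 100 deny icmp 200.199.0.0 0.0.255.255 192.168.1.0 0.0.0.255",
    "access-list 100 deny icmp host 3.3.3.3 192.168.2.0 0.0.0.255",
    "access-list 100 permit icmp any any",
]

def eigrp_hello_passes(acl_lines) -> bool:
    """Would an EIGRP hello from R3 (13.1.1.3) to 224.0.0.10 get through this ACL?"""
    return evaluate(acl_lines, PROTO_NUM["eigrp"], "13.1.1.3", "224.0.0.10") == "permit"
```

Reversing the order of FIXED makes permit icmp any any match first, so the source-based denies never fire; that is the ordering pitfall behind the test output above.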