huzhanhu posted on 2012-12-5 13:47:52

A question about access control lists

This post was last edited by huzhanhu on 2012-12-5 15:02

Requirement: with 199.200.0.0 as the source, 192.168.1.0 must not be pingable but 192.168.2.0 must be; with 3.3.3.3 as the source, 192.168.2.0 must not be pingable but 192.168.1.0 must be.
How do I implement this?
R1 configuration:
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
ip address 192.168.2.1 255.255.255.0
!
interface Loopback2
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto

router ospf 100
log-adjacency-changes
redistribute connected subnets
network 12.1.1.1 0.0.0.0 area 0

R2 configuration:
interface FastEthernet0/0
ip address 23.1.1.2 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 12.1.1.2 255.255.255.0
duplex auto
speed auto

router eigrp 100
redistribute ospf 100 metric 100000 10 255 1 1500
network 23.0.0.0
auto-summary
!
router ospf 100
log-adjacency-changes
redistribute eigrp 100 subnets
network 12.1.1.2 0.0.0.0 area 0


R3 configuration:
interface Loopback0
ip address 200.199.1.1 255.255.255.0
!
interface Loopback1
ip address 200.199.2.1 255.255.255.0
!
interface Loopback2
ip address 200.199.3.1 255.255.255.0
!
interface Loopback3
ip address 200.199.4.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
ip access-group 100 in
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 23.1.1.3 255.255.255.0
duplex auto
speed auto

router eigrp 100
redistribute connected metric 100000 10 255 1 1500
network 23.0.0.0
no auto-summary



Also, on R2's f0/0 I configured the following inbound ACL:
access-list 100 deny icmp 199.200.0.0 0.0.255.255 192.168.2.0 0.0.0.255 echo
access-list 100 permit icmp any any
After that, R3's f0/0 kept flapping up/down and could not learn the routes from R1's side.

Could someone tell me how to implement this, and what causes the problem described above?

Jeff. posted on 2012-12-5 14:50:23

Describe the interfaces clearly and post the configuration.

huzhanhu posted on 2012-12-5 15:02:48

Jeff. posted on 2012-12-5 14:50
Describe the interfaces clearly and post the configuration.

I have re-edited the post, please take another look.

wantccie posted on 2012-12-5 20:03:37

This post was last edited by wantccie on 2012-12-5 20:14

First, the configuration:
R2:
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
ip address 192.168.2.1 255.255.255.0
!
interface Loopback2
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
duplex auto
speed auto
!
!
router ospf 100
router-id 2.2.2.2
log-adjacency-changes
redistribute connected subnets
network 12.1.1.2 0.0.0.0 area 0

R1:
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 13.1.1.1 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
!
!
router eigrp 90
redistribute ospf 100 metric 10000 100 255 1 1500
network 13.1.1.1 0.0.0.0
auto-summary
!
router ospf 100
log-adjacency-changes
redistribute eigrp 90 subnets
network 12.1.1.1 0.0.0.0 area 0
!
ip http server
ip forward-protocol nd
!
!
!
access-list 100 permit eigrp any any
access-list 100 deny   icmp 200.199.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 permit icmp any any

R3:
interface Loopback0
ip address 200.199.1.1 255.255.255.0
!
interface Loopback1
ip address 200.199.2.1 255.255.255.0
!
interface Loopback2
ip address 200.199.3.1 255.255.255.0
!
interface Loopback3
ip address 200.199.4.1 255.255.255.0
!
interface Loopback333
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
ip address 13.1.1.3 255.255.255.0
duplex auto
speed auto
!
!
router eigrp 90
redistribute connected metric 10000 1500 255 1 1500
network 13.1.1.3 0.0.0.0
auto-summary

Requirements
With 200.199.0.0 as the source, 192.168.1.0 must not be reachable by ping but 192.168.2.0 must be
With 3.3.3.3 as the source, 192.168.2.0 must not be reachable by ping but 192.168.1.0 must be

These requirements can be met by configuring an ACL inbound on R1's F1/0 or inbound on R2's F0/0; the two differ slightly.

Configuring the ACL on R1

Requirement 1
With 200.199.0.0 as the source, 192.168.1.0 must not be reachable by ping but 192.168.2.0 must be

ACL configured on R1
access-list 100 permit eigrp any any
access-list 100 deny   icmp 200.199.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 permit icmp any any

Apply it on the interface
interface FastEthernet1/0
ip address 13.1.1.1 255.255.255.0
ip access-group 100 in
duplex auto
speed auto

Test:
On R3
Rack30R3#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/35/92 ms
Rack30R3#ping 192.168.1.1 source 200.199.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 200.199.1.1
U.U.U
Success rate is 0 percent (0/5)
Rack30R3#ping 192.168.2.1 source 200.199.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 200.199.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/32/76 ms

Requirement 2
With 3.3.3.3 as the source, 192.168.2.0 must not be reachable by ping but 192.168.1.0 must be

Add an ACL entry on R1
access-list 100 deny icmp host 3.3.3.3 192.168.2.0 0.0.0.255

On R3
Rack30R3#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/50/116 ms
Rack30R3#ping 192.168.2.1 source 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
U.U.U
Success rate is 0 percent (0/5)
Rack30R3#ping 192.168.1.1 source 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/47/100 ms

Configuring the ACL on R2
access-list 100 permit ospf any any
(Think about why this entry is needed, and what the consequence would be if it were left out.)
access-list 100 deny   icmp 200.199.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 deny   icmp host 3.3.3.3 192.168.2.0 0.0.0.255
access-list 100 permit icmp any any

interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
ip access-group 100 in
duplex auto
speed auto

Test:
Rack30R3#ping 192.168.2.1 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
U.U.U
Success rate is 0 percent (0/5)
Rack30R3#ping 192.168.1.1 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/47/88 ms
Rack30R3#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/40/108 ms
Rack30R3#ping 192.168.1.1 source 200.199.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 200.199.1.1
U.U.U
Success rate is 0 percent (0/5)
Rack30R3#ping 192.168.2.1 source 200.199.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 200.199.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/55/92 ms


Summary:
1. When doing ACL labs, first make sure the whole network is reachable.
2. With only the deny icmp and permit icmp entries, the EIGRP neighbour between R1 and R3 goes down, because EIGRP (IP protocol 88) is denied; R3 is then left with only its connected routes.
3. When testing, remember to add source, so that you can check more accurately whether the requirement is met.

WindowsAndLinux posted on 2012-12-5 22:14:11

Following along, learning!!!

huzhanhu posted on 2012-12-5 22:34:08

wantccie posted on 2012-12-5 20:03
First, the configuration:
R2:
interface Loopback0


When applying the control, didn't we restrict it to icmp? How does it end up denying
IP protocol 88?
access-list 100 permit ospf any any
access-list 100 permit eigrp any any
With OSPF and EIGRP, must these two entries be added?

bookpig posted on 2012-12-6 10:53:28

wantccie posted on 2012-12-5 20:03
First, the configuration:
R2:
interface Loopback0


wantccie is always so helpful...

Really glad to see you show up……

magic_os posted on 2012-12-6 10:56:38

huzhanhu posted on 2012-12-5 22:34
When applying the control, didn't we restrict it to icmp? How does it end up denying
IP protocol 88?
access-list 100 permit ospf any any


They must be added~ because by default, when a packet matches no entry in the ACL, the final action is deny. EIGRP and OSPF update packets will not match your ICMP entries, and the ACL has no entry that explicitly permits those updates.

linda.! posted on 2012-12-6 15:23:49

Learn access control lists well and your networking skills will improve!

wantccie posted on 2012-12-6 19:18:23

huzhanhu posted on 2012-12-5 22:34
When applying the control, didn't we restrict it to icmp? How does it end up denying
IP protocol 88?
access-list 100 permit ospf any any


Because your last entry is permit icmp any any, EIGRP and OSPF, which are IP protocol numbers 88 and 89 respectively, are dropped by the implicit deny at the end of the list.

So in this situation no routes can be learned, because the routing-protocol neighbours have gone down.
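As an added example (not code from the thread), this Python script models the first-match, implicit-deny evaluation that wantccie's summary and the replies above describe: an EIGRP hello (IP protocol 88) falls through to the implicit deny unless `permit eigrp any any` appears in the list, while the ICMP entries still behave as required. The EIGRP multicast destination 224.0.0.10 and the "no EIGRP entry" list are assumptions, constructed to mirror the original poster's mistake.

```python
import ipaddress

# IP protocol numbers for the keywords used in the thread's ACLs ("ip" = any protocol).
PROTO = {"icmp": 1, "eigrp": 88, "ospf": 89, "ip": None}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def _take_addr(tok):
    """Consume 'any', 'host X' or 'X WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' into (permit, proto, src, dst)."""
    tok = line.split()
    permit, proto = tok[2] == "permit", PROTO[tok[3]]
    src, rest = _take_addr(tok[4:])
    dst, _ = _take_addr(rest)
    return permit, proto, src, dst


def evaluate(acl, proto, src, dst):
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for line in acl:
        permit, p, (sb, sw), (db, dw) = parse_ace(line)
        if ((p is None or p == proto) and wildcard_match(src, sb, sw)
                and wildcard_match(dst, db, dw)):
            return permit
    return False  # implicit "deny ip any any" at the end of every IOS ACL


# Constructed list mirroring the original poster's mistake: no entry for EIGRP.
ACL_NO_EIGRP = [
    "access-list 100 deny icmp 200.199.0.0 0.0.255.255 192.168.1.0 0.0.0.255",
    "access-list 100 permit icmp any any",
]
# The corrected list from the thread: the routing protocol is permitted explicitly.
ACL_FIXED = ["access-list 100 permit eigrp any any"] + ACL_NO_EIGRP

# Assumed EIGRP hello: protocol 88 from R3's interface to the EIGRP multicast group.
EIGRP_HELLO = (88, "13.1.1.3", "224.0.0.10")

if __name__ == "__main__":
    for name, acl in (("no eigrp entry", ACL_NO_EIGRP), ("fixed", ACL_FIXED)):
        print(name, "-> EIGRP hello permitted:", evaluate(acl, *EIGRP_HELLO))
```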