雏鹰部落

[Discussion/Help] A question about access control lists

Posted on 2012-12-5 13:47:52
This post was last edited by huzhanhu on 2012-12-5 15:02

The requirement is: with 199.200.0.0 as the source, it must not be able to ping 192.168.1.0 but must be able to ping 192.168.2.0; with 3.3.3.3 as the source, it must not be able to ping 192.168.2.0 but must be able to ping 192.168.1.0.
How can this be implemented?
R1 configuration:
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
ip address 192.168.2.1 255.255.255.0
!
interface Loopback2
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto

router ospf 100
log-adjacency-changes
redistribute connected subnets
network 12.1.1.1 0.0.0.0 area 0

R2 configuration:
interface FastEthernet0/0
ip address 23.1.1.2 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 12.1.1.2 255.255.255.0
duplex auto
speed auto

router eigrp 100
redistribute ospf 100 metric 100000 10 255 1 1500
network 23.0.0.0
auto-summary
!
router ospf 100
log-adjacency-changes
redistribute eigrp 100 subnets
network 12.1.1.2 0.0.0.0 area 0


R3 configuration:
interface Loopback0
ip address 200.199.1.1 255.255.255.0
!
interface Loopback1
ip address 200.199.2.1 255.255.255.0
!
interface Loopback2
ip address 200.199.3.1 255.255.255.0
!
interface Loopback3
ip address 200.199.4.1 255.255.255.0
!
interface FastEthernet0/0
no ip address
ip access-group 100 in
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
ip address 23.1.1.3 255.255.255.0
duplex auto
speed auto

router eigrp 100
redistribute connected metric 100000 10 255 1 1500
network 23.0.0.0
no auto-summary



Also, I configured an ACL in the in direction on R2's f0/0:
access-list 100 deny icmp 199.200.0.0 0.0.255.255 192.168.2.0 0.0.0.255 echo
access-list 100 permit icmp any any
After that, R3's f0/0 keeps going up and down, and it doesn't learn the routes from R1's side.

Could everyone tell me how to implement this, and also what causes the later problem?

Posted on 2012-12-5 14:50:23
Describe the interfaces clearly and paste the configuration~
Original poster | Posted on 2012-12-5 15:02:48
Jeff. posted on 2012-12-5 14:50
Describe the interfaces clearly and paste the configuration~

I re-edited the post, please take another look.
Posted on 2012-12-5 20:03:37
This post was last edited by wantccie on 2012-12-5 20:14

First, look at the configuration
R2:
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
ip address 192.168.2.1 255.255.255.0
!
interface Loopback2
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
duplex auto
speed auto
!
!
router ospf 100
router-id 2.2.2.2
log-adjacency-changes
redistribute connected subnets
network 12.1.1.2 0.0.0.0 area 0

R1:
interface FastEthernet0/0
ip address 12.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 13.1.1.1 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
!
!
router eigrp 90
redistribute ospf 100 metric 10000 100 255 1 1500
network 13.1.1.1 0.0.0.0
auto-summary
!
router ospf 100
log-adjacency-changes
redistribute eigrp 90 subnets
network 12.1.1.1 0.0.0.0 area 0
!
ip http server
ip forward-protocol nd
!
!
!
access-list 100 permit eigrp any any
access-list 100 deny   icmp 200.199.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 permit icmp any any

R3:
interface Loopback0
ip address 200.199.1.1 255.255.255.0
!
interface Loopback1
ip address 200.199.2.1 255.255.255.0
!
interface Loopback2
ip address 200.199.3.1 255.255.255.0
!
interface Loopback3
ip address 200.199.4.1 255.255.255.0
!
interface Loopback333
ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
ip address 13.1.1.3 255.255.255.0
duplex auto
speed auto
!
!
router eigrp 90
redistribute connected metric 10000 1500 255 1 1500
network 13.1.1.3 0.0.0.0
auto-summary

Requirements
With 200.199.0.0 as the source, cannot ping 192.168.1.0 but can ping 192.168.2.0
With 3.3.3.3 as the source, cannot ping 192.168.2.0 but can ping 192.168.1.0

The above requirements can be met by configuring an ACL in the in direction on R1's F1/0, or in the in direction on R2's F0/0; there is a slight difference between the two.

Configuring the ACL on R1

Requirement 1
With 200.199.0.0 as the source, cannot ping 192.168.1.0 but can ping 192.168.2.0

Configure the ACL on R1
access-list 100 permit eigrp any any
access-list 100 deny   icmp 200.199.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 permit icmp any any

Apply it on the interface
interface FastEthernet1/0
ip address 13.1.1.1 255.255.255.0
ip access-group 100 in
duplex auto
speed auto

Test:
On R3
Rack30R3#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/35/92 ms
Rack30R3#ping 192.168.1.1 source 200.199.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 200.199.1.1
U.U.U
Success rate is 0 percent (0/5)
Rack30R3#ping 192.168.2.1 source 200.199.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 200.199.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/32/76 ms

Requirement 2
With 3.3.3.3 as the source, cannot ping 192.168.2.0 but can ping 192.168.1.0

Add to the ACL on R1
access-list 100 deny icmp host 3.3.3.3 192.168.2.0 0.0.0.255

On R3
Rack30R3#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/50/116 ms
Rack30R3#ping 192.168.2.1 source 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
U.U.U
Success rate is 0 percent (0/5)
Rack30R3#ping 192.168.1.1 source 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/47/100 ms

Configuring the ACL on R2
access-list 100 permit ospf any any (think about why this line is needed, and what happens if it is left out)
access-list 100 deny   icmp 200.199.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 deny   icmp host 3.3.3.3 192.168.2.0 0.0.0.255
access-list 100 permit icmp any any

interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
ip access-group 100 in
duplex auto
speed auto

Test:
Rack30R3#ping 192.168.2.1 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
U.U.U
Success rate is 0 percent (0/5)
Rack30R3#ping 192.168.1.1 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/47/88 ms
Rack30R3#ping 192.168.1.1        
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/40/108 ms
Rack30R3#ping 192.168.1.1 source 200.199.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 200.199.1.1
U.U.U
Success rate is 0 percent (0/5)
Rack30R3#ping 192.168.2.1 source 200.199.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 200.199.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/55/92 ms


Summary:
1. When doing ACL labs, first make sure the whole network is reachable
2. With only deny icmp and permit icmp, the EIGRP neighborship between R1 and R3 goes down, because EIGRP, IP protocol 88, is denied, so R3 has only its directly connected routes
3. When testing, remember to add source, so you can see more accurately whether the requirement is met
Posted on 2012-12-5 22:14:11
Trying to understand, still learning!!!
Original poster | Posted on 2012-12-5 22:34:08
wantccie posted on 2012-12-5 20:03
First, look at the configuration
R2:
interface Loopback0

When doing the filtering, wasn't it restricted to icmp? How could it deny IP protocol 88?
access-list 100 permit ospf any any
access-list 100 permit eigrp any any  Must these two lines be added when running OSPF and EIGRP?
Posted on 2012-12-6 10:53:28
wantccie posted on 2012-12-5 20:03
First, look at the configuration
R2:
interface Loopback0

wantccie is always so helpful...

It's great to see you show up...
Posted on 2012-12-6 10:56:38
huzhanhu posted on 2012-12-5 22:34
When doing the filtering, wasn't it restricted to icmp? How could it deny
IP protocol 88?
access-list 100 permit ospf any any

They must be added~ Because by default, when an ACL matches no entry, the final action is deny. EIGRP and OSPF update packets do not match your ICMP entries, and no entry in the ACL explicitly permits these updates.
Posted on 2012-12-6 15:23:49
Learn access control lists well and your networking skills will improve!
Posted on 2012-12-6 19:18:23
huzhanhu posted on 2012-12-5 22:34
When doing the filtering, wasn't it restricted to icmp? How could it deny
IP protocol 88?
access-list 100 permit ospf any any

Because your last entry is permit icmp any any, eigrp and ospf, IP protocol numbers 88 and 89 respectively, are implicitly denied after the last entry.

So in that situation routes can't be learned, because the routing-protocol neighbors go down.
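The behaviour described in wantccie's summary and in the last reply (first-match evaluation, wildcard masks, and the implicit deny that silently drops EIGRP and OSPF hellos) can be checked offline with the small ACL simulator below. This is an added example, not code from the thread or from Cisco IOS. The ACL text is taken from the posts (the original poster's two-line list, with its duplicated `icmp` keyword removed, and wantccie's R2 list); the hello packets (EIGRP to 224.0.0.10, OSPF to 224.0.0.5) and the ICMP echo samples are constructed inputs. The simulator models numbered extended ACLs only as far as this thread uses them: protocol keyword, source and destination given as `any`, `host` or address plus wildcard mask, and an optional ICMP type.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers behind the IOS extended-ACL keywords (None = any IP protocol)
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "eigrp": 88, "ospf": 89}

# Constructed routing-protocol hellos: EIGRP and OSPF use link-local multicast
# destinations, so they never match an entry written for a unicast subnet.
EIGRP_HELLO = (88, "23.1.1.3", "224.0.0.10")
OSPF_HELLO = (89, "12.1.1.1", "224.0.0.5")

# ACL text copied from the thread (OP list with the duplicated 'icmp' removed).
OP_ACL = """
access-list 100 deny icmp 199.200.0.0 0.0.255.255 192.168.2.0 0.0.0.255 echo
access-list 100 permit icmp any any
"""
R2_ACL = """
access-list 100 permit ospf any any
access-list 100 deny icmp 200.199.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 deny icmp host 3.3.3.3 192.168.2.0 0.0.0.255
access-list 100 permit icmp any any
"""


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # key of PROTO
    src: str                         # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W"
    dst: str
    icmp_type: Optional[str] = None  # e.g. "echo"; None matches every ICMP type


def _take_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(text):
    """Parse 'access-list N action proto src dst [icmp-type]' lines, keeping order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
        icmp_type = t[i] if i < len(t) else None
        aces.append(Ace(t[2], t[3], src, dst, icmp_type))
    return aces


def _match_addr(spec, addr):
    """IOS wildcard semantics: a 1 bit in the mask means 'do not care'."""
    if spec == "any":
        return True
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    base, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    return ((a ^ base) & ~wild & 0xFFFFFFFF) == 0


def evaluate(aces, proto, src, dst, icmp_type=None):
    """First-match evaluation. Returns (action, 1-based entry number), or
    ('deny', None) when nothing matched: the implicit 'deny ip any any'."""
    for n, ace in enumerate(aces, 1):
        want = PROTO[ace.proto]
        if want is not None and want != proto:
            continue
        if not (_match_addr(ace.src, src) and _match_addr(ace.dst, dst)):
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, n
    return "deny", None


def routing_verdicts(aces):
    """What the list does to the two hellos: the check to run before applying
    an inbound ACL on a link that carries a routing adjacency."""
    return {"eigrp": evaluate(aces, *EIGRP_HELLO)[0],
            "ospf": evaluate(aces, *OSPF_HELLO)[0]}


if __name__ == "__main__":
    for name, text in (("OP", OP_ACL), ("wantccie R2", R2_ACL)):
        print(name, routing_verdicts(parse_acl(text)))
    r2 = parse_acl(R2_ACL)
    for src, dst in (("200.199.1.1", "192.168.1.1"), ("200.199.1.1", "192.168.2.1"),
                     ("3.3.3.3", "192.168.2.1"), ("3.3.3.3", "192.168.1.1")):
        print(f"echo {src} -> {dst}:", evaluate(r2, 1, src, dst, "echo"))
```

Running it shows the original poster's list denying both hellos (nothing matches, so the implicit deny applies), while the R2 list permits OSPF, which is the protocol on R2's 12.1.1.0 link, and still denies EIGRP, so each list has to permit the routing protocol actually running on the interface it is applied to. The simulator applies strict first-match, so a deny entry only takes effect when it sits above `permit icmp any any`, as both deny lines do in the R2 list on the page.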