本文介绍如何使用标准和扩展访问列表来控制网络访问。通过配置路由器,可以实现对外部网络的访问限制,包括特定IP地址的访问控制及特定端口的数据包过滤。
实现1:
标准控制访问列表:用于控制远程计算机TELNET,在默认情况下路由器是不允许任何计算机登录的,开启标准访问列表后就允许指定的IP地址的主机访问。
<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />
Router(config)#access-list 50 permit 192.168.1.2
Router(config)#line vty 0 4
in Filter incoming connections
out Filter outgoing connections
Router(config-line)#access-class 50 in
Router(config-line)#line vty 0 4
Router(config-line)#password 1
Router(config-line)#login
结果:
PC>telnet 192.168.1.1
Trying 192.168.1.1 ...
% Connection refused by remote host
PC>
PC>telnet 192.168.1.1
Trying 192.168.1.1 ...Open
User Access Verification
Password:
Router>en
指定对特定的IP主机限制其能否访问外网(阻止)。
Router(config)#access-list 1 deny 192.168.1.2
Router(config)#access-list 1 permit any
Router(config)#int s0/0
Router(config-if)#ip access-group 1 out
结果:没限制前:
PC>ping 10.0.0.3
Pinging 10.0.0.3 with 32 bytes of data:
Request timed out.
Reply from 10.0.0.3: bytes=32 time=125ms TTL=126
Reply from 10.0.0.3: bytes=32 time=157ms TTL=126
Reply from 10.0.0.3: bytes=32 time=156ms TTL=126
Ping statistics for 10.0.0.3:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 125ms, Maximum = 157ms, Average = 146ms
限制后:
PC>ping 10.0.0.3
Pinging 10.0.0.3 with 32 bytes of data:
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Ping statistics for 10.0.0.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
实现 2:
扩展控制访问列表:对特定的IP地址段的主机限制其访问外网的能力
Router(config)#access-list 105 permit icmp 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
Router(config)#int s0/0
Router(config-if)#ip access-group 105 out
限制前192.168.2.0|24主机PC3
PC>ping 10.0.0.3
Pinging 10.0.0.3 with 32 bytes of data:
Reply from 10.0.0.3: bytes=32 time=125ms TTL=126
Reply from 10.0.0.3: bytes=32 time=157ms TTL=126
Reply from 10.0.0.3: bytes=32 time=157ms TTL=126
Reply from 10.0.0.3: bytes=32 time=125ms TTL=126
Ping statistics for 10.0.0.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 125ms, Maximum = 157ms, Average = 141ms
限制后PC3:
PC>ping 10.0.0.3
Pinging 10.0.0.3 with 32 bytes of data:
Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.
Ping statistics for 10.0.0.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
而192.168.1.0|24网段的PC机配置前后都为:
PC>ping 10.0.0.3
Pinging 10.0.0.3 with 32 bytes of data:
Reply from 10.0.0.3: bytes=32 time=125ms TTL=126
Reply from 10.0.0.3: bytes=32 time=157ms TTL=126
Reply from 10.0.0.3: bytes=32 time=157ms TTL=126
Reply from 10.0.0.3: bytes=32 time=125ms TTL=126
Ping statistics for 10.0.0.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 125ms, Maximum = 157ms, Average = 141ms
注:先对端口s0/0 no
ip access-group 105 out
命令
对特定端口的IP数据包进行过滤(阻止);
Router(config)#access-list 101 deny tcp any 192.168.2.0 0.0.0.255 eq www
Router(config)#access-list 101 permit tcp any any eq www
Router(config)#int s0/0
Router(config-if)#p access-group 101 out
限制前:
PC>ping 10.0.0.3
Pinging 10.0.0.3 with 32 bytes of data:
Reply from 10.0.0.3: bytes=32 time=157ms TTL=126
Reply from 10.0.0.3: bytes=32 time=141ms TTL=126
Reply from 10.0.0.3: bytes=32 time=125ms TTL=126
Reply from 10.0.0.3: bytes=32 time=125ms TTL=126
Ping statistics for 10.0.0.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 125ms, Maximum = 157ms, Average = 137ms
限制后:
PC>ping 10.0.0.3
Pinging 10.0.0.3 with 32 bytes of data:
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Ping statistics for 10.0.0.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
HTTP:
Welcome to Cisco Packet Tracer, the best thing since..... Packet Tracer 4.x. Quick Links:
A small page
Copyrights
Image page
Image
对特定端口的IP数据包进行过滤(阻止)。
转载于:https://blog.51cto.com/netspider/264460
扫一扫
5254
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
