
Standard ACL and Extended ACL.doc

Uploaded by: a199****6536  Document ID: 3138488  Upload date: 2024-06-19  Format: DOC  Pages: 12  Size: 294KB

Lab 1: Standard ACL

I. Lab objectives

This lab covers:
(1) ACL design principles and how ACLs are processed
(2) Defining a standard ACL
(3) Applying an ACL
(4) Debugging a standard ACL

II. Topology

III. Lab steps

(1) Step 1: Configure router R1

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host R1
R1(config)#int fa 0/0
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#int fa 0/1
R1(config-if)#ip add 172.16.1.0 255.255.255.0
Bad mask /24 for address 172.16.1.0
R1(config-if)#ip add 172.16.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#int s0/0/0
R1(config-if)#ip add 192.168.12.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
R1(config)#router eigrp 1
R1(config-router)#network 10.1.1.0 0.0.0.255
R1(config-router)#network 172.16.1.0 0.0.0.255
R1(config-router)#network 192.168.12.0
R1(config-router)#no auto

(2) Step 2: Configure router R2

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line con 0
Router(config-line)#logg s
Router(config-line)#no ip domain-l
Router(config)#host R2
R2(config)#int s0/0/0
R2(config-if)#ip add 192.168.12.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R2(config-if)#int s0/0/1
R2(config-if)#ip add 192.168.23.2 25
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
5
R2(config-if)#ip add 192.168.23.2 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/0/1, changed state to down
R2(config)#int lo0
R2(config-if)#
%LINK-5-CHANGED: Interface Loopback0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#exit
R2(config)#router eigrp 1
R2(config-router)#network 2.2.2.0 0.0.0.255
R2(config-router)#network 192.168.12.0 0.0.0.255
R2(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 192.168.12.1 (Serial0/0/0) is up: new adjacency
R2(config-router)#network 192.168.23.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 192.168.12.1 (Serial0/0/0) is up: new adjacency
R2(config-router)#exit
R2(config)#access-list 1 deny 172.16.1.0 0.0.0.255    // define a standard ACL
R2(config)#access-list 1 permit any
R2(config)#interface s0/0/0
R2(config-if)#ip access-group 1 in    // enable the ACL on the interface
R2(config-if)#access-list 2 permit 172.16.3.1    // define a standard ACL
R2(config)#line vty 0 4
R2(config-line)#access-class 2 in    // enable the ACL on the vty lines
R2(config-line)#password cisco
R2(config-line)#login

(3) Step 3: Configure router R3

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line con 0
Router(config-line)#logg s
Router(config-line)#no ip domain-l
Router(config)#host R3
R3(config)#int fa 0/0
R3(config-if)#ip add 172.16.3.3 255.255.255.0
R3(config-if)#no shut
R3(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#int s0/0/1
R3(config-if)#ip add 192.168.23.3 255.255.255.0
R3(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/0/1, changed state to up
R3(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config-if)#exit
R3(config)#router eigrp 1
R3(config-router)#network 172.16.3.0 0.0.0.255
R3(config-router)#network 192.168.23.0 0.0.0.255
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 192.168.23.2 (Serial0/0/1) is up: new adjacency
R3(config-router)#no auto-summary
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 192.168.23.2 (Serial0/0/1) is up: new adjacency

IV. Lab verification

From a host on PC1's network, ping 2.2.2.2 should succeed; from a host on PC2's network, ping 2.2.2.2 should fail; from host PC3, Telnet to 2.2.2.2 should succeed.

(1) show ip access-lists

R2#show ip access-lists
Standard IP access list 1
    deny 172.16.1.0 0.0.0.255
    permit any (104 match(es))
Standard IP access list 2
    permit host 172.16.3.1

(2) show ip interface

R2#show ip interface s0/0/0
Serial0/0/0 is up, line protocol is up (connected)
  Internet address is 192.168.12.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is 1    // shows that the ACL is applied inbound on interface s0/0/0
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled

Lab 2: Extended ACL

I. Lab objectives

This lab covers:
(5) Defining an extended ACL
(6) Applying an extended ACL
(7) Debugging an extended ACL

II. Topology

This lab requires that only hosts on PC2's network segment be allowed to access the WWW and Telnet services of router R2, and that PC3's network segment be denied ping to router R2. Delete the ACLs defined in the standard ACL lab and keep the EIGRP configuration.

III. Lab steps

(1) Step 1: Configure router R1

R1(config)#access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq www
R1(config)#access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 192.168.12.2 eq www
R1(config)#access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 192.168.23.2 eq www
R1(config)#access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 192.168.23.2 eq telnet
R1(config)#access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq telnet
R1(config)#access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 192.168.12.2 eq telnet

(2) Step 2: Configure router R2

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#no access-list 1
R2(config)#no access-list 2
R2(config)#line vty 0 4
R2(config-line)#password cisco
R2(config-line)#login

(3) Step 3: Configure router R3

R3(config)#access-list 101 deny icmp 172.16.3.0 0.0.0.255 host 2.2.2.2
R3(config)#access-list 101 deny icmp 172.16.3.0 0.0.0.255 host 192.168.12.2 ?
  type-num
  echo                  echo
  echo-reply            echo-reply
  host-unreachable      host-unreachable
  net-unreachable       net-unreachable
  port-unreachable      port-unreachable
  protocol-unreachable  protocol-unreachable
  ttl-exceeded          ttl-exceeded
  unreachable           unreachable
R3(config)#access-list 101 deny icmp 172.16.3.0 0.0.0.255 host 192.168.12.2
R3(config)#access-list 101 deny icmp 172.16.3.0 0.0.0.255 host 192.168.23.2
R3(config)#access-list 101 permit ip any any
R3(config)#int fa 0/0
R3(config-if)#ip access-group 101 in

IV. Lab verification

View the ACLs:

R1#show ip access-lists
Extended IP access list 100
    permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq www
    permit tcp 172.16.1.0 0.0.0.255 host 192.168.12.2 eq www
    permit tcp 172.16.1.0 0.0.0.255 host 192.168.23.2 eq www
    permit tcp 172.16.1.0 0.0.0.255 host 192.168.23.2 eq telnet
    permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq telnet
    permit tcp 172.16.1.0 0.0.0.255 host 192.168.12.2 eq telnet

R3#show access-lists
Extended IP access list 101
    deny icmp 172.16.3.0 0.0.0.255 host 2.2.2.2
    deny icmp 172.16.3.0 0.0.0.255 host 192.168.12.2
    deny icmp 172.16.3.0 0.0.0.255 host 192.168.23.2
    permit ip any any
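The wildcard-mask matching, first-match ordering and implicit deny that both labs depend on, as an added Python sketch (not part of the original document and not Cisco code): it parses ACL entries copied from the labs and evaluates test packets against them. The test host addresses (10.1.1.10, 172.16.1.10) are constructed assumptions, and only the entry syntax that appears in these labs is parsed.

```python
import ipaddress

PORTS = {"www": 80, "telnet": 23}        # the two service keywords used in the labs
ANY = (0, 0xFFFFFFFF)                    # wildcard of all ones: every bit is "don't care"

# Entries copied from the labs (ACL 100/101 limited to destination 2.2.2.2).
CONFIG = """\
access-list 1 deny 172.16.1.0 0.0.0.255
access-list 1 permit any
access-list 2 permit 172.16.3.1
access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq www
access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq telnet
access-list 101 deny icmp 172.16.3.0 0.0.0.255 host 2.2.2.2
access-list 101 permit ip any any"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok, i):
    """Read 'any', 'host A', 'A WILDCARD' or bare 'A'; return ((addr, wildcard), next_index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return (_ip(tok[i]), _ip(tok[i + 1])), i + 2
    return (_ip(tok[i]), 0), i + 1       # bare address in a standard ACL matches one host

def parse(line):
    tok = line.split()
    rule = {"acl": int(tok[1]), "permit": tok[2] == "permit",
            "proto": "ip", "dst": ANY, "port": None}
    i, extended = 3, int(tok[1]) >= 100  # 1-99 standard, 100-199 extended
    if extended:
        rule["proto"], i = tok[i], i + 1
    rule["src"], i = _addr(tok, i)
    if extended:
        rule["dst"], i = _addr(tok, i)
        if tok[i:i + 1] == ["eq"]:
            rule["port"] = PORTS[tok[i + 1]] if tok[i + 1] in PORTS else int(tok[i + 1])
    return rule

def _hit(addr, pattern):
    base, wild = pattern
    return (_ip(addr) | wild) == (base | wild)   # compare only the bits the wildcard leaves fixed

def evaluate(rules, acl, src, dst, proto, port=None):
    """First matching entry decides; a packet matching no entry hits the implicit deny."""
    for r in (r for r in rules if r["acl"] == acl):
        if (r["proto"] in ("ip", proto) and _hit(src, r["src"])
                and _hit(dst, r["dst"]) and r["port"] in (None, port)):
            return "permit" if r["permit"] else "deny"
    return "deny"

RULES = [parse(line) for line in CONFIG.splitlines()]
if __name__ == "__main__":
    print(evaluate(RULES, 1, "172.16.1.10", "2.2.2.2", "icmp"))      # constructed PC2-side host
    print(evaluate(RULES, 100, "172.16.1.10", "2.2.2.2", "tcp", 80))
```

ACL 100 has no explicit deny line, so anything other than the listed WWW and Telnet flows is dropped by the implicit deny once the list is applied to an interface, whereas ACL 101 ends in `permit ip any any` and therefore blocks only the listed ICMP traffic.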
