Lab 1: Standard ACL
I. Lab objectives
This lab covers:
(1) ACL design principles and how an ACL processes packets
(2) Defining a standard ACL
(3) Applying an ACL
(4) Verifying a standard ACL
II. Topology
III. Procedure
(1) Step 1: Configure router R1
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host R1
R1(config)#int fa 0/0
R1(config-if)#ip add 10.1.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#int fa 0/1
R1(config-if)#ip add 172.16.1.0 255.255.255.0
Bad mask /24 for address 172.16.1.0
R1(config-if)#ip add 172.16.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#int s0/0/0
R1(config-if)#ip add 192.168.12.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
R1(config)#router eigrp 1
R1(config-router)#network 10.1.1.0 0.0.0.255
R1(config-router)#network 172.16.1.0 0.0.0.255
R1(config-router)#network 192.168.12.0
R1(config-router)#no auto
(2) Step 2: Configure router R2
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line con 0
Router(config-line)#logg s
Router(config-line)#no ip domain-l
Router(config)#host R2
R2(config)#int s0/0/0
R2(config-if)#ip add 192.168.12.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R2(config-if)#int s0/0/1
R2(config-if)#ip add 192.168.23.2 25
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#ip add 192.168.23.2 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/0/1, changed state to down
R2(config)#int lo0
R2(config-if)#
%LINK-5-CHANGED: Interface Loopback0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#exit
R2(config)#router eigrp 1
R2(config-router)#network 2.2.2.0 0.0.0.255
R2(config-router)#network 192.168.12.0 0.0.0.255
R2(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 192.168.12.1 (Serial0/0/0) is up: new adjacency
R2(config-router)#network 192.168.23.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 192.168.12.1 (Serial0/0/0) is up: new adjacency
R2(config-router)#exit
R2(config)#access-list 1 deny 172.16.1.0 0.0.0.255 // define the standard ACL
R2(config)#access-list 1 permit any
R2(config)#interface s0/0/0
R2(config-if)#ip access-group 1 in // apply the ACL inbound on the interface
R2(config-if)#access-list 2 permit 172.16.3.1 // define a second standard ACL (bare address = single host)
R2(config)#line vty 0 4
R2(config-line)#access-class 2 in // apply the ACL to the vty lines
R2(config-line)#password cisco
R2(config-line)#login
(3) Step 3: Configure router R3
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line con 0
Router(config-line)#logg s
Router(config-line)#no ip domain-l
Router(config)#host R3
R3(config)#int fa 0/0
R3(config-if)#ip add 172.16.3.3 255.255.255.0
R3(config-if)#no shut
R3(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#int s0/0/1
R3(config-if)#ip add 192.168.23.3 255.255.255.0
R3(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/0/1, changed state to up
R3(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config-if)#exit
R3(config)#router eigrp 1
R3(config-router)#network 172.16.3.0 0.0.0.255
R3(config-router)#network 192.168.23.0 0.0.0.255
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 192.168.23.2 (Serial0/0/1) is up: new adjacency
R3(config-router)#no auto-summary
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 192.168.23.2 (Serial0/0/1) is up: new adjacency
IV. Verification
From a host on PC1's network, ping 2.2.2.2: it should succeed. From a host on PC2's network, ping 2.2.2.2: it should fail. From host PC3, Telnet to 2.2.2.2: it should succeed.
(1) show ip access-lists
R2#show ip access-lists
Standard IP access list 1
deny 172.16.1.0 0.0.0.255
permit any (104 match(es))
Standard IP access list 2
permit host 172.16.3.1
(2) show ip interface
R2#show ip interface s0/0/0
Serial0/0/0 is up, line protocol is up (connected)
Internet address is 192.168.12.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1 // shows that the ACL is applied inbound on interface s0/0/0
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP Fast switching turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
WCCP Redirect outbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled
Lab 2: Extended ACL
I. Lab objectives
This lab covers:
(1) Defining an extended ACL
(2) Applying an extended ACL
(3) Verifying an extended ACL
II. Topology
This lab requires that only hosts on PC2's subnet may access the WWW and Telnet services of router R2, and that hosts on PC3's subnet are denied from pinging router R2. Delete the ACLs defined in the standard ACL lab and keep the EIGRP configuration.
III. Procedure
(1) Step 1: Configure router R1
R1(config)#access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq www
R1(config)#access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 192.168.12.2 eq www
R1(config)#access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 192.168.23.2 eq www
R1(config)#access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 192.168.23.2 eq telnet
R1(config)#access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq telnet
R1(config)#access-list 100 permit tcp 172.16.1.0 0.0.0.255 host 192.168.12.2 eq telnet
(2) Step 2: Configure router R2
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#no access-list 1
R2(config)#no access-list 2
R2(config)#line vty 0 4
R2(config-line)#password cisco
R2(config-line)#login
(3) Step 3: Configure router R3
R3(config)#access-list 101 deny icmp 172.16.3.0 0.0.0.255 host 2.2.2.2
R3(config)#access-list 101 deny icmp 172.16.3.0 0.0.0.255 host 192.168.12.2 ?
<0-256> type-num
echo echo
echo-reply echo-reply
host-unreachable host-unreachable
net-unreachable net-unreachable
port-unreachable port-unreachable
protocol-unreachable protocol-unreachable
ttl-exceeded ttl-exceeded
unreachable unreachable
<cr>
R3(config)#access-list 101 deny icmp 172.16.3.0 0.0.0.255 host 192.168.12.2
R3(config)#access-list 101 deny icmp 172.16.3.0 0.0.0.255 host 192.168.23.2
R3(config)#access-list 101 permit ip any any
R3(config)#int fa 0/0
R3(config-if)#ip access-group 101 in
IV. Verification
View the ACLs
R1#show ip access-lists
Extended IP access list 100
permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq www
permit tcp 172.16.1.0 0.0.0.255 host 192.168.12.2 eq www
permit tcp 172.16.1.0 0.0.0.255 host 192.168.23.2 eq www
permit tcp 172.16.1.0 0.0.0.255 host 192.168.23.2 eq telnet
permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq telnet
permit tcp 172.16.1.0 0.0.0.255 host 192.168.12.2 eq telnet
R3#show access-lists
Extended IP access list 101
deny icmp 172.16.3.0 0.0.0.255 host 2.2.2.2
deny icmp 172.16.3.0 0.0.0.255 host 192.168.12.2
deny icmp 172.16.3.0 0.0.0.255 host 192.168.23.2
permit ip any any
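The matching rules both labs depend on (wildcard masks, top-down first match, implicit deny at the end) as an added Python model; it is not part of the lab and not Cisco IOS code. It parses the lab's own access-list lines for ACL 1 (Lab 1) and ACL 101 (Lab 2) and evaluates the packets the verification sections predict. Assumed: the addresses from the lab topology, and the IOS port names www = 80 and telnet = 23.

```python
import ipaddress

# Added example (not from the lab): a model of how IOS evaluates an access list. Entries
# are checked top to bottom, the first match decides, and an unmatched packet is denied.
PORTS = {"www": 80, "telnet": 23}
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr(tok):
    # consume one address spec: 'any', 'host X', 'X WILDCARD' or a bare 'X'
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return tok.pop(0), "0.0.0.0"
    if tok and tok[0][0].isdigit():
        return t, tok.pop(0)
    return t, "0.0.0.0"  # bare address in a standard ACL means a single host

def parse_ace(line):
    # parse 'access-list N action [proto] src [dst [eq port]]' (IOS syntax)
    tok = line.split()[2:]  # drop 'access-list' and the list number
    action, proto, port = tok.pop(0), "ip", None
    if tok[0] in ("ip", "tcp", "udp", "icmp"):  # extended ACL
        proto = tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        if tok[:1] == ["eq"]:  # 'eq www' / 'eq telnet' / 'eq 80'
            port = PORTS.get(tok[1]) or int(tok[1])
    else:  # standard ACL: matches on the source address only
        src, dst = _addr(tok), ANY
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl, src, dst, proto="ip", dport=None):
    # return 'permit' or 'deny' for one packet; the first matching entry wins
    for ace in acl:
        if (ace["proto"] in ("ip", proto) and ace["port"] in (None, dport)
                and wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            return ace["action"]
    return "deny"  # implicit deny: nothing matched

# The lab's ACL 1 (inbound on R2 s0/0/0) and ACL 101 (inbound on R3 fa0/0)
ACL_1 = [parse_ace("access-list 1 " + l) for l in ("deny 172.16.1.0 0.0.0.255", "permit any")]
ACL_101 = [parse_ace("access-list 101 " + l) for l in (
    "deny icmp 172.16.3.0 0.0.0.255 host 2.2.2.2",
    "deny icmp 172.16.3.0 0.0.0.255 host 192.168.12.2",
    "deny icmp 172.16.3.0 0.0.0.255 host 192.168.23.2", "permit ip any any")]
```

Feeding Lab 2's ACL 100 through the same model shows the effect of the implicit deny: as written it permits only TCP to ports 80 and 23 from 172.16.1.0/24, so once applied to an interface it would also drop ICMP and the EIGRP hellos (the transcript never applies it).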