
ACL (access control list) lab

Published: 2015-06-17 12:09:28   Author: 知识屋 (Zhishiwu)


The lab topology diagram is shown above.
1. Configure IP addresses on R1 and R3
  Loopback0=x.x.x.x/24 
  IP=192.168.yx.x/24
2. Advertise the networks with RIP and test connectivity
 
3. Configure the VTY and enable passwords (cisco) on R1 and R3, then test whether Telnet works
Configure R1
R1(config)#int s0/3/0
R1(config-if)#clo rat 64000
R1(config-if)#ip add 192.168.21.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#int l 0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#router rip 
R1(config-router)#net 1.0.0.0
R1(config-router)#net 192.168.21.0
R1(config-router)#exit
R1(config)#ena pass cisco
R1(config)#line vty 0 4
R1(config-line)#pass cisco
R1#tel 3.3.3.3
Trying 3.3.3.3 ...
 
User Access Verification
Password: 
R3>en   (R1 telnet to R3 succeeded)
Password: 
R3#
Configure R2
R2(config)#int s0/3/1
R2(config-if)#cl ra 64000
R2(config-if)#no sh
R2(config-if)#ip add 192.168.32.2 255.255.255.0
R2(config-if)#int s0/3/0
R2(config-if)#no sh
R2(config-if)#ip add 192.168.21.2 255.255.255.0
R2(config-if)#exit
R2(config)#router rip
R2(config-router)#net 192.168.21.0
R2(config-router)#net 192.168.32.0
Configure R3
R3(config)#int s0/3/0
R3(config-if)#no sh
%LINK-5-CHANGED: Interface Serial0/3/0, changed state to up
R3(config-if)#
R3(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to up
R3(config-if)#ip add 192.168.32.3 255.255.255.0
R3(config-if)#int l 0
%LINK-5-CHANGED: Interface Loopback0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R3(config-if)#
R3(config-if)# ip add 3.3.3.3 255.255.255.0
R3(config-if)#exit
R3(config)#router rip
R3(config-router)#net 192.168.32.0
R3(config-router)#net 3.0.0.0
R3(config)#ena pass cisco
R3(config)#line vty 0 4
R3(config-line)#pass cisco
R3(config-line)#
4. Block R2 from reaching R1 (can R3 ping R1's s0/3/0, and vice versa?)
  Check connectivity
  Clear the routing table or the neighbors
  Ping R2/R3 from R1 and check connectivity. Why does the ping fail? (At first the pings succeed because the routing table has not been updated yet; after the routing table is cleared they fail because of the ACL.)
 
Configure on R1
R1(config)#access-list 1 deny 192.168.21.2
R1(config)#access-list 1 deny 192.168.32.2
R1(config)#access-list 1 per any
R1(config)#int s0/3/0
R1(config-if)#ip acc
R1(config-if)#ip access-group 1 in
R1(config-if)#exi
R1(config)#exi
R1#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
R    3.0.0.0/8 [120/2] via 192.168.21.2, 00:00:35, Serial0/3/0
C    192.168.21.0/24 is directly connected, Serial0/3/0
R    192.168.32.0/24 [120/1] via 192.168.21.2, 00:00:35, Serial0/3/0
R1#clear ip route *
R1#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
C    192.168.21.0/24 is directly connected, Serial0/3/0
R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 62/62/63 ms
R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
 
5. (Remove the previous ACL first) Block R1 from telnetting to R3 using an extended ACL, configured on R3
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#no acc
R1(config)#no access-list 1
R3(config)#access-list 101 deny tcp host 1.1.1.1 host 192.168.32.3 eq 23
R3(config)#acc 101 deny tcp ho 192.168.21.1 ho 192.168.32.3 ea 23
^
% Invalid input detected at '^' marker.
 
R3(config)#acc 101 deny tcp ho 192.168.21.1 ho 192.168.32.3 eq 23
R3(config)#acc 101 per ip any any
R3(config)#int s0/3/0
R3(config-if)#ip acc
R3(config-if)#ip access-group 101 in
R1#tel 192.168.32.3
Trying 192.168.32.3 ...
% Connection timed out; remote host not responding
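The two ACLs from steps 4 and 5 in action, as an added example that is not part of the original lab: a small Python model of IOS ACL evaluation (entries tried in order, wildcard-mask matching, first match wins, implicit deny at the end) applied to the packets each step exercises. The Entry, evaluate and lab_results names are ours, and RIP is assumed to run as version 1, broadcasting its updates to 255.255.255.255.

```python
# Added example (not from the lab): model of IOS ACL evaluation. Entry/evaluate/lab_results are our names.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'do not care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip" matches every protocol
    src: str = "0.0.0.0"              # "any" = 0.0.0.0 wildcard 255.255.255.255,
    src_wc: str = "255.255.255.255"   # "host X" = X wildcard 0.0.0.0
    dst: str = "0.0.0.0"              # standard ACLs never look at the destination
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None       # the "eq N" clause; None = any port

def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    for e in acl:
        if (e.proto in ("ip", proto) and wildcard_match(src, e.src, e.src_wc)
                and wildcard_match(dst, e.dst, e.dst_wc)
                and (e.dport is None or e.dport == dport)):
            return e.action
    return "deny"  # the implicit deny every IOS ACL ends with

ACL_1 = [Entry("deny", src="192.168.21.2", src_wc="0.0.0.0"),     # step 4, inbound on R1 s0/3/0
         Entry("deny", src="192.168.32.2", src_wc="0.0.0.0"),
         Entry("permit")]                                          # access-list 1 permit any
ACL_101 = [Entry("deny", "tcp", "1.1.1.1", "0.0.0.0", "192.168.32.3", "0.0.0.0", 23),       # step 5,
           Entry("deny", "tcp", "192.168.21.1", "0.0.0.0", "192.168.32.3", "0.0.0.0", 23),  # inbound on R3 s0/3/0
           Entry("permit", "ip")]                                  # access-list 101 permit ip any any

def lab_results() -> dict:
    return {
        # R2's RIPv1 update is denied, so after 'clear ip route *' R1 never relearns 3.0.0.0/8
        # and 192.168.32.0/24; R3's echo itself is permitted but R1 has no return route for it.
        "rip_update_from_r2": evaluate(ACL_1, "udp", "192.168.21.2", "255.255.255.255", 520),
        "echo_from_r3": evaluate(ACL_1, "icmp", "3.3.3.3", "1.1.1.1"),
        # R1 pinging R2 fails directly: the echo reply comes from the denied address.
        "echo_reply_from_r2": evaluate(ACL_1, "icmp", "192.168.21.2", "192.168.21.1"),
        # R1's telnet leaves via s0/3/0 and sources 192.168.21.1, not the loopback, which is
        # why the second deny line was needed; other traffic from R1 still passes.
        "telnet_r1_to_r3": evaluate(ACL_101, "tcp", "192.168.21.1", "192.168.32.3", 23),
        "ping_r1_to_r3": evaluate(ACL_101, "icmp", "192.168.21.1", "192.168.32.3"),
        # Drop the final permit and the implicit deny blocks everything, RIP included.
        "forgot_permit_any": evaluate(ACL_1[:2], "udp", "192.168.32.3", "255.255.255.255", 520),
    }
```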
 