acl访问控制列表实验
实验拓扑图如上 www.2cto.com 1.配置IP地址R1与R3 Loopback0=x.x.x.x/24 IP=192.168.yx.x/242.用rip宣告,测通信 3. R1与R3配置VTY与特权口令cisco,测试能否TELNET配置R1R1(config)#i
acl访问控制列表实验
实验拓扑图如上 www.zhishiwu.com 1.配置IP地址R1与R3 Loopback0=x.x.x.x/24 IP=192.168.yx.x/24 2.用rip宣告,测通信 3. R1与R3配置VTY与特权口令cisco,测试能否TELNET 配置R1 R1(config)#int s0/3/0 R1(config-if)#clo rat 64000 R1(config-if)#ip add 192.168.21.1 255.255.255.0 R1(config-if)#no sh R1(config-if)#exit R1(config)#int l 0 R1(config-if)#ip add 1.1.1.1 255.255.255.0 R1(config-if)#exit R1(config)#router rip R1(config-router)#net 1.0.0.0 R1(config-router)#net 192.168.21.0 R1(config-router)#exit R1(config)#ena pass cisco R1(config)#line vty 0 4 R1(config-line)#pass cisco R1#tel 3.3.3.3 Trying 3.3.3.3 ... User Access Verification Password: R3>en(R1telnetR3成功) Password: R3# 配置R2 R2(config)#int s0/3/1 R2(config-if)#cl ra 64000 R2(config-if)#no sh R2(config-if)#ip add 192.168.32.2 255.255.255.0 R2(config-if)#int s0/3/0 R2(config-if)#no sh R2(config-if)#ip add 192.168.21.2 255.255.255.0 R2(config-if)#exit R2(config)#router rip R2(config-router)#net 192.168.21.0 R2(config-router)#net 192.168.32.0 配置R3 R3(config)#int s0/3/0 R3(config-if)#no sh %LINK-5-CHANGED: Interface Serial0/3/0, changed state to up R3(config-if)# R3(config-if)# %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to up R3(config-if)#ip add 192.168.32.3 255.255.255.0 R3(config-if)#int l 0 %LINK-5-CHANGED: Interface Loopback0, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up R3(config-if)# R3(config-if)# ip add 3.3.3.3 255.255.255.0 R3(config-if)#exit R3(config)#router rip R3(config-router)#net 192.168.32.0 R3(config-router)#net 3.0.0.0 R3(config)#ena pass cisco R3(config)#line vty 0 4 R3(config-line)#pass cisco R3(config-line)# 4.禁止R2访问R1:(R3能否PING通R1的s0//3/0.反之) 查看通信 清除路由表信息或邻居 R1--pingR2/R3,查看连通,为什么PIng不通(刚开始能够ping通,因为路由表没有更新,清理路由表之后ping不通因为acl)
在R1上面配置 R1(config)#access-list 1 deny 192.168.21.2 R1(config)#access-list 1 deny 192.168.32.2 R1(config)#access-list 1 per any R1(config)#int s0/3/0 R1(config-if)#ip acc R1(config-if)#ip access-group 1 in R1(config-if)#exi R1(config)#exi R1#sh ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is not set 1.0.0.0/24 is subnetted, 1 subnets C 1.1.1.0 is directly connected, Loopback0 R 3.0.0.0/8 [120/2] via 192.168.21.2, 00:00:35, Serial0/3/0 C 192.168.21.0/24 is directly connected, Serial0/3/0 R 192.168.32.0/24 [120/1] via 192.168.21.2, 00:00:35, Serial0/3/0 R1#clear ip route * R1#sh ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is not set 1.0.0.0/24 is subnetted, 1 subnets C 1.1.1.0 is directly connected, Loopback0 C 192.168.21.0/24 is directly connected, Serial0/3/0 R3#ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 62/62/63 ms R3#ping 1.1.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds: ..... Success rate is 0 percent (0/5
5.(删除前ACL配置)禁止R1 telnet R3使用扩展, R3配置 R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#no acc R1(config)#no access-list 1 R3(config)#access-list 101 deny tcp host 1.1.1.1 host 192.168.32.3 eq 23 R3(config)#acc 101 deny tcp ho 192.168.21.1 ho 192.168.32.3 ea 23 ^ % Invalid input detected at '^' marker. R3(config)#acc 101 deny tcp ho 192.168.21.1 ho 192.168.32.3 eq 23 R3(config)#acc 101 per ip any any R3(config)#int s0/3/0 R3(config-if)#ip acc R3(config-if)#ip access-group 101 in R1#tel 192.168.32.3 Trying 192.168.32.3 ... % Connection timed out; remote host not responding
