acl访问控制列表实验
实验拓扑图如上 www.zhishiwu.com 1.配置IP地址R1与R3 Loopback0=x.x.x.x/24 IP=192.168.yx.x/242.用rip宣告,测通信 3. R1与R3配置VTY与特权口令cisco,测试能否TELNET配置R1R1(config)#int s0/3/0R1(config-if)#clo rat 64000R1(config-if)#ip add 192.168.21.1 255.255.255.0R1(config-if)#no shR1(config-if)#exitR1(config)#int l 0R1(config-if)#ip add 1.1.1.1 255.255.255.0R1(config-if)#exitR1(config)#router rip R1(config-router)#net 1.0.0.0R1(config-router)#net 192.168.21.0R1(config-router)#exitR1(config)#ena pass ciscoR1(config)#line vty 0 4R1(config-line)#pass ciscoR1#tel 3.3.3.3Trying 3.3.3.3 ... User Access VerificationPassword: R3>en(R1telnetR3成功)Password: R3#配置R2R2(config)#int s0/3/1R2(config-if)#cl ra 64000R2(config-if)#no shR2(config-if)#ip add 192.168.32.2 255.255.255.0R2(config-if)#int s0/3/0R2(config-if)#no shR2(config-if)#ip add 192.168.21.2 255.255.255.0R2(config-if)#exitR2(config)#router ripR2(config-router)#net 192.168.21.0R2(config-router)#net 192.168.32.0配置R3R3(config)#int s0/3/0R3(config-if)#no sh%LINK-5-CHANGED: Interface Serial0/3/0, changed state to upR3(config-if)#R3(config-if)#%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to upR3(config-if)#ip add 192.168.32.3 255.255.255.0R3(config-if)#int l 0%LINK-5-CHANGED: Interface Loopback0, changed state to up%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to upR3(config-if)#R3(config-if)# ip add 3.3.3.3 255.255.255.0R3(config-if)#exitR3(config)#router ripR3(config-router)#net 192.168.32.0R3(config-router)#net 3.0.0.0R3(config)#ena pass ciscoR3(config)#line vty 0 4R3(config-line)#pass ciscoR3(config-line)#4.禁止R2访问R1:(R3能否PING通R1的s0//3/0.反之) 查看通信 清除路由表信息或邻居 R1--pingR2/R3,查看连通,为什么PIng不通(刚开始能够ping通,因为路由表没有更新,清理路由表之后ping不通因为acl)
在R1上面配置R1(config)#access-list 1 deny 192.168.21.2R1(config)#access-list 1 deny 192.168.32.2R1(config)#access-list 1 per anyR1(config)#int s0/3/0R1(config-if)#ip accR1(config-if)#ip access-group 1 inR1(config-if)#exiR1(config)#exiR1#sh ip routeCodes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static routeGateway of last resort is not set 1.0.0.0/24 is subnetted, 1 subnetsC 1.1.1.0 is directly connected, Loopback0R 3.0.0.0/8 [120/2] via 192.168.21.2, 00:00:35, Serial0/3/0C 192.168.21.0/24 is directly connected, Serial0/3/0R 192.168.32.0/24 [120/1] via 192.168.21.2, 00:00:35, Serial0/3/0R1#clear ip route *R1#sh ip routeCodes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static routeGateway of last resort is not set 1.0.0.0/24 is subnetted, 1 subnetsC 1.1.1.0 is directly connected, Loopback0C 192.168.21.0/24 is directly connected, Serial0/3/0R3#ping 1.1.1.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 62/62/63 msR3#ping 1.1.1.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:.....Success rate is 0 percent (0/5
5.(删除前ACL配置)禁止R1 telnet R3使用扩展, R3配置R1#conf tEnter configuration commands, one per line. End with CNTL/Z.R1(config)#no accR1(config)#no access-list 1R3(config)#access-list 101 deny tcp host 1.1.1.1 host 192.168.32.3 eq 23R3(config)#acc 101 deny tcp ho 192.168.21.1 ho 192.168.32.3 ea 23^% Invalid input detected at '^' marker. R3(config)#acc 101 deny tcp ho 192.168.21.1 ho 192.168.32.3 eq 23R3(config)#acc 101 per ip any anyR3(config)#int s0/3/0R3(config-if)#ip accR3(config-if)#ip access-group 101 inR1#tel 192.168.32.3Trying 192.168.32.3 ...% Connection timed out; remote host not responding
