标准ACL实验

标准ACL试验

实验目的：通过本实验掌握： 1、ACL的设计原则和工作过程； 2、定义标准ACL； 3、应用ACL；

4、标准ACL调试。 实验要求：本实验拒绝PC2所在网段访问路由器R2，同时只允许PC3访问路由器R2的telnet服务，整个网络配置rip保证ip的连通性。 实验过程： 一、基本配置： 对R1：

R1#config t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#int e0/1 R1(config-if)#ip add 11.1.1.1 255.255.255.0 R1(config-if)#no shut R1(config-if)#duplex full *Mar 1 00:09:31.259: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up *Mar 1 00:09:32.259: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up R1(config-if)#int e0/2 R1(config-if)#ip add 12.1.1.1 255.255.255.0 R1(config-if)#no shut R1(config-if)#duplex full *Mar 1 00:09:59.023: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to up *Mar 1 00:10:00.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to up R1(config-if)#int e0/0 R1(config-if)#ip add 10.1.12.1 255.255.255.0 R1(config-if)#no shut R1(config-if)#duplex full *Mar 1 00:10:25.387: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up *Mar 1 00:10:26.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up R1(config-if)#exit R1(config)# 对R2： R2#config t Enter configuration commands, one per line. End with CNTL/Z. R2(config)#int e0/1 R2(config-if)#ip add 10.1.12.2 255.255.255.0 R2(config-if)#no shut R2(config-if)#duplex full *Mar 1 00:12:59.079: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up *Mar 1 00:13:00.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up R2(config-if)#int e0/0 R2(config-if)#ip add 10.1.23.2 255.255.255.0 R2(config-if)#no shut R2(config-if)#duplex full R2(config-if)#exit *Mar 1 00:13:36.955: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up *Mar 1 00:13:37.955: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up R2(config)#int lo 0 *Mar 1 01:17:55.339: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up R2(config-if)#ip add 2.2.2.2 255.255.255.0 R2(config-if)#exit R2(config)# 对R3： R3#config t Enter configuration commands, one per line. End with CNTL/Z. R3(config)#int e0/1 R3(config-if)#ip add 10.1.23.3 255.255.255.0 R3(config-if)#no shut R3(config-if)#duplex full *Mar 1 00:15:14.703: %LINK-3-UPDOWN: Interface Ethernet0/1, changed state to up *Mar 1 00:15:15.703: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to up R3(config-if)#int e0/2 R3(config-if)#ip add 33.1.1.1 255.255.255.0 R3(config-if)#no shut R3(config-if)#duplex full R3(config-if)#exit *Mar 1 00:15:54.655: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to up *Mar 1 00:15:55.655: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to up R3(config)# 对PC1： PC1#config t Enter configuration commands, one per line. End with CNTL/Z. PC1(config)#no ip routing PC1(config)#int f0/0 PC1(config-if)#ip add 11.1.1.2 255.255.255.0 PC1(config-if)#no shut PC1(config-if)#exit PC1(config)# 对PC2： PC2#config t Enter configuration commands, one per line. End with CNTL/Z. PC2(config)#no ip routing PC2(config)#int f0/0 PC2(config-if)#ip add 12.1.1.2 255.255.255.0 PC2(config-if)#no shut PC2(config-if)#exit *Mar 1 00:25:07.759: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up *Mar 1 00:25:08.759: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up PC2(config)# 对PC3： PC3#config t Enter configuration commands, one per line. End with CNTL/Z. PC3(config)#no ip routing PC3(config)#int f0/0 PC3(config-if)#ip add 33.1.1.2 255.255.255.0 PC3(config-if)#no shut PC3(config-if)#exit *Mar 1 00:25:35.479: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up *Mar 1 00:25:36.479: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up PC3(config)# 二、配置rip： 对R1：

R1(config)#router rip R1(config-router)#network 11.0.0.0 R1(config-router)#network 12.0.0.0 R1(config-router)#network 10.0.0.0 R1(config-router)#no auto-summary R1(config-router)#exit R1(config)# 对R2：

R2(config)#router rip R2(config-router)#network 10.0.0.0 R2(config-router)#network 2.0.0.0 R2(config-router)#no auto-summary R2(config-router)#exit R2(config)# 对R3： R3(config)#router rip R3(config-router)#network 10.0.0.0 R3(config-router)#network 33.0.0.0 R3(config-router)#no auto-summary R3(config-router)#exit R3(config)# 三、对R2进行标准ACL配置：

R2(config)#access-list 1 deny 12.1.1.0 0.0.0.255 //定义ACL R2(config)#access-list 1 permit any R2(config)#int e0/1 R2(config-if)#ip access-group 1 in //在接口下应用ACL R2(config-if)#exit R2(config)#access-list 2 permit 33.1.1.2 R2(config)#line vty 0 4 R2(config-line)#access-class 2 in //在vty下应用ACL R2(config-line)#password ccna R2(config-line)#login R2(config-line)#exit R2(config)# 四、实验调试：

用PC1去ping 2.2.2.2：

PC1#ping 2.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 60//68 ms PC1# 用PC2去ping 2.2.2.2：

PC2#ping 2.2.2.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5) PC2# 在PC3上telnet 2.2.2.2： PC3#telnet 2.2.2.2 Trying 2.2.2.2 ... Open User Access Verification Password: R2> 查看R2上的ACL： R2#show ip access-lists Standard IP access list 1 10 deny 12.1.1.0, wildcard bits 0.0.0.255 (11 matches) 20 permit any (141 matches) Standard IP access list 2 10 permit 33.1.1.2 (2 matches) R2# 查看R2的端口e0/1的状态：

R2#show ip int e0/1 Ethernet0/1 is up, line protocol is up Internet address is 10.1.12.2/24 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper address is not set Directed broadcast forwarding is disabled Multicast reserved groups joined: 224.0.0.9 Outgoing access list is not set Inbound access list is 1 //在e0/1的入方向访问控制列表1 Proxy ARP is enabled Local Proxy ARP is disabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is enabled IP fast switching on the same interface is disabled IP Flow switching is disabled IP CEF switching is enabled IP CEF Feature Fast switching turbo vector IP multicast fast switching is enabled IP multicast distributed fast switching is disabled IP route-cache flags are Fast, CEF Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled RTP/IP header compression is disabled Policy routing is disabled Network address translation is disabled BGP Policy Mapping is disabled WCCP Redirect outbound is disabled WCCP Redirect inbound is disabled WCCP Redirect exclude is disabled R2# 实验成功。