Advanced ACL Application Lab

Lab topology: (the diagram is not reproduced here. From the configuration below: PC1 is 192.168.1.10 and PC2 is on the same 192.168.1.0/24 segment, both using 192.168.1.254 on R1's GigabitEthernet 0/0/1 as their gateway; R1's other interface is 192.168.2.1 and R2 is 192.168.2.2.)


Lab requirements:

  1. PC1 can telnet to R1 but cannot ping R1; PC1 can ping R2 but cannot telnet to R2.
  2. PC2 is the reverse of PC1: PC2 can ping R1 but cannot telnet to R1, and can telnet to R2 but cannot ping R2.

 1. Configure IP addressing so the whole network is reachable (interface addresses are not shown; only the static routes are listed). PC1 and PC2 use R1 as their default gateway, and R2 needs a route back to the 192.168.1.0/24 segment via R1:

[PC1]ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
[PC2]ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
[R2]ip route-static 192.168.1.0 24 192.168.2.1
[PC1]ping 192.168.2.1
  PING 192.168.2.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=50 ms
    Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=50 ms
    Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=50 ms
    Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=50 ms
    Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=70 ms

  --- 192.168.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 50/54/70 ms

[PC1]ping 192.168.1.254
  PING 192.168.1.254: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.254: bytes=56 Sequence=1 ttl=255 time=60 ms
    Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=255 time=50 ms
    Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=255 time=40 ms
    Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=255 time=40 ms
    Reply from 192.168.1.254: bytes=56 Sequence=5 ttl=255 time=50 ms

  --- 192.168.1.254 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/48/60 ms

[PC1]
[PC2]ping 192.168.2.2
  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=150 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=40 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=50 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=40 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=60 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/68/150 ms

[PC2]

<PC2>ping 192.168.1.254
  PING 192.168.1.254: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.254: bytes=56 Sequence=1 ttl=255 time=50 ms
    Reply from 192.168.1.254: bytes=56 Sequence=2 ttl=255 time=40 ms
    Reply from 192.168.1.254: bytes=56 Sequence=3 ttl=255 time=60 ms
    Reply from 192.168.1.254: bytes=56 Sequence=4 ttl=255 time=60 ms
    Reply from 192.168.1.254: bytes=56 Sequence=5 ttl=255 time=40 ms

  --- 192.168.1.254 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/50/60 ms

<PC2>

Enable the telnet service on R1 (a local AAA user at privilege level 15, with AAA authentication on VTY lines 0 to 4):

[R1]aaa     
[R1-aaa]local-user huangfei privilege level 15 password cipher 123456
Info: Add a new user.
[R1-aaa]local-user huangfei service-type telnet 
[R1]user-interface vty 0 4
[R1-ui-vty0-4]authentication-mode aaa 

PC1 can telnet to R1 normally. (Telnet carries the username and password in cleartext, and the lab password is trivial; on a real network use STelnet (SSH) and a strong password, in which case the ACL rules below would match port 22 instead of 23.)

<PC1>telnet 192.168.1.254
  Press CTRL_] to quit telnet mode
  Trying 192.168.1.254 ...
  Connected to 192.168.1.254 ...

Login authentication


Username:huangfei
Password:
<R1>q

Configure the policy so that PC1 can telnet to R1 but cannot ping R1

ACL numbers 3000 to 3999 are advanced ACLs, which can match on protocol, source and destination address, and port. The list below is named nopingr1, contains only two deny rules for ICMP from PC1 (192.168.1.10) to each of R1's two addresses, and is bound inbound on GigabitEthernet 0/0/1, the interface where PC1's traffic enters R1. A wildcard of 0 means an exact host match. Traffic that matches no rule is permitted by traffic-filter by default, so PC1's telnet sessions and all of PC2's traffic are unaffected.

[R1]acl name nopingr1 3000             
[R1-acl-adv-nopingr1]rule deny icmp source 192.168.1.10 0 destination 192.168.1.254 0
[R1-acl-adv-nopingr1]rule deny icmp source 192.168.1.10 0 destination 192.168.2.1 0
[R1-acl-adv-nopingr1]q
[R1]interface GigabitEthernet 0/0/1
# bind the ACL inbound on G0/0/1 (the interface facing the PCs)
[R1-GigabitEthernet0/0/1]traffic-filter inbound acl name nopingr1 

Verification shows that PC1 can no longer ping either of R1's addresses, but can still telnet to both of them:

<PC1>ping 192.168.1.254
  PING 192.168.1.254: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 192.168.1.254 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

<PC1>ping 192.168.2.1
  PING 192.168.2.1: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 192.168.2.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

<PC1>

<PC1>telnet  192.168.1.254
  Press CTRL_] to quit telnet mode
  Trying 192.168.1.254 ...
  Connected to 192.168.1.254 ...

Login authentication


Username:huangfei
Password:
  -----------------------------------------------------------------------------     
  User last login information:     
  -----------------------------------------------------------------------------
  Access Type: Telnet      
  IP-Address : 192.168.1.10     
  Time       : 2023-07-20 14:41:53-08:00     
  -----------------------------------------------------------------------------
<R1>q

  Configuration console exit, please retry to log on

  The connection was closed by the remote host
<PC1>telnet 192.168.2.1
  Press CTRL_] to quit telnet mode
  Trying 192.168.2.1 ...
  Connected to 192.168.2.1 ...

Login authentication


Username:huangfei
Password:
  -----------------------------------------------------------------------------     
  User last login information:     
  -----------------------------------------------------------------------------
  Access Type: Telnet      
  IP-Address : 192.168.1.10     
  Time       : 2023-07-20 14:44:25-08:00     
  -----------------------------------------------------------------------------
<R1>

PC1 can ping R2 but cannot telnet to R2

Enable the telnet service on R2 in the same way:

[R2]aaa
[R2-aaa]local-user huangfei privilege level 15 password cipher 123456
Info: Add a new user.
[R2-aaa]local-user huangfei service-type telnet
[R2-aaa]q
[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode aaa
[R2-ui-vty0-4]

Before any policy is applied, PC1 can telnet to R2. The first login attempt below fails only because the username was mistyped (huangefi instead of huangfei); the second succeeds:

<PC1>telnet 192.168.2.2
  Press CTRL_] to quit telnet mode
  Trying 192.168.2.2 ...
  Connected to 192.168.2.2 ...

Login authentication


Username:huangefi
Password:
Error: Failed to send authen-req.

  Logged Fail!

Username:huangfei
Password:
<R2>

An advanced ACL is placed on the router closest to the source: every packet from PC1 enters the network on R1's G0/0/1, so one inbound filter there covers every destination. This policy is therefore also configured on R1.

[R1]acl name notelnetr2 3001
[R1-acl-adv-notelnetr2]rule deny tcp source 192.168.1.10 0 destination 192.168.2.2 0 destination-port eq 23

An interface can carry only one traffic-filter ACL per direction (traffic-filter is Huawei's "simplified traffic policy", which is what the error message below refers to). Because nopingr1 is already bound inbound on G0/0/1 of R1, a second ACL cannot be bound inbound on that interface until the existing binding is removed:

[R1-GigabitEthernet0/0/1]traffic-filter inbound acl name notelnetr2 
Error: A simplified ACL has been applied in this view.

Remove the existing binding of acl nopingr1:

[R1-GigabitEthernet0/0/1]undo traffic-filter inbound   

Bind acl notelnetr2 in its place:

[R1-GigabitEthernet0/0/1]traffic-filter inbound acl name notelnetr2

Note that this is a swap, not an addition: once nopingr1 is unbound, nothing denies ICMP from PC1 to R1 any more, so requirement 1 is no longer enforced even though the checks below only exercise R2. To enforce both requirements at once, put all the rules into a single advanced ACL (for example, add the tcp/23 deny as a further rule of ACL 3000) and keep that one ACL bound inbound; the same ACL is also where PC2's opposite rules belong.

Policy complete: PC1 can ping R2 but cannot telnet to R2

<PC1>ping 192.168.2.2
  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=50 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=70 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=60 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=60 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=40 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/56/70 ms

<PC1>telnet 192.168.2.2
  Press CTRL_] to quit telnet mode
  Trying 192.168.2.2 ...
  Error: Can't connect to the remote host
<PC1>
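The following is an added example and not part of the original lab: a small Python model of how an advanced ACL bound with traffic-filter decides a packet. It parses the page's own `rule` lines (first match wins; a bare `0` wildcard means an exact host; a packet matching no rule is permitted, which is the traffic-filter default), replays the two ACLs configured above against the four PC1 requirements and the four mirrored PC2 requirements, and shows one combined ACL that satisfies all eight. This covers both the nopingr1 policy and the nopingr1/notelnetr2 swap. PC2's address is not stated on the page and is assumed to be 192.168.1.20; the ACL name and number `pcpolicy`/3002 mentioned in the comments are likewise an assumption.

```python
"""Toy model of a Huawei advanced ACL bound with traffic-filter (added example):
parses the page's `rule` lines, matches first-match with wildcard masks, and
permits anything that matches no rule, which is the traffic-filter default."""
from ipaddress import IPv4Address
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    proto: str                  # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


class Rule(NamedTuple):
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # address + wildcard; 1-bits in the wildcard
    src_wild: str               #   are "don't care", so 0.0.0.0 = exact host
    dst: str
    dst_wild: str
    dport: Optional[int]        # destination-port eq N, or None for any


def parse_rule(line: str) -> Rule:
    """Parse the VRP rule syntax used on this page:
    rule [N] {permit|deny} PROTO [source A W] [destination A W] [destination-port eq P]
    VRP accepts a bare 0 as shorthand for the wildcard 0.0.0.0."""
    tok = line.split()
    if tok[:1] != ["rule"]:
        raise ValueError(f"not a rule line: {line!r}")
    i = 2 if tok[1].isdigit() else 1              # skip optional rule number
    f = {"action": tok[i], "proto": tok[i + 1], "src": "0.0.0.0",
         "src_wild": "255.255.255.255", "dst": "0.0.0.0",
         "dst_wild": "255.255.255.255", "dport": None}      # defaults: any
    i += 2
    while i < len(tok):
        if tok[i] in ("source", "destination"):
            key = "src" if tok[i] == "source" else "dst"
            f[key] = tok[i + 1]
            f[key + "_wild"] = "0.0.0.0" if tok[i + 2] == "0" else tok[i + 2]
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            f["dport"] = int(tok[i + 2])
        else:
            raise ValueError(f"unsupported token {tok[i]!r} in {line!r}")
        i += 3
    return Rule(**f)


def _wild_match(addr: str, net: str, wildcard: str) -> bool:
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)


def traffic_filter(rules, pkt: Packet) -> str:
    """First matching rule wins. A packet matching no rule is PERMITTED
    (the traffic-filter default), which is why deny-only ACLs work here."""
    for r in rules:
        if (r.proto in ("ip", pkt.proto)
                and _wild_match(pkt.src, r.src, r.src_wild)
                and _wild_match(pkt.dst, r.dst, r.dst_wild)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "permit"


PC1, PC2 = "192.168.1.10", "192.168.1.20"     # PC2's address is assumed
R1_LAN, R1_WAN, R2 = "192.168.1.254", "192.168.2.1", "192.168.2.2"

# The two ACLs exactly as configured on the page
NOPINGR1 = [parse_rule(l) for l in (
    "rule deny icmp source 192.168.1.10 0 destination 192.168.1.254 0",
    "rule deny icmp source 192.168.1.10 0 destination 192.168.2.1 0")]
NOTELNETR2 = [parse_rule("rule deny tcp source 192.168.1.10 0 "
                         "destination 192.168.2.2 0 destination-port eq 23")]

# One ACL for both requirements (assumed name/number: acl name pcpolicy 3002)
COMBINED = NOPINGR1 + NOTELNETR2 + [parse_rule(l) for l in (
    "rule deny tcp source 192.168.1.20 0 destination 192.168.1.254 0 destination-port eq 23",
    "rule deny tcp source 192.168.1.20 0 destination 192.168.2.1 0 destination-port eq 23",
    "rule deny icmp source 192.168.1.20 0 destination 192.168.2.2 0")]

# Lab requirements as (label, packet entering R1 G0/0/1, expected decision)
REQUIREMENTS = [
    ("PC1 telnet R1", Packet("tcp", PC1, R1_LAN, 23), "permit"),
    ("PC1 ping R1",   Packet("icmp", PC1, R1_LAN),    "deny"),
    ("PC1 ping R2",   Packet("icmp", PC1, R2),        "permit"),
    ("PC1 telnet R2", Packet("tcp", PC1, R2, 23),     "deny"),
    ("PC2 ping R1",   Packet("icmp", PC2, R1_LAN),    "permit"),
    ("PC2 telnet R1", Packet("tcp", PC2, R1_LAN, 23), "deny"),
    ("PC2 telnet R2", Packet("tcp", PC2, R2, 23),     "permit"),
    ("PC2 ping R2",   Packet("icmp", PC2, R2),        "deny")]


def failing_requirements(rules) -> list:
    """Labels of the lab requirements that this ACL does NOT satisfy."""
    return [lab for lab, pkt, want in REQUIREMENTS
            if traffic_filter(rules, pkt) != want]


if __name__ == "__main__":
    for name, acl in ("nopingr1", NOPINGR1), ("notelnetr2", NOTELNETR2), ("combined", COMBINED):
        print(f"{name:10s} fails: {failing_requirements(acl) or 'none'}")
```

Running it reports which requirements each list fails: nopingr1 fails the telnet-to-R2 deny and both PC2 denies, notelnetr2 fails the ping-to-R1 deny and both PC2 denies, and the combined list fails none. The rule strings inside COMBINED can be typed unchanged under `acl name pcpolicy 3002` on R1 and bound once with `traffic-filter inbound acl name pcpolicy`, replacing the one-at-a-time swap shown above.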

Lab complete!
