1. Configure an ACL to implement access control
Lab topology:
Configuration requirements:
- Build the lab environment as shown in the topology diagram.
##assign IP addresses to the routers
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.1.10 24
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip address 192.168.2.1 24
[R2-GigabitEthernet0/0/1]int g0/0/2
[R2-GigabitEthernet0/0/2]ip address 192.168.3.1 24
[R3]int g0/0/0
[R3-GigabitEthernet0/0/0]ip address 192.168.2.10 24
[R4]int g0/0/0
[R4-GigabitEthernet0/0/0]ip address 192.168.3.10 24
- Configure the network and addresses according to the IP plan in the topology, and make sure AR1, AR3 and AR4 can reach each other (connectivity is mandatory).
##configure static routes (AR2 is directly connected to all three subnets and needs none)
[R1]ip route-static 192.168.2.0 24 192.168.1.1
[R1]ip route-static 192.168.3.0 24 192.168.1.1
[R4]ip route-static 192.168.1.0 24 192.168.3.1
[R4]ip route-static 192.168.2.0 24 192.168.3.1
[R3]ip route-static 192.168.3.0 24 192.168.2.1
[R3]ip route-static 192.168.1.0 24 192.168.2.1
##the routers can now reach each other (the first echo from R1 times out, which is usual in eNSP while the next hop is being resolved)
[R1]ping 192.168.2.10
  PING 192.168.2.10: 56 data bytes, press CTRL_C to break
    Request time out
    Reply from 192.168.2.10: bytes=56 Sequence=2 ttl=254 time=40 ms
[R4]ping 192.168.2.10
  PING 192.168.2.10: 56 data bytes, press CTRL_C to break
    Reply from 192.168.2.10: bytes=56 Sequence=1 ttl=254 time=110 ms
[R4]ping 192.168.1.10
  PING 192.168.1.10: 56 data bytes, press CTRL_C to break
    Reply from 192.168.1.10: bytes=56 Sequence=1 ttl=254 time=40 ms
- Enable SSH remote management on AR4.
[R4]stelnet server enable
Info: Succeeded in starting the STELNET server.
[R4]user-interface vty 0 4
[R4-ui-vty0-4]authentication-mode aaa
[R4-ui-vty0-4]protocol inbound ssh
[R4-ui-vty0-4]q
[R4]aaa
[R4-aaa]local-user lisi password cipher 123
Info: Add a new user.
[R4-aaa]local-user lisi privilege level 3
[R4-aaa]q
##only meaningful on an SSH client; it does nothing for the server role
[R4]ssh client first-time enable
Two things to keep in mind: the password 123 is acceptable only inside this lab, and privilege level 3 gives lisi full configuration rights on AR4, so the ACL step below is what actually limits who can use that account. If the login in the next step fails on your VRP release, add local-user lisi service-type ssh under aaa; many releases refuse SSH for a local user that has no SSH service type.
- Test: AR4 can be managed remotely from both AR1 and AR3.
##R1 manages R4 remotely (stelnet server enable is not needed on a client; ssh client first-time enable is what allows the unknown host key below)
[R1]stelnet server enable
Info: Succeeded in starting the STELNET server.
[R1]ssh client first-time enable
[R1]stelnet 192.168.3.10
Please input the username:lisi
Trying 192.168.3.10 ...
Press CTRL+K to abort
Connected to 192.168.3.10 ...
The server is not authenticated. Continue to access it? (y/n)[n]:y
Feb 11 2020 10:31:41-08:00 R1 %%01SSH/4/CONTINUE_KEYEXCHANGE(l)[1]:The server had not been authenticated in the process of exchanging keys. When deciding whether to continue, the user chose Y.
[R1]
Save the server's public key? (y/n)[n]:y
The server's public key will be saved with the name 192.168.3.10. Please wait...
Feb 11 2020 10:31:43-08:00 R1 %%01SSH/4/SAVE_PUBLICKEY(l)[2]:When deciding whether to save the server's public key 192.168.3.10, the user chose Y.
[R1]
Enter password:
<R4>sys
Enter system view, return user view with Ctrl+Z.
[R4]
##R3 manages R4 remotely
[R3]stelnet server enable
Info: Succeeded in starting the STELNET server.
[R3]ssh client first-time enable
[R3]stelnet 192.168.3.10
Please input the username:lisi
Trying 192.168.3.10 ...
Press CTRL+K to abort
Connected to 192.168.3.10 ...
The server is not authenticated. Continue to access it? (y/n)[n]:y
Feb 11 2020 10:33:38-08:00 R3 %%01SSH/4/CONTINUE_KEYEXCHANGE(l)[0]:The server had not been authenticated in the process of exchanging keys. When deciding whether to continue, the user chose Y.
[R3]
Save the server's public key? (y/n)[n]:y
The server's public key will be saved with the name 192.168.3.10. Please wait...
Feb 11 2020 10:33:39-08:00 R3 %%01SSH/4/SAVE_PUBLICKEY(l)[1]:When deciding whether to save the server's public key 192.168.3.10, the user chose Y.
[R3]
Enter password:
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: SSH
IP-Address : 192.168.1.10 ssh
Time : 2020-02-11 10:31:47-08:00
-----------------------------------------------------------------------------
<R4>sys
Enter system view, return user view with Ctrl+Z.
[R4]
The prompt "The server is not authenticated" means the client has no record of AR4's host key and is trusting it on first use; answering y on a path you do not control would also accept a man-in-the-middle that presents its own key. The "User last login information" banner R3 sees is AR4 reporting the earlier login from 192.168.1.10, which is a useful check that nobody else has been on the box.
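The following is an added example, not part of the lab transcript: the SSH server setup on AR4 with the pieces the lab's minimal version leaves out (an explicit host key, an SSH-only service type for the user, an idle timeout, and a client that knows AR4's key in advance instead of trusting it on first use). Addresses are the lab's; the password and the key name r4-key are placeholders to replace, and the hex key blocks are the output of display rsa local-key-pair public on R4, which is not reproduced here.

```text
##Added example (not the lab's own config). Placeholders: password, key name r4-key, key blocks.
##1. Host key. eNSP images ship one; a real device may not, so create it explicitly.
[R4]rsa local-key-pair create
##2. SSH user in AAA: password authentication, SSH service only, privilege 3 for this lab.
[R4]aaa
[R4-aaa]local-user lisi password cipher Lab-Ssh-2020
[R4-aaa]local-user lisi service-type ssh
[R4-aaa]local-user lisi privilege level 3
[R4-aaa]quit
[R4]ssh user lisi authentication-type password
[R4]ssh user lisi service-type stelnet
##3. VTY lines: AAA authentication, SSH only (telnet refused), log out after 5 idle minutes.
[R4]user-interface vty 0 4
[R4-ui-vty0-4]authentication-mode aaa
[R4-ui-vty0-4]protocol inbound ssh
[R4-ui-vty0-4]idle-timeout 5 0
[R4-ui-vty0-4]quit
[R4]stelnet server enable
##4. Verify the server and the user before testing from a client.
[R4]display ssh server status
[R4]display ssh user-information lisi
[R4]display rsa local-key-pair public
##5. On the client, store AR4's public key and bind it to 192.168.3.10, so the login
##   no longer asks "The server is not authenticated" and a swapped key is rejected.
[R1]rsa peer-public-key r4-key
[R1-rsa-public-key]public-key-code begin
[R1-rsa-key-code]<hex key blocks copied from R4, placeholder>
[R1-rsa-key-code]public-key-code end
[R1-rsa-public-key]peer-public-key end
[R1]ssh client 192.168.3.10 assign rsa-key r4-key
[R1]stelnet 192.168.3.10
```

With the key bound, ssh client first-time enable can stay off on R1; any client that still needs it is one that has not been given the server's key.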
- Use an ACL so that AR4 can be managed over SSH only from AR1 and from no other device.
[R4]acl 3000
[R4-acl-adv-3000]rule permit tcp source 192.168.1.0 0.0.0.255 destination 192.168.3.10 0.0.0.255 destination-port eq 22
[R4]interface GigabitEthernet 0/0/0
[R4-GigabitEthernet0/0/0]traff
As written this ACL does not satisfy the requirement. The source 192.168.1.0 0.0.0.255 admits every host on AR1's subnet rather than AR1 alone (the host form is 192.168.1.10 0); the destination wildcard 0.0.0.255 matches all of 192.168.3.0/24 instead of the single address 192.168.3.10 (use wildcard 0); and a permit rule by itself changes nothing, because a traffic-filter lets through any packet that matches no rule, so AR3 can still log in until an explicit deny for TCP port 22 follows the permit.
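Here is an added example, not the lab's own configuration, of an ACL that does restrict SSH on AR4 to AR1 under the lab's addressing (AR1 = 192.168.1.10, AR4 = 192.168.3.10 on G0/0/0). It shows the interface traffic-filter the lab was heading for, corrected, and the alternative a practitioner usually prefers for management access, a basic ACL on the VTY lines, which covers every interface rather than only G0/0/0.

```text
##Added example (not the lab's own config). Assumes the lab's addresses.
##Option A: advanced ACL on the interface. Host wildcards (0) on both ends, and an
##explicit deny after the permit, because a traffic-filter permits anything no rule matches.
[R4]acl 3000
[R4-acl-adv-3000]rule 5 permit tcp source 192.168.1.10 0 destination 192.168.3.10 0 destination-port eq 22
[R4-acl-adv-3000]rule 10 deny tcp destination 192.168.3.10 0 destination-port eq 22
[R4-acl-adv-3000]quit
[R4]interface GigabitEthernet 0/0/0
[R4-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
[R4-GigabitEthernet0/0/0]quit
##Option B: basic ACL bound to the VTY lines. Applies to SSH on every interface of AR4
##and leaves other traffic through G0/0/0 untouched. The trailing deny makes the
##"no rule matched" case unambiguous.
[R4]acl 2000
[R4-acl-basic-2000]rule 5 permit source 192.168.1.10 0
[R4-acl-basic-2000]rule 10 deny
[R4-acl-basic-2000]quit
[R4]user-interface vty 0 4
[R4-ui-vty0-4]acl 2000 inbound
[R4-ui-vty0-4]quit
##Verify: AR1 still logs in, AR3's attempt fails, and the rule hit counters show which
##rule handled each attempt.
[R1]stelnet 192.168.3.10
[R3]stelnet 192.168.3.10
[R4]display acl 3000
[R4]display acl 2000
```

Pick one option rather than both; if both are applied, a change to only one of them is easy to overlook later. With option A, remember that the traffic-filter also affects any other TCP/22 traffic that crosses G0/0/0 toward 192.168.3.10, which in this topology is only AR4 itself.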