Lab topology and addressing plan: see the figure above.
Lab tasks and objectives:
Task 1. On ROUTER1, apply a standard access control list that restricts only PC1's access to VS1.
Task 2. On ROUTER2, apply a standard access control list that blocks the network 192.168.3.0/24 from reaching VS2.
Task 3. On ROUTER2, apply an extended access control list that denies VS1 from initiating Remote Desktop (TCP port 3389) to VS2 but allows all other traffic.
Task 4. Repeat the experiments above using named access control lists.
Task 5. After completing task 3 with a named access control list, modify the list so that ROUTER2 denies VS1 from initiating TELNET (TCP port 23) to VS2 while still allowing all other traffic.
Lab procedure and configuration notes:
Step 1: configure IP addresses. The abbreviated command no sw is no switchport; it turns the port into a routed Layer-3 interface and is only needed because the router roles here are played by multilayer switches.
r1(config)#int f0/0
r1(config-if)#no sw
r1(config-if)#ip add 192.168.4.1 255.255.255.0
r1(config-if)#no shut
r1(config-if)#int f0/1
r1(config-if)#no sw
r1(config-if)#ip add 192.168.1.1 255.255.255.0
r1(config-if)#no shut
r1(config-if)#end
r2(config)#int f0/0
r2(config-if)#no sw
r2(config-if)#ip add 192.168.4.2 255.255.255.0
r2(config-if)#no shut
r2(config-if)#int f0/1
r2(config-if)#no sw
r2(config-if)#ip add 192.168.2.1 255.255.255.0
r2(config-if)#no shut
r2(config-if)#end
r3(config)#int f0/0
r3(config-if)#no sw
r3(config-if)#ip add 192.168.4.3 255.255.255.0
r3(config-if)#no shut
r3(config-if)#int f0/1
r3(config-if)#no sw
r3(config-if)#ip add 192.168.3.1 255.255.255.0
r3(config-if)#no shut
r3(config-if)#end
Step 2: enable RIP so that every segment can reach every other one. ver 2 and no au abbreviate version 2 and no auto-summary. The routing tables below confirm that each router learns the two remote LAN segments via RIP (R entries, administrative distance 120, one hop away), which is the prerequisite for testing the access lists.
r1(config)#router rip
r1(config-router)#ver 2
r1(config-router)#no au
r1(config-router)#network 192.168.4.0
r1(config-router)#network 192.168.1.0
r1(config-router)#end
r2(config)#router rip
r2(config-router)#ver 2
r2(config-router)#no au
r2(config-router)#network 192.168.4.0
r2(config-router)#network 192.168.2.0
r2(config-router)#end
r3(config)#router rip
r3(config-router)#ver 2
r3(config-router)#no au
r3(config-router)#network 192.168.4.0
r3(config-router)#network 192.168.3.0
r3(config-router)#end
r1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.4.0/24 is directly connected, FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/1
R 192.168.2.0/24 [120/1] via 192.168.4.2, 00:00:21, FastEthernet0/0
R 192.168.3.0/24 [120/1] via 192.168.4.3, 00:00:12, FastEthernet0/0
r2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.4.0/24 is directly connected, FastEthernet0/0
R 192.168.1.0/24 [120/1] via 192.168.4.1, 00:00:24, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
R 192.168.3.0/24 [120/1] via 192.168.4.3, 00:00:01, FastEthernet0/0
r3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.4.0/24 is directly connected, FastEthernet0/0
R 192.168.1.0/24 [120/1] via 192.168.4.1, 00:00:19, FastEthernet0/0
R 192.168.2.0/24 [120/1] via 192.168.4.2, 00:00:07, FastEthernet0/0
C 192.168.3.0/24 is directly connected, FastEthernet0/1
Task 1. On ROUTER1, apply a standard access control list that restricts only PC1's access to VS1. PC1 is 192.168.3.2 (on the segment behind ROUTER3) and VS1 is 192.168.1.2 (behind ROUTER1). A standard list matches on source address only, so the deny entry names PC1's address; the permit any that follows is required because every IOS access list ends with an implicit deny.
r1(config)#access-list 1 deny host 192.168.3.2
r1(config)#access-list 1 permit any
r1(config)#int f0/0
r1(config-if)#ip access-group 1 in
r1(config-if)#end
r3#ping 192.168.1.2 source 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/50/96 ms
The test above is sourced from ROUTER3's own address 192.168.3.1, so it hits the permit any entry and succeeds; only traffic sourced from 192.168.3.2 (PC1) is dropped, and every other address still reaches 192.168.1.2. A ping sourced from 192.168.3.2 would be the test that exercises the deny entry. Because the list is bound inbound on f0/0, it drops everything from PC1 that enters ROUTER1, including packets addressed to the router itself, not only packets for VS1; binding the same list outbound on f0/1, closest to the destination, would confine the effect to the 192.168.1.0/24 segment.
Task 2. On ROUTER2, apply a standard access control list that blocks the network 192.168.3.0/24 from reaching VS2. The wildcard mask 0.0.0.255 means the first three octets must match and the last octet is ignored, so one entry covers the whole /24.
r2(config)#access-list 1 deny 192.168.3.0 0.0.0.255
r2(config)#access-list 1 permit any
r2(config)#int f0/0
r2(config-if)#ip access-group 1 in
r2(config-if)#end
r3#ping 192.168.2.2 source 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/44/64 ms
r3#ping 192.168.2.2 source 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
U.U.U
Success rate is 0 percent (0/5)
The first run shows reachability before the list takes effect. In the second run, with access-list 1 bound inbound on f0/0, ROUTER2 drops the echo requests and answers with ICMP destination unreachable (administratively prohibited), which ping displays as U instead of the timeout dot; the alternating dots appear because IOS rate-limits ICMP unreachables (one every 500 ms by default). Because a standard list cannot name a destination, this entry blocks 192.168.3.0/24 from everything behind ROUTER2, including ROUTER2's own addresses, not only VS2. RIP between ROUTER2 and ROUTER3 is unaffected: the updates are sourced from 192.168.4.3, which falls through to permit any.
Task 3. On ROUTER2, apply an extended access control list that denies VS1 from initiating Remote Desktop (TCP port 3389) to VS2 but allows all other traffic. The standard list from task 2 is removed first.
r2(config)#no access-list 1
r2(config)#access-list 101 deny tcp host 192.168.1.2 host 192.168.2.2 eq 3389
r2(config)#access-list 101 permit ip any any
r2(config)#int f0/0
r2(config-if)#ip access-group 101 in
r2(config-if)#end
The deny entry matches only TCP from 192.168.1.2 (VS1) to 192.168.2.2 (VS2) with destination port 3389, that is, RDP sessions VS1 initiates; replies and every other flow, including RDP initiated by VS2 towards VS1, fall through to permit ip any any. The permit is mandatory: without it the implicit deny at the end of the list would drop all traffic entering f0/0. Deleting access-list 1 while f0/0 still carries ip access-group 1 in is harmless here only because the binding is immediately replaced by list 101 (an interface holds a single inbound IP list per direction, so the second ip access-group overwrites the first). An interface that references a list that no longer exists passes all traffic, so the safer order is to remove the binding from the interface before deleting the list.
Task 4. Repeat the experiments above using named access control lists.
Entering ip access-list extended 101 opens the existing numbered list in named-ACL configuration mode. That mode exposes sequence numbers (IOS assigned 10 and 20 to the two entries configured above), so a new entry can be inserted at a chosen position, here 15 between the RDP deny and the permit, without deleting and retyping the list. The ICMP deny inserted here goes beyond the task statement and is removed again in task 5.
r2(config)#ip access-list extended 101
r2(config-ext-nacl)#15 deny icmp host 192.168.1.2 host 192.168.2.2
r2(config-ext-nacl)#end
r2#show access-lists
Extended IP access list 101
10 deny tcp host 192.168.1.2 host 192.168.2.2 eq 3389 (9 matches)
15 deny icmp host 192.168.1.2 host 192.168.2.2
20 permit ip any any (544 matches)
Task 5. After completing task 3 with a named access control list, modify the list so that ROUTER2 denies VS1 from initiating TELNET (TCP port 23) to VS2 while still allowing all other traffic.
r2(config)#ip access-list extended 101
r2(config-ext-nacl)#16 deny tcp host 192.168.1.2 host 192.168.2.2 eq 23
r2(config-ext-nacl)#end
r2#show access-lists 101
Extended IP access list 101
10 deny tcp host 192.168.1.2 host 192.168.2.2 eq 3389 (9 matches)
15 deny icmp host 192.168.1.2 host 192.168.2.2 (36 matches)
16 deny tcp host 192.168.1.2 host 192.168.2.2 eq telnet (9 matches)
20 permit ip any any (1580 matches)
IOS displays eq 23 as eq telnet, the well-known name for the port. Entry 16 sits before the permit because its sequence number is lower, so the list is evaluated in the order 10, 15, 16, 20, and the nine matches on entry 16 are TELNET attempts from VS1 that were dropped. The extra ICMP entry from task 4 is removed next so that only the two deny entries required by tasks 3 and 5 remain.
r2(config)#ip access-list extended 101
r2(config-ext-nacl)#no 15 deny icmp host 192.168.1.2 host 192.168.2.2
r2(config-ext-nacl)#end
r2#show access-lists
Extended IP access list 101
10 deny tcp host 192.168.1.2 host 192.168.2.2 eq 3389 (9 matches)
16 deny tcp host 192.168.1.2 host 192.168.2.2 eq telnet (23 matches)
20 permit ip any any (1768 matches)
Removing an entry by sequence number (no 15 alone is sufficient; repeating the full line also works) leaves the other sequence numbers unchanged, so entry 16 keeps its position and its counter keeps growing (9 to 23 matches) while ICMP from VS1 to VS2 is permitted again by entry 20.
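The following Python model is an added illustration and is not IOS code or part of the lab handout. It reproduces the list semantics the five tasks rely on (wildcard matching, top-down first match, the implicit deny, standard versus extended matching, and in-place editing by sequence number), builds the lists from tasks 1 to 3 with the lab's addresses, and applies the task 4 and 5 edits. The packet headers and the names Ace, Acl, filter_inbound and lab_lists are constructed for the example; the behaviour of an interface whose referenced list has been deleted is IOS's documented pass-all behaviour, modelled here deliberately.

```python
"""Toy model of IOS IPv4 access-list evaluation and named-ACL editing.

Added illustration for the lab above, not IOS code and not from the handout.
It reproduces the semantics the five tasks rely on: top-down first match, the
implicit deny at the end of every list, wildcard masks (a 0 bit must match),
standard lists matching source only, extended lists matching protocol, source,
destination and port, and in-place editing by sequence number as done under
`ip access-list extended 101`. Addresses come from the lab; packets are
constructed, not captured.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")   # keyword `any`


def host(addr: str) -> tuple:
    """Keyword `host x` is shorthand for `x 0.0.0.0`."""
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard: bits that are 0 in the mask must equal the base address."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    """One entry. A standard list only uses seq/action/src/src_wc."""
    seq: int
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"                # "ip" matches every protocol
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    dport: Optional[int] = None      # `eq N` on the destination port
    matches: int = 0                 # the counter `show access-lists` prints

    def hits(self, pkt: dict) -> bool:
        return (wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc)
                and self.proto in ("ip", pkt["proto"])
                and (self.dport is None or pkt.get("dport") == self.dport))


@dataclass
class Acl:
    name: str
    aces: list = field(default_factory=list)

    def add(self, ace: Ace) -> None:
        """Named-ACL mode: the sequence number fixes the position, so
        `15 deny icmp ...` lands between entries 10 and 20."""
        kept = [a for a in self.aces if a.seq != ace.seq]
        self.aces = sorted(kept + [ace], key=lambda a: a.seq)

    def remove(self, seq: int) -> None:
        """`no 15` (or the full `no 15 deny icmp ...`) drops one entry."""
        self.aces = [a for a in self.aces if a.seq != seq]

    def sequence(self) -> list:
        return [a.seq for a in self.aces]

    def evaluate(self, pkt: dict) -> str:
        """First match wins; no match means the implicit deny."""
        for ace in self.aces:
            if ace.hits(pkt):
                ace.matches += 1
                return ace.action
        return "deny"


def filter_inbound(lists: dict, bound: Optional[str], pkt: dict) -> str:
    """Model `ip access-group <list> in`. Reproduces the IOS behaviour that an
    interface referencing a list which does not exist passes every packet."""
    if bound is None or bound not in lists:
        return "permit"
    return lists[bound].evaluate(pkt)


def pkt(src: str, dst: str, proto: str = "icmp", dport: Optional[int] = None) -> dict:
    """Constructed packet header for testing, not captured traffic."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


def lab_lists() -> dict:
    """The lists from tasks 1 to 3, keyed as router:number."""
    r1_acl1 = Acl("1")                                   # task 1, ROUTER1
    r1_acl1.add(Ace(10, "deny", *host("192.168.3.2")))
    r1_acl1.add(Ace(20, "permit", *ANY))
    r2_acl1 = Acl("1")                                   # task 2, ROUTER2
    r2_acl1.add(Ace(10, "deny", "192.168.3.0", "0.0.0.255"))
    r2_acl1.add(Ace(20, "permit", *ANY))
    r2_acl101 = Acl("101")                               # task 3, ROUTER2
    r2_acl101.add(Ace(10, "deny", *host("192.168.1.2"), "tcp", *host("192.168.2.2"), 3389))
    r2_acl101.add(Ace(20, "permit", *ANY, "ip", *ANY))
    return {"r1:1": r1_acl1, "r2:1": r2_acl1, "r2:101": r2_acl101}


if __name__ == "__main__":
    acl = lab_lists()["r2:101"]
    print("VS1->VS2 rdp    :", acl.evaluate(pkt("192.168.1.2", "192.168.2.2", "tcp", 3389)))
    print("VS1->VS2 http   :", acl.evaluate(pkt("192.168.1.2", "192.168.2.2", "tcp", 80)))
    acl.add(Ace(16, "deny", *host("192.168.1.2"), "tcp", *host("192.168.2.2"), 23))  # task 5
    print("VS1->VS2 telnet :", acl.evaluate(pkt("192.168.1.2", "192.168.2.2", "tcp", 23)))
    for a in acl.aces:                                   # roughly `show access-lists 101`
        print(f"  {a.seq} {a.action} {a.proto} {a.src} {a.dst} ({a.matches} matches)")
```

Running the script shows the same decisions the lab observed on ROUTER2: RDP and TELNET from VS1 to VS2 are denied by entries 10 and 16, anything else from VS1 is permitted by entry 20, and the per-entry counters grow the way show access-lists reports them. The model is also useful for checking a list before it is typed into a router: evaluating a packet sourced from 192.168.4.3 against the task 2 list confirms that RIP updates are not caught by the deny for 192.168.3.0/24.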