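I. Lab Objectives
This lab covers the following skills:
- Configuring interface IP addresses
- Configuring access control lists
- Verifying the access control list configuration
II. Equipment Requirements
- 3 Cisco routers, named R1, R2 and R3
- 1 access server
- 1 PC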
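III. Topology and Interface IP Configuration
The lab topology is shown in the figure below.
The college's egress router R2 and the university router R3 are connected over a serial link. The university server runs various services, such as WWW, FTP and TELNET. For network security, only access from the college PC to the WWW service on the university server is permitted; everything else is denied, including ICMP (that is, the PC may not ping the server). The interfaces used on each router and their numbers are labelled in the figure, and the interface IP addresses are assigned as follows:
PC IP: 172.16.1.2 Subnet mask: 255.255.255.0 Gateway: 172.16.1.1
R1 Fa0/0 IP: 172.16.1.1 Subnet mask: 255.255.255.0
R1 Fa1/0 IP: 172.16.2.1 Subnet mask: 255.255.255.0
R2 Fa0/0 IP: 172.16.2.2 Subnet mask: 255.255.255.0
R2 Se2/0 IP: 172.16.3.1 Subnet mask: 255.255.255.0 Clock rate: 64000
R3 Se2/0 IP: 172.16.3.2 Subnet mask: 255.255.255.0
R3 Fa1/0 IP: 172.16.4.1 Subnet mask: 255.255.255.0
Server IP: 172.16.4.2 Subnet mask: 255.255.255.0 Gateway: 172.16.4.1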
IV. Lab Configuration
1. Basic network configuration
PC-sjt:
R1-sjt:
Router>
Router>en
Router>enable
Router#conf
Router#configure ter
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hos
Router(config)#hostname R1-sjt
R1-sjt(config)#int
R1-sjt(config)#interface F
R1-sjt(config)#interface FastEthernet 0/0
R1-sjt(config-if)#ip add
R1-sjt(config-if)#ip address 172.16.1.1 255.255.255.0
R1-sjt(config-if)#no sh
R1-sjt(config-if)#no shutdown
R1-sjt(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1-sjt(config-if)#exit
R1-sjt(config)#int
R1-sjt(config)#interface F
R1-sjt(config)#interface FastEthernet 1/0
R1-sjt(config-if)#ip ad
R1-sjt(config-if)#ip address 172.16.2.1 255.255.255.0
R1-sjt(config-if)#no sh
R1-sjt(config-if)#no shutdown
R1-sjt(config-if)#
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
R1-sjt(config-if)#
R2-sjt:
Router>en
Router>enable
Router#conf
Router#configure ter
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#host
Router(config)#hostname R2-sjt
R2-sjt(config)#ip ad
R2-sjt(config)#inte
R2-sjt(config)#interface F
R2-sjt(config)#interface FastEthernet 0/0
R2-sjt(config-if)#ip ad
R2-sjt(config-if)#ip address 172.16.2.2 255.255.255.0
R2-sjt(config-if)#no sh
R2-sjt(config-if)#no shutdown
R2-sjt(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2-sjt(config-if)#exit
R2-sjt(config)#int
R2-sjt(config)#interface s
R2-sjt(config)#interface serial 2/0
R2-sjt(config-if)#ip ad
R2-sjt(config-if)#ip address 172.16.3.1 255.255.255.0
R2-sjt(config-if)#cl
R2-sjt(config-if)#clock r
R2-sjt(config-if)#clock rate 64000
R2-sjt(config-if)#no sh
R2-sjt(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial2/0, changed state to down
R2-sjt(config-if)#
R3-sjt:
Router>en
Router>enable
Router#conf
Router#configure ter
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hos
Router(config)#hostname R3-sjt
R3-sjt(config)#int
R3-sjt(config)#interface s
R3-sjt(config)#interface serial 2/0
R3-sjt(config-if)#ip ad
R3-sjt(config-if)#ip address 172.16.3.2 255.255.255.0
R3-sjt(config-if)#no sh
R3-sjt(config-if)#no shutdown
R3-sjt(config-if)#
%LINK-5-CHANGED: Interface Serial2/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R3-sjt(config-if)#exit
R3-sjt(config)#int
R3-sjt(config)#interface F
R3-sjt(config)#interface FastEthernet 1/0
R3-sjt(config-if)#ip ad
R3-sjt(config-if)#ip address 172.16.4.1 255.255.255.0
R3-sjt(config-if)#no sh
R3-sjt(config-if)#no shutdown
R3-sjt(config-if)#
%LINK-5-CHANGED: Interface FastEthernet1/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R3-sjt(config-if)#
Server-sjt:
2. Configure the routing protocol to provide connectivity across the whole network
R1-sjt:
R1-sjt(config)#rout
R1-sjt(config)#router ei
R1-sjt(config)#router eigrp 100
R1-sjt(config-router)#net
R1-sjt(config-router)#network 172.16.1.0 0.0.0.255
R1-sjt(config-router)#network 172.16.2.0 0.0.0.255
R1-sjt(config-router)#
R2-sjt:
R2-sjt(config)#rou
R2-sjt(config)#router ei
R2-sjt(config)#router eigrp 100
R2-sjt(config-router)#net
R2-sjt(config-router)#network 172.16.2.0 0.0.0.255
R2-sjt(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.16.2.1 (FastEthernet0/0) is up: new adjacency
R2-sjt(config-router)#network 172.16.3.0 0.0.0.255
R2-sjt(config-router)#
R3-sjt:
R3-sjt(config)#rou
R3-sjt(config)#router ei
R3-sjt(config)#router eigrp 100
R3-sjt(config-router)#net
R3-sjt(config-router)#network 172.16.3.0 0.0.0.255
R3-sjt(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 172.16.3.1 (Serial2/0) is up: new adjacency
R3-sjt(config-router)#network 172.16.4.0 0.0.0.255
R3-sjt(config-router)#
3. Configure the ACL
R2-sjt:
R2-sjt>en
R2-sjt>enable
R2-sjt#conf
R2-sjt#configure ter
R2-sjt#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2-sjt(config)#ip ac
R2-sjt(config)#ip access-list ex
R2-sjt(config)#ip access-list extended onlypermitwww
R2-sjt(config-ext-nacl)#permit
R2-sjt(config-ext-nacl)#permit t
R2-sjt(config-ext-nacl)#permit tcp 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255 eq 80
R2-sjt(config-ext-nacl)#deny ip any any
R2-sjt(config-ext-nacl)#int
R2-sjt(config-ext-nacl)#exit
R2-sjt(config)#int
R2-sjt(config)#interface F
R2-sjt(config)#interface FastEthernet 0/0
R2-sjt(config-if)#ip ac
R2-sjt(config-if)#ip access-group onlypermitwww in
R2-sjt(config-if)#
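V. Verifying the Results
1. show access-list
This command displays the contents of all access control lists on the router:
2. show run
The show run command displays the contents of the access control list and the interface it is applied to:
3. Using the ping command
Pinging the server from the PC fails, while the PC can access the server's WWW service. Click the PC -> select Web Browser -> enter "172.16.4.2" in the URL bar, and the content of the server's web page should appear. First, ping the server from the PC; the ping does not get through.
The ping command fails
Access to the web server succeeds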
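VI. Lab Summary
- Learned how to configure interface IP addresses and access control lists
- When configuring an ACL, pay attention to the order of the permit and deny entries; the wrong order can break the whole network
- When configuring an ACL, pay attention to the order of the source and destination addresses; swapping them will also break the whole network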
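The ACL from step 3 and the two ordering pitfalls named in the summary, as an added example (not part of the original lab files): a small first-match evaluator in Python run over constructed sample packets. The function names, the `DENY_FIRST` and `SWAPPED` variants and the packet set are assumptions made for illustration; the EIGRP hello from R1 is included because it also arrives inbound on R2's Fa0/0.

```python
import ipaddress

def wild_match(addr, base, wildcard):
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return "0.0.0.0", "255.255.255.255"
    if first == "host":
        return tokens.pop(0), "0.0.0.0"
    return first, tokens.pop(0)

def evaluate(acl, pkt):
    """First matching entry wins; no match at all hits the implicit deny."""
    for line in acl:
        action, proto, *rest = line.split()
        src, dst = take_addr(rest), take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        if (proto in ("ip", pkt["proto"])
                and wild_match(pkt["src"], *src) and wild_match(pkt["dst"], *dst)
                and port in (None, pkt.get("dport"))):
            return action
    return "deny"

# The ACL as configured on R2-sjt, plus two hypothetical broken variants.
ONLYPERMITWWW = [
    "permit tcp 172.16.1.0 0.0.0.255 172.16.4.0 0.0.0.255 eq 80",
    "deny ip any any",
]
DENY_FIRST = list(reversed(ONLYPERMITWWW))       # permit/deny order wrong
SWAPPED = ["permit tcp 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 80",
           "deny ip any any"]                    # source/destination swapped

# Constructed sample packets as seen inbound on R2 Fa0/0.
PACKETS = {
    "http": {"proto": "tcp", "src": "172.16.1.2", "dst": "172.16.4.2", "dport": 80},
    "ftp": {"proto": "tcp", "src": "172.16.1.2", "dst": "172.16.4.2", "dport": 21},
    "ping": {"proto": "icmp", "src": "172.16.1.2", "dst": "172.16.4.2"},
    "eigrp_hello": {"proto": "eigrp", "src": "172.16.2.1", "dst": "224.0.0.10"},
}

def verdicts(acl):
    """Return {packet name: 'permit' | 'deny'} for every sample packet."""
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print(verdicts(ONLYPERMITWWW), verdicts(DENY_FIRST), verdicts(SWAPPED), sep="\n")
```

With the ACL as configured only `http` is permitted, and both broken variants deny it too. `eigrp_hello` also falls to `deny ip any any`: an inbound interface ACL filters routing-protocol packets addressed to the router itself, so on a physical router a `permit eigrp` entry ahead of the deny is needed to keep the adjacency with R1.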
VII. Attachments
The files for this lab are available below.
Link: https://pan.baidu.com/s/1bnQ_ZcL-2XCsMqYA8Z61MA Password: l4gz