NA-NP-IE Series Lab 36: Extended ACL
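© Copyright belongs to the author: an original work by gauyanm, a 51CTO blog author. To repost, contact the author; otherwise legal liability will be pursued.
Lab 36: Extended ACL
1. Lab objectives
This lab covers:
(1) Defining an extended ACL
(2) Applying an extended ACL
(3) Debugging an extended ACL
2. Topology
The lab topology is shown in the figure.
3. Lab steps
Note: this lab requires that the network containing 1.1.1.1 must not be allowed to reach the network on router R2 that contains 2.2.2.2.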
r0(config)#int loo 1
r0(config-if)#ip add 1.
*Mar 1 00:08:34.227: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
r0(config-if)#ip add 1.1.1.1 255.255.255.0
r0(config-if)#int s0/0
r0(config-if)#ip add 172.16.1.1 255.255.255.0
r0(config-if)#no sh
r0(config-if)#
*Mar 1 00:09:47.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r0(config-if)#do ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/25/76 ms
r0(config-if)#exit
r0(config)#router ospf 1
r0(config-router)#net 1.1.1.0 0.0.0.255 area 0
r0(config-router)#net 172.16.1.0 0.0.0.255 area 0
r0(config-router)#
*Mar 1 00:12:03.559: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.2.1 on Serial0/0 from LOADING to FULL, Loading Done
r0(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF , IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 1.1.1.0 is directly connected, Loopback1
O 2.2.2.2 [110/129] via 172.16.1.2, 00:00:19, Serial0/0
(Note: a host entry appearing among the OSPF routes is not really acceptable, so ip ospf net point-to-point is used to fix it, as shown below.)
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.1.0 is directly connected, Serial0/0
O 172.16.2.0 [110/128] via 172.16.1.2, 00:01:02, Serial0/0
r0(config-router)#exit
r0(config)#int loo 1
r0(config-if)#ip ospf net point-to-point
r0(config-if)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF , IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 1.1.1.0 is directly connected, Loopback1
O 2.2.2.0 [110/129] via 172.16.1.2, 00:00:05, Serial0/0
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.1.0 is directly connected, Serial0/0
O 172.16.2.0 [110/128] via 172.16.1.2, 00:00:37, Serial0/0
r0(config-if)#do ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
r0(config-if)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF , IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 1.1.1.0 is directly connected, Loopback1
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Serial0/0
r0(config-if)#do ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
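The pings above fail because one statement was left out when the ACL was configured on R1: r1(config)#access-list 101 permit ip any any
An ACL ends with an implicit deny, so with only the deny entry in place, list 101 inbound on R1's s0/0 also dropped R0's OSPF packets; the adjacency timed out (the "Dead timer expired" message in the R1 session) and the OSPF routes disappeared from the routing table.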
r0(config-if)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF , IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 1.1.1.0 is directly connected, Loopback1
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Serial0/0
r0(config-if)#exit
r0(config)#
*Mar 1 00:20:43.583: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.2.1 on Serial0/0 from LOADING to FULL, Loading Done
r0(config)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF , IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 1.1.1.0 is directly connected, Loopback1
O 2.2.2.0 [110/129] via 172.16.1.2, 00:01:48, Serial0/0
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.1.0 is directly connected, Serial0/0
O 172.16.2.0 [110/128] via 172.16.1.2, 00:01:48, Serial0/0
r0(config)#do ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/36/72 ms
r0(config)#do ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/51/92 ms
r0(config)#do ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)
r0(config)#
r1(config)#int s0/0
r1(config-if)#ip add 172.16.1.2 255.255.255.0
r1(config-if)#no sh
r1(config-if)#exit
r1(config)#int
*Mar 1 00:09:45.027: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
r1(config)#int s0
*Mar 1 00:09:46.031: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r1(config)#int s0/1
r1(config-if)#ip add 172.16.2.1 255.255.255.0
r1(config-if)#no sh
r1(config-if)#
*Mar 1 00:10:04.615: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
r1(config-if)#
*Mar 1 00:10:05.619: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
r1(config-if)#exit
r1(config)#router ospf 1
r1(config-router)#net 172.16.1.0 0.0.0.255 area 0
r1(config-router)#net 172
*Mar 1 00:12:03.719: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Serial0/0 from LOADING to FULL, Loading Done
r1(config-router)#net 172.16.2.0 0.0.0.255 area 0
r1(config-router)#
*Mar 1 00:12:46.567: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial0/1 from LOADING to FULL, Loading Done
r1(config-router)#exit
r1(config)#access-list 101 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
r1(config)#int s0/0
r1(config-if)#ip access-group 101 in
r1(config-if)#do sh access-list 101
Extended IP access list 101
10 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
r1(config-if)#
*Mar 1 00:17:03.847: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Serial0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
r1(config-if)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF , IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
O 2.2.2.0 [110/65] via 172.16.2.2, 00:04:06, Serial0/1
172.16.0.0/24 is subnetted, 2 subnets
C 172.16.1.0 is directly connected, Serial0/0
C 172.16.2.0 is directly connected, Serial0/1
r1(config-if)#exit
r1(config)#no access-list 101
r1(config)#do sh
*Mar 1 00:20:43.723: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Serial0/0 from LOADING to FULL, Loading Done
r1(config)#access-list 101 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
r1(config)#access-list 101 permit ip any any
r1(config)#int s0/0
r1(config-if)#ip access 101 in
r1(config-if)#do sh access-list 101
Extended IP access list 101
10 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
20 permit ip any any (4 matches)
r1(config-if)#
r2(config)#int s0/0
r2(config-if)#ip add 172.16.2.2 255.255.255.0
r2(config-if)#no sh
r2(config-if)#exit
r2(config)#int loo
*Mar 1 00:10:37.303: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 00:10:38.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r2(config)#int loo 1
r2(config-if)#ip add 2..2
*Mar 1 00:10:40.707: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
r2(config-if)#ip add 2.2.2.2 255.255.255.0
r2(config-if)#do ping 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/21/40 ms
r2(config-if)#exit
r2(config)#router ospf 1
r2(config-router)#net 2.2.2.0 0.0.0.255 area 0
r2(config-router)#net 172.16.2.0 0.0.0.255 area 0
r2(config-router)#
*Mar 1 00:12:46.399: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.2.1 on Serial0/0 from LOADING to FULL, Loading Done
r2(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF , IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
O 1.1.1.1 [110/129] via 172.16.2.1, 00:00:18, Serial0/0
C 2.2.2.0 is directly connected, Loopback1
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/128] via 172.16.2.1, 00:00:18, Serial0/0
C 172.16.2.0 is directly connected, Serial0/0
r2(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF , IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
O 1.1.1.0 [110/129] via 172.16.2.1, 00:00:04, Serial0/0
C 2.2.2.0 is directly connected, Loopback1
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/128] via 172.16.2.1, 00:01:11, Serial0/0
C 172.16.2.0 is directly connected, Serial0/0
r2(config-router)#exit
r2(config)#int loo 1
r2(config-if)#ip ospf net point-to-point
r2(config-if)#do ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r2(config-if)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF , IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C 2.2.2.0 is directly connected, Loopback1
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/128] via 172.16.2.1, 00:03:01, Serial0/0
C 172.16.2.0 is directly connected, Serial0/0
r2(config-if)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF , IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
O 1.1.1.0 [110/129] via 172.16.2.1, 00:01:53, Serial0/0
C 2.2.2.0 is directly connected, Loopback1
172.16.0.0/24 is subnetted, 2 subnets
O 172.16.1.0 [110/128] via 172.16.2.1, 00:08:21, Serial0/0
C 172.16.2.0 is directly connected, Serial0/0
r2(config-if)#
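The failure seen in the R0 session (pings failing and OSPF routes vanishing once ACL 101 held only the deny entry) can be reproduced offline with a small first-match evaluator. This is an added example, not code from the original post; the function names and the sample packets are constructed for illustration, it models only `ip` entries, and it assumes R0's OSPF hellos on the serial link go to the AllSPFRouters multicast address 224.0.0.5.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_entry(line):
    """Parse '<action> ip <src> <dst>'; src/dst is 'any' or 'addr wildcard'."""
    action, proto, *rest = line.split()
    if proto != "ip":
        raise ValueError("this sketch only models 'ip' entries")
    specs = []
    while rest:
        if rest[0] == "any":
            specs.append(("0.0.0.0", "255.255.255.255"))
            rest = rest[1:]
        else:
            specs.append((rest[0], rest[1]))
            rest = rest[2:]
    return action, specs[0], specs[1]

def evaluate(acl_lines, src, dst):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for line in acl_lines:
        action, s, d = parse_entry(line)
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action, line
    return "deny", "(implicit deny)"

# ACL 101 as first entered on R1, and after the missing statement was added.
ACL_BROKEN = ["deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255"]
ACL_FIXED = ACL_BROKEN + ["permit ip any any"]

# Constructed sample packets arriving inbound on R1 s0/0.
PACKETS = [
    ("OSPF hello from R0", "172.16.1.1", "224.0.0.5"),
    ("ping to R1 s0/0", "172.16.1.1", "172.16.1.2"),
    ("ping 2.2.2.2", "172.16.1.1", "2.2.2.2"),
    ("ping 2.2.2.2 source 1.1.1.1", "1.1.1.1", "2.2.2.2"),
]

if __name__ == "__main__":
    for name, acl in (("deny only", ACL_BROKEN), ("deny + permit", ACL_FIXED)):
        for label, src, dst in PACKETS:
            action, rule = evaluate(acl, src, dst)
            print(f"{name:14} {label:28} {action:6} <- {rule}")
```

With the deny-only list every packet is dropped, the OSPF hello included; with the second entry added, only traffic from 1.1.1.0/24 to 2.2.2.0/24 is dropped, which matches the final pings in the R0 session.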