ACL基础综合实验

原创

qieziboy 2021-01-29 16:26:16 ©著作权

文章标签 ACL 文章分类 网络安全

©著作权归作者所有：来自51CTO博客作者qieziboy的原创作品，请联系作者获取转载授权，否则将追究法律责任

一、实验拓扑 二、实验要求 1、全网可达 2、公司内网所有pc都可以访问外网， 3、pc0不能ping通R3，但是R3能够ping通pc0 4、pc1可以ping通R2，但是不能够远程登录到R2 5、PC8远程登录R0实际上登录到R3 6、pc1可以ping通pc5但是不能够ping通pc4 7、pc7不能够访问服务器

三、地址规划 1、网段设置如拓扑图中所示 2、内网中的PC自动获取IP地址，IP地址所处网段如拓扑图所示

四、测试 本实验可以实现以上所有要求，以下测试第3、4、5项要求测试3：pc0不能ping通R3，但是R3能够ping通pc0 相应的配置：使用扩展列表，配置的是第10条项目，并在R0的f1/0.1接口的in方向调用测试4：pc1可以ping通R2，但是不能够远程登录到R2 相应的配置：使用扩展列表，配置的是第15条项目，并在R0的f1/0.1接口的in方向调用测试5：PC8远程登录R0实际上登录到R3,此处使用的是一对一静态转换

五、实验配置 pc9所在的交换机sw2上没有做配置，以下给出其他设备的配置 —————————————————————————————————————————————————————————————————————— **R0#sh running-config ** Building configuration...

Current configuration : 1625 bytes ! version 12.4 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname R0 ! ! ! ! ! ip dhcp pool v2 network 172.16.1.0 255.255.255.0 default-router 172.16.1.1 dns-server 45.1.1.100 ip dhcp pool v3 network 172.16.2.0 255.255.255.0 default-router 172.16.2.1 dns-server 45.1.1.100 ! no ip cef no ipv6 cef ! ! ! username zhejiang privilege 15 password 0 123456 ! ! ! ! ! ! ! ! no ip domain-lookup ! ! spanning-tree mode pvst ! ! ! ! ! ! interface FastEthernet0/0 ip address 11.1.1.2 255.255.255.0 ip nat outside duplex auto speed auto ! interface FastEthernet0/1 ip address 12.1.1.1 255.255.255.0 ip nat inside duplex auto speed auto ! interface FastEthernet1/0 no ip address duplex auto speed auto ! interface FastEthernet1/0.1 encapsulation dot1Q 2 ip address 172.16.1.1 255.255.255.0 ip access-group 100 in ! interface FastEthernet1/0.2 encapsulation dot1Q 3 ip address 172.16.2.1 255.255.255.0 ! interface FastEthernet1/1 no ip address duplex auto speed auto shutdown ! interface Vlan1 no ip address shutdown ! router eigrp 90 network 11.0.0.0 network 12.0.0.0 network 172.16.0.0 no auto-summary ! ip nat inside source static 34.1.1.4 11.1.1.2 ip classless ! ip flow-export version 9 ! ! access-list 100 deny icmp host 172.16.1.2 host 34.1.1.4 echo access-list 100 permit ip any any access-list 100 deny tcp host 172.16.1.3 host 23.1.1.3 eq telnet access-list 100 deny icmp host 172.16.1.3 host 192.168.1.2 echo ! ! ! ! ! line con 0 exec-timeout 0 0 logging synchronous ! line aux 0 ! line vty 0 4 login local ! ! ! end —————————————————————————————————————————————————————————————————————— **R1#sho running-config ** Building configuration...

Current configuration : 886 bytes ! version 12.4 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname R1 ! ! ! ! ! ! no ip cef no ipv6 cef ! ! ! ! ! ! ! ! ! ! no ip domain-lookup ! ! spanning-tree mode pvst ! ! ! ! ! ! interface FastEthernet0/0 ip address 12.1.1.2 255.255.255.0 duplex auto speed auto ! interface FastEthernet0/1 ip address 23.1.1.2 255.255.255.0 duplex auto speed auto ! interface FastEthernet1/0 ip address 192.168.5.1 255.255.255.0 duplex auto speed auto ! interface FastEthernet1/1 no ip address duplex auto speed auto shutdown ! interface Vlan1 no ip address shutdown ! router eigrp 90 network 12.0.0.0 network 23.0.0.0 network 192.168.5.0 no auto-summary ! ip classless ! ip flow-export version 9 ! ! ! ! ! ! ! line con 0 exec-timeout 0 0 logging synchronous ! line aux 0 ! line vty 0 4 login ! ! ! end —————————————————————————————————————————————————————————————————————— **R2#sho running-config ** Building configuration...

Current configuration : 1442 bytes ! version 12.4 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname R2 ! ! ! ! ! ip dhcp pool v4 network 192.168.1.0 255.255.255.0 default-router 192.168.1.1 dns-server 45.1.1.100 ip dhcp pool v5 network 192.168.2.0 255.255.255.0 default-router 192.168.2.1 dns-server 45.1.1.100 ! no ip cef no ipv6 cef ! ! ! username zhejiang privilege 15 password 0 123456 ! ! ! ! ! ! ! ! no ip domain-lookup ! ! spanning-tree mode pvst ! ! ! ! ! ! interface FastEthernet0/0 ip address 23.1.1.3 255.255.255.0 duplex auto speed auto ! interface FastEthernet0/1 ip address 34.1.1.3 255.255.255.0 duplex auto speed auto ! interface FastEthernet1/0 no ip address duplex auto speed auto ! interface FastEthernet1/0.1 encapsulation dot1Q 4 ip address 192.168.1.1 255.255.255.0 ! interface FastEthernet1/0.2 encapsulation dot1Q 5 ip address 192.168.2.1 255.255.255.0 ip access-group 101 in ! interface FastEthernet1/1 no ip address duplex auto speed auto shutdown ! interface Vlan1 no ip address shutdown ! router eigrp 90 network 23.0.0.0 network 34.0.0.0 network 192.168.1.0 network 192.168.2.0 no auto-summary ! ip classless ! ip flow-export version 9 ! ! access-list 101 permit ip any any access-list 101 deny ip host 192.168.2.3 host 45.1.1.100 ! ! ! ! ! line con 0 exec-timeout 0 0 logging synchronous ! line aux 0 ! line vty 0 4 login local ! ! ! end —————————————————————————————————————————————————————————————————————— **R3#sho running-config ** Building configuration...

Current configuration : 909 bytes ! version 12.4 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname R3 ! ! ! ! ! ! no ip cef no ipv6 cef ! ! ! username zhejiang privilege 15 password 0 123456 ! ! ! ! ! ! ! ! no ip domain-lookup ! ! spanning-tree mode pvst ! ! ! ! ! ! interface FastEthernet0/0 ip address 34.1.1.4 255.255.255.0 duplex auto speed auto ! interface FastEthernet0/1 ip address 45.1.1.4 255.255.255.0 duplex auto speed auto ! interface FastEthernet1/0 no ip address duplex auto speed auto shutdown ! interface FastEthernet1/1 no ip address duplex auto speed auto shutdown ! interface Vlan1 no ip address shutdown ! router eigrp 90 network 34.0.0.0 network 45.0.0.0 no auto-summary ! ip classless ! ip flow-export version 9 ! ! ! ! ! ! ! line con 0 exec-timeout 0 0 logging synchronous ! line aux 0 ! line vty 0 4 login local ! ! ! end —————————————————————————————————————————————————————————————————————— **sw0#sho running-config ** Building configuration...

Current configuration : 1322 bytes ! version 12.2 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname sw0 ! ! ! no ip domain-lookup ! ! spanning-tree mode pvst ! interface FastEthernet0/1 switchport mode trunk ! interface FastEthernet0/2 switchport access vlan 2 switchport mode access ! interface FastEthernet0/3 switchport access vlan 2 switchport mode access ! interface FastEthernet0/4 switchport access vlan 3 switchport mode access ! interface FastEthernet0/5 switchport access vlan 3 switchport mode access ! interface FastEthernet0/6 ! interface FastEthernet0/7 ! interface FastEthernet0/8 ! interface FastEthernet0/9 ! interface FastEthernet0/10 ! interface FastEthernet0/11 ! interface FastEthernet0/12 ! interface FastEthernet0/13 ! interface FastEthernet0/14 ! interface FastEthernet0/15 ! interface FastEthernet0/16 ! interface FastEthernet0/17 ! interface FastEthernet0/18 ! interface FastEthernet0/19 ! interface FastEthernet0/20 ! interface FastEthernet0/21 ! interface FastEthernet0/22 ! interface FastEthernet0/23 ! interface FastEthernet0/24 ! interface GigabitEthernet0/1 ! interface GigabitEthernet0/2 ! interface Vlan1 no ip address shutdown ! ! ! ! line con 0 logging synchronous exec-timeout 0 0 ! line vty 0 4 login line vty 5 15 login ! ! end —————————————————————————————————————————————————————————————————————— **sw1#sho running-config ** Building configuration...

Current configuration : 1322 bytes ! version 12.2 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname sw1 ! ! ! no ip domain-lookup ! ! spanning-tree mode pvst ! interface FastEthernet0/1 switchport mode trunk ! interface FastEthernet0/2 switchport access vlan 4 switchport mode access ! interface FastEthernet0/3 switchport access vlan 4 switchport mode access ! interface FastEthernet0/4 switchport access vlan 5 switchport mode access ! interface FastEthernet0/5 switchport access vlan 5 switchport mode access ! interface FastEthernet0/6 ! interface FastEthernet0/7 ! interface FastEthernet0/8 ! interface FastEthernet0/9 ! interface FastEthernet0/10 ! interface FastEthernet0/11 ! interface FastEthernet0/12 ! interface FastEthernet0/13 ! interface FastEthernet0/14 ! interface FastEthernet0/15 ! interface FastEthernet0/16 ! interface FastEthernet0/17 ! interface FastEthernet0/18 ! interface FastEthernet0/19 ! interface FastEthernet0/20 ! interface FastEthernet0/21 ! interface FastEthernet0/22 ! interface FastEthernet0/23 ! interface FastEthernet0/24 ! interface GigabitEthernet0/1 ! interface GigabitEthernet0/2 ! interface Vlan1 no ip address shutdown ! ! ! ! line con 0 logging synchronous exec-timeout 0 0 ! line vty 0 4 login line vty 5 15 login ! ! end —————————————————————————————————————————————————————————————————————— 六、注意事项 在调用ACL时，需要注意调用的接口和方向，如：本实验中调用的接口是子接口，而不是物理接口。