I have been at home lately reviewing the NA and NE material, and today I happened to start using a blog (I am really behind the times), so I will write up a few lab reports along the way, which also serves as a summary of what I have been reviewing. If anything is lacking, I hope my "comrades" will point it out promptly, so that on the road to our dreams we keep going forward, forward, and forward again... Okay, enough chatter, let's begin.

Lab environment:

[Topology diagram: CCNA lab: access control lists and Telnet access control. Router1 -- serial 1/0 (192.168.0.0/24) -- Router2 -- serial 1/1 (192.168.1.0/24) -- Router3]

R1 basic configuration:

Router>enable
Router#conf t
Router(config)#hostname Router1

Router1(config)#interface serial 1/0
Router1(config-if)#ip address 192.168.0.1 255.255.255.0
Router1(config-if)#no shutdown

Router1(config)#router eigrp 100
Router1(config-router)#network 192.168.0.0
Router1(config-router)#end

R2 basic configuration:

Router>enable
Router#conf t
Router(config)#hostname Router2

Router2(config)#interface serial 1/0
Router2(config-if)#ip address 192.168.0.2 255.255.255.0    // not shown in the original transcript; Router1's routing table below shows the 192.168.1.0 route learned via 192.168.0.2
Router2(config-if)#no shutdown
Router2(config-if)#clock rate 64000       // the DCE end must be given a clock rate, otherwise the serial link cannot stay up

Router2(config)#interface serial 1/1
Router2(config-if)#ip address 192.168.1.x 255.255.255.0    // address not recorded in the original transcript; it must be a host address in 192.168.1.0/24, or the EIGRP network statement below will not activate this interface
Router2(config-if)#no shutdown
Router2(config-if)#clock rate 64000

Router2(config)#router eigrp 100
Router2(config-router)#network 192.168.0.0
Router2(config-router)#network 192.168.1.0
Router2(config-router)#end

R3 basic configuration:

Router>enable
Router#conf t
Router(config)#hostname Router3

Router3(config)#interface serial 1/1
Router3(config-if)#ip address 192.168.1.2 255.255.255.0
Router3(config-if)#no shutdown

Router3(config)#router eigrp 100
Router3(config-router)#network 192.168.1.0
Router3(config-router)#end

With the basic configuration done, we check connectivity on Router1:

Router1#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
C    192.168.0.0/24 is directly connected, Serial1/0
D    192.168.1.0/24 [90/21024000] via 192.168.0.2, 00:56:19, Serial1/0    // the route to the 192.168.1.0 network is present

Router1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 62/62/63 ms

Connectivity is normal.

 

Next, configure and apply a standard access control list on Router2:

Router2(config)#access-list 1 deny 192.168.0.0 0.0.0.255    // numbers 1-99 are standard ACLs; the wildcard mask is required here, because without it IOS assumes 0.0.0.0 and matches only the single host 192.168.0.0
Router2(config)#access-list 1 permit any                    // every ACL ends in an implicit deny of all traffic, so the other traffic must be permitted explicitly
Router2(config)#interface serial 1/0
Router2(config-if)#ip access-group 1 in                     // applied in the inbound direction on the interface; note that a source-only deny of 192.168.0.0/24 also matches Router1's EIGRP hellos arriving here

 

Now go back to Router1 and test connectivity:

Router1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Clearly the two can no longer communicate, but this is not a routing problem: Router2's S1/0 interface is dropping traffic whose source is the 192.168.0.0/24 network.

Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback0
C    192.168.0.0/24 is directly connected, Serial1/0
D    192.168.1.0/24 [90/21024000] via 192.168.0.2, 00:14:39, Serial1/0    // the route is still there

Next we implement an extended access control list. First, enable the Telnet service on Router3:

Router3(config)#enable password 123          // fine for a lab; in practice use enable secret, which stores a hash instead of the plaintext password
Router3(config)#line vty 0 15
Router3(config-line)#password admin
Router3(config-line)#login

Verify Telnet from Router1:

Router1#192.168.1.2                          // typing an address alone at the privileged prompt is the IOS shortcut for telnet 192.168.1.2
Trying 192.168.1.2 ...


User Access Verification

Password:

Router3>en
Password:
Router3#

Login works. Now configure the extended access list on Router2:

Router2(config)#access-list 101 deny tcp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 23    // numbers 100-199 are extended ACLs; the destination is written as the network address with its wildcard (the original transcript typed 192.168.1.2, which IOS normalizes to 192.168.1.0)
Router2(config)#access-list 101 permit ip any any
Router2(config)#interface serial 1/1
Router2(config-if)#ip access-group 101 out

Verify telnet from Router1 again:

Router1#192.168.1.2
Trying 192.168.1.2 ...


% Connection timed out; remote host not responding

The reason is that on Router2's serial1/1 we configured a rule denying connections from source 192.168.0.0 to port 23 of hosts in the 192.168.1.0 network; this does not affect connectivity between Router1 and Router3, though:

Router1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 47/59/63 ms

 

 

Next we do one more extended experiment: allow Telnet, but do not allow ping.

Router2(config)#interface serial 1/1
Router2(config-if)#no ip access-group 101 out        // first remove the previous configuration
Router2(config)#access-list 110 deny icmp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 echo    // only ICMP echo requests are matched; the echo replies travel in the other direction and are not filtered by this inbound list
Router2(config)#access-list 110 permit ip any any
Router2(config)#int serial 1/0
Router2(config-if)#ip access-group 110 in

Verify on Router1:

Router1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Router1#telnet 192.168.1.2
Trying 192.168.1.2 ...


User Access Verification

Password:
Router3>en
Password:
Router3#

The result shows that Telnet works but ping does not.
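As an added example (not part of the original lab write-up), the following Python model reproduces how IOS evaluates the three lists in this lab, ACL 1, 101 and 110, against the packets Router2 sees from Router1: Cisco wildcard matching, first-match evaluation and the implicit deny at the end. The packets and the entry tables are constructed here; it also shows why a standard entry typed without a wildcard mask matches only one host, and that a source-only deny of 192.168.0.0/24 also catches Router1's EIGRP hellos.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr)) & care
    b = int(ipaddress.IPv4Address(base)) & care
    return a == b

def ace(action, proto, src, src_wc, dst="0.0.0.0", dst_wc="255.255.255.255",
        dport=None, icmp=None):
    """One access-control entry. A standard ACL checks only the source, so dst defaults to any."""
    return dict(action=action, proto=proto, src=src, src_wc=src_wc,
                dst=dst, dst_wc=dst_wc, dport=dport, icmp=icmp)

def matches(e, p):
    return (e["proto"] in ("ip", p["proto"])
            and wildcard_match(p["src"], e["src"], e["src_wc"])
            and wildcard_match(p["dst"], e["dst"], e["dst_wc"])
            and (e["dport"] is None or e["dport"] == p.get("dport"))
            and (e["icmp"] is None or e["icmp"] == p.get("icmp")))

def evaluate(acl, pkt):
    """First matching entry wins; no match falls through to the implicit deny, as on IOS."""
    for e in acl:
        if matches(e, pkt):
            return e["action"]
    return "deny"

PERMIT_ANY = ace("permit", "ip", "0.0.0.0", "255.255.255.255")
# ACL 1 as typed in the lab: a missing wildcard means 0.0.0.0, i.e. only the host 192.168.0.0
ACL_1_AS_TYPED = [ace("deny", "ip", "192.168.0.0", "0.0.0.0"), PERMIT_ANY]
# ACL 1 as the text describes it: the whole 192.168.0.0/24 network
ACL_1_INTENDED = [ace("deny", "ip", "192.168.0.0", "0.0.0.255"), PERMIT_ANY]
ACL_101 = [ace("deny", "tcp", "192.168.0.0", "0.0.0.255", "192.168.1.0", "0.0.0.255", dport=23), PERMIT_ANY]
ACL_110 = [ace("deny", "icmp", "192.168.0.0", "0.0.0.255", "192.168.1.0", "0.0.0.255", icmp="echo"), PERMIT_ANY]

# Constructed packets, as they arrive at Router2 from Router1
PING = dict(proto="icmp", src="192.168.0.1", dst="192.168.1.2", icmp="echo")
TELNET = dict(proto="tcp", src="192.168.0.1", dst="192.168.1.2", dport=23)
EIGRP_HELLO = dict(proto="eigrp", src="192.168.0.1", dst="224.0.0.10")

if __name__ == "__main__":
    for name, acl in [("1 as typed", ACL_1_AS_TYPED), ("1 intended", ACL_1_INTENDED),
                      ("101", ACL_101), ("110", ACL_110)]:
        print(f"ACL {name}: ping={evaluate(acl, PING)} telnet={evaluate(acl, TELNET)} "
              f"eigrp={evaluate(acl, EIGRP_HELLO)}")
```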

 

Well, that's it for now; the lab is over. Access control lists are actually very flexible, and you have to practice a lot before they become second nature, haha.