Recently I've been reviewing the NA and NE material at home, and today I happened to start using the blog (really behind the times), so I'll write up a batch of lab reports along the way, as a summary of my recent review. If anything is lacking, I hope my "comrades" will point it out promptly, so that on the road to our dreams we can advance, advance, and advance again... Okay, enough chatter, let's begin.
Lab environment: three routers in a line. Router1 S1/0 (192.168.0.1/24) connects to Router2 S1/0, and Router2 S1/1 connects to Router3 S1/1 (192.168.1.2/24). Router2 is the DCE side (it sets the clock rate) on both serial links, and all three routers run EIGRP in AS 100.
R1 basic configuration:
Router>enable
Router#conf t
Router(config)#hostname Router1
Router1(config)#interface serial 1/0
Router1(config-if)#ip address 192.168.0.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config)#router eigrp 100
Router1(config-router)#network 192.168.0.0
Router1(config-router)#end
R2 basic configuration (the original omits Router2's interface addresses; 192.168.0.2/24 on S1/0 and 192.168.1.1/24 on S1/1 are assumed here so that the lab can be reproduced):
Router>enable
Router#conf t
Router(config)#hostname Router2
Router2(config)#interface serial 1/0
Router2(config-if)#ip address 192.168.0.2 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#clock rate 64000
Router2(config)#interface serial 1/1
Router2(config-if)#ip address 192.168.1.1 255.255.255.0
Router2(config-if)#no shutdown
Router2(config-if)#clock rate 64000
Router2(config)#router eigrp 100
Router2(config-router)#network 192.168.0.0
Router2(config-router)#network 192.168.1.0
Router2(config-router)#end
R3 basic configuration:
Router>enable
Router#conf t
Router(config)#hostname Router3
Router3(config)#interface serial 1/1
Router3(config-if)#ip address 192.168.1.2 255.255.255.0
Router3(config-if)#no shutdown
Router3(config)#router eigrp 100
Router3(config-router)#network 192.168.1.0
Router3(config-router)#end
With the basic configuration done, check reachability from Router1 (the routing-table entries below are truncated in the original; only the route codes survived):
Router1#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set
C
C
D
Router1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 62/62/63 ms
Connectivity is normal.
Next, configure and apply a standard access list on Router2. The access-list lines are truncated in the original; they are reconstructed here from the description that follows (deny anything sourced from 192.168.0.0/24, permit everything else, applied inbound on S1/0):
Router2(config)#access-list 1 deny 192.168.0.0 0.0.0.255
Router2(config)#access-list 1 permit any
Router2(config)#interface serial 1/0
Router2(config-if)#ip access-group 1 in
Now back to Router1 to test connectivity:
Router1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Clearly they can no longer communicate, but this is not a routing problem: Router2's S1/0 is now dropping everything whose source address is in 192.168.0.0/24. Note that the same inbound list also matches Router1's EIGRP hellos (source 192.168.0.1), so Router2 will drop the adjacency on that link once its hold timer expires; a standard list cannot match on protocol, so if the routing protocol must survive the filter, use an extended list with `permit eigrp any any` ahead of the deny. Router1's routing table at this point (entries truncated in the original):
Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set
C
C
D
Next, the extended access list. First enable Telnet on Router3 (lab only: `enable password` stores the password in clear text and Telnet carries it unencrypted; on real equipment use `enable secret` and SSH):
Router3(config)#enable password 123
Router3(config)#line vty 0 15
Router3(config-line)#password admin
Router3(config-line)#login
Verify Telnet from Router1 (typing a bare address at the exec prompt makes IOS open a Telnet session):
Router1#192.168.1.2
Trying 192.168.1.2 ...
User Access Verification
Password:
Router3>en
Password:
Router3#
Login works. Now configure an extended access list on Router2. (The original typed `permit ip any` without a destination, which IOS rejects as an incomplete command; it is corrected to `permit ip any any` here, and the `interface serial 1/1` line that the text implies is added.)
Router2(config)#access-list 101 deny tcp 192.168.0.0 0.0.0.255 192.168.1.2 0.0.0.255 eq 23
Router2(config)#access-list 101 permit ip any any
Router2(config)#interface serial 1/1
Router2(config-if)#ip access-group 101 out
Verify Telnet from Router1 again:
Router1#192.168.1.2
Trying 192.168.1.2 ...
% Connection timed out; remote host not responding
The reason is that the list applied outbound on Router2's serial 1/1 denies TCP from 192.168.0.0/24 to port 23 on any host in 192.168.1.0/24 (IOS stores `192.168.1.2 0.0.0.255` as `192.168.1.0 0.0.0.255`, because the wildcard ignores the last octet). Everything else is still permitted, so plain connectivity between Router1 and Router3 is unaffected:
Router1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 47/59/63 ms
Now one more extension of the lab: allow Telnet but block ping. Remove list 101 from S1/1 and apply a new list inbound on S1/0 that drops only ICMP echo requests from 192.168.0.0/24 to 192.168.1.0/24:
Router2(config-if)#no ip access-group 101 out
Router2(config)#access-list 110 deny icmp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 echo
Router2(config)#access-list 110 permit ip any any
Router2(config)#int serial 1/0
Router2(config-if)#ip access-group 110 in
Verify on Router1:
Router1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router1#telnet 192.168.1.2
Trying 192.168.1.2 ...
User Access Verification
Password:
Router3>en
Password:
Router3#
The result shows that Telnet works but ping does not.
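To make the matching rules behind all three lists concrete (standard list 1 inbound on S1/0, extended list 101 outbound on S1/1, and list 110 inbound on S1/0), here is an added Python model of how IOS evaluates a numbered ACL. It is example code written for this write-up, not configuration or output from the lab routers. It assumes the lab's addresses; the entries for list 1 are reconstructed from the description in the text, and the EIGRP hello probe is an assumption added here. The model parses the `access-list` lines as typed (including the post's `192.168.1.2 0.0.0.255`, which the wildcard turns into the whole /24), applies wildcard masks, tests entries top-down, and falls back to the implicit deny at the end of every list.

```python
"""Toy model of Cisco IOS numbered ACL evaluation (added example, not code from the original post).

Covers: wildcard masks, top-down first match, the implicit `deny any` at the end of every list,
standard lists (source only) and extended lists (protocol, source, destination, `eq <port>`
or an ICMP type). The ACL lines are the lab's; list 1 is reconstructed from the post's prose,
and the EIGRP hello probe is an assumption.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: a 1 bit means 'don't care' (0.0.0.0 = host, 255.255.255.255 = any)."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp", "icmp", "eigrp", ...
    src: str
    dst: str
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[str] = None   # "echo", "echo-reply", ...


@dataclass(frozen=True)
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # standard lists: destination is effectively "any"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and wildcard_match(p.src, self.src, self.src_wc)
                and wildcard_match(p.dst, self.dst, self.dst_wc)
                and (self.dport is None or p.dport == self.dport)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type))


def _addr(tokens: list) -> tuple:
    """Consume one address spec: `any`, `host A`, `A WILDCARD`, or a bare `A` (host form)."""
    if not tokens:
        raise ValueError("% Incomplete command.")   # what IOS prints for a missing operand
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host" and len(tokens) > 1:
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) == 1:
        return tokens[0], "0.0.0.0", []
    return tokens[0], tokens[1], tokens[2:]


def parse_acl_line(line: str) -> tuple:
    """Parse one `access-list N permit|deny ...` line into (N, Entry). Ports must be numeric."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("% Invalid input: " + line)
    number, action, rest = int(t[1]), t[2], t[3:]
    if 1 <= number <= 99:                     # standard list (1-99): source only
        src, src_wc, rest = _addr(rest)
        return number, Entry(action, "ip", src, src_wc)
    proto, rest = rest[0], rest[1:]           # extended list (100-199)
    src, src_wc, rest = _addr(rest)
    dst, dst_wc, rest = _addr(rest)           # raises on `permit ip any` (no destination)
    dport = icmp_type = None
    if proto in ("tcp", "udp") and rest[:1] == ["eq"]:
        dport = int(rest[1])
    elif proto == "icmp" and rest:
        icmp_type = rest[0]
    return number, Entry(action, proto, src, src_wc, dst, dst_wc, dport, icmp_type)


class AccessList:
    """A numbered ACL: entries are tested top-down; no match means the implicit deny."""

    def __init__(self, number: int):
        self.number, self.entries = number, []

    def add(self, line: str) -> "AccessList":
        number, entry = parse_acl_line(line)
        if number != self.number:
            raise ValueError("line belongs to access-list %d" % number)
        self.entries.append(entry)
        return self

    def evaluate(self, p: Packet) -> str:
        for e in self.entries:
            if e.matches(p):
                return e.action
        return "deny"                         # implicit `deny any` at the end of every ACL


# Constructed probes from Router1 (192.168.0.1) towards Router3 (192.168.1.2), as in the lab.
TELNET = Packet("tcp", "192.168.0.1", "192.168.1.2", dport=23)
PING = Packet("icmp", "192.168.0.1", "192.168.1.2", icmp_type="echo")
EIGRP_HELLO = Packet("eigrp", "192.168.0.1", "224.0.0.10")   # assumption: Router1's routing hello


def lab_acls() -> dict:
    """The three lists from the post (list 1 reconstructed from its prose description)."""
    acl1 = (AccessList(1)
            .add("access-list 1 deny 192.168.0.0 0.0.0.255")
            .add("access-list 1 permit any"))
    acl101 = (AccessList(101)
              .add("access-list 101 deny tcp 192.168.0.0 0.0.0.255 192.168.1.2 0.0.0.255 eq 23")
              .add("access-list 101 permit ip any any"))
    acl110 = (AccessList(110)
              .add("access-list 110 deny icmp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 echo")
              .add("access-list 110 permit ip any any"))
    return {1: acl1, 101: acl101, 110: acl110}


def lab_results() -> dict:
    """Verdict of each list for each probe, keyed by (list number, probe name)."""
    probes = {"telnet": TELNET, "ping": PING, "eigrp": EIGRP_HELLO}
    return {(n, name): acl.evaluate(p)
            for n, acl in lab_acls().items() for name, p in probes.items()}


if __name__ == "__main__":
    for (n, name), verdict in sorted(lab_results().items()):
        print("access-list %3d  %-6s -> %s" % (n, name, verdict))
    try:
        parse_acl_line("access-list 101 permit ip any")   # the line as originally typed
    except ValueError as err:
        print("permit ip any:", err)
```

Running it prints one verdict per list and probe: list 1 denies all three probes, the EIGRP hello included; list 101 denies only the Telnet SYN and permits ping; list 110 denies only the echo request and permits Telnet, which is exactly the sequence of ping and Telnet results above. Parsing `access-list 101 permit ip any` raises `% Incomplete command.`, mirroring what IOS says for that line as originally typed.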
Well, that's it, end of the lab. Access control lists are actually very flexible; you really have to practice a lot before it becomes second nature, heh.