How exactly do you configure a Cisco extended ACL?


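1. Understand where extended ACLs are applied

2. Master the configuration of extended ACLs

1. Complete the basic device configuration according to the lab topology diagram;

2. Configure EIGRP so that routes are reachable across the whole network;

3. Deploy an ACL on R3 that allows only users on the 192.168.1.0/24 segment to ping PC3;

4. Deploy an ACL on R3 that allows only users on the 192.168.2.0/24 segment to Telnet to PC3.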

Step 1: Basic device configuration

Configure PC1:

Router>enable
Router#configure terminal
Router(config)#hostname PC1
PC1(config)#no ip routing
PC1(config)#ip default-gateway 192.168.1.254
PC1(config)#interface ethernet0/0
PC1(config-if)#ip address 192.168.1.1 255.255.255.0
PC1(config-if)#no shutdown
PC1(config-if)#end
PC1#

Configure PC2:

Router>enable
Router#configure terminal
Router(config)#hostname PC2
PC2(config)#no ip routing
PC2(config)#ip default-gateway 192.168.2.254
PC2(config)#interface ethernet0/0
PC2(config-if)#ip address 192.168.2.1 255.255.255.0
PC2(config-if)#no shutdown
PC2(config-if)#end
PC2#

Configure PC3:

Router>enable
Router#configure terminal
Router(config)#hostname PC3
PC3(config)#no ip routing
PC3(config)#line vty 0 4
PC3(config-line)#password xmws
PC3(config-line)#login
PC3(config-line)#transport input telnet
PC3(config-line)#exit
PC3(config)#ip default-gateway 192.168.3.254
PC3(config)#interface ethernet0/0
PC3(config-if)#ip address 192.168.3.1 255.255.255.0
PC3(config-if)#no shutdown
PC3(config-if)#end
PC3#

Configure R1:

Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#no ip domain-lookup
R1(config)#line console 0
R1(config-line)#exec-timeout 0 0
R1(config-line)#logging synchronous
R1(config-line)#exit
R1(config)#interface ethernet0/0
R1(config-if)#ip address 192.168.1.254 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial1/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#end
R1#

Configure R2:

Router>enable
Router#configure terminal
Router(config)#hostname R2
R2(config)#no ip domain-lookup
R2(config)#line console 0
R2(config-line)#exec-timeout 0 0
R2(config-line)#logging synchronous
R2(config-line)#exit
R2(config)#interface serial1/0
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial1/1
R2(config-if)#ip address 192.168.23.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface ethernet0/0
R2(config-if)#ip address 192.168.2.254 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#end
R2#

Configure R3:

Router>enable
Router#configure terminal
Router(config)#hostname R3
R3(config)#no ip domain-lookup
R3(config)#line console 0
R3(config-line)#exec-timeout 0 0
R3(config-line)#logging synchronous
R3(config-line)#exit
R3(config)#interface ethernet0/0
R3(config-if)#ip address 192.168.3.254 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface serial1/0
R3(config-if)#ip address 192.168.23.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#end
R3#

Step 2: Configure static routes

Configure R1:

R1(config)#ip route 192.168.2.0 255.255.255.0 192.168.12.2
R1(config)#ip route 192.168.3.0 255.255.255.0 192.168.12.2
R1(config)#ip route 192.168.23.0 255.255.255.0 192.168.12.2

Configure R2:

R2(config)#ip route 192.168.1.0 255.255.255.0 serial1/0
R2(config)#ip route 192.168.3.0 255.255.255.0 serial1/1

Configure R3:

R3(config)#ip route 192.168.1.0 255.255.255.0 192.168.23.2
R3(config)#ip route 192.168.2.0 255.255.255.0 192.168.23.2
R3(config)#ip route 192.168.12.0 255.255.255.0 192.168.23.2

At this point, every network segment can reach PC3.

Test ping from PC1 to PC3:

PC1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 19/20/22 ms

Test Telnet from PC1 to PC3:

PC1#telnet 192.168.3.1
Trying 192.168.3.1 ... Open
User Access Verification
Password:
PC3>

Test ping from PC2 to PC3:

PC2#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/11 ms

Test Telnet from PC2 to PC3:

PC2#telnet 192.168.3.1
Trying 192.168.3.1 ... Open
User Access Verification
Password:
PC3>

Step 3: Configure the extended ACL

Configure R3:

R3(config)#access-list 101 permit icmp 192.168.1.0 0.0.0.255 host 192.168.3.1
R3(config)#access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 192.168.3.1 eq 23
R3(config)#interface serial 1/0
R3(config-if)#ip access-group 101 in
R3(config-if)#end
R3#
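
At this point only PC1 can ping PC3 and only PC2 can Telnet to PC3; all other traffic arriving on serial 1/0 is dropped by the implicit deny at the end of ACL 101.

Test ping from PC1 to PC3:
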
PC1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 19/20/22 ms


Test Telnet from PC1 to PC3:

PC1#telnet 192.168.3.1
Trying 192.168.3.1 ...
% Destination unreachable; gateway or host down
PC1#

Test ping from PC2 to PC3:

PC2#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Test Telnet from PC2 to PC3:

PC2#telnet 192.168.3.1
Trying 192.168.3.1 ... Open
User Access Verification
Password:
PC3>
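
The four test results above follow from wildcard-mask matching, first-match ordering and the implicit deny. The Python sketch below is an added example, not part of the original lab; its function names are assumptions, and it parses only the ACL syntax used on this page. Its last line goes beyond the lab's static routing: requirement 2 calls for EIGRP, and an inbound ACL also filters packets addressed to the router itself, so a hello from R2 (192.168.23.2 to 224.0.0.10) would hit the implicit deny unless ACL 101 gained an explicit `permit eigrp` entry.

```python
import ipaddress

# ACL 101 exactly as entered on R3 in step 3.
ACL_101 = """\
access-list 101 permit icmp 192.168.1.0 0.0.0.255 host 192.168.3.1
access-list 101 permit tcp 192.168.2.0 0.0.0.255 host 192.168.3.1 eq 23
"""

def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def _addr(tokens):
    """Consume one address spec and return (base, wildcard) as integers."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(head), _to_int(tokens.pop(0))

def parse_acl(text):
    """Parse the subset of extended-ACL syntax used on this page."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()[2:]                  # drop "access-list 101"
        action, proto = t.pop(0), t.pop(0)
        src, dst = _addr(t), _addr(t)
        port = int(t[1]) if t[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _hit(spec, ip):
    base, wildcard = spec
    # Wildcard bits set to 1 are ignored; every other bit must be equal.
    return (_to_int(ip) ^ base) & ~wildcard & 0xFFFFFFFF == 0

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; no match means the implicit deny."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto in ("ip", proto) and _hit(r_src, src)
                and _hit(r_dst, dst) and r_port in (None, dport)):
            return action
    return "deny"

RULES = parse_acl(ACL_101)
print(evaluate(RULES, "icmp", "192.168.1.1", "192.168.3.1"))     # PC1 ping
print(evaluate(RULES, "tcp", "192.168.1.1", "192.168.3.1", 23))  # PC1 telnet
print(evaluate(RULES, "icmp", "192.168.2.1", "192.168.3.1"))     # PC2 ping
print(evaluate(RULES, "tcp", "192.168.2.1", "192.168.3.1", 23))  # PC2 telnet
print(evaluate(RULES, "eigrp", "192.168.23.2", "224.0.0.10"))    # R2 hello
```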
