实验目的:
通过实验可以掌握:
a. 标准ACL
b. 扩展ACLL
c. 基于时间ACL调试

实验拓扑:
四台路由器,连接及IP配置如图所示,使用了循回口模拟内部网络。

 

ACL综合实验_第1张图片

 

 要求说明:
1.不允许R1访问R4及其内部网络
2.不允许10.1.1.0网段在工作时间(周一至同五,8:00-18:00)内ping或者telnet R4及其内部网络
3.不允许R2 ping R4
4.不允许10.2.2.0网段访问R4及其内部网络
5.使用OSPF动态路由协议

本实验在模拟器下进行。
具体配置如下:

1.基本配置及密码设置

R1,R2,R3,R4启动后,首先进行如下配置
Router#
Router#conf terminal
Router(config)#no ip domain look
Router(config)#lin cons 0
Router(config-line)# logging synchronous
Router(config-line)#exec-time 0 0
Router(config-line)#exit
Router(config)#
Router(config)#enable password cisco
Router(config)#line vty 0 4
Router(config-line)#password ciscovty
Router(config-line)#login
Router(config-line)#hostname RX //(4台路由器分别命令为R1,R2,R3,R4)

2.配置接口地址,这个就不多说了,以R3为例

R3(config)#
R3(config)#int f1/1
R3(config-if)#ip address 192.168.13.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#int f1/3
R3(config-if)#ip address 192.168.23.3 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#int s3/0
R3(config-if)#ip address 172.16.34.3 255.255.255.0
R3(config-if)#clock rate 64000
R3(config-if)#no shutdown
R3(config-if)#


3.设置OSPF路由协议

R1(config)#
R1(config)#router ospf 10
R1(config-router)#network 10.1.1.0 0.0.0.255 area 0
R1(config-router)#network 192.168.13.0 0.0.0.255 area 0
R1(config-router)#exit
R1(config)#

R2(config)#
R2(config)#router ospf 20
R2(config-router)#network 10.2.2.0 0.0.0.255 area 0
R2(config-router)#network 192.168.23.0 0.0.0.255 area 0
R2(config-router)#exit
R2(config)#

R3(config)#
R3(config)#router ospf 30
R3(config-router)#network 10.3.3.0 0.0.0.255 area 0
R3(config-router)#network 192.168.13.0 0.0.0.255 area 0
R3(config-router)#network 192.168.23.0 0.0.0.255 area 0
R3(config-router)#network 172.16.34.0 0.0.0.255 area 0
R3(config-router)#exit
R3(config)#

R4(config)#
R4(config)#router ospf 40
R4(config-router)#network 10.4.4.0 0.0.0.255 area 0
R4(config-router)#network 172.16.34.0 0.0.0.255 area 0
R4(config-router)#exit
R4(config)#


4.在R3上查看学到的路由
以下数据表明,整个网络已经互通的,经测试各网段间可相互ping通。

R3#
R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.13.0/24 is directly connected, FastEthernet1/1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.34.0 is directly connected, Serial3/0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O       10.2.2.2/32 [110/2] via 192.168.23.2, 00:00:43, FastEthernet1/3
C       10.3.3.0/24 is directly connected, Loopback0
O       10.1.1.1/32 [110/2] via 192.168.13.1, 00:00:43, FastEthernet1/1
O       10.4.4.4/32 [110/65] via 172.16.34.4, 00:00:43, Serial3/0
C    192.168.23.0/24 is directly connected, FastEthernet1/3
R3#


5.设置标准ACL,禁止R1和10.2.2.0/24访问R4及其内部网络
该标准ACL应用到R4的S3/0端口入方向

R4(config)#
R4(config)#access-list 10 deny host 192.168.13.1
R4(config)#access-list 10 deny 10.2.2.0 0.0.0.255
R4(config)#access-list 10 permit any
R4(config)#int s3/0
R4(config-if)#ip access-group 10 in
R4(config-if)#end
R4#

6.设置扩展ACL,禁止R2 ping R4,禁止10.1.1.0/24网段在工作时间内 ping或者telnet R4及10.4.4.0/24网段
该扩展ACL应用到R3的S3/0端口出方向

R3(config)#
R3(config)#time-range time  //定义时间范围
R3(config-time-range)#periodic weekdays 8:00 to 18:00
R3(config-time-range)#exit
R3(config)#access-list 100 deny icmp host 192.168.23.2 host 172.16.34.4
R3(config)#access-list 100 deny icmp 10.1.1.0 0.0.0.255 any time-range time
R3(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq telnet time-range time  
R3(config)#access-list 100 permit ip any any
R3(config)#int s3/0
R3(config-if)#ip access-group 100 out
R3(config-if)#end
R3#


7.查看ACL

R3#
R3#show time-range              
time-range entry: time (active)
   periodic weekdays 8:00 to 18:00
   used in: IP ACL entry
   used in: IP ACL entry
R3#
R3#show access-lists            
Extended IP access list 100
    10 deny icmp host 192.168.23.2 host 172.16.34.4 (16 matches)
    20 deny icmp 10.1.1.0 0.0.0.255 any time-range time (active) (16 matches)
    30 deny tcp 10.1.1.0 0.0.0.255 any eq telnet time-range time (active) (6 matches)
    40 permit ip any any (133 matches)
R3#

R4#
R4#show access-lists
Standard IP access list 10
    10 deny   192.168.13.1
    20 deny   10.2.2.0, wildcard bits 0.0.0.255 (19 matches)
    30 permit any (737 matches)
R4#


8.测试

查看R3学到的路由条目
R3#
R3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.13.0/24 is directly connected, FastEthernet1/1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.34.0 is directly connected, Serial3/0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O       10.2.2.2/32 [110/2] via 192.168.23.2, 00:03:00, FastEthernet1/3
C       10.3.3.0/24 is directly connected, Loopback0
O       10.1.1.1/32 [110/2] via 192.168.13.1, 00:03:00, FastEthernet1/1
O       10.4.4.4/32 [110/65] via 172.16.34.4, 00:03:00, Serial3/0
C    192.168.23.0/24 is directly connected, FastEthernet1/3

以上表明R3学到的路由跟先前查看的一样,经测试,R3能ping通网络内的所有地址
======================================================================

R1 ping R4
R1#ping 172.16.34.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
---------------------------------------------------
R1 telnet R4
R1#telnet 172.16.34.4
Trying 172.16.34.4 ...
% Destination unreachable; gateway or host down
---------------------------------------------------
R1 ping 10.4.4.4
R1#ping 10.4.4.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

以上表明,R1不能访问R4及其内部网段
======================================================================

(在R3上通过clock set hh:mm:ss moon date year 命令设置时钟,通过show clock命令查看时钟)

10.1.1.1 在非工作时间—16:30:06.587 UTC Sun Nov 21 2010 内—ping R4
R1#ping 172.16.34.4 source 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/48/92 ms
---------------------------------------------------
10.1.1.1 在非工作时间—18:31:42.871 UTC Mon Nov 22 2010 内—telnet R4
R1#telnet 172.16.34.4 /source-interface lo0
Trying 172.16.34.4 ... Open
---------------------------------------------------
10.1.1.1 在工作时间—16:30:16.531 UTC Mon Nov 22 2010 内—ping 10.4.4.4
R1#ping 10.4.4.4 source 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
U.U.U
Success rate is 0 percent (0/5)
---------------------------------------------------
10.1.1.1 在工作时间—16:32:04.331 UTC Mon Nov 22 2010 内—telnet R4
R1#telnet 172.16.34.4 /source-interface lo0
Trying 172.16.34.4 ...
% Destination unreachable; gateway or host down

以上表明,10.1.1.0网段,在工作时间内不可以ping或者telnet R4及其内部网络
======================================================================

R2 ping R4
R2#ping 172.16.34.4 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
---------------------------------------------------
R2 ping 10.4.4.4
R2#ping 10.4.4.4    

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/58/120 ms
---------------------------------------------------
R2 telnet R4
R2#telnet 172.16.34.4
Trying 172.16.34.4 ... Open

以上表明,R2不能pingR4,但可以telnetR4,并且能与R4内部网络进行正常通信
======================================================================

10.2.2.2 ping R4
R2#ping 172.16.34.4 source 10.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
U.U.U
Success rate is 0 percent (0/5)
---------------------------------------------------
10.2.2.2 ping 10.4.4.4
R2#ping 10.4.4.4 source 10.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
U.U.U
Success rate is 0 percent (0/5)
---------------------------------------------------
10.2.2.2 telnet 172.16.34.4
R2#telnet 172.16.34.4 /source-interface lo0
Trying 172.16.34.4 ...
% Destination unreachable; gateway or host down

以上表明,10.2.2.0网段不能访问R4及其内部网段
=============================================================