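Lab 38: Time-Based ACLs
1. Lab objectives
After completing this lab you will be able to:
(1) Define a time-range
(2) Configure a time-based ACL
(3) Debug a time-based ACL
2. Topology
The lab topology is shown in the figure.
3. Lab steps
Note: This lab requires that only the host PC0 be allowed to access the TELNET service on router R2, and only from 7:11 to 14:11 every day from Monday to Friday.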
r0(config)#int f1/0
r0(config-if)#ip add 192.168.64.2 255.255.255.0
r0(config-if)#no sh
r0(config-if)#ping 172.1
*Mar 1 00:03:32.127: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar 1 00:03:33.127: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
r0(config-if)#do ping 192.168.64.129
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.64.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/21/48 ms
r0(config-if)#int s0/0
r0(config-if)#ip add 172.16.1.1 255.255.255.0
r0(config-if)#no sh
r0(config-if)#
*Mar 1 00:06:32.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r0(config-if)#exit
r0(config)#router eigrp 1
r0(config-router)#no au
r0(config-router)#net 172.16.1.0
r0(config-router)#net 192.168.64.0
r0(config-router)#
*Mar 1 00:08:20.235: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.2 (Serial0/0) is up: new adjacency
r0(config-router)#exit
r0(config)#time-range time
r0(config-time-range)#periodic weekdays 7:11 to 14:11
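r0(config-time-range)#$4.129 host 172.16.2.2 eq telnet time-range time
// When a command is too long for the line, the CLI shows $ in place of the part that cannot be displayed. The full command is:
// access-list 101 permit tcp host 192.168.64.129 host 172.16.2.2 eq telnet time-range time
// This references the time-range from the access control list.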
r0(config)#int f1/0
r0(config-if)#ip access-group 101 in
r0(config-if)#^Z
r0#ping 172.16.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/43/104 ms
r0#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r0(config-if)#do sh access-list 101
Extended IP access list 101
10 permit tcp host 192.168.64.129 host 172.16.2.2 eq telnet time-range time (active)
r0(config-if)#do sh time-range
// This command displays the defined time ranges.
time-range entry: time (active)
periodic weekdays 7:11 to 14:11
used in: IP ACL entry
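
The following is an added illustration, not part of the original lab or any Cisco code: a small Python model of how ACL 101 and the time-range "time" configured above decide a packet against the router clock. The Python names, sample packets and dates are constructed, and counting the end minute 14:11 as inside the window is an assumption of the model.

```python
from datetime import datetime, time
from ipaddress import ip_address

# time-range "time" from the lab: periodic weekdays 7:11 to 14:11 (Monday=0 .. Friday=4)
TIME_RANGES = {"time": {"days": {0, 1, 2, 3, 4}, "start": time(7, 11), "end": time(14, 11)}}

# ACL 101 from the lab: a single time-bound permit, followed by the implicit deny
ACL_101 = [
    {"action": "permit", "proto": "tcp", "src": "192.168.64.129",
     "dst": "172.16.2.2", "dport": 23, "time_range": "time"},
]

def range_active(name, now):
    """True when the router clock `now` falls inside the periodic window."""
    tr = TIME_RANGES[name]
    # Assumption of this model: the end minute itself still counts as active.
    hhmm = now.time().replace(second=0, microsecond=0)
    return now.weekday() in tr["days"] and tr["start"] <= hhmm <= tr["end"]

def evaluate(acl, pkt, now):
    """Return 'permit' or 'deny' for pkt, judged by the router clock `now`."""
    for ace in acl:
        tr = ace.get("time_range")
        if tr and not range_active(tr, now):
            continue  # an inactive entry is skipped as if it were not configured
        if (pkt["proto"] == ace["proto"]
                and ip_address(pkt["src"]) == ip_address(ace["src"])
                and ip_address(pkt["dst"]) == ip_address(ace["dst"])
                and pkt.get("dport") == ace["dport"]):
            return ace["action"]
    return "deny"  # implicit "deny ip any any" that ends every ACL

# Constructed sample packets arriving inbound on f1/0
TELNET = {"proto": "tcp", "src": "192.168.64.129", "dst": "172.16.2.2", "dport": 23}
PING = {"proto": "icmp", "src": "192.168.64.129", "dst": "172.16.2.2"}
OTHER_HOST = dict(TELNET, src="192.168.64.130")

if __name__ == "__main__":
    # Constructed timestamps: 2024-01-03 is a Wednesday, 2024-01-06 a Saturday
    for label, pkt, now in [
        ("telnet from PC0, Wed 09:00", TELNET, datetime(2024, 1, 3, 9, 0)),
        ("telnet from PC0, Wed 14:12", TELNET, datetime(2024, 1, 3, 14, 12)),
        ("telnet from PC0, Sat 09:00", TELNET, datetime(2024, 1, 6, 9, 0)),
        ("ping from PC0, Wed 09:00", PING, datetime(2024, 1, 3, 9, 0)),
        ("telnet from other host, Wed 09:00", OTHER_HOST, datetime(2024, 1, 3, 9, 0)),
    ]:
        print(f"{label}: {evaluate(ACL_101, pkt, now)}")
```

Because the only entry is time-bound and the list is applied inbound on f1/0, all other traffic arriving on that interface hits the implicit deny at any hour. The window is judged by the router's own clock, so the restriction is only as trustworthy as that clock.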
r1(config)#int s0/0
r1(config-if)#ip add 172.16.1.2 255.255.255.0
r1(config-if)#no sh
r1(config-if)#exit
r1(config)#int s0
*Mar 1 00:06:16.023: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 00:06:17.023: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r1(config)#int s0/1
r1(config-if)#ip add 172.16.2.1 255.255.255.0
r1(config-if)#no sh
r1(config-if)#
*Mar 1 00:06:31.283: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
*Mar 1 00:06:32.283: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
r1(config-if)#
*Mar 1 00:06:52.667: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to down
r1(config-if)#
*Mar 1 00:07:12.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
r1(config-if)#exit
r1(config)#router eigrp 1
r1(config-router)#no au
r1(config-router)#net 172.16.1.0
r1(config-router)#net
*Mar 1 00:08:19.939: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.2.2 (Serial0/1) is up: new adjacency
*Mar 1 00:08:19.943: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is up: new adjacency
r1(config-router)#net 172.16.2.0
r1(config-router)#
*Mar 1 00:25:06.027: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is down: Interface Goodbye received
r1(config-router)#
*Mar 1 00:25:10.983: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is up: new adjacency
r1(config-router)#
r2(config)#int s0/0
r2(config-if)#ip add 172.16.2.2 255.255.255.0
r2(config-if)#no sh
r2(config-if)#exi
*Mar 1 00:06:58.111: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 00:06:59.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r2(config-if)#exit
r2(config)#router eigrp 1
r2(config-router)#no au
r2(config-router)#net 172.16.2.0
r2(config-router)#
*Mar 1 00:08:19.535: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.2.1 (Serial0/0) is up: new adjacency
r2(config-router)#do ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/39/60 ms
r2(config-router)#do ping 192.16.64.129
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.16.64.129, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r2(config-router)#^Z
r2#
r2#
*Mar 1 00:09:20.743: %SYS-5-CONFIG_I: Configured from console by console
r2#ping 192.168.64.129
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.64.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/37/76 ms
r2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
This article is from the “柯浩坚” blog. Please contact the author before reposting!