Lab source: 工大瑞普 Cisco Network Technology Forum
Requirements:
1. Allow the host 192.168.1.1 to access R4
2. Allow the host 192.168.1.3 to access R4
3. Allow hosts in the 131.16.24.0 network to access R4
4. Deny the host 192.168.1.2 access to R4
1. Configure the interface IP addresses on each router according to the topology. (The diagram is not reproduced here; inferred from the configuration and command output that follows: R1, R2 and R3 share 192.168.1.0/24 as .1, .2 and .3, R2 also has 131.16.24.1, R3's S1/2 is 172.16.1.1, R4's S1/2 is 172.16.1.2, and 10.1.1.0 and 10.2.2.0 sit behind R4.)
2. Configure OSPF on each router:
r1(config)#router ospf 100
r1(config-router)#network 192.168.1.0 0.0.0.255 area 0
r2(config)#router ospf 100
r2(config-router)#network 131.16.24.0 0.0.0.255 area 0
r2(config-router)#network 192.168.1.0 0.0.0.255 area 0
r3(config)#router ospf 100
r3(config-router)#network 192.168.1.0 0.0.0.255 area 0
r3(config-router)#network 172.16.1.0 0.0.0.255 area 0
r4(config)#router ospf 100
r4(config-router)#network 172.16.1.0 0.0.0.255 area 0
r4(config-router)#network 10.1.1.0 0.0.0.255 area 0
r4(config-router)#network 10.2.2.0 0.0.0.255 area 0
Run show ip route on each router to confirm that the OSPF routes have been learned; R3 for example:
r3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external,
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Serial1/2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 10.2.2.0/24 [110/65] via 172.16.1.2, 00:00:03, Serial1/2
O 10.1.1.1/32 [110/65] via 172.16.1.2, 00:00:03, Serial1/2
C 192.168.1.0/24 is directly connected, FastEthernet0/0
The two O entries (highlighted in red in the original post) are routes learned through S1/2 with next hop 172.16.1.2. In [110/65], 110 is the administrative distance (the OSPF default) and 65 is the path cost: 64 for the 1544 kbps serial link plus 1 for the loopback or Ethernet segment behind R4.
3. Configure the ACL. (Note: a standard ACL matches only the source address, so it is placed as close to the destination as possible; placed near the source it would cut that source off from every destination beyond the filter. An extended ACL can also match the destination and protocol, so it is placed close to the source to drop unwanted traffic before it crosses the network.)
Method 1 (a whitelist: anything not listed is dropped by the implicit deny any at the end of the list, which is what blocks 192.168.1.2):
r4(config)#access-list 10 permit host 192.168.1.1 //ACL 10: permit the host 192.168.1.1
r4(config)#access-list 10 permit host 192.168.1.3
r4(config)#access-list 10 permit 131.16.24.0 0.0.0.255
r4(config)#access-list 10 permit host 172.16.1.1 //R3's S1/2 address. An inbound ACL also filters packets addressed to the router itself, so without this entry R4 would drop R3's OSPF hellos and lose the adjacency
r4(config)#int s1/2
r4(config-if)#ip access-group 10 in //apply ACL 10 inbound on the interface
Method 2 (a blacklist: deny the one host, permit everything else; note that a standard ACL takes permit any, not permit any any):
r4(config)#access-list 10 deny host 192.168.1.2
r4(config)#access-list 10 permit any
r4(config)#int s1/2
r4(config-if)#ip access-group 10 in
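To make the first-match and implicit-deny behaviour of the two lists concrete, here is an added Python model of how R4 evaluates them. It is example code written for this page, not IOS or anything from the original lab: it parses the same access-list lines, applies IOS wildcard-mask semantics (a 1 bit in the wildcard means "do not compare"), appends the implicit deny, and runs both lists against the sources from the requirements plus R3's S1/2 address. The probe 10.9.9.9 is a constructed source that appears in neither list.

```python
import ipaddress
import re

# Constructed copies of the two ACLs from this lab, in IOS syntax.  Method 2 uses
# the correct standard-ACL keyword `permit any`.
METHOD1_CONFIG = """
access-list 10 permit host 192.168.1.1
access-list 10 permit host 192.168.1.3
access-list 10 permit 131.16.24.0 0.0.0.255
access-list 10 permit host 172.16.1.1
"""
METHOD2_CONFIG = """
access-list 10 deny host 192.168.1.2
access-list 10 permit any
"""

# access-list <n> permit|deny  host A.B.C.D | any | A.B.C.D W.W.W.W
ENTRY_RE = re.compile(
    r"^access-list\s+\d+\s+(?P<action>permit|deny)\s+"
    r"(?:host\s+(?P<host>\S+)|(?P<any>any)|(?P<addr>\S+)\s+(?P<wc>\S+))\s*$"
)


def parse_standard_acl(config):
    """Turn access-list lines into (seq, action, address, wildcard) tuples.

    Sequence numbers are assigned 10, 20, 30, ... in entry order, as IOS does
    when none are given; the `host` keyword is wildcard 0.0.0.0 and `any` is
    0.0.0.0 with wildcard 255.255.255.255.
    """
    entries = []
    for line in config.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"not a standard ACL entry: {line!r}")
        if m.group("host"):
            addr, wc = m.group("host"), "0.0.0.0"
        elif m.group("any"):
            addr, wc = "0.0.0.0", "255.255.255.255"
        else:
            addr, wc = m.group("addr"), m.group("wc")
        entries.append((10 * (len(entries) + 1), m.group("action"), addr, wc))
    return entries


def wildcard_match(src, addr, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not compare'."""
    s = int(ipaddress.IPv4Address(src))
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (s & care) == (a & care)


def evaluate(acl, src):
    """Top-down, first match wins; an unmatched source hits the implicit deny."""
    for seq, action, addr, wc in acl:
        if wildcard_match(src, addr, wc):
            return action, seq
    return "deny", None             # implicit `deny any` at the end of every ACL


def compare(sources):
    """Return {source: (method-1 verdict, method-2 verdict)} for each source."""
    acl1 = parse_standard_acl(METHOD1_CONFIG)
    acl2 = parse_standard_acl(METHOD2_CONFIG)
    return {s: (evaluate(acl1, s)[0], evaluate(acl2, s)[0]) for s in sources}


if __name__ == "__main__":
    # The four sources named in the requirements, R3's S1/2 address (R4's OSPF
    # neighbour), and 10.9.9.9, a constructed source that is in neither list.
    probes = ["192.168.1.1", "192.168.1.2", "192.168.1.3", "131.16.24.1",
              "172.16.1.1", "10.9.9.9"]
    for src, (m1, m2) in compare(probes).items():
        note = "" if m1 == m2 else "   <-- the two methods disagree"
        print(f"{src:15} method1={m1:7} method2={m2:7}{note}")
```

Both lists give the same verdict for the five addresses the lab cares about; they disagree only on 10.9.9.9, which method 1 drops through the implicit deny and method 2 admits. That is the whole difference between the two approaches: the whitelist fails closed for any source you did not think of (including a spoofed one), the blacklist fails open.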
Both methods satisfy the four requirements, but they are not equivalent: method 1 denies every source that is not listed, while method 2 admits any source other than 192.168.1.2, so a host that is neither required nor explicitly denied (or a spoofed source address) gets through. From a security standpoint the whitelist is the better default. Also note that new access-list lines are appended to an existing list of the same number, so remove it with no access-list 10 before switching from one method to the other. Check the ACL with show ip access-lists (IOS displays host entries ahead of wildcard entries, which is why sequence 40 is printed before 30; the host entries are mutually exclusive, so this does not change the result):
r4#show ip access-lists
Standard IP access list 10
10 permit 192.168.1.1 (45 matches)
20 permit 192.168.1.3 (15 matches)
40 permit 172.16.1.1 (63 matches)
30 permit 131.16.24.0, wildcard bits 0.0.0.255 (45 matches)
Check the ACL binding on the interface; the relevant line is "Inbound access list is 10":
r4#show ip int s1/2
Serial1/2 is up, line protocol is up
Internet address is 172.16.1.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5
Outgoing access list is not set
Inbound access list is 10
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF Feature Fast switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
Test. R1 pings with its own address 192.168.1.1 as the source; R2 pings first with its default source 192.168.1.2, then with 131.16.24.1 using an extended ping; R3 uses 192.168.1.3 via an extended ping:
r1#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/140/164 ms
r2#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
U.U.U.
Success rate is 0 percent (0/5)
The U replies are ICMP destination unreachable messages from R4: the source 192.168.1.2 matched the deny entry, and because "ICMP unreachables are always sent" on S1/2 (see the interface output above) R4 tells the sender that the packet was filtered instead of dropping it silently (the alternating U and . pattern comes from the default rate limit of one unreachable per 500 ms). Configure no ip unreachables on the interface if the existence of the filter should not be advertised. Sourcing the same ping from 131.16.24.1 instead:
r2#ping
Protocol [ip]:
Target IP address: 172.16.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 131.16.24.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 131.16.24.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/124/140 ms
r3#ping
Protocol [ip]:
Target IP address: 172.16.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/80 ms
That completes the lab.