CCNA Lab: Access Control Lists and Telnet Access Control
2010-02-18 15:53
I have been at home lately reviewing the NA and NE material, and since I only started blogging today (late to the party, I know), I might as well write up a batch of lab reports as a summary of my recent review. If anything is lacking, I hope my "comrades" will point it out promptly, so that we keep marching forward, forward and forward again on the road to our dreams... Enough chatter, let's begin.
Lab environment: Router1 S1/0 (192.168.0.1/24) <-> S1/0 Router2 S1/1 <-> S1/1 Router3 (192.168.1.2/24). Router2 is the DCE end of both serial links, and all three routers run EIGRP AS 100.
R1 basic configuration:
Router>enable
Router#conf t
Router(config)#hostname Router1
Router1(config)#interface serial 1/0
Router1(config-if)#ip address 192.168.0.1 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#router eigrp 100
Router1(config-router)#network 192.168.0.0
Router1(config-router)#end
R2 basic configuration:
Router>enable
Router#conf t
Router(config)#hostname Router2
Router2(config)#interface serial 1/0
Router2(config-if)#ip address 192.168.0.2 255.255.255.0 //Router1's routing table shows this address as the next hop
Router2(config-if)#no shutdown
Router2(config-if)#clock rate 64000 //the DCE side must set the clock rate, otherwise the link cannot stay up
Router2(config-if)#exit
Router2(config)#interface serial 1/1
Router2(config-if)#ip address 192.168.1.1 255.255.255.0 //assumed address, not given in the lab; any unused address in 192.168.1.0/24 works
Router2(config-if)#no shutdown
Router2(config-if)#clock rate 64000
Router2(config-if)#exit
Router2(config)#router eigrp 100
Router2(config-router)#network 192.168.0.0
Router2(config-router)#network 192.168.1.0
Router2(config-router)#end
R3 basic configuration:
Router>enable
Router#conf t
Router(config)#hostname Router3
Router3(config)#interface serial 1/1
Router3(config-if)#ip address 192.168.1.2 255.255.255.0
Router3(config-if)#no shutdown
Router3(config-if)#exit
Router3(config)#router eigrp 100
Router3(config-router)#network 192.168.1.0
Router3(config-router)#end
With the basic configuration done, we check connectivity from Router1:
Router1#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
C 192.168.0.0/24 is directly connected, Serial1/0
D 192.168.1.0/24 [90/21024000] via 192.168.0.2, 00:56:19, Serial1/0
//the route to the 192.168.1.0 segment is visible
Router1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 62/62/63 ms
Connectivity is normal.
Next, configure and apply a standard access control list on Router2:
Router2(config)#access-list 1 deny 192.168.0.0 0.0.0.255 //numbers 1-99 are standard ACLs, which match on source address only; the wildcard 0.0.0.255 covers the whole /24 (without it only the single host 192.168.0.0 would match)
Router2(config)#access-list 1 permit any //every ACL ends with an implicit deny of all traffic, so the remaining traffic must be explicitly permitted
Router2(config)#interface serial 1/0
Router2(config-if)#ip access-group 1 in //apply the list inbound on the interface
Now back on Router1, test connectivity again:
Router1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Clearly communication fails, but this is not a routing problem: Router2's S1/0 interface is dropping traffic sourced from the 192.168.0.0/24 segment.
Router1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
C 192.168.0.0/24 is directly connected, Serial1/0
D 192.168.1.0/24 [90/21024000] via 192.168.0.2, 00:14:39, Serial1/0 //the route is still there
Next we implement an extended access control list. First remove the standard ACL from Router2's S1/0 (otherwise Router1's traffic never gets past Router2), then enable Telnet on Router3:
Router2(config)#interface serial 1/0
Router2(config-if)#no ip access-group 1 in //remove the standard list from the previous step
Router3(config)#enable password 123
Router3(config)#line vty 0 15
Router3(config-line)#password admin
Router3(config-line)#login
Router3(config-line)#end
Verify Telnet from Router1:
Router1#192.168.1.2
Trying 192.168.1.2 ...
User Access Verification
Password:
Router3>en
Password:
Router3#
Login works. Now configure the extended access list on Router2:
Router2(config)#access-list 101 deny tcp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 23 //numbers 100-199 are extended ACLs; this entry matches TCP from 192.168.0.0/24 to port 23 (Telnet) on any host in 192.168.1.0/24
Router2(config)#access-list 101 permit ip any any
Router2(config)#interface serial 1/1
Router2(config-if)#ip access-group 101 out //apply outbound on S1/1, the interface towards Router3
Verify Telnet from Router1 again:
Router1#192.168.1.2
Trying 192.168.1.2 ...
% Connection timed out; remote host not responding
The reason is that on Router2's serial1/1 we deny connections from source 192.168.0.0 to port 23 of hosts in the 192.168.1.0 segment, but this does not affect general connectivity between Router1 and Router3:
Router1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 47/59/63 ms
Next, one more extended-ACL experiment: allow Telnet but block ping:
Router2(config)#interface serial 1/1
Router2(config-if)#no ip access-group 101 out //remove the previous list first
Router2(config-if)#exit
Router2(config)#access-list 110 deny icmp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 echo //only ICMP echo requests from 192.168.0.0/24 to 192.168.1.0/24 are denied
Router2(config)#access-list 110 permit ip any any
Router2(config)#int serial 1/0
Router2(config-if)#ip access-group 110 in
Verify from Router1:
Router1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router1#telnet 192.168.1.2
Trying 192.168.1.2 ...
User Access Verification
Password:
Router3>en
Password:
Router3#
The result shows that Telnet works but ping does not.
Well, that's it for this lab. Access control lists are actually very flexible; only plenty of practice makes you fluent with them. Heh.
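To make the matching rules used in the three experiments concrete, here is a small Python model of IOS numbered-ACL evaluation (an added example, not part of the original lab): it parses the lab's access-list lines, applies wildcard-mask matching with first-match semantics and the implicit deny, and checks the ping and Telnet test packets against ACL 1, 101 and 110. It also includes the no-wildcard variant `deny 192.168.0.0`, which matches only the single host 192.168.0.0 and so would not have blocked Router1. The Packet type and the two test packets are constructed for this example.

```python
import ipaddress
from collections import namedtuple
Packet = namedtuple("Packet", "src dst proto dport icmp_type", defaults=(0, ""))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr(tok):
    """Consume 'any', 'host A' or 'A [wildcard]'; a missing wildcard means a single host."""
    t = tok.pop(0)
    if t in ("any", "host"):
        return ("0.0.0.0", "255.255.255.255") if t == "any" else (tok.pop(0), "0.0.0.0")
    return (t, tok.pop(0) if tok and tok[0].count(".") == 3 else "0.0.0.0")

def parse_acl(lines):
    """Parse IOS 'access-list' lines into (action, proto, src, dst, port, icmp_type) rules."""
    rules = []
    for line in lines:
        tok = line.split()
        # Numbers 1-99 are standard ACLs (source only, so destination is 'any'); 100-199 are extended.
        proto, rest = ("ip", tok[3:] + ["any"]) if int(tok[1]) <= 99 else (tok[3], tok[4:])
        src, dst = _addr(rest), _addr(rest)  # consumes tokens left to right
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        icmp = rest[0] if proto == "icmp" and rest else None
        rules.append((tok[2], proto, src, dst, port, icmp))
    return rules

def evaluate(rules, pkt):
    """First matching entry wins; every ACL ends with an implicit 'deny'."""
    for action, proto, src, dst, port, icmp in rules:
        if (proto in ("ip", pkt.proto) and wildcard_match(pkt.src, *src)
                and wildcard_match(pkt.dst, *dst) and port in (None, pkt.dport)
                and icmp in (None, pkt.icmp_type)):
            return action
    return "deny"

# Constructed traffic mirroring the lab tests: Router1 (192.168.0.1) -> Router3 (192.168.1.2).
PING = Packet("192.168.0.1", "192.168.1.2", "icmp", icmp_type="echo")
TELNET = Packet("192.168.0.1", "192.168.1.2", "tcp", dport=23)
ACLS = {
    "acl1": ["access-list 1 deny 192.168.0.0 0.0.0.255", "access-list 1 permit any"],
    "acl1_no_wildcard": ["access-list 1 deny 192.168.0.0", "access-list 1 permit any"],  # matches host 192.168.0.0 only
    "acl101": ["access-list 101 deny tcp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 23", "access-list 101 permit ip any any"],
    "acl110": ["access-list 110 deny icmp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 echo", "access-list 110 permit ip any any"],
}

def lab_results():  # {'<acl>_ping' | '<acl>_telnet': 'permit' | 'deny'}
    return {f"{name}_{kind}": evaluate(parse_acl(lines), pkt)
            for name, lines in ACLS.items() for kind, pkt in (("ping", PING), ("telnet", TELNET))}
```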