Lab 18: ACL Configuration 2

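Lab Content


  • Complete the configuration of each device so that the whole network is reachable.
  • Deploy a standard access control list on R2 that only allows users in the 192.168.12.0/24 subnet to traverse R2 and access 3.3.3.3; all other traffic entering R2's S0/0 interface is dropped.
  • Deploy an ACL on R2 that only allows ICMP traffic from 1.1.1.1 to 3.3.3.3 and Telnet traffic from R1 to 3.3.3.3 to pass through R2; all other traffic entering R2's S0/0 interface is filtered out.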

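Lab Objectives

Master the configuration of standard ACLs

Understand the application of standard ACLs in access control

Lab Steps

Requirement 1:

Draw the network topology as shown below:


Basic IP address information:

PC1 IP address: 1.1.1.1  Gateway address: 1.1.1.254
PC2 IP address: 3.3.3.3  Gateway address: 3.3.3.254
Router address information:

Other router configuration

R1:


R2:


R3:

Connectivity test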

PC>ipconfig

FastEthernet0 Connection:(default port)

   Link-local IPv6 Address.........: FE80::204:9AFF:FEB1:913D
   IP Address......................: 1.1.1.1
   Subnet Mask.....................: 255.255.255.0
   Default Gateway.................: 1.1.1.254

PC>ping 1.1.1.254

Pinging 1.1.1.254 with 32 bytes of data:

Reply from 1.1.1.254: bytes=32 time=0ms TTL=255
Reply from 1.1.1.254: bytes=32 time=0ms TTL=255
Reply from 1.1.1.254: bytes=32 time=1ms TTL=255
Reply from 1.1.1.254: bytes=32 time=0ms TTL=255

Ping statistics for 1.1.1.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

PC>ping 192.168.12.1

Pinging 192.168.12.1 with 32 bytes of data:

Reply from 192.168.12.1: bytes=32 time=0ms TTL=255
Reply from 192.168.12.1: bytes=32 time=0ms TTL=255
Reply from 192.168.12.1: bytes=32 time=0ms TTL=255
Reply from 192.168.12.1: bytes=32 time=0ms TTL=255

Ping statistics for 192.168.12.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

PC>ping 192.168.12.2

Pinging 192.168.12.2 with 32 bytes of data:

Reply from 192.168.12.2: bytes=32 time=1ms TTL=254
Reply from 192.168.12.2: bytes=32 time=5ms TTL=254
Reply from 192.168.12.2: bytes=32 time=4ms TTL=254
Reply from 192.168.12.2: bytes=32 time=5ms TTL=254

Ping statistics for 192.168.12.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 5ms, Average = 3ms

PC>ping 192.168.23.2

Pinging 192.168.23.2 with 32 bytes of data:

Reply from 192.168.23.2: bytes=32 time=1ms TTL=254
Reply from 192.168.23.2: bytes=32 time=1ms TTL=254
Reply from 192.168.23.2: bytes=32 time=2ms TTL=254
Reply from 192.168.23.2: bytes=32 time=5ms TTL=254

Ping statistics for 192.168.23.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 5ms, Average = 2ms

PC>ping 192.168.23.3

Pinging 192.168.23.3 with 32 bytes of data:

Reply from 192.168.23.3: bytes=32 time=12ms TTL=253
Reply from 192.168.23.3: bytes=32 time=2ms TTL=253
Reply from 192.168.23.3: bytes=32 time=2ms TTL=253
Reply from 192.168.23.3: bytes=32 time=14ms TTL=253

Ping statistics for 192.168.23.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 14ms, Average = 7ms

PC>ping 3.3.3.3.
PC>ping 3.3.3.3

Pinging 3.3.3.3 with 32 bytes of data:

Request timed out.
Reply from 3.3.3.3: bytes=32 time=7ms TTL=125
Reply from 3.3.3.3: bytes=32 time=2ms TTL=125
Reply from 3.3.3.3: bytes=32 time=3ms TTL=125

Ping statistics for 3.3.3.3:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 7ms, Average = 4ms

PC>

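The tests above confirm that the whole network is reachable!

Requirement 2:

Deploy a standard access control list on R2 that only allows users in the 192.168.12.0/24 subnet to traverse R2 and access 3.3.3.3; all other traffic entering R2's s0/0/0 interface is dropped.

R2 is configured as follows:


Testing from R1 (IP address 192.168.12.1), the ping succeeds.


Testing from PC1 (IP address 1.1.1.1), the ping fails.


Conclusion: all other traffic entering R2's s0/0/0 interface is dropped and cannot reach 3.3.3.3.

Requirement 3:

Deploy an ACL on R2 that only allows ICMP traffic from 1.1.1.1 to 3.3.3.3 and Telnet traffic from R1 to 3.3.3.3 to pass through R2; all other traffic entering R2's s0/0/0 interface is filtered out.

R2 is configured as follows:


Enable Telnet on R3:


Test:


From the test we can see that ICMP traffic can reach 3.3.3.3, and Telnet to 3.3.3.3 also works.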
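
The filtering logic of requirements 2 and 3, modeled as an added Python example (not part of the original lab, and not the R2 configuration itself, which is not reproduced in the text). The entry layout and the names `wildcard_match`, `evaluate` and `lab_checks` are assumptions made for illustration; R1's source address is taken as 192.168.12.1, the address used in the test above, and Telnet as TCP port 23.

```python
import ipaddress

# Constructed model of the two ACLs the lab asks for on R2. Entry layout:
# (action, protocol, source, source wildcard, destination, dest wildcard, dest port)
STANDARD_ACL = [  # requirement 2: a standard ACL can match the source only
    ("permit", "ip", "192.168.12.0", "0.0.0.255", None, None, None),
]
EXTENDED_ACL = [  # requirement 3: protocol, source, destination and port
    ("permit", "icmp", "1.1.1.1", "0.0.0.0", "3.3.3.3", "0.0.0.0", None),
    ("permit", "tcp", "192.168.12.1", "0.0.0.0", "3.3.3.3", "0.0.0.0", 23),
]

def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, e_proto, s, s_wc, d, d_wc, e_port in acl:
        if e_proto != "ip" and e_proto != proto:
            continue
        if not wildcard_match(src, s, s_wc):
            continue
        if d is not None and not wildcard_match(dst, d, d_wc):
            continue
        if e_port is not None and dport != e_port:
            continue
        return action
    return "deny"  # every ACL ends with an implicit "deny any"

def lab_checks():
    """The lab's test cases plus two extra probes (constructed packets)."""
    return [
        ("req2 R1  -> 3.3.3.3 icmp", evaluate(STANDARD_ACL, "icmp", "192.168.12.1", "3.3.3.3")),
        ("req2 PC1 -> 3.3.3.3 icmp", evaluate(STANDARD_ACL, "icmp", "1.1.1.1", "3.3.3.3")),
        ("req2 R1  -> 192.168.23.3 icmp", evaluate(STANDARD_ACL, "icmp", "192.168.12.1", "192.168.23.3")),
        ("req3 PC1 -> 3.3.3.3 icmp", evaluate(EXTENDED_ACL, "icmp", "1.1.1.1", "3.3.3.3")),
        ("req3 R1  -> 3.3.3.3 telnet", evaluate(EXTENDED_ACL, "tcp", "192.168.12.1", "3.3.3.3", 23)),
        ("req3 PC1 -> 3.3.3.3 telnet", evaluate(EXTENDED_ACL, "tcp", "1.1.1.1", "3.3.3.3", 23)),
    ]

if __name__ == "__main__":
    for label, action in lab_checks():
        print(f"{label:32} {action}")
```

The third check shows a limit of the standard ACL: it matches on source only, so 192.168.12.0/24 is permitted to any destination behind R2, not just 3.3.3.3. Restricting the destination as well requires an extended ACL like the one modeled for requirement 3.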


This concludes the lab!


Reprinted from blog.csdn.net/fly_hps/article/details/80500357