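Lab content
- Complete the configuration of every device so that the whole network is reachable.
- Deploy a standard access control list on R2 that allows only users on the 192.168.12.0/24 segment to cross R2 and reach 3.3.3.3; all other traffic entering R2's S0/0 interface is dropped.
- Deploy an ACL on R2 that allows only ICMP traffic from 1.1.1.1 to 3.3.3.3 and Telnet traffic from R1 to 3.3.3.3 to pass through R2; all other traffic entering R2's S0/0 interface is filtered out.
Lab objectives
Master the configuration of standard ACLs
Understand how standard ACLs are applied in access control
Lab steps
Requirement one:
Draw the network topology as shown below:
The basic IP address information is:
PC1 IP address: 1.1.1.1
Gateway address: 1.1.1.254
PC2 IP address: 3.3.3.3
Gateway address: 3.3.3.254
Router address information:
Other router configuration
R1:
R2:
R3:
Connectivity test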
PC>ipconfig

FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::204:9AFF:FEB1:913D
IP Address......................: 1.1.1.1
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 1.1.1.254

PC>ping 1.1.1.254

Pinging 1.1.1.254 with 32 bytes of data:
Reply from 1.1.1.254: bytes=32 time=0ms TTL=255
Reply from 1.1.1.254: bytes=32 time=0ms TTL=255
Reply from 1.1.1.254: bytes=32 time=1ms TTL=255
Reply from 1.1.1.254: bytes=32 time=0ms TTL=255
Ping statistics for 1.1.1.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

PC>ping 192.168.12.1

Pinging 192.168.12.1 with 32 bytes of data:
Reply from 192.168.12.1: bytes=32 time=0ms TTL=255
Reply from 192.168.12.1: bytes=32 time=0ms TTL=255
Reply from 192.168.12.1: bytes=32 time=0ms TTL=255
Reply from 192.168.12.1: bytes=32 time=0ms TTL=255
Ping statistics for 192.168.12.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

PC>ping 192.168.12.2

Pinging 192.168.12.2 with 32 bytes of data:
Reply from 192.168.12.2: bytes=32 time=1ms TTL=254
Reply from 192.168.12.2: bytes=32 time=5ms TTL=254
Reply from 192.168.12.2: bytes=32 time=4ms TTL=254
Reply from 192.168.12.2: bytes=32 time=5ms TTL=254
Ping statistics for 192.168.12.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 5ms, Average = 3ms

PC>ping 192.168.23.2

Pinging 192.168.23.2 with 32 bytes of data:
Reply from 192.168.23.2: bytes=32 time=1ms TTL=254
Reply from 192.168.23.2: bytes=32 time=1ms TTL=254
Reply from 192.168.23.2: bytes=32 time=2ms TTL=254
Reply from 192.168.23.2: bytes=32 time=5ms TTL=254
Ping statistics for 192.168.23.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 5ms, Average = 2ms

PC>ping 192.168.23.3

Pinging 192.168.23.3 with 32 bytes of data:
Reply from 192.168.23.3: bytes=32 time=12ms TTL=253
Reply from 192.168.23.3: bytes=32 time=2ms TTL=253
Reply from 192.168.23.3: bytes=32 time=2ms TTL=253
Reply from 192.168.23.3: bytes=32 time=14ms TTL=253
Ping statistics for 192.168.23.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 14ms, Average = 7ms

PC>ping 3.3.3.3.
PC>ping 3.3.3.3

Pinging 3.3.3.3 with 32 bytes of data:
Request timed out.
Reply from 3.3.3.3: bytes=32 time=7ms TTL=125
Reply from 3.3.3.3: bytes=32 time=2ms TTL=125
Reply from 3.3.3.3: bytes=32 time=3ms TTL=125
Ping statistics for 3.3.3.3:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 7ms, Average = 4ms

PC>
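The checks above show that the whole network is reachable.
Requirement two:
Deploy a standard access control list on R2 that allows only users on the 192.168.12.0/24 segment to cross R2 and reach 3.3.3.3; all other traffic entering R2's s0/0/0 interface is dropped.
The configuration of R2 is as follows:
Testing from R1 (IP address 192.168.12.1), the ping succeeds.
Testing from PC1 (IP address 1.1.1.1), the ping fails.
Conclusion: all other traffic entering R2's s0/0/0 interface is dropped and cannot reach 3.3.3.3.
Requirement three:
Deploy an ACL on R2 that allows only ICMP traffic from 1.1.1.1 to 3.3.3.3 and Telnet traffic from R1 to 3.3.3.3 to pass through R2; all other traffic entering R2's s0/0/0 interface is filtered out. The configuration of R2 is as follows:
Enable Telnet on R3:
Test:
The tests show that the ICMP traffic can reach 3.3.3.3 and that a Telnet session to 3.3.3.3 can be opened.
This concludes the lab.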
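
The behaviour tested in requirements two and three can be modelled offline. The following is an added example, not the lab's own R2 configuration: a small Python model of wildcard-mask matching, first-match evaluation and the implicit deny. The ACL entries are constructed from the stated requirements, the function names are hypothetical, and R1's Telnet source is assumed to be 192.168.12.1 with Telnet on TCP port 23.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Entries constructed from the lab's requirements (assumed, not the page's config).
# Fields: action, protocol, (src, wildcard), (dst, wildcard), destination port
ANY = ("0.0.0.0", "255.255.255.255")
HOST = "0.0.0.0"
STANDARD_ACL = [  # requirement two: a standard ACL matches the source only
    ("permit", "ip", ("192.168.12.0", "0.0.0.255"), ANY, None),
]
EXTENDED_ACL = [  # requirement three: protocol, source, destination and port
    ("permit", "icmp", ("1.1.1.1", HOST), ("3.3.3.3", HOST), None),
    ("permit", "tcp", ("192.168.12.1", HOST), ("3.3.3.3", HOST), 23),  # Telnet
]

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, e_proto, e_src, e_dst, e_port in acl:
        if e_proto not in ("ip", proto):
            continue
        if not (wc_match(src, *e_src) and wc_match(dst, *e_dst)):
            continue
        if e_port is not None and e_port != dport:
            continue
        return action
    return "deny"  # implicit "deny any" that ends every ACL

def lab_results():
    """Decisions for traffic arriving inbound on R2's serial interface."""
    std, ext = STANDARD_ACL, EXTENDED_ACL
    return {
        "std: R1 ping 3.3.3.3": evaluate(std, "icmp", "192.168.12.1", "3.3.3.3"),
        "std: PC1 ping 3.3.3.3": evaluate(std, "icmp", "1.1.1.1", "3.3.3.3"),
        # Source-only matching cannot limit the destination to 3.3.3.3:
        "std: R1 ping 192.168.23.3": evaluate(std, "icmp", "192.168.12.1", "192.168.23.3"),
        "ext: PC1 ping 3.3.3.3": evaluate(ext, "icmp", "1.1.1.1", "3.3.3.3"),
        "ext: R1 telnet 3.3.3.3": evaluate(ext, "tcp", "192.168.12.1", "3.3.3.3", 23),
        "ext: R1 ping 3.3.3.3": evaluate(ext, "icmp", "192.168.12.1", "3.3.3.3"),
        "ext: PC1 telnet 3.3.3.3": evaluate(ext, "tcp", "1.1.1.1", "3.3.3.3", 23),
    }

if __name__ == "__main__":
    for case, decision in lab_results().items():
        print(f"{case:28} {decision}")
```

The third case shows why the destination restriction in requirement two cannot be expressed by a standard ACL alone: a source-only entry permits 192.168.12.0/24 to every destination, so restricting by destination needs an extended ACL as in requirement three.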