HCIA - ACL Lab
I. Lab Requirements
Requirements:
1. PC1 can telnet to R1 but cannot ping R1; PC1 can ping R2 but cannot telnet to R2.
2. PC2 is the reverse of PC1.
Note: because the simulator's PC cannot run telnet, two routers are used to simulate the PCs.
II. Topology
III. IP Address Plan
The diagram is simple and only a few IP addresses are used:
| Device | Interface | IP address |
|---|---|---|
| R1 | g0/0/0 | 192.168.1.1/24 |
| R1 | g0/0/1 | 192.168.2.1/24 |
| R2 | g0/0/0 | 192.168.2.2/24 |
| PC1 | g0/0/0 | 192.168.1.10/24 |
| PC2 | g0/0/0 | 192.168.1.11/24 |
IV. Configuration
R1 IP configuration:
[r1]int g 0/0/0
[r1-GigabitEthernet0/0/0]ip add 192.168.1.1 24
[r1-GigabitEthernet0/0/0]int g 0/0/1
[r1-GigabitEthernet0/0/1]ip add 192.168.2.1 24
R2 IP configuration:
[r2]int g 0/0/0
[r2-GigabitEthernet0/0/0]ip add 192.168.2.2 24
PC1 configuration:
[pc1]int g 0/0/0
[pc1-GigabitEthernet0/0/0]ip add 192.168.1.10 24
PC2 configuration:
[pc2]int g 0/0/0
[pc2-GigabitEthernet0/0/0]ip add 192.168.1.11 24
Enable AAA authentication on R1 and R2:
[r1]aaa
[r1-aaa]local-user an privilege level 15 password cipher 123456
Info: Add a new user.
[r1-aaa]local-user an service-type telnet
[r1-aaa]quit
[r1]user-interface vty 0
[r1-ui-vty0]authentication-mode aaa
[r2]aaa
[r2-aaa]local-user an privilege level 15 password cipher 123456
Info: Add a new user.
[r2-aaa]local-user an service-type telnet
[r2]user-interface vty 0 4
[r2-ui-vty0-4]authentication-mode aaa
After the IP configuration is done, configure a default route on each PC:
[pc1]ip route-static 0.0.0.0 0 192.168.1.1
[pc2]ip route-static 0.0.0.0 0 192.168.1.1
At this point the whole network is reachable; test results:
Next, write an ACL to match the traffic of interest:
Based on the requirements, an advanced ACL is needed; the configuration is as follows:
[r1-acl-adv-3000]display this
[V200R003C00]
#
acl number 3000
rule 5 deny icmp source 192.168.1.10 0 destination 192.168.1.1 0
rule 10 deny icmp source 192.168.1.10 0 destination 192.168.2.1 0
rule 15 deny tcp source 192.168.1.10 0 destination 192.168.2.2 0
rule 20 deny tcp source 192.168.1.10 0 destination 192.168.2.2 0 destination-port eq telnet
rule 25 deny tcp source 192.168.1.11 0 destination 192.168.1.1 0 destination-port eq telnet
rule 30 deny tcp source 192.168.1.11 0 destination 192.168.2.1 0 destination-port eq telnet
rule 35 deny icmp source 192.168.1.11 0 destination 192.168.2.2 0
#
return
[r1]acl 3000
[r1-acl-adv-3000]rule deny icmp source 192.168.1.10 0.0.0.0 destination 192.168.1.1 0.0.0.0
[r1-acl-adv-3000]rule deny icmp source 192.168.1.10 0.0.0.0 destination 192.168.2.1 0.0.0.0
[r1-acl-adv-3000]rule deny tcp source 192.168.1.10 0.0.0.0 destination 192.168.2.2 0.0.0.0 destination-port eq 23
[r1]int g0/0/0
[r1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
[r1]acl 3000
[r1-acl-adv-3000]rule deny tcp source 192.168.1.11 0.0.0.0 destination 192.168.2.1 0.0.0.0 destination-port eq 23
[r1-acl-adv-3000]rule deny icmp source 192.168.1.11 0.0.0.0 destination 192.168.2.2 0.0.0.0
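To see how R1 decides each packet, here is an added Python simulation (not part of the original post) that parses the ACL 3000 rules copied from the display output above and evaluates the lab's test cases against them with first-match semantics. It assumes VRP's traffic-filter behaviour of permitting packets that match no rule, and that the display output abbreviates the wildcard 0.0.0.0 as 0.

```python
import ipaddress
import re

# ACL rules copied from R1's "display this" output above ("0" abbreviates wildcard 0.0.0.0).
ACL_3000 = """
rule 5 deny icmp source 192.168.1.10 0 destination 192.168.1.1 0
rule 10 deny icmp source 192.168.1.10 0 destination 192.168.2.1 0
rule 15 deny tcp source 192.168.1.10 0 destination 192.168.2.2 0
rule 20 deny tcp source 192.168.1.10 0 destination 192.168.2.2 0 destination-port eq telnet
rule 25 deny tcp source 192.168.1.11 0 destination 192.168.1.1 0 destination-port eq telnet
rule 30 deny tcp source 192.168.1.11 0 destination 192.168.2.1 0 destination-port eq telnet
rule 35 deny icmp source 192.168.1.11 0 destination 192.168.2.2 0
"""
RULE_RE = re.compile(r"rule (\d+) (permit|deny) (\w+) source (\S+) (\S+) "
                     r"destination (\S+) (\S+)(?: destination-port eq (\S+))?$")

def wildcard_match(addr, base, wildcard):
    """VRP wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    wc = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    return (int(ipaddress.IPv4Address(addr)) | wc) == (int(ipaddress.IPv4Address(base)) | wc)

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised rule: " + line)
        num, action, proto, src, swc, dst, dwc, port = m.groups()
        if port is not None:
            port = 23 if port == "telnet" else int(port)  # VRP prints telnet for port 23
        rules.append({"num": int(num), "action": action, "proto": proto,
                      "src": src, "swc": swc, "dst": dst, "dwc": dwc, "dport": port})
    return sorted(rules, key=lambda r: r["num"])  # VRP tries rules in ascending number order

def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule decides; traffic-filter permits packets that match no rule."""
    for r in rules:
        if r["proto"] != proto or (r["dport"] is not None and r["dport"] != dport):
            continue
        if wildcard_match(src, r["src"], r["swc"]) and wildcard_match(dst, r["dst"], r["dwc"]):
            return r["action"], r["num"]
    return "permit", None

def lab_matrix(rules):
    """The lab's eight checks: each PC pinging and telnetting to R1 and R2."""
    pcs = {"PC1": "192.168.1.10", "PC2": "192.168.1.11"}
    targets = {"R1": "192.168.1.1", "R2": "192.168.2.2"}
    return {(pc, tgt, svc): evaluate(rules, proto, pip, tip, port)[0]
            for pc, pip in pcs.items() for tgt, tip in targets.items()
            for svc, proto, port in (("ping", "icmp", None), ("telnet", "tcp", 23))}
```

lab_matrix confirms the requirement is met, and evaluate also shows that rule 15 denies all TCP from PC1 to R2 (for example port 80), not only telnet, so rule 20 is shadowed and never matches.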
Final test results:
PC1 test results:
PC2 test results:
Author: ChAn