
NA-NP-IE Series Lab 39: Dynamic ACL

2009-12-09 13:21
Lab 39: Dynamic ACL

1. Lab objectives

Through this lab you can master:
(1) how a dynamic ACL works
(2) configuring a dynamic ACL
(3) debugging a dynamic ACL

2. Topology

The lab topology is shown in the figure.

3. Lab steps

Note: a dynamic ACL is a Cisco IOS security feature that lets a user temporarily open a hole in the firewall without breaking the other security restrictions that are already configured.

This lab requires that, if the network segment where PC0 sits wants to access the WWW service on router R1
r0(config)#int f1/0
r0(config-if)#ip add 192.168.64.10 255.255.255.0
r0(config-if)#no sh
r0(config-if)#do ping 192
*Mar 1 00:10:48.919: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar 1 00:10:49.919: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
r0(config-if)#do ping 192.168.64.134

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.64.134, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/18/36 ms
r0(config-if)#exit
r0(config)#int s0/0
r0(config-if)#ip add 172.16.1.1 255.255.255.0
r0(config-if)#no sh
r0(config-if)#
*Mar 1 00:11:19.499: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 00:11:20.499: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r0(config-if)#
*Mar 1 00:11:43.259: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
r0(config-if)#
*Mar 1 00:12:13.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r0(config-if)#exit
r0(config)#router eigrp 1
r0(config-router)#no au
r0(config-router)#net 172.16.1.0
r0(config-router)#net
*Mar 1 00:14:19.343: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.2 (Serial0/0) is up: new adjacency
r0(config-router)#net 192.168.64.0
r0(config-router)#
r0(config-router)#do ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/32/60 ms
r0(config-router)#do ping 192.168.64.134

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.64.134, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/23/40 ms
r0(config-router)#exit
r0(config-if)#exit
*Mar 1 00:31:15.763: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.2 (Serial0/0) is up: new adjacency

R1(config)#int s0/1
r1(config-if)#ip add 172.16.2.1 255.255.255.0
r1(config-if)#no sh
r1(config-if)#
*Mar 1 00:12:17.699: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
*Mar 1 00:12:18.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
R1(config-if)#exit
r1(config)#router eigrp 1
r1(config-router)#no au
r1(config-router)#net 172.16.2.0
r1(config-router)#net 1.1.1.0
r1(config-router)#net 172.16.1.0
r1(config-router)#exit
r1(config)#
*Mar 1 00:13:59.363: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.2.2 (Serial0/1) is up: new adjacency
r1(config)#
*Mar 1 00:14:18.843: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is up: new adjacency
r1(config)#do sh ip int b
Interface IP-Address OK? Method Status Protocol
Serial0/0 172.16.1.2 YES manual up up
Serial0/1 172.16.2.1 YES manual up up
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
Loopback1 1.1.1.1 YES manual up up
r1(config)#$ 101 permit tcp host 192.168.64.134 host 1.1.1.1 eq www
r1(config)#$ 101 dynamic test timeout 100 permit tcp host 192.168.64.134 host 1.1.1.1 eq www // "dynamic" defines the dynamic ACL entry; "timeout" defines the dynamic ACL's absolute timeout

r1(config)#int s0/0
r1(config-if)#ip access-group 101 in
r1(config-if)#do ping 172.16.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/22/52 ms
r1(config-if)#
*Mar 1 00:31:10.871: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is down: holding time expired
r1(config-if)#
Success rate is 0 percent (0/5)
r1(config-if)#do sh access-list 101
Extended IP access list 101
10 permit tcp host 192.168.64.134 host 1.1.1.1 eq www
20 Dynamic test permit tcp host 192.168.64.134 host 1.1.1.1 eq www
At this point, accessing the Web service on 1.1.1.1 from host 192.168.64.134 succeeds.
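For reference, the following is an added example (not the blog's own configuration) of a complete lock-and-key dynamic ACL on R1, using the addresses from this lab. Beyond the two access-list lines shown in the transcript, it assumes a local username (placeholder credentials), permits the Telnet session a user opens to R1 in order to authenticate, lets the EIGRP adjacency on Serial0/0 survive the inbound ACL (the transcript shows the 172.16.1.1 neighbor dropping with "holding time expired" after the ACL is applied), and binds access-enable to the vty lines so the temporary entry is created only after a successful login. The username "lockkey", the secret and the 10-minute idle timeout are assumptions.

```cisco
! Added example: full lock-and-key (dynamic ACL) configuration on R1.
! Addresses come from the lab; the username, secret and idle timeout are assumed.
!
! Local account a user must authenticate with before the temporary entry opens.
username lockkey secret PLACEHOLDER_SECRET
!
! Seq 10: keep the routing protocol working through the inbound ACL on Serial0/0.
access-list 101 permit eigrp any any
! Seq 20: allow the authentication Telnet session to R1's Serial0/0 address.
access-list 101 permit tcp host 192.168.64.134 host 172.16.1.2 eq telnet
! Seq 30: the dynamic template; "timeout 100" is its absolute lifetime in minutes.
!         Until a user authenticates, the template is inactive and matches nothing.
access-list 101 dynamic test timeout 100 permit tcp host 192.168.64.134 host 1.1.1.1 eq www
! Everything else is dropped by the implicit deny at the end of the list.
!
interface Serial0/0
 ip access-group 101 in
!
! After a successful login the vty runs access-enable, creates a temporary entry
! for the authenticated source host only, and closes the Telnet session.
! "timeout 10" is the idle timeout in minutes for that temporary entry.
line vty 0 4
 login local
 autocommand access-enable host timeout 10
!
! Verification: the temporary entry appears under the "Dynamic test" line of
!   show access-lists 101
! once a user has authenticated, and disappears after the idle or absolute timeout.
```

Note that in the transcript, line 10 of access-list 101 already statically permits the same traffic as the dynamic entry, so the temporary entry never has to be created for the web access to succeed; in this example that static permit is replaced by the narrower permit for the authentication Telnet session, so the web traffic is allowed only after login.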

r2(config)#int s0/0
r2(config-if)#ip add 172.16.2.2 255.255.255.0
r2(config-if)#no sh
r2(config-if)#
*Mar 1 00:09:52.643: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 00:09:53.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r2(config-if)#
*Mar 1 00:10:22.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
r2(config-if)#
*Mar 1 00:12:22.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r2(config-if)#exit
r2(config)#router eigrp
% Incomplete command.

r2(config)#router eigrp 1
r2(config-router)#no au
r2(config-router)#net 172.16.2.0
r2(config-router)#no
*Mar 1 00:13:59.039: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.2.1 (Serial0/0) is up: new adjacency
r2(config-router)#

This post is from the “柯浩坚” blog; please contact the author before reposting.