Requirements analysis:
ping: PC1 must not be able to ping R1 but must be able to ping R2; PC2 must be able to ping R1 but must not be able to ping R2
telnet: PC1 must not be able to telnet to R2 but must be able to telnet to R1; PC2 must be able to telnet to R2 but must not be able to telnet to R1
Solution:
The ACL needed here is an advanced ACL, because both the source IP and the destination IP are given.
Of the three interfaces available, choose R1's G0/0/0 in the inbound direction: filtering there uses the fewest resources.
Thinking: R1 has two interfaces, G0/0/0 and G0/0/1, so the ACL policy has to cover both of them; in total 2+2+1+1 = 6 ACL rules are needed (every port must be guarded).
Configuration:
First, the basic configuration of R1 and R2:
// R2 configuration
[R2]interface G0/0/0
[R2-GigabitEthernet0/0/0]ip a
[R2-GigabitEthernet0/0/0]ip accounting
[R2-GigabitEthernet0/0/0]ip address 192.168.2.2 24
Nov 16 2021 20:08:12-08:00 R2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
// R1 configuration
[R1]interface G0/0/0
[R1-GigabitEthernet0/0/0]ip a
[R1-GigabitEthernet0/0/0]ip accounting
[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
Nov 16 2021 20:08:12-08:00 R2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
[R1]interface G0/0/1
[R1-GigabitEthernet0/0/1]ip a
[R1-GigabitEthernet0/0/1]ip accounting
[R1-GigabitEthernet0/0/1]ip address 192.168.1.2 24
Nov 16 2021 20:08:12-08:00 R2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP
on the interface GigabitEthernet0/0/0 has entered the UP state.
Next, configure Telnet access:
// Set up Telnet on R2: privilege level 15, password 654321 (cipher), username xlb
[R2]aaa
[R2-aaa]loca
[R2-aaa]local-user xlb pr
[R2-aaa]local-user xlb privilege
[R2-aaa]local-user xlb privilege l
[R2-aaa]local-user xlb privilege level 15 p
[R2-aaa]local-user xlb privilege level 15 password c
[R2-aaa]local-user xlb privilege level 15 password cipher 654321
Info: Add a new user.
// Give user xlb the telnet service type
[R2-aaa]loca
[R2-aaa]local-user xlb s
[R2-aaa]local-user xlb service-type t
[R2-aaa]local-user xlb service-type terminal
[R2-aaa]local-user xlb service-type telnet
[R2-aaa]q
// Assign the VTY lines
[R2]us
[R2]user-group
[R2]user-interface vty
[R2]user-interface vty 0 4
// Set the authentication mode
[R2-ui-vty0-4]au
[R2-ui-vty0-4]authentication-mode aaa
[R2-ui-vty0-4]q
//
// Set up Telnet on R1: privilege level 15, password 123456 (cipher), username lxb
[R1]aaa
[R1-aaa]loca
[R1-aaa]local-user lxb pr
[R1-aaa]local-user lxb privilege
[R1-aaa]local-user lxb privilege l
[R1-aaa]local-user lxb privilege level 15 p
[R1-aaa]local-user lxb privilege level 15 password c
[R1-aaa]local-user lxb privilege level 15 password cipher 123456
Info: Add a new user.
// Give user lxb the telnet service type
[R1-aaa]loca
[R1-aaa]local-user lxb s
[R1-aaa]local-user lxb service-type t
[R1-aaa]local-user lxb service-type terminal
[R1-aaa]local-user lxb service-type telnet
[R1-aaa]q
// Assign the VTY lines
[R1]us
[R1]user-group
[R1]user-interface vty
[R1]user-interface vty 0 4
// Set the authentication mode
[R1-ui-vty0-4]au
[R1-ui-vty0-4]authentication-mode aaa
[R1-ui-vty0-4]q
Now configure the ACL policy for R1's G0/0/0 interface:
// Excerpt only; 2+2+1+1 = 6 rules are needed in total
[R1-acl-adv-3000]rule 10 deny icmp source 192.168.1.11 0.0.0.0 destination 192.168.2.2 0.0.0.0
[R1-acl-adv-3000]di
[R1-acl-adv-3000]dialer
[R1-acl-adv-3000]display acl 3000
Advanced ACL 3000, 6 rules
Acl's step is 5
rule 5 deny tcp source 192.168.1.11 0 destination 192.168.1.1 0 destination-port eq telnet
rule 6 deny tcp source 192.168.1.11 0 destination 192.168.2.1 0 destination-port eq telnet
rule 7 deny icmp source 192.168.1.10 0 destination 192.168.1.1 0
rule 8 deny icmp source 192.168.1.10 0 destination 192.168.2.1 0
rule 9 deny tcp source 192.168.1.10 0 destination 192.168.2.2 0 destination-port eq telnet
rule 10 deny icmp source 192.168.1.11 0 destination 192.168.2.2 0
// Then apply ACL 3000 inbound on R1's G0/0/0
[R1]inter
[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]ta
[R1-GigabitEthernet0/0/0]tr
[R1-GigabitEthernet0/0/0]tracert
[R1-GigabitEthernet0/0/0]traffic-filter in
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
[R1-GigabitEthernet0/0/0]q
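Before applying an ACL it is worth checking the rule set against the requirement table offline, since an inbound traffic-filter with a wrong or missing rule silently permits the traffic. The script below is an added example, not part of the original lab write-up: it parses the six rules exactly as "display acl 3000" prints them, applies Huawei wildcard-mask and first-match semantics, and assumes (as on AR routers) that traffic-filter permits packets matching no rule; the PC addresses (PC1 = 192.168.1.10, PC2 = 192.168.1.11) are taken from the rules and the last-login log above.

```python
from ipaddress import IPv4Address
# Constructed copy of the six rules that "display acl 3000" prints in the write-up.
ACL_3000 = """
rule 5 deny tcp source 192.168.1.11 0 destination 192.168.1.1 0 destination-port eq telnet
rule 6 deny tcp source 192.168.1.11 0 destination 192.168.2.1 0 destination-port eq telnet
rule 7 deny icmp source 192.168.1.10 0 destination 192.168.1.1 0
rule 8 deny icmp source 192.168.1.10 0 destination 192.168.2.1 0
rule 9 deny tcp source 192.168.1.10 0 destination 192.168.2.2 0 destination-port eq telnet
rule 10 deny icmp source 192.168.1.11 0 destination 192.168.2.2 0
"""

def wildcard_match(addr, rule_addr, wildcard):
    # Huawei wildcard: 1 bits are "don't care"; the bare "0" in display output means 0.0.0.0 (exact host).
    w = 0 if wildcard == "0" else int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) | w) == (int(IPv4Address(rule_addr)) | w)

def parse_rule(line):
    t = line.split()  # rule <id> <action> <proto> source A W destination A W [destination-port eq P]
    rule, i = {"id": int(t[1]), "action": t[2], "proto": t[3], "dport": None}, 4
    while i < len(t):
        if t[i] in ("source", "destination"):
            rule[t[i]] = (t[i + 1], t[i + 2])
        elif t[i] == "destination-port" and t[i + 1] == "eq":
            rule["dport"] = {"telnet": 23}.get(t[i + 2]) or int(t[i + 2])
        else:
            raise ValueError(f"unsupported keyword {t[i]!r}")
        i += 3
    return rule

def filter_packet(rules, src, dst, proto, dport=None):
    # First match in rule-number order wins; unmatched packets are permitted (assumed traffic-filter default).
    for rule in sorted(rules, key=lambda r: r["id"]):
        if (rule["proto"] == proto and wildcard_match(src, *rule["source"])
                and wildcard_match(dst, *rule["destination"]) and rule["dport"] in (None, dport)):
            return rule["action"], rule["id"]
    return "permit", None

# Hosts from the write-up and the requirement table as (packet, expected action); "R1" covers both R1 interfaces.
PC1, PC2, R1_G0, R1_G1, R2_G0 = "192.168.1.10", "192.168.1.11", "192.168.1.1", "192.168.2.1", "192.168.2.2"
REQUIREMENTS = [
    ((PC1, R2_G0, "icmp"), "permit"), ((PC1, R1_G0, "icmp"), "deny"), ((PC1, R1_G1, "icmp"), "deny"),
    ((PC1, R1_G0, "tcp", 23), "permit"), ((PC1, R1_G1, "tcp", 23), "permit"), ((PC1, R2_G0, "tcp", 23), "deny"),
    ((PC2, R1_G0, "icmp"), "permit"), ((PC2, R1_G1, "icmp"), "permit"), ((PC2, R2_G0, "icmp"), "deny"),
    ((PC2, R2_G0, "tcp", 23), "permit"), ((PC2, R1_G0, "tcp", 23), "deny"), ((PC2, R1_G1, "tcp", 23), "deny"),
]

def unmet_requirements(acl_text=ACL_3000):
    # Cases where the ACL verdict differs from the requirement; an empty list means the policy is right.
    rules = [parse_rule(line) for line in acl_text.strip().splitlines()]
    return [(pkt, want) for pkt, want in REQUIREMENTS if filter_packet(rules, *pkt)[0] != want]
```

Running `unmet_requirements()` on the six rules returns an empty list; dropping a rule (for example rule 9) makes it report the case that is then wrongly permitted, which is the check to run before a rule set goes onto the interface.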
Now verify the ACL, starting with PC1
// PC1 pings R2's G0/0/0, then R1's G0/0/0 and G0/0/1
[PC 1]ping 192.168.2.2
PING 192.168.2.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=40 ms
Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=50 ms
Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=50 ms
Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=40 ms
Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=40 ms
--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/44/50 ms
[PC 1]ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[PC 1]ping 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
// PC1 telnets to R1 and R2
// telnet to R1's 192.168.1.1, username lxb, password 123456 (cipher)
<PC 1>telnet 192.168.1.1
Press CTRL_] to quit telnet mode
Trying 192.168.1.1 ...
Connected to 192.168.1.1 ...
Login authentication
Username:lxb
Password:
<R1>q
Configuration console exit, please retry to log on
The connection was closed by the remote host
// telnet to R1's 192.168.2.1, username lxb, password 123456 (cipher)
<PC 1>telnet 192.168.2.1
Press CTRL_] to quit telnet mode
Trying 192.168.2.1 ...
Connected to 192.168.2.1 ...
Login authentication
Username:lxb
Password:
-----------------------------------------------------------------------------
User last login information:
-----------------------------------------------------------------------------
Access Type: Telnet
IP-Address : 192.168.1.10
Time : 2021-11-16 20:57:49-08:00
-----------------------------------------------------------------------------
<R1>q
Configuration console exit, please retry to log on
The connection was closed by the remote host
// telnet to R2's 192.168.2.2 fails
<PC 1>telnet 192.168.2.2
Press CTRL_] to quit telnet mode
Trying 192.168.2.2 ...
Then test PC2
// PC2 ping tests
<PC 2>ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=30 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=40 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=50 ms
--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/44/50 ms
<PC 2>ping 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=60 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=40 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=60 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=50 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/52/60 ms
<PC 2>ping 192.168.2.2
PING 192.168.2.2: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
// PC2 telnet tests
<PC 2>telnet 192.168.2.2
Press CTRL_] to quit telnet mode
Trying 192.168.2.2 ...
Connected to 192.168.2.2 ...
Login authentication
Username:xlb
Password:
<R2>q
// R2's Telnet account is xlb, password 654321 (cipher)
Configuration console exit, please retry to log on
The connection was closed by the remote host
<PC 2>telnet 192.168.1.1
Press CTRL_] to quit telnet mode
Trying 192.168.1.1 ...
Error: Can't connect to the remote host
// cannot telnet to R1's G0/0/0
<PC 2>telnet 192.168.2.1
Press CTRL_] to quit telnet mode
Trying 192.168.2.1 ...
// cannot telnet to R1's G0/0/1
Done!