ACL comprehensive experiment



Purpose:
Through this experiment you can learn:
A. Standard ACLs
B. Extended ACLs
C. Time-based ACLs

Experiment topology:
Four routers, connected and addressed as in the configuration below; each router's loopback interface simulates its internal network. Requirements:
1. R1 is not allowed to access R4 or its internal network.
2. The 10.1.1.0 network segment is not allowed to ping or telnet R4 or its internal network during working hours (Monday to Friday).
3. R2 cannot ping R4.
4. The 10.2.2.0 network segment is not allowed to access R4 or its internal network.
5. Use the OSPF dynamic routing protocol. The experiment is carried out in a simulator.
The specific configuration is as follows:

1. Basic configuration and password settings
Router#
Router# conf terminal
Router(config)# no ip domain lookup
Router(config)# line console 0
Router(config-line)# logging synchronous
Router(config-line)# exec-timeout 0 0
Router(config-line)# exit
Router(config)#
Router(config)# enable password cisco
Router(config)# line vty 0 4
Router(config-line)# password ciscovty
Router(config-line)# login
Router(config-line)# hostname RX // the four routers are named R1, R2, R3 and R4 respectively

2. Configure the interface addresses. Taking R3 as an example:
R3(config)#
R3(config)# int f1/1
R3(config-if)# ip address 192.168.13.3 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# int f1/3
R3(config-if)# ip address 192.168.23.3 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# int s3/0
R3(config-if)# ip address 172.16.34.3 255.255.255.0
R3(config-if)# clock rate 64000
R3(config-if)# no shutdown
R3(config-if)#
3. Configure the OSPF routing protocol (the process ID is only locally significant, so each router may use a different one)
R1(config)#
R1(config)# router ospf 10
R1(config-router)# network 10.1.1.0 0.0.0.255 area 0
R1(config-router)# network 192.168.13.0 0.0.0.255 area 0
R1(config-router)# exit
R1(config)#

R2(config)#
R2(config)# router ospf 20
R2(config-router)# network 10.2.2.0 0.0.0.255 area 0
R2(config-router)# network 192.168.23.0 0.0.0.255 area 0
R2(config-router)# exit
R2(config)#

R3(config)#
R3(config)# router ospf 30
R3(config-router)# network 10.3.3.0 0.0.0.255 area 0
R3(config-router)# network 192.168.13.0 0.0.0.255 area 0
R3(config-router)# network 192.168.23.0 0.0.0.255 area 0
R3(config-router)# network 172.16.34.0 0.0.0.255 area 0
R3(config-router)# exit
R3(config)#

R4(config)#
R4(config)# router ospf 40
R4(config-router)# network 10.4.4.0 0.0.0.255 area 0
R4(config-router)# network 172.16.34.0 0.0.0.255 area 0
R4(config-router)# exit
R4(config)#
4. View the routes learned on R3
The output below shows that the entire network is interconnected and that all network segments can ping each other.
R3#
R3# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.13.0/24 is directly connected, FastEthernet1/1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.34.0 is directly connected, Serial3/0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O       10.2.2.2/32 [110/2] via 192.168.23.2, 00:00:43, FastEthernet1/3
C       10.3.3.0/24 is directly connected, Loopback0
O       10.1.1.1/32 [110/2] via 192.168.13.1, 00:00:43, FastEthernet1/1
O       10.4.4.4/32 [110/65] via 172.16.34.4, 00:00:43, Serial3/0
C    192.168.23.0/24 is directly connected, FastEthernet1/3
R3#
5. Configure the standard ACL to prohibit R1 and 10.2.2.0/24 from accessing R4 and its internal network.
This standard ACL is applied inbound on interface S3/0 of R4. Note that a standard ACL matches only the source address: the `host 192.168.13.1` entry blocks traffic sourced from R1's interface address, but not traffic R1 sources from its loopback 10.1.1.1 (the tests in step 8 show this).
R4(config)#
R4(config)# access-list 10 deny host 192.168.13.1
R4(config)# access-list 10 deny 10.2.2.0 0.0.0.255
R4(config)# access-list 10 permit any
R4(config)# int s3/0
R4(config-if)# ip access-group 10 in
R4(config-if)# end
R4#

6. Configure the extended ACL to prohibit R2 from pinging R4, and to prohibit the 10.1.1.0/24 segment from pinging or telnetting R4 and the 10.4.4.0/24 segment during working hours.
This extended ACL is applied outbound on interface S3/0 of R3.
R3(config)#
R3(config)# time-range time // defines the time range named "time"
R3(config-time-range)# periodic weekdays
R3(config-time-range)# exit
R3(config)# access-list 100 deny icmp host 192.168.23.2 host 172.16.34.4
R3(config)# access-list 100 deny icmp 10.1.1.0 0.0.0.255 any time-range time
R3(config)# access-list 100 deny tcp 10.1.1.0 0.0.0.255 any eq telnet time-range time
R3(config)# access-list 100 permit ip any any
R3(config)# int s3/0
R3(config-if)# ip access-group 100 out
R3(config-if)# end
R3#
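To make the matching logic of steps 5 and 6 concrete, here is an added Python model of how IOS evaluates these two ACLs (top-down, first match wins, wildcard masks, skipped time-range entries, implicit deny). It is example code written for this page, not IOS or the author's configuration; the working hours in WORK_HOURS are an assumption, since the page does not show the hours of its time-range.

```python
import ipaddress
from datetime import datetime, time

# Added example (not IOS code): a minimal model of how IOS evaluates this lab's two ACLs.
WORK_HOURS = (time(8, 0), time(18, 0))  # ASSUMED; the page does not show the time-range hours
ANY = ("0.0.0.0", "255.255.255.255")     # `any` == base 0.0.0.0 with wildcard 255.255.255.255

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match exactly."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def time_range_active(now):
    """Models `time-range time` / `periodic weekdays`: Monday to Friday inside WORK_HOURS."""
    return now.weekday() < 5 and WORK_HOURS[0] <= now.time() < WORK_HOURS[1]

# Entry: (action, protocol, (src base, src wildcard), (dst base, dst wildcard), dst port, time-range)
ACL_10 = [  # standard ACL, R4 S3/0 inbound: matches on the source address only
    ("deny", "ip", ("192.168.13.1", "0.0.0.0"), ANY, None, None),
    ("deny", "ip", ("10.2.2.0", "0.0.0.255"), ANY, None, None),
    ("permit", "ip", ANY, ANY, None, None),
]
ACL_100 = [  # extended ACL, R3 S3/0 outbound
    ("deny", "icmp", ("192.168.23.2", "0.0.0.0"), ("172.16.34.4", "0.0.0.0"), None, None),
    ("deny", "icmp", ("10.1.1.0", "0.0.0.255"), ANY, None, time_range_active),
    ("deny", "tcp", ("10.1.1.0", "0.0.0.255"), ANY, 23, time_range_active),
    ("permit", "ip", ANY, ANY, None, None),
]

def evaluate(acl, proto, src, dst, dport=None, now=None):
    """Top-down, first match wins; an entry whose time-range is inactive is skipped;
    anything unmatched hits the implicit deny. `now` may be an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    for action, p, (sb, sw), (db, dw), port, trange in acl:
        if p != "ip" and p != proto: continue                      # protocol mismatch
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)): continue
        if port is not None and port != dport: continue            # destination port mismatch
        if trange is not None and not trange(now): continue        # time-range not active now
        return action
    return "deny"

def path_to_r4(proto, src, dst, dport=None, now=None):
    """R1/R2 -> R4 traffic crosses ACL 100 (R3 outbound) first, then ACL 10 (R4 inbound)."""
    if evaluate(ACL_100, proto, src, dst, dport, now) == "deny":
        return "deny@R3"
    if evaluate(ACL_10, proto, src, dst, dport, now) == "deny":
        return "deny@R4"
    return "permit"
```

Feeding it the packets from the step 8 tests (Sun Nov 21 2010 off hours, Mon Nov 22 2010 16:30 working hours) reproduces each result, including the permitted off-hours ping from 10.1.1.1 that the source-only standard ACL cannot catch.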
7. View the ACLs
R3#
R3# show time-range
time-range entry: time (active)
   periodic weekdays
   used in: IP ACL entry
   used in: IP ACL entry
R3#
R3# show access-lists
Extended IP access list 100
    10 deny icmp host 192.168.23.2 host 172.16.34.4 (16 matches)
    20 deny icmp 10.1.1.0 0.0.0.255 any time-range time (active) (16 matches)
    30 deny tcp 10.1.1.0 0.0.0.255 any eq telnet time-range time (active) (6 matches)
    40 permit ip any any (133 matches)
R3#

R4#
R4# show access-lists
Standard IP access list 10
    10 deny 192.168.13.1
    20 deny 10.2.2.0, wildcard bits 0.0.0.255 (19 matches)
    30 permit any (737 matches)
R4#
8. Test, and view the route entries learned by R3
R3#
R3# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.13.0/24 is directly connected, FastEthernet1/1
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.34.0 is directly connected, Serial3/0
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O       10.2.2.2/32 [110/2] via 192.168.23.2, 00:03:00, FastEthernet1/3
C       10.3.3.0/24 is directly connected, Loopback0
O       10.1.1.1/32 [110/2] via 192.168.13.1, 00:03:00, FastEthernet1/1
O       10.4.4.4/32 [110/65] via 172.16.34.4, 00:03:00, Serial3/0
C    192.168.23.0/24 is directly connected, FastEthernet1/3

The above shows that the routes learned by R3 are the same as those viewed earlier. After testing, R3 can still ping every address in the network (packets that R3 itself originates are not filtered by the outbound ACL on R3, and ACL 10 on R4 does not deny any of R3's addresses).
====================================================
R1 ping R4
R1# ping 172.16.34.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
---------------------------------------------------
R1 telnet R4
R1# telnet 172.16.34.4
Trying 172.16.34.4 ...
% Destination unreachable; gateway or host down
---------------------------------------------------
R1 ping 10.4.4.4
R1# ping 10.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

The above shows that R1 cannot access R4 or its internal network segment.
====================================================
(Set the clock on R3 with the command clock set hh:mm:ss month day year, and check it with show clock.)
10.1.1.1 ping R4 during off-work time (16:30:06.587 UTC Sun Nov 21 2010)
R1# ping 172.16.34.4 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/48/92 ms
---------------------------------------------------
10.1.1.1 telnet R4 during off-work time (18:31:42.871 UTC Mon Nov 22 2010)
R1# telnet 172.16.34.4 /source-interface lo0
Trying 172.16.34.4 ... Open
---------------------------------------------------
10.1.1.1 ping 10.4.4.4 during working time (16:30:16.531 UTC Mon Nov 22 2010)
R1# ping 10.4.4.4 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
U.U.U
Success rate is 0 percent (0/5)
---------------------------------------------------
10.1.1.1 telnet R4 during working time (16:32:04.331 UTC Mon Nov 22 2010)
R1# telnet 172.16.34.4 /source-interface lo0
Trying 172.16.34.4 ...
% Destination unreachable; gateway or host down

The above shows that during working hours the 10.1.1.0 network segment can neither ping nor telnet R4 or its internal network.
====================================================
R2 ping R4
R2# ping 172.16.34.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
---------------------------------------------------
R2 ping 10.4.4.4
R2# ping 10.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/58/120 ms
---------------------------------------------------
R2 telnet R4
R2# telnet 172.16.34.4
Trying 172.16.34.4 ... Open

The above shows that R2 cannot ping R4, but it can telnet to R4 and can communicate with R4's internal network.
====================================================
10.2.2.2 ping R4
R2# ping 172.16.34.4 source 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.34.4, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
U.U.U
Success rate is 0 percent (0/5)
---------------------------------------------------
10.2.2.2 ping 10.4.4.4
R2# ping 10.4.4.4 source 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
U.U.U
Success rate is 0 percent (0/5)
---------------------------------------------------
10.2.2.2 telnet 172.16.34.4
R2# telnet 172.16.34.4 /source-interface lo0
Trying 172.16.34.4 ...
% Destination unreachable; gateway or host down

The above shows that the 10.2.2.0 network segment cannot access R4 or its internal network segment.
====================================================
