Lab environment description:
1. Set the IP address of the Fa0/0 interface of router R1 to 192.168.0.1/24, and the IP address of interface S1/2 to 192.168.1.1/24;
2. Set the IP address of the Fa0/0 interface of router R2 to 192.168.2.2/24, and the IP address of interface S1/2 to 192.168.1.2/24;
3. Set the IP address of the Fa0/0 interface of router R3 to 192.168.0.3/24 and disable IP routing so that R3 behaves like a PC;
Lab requirements:
1. Configure an access control list on R2 so that R3 cannot telnet to R2;
2. Configure an access control list on R1 so that R1 cannot ping R2.
Experiment topology: (the diagram is not reproduced here; from the addressing, R3 Fa0/0 and R1 Fa0/0 are both on SW1 in 192.168.0.0/24, and R1 S1/2 connects to R2 S1/2 over a serial link in 192.168.1.0/24)
Basic configuration of the experiment environment:
R1 configuration list:
1. Configure the IP address for the Fa0/0 interface of R1 and set it to 100 Mb/s full duplex:
R1 (config) # int fa0/0
R1 (config-if) # speed 100
R1 (config-if) # duplex full
R1 (config-if) # ip add 192.168.0.1 255.255.255.0
R1 (config-if) # no shut
R1 (config-if) # exit
2. Configure the IP address for the S1/2 interface of R1:
R1 (config) # int s1/2
R1 (config-if) # ip add 192.168.1.1 255.255.255.0
R1 (config-if) # no shut
R1 (config-if) # exit
R2 configuration list:
1. Configure the IP address for the Fa0/0 interface of R2 and set it to 100 Mb/s full duplex:
R2 (config) # int fa0/0
R2 (config-if) # speed 100
R2 (config-if) # duplex full
R2 (config-if) # ip add 192.168.2.2 255.255.255.0
R2 (config-if) # no shut
R2 (config-if) # exit
2. Configure the IP address for the S1/2 interface of R2:
R2 (config) # int s1/2
R2 (config-if) # ip add 192.168.1.2 255.255.255.0
R2 (config-if) # no shut
R2 (config-if) # exit
3. Add a static route on R2 to communicate with R3:
R2 (config) # ip route 192.168.0.0 255.255.255.0 192.168.1.1
4. Set the enable password and the vty line password on R2 so that the Telnet test that follows can log in (vty lines have login enabled by default, so the line password is enforced as soon as it is set). Note that enable password stores the password reversibly and Telnet carries it in cleartext; this is acceptable only in a lab, and in production enable secret and SSH (transport input ssh) are the right choices:
R2 (config) # enable password 123456
R2 (config) # line vty 0 4
R2 (config-line) # password 123456
R2 (config-line) # exit
R3 configuration list:
R3 (config) # no ip routing // disable routing to simulate a PC
R3 (config) # ip default-gateway 192.168.0.1 // with routing disabled, R3 needs a default gateway (R1) to reach 192.168.1.2
R3 (config) # int fa0/0
R3 (config-if) # speed 100
R3 (config-if) # duplex full
R3 (config-if) # ip add 192.168.0.3 255.255.255.0
R3 (config-if) # no shut
R3 (config-if) # exit
SW1 configuration list:
Set the fa1/13, fa1/14, and fa1/15 interfaces to 100 Mb/s full duplex:
SW1 (config) # int fa1/13
SW1 (config-if) # speed 100
SW1 (config-if) # duplex full
SW1 (config-if) # exit
SW1 (config) # int fa1/14
SW1 (config-if) # speed 100
SW1 (config-if) # duplex full
SW1 (config-if) # exit
SW1 (config) # int fa1/15
SW1 (config-if) # speed 100
SW1 (config-if) # duplex full
SW1 (config-if) # exit
After the basic configuration is complete, we test a Telnet session from R3 to R2. The result is as follows:
R3 # telnet 192.168.1.2
Trying 192.168.1.2... Open
User Access Verification
Password:
R2> en
Password:
R2 # exit
[Connection to 192.168.1.2 closed by foreign host]
The above result shows that the basic configuration is correct. Now we configure the access control list on R2 to implement requirement 1, "R3 cannot telnet to R2". Because only one router simulates a PC in this topology, the list denies R3's source address and permits every other host to reach R2.
Implementation of lab requirement 1:
1. Configure a standard access control list on R2 that denies R3's source address and permits everything else (a standard list matches on source address only, and every list ends with an implicit deny, so the permit any entry is what keeps the other hosts' access working):
R2 (config) # access-list 50 deny host 192.168.0.3
R2 (config) # access-list 50 permit any
2. Apply the access control list to the vty lines with access-class (this filters Telnet sessions to the router itself; ip access-group on an interface would filter transit traffic instead):
R2 (config) # line vty 0 4
R2 (config-line) # access-class 50 in
R2 (config-line) # exit
After configuring the access control list, let's verify:
R3 # telnet 192.168.1.2
Trying 192.168.1.2...
% Connection refused by remote host
The message is "Connection refused by remote host": R3 does reach R2, but R2 refuses the Telnet session because the vty access-class denies R3's source address. Let's check that the access control list on R2 recorded a match for the deny entry:
R2 # show access-lists
Standard IP access list 50
10 deny 192.168.0.3 (1 match)
20 permit any
Access from R3 (192.168.0.3) is rejected, and the counter on entry 10 shows the match. If the IP address of R3 is changed to 192.168.0.4, it can telnet to R2 again, which confirms the second entry in the list, permit any.
Implementation of lab requirement 2:
An interface access control list only filters traffic that passes through the router; it is not applied to packets the router itself generates. The ping command sends packets generated by the router, so an outbound list on R1 would never see R1's own echo requests. We therefore change our approach: instead of the outgoing echo request we block the returning echo reply from R2 inbound on S1/2, and R1's ping fails. Because this matches on protocol and ICMP message type, an extended access control list is needed:
1. Configure the access control list on R1 (an extended entry needs both a source and a destination, so the permit entry is permit ip any any):
R1 (config) # access-list 105 deny icmp host 192.168.1.2 host 192.168.1.1 echo-reply
R1 (config) # access-list 105 permit ip any any
2. Apply the access control list inbound on the S1/2 interface of R1:
R1 (config) # int s1/2
R1 (config-if) # ip access-group 105 in
Next, ping R2 from R1. The result is as follows:
R1 # ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The above result shows that R1 cannot ping R2. Now let's check the access control list on R1 (the match counter is cumulative, so it counts every denied echo reply since the list was applied, not only the five from this ping):
R1 # show access-lists
Extended IP access list 105
10 deny icmp host 192.168.1.2 host 192.168.1.1 echo-reply (15 matches)
20 permit ip any any
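To make the matching rules behind both lists concrete, here is an added Python model of the ACL semantics the two requirements rely on. It is example code written for this page, not part of the original lab and not IOS itself: it models top-down first-match evaluation, the implicit deny at the end of every list, wildcard masks (a 1 bit means the bit is not compared), and the exemption of router-generated traffic from outbound interface lists that forces requirement 2 to filter the echo reply inbound. ACL_50 and ACL_105 are transcribed from the lab above; the packets, the NAIVE_OUT counter-example list, and function names such as r1_ping_r2 are the example's own constructions.

```python
"""Added model of the Cisco IOS ACL semantics used in this lab (example code,
not part of the original lab or of IOS). Rules modelled:
  * entries are tried top-down and the first match decides,
  * an implicit deny ends every list,
  * a wildcard-mask bit of 1 means 'do not compare this bit',
  * an outbound interface ACL is not applied to packets the router itself
    generates, which is why requirement 2 filters the echo-reply inbound.
ACL_50 and ACL_105 are transcribed from the lab; packets and NAIVE_OUT are
constructed for this example."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

AddrSpec = Tuple[str, str]                      # (base address, wildcard mask)
ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")  # IOS keyword 'any'


def host(ip: str) -> AddrSpec:
    """IOS 'host A.B.C.D' is shorthand for wildcard 0.0.0.0 (compare every bit)."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    base, wild = spec
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wild))
    care = ~w & 0xFFFFFFFF                      # bits the mask says must be equal
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                                  # "icmp", "tcp", "udp", ...
    icmp_type: Optional[str] = None             # "echo" / "echo-reply" for ICMP


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                                 # "permit" or "deny"
    proto: str = "ip"                           # "ip" matches every protocol
    src: AddrSpec = ANY
    dst: AddrSpec = ANY                         # standard lists look at src only, so dst stays ANY
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return wildcard_match(p.src, self.src) and wildcard_match(p.dst, self.dst)


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; otherwise the implicit deny (seq None) applies."""
    for e in acl:
        if e.matches(p):
            return (e.action, e.seq)
    return ("deny", None)


# access-list 50 (standard), applied on R2 with 'access-class 50 in' on line vty 0 4.
ACL_50 = [Entry(10, "deny", src=host("192.168.0.3")),
          Entry(20, "permit", src=ANY)]

# access-list 105 (extended), applied on R1 with 'ip access-group 105 in' on S1/2.
ACL_105 = [Entry(10, "deny", "icmp", host("192.168.1.2"), host("192.168.1.1"), "echo-reply"),
           Entry(20, "permit", "ip", ANY, ANY)]

# Constructed counter-example: trying to block R1's own echo requests outbound.
NAIVE_OUT = [Entry(10, "deny", "icmp", host("192.168.1.1"), host("192.168.1.2"), "echo"),
             Entry(20, "permit", "ip", ANY, ANY)]


def interface_acl(acl: Optional[List[Entry]], p: Packet, locally_generated: bool = False) -> str:
    """Verdict of an interface ACL. IOS skips outbound ACLs for router-generated packets."""
    if acl is None or locally_generated:
        return "permit"
    return evaluate(acl, p)[0]


def r3_telnet_r2(r3_addr: str) -> Tuple[str, Optional[int]]:
    """The access-class check R2 runs when a Telnet session arrives on a vty line."""
    return evaluate(ACL_50, Packet(r3_addr, "192.168.1.2", "tcp"))


def r1_ping_r2(acl_in: Optional[List[Entry]] = None, acl_out: Optional[List[Entry]] = None) -> bool:
    """R1 pings 192.168.1.2 with optional ACLs on S1/2; True if the reply gets back."""
    echo = Packet("192.168.1.1", "192.168.1.2", "icmp", "echo")
    reply = Packet("192.168.1.2", "192.168.1.1", "icmp", "echo-reply")
    if interface_acl(acl_out, echo, locally_generated=True) == "deny":
        return False                            # never taken: R1's own echo bypasses acl_out
    return interface_acl(acl_in, reply) == "permit"   # the reply is transit traffic and is filtered


def r2_ping_r1(acl_in: Optional[List[Entry]] = None) -> bool:
    """R2 pings R1: its echo is transit traffic for R1's inbound list, R1's reply is router-generated."""
    echo = Packet("192.168.1.2", "192.168.1.1", "icmp", "echo")
    return interface_acl(acl_in, echo) == "permit"


if __name__ == "__main__":
    print("R3 telnet R2           :", r3_telnet_r2("192.168.0.3"))      # ('deny', 10)
    print("R3 as .4 telnet R2     :", r3_telnet_r2("192.168.0.4"))      # ('permit', 20)
    print("R1 ping R2, ACL 105 in :", r1_ping_r2(acl_in=ACL_105))       # False
    print("R1 ping R2, naive out  :", r1_ping_r2(acl_out=NAIVE_OUT))    # True
    print("R2 ping R1, ACL 105 in :", r2_ping_r1(acl_in=ACL_105))       # True
```

Running it reproduces the lab's observations (R3 denied on entry 10, 192.168.0.4 permitted on entry 20, R1's ping failing once list 105 is inbound on S1/2) and two things the lab only states in prose: a list without its permit any falls through to the implicit deny, and the naive outbound list never stops R1's own echo requests because IOS does not run outbound ACLs on router-generated traffic.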
Now the experiment is complete. Note the scope of what was filtered: list 105 denies only echo replies from 192.168.1.2 to 192.168.1.1, so R2 can still ping R1 (its echo request is permitted by entry 20, and R1's reply is router-generated and therefore not filtered), and other traffic between R1 and R2, such as Telnet, is unaffected.