ACL (Access Control List) Experiment

Source: Internet
Author: User


The experiment topology is shown in the figure (not reproduced here).

Tasks:

1. Configure the IP addresses: R1 and R3 Loopback0 = x.x.x.x/24, serial link addresses = 192.168.yx.x/24.
2. Use RIP to advertise the networks and test connectivity.
3. Configure the VTY lines and the privileged password cisco on R1 and R3, and test whether the routers can be configured through Telnet.

Configure R1:

    R1(config)# int s0/3/0
    R1(config-if)# clo rat 64000
    R1(config-if)# ip add 192.168.21.1 255.255.255.0
    R1(config-if)# no sh
    R1(config-if)# exit
    R1(config)# int l 0
    R1(config-if)# ip add 1.1.1.1 255.255.255.0
    R1(config-if)# exit
    R1(config)# router rip
    R1(config-router)# net 1.0.0.0
    R1(config-router)# net 192.168.21.0
    R1(config-router)# exit
    R1(config)# ena pass cisco
    R1(config)# line vty 0 4
    R1(config-line)# pass cisco

    R1# tel 3.3.3.3
    Trying 3.3.3.3 ...
    User Access Verification
    Password:
    R3> en                (R1 telnet R3 successful)
    Password:
    R3#

Configure R2:

    R2(config)# int s0/3/1
    R2(config-if)# cl ra 64000
    R2(config-if)# no sh
    R2(config-if)# ip add 192.168.32.2 255.255.255.0
    R2(config-if)# int s0/3/0
    R2(config-if)# no sh
    R2(config-if)# ip add 192.168.21.2 255.255.255.0
    R2(config-if)# exit
    R2(config)# router rip
    R2(config-router)# net 192.168.21.0
    R2(config-router)# net 192.168.32.0

Configure R3:

    R3(config)# int s0/3/0
    R3(config-if)# no sh
    %LINK-5-CHANGED: Interface Serial0/3/0, changed state to up
    R3(config-if)#
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to up
    R3(config-if)# ip add 192.168.32.3 255.255.255.0
    R3(config-if)# int l 0
    %LINK-5-CHANGED: Interface Loopback0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
    R3(config-if)#
    R3(config-if)# ip add 3.3.3.3 255.255.255.0
    R3(config-if)# exit
    R3(config)# router rip
    R3(config-router)# net 192.168.32.0
    R3(config-router)# net 3.0.0.0
    R3(config)# ena pass cisco
    R3(config)# line vty 0 4
    R3(config-line)# pass cisco
    R3(config-line)#

4. Deny R2 access to R1. Can R3 still ping s0/3/0 of R1? Then clear the routing table (or the neighbor information) on R1 and check connectivity again: R1 ping R2/R3. Why does the ping fail? (The ping succeeds at first because the routing table has not yet been updated; after the routing table is cleared the ping fails because of the ACL: it also drops the RIP updates that R2 sends from 192.168.21.2, so R1 never relearns the routes to 192.168.32.0/24 and 3.0.0.0/8.)

Configure on R1:

    R1(config)# access-list 1 deny 192.168.21.2
    R1(config)# access-list 1 deny 192.168.32.2
    R1(config)# access-list 1 per any
    R1(config)# int s0/3/0
    R1(config-if)# ip acc
    R1(config-if)# ip access-group 1 in
    R1(config-if)# exi
    R1(config)# exi
    R1# sh ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is not set

         1.0.0.0/24 is subnetted, 1 subnets
    C       1.1.1.0 is directly connected, Loopback0
    R    3.0.0.0/8 [120/2] via 192.168.21.2, 00:00:35, Serial0/3/0
    C    192.168.21.0/24 is directly connected, Serial0/3/0
    R    192.168.32.0/24 [120/1] via 192.168.21.2, 00:00:35, Serial0/3/0

    R1# clear ip route *
    R1# sh ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is not set

         1.0.0.0/24 is subnetted, 1 subnets
    C       1.1.1.0 is directly connected, Loopback0
    C    192.168.21.0/24 is directly connected, Serial0/3/0

    R3# ping 1.1.1.1               (before the routing table on R1 is cleared)
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 62/62/63 ms

    R3# ping 1.1.1.1               (after the routing table on R1 is cleared)
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

5. (First delete the previous ACL configuration.) Use an extended ACL to prevent R1 from telnetting to R3. The ACL is configured on R3:

    R1# conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)# no acc
    R1(config)# no access-list 1

    R3(config)# access-list 101 deny tcp host 1.1.1.1 host 192.168.32.3 eq 23
    R3(config)# acc 101 deny tcp ho 192.168.21.1 ho 192.168.32.3 ea 23
                                                                 ^
    % Invalid input detected at '^' marker.
    R3(config)# acc 101 deny tcp ho 192.168.21.1 ho 192.168.32.3 eq 23
    R3(config)# acc 101 per ip any any
    R3(config)# int s0/3/0
    R3(config-if)# ip acc
    R3(config-if)# ip access-group 101 in

    R1# tel 192.168.32.3
    Trying 192.168.32.3 ...
    % Connection timed out; remote host not responding
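The two ACLs of this lab evaluated in software, as an added example that is not part of the original write-up: it models IOS first-match evaluation with the implicit deny and shows why ACL 1 on R1 also discards R2's RIP updates (the cause of the failed ping after clear ip route *), and why the second entry of ACL 101 is the one that actually stops R1's Telnet, since R1 sources it from 192.168.21.1 rather than from Loopback0. The function names and the packet descriptions are constructed for the example; the addresses and ACL entries are the lab's own.

```python
import ipaddress

def wc(addr, wildcard="0.0.0.0"):
    """Convert an IOS address/wildcard pair to a network (contiguous wildcards only)."""
    bits = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)

ANY = wc("0.0.0.0", "255.255.255.255")  # 'any'
HOST = wc                               # 'host x' is 'x 0.0.0.0'

# Standard ACL 1 from the lab (inbound on R1 s0/3/0): matches on source only.
ACL_1 = [("deny", HOST("192.168.21.2")), ("deny", HOST("192.168.32.2")), ("permit", ANY)]
# Extended ACL 101 from the lab (inbound on R3 s0/3/0): (action, proto, src, dst, dst port).
ACL_101 = [
    ("deny", "tcp", HOST("1.1.1.1"), HOST("192.168.32.3"), 23),
    ("deny", "tcp", HOST("192.168.21.1"), HOST("192.168.32.3"), 23),
    ("permit", "ip", ANY, ANY, None),
]

def std_acl(acl, src):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    src = ipaddress.ip_address(src)
    for action, net in acl:
        if src in net:
            return action
    return "deny"

def ext_acl(acl, proto, src, dst, dport=None):
    """Same first-match rule, but on protocol, source, destination and destination port."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, port in acl:
        if p in ("ip", proto) and src in s and dst in d and port in (None, dport):
            return action
    return "deny"

def lab_results():
    """Packets seen in the lab, evaluated against the ACL on the interface they enter."""
    telnet = ("tcp", "192.168.21.1", "192.168.32.3", 23)  # R1's Telnet leaves via s0/3/0,
    return {                                              # so it is sourced from 192.168.21.1
        # R2's RIP update enters R1 s0/3/0 from 192.168.21.2: ACL 1 drops it, so after
        # 'clear ip route *' R1 never relearns 192.168.32.0/24 and 3.0.0.0/8.
        "rip_from_r2_on_r1": std_acl(ACL_1, "192.168.21.2"),
        "icmp_from_r3_on_r1": std_acl(ACL_1, "192.168.32.3"),
        "telnet_r1_on_r3": ext_acl(ACL_101, *telnet),
        # Without the second entry the Telnet would be permitted (1.1.1.1 never matches).
        "telnet_without_second_entry": ext_acl(ACL_101[:1] + ACL_101[2:], *telnet),
        "ping_r1_on_r3": ext_acl(ACL_101, "icmp", "192.168.21.1", "192.168.32.3"),
    }
```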
