Lab: One-way ACL ping
Author: 锋.com Date: 2010-08-29
1. Lab topology:
2. Lab requirements:
(1) PC1 can ping PC2
(2) PC2 cannot ping PC1
3. Configuration steps:
r1 configuration:
Router>enable
Router#configure terminal
Router(config)#hostname r1
r1(config)#enable secret cisco
r1(config)#no ip domain-lookup
r1(config)#line console 0
r1(config-line)#no exec-timeout
r1(config-line)#logging synchronous
r1(config-line)#exit
r1(config)#interface f0/0
r1(config-if)#ip address 1.1.1.1 255.255.255.0
r1(config-if)#no shutdown
r1(config-if)#exit
r1(config)#interface s0/0
r1(config-if)#ip address 2.2.2.1 255.255.255.0
//The command show controllers serial 0/0 shows that this interface is the DTE end, so no clock rate needs to be configured
r1(config-if)#no shutdown
r1(config-if)#exit
r1(config)#ip route 3.3.3.0 255.255.255.0 2.2.2.2
r1(config)#exit
r1#ping 3.3.3.2 //test network connectivity
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 62/62/63 ms
r1#show ip route //view the routing table
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Serial0/0
3.0.0.0/24 is subnetted, 1 subnets
S 3.3.3.0 [1/0] via 2.2.2.2
---------------------------------------------------------------------------------------------------------
r2 configuration:
Router>enable
Router#configure terminal
Router(config)#hostname r2
r2(config)#no ip domain-lookup
r2(config)#enable secret cisco
r2(config)#line console 0
r2(config-line)#no exec-timeout
r2(config-line)#logging synchronous
r2(config-line)#exit
r2(config)#interface f0/0
r2(config-if)#ip address 3.3.3.1 255.255.255.0
r2(config-if)#no shutdown
r2(config-if)#exit
r2(config)#interface s0/0
r2(config-if)#ip address 2.2.2.2 255.255.255.0
//The command show controllers serial 0/0 shows that this interface is the DCE end, so a clock rate must be configured
r2(config-if)#clock rate 64000
r2(config-if)#no shutdown
r2(config-if)#exit
r2(config)#ip route 1.1.1.0 255.255.255.0 2.2.2.1
r2(config)#exit
r2#ping 1.1.1.2 //test network connectivity
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 63/66/78 ms
r2#show ip route //view the routing table
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
S 1.1.1.0 [1/0] via 2.2.2.1
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Serial0/0
3.0.0.0/24 is subnetted, 1 subnets
C 3.3.3.0 is directly connected, FastEthernet0/0
---------------------------------------------------------------------------------------------------------
Test before configuring the access control list
PC1 ping PC2
PC2 ping PC1
---------------------------------------------------------------------------------------------------------
r2#configure terminal
r2(config)#access-list 101 permit icmp 3.3.3.0 0.0.0.255 any 0
//Configure the access control list. Rule 1 permits ICMP echo replies from source network 3.3.3.0 to any network ("0" is the ICMP type for echo reply)
r2(config)#access-list 101 deny icmp 3.3.3.0 0.0.0.255 any
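//Rule 2 denies ICMP packets from source network 3.3.3.0 to any network (requests and replies alike; echo replies have already been matched by rule 1)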
r2(config)#access-list 101 permit ip any any
//Rule 3 permits IP packets from any network to any network
r2(config)#interface f0/0 //bind the access control list to interface f0/0
r2(config-if)#ip access-group 101 in
r2(config-if)#exit
r2(config)#exit
---------------------------------------------------------------------------------------------------------
Test after configuring the access control list
PC1 ping PC2
PC2 ping PC1
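The first-match logic of access-list 101 above, as an added example that is not part of the original post: a small Python model of the three rules, evaluated against constructed packets arriving inbound on r2's f0/0. PC2's address 3.3.3.2 and all helper names are assumptions. The model also shows that the ACL is stateless: any echo reply from 3.3.3.0/24 is permitted, whether or not PC1 sent a request.

```python
import ipaddress

# The three rules of access-list 101 from the page, in order.
# Fields: action, protocol, source network, wildcard mask, ICMP type (None = any).
ACL_101 = [
    ("permit", "icmp", "3.3.3.0", "0.0.0.255", 0),           # rule 1: echo reply only
    ("deny",   "icmp", "3.3.3.0", "0.0.0.255", None),        # rule 2: all other ICMP
    ("permit", "ip",   "0.0.0.0", "255.255.255.255", None),  # rule 3: permit ip any any
]

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard semantics: bits set to 1 in the wildcard are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def evaluate(acl, proto, src, icmp_type=None):
    """Return (action, rule number) of the first matching rule.
    The destination is 'any' in every rule on the page, so it is not modelled."""
    for number, (action, rule_proto, net, wildcard, rule_type) in enumerate(acl, start=1):
        if rule_proto != "ip" and rule_proto != proto:
            continue  # "ip" matches every protocol carried over IP
        if not wildcard_match(src, net, wildcard):
            continue
        if rule_type is not None and rule_type != icmp_type:
            continue
        return action, number
    return "deny", 0  # implicit deny at the end of every IOS ACL

# Constructed sample packets (assumption: PC2 is 3.3.3.2, as pinged from r1).
SAMPLES = {
    "PC2 echo request to PC1 (type 8)": ("icmp", "3.3.3.2", 8),
    "PC2 echo reply to PC1 (type 0)": ("icmp", "3.3.3.2", 0),
    "PC2 destination unreachable (type 3)": ("icmp", "3.3.3.2", 3),
    "PC2 TCP traffic": ("tcp", "3.3.3.2", None),
}

if __name__ == "__main__":
    for name, (proto, src, icmp_type) in SAMPLES.items():
        print(name, "->", evaluate(ACL_101, proto, src, icmp_type))
```

Rule 2 also drops ICMP error messages sourced from 3.3.3.0/24, such as destination unreachable, which is a side effect to weigh before reusing this ACL outside a lab.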
锋.com blog http://www.feelfeng.com
[This entry was edited by 锋.com on 2011-03-04 11:23 AM]
Source: original to this site

