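NA-NP-IE Series Lab 39: Dynamic ACL
Lab 39: Dynamic ACL
1. Lab objectives
After completing this lab you will understand:
(1) How dynamic ACLs work
(2) How to configure a dynamic ACL
(3) How to debug a dynamic ACL
2. Topology
The lab topology is shown in the figure.
3. Lab steps
Note: Dynamic ACL is a Cisco IOS security feature that lets a user temporarily open a hole in the firewall without breaking the other security restrictions that are already configured.
The requirement in this lab: if the network segment where PC0 resides wants to access the WWW service on router R1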
r0(config)#int f1/0
r0(config-if)#ip add 192.168.64.10 255.255.255.0
r0(config-if)#no sh
r0(config-if)#do ping 192
*Mar 1 00:10:48.919: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Mar 1 00:10:49.919: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
r0(config-if)#do ping 192.168.64.134
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.64.134, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/18/36 ms
r0(config-if)#exit
r0(config)#int s0/0
r0(config-if)#ip add 172.16.1.1 255.255.255.0
r0(config-if)#no sh
r0(config-if)#
*Mar 1 00:11:19.499: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 00:11:20.499: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r0(config-if)#
*Mar 1 00:11:43.259: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
r0(config-if)#
*Mar 1 00:12:13.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r0(config-if)#exit
r0(config)#router eigrp 1
r0(config-router)#no au
r0(config-router)#net 172.16.1.0
r0(config-router)#net
*Mar 1 00:14:19.343: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.2 (Serial0/0) is up: new adjacency
r0(config-router)#net 192.168.64.0
r0(config-router)#
r0(config-router)#do ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/32/60 ms
r0(config-router)#do ping 192.168.64.134
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.64.134, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/23/40 ms
r0(config-router)#exit
r0(config-if)#exit
*Mar 1 00:31:15.763: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.2 (Serial0/0) is up: new adjacency
R1(config)#int s0/1
r1(config-if)#ip add 172.16.2.1 255.255.255.0
r1(config-if)#no sh
r1(config-if)#
*Mar 1 00:12:17.699: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
*Mar 1 00:12:18.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
R1(config-if)#exit
r1(config)#router eigrp 1
r1(config-router)#no au
r1(config-router)#net 172.16.2.0
r1(config-router)#net 1.1.1.0
r1(config-router)#net 172.16.1.0
r1(config-router)#exit
r1(config)#
*Mar 1 00:13:59.363: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.2.2 (Serial0/1) is up: new adjacency
r1(config)#
*Mar 1 00:14:18.843: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is up: new adjacency
r1(config)#do sh ip int b
Interface IP-Address OK? Method Status Protocol
Serial0/0 172.16.1.2 YES manual up up
Serial0/1 172.16.2.1 YES manual up up
Serial0/2 unassigned YES unset administratively down down
Serial0/3 unassigned YES unset administratively down down
Loopback1 1.1.1.1 YES manual up up
r1(config)#$ 101 permit tcp host 192.168.64.134 host 1.1.1.1 eq www
r1(config)#$ 101 dynamic test timeout 100 permit tcp host 192.168.64.134 host 1.1.1.1 eq www //"dynamic" defines the dynamic ACL; "timeout" defines the absolute timeout of the dynamic ACL
r1(config)#int s0/0
r1(config-if)#ip access-group 101 in
r1(config-if)#do ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/22/52 ms
r1(config-if)#
*Mar 1 00:31:10.871: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0) is down: holding time expired
r1(config-if)#
Success rate is 0 percent (0/5)
r1(config-if)#do sh access-list 101
Extended IP access list 101
10 permit tcp host 192.168.64.134 host 1.1.1.1 eq www
20 Dynamic test permit tcp host 192.168.64.134 host 1.1.1.1 eq www
At this point, accessing the Web service on 1.1.1.1 from host 192.168.64.134 succeeds.
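Access list 101 as shown above has no entry that lets the user reach the router to authenticate, its static line 10 already permits the web traffic, and its implicit deny drops the EIGRP hellos arriving on Serial0/0 (the "holding time expired" message in the log). The following is an added example, not part of the original post, of one complete lock-and-key configuration on r1 using the page's addresses; the user name, password placeholder, vty range and idle timeout are assumptions.

```cisco
! Added example for r1. The user name, password placeholder, vty range and
! idle timeout below are assumptions, not values from the original post.
no access-list 101
! Keep the routing adjacency up: the implicit deny otherwise drops EIGRP hellos.
access-list 101 permit eigrp any any
! Let the host reach r1's Serial0/0 address by Telnet so the user can authenticate.
access-list 101 permit tcp host 192.168.64.134 host 172.16.1.2 eq telnet
! Template for the temporary entry; 100 is the absolute timeout in minutes.
! No static "permit ... eq www" line precedes it, so web access to 1.1.1.1
! is denied until the user has authenticated.
access-list 101 dynamic test timeout 100 permit tcp host 192.168.64.134 host 1.1.1.1 eq www
!
username labuser password <placeholder-password>
!
interface Serial0/0
 ip access-group 101 in
!
line vty 0 4
 login local
 ! After a successful login, activate the dynamic entry for the source host
 ! only, with a 5-minute idle timeout, then close the Telnet session.
 autocommand access-enable host timeout 5
```

After the Telnet login from 192.168.64.134, `show access-list 101` lists the activated permit entry beneath the `Dynamic test` line until one of the timeouts expires.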
r2(config)#int s0/0
r2(config-if)#ip add 172.16.2.2 255.255.255.0
r2(config-if)#no sh
r2(config-if)#
*Mar 1 00:09:52.643: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 00:09:53.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r2(config-if)#
*Mar 1 00:10:22.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
r2(config-if)#
*Mar 1 00:12:22.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r2(config-if)#exit
r2(config)#router eigrp
% Incomplete command.
r2(config)#router eigrp 1
r2(config-router)#no au
r2(config-router)#net 172.16.2.0
r2(config-router)#no
*Mar 1 00:13:59.039: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.2.1 (Serial0/0) is up: new adjacency
r2(config-router)#
This article is reposted from gauyanm's 51CTO blog. Original link: http://blog.51cto.com/gauyanm/240651. To repost it, please contact the original author.