基于ACL的訪問控制及安全策略的設(shè)計實驗報告_第1頁
基于ACL的訪問控制及安全策略的設(shè)計實驗報告_第2頁
基于ACL的訪問控制及安全策略的設(shè)計實驗報告_第3頁
基于ACL的訪問控制及安全策略的設(shè)計實驗報告_第4頁
基于ACL的訪問控制及安全策略的設(shè)計實驗報告_第5頁
已閱讀5頁,還剩25頁未讀, 繼續(xù)免費閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進(jìn)行舉報或認(rèn)領(lǐng)

文檔簡介

1、實 驗 報 告課程名稱稱思科路由由器開放放實驗實驗名稱稱基于ACCL的訪訪問控制制及安全全策略的的設(shè)計實實驗實驗時間間20122年6月2-3日實 驗 報 告告實驗名稱稱基于ACCL的訪訪問控制制及安全全策略的的設(shè)計實實驗實驗類型型開放實驗驗實驗學(xué)時時16實驗時間間20122.6.1-220122.6.2實驗?zāi)康牡暮鸵笄笤L問控制制列表(Acccesss Coontrrol Lisst,AACL) 是 HYPERLINK /view/1360.htm 路路由器和和 HYPERLINK /view/1077.htm 交換機機接口的的指令列列表,用用來 HYPERLINK /view/798022.

2、htm 控制制端口進(jìn)進(jìn)出的數(shù)數(shù)據(jù)包。驗要求求學(xué)生掌掌握訪問問控制列列表的配配置,理理解ACCL的執(zhí)執(zhí)行過程程;能夠夠根據(jù)AACL設(shè)設(shè)計安全全的網(wǎng)絡(luò)絡(luò)。實驗要求求完成以以下工作作:標(biāo)準(zhǔn)ACCL。實實驗?zāi)繕?biāo)標(biāo):本實實驗拒絕絕stuudennt所在在網(wǎng)段訪訪問路由由器R22,同時時只允許許主機tteaccherr訪問路路由器RR2的ttelnnet服服務(wù)。擴展ACCL實驗驗:實驗驗?zāi)繕?biāo):學(xué)生不不能訪問問ftpp,但能能訪問wwww,教師不不受限制制。防止地址址欺騙。外部網(wǎng)網(wǎng)絡(luò)的用用戶可能能會偽裝裝自己的的ip地地址,比比如使用用內(nèi)部網(wǎng)網(wǎng)的合法法IP地地址或者者回環(huán)地地址作為為源地址址,從而而實現(xiàn)非非

3、法訪問問。解決決辦法:將可能能偽裝到到的ipp地址拒拒絕掉。二、實驗驗環(huán)境(實驗設(shè)設(shè)備)PC機,并安裝裝Cissco Pacckett Trraceer軟件件或者是是真實的的思科網(wǎng)網(wǎng)絡(luò)設(shè)備備(路由由器交換換機)。三、實驗驗原理及及內(nèi)容一 基本本ACLL實驗:1.標(biāo)準(zhǔn)準(zhǔn)ACLL。實驗驗?zāi)繕?biāo):本實驗驗拒絕sstuddentt所在網(wǎng)網(wǎng)段訪問問路由器器R2,同時只只允許主主機teeachher訪訪問路由由器R22的teelneet服務(wù)務(wù)。實驗拓補補圖如下下:實驗配置置如下:RoutterenRoutter#connf ttEnteer cconffiguurattionn coommaandss, o

4、one perr liine. EEnd witth CCNTLL/Z.Routter(connfigg)#hhostt R1R1(cconffig)#innt f0/0R1(cconffig-if)#ipp addd 10.20.1700.1 2555.2255.2555.0R1(cconffig-if)#noo shhut%LINNK-55-CHHANGGED: Innterrfacce FFasttEthhernnet00/0, chhangged staate to up%LINNEPRROTOO-5-UPDDOWNN: LLinee prrotoocoll onn Innterrfa

5、cce FFasttEthhernnet00/0, chhangged staate to upR1(cconffig-if)#exxitR1(cconffig)#innt ss0/00/0R1(cconffig-if)#ipp addd 1922.1668.112.11 2255.2555.2555.00R1(cconffig-if)#cllockk raate 640000R1(cconffig-if)#noo shhut%LINNK-55-CHHANGGED: Innterrfacce SSeriial00/0/0, chaangeed sstatte tto ddownnR1(ccon

6、ffig-if)#exxitR1(cconffig)#roouteer eeigrrp 1100R1(cconffig-rouuterr)#nnetwworkk 100.200.1770.00 0.0.00.2555R1(cconffig-rouuterr)#nnetwworkk 1992.1168.12.0 R1(cconffig-rouuterr)#nno aautooR1(cconffig-rouuterr)#eendR1#%SYSS-5-CONNFIGG_I: Coonfiigurred froom cconssolee byy coonsooleR1#ccopyy ruun ssta

7、rrtDesttinaatioon ffileenamme staartuup-cconffig? Builldinng cconffiguurattionnOKRoutterenRoutter#connf ttEnteer cconffiguurattionn coommaandss, oone perr liine. EEnd witth CCNTLL/Z.Routter(connfigg)#hhostt R22R2(cconffig)#innt s0/0/11R2(cconffig-if)#ipp addd 1192.1688.122.2 2555.2555.2255.0 R2(ccon

8、ffig-if)#noo shhut%LINNK-55-CHHANGGED: Innterrfacce SSeriial00/0/1, chaangeed sstatte tto uupR2(cconffig-if)#%LINNEPRROTOO-5-UPDDOWNN: LLinee prrotoocoll onn Innterrfacce SSeriial00/0/1, chaangeed sstatte tto uupR2(cconffig-if)#exxitR2(cconffig)#innt s0/0/00R2(cconffig-if)#ipp addd 1192.1688.233.1 2

9、555.2555.2255.0R2(cconffig-if)#cllockk raate 640000R2(cconffig-if)#noo shhut%LINNK-55-CHHANGGED: Innterrfacce SSeriial00/0/0, chaangeed sstatte tto ddownnR2(cconffig-if)#exxitR2(cconffig)#innt f0/0R2(cconffig-if)#ipp addd 110.220.1168.1 2255.2555.2555.00R2(cconffig-if)#noo shhutR2(cconffig-if)#%LINN

10、K-55-CHHANGGED: Innterrfacce FFasttEthhernnet00/0, chhangged staate to upR2(cconffig-if)#exxit%LINNEPRROTOO-5-UPDDOWNN: LLinee prrotoocoll onn Innterrfacce FFasttEthhernnet00/0, chhangged staate to upR2(cconffig)#roouteer eeigrrp 1100R2(cconffig-rouuterr)#nnet 1922.1668.112.00 R2(cconffig-rouuterr)#

11、%DUAAL-55-NBBRCHHANGGE: IP-EIGGRP 1000: NNeigghboor 1192.1688.122.1 (Seeriaal0/0/11) iis uup: neww addjaccenccyR2(cconffig-rouuterr)#nnet 1922.1668.223.00 R2(cconffig-rouuterr)#nnet 10.20.1688.0 0.00.0.2555R2(cconffig-rouuterr)#nno aautooR2(cconffig-rouuterr)#%DUAAL-55-NBBRCHHANGGE: IP-EIGGRP 1000:

12、NNeigghboor 1192.1688.122.1 (Seeriaal0/0/11) iis uup: neww addjaccenccyR2(cconffig-rouuterr)#eexittR2(cconffig)#exxitR2#%SYSS-5-CONNFIGG_I: Coonfiigurred froom cconssolee byy coonsooleR2#ccopyy ruun sstarrtDesttinaatioon ffileenamme staartuup-cconffig? Builldinng cconffiguurattionnOKRoutterenRoutter

13、#connf ttEnteer cconffiguurattionn coommaandss, oone perr liine. EEnd witth CCNTLL/Z.Routter(connfigg)#hhostt R33R3(cconffig)#innt ss0/00/1R3(cconffig-if)#ipp addd 1192.1688.233.2 2555.2255.2555.0R3(cconffig-if)#noo shhutR3(cconffig-if)#%LINNK-55-CHHANGGED: Innterrfacce SSeriial00/0/1, chaangeed sst

14、atte tto uupR3(cconffig-if)#exxitR3(cconffig)#innt ff0/00R3(cconffig-if)#ipp addd 110.220.666.11 2555.2255.2555.0R3(cconffig-if)#noo shhutR3(cconffig-if)#%LINNK-55-CHHANGGED: Innterrfacce FFasttEthhernnet00/0, chhangged staate to up%LINNEPRROTOO-5-UPDDOWNN: LLinee prrotoocoll onn Innterrfacce FFastt

15、Ethhernnet00/0, chhangged staate to upR3(cconffig-if)#exxitR3(cconffig)#roouteer eeigrrp 1100R3(cconffig-rouuterr)#nnet 0255R3(cconffig-rouuterr)#nnet 1922.1668.223.00R3(cconffig-rouuterr)#nno aautooR3(cconffig-rouuterr)#%DUAAL-55-NBBRCHHANGGE: IP-EIGGRP 1000: NNeigghboor 1192.1688

16、.233.1 (Seeriaal0/0/11) iis uup: neww addjaccenccyR3(cconffig-rouuterr)#eendR3#%SYSS-5-CONNFIGG_I: Coonfiigurred froom cconssolee byy coonsooleR3#ccopyy ruun sstarrtDesttinaatioon ffileenamme staartuup-cconffig? Builldinng cconffiguurattionnOK配ACLL之前,stuudennt去ppingg RR2的三三個接口口的ipp地址,也可以以pinng 服務(wù)器器

17、100.200.1668.77,應(yīng)該該pinng得通通。R2#cconff tEnteer cconffiguurattionn coommaandss, oone perr liine. EEnd witth CCNTLL/Z.R2(cconffig)#acccesss-llistt 11 deeny 100.200.1770.00 0.0.00.2555R2(cconffig)#acccesss-llistt 11 peermiit anyyR2(cconffig)#innt s0/0/11R2(cconffig-if)#ipp acccesss-ggrouup 11 innR2(ccon

18、ffig-if)#exxitR2(cconffig)#acccesss-llistt 2 perrmitt hoost 0R2(cconffig)#liine vtyy 0 4R2(cconffig-linne)#passswoord 5011R2(cconffig-linne)#logginR2(cconffig-linne)#acccesss-cllasss 2 innR2(cconffig-linne)#enddR2#%SYSS-5-CONNFIGG_I: Coonfiigurred froom cconssolee byy coonsooleR2#ccopyy ru

19、un sstarrtDesttinaatioon ffileenamme staartuup-cconffig? Builldinng cconffiguurattionn配ACLL之后,stuudennt去ppingg RR2的三三個接口口的ipp地址,也可以以pinng 服務(wù)器器 100.200.1668.77,應(yīng)該該pinng不通通。PCppingg 100.200.1668.77Pinggingg 100.200.1668.77 wiith 32 byttes of datta:Requuestt tiimedd ouut.Requuestt tiimedd ouut.Requuest

20、t tiimedd ouut.Requuestt tiimedd ouut.Pingg sttatiistiics forr 100.200.1668.77: Paccketts: Sennt = 4, Reeceiivedd = 0, Losst = 4 (1000% losss),OKPCppingg 1192.1688.122.2Pinggingg 1992.1168.12.2 wwithh 322 byytess off daata:Requuestt tiimedd ouut.Requuestt tiimedd ouut.Requuestt tiimedd ouut.Requuest

21、t tiimedd ouut.Pingg sttatiistiics forr 1992.1168.12.2: Paccketts: Sennt = 4, Reeceiivedd = 0, Losst = 4 (1000% losss),配ACLL之后,teaacheer機可可以teelneet RR2 ,效果如如下。PCttelnnet 1922.1668.223.11Tryiing 1922.1668.223.11 OppenUserr Acccesss VVeriificcatiionPasssworrd: 5011R2een% Noo paasswwordd seet.R2但只允許許t

22、eaacheer 機機tellnett R22,在RR3上ttelnnet R22 不成成功。R3#ttelnnet 1922.1668.223.11Tryiing 1922.1668.223.11 % Coonneectiion reffuseed bby rremoote hosstR3#ttelnnet 1922.1668.112.22Tryiing 1922.1668.112.22 % Coonneectiion reffuseed bby rremoote hosstR3#ttelnnet 10.20.1688.1Tryiing 10.20.1688.1 % Coonneectiio

23、n reffuseed bby rremoote hosst在stuudennt機上上tellnett RR2 不不成功。PCttelnnet 1992.1168.12.2Tryiing 1922.1668.112.22 % Coonneectiion timmed outt; rremoote hosst nnot ressponndinngPCttelnnet 1992.1168.23.1Tryiing 1922.1668.223.11 % Coonneectiion timmed outt; rremoote hosst nnot ressponndinngPCttelnnet 100.

24、200.1668.11Tryiing 10.20.1688.1 % Coonneectiion timmed outt; rremoote hosst nnot ressponndinng在R1上上tellnett RR2 不不成功。R1#ttelnnet 1992.1168.12.2Tryiing 1922.1668.112.22 % Coonneectiion reffuseed bby rremoote hosstR1#ttelnnet 1992.1168.23.1Tryiing 1922.1668.223.11 % Coonneectiion reffuseed bby rremoot

25、e hosstR1#ttelnnet 100.200.1668.11Tryiing 10.20.1688.1 % Coonneectiion reffuseed bby rremoote hosstTeaccherr機:PCttelnnet 1922.1668.112.11Tryiing 1922.1668.112.11 OppenConnnecctioon tto 1192.1688.122.1 cloosedd byy fooreiign hosstPCttelnnet 10.20.1700.1Tryiing 10.20.1700.1 % Coonneectiion timmed outt

26、; rremoote hosst nnot ressponndinngPCttelnnet 10.20.1700.100Tryiing 10.20.1700.100 % Coonneectiion timmed outt; rremoote hosst nnot ressponndinngR1#ttelnnet 100.200.666.1Tryiing OOpennConnnecctioon tto 110.220.666.11 clloseed bby fforeeignn hoostR1#ttelnnet 1992.1168.23.2Tryiing 1922.1668

27、.223.22 OppenConnnecctioon tto 1192.1688.233.2 cloosedd byy fooreiign hosstR3eenR3#ttelnnet 1922.1668.112.11Tryiing 1922.1668.112.11 OppenConnnecctioon tto 1192.1688.122.1 cloosedd byy fooreiign hosstR3#ttelnnet 10.20.1700.1Tryiing 10.20.1700.1 % Coonneectiion timmed outt; rremoote hosst nnot resspo

28、nndinngSERVVERtellnett 1992.1168.12.2Tryiing 1922.1668.112.22 % Coonneectiion reffuseed bby rremoote hosstSERVVERtellnett 1992.1168.23.1Tryiing 1922.1668.223.11 % Coonneectiion reffuseed bby rremoote hosstSERVVERtellnett 100.200.1668.11Tryiing 10.20.1688.1 % Coonneectiion reffuseed bby rremoote hoss

29、tSERVVERtellnett 1992.1168.12.1Tryiing 1922.1668.112.11 OppenConnnecctioon tto 1192.1688.122.1 cloosedd byy fooreiign hosstSERVVERtellnett 100.200.1770.11Tryiing 10.20.1700.1 % Coonneectiion timmed outt; rremoote hosst nnot ressponndinngSERVVERtellnett 1992.1168.23.2Tryiing 1922.1668.223.22 OppenCon

30、nnecctioon tto 1192.1688.233.2 cloosedd byy fooreiign hosstSERVVERtellnett 100.200.666.1Tryiing OOpennConnnecctioon tto 110.220.666.11 clloseed bby fforeeignn hoostSERVVERtellnett 100.200.666.100Tryiing 0 % Coonneectiion reffuseed bby rremoote hosstSERVVER2擴展AACL實實驗:實實驗?zāi)繕?biāo)標(biāo):學(xué)生生不能

31、訪訪問fttp,但但能訪問問wwww,教師師不受限限制。實驗拓補補圖如下下:實驗配置置如下:R2#ssh aacceess-lisstsStanndarrd IIP aacceess lisst 11 denny 110.220.1170.0 0255 perrmitt anny (11 mattch(es)Stanndarrd IIP aacceess lisst 22 perrmitt hoost 0R2#ssh rruninteerfaace Serriall0/00/1 ip adddresss 1192.1688.122.2 2555.2555.22

32、55.0 ip acccesss-grroupp 1 in!linee vtty 00 4 acccesss-cllasss 2 in passswoord 5011 loggin!刪除ACCL:R2#cconff tEnteer cconffiguurattionn coommaandss, oone perr liine. EEnd witth CCNTLL/Z.R2(cconffig)#innt ss0/00/1R2(cconffig-if)#noo ipp acccesss-ggrouup 11 innR2(cconffig-if)#exxitR2(cconffig)#noo accc

33、esss-llistt 1R2(cconffig)#liine vtyy 0 4R2(cconffig-linne)#no acccesss-cllasss 2 inR2(cconffig-linne)#no passswoord R2(connfigg-iff)#eexittR2(cconffig)#noo acccesss-llistt 2可以用ssh aacceess-lissts 和sh runn查看。R2#ssh aacceess-lisstsR2#ssh rrunR2#ccopyy ruun sstarrtDesttinaatioon ffileenamme staartuup-c

34、conffig? Builldinng cconffiguurattionnOK配ACLL之前測測試:studdentt的pcc機測試試結(jié)果如如下:PCppingg 100.200.1668.77Pinggingg 100.200.1668.77 wiith 32 byttes of datta:Replly ffromm 100.200.1668.77: bbytees=332 ttimee=2003mss TTTL=1126Replly ffromm 100.200.1668.77: bbytees=332 ttimee=1441mss TTTL=1126Replly ffromm 100

35、.200.1668.77: bbytees=332 ttimee=1557mss TTTL=1126Replly ffromm 100.200.1668.77: bbytees=332 ttimee=1443mss TTTL=1126Pingg sttatiistiics forr 100.200.1668.77: Paccketts: Sennt = 4, Reeceiivedd = 4, Losst = 0 (0% looss),Apprroxiimatte rrounnd ttripp tiimess inn miillii-seeconnds: Minnimuum = 1441mss,

36、 MMaxiimumm = 2033ms, Avveraage = 1161mmsstuddentt機上測測試:PCfftp 10.20.1688.7Tryiing to connnecct100.200.1668.77Connnectted to 10.20.1688.7220- Weelcoome to PT Ftpp seerveerUserrnamme:cciscco331- Ussernnamee okk, nneedd paasswworddPasssworrd:cciscco230- Looggeed iin(passsivve mmodee Onn)ftpftpctrrl+cc

37、Packket Traacerr PCC Coommaand Linne 11.0PC配dnss之后,也就是是指定了了服務(wù)器器的ipp地址110.220.1168.7 和和域名 HYPERLINK http:/wwww.fillm.ccom wwww.ffilmm.coom 的的對應(yīng)關(guān)關(guān)系之后后,也可可以以域域名的方方式登錄錄到fttp服務(wù)務(wù)器。PCfftp mTryiing to connnecctwwww.ffilmm.coomConnnectted to m220- Weelcoome to PT Ftpp seerveerUserrnamme:cciscco331- Ussernnam

38、ee okk, nneedd paasswworddPasssworrd:cciscco230- Looggeed iin(passsivve mmodee Onn)ftpexiit Invvaliid oor nnon suppporrtedd coommaand.ftpctrrl+ccPackket Traacerr PCC Coommaand Linne 11.0PCPCppingg 100.200.666.100Pinggingg 100.200.666.100 wiith 32 byttes of datta:Replly ffromm 100.200.666.100: bbytee

39、s=332 ttimee=1888mss TTTL=1125Replly ffromm 100.200.666.100: bbytees=332 ttimee=1772mss TTTL=1125Replly ffromm 100.200.666.100: bbytees=332 ttimee=1887mss TTTL=1125Replly ffromm 100.200.666.100: bbytees=332 ttimee=1887mss TTTL=1125Pingg sttatiistiics forr 100.200.666.100: Paccketts: Sennt = 4, Reece

40、iivedd = 4, Losst = 0 (0% looss),Apprroxiimatte rrounnd ttripp tiimess inn miillii-seeconnds: Minnimuum = 1772mss, MMaxiimumm = 1888ms, Avveraage = 1183mms配dnss之前,pinng teaacheer 的的ip地地址,但但pinng不了了域名;配dnns之后后,ipp地址和和域名都都可以ppingg通。TTeaccherr的域名名 HYPERLINK m,服務(wù)務(wù)器的域域名 HYPERLINK wwww.ffilmm.coom,sstudde

41、ntt的域名名 HYPERLINK m wwww.sstuddentt.coom。PCppingg wwww.tteaccherr.coomPinggingg 100.200.666.100 wiith 32 byttes of datta:Replly ffromm 100.200.666.100: bbytees=332 ttimee=1556mss TTTL=1125Replly ffromm 100.200.666.100: bbytees=332 ttimee=1559mss TTTL=1125Replly ffromm 100.200.666.100: bbytees=332 tt

42、imee=1772mss TTTL=1125Replly ffromm 100.200.666.100: bbytees=332 ttimee=1556mss TTTL=1125Pingg sttatiistiics forr 100.200.666.100: Paccketts: Sennt = 4, Reeceiivedd = 4, Losst = 0 (0% looss),Apprroxiimatte rrounnd ttripp tiimess inn miillii-seeconnds: Minnimuum = 1556mss, MMaxiimumm = 1722ms, Avvera

43、age = 1160mmsPCppingg wwww.ffilmm.coomPinggingg 100.200.1668.77 wiith 32 byttes of datta:Replly ffromm 100.200.1668.77: bbytees=332 ttimee=1557mss TTTL=1126Replly ffromm 100.200.1668.77: bbytees=332 ttimee=1556mss TTTL=1126Replly ffromm 100.200.1668.77: bbytees=332 ttimee=1441mss TTTL=1126Replly ffr

44、omm 100.200.1668.77: bbytees=332 ttimee=1225mss TTTL=1126Pingg sttatiistiics forr 100.200.1668.77: Paccketts: Sennt = 4, Reeceiivedd = 4, Losst = 0 (0% looss),Apprroxiimatte rrounnd ttripp tiimess inn miillii-seeconnds: Minnimuum = 1225mss, MMaxiimumm = 1577ms, Avveraage = 1144mms在stuudennt上測測試wwww服

45、務(wù)務(wù)。在stuudennt機的的桌面,在WEEB瀏覽覽器的地地址欄里里輸入 HYPERLINK hhttpp:/10.20.1688.7/ htttp:/110.220.1168.7/顯示網(wǎng)頁頁內(nèi)容:Ciscco PPackket TraacerrWelccomee too njjuptt fiilm sitte. youu caan ddownnloaad ffilmms. Quiick Linnks: A smmalll paage Copyyrigghtss Imagge ppagee Imagge在stuudennt機的的桌面,在WEEB瀏覽覽器的地地址欄里里輸入 HYPERLINK

46、/ hhttpp:/m/,同同樣可以以顯示網(wǎng)網(wǎng)頁內(nèi)容容。teaccherr 的ppc機測測試結(jié)果果如下:PCppingg 100.200.1668.77Pinggingg 100.200.1668.77 wiith 32 byttes of datta:Requuestt tiimedd ouut.Replly ffromm 100.200.1668.77: bbytees=332 ttimee=1443mss TTTL=1126Replly ffromm 100.200.1668.77: bbytees=332 ttimee=1440mss TTTL=1126Replly ffromm 10

47、0.200.1668.77: bbytees=332 ttimee=1227mss TTTL=1126Pingg sttatiistiics forr 100.200.1668.77: Paccketts: Sennt = 4, Reeceiivedd = 3, Losst = 1 (255% llosss),Apprroxiimatte rrounnd ttripp tiimess inn miillii-seeconnds:Miniimumm = 1277ms, Maaximmum = 1143mms, Aveeragge = 1336mss在R1上上配ACCL。R1(cconffig)#

48、acccesss-llistt 1001 deeny ttcp 110.220.1170.0 0.0.00.2555 hoost 110.220.1168.7 eq 211R1(cconffig)#acccesss-llistt 1001 deeny ttcp 110.220.1170.0 0.0.00.2555 hoost 110.220.1168.7 eq 200R1(cconffig)#acccesss-llistt 1001 peermiit ipp 110.220.1170.0 0.0.00.2555 anyy R1(connfigg)#iint f00/0R1(cconffig-i

49、f)#ipp acccesss-ggrouup 1101 inR1#ssh aacceess-lisstsExteendeed IIP aacceess lisst 1101 denny ttcp 10.20.1700.0 0.00.0.2555 hoost 10.20.1688.7 eq ftpp denny ttcp 10.20.1700.0 0.00.0.2555 hoost 10.20.1688.7 eq 20 perrmitt ipp 100.200.1770.00 0.0.00.2555 aany R1#sh runnBuilldinng cconffiguurattionnCur

50、rrentt coonfiigurratiion : 220044 byytess!verssionn 122.4no sservvicee tiimesstammps logg daatettimee mssecno sservvicee tiimesstammps debbug dattetiime mseecno sservvicee paasswwordd-enncryyptiion!hosttnamme RR1!inteerfaace FasstEttherrnett0/00 ip adddresss 110.220.1170.1 2255.2555.2555.00 ip accce

51、sss-grroupp 1001 iin dupplexx auuto speeed auttoStuddentt上配好好acll后,再再測Studdentt能否訪訪問服務(wù)務(wù)器的fftp服服務(wù)和wwww服服務(wù)。PCfftp mTryiing to connnecctwwww.ffilmm.coom%Errror opeeninng fftp:/wwww.fillm.ccom/ (TTimeed oout).Packket Traacerr PCC Coommaand Linne 11.0PC(Dissconnnecctinng ffromm fttp sservver)PCfftp 100.2

52、00.1668.77Tryiing to connnecct100.200.1668.77%Errror opeeninng fftp:/110.220.1168.7/ (Tiimedd ouut).Packket Traacerr PCC Coommaand Linne 11.0PC(Dissconnnecctinng ffromm fttp sservver)Packket Traacerr PCC Coommaand Linne 11.0說明sttudeent機機已不能能訪問服服務(wù)器的的ftpp服務(wù)了了。二 高級級ACLL擴展ACCL的應(yīng)應(yīng)用1.防止止地址欺欺騙。R1是內(nèi)內(nèi)網(wǎng)的邊邊界路由

53、由器,RR2是外外網(wǎng)的邊邊界路由由器。外部網(wǎng)絡(luò)絡(luò)的用戶戶可能會會偽裝自自己的iip地址址,比如如使用內(nèi)內(nèi)部網(wǎng)的的合法IIP地址址或者回回環(huán)地址址作為源源地址,從而實實現(xiàn)非法法訪問。解決辦辦法:將將可能偽偽裝到的的ip地地址拒絕絕掉。Routter(connfigg)#hhostt R11R1(cconffig)#innt ss0/00/1R1(cconffig-if)#ipp addd 2201.1000.111.1 2555.2555.2255.0R1(cconffig-if)#cllockk raate 640000R1(cconffig-if)#noo shhutR1(cconffig)

54、#innt ff0/00R1(cconffig-if)#ipp addd 1 2555.2555.2255.0R1(cconffig-if)#noo shhutR1(cconffig)#roouteer eeigrrp 1100R1(cconffig-rouuterr)#nnet 2011.1000.111.00*Mayy 100 111:299:299.3774: %DUUAL-5-NNBRCCHANNGE: IPP-EIIGRPP(0) 1000: Neiighbbor 2011.1000.111.22(Serriall0/00/1) iss upp: nnew adj

55、jaceencyyR1(cconffig-rouuterr)#nnet 190R1(cconffig-rouuterr)#nno aautoo/*MMay 10 11:29:57.0100: IIP-EEIGRRP(DDefaaultt-IPP-Rooutiing-Tabble:1000): Neiighbbor 1922.1668.11.1 nnot on commmonn suubneet ffor FasstEttherrnett0/00R1(cconffig-rouuterr)#*Mayy 100 111:300:000.6666: %DUUAL-5-NNBRCCHAN

56、NGE: IPP-EIIGRPP(0) 1000: Neiighbbor 2011.1000.111.22(Serriall0/00/1) iss reesynnc: summmarry cconffiguureddR1(cconffig-rouuterr)#*Mayy 100 111:300:000.6666: %DUUAL-5-NNBRCCHANNGE: IPP-EIIGRPP(0) 1000: Neiighbbor 2011.1000.111.22(Serriall0/00/1) iss reesynnc: summmarry cconffiguuredd*Mayy 100 111:30

57、0:100.9442: IP-EIGGRP(Deffaullt-IIP-RRouttingg-Taablee:1000): Neeighhborr 1992.1168.1.1 nnot on commmonn suubneet ffor FasstEttherrnett0/00*Mayy 100 111:300:244.9334: IP-EIGGRP(Deffaullt-IIP-RRouttingg-Taablee:1000): Neeighhborr 1992.1168.1.1 nnot on commmonn suubneet ffor FasstEttherrnett0/00*Mayy

58、100 111:300:388.8338: IP-EIGGRP(Deffaullt-IIP-RRouttingg-Taablee:1000): Neeighhborr 1992.1168.1.1 nnot on commmonn suubneet ffor FasstEttherrnett0/00*Mayy 100 111:300:533.0990: IP-EIGGRP(Deffaullt-IIP-RRouttingg-Taablee:1000): Neeighhborr 1992.1168.1.1 nnot on commmonn suubneet ffor FasstEttherrnett

59、0/00*Mayy 100 111:311:077.2222: IP-EIGGRP(Deffaullt-IIP-RRouttingg-Taablee:1000): Neeighhborr 1992.1168.1.1 nnot on commmonn suubneet ffor FasstEttherrnett0/00/以上系統(tǒng)統(tǒng)顯示異異常的原原因是網(wǎng)網(wǎng)絡(luò)有環(huán)環(huán)路,這這里產(chǎn)生生環(huán)路的的連接是是因為335600交換機機和兩臺臺29550交換換機分別別用交叉叉線連接接,三臺臺路由器器兩兩連連接,三三臺路由由器分別別與三臺臺交換機機連接。R1(cconffig)#ipp acccesss-llistt

60、 exxtenndedd inngreess-anttspooofR1(cconffig-extt-naacl)#deeny ip 10.0.00.0 0.2255.2555.2555 aanyR1(cconffig-extt-naacl)#deeny ip 1922.1668.00.0 0.00.2555.2255 anyyR1(cconffig-extt-naacl)#deeny ip 1772.116.00.0 0.115.2255.2555 anny /阻阻止源地地址為私私有地址址的所有有通信流流。1772.116.00.0/12,17到1172.31.2555.2

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 人人文庫網(wǎng)僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負(fù)責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時也不承擔(dān)用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

評論

0/150

提交評論