
ACL Policy Exercise

2021-11-16 21:35:01  Views: 307  Source: Internet

Tags: aaa R1 R2 exercise policy 192.168 ACL user time


 

Requirements:

ping: PC1 must not be able to ping R1 but must be able to ping R2; PC2 must be able to ping R1 but must not be able to ping R2.

telnet: PC1 must not be able to telnet to R2 but must be able to telnet to R1; PC2 must be able to telnet to R2 but must not be able to telnet to R1.

Solution:

The ACL needed here is an advanced ACL, because the conditions specify both the source IP and the destination IP.

Of the three interfaces available, choose R1's G0/0/0 and apply the ACL there in the inbound direction: a single filter at that point sees all of the traffic, so no resources are wasted on filters elsewhere.

Consideration: R1 has two interfaces, G0/0/0 and G0/0/1, and a restriction aimed at "R1" has to cover both of them, so the total number of rules is 2 (PC1 ping R1) + 2 (PC2 telnet R1) + 1 (PC1 telnet R2) + 1 (PC2 ping R2) = 6 (every port has to be guarded).

Configuration:

First, the basic interface configuration of R1 and R2:

//R2 configuration
[R2]interface G0/0/0
[R2-GigabitEthernet0/0/0]ip address 192.168.2.2 24
Nov 16 2021 20:08:12-08:00 R2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
//R1 configuration
[R1]interface G0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[R1]interface G0/0/1
//R1's link towards R2 (192.168.2.1 is the address the ACL rules and the tests below refer to)
[R1-GigabitEthernet0/0/1]ip address 192.168.2.1 24

Next, configure telnet access (AAA user and VTY lines) on both routers:

//R2 telnet: account xlb, privilege level 15, cipher password 654321
[R2]aaa
[R2-aaa]local-user xlb privilege level 15 password cipher 654321
Info: Add a new user.
//Allow xlb to log in over telnet
[R2-aaa]local-user xlb service-type telnet
[R2-aaa]quit
//VTY lines 0-4 take the telnet sessions
[R2]user-interface vty 0 4
//Authenticate them against the AAA local-user database
[R2-ui-vty0-4]authentication-mode aaa
[R2-ui-vty0-4]quit

//R1 telnet: account lxb, privilege level 15, cipher password 123456
[R1]aaa
[R1-aaa]local-user lxb privilege level 15 password cipher 123456
Info: Add a new user.
//Allow lxb to log in over telnet
[R1-aaa]local-user lxb service-type telnet
[R1-aaa]quit
//VTY lines 0-4 take the telnet sessions
[R1]user-interface vty 0 4
//Authenticate them against the AAA local-user database
[R1-ui-vty0-4]authentication-mode aaa
[R1-ui-vty0-4]quit

Now configure the ACL and apply it on R1's G0/0/0:

//Partial capture of the rule entry; 2+2+1+1 = 6 rules are needed in total, and display acl lists all six
[R1]acl 3000
[R1-acl-adv-3000]rule 10 deny icmp source 192.168.1.11 0.0.0.0 destination 192.168.2.2 0.0.0.0
[R1-acl-adv-3000]display acl 3000
Advanced ACL 3000, 6 rules
Acl's step is 5
 rule 5 deny tcp source 192.168.1.11 0 destination 192.168.1.1 0 destination-port eq telnet 
 rule 6 deny tcp source 192.168.1.11 0 destination 192.168.2.1 0 destination-port eq telnet 
 rule 7 deny icmp source 192.168.1.10 0 destination 192.168.1.1 0 
 rule 8 deny icmp source 192.168.1.10 0 destination 192.168.2.1 0 
 rule 9 deny tcp source 192.168.1.10 0 destination 192.168.2.2 0 destination-port eq telnet 
 rule 10 deny icmp source 192.168.1.11 0 destination 192.168.2.2 0 
//Apply ACL 3000 to traffic entering R1 on G0/0/0
[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
[R1-GigabitEthernet0/0/0]quit
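As an added example (not code from the original post), the following Python model evaluates an advanced ACL the way the rules above are read and checks the six deny rules against every requirement of the exercise before they go live on R1 G0/0/0. Assumptions, stated in the code as well: rules are tried in ascending rule-number order, the first match decides, an unmatched packet is permitted (the default for traffic-filter), and PC1 is 192.168.1.10 and PC2 is 192.168.1.11 (the source addresses in the rules and in the "User last login" record later on the page). The rule lines are copied from the display acl 3000 output; the requirement table is constructed from the requirements section.

```python
# Added example (not from the original post): a small model of how an advanced
# ACL such as ACL 3000 above is evaluated, used to check the six deny rules
# against the exercise requirements before they are applied on R1 G0/0/0.
# Assumed semantics: rules are tried in ascending rule-number order, the first
# match decides, and a packet that matches no rule is permitted (the default
# for traffic-filter). Host addresses: PC1 = 192.168.1.10, PC2 = 192.168.1.11.
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22}
Packet = Tuple[str, str, str, Optional[int]]   # (proto, src, dst, dport)


class Rule(NamedTuple):
    num: int
    action: str        # "permit" or "deny"
    proto: str         # "icmp", "tcp", "udp" or "ip" (any protocol)
    src: str           # "address wildcard"
    dst: str           # "address wildcard"
    dport: Optional[int]


def match_addr(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: a 0 bit means 'must equal', a 1 bit means 'any'."""
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)


def parse_rule(line: str) -> Rule:
    """Parse one rule line in the format printed by 'display acl'."""
    tok = line.split()
    addr = {"source": "0.0.0.0 255.255.255.255", "destination": "0.0.0.0 255.255.255.255"}
    dport, i = None, 4
    while i < len(tok):
        if tok[i] in addr:                                   # "source A W" / "destination A W"
            wild = "0.0.0.0" if tok[i + 2] == "0" else tok[i + 2]   # display prints 0.0.0.0 as "0"
            addr[tok[i]] = f"{tok[i + 1]} {wild}"
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            dport = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
        else:
            raise ValueError(f"unsupported token {tok[i]!r} in: {line}")
        i += 3
    return Rule(int(tok[1]), tok[2], tok[3], addr["source"], addr["destination"], dport)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule, or ('permit', None)."""
    proto, src, dst, dport = pkt
    for rule in sorted(rules, key=lambda r: r.num):
        if rule.proto not in ("ip", proto):
            continue
        if not match_addr(src, *rule.src.split()) or not match_addr(dst, *rule.dst.split()):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule.num
    return "permit", None          # implicit permit: nothing matched


# The six rules exactly as 'display acl 3000' printed them in the post.
ACL_3000 = [parse_rule(line) for line in """
rule 5 deny tcp source 192.168.1.11 0 destination 192.168.1.1 0 destination-port eq telnet
rule 6 deny tcp source 192.168.1.11 0 destination 192.168.2.1 0 destination-port eq telnet
rule 7 deny icmp source 192.168.1.10 0 destination 192.168.1.1 0
rule 8 deny icmp source 192.168.1.10 0 destination 192.168.2.1 0
rule 9 deny tcp source 192.168.1.10 0 destination 192.168.2.2 0 destination-port eq telnet
rule 10 deny icmp source 192.168.1.11 0 destination 192.168.2.2 0
""".strip().splitlines()]

HOSTS = {"PC1": "192.168.1.10", "PC2": "192.168.1.11"}
# "R1" expands to both of R1's addresses, which is why the R1 items need two rules each.
TARGETS = {"R1": ["192.168.1.1", "192.168.2.1"], "R2": ["192.168.2.2"]}
# (host, application, router) -> expected action, constructed from the requirements.
REQUIREMENTS = {
    ("PC1", "ping", "R1"): "deny", ("PC1", "ping", "R2"): "permit",
    ("PC1", "telnet", "R1"): "permit", ("PC1", "telnet", "R2"): "deny",
    ("PC2", "ping", "R1"): "permit", ("PC2", "ping", "R2"): "deny",
    ("PC2", "telnet", "R1"): "deny", ("PC2", "telnet", "R2"): "permit",
}


def ping(src: str, dst: str) -> Packet:
    return ("icmp", src, dst, None)


def telnet(src: str, dst: str) -> Packet:
    return ("tcp", src, dst, 23)


def check_requirements(rules: List[Rule]) -> List[str]:
    """Return the requirements (as 'PC1 ping R1') that the rule set fails to meet."""
    failed = []
    for (pc, app, router), expected in REQUIREMENTS.items():
        make = ping if app == "ping" else telnet
        pkts = [make(HOSTS[pc], ip) for ip in TARGETS[router]]
        if any(evaluate(rules, p)[0] != expected for p in pkts):
            failed.append(f"{pc} {app} {router}")
    return failed


if __name__ == "__main__":
    print("unsatisfied requirements:", check_requirements(ACL_3000))
```

Two things the model makes visible that the CLI output alone does not. Dropping any one of the two rules aimed at R1 (say rule 8) leaves "PC1 ping R1" unsatisfied, which is the concrete reason for the 2+2+1+1 count. And because the list contains only deny rules, everything it does not name falls through to the implicit permit: a TCP connection from PC2 to R1 on a port other than 23 is not blocked by ACL 3000, so the requirements are met exactly as written and no wider.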

Now verify the ACL, starting with PC1.

//PC1 pings R2's G0/0/0, then R1's G0/0/0 and G0/0/1
[PC 1]ping  192.168.2.2
  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=40 ms
    Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=50 ms
    Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=50 ms
    Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=40 ms
    Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=40 ms

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/44/50 ms

[PC 1]ping 192.168.1.1
  PING 192.168.1.1: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 192.168.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

[PC 1]ping 192.168.2.1
  PING 192.168.2.1: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 192.168.2.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

//PC1 telnets to R1 and R2
//telnet to R1 at 192.168.1.1, username lxb, password 123456 (cipher)
<PC 1>telnet 192.168.1.1
  Press CTRL_] to quit telnet mode
  Trying 192.168.1.1 ...
  Connected to 192.168.1.1 ...

Login authentication


Username:lxb
Password:
<R1>q

  Configuration console exit, please retry to log on

  The connection was closed by the remote host
//telnet to R1 at 192.168.2.1, username lxb, password 123456 (cipher)
<PC 1>telnet 192.168.2.1
  Press CTRL_] to quit telnet mode
  Trying 192.168.2.1 ...
  Connected to 192.168.2.1 ...

Login authentication


Username:lxb
Password:
  ----------------------------------------------------------------------------- 
    
  User last login information:     
  -----------------------------------------------------------------------------
  Access Type: Telnet      
  IP-Address : 192.168.1.10     
  Time       : 2021-11-16 20:57:49-08:00     
  -----------------------------------------------------------------------------
<R1>q

  Configuration console exit, please retry to log on

  The connection was closed by the remote host
//telnet to R2 at 192.168.2.2 fails
<PC 1>telnet 192.168.2.2
  Press CTRL_] to quit telnet mode
  Trying 192.168.2.2 ...

Then test PC2.

//PC2 pings R1's G0/0/0 and G0/0/1, then R2's G0/0/0
<PC 2>ping 192.168.1.1
  PING 192.168.1.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=30 ms
    Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=50 ms
    Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=40 ms
    Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=50 ms
    Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=50 ms

  --- 192.168.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 30/44/50 ms

<PC 2>ping 192.168.2.1
  PING 192.168.2.1: 56  data bytes, press CTRL_C to break
    Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=60 ms
    Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=50 ms
    Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=40 ms
    Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=60 ms
    Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=50 ms

  --- 192.168.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/52/60 ms

<PC 2>ping 192.168.2.2
  PING 192.168.2.2: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 192.168.2.2 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

//PC2 telnets to R2 and R1
<PC 2>telnet  192.168.2.2
  Press CTRL_] to quit telnet mode
  Trying 192.168.2.2 ...
  Connected to 192.168.2.2 ...

Login authentication


Username:xlb
Password:
<R2>q
//R2's telnet account is xlb, password 654321 (cipher)
  Configuration console exit, please retry to log on

  The connection was closed by the remote host
<PC 2>telnet 192.168.1.1
  Press CTRL_] to quit telnet mode
  Trying 192.168.1.1 ...
  Error: Can't connect to the remote host
//telnet to R1's G0/0/0 fails
<PC 2>telnet 192.168.2.1
  Press CTRL_] to quit telnet mode
  Trying 192.168.2.1 ...
//telnet to R1's G0/0/1 fails

Done!

Source: https://blog.csdn.net/qq_44685426/article/details/121365326
