20201125 Cisco EIGRP (Part 3)
Class materials
ACL

R1:

int e0/0
ip add 12.1.1.1 255.255.255.0
no shut
int lo1
ip add 1.1.1.1 255.255.255.0
no shut
int lo2
ip add 2.2.2.2 255.255.255.0
no shut
router rip
ver 2
network 12.1.1.0
no auto-summary
exit

router rip
ver 2
network 1.1.1.0
network 2.2.2.0
exit

do ping 3.3.3.3 source 1.1.1.1
do ping 4.4.4.4 source 1.1.1.1
do ping 3.3.3.3 source 2.2.2.2
do ping 4.4.4.4 source 2.2.2.2

exit
telnet 4.4.4.4
cisco
telnet 3.3.3.3
cisco

R2:

int e0/0
ip add 12.1.1.2 255.255.255.0
no shut
int e0/1
ip add 23.1.1.2 255.255.255.0
no shut
router rip
ver 2
network 12.1.1.0
network 23.1.1.0
no auto-summary
exit
! numbered extended ACL, applied inbound on e0/0 (first match wins, implicit deny at the end)
access-list 100 deny icmp 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
access-list 100 deny icmp 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 100 permit ip any any
int e0/0
ip access-group 100 in
exit
end
sh access-lists

! ACL 101 permits only telnet to 3.3.3.0/24 outbound on e0/1; everything else is implicitly denied
conf t
access-list 101 permit tcp any 3.3.3.0 0.0.0.255 eq 23
int e0/1
ip access-group 101 out
end
sh access-lists
conf t
no access-list 101
int e0/1
no ip access-group 101 out
do sh access-lists
exit

! named extended ACL: block telnet to 4.4.4.0/24, allow the rest
ip access-list extended telnet-acl
deny tcp any 4.4.4.0 0.0.0.255 eq 23
permit ip any any
int e0/1
ip access-group telnet-acl out
end
sh access-lists
R3:

int e0/0
ip add 23.1.1.3 255.255.255.0
no shut
int lo1
ip add 3.3.3.3 255.255.255.0
no shut
int lo2
ip add 4.4.4.4 255.255.255.0
no shut
router rip
ver 2
network 23.1.1.0
network 3.3.3.0
network 4.4.4.0
no auto-summary
! original notes read "line vty 4", which configures only the single line vty 4;
! "line vty 0 4" covers all five default vty lines so the telnet tests above land on a line with a password
line vty 0 4
password cisco
login
transport input telnet
do sh run

Class exercises
Part 01. Using extended access-lists

R1 can telnet to R3
R1 cannot ping R3

R1:

ip route 23.1.1.0 255.255.255.0 e0/0 12.1.1.2
int e0/0
ip addr 12.1.1.1 255.255.255.0
no shut

do ping 23.1.1.3
do telnet 23.1.1.3

R2:

! named extended ACL inbound on e0/0: permit telnet from 12.1.1.0/24 to 23.1.1.0/24,
! deny ICMP between them; anything not listed is dropped by the implicit deny
ip access-list ex rule
permit tcp 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255 eq 23
deny icmp 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255
int e0/0
ip access-group rule in
ip addr 12.1.1.2 255.255.255.0
no shut
int e0/1
ip addr 23.1.1.2 255.255.255.0
no shut

do sh access-lists

R3:

ip route 12.1.1.0 255.255.255.0 e0/0 23.1.1.2
line vty 0 4
password cisco
login
transport input telnet
int e0/0
ip addr 23.1.1.3 255.255.255.0
no shut
Part 02. Using named ACL
Block all traffic from 172.16.4.0/24 from reaching R1
Insert a rule so that Linux4 can ping R1 but Linux5 cannot
Insert a rule so that Linux5 can telnet to R1 but Linux4 cannot

R1:

ip route 172.16.4.0 255.255.255.0 e0/0 172.16.3.2
int e0/0
ip addr 172.16.3.1 255.255.255.0
no shut
exit
line vty 0 4
password cisco
login
transport input ssh

R2:

! the deny becomes sequence 10; the later permits are inserted at 5 and 6 so they are
! evaluated before it (appending them after the deny would never match)
ip access-list ex rule
deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255
int e0/0
ip addr 172.16.3.2 255.255.255.0
no shut
int e0/1
ip access-group rule in
ip addr 172.16.4.2 255.255.255.0
no shut
exit
ip access-list ex rule
5 permit icmp 172.16.4.100 0.0.0.0 172.16.3.0 0.0.0.255
6 permit tcp 172.16.4.200 0.0.0.0 172.16.3.0 0.0.0.255 eq 22

Host 172.16.4.200 (Linux5, matched by rule 6 above):

ip addr add 172.16.4.200/24 brd + dev eth0
ip route add default via 172.16.4.2
timedatectl set-timezone Asia/Taipei
systemctl restart ntp.service
apt update
apt install telnet

telnet 172.16.3.1

Host 172.16.4.100 (Linux4, matched by rule 5 above):

ip addr add 172.16.4.100/24 brd + dev eth0
ip route add default via 172.16.4.2
timedatectl set-timezone Asia/Taipei
systemctl restart ntp.service
apt update
apt install telnet

ping 172.16.3.1
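To make the matching rules behind the Part 01 and Part 02 ACLs (and the class-material ACLs 100, 101 and telnet-acl) concrete, here is a small evaluator for Cisco-style extended ACEs. It is an added example for these notes, not Cisco code or anything from the course; the `Packet` type, the `NamedAcl` class and the ten-step sequence numbering are this example's own assumptions, chosen to mirror IOS behaviour (top-down first match, wildcard masks where a 1 bit means "don't care", and the implicit deny at the end). It replays the Part 01 rule and the Part 02 insertion, and also shows what would happen if the Part 02 permits were appended after the deny instead of inserted at sequence 5 and 6.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """A constructed packet summary: protocol, addresses and (for TCP/UDP) destination port."""
    proto: str          # "icmp", "tcp", "udp"
    src: str
    dst: str
    dport: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: bits set to 1 in the mask are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens: list) -> tuple:
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def parse_ace(line: str) -> dict:
    """Parse one extended ACE: [seq] {permit|deny} PROTO SRC DST [eq PORT]."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action = tokens.pop(0)
    proto = tokens.pop(0)
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens)
    dport = int(tokens[1]) if tokens and tokens[0] == "eq" else None
    return {"seq": seq, "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


class NamedAcl:
    """Ordered ACE list; unnumbered entries are appended in steps of 10 like IOS does."""

    def __init__(self, lines):
        self.aces = []
        for line in lines:
            self.add(line)

    def add(self, line: str) -> None:
        ace = parse_ace(line)
        if ace["seq"] is None:
            ace["seq"] = self.aces[-1]["seq"] + 10 if self.aces else 10
        others = [a for a in self.aces if a["seq"] != ace["seq"]]
        self.aces = sorted(others + [ace], key=lambda a: a["seq"])

    def evaluate(self, pkt: Packet) -> tuple:
        """Return (action, seq) of the first matching ACE, or ('deny', None) for the implicit deny."""
        for ace in self.aces:
            if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
                continue
            if not wildcard_match(pkt.src, *ace["src"]):
                continue
            if not wildcard_match(pkt.dst, *ace["dst"]):
                continue
            if ace["dport"] is not None and ace["dport"] != pkt.dport:
                continue
            return ace["action"], ace["seq"]
        return "deny", None


def part01_results() -> dict:
    """Part 01: telnet permitted, ping explicitly denied, anything else implicitly denied."""
    acl = NamedAcl([
        "permit tcp 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255 eq 23",
        "deny icmp 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255",
    ])
    return {
        "telnet": acl.evaluate(Packet("tcp", "12.1.1.1", "23.1.1.3", 23))[0],
        "ping": acl.evaluate(Packet("icmp", "12.1.1.1", "23.1.1.3"))[0],
        "ssh": acl.evaluate(Packet("tcp", "12.1.1.1", "23.1.1.3", 22))[0],  # no ACE: implicit deny
    }


def part02_results() -> dict:
    """Part 02: inserting at seq 5/6 puts the permits ahead of the deny at seq 10."""
    acl = NamedAcl(["deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255"])
    linux4_ping = Packet("icmp", "172.16.4.100", "172.16.3.1")
    before = acl.evaluate(linux4_ping)
    acl.add("5 permit icmp 172.16.4.100 0.0.0.0 172.16.3.0 0.0.0.255")
    acl.add("6 permit tcp 172.16.4.200 0.0.0.0 172.16.3.0 0.0.0.255 eq 22")
    # The mistake to avoid: appending the permit without a sequence number lands it at seq 20,
    # behind the deny, so it can never match.
    appended = NamedAcl([
        "deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255",
        "permit icmp 172.16.4.100 0.0.0.0 172.16.3.0 0.0.0.255",
    ])
    return {
        "before_insert": before,
        "linux4_ping": acl.evaluate(linux4_ping),
        "linux5_ping": acl.evaluate(Packet("icmp", "172.16.4.200", "172.16.3.1")),
        "linux5_ssh": acl.evaluate(Packet("tcp", "172.16.4.200", "172.16.3.1", 22)),
        "linux4_ssh": acl.evaluate(Packet("tcp", "172.16.4.100", "172.16.3.1", 22)),
        "order": [a["seq"] for a in acl.aces],
        "appended_ping": appended.evaluate(linux4_ping),
    }


if __name__ == "__main__":
    print(part01_results())
    print(part02_results())
```

The `order` entry shows the ACL as `sh access-lists` would list it after the insertion (5, 6, 10), and `appended_ping` is the check a practitioner runs in their head before typing an ACE without a sequence number: a permit that sorts after a broader deny is dead configuration.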