20201125 cisco EIGRP (3)


Last updated 4 years ago

Class material

ACL

! R1 (e0/0 12.1.1.1, lo1 1.1.1.1, lo2 2.2.2.2)
int e0/0
ip add 12.1.1.1 255.255.255.0
no shut
int lo1
ip add 1.1.1.1 255.255.255.0
no shut
int lo2
ip add 2.2.2.2 255.255.255.0
no shut
router rip
ver 2
network 12.1.1.0
no auto-summary
exit
! the two loopback networks are added to RIP in a second pass
router rip
ver 2
network 1.1.1.0
network 2.2.2.0
exit
! baseline reachability before R2 applies any ACL: all four pings should succeed
do ping 3.3.3.3 source 1.1.1.1
do ping 4.4.4.4 source 1.1.1.1
do ping 3.3.3.3 source 2.2.2.2
do ping 4.4.4.4 source 2.2.2.2
exit
! telnet to R3's loopbacks from privileged EXEC; "cisco" is the vty password set on R3
telnet 4.4.4.4
cisco
telnet 3.3.3.3
cisco

! R2 (e0/0 12.1.1.2 facing R1, e0/1 23.1.1.2 facing R3): the ACLs are applied here
int e0/0
ip add 12.1.1.2 255.255.255.0
no shut
int e0/1
ip add 23.1.1.2 255.255.255.0
no shut
router rip
ver 2
network 12.1.1.0
network 23.1.1.0
no auto-summary
exit
! numbered extended ACL 100: block ICMP for two source/destination pairs only,
! then permit everything else (without the last line the implicit deny would drop all traffic)
access-list 100 deny icmp 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
access-list 100 deny icmp 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 100 permit ip any any
int e0/0
ip access-group 100 in
exit
end
sh access-lists
conf t
! ACL 101 on the R3-facing interface permits only telnet to 3.3.3.0/24; all other
! transit traffic leaving e0/1 (including pings to 3.3.3.3 and 4.4.4.4) hits the implicit deny
access-list 101 permit tcp any 3.3.3.0 0.0.0.255 eq 23
int e0/1
ip access-group 101 out
end
sh access-lists
conf t
! remove ACL 101 and its interface binding
no access-list 101
int e0/1
no ip access-group 101 out
do sh access-lists
exit
! named extended ACL: block telnet to 4.4.4.0/24 and allow everything else
ip access-list extended telnet-acl
deny tcp any 4.4.4.0 0.0.0.255 eq 23
permit ip any any
int e0/1
ip access-group telnet-acl out
end
sh access-lists

! R3 (e0/0 23.1.1.3, lo1 3.3.3.3, lo2 4.4.4.4)
int e0/0
ip add 23.1.1.3 255.255.255.0
no shut
int lo1
ip add 3.3.3.3 255.255.255.0
no shut
int lo2
ip add 4.4.4.4 255.255.255.0
no shut
router rip
ver 2
network 23.1.1.0
network 3.3.3.0
network 4.4.4.0
no auto-summary
! telnet access for R1's tests; the notes read "line vty 4", which secures only the
! single line 4, so "0 4" is used here to cover all five vty lines
line vty 0 4
password cisco
login
transport input telnet
do sh run

Class exercises

Part 01. Using extended access-lists

  • R1 can telnet R3

  • R1 cannot ping R3

! R1 (12.1.1.1): static route to the R2-R3 link via R2
ip route 23.1.1.0 255.255.255.0 e0/0 12.1.1.2
int e0/0
ip addr 12.1.1.1 255.255.255.0
no shut
! expected once R2's ACL is in place: the ping fails, the telnet succeeds
do ping 23.1.1.3
do telnet 23.1.1.3

! R2 (e0/0 12.1.1.2, e0/1 23.1.1.2): named extended ACL "rule" applied inbound on the R1-facing interface
ip access-list ex rule
permit tcp 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255 eq 23
deny icmp 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255
! anything else arriving from R1 falls through to the implicit deny
int e0/0
ip access-group rule in
ip addr 12.1.1.2 255.255.255.0
no shut
int e0/1
ip addr 23.1.1.2 255.255.255.0
no shut
do sh access-lists

! R3 (23.1.1.3): static route back to R1's network via R2, telnet enabled on the vty lines
ip route 12.1.1.0 255.255.255.0 e0/0 23.1.1.2
line vty 0 4
password cisco
login
transport input telnet
int e0/0
ip addr 23.1.1.3 255.255.255.0
no shut

Part 02. Using named ACL

  • Block all traffic from 172.16.4.0/24 to R1

  • Insert a rule so that Linux4 can ping R1 but Linux5 cannot

  • Insert a rule so that Linux5 can telnet to R1 but Linux4 cannot

! R1 (172.16.3.1): static route to the Linux network via R2; the vty lines accept SSH only
ip route 172.16.4.0 255.255.255.0 e0/0 172.16.3.2
int e0/0
ip addr 172.16.3.1 255.255.255.0
no shut
exit
line vty 0 4
password cisco
login
transport input ssh

! R2 (e0/0 172.16.3.2 facing R1, e0/1 172.16.4.2 facing the Linux hosts)
! step 1: named extended ACL "rule" blocks all of 172.16.4.0/24 toward R1's network,
! applied inbound on the Linux-facing interface
ip access-list ex rule
deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255
int e0/0
ip addr 172.16.3.2 255.255.255.0
no shut
int e0/1
ip access-group rule in
ip addr 172.16.4.2 255.255.255.0
no shut
exit
! steps 2 and 3: insert permits with explicit sequence numbers 5 and 6 so they are
! evaluated before the deny, which received sequence 10 by default
ip access-list ex rule
5 permit icmp 172.16.4.100 0.0.0.0 172.16.3.0 0.0.0.255
6 permit tcp 172.16.4.200 0.0.0.0 172.16.3.0 0.0.0.255 eq 22

# Linux5 (172.16.4.200): only TCP/22 toward R1's network is permitted
ip addr add 172.16.4.200/24 brd + dev eth0
ip route add default via 172.16.4.2
timedatectl set-timezone Asia/Taipei
systemctl restart ntp.service
apt update
apt install telnet
# R1's vty lines accept SSH only and sequence 6 permits only port 22, so a plain telnet
# to port 23 is blocked; to exercise the permitted port use: telnet 172.16.3.1 22
telnet 172.16.3.1

# Linux4 (172.16.4.100): only ICMP toward R1's network is permitted
ip addr add 172.16.4.100/24 brd + dev eth0
ip route add default via 172.16.4.2
timedatectl set-timezone Asia/Taipei
systemctl restart ntp.service
apt update
apt install telnet
ping 172.16.3.1
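Every exercise on this page depends on four ACL rules: a wildcard mask of 0 bits must match exactly and 1 bits are ignored, entries are tried top-down and the first match wins, a list ends with an implicit deny, and an entry given an explicit lower sequence number (the 5 and 6 in Part 02) is evaluated before the deny that got sequence 10 by default. The following Python evaluator is an added example written for these notes, not Cisco IOS code and not part of the original page; it implements those four rules for the entry syntax used here (numbered and named entries, any/host/wildcard addresses, the eq destination-port operator only) and replays ACL 100 from the class material and the named ACL "rule" from Part 02 so the outcome of each ping and telnet can be predicted before touching a router. The class and function names (Packet, Ace, AccessList, build_acl_100, build_part02_rule) are this example's own.

```python
"""Added example (not IOS code): a small model of how IOS evaluates an extended ACL.
Covers only what this page's entries need: wildcard-mask matching, the 'eq <port>'
destination operator, top-down first match, the implicit deny and sequence insertion."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str                    # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port, only meaningful for tcp/udp

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in a Cisco wildcard mask means 'ignore this bit'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

@dataclass
class Ace:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: Tuple[str, str]          # (address, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int]          # None when the entry has no 'eq' operator
    hits: int = 0                 # the "(N matches)" counter shown by show access-lists

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (wildcard_match(pkt.src, *self.src) and wildcard_match(pkt.dst, *self.dst)):
            return False
        return self.dport is None or pkt.dport == self.dport

def _parse_addr(tok: List[str], i: int):
    """Reads 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

class AccessList:
    def __init__(self, name: str):
        self.name = name
        self.aces: List[Ace] = []

    def add(self, line: str) -> Ace:
        """Accepts 'access-list 100 ...' or named-ACL entries, with an optional leading sequence."""
        tok = line.split()
        if tok[0] == "access-list":          # numbered form: drop 'access-list <number>'
            tok = tok[2:]
        seq = int(tok.pop(0)) if tok[0].isdigit() else None
        if seq is None:                       # IOS default: highest existing sequence + 10
            seq = self.aces[-1].seq + 10 if self.aces else 10
        action, proto, i = tok[0], tok[1], 2
        src, i = _parse_addr(tok, i)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        ace = Ace(seq, action, proto, src, dst, dport)
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.seq)   # an explicit lower sequence lands ahead of the deny
        return ace

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First match wins; no match is the implicit deny, reported with sequence None."""
        for ace in self.aces:
            if ace.matches(pkt):
                ace.hits += 1
                return ace.action, ace.seq
        return "deny", None

    def show(self) -> List[Tuple[int, str, str, int]]:
        """(sequence, action, protocol, matches) in evaluation order, like show access-lists."""
        return [(a.seq, a.action, a.proto, a.hits) for a in self.aces]

def build_acl_100() -> AccessList:
    """ACL 100 from the class material above."""
    acl = AccessList("100")
    acl.add("access-list 100 deny icmp 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255")
    acl.add("access-list 100 deny icmp 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255")
    acl.add("access-list 100 permit ip any any")
    return acl

def build_part02_rule() -> AccessList:
    """Named ACL 'rule' from Part 02, entered in the same order as on R2."""
    acl = AccessList("rule")
    acl.add("deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255")   # becomes sequence 10
    acl.add("5 permit icmp 172.16.4.100 0.0.0.0 172.16.3.0 0.0.0.255")
    acl.add("6 permit tcp 172.16.4.200 0.0.0.0 172.16.3.0 0.0.0.255 eq 22")
    return acl

if __name__ == "__main__":
    rule = build_part02_rule()
    # constructed packets: Linux4 = 172.16.4.100, Linux5 = 172.16.4.200, R1 = 172.16.3.1
    print(rule.evaluate(Packet("icmp", "172.16.4.100", "172.16.3.1")))     # ('permit', 5)
    print(rule.evaluate(Packet("tcp", "172.16.4.200", "172.16.3.1", 23)))  # ('deny', 10)
    print(rule.show())
```

Running it shows why the Part 02 insertion order matters: entering the deny first and the permits afterwards with sequences 5 and 6 still yields evaluation order 5, 6, 10, whereas adding the permits without sequence numbers would place them after the deny where they never match. It also makes the page's telnet inconsistency visible: a Linux5 connection to port 23 falls to sequence 10 and is denied, only port 22 (SSH, matching transport input ssh on R1) passes. The hit counters returned by show() correspond to the match counts the notes inspect with sh access-lists.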
References

  • ACL packet filtering table (ACL 封包過濾表)
  • Access List configuration @ 小網管筆記 (痞客邦)