20201125 Cisco EIGRP (3)

Class material

ACL

R1
int e0/0
ip add 12.1.1.1 255.255.255.0
no shut
int lo1
ip add 1.1.1.1 255.255.255.0
no shut
int lo2
ip add 2.2.2.2 255.255.255.0
no shut
router rip
ver 2
network 12.1.1.0
no auto-summary
exit
router rip
ver 2
network 1.1.1.0
network 2.2.2.0
exit
do ping 3.3.3.3 source 1.1.1.1
do ping 4.4.4.4 source 1.1.1.1
do ping 3.3.3.3 source 2.2.2.2
do ping 4.4.4.4 source 2.2.2.2
exit
telnet 4.4.4.4
cisco
telnet 3.3.3.3
cisco

R2
int e0/0
ip add 12.1.1.2 255.255.255.0
no shut
int e0/1
ip add 23.1.1.2 255.255.255.0
no shut
router rip
ver 2
network 12.1.1.0
network 23.1.1.0
no auto-summary
exit
access-list 100 deny icmp 1.1.1.0 0.0.0.255 4.4.4.0 0.0.0.255
access-list 100 deny icmp 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 100 permit ip any any
int e0/0
ip access-group 100 in
exit
end
sh access-lists
conf t
access-list 101 permit tcp any 3.3.3.0 0.0.0.255 eq 23
int e0/1
ip access-group 101 out
end
sh access-lists
conf t
no access-list 101
int e0/1
no ip access-group 101 out
do sh access-lists
exit
ip access-list extended telnet-acl
deny tcp any 4.4.4.0 0.0.0.255 eq 23
permit ip any any
int e0/1
ip access-group telnet-acl out
end
sh access-lists

R3
int e0/0
ip add 23.1.1.3 255.255.255.0
no shut
int lo1
ip add 3.3.3.3 255.255.255.0
no shut
int lo2
ip add 4.4.4.4 255.255.255.0
no shut
router rip
ver 2
network 23.1.1.0
network 3.3.3.0
network 4.4.4.0
no auto-summary
line vty 0 4
password cisco
login
transport input telnet
do sh run

Class exercises

Part 01. Using extended access-lists

  • R1 can telnet to R3
  • R1 cannot ping R3

R1
ip route 23.1.1.0 255.255.255.0 e0/0 12.1.1.2
int e0/0
ip addr 12.1.1.1 255.255.255.0
no shut
do ping 23.1.1.3
do telnet 23.1.1.3

R2
ip access-list ex rule
permit tcp 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255 eq 23
deny icmp 12.1.1.0 0.0.0.255 23.1.1.0 0.0.0.255
int e0/0
ip access-group rule in
ip addr 12.1.1.2 255.255.255.0
no shut
int e0/1
ip addr 23.1.1.2 255.255.255.0
no shut
do sh access-lists

R3
ip route 12.1.1.0 255.255.255.0 e0/0 23.1.1.2
line vty 0 4
password cisco
login
transport input telnet
int e0/0
ip addr 23.1.1.3 255.255.255.0
no shut

Part 02. Using named ACL

  • Block all traffic from 172.16.4.0/24 so that none of it reaches R1
  • Insert a rule so that Linux4 can ping R1 but Linux5 cannot
  • Insert a rule so that Linux5 can telnet to R1 but Linux4 cannot

R1
ip route 172.16.4.0 255.255.255.0 e0/0 172.16.3.2
int e0/0
ip addr 172.16.3.1 255.255.255.0
no shut
exit
line vty 0 4
password cisco
login
transport input ssh

R2
ip access-list ex rule
deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255
int e0/0
ip addr 172.16.3.2 255.255.255.0
no shut
int e0/1
ip access-group rule in
ip addr 172.16.4.2 255.255.255.0
no shut
exit
ip access-list ex rule
5 permit icmp 172.16.4.100 0.0.0.0 172.16.3.0 0.0.0.255
6 permit tcp 172.16.4.200 0.0.0.0 172.16.3.0 0.0.0.255 eq 22

Linux4 (172.16.4.100)
ip addr add 172.16.4.100/24 brd + dev eth0
ip route add default via 172.16.4.2
timedatectl set-timezone Asia/Taipei
systemctl restart ntp.service
apt update
apt install telnet
ping 172.16.3.1

Linux5 (172.16.4.200)
ip addr add 172.16.4.200/24 brd + dev eth0
ip route add default via 172.16.4.2
timedatectl set-timezone Asia/Taipei
systemctl restart ntp.service
apt update
apt install telnet
telnet 172.16.3.1
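The following Python is an added example, not part of the class material: it simulates how IOS evaluates the named extended ACL `rule` from Part 02, showing why the `5` and `6` entries inserted after the `deny` (which IOS numbered 10) take effect, that the first match wins, and that anything unmatched hits the implicit deny. It also shows that the inserted permit is `eq 22`, so a telnet (port 23) from Linux5 still falls through to the deny; the names `RULE_ACL`, `parse_ace`, `build_acl` and `evaluate` are mine, and the ACL text is constructed from the lab.

```python
import ipaddress

ANY = ('0.0.0.0', '255.255.255.255')  # IOS 'any' == 0.0.0.0 with an all-ones wildcard

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def _take_addr(t, i):  # consume 'any' or '<addr> <wildcard>' at t[i]
    return (*ANY, i + 1) if t[i] == 'any' else (t[i], t[i + 1], i + 2)

def parse_ace(line):
    """Parse one extended ACE such as '6 permit tcp 172.16.4.200 0.0.0.0 172.16.3.0 0.0.0.255 eq 22'."""
    t = line.split()
    seq = int(t.pop(0)) if t[0].isdigit() else None   # explicit sequence number, if given
    action, proto = t[0], t[1]
    src, swc, i = _take_addr(t, 2)
    dst, dwc, i = _take_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == 'eq' else None
    return dict(seq=seq, action=action, proto=proto, src=src, swc=swc, dst=dst, dwc=dwc, dport=dport)

def build_acl(lines):
    """Number unnumbered entries 10, 20, ... as IOS does, then order the ACL by sequence number."""
    acl, nxt = [], 10
    for line in lines:
        ace = parse_ace(line)
        if ace['seq'] is None:
            ace['seq'], nxt = nxt, nxt + 10
        acl.append(ace)
    return sorted(acl, key=lambda a: a['seq'])

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; anything unmatched hits the implicit deny (seq None)."""
    for ace in acl:
        if (ace['proto'] in ('ip', proto)
                and wildcard_match(src, ace['src'], ace['swc'])
                and wildcard_match(dst, ace['dst'], ace['dwc'])
                and ace['dport'] in (None, dport)):
            return ace['action'], ace['seq']
    return 'deny', None

# Constructed from the Part 02 lab: the deny is typed first (gets seq 10), the permits are inserted at 5 and 6.
RULE_ACL = build_acl([
    'deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255',
    '5 permit icmp 172.16.4.100 0.0.0.0 172.16.3.0 0.0.0.255',
    '6 permit tcp 172.16.4.200 0.0.0.0 172.16.3.0 0.0.0.255 eq 22',
])
```

`evaluate(RULE_ACL, 'tcp', '172.16.4.200', '172.16.3.1', 22)` returns `('permit', 6)`, while the same source on port 23 returns `('deny', 10)`.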