华三ACL扩展与Telnet配置实验报告

发布网友发布时间：2022-11-08 05:47

共1个回答

热心网友时间：2023-11-07 18:06

实验目的：

1.理解并掌握ACL的工作原理

2.学会扩展ACL的工作方法

3.通过Telnet远程登录路由器的配置

实验拓扑图：

实验步骤：

1.实现多区域OSPF全网互通

在RT1中如下

sys

[RT1]int l0

[RT1-LoopBack0]ipaddress 172.16.70.1 32

[RT1-LoopBack0]intl1

[RT1-LoopBack1]ipaddress 172.16.80.1 32

[RT1-LoopBack1]ints0/1/0

[RT1-Serial0/1/0]ipaddress 10.0.0.1 24

[RT1-Serial0/1/0]quit

[RT1]router id1.1.1.1

[RT1]ospf

[RT1-ospf-1]area 0

[RT1-ospf-1-area-0.0.0.0]network172.16.70.1 0.0.0.0

[RT1-ospf-1-area-0.0.0.0]network172.16.80.1 0.0.0.0

[RT1-ospf-1-area-0.0.0.0]network10.0.0.0 0.0.0.255

在RT2中如下：

sys

[RT2]int s0/1/1

[RT2-Serial0/1/1]ipaddress 10.0.0.2 24

[RT2-Serial0/1/1]intg0/0/0

[RT2-GigabitEthernet0/0/0]ipaddress 20.0.0.1 24

[RT2-GigabitEthernet0/0/0]quit

[RT2]router id2.2.2.2

[RT2]ospf

[RT2-ospf-1]area 0

[RT2-ospf-1-area-0.0.0.0]network10.0.0.0 0.0.0.255

[RT2-ospf-1-area-0.0.0.0]quit

[RT2-ospf-1]area

[RT2-ospf-1-area-0.0.0.1]network20.0.0.0 0.0.0.255

在RT3中如下：

sys

[RT3]interfaceg0/0/1

[RT3-GigabitEthernet0/0/1]ipad

[RT3-GigabitEthernet0/0/1]ipaddress 20.0.0.2 24

[RT3-GigabitEthernet0/0/1]intl0

[RT3-LoopBack0]ipad

[RT3-LoopBack0]ipaddress 192.168.1.1 32

[RT3-LoopBack0]intl1

[RT3-LoopBack1]ipaddress 192.168.2.1 32

[RT3-LoopBack1]intl2

[RT3-LoopBack2]ipaddress 192.168.3.1 32

[RT3-LoopBack2]quit

[RT3]router id3.3.3.3

[RT3]ospf

[RT3-ospf-1]area 1

[RT3-ospf-1-area-0.0.0.1]network192.168.1.1 0.0.0.0

[RT3-ospf-1-area-0.0.0.1]network192.168.2.1 0.0.0.0

[RT3-ospf-1-area-0.0.0.1]network192.168.3.1 0.0.0.0

[RT3-ospf-1-area-0.0.0.1]network20.0.0.0 0.0.0.255

2.设置RT3 Telnet服务，刚开始全网都可以远程登录RT3并验证

[RT3]telnet serverenable

[RT3]user-interfacevty 0 1

[RT3-ui-vty0-1]authentication-modepassword

[RT3-ui-vty0-1]setauthentication password simple 123

[RT3-ui-vty0-1]userprivilege level 3

验证：从RT2远程登录RT3

telnet192.168.1.1

Trying 192.168.1.1...

Press CTRL+K toabort

Connected to192.168.1.1 ...

***********SIMWAER版权归华三公司所有*********************内核部分修改*********

* Copyright (c)2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*

* Without theowner's prior written consent,*

* no decompilingor reverse-engineering shall be allowed.*

Loginauthentication

Password:

从RT1远程登录RT3

telnet192.168.1.1

Trying 192.168.1.1...

Press CTRL+K toabort

Connected to192.168.1.1 ...

***********SIMWAER版权归华三公司所有*********************内核部分修改*********

* Copyright (c)2004-2010 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*

* Without theowner's prior written consent,*

* no decompilingor reverse-engineering shall be allowed.*

Loginauthentication

Password:

3.配置ACL包过滤，要求RT2可以telnetRT3，RT1不允许Telnet RT3。

[RT2]firewallenable

[RT2]firewalldefault permit

[RT2]acl number3000

[RT2-acl-adv-3000]ruledenytcp destination 192.168.0.00.0.255.255 source 17ination-port eq 23

[RT2-acl-adv-3000]ruledeny tcp destination 20.0.0.0 0.0.0.255 source 172.16.0.0 0.0.255.255destination-port eq 23

[RT2-acl-adv-3000]ruledeny tcp destination 20.0.0.0 0.0.0.255 source 10.0.0.0 0.0.0.255destination-port eq 23

[RT2-acl-adv-3000]ruledeny tcp destination 192.168.0.0 0.0.255.255 source 10.0.0.0 0.0.0.255destination-port eq 23

[RT2-acl-adv-3000]ints0/1/1

[RT2-Serial0/1/1]firewallpacket-filter 3000 inbound

4.配置ACL包过滤，网络172.16.0.0/16不能PING网络192.168.0.0/22反过来是能PING通

[RT2]firewallenable

[RT2]firewalldefault permit

[RT2]acl number3001

[RT2-acl-adv-3001]ruledeny icmp destination 192.168.0.0 0.0.3.255source 172.16.0.0 0.0.255.255 icmp-type echo

[RT2-acl-adv-3001]intg0/0/0

[RT2-GigabitEthernet0/0/0]firewallpacket-filter 3001 outbound

结果如下

ping -a172.16.70.1 192.168.1.1

PING 192.168.1.1: 56data bytes, press CTRL_C to break

Request time out

Request time out

Request time out

Request time out

Request time out

--- 192.168.1.1 ping statistics ---

5 packet(s) transmitted

0 packet(s) received

100.00% packet loss

ping -a 192.168.1.1 172.16.70.1

PING172.16.70.1: 56data bytes, press CTRL_Cto break

Reply from172.16.70.1: bytes=56 Sequence=1 ttl=254 time=15 ms

Reply from172.16.70.1: bytes=56 Sequence=2 ttl=254 time=4 ms

Reply from172.16.70.1: bytes=56 Sequence=3 ttl=254 time=10 ms

Reply from172.16.70.1: bytes=56 Sequence=4 ttl=254 time=21 ms

Reply from172.16.70.1: bytes=56 Sequence=5 ttl=254 time=4 ms

---172.16.70.1 ping statistics ---

5 packet(s)transmitted

5 packet(s)received

0.00% packetloss

round-tripmin/avg/max = 4/10/21 ms

实验完成！