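ACL Fundamentals: Comprehensive Lab

I. Lab topology
[Figure: lab topology diagram]
II. Lab requirements
1. Full reachability across the whole network
2. All PCs on the company's internal network can access the external network
3. pc0 cannot ping R3, but R3 can ping pc0
4. pc1 can ping R2, but cannot telnet to R2
5. When PC8 telnets to R0, it actually logs in to R3
6. pc1 can ping pc5, but cannot ping pc4
7. pc7 cannot access the server

III. Address planning
1. Subnets are configured as shown in the topology diagram
2. PCs on the internal network obtain their IP addresses automatically; the subnet each address belongs to is shown in the topology diagram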

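IV. Testing
This lab meets all of the requirements above. Requirements 3, 4 and 5 are tested below.
Test 3: pc0 cannot ping R3, but R3 can ping pc0
Corresponding configuration:
An extended access list is used; the relevant entry is entry 10, and the list is applied in the in direction on R0's f1/0.1 interface.
Test 4: pc1 can ping R2, but cannot telnet to R2
Corresponding configuration:
An extended access list is used; the relevant entry is entry 15, and the list is applied in the in direction on R0's f1/0.1 interface.
Test 5: When PC8 telnets to R0, it actually logs in to R3; one-to-one static translation is used here.

V. Lab configuration
No configuration was done on sw2, the switch that pc9 is attached to; the configurations of the other devices are given below.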
——————————————————————————————————————————————————————————————————————
R0#sh running-config
Building configuration...

Current configuration : 1625 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R0
!
!
!
!
!
ip dhcp pool v2
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
dns-server 45.1.1.100
ip dhcp pool v3
network 172.16.2.0 255.255.255.0
default-router 172.16.2.1
dns-server 45.1.1.100
!
no ip cef
no ipv6 cef
!
!
!
username zhejiang privilege 15 password 0 123456
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 11.1.1.2 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 12.1.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
!
interface FastEthernet1/0.1
encapsulation dot1Q 2
ip address 172.16.1.1 255.255.255.0
ip access-group 100 in
!
interface FastEthernet1/0.2
encapsulation dot1Q 3
ip address 172.16.2.1 255.255.255.0
!
interface FastEthernet1/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
router eigrp 90
network 11.0.0.0
network 12.0.0.0
network 172.16.0.0
no auto-summary
!
ip nat inside source static 34.1.1.4 11.1.1.2
ip classless
!
ip flow-export version 9
!
!
access-list 100 deny icmp host 172.16.1.2 host 34.1.1.4 echo
access-list 100 permit ip any any
access-list 100 deny tcp host 172.16.1.3 host 23.1.1.3 eq telnet
access-list 100 deny icmp host 172.16.1.3 host 192.168.1.2 echo
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
!
line aux 0
!
line vty 0 4
login local
!
!
!
end
——————————————————————————————————————————————————————————————————————
R1#sho running-config
Building configuration...

Current configuration : 886 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 12.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 23.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.5.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
router eigrp 90
network 12.0.0.0
network 23.0.0.0
network 192.168.5.0
no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
!
line aux 0
!
line vty 0 4
login
!
!
!
end
——————————————————————————————————————————————————————————————————————
R2#sho running-config
Building configuration...

Current configuration : 1442 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
!
!
!
!
ip dhcp pool v4
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 45.1.1.100
ip dhcp pool v5
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 45.1.1.100
!
no ip cef
no ipv6 cef
!
!
!
username zhejiang privilege 15 password 0 123456
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 23.1.1.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 34.1.1.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
!
interface FastEthernet1/0.1
encapsulation dot1Q 4
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet1/0.2
encapsulation dot1Q 5
ip address 192.168.2.1 255.255.255.0
ip access-group 101 in
!
interface FastEthernet1/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
router eigrp 90
network 23.0.0.0
network 34.0.0.0
network 192.168.1.0
network 192.168.2.0
no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
access-list 101 permit ip any any
access-list 101 deny ip host 192.168.2.3 host 45.1.1.100
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
!
line aux 0
!
line vty 0 4
login local
!
!
!
end
——————————————————————————————————————————————————————————————————————
R3#sho running-config
Building configuration...

Current configuration : 909 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R3
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
username zhejiang privilege 15 password 0 123456
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 34.1.1.4 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 45.1.1.4 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet1/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
router eigrp 90
network 34.0.0.0
network 45.0.0.0
no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
!
line aux 0
!
line vty 0 4
login local
!
!
!
end
——————————————————————————————————————————————————————————————————————
sw0#sho running-config
Building configuration...

Current configuration : 1322 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname sw0
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
!
!
!
line con 0
logging synchronous
exec-timeout 0 0
!
line vty 0 4
login
line vty 5 15
login
!
!
end
——————————————————————————————————————————————————————————————————————
sw1#sho running-config
Building configuration...

Current configuration : 1322 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname sw1
!
!
!
no ip domain-lookup
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
switchport mode trunk
!
interface FastEthernet0/2
switchport access vlan 4
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 4
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 5
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 5
switchport mode access
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
!
!
!
line con 0
logging synchronous
exec-timeout 0 0
!
line vty 0 4
login
line vty 5 15
login
!
!
end
——————————————————————————————————————————————————————————————————————
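An extended ACL is evaluated top to bottom and the first matching entry decides, so the position of `permit ip any any` relative to the deny entries of ACL 100 (and ACL 101 on R2) matters. The following is an added example, not part of the original lab: it evaluates the page's ACL 100 entries first-match and flags entries that an earlier entry makes unreachable. The helper names are hypothetical, and `BY_SEQUENCE` is an assumed order consistent with the text's "entry 10" and "entry 15"; the other sequence numbers are not given on the page.

```python
# Added example: first-match evaluation of the ACL 100 entries shown for R0.
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    proto: str            # "ip", "icmp" or "tcp"
    src: str              # host address or "any"
    dst: str
    qual: Optional[str]   # ICMP type or TCP destination port keyword

def parse(line: str) -> Rule:
    """Parse the subset of extended-ACL syntax used on this page."""
    t = line.split()[2:]                       # drop "access-list <number>"
    action, proto, rest = t[0], t[1], t[2:]
    addrs = []
    for _ in range(2):                         # source, then destination
        width = 2 if rest[0] == "host" else 1  # "host A" or "any"
        addrs.append(rest[width - 1])
        rest = rest[width:]
    qual = rest[-1] if rest else None          # "echo", or "telnet" after "eq"
    return Rule(action, proto, addrs[0], addrs[1], qual)

def matches(r: Rule, proto: str, src: str, dst: str, qual: Optional[str]) -> bool:
    return (r.proto in ("ip", proto) and r.src in ("any", src)
            and r.dst in ("any", dst) and r.qual in (None, qual))

def evaluate(lines, proto, src, dst, qual=None) -> str:
    """Return the action of the first matching entry (implicit deny at the end)."""
    for r in map(parse, lines):
        if matches(r, proto, src, dst, qual):
            return r.action
    return "deny"

def shadowed(lines):
    """Entries that can never match because an earlier entry covers them."""
    rules = [parse(l) for l in lines]
    return [lines[i] for i, r in enumerate(rules)
            if any(matches(e, r.proto, r.src, r.dst, r.qual) for e in rules[:i])]

LISTED = [  # ACL 100 in the order R0's running-config prints it
    "access-list 100 deny icmp host 172.16.1.2 host 34.1.1.4 echo",
    "access-list 100 permit ip any any",
    "access-list 100 deny tcp host 172.16.1.3 host 23.1.1.3 eq telnet",
    "access-list 100 deny icmp host 172.16.1.3 host 192.168.1.2 echo",
]
# Assumed evaluation order: specific denies first, catch-all permit last.
BY_SEQUENCE = [LISTED[0], LISTED[2], LISTED[3], LISTED[1]]
```

If the entries were entered in the listed order, the Telnet and second ICMP denies would be shadowed by `permit ip any any`; in the assumed sequence order nothing is shadowed and requirement 4 holds.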
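VI. Notes
When applying an ACL, pay attention to the interface and the direction in which it is applied. For example, in this lab the ACLs are applied on subinterfaces, not on the physical interface.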