2025-03-09 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through a self-built ACL + DHCP lab. Many people are unsure how to set up such a lab in day-to-day practice, so the editor consulted various sources and put together a simple, easy-to-follow procedure. The steps are given below.
(Lab environment: GNS simulator)
ACL
Lab Topology:
Experimental requirements:
1.1.1.1 → 3.3.3.3 does not work
11.11.11.11 → 3.3.3.3 works
2.2.2.2 → 3.3.3.3 works
Experiment steps:
Step 1: basic configuration
R1:
R1#conf t
R1(config)#int lo0
R1(config-if)#ip add 1.1.1.1 255.255.255.0
R1(config-if)#int lo1
R1(config-if)#ip add 11.11.11.11 255.255.255.0
R1(config-if)#int e0/0
R1(config-if)#ip add 12.12.12.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#end
R2:
R2#conf t
R2(config)#int lo0
R2(config-if)#ip add 2.2.2.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int e0/0
R2(config-if)#ip add 12.12.12.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int e0/1
R2(config-if)#ip add 23.23.23.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#end
R3:
R3#conf t
R3(config)#int e0/1
R3(config-if)#ip add 23.23.23.3 255.255.255.0
R3(config-if)#no shut
R3(config-if)#int lo0
R3(config-if)#ip add 3.3.3.3 255.255.255.0
R3(config-if)#no shut
R3(config-if)#end
Step 2: static route settings
R1(config)#ip route 0.0.0.0 0.0.0.0 e0/0 12.12.12.2 // if the destination IP is not in the routing table, send the packet out e0/0 to R2
R2(config)#ip route 1.1.1.0 255.255.255.0 e0/0 12.12.12.1
R2(config)#ip route 11.11.11.0 255.255.255.0 e0/0 12.12.12.1
R2(config)#ip route 3.3.3.0 255.255.255.0 e0/1 23.23.23.3
R3(config)#ip route 0.0.0.0 0.0.0.0 e0/1 23.23.23.2
// directly connected networks are already in the routing table and need no static route
Inspection:
R1#ping 3.3.3.3
R3#ping 1.1.1.1
Step 3: write the ACL statements
R2#conf t
R2(config)#ip access-list extended IT // named extended ACL called IT
R2(config-ext-nacl)#deny ip 1.1.1.1 0.0.0.0 3.3.3.3 0.0.0.0
R2(config-ext-nacl)#permit ip host 2.2.2.2 host 3.3.3.3
R2(config-ext-nacl)#permit ip host 11.11.11.11 host 3.3.3.3
Inspection:
R2#show access-list
Extended IP access list IT
    10 deny ip host 1.1.1.1 host 3.3.3.3
    20 permit ip host 2.2.2.2 host 3.3.3.3
    30 permit ip host 11.11.11.11 host 3.3.3.3
Step 4: apply the ACL on the interface
R2#conf t
R2(config)#int e0/1
R2(config-if)#ip access-group IT out
R2(config-if)#end
Inspection:
R1#ping 3.3.3.3 so 1.1.1.1 // fails; "so" (source) sets the source address of the ping, same below
R1#ping 3.3.3.3 so 11.11.11.11 // passes
R2#ping 3.3.3.3 // passes
R2#ping 1.1.1.1 // passes
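The checks above can be reproduced with a small model of ACL IT. This is an added example, not part of the original article: the function names are hypothetical, and it goes one case beyond the lab by testing an R1 ping without a source option, assuming it is sourced from 12.12.12.1 (R1's e0/0 address).

```python
import ipaddress

# ACL "IT" as listed by `show access-list` on R2:
# (action, source, source wildcard, destination, destination wildcard)
ACL_IT = [
    ("deny",   "1.1.1.1",     "0.0.0.0", "3.3.3.3", "0.0.0.0"),
    ("permit", "2.2.2.2",     "0.0.0.0", "3.3.3.3", "0.0.0.0"),
    ("permit", "11.11.11.11", "0.0.0.0", "3.3.3.3", "0.0.0.0"),
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """First matching entry wins; no match ends at the implicit deny."""
    for index, (action, s, sw, d, dw) in enumerate(acl, start=1):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, index * 10      # sequence numbers 10, 20, 30
    return "deny", None                    # implicit "deny ip any any"

def egress_verdict(acl, src, dst, locally_originated=False):
    """`ip access-group IT out`: an outbound interface ACL is not applied
    to packets the router itself generates, which is why R2's own pings
    pass even though their source address matches no permit entry."""
    if locally_originated:
        return "permit", "not filtered"
    return evaluate(acl, src, dst)

def lab_checks():
    dst = "3.3.3.3"
    return {
        "R1 ping so 1.1.1.1":     egress_verdict(ACL_IT, "1.1.1.1", dst),
        "R1 ping so 11.11.11.11": egress_verdict(ACL_IT, "11.11.11.11", dst),
        # Assumption: without "so", R1 sources the ping from 12.12.12.1.
        "R1 ping (no source)":    egress_verdict(ACL_IT, "12.12.12.1", dst),
        "R2 ping":                egress_verdict(ACL_IT, "23.23.23.2", dst,
                                                 locally_originated=True),
    }

if __name__ == "__main__":
    for name, verdict in lab_checks().items():
        print(name, verdict)
```

The third case is the one to watch in practice: any source not listed in IT is dropped by the implicit deny, not only 1.1.1.1.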
!! Supplement
Reflexive ACL
Experimental topology: same as above (R1--R2 is intranet, R3 is extranet)
Experimental requirements:
Internal network to public network: OK
Public network to internal network: NO
Experiment steps:
R2#conf t
R2(config)#ip access-list extended inside
R2(config-ext-nacl)#permit ip any any reflect CHINA
// capture traffic going from the private network to the external network, generate temporary entries for it and place them in CHINA
R2(config-ext-nacl)#ip access-list extended outside
R2(config-ext-nacl)#evaluate CHINA
// check all traffic originating from the public network against the temporary entries in CHINA
R2(config-ext-nacl)#int e0/0
R2(config-if)#ip access-group inside in
R2(config-if)#int e0/1
R2(config-if)#ip access-group outside in
Phenomenon:
11.11.11.11 → 3.3.3.3 accessible
3.3.3.3 → 11.11.11.11 cannot be reached
2.2.2.2 → 3.3.3.3 does not work
3.3.3.3 → 2.2.2.2 does not work
DHCP
Lab Topology:
Experiment steps:
Step 1: basic configuration
R4#conf t
R4(config)#no ip routing
R4(config)#ip default-gateway 172.16.1.1
R4(config)#int e0/0
R4(config-if)#ip add dhcp
R5#conf t
R5(config)#no ip routing
R5(config)#ip default-gateway 172.16.1.1
R5(config)#int e0/0
R5(config-if)#ip add dhcp
R6#conf t
R6(config)#int e0/0
R6(config-if)#ip add 172.16.1.1 255.255.255.0
R6(config-if)#no shut
R6(config-if)#int e0/1
R6(config-if)#ip add 67.67.67.6 255.255.255.0
R6(config-if)#no shut
R7#conf t
R7(config)#int e0/1
R7(config-if)#ip add 67.67.67.7 255.255.255.0
R7(config-if)#no shut
R7(config-if)#int lo0
R7(config-if)#ip add 7.7.7.7 255.255.255.0
R7(config-if)#end
Step 2: set up static routes on R6 and R7
R6(config)#ip route 7.7.7.0 255.255.255.0 e0/1 67.67.67.7
R7(config)#ip route 0.0.0.0 0.0.0.0 e0/1 67.67.67.6
Step 3: configure the address pool
R6(config)#ip dhcp pool CHINA-Telecom
R6(dhcp-config)#network 172.16.1.0 /24
R6(dhcp-config)#default-router 172.16.1.1
R6(dhcp-config)#dns-server 172.16.1.1
R6(dhcp-config)#lease 7
R6(dhcp-config)#exit
R6(config)#ip dhcp excluded-address 172.16.1.1
R5#conf t
R5(config)#int e0/0
R5(config-if)#no shut
R4#conf t
R4(config)#int e0/0
R4(config-if)#no shut
Inspection:
R4#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                172.16.1.2      YES DHCP   up                    up
Ethernet0/1                unassigned      YES unset  administratively down down
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
R5#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                172.16.1.3      YES DHCP   up                    up
Ethernet0/1                unassigned      YES unset  administratively down down
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
R4:ping 7.7.7.7
R5:ping 7.7.7.7
R7:ping 172.16.1.2
R7:ping 172.16.1.3
Step 4:
R6 sets up a reflexive ACL to protect the internal 172.16.1.0/24 network segment.
R6#conf t
R6(config)#ip access-list extend inside
R6(config-ext-nacl)#permit ip any any reflect Greatwall
R6(config-ext-nacl)#exit
R6(config)#ip access-list extend outside
R6(config-ext-nacl)#evaluate Greatwall
R6(config-ext-nacl)#exit
R6(config)#int e0/0
R6(config-if)#ip access-group inside in
R6(config-if)#int e0/1
R6(config-if)#ip access-group outside in
R6(config-if)#exit
Inspection:
R4:ping 7.7.7.7
R5:ping 7.7.7.7
R7:ping 172.16.1.2 does not work
R7:ping 172.16.1.3 does not work
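The reflexive ACL results on R2 (list CHINA) and on R6 (list Greatwall) follow from the same logic, modelled below as an added example that is not part of the original article. Class and function names are hypothetical, entries are simplified to address pairs without the idle timeout of real temporary entries, and R7's pings are assumed to be sourced from 67.67.67.7.

```python
class ReflexiveRouter:
    """Inside ACL: 'permit ip any any reflect <name>', applied inbound on
    the inside interface. Outside ACL: 'evaluate <name>', applied inbound
    on the outside interface. Simplified: address pairs only, no timeout."""

    def __init__(self):
        self.reflected = set()

    def inside_in(self, src, dst):
        self.reflected.add((dst, src))   # record the mirrored (return) flow
        return True                      # permit ip any any

    def outside_in(self, src, dst):
        return (src, dst) in self.reflected   # evaluate, then implicit deny


def ping(src, dst, origin):
    """True if the echo request and its reply both get past the router.
    origin: 'inside' (enters the inside interface), 'router' (generated by
    the router itself) or 'outside' (enters the outside interface).
    Every call starts from an empty reflexive list."""
    r = ReflexiveRouter()
    if origin == "outside":
        return r.outside_in(src, dst)    # unsolicited request: no entry
    if origin == "inside":
        r.inside_in(src, dst)            # request creates the entry
    # 'router': its own packets never cross the inside interface inbound,
    # so nothing was reflected and the reply checked below is dropped.
    return r.outside_in(dst, src)


def lab_results():
    return {
        # R2, reflexive list CHINA
        "11.11.11.11 -> 3.3.3.3": ping("11.11.11.11", "3.3.3.3", "inside"),
        "3.3.3.3 -> 11.11.11.11": ping("3.3.3.3", "11.11.11.11", "outside"),
        "2.2.2.2 -> 3.3.3.3":     ping("2.2.2.2", "3.3.3.3", "router"),
        "3.3.3.3 -> 2.2.2.2":     ping("3.3.3.3", "2.2.2.2", "outside"),
        # R6, reflexive list Greatwall
        "R4 -> 7.7.7.7":          ping("172.16.1.2", "7.7.7.7", "inside"),
        # Assumption: R7 sources its ping from 67.67.67.7.
        "R7 -> 172.16.1.2":       ping("67.67.67.7", "172.16.1.2", "outside"),
    }


if __name__ == "__main__":
    for flow, ok in lab_results().items():
        print(flow, "works" if ok else "does not work")
```

The 2.2.2.2 → 3.3.3.3 failure is the case that surprises people: traffic generated by the filtering router itself is never reflected, so its replies are dropped by the outside ACL.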
This concludes the "how to self-make ACL+DHCP experiment" walkthrough. I hope it answers your questions. Combining theory with practice is the best way to learn, so go and try it yourself!