CBAC Configuration
I set up a CBAC (Context-Based Access Control) lab with the topology in the figure below. From the configuration: R1 s0 (10.1.1.1) connects to R2 s1 (10.1.1.2), and R2 s0 (20.1.1.1) connects to R3 s1 (20.1.1.2). R2 is the inspecting router; s1 is its inside interface and s0 its outside interface.

Step 1: Interface connectivity configuration

    R1(config)#int s0
    R1(config-if)#ip add 10.1.1.1 255.255.255.0
    R1(config-if)#clock rate 64000
    R1(config-if)#no shutdown
    R1(config)#ip route 20.1.1.0 255.255.255.0 10.1.1.2    → static route so that R3 is reachable

Since all of R2's interfaces are directly connected, R2 needs no routes.

    R2(config)#int s1
    R2(config-if)#ip address 10.1.1.2 255.255.255.0
    R2(config-if)#no shutdown
    R2(config-if)#int s0
    R2(config-if)#ip add 20.1.1.1 255.255.255.0
    R2(config-if)#clock rate 64000
    R2(config-if)#no shutdown

    R3(config)#int s1
    R3(config-if)#ip add 20.1.1.2 255.255.255.0
    R3(config-if)#clock rate 64000
    R3(config-if)#no sh
    R3(config)#ip route 10.1.1.0 255.255.255.0 20.1.1.1    → static route so that R1 is reachable
Step 2: Test connectivity

    R1#ping 20.1.1.2    → R3's interface address
    !!!!!

    R3#ping 10.1.1.1    → R1's interface address
    !!!!!
Step 3: Configure R3 as a telnet server and set the enable password

    R3(config)#username cisco password cisco    → set the username and password
    R3(config)#enable secret cisco              → enable password; without it remote access is not allowed
    R3(config)#line vty 0 4
    R3(config-line)#login local                 → remote logins authenticate against the local user database

Step 4: Test the telnet configuration

    R1#telnet 20.1.1.2    → telnet to R3; the connection is established
    Trying 20.1.1.2 ... Open

    User Access Verification

    Username: cisco    → enter the configured username and password
    Password:
    R3>en
    Password:
    R3#
Step 5: Configure CBAC and the access control lists

    R2(config)#access-list 100 permit ip 10.1.1.0 0.0.0.255 any                  → permit all traffic from the inside network
    R2(config)#access-list 101 permit icmp any 10.1.1.0 0.0.0.255 echo-reply    → permit ping replies coming back in
    R2(config)#access-list 101 deny ip any any                                   → deny everything else
    R2(config)#ip inspect name cbac_telnet tcp                                   → define the CBAC rule, inspecting TCP and UDP
    R2(config)#ip inspect name cbac_telnet udp
    R2(config)#int s1
    R2(config-if)#ip access-group 100 in    → apply the ACL on the inside interface, without CBAC yet
    R2(config)#int s0
    R2(config-if)#ip access-group 101 in    → apply the ACL on the outside interface
Step 6: Test the effect without CBAC applied, and view R2's access lists

    R1#telnet 20.1.1.2    → the remote connection fails
    Trying 20.1.1.2 ...
    % Connection timed out; remote host not responding

    R2#show ip access-lists    → view R2's access lists
    Extended IP access list 100
        permit ip 10.1.1.0 0.0.0.255 any (30 matches)
    Extended IP access list 101
        permit icmp any 10.1.1.0 0.0.0.255 echo-reply (5 matches)
        deny ip any any    → no dynamic entries have been added
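To check this state from the CLI output rather than by eye, here is an added example (not part of the original post, and not Cisco IOS code) that parses show ip access-lists output and reports any entry in ACL 101 that is not one of the statically configured lines. Such entries are what inspection inserts, so an empty result here means no CBAC session is currently open. The two embedded samples are constructed from this step's output and from the output seen after CBAC is applied; the function names and the CONFIGURED_101 set are assumptions for the example.

```python
import re

# Sample output constructed from the lab: before CBAC is applied (this step)
# and after it is applied (the later test with the dynamic telnet entry).
BEFORE_CBAC = """\
Extended IP access list 100
    permit ip 10.1.1.0 0.0.0.255 any (30 matches)
Extended IP access list 101
    permit icmp any 10.1.1.0 0.0.0.255 echo-reply (5 matches)
    deny ip any any
"""

AFTER_CBAC = """\
Extended IP access list 100
    permit ip 10.1.1.0 0.0.0.255 any (65 matches)
Extended IP access list 101
    permit tcp host 20.1.1.2 eq telnet host 10.1.1.1 eq 11005 (27 matches)
    permit icmp any 10.1.1.0 0.0.0.255 echo-reply (5 matches)
    deny ip any any
"""

# The static lines of ACL 101 as entered in the configuration step: (action, rule text).
CONFIGURED_101 = {
    ("permit", "icmp any 10.1.1.0 0.0.0.255 echo-reply"),
    ("deny", "ip any any"),
}

HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")
# Optional leading sequence number (newer IOS prints "10 permit ..."), then the
# action, the rule text and an optional "(N matches)" counter.
ENTRY = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(.*?)(?:\s+\((\d+) matches?\))?\s*$")


def parse_access_lists(text):
    """Return {acl_name: [(action, rule, match_count), ...]} in display order."""
    acls, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            acls[current].append((m.group(1), m.group(2), int(m.group(3) or 0)))
    return acls


def dynamic_entries(show_text, acl_name, configured):
    """Entries listed for acl_name that are not in the static configuration.
    With CBAC these are the temporary openings inspection has inserted."""
    shown = parse_access_lists(show_text).get(acl_name, [])
    return [(a, r, n) for a, r, n in shown if (a, r) not in configured]


def inspection_active(show_text, acl_name, configured):
    """True when at least one dynamic entry is currently present."""
    return bool(dynamic_entries(show_text, acl_name, configured))


if __name__ == "__main__":
    for label, text in (("before", BEFORE_CBAC), ("after", AFTER_CBAC)):
        print(label, dynamic_entries(text, "101", CONFIGURED_101))
```

Feeding the parser the real output (for example captured over the console) and the ACL lines from the running configuration gives a quick way to tell, on a router, whether inspection is opening return paths or whether, as in this step, the outside ACL is still static only.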
Step 7: Apply CBAC to the interface

    R2(config)#int s1
    R2(config-if)#ip inspect cbac_telnet in    → apply CBAC
Step 8: Test telnet from R1 and view the access-list entries on R2

    R1#telnet 20.1.1.2
    Trying 20.1.1.2 ... Open    → connection succeeds

    User Access Verification

    Username: cisco
    Password:
    R3>en
    Password:
    R3#

    R2#show ip access-lists    → view the access-list entries
    Extended IP access list 100
        permit ip 10.1.1.0 0.0.0.255 any (65 matches)
    Extended IP access list 101
        permit tcp host 20.1.1.2 eq telnet host 10.1.1.1 eq 11005 (27 matches)    → a dynamically added entry: the CBAC lab works
        permit icmp any 10.1.1.0 0.0.0.255 echo-reply (5 matches)
        deny ip any any
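The dynamic entry above is the whole point of CBAC: the outside ACL 101 statically admits only ICMP echo-replies, so R3's telnet reply is dropped in step 6, while in step 8 inspection on the inside interface has seen R1's outbound TCP session and inserted a temporary permit for exactly its reverse flow. The following Python simulation is an added example (not the original post's code and not Cisco IOS) that models R2 with the two ACLs and the inspection rule and replays the lab traffic; Packet, CbacRouter and run_lab are names chosen for the example, and the addresses and ports are those seen in the output above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Toy model of R2 from the lab. Packet, CbacRouter and run_lab are example
# names; the addresses and ports come from the lab output.

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # ignored for icmp
    dport: int = 0
    icmp_type: str = ""  # "echo" or "echo-reply" for icmp


INSIDE_NET = ip_network("10.1.1.0/24")   # 10.1.1.0 0.0.0.255 in ACL syntax


def acl_100(pkt):
    """access-list 100 permit ip 10.1.1.0 0.0.0.255 any (plus the implicit deny)."""
    return ip_address(pkt.src) in INSIDE_NET


def acl_101_static(pkt):
    """access-list 101: permit icmp any 10.1.1.0 0.0.0.255 echo-reply, then deny ip any any."""
    return (pkt.proto == "icmp" and pkt.icmp_type == "echo-reply"
            and ip_address(pkt.dst) in INSIDE_NET)


class CbacRouter:
    def __init__(self, inspect_protocols=("tcp", "udp"), inspect_enabled=True):
        self.inspect_protocols = set(inspect_protocols)  # ip inspect name cbac_telnet tcp / udp
        self.inspect_enabled = inspect_enabled           # ip inspect cbac_telnet in on s1
        # Temporary entries that CBAC places ahead of the static lines of ACL 101.
        # Real CBAC also ages them out when a session closes or idles; this toy does not.
        self.dynamic = set()

    def inside_in(self, pkt):
        """Packet entering s1 from the inside: ACL 100 first, then inspection of the permitted flow."""
        if not acl_100(pkt):
            return "deny"
        if self.inspect_enabled and pkt.proto in self.inspect_protocols:
            # Record the session so that exactly the reverse flow is let back in.
            self.dynamic.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "permit"

    def outside_in(self, pkt):
        """Packet entering s0 from the outside: dynamic entries first, then static ACL 101."""
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.dynamic:
            return "permit (dynamic)"
        return "permit" if acl_101_static(pkt) else "deny"

    def show_dynamic(self):
        """Render the temporary entries in show ip access-lists style
        (IOS prints well-known ports by name, so 23 appears as telnet there)."""
        return [f"permit {p} host {s} eq {sp} host {d} eq {dp}"
                for p, s, sp, d, dp in sorted(self.dynamic)]


def run_lab(inspect_enabled):
    """Replay the lab: R1 (10.1.1.1) telnets to R3 (20.1.1.2) through R2."""
    r2 = CbacRouter(inspect_enabled=inspect_enabled)
    syn = Packet("tcp", "10.1.1.1", "20.1.1.2", sport=11005, dport=23)
    syn_ack = Packet("tcp", "20.1.1.2", "10.1.1.1", sport=23, dport=11005)
    stray = Packet("tcp", "20.1.1.2", "10.1.1.1", sport=23, dport=11006)  # no matching session
    ping_reply = Packet("icmp", "20.1.1.2", "10.1.1.1", icmp_type="echo-reply")
    return {
        "syn_out": r2.inside_in(syn),                # always permitted by ACL 100
        "syn_ack_in": r2.outside_in(syn_ack),        # step 6: deny (timeout); step 8: permit (dynamic)
        "stray_in": r2.outside_in(stray),            # unsolicited inbound TCP stays blocked either way
        "ping_reply_in": r2.outside_in(ping_reply),  # step 2 pings keep working via the static line
        "dynamic": r2.show_dynamic(),
    }


if __name__ == "__main__":
    for enabled in (False, True):
        print("ip inspect on s1:", enabled, run_lab(enabled))
```

Running it with inspection off reproduces step 6 (the SYN-ACK is denied and the telnet times out); with inspection on it reproduces step 8 (one dynamic entry for 20.1.1.2:23 to 10.1.1.1:11005). The stray packet shows why this is safer than simply permitting TCP from the outside: a reply that does not match a session the inside initiated is still dropped by the static deny.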
Step 9: Show the current configurations

    R1#show run
    hostname R1
    !
    interface Serial0
     ip address 10.1.1.1 255.255.255.0
     clockrate 64000
    !
    ip route 20.1.1.0 255.255.255.0 10.1.1.2
    !
    end

    R2#show run
    hostname R2
    !
    ip inspect name cbac_telnet tcp
    ip inspect name cbac_telnet udp
    !
    interface Serial0
     ip address 20.1.1.1 255.255.255.0
     ip access-group 101 in
    !
    interface Serial1
     ip address 10.1.1.2 255.255.255.0
     ip access-group 100 in
     ip inspect cbac_telnet in
    !
    access-list 100 permit ip 10.1.1.0 0.0.0.255 any
    access-list 101 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
    access-list 101 deny ip any any
    !
    end

    R3#show run
    hostname R3
    !
    enable secret 5 $1$61vK$zLV502ahdm0EMkg/rhcHW1
    !
    username cisco password 0 cisco
    !
    interface Serial1
     ip address 20.1.1.2 255.255.255.0
     clockrate 64000
    !
    ip route 10.1.1.0 255.255.255.0 20.1.1.1
    !
    line vty 0 4
     login local
    !
    end

Reposted from: https://blog.51cto.com/dnsdhcp/287044