Lab Report

Course name: Cisco Router Open Lab
Lab title: Design of ACL-Based Access Control and Security Policy
Lab dates: June 2-3, 2012

Lab title: Design of ACL-Based Access Control and Security Policy
Lab type: Open lab
Lab hours: 16
Lab dates: 2012.6.1-2012.6.2

I. Purpose and requirements

An access control list (ACL) is a list of instructions applied to router and switch interfaces, used to control the packets entering and leaving a port. This lab requires students to master ACL configuration, understand how an ACL is evaluated, and be able to design a secure network based on ACLs.

The lab requires the following work to be completed:

1. Standard ACL. Goal: deny the network segment where student resides access to router R2, and allow only host teacher to access the telnet service of router R2.
2. Extended ACL. Goal: students cannot access ftp but can access www; the teacher is not restricted.
3. Preventing address spoofing. Users on an external network may forge their own IP address, for example by using a legitimate internal IP address or a loopback address as the source address, in order to gain unauthorized access. Solution: deny the IP addresses that could be forged.

II. Lab environment (equipment)

A PC with Cisco Packet Tracer installed, or real Cisco network devices (routers and switches).

III. Lab principles and content

Part 1. Basic ACL lab

1. Standard ACL. Goal: deny the network segment where student resides access to router R2, and allow only host teacher to access the telnet service of router R2.

The lab topology is shown below:

[topology figure]

The lab configuration is as follows:

Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#host R1
R1(config)#int f0/0
R1(config-if)#ip add 10.20.170.1 255.255.255.0
R1(config-if)#no shut
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#int s0/0/0
R1(config-if)#ip add 192.168.12.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
R1(config)#router eigrp 100
R1(config-router)#network 10.20.170.0 0.0.0.255
R1(config-router)#network 192.168.12.0
R1(config-router)#no auto
R1(config-router)#end
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]

Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#host R2
R2(config)#int s0/0/1
R2(config-if)#ip add 192.168.12.2 255.255.255.0
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/0/1, changed state to up
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R2(config-if)#exit
R2(config)#int s0/0/0
R2(config-if)#ip add 192.168.23.1 255.255.255.0
R2(config-if)#clock rate 64000
R2(config-if)#no shut
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R2(config-if)#exit
R2(config)#int f0/0
R2(config-if)#ip add 10.20.168.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config)#router eigrp 100
R2(config-router)#net 192.168.12.0
R2(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.12.1 (Serial0/0/1) is up: new adjacency
R2(config-router)#net 192.168.23.0
R2(config-router)#net 10.20.168.0 0.0.0.255
R2(config-router)#no auto
R2(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.12.1 (Serial0/0/1) is up: new adjacency
R2(config-router)#exit
R2(config)#exit
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]

Router>en
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#host R3
R3(config)#int s0/0/1
R3(config-if)#ip add 192.168.23.2 255.255.255.0
R3(config-if)#no shut
R3(config-if)#
%LINK-5-CHANGED: Interface Serial0/0/1, changed state to up
R3(config-if)#exit
R3(config)#int f0/0
R3(config-if)#ip add 10.20.66.1 255.255.255.0
R3(config-if)#no shut
R3(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#exit
R3(config)#router eigrp 100
R3(config-router)#net 0255
R3(config-router)#net 192.168.23.0
R3(config-router)#no auto
R3(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 100: Neighbor 192.168.23.1 (Serial0/0/1) is up: new adjacency
R3(config-router)#end
R3#
%SYS-5-CONFIG_I: Configured from console by console
R3#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]

Before the ACL is configured, student pings the IP addresses of R2's three interfaces and can also ping the server 10.20.168.7; the pings should succeed.

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 1 deny 10.20.170.0 0.0.0.255
R2(config)#access-list 1 permit any
R2(config)#int s0/0/1
R2(config-if)#ip access-group 1 in
R2(config-if)#exit
R2(config)#access-list 2 permit host 0
R2(config)#line vty 0 4
R2(config-line)#password 501
R2(config-line)#login
R2(config-line)#access-class 2 in
R2(config-line)#end
R2#
%SYS-5-CONFIG_I: Configured from console by console
R2#copy run start
Destination filename [startup-config]?
Building configuration...

After the ACL is configured, student pings the IP addresses of R2's three interfaces and the server 10.20.168.7; the pings should fail.

PC>ping 10.20.168.7
Pinging 10.20.168.7 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.20.168.7:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
OK

PC>ping 192.168.12.2
Pinging 192.168.12.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.12.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

After the ACL is configured, the teacher machine can telnet to R2, with the following result.

PC>telnet 192.168.23.1
Trying 192.168.23.1 ...Open
User Access Verification
Password: 501
R2>en
% No password set.
R2>

However, only the teacher machine is allowed to telnet to R2; telnet to R2 from R3 fails.

R3#telnet 192.168.23.1
Trying 192.168.23.1 ...
% Connection refused by remote host
R3#telnet 192.168.12.2
Trying 192.168.12.2 ...
% Connection refused by remote host
R3#telnet 10.20.168.1
Trying 10.20.168.1 ...
% Connection refused by remote host

Telnet to R2 from the student machine fails.

PC>telnet 192.168.12.2
Trying 192.168.12.2 ...
% Connection timed out; remote host not responding
PC>telnet 192.168.23.1
Trying 192.168.23.1 ...
% Connection timed out; remote host not responding
PC>telnet 10.20.168.1
Trying 10.20.168.1 ...
% Connection timed out; remote host not responding

Telnet to R2 from R1 fails.

R1#telnet 192.168.12.2
Trying 192.168.12.2 ...
% Connection refused by remote host
R1#telnet 192.168.23.1
Trying 192.168.23.1 ...
% Connection refused by remote host
R1#telnet 10.20.168.1
Trying 10.20.168.1 ...
% Connection refused by remote host

Teacher machine:

PC>telnet 192.168.12.1
Trying 192.168.12.1 ...Open
[Connection to 192.168.12.1 closed by foreign host]
PC>telnet 10.20.170.1
Trying 10.20.170.1 ...
% Connection timed out; remote host not responding
PC>telnet 10.20.170.10
Trying 10.20.170.10 ...
% Connection timed out; remote host not responding

R1#telnet 10.20.66.1
Trying ...Open
[Connection to 10.20.66.1 closed by foreign host]
R1#telnet 192.168.23.2
Trying 192.168.23.2 ...Open
[Connection to 192.168.23.2 closed by foreign host]

R3>en
R3#telnet 192.168.12.1
Trying 192.168.12.1 ...Open
[Connection to 192.168.12.1 closed by foreign host]
R3#telnet 10.20.170.1
Trying 10.20.170.1 ...
% Connection timed out; remote host not responding

SERVER>telnet 192.168.12.2
Trying 192.168.12.2 ...
% Connection refused by remote host
SERVER>telnet 192.168.23.1
Trying 192.168.23.1 ...
% Connection refused by remote host
SERVER>telnet 10.20.168.1
Trying 10.20.168.1 ...
% Connection refused by remote host
SERVER>telnet 192.168.12.1
Trying 192.168.12.1 ...Open
[Connection to 192.168.12.1 closed by foreign host]
SERVER>telnet 10.20.170.1
Trying 10.20.170.1 ...
% Connection timed out; remote host not responding
SERVER>telnet 192.168.23.2
Trying 192.168.23.2 ...Open
[Connection to 192.168.23.2 closed by foreign host]
SERVER>telnet 10.20.66.1
Trying ...Open
[Connection to 10.20.66.1 closed by foreign host]
SERVER>telnet 10.20.66.10
Trying 0 ...
% Connection refused by remote host
SERVER>

2. Extended ACL lab. Goal: students cannot access ftp but can access www; the teacher is not restricted.

The lab topology is shown below:

[topology figure]

The lab configuration is as follows:

R2#sh access-lists
Standard IP access list 1
    deny 10.20.170.0 0255
    permit any (1 match(es))
Standard IP access list 2
    permit host 0
R2#sh run
interface Serial0/0/1
 ip address 192.168.12.2 255.255.255.0
 ip access-group 1 in
!
line vty 0 4
 access-class 2 in
 password 501
 login
!

Remove the ACLs:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int s0/0/1
R2(config-if)#no ip access-group 1 in
R2(config-if)#exit
R2(config)#no access-list 1
R2(config)#line vty 0 4
R2(config-line)#no access-class 2 in
R2(config-line)#no password
R2(config-if)#exit
R2(config)#no access-list 2

The result can be checked with sh access-lists and sh run.

R2#sh access-lists
R2#sh run
R2#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]

Tests before the ACL is configured. Results on the student PC:

PC>ping 10.20.168.7
Pinging 10.20.168.7 with 32 bytes of data:
Reply from 10.20.168.7: bytes=32 time=203ms TTL=126
Reply from 10.20.168.7: bytes=32 time=141ms TTL=126
Reply from 10.20.168.7: bytes=32 time=157ms TTL=126
Reply from 10.20.168.7: bytes=32 time=143ms TTL=126
Ping statistics for 10.20.168.7:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 141ms, Maximum = 203ms, Average = 161ms

Test on the student machine:

PC>ftp 10.20.168.7
Trying to connect...10.20.168.7
Connected to 10.20.168.7
220- Welcome to PT Ftp server
Username:cisco
331- Username ok, need password
Password:cisco
230- Logged in
(passive mode On)
ftp>
ftp>ctrl+c
Packet Tracer PC Command Line 1.0
PC>

After DNS is configured, that is, after the server's IP address 10.20.168.7 has been mapped to the domain name www.film.com, it is also possible to log in to the ftp server by domain name.

PC>ftp m
Trying to connect...www.film.com
Connected to m
220- Welcome to PT Ftp server
Username:cisco
331- Username ok, need password
Password:cisco
230- Logged in
(passive mode On)
ftp>exit
 Invalid or non supported command.
ftp>ctrl+c
Packet Tracer PC Command Line 1.0
PC>
PC>ping 10.20.66.10
Pinging 10.20.66.10 with 32 bytes of data:
Reply from 10.20.66.10: bytes=32 time=188ms TTL=125
Reply from 10.20.66.10: bytes=32 time=172ms TTL=125
Reply from 10.20.66.10: bytes=32 time=187ms TTL=125
Reply from 10.20.66.10: bytes=32 time=187ms TTL=125
Ping statistics for 10.20.66.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 172ms, Maximum = 188ms, Average = 183ms

Before DNS is configured, the teacher's IP address can be pinged but the domain name cannot; after DNS is configured, both the IP address and the domain name can be pinged. The teacher's domain name is www.teacher.com, the server's domain name is www.film.com, and the student's domain name is www.student.com.

PC>ping www.teacher.com
Pinging 10.20.66.10 with 32 bytes of data:
Reply from 10.20.66.10: bytes=32 time=156ms TTL=125
Reply from 10.20.66.10: bytes=32 time=159ms TTL=125
Reply from 10.20.66.10: bytes=32 time=172ms TTL=125
Reply from 10.20.66.10: bytes=32 time=156ms TTL=125
Ping statistics for 10.20.66.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 156ms, Maximum = 172ms, Average = 160ms

PC>ping www.film.com
Pinging 10.20.168.7 with 32 bytes of data:
Reply from 10.20.168.7: bytes=32 time=157ms TTL=126
Reply from 10.20.168.7: bytes=32 time=156ms TTL=126
Reply from 10.20.168.7: bytes=32 time=141ms TTL=126
Reply from 10.20.168.7: bytes=32 time=125ms TTL=126
Ping statistics for 10.20.168.7:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 125ms, Maximum = 157ms, Average = 144ms

Test the www service from student. On the student machine's desktop, enter http://10.20.168.7/ in the address bar of the web browser. The page content is displayed:

Cisco Packet Tracer
Welcome to njupt film site. you can download films.
Quick Links:
A small page
Copyrights
Image page
Image

On the student machine's desktop, entering http://…m/ in the address bar of the web browser displays the page content in the same way.

Results on the teacher PC:

PC>ping 10.20.168.7
Pinging 10.20.168.7 with 32 bytes of data:
Request timed out.
Reply from 10.20.168.7: bytes=32 time=143ms TTL=126
Reply from 10.20.168.7: bytes=32 time=140ms TTL=126
Reply from 10.20.168.7: bytes=32 time=127ms TTL=126
Ping statistics for 10.20.168.7:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 127ms, Maximum = 143ms, Average = 136ms

Configure the ACL on R1.

R1(config)#access-list 101 deny tcp 10.20.170.0 0.0.0.255 host 10.20.168.7 eq 21
R1(config)#access-list 101 deny tcp 10.20.170.0 0.0.0.255 host 10.20.168.7 eq 20
R1(config)#access-list 101 permit ip 10.20.170.0 0.0.0.255 any
R1(config)#int f0/0
R1(config-if)#ip access-group 101 in
R1#sh access-lists
Extended IP access list 101
    deny tcp 10.20.170.0 0.0.0.255 host 10.20.168.7 eq ftp
    deny tcp 10.20.170.0 0.0.0.255 host 10.20.168.7 eq 20
    permit ip 10.20.170.0 0.0.0.255 any
R1#sh run
Building configuration...
Current configuration : 2004 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
interface FastEthernet0/0
 ip address 10.20.170.1 255.255.255.0
 ip access-group 101 in
 duplex auto
 speed auto

With the ACL for Student in place, test again whether Student can access the server's ftp service and www service.

PC>ftp m
Trying to connect...www.film.com
%Error opening ftp://www.film.com/ (Timed out)
.
Packet Tracer PC Command Line 1.0
PC>(Disconnecting from ftp server)
PC>ftp 10.20.168.7
Trying to connect...10.20.168.7
%Error opening ftp://10.20.168.7/ (Timed out)
.
Packet Tracer PC Command Line 1.0
PC>(Disconnecting from ftp server)
Packet Tracer PC Command Line 1.0

This shows that the student machine can no longer access the server's ftp service.

Part 2. Advanced ACL

Applications of extended ACLs

1. Preventing address spoofing.

R1 is the border router of the internal network, and R2 is the border router of the external network. Users on the external network may forge their own IP address, for example by using a legitimate internal IP address or a loopback address as the source address, in order to gain unauthorized access. Solution: deny the IP addresses that could be forged.

Router(config)#host R1
R1(config)#int s0/0/1
R1(config-if)#ip add 201.100.11.1 255.255.255.0
R1(config-if)#clock rate 64000
R1(config-if)#no shut
R1(config)#int f0/0
R1(config-if)#ip add 1 255.255.255.0
R1(config-if)#no shut
R1(config)#router eigrp 100
R1(config-router)#net 201.100.11.0
*May 10 11:29:29.374: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 201.100.11.2 (Serial0/0/1) is up: new adjacency
R1(config-router)#net 190
R1(config-router)#no auto
//
*May 10 11:29:57.010: IP-EIGRP(Default-IP-Routing-Table:100): Neighbor 192.168.1.1 not on common subnet for FastEthernet0/0
R1(config-router)#
*May 10 11:30:00.666: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 201.100.11.2 (Serial0/0/1) is resync: summary configured
R1(config-router)#
*May 10 11:30:00.666: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 201.100.11.2 (Serial0/0/1) is resync: summary configured
*May 10 11:30:10.942: IP-EIGRP(Default-IP-Routing-Table:100): Neighbor 192.168.1.1 not on common subnet for FastEthernet0/0
*May 10 11:30:24.934: IP-EIGRP(Default-IP-Routing-Table:100): Neighbor 192.168.1.1 not on common subnet for FastEthernet0/0
*May 10 11:30:38.838: IP-EIGRP(Default-IP-Routing-Table:100): Neighbor 192.168.1.1 not on common subnet for FastEthernet0/0
*May 10 11:30:53.090: IP-EIGRP(Default-IP-Routing-Table:100): Neighbor 192.168.1.1 not on common subnet for FastEthernet0/0
*May 10 11:31:07.222: IP-EIGRP(Default-IP-Routing-Table:100): Neighbor 192.168.1.1 not on common subnet for FastEthernet0/0
//

The abnormal system messages above are caused by a loop in the network. The loop arises here because the 3560 switch is connected to each of the two 2950 switches with crossover cables, the three routers are connected to one another pairwise, and the three routers are each connected to one of the three switches.

R1(config)#ip access-list extended ingress-antispoof
R1(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any
R1(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any
R1(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any
// Blocks all traffic whose source address is a private address. 172.16.0.0/12, 17 to 172.31.255.2
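
The first-match evaluation behind the report's extended ACL 101 and its ingress-antispoof list, as an added example that is not part of the original report: a small Python evaluator for the ACE forms that appear above. The student host 10.20.170.10, the outside source 203.0.113.5 and the closing `permit ip any any` entry are assumptions made for the illustration.

```python
import ipaddress

def wild_match(addr, base, wildcard):
    """Cisco wildcard match: wildcard bits set to 1 are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_ace(line):
    """Parse the subset of extended-ACE syntax that appears in the report."""
    t = line.split()
    specs, i = [], 2
    for _ in range(2):                      # source spec, then destination spec
        if t[i] == "any":
            specs.append(("0.0.0.0", "255.255.255.255")); i += 1
        elif t[i] == "host":
            specs.append((t[i + 1], "0.0.0.0")); i += 2
        else:
            specs.append((t[i], t[i + 1])); i += 2
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": t[0], "proto": t[1], "src": specs[0],
            "dst": specs[1], "dport": port}

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if wild_match(src, *ace["src"]) and wild_match(dst, *ace["dst"]):
            return ace["action"]
    return "deny"

# ACL 101 as entered on R1 in the report (applied inbound on f0/0).
ACL_101 = [
    "deny tcp 10.20.170.0 0.0.0.255 host 10.20.168.7 eq 21",
    "deny tcp 10.20.170.0 0.0.0.255 host 10.20.168.7 eq 20",
    "permit ip 10.20.170.0 0.0.0.255 any",
]
# The three ingress-antispoof entries visible in the report.
ANTISPOOF_AS_SHOWN = [
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
]
# ASSUMPTION: a closing permit, not on the page, so that other traffic passes.
ANTISPOOF_WITH_PERMIT = ANTISPOOF_AS_SHOWN + ["permit ip any any"]

if __name__ == "__main__":
    student, server = "10.20.170.10", "10.20.168.7"   # student host is constructed
    for port in (21, 80):
        print("student -> server tcp/%d:" % port,
              evaluate(ACL_101, "tcp", student, server, port))
    for src in ("172.31.255.254", "203.0.113.5"):      # constructed sources
        print(src, evaluate(ANTISPOOF_AS_SHOWN, "tcp", src, "201.100.11.1", 80),
              evaluate(ANTISPOOF_WITH_PERMIT, "tcp", src, "201.100.11.1", 80))
```

With only the three visible deny entries every packet ends at the implicit deny, and none of them matches a loopback source such as 127.0.0.1; the report's listing is cut off before any further entries.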
