1、實 驗 報 告課程名稱稱思科路由由器開放放實驗實驗名稱稱基于ACCL的訪訪問控制制及安全全策略的的設計實實驗實驗時間間20122年6月2-3日實 驗 報 告告實驗名稱稱基于ACCL的訪訪問控制制及安全全策略的的設計實實驗實驗類型型開放實驗驗實驗學時時16實驗時間間20122.6.1-220122.6.2實驗目的的和要求求訪問控制制列表（Acccesss Coontrrol Lisst，AACL） 是 HYPERLINK /view/1360.htm 路路由器和和 HYPERLINK /view/1077.htm 交換機機接口的的指令列列表，用用來 HYPERLINK /view/798022.

2、htm 控制制端口進進出的數數據包。驗要求求學生掌掌握訪問問控制列列表的配配置，理理解ACCL的執執行過程程；能夠夠根據AACL設設計安全全的網絡絡。實驗要求求完成以以下工作作：標準ACCL。實實驗目標標：本實實驗拒絕絕stuudennt所在在網段訪訪問路由由器R22，同時時只允許許主機tteaccherr訪問路路由器RR2的ttelnnet服服務。擴展ACCL實驗驗：實驗驗目標：學生不不能訪問問ftpp,但能能訪問wwww，教師不不受限制制。防止地址址欺騙。外部網網絡的用用戶可能能會偽裝裝自己的的ip地地址，比比如使用用內部網網的合法法IP地地址或者者回環地地址作為為源地址址，從而而實現非非

3、法訪問問。解決決辦法：將可能能偽裝到到的ipp地址拒拒絕掉。二、實驗驗環境(實驗設設備)PC機，并安裝裝Cissco Pacckett Trraceer軟件件或者是是真實的的思科網網絡設備備（路由由器交換換機）。三、實驗驗原理及及內容一 基本本ACLL實驗：1.標準準ACLL。實驗驗目標：本實驗驗拒絕sstuddentt所在網網段訪問問路由器器R2，同時只只允許主主機teeachher訪訪問路由由器R22的teelneet服務務。實驗拓補補圖如下下：實驗配置置如下：RoutterenRoutter#connf ttEnteer cconffiguurattionn coommaandss, o

4、one perr liine. EEnd witth CCNTLL/Z.Routter(connfigg)#hhostt R1R1(cconffig)#innt f0/0R1(cconffig-if)#ipp addd 10.20.1700.1 2555.2255.2555.0R1(cconffig-if)#noo shhut%LINNK-55-CHHANGGED: Innterrfacce FFasttEthhernnet00/0, chhangged staate to up%LINNEPRROTOO-5-UPDDOWNN: LLinee prrotoocoll onn Innterrfa

5、cce FFasttEthhernnet00/0, chhangged staate to upR1(cconffig-if)#exxitR1(cconffig)#innt ss0/00/0R1(cconffig-if)#ipp addd 1922.1668.112.11 2255.2555.2555.00R1(cconffig-if)#cllockk raate 640000R1(cconffig-if)#noo shhut%LINNK-55-CHHANGGED: Innterrfacce SSeriial00/0/0, chaangeed sstatte tto ddownnR1(ccon

6、ffig-if)#exxitR1(cconffig)#roouteer eeigrrp 1100R1(cconffig-rouuterr)#nnetwworkk 100.200.1770.00 0.0.00.2555R1(cconffig-rouuterr)#nnetwworkk 1992.1168.12.0 R1(cconffig-rouuterr)#nno aautooR1(cconffig-rouuterr)#eendR1#%SYSS-5-CONNFIGG_I: Coonfiigurred froom cconssolee byy coonsooleR1#ccopyy ruun ssta

7、rrtDesttinaatioon ffileenamme staartuup-cconffig? Builldinng cconffiguurattionnOKRoutterenRoutter#connf ttEnteer cconffiguurattionn coommaandss, oone perr liine. EEnd witth CCNTLL/Z.Routter(connfigg)#hhostt R22R2(cconffig)#innt s0/0/11R2(cconffig-if)#ipp addd 1192.1688.122.2 2555.2555.2255.0 R2(ccon

8、ffig-if)#noo shhut%LINNK-55-CHHANGGED: Innterrfacce SSeriial00/0/1, chaangeed sstatte tto uupR2(cconffig-if)#%LINNEPRROTOO-5-UPDDOWNN: LLinee prrotoocoll onn Innterrfacce SSeriial00/0/1, chaangeed sstatte tto uupR2(cconffig-if)#exxitR2(cconffig)#innt s0/0/00R2(cconffig-if)#ipp addd 1192.1688.233.1 2

9、555.2555.2255.0R2(cconffig-if)#cllockk raate 640000R2(cconffig-if)#noo shhut%LINNK-55-CHHANGGED: Innterrfacce SSeriial00/0/0, chaangeed sstatte tto ddownnR2(cconffig-if)#exxitR2(cconffig)#innt f0/0R2(cconffig-if)#ipp addd 110.220.1168.1 2255.2555.2555.00R2(cconffig-if)#noo shhutR2(cconffig-if)#%LINN

10、K-55-CHHANGGED: Innterrfacce FFasttEthhernnet00/0, chhangged staate to upR2(cconffig-if)#exxit%LINNEPRROTOO-5-UPDDOWNN: LLinee prrotoocoll onn Innterrfacce FFasttEthhernnet00/0, chhangged staate to upR2(cconffig)#roouteer eeigrrp 1100R2(cconffig-rouuterr)#nnet 1922.1668.112.00 R2(cconffig-rouuterr)#

11、%DUAAL-55-NBBRCHHANGGE: IP-EIGGRP 1000: NNeigghboor 1192.1688.122.1 (Seeriaal0/0/11) iis uup: neww addjaccenccyR2(cconffig-rouuterr)#nnet 1922.1668.223.00 R2(cconffig-rouuterr)#nnet 10.20.1688.0 0.00.0.2555R2(cconffig-rouuterr)#nno aautooR2(cconffig-rouuterr)#%DUAAL-55-NBBRCHHANGGE: IP-EIGGRP 1000:

12、NNeigghboor 1192.1688.122.1 (Seeriaal0/0/11) iis uup: neww addjaccenccyR2(cconffig-rouuterr)#eexittR2(cconffig)#exxitR2#%SYSS-5-CONNFIGG_I: Coonfiigurred froom cconssolee byy coonsooleR2#ccopyy ruun sstarrtDesttinaatioon ffileenamme staartuup-cconffig? Builldinng cconffiguurattionnOKRoutterenRoutter

13、#connf ttEnteer cconffiguurattionn coommaandss, oone perr liine. EEnd witth CCNTLL/Z.Routter(connfigg)#hhostt R33R3(cconffig)#innt ss0/00/1R3(cconffig-if)#ipp addd 1192.1688.233.2 2555.2255.2555.0R3(cconffig-if)#noo shhutR3(cconffig-if)#%LINNK-55-CHHANGGED: Innterrfacce SSeriial00/0/1, chaangeed sst

14、atte tto uupR3(cconffig-if)#exxitR3(cconffig)#innt ff0/00R3(cconffig-if)#ipp addd 110.220.666.11 2555.2255.2555.0R3(cconffig-if)#noo shhutR3(cconffig-if)#%LINNK-55-CHHANGGED: Innterrfacce FFasttEthhernnet00/0, chhangged staate to up%LINNEPRROTOO-5-UPDDOWNN: LLinee prrotoocoll onn Innterrfacce FFastt

15、Ethhernnet00/0, chhangged staate to upR3(cconffig-if)#exxitR3(cconffig)#roouteer eeigrrp 1100R3(cconffig-rouuterr)#nnet 0255R3(cconffig-rouuterr)#nnet 1922.1668.223.00R3(cconffig-rouuterr)#nno aautooR3(cconffig-rouuterr)#%DUAAL-55-NBBRCHHANGGE: IP-EIGGRP 1000: NNeigghboor 1192.1688

16、.233.1 (Seeriaal0/0/11) iis uup: neww addjaccenccyR3(cconffig-rouuterr)#eendR3#%SYSS-5-CONNFIGG_I: Coonfiigurred froom cconssolee byy coonsooleR3#ccopyy ruun sstarrtDesttinaatioon ffileenamme staartuup-cconffig? Builldinng cconffiguurattionnOK配ACLL之前，stuudennt去ppingg RR2的三三個接口口的ipp地址，也可以以pinng 服務器器

17、100.200.1668.77，應該該pinng得通通。R2#cconff tEnteer cconffiguurattionn coommaandss, oone perr liine. EEnd witth CCNTLL/Z.R2(cconffig)#acccesss-llistt 11 deeny 100.200.1770.00 0.0.00.2555R2(cconffig)#acccesss-llistt 11 peermiit anyyR2(cconffig)#innt s0/0/11R2(cconffig-if)#ipp acccesss-ggrouup 11 innR2(ccon

18、ffig-if)#exxitR2(cconffig)#acccesss-llistt 2 perrmitt hoost 0R2(cconffig)#liine vtyy 0 4R2(cconffig-linne)#passswoord 5011R2(cconffig-linne)#logginR2(cconffig-linne)#acccesss-cllasss 2 innR2(cconffig-linne)#enddR2#%SYSS-5-CONNFIGG_I: Coonfiigurred froom cconssolee byy coonsooleR2#ccopyy ru

19、un sstarrtDesttinaatioon ffileenamme staartuup-cconffig? Builldinng cconffiguurattionn配ACLL之后，stuudennt去ppingg RR2的三三個接口口的ipp地址，也可以以pinng 服務器器 100.200.1668.77，應該該pinng不通通。PCppingg 100.200.1668.77Pinggingg 100.200.1668.77 wiith 32 byttes of datta:Requuestt tiimedd ouut.Requuestt tiimedd ouut.Requuest

20、t tiimedd ouut.Requuestt tiimedd ouut.Pingg sttatiistiics forr 100.200.1668.77: Paccketts: Sennt = 4, Reeceiivedd = 0, Losst = 4 (1000% losss),OKPCppingg 1192.1688.122.2Pinggingg 1992.1168.12.2 wwithh 322 byytess off daata:Requuestt tiimedd ouut.Requuestt tiimedd ouut.Requuestt tiimedd ouut.Requuest

21、t tiimedd ouut.Pingg sttatiistiics forr 1992.1168.12.2: Paccketts: Sennt = 4, Reeceiivedd = 0, Losst = 4 (1000% losss),配ACLL之后，teaacheer機可可以teelneet RR2 ，效果如如下。PCttelnnet 1922.1668.223.11Tryiing 1922.1668.223.11 OppenUserr Acccesss VVeriificcatiionPasssworrd: 5011R2een% Noo paasswwordd seet.R2但只允許許t

22、eaacheer 機機tellnett R22，在RR3上ttelnnet R22 不成成功。R3#ttelnnet 1922.1668.223.11Tryiing 1922.1668.223.11 % Coonneectiion reffuseed bby rremoote hosstR3#ttelnnet 1922.1668.112.22Tryiing 1922.1668.112.22 % Coonneectiion reffuseed bby rremoote hosstR3#ttelnnet 10.20.1688.1Tryiing 10.20.1688.1 % Coonneectiio

23、n reffuseed bby rremoote hosst在stuudennt機上上tellnett RR2 不不成功。PCttelnnet 1992.1168.12.2Tryiing 1922.1668.112.22 % Coonneectiion timmed outt; rremoote hosst nnot ressponndinngPCttelnnet 1992.1168.23.1Tryiing 1922.1668.223.11 % Coonneectiion timmed outt; rremoote hosst nnot ressponndinngPCttelnnet 100.

24、200.1668.11Tryiing 10.20.1688.1 % Coonneectiion timmed outt; rremoote hosst nnot ressponndinng在R1上上tellnett RR2 不不成功。R1#ttelnnet 1992.1168.12.2Tryiing 1922.1668.112.22 % Coonneectiion reffuseed bby rremoote hosstR1#ttelnnet 1992.1168.23.1Tryiing 1922.1668.223.11 % Coonneectiion reffuseed bby rremoot

25、e hosstR1#ttelnnet 100.200.1668.11Tryiing 10.20.1688.1 % Coonneectiion reffuseed bby rremoote hosstTeaccherr機：PCttelnnet 1922.1668.112.11Tryiing 1922.1668.112.11 OppenConnnecctioon tto 1192.1688.122.1 cloosedd byy fooreiign hosstPCttelnnet 10.20.1700.1Tryiing 10.20.1700.1 % Coonneectiion timmed outt

26、; rremoote hosst nnot ressponndinngPCttelnnet 10.20.1700.100Tryiing 10.20.1700.100 % Coonneectiion timmed outt; rremoote hosst nnot ressponndinngR1#ttelnnet 100.200.666.1Tryiing OOpennConnnecctioon tto 110.220.666.11 clloseed bby fforeeignn hoostR1#ttelnnet 1992.1168.23.2Tryiing 1922.1668

27、.223.22 OppenConnnecctioon tto 1192.1688.233.2 cloosedd byy fooreiign hosstR3eenR3#ttelnnet 1922.1668.112.11Tryiing 1922.1668.112.11 OppenConnnecctioon tto 1192.1688.122.1 cloosedd byy fooreiign hosstR3#ttelnnet 10.20.1700.1Tryiing 10.20.1700.1 % Coonneectiion timmed outt; rremoote hosst nnot resspo

28、nndinngSERVVERtellnett 1992.1168.12.2Tryiing 1922.1668.112.22 % Coonneectiion reffuseed bby rremoote hosstSERVVERtellnett 1992.1168.23.1Tryiing 1922.1668.223.11 % Coonneectiion reffuseed bby rremoote hosstSERVVERtellnett 100.200.1668.11Tryiing 10.20.1688.1 % Coonneectiion reffuseed bby rremoote hoss

29、tSERVVERtellnett 1992.1168.12.1Tryiing 1922.1668.112.11 OppenConnnecctioon tto 1192.1688.122.1 cloosedd byy fooreiign hosstSERVVERtellnett 100.200.1770.11Tryiing 10.20.1700.1 % Coonneectiion timmed outt; rremoote hosst nnot ressponndinngSERVVERtellnett 1992.1168.23.2Tryiing 1922.1668.223.22 OppenCon

30、nnecctioon tto 1192.1688.233.2 cloosedd byy fooreiign hosstSERVVERtellnett 100.200.666.1Tryiing OOpennConnnecctioon tto 110.220.666.11 clloseed bby fforeeignn hoostSERVVERtellnett 100.200.666.100Tryiing 0 % Coonneectiion reffuseed bby rremoote hosstSERVVER2擴展AACL實實驗：實實驗目標標：學生生不能

31、訪訪問fttp,但但能訪問問wwww，教師師不受限限制。實驗拓補補圖如下下：實驗配置置如下：R2#ssh aacceess-lisstsStanndarrd IIP aacceess lisst 11 denny 110.220.1170.0 0255 perrmitt anny (11 mattch(es)Stanndarrd IIP aacceess lisst 22 perrmitt hoost 0R2#ssh rruninteerfaace Serriall0/00/1 ip adddresss 1192.1688.122.2 2555.2555.22

32、55.0 ip acccesss-grroupp 1 in!linee vtty 00 4 acccesss-cllasss 2 in passswoord 5011 loggin!刪除ACCL：R2#cconff tEnteer cconffiguurattionn coommaandss, oone perr liine. EEnd witth CCNTLL/Z.R2(cconffig)#innt ss0/00/1R2(cconffig-if)#noo ipp acccesss-ggrouup 11 innR2(cconffig-if)#exxitR2(cconffig)#noo accc

33、esss-llistt 1R2(cconffig)#liine vtyy 0 4R2(cconffig-linne)#no acccesss-cllasss 2 inR2(cconffig-linne)#no passswoord R2(connfigg-iff)#eexittR2(cconffig)#noo acccesss-llistt 2可以用ssh aacceess-lissts 和sh runn查看。R2#ssh aacceess-lisstsR2#ssh rrunR2#ccopyy ruun sstarrtDesttinaatioon ffileenamme staartuup-c

34、conffig? Builldinng cconffiguurattionnOK配ACLL之前測測試：studdentt的pcc機測試試結果如如下：PCppingg 100.200.1668.77Pinggingg 100.200.1668.77 wiith 32 byttes of datta:Replly ffromm 100.200.1668.77: bbytees=332 ttimee=2003mss TTTL=1126Replly ffromm 100.200.1668.77: bbytees=332 ttimee=1441mss TTTL=1126Replly ffromm 100

35、.200.1668.77: bbytees=332 ttimee=1557mss TTTL=1126Replly ffromm 100.200.1668.77: bbytees=332 ttimee=1443mss TTTL=1126Pingg sttatiistiics forr 100.200.1668.77: Paccketts: Sennt = 4, Reeceiivedd = 4, Losst = 0 (0% looss),Apprroxiimatte rrounnd ttripp tiimess inn miillii-seeconnds: Minnimuum = 1441mss,

36、 MMaxiimumm = 2033ms, Avveraage = 1161mmsstuddentt機上測測試：PCfftp 10.20.1688.7Tryiing to connnecct100.200.1668.77Connnectted to 10.20.1688.7220- Weelcoome to PT Ftpp seerveerUserrnamme:cciscco331- Ussernnamee okk, nneedd paasswworddPasssworrd:cciscco230- Looggeed iin(passsivve mmodee Onn)ftpftpctrrl+cc

37、Packket Traacerr PCC Coommaand Linne 11.0PC配dnss之后，也就是是指定了了服務器器的ipp地址110.220.1168.7 和和域名 HYPERLINK http:/wwww.fillm.ccom wwww.ffilmm.coom 的的對應關關系之后后，也可可以以域域名的方方式登錄錄到fttp服務務器。PCfftp mTryiing to connnecctwwww.ffilmm.coomConnnectted to m220- Weelcoome to PT Ftpp seerveerUserrnamme:cciscco331- Ussernnam

38、ee okk, nneedd paasswworddPasssworrd:cciscco230- Looggeed iin(passsivve mmodee Onn)ftpexiit Invvaliid oor nnon suppporrtedd coommaand.ftpctrrl+ccPackket Traacerr PCC Coommaand Linne 11.0PCPCppingg 100.200.666.100Pinggingg 100.200.666.100 wiith 32 byttes of datta:Replly ffromm 100.200.666.100: bbytee

39、s=332 ttimee=1888mss TTTL=1125Replly ffromm 100.200.666.100: bbytees=332 ttimee=1772mss TTTL=1125Replly ffromm 100.200.666.100: bbytees=332 ttimee=1887mss TTTL=1125Replly ffromm 100.200.666.100: bbytees=332 ttimee=1887mss TTTL=1125Pingg sttatiistiics forr 100.200.666.100: Paccketts: Sennt = 4, Reece

40、iivedd = 4, Losst = 0 (0% looss),Apprroxiimatte rrounnd ttripp tiimess inn miillii-seeconnds: Minnimuum = 1772mss, MMaxiimumm = 1888ms, Avveraage = 1183mms配dnss之前，pinng teaacheer 的的ip地地址，但但pinng不了了域名；配dnns之后后，ipp地址和和域名都都可以ppingg通。TTeaccherr的域名名 HYPERLINK m，服務務器的域域名 HYPERLINK wwww.ffilmm.coom，sstudde

41、ntt的域名名 HYPERLINK m wwww.sstuddentt.coom。PCppingg wwww.tteaccherr.coomPinggingg 100.200.666.100 wiith 32 byttes of datta:Replly ffromm 100.200.666.100: bbytees=332 ttimee=1556mss TTTL=1125Replly ffromm 100.200.666.100: bbytees=332 ttimee=1559mss TTTL=1125Replly ffromm 100.200.666.100: bbytees=332 tt

42、imee=1772mss TTTL=1125Replly ffromm 100.200.666.100: bbytees=332 ttimee=1556mss TTTL=1125Pingg sttatiistiics forr 100.200.666.100: Paccketts: Sennt = 4, Reeceiivedd = 4, Losst = 0 (0% looss),Apprroxiimatte rrounnd ttripp tiimess inn miillii-seeconnds: Minnimuum = 1556mss, MMaxiimumm = 1722ms, Avvera

43、age = 1160mmsPCppingg wwww.ffilmm.coomPinggingg 100.200.1668.77 wiith 32 byttes of datta:Replly ffromm 100.200.1668.77: bbytees=332 ttimee=1557mss TTTL=1126Replly ffromm 100.200.1668.77: bbytees=332 ttimee=1556mss TTTL=1126Replly ffromm 100.200.1668.77: bbytees=332 ttimee=1441mss TTTL=1126Replly ffr

44、omm 100.200.1668.77: bbytees=332 ttimee=1225mss TTTL=1126Pingg sttatiistiics forr 100.200.1668.77: Paccketts: Sennt = 4, Reeceiivedd = 4, Losst = 0 (0% looss),Apprroxiimatte rrounnd ttripp tiimess inn miillii-seeconnds: Minnimuum = 1225mss, MMaxiimumm = 1577ms, Avveraage = 1144mms在stuudennt上測測試wwww服

45、務務。在stuudennt機的的桌面，在WEEB瀏覽覽器的地地址欄里里輸入 HYPERLINK hhttpp:/10.20.1688.7/ htttp:/110.220.1168.7/顯示網頁頁內容：Ciscco PPackket TraacerrWelccomee too njjuptt fiilm sitte. youu caan ddownnloaad ffilmms. Quiick Linnks: A smmalll paage Copyyrigghtss Imagge ppagee Imagge在stuudennt機的的桌面，在WEEB瀏覽覽器的地地址欄里里輸入 HYPERLINK

46、/ hhttpp:/m/，同同樣可以以顯示網網頁內容容。teaccherr 的ppc機測測試結果果如下：PCppingg 100.200.1668.77Pinggingg 100.200.1668.77 wiith 32 byttes of datta:Requuestt tiimedd ouut.Replly ffromm 100.200.1668.77: bbytees=332 ttimee=1443mss TTTL=1126Replly ffromm 100.200.1668.77: bbytees=332 ttimee=1440mss TTTL=1126Replly ffromm 10

47、0.200.1668.77: bbytees=332 ttimee=1227mss TTTL=1126Pingg sttatiistiics forr 100.200.1668.77: Paccketts: Sennt = 4, Reeceiivedd = 3, Losst = 1 (255% llosss),Apprroxiimatte rrounnd ttripp tiimess inn miillii-seeconnds:Miniimumm = 1277ms, Maaximmum = 1143mms, Aveeragge = 1336mss在R1上上配ACCL。R1(cconffig)#

48、acccesss-llistt 1001 deeny ttcp 110.220.1170.0 0.0.00.2555 hoost 110.220.1168.7 eq 211R1(cconffig)#acccesss-llistt 1001 deeny ttcp 110.220.1170.0 0.0.00.2555 hoost 110.220.1168.7 eq 200R1(cconffig)#acccesss-llistt 1001 peermiit ipp 110.220.1170.0 0.0.00.2555 anyy R1(connfigg)#iint f00/0R1(cconffig-i

49、f)#ipp acccesss-ggrouup 1101 inR1#ssh aacceess-lisstsExteendeed IIP aacceess lisst 1101 denny ttcp 10.20.1700.0 0.00.0.2555 hoost 10.20.1688.7 eq ftpp denny ttcp 10.20.1700.0 0.00.0.2555 hoost 10.20.1688.7 eq 20 perrmitt ipp 100.200.1770.00 0.0.00.2555 aany R1#sh runnBuilldinng cconffiguurattionnCur

50、rrentt coonfiigurratiion : 220044 byytess!verssionn 122.4no sservvicee tiimesstammps logg daatettimee mssecno sservvicee tiimesstammps debbug dattetiime mseecno sservvicee paasswwordd-enncryyptiion!hosttnamme RR1!inteerfaace FasstEttherrnett0/00 ip adddresss 110.220.1170.1 2255.2555.2555.00 ip accce

51、sss-grroupp 1001 iin dupplexx auuto speeed auttoStuddentt上配好好acll后，再再測Studdentt能否訪訪問服務務器的fftp服服務和wwww服服務。PCfftp mTryiing to connnecctwwww.ffilmm.coom%Errror opeeninng fftp:/wwww.fillm.ccom/ (TTimeed oout).Packket Traacerr PCC Coommaand Linne 11.0PC(Dissconnnecctinng ffromm fttp sservver)PCfftp 100.2

52、00.1668.77Tryiing to connnecct100.200.1668.77%Errror opeeninng fftp:/110.220.1168.7/ (Tiimedd ouut).Packket Traacerr PCC Coommaand Linne 11.0PC(Dissconnnecctinng ffromm fttp sservver)Packket Traacerr PCC Coommaand Linne 11.0說明sttudeent機機已不能能訪問服服務器的的ftpp服務了了。二 高級級ACLL擴展ACCL的應應用1.防止止地址欺欺騙。R1是內內網的邊邊界路由

53、由器，RR2是外外網的邊邊界路由由器。外部網絡絡的用戶戶可能會會偽裝自自己的iip地址址，比如如使用內內部網的的合法IIP地址址或者回回環地址址作為源源地址，從而實實現非法法訪問。解決辦辦法：將將可能偽偽裝到的的ip地地址拒絕絕掉。Routter(connfigg)#hhostt R11R1(cconffig)#innt ss0/00/1R1(cconffig-if)#ipp addd 2201.1000.111.1 2555.2555.2255.0R1(cconffig-if)#cllockk raate 640000R1(cconffig-if)#noo shhutR1(cconffig)

54、#innt ff0/00R1(cconffig-if)#ipp addd 1 2555.2555.2255.0R1(cconffig-if)#noo shhutR1(cconffig)#roouteer eeigrrp 1100R1(cconffig-rouuterr)#nnet 2011.1000.111.00*Mayy 100 111:299:299.3774: %DUUAL-5-NNBRCCHANNGE: IPP-EIIGRPP(0) 1000: Neiighbbor 2011.1000.111.22(Serriall0/00/1) iss upp: nnew adj

55、jaceencyyR1(cconffig-rouuterr)#nnet 190R1(cconffig-rouuterr)#nno aautoo/*MMay 10 11:29:57.0100: IIP-EEIGRRP(DDefaaultt-IPP-Rooutiing-Tabble:1000): Neiighbbor 1922.1668.11.1 nnot on commmonn suubneet ffor FasstEttherrnett0/00R1(cconffig-rouuterr)#*Mayy 100 111:300:000.6666: %DUUAL-5-NNBRCCHAN

56、NGE: IPP-EIIGRPP(0) 1000: Neiighbbor 2011.1000.111.22(Serriall0/00/1) iss reesynnc: summmarry cconffiguureddR1(cconffig-rouuterr)#*Mayy 100 111:300:000.6666: %DUUAL-5-NNBRCCHANNGE: IPP-EIIGRPP(0) 1000: Neiighbbor 2011.1000.111.22(Serriall0/00/1) iss reesynnc: summmarry cconffiguuredd*Mayy 100 111:30

57、0:100.9442: IP-EIGGRP(Deffaullt-IIP-RRouttingg-Taablee:1000): Neeighhborr 1992.1168.1.1 nnot on commmonn suubneet ffor FasstEttherrnett0/00*Mayy 100 111:300:244.9334: IP-EIGGRP(Deffaullt-IIP-RRouttingg-Taablee:1000): Neeighhborr 1992.1168.1.1 nnot on commmonn suubneet ffor FasstEttherrnett0/00*Mayy

58、100 111:300:388.8338: IP-EIGGRP(Deffaullt-IIP-RRouttingg-Taablee:1000): Neeighhborr 1992.1168.1.1 nnot on commmonn suubneet ffor FasstEttherrnett0/00*Mayy 100 111:300:533.0990: IP-EIGGRP(Deffaullt-IIP-RRouttingg-Taablee:1000): Neeighhborr 1992.1168.1.1 nnot on commmonn suubneet ffor FasstEttherrnett

59、0/00*Mayy 100 111:311:077.2222: IP-EIGGRP(Deffaullt-IIP-RRouttingg-Taablee:1000): Neeighhborr 1992.1168.1.1 nnot on commmonn suubneet ffor FasstEttherrnett0/00/以上系統統顯示異異常的原原因是網網絡有環環路，這這里產生生環路的的連接是是因為335600交換機機和兩臺臺29550交換換機分別別用交叉叉線連接接，三臺臺路由器器兩兩連連接，三三臺路由由器分別別與三臺臺交換機機連接。R1(cconffig)#ipp acccesss-llistt

60、 exxtenndedd inngreess-anttspooofR1(cconffig-extt-naacl)#deeny ip 10.0.00.0 0.2255.2555.2555 aanyR1(cconffig-extt-naacl)#deeny ip 1922.1668.00.0 0.00.2555.2255 anyyR1(cconffig-extt-naacl)#deeny ip 1772.116.00.0 0.115.2255.2555 anny /阻阻止源地地址為私私有地址址的所有有通信流流。1772.116.00.0/12，17到1172.31.2555.2