acl，nat和dhcp的使用和配置

ACL，NAT和DHCP的使用和配置实验目的：熟练掌握ACL，NAT和DHCP的原理以及在CISCOIOS上对它们进行配置的方法实验内容：ACL的配置NAT的配置DHCP的配置实验条件：2600系列路由器两台，2900交换机一台，PC两台一．ACL的配置（一）标准ACLStep1在路由器上配置主机名和密码Step2配置以太网段上的PCa.PC1IPaddress192.168.14.2Subnetmask255.255.255.0Defaultgateway192.168.14.1b.PC2IPaddress192.168.14.3Subnetmask255.255.255.0Defaultgateway192.168.14.1Step3保存配置GAD#copyrunning-configstartup-configStep4通过ping命令测试两台PC到缺省网关的连接性Step5阻止PC访问路由器的以太口GAD(config)#access-list1deny192.168.14.00.0.0.255GAD(config)#access-list1permitanyStep6从路由器ping两台PCStep7把ACL应用到接口上GAD(config-if)#ipaccess-group1inStep8从两台PCping路由器Step9创建新的ACLaccess-list2permit192.168.14.10.0.0.254Step10把ACL应用的接口上ipaccess-group2inStep11从两台PCping路由器GAD#showrunning-configversion12.0servicetimestampsdebuguptimeservicetimestampsloguptimenoservicepassword-encryption!hostnameGAD!ipsubnet-zero!ipauditnotifylogipauditpomax-events100!interfaceFastEthernet0/0ipaddress192.168.14.1255.255.255.0ipaccess-group2innoipdirected-broadcast!interfaceSerial0/0noipaddressnoipdirected-broadcastnoipmroute-cacheshutdownnofair-queue!interfaceSerial0/1noipaddressnoipdirected-broadcastshutdown!ipclasslessnoiphttpserver!access-list1deny192.168.14.00.0.0.255access-list1permitanyaccess-list2permit192.168.14.10.0.0.254!linecon0transportinputnonelineaux0linevty04!end（二）扩展ACLStep1配置路由器GAD的主机名和密码Step2配置以太网段上的PCa.PC1IPaddress192.168.14.2Subnetmask255.255.255.0Defaultgateway192.168.14.1b.PC2IPaddress192.168.14.3Subnetmask255.255.255.0Defaultgateway192.168.14.1Step3保存配置GAD#copyrunning-configstartup-configStep4通过ping命令测试两台PC到缺省网关的连接性Step5用Web浏览器连接路由器Step6防止通过以太网接入80端口GAD(config)#access-list101denytcp192.168.14.00.0.0.255anyeq80GAD(config)#access-list101permitipanyanyStep7应用ACL到接口GAD(config-if)#ipaccess-group101inStep8从PCPing路由器Step9用Web浏览器连接路由器Step10从PC接入路由器GAD#showrunning-configBuildingconfiguration...Currentconfiguration:!version12.0servicetimestampsdebuguptimeservicetimestampsloguptimenoservicepassword-encryption!hostnameGAD!!memory-sizeiomem10ipsubnet-zeronoipdomain-lookup!ipauditnotifylogipauditpomax-events100!process-max-time200!interfaceFastEthernet0/0ipaddress192.168.14.1255.255.255.0ipaccess-group101innoipdirected-broadcast!interfaceSerial0/0ipaddress192.168.2.1255.255.255.0noipdirected-broadcast!interfaceSerial0/1noipaddressnoipdirected-broadcastshutdown!ipclasslessiphttpserver!access-list101denytcp192.168.14.00.0.0.255anyeq!linecon0passwordciscologintransportinputnonelineaux0linevty04passwordciscologin!noschedulerallocateend（三）命名ACLStep1配置路由器的主机名和密码Step2配置以太网段上的PCa.PC1IPaddress192.168.14.2Subnetmask255.255.255.0Defaultgateway192.168.14.1b.PC2IPaddress192.168.14.3Subnetmask255.255.255.0Defaultgateway192.168.14.1Step3保存配置GAD#copyrunning-configstartup-configStep4通过ping命令测试两台PC到缺省网关的连接性Step5阻止主机访问以太口GAD(config)#ipaccess-liststandardno_accessGAD(config-std-nacl)#deny192.168.14.00.0.0.255GAD(config-std-nacl)#permitanyStep6从PCPing路由器Step7应用ACL到接口上GAD(config-if)#ipaccess-groupno_accessinStep8从PCPing路由器GAD#showrunning-configBuildingconfiguration...Currentconfiguration:638bytes!version12.2!hostnameGAD!enablesecret5$1$rzr7$l9H/aXmOyxeCAiPAUoGLq.!ipsubnet-zero!interfaceFastEthernet0/0ipaddress192.168.14.1255.255.255.0ipaccess-groupno_accessin!interfaceSerial0/0noipaddressshutdownnofair-queue!interfaceSerial0/1noipaddressshutdown!ipclasslessnoiphttpserver!!ipaccess-liststandardno_accessdeny192.168.14.00.0.0.255permitany!linecon0passwordciscologinlineaux0passwordciscologinlinevty04passwordciscologin!endGAD#showipaccess-listsStandardIPaccesslistno_accessdeny192.168.14.0,wildcardbits0.0.0.255(18matches)permitany一．NAT的配置（一）静态和动态NATStep1配置路由器346-489CCNA4:WANTechnologiesv3.1-Lab1.1.4cCopyright粕2003,CiscoSystems,Inc.ISPRouter#configureterminalRouter(config)#hostnameISPISP(config)#enablepasswordciscoISP(config)#enablesecretclassISP(config)#lineconsole0ISP(config-line)#passwordciscoISP(config-line)#loginISP(config-line)#exitISP(config)#linevty04ISP(config-line)#passwordciscoISP(config-line)#loginISP(config-line)#exitISP(config)#interfaceloopback0ISP(config-if)#ipaddress172.16.1.1255.255.255.255ISP(config-if)#exitISP(config)#interfaceserial0ISP(config-if)#ipaddress200.2.2.17255.255.255.252ISP(config-if)#clockrate64000ISP(config)#iproute199.99.9.32255.255.255.224200.2.2.18ISP(config)#endISP#copyrunning-configstartup-configGatewayRouter#configureterminalRouter(config)#hostnameGatewayGateway(config)#enablepasswordciscoGateway(config)#enablesecretclassGateway(config)#lineconsole0Gateway(config-line)#passwordciscoGateway(config-line)#loginGateway(config-line)#exitGateway(config)#linevty04Gateway(config-line)#passwordciscoGateway(config-line)#loginGateway(config-line)#exitGateway(config)#interfacefastethernet0Gateway(config-if)#ipaddress10.10.10.1255.255.255.0Gateway(config-if)#noshutdownGateway(config-if)#exitGateway(config)#interfaceserial0Gateway(config-if)#ipaddress200.2.2.18255.255.255.252Gateway(config-if)#noshutdownGateway(config)#iproute0.0.0.00.0.0.0200.2.2.17Step2保存配置copyrunning-configstartup-config.Step3