1,外部接口配置
拓扑环境:R1属于内部路由器,R2为边界路由器,R3属于外部路由器。R1, R2通过局域网交换机相连。R2, R3通过FRAME-RELAY交换机相连。
配置实例
初始配置
R1
conf t
int f0/0
ip ad 10.1.1.1 255.255.255.0
no shut
router eigrp 1
no au
net 10.0.0.0
end
conf t
int f0/0
ip ad 10.1.1.1 255.255.255.0
no shut
router eigrp 1
no au
net 10.0.0.0
end
R2
conf t
int f 0/0
ip ad 10.1.1.2 255.255.255.0
no shut
int s2/0
ip ad 10.1.2.2 255.255.255.0
encap f
no arp f
no frame inver
frame map ip 10.1.2.3 203 b
frame map ip 10.1.2.4 204 b
no shut
router eigrp 1
no au
net 10.0.0.0
exit
conf t
int f 0/0
ip ad 10.1.1.2 255.255.255.0
no shut
int s2/0
ip ad 10.1.2.2 255.255.255.0
encap f
no arp f
no frame inver
frame map ip 10.1.2.3 203 b
frame map ip 10.1.2.4 204 b
no shut
router eigrp 1
no au
net 10.0.0.0
exit
R3
conf t
int s2/0
ip ad 10.1.2.3 255.255.255.0
encap f
no arp f
no frame inver
frame map ip 10.1.2.2 302 b
frame map ip 10.1.2.4 302 b
no shut
router eigrp 1
no au
net 10.0.0.0
end
conf t
int s2/0
ip ad 10.1.2.3 255.255.255.0
encap f
no arp f
no frame inver
frame map ip 10.1.2.2 302 b
frame map ip 10.1.2.4 302 b
no shut
router eigrp 1
no au
net 10.0.0.0
end
当EIGRP邻居建立后,对边界路由器(R2)配置自反访问列表类过虑内网用户对外网的访问
R2
conf t
ip access-list extended intraffic
per eigrp any any
deny icmp any any
evaluate tcptraffic
exit
ip access-list extended outtraffic
per tcp any any reflect tcptraffic
exit
int s2/0
ip access-group intraffic in
ip access-group outtraffic out
exit
ip reflexiver-list timeout 180
end
校验
在R3上配置
conf t
line v 0 4
password comeon
login
end
conf t
line v 0 4
password comeon
login
end
在R1上检验
R1#ping 10.1.2.3
R1#ping 10.1.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#telnet 10.1.2.3
Trying 10.1.2.3 ... Open
User Access Verification
Sending 5, 100-byte ICMP Echos to 10.1.2.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#telnet 10.1.2.3
Trying 10.1.2.3 ... Open
User Access Verification
Password:
R3>quit
R3>quit
[Connection to 10.1.2.3 closed by foreign host]
R1#
R1#
在R2上观察EIGRP邻居表
R2#sh ip ei n
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
2 10.1.2.4 Se2/0 20 00:04:31 1 5000 0 2
1 10.1.1.1 Fa0/0 13 00:04:33 784 4704 0 2
0 10.1.2.3 Se2/0 118 00:04:33 1 5000 0 2
说明R2是允许EIGRP和TCP流量通过的,而不允许ICMP流量通过。
R2#sh ip ei n
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
2 10.1.2.4 Se2/0 20 00:04:31 1 5000 0 2
1 10.1.1.1 Fa0/0 13 00:04:33 784 4704 0 2
0 10.1.2.3 Se2/0 118 00:04:33 1 5000 0 2
说明R2是允许EIGRP和TCP流量通过的,而不允许ICMP流量通过。
检验R2的ACL。
R2#sh access-list
Extended IP access list intraffic
10 permit tcp any any reflect tcptraffic (116 matches)
Extended IP access list outtraffic
10 permit eigrp any any (27 matches)
20 deny icmp any any (8 matches)
30 evaluate tcptraffic
Reflexive IP access list tcptraffic
permit tcp host 10.1.2.3 eq telnet host 10.1.1.1 eq 25369 (75 matches) (time left 2)
自动添加了一条自反访问控制列表。
R2#sh access-list
Extended IP access list intraffic
10 permit tcp any any reflect tcptraffic (116 matches)
Extended IP access list outtraffic
10 permit eigrp any any (27 matches)
20 deny icmp any any (8 matches)
30 evaluate tcptraffic
Reflexive IP access list tcptraffic
permit tcp host 10.1.2.3 eq telnet host 10.1.1.1 eq 25369 (75 matches) (time left 2)
自动添加了一条自反访问控制列表。
2,内部接口配置
拓扑图如上。R1为内部路由器,R2为边界路由器,R3为内部路由器,且属于内网的DMZ区域。R4为外部路由器。
R1, R2通过局域网交换机连接,R2, R3, R4通过FRAME-RELAY交换机连接
在R2上配置IP会话过虑后,R4不能访问R1,但是可以访问R3。当R1触发R2上的自反访问列表后,可以使R1与R4相互通信
R1, R2, R3初始配置同上
R4
conf t
int s2/0
ip ad 10.1.2.4 255.255.255.0
encap f
no arp f
no frame inver
frame map ip 10.1.2.2 402 b
frame map ip 10.1.2.3 402 b
no shut
router eigrp 1
no au
net 10.0.0.0
conf t
int s2/0
ip ad 10.1.2.4 255.255.255.0
encap f
no arp f
no frame inver
frame map ip 10.1.2.2 402 b
frame map ip 10.1.2.3 402 b
no shut
router eigrp 1
no au
net 10.0.0.0
line v 0 4
password come
login
end
end
当EIGRP邻居建立后,对边界路由器(R2)配置自反访问列表类过虑内网用户对外网的访问
R2
conf t
ip access-list extend intraffic
per eigrp any any
per tcp any any reflect tcptraffic
exit
ip access-list extended outtraffic
deny icmp any any
evaluate tcptraffic
exit
int f0/0
ip access-group intraffic in
ip access-group outtraffic out
exit
ip reflexive-list timeout 180
end
校验
R1#telnet 10.1.2.4
Trying 10.1.2.4 ... Open
User Access Verification
Trying 10.1.2.4 ... Open
User Access Verification
Password:
R4>quit
R4>quit
[Connection to 10.1.2.4 closed by foreign host]
R1#ping 10.1.2.4
R1#ping 10.1.2.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R2#sh access-l
Extended IP access list intraffic
10 permit eigrp any any (63 matches)
20 permit tcp any any reflect tcptraffic (119 matches)
Extended IP access list outtraffic
10 deny icmp any any
20 evaluate tcptraffic
Reflexive IP access list tcptraffic
permit tcp host 10.1.2.4 eq telnet host 10.1.1.1 eq 47535 (43 matches) (time left 177)
R2#sh ip ei n
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.1.1.1 Fa0/0 11 00:05:55 1 4500 0 8
2 10.1.2.4 Se2/0 147 00:12:40 1 3000 0 4
1 10.1.2.3 Se2/0 131 00:12:56 1 5000 0 6
Sending 5, 100-byte ICMP Echos to 10.1.2.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R2#sh access-l
Extended IP access list intraffic
10 permit eigrp any any (63 matches)
20 permit tcp any any reflect tcptraffic (119 matches)
Extended IP access list outtraffic
10 deny icmp any any
20 evaluate tcptraffic
Reflexive IP access list tcptraffic
permit tcp host 10.1.2.4 eq telnet host 10.1.1.1 eq 47535 (43 matches) (time left 177)
R2#sh ip ei n
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.1.1.1 Fa0/0 11 00:05:55 1 4500 0 8
2 10.1.2.4 Se2/0 147 00:12:40 1 3000 0 4
1 10.1.2.3 Se2/0 131 00:12:56 1 5000 0 6
