西安某公司网络改造方案实施v2.doc

西安某公司网络改造方案实施项目拓扑：项目要求：1、 路由器R1和R3上分别启用回环地址1.1.1.1 3.3.3.32、 路由器R2和R3之间要求采用密文认证（双向），全网使用RIPv2协议3、 现在在要求3.3.3.3不能ping通1.1.1.1，但是可以远程登录，其它数据均被拒绝。不走R1、R3实验步骤：1、初始配置:R1：RouterenableRouter#configRouter(config)#hostname R1R1(config)#no ip domain-looku R1(config)#line console 0R1(config-line)#no exec-timeoutR1(config-line)#logging synchronous R1(config-line)#exitR2：RouterenableRouter#configRouter(config)#hostname R1R1(config)#no ip domain-looku R1(config)#line console 0R1(config-line)#no exec-timeoutR1(config-line)#logging synchronous R1(config-line)#exitR3：RouterenableRouter#configRouter(config)#hostname R3R3(config)#no ip domain-lookupR3(config)#line console 0R3(config-line)#no exec-timeoutR3(config-line)#logging synchronous R3(config-line)#exit2、地址配置R1: R1#configR1(config)#int lo0R1(config-if)#ip ad 1.1.1.1 255.255.255.0R1(config-if)#int s1/2R1(config-if)#ip ad 12.1.1.1 255.255.255.0R1(config-if)#no shR1(config-if)#int s1/3R1(config-if)#ip ad 13.1.1.1 255.255.255.0R1(config-if)#no shR2: R2(config)#int lo0R2(config-if)#ip ad 2.2.2.2 255.255.255.0R2(config-if)#int s2/1R2(config-if)#ip ad 12.1.1.2 255.255.255.0R2(config-if)#no shR2(config-if)#int s2/3R2(config-if)#ip ad 23.1.1.1 255.255.255.0R2(config-if)#no shR3: R3(config)#int lo0R3(config-if)#ip ad 3.3.3.3 255.255.255.0R3(config-if)#int s3/1R3(config-if)#ip ad 13.1.1.2 255.255.255.0R3(config-if)#no shR3(config-if)#int s3/2R3(config-if)#ip ad 23.1.1.2 255.255.255.0R3(config-if)#no sh3、全网通R1：R1(config)#router ripR1(config-router)#version 2R1(config-router)#network 1.0.0.0R1(config-router)#network 12.1.1.0R1(config-router)#network 13.1.1.0R2：R2(config)#router ripR2(config-router)#network 2.0.0.0 R2(config-router)#network 12.1.1.0R2(config-router)#network 23.1.1.0R2(config-router)#version 2R3：R3(config)#router ripR3(config-router)#version 2R3(config-router)#network 3.0.0.0R3(config-router)#network 13.1.1.0R3(config-router)#network 23.1.1.0Ping 验证R1#ping 3.3.3.3Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:!Success rate is 100 percent (5/5), round-trip min/avg/max = 32/41/48 R2#ping 13.1.1.2Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 13.1.1.2, timeout is 2 seconds:!Success rate is 100 percent (5/5), round-trip min/avg/max = 28/51/80 R3#ping 12.1.1.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:!Success rate is 100 percent (5/5), round-trip min/avg/max = 32/72/120 4、路由器R2和R3之间要求采用密文认证（双向）R2: R2(config)#key chain R2R2(config-keychain)#key 1R2(config-keychain-key)#key-string 123R2(config-keychain-key)#exitR2(config-keychain)#key 2R2(config-keychain-key)#key-string 456R2(config)#int s2/3R2(config-if)#ip rip authentication mode md5R2(config-if)#ip rip authentication key-chain R2R3：R3(config)#key chain R3R3(config-keychain)#key 1R3(config-keychain-key)#key-string 123R3(config-keychain-key)#exitR3(config-keychain)#key 2R3(config-keychain-key)#key-string 456R3(config)#int s3/2R3(config-if)#ip rip authentication mode md5R3(config-if)#ip rip authentication key-chain R3认证R2#debug ip ripRIP protocol debugging is onR2#00:59:11: RIP: received packet with MD5 authentication (MD5认证通过)00:59:11: RIP: received v2 update from 23.1.1.2 on Serial2/300:59:11: 1.0.0.0/8 - 0.0.0.0 in 2 hops00:59:11: 3.0.0.0/8 - 0.0.0.0 in 1 hops00:59:11: 13.0.0.0/8 - 0.0.0.0 in 1 hopsR3#debug ip ripRIP protocol debugging is onR3#00:57:17: RIP: received packet with MD5 authentication(MD5认证通过)00:57:17: RIP: received v2 update from 23.1.1.1 on Serial3/200:57:17: 1.0.0.0/8 - 0.0.0.0 in 2 hops00:57:17: 2.0.0.0/8 - 0.0.0.0 in 1 hops00:57:17: 12.0.0.0/8 - 0.0.0.0 in 1 hops5、现在要求3.3.3.3不能ping通1.1.1.1，但是可以远程登录，其它数据均被拒绝R2(config)#access-list 100 deny icmp host 3.3.3.3 host 1.1.1.1R2(config)#access-list 100 permit tcp host 3.3.3.3 host 1.1.1.1 eq 23R2(config)#access-list 100 deny ip any any.R2(config)#interface s2/3R2(config-if)#ip access-group 100 inR2(config-if)#end01:04:25: %SYS-5-CONFIG_I: Configured from console by consoleR3#pingProtocol ip: Target IP address: 1.1.1.1Repeat count 5: Datagram size 100: Timeout in seconds 2: Extended commands n: ySource address or interface: 3.3.3.3Type of service 0: Set DF bit in IP header? no: Validate reply data? no: Data pattern 0xABCD: Loose, Strict, Record, Timestamp, Verbosenone: Sweep range of sizes n: Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:U.U.USuccess rate is 0 percent (0/5)R3#telnet 1.1.1.1 /source-interface loopback 0Trying 1.1.1.1 . OpenPassword required, but none set Connection to