Basic ACL Lab - Network Protocols

Step 1: Basic configuration

r1(config)#int fa0/0
r1(config-if)#ip add 192.168.10.1 255.255.255.0
r1(config-if)#no sh
r1(config-if)#int fa1/0
r1(config-if)#ip add 12.12.12.1 255.255.255.0
r1(config-if)#no sh
r1(config-if)#int fa2/0
r1(config-if)#ip add 13.13.13.1 255.255.255.0
r1(config-if)#no sh
r1(config-if)#exit
r1(config)#router ospf 100
r1(config-router)#router-id 1.1.1.1
r1(config-router)#net 0.0.0.0 255.255.255.255 a 0
r1(config-router)#exit

r2(config)#int fa1/0
r2(config-if)#ip add 12.12.12.2 255.255.255.0
r2(config-if)#no sh
r2(config-if)#int fa0/0
r2(config-if)#ip add 192.168.20.1 255.255.255.0
r2(config-if)#no sh
r2(config-if)#exit
r2(config)#router ospf 100
r2(config-router)#router-id 2.2.2.2
r2(config-router)#net 0.0.0.0 255.255.255.255 a 0
r2(config-router)#exit

r3(config)#int fa1/0
r3(config-if)#ip add 13.13.13.3 255.255.255.0
r3(config-if)#no sh
r3(config-if)#exit
r3(config)#int fa0/0
r3(config-if)#ip add 192.168.30.1 255.255.255.0
r3(config-if)#no sh
r3(config-if)#exit
r3(config)#router ospf 100
r3(config-router)#router-id 3.3.3.3
r3(config-router)#net 0.0.0.0 255.255.255.255 area 0
r3(config-router)#exit

PC1: 192.168.10.10 (host configuration screenshot not reproduced in the text)

PC2: 192.168.20.10 (host configuration screenshot not reproduced in the text)

Step 2: Experiments

1. PC1 cannot use Remote Desktop to PC2, but can still ping and telnet to it

r2(config)#ip access-list extended 100
r2(config-ext-nacl)#deny tcp host 192.168.10.10 host 192.168.20.10 eq 3389
r2(config-ext-nacl)#permit ip any any
r2(config)#int fa1/0
r2(config-if)#ip access-group 100 in
r2(config-if)#exit
r2(config)#exit

r2#show ip access-lists
Extended IP access list 100
10 deny tcp host 192.168.10.10 host 192.168.20.10 eq 3389 (6 matches)
20 permit ip any any (8 matches)

2. Requirement: only hosts on PC1's network with an even IP address can ping PC2

r2(config)#ip access-list extended 101
r2(config-ext-nacl)#deny ip 192.168.10.1 0.0.0.254 host 192.168.20.10 // wildcard 0.0.0.254 fixes only the lowest bit of the last octet, so this matches every odd address in 192.168.10.0/24
r2(config-ext-nacl)#permit ip any any
r2(config)#int fa1/0
r2(config-if)#ip access-group 101 in // replaces ACL 100 on this interface: only one ACL per interface per direction
r2(config-if)#no sh
r2(config-if)#exit

r2#show ip access-lists
Extended IP access list 101
10 deny ip 192.168.10.1 0.0.0.254 host 192.168.20.10 (12 matches)
20 permit ip any any (54 matches)

3. Incorrect ACL syntax

r2(config)#ip access-list extended 100
r2(config-ext-nacl)#deny ip 192.168.10.10 255.255.255.255 192.168.20.10 255.255.255.255 // a subnet mask was typed where a wildcard mask belongs: wildcard 255.255.255.255 makes every bit don't-care, so IOS stores this as any-to-any
r2(config-ext-nacl)#exit
r2#show ip access-lists
Extended IP access list 100
10 deny ip any any
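
A small first-match ACL evaluator, added here as an example (it is not code from the original post), to check what the entries in sections 1 to 3 actually match: Cisco wildcard-mask semantics, the odd/even trick of 0.0.0.254, the implicit deny at the end of every list, and why a subnet mask typed as a wildcard turns into any-to-any. It assumes extended ACEs written the way the page writes them (protocol, source, destination, optional `eq` on the destination port); the function and variable names are my own.

```python
import ipaddress

PORTS = {"telnet": 23, "www": 80}  # IOS port keywords accepted after 'eq' (only those this page needs)

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must equal the base address, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def _addr(tokens):
    """Pop one address spec: 'any', 'host X', or 'X WILDCARD'; returns (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_ace(line):
    """Parse one extended ACE, e.g. 'deny tcp host 192.168.10.10 host 192.168.20.10 eq 3389'."""
    t = line.split()
    rest = t[2:]
    src, dst = _addr(rest), _addr(rest)  # left-to-right evaluation consumes src first
    dport = int(PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None  # 'eq PORT' is optional
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": dport}

def render(ace):
    """Show the ACE as 'show ip access-lists' would: a 255.255.255.255 wildcard collapses to 'any'."""
    spec = lambda b, w: "any" if w == "255.255.255.255" else (f"host {b}" if w == "0.0.0.0" else f"{b} {w}")
    port = f" eq {ace['dport']}" if ace["dport"] is not None else ""
    return f"{ace['action']} {ace['proto']} {spec(*ace['src'])} {spec(*ace['dst'])}{port}"

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins; no match means the implicit 'deny ip any any' at the end of every ACL."""
    for seq, ace in enumerate(acl, start=1):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] not in (None, dport):
            continue
        return ace["action"], seq * 10  # IOS numbers the entries 10, 20, ...
    return "deny", None

# Constructed from the page's ACL 100, ACL 101 and the mistaken entry of section 3.
PERMIT_ALL = "permit ip any any"
ACL_100 = [parse_ace(s) for s in ("deny tcp host 192.168.10.10 host 192.168.20.10 eq 3389", PERMIT_ALL)]
ACL_101 = [parse_ace(s) for s in ("deny ip 192.168.10.1 0.0.0.254 host 192.168.20.10", PERMIT_ALL)]
WRONG = [parse_ace("deny ip 192.168.10.10 255.255.255.255 192.168.20.10 255.255.255.255")]
```

Running `render(WRONG[0])` gives `deny ip any any`, exactly what the router displayed above, and `evaluate(ACL_101, "icmp", "192.168.10.11", "192.168.20.10")` hits the deny while the even neighbour 192.168.10.10 falls through to the permit.
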

4. Standard ACL

deny PC1 192.168.10.10 -> 192.168.20.10

r1(config)#access-list 1 deny host 192.168.10.10 // a standard ACL matches the source only, so this blocks 192.168.10.10 to every destination beyond R1, not just 192.168.20.10
r1(config)#access-list 1 permit any
r1(config)#int fa0/0
r1(config-if)#ip access-group 1 in
r1(config)#exit
r1#show ip access-lists
Standard IP access list 1
10 deny 192.168.10.10 (12 matches)
20 permit any (64 matches)

5. Extended ACL

Requirement: the 192.168.10.0 network cannot use Remote Desktop to 192.168.20.10, but can still ping and telnet to it

r1(config)#access-list 101 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 3389
r1(config)#access-list 101 permit ip any any
r1(config)#int fa0/0
r1(config-if)#ip access-group 101 in // replaces ACL 1 on fa0/0
r1(config-if)#exit
r1#show ip access-lists
Extended IP access list 101
10 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 3389 (9 matches)
20 permit ip any any (39 matches)

6. Named ACL

Benefit: a single entry can be modified on its own.

r1(config)#ip access-list extended a
r1(config-ext-nacl)#deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 3389
r1(config-ext-nacl)#permit ip any any
r1(config-ext-nacl)#int fa0/0
r1(config-if)#ip access-group a in
r1(config)#ip access-list extended a
r1(config-ext-nacl)#15 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq telnet // inserted between entries 10 and 20 by sequence number, without rewriting the list
r1(config-ext-nacl)#do show ip access
Extended IP access list a
10 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 3389 (63 matches)
15 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq telnet (6 matches)
20 permit ip any any (125 matches)

7. ICMP ACL

Requirement: 192.168.10.10 cannot ping 192.168.20.10, but 192.168.20.10 can ping 192.168.10.10

8. An ACL does not apply to packets the router itself sends

Configure an ACL on R2 so that R2 cannot telnet to R1

r2#telnet 12.12.12.1
Trying 12.12.12.1 … Open
User Access Verification
Password:
r1>exit
[Connection to 12.12.12.1 closed by foreign host]

r2(config)#access-list 100 deny tcp host 12.12.12.1 eq 23 host 12.12.12.2 // matches R1's replies (source port 23) arriving inbound; an inbound ACL never sees the packets R2 itself sends
r2(config)#access-list 100 permit ip any any
r2(config)#int fa1/0
r2(config-if)#ip access-group 100 in
r2(config-if)#no sh
r2(config-if)#exit
r2(config)#exit
r2#show ip access-lists 100
Extended IP access list 100
10 deny tcp host 12.12.12.1 eq telnet host 12.12.12.2
20 permit ip any any (2 matches)

r2#telnet 12.12.12.1
Trying 12.12.12.1 …
% Connection timed out; remote host not responding
r2#show ip access-lists
Extended IP access list 100
10 deny tcp host 12.12.12.1 eq telnet host 12.12.12.2 (12 matches)
20 permit ip any any (7 matches)

9. Applying an ACL to the VTY lines

r1(config)#access-list 10 permit 192.168.20.10 // only 192.168.20.10 is allowed to telnet to this device; every other source hits the implicit deny
r1(config)#line vty 0 4
r1(config-line)#access-class 10 in
r1(config-line)#exit