完成初始配置:
r1:!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.1.1 255.255.255.0
serial restart-delay 0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 1
network 1.0.0.0
network 192.168.1.0
no auto-summary
r2:interface Serial0/0
ip address 192.168.1.2 255.255.255.0
serial restart-delay 0
!
interface Serial0/1
ip address 192.168.2.2 255.255.255.0
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 1
network 192.168.1.0
network 192.168.2.0
auto-summary
r3:interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface Serial0/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/1
ip address 192.168.2.3 255.255.255.0
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 1
network 3.0.0.0
network 192.168.2.0
no auto-summary
标准的ACL 针对源地址做控制
拒绝路由1访问路由3
!r1#ping 3.3.3.3Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/36/72 ms
r1(config)#access-list 1 deny 3.3.3.3
r1(config)#access-list 1 permit any
r1(config)#int s0/0
r1(config-if)#ip access-group 1 in
r1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)
扩展访问列表
不允许r1 192.168.1.1 访问r3 3.3.3 网络
;r2(config)#access-list 101 deny ip 192.168.1.0 0.0.0.255 3.3.3.3 0.0.0.0
r2(config)#access-list 101 permit ip any any
r2(config)#int s0/0
r2(config-if)#ip acce
r2(config-if)#ip access-group 101 in
r1#ping 3.3.3.3 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
U.U.U
Success rate is 0 percent (0/5)
3.禁止R1telnet R3
R3配置
r3(config)#username liang pass
r3(config)#username liang password rui
r3(config)#line vty 0 4
r3(config-line)#login local
r3(config-line)#end
r2(config)#access-list 100 deny tcp any any eq 23
r2(config)#access-list 100 permit any any
r2(config)#int s0/0
r2(config-if)#ip access-group 100 in
r1#telnet 3.3.3.3
Trying 3.3.3.3 ...
% Destination unreachable; gateway or host down
命名访问列表
r2(config)#ip access-list extended liang
r2(config-ext-nacl)#deny tcp 192.168.1.1 0.0.0.0 3.3.3.3 0.0.0.0
r2(config-ext-nacl)#permit tcp any any
r2(config-ext-nacl)#int s0/0
r2(config-if)#ip access-group liang in
r1#ping 3.3.3.3 sou
r1#ping 3.3.3.3 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
....
*Mar 1 01:08:04.515: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.2 (Serial0/0) is down: retry limit exceeded.
Success rate is 0 percent (0/5)
使用时间ACL:
r2(config)#time-range liang
r2(config-time-range)#periodic thursday 0:50 to 0:53
r2(config)#access-list 100 deny tcp 192.168.1.1 0.0.0.0 3.3.3.3 0.0.0.0
r2(config)#access-list 100 permit tcp any any
r2(config)#int s0/0
r2(config-if)#ip acc
r2(config-if)#ip acce
r2(config-if)#ip access-group 100 in
r1#ping 3.3.3.3 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
扩展acl,要靠近源 ,标准acl靠近目标地址
本文转自q狼的诱惑 51CTO博客,原文链接:http://blog.51cto.com/liangrui/411736,如需转载请自行联系原作者
