Basic ACL Lab Configuration
【Lab Topology】
R1 s0/0 <--12.12.12.0---------> s0/0 R2 s0/1 <-----23.23.23.0---------->s0/0 R3
loop 0:1.1.1.1
【Lab Contents】
1. Standard access control lists.
2. Extended access control lists.
3. Named access control lists.
【Lab Configuration】
1. Standard access control lists (1-99)
Requirement: only allow host A to reach host B; the loopback must not be reachable.
access-list 1 permit 12.12.12.1
interface Serial0/0
ip address 12.12.12.2 255.255.255.0
ip access-group 1 in
Alternatively, apply it on int s0/1:
interface serial0/1
ip address 23.23.23.2 255.255.255.0
ip access-group 1 out
Key commands:
access-list {1-99} {permit|deny} {host | address}
ip access-group {list} {in | out}
Test:
R1#ping
Protocol [ip]:
Target IP address: 23.23.23.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 1.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)
R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
One test shows unreachable, the other times out. This shows packets cannot get from R1 to R2, but can get from R2 to R1. The "U" replies mean R2 dropped the echo requests sourced from 1.1.1.1 at s0/0 inbound (ACL 1 only permits 12.12.12.1) and returned ICMP unreachables; R3's echo requests enter R2 on s0/1, which has no ACL, and reach R1, but R1's echo replies are sourced from 1.1.1.1 and are dropped at R2's s0/0 inbound, so R3 only sees timeouts.
2. Extended access control lists (100-199)
(1) R1 cannot telnet to R2, but can ping it.
(2) R1 can telnet to R2, but cannot ping it.
(1) First confirm that telnet works (before any access control list is configured):
R1#telnet 23.23.23.3
Trying 23.23.23.3 ... Open
User Access Verification
Password:
R3>
Configure the ACL:
access-list 100 deny tcp 12.12.12.0 0.0.0.255 host 23.23.23.3 eq telnet
access-list 100 permit ip any any
Apply it to the interface:
ip access-group 100 in
R1#telnet 23.23.23.3
Trying 23.23.23.3 ...
% Destination unreachable; gateway or host down
R1#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/87/168 ms
(2)
show access-lists
Extended IP access list 101
10 permit tcp 12.12.12.0 0.0.0.255 host 23.23.23.3 eq telnet (25 matches)
R1#telnet 23.23.23.3
Trying 23.23.23.3 ... Open
User Access Verification
Password:
R3>
R3>
R3>exit
[Connection to 23.23.23.3 closed by foreign host]
R1#
R1#
R1#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
3. Named access control lists:
Advantage: a named access list can be modified and have entries deleted; with the two numbered types above, any modification or deletion means the whole list has to be reconfigured, so this type is recommended.
Standard IP access list sf
10 permit 1.1.1.1 (5 matches)
R1#ping 23.23.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#ping
Protocol [ip]:
Target IP address: 23.23.23.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 1.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/75/104 ms
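As an added example, not part of the original lab, the following Python script models how IOS evaluates the four lists used above (ACL 1, ACL 100, ACL 101 and the named list sf): wildcard-mask matching, protocol and destination-port checks, first match wins, and the implicit deny at the end of every list. The names Entry, Packet, evaluate and lab_results are my own; the script assumes that a standard ACL is judged on the source address only and, as the topology indicates, that R1's echo reply to R3's ping of 1.1.1.1 enters R2 on s0/0 where ACL 1 is applied.

```python
# Added example (not from the lab page): a minimal simulator of Cisco IOS ACL
# matching, used to reproduce the results of the three ACL types in this lab.
# It models only what the lab uses: source/destination wildcard matching,
# protocol, destination port, first-match-wins and the implicit deny.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Match = Tuple[str, str]          # (address, wildcard mask) as typed in IOS
ANY: Match = ("0.0.0.0", "255.255.255.255")
TELNET = 23                      # "eq telnet"


def host(ip: str) -> Match:
    """IOS 'host A.B.C.D' is shorthand for wildcard 0.0.0.0 (exact match)."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; only the 0 bits must agree."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    src: Match
    dst: Match = ANY             # standard ACLs only look at the source
    proto: str = "ip"            # "ip" matches every protocol
    dport: Optional[int] = None  # destination port for tcp/udp entries


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "icmp" or "tcp" in this lab
    dport: Optional[int] = None


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt; the first matching entry wins."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *e.src):
            continue
        if not wildcard_match(pkt.dst, *e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"                # implicit "deny any" at the end of every ACL


# The four lists from the lab, transcribed entry by entry.
ACL_1 = [Entry("permit", host("12.12.12.1"))]
ACL_100 = [
    Entry("deny", ("12.12.12.0", "0.0.0.255"), host("23.23.23.3"), "tcp", TELNET),
    Entry("permit", ANY, ANY, "ip"),
]
ACL_101 = [Entry("permit", ("12.12.12.0", "0.0.0.255"), host("23.23.23.3"), "tcp", TELNET)]
ACL_SF = [Entry("permit", host("1.1.1.1"))]   # named list "sf" from the show output


def lab_results() -> dict:
    """Each lab test expressed as one packet hitting the ACL applied to it."""
    ping_from_serial = Packet("12.12.12.1", "23.23.23.3", "icmp")
    ping_from_loopback = Packet("1.1.1.1", "23.23.23.3", "icmp")
    telnet_r1_r3 = Packet("12.12.12.1", "23.23.23.3", "tcp", TELNET)
    # R1's echo reply to R3's "ping 1.1.1.1" is sourced from 1.1.1.1 and enters
    # R2 on s0/0, so ACL 1 judges it exactly like ping_from_loopback (assumption
    # based on the lab topology).
    return {
        "acl1_ping_from_serial": evaluate(ACL_1, ping_from_serial),      # permit
        "acl1_ping_from_loopback": evaluate(ACL_1, ping_from_loopback),  # deny -> "U"
        "acl1_echo_reply_to_r3": evaluate(ACL_1, ping_from_loopback),    # deny -> R3 times out
        "acl100_telnet": evaluate(ACL_100, telnet_r1_r3),                # deny
        "acl100_ping": evaluate(ACL_100, ping_from_serial),              # permit
        "acl101_telnet": evaluate(ACL_101, telnet_r1_r3),                # permit
        "acl101_ping": evaluate(ACL_101, ping_from_serial),              # deny (implicit)
        "sf_ping_from_serial": evaluate(ACL_SF, ping_from_serial),       # deny
        "sf_ping_from_loopback": evaluate(ACL_SF, ping_from_loopback),   # permit
    }


if __name__ == "__main__":
    for name, verdict in lab_results().items():
        print(f"{name:26} {verdict}")
```

Running the script prints the verdict for each test, and they line up with the ping and telnet results shown in the lab: ACL 101 blocks ping not because of any deny entry but because the implicit deny catches everything the single permit does not match, which is the point the "(2)" test demonstrates.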
【Lab Summary】
This lab reviewed basic ACLs. Follow-up labs will go further into ACLs, such as reflexive lists and time-based lists; stay tuned.
This article is reposted from the 51CTO blog of wzhj132; original link: http://blog.51cto.com/wzhj132/187835