[Figure 1: Cisco access control list lab]


PC1 configuration

PC1#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

PC1(config)#int e0/1

PC1(config-if)#ip add

PC1(config-if)#ip address 10.10.1.10 255.255.255.0

PC1(config-if)#no sh

PC1(config-if)#exit

PC1(config)#ip route 0.0.0.0 0.0.0.0 10.10.1.1

PC1(config)#do sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route


Gateway of last resort is 10.10.1.1 to network 0.0.0.0


     10.0.0.0/24 is subnetted, 1 subnets

C       10.10.1.0 is directly connected, Ethernet0/1

S*   0.0.0.0/0 [1/0] via 10.10.1.1


PC2 configuration

PC2#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

PC2(config)#int e0/0

PC2(config-if)#ip add

PC2(config-if)#ip address 10.10.2.10 255.255.255.0

PC2(config-if)#no sh

PC2(config-if)#exit

PC2(config)#ip route 0.0.0.0 0.0.0.0 10.10.2.1

PC2(config)#do sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route


Gateway of last resort is 10.10.2.1 to network 0.0.0.0


     10.0.0.0/24 is subnetted, 1 subnets

C       10.10.2.0 is directly connected, Ethernet0/0

S*   0.0.0.0/0 [1/0] via 10.10.2.1


Public external router configuration

gonggongwaibu>en

gonggongwaibu#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

gonggongwaibu(config)#int e0/0

gonggongwaibu(config-if)#ip add 192.168.1.10 255.255.255.0

gonggongwaibu(config-if)#no sh

gonggongwaibu(config-if)#int e0/1

gonggongwaibu(config-if)#ip add 10.10.1.1 255.255.255.0

gonggongwaibu(config-if)#no sh

gonggongwaibu(config-if)#int e0/2

gonggongwaibu(config-if)#ip add 10.10.2.1 255.255.255.0

gonggongwaibu(config-if)#no sh

gonggongwaibu(config)#ip route 172.16.1.0 255.255.255.0 192.168.1.1

gonggongwaibu(config)#do sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route


Gateway of last resort is not set


     172.16.0.0/24 is subnetted, 1 subnets

S       172.16.1.0 [1/0] via 192.168.1.1

     10.0.0.0/24 is subnetted, 2 subnets

C       10.10.1.0 is directly connected, Ethernet0/1

C       10.10.2.0 is directly connected, Ethernet0/2

C    192.168.1.0/24 is directly connected, Ethernet0/0

gonggongwaibu(config)#do sh ip int br

Interface                  IP-Address      OK? Method Status                Protocol

Ethernet0/0                192.168.1.10    YES manual up                    up

Ethernet0/1                10.10.1.1       YES manual up                    up

Ethernet0/2                10.10.2.1       YES manual up                    up

Ethernet0/3                unassigned      YES unset  administratively down down


Lab router configuration

shiyan#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

shiyan(config)#int e0/0

shiyan(config-if)#ip add 192.168.1.1 255.255.255.0

shiyan(config-if)#no sh

shiyan(config-if)#int e0/1

shiyan(config-if)#ip add 172.16.1.1 255.255.255.0

shiyan(config-if)#no sh

shiyan(config-if)#exit

shiyan(config)#ip route 10.10.1.0 255.255.255.0 192.168.1.10

shiyan(config)#ip route 10.10.2.0 255.255.255.0 192.168.1.10

shiyan(config)#do sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route


Gateway of last resort is not set


     172.16.0.0/24 is subnetted, 1 subnets

C       172.16.1.0 is directly connected, Ethernet0/1

     10.0.0.0/24 is subnetted, 2 subnets

S       10.10.1.0 [1/0] via 192.168.1.10

S       10.10.2.0 [1/0] via 192.168.1.10

C    192.168.1.0/24 is directly connected, Ethernet0/0


Test router configuration

ceshi>en

ceshi#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

ceshi(config)#int e0/0

ceshi(config-if)#ip address 172.16.1.10 255.255.255.0

ceshi(config-if)#no sh

ceshi(config-if)#exit

ceshi(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1

ceshi(config)#do sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route


Gateway of last resort is 172.16.1.1 to network 0.0.0.0


     172.16.0.0/24 is subnetted, 1 subnets

C       172.16.1.0 is directly connected, Ethernet0/0

S*   0.0.0.0/0 [1/0] via 172.16.1.1


1. Standard ACL:

Allow hosts in the 10.10.1.0 subnet to access the test server

Deny hosts in the 10.10.2.0 subnet access to the test server

Add the following commands on the lab router

access-list 1 permit 10.10.1.10 0.0.0.255

interface f0/0

ip access-group 1 in

2. Extended ACL:

Allow subnet 1 and subnet 2 to ping the test server

Allow subnet 1, but not subnet 2, to access the TELNET service on the internal network

Add the following commands on the lab router

access-list 101 permit icmp any any echo

access-list 101 permit icmp any any echo-reply

access-list 101 permit tcp 10.10.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 23

interface f0/0

ip access-group 101 in

On the test server

enable password 123

line vty 0 4

password 123

login

From PC1 and PC2, ping the test server, then telnet to it

View the ACL

show access-list

show ip route
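To predict what `show access-list` and the ping/telnet tests should show before touching the lab, the following Python evaluator applies Cisco ACL semantics (wildcard masks, first match wins, implicit deny at the end) to the exact standard and extended ACL lines from steps 1 and 2 above. It is an added example, not code from the page or from Cisco IOS, and it models only the inbound direction on the lab router interface the ACL is bound to; the page writes `f0/0`, while the lab router's own `show ip route` output lists its interfaces as Ethernet0/0 and Ethernet0/1, so the interface name is taken as an assumption and does not affect the match logic. The host addresses (PC1 10.10.1.10, PC2 10.10.2.10, test server 172.16.1.10) are the page's; the extra SSH probe is constructed to show the implicit deny.

```python
"""Evaluator for the two numbered ACLs in this lab (added example, not IOS code).

Cisco semantics modelled:
  * wildcard masks: a 1 bit means "don't care", a 0 bit must match exactly;
  * entries are checked top to bottom and the first match decides;
  * every ACL ends with an implicit "deny any".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "ip", "icmp", "tcp" or "udp"
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # "echo" or "echo-reply"


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" for a standard ACL entry
    src: str
    swc: str                         # source wildcard
    dst: str = "0.0.0.0"
    dwc: str = "255.255.255.255"     # destination wildcard ("any" by default)
    dport: Optional[int] = None      # from "eq <port>"
    icmp_type: Optional[str] = None  # trailing ICMP type keyword


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit the wildcard leaves at 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def _parse_addr(tok: List[str], i: int):
    """Parse 'any' | 'host A' | 'A WILDCARD' | bare 'A' at tok[i]; return (base, wildcard, next_i)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:
        return tok[i], tok[i + 1], i + 2
    return tok[i], "0.0.0.0", i + 1          # bare address in a standard ACL = host


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list <n> permit|deny ...' lines; 1-99 standard, 100-199 extended."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue                         # ignore remarks and unrelated config
        number, action = int(tok[1]), tok[2]
        if number <= 99:                     # standard ACL: source address only
            src, swc, _ = _parse_addr(tok, 3)
            entries.append(Entry(action, "ip", src, swc))
        else:                                # extended: proto, source, destination, qualifiers
            proto = tok[3]
            src, swc, i = _parse_addr(tok, 4)
            dst, dwc, i = _parse_addr(tok, i)
            rest = tok[i:]
            dport = icmp_type = None
            if proto in ("tcp", "udp") and rest[:1] == ["eq"]:
                dport = int(rest[1])
            elif proto == "icmp" and rest:
                icmp_type = rest[0]
            entries.append(Entry(action, proto, src, swc, dst, dwc, dport, icmp_type))
    return entries


def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """First matching entry decides; no match means the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, e.src, e.swc) and wildcard_match(pkt.dst, e.dst, e.dwc)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        return e.action
    return "deny"


# The page's ACLs, applied inbound on the lab router interface facing the public router.
STANDARD_ACL = parse_acl(["access-list 1 permit 10.10.1.10 0.0.0.255"])
EXTENDED_ACL = parse_acl([
    "access-list 101 permit icmp any any echo",
    "access-list 101 permit icmp any any echo-reply",
    "access-list 101 permit tcp 10.10.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 23",
])
PC1, PC2, SERVER = "10.10.1.10", "10.10.2.10", "172.16.1.10"


def lab_results() -> dict:
    """Outcome of the page's tests (ping, then telnet) under each ACL, plus a constructed SSH probe."""
    def ping(src):   return Packet(src, SERVER, "icmp", icmp_type="echo")
    def telnet(src): return Packet(src, SERVER, "tcp", dport=23)
    def ssh(src):    return Packet(src, SERVER, "tcp", dport=22)
    return {
        "std PC1 ping": evaluate(STANDARD_ACL, ping(PC1)),
        "std PC2 ping": evaluate(STANDARD_ACL, ping(PC2)),      # implicit deny
        "ext PC1 ping": evaluate(EXTENDED_ACL, ping(PC1)),
        "ext PC2 ping": evaluate(EXTENDED_ACL, ping(PC2)),
        "ext PC1 telnet": evaluate(EXTENDED_ACL, telnet(PC1)),
        "ext PC2 telnet": evaluate(EXTENDED_ACL, telnet(PC2)),  # implicit deny
        "ext PC1 ssh": evaluate(EXTENDED_ACL, ssh(PC1)),        # no entry matches port 22
    }


if __name__ == "__main__":
    for name, verdict in lab_results().items():
        print(f"{name:16s} {verdict}")
```

Two points the evaluator makes visible. First, `permit 10.10.1.10 0.0.0.255` matches the entire 10.10.1.0/24 because the wildcard ignores the last octet (IOS itself displays the entry with the wildcard bits zeroed, i.e. 10.10.1.0); only the implicit deny keeps 10.10.2.0/24 out. Second, an interface takes one ACL per direction, so `ip access-group 101 in` replaces ACL 1 on that interface rather than stacking on it, and because both ACLs are inbound only, the server's echo replies and telnet responses leaving through the same interface are never filtered. The `show access-list` step is where to confirm this on the real router: its per-entry match counters should increment for PC1's telnet and stay at zero for PC2's.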