setp 1  基本配置
 
r1(config)#int fa0/0
r1(config-if)#ip add 192.168.10.1 255.255.255.0
r1(config-if)#no sh
r1(config-if)#int fa1/0
r1(config-if)#ip add 12.12.12.1 255.255.255.0
r1(config-if)#no sh
r1(config-if)#int fa2/0
r1(config-if)#ip add 13.13.13.1 255.255.255.0
r1(config-if)#no sh
r1(config-if)#exit
r1(config)#router ospf 100
r1(config-router)#router-id 1.1.1.1
r1(config-router)#net 0.0.0.0 255.255.255.255 a 0
r1(config-router)#exit
 
r2(config)#int fa1/0
r2(config-if)#ip add 12.12.12.2 255.255.255.0
r2(config-if)#no sh
r2(config-if)#int fa0/0
r2(config-if)#ip add 192.168.20.1 255.255.255.0
r2(config-if)#no sh
r2(config-if)#exit
r2(config)#router ospf 100
r2(config-router)#router-id 2.2.2.2
r2(config-router)#net 0.0.0.0 255.255.255.255 a 0
r2(config-router)#exit
 
r3(config)#int fa1/0
r3(config-if)#ip add 13.13.13.3 255.255.255.0
r3(config-if)#no sh
r3(config-if)#exit
r3(config)#int fa0/0
r3(config-if)#ip add 192.168.30.1 255.255.255.0
r3(config-if)#no sh
r3(config-if)#exit
r3(config)#router ospf 100
r3(config-router)#router-id 3.3.3.3
r3(config-router)#net 0.0.0.0 255.255.255.255 area 0
r3(config-router)#exit
 
PC1
 
PC2
 
 
setp 2 实验
 
1.PC1 不能远程桌面到 PC2. 可以 ping 通及 telnet
 
r2(config)#ip access-list extended 100
r2(config-ext-nacl)#deny tcp host 192.168.10.10 host 192.168.20.10 eq 3389
r2(config-ext-nacl)#permit ip any any
r2(config)#int fa1/0
r2(config-if)#ip acce
r2(config-if)#ip access-group 100 in
r2(config-if)#exit
r2(config)#exit
 
r2#show ip access-lists
Extended IP access list 100
    10 deny tcp host 192.168.10.10 host 192.168.20.10 eq 3389 (6 matches)
    20 permit ip any any (8 matches)
 
 
2.要求 : 只允许 PC1 IP 地址为偶数的能 ping PC2
 
r2(config)#ip access-list extended 101
r2(config-ext-nacl)#deny ip 192.168.10.1 0.0.0.254 host 192.168.20.10
r2(config-ext-nacl)#permit ip any any
r2(config)#int fa1/0
r2(config-if)#ip access-group 101 in
r2(config-if)#no sh
r2(config-if)#exit
 
 
 
r2#show ip access-lists
Extended IP access list 101
    10 deny ip 192.168.10.1 0.0.0.254 host 192.168.20.10 (12 matches)
    20 permit ip any any (54 matches)
 
3. ACL 错误写法
 
r2(config)#ip access-list extended 100
r2(config)# deny ip 192.168.10.10 255.255.255.255 192.168.20.10 255.255.255.255    // 转换成 any any
r2(config-ext-nacl)#exit
r2#show ip access-lists
Extended IP access list 100
     10 deny ip any any
 
 
4.ACL标准写法 
deny PC1 192.168.10.10 ---->192.168.20.10
 
r1(config)#access-list 1 deny host 192.168.10.10        
r1(config)#access-list 1 permit any
r1(config)#int fa0/0
r1(config-if)#ip access-group 1 in
r1(config)#exit
r1#show ip access-lists
Standard IP access list 1
    10 deny    192.168.10.10 (12 matches)
    20 permit any (64 matches)
 
5. ACL 扩展写法 
要求 192.168.10.0 网段不能远程桌面到 192.168.20.10, 可以 ping telnet
 
 
r1(config)#access-list 101 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10   eq 3389
r1(config)#access-list 101 permit ip any any
r1(config)#int fa0/0            
r1(config-if)#ip access-group 101 in
r1(config-if)#exit
r1#show ip access-lists
Extended IP access list 101
    10 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 3389 (9 matches)
    20 permit ip any any (39 matches)
 
6. 命名 ACL
好处 : 可以对单独的某一条语句进行修改
 
r1(config)#ip access-list extended a
r1(config-ext-nacl)#deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 3389
r1(config-ext-nacl)#permit ip any any
r1(config-ext-nacl)#int fa0/0
r1(config-if)#ip access-group a in
r1(config)#ip access-list extended a     
r1(config-ext-nacl)#15 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq   telnet 
r1(config-ext-nacl)#do show ip access
Extended IP access list a
    10 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 3389 (63 matches)
    15 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq telnet (6 matches)
    20 permit ip any any (125 matches)
 
7. ICMP ACL
要求 : 192.168.10.10 不能 ping 192.168.20.10, 192.168.20.10 ping 192.168.10.10
 
8. ACL     对自己出包不起作用  
R2 上做 ACL, 使 R2 不能对 R1telnet
 
r2#telnet 12.12.12.1
Trying 12.12.12.1 ... Open
User Access Verification
Password:
r1>exit
[Connection to 12.12.12.1 closed by foreign host]
 
r2(config)# access-list 100 deny tcp host 12.12.12.1 eq 23 host 12.12.12.2
r2(config)# access-list 100 permit ip any any
r2(config)#int fa1/0
r2(config-if)# ip access-group 100 in
r2(config-if)#no sh
r2(config-if)#exit
r2(config)#exit   
r2#show ip access-lists 100
Extended IP access list 100
    10 deny tcp host 12.12.12.1 eq telnet host 12.12.12.2
 
   20 permit ip any any (2 matches)
r2#telnet 12.12.12.1
Trying 12.12.12.1 ...
% Connection timed out; remote host not responding
r2#show ip access-lists
Extended IP access list 100
    10 deny tcp host 12.12.12.1 eq telnet host 12.12.12.2 (12 matches)
    20 permit ip any any (7 matches)
 
9. VTY 应用ACL
 
r1(config)#access-list 10 per
r1(config)#access-list 10 permit 192.168.20.10      // 只允许 192.168.20.10 对此设备 telnet
r1(config)#line vty 0 4
r1(config-line)#acc
r1(config-line)#access-class 10 in
r1(config-line)#exit