NA-NP-IE Series Lab 37: Named ACLs

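Lab 37: Named ACLs
1. Objectives
After completing this lab you will be able to:
1) Define a named ACL
2) Apply a named ACL
2. Topology
The lab topology is shown in the figure.
3. Procedure
Notes:
1. A named ACL lets a standard or extended ACL be identified by a string instead of the number used previously. A named ACL also lets individual entries be deleted from a specific ACL, which makes it easy for the network administrator to modify the ACL.
2. Use a standard named ACL so that 2.2.2.2 cannot access 1.1.1.1, and an extended named ACL so that 172.16.1.2 cannot access 2.2.2.2.
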
r0(config)#int loo 1
r0(config-if)#ip add 172.
*Mar  1 00:01:39.799: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
r0(config-if)#ip add 1.1.1.1 255.255.255.0
r0(config-if)#int s0/0
r0(config-if)#ip add 172.16.1.1 255.255.255.0
r0(config-if)#no sh
r0(config-if)#
*Mar  1 00:02:12.139: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 00:02:13.139: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r0(config-if)#exit
r0(config)#router ospf 1
r0(config-router)#net 1.1.1.0 0.0.0.255 area 0
r0(config-router)#net 172.16.1.0 0.0.0.255 area 0
r0(config-router)#
*Mar  1 00:05:56.863: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.2.1 on Serial0/0 from LOADING to FULL, Loading Done
r0(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
 
Gateway of last resort is not set
 
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback1
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/129] via 172.16.1.2, 00:00:05, Serial0/0
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Serial0/0
O       172.16.2.0 [110/128] via 172.16.1.2, 00:00:05, Serial0/0
r0(config-router)#exit
r0(config)#int loo 1
r0(config-if)#ip ospf net point-to-point
 
r0(config-if)#ip access-list standard cisco
r0(config-std-nacl)#deny host 2.2.2.2
r0(config-std-nacl)#permit any
r0(config-std-nacl)#exit
// Configure the standard named ACL
r0(config)#int s0/0
r0(config-if)#ip access-group cisco in
r0(config-if)#do sh access-list cisco
Standard IP access list cisco
    10 deny   2.2.2.2
    20 permit any (2 matches)
r0(config-if)#do ping 2.2.2.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r0(config-if)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
 
Gateway of last resort is not set
 
     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Loopback1
     2.0.0.0/24 is subnetted, 1 subnets
O       2.2.2.0 [110/129] via 172.16.1.2, 00:03:22, Serial0/0
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Serial0/0
O       172.16.2.0 [110/128] via 172.16.1.2, 00:03:22, Serial0/0
r0(config-if)#do ping 172.16.2.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/29/56 ms
r0(config-if)#
 
 
 
r1(config)#int s0/0
r1(config-if)#ip add 172.16.1.2 255.255.255.0
r1(config-if)#no sh
r1(config-if)#exit
r1(config)#int
*Mar  1 00:02:30.487: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 00:02:31.487: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r1(config)#int loo 1
r1(config-if)#
*Mar  1 00:02:36.235: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
r1(config-if)#int s0/1
r1(config-if)#ip add 172.16.2.1 255.255.255.0
r1(config-if)#no sh
r1(config-if)#
*Mar  1 00:02:58.987: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
*Mar  1 00:02:59.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
r1(config-if)#
*Mar  1 00:03:22.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to down
r1(config-if)#
*Mar  1 00:03:42.799: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
r1(config-if)#do ping 172.16.2.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/27/72 ms
r1(config-if)#exit
r1(config)#router ospf 1
r1(config-router)#net 172.16.1.0 0.0.0.255 area 0
r1(config-router)#net 17
*Mar  1 00:05:56.539: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on Serial0/0 from LOADING to FULL, Loading Done
r1(config-router)#net 172.16.2.0 0.0.0.255 area 0
r1(config-router)#
*Mar  1 00:06:10.875: %OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on Serial0/1 from LOADING to FULL, Loading Done
r1(config-router)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
 
Gateway of last resort is not set
 
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/65] via 172.16.1.1, 00:00:08, Serial0/0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/65] via 172.16.2.2, 00:00:08, Serial0/1
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Serial0/0
C       172.16.2.0 is directly connected, Serial0/1
r1(config-router)#do ping 2.2.2.2 source 172.16.1.2 // Test whether the configuration meets the requirement
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.2
U.U.U
Success rate is 0 percent (0/5)
r1(config-router)#
 
 
 
r2(config)#int loo 1
r2(config-if)#ip add
*Mar  1 00:03:02.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
r2(config-if)#ip add 2.2.2.2 255.255.255.0
r2(config-if)#int s0/0
r2(config-if)#ip add 172.16.2.2 255.255.255.0
r2(config-if)#no sh
r2(config-if)#exit
r2(config)#do ping
*Mar  1 00:03:29.735: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 00:03:30.735: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
r2(config)#do ping 172.16.2.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
....!
Success rate is 20 percent (1/5), round-trip min/avg/max = 68/68/68 ms
r2(config)#router ospf 1
r2(config-router)#net 2.2.2.0 0.0.0.255 area 0
r2(config-router)#net 172.16.2.0 0.0.0.255 area 0
r2(config-router)#
*Mar  1 00:06:10.539: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.2.1 on Serial0/0 from LOADING to FULL, Loading Done
r2(config-router)#exit
r2(config)#int loo 1
r2(config-if)#ip ospf net point
r2(config-if)#ip ospf net point-to-
% Ambiguous command:  "ip ospf net point-to-"
r2(config-if)#ip ospf net point-to-point
r2(config-if)#do ping 1.1.1.1 source 2.2.2.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
U.U.U
Success rate is 0 percent (0/5)
r2(config-if)#ip access-list extend cisco
r2(config-ext-nacl)#deny ip host 172.16.1.2 host 2.2.2.2
r2(config-ext-nacl)#permit ip any any
r2(config-ext-nacl)#exit
// Configure the extended named ACL
r2(config)#int s0/0
r2(config-if)#ip access-group cisco in
r2(config-if)#do sh access-list cisco // View the ACL
Extended IP access list cisco
    10 deny ip host 172.16.1.2 host 2.2.2.2
    20 permit ip any any (1 match)
r2(config-if)#do ping 172.16.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/33/64 ms
r2(config-if)#
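
The first-match behaviour of the two ACLs configured above, and the per-entry deletion mentioned in note 1, can be checked with a small model. This is an added example, not part of the original lab; NamedACL and lab_acls are hypothetical names, and only IP source/destination matching is modelled.

```python
import ipaddress

class NamedACL:
    """Toy model of an IOS named ACL: numbered entries, first match wins."""

    def __init__(self, name, extended=False):
        self.name, self.extended = name, extended
        self.entries = {}  # sequence number -> (action, source net, destination net)

    @staticmethod
    def _net(spec):
        # "any" matches everything; a bare address is a host (/32) match
        return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)

    def add(self, action, src, dst="any", seq=None):
        if not self.extended and dst != "any":
            raise ValueError("a standard ACL matches on the source address only")
        if seq is None:  # new entries are appended in steps of 10
            seq = max(self.entries, default=0) + 10
        self.entries[seq] = (action, self._net(src), self._net(dst))

    def remove(self, seq):
        """Delete one entry by sequence number, leaving the others in place."""
        del self.entries[seq]

    def check(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for seq in sorted(self.entries):
            action, src_net, dst_net = self.entries[seq]
            if s in src_net and d in dst_net:
                return action
        return "deny"  # implicit deny after the last entry

def lab_acls():
    """The two ACLs from the lab, both named 'cisco' and applied inbound on s0/0."""
    std = NamedACL("cisco")                  # on r0
    std.add("deny", "2.2.2.2")
    std.add("permit", "any")
    ext = NamedACL("cisco", extended=True)   # on r2
    ext.add("deny", "172.16.1.2", "2.2.2.2")
    ext.add("permit", "any", "any")
    return std, ext

if __name__ == "__main__":
    std, ext = lab_acls()
    for acl, src, dst in [(std, "2.2.2.2", "1.1.1.1"), (std, "2.2.2.2", "172.16.1.1"),
                          (ext, "172.16.1.2", "2.2.2.2"), (ext, "172.16.1.2", "172.16.2.2")]:
        print(f"{src} -> {dst}: {acl.check(src, dst)}")
```

The second result explains why r0's own ping to 2.2.2.2 fails in the session: the standard ACL drops every packet sourced from 2.2.2.2, including echo replies addressed to 172.16.1.1, whereas the extended ACL on r2 blocks only the one source/destination pair.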

This article comes from the "柯浩坚" blog; please contact the author before reposting.