配置篇 之ACL基础

ACL之基础实验配置

【实验拓扑】

 

R1 s0/0 <--12.12.12.0--------->  s0/0 R2 s0/1 <-----23.23.23.0---------->s0/0 R3

loop 0:1.1.1.1

 

【实验内容】

 

1.基本的访问控制列表。

2.扩展的访问控制列表

3.命名的访问控制列表

 

 

【实验配置】

 

1.  基本的访问控制列表 1-99

要求：只允许主机A访问主机B,环回口访问不了。

access-list 1 permit 12.12.12.1
interface Serial0/0
ip address 12.12.12.2 255.255.255.0
ip access-group 1 in

也可以在int s0/1上：
interface serial0/1
ip address 23.23.23.2 255.255.255.0
ip access-group 1 out

主要命令：
access-list {1-99} {permit|deny} {host | address}

ip access-group {list} {in | out}

测试：

R1#ping                
Protocol [ip]:    
Target IP address: 23.23.23.3
Repeat count [5]:    
Datagram size [100]:    
Timeout in seconds [2]:    
Extended commands [n]: y
Source address or interface: 1.1.1.1
Type of service [0]:    
Set DF bit in IP header? [no]:    
Validate reply data? [no]:    
Data pattern [0xABCD]:    
Loose, Strict, Record, Timestamp, Verbose[none]:    
Sweep range of sizes [n]:    
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1    
U.U.U
Success rate is 0 percent (0/5)


R3#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

一个不可达，一个超时。说明数据包不可以从R1到R2，但是可以从R2到R1.

 

 

2.扩展的访问控制列表  100-199

 

（1）R1不能telnet R2，但是可以ping通。

（2）R1能telnetR2，但是不可以ping通。

 

（1）先配置成可以telnel（未配置访问控制列表前）

R1#telnet 23.23.23.3
Trying 23.23.23.3 ... Open


User Access Verification

Password:    
R3>

 

配置acl：

access-list 100 deny     tcp 12.12.12.0 0.0.0.255 host 23.23.23.3 eq telnet
access-list 100 permit ip any any

应用到接口上：
ip access-group 100 in

R1#telnet 23.23.23.3
Trying 23.23.23.3 ...    
% Destination unreachable; gateway or host down


R1#ping 23.23.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/87/168 ms

 

 

(2)

 

show access-lists
Extended IP access list 101
        10 permit tcp 12.12.12.0 0.0.0.255 host 23.23.23.3 eq telnet (25 matches)


R1#telnet 23.23.23.3
Trying 23.23.23.3 ... Open


User Access Verification

Password:    
R3>
R3>
R3>exit

[Connection to 23.23.23.3 closed by foreign host]
R1#
R1#
R1#ping 23.23.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

 

 

3.基于名称的访问控制列表：

 

优势：可以对访问列表进行修改和删除，上面两种一旦修改或删除，则全部要重新配置列表，推荐使用这种。

 

Standard IP access list sf
        10 permit 1.1.1.1 (5 matches)





R1#ping 23.23.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#ping    
Protocol [ip]:    
Target IP address: 23.23.23.3
Repeat count [5]:    
Datagram size [100]:    
Timeout in seconds [2]:    
Extended commands [n]: y
Source address or interface: 1.1.1.1
Type of service [0]:    
Set DF bit in IP header? [no]:    
Validate reply data? [no]:    
Data pattern [0xABCD]:    
Loose, Strict, Record, Timestamp, Verbose[none]:    
Sweep range of sizes [n]:    
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1    
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/75/104 ms

 

【实验总结】

 

      此次实验复习了一下基本的acl表。后续将对acl有更进一步的实验，比如自反列表，基于时间的列表等等，敬请关注。