标准ACL(Standard ACL)

实验来源:工大瑞普Cisco网络技术论坛

要求:
1.允许192.168.1.1的主机对 R4访问
2.允许192.168.1.3的主机对 R4 访问
3.允许131.16.24.0的网段主机对 R4访问
4.不允许192.168.1.2的主机对 R4 访问

1.按照拓扑配置好各个路由器的接口IP地址;
2.在每台路由器上配置OSPF路由协议:
r1(config)#router ospf 100
r1(config-router)#net
r1(config-router)#net 192.168.1.0 0.0.0.255 area 0

r2(config)#router ospf 100
r2(config-router)#net
r2(config-router)#network 131.16.24.0 0.0.0.255 area 0
r2(config-router)#net 192.168.1.0 0.0.0.255 area 0

r3(config)#router ospf 100
r3(config-router)#network 192.168.1.0 0.0.0.255 area 0
r3(config-router)#network 172.16.1.0 0.0.0.255 area 0

r4(config)#router ospf 100
r4(config-router)#network 172.16.1.0 0.0.0.255 area 0
r4(config-router)#network 10.1.1.0 0.0.0.255 area 0
r4(config-router)#network 10.2.2.0 0.0.0.255 area 0
分别在每台路由器上使用命令:show ip route查看路由表,例R3:
r3#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Serial1/2
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       10.2.2.0/24 [110/65] via 172.16.1.2, 00:00:03, Serial1/2
O       10.1.1.1/32 [110/65] via 172.16.1.2, 00:00:03, Serial1/2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
上面红颜色的标记表示从S1/2口学习到两条路由,,下一跳地址为172.16.1.2.[110/65]表示OSPF默认的管理距离为110,路径花费为65.
3.设置ACL(注:标准ACL应该在距离目标近的地方设置,扩展ACL应该在距离源较近的地方设置)
方法1:
r4(config)#access-list 10 permit host 192.168.1.1 //编辑阿ACL 10允许主机192.168.1.1访问
r4(config)#access-list 10 permit host 192.168.1.3
r4(config)#access-list 10 permit 131.16.24.0 0.0.0.255
r4(config)#access-list 10 permit host 172.16.1.1
r4(config)#int s1/2
r4(config-if)#ip access-group 10 in          //在接口进入的方向应用ACL 10
方法2:
r4(config)#access-list 10 deny host 192.168.1.2
r4(config)#access-list 10 permit any any
r4(config)#int s1/2
r4(config-if)#ip access-group 10 in
这两种方法都可以实现我们的要求。我们可以使用命令察看ACL的配置:
r4#show ip access-lists
Standard IP access list 10
    10 permit 192.168.1.1 (45 matches)
    20 permit 192.168.1.3 (15 matches)
    40 permit 172.16.1.1 (63 matches)
    30 permit 131.16.24.0, wildcard bits 0.0.0.255 (45 matches)
查看接口ACL配置:
r4#show ip int s1/2
Serial1/2 is up, line protocol is up
  Internet address is 172.16.1.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.5
  Outgoing access list is not set
  Inbound  access list is 10
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled

测试:
r1#ping 172.16.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/140/164 ms

r2#ping 172.16.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
U.U.U.
Success rate is 0 percent (0/5)

r2#ping
Protocol [ip]:
Target IP address: 172.16.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 131.16.24.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 131.16.24.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/124/140 ms

r3#ping
Protocol [ip]:
Target IP address: 172.16.1.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/80 ms
OK,实验完。

你可能感兴趣的:(职场,acl,休闲,Standard,标准ACL)