Complete the initial configuration:
r1:
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.1.1 255.255.255.0
serial restart-delay 0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 1
network 1.0.0.0
network 192.168.1.0
no auto-summary
r2:
interface Serial0/0
ip address 192.168.1.2 255.255.255.0
serial restart-delay 0
!
interface Serial0/1
ip address 192.168.2.2 255.255.255.0
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 1
network 192.168.1.0
network 192.168.2.0
auto-summary
r3:
interface Loopback0
ip address 3.3.3.3 255.255.255.0
!
interface Serial0/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/1
ip address 192.168.2.3 255.255.255.0
serial restart-delay 0
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
!
router eigrp 1
network 3.0.0.0
network 192.168.2.0
no auto-summary
Standard ACLs filter on the source address
Deny router 1 access to router 3
r1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/36/72 ms
r1(config)#access-list 1 deny 3.3.3.3
r1(config)#access-list 1 permit any
r1(config)#int s0/0
r1(config-if)#ip access-group 1 in
r1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)
Extended access list
Do not allow r1 (192.168.1.1) to access r3's 3.3.3 network
r2(config)#access-list 101 deny ip 192.168.1.0 0.0.0.255 3.3.3.3 0.0.0.0
r2(config)#access-list 101 permit ip any any
r2(config)#int s0/0
r2(config-if)#ip access-group 101 in
r1#ping 3.3.3.3 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
U.U.U
Success rate is 0 percent (0/5)
3. Block R1 from telnetting to R3
R3 configuration
r3(config)#username liang password rui
r3(config)#line vty 0 4
r3(config-line)#login local
r3(config-line)#end
r2(config)#access-list 100 deny tcp any any eq 23
r2(config)#access-list 100 permit ip any any
r2(config)#int s0/0
r2(config-if)#ip access-group 100 in
r1#telnet 3.3.3.3
Trying 3.3.3.3 ...
% Destination unreachable; gateway or host down
Named access list
r2(config)#ip access-list extended liang
r2(config-ext-nacl)#deny tcp 192.168.1.1 0.0.0.0 3.3.3.3 0.0.0.0
r2(config-ext-nacl)#permit tcp any any
r2(config-ext-nacl)#int s0/0
r2(config-if)#ip access-group liang in
r1#ping 3.3.3.3 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
....
*Mar 1 01:08:04.515: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.2 (Serial0/0) is down: retry limit exceeded.
Success rate is 0 percent (0/5)
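The named ACL liang above permits only TCP, so ICMP and EIGRP fall through to the implicit deny that ends every ACL, which is why the ping fails and the %DUAL-5-NBRCHANGE message appears. The following Python model of first-match evaluation is an added example, not part of the original post; it handles only protocol, wildcard and eq matching, and the three test packets are constructed.

```python
import ipaddress

def matches(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_entry(line):
    """Parse 'permit|deny proto src dst [eq port]'; src/dst is 'any' or 'addr wildcard'."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    def take():
        if rest[0] == "any":
            rest.pop(0)
            return ("0.0.0.0", "255.255.255.255")
        return (rest.pop(0), rest.pop(0))
    src, dst = take(), take()
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, matching entry); the first match wins."""
    for line in acl:
        action, p, s, d, port = parse_entry(line)
        proto_ok = p in ("ip", proto)          # 'ip' matches every protocol
        port_ok = port is None or port == dport
        if proto_ok and port_ok and matches(src, *s) and matches(dst, *d):
            return action, line
    return "deny", "implicit deny"             # nothing matched

# Entries copied from the page's r2 configuration.
ACL_101 = ["deny ip 192.168.1.0 0.0.0.255 3.3.3.3 0.0.0.0", "permit ip any any"]
ACL_LIANG = ["deny tcp 192.168.1.1 0.0.0.0 3.3.3.3 0.0.0.0", "permit tcp any any"]

# Constructed packets arriving on r2 Serial0/0 from r1.
PACKETS = {
    "ping": ("icmp", "192.168.1.1", "3.3.3.3", None),
    "eigrp hello": ("eigrp", "192.168.1.1", "224.0.0.10", None),
    "telnet": ("tcp", "192.168.1.1", "3.3.3.3", 23),
}

def report(acl):
    return {name: evaluate(acl, *pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("101", ACL_101), ("liang", ACL_LIANG)):
        for name, (action, why) in report(acl).items():
            print(f"{label:6} {name:12} {action:6} <- {why}")
```

Ending the list with permit ip any any, as ACL 101 does, keeps the explicit deny as the only thing dropped and leaves the EIGRP adjacency up.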
Using a time-based ACL:
r2(config)#time-range liang
r2(config-time-range)#periodic thursday 0:50 to 0:53
r2(config)#access-list 100 deny tcp 192.168.1.1 0.0.0.0 3.3.3.3 0.0.0.0 time-range liang
r2(config)#access-list 100 permit tcp any any
r2(config)#int s0/0
r2(config-if)#ip access-group 100 in
r1#ping 3.3.3.3 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
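Place extended ACLs close to the source and standard ACLs close to the destination address.
This article comes from the “cisco network” blog; reposting is not permitted.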