Configuration Series: ACL Basics

Basic ACL lab configuration

【Lab Topology】
 
R1 s0/0 <--12.12.12.0--------->  s0/0 R2 s0/1 <-----23.23.23.0---------->s0/0 R3
loop 0:1.1.1.1
 
【Lab Contents】
 
1. Standard access control lists.
2. Extended access control lists.
3. Named access control lists.
 
 
【Lab Configuration】
 
1. Standard access control lists (numbers 1-99)
Requirement: only host A may reach host B; traffic from the loopback interface must not get through.
access-list 1 permit 12.12.12.1
interface Serial0/0
ip address 12.12.12.2 255.255.255.0
ip access-group 1 in

The same list can instead be applied outbound on int s0/1:
interface serial0/1
ip address 23.23.23.2 255.255.255.0
ip access-group 1 out

Main commands:
access-list {1-99} {permit|deny} {host | address}

ip access-group {list} {in | out}
Test:
R1#ping                
Protocol [ip]:    
Target IP address: 23.23.23.3
Repeat count [5]:    
Datagram size [100]:    
Timeout in seconds [2]:    
Extended commands [n]: y
Source address or interface: 1.1.1.1
Type of service [0]:    
Set DF bit in IP header? [no]:    
Validate reply data? [no]:    
Data pattern [0xABCD]:    
Loose, Strict, Record, Timestamp, Verbose[none]:    
Sweep range of sizes [n]:    
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1    
U.U.U
Success rate is 0 percent (0/5)


R3#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 
One ping reports unreachable, the other times out. This shows that packets cannot get from R1 to R2, but can get from R2 to R1: the "U" is the ICMP unreachable R2 returns when it drops the echo request from 1.1.1.1 under the inbound list, while R3's echo requests reach 1.1.1.1 and only the replies, sourced from 1.1.1.1, are dropped on the way back.
 
 
2. Extended access control lists (numbers 100-199)
 
(1) R1 cannot telnet to R2, but can ping it.
(2) R1 can telnet to R2, but cannot ping it.
 
(1) First confirm that telnet works (before any access list is configured):
R1#telnet 23.23.23.3
Trying 23.23.23.3 ... Open


User Access Verification

Password:    
R3>
 
Configure the ACL:
access-list 100 deny tcp 12.12.12.0 0.0.0.255 host 23.23.23.3 eq telnet
access-list 100 permit ip any any

Apply it to the interface:
ip access-group 100 in

R1#telnet 23.23.23.3
Trying 23.23.23.3 ...    
% Destination unreachable; gateway or host down


R1#ping 23.23.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/87/168 ms
 
 
(2) Telnet permitted, ping blocked. ACL 101 holds only the telnet permit entry, so the implicit deny at the end of the list drops the ICMP:
 
show access-lists
Extended IP access list 101
        10 permit tcp 12.12.12.0 0.0.0.255 host 23.23.23.3 eq telnet (25 matches)


R1#telnet 23.23.23.3
Trying 23.23.23.3 ... Open


User Access Verification

Password:    
R3>
R3>
R3>exit

[Connection to 23.23.23.3 closed by foreign host]
R1#
R1#
R1#ping 23.23.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
 
 
3. Named access control lists:
 
Advantage: individual entries of a named list can be modified or deleted. With the two numbered types above, any modification or deletion means reconfiguring the whole list, so the named form is the recommended one.
 

Standard IP access list sf
        10 permit 1.1.1.1 (5 matches)
R1#ping 23.23.23.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#ping    
Protocol [ip]:    
Target IP address: 23.23.23.3
Repeat count [5]:    
Datagram size [100]:    
Timeout in seconds [2]:    
Extended commands [n]: y
Source address or interface: 1.1.1.1
Type of service [0]:    
Set DF bit in IP header? [no]:    
Validate reply data? [no]:    
Data pattern [0xABCD]:    
Loose, Strict, Record, Timestamp, Verbose[none]:    
Sweep range of sizes [n]:    
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.23.23.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1    
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/75/104 ms
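To check the first-match and implicit-deny behaviour seen in the pings above, here is an added Python model of IOS access-list matching; it is not from the original post and runs on no router. It replays this lab's four lists against the lab's own packets (source 1.1.1.1 or the s0/0 address 12.12.12.1, destination 23.23.23.3); the direction in which a list is applied to an interface is not modelled, only what the list itself permits or denies.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard match: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str = "ip"              # "ip" matches any protocol; else tcp/udp/icmp
    src: str = "0.0.0.0"           # 'any' = 0.0.0.0 255.255.255.255
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"           # standard lists never look at the destination
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None    # 'eq <port>' on tcp/udp; None = any port

def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, e.src, e.src_wc)
                and wildcard_match(dst, e.dst, e.dst_wc)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"  # implicit 'deny any' at the end of every IOS access list

HOST = "0.0.0.0"  # wildcard for 'host x.x.x.x' and for a bare address in a standard list
# access-list 1 permit 12.12.12.1                (standard: source address only)
ACL_1 = [Entry("permit", src="12.12.12.1", src_wc=HOST)]
# access-list 100 deny tcp 12.12.12.0 0.0.0.255 host 23.23.23.3 eq telnet
# access-list 100 permit ip any any
ACL_100 = [Entry("deny", "tcp", "12.12.12.0", "0.0.0.255", "23.23.23.3", HOST, 23),
           Entry("permit")]
# Extended IP access list 101: 10 permit tcp 12.12.12.0 0.0.0.255 host 23.23.23.3 eq telnet
ACL_101 = [Entry("permit", "tcp", "12.12.12.0", "0.0.0.255", "23.23.23.3", HOST, 23)]
# Standard IP access list sf: 10 permit 1.1.1.1
ACL_SF = [Entry("permit", src="1.1.1.1", src_wc=HOST)]

if __name__ == "__main__":
    print("ACL 1,   ping sourced from 1.1.1.1  ->", evaluate(ACL_1, "icmp", "1.1.1.1", "23.23.23.3"))
    print("ACL 100, telnet from 12.12.12.1     ->", evaluate(ACL_100, "tcp", "12.12.12.1", "23.23.23.3", 23))
    print("ACL 101, ping from 12.12.12.1       ->", evaluate(ACL_101, "icmp", "12.12.12.1", "23.23.23.3"))
    print("ACL sf,  ping from 12.12.12.1       ->", evaluate(ACL_SF, "icmp", "12.12.12.1", "23.23.23.3"))
```

A "deny" result corresponds to the U.U.U lines in the lab output, a "permit" to the !!!!! lines.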
 
【Lab Summary】
 
This lab reviewed the basic ACL types. Follow-up labs will go further into ACLs, such as reflexive lists and time-based lists; stay tuned.