ACL: Extended Access Control Lists

2012-05-11 09:22

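The lab topology is the same as in the standard ACL lab, as shown below:

  • Step 1: Configure the IP addresses on each router, and use the ping command to confirm that the directly connected interfaces can ping each other.

Basic configuration omitted.

  • Step 2: Enable the OSPF protocol on each router.

Basic configuration omitted.

  • Step 3: Network requirements:

Deny telnet from R1 to R4
Deny ping from R2 to R4
Permit all other access

  • Step 4: Configure the ACL

Note: an extended access control list should be placed on the interface closest to the source.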

access-list 100 deny tcp host 192.168.1.1 host 172.16.1.2 eq 23
access-list 100 deny tcp host 192.168.1.1 10.0.0.0 0.255.255.255 eq telnet
access-list 100 deny tcp host 12.1.1.1 host 172.16.1.2 eq telnet
access-list 100 deny tcp host 12.1.1.1 10.0.0.0 0.255.255.255 eq telnet
access-list 100 deny icmp host 192.168.1.2 host 172.16.1.2
access-list 100 deny icmp host 192.168.1.2 10.0.0.0 0.255.255.255
access-list 100 deny icmp host 131.16.24.1 host 172.16.1.2
access-list 100 deny icmp host 131.16.24.1 10.0.0.0 0.255.255.255
access-list 100 permit ip any any

  • Step 5: Apply the ACL to the interface

R3(config)#interface fastethernet 0/0
R3(config-if)#ip access-group 100 in
R3(config-if)#exit

  • Step 6: Test

R1>ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/163/204 ms
R1>
R1>ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 172/188/220 ms
R1>
R1>ping 10.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/176/252 ms
R1>
R1>telnet 172.16.1.2
Trying 172.16.1.2 …
% Destination unreachable; gateway or host down
R1>telnet 10.1.1.1
Trying 10.1.1.1 …
% Destination unreachable; gateway or host down
R1>telnet 10.2.2.1
Trying 10.2.2.1 …
% Destination unreachable; gateway or host down

R2#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R2#ping 10.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R2#
R2#telnet 172.16.1.2
Trying 172.16.1.2 … Open
User Access Verification
Password:
R4>
R2#telnet 10.1.1.1
Trying 10.1.1.1 … Open
User Access Verification
Password:
R4>
R2#telnet 10.2.2.1
Trying 10.2.2.1 … Open
User Access Verification
Password:
R4>
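
The ACL from step 4 can be checked offline before it is applied to R3. The Python sketch below is an added example, not part of the original post: it parses the nine entries, applies first-match evaluation with wildcard masks, and can replay the step 6 tests. It assumes, as the entries suggest, that 192.168.1.1 is a source address of R1 and 192.168.1.2 one of R2; the function names are illustrative.

```python
import ipaddress

# ACL 100 as configured in step 4 of the page.
ACL_100 = """\
access-list 100 deny tcp host 192.168.1.1 host 172.16.1.2 eq 23
access-list 100 deny tcp host 192.168.1.1 10.0.0.0 0.255.255.255 eq telnet
access-list 100 deny tcp host 12.1.1.1 host 172.16.1.2 eq telnet
access-list 100 deny tcp host 12.1.1.1 10.0.0.0 0.255.255.255 eq telnet
access-list 100 deny icmp host 192.168.1.2 host 172.16.1.2
access-list 100 deny icmp host 192.168.1.2 10.0.0.0 0.255.255.255
access-list 100 deny icmp host 131.16.24.1 host 172.16.1.2
access-list 100 deny icmp host 131.16.24.1 10.0.0.0 0.255.255.255
access-list 100 permit ip any any
"""
PORTS = {"telnet": 23}  # the only named port used above

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume one address spec; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def parse(text):
    rules = []
    for tok in (l.split() for l in text.splitlines() if l.startswith("access-list")):
        action, proto = tok[2], tok[3]
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        port = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; no match falls to the implicit deny."""
    for n, (action, r_proto, r_src, r_dst, r_port) in enumerate(rules, 1):
        # Wildcard bits set to 1 are "don't care"; all other bits must match.
        hit = all((_ip(ip) | w) == (b | w) for ip, (b, w) in ((src, r_src), (dst, r_dst)))
        if r_proto in ("ip", proto) and hit and r_port in (None, dport):
            return action, n
    return "deny", None

RULES = parse(ACL_100)
if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "192.168.1.1", "172.16.1.2", 23))
```

Without the final `permit ip any any` entry, every packet that matches no deny line falls to the implicit deny, so the "permit all other access" requirement depends on that last line.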
