Standard ACL (Access Control List) Lab
- Format: pdf
- Size: 188.31 KB
- Pages: 6
Standard ACL (海映蓝天)
Lab topology
Lab objectives
Define a standard ACL
Apply a standard ACL
Apply access-class
Define a named standard ACL
Basic configuration
R1(config)# access-list 2 remark ONLY HOST PC1 CAN TELNET
R1(config)# access-list 2 permit host 192.168.1.2
R1(config)# line vty 0 4
R1(config-line)# access-class 2 in
R1(config-line)# password cisco
R1(config-line)# login
R2(config)# access-list 2 remark ONLY HOST PC1 CAN TELNET
R2(config)# access-list 2 permit host 192.168.1.2
R2(config)# line vty 0 4
R2(config-line)# access-class 2 in
R2(config-line)# password cisco
R2(config-line)# login
R3(config)# access-list 2 remark ONLY HOST PC1 CAN TELNET
R3(config)# access-list 2 permit host 192.168.1.2
R3(config)# access-list 1 remark DENY NETWORK 192.168.2.0 FROM R1
R3(config)# access-list 1 deny 192.168.2.0 0.0.0.255
R3(config)# access-list 1 permit any
R3(config)# interface serial3/0
R3(config-if)# ip access-group 1 in
R3(config-if)# line vty 0 4
R3(config-line)# access-class 2 in
R3(config-line)# password cisco
R3(config-line)# login
Where an ACL is applied:
On an interface (ip access-group)
In a match statement of a route-map
Under the vty lines with the access-class command, to control Telnet access; access-class accepts only standard ACLs
R3#show ip access-list
Standard IP access list 2
permit host 192.168.1.2
Standard IP access list 1
deny 192.168.2.0 0.0.0.255 (20 match(es))
permit any (252 match(es))
The number in parentheses is the count of packets that matched that entry; the counters can be reset with the command clear access-list counters.
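To make the matching rules behind this output explicit (top-down first match, wildcard-mask comparison, the implicit deny at the end, and the per-entry counters that show ip access-list reports), here is a small Python model of standard ACL evaluation. It is an added example, not part of the lab or of IOS; it models only source-address matching, which is all a standard ACL looks at, and uses the lab's ACL 1 and ACL 2 entries as its sample data.

```python
import ipaddress


class Entry:
    """One standard ACL entry: action, source network, Cisco wildcard mask, hit counter."""

    def __init__(self, action, network, wildcard):
        self.action, self.network, self.wildcard, self.matches = action, network, wildcard, 0

    def hits(self, addr):
        # Wildcard semantics: bits set to 1 in the mask are "don't care" bits.
        care = 0xFFFFFFFF ^ self.wildcard
        return (addr & care) == (self.network & care)


def parse_entry(line):
    """Parse 'deny 192.168.2.0 0.0.0.255', 'permit host 192.168.1.2' or 'permit any'."""
    parts = line.split()
    action = parts[0]
    if parts[1] == "any":
        return Entry(action, 0, 0xFFFFFFFF)
    if parts[1] == "host":
        return Entry(action, int(ipaddress.IPv4Address(parts[2])), 0)
    network = int(ipaddress.IPv4Address(parts[1]))
    wildcard = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
    return Entry(action, network, wildcard)


class StandardAcl:
    def __init__(self, lines):
        self.entries = [parse_entry(l) for l in lines]

    def check(self, src):
        """First matching entry wins; no match means the implicit 'deny any'."""
        addr = int(ipaddress.IPv4Address(src))
        for e in self.entries:
            if e.hits(addr):
                e.matches += 1
                return e.action
        return "deny"

    def show(self):
        """Counters in the style of 'show ip access-list'."""
        return [(e.action, e.matches) for e in self.entries]

    def clear_counters(self):
        for e in self.entries:
            e.matches = 0


# Sample data taken from the lab: ACL 1 on Serial3/0 and ACL 2 on the vty lines.
ACL1 = ["deny 192.168.2.0 0.0.0.255", "permit any"]
ACL2 = ["permit host 192.168.1.2"]
```

Swapping the two ACL 1 entries makes every packet hit "permit any" first, so the deny never matches: entry order, not just content, decides the result.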
R3#show ip interface
Serial3/0 is up, line protocol is up (connected)
Internet address is 192.168.4.2/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 1
……
This shows that ACL 1 is applied inbound on interface Serial3/0.
Configuring a named standard ACL
R3(config)# ip access-list standard ACL1
R3(config-std-nacl)# remark DENY NETWORK 192.168.2.0 FROM R1
R3(config-std-nacl)# deny 192.168.2.0 0.0.0.255
R3(config-std-nacl)# permit any
R3(config-std-nacl)# interface serial 3/0
R3(config-if)# ip access-group ACL1 in
PC1 telnets to R2
PC>telnet 192.168.3.1
Trying 192.168.3.1 ...Open
User Access Verification
Password:
R1>en
Password:
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP……
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area……
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet1/0