Configuring Named ACLs

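1. Lab objectives:

In this lab we will learn the following skills:

1)        Define a named ACL

2)        Apply a named ACL

2. Lab topology:

[Figure: topology for the named ACL configuration]

3. Lab steps:

(1)       Configure standard named ACLs on router R2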

R2(config-std-nacl)#ip access-list standard stand

R2(config-std-nacl)#deny 172.16.1.0 0.0.0.255

R2(config-std-nacl)#permit any

R2(config-std-nacl)#exit

R2(config-if)#ip access-group stand in

R2(config-if)#ip access-list standard class

R2(config-std-nacl)#permit 172.16.3.1

R2(config-std-nacl)#exit

R2(config)#line vty 0 4

R2(config-line)#access-class class in

R2(config-line)#

(2)       View the named ACLs on router R2

R2#show access-lists

Standard IP access list stand

    deny 172.16.1.0 0.0.0.255

    permit any (28 match(es))

Standard IP access list class

    permit host 172.16.3.1

R2#

(3)       Configure named extended ACLs on routers R1 and R3

R1(config)#ip access-list extended ext1

R1(config-ext-nacl)#permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq www

R1(config-ext-nacl)#permit tcp 172.16.1.0 0.0.0.255 host 192.168.12.2 eq www

R1(config-ext-nacl)#permit tcp 172.16.1.0 0.0.0.255 host 192.168.23.2 eq www

R1(config-ext-nacl)#permit tcp 172.16.1.0 0.0.0.255 host 192.168.23.2 eq telnet

R1(config-ext-nacl)#permit tcp 172.16.1.0 0.0.0.255 host 192.168.12.2 eq telnet

R1(config-ext-nacl)#permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq telnet

R1(config-ext-nacl)#exit

R1(config)#interface serial 3/0

R1(config-if)#ip access-group ext1 in

R3(config)#ip access-list extended ext2

R3(config-ext-nacl)#deny icmp 172.16.3.0 0.0.0.255 host 2.2.2.2 log

R3(config-ext-nacl)#deny icmp 172.16.3.0 0.0.0.255 host 192.168.12.2 log

R3(config-ext-nacl)#deny icmp 172.16.3.0 0.0.0.255 host 192.168.23.2 log

(4)       View the extended named ACLs on routers R1 and R3

R1#show access-lists

Extended IP access list 100

    permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq www

    permit tcp 172.16.1.0 0.0.0.255 host 192.168.12.2 eq www

    permit tcp 172.16.1.0 0.0.0.255 host 192.168.23.2 eq www

    permit tcp 172.16.1.0 0.0.0.255 host 192.168.12.2 eq telnet

    permit tcp 172.16.1.0 0.0.0.255 host 192.168.23.2 eq telnet

Extended IP access list ext1

    permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq www

    permit tcp 172.16.1.0 0.0.0.255 host 192.168.12.2 eq www

    permit tcp 172.16.1.0 0.0.0.255 host 192.168.23.2 eq www

    permit tcp 172.16.1.0 0.0.0.255 host 192.168.23.2 eq telnet

    permit tcp 172.16.1.0 0.0.0.255 host 192.168.12.2 eq telnet

    permit tcp 172.16.1.0 0.0.0.255 host 2.2.2.2 eq telnet

R1#

R3#show access-lists

Extended IP access list ext2

    deny icmp 172.16.3.0 0.0.0.255 host 2.2.2.2

    deny icmp 172.16.3.0 0.0.0.255 host 192.168.12.2

    deny icmp 172.16.3.0 0.0.0.255 host 192.168.23.2

R3#
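
Added example (not part of the original lab): a small Python model of how IOS evaluates the ACLs configured above, covering wildcard-mask matching, top-down first match, and the implicit deny at the end of every list. The function names (parse, evaluate) and the probe addresses used with them are assumptions for illustration, and only the keywords that appear on this page are handled.

```python
import ipaddress

PORTS = {"www": 80, "telnet": 23}  # IOS port keywords used on this page

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' | bare 'A'; return ((addr, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), 0), i + 1  # bare address means a single host

def parse(line, extended):
    """Turn one ACL entry, written as on the page, into a dict."""
    tok = line.split()
    ace = {"action": tok[0], "proto": "ip", "dst": (0, 0xFFFFFFFF), "port": None}
    i = 1
    if extended:
        ace["proto"], i = tok[1], 2
    ace["src"], i = _addr(tok, i)
    if extended:
        ace["dst"], i = _addr(tok, i)
        if i < len(tok) and tok[i] == "eq":
            ace["port"] = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return ace

def _hit(rule, ip):
    addr, wild = rule  # wildcard bits set to 1 are "don't care"
    care = ~wild & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == addr & care

def evaluate(acl, src, dst="0.0.0.0", proto="ip", port=None):
    """Top-down, first match wins; returns (action, entry number or None)."""
    for n, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        if _hit(ace["src"], src) and _hit(ace["dst"], dst):
            return ace["action"], n
    return "deny", None  # implicit deny: nothing matched

# The lists from this lab (ext1 permits regrouped by port; the result is the same).
STAND = [parse(l, False) for l in ("deny 172.16.1.0 0.0.0.255", "permit any")]
CLASS = [parse("permit 172.16.3.1", False)]
EXT1 = [parse(f"permit tcp 172.16.1.0 0.0.0.255 host {h} eq {p}", True)
        for p in ("www", "telnet") for h in ("2.2.2.2", "192.168.12.2", "192.168.23.2")]
```

Because ext1 contains only permit entries, anything it does not list, such as ICMP from 172.16.1.0/24 or TCP from another subnet, is dropped by the implicit deny.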