
Configuring Access Control Lists

2007-03-05 22:58



Initial configuration:
R1

conf t
int f 0/0
ip ad 10.1.1.1 255.255.255.0
no shut
int l0
ip ad 1.1.1.1 255.255.255.255
router rip
ver 2
net 10.0.0.0
net 1.0.0.0
no au

R3
conf t
int s2/0
ip ad 10.1.2.3 255.255.255.0
clock rate 64000
no shut
router rip
ver 2
net 10.0.0.0
no au

R2
conf t
int f 0/0
ip ad 10.1.1.2 255.255.255.0
no shut
int s2/0
ip ad 10.1.2.2 255.255.255.0
no shut
router rip
ver 2
no au
net 10.0.0.0
exit

CASE 1: Standard ACL (1)
R2
int f 0/0
ip access-group 1 in
exit
access-list 1 permit host 10.1.1.1

Verification:
R1#ping 10.1.2.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U.U
Success rate is 0 percent (0/5)
R1#ping 10.1.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/103/220 ms

CASE 2: Standard ACL (2)
Configure on R2:

int f 0/0
ip access-group 1 in
exit
access 1 deny host 10.1.1.1
access 1 permit any


Verification:
R1#ping 10.1.2.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
U.U..
Success rate is 0 percent (0/5)
R1#ping 10.1.2.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/59/112 ms

CASE 3: Extended ACL (1)
R3

int l 1
ip ad 3.3.3.1 255.255.255.255
int l 2
ip ad 3.3.3.2 255.255.255.255
int l 3
ip ad 3.3.3.3 255.255.255.255
router rip
net 3.0.0.0

R2
access 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
int f0/0
ip access-group 100 in

Verification:
R1#ping 3.3.3.3 source l 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/90/200 ms
R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

CASE 4: Extended ACL (2)
R3

conf t
username R3 password pass
line vty 0 4
login local
end

R2
conf t
access-list 100 deny tcp any any eq telnet
access-list 100 permit ip any any

int f0/0
ip access-group 100 in
end

Verification:
R1#telnet 3.3.3.3
Trying 3.3.3.3 ...
% Destination unreachable; gateway or host down
R1#telnet 10.1.2.3
Trying 10.1.2.3 ...
% Destination unreachable; gateway or host down
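
The first-match evaluation and implicit deny behind the verification output of CASE 1, 3 and 4, as an added Python example (not part of the original post and not Cisco code). The function names are illustrative assumptions; only the `telnet` port keyword is known, and `time-range` is not modelled.

```python
import ipaddress

PORTS = {"telnet": 23}            # the only port keyword this page uses
ANY = (0, 0xFFFFFFFF)             # (base, wildcard) that matches every address

def ip(a):
    return int(ipaddress.IPv4Address(a))

def take_addr(tok):
    """Consume 'any' | 'host A' | 'A [WILDCARD]' from the token list."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ip(tok.pop(0)), 0
    return ip(t), ip(tok.pop(0)) if tok else 0

def parse(line):
    """Parse one numbered entry: standard (1-99) or extended (100-199)."""
    tok = line.split()[1:]
    num, action = int(tok.pop(0)), tok.pop(0)
    if num < 100:                 # standard ACL: source address only
        return action, "ip", take_addr(tok), ANY, None
    proto = tok.pop(0)
    src = take_addr(tok)
    dst = take_addr(tok)
    port = (PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def hit(addr, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF     # wildcard bit 1 = ignore, 0 = must match
    return (ip(addr) & care) == (base & care)

def evaluate(acl, src, dst, proto="icmp", port=None):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, e_proto, e_src, e_dst, e_port in map(parse, acl):
        if e_proto not in ("ip", proto):
            continue
        if e_port is not None and e_port != port:
            continue
        if hit(src, e_src) and hit(dst, e_dst):
            return action
    return "deny"

# Entries copied from CASE 1, 3 and 4 above (R2, inbound on f0/0)
CASE1 = ["access-list 1 permit host 10.1.1.1"]
CASE3 = ["access-list 100 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255"]
CASE4 = ["access-list 100 deny tcp any any eq telnet",
         "access-list 100 permit ip any any"]
```

`evaluate(CASE3, "10.1.1.1", "224.0.0.9", "udp", 520)` returns `"deny"`: the CASE 3 list also drops R1's RIPv2 updates (UDP 520 to 224.0.0.9) arriving on f0/0, because nothing in it matches them before the implicit deny.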

CASE 5: Restricting an ACL to a time range
R2
conf t
time-range allowtelnet
! This is a lab, so the time range is set to only 1 minute to make verification easy
periodic daily 19:00 to 19:01
exit
access 100 deny tcp host 10.1.1.1 3.3.3.0 0.0.0.255 eq telnet time-range allowtelnet
access 100 permit ip any any

int f 0/0
ip access-group 100 in
end

R2#sh time-range
time-range entry: allowtelnet (active)
periodic daily 19:00 to 19:01
used in: IP ACL entry
R2#sh ip access
Extended IP access list 100
10 deny tcp host 10.1.1.1 3.3.3.0 0.0.0.255 eq telnet time-range allowtelnet (active) (3 matches)
20 permit ip any any (54 matches)
R1#telnet 3.3.3.3
Trying 3.3.3.3 ...
% Destination unreachable; gateway or host down
R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/115/256 ms
R1#ping 10.1.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/158/292 ms
After 1 minute:
R1#telnet 3.3.3.3
Trying 3.3.3.3 ... Open

User Access Verification
Username: r3
Password:
R3>quit
[Connection to 3.3.3.3 closed by foreign host]