
Extended ACL Configuration

2009-06-12 21:36 411 views


Extended ACL configuration:
<1, Allow hosts on network 10.1.1.0 to access the WEB server>
<2, Deny hosts on network 10.1.1.0 access to the FTP server>
<3, Deny hosts on network 10.1.1.0 Telnet access to Router 1 and the host>
<4, Deny host 10.1.1.100 from pinging Router 1>

Router 0 configuration:
Router>en
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 10.1.1.1 255.255.255.0
Router(config-if)#no shutdown

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#interface serial 0/0
Router(config-if)#ip address 12.12.12.1 255.255.255.0
Router(config-if)#clock rate 64000
Router(config-if)#no shutdown

%LINK-5-CHANGED: Interface Serial0/0, changed state to down
Router(config-if)#
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
Router(config-if)#
Router(config-if)#exit
Router(config)#router rip
Router(config-router)#net
Router(config-router)#network 10.1.1.0
Router(config-router)#network 12.12.12.0
Router(config-router)#end
%SYS-5-CONFIG_I: Configured from console by console
Router#show ip rou
Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
12.0.0.0/24 is subnetted, 1 subnets
C 12.12.12.0 is directly connected, Serial0/0
R 192.168.1.0/24 [120/1] via 12.12.12.2, 00:00:11, Serial0/0
Router#ping 192.168.1.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 62/62/63 ms

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
Router(config)#access-list 100 pe
Router(config)#access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq ?
<0-65535> Port number
ftp File Transfer Protocol (21)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
telnet Telnet (23)
www World Wide Web (HTTP, 80)
Router(config)#access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq 80
Router(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 ?
eq Match only packets on a given port number
established established
gt Match only packets with a greater port number
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
<cr>
Router(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq 21
Router(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq 20
Router(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq 23
Router(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.2 eq 23
Router(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 host 12.12.12.2 eq 23
Router(config)#access-list 100 deny icmp host 10.1.1.100 host 12.12.12.2
Router(config)#access-list 100 deny icmp host 10.1.1.100 host 192.168.1.2
Router(config)#access-list 100 permit ip any any
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip access-group 100 in
Router(config-if)#no shutdown
Router(config-if)#
Router(config-if)#end
%SYS-5-CONFIG_I: Configured from console by console
Router#show acc
Router#show access-lists
Extended IP access list 100
permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq www
deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq ftp
deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq 20
deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq telnet
deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.2 eq telnet
deny tcp 10.1.1.0 0.0.0.255 host 12.12.12.2 eq telnet
deny icmp host 10.1.1.100 host 12.12.12.2
deny icmp host 10.1.1.100 host 192.168.1.2
permit ip any any (8 match(es))
Router#

Router 1 configuration:
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.1.2 255.255.255.0
Router(config-if)#no shutdown

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#interface serial 0/0
Router(config-if)#ip add
Router(config-if)#ip address 12.12.12.2 255.255.255.0
Router(config-if)#no shutdown

%LINK-5-CHANGED: Interface Serial0/0, changed state to up
Router(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
Router(config-if)#
Router(config-if)#exit
Router(config)#router rip
Router(config-router)#net
Router(config-router)#network 12.12.12.0
Router(config-router)#network 192.168.1.0
Router(config-router)#end
%SYS-5-CONFIG_I: Configured from console by console
Router#show ip rou
Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

R 10.0.0.0/8 [120/1] via 12.12.12.1, 00:00:21, Serial0/0
12.0.0.0/24 is subnetted, 1 subnets
C 12.12.12.0 is directly connected, Serial0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
Router#ping 10.1.1.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 93/93/94 ms

Router#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 78/84/93 ms

Router#

Pinging the other side from Pc0:
Packet Tracer PC Command Line 1.0
PC>ping 12.12.12.2

Pinging 12.12.12.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 12.12.12.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>ping 192.168.1.100

Pinging 192.168.1.100 with 32 bytes of data:

Reply from 192.168.1.100: bytes=32 time=109ms TTL=126
Reply from 192.168.1.100: bytes=32 time=125ms TTL=126
Reply from 192.168.1.100: bytes=32 time=110ms TTL=126
Reply from 192.168.1.100: bytes=32 time=125ms TTL=126

Ping statistics for 192.168.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 109ms, Maximum = 125ms, Average = 117ms

PC>
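
ACL 100 from Router 0, modelled as an added example (not part of the original post): a first-match evaluator with wildcard-mask matching, run over constructed packets that mirror the four requirements and the Pc0 ping results. The function names are hypothetical, and source ports and ICMP types are not modelled.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

def spec(s):
    """Parse 'any', 'host A' or 'A WILDCARD' into (address, wildcard) ints."""
    t = s.split()
    if t[0] == "any":
        return 0, 0xFFFFFFFF
    if t[0] == "host":
        return ip(t[1]), 0
    return ip(t[0]), ip(t[1])

def hit(addr, s):
    base, wild = spec(s)
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (ip(addr) & care) == (base & care)

# ACL 100 as entered on Router 0: (action, protocol, source, destination, dst port)
NET = "10.1.1.0 0.0.0.255"
ACL_100 = [
    ("permit", "tcp", NET, "host 192.168.1.100", 80),
    ("deny", "tcp", NET, "host 192.168.1.100", 21),
    ("deny", "tcp", NET, "host 192.168.1.100", 20),
    ("deny", "tcp", NET, "host 192.168.1.100", 23),
    ("deny", "tcp", NET, "host 192.168.1.2", 23),
    ("deny", "tcp", NET, "host 12.12.12.2", 23),
    ("deny", "icmp", "host 10.1.1.100", "host 12.12.12.2", None),
    ("deny", "icmp", "host 10.1.1.100", "host 192.168.1.2", None),
    ("permit", "ip", "any", "any", None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, 1-based entry number) of the first matching entry."""
    for n, (action, p, s, d, port) in enumerate(acl, 1):
        if p not in ("ip", proto):
            continue
        if hit(src, s) and hit(dst, d) and (port is None or port == dport):
            return action, n
    return "deny", 0  # implicit deny that ends every ACL

if __name__ == "__main__":
    # Constructed packets (assumption: simplified to protocol, addresses, dst port).
    for pkt in [("tcp", "10.1.1.100", "192.168.1.100", 80),
                ("tcp", "10.1.1.2", "12.12.12.2", 23),
                ("icmp", "10.1.1.100", "192.168.1.2", None),
                ("icmp", "10.1.1.100", "192.168.1.100", None)]:
        print(pkt, "->", evaluate(ACL_100, *pkt))
```

Removing the final `permit ip any any` entry makes every packet that no earlier entry matches fall through to the implicit deny, which is why the list ends with it.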