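Lab equipment: one 2600-series router, one 2900 switch, two PCs
I. ACL Configuration
(1) Standard ACL
Step 1 Configure the hostname and passwords on the router
Step 2 Configure the PCs on the Ethernet segment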
a. PC 1
IP address 192.168.14.2
Subnet mask 255.255.255.0
Default gateway 192.168.14.1
b. PC 2
IP address 192.168.14.3
Subnet mask 255.255.255.0
Default gateway 192.168.14.1
Step 3 Save the configuration
GAD#copy running-config startup-config
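Step 4 Use the ping command to test connectivity from both PCs to the default gateway: succeeds
Step 5 Block the PCs from accessing the router's Ethernet interface (in global configuration mode)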
GAD(config)#access-list 1 deny 192.168.14.0 0.0.0.255
GAD(config)#access-list 1 permit any
Step 6 Ping both PCs from the router
Step 7 Apply the ACL to the interface
GAD(config-if)#ip access-group 1 in
Step 8 Ping the router from both PCs
Step 9 Create a new ACL
access-list 2 permit 192.168.14.1 0.0.0.254
Step 10 Apply the ACL to the interface
ip access-group 2 in (entered in interface configuration mode)
Step 11 Ping the router from both PCs
GAD#show running-config
Building configuration...
Current configuration : 405 bytes
!
version 12.2
no service password-encryption
!
hostname RAD
!
!
!
!
!
ip ssh version 1
!
!
interface FastEthernet0/0
ip address 192.168.14.1 255.255.255.0
ip access-group 2 in
duplex auto
speed auto
!
ip classless
!
!
access-list 1 deny 192.168.14.0 0.0.0.255
access-list 1 permit any
access-list 2 permit 192.168.14.0 0.0.0.254
access-list 2 permit any
!
!
!
line con 0
line vty 0 4
login
!
!
end
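
Added example (not part of the original lab notes): a small Python model of how a standard ACL is evaluated, with wildcard-mask matching, first match wins, and the implicit deny at the end, run against the two PC addresses from Step 2. The function names parse_acl, evaluate and results are chosen for this example only; the ACL lines are the ones shown in Steps 5 and 9 and in the running-config above.

```python
import ipaddress

# ACL lines copied from the lab steps and the running-config on this page.
ACL1 = ["access-list 1 deny 192.168.14.0 0.0.0.255",
        "access-list 1 permit any"]
ACL2_STEP9 = ["access-list 2 permit 192.168.14.1 0.0.0.254"]
ACL2_RUNNING = ["access-list 2 permit 192.168.14.0 0.0.0.254",
                "access-list 2 permit any"]
PCS = {"PC 1": "192.168.14.2", "PC 2": "192.168.14.3"}

def ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_acl(lines):
    """Parse 'access-list N permit|deny any' or '... SRC [WILDCARD]' lines."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL line: {line!r}")
        if tok[3] == "any":
            addr, wild = 0, 0xFFFFFFFF            # every bit is "don't care"
        else:
            addr = ip(tok[3])
            wild = ip(tok[4]) if len(tok) > 4 else 0   # no wildcard: exact host
        rules.append((tok[2], addr, wild))
    return rules

def evaluate(rules, source):
    """Return the action of the first matching rule, else the implicit deny."""
    src = ip(source)
    for action, addr, wild in rules:
        # Wildcard bits set to 1 are ignored; bits set to 0 must be equal.
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action
    return "deny"

def results(acl_lines):
    rules = parse_acl(acl_lines)
    return {name: evaluate(rules, addr) for name, addr in PCS.items()}

if __name__ == "__main__":
    for label, acl in [("ACL 1", ACL1), ("ACL 2 (Step 9)", ACL2_STEP9),
                       ("ACL 2 (running-config)", ACL2_RUNNING)]:
        print(label, results(acl))
```

With wildcard 0.0.0.254 only the lowest bit of the last octet is compared, so the Step 9 entry matches odd-numbered hosts and the running-config entry matches even-numbered ones; the trailing permit any in the running-config is what lets the remaining hosts through.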