Lab 35: Standard ACLs
1. Lab objectives
Through this lab you will learn:
1) ACL design principles and how ACLs work
2) Defining a standard ACL
3) Applying an ACL
4) Debugging a standard ACL
Note: in this lab PC0 is denied access to router R2, and only host PC1 is allowed to access the TELNET
service on router R1. EIGRP is configured across the whole network to provide IP connectivity.
2. Topology
The lab topology is shown in the figure.
3. Lab steps
Notes: 1) Once an ACL is defined it can be applied in many places; applying it on an interface is only one of them. Other common uses
include the match statement in a route map and calling it under the vty lines with the "access-class" command
to control telnet access;
2) Access-list entries are checked in top-down order, starting from the first entry, so the
order in which statements are defined in the access list must be considered;
3) A router does not filter IP packets that it generates itself;
4) The last entry of every access list is an implicit deny all;
5) Only one ACL per protocol can be applied in each direction on each router interface;
6) The "access-class" command only works with standard ACLs.
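The evaluation rules in notes 2) and 4) (top-down, first match, implicit deny, source address only) and the two lists configured later in this lab, modelled in Python as an added example that is not part of the lab; the entry tuples, function names and sample source addresses are my own assumptions.

```python
import ipaddress

# Added example (not part of the lab): a model of how IOS evaluates a standard
# ACL. Entries are checked top-down, the first match decides, an unmatched
# packet hits the implicit "deny any", and only the source address is inspected.
# Entries are (action, network, wildcard); "any" is written 0.0.0.0/255.255.255.255.

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(src: str, network: str, wildcard: str = "0.0.0.0") -> bool:
    """Wildcard bit 1 = don't care, 0 = must match (0.0.0.0 means 'host')."""
    care = (~_to_int(wildcard)) & 0xFFFFFFFF
    return (_to_int(src) & care) == (_to_int(network) & care)

def evaluate_acl(acl, src: str):
    """Return (action, index of the matching entry); index None = implicit deny."""
    for idx, (action, network, wildcard) in enumerate(acl):
        if wildcard_match(src, network, wildcard):
            return action, idx
    return "deny", None  # implicit deny-all at the end of every ACL

def hit_counts(acl, sources):
    """Per-entry match counters, like the '(n match(es))' in show ip access-lists.
    The extra last slot counts packets that fell through to the implicit deny."""
    counts = [0] * (len(acl) + 1)
    for src in sources:
        _, idx = evaluate_acl(acl, src)
        counts[len(acl) if idx is None else idx] += 1
    return counts

# R2's access-list 1 from the lab: block PC0's host address, permit the rest
R2_ACL_1 = [("deny", "172.16.1.1", "0.0.0.0"),
            ("permit", "0.0.0.0", "255.255.255.255")]
# R1's access-list 1 from the lab, applied with access-class: only PC1 may telnet;
# every other source falls through to the implicit deny
R1_VTY_ACL = [("permit", "172.16.4.1", "0.0.0.0")]
# The same two entries in the wrong order: "permit any" matches first, so the
# deny entry can never be reached (note 2 above)
R2_ACL_WRONG_ORDER = list(reversed(R2_ACL_1))

if __name__ == "__main__":
    for name, acl in [("R2 acl 1", R2_ACL_1), ("R1 vty", R1_VTY_ACL),
                      ("wrong order", R2_ACL_WRONG_ORDER)]:
        for src in ("172.16.1.1", "172.16.1.2", "172.16.4.1"):
            print(name, src, evaluate_acl(acl, src))
```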
r0(config)#int s1/0
r0(config-if)#ip add 172.16.2.1 255.255.255.0
r0(config-if)#no sh
 
%LINK-5-CHANGED: Interface Serial1/0, changed state to up
r0(config-if)#
r0(config-if)#exit
r0(config)#int f0/0
r0(config-if)#ip add 172.16.1.2 255.255.255.0
r0(config-if)#no sh
 
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
r0(config-if)#
r0(config-if)#do sh ip int b
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        172.16.1.2      YES manual up                    up
FastEthernet0/1        unassigned      YES manual administratively down down
FastEthernet1/0        unassigned      YES manual administratively down down
Serial1/0              172.16.2.1      YES manual up                    down
r0(config-if)#exit
r0(config)#int s1/0
r0(config-if)#clo r 64000
r0(config-if)#no sh
r0(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
r0(config-if)#do ping 172.16.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/27/31 ms
 
r0(config-if)#exit
r0(config)#router eigrp 1
r0(config-router)#no au
r0(config-router)#net 172.16.1.0
r0(config-router)#net 172.16.2.0
r0(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 172.16.2.2 (Serial1/0) is up: new adjacency
r0(config-router)#
 
 
r1(config)#int s1/1
r1(config-if)#clo r 64000
r1(config-if)#no sh
r1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed state to up
r1(config-if)#exit
r1(config)#router eigrp 1
r1(config-router)#no au
r1(config-router)#net 172.16.2.0
r1(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 172.16.2.1 (Serial1/0) is up: new adjacency
r1(config-router)#net 172.16.3.0
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 172.16.3.2 (Serial1/1) is up: new adjacency
r1(config-router)#exit
r1(config)#access-list 1 permit 172.16.4.1
r1(config)#line vty 0 4
r1(config-line)#access-class 1 in
 
r1(config-line)#pass cisco
r1(config-line)#login
r1(config-line)#do sh ip int b   // ACL 1 defined above and applied to the vty lines with access-class
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES manual administratively down down
FastEthernet0/1        unassigned      YES manual administratively down down
FastEthernet1/0        unassigned      YES manual administratively down down
Serial1/0              172.16.2.2      YES manual up                    up
Serial1/1              172.16.3.1      YES manual up                    up
 
r1(config-line)#do ping 172.16.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 47/56/62 ms
 
r1(config-line)#do ping 172.16.4.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 47/56/62 ms
 
r1(config-line)#do sh ip access-lists
Standard IP access list 1
    permit host 172.16.4.1
r1(config-line)#do sh ip int
FastEthernet0/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
FastEthernet0/1 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
FastEthernet1/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
Serial1/0 is up, line protocol is up (connected)
  Internet address is 172.16.2.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
Serial1/1 is up, line protocol is up (connected)
  Internet address is 172.16.3.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
r1(config-line)#
 
 
 
r2(config)#int f0/0
r2(config-if)#ip add 172.16.4.2 255.255.255.0
r2(config-if)#no sh
 
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
r2(config-if)#
r2(config-if)#exit
r2(config)#int s1/0
r2(config-if)#ip add 172.16.3.2 255.255.255.0
r2(config-if)#no sh
 
%LINK-5-CHANGED: Interface Serial1/0, changed state to down
r2(config-if)#
%LINK-5-CHANGED: Interface Serial1/0, changed state to up
r2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
r2(config-if)#exit
r2(config)#router eigrp 1
r2(config-router)#no au
r2(config-router)#net 172.16.3.0
r2(config-router)#
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 172.16.3.1 (Serial1/0) is up: new adjacency
r2(config-router)#net 172.16.4.0
r2(config-router)#exit
r2(config)#access-list 1 deny 172.16.1.1 0.0.0.0
r2(config)#access-list 1 permit any
r2(config)#int f0/0
r2(config-if)#exit
r2(config)#int s1/0
r2(config-if)#ip access-group 1 in   // apply the ACL inbound on the interface
 
r2(config-if)#exit
r2(config)#do ping 172.16.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
 
r2(config)#do sh ip access-lists
Standard IP access list 1
    deny host 172.16.1.1 (18 match(es))
    permit any (93 match(es))
r2(config)#do sh ip int
FastEthernet0/0 is up, line protocol is up (connected)
  Internet address is 172.16.4.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
FastEthernet0/1 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
FastEthernet1/0 is administratively down, line protocol is down (disabled)
  Internet protocol processing disabled
Serial1/0 is up, line protocol is up (connected)
  Internet address is 172.16.3.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 1
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP Fast switching turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
r2(config)#
 
pc0:
 
 
pc1