IP address 1: 202.107.227.0/28
IP address 2: 218.108.228.0/28
Converted to binary:
11001010 01101011 11100011 00000000
11011010 01101100 11100100 00000000
11001010 01101000 11100000 00000000   AND result: 202.104.224.0
11011010 01101111 11100111 00000000   OR result: 218.111.231.0
The two IP address ranges can be combined into:
Network address: 202.104.224.0   Mask: 218.111.231.15 (because the mask is 28 bits, the inverse (wildcard) mask of the last octet is 15)
Lab test:
PC --- F0/0 (192.168.1.254) R1 E1/0 (202.107.227.1/28 or 218.108.228.1/28) -------- R2 E1/0 (202.107.227.2/28 or 218.108.228.2/28) ---- lo1 (1.1.1.1/24)
On R1 and R2, add a default route on each one pointing to the other.
Add an access control list on R1:
access-list 101 deny ip 202.104.224.0 218.111.231.15 any
access-list 101 permit ip any any
Apply it on R1 e1/0 in the IN direction.
R2(config)#do ping 192.168.1.254 source 202.107.227.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
U.U.U
R2#ping 192.168.1.254 source 218.108.228.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 218.108.228.2
U.U.U
R2#ping 192.168.1.254 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Add lo2 202.107.227.20 255.255.255.240
R2(config-if)#do ping 192.168.1.254 source lo2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 202.107.227.20
!!!!!
Add lo3 218.108.228.20 255.255.255.240
R2(config-if)#do ping 192.168.1.254 source lo3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 218.108.228.20
!!!!!
Checking the access control list with sh run shows that the list has become:
access-list 101 deny ip 0.0.0.0 218.111.231.15 any
access-list 101 permit ip any any
Check the match counters:
Extended IP access list 101
10 deny ip 0.0.0.0 218.111.231.15 any (35 matches)
20 permit ip any any (70 matches)
Heh, this shows that the access control list matched.
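
The wildcard comparison behind this result, as an added Python example that is not part of the original post: it reproduces the router's rewrite of the entry to 0.0.0.0, replays the five ping sources from the lab, and, going beyond the post, compares the entry with the XOR-derived wildcard 16.7.7.15 to show how many sources each one matches. The address 10.0.0.1 and all function names are constructed for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def dotted(n):
    return str(ipaddress.IPv4Address(n))

def normalize(addr, wildcard):
    """Clear the bits the wildcard ignores, as the router did in `sh run`."""
    return dotted(ip(addr) & ~ip(wildcard) & 0xFFFFFFFF)

def matches(src, addr, wildcard):
    """ACL wildcard test: only bits set to 0 in the wildcard are compared."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(src) & care) == (ip(addr) & care)

def covered(wildcard):
    """Number of source addresses one entry matches: 2^(wildcard 1-bits)."""
    return 2 ** bin(ip(wildcard)).count("1")

def tight_wildcard(net_a, net_b, host_wildcard):
    """Smallest single wildcard covering both: differing bits OR host bits."""
    return dotted((ip(net_a) ^ ip(net_b)) | ip(host_wildcard))

# (address, wildcard) as typed on the page
PAGE_ENTRY = ("202.104.224.0", "218.111.231.15")
# Added for comparison: wildcard built from XOR instead of OR
TIGHT = ("202.104.224.0",
         tight_wildcard("202.107.227.0", "218.108.228.0", "0.0.0.15"))

# Sources pinged in the lab above, plus one constructed address (10.0.0.1)
SOURCES = ["202.107.227.2", "218.108.228.2", "1.1.1.1",
           "202.107.227.20", "218.108.228.20", "10.0.0.1"]

def report():
    """Map each source to (hit by page entry, hit by tight entry)."""
    return {s: (matches(s, *PAGE_ENTRY), matches(s, *TIGHT)) for s in SOURCES}

if __name__ == "__main__":
    print("normalized:", normalize(*PAGE_ENTRY), PAGE_ENTRY[1])
    print("page entry covers", covered(PAGE_ENTRY[1]), "addresses")
    print("tight entry:", *TIGHT, "covers", covered(TIGHT[1]), "addresses")
    for src, (page_hit, tight_hit) in report().items():
        print(f"{src:16} page={page_hit} tight={tight_hit}")
```

Neither entry covers only the 32 addresses of the two /28 ranges; matching exactly those takes one ACL line per range.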