访问控制列表前缀整合（原创）

IP地址1：202.107.227.0/28

IP地址2：218.108.228.0/28

转换成二进制为：

11001010 01101011 11100011 00000000

11011010 01101100 11100100 00000000

11001010 01101000 11100000 00000000  AND 运算结果：202.104.224.0

11011010 01101111 11100111 00000000  OR 运算结果：218.111.231.0

两个IP地址段可以结合成：

网络地址：202.104.224.0  掩码：218.111.231.15(因为其掩码为28位，所以反掩码为15）

实验测试：

PC---F0/0(192.168.1.254)R1-E1/0(202.107.227.1/28或218.108.228.1/28)--------R2E1/0(202.107.227.2/28或218.108.228.2/28)----lo1(1.1.1.1/24)

R1，R2上分别加上一条默认路由指向对方

在R1上加访问控制列表，

ip access-list 101 deny ip 202.104.224.0  218.111.231.15 any

ip access-list 101 permit ip any any

应用在R1 e1/0IN 方向

R2(config)#do ping 192.168.1.254 source 202.107.227.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
U.U.U

R2#ping 192.168.1.254 source 218.108.228.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 218.108.228.2
U.U.U

R2#ping 192.168.1.254 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!

增加lo2 202.107.227.20 255.255.255.240

R2(config-if)#do ping 192.168.1.254 source lo2   

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 202.107.227.20
!!!!!

增加lo3 218.108.228.20 255.255.255.240

R2(config-if)#do ping 192.168.1.254 source lo3   

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 218.108.228.20
!!!!!

 

sh run查看访问控制列表，列表变成如下：

access-list 101 deny   ip 0.0.0.0 218.111.231.15 any
access-list 101 permit ip any any

查看匹配情况：

Extended IP access list 101
    10 deny ip 0.0.0.0 218.111.231.15 any (35 matches)
    20 permit ip any any (70 matches)

呵呵，说明访问控制列表匹配上了。