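Extended ACL configuration:
<1, Permit hosts on network 10.1.1.0 to access the WEB server>
<2, Deny hosts on network 10.1.1.0 access to the FTP server>
<3, Deny hosts on network 10.1.1.0 Telnet access to Router 1>
<4, Deny host 10.1.1.100 from pinging Router 1>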
 
Router 0 configuration:
Router>en
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 10.1.1.1 255.255.255.0
Router(config-if)#no shutdown
 
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#interface serial 0/0
Router(config-if)#ip address 12.12.12.1 255.255.255.0
Router(config-if)#clock rate 64000
Router(config-if)#no shutdown
 
%LINK-5-CHANGED: Interface Serial0/0, changed state to down
Router(config-if)#
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
Router(config-if)#
Router(config-if)#exit
Router(config)#router rip
Router(config-router)#net
Router(config-router)#network 10.1.1.0
Router(config-router)#network 12.12.12.0
Router(config-router)#end
%SYS-5-CONFIG_I: Configured from console by console
Router#show ip rou
Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
 
Gateway of last resort is not set
 
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0/0
     12.0.0.0/24 is subnetted, 1 subnets
C       12.12.12.0 is directly connected, Serial0/0
R    192.168.1.0/24 [120/1] via 12.12.12.2, 00:00:11, Serial0/0
Router#ping 192.168.1.100
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 62/62/63 ms
 
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list
Router(config)#access-list 100 pe
Router(config)#access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq ?
  <0-65535>  Port number
  ftp        File Transfer Protocol (21)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  telnet     Telnet (23)
  www        World Wide Web (HTTP, 80)
Router(config)#access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq 80
Router(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 ?
  eq           Match only packets on a given port number
  established  established
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  range        Match only packets in the range of port numbers
  <cr>
Router(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq 21
Router(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq 20
Router(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq 23
Router(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.2 eq 23
Router(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 host 12.12.12.2 eq 23
Router(config)#access-list 100 deny icmp host 10.1.1.100 host 12.12.12.2
Router(config)#access-list 100 deny icmp host 10.1.1.100 host 192.168.1.2
Router(config)#access-list 100 permit ip any any
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip access-group 100 in
Router(config-if)#no shutdown
Router(config-if)#
Router(config-if)#end
%SYS-5-CONFIG_I: Configured from console by console
Router#show acc
Router#show access-lists
Extended IP access list 100
    permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq www
    deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq ftp
    deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq 20
    deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq telnet
    deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.2 eq telnet
    deny tcp 10.1.1.0 0.0.0.255 host 12.12.12.2 eq telnet
    deny icmp host 10.1.1.100 host 12.12.12.2
    deny icmp host 10.1.1.100 host 192.168.1.2
    permit ip any any (8 match(es))
Router#
 
 
 
 
Router 1 configuration:
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip address 192.168.1.2 255.255.255.0
Router(config-if)#no shutdown
 
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#interface serial 0/0
Router(config-if)#ip add
Router(config-if)#ip address 12.12.12.2 255.255.255.0
Router(config-if)#no shutdown
 
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
Router(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
Router(config-if)#
Router(config-if)#exit
Router(config)#router rip
Router(config-router)#net
Router(config-router)#network 12.12.12.0
Router(config-router)#network 192.168.1.0
Router(config-router)#end
%SYS-5-CONFIG_I: Configured from console by console
Router#show ip rou
Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
 
Gateway of last resort is not set
 
R    10.0.0.0/8 [120/1] via 12.12.12.1, 00:00:21, Serial0/0
     12.0.0.0/24 is subnetted, 1 subnets
C       12.12.12.0 is directly connected, Serial0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
Router#ping 10.1.1.100
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 93/93/94 ms
 
Router#ping 10.1.1.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 78/84/93 ms
 
Router#
 
 
PC0 pinging the other side:
Packet Tracer PC Command Line 1.0
PC>ping 12.12.12.2
 
Pinging 12.12.12.2 with 32 bytes of data:
 
Request timed out.
Request timed out.
Request timed out.
Request timed out.
 
Ping statistics for 12.12.12.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 
PC>ping 192.168.1.2
 
Pinging 192.168.1.2 with 32 bytes of data:
 
Request timed out.
Request timed out.
Request timed out.
Request timed out.
 
Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 
PC>ping 192.168.1.100
 
Pinging 192.168.1.100 with 32 bytes of data:
 
Reply from 192.168.1.100: bytes=32 time=109ms TTL=126
Reply from 192.168.1.100: bytes=32 time=125ms TTL=126
Reply from 192.168.1.100: bytes=32 time=110ms TTL=126
Reply from 192.168.1.100: bytes=32 time=125ms TTL=126
 
Ping statistics for 192.168.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 109ms, Maximum = 125ms, Average = 117ms
 
PC>
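
The first-match evaluation that produces the ping results above can be checked offline. The following Python model is an added example, not part of the original lab: it parses the ACL 100 entries as shown by "show access-lists" (without the match counter) and evaluates a packet against them in order. The function names (take_addr, parse_line, hit, evaluate) are hypothetical, and the model covers only the "host", "any", wildcard-mask and "eq" forms used in this ACL.

```python
import ipaddress

# ACL 100 as printed by "show access-lists" on Router 0 (copied from the page).
ACL_100 = """\
permit tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq www
deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq ftp
deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq 20
deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.100 eq telnet
deny tcp 10.1.1.0 0.0.0.255 host 192.168.1.2 eq telnet
deny tcp 10.1.1.0 0.0.0.255 host 12.12.12.2 eq telnet
deny icmp host 10.1.1.100 host 12.12.12.2
deny icmp host 10.1.1.100 host 192.168.1.2
permit ip any any
"""
PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}

def ip(s):
    return int(ipaddress.IPv4Address(s))

def take_addr(tok):
    # Consume one address spec from the token list; return (base, wildcard).
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return ip(tok.pop(0)), 0
    return ip(first), ip(tok.pop(0))

def parse_line(line):
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = take_addr(tok), take_addr(tok)
    port = (PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def hit(addr, spec):
    base, wild = spec  # a wildcard bit of 1 means "don't care"
    return ((ip(addr) ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(rules, proto, src, dst, dport=None):
    # First matching entry wins; with no match the implicit deny applies.
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        if (rproto in ("ip", proto) and hit(src, rsrc) and hit(dst, rdst)
                and (rport is None or rport == dport)):
            return action, n
    return "deny", None

RULES = [parse_line(l) for l in ACL_100.splitlines()]
```

Calling evaluate(RULES, "icmp", "10.1.1.100", "192.168.1.100") returns ("permit", 9), which is why PC0's ping to the server succeeds while its pings to 12.12.12.2 and 192.168.1.2 hit entries 7 and 8 and time out.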