Basic usage of named ACLs

Example 3: basic usage of a named standard ACL

1. On R1, configure one static route to the 192.168.100.0/24 network and one static route to the 192.168.200.0/24 network.

2. On R2, configure one static route to the 200.200.200.0/24 network.

3. On R2, create a standard ACL named permit-net100 with the rules: permit access from the 192.168.100.0/24 network and deny access from the 192.168.200.0/24 network; apply it on R2's F0/0 in the outbound direction.

The configuration is as follows (R1 first, then R2):


en
conf t
hostname R1
interface f0/0
ip address 200.200.200.254 255.255.255.0
no shutdown
exit
interface f0/1
ip address 192.168.12.1 255.255.255.0
no shutdown
exit
ip route 192.168.100.0 255.255.255.0 f0/1
ip route 192.168.200.0 255.255.255.0 f0/1
end

R2:

en
conf t
hostname R2
interface f0/0
ip address 192.168.12.2 255.255.255.0
no shutdown
exit
interface f0/1
ip address 192.168.100.254 255.255.255.0
no shutdown
exit
interface f1/0
ip address 192.168.200.254 255.255.255.0
no shutdown
exit
ip route 200.200.200.0 255.255.255.0 192.168.12.1
! Standard ACL: matches on source address only; any source not listed hits the implicit deny at the end
ip access-list standard permit-net100
permit 192.168.100.0 0.0.0.255
deny 192.168.200.0 0.0.0.255
exit
! Apply outbound on f0/0, the interface facing R1 and the 200.200.200.0/24 server
interface f0/0
ip access-group permit-net100 out
exit
end

Test result: PC1 can ping the server

PC>ping 200.200.200.200

Pinging 200.200.200.200 with 32 bytes of data:

Reply from 200.200.200.200: bytes=32 time=2ms TTL=126
Reply from 200.200.200.200: bytes=32 time=0ms TTL=126
Reply from 200.200.200.200: bytes=32 time=0ms TTL=126
Reply from 200.200.200.200: bytes=32 time=0ms TTL=126

Ping statistics for 200.200.200.200:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 2ms, Average = 0ms

PC>

Test result: PC2 cannot ping the server

PC>ping 200.200.200.200

Pinging 200.200.200.200 with 32 bytes of data:

Reply from 192.168.200.254: Destination host unreachable.
Reply from 192.168.200.254: Destination host unreachable.
Reply from 192.168.200.254: Destination host unreachable.
Reply from 192.168.200.254: Destination host unreachable.

Ping statistics for 200.200.200.200:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>

Analysis: the access list is configured correctly.

Example 4: basic usage of a named extended ACL

1. On R1, configure one static route to the 192.168.100.0/24 network and one static route to the 192.168.200.0/24 network.

2. On R2, configure one static route via F0/0 to the non-directly-connected network 200.200.200.0/24.

3. On R2, create a named extended ACL (deny-web) with the rule: "do not allow the 192.168.100.0/24 and 192.168.200.0/24 networks to access the server's web service; no other restrictions".

4. Apply it on R2's F0/0 in the outbound direction.

The configuration is as follows (R1 first, then R2):

en
conf t
hostname R1
interface f0/0
ip address 200.200.200.254 255.255.255.0
no shutdown
exit
interface f0/1
ip address 192.168.12.1 255.255.255.0
no shutdown
exit
ip route 192.168.100.0 255.255.255.0 f0/1
ip route 192.168.200.0 255.255.255.0 f0/1
end

R2:

en
conf t
hostname R2
interface f0/0
ip address 192.168.12.2 255.255.255.0
no shutdown
exit
interface f0/1
ip address 192.168.100.254 255.255.255.0
no shutdown
exit
interface f1/0
ip address 192.168.200.254 255.255.255.0
no shutdown
exit
! Static route via exit interface only; on an Ethernet link this relies on proxy ARP,
! so the next-hop form used in Example 3 (192.168.12.1) is the more robust choice
ip route 200.200.200.0 255.255.255.0 f0/0
! Extended ACL: matches protocol, source, destination and port. Order matters: the two
! deny lines must come before the permit, and "eq www" covers TCP port 80 only
ip access-list extended deny-web
deny tcp 192.168.100.0 0.0.0.255 any eq www
deny tcp 192.168.200.0 0.0.0.255 any eq www
permit ip any any
exit
interface f0/0
ip access-group deny-web out
exit
end

Result: the PC can ping the server but cannot open its web page

PC>ping 200.200.200.200

Pinging 200.200.200.200 with 32 bytes of data:

Reply from 200.200.200.200: bytes=32 time=1ms TTL=126
Reply from 200.200.200.200: bytes=32 time=0ms TTL=126
Reply from 200.200.200.200: bytes=32 time=0ms TTL=126
Reply from 200.200.200.200: bytes=32 time=0ms TTL=126

Ping statistics for 200.200.200.200:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

Browser test:

http://200.200.200.200

Request Timeout

Analysis: the access list is configured correctly.
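The matching logic behind both lists (Example 3's permit-net100 and Example 4's deny-web), as an added example that is not part of the original post and is not IOS code: a small Python evaluator that parses the two ACLs exactly as written above and applies the IOS rules (top-down first match, wildcard masks where a 1 bit means "ignore", and the implicit deny of everything that matches no entry). The PC addresses 192.168.100.1 and 192.168.200.1, the outside source 10.0.0.5 and the HTTPS test on port 443 are constructed for the example; the post does not give PC addresses.

```python
# Added example (not from the post, not IOS code): a minimal evaluator that applies
# IOS ACL semantics to sample packets so the post's two lists can be checked offline.
import ipaddress

# Service names IOS accepts after "eq" (subset); "www" is the one the post uses
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, network, wildcard):
    """True if addr matches network under a Cisco wildcard mask (a 1 bit = ignore)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


def _parse_addr(toks):
    """Consume 'any', 'host A', 'A WILDCARD' or a bare 'A'; return ((net, wc), rest)."""
    if toks[0] == "any":
        return ANY, toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    if len(toks) > 1 and toks[1][0].isdigit():        # explicit wildcard follows
        return (toks[0], toks[1]), toks[2:]
    return (toks[0], "0.0.0.0"), toks[1:]             # bare address = exact host


def parse_acl(text):
    """Parse 'ip access-list standard|extended NAME' and its entries, keeping order."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    kind, name = lines[0].split()[2:4]
    entries = []
    for ln in lines[1:]:
        if ln == "exit":
            continue
        action, *toks = ln.split()
        if kind == "standard":                         # source address only
            src, _ = _parse_addr(toks)
            entries.append({"action": action, "proto": "ip", "src": src,
                            "dst": ANY, "dport": None})
        else:                                          # protocol, src, dst, optional port
            proto, *toks = toks
            src, toks = _parse_addr(toks)
            dst, toks = _parse_addr(toks)
            dport = None
            if toks[:1] == ["eq"]:
                dport = PORT_NAMES.get(toks[1]) or int(toks[1])
            entries.append({"action": action, "proto": proto, "src": src,
                            "dst": dst, "dport": dport})
    return {"name": name, "kind": kind, "entries": entries}


def evaluate(acl, src, dst, proto="ip", dport=None):
    """First matching entry wins; no match falls through to the implicit 'deny any'.
    Returns (action, index_of_matching_entry_or_None)."""
    for i, e in enumerate(acl["entries"]):
        if e["proto"] != "ip" and e["proto"] != proto:   # 'ip' entries match every protocol
            continue
        if not (wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], i
    return "deny", None


# The two lists exactly as configured on R2 in the post
PERMIT_NET100 = parse_acl("""
ip access-list standard permit-net100
 permit 192.168.100.0 0.0.0.255
 deny 192.168.200.0 0.0.0.255
""")
DENY_WEB = parse_acl("""
ip access-list extended deny-web
 deny tcp 192.168.100.0 0.0.0.255 any eq www
 deny tcp 192.168.200.0 0.0.0.255 any eq www
 permit ip any any
""")


def check_post_scenarios():
    """Replay the post's tests plus two cases it does not show. The PC addresses
    (.1 in each LAN), the outside source 10.0.0.5 and the HTTPS case are constructed."""
    server = "200.200.200.200"
    return {
        "pc1_ping_std": evaluate(PERMIT_NET100, "192.168.100.1", server, "icmp")[0],  # permit
        "pc2_ping_std": evaluate(PERMIT_NET100, "192.168.200.1", server, "icmp")[0],  # deny
        "other_src_std": evaluate(PERMIT_NET100, "10.0.0.5", server, "icmp")[0],      # implicit deny
        "pc1_http_ext": evaluate(DENY_WEB, "192.168.100.1", server, "tcp", 80)[0],    # deny
        "pc1_ping_ext": evaluate(DENY_WEB, "192.168.100.1", server, "icmp")[0],       # permit
        "pc1_https_ext": evaluate(DENY_WEB, "192.168.100.1", server, "tcp", 443)[0],  # permit
    }


if __name__ == "__main__":
    for case, verdict in check_post_scenarios().items():
        print(f"{case:15s} -> {verdict}")
```

The two extra cases show the points the ping and browser tests alone do not: with the standard list, a source that appears nowhere in permit-net100 (10.0.0.5 here) is still dropped by the implicit deny, so the list is effectively an allow-list for everything leaving f0/0; with the extended list, "eq www" stops only TCP port 80, so the same server reached over HTTPS (443) or any other service still passes through permit ip any any. If the requirement is "no web access", a second pair of deny lines for port 443 would be needed.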