CCNA(Stand-ALONE)Lab 31-Named Access Lists

Objective: Create a named access list that will deny all ping traffic from PC 1 to Router 1, but will enable all access from Router 4 to Router 1. For this lab, the access list must be added on Router 1.
Lab Equipment: Router 1 and Router 4 from the eRouters menu and PC 1 from the eStations menu
Background Reading: Lab Primer Lesson 10: Access Lists

1. Establish the configurations outlined in the table below. Use the winipcfg command on PC 1 to configure the IP address and default gateway.

Router1:

Router4:

PC1:

2. configure RIP on the two routers. Be sure to use the proper network statements.
Router1(config)#router rip
Router1(config-router)#network 192.168.1.0

Router4(config)#router rip
Router4(config-router)#network 192.168.1.0

3. Use the show ip route command on each router to make sure that the routes have been received.
Router1#show ip route

Router4#show ip route

4. Verify that you can ping Router1 from PC 1.
C:>ping 192.168.1.1

5. Create an access list that prevents ping traffic originating from PC 1 and destined for Router1 from reaching Router1. Typically, this access list could be placed on either Router4 or Router1. It often makes more sense to place the access list on the router closest to the source as possible; this helps keep unnecessary traffic off the backbone.
For this example, however, the access list will be placed on Router1 for inbound traffic.
Router1(config)#ip access-list extended deny_ping
Router1(config-ext-acl)#deny icmp host 192.168.1.18 192.168.1.1
0.0.0.0 log
Router1(config-ext-acl)#permit ip any any log

The first statement above defines the access list as extended. The second statment denies any ICMP traffic with a source IP address of 192.168.1.18 that is destined for 192.168.1.1; the wildcard mask of 0.0.0.0 in this line means that the IP address must be matched exactly. Notice how the host command is used for the first part of the access list and the wildcard mask of 0.0.0.0 is used for the second part of the access list. The host command and the wildcard mask of 0.0.0.0 both do the same thing. The log keyword allows you to double-check your work.

6. Next, apply the access list to inbound traffic on the serial 0 interface of Router1.
Router1(config-ext-acl)#exit
Router1(config)#interface serial 0
Router1(config-if)#ip access-group deny_ping in

7. Connect to PC 1 and send a test ping to Router1. Then connect to Router4 and send a test ping to Router1. Are the pings successful?
C:>ping 192.168.1.1

Router4#ping 192.168.1.1

8. Connect to Router1 again; you should see two separate log messages. The first one is denying the ping from PC 1, and the second is allowing the ping from Router4.

*********************************************************

Above: CCNA(Stand-ALONE)Lab 30-Verify Extended Access Lists

Next: CCNA(Stand-ALONE)Lab 32-Advanced Extended Access Lists

本文转自redking51CTO博客，原文链接：http://blog.51cto.com/redking/74792 ，如需转载请自行联系原作者