标准ACL和扩展ACL

实验1：标准ACL一 实验目的通过本实验可以掌握：（1） ACL设计原则和工作过程（2） 定义标准ACL（3） 应用ACL（4） 标准ACL调试二 拓扑结构三 实验步骤（1）步骤1：配置路由器R1RouterenRouter#conf tEnter configuration commands, one per line. End with CNTL/Z.Router(config)#host R1R1(config)#int fa 0/0R1(config-if)#ip add R1(config-if)#no shutR1(config-if)#%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to upR1(config-if)#int fa 0/1R1(config-if)#ip add Bad mask /24 for address R1(config-if)#ip add R1(config-if)#no shutR1(config-if)#%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to upR1(config-if)#int s0/0/0R1(config-if)#ip add R1(config-if)#clock rate 64000R1(config-if)#no shut%LINK-5-CHANGED: Interface Serial0/0/0, changed state to downR1(config-if)#exitR1(config)#router eigrp 1R1(config-router)#network 55R1(config-router)#network 55R1(config-router)#network R1(config-router)#no auto（2）步骤2：配置路由器R2RouterenRouter#conftEnter configuration commands, one per line. End with CNTL/Z.Router(config)#line con 0Router(config-line)#logg sRouter(config-line)#no ip domain-lRouter(config)#host R2R2(config)#int s0/0/0R2(config-if)#ip add R2(config-if)#no shutR2(config-if)#%LINK-5-CHANGED: Interface Serial0/0/0, changed state to upR2(config-if)#int s0/0/1R2(config-if)#ip add 25%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up5R2(config-if)#ip add R2(config-if)#clock rate 64000R2(config-if)#no shut%LINK-5-CHANGED: Interface Serial0/0/1, changed state to downR2(config)#int lo0R2(config-if)#%LINK-5-CHANGED: Interface Loopback0, changed state to up%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to upR2(config-if)#ip add R2(config-if)#exitR2(config)#router eigrp 1R2(config-router)#network 55R2(config-router)#network 55R2(config-router)#%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor (Serial0/0/0) is up: new adjacencyR2(config-router)#network 55R2(config-router)#no auto-summaryR2(config-router)#%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor (Serial0/0/0) is up: new adjacencyR2(config-router)#exitR2(config)#access-list 1 deny 55 /定义标准ACLR2(config)#access-list 1 permit anyR2(config)#interface s0/0/0R2(config-if)#ip access-group 1 in /在接口上开启ACLR2(config-if)#access-list 2 permit /定义标准ACLR2(config)#line vty 0 4R2(config-line)#access-class 2 in /在vty上开启ACLR2(config-line)#password ciscoR2(config-line)#login（3）步骤3：配置路由器R3RouterenRouter#conf tEnter configuration commands, one per line. End with CNTL/Z.Router(config)#line con 0Router(config-line)#logg sRouter(config-line)#no ip domain-lRouter(config)#host R3R3(config)#int fa 0/0R3(config-if)#ip add R3(config-if)#no shutR3(config-if)#%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to upR3(config-if)#int s0/0/1R3(config-if)#ip add R3(config-if)#no shut%LINK-5-CHANGED: Interface Serial0/0/1, changed state to upR3(config-if)#%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to upR3(config-if)#exitR3(config)#router eigrp 1R3(config-router)#network 55R3(config-router)#network 55%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor (Serial0/0/1) is up: new adjacencyR3(config-router)#no auto-summary%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor (Serial0/0/1) is up: new adjacency四 实验调试在PC1网络所在主机上ping ，应该通，在PC2网络所在的主机上ping 应该不通，在主机PC3上Telnet ，应该成功。(1) show ip access-listsR2#show ip access-listsStandard IP access list 1 deny 55 permit any (104 match(es)Standard IP access list 2 permit host (2) show ip interfaceR2#show ip interface s0/0/0Serial0/0/0 is up, line protocol is up (connected) Internet address is /24 Broadcast address is 55 Address determined by setup command MTU is 1500 Helper address is not set Directed broadcast forwarding is disabled Outgoing access list is not set Inbound access list is 1 /说明在接口s0/0/0的入方向应用了ACL Proxy ARP is enabled Security level is default Split horizon is enabled ICMP redirects are always sent ICMP unreachables are always sent ICMP mask replies are never sent IP fast switching is disabled IP fast switching on the same interface is disabled IP Flow switching is disabled IP Fast switching turbo vector IP multicast fast switching is disabled IP multicast distributed fast switching is disabled Router Discovery is disabled IP output packet accounting is disabled IP access violation accounting is disabled TCP/IP header compression is disabled RTP/IP header compression is disabled Probe proxy name replies are disabled Policy routing is disabled Network address translation is disabled WCCP Redirect outbound is disabled WCCP Redirect exclude is disabled BGP Policy Mapping is disabled实验2：扩展ACL一 实验目的通过本实验可以掌握：（5） 定义扩展ACL（6） 应用扩展ACL（7） 扩展ACL调试二 拓扑结构本实验要求只允许PC2所在网段的主机访问路由器R2的WWW和Telnet服务，并拒绝PC3所在网段ping路由器R2。删除标准ACL实验中定义的ACL，保留EIGRP的配置三 实验步骤（1）步骤1：配置路由器R1R1(config)#access-list 100 permit tcp 55 host eq wwwR1(config)#access-list 100 permit tcp 55 host eq wwwR1(config)#access-list 100 permit tcp 55 host eq wwwR1(config)#access-list 100 permit tcp 55 host eq telnetR1(config)#access-list 100 permit tcp 55 host eq telnetR1(config)#access-list 100 permit tcp 55 host eq telnet（2）步骤2：配置路由器R2R2#conf tEnter configuration commands, one per line. End with CNTL/Z.R2(config)#no access-list 1R2(config)#no access-list 2R2(config)#line vty 0 4R2(config-line)#password ciscoR2(config-line)#login（3）步骤3：配置路由器R3R3(config)#access-list 101 deny icmp 55 host R3(config)#access-list 101 deny icmp 55 host ? type-num echo echo echo-reply echo-reply host-unreachable host-unreachable net-unreachable net-unreachable port-unreachable port-unreachable protocol-unreachable protocol-unreachable ttl-exceeded ttl-exceeded unreachable unreachable R3(config)#access-list 101 deny icmp 55 host R3(config)#access-list 101 deny icmp 172.16.3