CCNA实验(10) — Access List

使用包过滤技术
在路由器上读取三层及四层报头的信息如源地址、目的地址、源端口、目的端口
根据预先定义好的规则对包进行过滤

三种类型：
1.标准ACL：表号范围1-99或1300-1999.仅对源IP地址进行过滤
2.扩展ACL：表号范围100-199或2000-2699.可以对包括协议类型、源地址、目的地址、源端口、目的端口、TCP连接建立等进行过滤。
3.命名ACL：以名称代替编号，同样包括标准和扩展两种列表。

两个术语：
1.通配符掩码：1表示忽略IP地址中对应的位，0表示该位必须匹配
2.Inbound和Outbound，指明ACL应用于流入数据还是流出数据

0.无访问控制列表
1.标准访问控制列表
2.扩展访问控制列表
3.命名访问控制列表

enable
conf t
no ip do lo
enable pass cisco
line con 0
logg sync
exec-t 0 0
line vty 0 4
pass cisco
logg sync
exit
host 

0.无访问控制列表
————————————————————————————————

R1:
int f0/0
ip add 12.1.1.1 255.255.255.0
no shut
exit
int l0
ip add 11.1.1.1 255.255.255.0
no shut
exit
int l1
ip add 11.1.2.1 255.255.255.0
no shut
exit

router eigrp 1
no auto-summary
network 12.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
network 11.1.2.0 0.0.0.255
exit

R2:
int f0/0
ip add 12.1.1.2 255.255.255.0
no shut
exit
int f1/0
ip add 23.1.1.2 255.255.255.0
no shut
exit

router eigrp 1
no auto-summary
network 12.1.1.0 0.0.0.255
network 23.1.1.0 0.0.0.255
exit

R3:
int f0/0
ip add 23.1.1.3 255.255.255.0
no shut
exit
int l0
ip add 33.1.1.1 255.255.255.0
no shut
exit

router eigrp 1
no auto-summary
network 23.1.1.0 0.0.0.255
network 33.1.1.0 0.0.0.255
exit

R1:
end
ping 33.1.1.1 source 11.1.2.1
conf t

1.标准Access List
—————————————————————————————
R2:
access-list 10 deny 11.1.2.0 0.0.0.255
access-list 10 permit any
int f1/0
ip access-group 10 out
exit

R3:
access-list 11 permit 11.1.1.1
line vty 0 4
access-class 11 in
exit

R2:
end
telnet 33.1.1.1
conf t

R1:
end
telnet 33.1.1.1

telnet 33.1.1.1 /source-int l0


2.扩展Access List
——————————————————————————————
R2:
access-list 100 deny icmp host 11.1.1.1 any echo
access-list 100 deny icmp host 11.1.1.1 any echo-reply
access-list 100 permit tcp host 11.1.1.1 any eq telnet
access-list 100 deny tcp any any eq telnet
access-list 100 permit ip any any

end
show access-lists
conf t

int f0/0
ip access-group 100 in
exit

R1:
end
ping 12.1.1.2 source 11.1.1.1
telnet 12.1.1.2 /source-int l0
conf t


3.命名Access List
———————————————————————————–
R2:
ip access-list standard yeslab
deny 11.1.2.0 0.0.0.255
permit any
exit
int f1/0
ip access-group yeslab out
exit

R3:
ip access-list standard yeslab
permit 11.1.1.1
exit
line vty 0 4
access-class yeslab in
exit

R2:
ip access-list extended yeslab1
deny icmp host 11.1.1.1 any echo
deny icmp host 11.1.1.1 any echo-reply
permit tcp host 11.1.1.1 any eq telnet
deny tcp any any eq telnet
permit ip any any
exit
int f0/0
ip access-group yeslab1 in
exit