一、实验拓扑。
二、标准ACL配置。
R2(config)#access-list 1 deny 10.1.1.0 0.0.0.255R2(config)#access-list 1 permit any #R2只拒绝10.1.1.0网段访问R2(config)#int s0/0R2(config-if)#ip access-group 1 in #在接口上应用ACLR2(config)#access-list 2 permit 172.16.3.1R2(config)#line vty 0 4R2(config-line)#access-class 2 in #access-class命令只对标准ACL有效
三、扩展ACL配置。
R1#show access-lists 100Extended IP access list 10010 permit tcp 10.1.1.0 0.0.0.255 host 2.2.2.2 eq telnet (79 matches)20 permit icmp 10.1.1.0 0.0.0.255 any (8 matches)
四、命名ACL配置。
R1(config)#ip access-list extended ACLname #给ACL命名
五、基于时间ACL。
R3(config)#time-range mytime #定义时间范围R3(config-time-range)#periodic weekdays 08:00 to 18:00 #定义时间范围R3(config)#access-list 111 permit tcp 172.16.3.0 0.0.0.255 host 2.2.2.2 eq telnet time-range mytime #在ACL列表中调用时间范围。R3(config)#access-list 111 permit tcp 172.16.3.0 0.0.0.255 host 192.168.12.0 eq telnet time-range mytimeR3(config)#int e1/0R3(config-if)#ip access-group 111 inR3#show access-listsExtended IP access list 11130 permit tcp 172.16.3.0 0.0.0.255 host 2.2.2.2 eq telnet time-range mytime (inactive)40 permit tcp 172.16.3.0 0.0.0.255 host 192.168.12.0 eq telnet time-range mytime (inactive)R3#show clock*01:58:31.083 UTC Fri Mar 1 2002R3#clock set 09:00:30 april 19 2012 #修改时间符合时间范围R3#show access-listsExtended IP access list 11130 permit tcp 172.16.3.0 0.0.0.255 host 2.2.2.2 eq telnet time-range mytime (active)40 permit tcp 172.16.3.0 0.0.0.255 host 192.168.12.0 eq telnet time-range mytime (active)R3#show time-rangetime-range entry: mytime (active)periodic weekdays 8:00 to 18:00used in: IP ACL entryused in: IP ACL entry
六、动态ACL。
R2(config)#username liang password 123456 #配置本地用户密码R2(config)#access-list 111 permit tcp 172.16.3.0 0.0.0.255 host 2.2.2.2 eq telnet #打开Telnet访问权限R2(config)#access-list 111 permit tcp 172.16.3.0 0.0.0.255 host 192.168.12.2 eq telnetR2(config)#access-list 111 permit eigrp any any #允许Eigrp协议R2(config)#access-list 111 dynamic test timeout 120 permit tcp 172.16.3.0 0.0.0.255 host 2.2.2.2 eq www #定义动态ACL以及绝对超时时间R2(config)#int s0/01R2(config-if)#ip access-group 111 inR2(config)#line vty 0 4R2(config-line)#login local #VTY使用本地验证R2(config-line)#autocommand access-enable host timeout 5 #在动态ACL中创建一个临时性的访问控制条目,定义空闲超时值动态ACL应放在Deny条目的前面,且需放在离源最近的接口
七、自反ACL。
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.12.2R3(config)#ip route 0.0.0.0 0.0.0.0 202.210.23.2R2(config)#ip access-list extended ACLOUTR2(config-ext-nacl)#permit tcp any any reflect liang #定义自反ACLR2(config-ext-nacl)#permit udp any any reflect liangR2(config-ext-nacl)#exitR2(config)#ip access-list extended ACLINR2(config-ext-nacl)#evaluate liang #评估反射R2(config-ext-nacl)#exitR2(config)#int s0/1R2(config-if)#ip access-group ACLOUT outR2(config-if)#ip access-group ACLIN inR2#show access-listsExtended IP access list ACLIN10 evaluate liangExtended IP access list ACLOUT10 permit tcp any any reflect liang (88 matches)20 permit udp any any reflect liangReflexive IP access list liangpermit tcp host 3.3.3.3 eq telnet host 192.168.12.1 eq 15020 (153 matches) (time left 294)R1和R3均开启Telnet,实验结果应是R1能telnet到R3,而R3却到不了R1。