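Extended ACL Configuration
[img]http://blog.cnfan.net/attachment/Mon_0602/0_15_95262441b0b1fbe.jpg[/img] The topology diagram is shown above.
The requirements are as follows: (1) On router R3, the ping command can reach R2 but cannot reach R1.
(2) On router R1, ping can reach both R2 and R3.
(3) On router R2, the ping command can reach R1. It can also reach S0 (20.1.1.3) on R3,
but cannot reach L0 (30.1.1.3) on R3.
Use the EIGRP dynamic routing protocol; the area number is 100.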
R1#show run
Building configuration...
Current configuration : 508 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
interface Ethernet0
ip address 10.1.1.1 255.255.255.0
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
router eigrp 100 //EIGRP area number is 100
network 10.1.1.0 0.0.0.255
no auto-summary //turn off automatic summarization
!
no ip http server
ip classless
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
end
R1#ping 20.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R1#ping 30.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/37/40 ms
R2#show run
Building configuration...
Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
!
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
!
!
!
interface Ethernet0
ip address 10.1.1.2 255.255.255.0
ip access-group 101 out //bind extended access control list number 101 to interface E0, for traffic
! leaving through this interface
interface Serial0
ip address 20.1.1.2 255.255.255.0
clockrate 56000 //configure the DCE clock
!
interface Serial1
no ip address
shutdown
!
interface BRI0
no ip address
shutdown
!
router eigrp 100
network 10.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
no auto-summary
!
ip classless
no ip http server
!
access-list 101 deny icmp host 20.1.1.3 host 10.1.1.1 echo //access list number 101, an extended list
//deny the ICMP protocol, source address 20.1.1.3, destination address 10.1.1.1
access-list 101 permit ip any any //permit all other traffic to pass
!
line con 0
no exec
transport input none
line aux 0
line vty 0 4
!
end
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
R2#ping 20.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/35/36 ms
R2#ping 30.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.3, timeout is 2 seconds:
U.U.U //ping: the interface on router R3 is unreachable
Success rate is 0 percent (0/5)
R3#show run
Building configuration...
Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R3
!
!
!
!
!
!
ip subnet-zero
!
!
!
!
interface Loopback0
ip address 30.1.1.3 255.255.255.0
!
interface Ethernet0
no ip address
shutdown
!
interface Serial0
ip address 20.1.1.3 255.255.255.0
ip access-group 102 in
!
interface Serial1
no ip address
shutdown
!
router eigrp 100
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
no auto-summary
!
ip classless
no ip http server
!
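access-list 102 deny icmp 20.1.1.0 0.0.0.255 host 30.1.1.3 echo //access list number 102, an extended
// list; deny the ICMP protocol, source address any address within the 20.1.1.0
// network segment, destination address 30.1.1.3
access-list 102 permit ip any any //permit all other traffic to pass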
!
line con 0
transport input none
line aux 0
line vty 0 4
!
end
R3#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U //ping: router R1 is unreachable
Success rate is 0 percent (0/5)
R3#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/36/36 ms
R3#ping 20.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/35/36 ms
R3#ping 20.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/70/80 ms
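Note: This article is an original work of 中国网络 cnfan.net, written by 独孤文昌. Copyright belongs to 中国网络 cnfan.net; if you repost it, please credit the source.
Thanks for the hard work.
hehehehehe hehe
Reply first, read later. Reading a post is fate, replying is friendship!!!
Since passing the CCNA I haven't configured a router. I miss it.
Can't see the image. Frustrating.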
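Added example (not part of the original thread or of any Cisco tooling): a small Python model of how IOS evaluates extended ACLs 101 and 102 from the configurations above. Entries are checked top-down, the first match wins, wildcard bits set to 1 are ignored, and a packet matching no entry falls to the implicit deny. The function names are illustrative assumptions, and the parser covers only the entry syntax that appears on this page.

```python
import ipaddress

# ACL entries copied from the R2 (101) and R3 (102) configurations on this page.
ACL_101 = ["access-list 101 deny icmp host 20.1.1.3 host 10.1.1.1 echo",
           "access-list 101 permit ip any any"]
ACL_102 = ["access-list 102 deny icmp 20.1.1.0 0.0.0.255 host 30.1.1.3 echo",
           "access-list 102 permit ip any any"]

def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def _addr(tokens):
    """Consume one address spec: any | host A | A WILDCARD -> (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(first), _to_int(tokens.pop(0))

def parse(line):
    """Parse only the entry syntax used on this page (no ports, no 'log')."""
    t = line.split()[2:]                      # drop "access-list <number>"
    action, proto = t.pop(0), t.pop(0)
    src, dst = _addr(t), _addr(t)
    icmp_type = t.pop(0) if t else None       # None = any ICMP type
    return action, proto, src, dst, icmp_type

def _match(spec, ip):
    base, wildcard = spec
    # Wildcard bits set to 1 are ignored; all other bits must be equal.
    return (_to_int(ip) ^ base) & ~wildcard & 0xFFFFFFFF == 0

def evaluate(acl, proto, src, dst, icmp_type=None):
    """Return the action of the first matching entry, else the implicit deny."""
    for line in acl:
        action, a_proto, a_src, a_dst, a_type = parse(line)
        if a_proto not in ("ip", proto):
            continue
        if a_type is not None and a_type != icmp_type:
            continue
        if _match(a_src, src) and _match(a_dst, dst):
            return action
    return "deny"

if __name__ == "__main__":
    print("R3 -> R1 echo at R2 E0 out:", evaluate(ACL_101, "icmp", "20.1.1.3", "10.1.1.1", "echo"))
    print("R2 -> R3 L0 echo at R3 S0 in:", evaluate(ACL_102, "icmp", "20.1.1.2", "30.1.1.3", "echo"))
    print("R1 -> R3 L0 echo at R3 S0 in:", evaluate(ACL_102, "icmp", "10.1.1.1", "30.1.1.3", "echo"))
```

Passing only the first entry of either list (for example ACL_102[:1]) shows why both lists end with permit ip any any: every packet the deny entry does not match then hits the implicit deny.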