PingingLab 5.1 Numbered Standard ACL



5.1 Numbered Standard ACL

Purpose:

1. Master the basic configuration of numbered standard ACLs.

2. Understand the basic characteristics of numbered standard ACLs.

Tutorial topology:

[Figure: lab topology, 5.1.png (http://www.bkjia.com/uploads/allimg/131227/0615563b6-0.png)]



Tutorial steps:

1. Configure the IP address of each router according to the topology figure, and deploy static routes so that the whole network is reachable. The configuration is as follows:

On R1

R1(config)# ip route 23.1.1.0 255.255.255.0 12.1.1.2

R1(config)# ip route 3.3.3.3 255.255.255.255 12.1.1.2

R1(config)# ip route 8.8.8.8 255.255.255.255 12.1.1.2

On R2

R2(config)# ip route 192.168.1.0 255.255.255.0 12.1.1.1

R2(config)# ip route 192.168.2.0 255.255.255.0 12.1.1.1

R2(config)# ip route 3.3.3.3 255.255.255.255 23.1.1.3

R2(config)# ip route 8.8.8.8 255.255.255.255 23.1.1.3

On R3

R3(config)# ip route 12.1.1.0 255.255.255.0 23.1.1.2

R3(config)# ip route 192.168.1.0 255.255.255.0 23.1.1.2

R3(config)# ip route 192.168.2.0 255.255.255.0 23.1.1.2

The connectivity test is as follows:

R1# ping 3.3.3.3 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms

R1# ping 8.8.8.8 source 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 192.168.2.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/43/56 ms

As you can see, communication between the intranet and the Internet works without problems.

2. Deploy a numbered standard ACL on R2 so that the intranet subnet 192.168.1.0/24 cannot access the Internet while the other subnets can. The configuration is as follows:

R2(config)# access-list 1 deny 192.168.1.0 0.0.0.255 [PL1]

R2(config)# access-list 1 permit any

R2(config)# int f0/0

R2(config-if)# ip access-group 1 in [PL2]

R2(config-if)# exit

Test the effect of the ACL by having the intranet router R1 access the Internet router R3:

R1# ping 3.3.3.3 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

UUUUU [PL3]

Success rate is 0 percent (0/5)

R1# ping 8.8.8.8 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

UUUUU

Success rate is 0 percent (0/5)

R1# ping 3.3.3.3 source 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 192.168.2.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/38/64 ms

R1# ping 8.8.8.8 source 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 192.168.2.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/38/48 ms

The output above shows that the intranet subnet 192.168.1.0/24 can no longer reach the Internet, while the other subnet still can.

3. Deploy a numbered standard ACL on R2 so that only the IP address 192.168.2.1 can Telnet to the local device and all other addresses are refused; this implements basic management-access security. The configuration is as follows:

On R2

R2(config)# line vty 0 15

R2(config-line)# no login [PL4]

R2(config)# access-list 2 permit host 192.168.2.1

R2(config)# line vty 0 15

R2(config-line)# access-class 2 in [PL5]

Telnet to R2 from R1 and R3:

R1# telnet 12.1.1.2

Trying 12.1.1.2...

% Connection refused by remote host [PL6]

R3# telnet 23.1.1.2

Trying 23.1.1.2...

% Connection refused by remote host

R1# telnet 12.1.1.2 /source-interface lo2

Trying 12.1.1.2... Open

R2>

As you can see, only 192.168.2.1 can reach R2 over Telnet. A numbered standard ACL can implement the most basic access restrictions and management security, but it is powerless once the requirement becomes more specific. If the requirement above, "192.168.1.0 cannot access the Internet", is changed to "192.168.1.0 cannot access 3.3.3.3 but can access 8.8.8.8", a numbered standard ACL cannot implement it, because a standard ACL matches only the source address; the destination, the protocol and specific ports cannot be matched. This lab is complete.
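The matching logic behind steps 2 and 3, and the limitation stated in the conclusion, can be made concrete in a small model. The following Python is an added example, not part of the original lab and not Cisco IOS code: it evaluates numbered standard ACLs the way the lab relies on them (source-only match with a wildcard mask, first match wins, implicit deny at the end, the 1-99 and 1300-1999 number ranges) and replays the lab's own access-list lines against the addresses used in the tests. It assumes that R1's default Telnet source towards R2 is 12.1.1.1, that R3's is 23.1.1.3 (both taken from the static routes), and that the lo2 interface used in the last Telnet carries 192.168.2.1.

```python
"""Numbered standard ACL evaluator: a constructed model, not Cisco IOS code.

Models the semantics the lab relies on:
  - a numbered standard ACL (numbers 1-99 and 1300-1999) matches only the
    source address; the destination, protocol and port are never examined,
  - entries are checked top-down and the first match decides,
  - an implicit "deny any" follows the last configured entry,
  - "host A" means "A 0.0.0.0", "any" means "0.0.0.0 255.255.255.255",
  - in a wildcard mask a 1 bit means "don't care" and a 0 bit means "must match".
"""
import ipaddress
from dataclasses import dataclass, field

STANDARD_RANGES = ((1, 99), (1300, 1999))


def is_standard_number(number: int) -> bool:
    """True if the number falls in a numbered standard ACL range."""
    return any(low <= number <= high for low, high in STANDARD_RANGES)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS-style comparison: bits set in the wildcard mask are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str      # "permit" or "deny"
    base: str        # source address written in the entry
    wildcard: str    # wildcard mask (not a subnet mask)


@dataclass
class StandardAcl:
    number: int
    entries: list = field(default_factory=list)

    def evaluate(self, src: str, dst: str = "0.0.0.0") -> str:
        """Return "permit" or "deny" for a packet. dst is accepted only to make
        the limitation visible: a standard ACL never looks at it."""
        for entry in self.entries:
            if wildcard_match(src, entry.base, entry.wildcard):
                return entry.action
        return "deny"  # implicit deny at the end of every ACL


def parse_entry(line: str) -> tuple:
    """Parse one "access-list N permit|deny <source>" line into (N, Entry)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a standard access-list line: {line!r}")
    number = int(tokens[1])
    if not is_standard_number(number):
        raise ValueError(f"ACL {number} is outside the standard ranges 1-99 and 1300-1999")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    source = tokens[3:]
    if source == ["any"]:
        base, wildcard = "0.0.0.0", "255.255.255.255"
    elif source[0] == "host":
        base, wildcard = source[1], "0.0.0.0"
    elif len(source) == 1:            # bare address: IOS assumes wildcard 0.0.0.0
        base, wildcard = source[0], "0.0.0.0"
    else:
        base, wildcard = source[0], source[1]
    return number, Entry(action, base, wildcard)


def build_acls(config_lines) -> dict:
    """Group parsed entries by ACL number, preserving configuration order."""
    acls = {}
    for line in config_lines:
        number, entry = parse_entry(line)
        acls.setdefault(number, StandardAcl(number)).entries.append(entry)
    return acls


# The three access-list lines typed on R2 in steps 2 and 3 of the lab.
LAB_CONFIG = [
    "access-list 1 deny 192.168.1.0 0.0.0.255",
    "access-list 1 permit any",
    "access-list 2 permit host 192.168.2.1",
]
ACLS = build_acls(LAB_CONFIG)


def destination_is_ignored(acl: StandardAcl, src: str) -> bool:
    """Why "deny 3.3.3.3 but permit 8.8.8.8" cannot be expressed here:
    the verdict for a given source is identical whatever the destination."""
    return acl.evaluate(src, "3.3.3.3") == acl.evaluate(src, "8.8.8.8")


if __name__ == "__main__":
    # Step 2: ACL 1 inbound on R2 f0/0, the four pings sourced from R1.
    for src, dst in [("192.168.1.1", "3.3.3.3"), ("192.168.1.1", "8.8.8.8"),
                     ("192.168.2.1", "3.3.3.3"), ("192.168.2.1", "8.8.8.8")]:
        print(f"acl 1: {src} -> {dst}: {ACLS[1].evaluate(src, dst)}")
    # Step 3: ACL 2 as access-class on the vty lines (assumed source addresses).
    for src in ["12.1.1.1", "23.1.1.3", "192.168.2.1"]:
        print(f"acl 2: telnet from {src}: {ACLS[2].evaluate(src)}")
```

Run as a script it prints the deny/permit verdicts that correspond to the UUUUU and !!!!! ping results and to the refused and opened Telnet sessions. The wildcard mask is deliberately kept distinct from a subnet mask: 0.0.0.255 is the wildcard for a /24, which is why the deny line in ACL 1 covers every address in 192.168.1.0/24 and nothing else.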

[PL1] A standard ACL matches only the source address, not the destination. Numbered standard ACLs use the number ranges 1 to 99 and 1300 to 1999.

[PL2] The in and out directions of an interface are relative to the local router: take the router itself as the reference point, then determine the direction of the traffic.

[PL3] The U stands for Unreachable: the destination is unreachable or the traffic is prohibited.

[PL4] No authentication is required; this is mainly for convenience during lab testing.

[PL5] Apply the ACL under the vty lines, normally in the in direction.

[PL6] The connection is refused.


This article is from the "Chen Xinjie network" blog; please keep the source: http://chenxinjie.blog.51cto.com/7749507/1274481
