5.3 Named ACL
Purpose:
1. Master the basic configuration of a named ACL.
2. Understand the basic features of a named ACL.
3. Understand the differences between a named ACL and a numbered ACL.
Tutorial topology: see figure 5.3.png (http://www.bkjia.com/uploads/allimg/131227/061514EA-0.png)
Tutorial steps:
1. Configure the IP address of each router according to the topology in the figure, and deploy static routes so that the whole network is reachable. The configuration is as follows:
On R1
R1(config)# ip route 23.1.1.0 255.255.255.0 12.1.1.2
R1(config)# ip route 3.3.3.3 255.255.255.255 12.1.1.2
R1(config)# ip route 8.8.8.8 255.255.255.255 12.1.1.2
On R2
R2(config)# ip route 192.168.1.0 255.255.255.0 12.1.1.1
R2(config)# ip route 192.168.2.0 255.255.255.0 12.1.1.1
R2(config)# ip route 3.3.3.3 255.255.255.255 23.1.1.3
R2(config)# ip route 8.8.8.8 255.255.255.255 23.1.1.3
On R3
R3(config)# ip route 12.1.1.0 255.255.255.0 23.1.1.2
R3(config)# ip route 192.168.1.0 255.255.255.0 23.1.1.2
R3(config)# ip route 192.168.2.0 255.255.255.0 23.1.1.2
The connectivity test is as follows:
R1# ping 3.3.3.3 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms
R1# ping 8.8.8.8 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/43/56 ms
As you can see, the internal network and the Internet communicate without any problem.
2. Deploy a named standard ACL on R2 so that the internal segment 192.168.1.0/24 cannot reach the Internet while all other traffic is still allowed. The configuration is as follows:
R2(config)# ip access-list standard DENYVLAN10
R2(config-std-nacl)# deny 192.168.1.0 0.0.0.255
R2(config-std-nacl)# permit any
R2(config-std-nacl)# exit
R2(config)# int f0/0
R2(config-if)# ip access-group DENYVLAN10 in
R2(config-if)# exit
Test the effect of the ACL by having the internal router R1 access the Internet router R3, as follows:
R1# ping 3.3.3.3 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
UUUUU
Success rate is 0 percent (0/5)
R1# ping 8.8.8.8 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
UUUUU
Success rate is 0 percent (0/5)
R1# ping 3.3.3.3 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/38/64 ms
R1# ping 8.8.8.8 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/38/48 ms
As shown above, the internal segment 192.168.1.0/24 can no longer reach the Internet, while the other segments still can.
3. Deploy a named extended ACL on R2 so that the internal segment 192.168.1.0/24 cannot reach port 23 of the Internet host 3.3.3.3, and the segment 192.168.2.0/24 cannot ping 8.8.8.8. Applying it inbound on f0/0 replaces DENYVLAN10 there, since an interface carries only one inbound IP ACL. The configuration is as follows:
On R2
R2(config)# ip access-list extended DENYSERVICE
R2(config-ext-nacl)# deny tcp 192.168.1.0 0.0.0.255 host 3.3.3.3 eq 23
R2(config-ext-nacl)# deny icmp 192.168.2.0 0.0.0.255 host 8.8.8.8
R2(config-ext-nacl)# permit ip any any
R2(config-ext-nacl)# exit
R2(config)# int f0/0
R2(config-if)# ip access-group DENYSERVICE in
On R3 (the vty lines are opened without a login so that the Telnet test can connect)
R3(config)# line vty 0 15
R3(config-line)# no login
R3(config-line)# exit
Test the named extended ACL as follows:
R1# telnet 3.3.3.3 /source-interface loopback 1
Trying 3.3.3.3...
% Destination unreachable; gateway or host down
R1# telnet 3.3.3.3
Trying 3.3.3.3... Open
R3> exit
As you can see, R1 cannot telnet to 3.3.3.3 from its loopback address 192.168.1.1, but it can from its other addresses.
R1# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/40/44 ms
R1# ping 8.8.8.8 source loopback 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
UUUUU
Success rate is 0 percent (0/5)
Here the segment 192.168.2.0/24 cannot ping 8.8.8.8, but the other addresses can.
4. Manage the named ACL
① View the ACL status
R2# show ip access-lists
Extended IP access list DENYSERVICE
10 deny tcp 192.168.1.0 0.0.0.255 host 3.3.3.3 eq telnet (3 matches)
20 deny icmp 192.168.2.0 0.0.0.255 host 8.8.8.8 (15 matches)
30 permit ip any any (20 matches)
② Delete an ACL statement by its sequence number
R2(config)# ip access-list extended DENYSERVICE
R2(config-ext-nacl)# no 10
③ View the ACL status
R2# show ip access-lists
Extended IP access list DENYSERVICE
20 deny icmp 192.168.2.0 0.0.0.255 host 8.8.8.8 (15 matches)
30 permit ip any any (20 matches)
④ Insert an ACL statement at a chosen sequence number
R2(config)# ip access-list extended DENYSERVICE
R2(config-ext-nacl)# 25 deny tcp 192.168.1.0 0.0.0.255 host 3.3.3.3 eq telnet
⑤ View the ACL status
Extended IP access list DENYSERVICE
20 deny icmp 192.168.2.0 0.0.0.255 host 8.8.8.8 (15 matches)
25 deny tcp 192.168.1.0 0.0.0.255 host 3.3.3.3 eq telnet
30 permit ip any any (20 matches)
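To make the rules behind steps 2 to 4 concrete (wildcard masks, first match in sequence order, the implicit deny at the end of every list, and deleting or inserting an entry by sequence number), here is a small Python model of a named extended ACL. It is an added example, not code from the tutorial or from Cisco IOS; the names NamedAcl, Entry, host and build_denyservice are my own, and a standard ACL is simply the case with a source only and ANY as the destination.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(network)) & care

@dataclass
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; otherwise "tcp"/"udp"/"icmp"
    src: tuple                   # (network, wildcard) exactly as typed on the IOS line
    dst: tuple
    dport: Optional[int] = None  # "eq <port>" on the destination; None means any port
    hits: int = 0                # the "(N matches)" counter of show ip access-lists

ANY = ("0.0.0.0", "255.255.255.255")   # the keyword "any"
def host(ip: str) -> tuple:            # the keyword "host <ip>"
    return (ip, "0.0.0.0")

class NamedAcl:
    """Entries are tried in sequence order, first match wins; no match hits the implicit deny."""
    def __init__(self):
        self.entries = {}
    def add(self, seq, action, proto, src, dst, dport=None):   # "<seq> permit|deny ..."
        self.entries[seq] = Entry(seq, action, proto, src, dst, dport)
    def remove(self, seq):                                     # "no <seq>"
        del self.entries[seq]
    def check(self, proto, src, dst, dport=None) -> str:
        for e in sorted(self.entries.values(), key=lambda e: e.seq):
            if e.proto not in ("ip", proto):
                continue
            if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
                continue
            if e.dport is not None and e.dport != dport:
                continue
            e.hits += 1
            return e.action
        return "deny"   # the implicit "deny ip any any" at the end of every ACL

def build_denyservice() -> NamedAcl:
    """The DENYSERVICE list from step 3, built from the page's three lines."""
    acl = NamedAcl()
    acl.add(10, "deny", "tcp", ("192.168.1.0", "0.0.0.255"), host("3.3.3.3"), 23)
    acl.add(20, "deny", "icmp", ("192.168.2.0", "0.0.0.255"), host("8.8.8.8"))
    acl.add(30, "permit", "ip", ANY, ANY)
    return acl
```

Removing sequence 30 from the model shows why the final permit matters: without it, every packet that misses lines 10 and 20 falls through to the implicit deny.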
From the experiment above, we can see that named standard and extended ACLs have the same syntax as numbered ACLs, except that the number is replaced by a name; in addition, named ACLs can be edited by sequence number, which makes them easier to manage. This experiment is complete.
This article is from the "Chen xinjie network" blog; please keep this source: http://chenxinjie.blog.51cto.com/7749507/1274479