Acl Network Protocol Configuration

Source: Internet
Author: User


Experiment topology for the ACL network protocol configuration

IP address allocation:

    pc2           192.168.0.3
    sw1           192.168.0.2
    r1   f0/0     192.168.0.1
         s1/0     219.146.0.1
    r2   s1/0     219.146.0.2
         s1/1     219.146.1.1
    r3   s1/0     219.146.1.2
         f0/0     192.168.1.1
    sw3           192.168.1.2
    pc5           192.168.1.3

Objectives:

(1) pc2 cannot ping pc5 from Monday to Friday every week (the deny entry configured below matches ICMP from pc2 to 219.146.1.2, the s1/0 address of r3).
(2) Reject all traffic from pc2.
(3) Within a daily time range, r1 allows only the pc5 host to telnet to it.
(4) r1 allows only the single host pc5 to telnet to it.
(5) pc5 may communicate with the outside world only through the ping command.

Basic configuration

r1:

    Router> enable
    Router# configure terminal
    Router(config)# enable secret abc
    Router(config)# line console 0
    Router(config-line)# password abc
    Router(config-line)# login
    Router(config-line)# logging synchronous
    Router(config-line)# exec-timeout 0 0
    Router(config-line)# exit
    Router(config)# no ip domain lookup
    Router(config)# no cdp run
    Router(config)# hostname r1
    r1(config)# interface f0/0
    r1(config-if)# ip address 192.168.0.1 255.255.255.0
    r1(config-if)# no shutdown
    r1(config-if)# interface s1/0
    r1(config-if)# ip address 219.146.0.1 255.255.255.0
    r1(config-if)# no shutdown
    r1(config-if)# exit
    r1(config)# router ospf 10
    r1(config-router)# network 219.146.0.0 0.0.0.255 area 0
    r1(config-router)# network 192.168.0.0 0.0.0.255 area 0
    r1(config-router)# exit

r2:

    Router> enable
    Router# configure terminal
    Router(config)# enable secret abc
    Router(config)# line console 0
    Router(config-line)# password abc
    Router(config-line)# login
    Router(config-line)# logging synchronous
    Router(config-line)# exec-timeout 0 0
    Router(config-line)# exit
    Router(config)# no ip domain lookup
    Router(config)# no cdp run
    Router(config)# hostname r2
    r2(config)# interface s1/0
    r2(config-if)# ip address 219.146.0.2 255.255.255.0
    r2(config-if)# no shutdown
    r2(config-if)# interface s1/1
    r2(config-if)# ip address 219.146.1.1 255.255.255.0
    r2(config-if)# no shutdown
    r2(config-if)# exit
    r2(config)# router ospf 10
    r2(config-router)# network 219.146.0.0 0.0.0.255 area 0
    r2(config-router)# network 219.146.1.0 0.0.0.255 area 0
    r2(config-router)# exit

r3:

    Router> enable
    Router# configure terminal
    Router(config)# enable secret abc
    Router(config)# line console 0
    Router(config-line)# password abc
    Router(config-line)# login
    Router(config-line)# logging synchronous
    Router(config-line)# exec-timeout 0 0
    Router(config-line)# exit
    Router(config)# no ip domain lookup
    Router(config)# no cdp run
    Router(config)# hostname r3
    r3(config)# interface s1/0
    r3(config-if)# ip address 219.146.1.2 255.255.255.0
    r3(config-if)# no shutdown
    r3(config-if)# interface f0/0
    r3(config-if)# ip address 192.168.1.1 255.255.255.0
    r3(config-if)# no shutdown
    r3(config-if)# exit
    r3(config)# router ospf 10
    r3(config-router)# network 219.146.1.0 0.0.0.255 area 0
    r3(config-router)# network 192.168.1.0 0.0.0.255 area 0
    r3(config-router)# exit

Configure the IP addresses of the PCs and switches according to the allocation table.

(1) pc2 cannot ping pc5 from Monday to Friday every week; nothing else is affected.

First verify that communication currently works:

    pc2# ping 219.146.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 219.146.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 80/127/212 ms

Next, configure the access control list:

    r1(config)# time-range nop                          ! create a time-based range
    r1(config-time-range)# periodic weekdays to 17:00   ! Monday to Friday, ending 17:00 (the start time is not recorded here)
    r1(config-time-range)# exit
    r1(config)# ip access-list extended f0              ! create the named list
    r1(config-ext-nacl)# deny icmp host 192.168.0.3 host 219.146.1.2 time-range nop   ! deny ICMP from 192.168.0.3 to 219.146.1.2 during the range
    r1(config-ext-nacl)# permit ip any any              ! allow all other traffic
    r1(config-ext-nacl)# exit
    r1(config)# interface f0/0
    r1(config-if)# ip access-group f0 in                ! apply the list in the inbound direction of the interface
    r1(config-if)# end
    r1# clock set 11:00:00 nov 26 2009                  ! set the clock so the time range can be evaluated

Enable the telnet service on r3:

    r3(config)# line vty 0 903
    r3(config-line)# password abc
    r3(config-line)# login
    r3(config-line)# exit

Test:

    pc2# ping 219.146.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 219.146.1.2, timeout is 2 seconds:
    U.U.U
    Success rate is 0 percent (0/5)

Ping is no longer allowed, so the list is in effect. Ping other hosts:

    pc2# ping 192.168.1.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 88/148/312 ms

Only the ping is blocked. Now test telnet:

    pc2# telnet 219.146.1.2
    Trying 219.146.1.2 ... Open
    User Access Verification
    Password:
    r3> exit
    [Connection to 219.146.1.2 closed by foreign host]

Telnet is available, so the list behaves as intended. Test from r3:

    r3(config)# do ping 192.168.0.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

r3 can no longer ping pc2, which is not the result we want.

Cause analysis: the echo replies pc2 sends back to r3 are ICMP from 192.168.0.3 to 219.146.1.2, which is exactly what the deny entry applied inbound on f0/0 of r1 matches, so r3's ping fails.

Solution: use a reflexive ACL. On s1/0, tag the ICMP sessions that r3 initiates with the reflexive list abc. When pc2's reply arrives on f0/0, r1 first checks whether a matching abc entry exists; if it does, the reply is permitted, otherwise the static entries apply. A session that pc2 initiates itself never creates an abc entry, so it is still denied.

    r1(config)# ip access-list extended s1              ! create the named list
    r1(config-ext-nacl)# permit icmp host 219.146.1.2 host 192.168.0.3 reflect abc   ! record r3's ICMP sessions in reflexive list abc
    r1(config-ext-nacl)# permit ip any any
    r1(config-ext-nacl)# exit
    r1(config)# no ip access-list extended f0           ! remove the list created earlier
    r1(config)# ip access-list extended f0              ! recreate the named list
    r1(config-ext-nacl)# evaluate abc                   ! first check the reflexive entries in abc
    r1(config-ext-nacl)# deny icmp host 192.168.0.3 host 219.146.1.2 time-range nop   ! deny pc2's own ICMP traffic
    r1(config-ext-nacl)# permit ip any any              ! allow all other traffic
    r1(config-ext-nacl)# exit
    r1(config)# interface s1/0
    r1(config-if)# ip access-group s1 in                ! apply on s1/0 inbound; reflexive entries are created as traffic arrives
    r1(config-if)# exit

Because f0/0 of r1 already has the list f0 applied, it does not need to be applied again.

    pc2# ping 219.146.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 219.146.1.2, timeout is 2 seconds:
    U.U.U
    Success rate is 0 percent (0/5)

pc2 still cannot ping, which is expected.

    pc2# ping 192.168.1.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 88/148/312 ms

pc2 can ping other hosts, which is also expected.

    pc2# telnet 219.146.1.2
    Trying 219.146.1.2 ... Open
    User Access Verification
    Password:
    r3> exit
    [Connection to 219.146.1.2 closed by foreign host]

Telnet to r3 works.

    r3(config)# do ping 192.168.0.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 92/142/256 ms

Now r3 can ping pc2.

(2) Reject all traffic from pc2.

    r1(config)# no ip access-list extended s1           ! remove the lists created above
    r1(config)# no ip access-list extended f0
    r1(config)# interface s1/0
    r1(config-if)# no ip access-group s1 in             ! remove the lists applied on the interfaces
    r1(config-if)# interface f0/0
    r1(config-if)# no ip access-group f0 in
    r1(config-if)# exit
    r1(config)# access-list 10 deny 192.168.0.3 0.0.0.0 ! create a standard list
    r1(config)# interface f0/0
    r1(config-if)# ip access-group 10 in                ! apply the list in the inbound direction
    r1(config-if)# exit

Test:

    pc2# ping 219.146.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 219.146.1.2, timeout is 2 seconds:
    U.U.U
    Success rate is 0 percent (0/5)

    pc2# telnet 219.146.1.2
    Trying 219.146.1.2 ...
    % Destination unreachable; gateway or host down

    pc2# ping 192.168.1.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
    U.U.U
    Success rate is 0 percent (0/5)

    pc5(config)# do ping 192.168.0.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

Enable telnet on pc2 and try to reach it from pc5:

    pc2# configure terminal
    pc2(config)# line vty 0 181
    pc2(config-line)# password abc
    pc2(config-line)# login
    pc2(config-line)# exit

    pc5(config)# do telnet 192.168.0.3
    Trying 192.168.0.3 ...
    % Connection timed out; remote host not responding

All services are rejected.

(3) Within a daily time range, r1 allows only the pc5 host to telnet to it.

    r1(config)# no access-list 10                       ! remove the list
    r1(config)# interface f0/0
    r1(config-if)# no ip access-group 10 in             ! remove the list applied on the interface
    r1(config-if)# exit
    r1(config)# do show time-range                      ! view the time range created earlier
    time-range entry: nop (active)
       periodic weekdays to 17:00
    r1(config)# no time-range nop                       ! remove the time-based range
    r1(config)# time-range nop
    r1(config-time-range)# periodic daily to            ! every day (the times are not recorded here)
    r1(config-time-range)# exit
    r1(config)# ip access-list extended vty             ! create the named list
    r1(config-ext-nacl)# permit tcp 192.168.1.3 0.0.0.0 host 219.146.0.1 eq telnet time-range nop   ! allow pc5 to telnet to r1 during the range
    r1(config-ext-nacl)# deny tcp any host 219.146.0.1 eq telnet time-range nop   ! deny all other hosts telnet to r1 during the range
    r1(config-ext-nacl)# permit ip any any              ! allow all other traffic
    r1(config-ext-nacl)# exit
    r1(config)# interface s1/0
    r1(config-if)# ip access-group vty in               ! apply the list in the inbound direction
    r1(config-if)# exit

Test:

    pc5# telnet 219.146.0.1
    Trying 219.146.0.1 ... Open
    User Access Verification
    Password:
    r1> exit
    [Connection to 219.146.0.1 closed by foreign host]

    sw3# telnet 219.146.0.1
    Trying 219.146.0.1 ...
    % Destination unreachable; gateway or host down

    sw3# ping 219.146.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 219.146.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 284/387/500 ms

Everything works as expected. To also stop hosts on pc2's LAN from telnetting to r1, the list must be applied on port f0/0 of r1 as well:

    r1(config)# interface f0/0
    r1(config-if)# ip access-group vty in
    r1(config-if)# exit

    pc2# telnet 219.146.0.1
    Trying 219.146.0.1 ...
    % Destination unreachable; gateway or host down

    pc2# ping 219.146.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 219.146.0.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 92/174/280 ms

The expected goal is achieved. Now change the time:

    r1(config)# end
    r1# clock set 18:00:00 nov 26 2009

    sw3# telnet 219.146.0.1
    Trying 219.146.0.1 ... Open
    User Access Verification
    Password:
    r1> exit
    [Connection to 219.146.0.1 closed by foreign host]

    pc2# telnet 219.146.0.1
    Trying 219.146.0.1 ... Open
    User Access Verification
    Password:
    r1> exit
    [Connection to 219.146.0.1 closed by foreign host]

Once the time range has passed, the entries bound to it no longer take effect.

(4) r1 allows only the single host pc5 to telnet to it.

    r1(config)# no ip access-list extended vty          ! remove the list
    r1(config)# interface s1/0
    r1(config-if)# no ip access-group vty in            ! remove the list applied on the interfaces
    r1(config-if)# interface f0/0
    r1(config-if)# no ip access-group vty in
    r1(config-if)# exit
    r1(config)# access-list 10 permit host 192.168.1.3  ! create a standard list
    r1(config)# line vty 0 903
    r1(config-line)# password abc
    r1(config-line)# login
    r1(config-line)# access-class 10 in                 ! applied on the vty lines, not on an interface, so the command differs
    r1(config-line)# exit

Test:

    pc5# telnet 219.146.0.1
    Trying 219.146.0.1 ... Open
    User Access Verification
    Password:
    r1> exit
    [Connection to 219.146.0.1 closed by foreign host]

    sw3# telnet 219.146.0.1
    Trying 219.146.0.1 ...
    % Destination unreachable; gateway or host down

    sw3# telnet 219.146.0.1
    Trying 219.146.0.1 ...
    % Connection refused by remote host

    pc2# telnet 219.146.0.1
    Trying 219.146.0.1 ...
    % Connection refused by remote host

(5) pc5 may communicate with the outside world only through the ping command.

    r3(config)# ip access-list extended noping          ! create the named list
    r3(config-ext-nacl)# permit icmp host 192.168.1.3 any   ! allow ICMP traffic from pc5
    r3(config-ext-nacl)# deny ip host 192.168.1.3 any   ! deny all other traffic from pc5
    r3(config-ext-nacl)# permit ip any any              ! allow all other traffic
    r3(config-ext-nacl)# exit
    r3(config)# interface f0/0
    r3(config-if)# ip access-group noping in            ! apply the list in the inbound direction of the interface
    r3(config-if)# exit

Test:

    pc5# ping 192.168.0.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 404/485/512 ms

    pc5# telnet 192.168.0.3
    Trying 192.168.0.3 ...
    % Destination unreachable; gateway or host down

    pc5# ping 219.146.0.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 219.146.0.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 204/249/308 ms

    pc5# telnet 219.146.0.2
    Trying 219.146.0.2 ...
    % Destination unreachable; gateway or host down
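As an added illustration (not part of the original lab), the following Python models how IOS evaluates the lists above: first matching entry wins, an entry whose time-range is inactive is skipped, and every list ends in an implicit deny. It covers the time-range deny and the reflexive return-traffic fix from objective (1) and the implicit deny that makes standard list 10 in objective (2) drop everything. The start time of time-range nop (assumed 00:00) and the shape of the reflexive entry are assumptions noted in the comments.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # IOS keyword 'any'
CLOCK_1100 = datetime(2009, 11, 26, 11, 0)    # 'clock set 11:00:00 nov 26 2009' (a Thursday)
CLOCK_1800 = datetime(2009, 11, 26, 18, 0)    # 'clock set 18:00:00 nov 26 2009'

def host(ip):
    # IOS 'host x.x.x.x' is shorthand for wildcard 0.0.0.0 (exact match)
    return (ip, "0.0.0.0")

def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: a 1 bit means "don't care", a 0 bit must match exactly
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def time_range_nop_active(now):
    # 'periodic weekdays ... to 17:00'; the lab omits the start, assumed 00:00 here
    return now.weekday() < 5 and now.hour < 17

@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: tuple                        # (base, wildcard)
    dst: tuple
    time_range: Optional[Callable[[datetime], bool]] = None   # None = always active

def evaluate(acl, proto, src, dst, now):
    """IOS semantics: first matching ACE wins; an implicit 'deny any' ends every list."""
    for ace in acl:
        if ace.time_range is not None and not ace.time_range(now):
            continue                  # ACE bound to an inactive time-range is skipped
        if ace.proto not in ("ip", proto):
            continue
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action
    return "deny"

def reflexive_entry(proto, src, dst):
    # Assumed model of 'reflect abc' on s1/0: r3's ICMP request creates a mirrored
    # temporary permit for the reply; 'evaluate abc' on f0/0 checks it before the static ACEs
    return Ace("permit", proto, host(dst), host(src))

ACL_F0 = [Ace("deny", "icmp", host("192.168.0.3"), host("219.146.1.2"), time_range_nop_active),
          Ace("permit", "ip", ANY, ANY)]
ACL_F0_FIXED = [reflexive_entry("icmp", "219.146.1.2", "192.168.0.3")] + ACL_F0
ACL_10 = [Ace("deny", "ip", host("192.168.0.3"), ANY)]   # standard list: nothing is permitted
```

With ACL_10 even hosts other than pc2 are dropped on f0/0, which is why the standard list satisfies "reject all traffic" but would be wrong if the LAN held more than one host.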
