Basic ACL Experiment

Source: Internet
Author: User


Step 1: Basic configuration

R1:
r1(config)# int fa0/0
r1(config-if)# ip add 192.168.10.1 255.255.255.0
r1(config-if)# no sh
r1(config-if)# int fa1/0
r1(config-if)# ip add 12.12.12.1 255.255.255.0
r1(config-if)# no sh
r1(config-if)# int fa2/0
r1(config-if)# ip add 13.13.13.1 255.255.255.0
r1(config-if)# no sh
r1(config-if)# exit
r1(config)# router ospf 100
r1(config-router)# router-id 1.1.1.1
r1(config-router)# net 0.0.0.0 255.255.255.255 a 0
r1(config-router)# exit

R2:
r2(config)# int fa1/0
r2(config-if)# ip add 12.12.12.2 255.255.255.0
r2(config-if)# no sh
r2(config-if)# int fa0/0
r2(config-if)# ip add 192.168.20.1 255.255.255.0
r2(config-if)# no sh
r2(config-if)# exit
r2(config)# router ospf 100
r2(config-router)# router-id 2.2.2.2
r2(config-router)# net 0.0.0.0 255.255.255.255 a 0
r2(config-router)# exit

R3:
r3(config)# int fa1/0
r3(config-if)# ip add 13.13.13.3 255.255.255.0
r3(config-if)# no sh
r3(config-if)# exit
r3(config)# int fa0/0
r3(config-if)# ip add 192.168.30.1 255.255.255.0
r3(config-if)# no sh
r3(config-if)# exit
r3(config)# router ospf 100
r3(config-router)# router-id 3.3.3.3
r3(config-router)# net 0.0.0.0 255.255.255.255 area 0
r3(config-router)# exit

(Topology diagram showing PC1 and PC2 is not reproduced here.)

Step 2: Experiments

1. PC1 must not be able to open a Remote Desktop session (TCP 3389) to PC2; ping and telnet remain allowed.

r2(config)# ip access-list extended 100
r2(config-ext-nacl)# deny tcp host 192.168.10.10 host 192.168.20.10 eq 3389
r2(config-ext-nacl)# permit ip any any
r2(config)# int fa1/0
r2(config-if)# ip access-group 100 in
r2(config-if)# exit
r2(config)# exit
r2# show ip access-lists
Extended IP access list 100
    10 deny tcp host 192.168.10.10 host 192.168.20.10 eq 3389 (6 matches)
    20 permit ip any any (8 matches)

2. Requirement: only some of the IP addresses on PC1's network segment may ping PC2 (the wildcard 0.0.0.254 fixes only the lowest address bit, so the deny entry matches every odd host address in 192.168.10.0/24).

r2(config)# ip access-list extended 101
r2(config-ext-nacl)# deny ip 192.168.10.1 0.0.0.254 host 192.168.20.10
r2(config-ext-nacl)# permit ip any any
r2(config)# int fa1/0
r2(config-if)# ip access-group 101 in
r2(config-if)# no sh
r2(config-if)# exit
r2# show ip access-lists
Extended IP access list 101
    10 deny ip 192.168.10.1 0.0.0.254 host 192.168.20.10 (12 matches)
    20 permit ip any any (54 matches)

3. A common ACL mistake:

r2(config)# ip access-list extended 100
r2(config-ext-nacl)# deny ip 192.168.10.10 255.255.255.255 192.168.255.10 255.255.255.255   // a subnet mask used where a wildcard mask belongs: every bit becomes "don't care", so the entry turns into deny ip any any
r2(config-ext-nacl)# exit
r2# show ip access-lists
Extended IP access list 100
    10 deny ip any any

4. Standard ACL: deny PC1 (192.168.10.10) to 192.168.20.10. A standard ACL matches on the source address only.

r1(config)# access-list 1 deny host 192.168.10.10
r1(config)# access-list 1 permit any
r1(config)# int fa0/0
r1(config-if)# ip access-group 1 in
r1(config-if)# exit
r1# show ip access-lists
Standard IP access list 1
    10 deny 192.168.10.10 (12 matches)
    20 permit any (64 matches)

5. Extended ACL: the network segment 192.168.10.0/24 must not reach 192.168.20.10 over Remote Desktop; ping and telnet remain allowed.

r1(config)# access-list 101 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 3389
r1(config)# access-list 101 permit ip any any
r1(config)# int fa0/0
r1(config-if)# ip access-group 101 in
r1(config-if)# exit
r1# show ip access-lists
Extended IP access list 101
    10 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 3389 (9 matches)
    20 permit ip any any (39 matches)

6. Benefit of named ACLs: individual entries can be edited (here a new entry is inserted at sequence number 15 between the existing lines 10 and 20).

r1(config)# ip access-list extended a
r1(config-ext-nacl)# deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 3389
r1(config-ext-nacl)# permit ip any any
r1(config-ext-nacl)# int fa0/0
r1(config-if)# ip access-group a in
r1(config)# ip access-list extended a
r1(config-ext-nacl)# 15 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq telnet
r1(config-ext-nacl)# do show ip access
Extended IP access list a
    10 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq 3389 (63 matches)
    15 deny tcp 192.168.10.0 0.0.0.255 host 192.168.20.10 eq telnet (6 matches)
    20 permit ip any any (125 matches)

7. ICMP ACL requirement: 192.168.10.10 cannot ping 192.168.10.10, while 192.168.10.10 can ping 192.168.10.10.

8. An outbound ACL on R2 does not filter packets that R2 itself originates, so to stop R2 from telnetting to R1 the returning telnet traffic is filtered inbound on R2 instead. Before the ACL is applied, R2 can telnet to R1:

r2# telnet 12.12.12.1
Trying 12.12.12.1 ... Open
User Access Verification
Password:
r1> exit
[Connection to 12.12.12.1 closed by foreign host]

r2(config)# access-list 100 deny tcp host 12.12.12.1 eq 23 host 12.12.12.2
r2(config)# access-list 100 permit ip any any
r2(config)# int fa1/0
r2(config-if)# ip access-group 100 in
r2(config-if)# no sh
r2(config-if)# exit
r2(config)# exit
r2# show ip access-lists 100
Extended IP access list 100
    10 deny tcp host 12.12.12.1 eq telnet host 12.12.12.2
    20 permit ip any any (2 matches)
r2# telnet 12.12.12.1
Trying 12.12.12.1 ...
% Connection timed out; remote host not responding
r2# show ip access-lists
Extended IP access list 100
    10 deny tcp host 12.12.12.1 eq telnet host 12.12.12.2 (12 matches)
    20 permit ip any any (7 matches)

9. Applying an ACL to the VTY lines:

r1(config)# access-list 10 permit 192.168.20.10   // only 192.168.20.10 may telnet to this device
r1(config)# line vty 0 4
r1(config-line)# access-class 10 in
r1(config-line)# exit
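The behaviour behind steps 2, 3, 6 and 8 (wildcard-mask matching, top-down first-match evaluation, inserting an entry by sequence number, and filtering return traffic inbound) can be checked offline with a small simulator. The following Python is an added example written for this page, not code from the original lab or from Cisco IOS; the ACL entries reproduce the ones above, while the packets, ephemeral ports and the 10.0.0.x addresses are constructed sample values:

```python
# Added example, not part of the original lab: a small simulator of Cisco IOS
# extended-ACL semantics (wildcard masks, top-down first match, sequence-number
# insertion, implicit deny). Packets and ports are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword 'any'

def host(ip: str) -> Tuple[str, str]:
    """IOS 'host <ip>' is shorthand for wildcard 0.0.0.0 (every bit must match)."""
    return (ip, "0.0.0.0")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in a wildcard mask means 'do not care': the inverse of a subnet
    mask, which is why 255.255.255.255 as a wildcard matches any address."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

@dataclass
class Ace:
    seq: int
    action: str                     # 'permit' or 'deny'
    proto: str                      # 'ip' matches every protocol
    src: Tuple[str, str]            # (address, wildcard)
    dst: Tuple[str, str]
    dst_port: Optional[int] = None  # 'eq <port>' after the destination
    src_port: Optional[int] = None  # 'eq <port>' after the source
    matches: int = 0                # counter shown by 'show ip access-lists'

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

class ExtendedAcl:
    """Entries are tried in sequence order; the first match decides."""
    def __init__(self) -> None:
        self.entries: List[Ace] = []

    def add(self, action, proto, src, dst, dst_port=None, src_port=None, seq=None) -> None:
        # IOS appends in steps of 10 unless a sequence number is given; an explicit
        # number slots the entry between existing lines (named ACL editing, step 6).
        if seq is None:
            seq = self.entries[-1].seq + 10 if self.entries else 10
        self.entries.append(Ace(seq, action, proto, src, dst, dst_port, src_port))
        self.entries.sort(key=lambda e: e.seq)

    def evaluate(self, pkt: Packet) -> str:
        for ace in self.entries:
            if ace.proto != "ip" and ace.proto != pkt.proto:
                continue
            if not (wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
                continue
            if ((ace.dst_port is not None and pkt.dport != ace.dst_port)
                    or (ace.src_port is not None and pkt.sport != ace.src_port)):
                continue
            ace.matches += 1
            return ace.action
        return "deny"  # implicit 'deny ip any any' at the end of every IOS ACL

def odd_hosts_denied() -> Tuple[str, str]:
    """Step 2: wildcard 0.0.0.254 fixes only the lowest bit, so the deny hits
    every odd host of 192.168.10.0/24 and no even host."""
    acl = ExtendedAcl()
    acl.add("deny", "ip", ("192.168.10.1", "0.0.0.254"), host("192.168.20.10"))
    acl.add("permit", "ip", ANY, ANY)
    even = acl.evaluate(Packet("icmp", "192.168.10.10", "192.168.20.10"))
    odd = acl.evaluate(Packet("icmp", "192.168.10.11", "192.168.20.10"))
    return even, odd  # ('permit', 'deny')

def subnet_mask_mistake() -> str:
    """Step 3: subnet masks in the wildcard position make the entry 'deny ip any any'."""
    acl = ExtendedAcl()
    acl.add("deny", "ip", ("192.168.10.10", "255.255.255.255"), ("192.168.20.10", "255.255.255.255"))
    acl.add("permit", "ip", ANY, ANY)
    return acl.evaluate(Packet("tcp", "10.0.0.1", "10.0.0.2", sport=50000, dport=80))  # 'deny'

def sequence_insert() -> List[int]:
    """Step 6: a named ACL accepts '15 deny ...' between lines 10 and 20."""
    acl = ExtendedAcl()
    net = ("192.168.10.0", "0.0.0.255")
    acl.add("deny", "tcp", net, host("192.168.20.10"), dst_port=3389)
    acl.add("permit", "ip", ANY, ANY)
    acl.add("deny", "tcp", net, host("192.168.20.10"), dst_port=23, seq=15)
    return [e.seq for e in acl.entries]  # [10, 15, 20]

def return_traffic_blocked() -> Tuple[str, str]:
    """Step 8: applied inbound on R2's fa1/0 the ACL never sees the SYN that R2
    sends; it drops R1's replies from port 23, so R2's telnet times out."""
    acl = ExtendedAcl()
    acl.add("deny", "tcp", host("12.12.12.1"), host("12.12.12.2"), src_port=23)
    acl.add("permit", "ip", ANY, ANY)
    reply = acl.evaluate(Packet("tcp", "12.12.12.1", "12.12.12.2", sport=23, dport=41000))
    other = acl.evaluate(Packet("tcp", "12.12.12.1", "12.12.12.2", sport=80, dport=41001))
    return reply, other  # ('deny', 'permit')
```

The simulator deliberately keeps the IOS rules that cause most ACL surprises: evaluation stops at the first matching entry, an ACL with no matching entry denies, and the wildcard is the bitwise inverse of a subnet mask, so pasting a subnet mask into an entry silently widens it to every address. Running the four step functions reproduces the results observed on the routers above.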
 
