5.2 Extended ACL
Purpose:
1. Master the basic configuration of numbered extended ACLs.
2. Understand the basic features of numbered extended ACLs.
Tutorial topology: [figure 5.2.png]
Tutorial steps:
1. Configure the IP address of each router according to the topology in the figure, and deploy static routes so that the whole network is reachable. The configuration is as follows:
On R1
R1(config)# ip route 23.1.1.0 255.255.255.0 12.1.1.2
R1(config)# ip route 3.3.3.3 255.255.255.255 12.1.1.2
R1(config)# ip route 8.8.8.8 255.255.255.255 12.1.1.2
On R2
R2(config)# ip route 192.168.1.0 255.255.255.0 12.1.1.1
R2(config)# ip route 192.168.2.0 255.255.255.0 12.1.1.1
R2(config)# ip route 3.3.3.3 255.255.255.255 23.1.1.3
R2(config)# ip route 8.8.8.8 255.255.255.255 23.1.1.3
On R3
R3(config)# ip route 12.1.1.0 255.255.255.0 23.1.1.2
R3(config)# ip route 192.168.1.0 255.255.255.0 23.1.1.2
R3(config)# ip route 192.168.2.0 255.255.255.0 23.1.1.2
The connectivity test is as follows:
R1# ping 3.3.3.3 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms
R1# ping 8.8.8.8 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/43/56 ms
As you can see, communication between the intranet and the Internet works without problems.
2. Deploy a numbered extended ACL on R2 so that the intranet segment 192.168.1.0/24 cannot access port 23 of the Internet host 3.3.3.3, and the segment 192.168.2.0/24 cannot ping 8.8.8.8. The configuration is as follows:
On R2
R2(config)# access-list 100 deny tcp 192.168.1.0 0.0.0.255 host 3.3.3.3 eq 23
R2(config)# access-list 100 deny icmp 192.168.2.0 0.0.0.255 host 8.8.8.8
R2(config)# access-list 100 permit ip any any
R2(config)# int f0/0
R2(config-if)# ip access-group 100 in
On R3
R3(config)# line vty 0 15
R3(config-line)# no login
R3(config-line)# exit
3. Test the numbered extended ACL, as shown below:
R1# telnet 3.3.3.3 /source-interface lo1
Trying 3.3.3.3...
% Destination unreachable; gateway or host down
R1# telnet 3.3.3.3
Trying 3.3.3.3... Open
R3> exit
As you can see, R1 cannot telnet to 3.3.3.3 when the source is its loopback address 192.168.1.1, while other source addresses can.
R1# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/40/44 ms
R1# ping 8.8.8.8 source loopback 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
UUUUU
Success rate is 0 percent (0/5)
As shown above, the 192.168.2.0/24 segment cannot ping 8.8.8.8, while other source addresses can.
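To make the matching rules concrete, here is an added Python model of access-list 100 as configured on R2 above. It is not Cisco code and not part of the original lab; it applies the wildcard masks, first-match ordering and the implicit deny at the end of every numbered ACL to the same packets tested in step 3.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of a numbered extended ACL entry (ACE). Each entry carries
# an action, a protocol, source and destination "address wildcard" pairs and
# an optional destination port, exactly the fields used in this lab.
@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; else "tcp", "udp", "icmp"
    src: str               # e.g. "192.168.1.0 0.0.0.255" (address + wildcard mask)
    dst: str
    dport: Optional[int] = None

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'."""
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a | w) == (n | w)

ANY = "0.0.0.0 255.255.255.255"          # keyword "any"
def host(ip: str) -> str:                # keyword "host X" == "X 0.0.0.0"
    return f"{ip} 0.0.0.0"

# access-list 100 exactly as applied inbound on R2 f0/0 in step 2.
ACL_100 = [
    Ace("deny",   "tcp",  "192.168.1.0 0.0.0.255", host("3.3.3.3"), dport=23),
    Ace("deny",   "icmp", "192.168.2.0 0.0.0.255", host("8.8.8.8")),
    Ace("permit", "ip",   ANY, ANY),
]

def evaluate(acl, src, dst, proto, dport=None):
    """Return (action, entry number). Entries are checked top-down and the
    first match wins; if nothing matches, the implicit 'deny ip any any' at
    the end of every numbered ACL applies (entry number None)."""
    for number, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, number
    return "deny", None

if __name__ == "__main__":
    # Telnet sourced from loopback 1 (192.168.1.1) vs. from 12.1.1.1, as in step 3.
    print(evaluate(ACL_100, "192.168.1.1", "3.3.3.3", "tcp", 23))   # ('deny', 1)
    print(evaluate(ACL_100, "12.1.1.1", "3.3.3.3", "tcp", 23))      # ('permit', 3)
    print(evaluate(ACL_100, "192.168.2.1", "8.8.8.8", "icmp"))      # ('deny', 2)
```

Dropping the final permit entry (`ACL_100[:2]`) makes every other packet hit the implicit deny, which is the usual cause of "everything stopped working" after a first extended ACL.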
From the experiment above we can see that a numbered extended ACL can match on source and destination IP address, protocol, and port. Compared with a standard ACL, its traffic control is much finer-grained and suits more complex network environments. However, any numbered ACL, whether standard or extended, is hard to manage; for example, a single statement cannot be deleted from the ACL on its own. Named ACLs solve these problems, and we will introduce them in detail next. This experiment is complete.
This article is from the "Chen Xinjie network" blog; please keep this source: http://chenxinjie.blog.51cto.com/7749507/1274480