One: standard access control list experiment:
Experimental topology:
Experimental purpose: master the configuration of standard and extended ACLs
Experimental requirements: reject all traffic from R1 to R3
Experimental steps:
Step 1: complete the basic configuration according to the topology above and verify connectivity between neighboring devices
Step 2: configure static routes so that the entire network is reachable
R1(config)#ip route 10.1.1.64 255.255.255.252 10.1.1.2
R3(config)#ip route 10.1.1.0 255.255.255.252 10.1.1.65
Step 3: configure a standard ACL on R3 so that R1 cannot reach R3
R3(config)#access-list 1 deny 10.1.1.1 0.0.0.0
or, equivalently:
R3(config)#access-list 1 deny host 10.1.1.1
Because every access control list ends with an implicit deny-all entry, a final permit entry must be added:
R3(config)#access-list 1 permit any
A standard ACL is placed as close to the destination as possible, so it is applied to interface S1 on R3:
R3(config)#int s1
R3(config-if)#ip access-group 1 in
Two: extended access control list experiment:
Experimental topology:
Experimental purpose: master the configuration of extended access control lists
Learn how to use extended access control lists for network security
Experimental requirements: deny any ICMP traffic from the 192.168.1.0 network
Only PC1 can access the FTP server
Experimental steps:
Step 1: complete the basic configuration according to the topology above and enable RIPv2 on all three routers so that the entire network is reachable
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#no auto-summary
R1(config-router)#network 10.0.0.0
R1(config-router)#network 172.16.0.0
R2(config)#router rip
R2(config-router)#version 2
R2(config-router)#no auto-summary
R2(config-router)#network 10.0.0.0
R3(config)#router rip
R3(config-router)#version 2
R3(config-router)#no auto-summary
R3(config-router)#network 10.0.0.0
R3(config-router)#network 192.168.1.0
Step 3: configure an extended ACL on R3 that denies ICMP traffic from the 192.168.1.0 network
R3(config)#access-list 102 deny icmp 192.168.1.0 0.0.0.255 any
R3(config)#access-list 102 permit ip any any
R3(config)#int e0
R3(config-if)#ip access-group 102 in
Step 4: configure an extended ACL on R1 so that only PC1 can access the FTP server
Note that FTP uses two port numbers (the list number is omitted in the original; 101 is assumed here, and any extended ACL number from 100 to 199 works):
R1(config)#access-list 101 permit tcp 192.168.1.1 0.0.0.0 172.16.1.2 0.0.0.0 eq 21
R1(config)#access-list 101 permit tcp 192.168.1.1 0.0.0.0 172.16.1.2 0.0.0.0 eq 20
R1(config)#int s0
R1(config-if)#ip access-group 101 in
Three: named access control list experiment:
With the same requirements and topology as experiment two, the access control lists are converted to named ACLs:
R3(config)#ip access-list extended deny_icmp
R3(config-ext-nacl)#deny icmp 192.168.1.0 0.0.0.255 any
R3(config-ext-nacl)#permit ip any any
R3(config)#int e0
R3(config-if)#ip access-group deny_icmp in
R1(config)#ip access-list extended deny_ftp
R1(config-ext-nacl)#permit tcp 192.168.1.1 0.0.0.0 172.16.1.2 0.0.0.0 eq 20
R1(config-ext-nacl)#permit tcp 192.168.1.1 0.0.0.0 172.16.1.2 0.0.0.0 eq 21
R1(config)#int s0
R1(config-if)#ip access-group deny_ftp in
The biggest advantage of named ACLs is that individual entries can be modified in place, which a numbered ACL does not allow.
Four: use ACLs to restrict vty lines:
Experimental topology:
Experimental requirements: restrict access to the router's vty lines with an ACL
Only PC1 can telnet to the router
Experimental steps:
Router(config)#access-list 1 permit host 172.16.1.3
Because an ACL ends with an implicit deny, PC2 does not need to be denied explicitly
Router(config)#line vty 0 15
Router(config-line)#password STSD
Router(config-line)#login
Router(config-line)#access-class 1 in
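To check what the lists from experiments one, two and four actually do before applying them, the following added example (not part of the original lab) simulates IOS ACL evaluation in Python: wildcard-mask matching, first match wins, and the implicit deny at the end of every list. The entry format, the packet dictionaries and the sample addresses are this example's own constructions; the ACL contents are the ones configured above.

```python
import ipaddress

# The two address forms used in the lab: "any" and "host X".
ANY = ("0.0.0.0", "255.255.255.255")
def host(ip):
    return (ip, "0.0.0.0")

def wildcard_match(addr, spec):
    """IOS wildcard semantics: 0 bits in the mask must match, 1 bits are don't-care."""
    base, wildcard = spec
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & keep) == (b & keep)

def evaluate(acl, pkt):
    """First matching entry decides; a packet that matches nothing hits the implicit deny."""
    for action, proto, src, dst, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], src) or not wildcard_match(pkt["dst"], dst):
            continue
        if dport is not None and dport != pkt.get("dport"):
            continue
        return action
    return "deny"   # implicit deny-all at the end of every ACL

# Entries are (action, protocol, source spec, destination spec, destination port).
# access-list 1: deny host 10.1.1.1 / permit any (standard ACL: destination is not examined)
ACL_1 = [("deny", "ip", host("10.1.1.1"), ANY, None),
         ("permit", "ip", ANY, ANY, None)]
# access-list 102: deny icmp 192.168.1.0 0.0.0.255 any / permit ip any any
ACL_102 = [("deny", "icmp", ("192.168.1.0", "0.0.0.255"), ANY, None),
           ("permit", "ip", ANY, ANY, None)]
# The FTP list: permit tcp from PC1 to the server on ports 21 and 20, and nothing else
ACL_FTP = [("permit", "tcp", host("192.168.1.1"), host("172.16.1.2"), 21),
           ("permit", "tcp", host("192.168.1.1"), host("172.16.1.2"), 20)]

def pkt(src, dst, proto, dport=None):
    """Constructed sample packet as seen by the inbound ACL."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

if __name__ == "__main__":
    print(evaluate(ACL_1, pkt("10.1.1.1", "10.1.1.65", "icmp")))          # deny
    print(evaluate(ACL_102, pkt("192.168.1.5", "172.16.1.2", "tcp", 80)))  # permit
    print(evaluate(ACL_FTP, pkt("192.168.1.1", "172.16.1.2", "tcp", 80)))  # deny
```

The last case shows the side effect of a permit-only list: because of the implicit deny, the FTP list on R1's S0 blocks every other inbound flow on that interface, not just FTP from other hosts.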
Standard and extended ACL experiments