Use the standard IP address access list to control network traffic

Source: Internet
Author: User


[Experiment Name] Numbered standard IP address access list

[Objective] Master the rules of numbered standard IP address access lists on a router and how to configure them.

[Experiment Function] Implement security control over mutual access between network segments.

[Lab Equipment] Router (2), V.35 cable (1), crossover cable (3)

[Experiment Topology] (topology diagram not reproduced on this page)

[Experiment Steps]

Router1

Router> enable
Router# configure terminal
Router(config)# interface fastEthernet 0/0
Router(config-if)# no shutdown
Router(config-if)# ip address 172.16.1.2 255.255.255.0
Router(config-if)# exit
Router(config)# interface fastEthernet 1/0
Router(config-if)# no shutdown
Router(config-if)# ip address 172.16.2.2 255.255.255.0
Router(config-if)# exit
Router(config)# interface serial 2/0
Router(config-if)# no shutdown
Router(config-if)# ip address 172.16.3.1 255.255.255.0
Router(config-if)# exit
Router(config)# router ospf 1
Router(config-router)# network 172.16.1.0 0.0.0.255 area 0 (the OSPF network command takes a wildcard mask, not a subnet mask)
Router(config-router)# network 172.16.2.0 0.0.0.255 area 0
Router(config-router)# network 172.16.3.0 0.0.0.255 area 0

Router2

Router> enable
Router# configure terminal
Router(config)# interface serial 2/0
Router(config-if)# no shutdown
Router(config-if)# clock rate 64000 (this side of the serial link is the DCE)
Router(config-if)# ip address 172.16.3.2 255.255.255.0
Router(config-if)# exit
Router(config)# interface fastEthernet 0/0
Router(config-if)# no shutdown
Router(config-if)# ip address 172.16.4.1 255.255.255.0
Router(config-if)# exit
Router(config)# router ospf 1
Router(config-router)# network 172.16.3.0 0.0.0.255 area 0
Router(config-router)# network 172.16.4.0 0.0.0.255 area 0

With this configuration the whole network is interconnected:

PC> ping 172.16.2.1

Pinging 172.16.2.1 with 32 bytes of data:
Reply from 172.16.2.1: bytes=32 time=94ms TTL=127
Reply from 172.16.2.1: bytes=32 time=63ms TTL=127

Ping statistics for 172.16.2.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 63ms, Maximum = 94ms, Average = 78ms

PC> ping 172.16.4.2

Pinging 172.16.4.2 with 32 bytes of data:
Reply from 172.16.4.2: bytes=32 time=110ms TTL=126
Reply from 172.16.4.2: bytes=32 time=94ms TTL=126
Reply from 172.16.4.2: bytes=32 time=93ms TTL=126
Reply from 172.16.4.2: bytes=32 time=94ms TTL=126

Ping statistics for 172.16.4.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 93ms, Maximum = 110ms, Average = 97ms

Now comes the focus of this chapter! Before, we made the whole network reachable; now we want to control it. That is nothing strange! What we are doing now is controlling the PCs in the 172.16.1.0 segment and forbidding them from accessing the PCs in the 172.16.4.0 segment (controlling other segments works the same way). We configure this on Router2. Someone may ask: why configure it on Router2? Yes! A standard access list matches on the source address only, so it should be placed as close to the destination as possible. If I put it on Router1, the 172.16.1.0 segment could not even reach my router, and it would lose access to 172.16.2.0 as well, which is not the result we want! If we apply it outbound on Router2 F0/0, only traffic entering 172.16.4.0 is filtered and the effect is different! Think about it!

Router2

Router# configure terminal
Router(config)# access-list 1 deny 172.16.1.0 0.0.0.255 (deny the 172.16.1.0 segment; the value after the address is the wildcard mask, not a subnet mask)
Router(config)# access-list 1 permit any (allow all other traffic; without this line the implicit deny at the end of the list would block everything)
Router(config)# interface fastEthernet 0/0
Router(config-if)# ip access-group 1 out (apply access list 1 outbound on the interface)

Then you can verify from the PC:

PC> ping 172.16.2.1

Pinging 172.16.2.1 with 32 bytes of data:
Reply from 172.16.2.1: bytes=32 time=47ms TTL=127
Reply from 172.16.2.1: bytes=32 time=63ms TTL=127
Reply from 172.16.2.1: bytes=32 time=63ms TTL=127
Reply from 172.16.2.1: bytes=32 time=62ms TTL=127

Ping statistics for 172.16.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 47ms, Maximum = 63ms, Average = 58ms

PC> ping 172.16.4.2

Pinging 172.16.4.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.4.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC1 (in the 172.16.1.0 segment) can ping PC2 (172.16.2.1) but not PC3 (172.16.4.2).
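The following Python is an added example, not part of the original lab write-up: it models how access list 1 is evaluated (wildcard-mask matching, first match wins, implicit deny) and compares the two placements discussed above, outbound on Router2 F0/0 versus inbound on Router1 F0/0. The PC1 address 172.16.1.1 and the traffic flows are assumptions; the lab only shows 172.16.2.1 and 172.16.4.2.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base address, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

# Access list 1 from the lab, as ordered (action, address, wildcard) entries.
# "permit any" is equivalent to 0.0.0.0 with wildcard 255.255.255.255.
ACL_1 = [
    ("deny", "172.16.1.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

def evaluate(acl, src):
    """A standard ACL checks only the source address; the first matching
    entry wins, and a packet matching no entry hits the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"

def in_net(addr, cidr):
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(cidr)

# Placements: which (src, dst) packets cross the filtered interface in the filtered direction.
def router2_f00_out(src, dst):  # outbound on Router2 F0/0 = traffic into 172.16.4.0/24
    return in_net(dst, "172.16.4.0/24")

def router1_f00_in(src, dst):   # inbound on Router1 F0/0 = everything from 172.16.1.0/24
    return in_net(src, "172.16.1.0/24")

def apply_at(acl, flows, passes_interface):
    """Verdict per flow; packets that never cross the filtered interface are untouched."""
    return {(s, d): (evaluate(acl, s) if passes_interface(s, d) else "permit")
            for s, d in flows}

# Constructed test flows; PC1 = 172.16.1.1 is an assumption (not shown in the lab).
FLOWS = [("172.16.1.1", "172.16.2.1"),   # PC1 -> PC2
         ("172.16.1.1", "172.16.4.2"),   # PC1 -> PC3
         ("172.16.2.1", "172.16.4.2")]   # PC2 -> PC3

if __name__ == "__main__":
    for name, where in (("Router2 F0/0 out", router2_f00_out),
                        ("Router1 F0/0 in", router1_f00_in)):
        print(name, apply_at(ACL_1, FLOWS, where))
```

Running it shows that the Router2 placement blocks only PC1 -> PC3, while the Router1 placement also cuts PC1 off from 172.16.2.0, which is the point the lab makes about placement.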
 
