August 12, 2010

ACL Lab (hands-on)


Experiment 1: Standard IP access list
Only allow hosts on the 172.16.30.0 network segment to enter the 172.16.10.0 network
Router_A#configure t
Enter configuration commands, one per line. End with CNTL/Z.
Router_A(config)#access-list 10 permit 172.16.30.0 0.0.0.255
Router_A(config)#interface fa0/0
Router_A(config-if)#ip access-group 10 out
Router_A(config-if)#exit
Router_A(config)#exit

Router_A#show access-lists
Standard IP access list 10
permit 172.16.30.0 0.0.0.255
Router_A#show ip interface fa0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 172.16.10.254/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 10
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent

Experiment 2: Extended IP access list
Block Telnet connections from host 172.16.10.1 (Host_A) to router Router_B (172.16.20.2),
but Host_A must still be able to ping Router_B's IP (172.16.20.2)
Router_A#configure t
Enter configuration commands, one per line. End with CNTL/Z.
Router_A(config)#access-list 110 deny tcp host 172.16.10.1 host 172.16.20.2 eq 23
Router_A(config)#access-list 110 permit ip any any
Router_A(config)#interface fa0/0
Router_A(config-if)#ip access-group 110 in
Router_A(config-if)#exit
Router_A(config)#exit
Router_A#show access-lists
Extended IP access list 110
deny tcp host 172.16.10.1 host 172.16.20.2 eq telnet
permit ip any any

Router_A#show ip interface fa0/0
FastEthernet0/0 is up, line protocol is up (connected)
Internet address is 172.16.10.254/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 110
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent

Test whether telnet is blocked by the ACL
Host_A>telnet 172.16.20.2
Trying 172.16.20.2 ...
% Connection timed out; remote host not responding

Host_A>ping 172.16.20.2
Pinging 172.16.20.2 with 32 bytes of data:
Reply from 172.16.20.2: bytes=32 time=50ms TTL=254
Reply from 172.16.20.2: bytes=32 time=80ms TTL=254
Reply from 172.16.20.2: bytes=32 time=50ms TTL=254
Reply from 172.16.20.2: bytes=32 time=60ms TTL=254
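As an added example (not part of this lab), the following Python script models how IOS evaluates the two lists above: wildcard-mask matching, top-down first match, and the implicit deny at the end of every list. It parses the exact access-list lines from Experiment 1 and Experiment 2; the source addresses 172.16.30.5 and 172.16.20.2 used in the checks are constructed. The results show why Host_A's Telnet is dropped while its ping still gets through, and that the standard list silently drops everything bound for 172.16.10.0 that does not come from 172.16.30.0/24.

```python
# Added example: model of Cisco ACL semantics (wildcard mask, first match, implicit deny).
import ipaddress

def _addr(tokens):
    # Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_ace(line):
    # Parse one 'access-list N permit|deny ...' line (standard, or the extended subset used here)
    tokens = line.split()
    number, action, tokens = int(tokens[1]), tokens[2], tokens[3:]
    if number <= 99 or 1300 <= number <= 1999:  # standard list: source address only
        return dict(action=action, proto="ip", src=_addr(tokens), dst=(0, 0xFFFFFFFF), dport=None)
    proto = tokens.pop(0)
    src, dst, dport = _addr(tokens), _addr(tokens), None
    if tokens and tokens[0] == "eq":           # only the 'eq PORT' form is modelled
        dport = 23 if tokens[1] == "telnet" else int(tokens[1])
    return dict(action=action, proto=proto, src=src, dst=dst, dport=dport)

def _match_addr(spec, ip):
    net, wc = spec                            # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wc) == (net | wc)

def evaluate(acl, proto, src, dst, dport=None):
    # First matching entry decides; anything unmatched hits the implicit 'deny any'
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (_match_addr(ace["src"], src) and _match_addr(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

ACL_10 = [parse_ace("access-list 10 permit 172.16.30.0 0.0.0.255")]
ACL_110 = [parse_ace("access-list 110 deny tcp host 172.16.10.1 host 172.16.20.2 eq 23"),
           parse_ace("access-list 110 permit ip any any")]

def lab_results():
    # The lab's packets plus a constructed 172.16.20.x source to show the implicit deny
    return {"acl10_from_30_net": evaluate(ACL_10, "ip", "172.16.30.5", "172.16.10.1"),
            "acl10_from_20_net": evaluate(ACL_10, "ip", "172.16.20.2", "172.16.10.1"),
            "acl110_telnet": evaluate(ACL_110, "tcp", "172.16.10.1", "172.16.20.2", 23),
            "acl110_ping": evaluate(ACL_110, "icmp", "172.16.10.1", "172.16.20.2")}
```

Note that `show ip interface fa0/0` confirms only where each list is applied (ACL 10 outbound, ACL 110 inbound); this model is how to reason about what each list will actually drop before committing it to a production interface.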
