2. Configure an ACL that blocks ICMP packets from the 192.168.3.0/24 network to the 192.168.1.0/24 network
xixian(config)#access-list 101 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
xixian(config)#access-list 101 permit ip any any
xixian(config)#int fa0/1
xixian(config-if)#ip access-group 101 out
xixian(config-if)#
3. Configure an ACL that blocks traffic on specific protocol ports
HuangChuang#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HuangChuang(config)#ip access-list extended ACL1    // create a named extended ACL
HuangChuang(config-ext-nacl)#deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq 80
HuangChuang(config-ext-nacl)#deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq 53
HuangChuang(config-ext-nacl)#permit ip any any
HuangChuang(config-ext-nacl)#exit
HuangChuang(config)#int fa0/1
HuangChuang(config-if)#ip access-group ACL1 in
HuangChuang(config-if)#
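Both ACLs above depend on three IOS behaviours that are easy to get wrong: wildcard masks (a 1 bit means "don't care", a 0 bit must match), first-match evaluation from the top of the list, and the implicit deny of anything that matches no entry (which is why each list ends with `permit ip any any`). The following evaluator, added here as an illustration and not part of the lab report or of IOS, parses the exact entry syntax used in steps 2 and 3 and reports which entry a sample packet would hit. The `Packet` class, the `PORT_NAMES` table and all sample addresses are constructed for the example; only the `eq` destination-port operator is supported.

```python
"""Offline evaluator for the Cisco IOS extended ACL entries used in the lab.

Added example (not router code): models wildcard-mask matching, first-match
evaluation and the implicit deny so a planned ACL can be checked against
sample packets before it is bound to an interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS accepts in place of numbers (assumed subset for the example).
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "ssh": 22, "telnet": 23}


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass
class AddrSpec:
    base: int       # address from the entry, as an integer
    wildcard: int   # wildcard mask: 1 = don't care, 0 = bit must match

    def matches(self, addr: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF          # bits that must be equal
        return (_ip(addr) ^ self.base) & care == 0


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "icmp", "tcp" or "udp"
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]   # destination port from "eq", if present
    text: str              # original line, kept for reporting


@dataclass
class Packet:              # constructed stand-in for a packet header
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrSpec(_ip(tokens[i + 1]), 0), i + 2
    return AddrSpec(_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_entry(line: str) -> Entry:
    tokens = line.split()
    if tokens[0] == "access-list":      # numbered form: "access-list 101 deny ..."
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return Entry(action, proto, src, dst, dport, line)


def entry_matches(entry: Entry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if not (entry.src.matches(pkt.src) and entry.dst.matches(pkt.dst)):
        return False
    return entry.dport is None or entry.dport == pkt.dport


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[Entry]]:
    """First matching entry decides; no match falls through to the implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry.action, entry
    return "deny", None


# The two ACLs configured in steps 2 and 3 above.
ACL_101 = [parse_entry(l) for l in (
    "access-list 101 deny icmp 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip any any",
)]
ACL1 = [parse_entry(l) for l in (
    "deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq 80",
    "deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq 53",
    "permit ip any any",
)]

if __name__ == "__main__":
    for acl, pkt in (
        (ACL_101, Packet("icmp", "192.168.3.7", "192.168.1.9")),
        (ACL_101, Packet("icmp", "192.168.1.9", "192.168.3.7")),   # reverse direction
        (ACL1, Packet("tcp", "192.168.2.2", "192.168.1.5", 80)),
        (ACL1, Packet("tcp", "192.168.2.2", "192.168.1.5", 443)),
    ):
        action, hit = evaluate(acl, pkt)
        print(f"{pkt} -> {action} ({hit.text if hit else 'implicit deny'})")
```

Two points the evaluator makes visible: ACL 101 only matches ICMP travelling from 192.168.3.0/24 towards 192.168.1.0/24, so traffic in the other direction is permitted by the second entry, and an ACL is direction-sensitive on top of that, since `ip access-group 101 out` inspects only packets leaving fa0/1; and stripping the final `permit ip any any` from ACL1 makes every unmatched packet fall to the implicit deny, which on an inbound ACL also drops routing-protocol traffic on that interface.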
Figure 4: Verifying the ACL
4. Verify and display the ACLs
HuangChuang#sh access-list
Standard IP access list 1
    permit host 192.168.2.2 (4 match(es))
Extended IP access list ACL1
    deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain
    deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www
    permit ip any any
HuangChuang#show access-list
Standard IP access list 1
    permit host 192.168.2.2 (4 match(es))
Extended IP access list ACL1
    deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain (15 match(es))
    deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www (60 match(es))
    permit ip any any (34 match(es))
HuangChuang#show access-list ACL1
Extended IP access list ACL1
    deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain (15 match(es))
    deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www (60 match(es))
    permit ip any any (34 match(es))
HuangChuang#show access-list 1
Standard IP access list 1
    permit host 192.168.2.2 (4 match(es))
IV. Configuration of the router on which the ACLs are applied
HuangChuang#sh startup-config
Using 914 bytes
!
version 12.4
no service password-encryption
!
hostname HuangChuang
!
!
enable password cisco
!
ip ssh version 1
no ip domain-lookup
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip access-group ACL1 in
 duplex auto
 speed auto
!
interface Serial0/3/0
 ip address 172.17.1.2 255.255.255.0
!
interface Serial0/3/1
 ip address 172.16.1.1 255.255.255.0
 clock rate 56000
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 100
 network 192.168.2.0
 network 172.17.0.0
 network 172.16.0.0
 auto-summary
!
ip classless
!
!
access-list 1 permit host 192.168.2.2
ip access-list extended ACL1
 deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain
 deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www
 permit ip any any
!
line con 0
line vty 0 4
 access-class 1 in
 password cisco
 login
!
!
end
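The `show access-list` output in step 4 is the evidence that the ACL works: the first snapshot shows no counters on the ACL1 entries, the second shows 15, 60 and 34 matches after test traffic. IOS prints `(N match(es))` only once an entry has matched, and it rewrites `eq 80` and `eq 53` as `eq www` and `eq domain`. The parser below, added here as an example and not part of the lab report or of IOS, turns two such snapshots (constructed from the output above) into per-entry hit counts and reports deny entries whose counter never moved, which is the usual sign that the test traffic did not traverse the ACL or that it is bound to the wrong interface or direction. `BEFORE`, `AFTER` and the function names are assumptions of the example.

```python
"""Parse IOS "show access-list" output and compare hit counters across snapshots.

Added example, not part of the lab report: BEFORE/AFTER are constructed from
the two outputs shown in step 4. A missing "(N match(es))" is read as zero.
"""
import re
from typing import Dict, List, Tuple

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
# Optional sequence number (newer IOS prints one), action, rule text, optional counter.
ENTRY_RE = re.compile(
    r"^\s*(?:(\d+)\s+)?(permit|deny)\s+(.*?)(?:\s+\((\d+) match\(es\)\))?\s*$"
)

# Constructed from the lab's first and second "show access-list" outputs.
BEFORE = """\
Standard IP access list 1
    permit host 192.168.2.2 (4 match(es))
Extended IP access list ACL1
    deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain
    deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www
    permit ip any any
"""
AFTER = """\
Standard IP access list 1
    permit host 192.168.2.2 (4 match(es))
Extended IP access list ACL1
    deny udp host 192.168.2.3 192.168.1.0 0.0.0.255 eq domain (15 match(es))
    deny tcp host 192.168.2.2 192.168.1.0 0.0.0.255 eq www (60 match(es))
    permit ip any any (34 match(es))
"""


def parse_show_access_lists(text: str) -> Dict[str, dict]:
    """Map ACL name -> {"type": "standard"|"extended", "entries": [...]}.

    Each entry is {"seq", "action", "rule", "matches"}; lines that are not a
    header or an entry (prompts, blank lines) are ignored."""
    acls: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"type": m.group(1).lower(), "entries": []}
            acls[m.group(2)] = current
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current["entries"].append({
                "seq": int(m.group(1)) if m.group(1) else None,
                "action": m.group(2),
                "rule": m.group(3),
                "matches": int(m.group(4)) if m.group(4) else 0,
            })
    return acls


def hit_delta(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[Tuple[str, str], int]:
    """Counter increase per (acl name, "action rule") between two snapshots."""
    delta: Dict[Tuple[str, str], int] = {}
    for name, acl in after.items():
        old = {f"{e['action']} {e['rule']}": e["matches"]
               for e in before.get(name, {"entries": []})["entries"]}
        for e in acl["entries"]:
            key = f"{e['action']} {e['rule']}"
            delta[(name, key)] = e["matches"] - old.get(key, 0)
    return delta


def silent_denies(delta: Dict[Tuple[str, str], int]) -> List[Tuple[str, str]]:
    """Deny entries whose counter did not move between the snapshots."""
    return [k for k, v in delta.items() if k[1].startswith("deny") and v == 0]


if __name__ == "__main__":
    d = hit_delta(parse_show_access_lists(BEFORE), parse_show_access_lists(AFTER))
    for (name, rule), n in d.items():
        print(f"{name:>5}  +{n:<4} {rule}")
    print("deny entries never hit:", silent_denies(d) or "none")
```

Counters persist until `clear access-list counters`, so taking a snapshot before each test and diffing, as `hit_delta` does, is more reliable than reading absolute values. The standard list 1 is applied with `access-class 1 in` on the vty lines, so its counter moves only with management logins, not with the data-plane test traffic.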