访问控制列表ACL

学习新思想，争做新青年。今天学习访问控制列表ACL

实验拓扑

实验要求

①允许三台PC访问FTP和WEB

②不允许三台PC访问FTP和WEB

③允许PC1访问，不允许PC2PC3访问

④允许PC1访问FTP，PC2PC3访问WEB，不允许PC1访问WEB，PC2PC3访问FTP

⑤PC1可以访问PC3，PC2不可以访问PC3

实验配置

基础配置

R1:

sys

sysname R1

int g0/0/0

ip add 172.16.1.254 24

int g0/0/1

ip add 172.16.2.254 24

int g0/0/2

ip add 172.16.3.254 24

int g0/0/3

ip add 192.168.1.254 24

S1:

sys

sysname S1

int vlanif 1

ip add 192.168.1.1 24

要求配置

①允许三台PC访问FTP和WEB

acl 2000

rule 5 permit source 172.16.1.1 0

rule 10 permit source 172.16.2.1 0

rule 15 permit source 172.16.3.1 0

②不允许三台PC访问FTP和WEB

acl 2001

rule 5 deny source 172.16.1.1 0

rule 10 deny source 172.16.2.1 0

rule 15 deny source 172.16.3.1 0

③允许PC1访问，不允许PC2PC3访问

acl 2002

rule 5 permit source 172.16.1.1 0

rule 10 deny source 172.16.2.1 0

rule 15 deny source 172.16.3.1 0

④允许PC1访问FTP，PC2PC3访问WEB，不允许PC1访问WEB，PC2PC3访问FTP

acl 3000

rule 5 permit tcp destination-port eq ftp source 172.16.1.1 0 destination 192.168.1.10 0

rule 10 permit tcp destination-port eq www source 172.16.2.1 0 destination 192.168.1.30 0

rule 15 permit tcp destination-port eq www source 172.16.3.1 0 destination 192.168.1.30 0

rule 20 deny tcp destination-port eq www source 172.16.1.1 0 destination 192.168.1.30 0

rule 25 deny tcp destination-port eq www source 172.16.2.1 0 destination 192.168.1.10 0

rule 30 deny tcp destination-port eq www source 172.16.3.1 0 destination 192.168.1.10 0

rule 35 deny any

⑤PC1可以访问PC3，PC2不可以访问PC3

acl 3001

rule 5 permit tcp destination-port eq icmp source 172.16.1.1 0 destionation 172.16.3.1 0

rule 10 deny tcp destination-port eq icmp source 172.16.2.1 0 destionation 172.16.3.1 0

rule 15 deny any any