Learn new ideas and strive to be a new youth. Today's topic: Access Control Lists (ACL).
Lab topology
Lab requirements
① Allow all three PCs to access FTP and WEB
② Deny all three PCs access to FTP and WEB
③ Allow PC1 access; deny PC2 and PC3 access
④ Allow PC1 to access FTP and PC2/PC3 to access WEB; deny PC1 access to WEB and PC2/PC3 access to FTP
⑤ PC1 can reach PC3; PC2 cannot reach PC3
Lab configuration
Basic configuration
R1:
sys
sysname R1
int g0/0/0
ip add 172.16.1.254 24
int g0/0/1
ip add 172.16.2.254 24
int g0/0/2
ip add 172.16.3.254 24
int g0/0/3
ip add 192.168.1.254 24
S1:
sys
sysname S1
int vlanif 1
ip add 192.168.1.1 24
Requirement configuration
① Allow all three PCs to access FTP and WEB
acl 2000
rule 5 permit source 172.16.1.1 0
rule 10 permit source 172.16.2.1 0
rule 15 permit source 172.16.3.1 0
② Deny all three PCs access to FTP and WEB
acl 2001
rule 5 deny source 172.16.1.1 0
rule 10 deny source 172.16.2.1 0
rule 15 deny source 172.16.3.1 0
③ Allow PC1 access; deny PC2 and PC3 access
acl 2002
rule 5 permit source 172.16.1.1 0
rule 10 deny source 172.16.2.1 0
rule 15 deny source 172.16.3.1 0
④ Allow PC1 to access FTP and PC2/PC3 to access WEB; deny PC1 access to WEB and PC2/PC3 access to FTP
acl 3000
rule 5 permit tcp destination-port eq ftp source 172.16.1.1 0 destination 192.168.1.10 0
rule 10 permit tcp destination-port eq www source 172.16.2.1 0 destination 192.168.1.30 0
rule 15 permit tcp destination-port eq www source 172.16.3.1 0 destination 192.168.1.30 0
rule 20 deny tcp destination-port eq www source 172.16.1.1 0 destination 192.168.1.30 0
rule 25 deny tcp destination-port eq ftp source 172.16.2.1 0 destination 192.168.1.10 0
rule 30 deny tcp destination-port eq ftp source 172.16.3.1 0 destination 192.168.1.10 0
rule 35 deny ip
⑤ PC1 can reach PC3; PC2 cannot reach PC3
acl 3001
rule 5 permit icmp source 172.16.1.1 0 destination 172.16.3.1 0
rule 10 deny icmp source 172.16.2.1 0 destination 172.16.3.1 0
rule 15 deny ip
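The write-up lists the rules but not how a router evaluates them, and it never shows the ACL being bound to an interface. The Python below is an added example (not code from the original post): a small first-match evaluator that mirrors the semantics of the basic ACLs (2000-2002, source address with wildcard mask) and the advanced ACLs (3000-3001, protocol, addresses and destination port). It assumes the ACL is applied with traffic-filter, whose behaviour for a packet matching no rule is to permit it; that 192.168.1.10 is the FTP server and 192.168.1.30 the web server, as the destinations in ACL 3000 imply; and that PC1, PC2 and PC3 are 172.16.1.1, 172.16.2.1 and 172.16.3.1. The host address 172.16.1.99 is constructed for the example.

```python
"""Added example: first-match evaluation of the lab's ACL rules (not from the post).

Assumptions (not stated in the write-up): traffic-filter default is permit for
unmatched packets; 192.168.1.10 is the FTP server, 192.168.1.30 the web server;
PC1/PC2/PC3 are 172.16.1.1, 172.16.2.1, 172.16.3.1.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

FTP_SERVER = "192.168.1.10"   # assumed from ACL 3000's destinations
WEB_SERVER = "192.168.1.30"   # assumed from ACL 3000's destinations
PCS = {"PC1": "172.16.1.1", "PC2": "172.16.2.1", "PC3": "172.16.3.1"}


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "permit" or "deny"
    protocol: str = "ip"            # "ip" matches every protocol; else "tcp", "icmp", ...
    src: Optional[str] = None       # None means "any"
    src_wc: str = "0.0.0.0"         # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: Optional[str] = None
    dst_wc: str = "0.0.0.0"
    dst_port: Optional[int] = None  # only meaningful for tcp/udp


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None


def match_addr(addr: str, base: Optional[str], wildcard: str) -> bool:
    """Wildcard-mask comparison shared by basic and advanced rules."""
    if base is None:
        return True
    keep = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & keep) == (int(IPv4Address(base)) & keep)


def match_rule(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if not match_addr(pkt.src, rule.src, rule.src_wc):
        return False
    if not match_addr(pkt.dst, rule.dst, rule.dst_wc):
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def evaluate(acl: List[Rule], pkt: Packet, default: str = "permit") -> str:
    """The first matching rule (by rule number) decides; no match -> traffic-filter default."""
    for rule in sorted(acl, key=lambda r: r.number):
        if match_rule(rule, pkt):
            return rule.action
    return default


# Requirement 1 as written: permit rules only.
ACL_2000 = [Rule(5, "permit", src=PCS["PC1"]),
            Rule(10, "permit", src=PCS["PC2"]),
            Rule(15, "permit", src=PCS["PC3"])]

# Requirement 3: PC1 permitted, PC2 and PC3 denied.
ACL_2002 = [Rule(5, "permit", src=PCS["PC1"]),
            Rule(10, "deny", src=PCS["PC2"]),
            Rule(15, "deny", src=PCS["PC3"])]

# Requirement 4: rules 25/30 match FTP (port 21); rule 35 is `deny ip`.
ACL_3000 = [Rule(5, "permit", "tcp", PCS["PC1"], dst=FTP_SERVER, dst_port=21),
            Rule(10, "permit", "tcp", PCS["PC2"], dst=WEB_SERVER, dst_port=80),
            Rule(15, "permit", "tcp", PCS["PC3"], dst=WEB_SERVER, dst_port=80),
            Rule(20, "deny", "tcp", PCS["PC1"], dst=WEB_SERVER, dst_port=80),
            Rule(25, "deny", "tcp", PCS["PC2"], dst=FTP_SERVER, dst_port=21),
            Rule(30, "deny", "tcp", PCS["PC3"], dst=FTP_SERVER, dst_port=21),
            Rule(35, "deny", "ip")]

# Requirement 5: ICMP PC1 -> PC3 permitted, PC2 -> PC3 denied, everything else denied.
ACL_3001 = [Rule(5, "permit", "icmp", PCS["PC1"], dst=PCS["PC3"]),
            Rule(10, "deny", "icmp", PCS["PC2"], dst=PCS["PC3"]),
            Rule(15, "deny", "ip")]


def service_matrix(acl: List[Rule]) -> Dict[Tuple[str, str], str]:
    """Decision for every PC against the FTP and web servers under `acl`."""
    out = {}
    for name, src in PCS.items():
        out[(name, "ftp")] = evaluate(acl, Packet(src, FTP_SERVER, "tcp", 21))
        out[(name, "web")] = evaluate(acl, Packet(src, WEB_SERVER, "tcp", 80))
    return out


def permit_only_list_restricts_nothing() -> bool:
    """Under default-permit semantics, ACL 2000 also lets an unlisted host through."""
    stranger = Packet("172.16.1.99", FTP_SERVER, "tcp", 21)   # constructed host, not in the lab
    return evaluate(ACL_2000, stranger) == "permit"


if __name__ == "__main__":
    for (pc, service), decision in sorted(service_matrix(ACL_3000).items()):
        print(f"ACL 3000 {pc} -> {service}: {decision}")
    print("unlisted host permitted by ACL 2000:", permit_only_list_restricts_nothing())
```

Two points the evaluator makes visible: the rule number fixes the evaluation order, so the specific permit rules in ACL 3000 must carry lower numbers than the closing `deny ip`, and a list built only from permit rules (requirement ①) restricts nothing when the unmatched default is permit, so it only has an effect when combined with a trailing deny or when the default is known to be deny on the platform in use.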