基于Cisco-PT的拓展ACL配置

 

 

 

Device	Interface	IP Address	Subnet Mask	Default Gateway
R0	Fa0/0	172.118.1.1	255.255.255.0	N/A
	Fa0/1	172.118.2.1	255.255.255.0	N/A
	Se0/3/0   s	172.118.12.1	255.255.255.0	N/A
R1	Se0/3/0	172.118.12.2	255.255.255.0	N/A
	Se0/3/1	172.118.23.2	255.255.255.0	N/A
R3	Fa0/0	172.118.3.3	255.255.255.0	N/A
	Se0/3/1	172.118.23.1	255.255.255.0	N/A
PC0	Fa0/0	172.118.1.100	255.255.255.0	172.118.1.1
PC1	Fa0/0	172.118.2.100	255.255.255.0	172.118.2.1
PC2	Fa0/0	172.118.3.100	255.255.255.0	172.118.3.3

 

在实验前先进行连通性测试

R0

access-list 110 remark this is an example for extended acl  //添加备注，增加可读性

access-list 110 deny tcp(icmp)172.118.X.0 0.0.0.255 host 172.118.X.Y eq XXX

//拒绝对应网段访问服务器某种服务。

R2

access-list 120 deny icmp host 172.118.23.2 host 172.118.23.3 echo

access-list 120 permit ip any any

int s0/0/1

ip access-group 120 in

 

 

 

 

当一切准备就绪后，进行调试

在路由器R0上查看ACL110

服务器1与2的互PING

 

 

 

 

 

易知实现了服务器单方向通信。

 

R0

ip access-list extended acl120

deny icmp host 172.118.23.2 host 172.118.23.3 echo

permit ip any any

int s0/0/1

ip access-group acl120 in

至此，拓展ACL已配置完毕