基於Cisco-PT的拓展ACL配置

 

 

 

Device	Interface	IP Address	Subnet Mask	Default Gateway
R0	Fa0/0	172.118.1.1	255.255.255.0	N/A
	Fa0/1	172.118.2.1	255.255.255.0	N/A
	Se0/3/0   s	172.118.12.1	255.255.255.0	N/A
R1	Se0/3/0	172.118.12.2	255.255.255.0	N/A
	Se0/3/1	172.118.23.2	255.255.255.0	N/A
R3	Fa0/0	172.118.3.3	255.255.255.0	N/A
	Se0/3/1	172.118.23.1	255.255.255.0	N/A
PC0	Fa0/0	172.118.1.100	255.255.255.0	172.118.1.1
PC1	Fa0/0	172.118.2.100	255.255.255.0	172.118.2.1
PC2	Fa0/0	172.118.3.100	255.255.255.0	172.118.3.3

 

在實驗前先進行連通性測試

R0

access-list 110 remark this is an example for extended acl  //添加備注，增加可讀性

access-list 110 deny tcp(icmp)172.118.X.0 0.0.0.255 host 172.118.X.Y eq XXX

//拒絕對應網段訪問服務器某種服務。

R2

access-list 120 deny icmp host 172.118.23.2 host 172.118.23.3 echo

access-list 120 permit ip any any

int s0/0/1

ip access-group 120 in

 

 

 

 

當一切准備就緒后，進行調試

在路由器R0上查看ACL110

服務器1與2的互PING

 

 

 

 

 

易知實現了服務器單方向通信。

 

R0

ip access-list extended acl120

deny icmp host 172.118.23.2 host 172.118.23.3 echo

permit ip any any

int s0/0/1

ip access-group acl120 in

至此，拓展ACL已配置完畢