Named ACL configuration

【Purpose】

  1. Master the configuration of named ACLs.
  2. Verify the configuration.

【Experimental Topology】

The experimental topology is shown in Figure 1.

Figure 1 Experimental topology

The equipment parameters are shown in Table 1.

Table 1 Equipment parameter table

Equipment   Interface   IP address      Subnet mask       Default gateway
R1          S0/3/0      192.168.1.1     255.255.255.252   N/A
R1          F0/0        192.168.2.1     255.255.255.0     N/A
R2          S0/3/0      192.168.1.2     255.255.255.252   N/A
R2          F0/0        172.16.10.254   255.255.255.0     N/A
PC1         N/A         192.168.2.2     255.255.255.0     192.168.2.1
PC2         N/A         192.168.3.2     255.255.255.0     192.168.3.1
Server1     N/A         172.16.10.1     255.255.255.0     172.16.10.254

【Experimental content】

1. Configure the routing protocol

(1) Basic configuration of R1

Router>en
Router#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface f0/0
R1(config-if)#ip add 192.168.2.1 255.255.255.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#interface s0/3/0
R1(config-if)#ip add 192.168.1.1 255.255.255.252
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/3/0, changed state to down
R1(config-if)#ex
R1(config)#
%LINK-5-CHANGED: Interface Serial0/3/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to up
R1(config)#ip route 192.168.3.0 255.255.255.0 s0/3/0
%Default route without gateway, if not a point-to-point interface, may impact performance
R1(config)#ip route 172.16.10.0 255.255.255.0 s0/3/0
%Default route without gateway, if not a point-to-point interface, may impact performance
//Configure static routes to the remote networks

(2) Basic configuration of R2

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface s0/3/0
R2(config-if)#ip add 192.168.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
%LINK-5-CHANGED: Interface Serial0/3/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to up
R2(config-if)#interface f0/0
R2(config-if)#ip add 172.16.10.254 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#interface f0/1
R2(config-if)#ip add 192.168.3.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R2(config-if)#ex
R2(config)#ip route 192.168.2.0 255.255.255.0 s0/3/0
%Default route without gateway, if not a point-to-point interface, may impact performance
R2(config)#

(3) Basic configuration of Server1

(4) Basic configuration of PC1

(5) Basic configuration of PC2

2. Verify connectivity

(1) PC1 ping PC2

(2) PC1 ping Server1

3. Verify PC1 access to services

(1) Access the Web service

(2) Access the FTP service

(3) Access the DNS service

4. Configure named standard ACL on R2

R2(config)#ip access-list standard ACL
R2(config-std-nacl)#deny 172.16.10.0 0.0.0.255
R2(config-std-nacl)#permit any
R2(config-std-nacl)#ex
R2(config)#int f0/1
R2(config-if)#ip access-group ACL out

5. Verify connectivity

6. Configure extended ACL on R1 to disable Web

(1) Configuration of R1

R1(config)#ip access-list extended web
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www
//Deny 192.168.2.0/24
R1(config-ext-nacl)#permit ip any any
//Allow any other network segment to access
R1(config-ext-nacl)#exit
R1(config)#interface s0/3/0
R1(config-if)#ip access-group web out
//Apply the ACL in the outbound direction on interface S0/3/0

(2) Verify Web service

//After the Web service is disabled, the Web server cannot be accessed

7. Configure extended ACL to disable FTP service

(1) Configuration of R1

R1(config)#ip access-list extended ftp
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 20
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 21
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#interface s0/3/0
R1(config-if)#ip access-group ftp out

(2) Verify FTP service

//After the FTP service is disabled, the FTP server cannot be accessed

8. Configure extended ACL to disable DNS service

(1) Configuration of R1

R1(config)#ip access-list extended dns
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 53
R1(config-ext-nacl)#deny udp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 53
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#exit
R1(config)#interface s0/3/0
R1(config-if)#ip access-group dns out

(2) Verify DNS service

//After the DNS service is disabled, the DNS server cannot be accessed
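The four ACLs in this lab (the standard list on R2 and the web, ftp and dns lists on R1) are all evaluated the same way: each packet is compared with the entries top-down using wildcard masks, the first matching entry decides, and a list that matches nothing ends in the implicit deny. The Python model below is added here as an example and is not part of the original lab; it replays the verification steps of sections 4 to 8 against those rules and goes one step further than the lab by showing what its own command sequence implies: each `ip access-group ... out` on s0/3/0 replaces the ACL applied before it, so by section 8 only DNS is still blocked, and a single merged list is needed to block all three services at once. Assumptions: `eq www` is TCP port 80, a ping is modelled as one ICMP packet, the hosts are those of Table 1, and the `Packet`, `Entry` and `Interface` classes and the `lab_results` function are names invented for this example.

```python
"""IOS-style ACL matching model, replayed against this lab's ACLs.

Added example, not from the original lab. Assumes: "eq www" is TCP/80,
a ping is a single ICMP packet, hosts are taken from Table 1.
"""
from ipaddress import IPv4Address
from typing import Dict, List, NamedTuple, Optional

PC1, PC2, SERVER1 = "192.168.2.2", "192.168.3.2", "172.16.10.1"
ANY = ("0.0.0.0", "255.255.255.255")        # the keyword "any"
NET_PC1 = ("192.168.2.0", "0.0.0.255")      # 192.168.2.0/24 in wildcard form
NET_SERVER = ("172.16.10.0", "0.0.0.255")   # 172.16.10.0/24 in wildcard form


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match the network, a 1 bit is ignored."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


class Packet(NamedTuple):
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp


class Entry(NamedTuple):
    """One access-list entry; proto "ip" matches every protocol. A standard
    ACL entry is modelled as proto "ip" with destination "any"."""
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    dport: Optional[int] = None  # None: no "eq" clause, any port matches


def evaluate(acl: List[Entry], pkt: Packet):
    """Return (action, index) of the first matching entry, or ("deny", None)
    for the implicit deny at the end of every ACL."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, i
    return "deny", None


class Interface:
    """At most one ACL per direction, as in IOS: a second
    "ip access-group ... out" replaces the first instead of adding to it."""
    def __init__(self) -> None:
        self.acl: Dict[str, Optional[List[Entry]]] = {"in": None, "out": None}

    def access_group(self, acl: List[Entry], direction: str) -> None:
        self.acl[direction] = acl

    def filter(self, pkt: Packet, direction: str) -> str:
        acl = self.acl[direction]
        return "permit" if acl is None else evaluate(acl, pkt)[0]


PERMIT_ALL = Entry("permit", "ip", *ANY, *ANY)
# Section 4: "ip access-list standard ACL" on R2, applied out on f0/1.
STANDARD_ACL = [Entry("deny", "ip", *NET_SERVER), PERMIT_ALL]
# Sections 6-8: extended ACLs web, ftp and dns on R1, applied out on s0/3/0.
WEB = [Entry("deny", "tcp", *NET_PC1, *NET_SERVER, 80), PERMIT_ALL]
FTP = [Entry("deny", "tcp", *NET_PC1, *NET_SERVER, 20),
       Entry("deny", "tcp", *NET_PC1, *NET_SERVER, 21), PERMIT_ALL]
DNS = [Entry("deny", "tcp", *NET_PC1, *NET_SERVER, 53),
       Entry("deny", "udp", *NET_PC1, *NET_SERVER, 53), PERMIT_ALL]
# Not in the lab: one list carrying every deny entry, so all three blocks hold at once.
ALL_SERVICES = WEB[:-1] + FTP[:-1] + DNS[:-1] + [PERMIT_ALL]


def lab_results() -> Dict[str, str]:
    """Replay the lab's verification steps; return a permit/deny verdict per check."""
    out: Dict[str, str] = {}
    r2_f01, r1_s030 = Interface(), Interface()
    r2_f01.access_group(STANDARD_ACL, "out")
    # Section 5: PC2's request reaches Server1, but the reply (source
    # 172.16.10.1) leaves R2 via f0/1, where the standard ACL drops it.
    out["pc2_gets_reply_from_server1"] = r2_f01.filter(Packet("icmp", SERVER1, PC2), "out")
    out["pc2_gets_reply_from_pc1"] = r2_f01.filter(Packet("icmp", PC1, PC2), "out")
    # Section 6: HTTP blocked, other traffic from PC1 still permitted.
    r1_s030.access_group(WEB, "out")
    out["web_acl_http"] = r1_s030.filter(Packet("tcp", PC1, SERVER1, 80), "out")
    out["web_acl_ping"] = r1_s030.filter(Packet("icmp", PC1, SERVER1), "out")
    # Section 7: applying ftp replaces web on s0/3/0 out, so HTTP is open again.
    r1_s030.access_group(FTP, "out")
    out["ftp_acl_ftp_control"] = r1_s030.filter(Packet("tcp", PC1, SERVER1, 21), "out")
    out["ftp_acl_http"] = r1_s030.filter(Packet("tcp", PC1, SERVER1, 80), "out")
    # Section 8: likewise dns replaces ftp.
    r1_s030.access_group(DNS, "out")
    out["dns_acl_udp53"] = r1_s030.filter(Packet("udp", PC1, SERVER1, 53), "out")
    out["dns_acl_ftp_control"] = r1_s030.filter(Packet("tcp", PC1, SERVER1, 21), "out")
    # Merged list: all three services blocked together, ping still permitted.
    r1_s030.access_group(ALL_SERVICES, "out")
    out["merged_http"] = r1_s030.filter(Packet("tcp", PC1, SERVER1, 80), "out")
    out["merged_udp53"] = r1_s030.filter(Packet("udp", PC1, SERVER1, 53), "out")
    out["merged_ping"] = r1_s030.filter(Packet("icmp", PC1, SERVER1), "out")
    # Without "permit ip any any" the implicit deny blocks the ping as well.
    out["deny_only_ping"] = evaluate(WEB[:-1], Packet("icmp", PC1, SERVER1))[0]
    return out


if __name__ == "__main__":
    for check, verdict in lab_results().items():
        print(f"{check:32s} {verdict}")
```

Running the script prints one permit/deny verdict per check. Two details of the lab's sequence are worth keeping in mind: the standard ACL on R2 filters on source address only, so it is Server1's reply leaving f0/1 that is dropped, not PC2's request; and the `eq 20` entry of the ftp list is kept exactly as the lab writes it, but in active-mode FTP the data connection is opened by the server from port 20 toward the client, so a client-to-server packet with destination port 20 does not occur and the `eq 21` entry is the one that actually blocks the session.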

Origin blog.csdn.net/m0_63624418/article/details/130464394