Extended ACL configuration
【Purpose】
- Master the configuration of extended ACLs.
- Understand the function of an extended ACL.
- Verify the configuration.
【Experimental Topology】
The experimental topology is shown in Figure 1.
Figure 1 Experimental topology
The equipment parameters are shown in Table 1.
Table 1 Equipment parameter table
| equipment | interface | IP address | subnet mask | default gateway |
| --- | --- | --- | --- | --- |
| R1 | S0/3/0 | 192.168.1.1 | 255.255.255.252 | N/A |
| R1 | F0/0 | 192.168.2.1 | 255.255.255.0 | N/A |
| R2 | S0/3/0 | 192.168.1.2 | 255.255.255.252 | N/A |
| R2 | F0/0 | 172.16.10.254 | 255.255.255.0 | N/A |
| PC1 | N/A | 192.168.2.2 | 255.255.255.0 | 192.168.2.1 |
| Server1 | N/A | 172.16.10.1 | 255.255.255.0 | 172.16.10.254 |
【Experimental content】
1. Configure the routing protocol
(1) Basic configuration of R1
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface f0/0
R1(config-if)#ip address 192.168.2.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
R1(config-if)#interface s0/3/0
R1(config-if)#ip address 192.168.1.1 255.255.255.252
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/3/0, changed state to down
R1(config-if)#exit
R1(config)#
%LINK-5-CHANGED: Interface Serial0/3/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to up
R1(config-if)#exit
R1(config)#ip route 172.16.10.0 255.255.255.0 serial 0/3/0
//Configure a static route to 172.16.10.0/24 via Serial0/3/0
(2) Basic configuration of R2
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface f0/0
R2(config-if)#ip address 172.16.10.254 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
R2(config-if)#interface s0/3/0
R2(config-if)#ip address 192.168.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
%LINK-5-CHANGED: Interface Serial0/3/0, changed state to up
R2(config-if)#exit
R2(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to up
R2(config)#ip route 192.168.2.0 255.255.255.0 serial 0/3/0
//Configure a static route back to 192.168.2.0/24 via Serial0/3/0
(3) Basic configuration of Server1
(4) Verify connectivity
(5) Verify that PC1 accesses the service
① Access Web service
② Access FTP service
③ Access DNS service
2. Configure extended ACL to disable web services
(1) Configuration of R1
R1(config)#ip access-list extended 100
//Create extended ACL 100 and enter its configuration mode
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www
//Deny TCP port 80 (www) from 192.168.2.0/24 to 172.16.10.0/24
R1(config-ext-nacl)#permit ip any any
//Allow all other traffic; without this line the implicit deny at the end of the ACL would block it
R1(config)#interface serial 0/3/0
R1(config-if)#ip access-group 100 out
//Apply ACL 100 to the outbound direction of Serial0/3/0
(2) Verify Web service
//After the web service is disabled, the web server cannot be accessed
3. Configure extended ACL to disable FTP service
(1) Configuration of R1
R1(config)#ip access-list extended 100
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 20
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 21
R1(config-ext-nacl)#permit ip any any
R1(config)#interface serial 0/3/0
R1(config-if)#ip access-group 100 out
(2) Verify FTP service
//After the FTP service is disabled, the FTP server cannot be accessed
4. Configure extended ACL to disable DNS service
(1) Configuration of R1
R1(config)#ip access-list extended 100
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 53
R1(config-ext-nacl)#deny udp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 53
R1(config-ext-nacl)#permit ip any any
R1(config)#interface serial 0/3/0
R1(config-if)#ip access-group 100 out
(2) Verify DNS service
//After disabling the DNS service, the DNS server cannot be accessed
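To make the first-match behaviour behind steps 2 to 4 concrete, the following Python model (added here; it is not part of the lab and not IOS code) parses the ACL 100 entries exactly as typed at the R1(config-ext-nacl)# prompt, applies Cisco wildcard-mask matching, and evaluates PC1-to-Server1 packets. It also shows the check a practitioner should make between steps: re-entering `ip access-list extended 100` and typing new deny lines without clearing the list appends them after `permit ip any any`, where they can never match.

```python
"""Model of first-match evaluation for the extended ACL 100 used in this lab."""
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "domain": 53}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care', so 0.0.0.255 matches a /24."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def parse_ace(line):
    """Parse one entry as typed at the R1(config-ext-nacl)# prompt:
    '<permit|deny> <proto> <src wc | any> <dst wc | any> [eq <port>]'."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    addrs = []
    for _ in range(2):  # source, then destination
        if tok[i] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255")); i += 1
        else:
            addrs.append((tok[i], tok[i + 1])); i += 2
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"action": action, "proto": proto, "src": addrs[0], "dst": addrs[1], "dport": dport}


def evaluate(acl, proto, src, dst, dport):
    """Return 'permit' or 'deny': the first matching entry wins, and a packet that
    matches nothing hits the implicit deny that ends every IOS ACL."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


# ACL 100 exactly as built in step 2 (PC1 = 192.168.2.2, Server1 = 172.16.10.1).
STEP2 = [parse_ace(l) for l in (
    "deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www",
    "permit ip any any",
)]
# Typing the step-3 FTP deny into the existing ACL 100 without clearing it first
# APPENDS the entry after 'permit ip any any', so it never matches (constructed case).
APPENDED = STEP2 + [parse_ace("deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 21")]

if __name__ == "__main__":
    for name, acl, port in (("web", STEP2, 80), ("ftp", STEP2, 21), ("ftp-appended", APPENDED, 21)):
        print(name, evaluate(acl, "tcp", "192.168.2.2", "172.16.10.1", port))
```

On a real router, `show access-lists 100` displays the entries in the order they are evaluated, which is the quickest way to spot a deny that landed below the final permit.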