Router1(config-std-nacl)#deny any
Router1(config-std-nacl)#exit
Router1(config)#int s0/0
Router1(config-if)#ip access-group ?
  <1-199>  IP access list (standard or extended)
  WORD     Access-list name
Router1(config-if)#ip access-group 10 ?
  in   inbound packets
  out  outbound packets
Router1(config-if)#ip access-group 10 out ?
  <cr>
Router1(config-if)#ip access-group 10 out
Router1(config-if)#^Z
%SYS-5-CONFIG_I: Configured from console by console
Router1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Router1#
With the access-control policy configured, we now test it. If the policy works, PC1 can ping any node on the network, while PC4 can only ping nodes in 10.1.1.0/24 and 10.2.2.0/24; everything else is unreachable.
C:\>ipconfig          // PC1
IP Address......................: 10.1.1.3
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.1.1.1
C:\>ping 192.168.1.2  // ping PC2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=140ms TTL=126
Reply from 192.168.1.2: bytes=32 time=156ms TTL=126
Reply from 192.168.1.2: bytes=32 time=140ms TTL=126
Reply from 192.168.1.2: bytes=32 time=125ms TTL=126
Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 125ms, Maximum = 156ms, Average = 140ms
C:\>ping 192.168.2.2  // ping PC6
Pinging 192.168.2.2 with 32 bytes of data:
Reply from 192.168.2.2: bytes=32 time=110ms TTL=126
Reply from 192.168.2.2: bytes=32 time=140ms TTL=126
Reply from 192.168.2.2: bytes=32 time=156ms TTL=126
Reply from 192.168.2.2: bytes=32 time=111ms TTL=126
Ping statistics for 192.168.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 110ms, Maximum = 156ms, Average = 129ms
C:\>ping 10.2.2.2     // ping PC4
Pinging 10.2.2.2 with 32 bytes of data:
Reply from 10.2.2.2: bytes=32 time=109ms TTL=127
Reply from 10.2.2.2: bytes=32 time=94ms TTL=127
Reply from 10.2.2.2: bytes=32 time=110ms TTL=127
Reply from 10.2.2.2: bytes=32 time=109ms TTL=127
Ping statistics for 10.2.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 94ms, Maximum = 110ms, Average = 105ms
C:\>
PC1 can ping PC2, PC6 and PC4, as expected.
C:\>ipconfig          // PC4
IP Address......................: 10.2.2.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.2.2.1
C:\>ping 192.168.1.2  // ping PC2
Pinging 192.168.1.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 192.168.2.2  // ping PC6
Pinging 192.168.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.2.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>ping 10.1.1.2     // ping PC0
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time=96ms TTL=127
Reply from 10.1.1.2: bytes=32 time=109ms TTL=127
Reply from 10.1.1.2: bytes=32 time=125ms TTL=127
Reply from 10.1.1.2: bytes=32 time=109ms TTL=127
Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 96ms, Maximum = 125ms, Average = 109ms
C:\>
As expected, PC4 cannot ping PC2 or PC6 but can ping PC0; the goal is met and Task 1 is complete.
Tasks 2 and 3 are analysed only; the detailed lab steps are left for the reader to carry out.
6.4.4 Task 2 analysis
For Router1: prevent the two computers 10.1.1.2/24 and 192.168.2.2/24 from accessing the router; permit everything else.
First, the two computers sit behind different interfaces of the router: 10.1.1.2/24 is on the Fa0/0 side of Router1 and 192.168.2.2/24 on its S0/0 side, so two access lists are needed to meet the requirement.
Second, both lists are applied to Router1's interfaces in the inbound direction (in).
Third, each list consists of two entries: a deny first, then a permit. The deny must be a host entry (wildcard 0.0.0.0, i.e. host 10.1.1.2); a wildcard of 0.0.0.255 would block the whole subnet.
Note that a standard ACL matches on the source address only, so an inbound deny for a host also drops that host's traffic forwarded through Router1 to every other network, not just packets addressed to the router itself. If only access to the router is to be blocked, an extended ACL that matches the router's addresses as destination, or an access-class on the vty lines, is the more precise tool.
6.4.5 Task 3 analysis
For Router2: allow the network 192.168.1.0/24 and the computer 192.168.2.2/24 to access the external network; deny everything else.
The network 192.168.1.0/24 and the computer 192.168.2.2/24 lie beyond Router2's Fa0/0 and Fa0/1 respectively, but because the requirement concerns access to the external network the situation differs from Task 2. First, a single access list suffices. Second, it is applied to Router2's S0/0 in the outbound direction (out). Third, the list needs three entries: two permits followed by a deny. The network entry is written with a wildcard mask (192.168.1.0 0.0.0.255), the single computer as a host entry. Because the list filters on source address, it also drops the replies that any other host behind Router2 sends to a session initiated from the external network.
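The reachability claims in the Task 1 test and in the analyses of Tasks 2 and 3 can be checked without a lab by modelling how a standard ACL is evaluated. The following Python script is an added example written for this edition, not part of the original lab: it parses access-list and ip access-group lines in IOS syntax, binds them to an interface and direction, and walks each packet through Router1 and Router2 the way the routers would (inbound list on the ingress interface, outbound list on the egress interface, first match wins, implicit deny at the end). It assumes details the lab does not state: that Router1's 10.2.2.0/24 LAN is on Fa0/1, that each router holds the .1 address of its LANs, that the Task 1 list contains permit 10.1.1.3 ahead of the deny any shown in the transcript, and the ACL numbers 11, 12 and 20 for Tasks 2 and 3; the host 192.168.2.3 used to probe the Task 3 policy is constructed.

```python
"""Reachability model for IOS standard ACLs on the lab's two-router topology.
Assumed, not on the page: 10.2.2.0/24 is on Router1 Fa0/1, LAN gateways are the
.1 addresses, and Task 1's list begins 'permit 10.1.1.3' before the 'deny any'."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

Addr, Net = ipaddress.IPv4Address, ipaddress.IPv4Network
Ace = namedtuple("Ace", "action addr wildcard")  # wildcard: 1 bits are "don't care"

def parse_ace(action, target):
    """Targets: 'any', 'host A', bare 'A' (host shorthand) or 'A WILDCARD'."""
    if target == ["any"]:
        return Ace(action, 0, 0xFFFFFFFF)
    addr = int(Addr(target[1] if target[0] == "host" else target[0]))
    return Ace(action, addr, int(Addr(target[1])) if len(target) == 2 and target[0] != "host" else 0)

def matches(ace, ip):  # IOS compares (ip XOR addr) only on the bits the wildcard keeps
    return (int(ip) ^ ace.addr) & ~ace.wildcard & 0xFFFFFFFF == 0

@dataclass
class Router:
    name: str
    lans: dict                                    # iface -> connected network
    wan_if: str                                   # iface facing the other router
    acls: dict = field(default_factory=dict)      # acl number -> [Ace, ...]
    bindings: dict = field(default_factory=dict)  # (iface, "in"/"out") -> acl number

    def lan_if(self, ip):
        return next((i for i, net in self.lans.items() if ip in net), None)

    def is_self(self, ip):  # assumed: the router holds the .1 address of each LAN
        return any(ip == net[1] for net in self.lans.values())

    def load(self, config):
        """Load 'access-list N ...' lines and 'interface X' / ' ip access-group N in|out'."""
        iface = None
        for w in filter(None, map(str.split, config.splitlines())):
            if w[0] == "access-list":
                self.acls.setdefault(w[1], []).append(parse_ace(w[2], w[3:]))
            elif w[0] == "interface":
                iface = w[1].lower()
            elif w[:2] == ["ip", "access-group"] and iface:
                self.bindings[(iface, w[3])] = w[2]
            else:
                raise ValueError("unsupported line: " + " ".join(w))

    def check(self, iface, direction, src):
        """Nothing bound, or bound to an ACL with no entries: filters nothing (a mistyped
        number silently opens the interface). Else first match wins, then implicit deny."""
        entries = self.acls.get(self.bindings.get((iface, direction)))
        if not entries:
            return "permit"
        return next((a.action for a in entries if matches(a, src)), "deny")

def forward(routers, src, dst):
    """Trace one packet src -> dst: ('permit', None) or ('deny', 'Router iface dir')."""
    src, dst = Addr(src), Addr(dst)
    first = next(r for r in routers if r.lan_if(src))
    in_if, local = first.lan_if(src), first.is_self(dst)
    if not local and first.lan_if(dst) == in_if:
        return "permit", None  # same subnet: the router never sees the packet
    if local or first.lan_if(dst):  # out-interface None = delivered to the router itself
        hops = [(first, in_if, None if local else first.lan_if(dst))]
    else:  # across the serial link to the other router
        other = next(r for r in routers if r is not first)
        hops = [(first, in_if, first.wan_if),
                (other, other.wan_if, None if other.is_self(dst) else other.lan_if(dst))]
    for r, i, o in hops:
        if r.check(i, "in", src) == "deny":
            return "deny", f"{r.name} {i} in"
        if o and r.check(o, "out", src) == "deny":
            return "deny", f"{r.name} {o} out"
    return "permit", None

def ping_ok(routers, src, dst):
    """An echo succeeds only if the request and the reply both pass every ACL."""
    return all(forward(routers, a, b)[0] == "permit" for a, b in ((src, dst), (dst, src)))

POLICIES = {  # (router, IOS lines) per task; ACL numbers 11, 12 and 20 are my choice
    1: ("Router1", "access-list 10 permit 10.1.1.3\naccess-list 10 deny any\n"
                   "interface s0/0\n ip access-group 10 out"),
    2: ("Router1", "access-list 11 deny host 10.1.1.2\naccess-list 11 permit any\n"
                   "access-list 12 deny host 192.168.2.2\naccess-list 12 permit any\n"
                   "interface fa0/0\n ip access-group 11 in\ninterface s0/0\n ip access-group 12 in"),
    3: ("Router2", "access-list 20 permit 192.168.1.0 0.0.0.255\n"
                   "access-list 20 permit host 192.168.2.2\naccess-list 20 deny any\n"
                   "interface s0/0\n ip access-group 20 out"),
}

def task_lab(task, config=None):
    """Fresh topology with one task's policy (or replacement `config` lines) loaded."""
    r1 = Router("Router1", {"fa0/0": Net("10.1.1.0/24"), "fa0/1": Net("10.2.2.0/24")}, "s0/0")
    r2 = Router("Router2", {"fa0/0": Net("192.168.1.0/24"), "fa0/1": Net("192.168.2.0/24")}, "s0/0")
    {"Router1": r1, "Router2": r2}[POLICIES[task][0]].load(config or POLICIES[task][1])
    return [r1, r2]

if __name__ == "__main__":
    print("task 1, PC4 -> PC2:", forward(task_lab(1), "10.2.2.2", "192.168.1.2"))
    print("task 2, PC0 -> PC4 (collateral):", forward(task_lab(2), "10.1.1.2", "10.2.2.2"))
```

Three results are worth noticing. Under Task 1 the model reproduces the ping results recorded above, and also shows that PC2 cannot ping PC4 even though nothing filters the request: the reply from PC4 is dropped by list 10 on Router1 S0/0. Under Task 2 the inbound deny for 10.1.1.2 on Fa0/0 also drops PC0's traffic to PC4, because a standard ACL sees only the source address. Under Task 3 a host in 192.168.2.0/24 other than 192.168.2.2 is unreachable from PC1 for the same reply-path reason. Loading an entry such as access-list 20 permit 192.168.1.0 255.255.255.0, a subnet mask typed where IOS expects a wildcard, shows the classic mistake: it matches only addresses whose last octet is 0, so PC2 is denied. Call forward or ping_ok with any pair of lab addresses to try other flows.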
6.5 Lab exercise
Suppose that network 192.168.1.0/24 is a company's finance department. Requirements: first, the finance department may not access the external network but may access any node of the internal network, i.e. any node in 192.168.2.0/24 and 192.168.1.0/24; second, no internal node outside the finance department itself, and no external node, may access the finance department. Design this access policy.