Switch and Router Technology-31-Extended ACL
2022-08-11 04:55:00 【w Spicy little prince】
Extended ACL
ACL application rules
Only one ACL can be applied per direction on an interface.
access-list 1 deny host 192.168.1.1
access-list 2 deny host 192.168.2.1
int f0/0
ip access-group 1 in    # this entry takes effect
ip access-group 2 in    # this entry does not take effect (a second inbound ACL on the same interface is rejected)
ip access-group 2 out   # there is no traffic from 192.168.2.1 in the outbound direction at all, so this is effectively a no-op configuration
This can be handled by applying ACLs in both the in and out directions on the same router; pay attention to the direction in which the traffic flows.
Extended ACL: filters on source IP, destination IP, a specified protocol, port number, and flag bits. Table (list) numbers: 100 to 199.
Extended ACL configuration example
Lab requirements
1. PC0 cannot access the DNS service on Server0; other services are unaffected.
2. PC1 cannot access the HTTP service on Server0; other services are unaffected.
3. Neither host can ping Server0.
Build the topology as shown in the figure: divide the subnets, configure IP addresses (the server also needs an IP), then configure static routes so that all hosts and the server can reach each other. Enable DNS on the server and add a resource record www.test.com 123.123.123.123. Once these settings are done, the experiment can begin.
PC1 pings the server
PC0 pings the server
Test the HTTP service
Test the DNS service
This step requires the host's DNS server to be set to the server's IP.
Think: on which router should the ACL be configured? At the ingress or at the egress?
Try not to carry useless traffic on the link.
Reduce the router's workload.
Try to configure everything in a single table (one ACL).
In this topology, either several ACL numbers are applied directly at the ingress interfaces, or a single ACL number is applied directly at the egress, i.e. the g0/1 interface of Router 1.
DNS is an application-layer protocol based on UDP; the port is 53.
HTTP is an application-layer protocol based on TCP; the port is 80.
eq equal to
gt greater than
lt less than
neq not equal to
range a range of ports
The configuration on R1 is as follows
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 160 deny ?
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
Router(config)#access-list 160 deny icmp ?
A.B.C.D Source address
any Any source host
host A single source host
Router(config)#access-list 160 deny icmp host 192.168.10.2 ?
A.B.C.D Destination address
any Any destination host
host A single destination host
Router(config)#access-list 160 deny icmp host 192.168.10.2 host 192.168.30.2
Router(config)#
Router(config)#access-list 160 deny icmp host 192.168.20.2 host 192.168.30.2
Router(config)#
Router(config)#access-list 160 deny tcp host 192.168.10.2 host 192.168.30.2 eq 80
Router(config)#
Router(config)#access-list 160 deny udp host 192.168.20.2 host 192.168.30.2 eq 53
Router(config)#
Router(config)#access-list 160 permit ip any any
Check the result
PC0 cannot use the DNS service, but the HTTP service is unaffected.
PC1 is the opposite; not demonstrated.
Summary:
Extended ACL commands:
Deny first, then permit: the last entry is permit ip any any, which lets all other IP traffic through.
access-list <number> permit|deny <protocol: icmp|ip|tcp|udp> host <source address> host <destination address> [eq|gt|lt|neq|range <port number>]
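As an added illustration (not code from the original post), the following Python model evaluates ACL 160 from R1's configuration above using the command syntax summarised here; the parser, the matcher and the sample packets are my own, and only the eq operator with host/any addresses is modelled.

```python
def parse_acl(config_lines):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines.
    SRC/DST are either 'any' or 'host A.B.C.D'; other forms are rejected."""
    entries = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        addrs = []
        while len(addrs) < 2:  # read the source, then the destination
            if rest and rest[0] == "any":
                addrs.append("any")
                rest = rest[1:]
            elif len(rest) >= 2 and rest[0] == "host":
                addrs.append(rest[1])
                rest = rest[2:]
            else:
                raise ValueError(f"expected 'any' or 'host A.B.C.D': {line!r}")
        port = int(rest[1]) if rest[:1] == ["eq"] else None  # only 'eq' modelled
        entries.append((action, proto, addrs[0], addrs[1], port))
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    for action, e_proto, e_src, e_dst, e_port in entries:
        if e_proto != "ip" and e_proto != proto:  # 'ip' matches every protocol
            continue
        if e_src != "any" and e_src != src:
            continue
        if e_dst != "any" and e_dst != dst:
            continue
        if e_port is not None and e_port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every Cisco ACL

# The five entries exactly as typed on R1 in the post (ACL 160).
R1_ACL = parse_acl([
    "access-list 160 deny icmp host 192.168.10.2 host 192.168.30.2",
    "access-list 160 deny icmp host 192.168.20.2 host 192.168.30.2",
    "access-list 160 deny tcp host 192.168.10.2 host 192.168.30.2 eq 80",
    "access-list 160 deny udp host 192.168.20.2 host 192.168.30.2 eq 53",
    "access-list 160 permit ip any any",
])

if __name__ == "__main__":
    print(evaluate(R1_ACL, "udp", "192.168.20.2", "192.168.30.2", 53))  # deny
    print(evaluate(R1_ACL, "tcp", "192.168.20.2", "192.168.30.2", 80))  # permit
```

Reversing the entry order so that permit ip any any comes first lets everything through, which is why the post insists on deny first, then permit.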