问题
使用基本编号的ACL没有实际意义,只有通过阅读具体的条目才能得知该ACL的作用。而且ACL的编号有限制,如传统的标准ACL用1~99表示,扩展ACL用100~199表示。
配置扩展命名ACL允许PC1访问192.168.4.1的www服务但拒绝访问192.168.4.1的其他服务,PC2、PC3无限制。
方案
命名访问控制列表可以为ACL起一个有意义的名字,通过名称就可以得知该ACL要实现什么功能。同时,因为使用的是名称而不是数字,也就没有了ACL数量上的限制。
步骤
1.将配置扩展ACL中的扩展访问控制列表移除,其他配置保留
tarena-R1(config)#no access-list 100 permit tcp host 192.168.1.1 host 192.168.4.1 eq www
tarena-R1(config)#interface fastEthernet 0/0
tarena-R1(config-if)#no ip access-group 100 in
2.在R1上配置扩展命名访问控制列表
命名访问控制列表的配置总体上和用数字表示的ACL一样,但是更加灵活。
tarena-R1(config)# ip access-list extended text
tarena-R1(config-ext-nacl)#permit tcp host 192.168.1.1 host 192.168.4.1 eq 80
tarena-R1(config-ext-nacl)#deny ip host 192.168.1.1 host 192.168.4.1
tarena-R1(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 host 192.168.4.1
tarena-R1(config)#interface fastEthernet 0/0
tarena-R2(config-if)# ip access-group text in
3.在R1上查看相关的ACL信息
·tarena-R1#show ip access-lists
Extended IP access list tarena
10 permit tcp host 192.168.1.1 host 192.168.4.1 eq www
20 deny ip host 192.168.1.1 host 192.168.4.1
30 permit ip 192.168.1.0 0.0.0.255 host 192.168.4.1
4.在PC1上验证
PC>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2E0:F7FF:FED6:54CC
IP Address......................: 192.168.1.1
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.254
PC>ping 192.168.4.1
Pinging 192.168.4.1 with 32 bytes of data:
Reply from 192.168.1.254: Destination host unreachable.
Reply from 192.168.1.254: Destination host unreachable.
Reply from 192.168.1.254: Destination host unreachable.
Reply from 192.168.1.254: Destination host unreachable.
Ping statistics for 192.168.4.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
从输入结果可以验证,PC1到Web Server的http访问没有受到影响,但不能ping通192.168.4.1
5.在PC2上进行验证
PC>ipconfig
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2E0:F7FF:FED6:54CC
IP Address......................: 192.168.1.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.0.1
PC>ping 192.168.4.1
Pinging 192.168.4.1 with 32 bytes of data:
Reply from 192.168.4.1: bytes=32 time=0ms TTL=126
Reply from 192.168.4.1: bytes=32 time=0ms TTL=126
Reply from 192.168.4.1: bytes=32 time=0ms TTL=126
Reply from 192.168.4.1: bytes=32 time=0ms TTL=126
Ping statistics for 192.168.4.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms