学习新思想，争做新青年。今天学习访问控制列表ACL

实验拓扑

实验要求

①允许三台PC访问FTP和WEB
②不允许三台PC访问FTP和WEB
③允许PC1访问，不允许PC2PC3访问
④允许PC1访问FTP，PC2PC3访问WEB，不允许PC1访问WEB，PC2PC3访问FTP
⑤PC1可以访问PC3，PC2不可以访问PC3

实验配置

基础配置

R1:
sys
sysname R1
int g0/0/0
ip add 172.16.1.254 24
int g0/0/1
ip add 172.16.2.254 24
int g0/0/2
ip add 172.16.3.254 24
int g0/0/3
ip add 192.168.1.254 24

S1:
sys
sysname S1
int vlanif 1
ip add 192.168.1.1 24

要求配置

①允许三台PC访问FTP和WEB
acl 2000
rule 5 permit source 172.16.1.1 0
rule 10 permit source 172.16.2.1 0
rule 15 permit source 172.16.3.1 0

②不允许三台PC访问FTP和WEB
acl 2001
rule 5 deny source 172.16.1.1 0
rule 10 deny source 172.16.2.1 0
rule 15 deny source 172.16.3.1 0

③允许PC1访问，不允许PC2PC3访问
acl 2002
rule 5 permit source 172.16.1.1 0
rule 10 deny source 172.16.2.1 0
rule 15 deny source 172.16.3.1 0

④允许PC1访问FTP，PC2PC3访问WEB，不允许PC1访问WEB，PC2PC3访问FTP
acl 3000
rule 5 permit tcp destination-port eq ftp source 172.16.1.1 0 destination 192.168.1.10 0
rule 10 permit tcp destination-port eq www source 172.16.2.1 0 destination 192.168.1.30 0
rule 15 permit tcp destination-port eq www source 172.16.3.1 0 destination 192.168.1.30 0
rule 20 deny tcp destination-port eq www source 172.16.1.1 0 destination 192.168.1.30 0
rule 25 deny tcp destination-port eq www source 172.16.2.1 0 destination 192.168.1.10 0
rule 30 deny tcp destination-port eq www source 172.16.3.1 0 destination 192.168.1.10 0
rule 35 deny any

⑤PC1可以访问PC3，PC2不可以访问PC3
acl 3001
rule 5 permit tcp destination-port eq icmp source 172.16.1.1 0 destionation 172.16.3.1 0
rule 10 deny tcp destination-port eq icmp source 172.16.2.1 0 destionation 172.16.3.1 0
rule 15 deny any any