訪問控制列表
通過檢查源IP地址、目標IP地址、協議、源埠及目標埠來執行檢查

匹配規則
依次匹配、匹配即停止、預設拒絕

建立標準ACL(1-99)
access-list number {permit|deny|source} 反碼

隱含拒絕語句
access-list number deny 0.0.0.0 255.255.255.255

關鍵字host、any
access-list number permit host 具體IP地址
access-list number deny any

將標準ACL應用於介面
ip access-group access-list-number {in|out}

擴充套件ACL(100-199)支援協議過濾
access-list number permit protocol source 反碼 destination 反碼 （eq等於、lt小於、gt大於、neq不等於+埠號）

access-list 101 deny icmp 192.168.20.0 0.0.0.255 host 192.168.10.0

access-list 101 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.0 eq 21

access-list 101 permit ip 192.168.10.0 0.0.0.255 host 192.168.20.0 0.0.0.255

命名ACL

實驗拓撲圖R1配置

R1#conf t
Enter configuration commands, one per
line.  End with CNTL/Z.
R1(config)#int f0/0
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#no sh
R1(config-if)#int f1/0
R1(config-if)
 
#ip add 10.0.0.1 255.255.255.252
% Warning: use /31 mask on non
point-to-point interface cautiously
R1(config-if)#no sh
R1(config-if)#int loopback0
R1(config-if)#ip add 1.1.1.1 255.255.255.255
R1(config-if)#no sh
R1(config-if)#exit
R1(config)#router rip
R1(config-router)#no auto-summary
R1(config-router)#version 2
R1(config-router)#net 10.0.0.0
R1(config-router)#net 192.168.10.0
R1(config-router)#net 1.1.1.1

R2配置

R2#conf t
Enter configuration commands, one per
line.  End with CNTL/Z.
R2(config)#int f0/0
R2(config-if)#ip add 10.0.0.2 255.255.255.252
% Warning: use /31 mask on non
point-to-point interface cautiously
R2(config-if)#no sh
R2(config-if)#int f1/0
R2(config-if)#ip add 20.0.0.1 255.255.255.252
% Warning: use /31 mask on non
point-to-point interface cautiously
R2(config-if)#no sh
R2(config-if)#int loopback0
R2(config-if)#ip add 2.2.2.2 255.255.255.255
R2(config-if)#no sh
R2(config-if)#exit
R2(config)#router rip
R2(config-router)#no auto-summary
R2(config-router)#version 2
R2(config-router)#net 10.0.0.0
R2(config-router)#net 20.0.0.0
R2(config-router)#net 2.2.2.2
*Mar 
1 00:00:37.027: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Loopback0, changed state to up
R2(config-router)#net 2.2.2.2

R3配置

R3(config)#int f0/0
R3(config-if)#ip add 192.168.20.1 255.255.255.0
R3(config-if)#no sh
R3(config-if)#int f1/0
R3(config-if)#ip add 20.0.0.2 255.255.255.252
% Warning: use /31 mask on non
point-to-point interface cautiously
R3(config-if)#no sh
R3(config-if)#int loopback0
R3(config-if)#ip add 3.3.3.3 255.255.255.255
R3(config-if)#no sh
R3(config-if)#exit
R3(config)#router rip
R3(config-router)#no auto-summary
R3(config-router)#version 2
R3(config-router)#net 20.0.0.0
R3(config-router)#net 192.168.20.0
R3(config-router)#net 3.3.3.3

PC1配置

pc1#conf t
Enter configuration commands, one per
line.  End with CNTL/Z.
pc1(config)#no ip routing
pc1(config)#int f0/0
pc1(config-if)#ip add 192.168.10.10 255.255.255.0
pc1(config-if)#no sh
pc1(config-if)#ip default-gateway 192.168.10.1

PC2配置

pc2#conf t
Enter configuration commands, one per
line.  End with CNTL/Z.
pc2(config)#no ip routing
pc2(config)#int f0/0
pc2(config-if)#ip add 192.168.20.10 255.255.255.0
pc2(config-if)#no sh
pc2(config-if)#ip default-gateway 192.168.20.1

測試PC1pingPC2

R2上配置標準ACL，禁ping並測試能否ping通

R2(config)#access-list 1 deny host 192.168.20.10
R2(config)#int f0/0
R2(config-if)#ip access-group 1 in

測試PC1是否還能ping通PC2

R2上配置擴充套件ACL

R2(config)#access-list  101  deny  ip 192.168.10.0  0.0.0.255  192.168.20.0  0.0.0.255

應用擴充套件ACL

R2(config)#int f0/0
R2(config-if)#ip access-group 101 in

PC1pingPC2

ACL

R2(config)#ip access-list extended  ex200
R2(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 host 192.168.20.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 host 192.168.20.0 
R2(config-ext-nacl)#deny any
(config-ext-nacl)#int f0/0
R2(config-if)#ip access-group ex200 in

試PC1pingPC2