Monday, January 8, 2018

Cisco-ACL

ACL type                         Number range or name   What it checks
Numbered standard                1-99, 1300-1999        Source IP address or subnet
Numbered extended                100-199, 2000-2699     Source, destination, protocol, service (port)
Named (standard and extended)    Name


1. Numbered standard ACL
Permit host 192.168.0.1
Router(config)#access-list 1 permit host 192.168.0.1

Deny host 192.168.0.2
Router(config)#access-list 1 deny host 192.168.0.2

Permit subnet 192.168.1.0-192.168.1.255
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

Deny subnet 192.168.2.0-192.168.2.127
Router(config)#access-list 1 deny 192.168.2.0 0.0.0.127

Deny subnet 192.168.3.0-192.168.3.63
Router(config)#access-list 1 deny 192.168.3.0 0.0.0.63

Apply the ACL on gi0/0 (outbound)
Router(config)#int gi0/0
Router(config-if)#ip access-group 1 out

Show the ACL
Router#show access-lists
Standard IP access list 1
10 permit host 192.168.0.1
20 deny host 192.168.0.2
30 permit 192.168.0.128 0.0.0.127
40 permit 192.168.1.0 0.0.0.255
50 deny 192.168.2.0 0.0.0.127
60 deny 192.168.3.0 0.0.0.63

Permit 192.168.0.0-192.168.255.255 to reach the router over VTY (Telnet)
Router(config)#access-list 10 permit 192.168.0.0 0.0.255.255
Router(config)#line vty 0 15
Router(config-line)#access-class 10 in
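As an added example (not code from the original post), the following Python script reproduces the matching logic of a standard ACL so the entries above can be checked offline: it derives a wildcard mask from a prefix length, lists the address range each entry covers, and evaluates source addresses against ACL 1 and ACL 10 in first-match order with the implicit deny at the end. The rule tables are transcribed from the show output above; the sample source addresses are constructed for this example.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_prefix(prefix_len):
    """Wildcard mask = bitwise inverse of the subnet mask, e.g. /24 -> 0.0.0.255, /25 -> 0.0.0.127."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def wildcard_range(network, wildcard):
    """First and last address a 'network wildcard' entry covers (the ranges the headings above list)."""
    net, wc = _to_int(network), _to_int(wildcard)
    first = net & (0xFFFFFFFF ^ wc)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(first | wc))


def wildcard_match(addr, network, wildcard):
    """IOS compares only the bits where the wildcard bit is 0; a 1 bit means 'don't care'."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(network) & care)


# Entries as (sequence, action, network, wildcard), transcribed from the show output above.
# 'host X' is X with wildcard 0.0.0.0; 'any' would be 0.0.0.0 255.255.255.255.
ACL_1 = [
    (10, "permit", "192.168.0.1", "0.0.0.0"),
    (20, "deny", "192.168.0.2", "0.0.0.0"),
    (30, "permit", "192.168.0.128", "0.0.0.127"),
    (40, "permit", "192.168.1.0", "0.0.0.255"),
    (50, "deny", "192.168.2.0", "0.0.0.127"),
    (60, "deny", "192.168.3.0", "0.0.0.63"),
]
# ACL 10 is the one applied to the VTY lines with 'access-class 10 in'.
ACL_10 = [(10, "permit", "192.168.0.0", "0.0.255.255")]


def evaluate_standard(acl, src):
    """First matching entry wins; a packet matching nothing hits the implicit deny (sequence None)."""
    for seq, action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action, seq
    return "deny", None


if __name__ == "__main__":
    for prefix in (16, 24, 25, 26):
        print(f"/{prefix:<3} wildcard {wildcard_from_prefix(prefix)}")
    for _, action, network, wildcard in ACL_1:
        print(f"{action:6} {network} {wildcard} covers {'-'.join(wildcard_range(network, wildcard))}")
    # Constructed sample sources: one per entry plus two that match nothing.
    for src in ("192.168.0.1", "192.168.0.2", "192.168.0.200", "192.168.1.77",
                "192.168.2.130", "192.168.3.10", "10.0.0.1"):
        print(f"ACL 1  {src:15} -> {evaluate_standard(ACL_1, src)}")
    for src in ("192.168.77.5", "172.16.0.1"):
        print(f"ACL 10 {src:15} -> {evaluate_standard(ACL_10, src)}")
```

Two things the script makes visible that the command list alone does not: 192.168.2.128-255 is matched by no entry of ACL 1 and so is dropped by the implicit deny, and an ACL consisting only of deny entries blocks everything, which is why ACL 10 on the VTY lines needs its permit entry rather than a deny for the addresses to be excluded.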

2. Numbered extended ACL
Permit 192.168.0.1 to reach any address over any IP protocol
Router(config)#access-list 100 permit ip host 192.168.0.1 any

Deny any source from connecting to 192.168.0.1 on TCP port 80
Router(config)#access-list 100 deny tcp any host 192.168.0.1 eq 80

Deny 192.168.1.0-255 from connecting to 192.168.2.0-255 on TCP port 21
Router(config)#access-list 100 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 21

Deny all remaining packets
Router(config)#access-list 100 deny ip any any

Apply the ACL on gi0/1 (outbound)
Router(config)#int gi0/1
Router(config-if)#ip access-group 100 out

Show the ACL (IOS prints well-known ports by name: 80 as www, 21 as ftp)
Router#show access-lists
Extended IP access list 100
10 permit ip host 192.168.0.1 any
20 deny tcp any host 192.168.0.1 eq www
30 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq ftp
40 deny ip any any

3. Named ACLs (standard and extended)
Named standard ACL
Router(config)#ip access-list standard {<1-99>|Access-list name}
Router(config)#ip access-list standard teacher
Router(config-std-nacl)#permit 172.16.0.0 0.0.255.255
Router(config-std-nacl)#deny any
Router(config-std-nacl)#exit
Router(config)#int gi0/0
Router(config-if)#ip access-group teacher out
Router(config-if)#^Z
Router#sh ip access-lists
Standard IP access list teacher
10 permit 172.16.0.0 0.0.255.255
20 deny any


Named extended ACL
Router(config)#ip access-list extended {<100-199>|Access-list name}
Router(config)#ip access-list extended student
Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80
Router(config-ext-nacl)#deny ip any any
Router(config-ext-nacl)#exit
Router(config)#int gi0/1
Router(config-if)#ip access-group student out
Router(config-if)#^Z
Router#sh ip access-lists
Extended IP access list student
10 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
20 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq www
30 deny ip any any
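As an added example covering both the numbered extended ACL 100 and the named ACL student above (not code from the original post), this Python script parses `show access-lists` output in the format shown on this page, evaluates a packet's protocol, source, destination and destination port against the entries in first-match order, and reports entries that an earlier entry completely shadows. The ACL text is copied from the show output above; the port-name table and the sample packets are constructed for this example, and only the `eq` destination-port form used on this page is handled.

```python
import ipaddress

# Names IOS substitutes for well-known ports in 'show access-lists' (constructed subset for this example).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}

# ACL text copied from the show output on this page.
ACL_100_SHOW = """Extended IP access list 100
10 permit ip host 192.168.0.1 any
20 deny tcp any host 192.168.0.1 eq www
30 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq ftp
40 deny ip any any"""

STUDENT_SHOW = """Extended IP access list student
10 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
20 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq www
30 deny ip any any"""


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return ((network, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_show_access_list(text):
    """Turn the entry lines of one extended ACL into rule dicts; the header line is skipped."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, rest = _parse_addr(tokens[3:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:  # only 'eq' on the destination port is handled, as on this page
            dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        rules.append({"seq": seq, "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
    return rules


def _match(addr, network, wildcard):
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(network) & care)


def evaluate(rules, proto, src, dst, dport=None):
    """First-match evaluation of a packet; unmatched packets hit the implicit deny (sequence None)."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if not (_match(src, *r["src"]) and _match(dst, *r["dst"])):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["seq"]
    return "deny", None


def _covers(outer, inner):
    """True if every address matched by 'inner' (network, wildcard) is also matched by 'outer'."""
    on, ow = _ip(outer[0]), _ip(outer[1])
    inn, iw = _ip(inner[0]), _ip(inner[1])
    care = 0xFFFFFFFF ^ ow
    return (iw & care) == 0 and ((on ^ inn) & care) == 0


def shadowed_entries(rules):
    """(entry, earlier entry) pairs where the earlier entry matches everything the later one would."""
    found = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            proto_ok = e["proto"] in ("ip", r["proto"])
            port_ok = e["dport"] is None or e["dport"] == r["dport"]
            if proto_ok and port_ok and _covers(e["src"], r["src"]) and _covers(e["dst"], r["dst"]):
                found.append((r["seq"], e["seq"]))
                break
    return found


if __name__ == "__main__":
    acl100, student = parse_show_access_list(ACL_100_SHOW), parse_show_access_list(STUDENT_SHOW)
    # Constructed sample packets: (proto, src, dst, dst port).
    for pkt in (("tcp", "192.168.0.1", "10.0.0.9", 443), ("tcp", "10.0.0.9", "192.168.0.1", 80),
                ("tcp", "192.168.1.5", "192.168.2.9", 21), ("udp", "192.168.1.5", "192.168.2.9", 53)):
        print("ACL 100", pkt, "->", evaluate(acl100, *pkt))
    print("student shadowed entries:", shadowed_entries(student))
```

Running it reports that entry 20 of the student ACL can never match, because entry 10 already permits all IP traffic between the same two subnets; on the router the match counters that `show access-lists` prints beside each entry would show the same thing as a line that never increments. The explicit `deny ip any any` at the end of both ACLs behaves exactly like the implicit deny, but unlike the implicit deny it gets a match counter, which is the usual reason for writing it out.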
