| ACL type | Number range or name | What it checks |
|---|---|---|
| Numbered standard | 1-99, 1300-1999 | Source IP address or subnet only |
| Numbered extended | 100-199, 2000-2699 | Source, destination, protocol and service (port) |
| Named (standard and extended) | A name | Same checks as the numbered form of the same type, referenced by name |
1. Numbered standard ACL

A standard ACL matches only the source address. The wildcard mask is the inverse of a subnet mask: a 1 bit means "don't care". Entries are evaluated top to bottom, the first match wins, and every ACL ends with an implicit deny any, so a source that matches no entry is dropped. Because a standard ACL cannot see the destination, place it as close to the destination as possible.

Permit host 192.168.0.1
Router(config)#access-list 1 permit host 192.168.0.1
Deny host 192.168.0.2
Router(config)#access-list 1 deny host 192.168.0.2
Permit subnet 192.168.1.0~192.168.1.255
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Deny subnet 192.168.2.0~192.168.2.127
Router(config)#access-list 1 deny 192.168.2.0 0.0.0.127
Deny subnet 192.168.3.0~192.168.3.63
Router(config)#access-list 1 deny 192.168.3.0 0.0.0.63
Apply the ACL outbound on gi0/0 (it filters traffic leaving that interface, not traffic arriving on it)
Router(config)#int gi0/0
Router(config-if)#ip access-group 1 out
Display the ACL (IOS numbers the entries 10, 20, 30 ... in the order they were entered)
Router#show access-lists
Standard IP access list 1
10 permit host 192.168.0.1
20 deny host 192.168.0.2
30 permit 192.168.0.128 0.0.0.127
40 permit 192.168.1.0 0.0.0.255
50 deny 192.168.2.0 0.0.0.127
60 deny 192.168.3.0 0.0.0.63
Sequence 30 (192.168.0.128~192.168.0.255) appears in the output but is not among the commands listed above; it was entered on the router before the listing was taken.
Permit the range 192.168.0.0~192.168.255.255 to reach the router's VTY lines (Telnet or SSH)
Router(config)#access-list 10 permit 192.168.0.0 0.0.255.255
Router(config)#line vty 0 15
Router(config-line)#access-class 10 in
access-class filters the management sessions themselves, whatever transport the VTY lines accept; any source outside 192.168.0.0/16 is dropped by the implicit deny. Telnet carries the login credentials in cleartext, so prefer SSH on the VTY lines and keep this ACL as an additional restriction rather than the only one.
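To make the wildcard-mask and first-match rules above concrete, here is an added example in Python (not code from the original post). It converts the page's masks to address ranges and back, and evaluates ACL 1 and the VTY ACL 10 exactly as listed above against constructed sample source addresses, including the implicit deny. The function names and the sample addresses are my own assumptions; the ACL entries are the page's.

```python
# Added example, not from the original post: a model of how IOS evaluates a
# numbered standard ACL. Function names and sample addresses are assumptions
# for illustration; the ACL entries are the page's own.
import ipaddress

M32 = 0xFFFFFFFF

def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))

def matches(ip, network, wildcard):
    """IOS wildcard test: a 1 bit in the wildcard means 'don't care'."""
    return (ip_to_int(ip) ^ ip_to_int(network)) & ~ip_to_int(wildcard) & M32 == 0

def wildcard_range(network, wildcard):
    """(first, last) address covered by 'network wildcard'. Only a contiguous
    wildcard (0.0.0.127, not 0.0.255.0) describes a single range; IOS accepts
    either, which is why matches() is the real test."""
    net, wild = ip_to_int(network), ip_to_int(wildcard)
    if (wild + 1) & wild:
        raise ValueError("non-contiguous wildcard mask has no single range")
    first = net & ~wild & M32
    return int_to_ip(first), int_to_ip(first | wild)

def wildcard_for_range(first, last):
    """Inverse: the wildcard that covers exactly first..last, which must be an
    aligned power-of-two block (192.168.3.0..63 yes, 192.168.1.10..20 no)."""
    f, l = ip_to_int(first), ip_to_int(last)
    wild = f ^ l
    if (wild + 1) & wild or f & wild:
        raise ValueError("range is not an aligned power-of-two block")
    return int_to_ip(wild)

# Entries as 'show access-lists' prints them; 'host X' means 'X 0.0.0.0'.
ACL_1 = [
    (10, "permit", "192.168.0.1",   "0.0.0.0"),
    (20, "deny",   "192.168.0.2",   "0.0.0.0"),
    (30, "permit", "192.168.0.128", "0.0.0.127"),
    (40, "permit", "192.168.1.0",   "0.0.0.255"),
    (50, "deny",   "192.168.2.0",   "0.0.0.127"),
    (60, "deny",   "192.168.3.0",   "0.0.0.63"),
]
ACL_10 = [(10, "permit", "192.168.0.0", "0.0.255.255")]   # the VTY access-class

def evaluate_standard(acl, src_ip):
    """First matching entry wins; returns (action, seq). seq None means the
    implicit deny that IOS appends to every ACL."""
    for seq, action, network, wildcard in acl:
        if matches(src_ip, network, wildcard):
            return action, seq
    return "deny", None

if __name__ == "__main__":
    print(wildcard_range("192.168.2.0", "0.0.0.127"))
    print(wildcard_for_range("192.168.3.0", "192.168.3.63"))
    # constructed sample sources, one per interesting case
    for src in ("192.168.0.1", "192.168.0.2", "192.168.0.5", "192.168.0.200",
                "192.168.2.200", "192.168.3.100", "10.0.0.1"):
        print(src, evaluate_standard(ACL_1, src))
    for src in ("192.168.77.5", "172.16.0.1"):
        print("vty", src, evaluate_standard(ACL_10, src))
```

Note that 192.168.0.5 is dropped although no entry in ACL 1 names it, and so is 192.168.2.200, which sits just outside the 0.0.0.127 block of entry 50: the implicit deny is why a standard ACL applied to an interface must carry an explicit permit for every legitimate source.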
2. Numbered extended ACL

An extended ACL matches source, destination, protocol and, for TCP and UDP, port numbers, so it can be placed close to the source. The same first-match rule and implicit deny any apply; the explicit deny ip any any at the end changes nothing about what is dropped, it only makes the drops visible in the hit counters of show access-lists.

Permit 192.168.0.1 to reach any address with any IP protocol
Router(config)#access-list 100 permit ip host 192.168.0.1 any
Deny any address from connecting to TCP port 80 on 192.168.0.1
Router(config)#access-list 100 deny tcp any host 192.168.0.1 eq 80
Deny 192.168.1.0~255 from connecting to TCP port 21 on 192.168.2.0~255
Router(config)#access-list 100 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 21
Deny all other packets
Router(config)#access-list 100 deny ip any any
Apply the ACL outbound on gi0/1
Router(config)#int gi0/1
Router(config-if)#ip access-group 100 out
Display the ACL (IOS prints well-known ports by name: 80 as www, 21 as ftp)
Router#show access-lists
Extended IP access list 100
10 permit ip host 192.168.0.1 any
20 deny tcp any host 192.168.0.1 eq www
30 deny tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq ftp
40 deny ip any any
Entry 30 matches only the FTP control connection on port 21; the data connection (port 20 in active mode, a high port in passive mode) is not described by it. In this list that traffic is still dropped, but only because entry 40 denies everything else.
3. Named ACLs (standard and extended)

A named ACL performs the same checks as its numbered counterpart but is referenced by a name, and its entries are added in a dedicated sub-mode where individual lines can be removed by sequence number instead of re-entering the whole list.

Syntax: Router(config)#ip access-list standard {<1-99>|Access-list name}
Router(config)#ip access-list standard teacher
Router(config-std-nacl)#permit 172.16.0.0 0.0.255.255
Router(config-std-nacl)#deny any
Router(config-std-nacl)#exit
Router(config)#int gi0/0
Router(config-if)#ip access-group teacher out
Router(config-if)#^Z
Router#sh ip access-lists
Standard IP access list teacher
10 permit 172.16.0.0 0.0.255.255
20 deny any
Syntax: Router(config)#ip access-list extended {<100-199>|Access-list name}
Router(config)#ip access-list extended student
Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80
Router(config-ext-nacl)#deny ip any any
Router(config-ext-nacl)#exit
Router(config)#int gi0/1
Router(config-if)#ip access-group student out
Router(config-if)#^Z
Router#sh ip access-lists
Extended IP access list student
10 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
20 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq www
30 deny ip any any
Entry 20 of student can never match: entry 10 already permits every IP packet between the two subnets, TCP port 80 included, so the more specific line is shadowed. Order entries from most specific to least specific, and watch for hit counters that never increment.
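Both the extended ACL 100 in section 2 and the named ACL student above depend on entry order. As an added example in Python (not code from the original post), the following models first-match evaluation of extended entries with protocol and port, and adds a shadow check that reports entries an earlier entry makes unreachable. The ACL entries are the page's own; the function names and the sample packets are constructed for illustration.

```python
# Added example, not from the original post: first-match evaluation of IOS
# extended ACLs and a check for shadowed (unreachable) entries. Function names
# and sample packets are assumptions for illustration; the ACL entries are the
# page's own 'show ip access-lists' output.
import ipaddress

M32 = 0xFFFFFFFF
ANY = ("0.0.0.0", "255.255.255.255")          # IOS 'any'

def host(ip):                                  # IOS 'host X' == 'X 0.0.0.0'
    return (ip, "0.0.0.0")

def _i(ip):
    return int(ipaddress.IPv4Address(ip))

def addr_matches(ip, spec):
    net, wild = spec
    return (_i(ip) ^ _i(net)) & ~_i(wild) & M32 == 0

def addr_covers(outer, inner):
    """True if every address matched by inner is matched by outer. Works for
    any wildcard: inner's don't-care bits must be a subset of outer's, and the
    bits outer fixes must agree."""
    (onet, owild), (inet, iwild) = outer, inner
    o_wild = _i(owild)
    fixed_bits_agree = (_i(onet) ^ _i(inet)) & ~o_wild & M32 == 0
    dont_care_subset = _i(iwild) & ~o_wild & M32 == 0
    return fixed_bits_agree and dont_care_subset

def proto_covers(outer, inner):
    return outer == "ip" or outer == inner

# entry: (seq, action, proto, src, dst, dport); dport None = any port
ACL_100 = [
    (10, "permit", "ip",  host("192.168.0.1"), ANY, None),
    (20, "deny",   "tcp", ANY, host("192.168.0.1"), 80),
    (30, "deny",   "tcp", ("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255"), 21),
    (40, "deny",   "ip",  ANY, ANY, None),
]
STUDENT = [
    (10, "permit", "ip",  ("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255"), None),
    (20, "permit", "tcp", ("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255"), 80),
    (30, "deny",   "ip",  ANY, ANY, None),
]

def evaluate_extended(acl, proto, src, dst, dport=None):
    """Walk the entries in order; the first match decides. Returns (action, seq);
    seq None is the implicit deny at the end of every IOS ACL."""
    for seq, action, p, s, d, port in acl:
        if (proto_covers(p, proto) and addr_matches(src, s)
                and addr_matches(dst, d) and (port is None or port == dport)):
            return action, seq
    return "deny", None

def shadowed_entries(acl):
    """[(shadowed_seq, covering_seq)]: entries that can never be reached because
    an earlier entry already matches every packet they would match. The earlier
    entry's action is irrelevant; a shadowed permit after a deny is just as dead."""
    found = []
    for j, (seq_j, _, p_j, s_j, d_j, port_j) in enumerate(acl):
        for seq_i, _, p_i, s_i, d_i, port_i in acl[:j]:
            if (proto_covers(p_i, p_j) and addr_covers(s_i, s_j)
                    and addr_covers(d_i, d_j) and (port_i is None or port_i == port_j)):
                found.append((seq_j, seq_i))
                break
    return found

if __name__ == "__main__":
    # constructed sample packets: (proto, src, dst, dport)
    for pkt in (("tcp", "192.168.0.1", "8.8.8.8", 443),
                ("tcp", "10.0.0.9", "192.168.0.1", 80),
                ("tcp", "192.168.1.5", "192.168.2.9", 21),
                ("tcp", "192.168.1.5", "192.168.2.9", 22)):
        print("acl 100", pkt, evaluate_extended(ACL_100, *pkt))
    print("shadowed in 100:", shadowed_entries(ACL_100))
    print("shadowed in student:", shadowed_entries(STUDENT))
```

shadowed_entries(STUDENT) reports (20, 10): entry 20 is dead, while ACL 100 has no shadowed entries because each of its deny lines constrains a destination or port that entry 10 does not cover. On a real router the same condition shows up as a hit counter that never increments in show ip access-lists.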