! R1, part 1: define extended ACLs 110 and 111, then list them.
! The "conf" line followed by "configure" looks like a partial-command echo
! (presumably tab completion). Bare "configure" asks for a source and the
! session continues in terminal mode.
R1#conf
R1#configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
! ACL 110, source 192.168.10.0/24 (wildcard 0.0.0.255):
!   - deny TCP to destination port telnet on any host
!   - deny UDP tftp to host 192.168.20.254
!   - permit all other IP traffic (deny-list style: only the two flows above are blocked)
R1(config)#access-list 110 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
R1(config)#access-list 110 deny udp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq tftp
R1(config)#access-list 110 permit ip any any
! ACL 111, source 192.168.11.0/24: permit TCP www and UDP tftp to host 192.168.20.254.
! No other entry is added in this part, so the implicit "deny ip any any" that
! ends every IOS ACL drops everything else evaluated against this list.
! The tftp line is typed three times; the listing below shows it once (sequence 20).
R1(config)#access-list 111 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www
R1(config)#access-list 111 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
R1(config)#access-list 111 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
R1(config)#access-list 111 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
R1(config)#exit
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#
! Verification: entries are numbered 10, 20, 30 in the order they were entered,
! which is also the order in which they are evaluated (first match wins).
R1#show access-lists
Extended IP access list 110
10 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
20 deny udp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq tftp
30 permit ip any any
Extended IP access list 111
10 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www
20 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
R1#
! R1, part 2: bind the ACLs to interfaces.
! "int f0/0" is rejected at the privileged EXEC prompt; the same command is
! accepted below once global configuration mode has been entered.
R1#int f0/0
^
% Invalid input detected at '^' marker.
R1#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
! ACL 110 filters traffic arriving on f0/0; ACL 111 filters traffic arriving on f0/1.
! NOTE(review): according to the preceding "show access-lists" output, ACL 111
! holds only two permit entries at this point. With the implicit deny, any other
! traffic arriving on f0/1 is dropped until a broader permit is appended (that
! happens later in this transcript). Completing a list before binding it avoids
! that window.
R1(config)#int f0/0
R1(config-if)#ip access-group 110 in
R1(config-if)#int f0/1
R1(config-if)#ip access-group 111 in
R1(config-if)#
R1(config-if)#
R1(config-if)#exit
R1(config)#
! Repeat of the f0/1 binding already entered above.
R1(config)#int f0/1
R1(config-if)#ip access-group 111 in
R1(config-if)#exit
R1(config)#
R1(config)#
! R1, part 3: the ACL 111 entries are typed again (www once, tftp three times).
! The listing that follows still shows only entries 10 and 20 for ACL 111, so
! none of the repeated lines added an entry.
R1(config)#access-list 111 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www
R1(config)#access-list 111 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
R1(config)#access-list 111 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
R1(config)#access-list 111 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
R1(config)#exit
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#
! Verification: both lists are unchanged. ACL 111 still has no entry after the
! two permits, so it still relies on the implicit deny for everything else.
R1#show access-lists
Extended IP access list 110
10 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
20 deny udp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq tftp
30 permit ip any any
Extended IP access list 111
10 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www
20 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
R1#
! R1, part 4: new login, bindings re-entered, ACL 111 extended.
! "exit" drops to user EXEC (R1>); "enable" then prompts for a password.
R1#exit
R1>enable
Password:
R1#
! The short lines (en, con, conf, and later "ip acce" / "ip ac") look like
! partial-command echoes, presumably from tab completion; only the completed
! commands are relevant.
R1#en
R1#enable
R1#con
R1#con
R1#conf
R1#configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
! Same bindings as entered earlier: ACL 110 inbound on f0/0, ACL 111 inbound on f0/1.
R1(config)#int f0/0
R1(config-if)#ip acce
R1(config-if)#ip access-group 110 in
R1(config-if)#exit
R1(config)#
R1(config)#int f0/1
R1(config-if)#ip ac
R1(config-if)#ip access-group 111 in
R1(config-if)#
R1(config-if)#exit
R1(config)#
R1(config)#
! ACL 111 is entered again, now with two additional lines:
!   - deny all remaining IP from 192.168.11.0/24 to 192.168.20.0/24
!   - permit all other IP traffic
! First match wins, so the www/tftp permits for host 192.168.20.254 must stay
! ahead of the deny for them to take effect.
! NOTE(review): no "show access-lists" is captured after these lines, so the
! final entry order is not confirmed here; the expected result is the two
! existing permits followed by the deny and the permit any.
! NOTE(review): no command that saves the running configuration appears in the
! captured session, so persistence across a reload is not shown.
R1(config)#access-list 111 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www
R1(config)#access-list 111 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
R1(config)#access-list 111 deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255
R1(config)#access-list 111 permit ip any any
R1(config)#
R2
! R2: named extended ACL FIREWALL, bound inbound on interface s0/1/0.
! "enable t" is rejected at the user EXEC prompt; plain "enable" then prompts
! for the password. The other short lines look like partial-command echoes.
Password:
R2>
R2>en
R2>enable t
R2>enable t
^
% Invalid input detected at '^' marker.
R2>en
R2>enable
Password:
R2#
R2#conf
R2#configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#
! First pass. FIREWALL permits:
!   - TCP www from any source to host 192.168.20.254
!   - TCP segments that match "established"
!   - ICMP echo-reply from any source to any destination
! NOTE(review): "established" matches on TCP flags (ACK or RST set) rather than
! tracking connections, so it is weaker than a stateful firewall rule.
! Everything else is dropped by the implicit deny that ends every IOS ACL.
R2(config)#ip access-list extended FIREWALL
R2(config-ext-nacl)#permit tcp any host 192.168.20.254 eq www
R2(config-ext-nacl)#permit tcp any any established
R2(config-ext-nacl)#permit icmp any any echo-reply
R2(config-ext-nacl)#exit
R2(config)#
R2(config)#int
! The list is bound inbound on s0/1/0 before the explicit deny below is added;
! the implicit deny already gives the same drop behaviour.
R2(config)#interface s0/1/0
R2(config-if)#ip access-group FIREWALL in
R2(config-if)#
R2(config-if)#
R2(config-if)#exit
R2(config)#
R2(config)#
R2(config)#
! Second pass: the same three permits are typed again and an explicit
! "deny ip any any" is added. The explicit entry does not change what is
! dropped; it makes the final deny a visible list entry.
! NOTE(review): no "show access-lists" is captured on R2, so the final entry
! list (including how the repeated permits were handled) is not confirmed here.
R2(config)#ip access-list extended FIREWALL
R2(config-ext-nacl)#
R2(config-ext-nacl)#permit tcp any host 192.168.20.254 eq www
R2(config-ext-nacl)#permit tcp any any established
R2(config-ext-nacl)#permit icmp any any echo-reply
R2(config-ext-nacl)#deny ip any any
R2(config-ext-nacl)#interfa
R2(config-ext-nacl)#interface
! Entering "interface s0/1/0" from the ACL sub-mode moves straight to interface
! configuration (the prompt changes to config-if); the binding is then re-entered.
R2(config-ext-nacl)#interface s0/1/0
R2(config-if)#ip access-group FIREWALL in
R2(config-if)#
R3
! R3: extended ACL 130, bound inbound on interface fa0/0.
! The short lines (en, "enable t", "conf t", in) look like partial-command echoes.
R3>
R3>en
R3>enable
Password:
R3#
R3#en
R3#enable t
R3#enable
R3#conf t
R3#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#
! ACL 130 is evaluated top-down and the first matching entry decides:
!   1. deny all IP from 192.168.30.0/24 to 192.168.20.0/24
!   2. permit 192.168.30.0-127 (wildcard 0.0.0.127) to any destination
!   3. permit 192.168.30.128-255 to 192.168.10.0/24
!   4. permit 192.168.30.128-255 to 192.168.11.0/24
!   5. permit 192.168.30.128-255 TCP www to any destination
!   6. permit 192.168.30.128-255 ICMP to any destination (no type given, so all ICMP types)
!   7. explicit deny of everything else
! NOTE(review): because entry 1 comes first, the www and icmp permits (5 and 6)
! never apply to destinations in 192.168.20.0/24, which includes host
! 192.168.20.254 used in the R1 and R2 rules on this page. Confirm this is intended.
R3(config)#access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
R3(config)#access-list 130 permit ip 192.168.30.0 0.0.0.127 any
R3(config)#access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.10.0 0.0.0.255
R3(config)#access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.11.0 0.0.0.255
R3(config)#access-list 130 permit tcp 192.168.30.128 0.0.0.127 any eq www
R3(config)#access-list 130 permit icmp 192.168.30.128 0.0.0.127 any
R3(config)#access-list 130 deny ip any any
R3(config)#
R3(config)#in
! Bind ACL 130 to traffic arriving on fa0/0.
! NOTE(review): no "show access-lists" and no command that saves the running
! configuration appear in the captured session, so the installed entries and
! their persistence across a reload are not confirmed here.
R3(config)#interface fa0/0
R3(config-if)#ip access-group 130 in
R3(config-if)#