
Cisco: configuring extended ACLs



R1#configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#
! ACL 110: hosts in 192.168.10.0/24 may not Telnet anywhere and may not reach
! the TFTP service on 192.168.20.254; all other IP traffic from them is allowed.
R1(config)#access-list 110 deny tcp 192.168.10.0 0.0.0.255 any eq telnet
R1(config)#access-list 110 deny udp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq tftp
R1(config)#access-list 110 permit ip any any
! ACL 111: hosts in 192.168.11.0/24 may reach HTTP (port 80) and TFTP on
! 192.168.20.254. As entered here the list contains no other permit, so the
! implicit "deny ip any any" that ends every ACL drops everything else from that
! subnet; the list is extended further down.
R1(config)#access-list 111 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www
R1(config)#access-list 111 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
! The original session typed the tftp entry three times. IOS silently discards an
! entry identical to one already in the list, which is why "show access-lists"
! below shows it once.
R1(config)#exit
R1#
%SYS-5-CONFIG_I: Configured from console by console


R1#

R1#show access-lists

Extended IP access list 110

    10 deny tcp 192.168.10.0 0.0.0.255 any eq telnet

    20 deny udp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq tftp

    30 permit ip any any

Extended IP access list 111

    10 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www

    20 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp

R1#

! "interface" is a global configuration command; typed at the privileged EXEC
! prompt it is rejected.
R1#int f0/0
       ^
% Invalid input detected at '^' marker.
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
! Apply each list inbound on the LAN interface whose hosts it filters. The page
! does not show the topology; the source networks in the entries suggest f0/0
! faces 192.168.10.0/24 and f0/1 faces 192.168.11.0/24. An interface holds one
! ACL per direction, so "ip access-group" replaces any list already applied there,
! and re-applying the same list (as the original session did) changes nothing.
R1(config)#interface f0/0
R1(config-if)#ip access-group 110 in
R1(config-if)#interface f0/1
R1(config-if)#ip access-group 111 in
R1(config-if)#exit
! Re-typing entries that already exist (the original session did this several
! times for ACL 111) also changes nothing: each duplicate is dropped and the list
! keeps its two entries, as the next "show access-lists" confirms.
R1(config)#access-list 111 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www
R1(config)#access-list 111 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp
R1(config)#exit
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#

R1#show access-lists

Extended IP access list 110

    10 deny tcp 192.168.10.0 0.0.0.255 any eq telnet

    20 deny udp 192.168.10.0 0.0.0.255 host 192.168.20.254 eq tftp

    30 permit ip any any

Extended IP access list 111

    10 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www

    20 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp

R1#

R1#exit
R1>enable
Password:
! Extending ACL 111. New entries are always appended, so they land after the two
! existing permits at sequence 30 and 40. The deny blocks all other traffic from
! 192.168.11.0/24 into 192.168.20.0/24; the final permit restores access to
! everything else, which the implicit deny had been dropping until now.
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list 111 deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255
R1(config)#access-list 111 permit ip any any
R1(config)#


R2
Password:
R2>
! In user EXEC, "enable" takes an optional privilege level, not "t", so
! "enable t" is rejected; "enable" followed by the enable password works.
R2>enable t
          ^
% Invalid input detected at '^' marker.
R2>enable
Password:
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
! Named extended ACL for the WAN side. Inbound from the serial link it allows only:
!  - new connections to the web server 192.168.20.254 on port 80;
!  - TCP segments with the ACK or RST bit set ("established"), meant as the replies
!    to sessions that inside hosts opened;
!  - ICMP echo replies, so inside hosts can ping out while outside hosts cannot
!    ping in.
! Caveat: "established" is not stateful. It inspects only the TCP flag bits, so
! any packet crafted with ACK set (an ACK scan, for instance) passes this entry
! to every inside host and port.
R2(config)#ip access-list extended FIREWALL
R2(config-ext-nacl)#permit tcp any host 192.168.20.254 eq www
R2(config-ext-nacl)#permit tcp any any established
R2(config-ext-nacl)#permit icmp any any echo-reply
R2(config-ext-nacl)#exit
R2(config)#interface s0/1/0
R2(config-if)#ip access-group FIREWALL in
R2(config-if)#exit
! Second pass: append an explicit "deny ip any any". It blocks nothing the
! implicit deny would not, but it is visible in the configuration and gets its own
! match counter in "show access-lists", which the implicit deny does not. Re-typing
! the three existing permits (as the original session did) adds nothing. IOS
! accepts a new submode command such as "interface" directly from the ACL submode.
R2(config)#ip access-list extended FIREWALL
R2(config-ext-nacl)#deny ip any any
R2(config-ext-nacl)#interface s0/1/0
R2(config-if)#ip access-group FIREWALL in
R2(config-if)#



R3
R3>enable
Password:
R3#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
! ACL 130 splits 192.168.30.0/24 into two halves with the wildcard 0.0.0.127
! (set wildcard bits are "don't care", so 0.0.0.127 covers a /25). Entries are
! tested in order and the first match wins:
!  10 nothing from the whole /24 may reach 192.168.20.0/24; placed first so that
!     the broad permit at 20 cannot let 192.168.30.0/25 into 20.0/24;
!  20 192.168.30.0/25 (lower half) may reach everything else;
!  30-40 192.168.30.128/25 (upper half) may reach 192.168.10.0/24 and 192.168.11.0/24;
!  50 the upper half may also reach HTTP on port 80 anywhere ("www" is port 80
!     only; HTTPS is not covered);
!  60 the upper half may send ICMP of any type anywhere;
!  70 explicit deny for everything else (same effect as the implicit deny, but
!     with a match counter).
R3(config)#access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
R3(config)#access-list 130 permit ip 192.168.30.0 0.0.0.127 any
R3(config)#access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.10.0 0.0.0.255
R3(config)#access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.11.0 0.0.0.255
R3(config)#access-list 130 permit tcp 192.168.30.128 0.0.0.127 any eq www
R3(config)#access-list 130 permit icmp 192.168.30.128 0.0.0.127 any
R3(config)#access-list 130 deny ip any any
R3(config)#
! Applied inbound on the interface facing 192.168.30.0/24.
R3(config)#interface fa0/0
R3(config-if)#ip access-group 130 in
R3(config-if)#
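All the lists above obey the same rules: entries are compared top to bottom, the first match decides, and a packet matching nothing hits the implicit deny. The following Python, added here as an example and not code from the page or from Cisco IOS, parses entries in exactly the syntax typed above (numbered or named form, `any`, `host`, wildcard masks, `eq`, `established`, an ICMP type keyword) and evaluates constructed packets against ACL 111 before and after it was extended on R1, the FIREWALL list on R2, and ACL 130 on R3. The `Packet` class, `PORT_NAMES`, `evaluate()` and the outside addresses 203.0.113.7 and 198.51.100.9 (documentation ranges standing in for Internet hosts) are assumptions of this example; the port keywords cover only the three used on the page.

```python
"""Offline evaluator for the Cisco extended-ACL syntax used on this page (added example)."""
import ipaddress
from dataclasses import dataclass

# Port keywords that appear in the entries above (assumption: IOS knows many more).
PORT_NAMES = {"telnet": 23, "tftp": 69, "www": 80}


@dataclass(frozen=True)
class Packet:           # constructed test packet: only the fields an extended ACL can look at
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # destination port (tcp/udp)
    ack: bool = False   # TCP ACK or RST bit set; this is all "established" checks
    icmp_type: str = "" # "echo" or "echo-reply" (icmp)


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i] -> ((net, wildcard), next)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def _addr_matches(spec, addr):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF          # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def parse_ace(line):
    """Parse one entry, numbered ('access-list 130 deny ...') or named ('permit tcp ...')."""
    t = line.split()
    if t[0] == "access-list":          # drop 'access-list NNN'
        t = t[2:]
    ace = {"action": t[0], "proto": t[1], "dport": None,
           "established": False, "icmp_type": None}
    ace["src"], i = _parse_addr(t, 2)
    ace["dst"], i = _parse_addr(t, i)
    rest = t[i:]
    while rest:
        tok = rest.pop(0)
        if tok == "eq":                # destination port; the only position used on the page
            p = rest.pop(0)
            ace["dport"] = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        elif tok == "established":
            ace["established"] = True
        else:                          # ICMP type keyword such as echo-reply
            ace["icmp_type"] = tok
    return ace


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (_addr_matches(ace["src"], pkt.src) and _addr_matches(ace["dst"], pkt.dst)):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    if ace["established"] and not pkt.ack:   # flag check only; there is no connection table
        return False
    if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.icmp_type:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry decides. Returns (action, sequence) numbered as 'show
    access-lists' prints them, or ('deny', None) for the implicit deny ending every ACL."""
    for n, line in enumerate(acl, start=1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], n * 10
    return "deny", None


# The lists as entered on the page.
ACL_111_FIRST = [                      # ACL 111 before the two extra entries were appended
    "access-list 111 permit tcp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq www",
    "access-list 111 permit udp 192.168.11.0 0.0.0.255 host 192.168.20.254 eq tftp",
]
ACL_111_FINAL = ACL_111_FIRST + [
    "access-list 111 deny ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "access-list 111 permit ip any any",
]
FIREWALL = [
    "permit tcp any host 192.168.20.254 eq www",
    "permit tcp any any established",
    "permit icmp any any echo-reply",
    "deny ip any any",
]
ACL_130 = [
    "access-list 130 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255",
    "access-list 130 permit ip 192.168.30.0 0.0.0.127 any",
    "access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.10.0 0.0.0.255",
    "access-list 130 permit ip 192.168.30.128 0.0.0.127 192.168.11.0 0.0.0.255",
    "access-list 130 permit tcp 192.168.30.128 0.0.0.127 any eq www",
    "access-list 130 permit icmp 192.168.30.128 0.0.0.127 any",
    "access-list 130 deny ip any any",
]
```

`evaluate()` reports the sequence number IOS would show, which is what you compare against the match counters in `show access-lists`. Two results worth trying: an ICMP echo from 192.168.11.5 to 192.168.10.1 is dropped by the first version of ACL 111 (implicit deny, no sequence) and permitted at sequence 40 by the final one; and a TCP segment from 203.0.113.7 to port 22 on 192.168.20.254 is denied by FIREWALL at sequence 40 unless its ACK bit is set, in which case `permit tcp any any established` admits it at sequence 20, which is the ACK-scan weakness of a flag-based rule.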


Extended ACL
