控制 列表 每接口、每协议、每方向只能有一个访问 列表 1、标准 控制 列表 (config)#access-list access-list-number {permit | deny | remark} source [mask 说明: access-list-number:是 列表 的号码名(1—99) permit | deny 允许或者禁止 source [mas
控制列表
每接口、每协议、每方向只能有一个访问列表
1、标准控制列表
(config)#access-list access-list-number {permit | deny | remark} source
[mask
说明:
access-list-number:是列表的号码名(1—99)
permit | deny 允许或者禁止
source [mask 源IP或者IP 段 和反掩码
例:(config)#access-list 1 permit any(允许所有通过)
B、(config)#access-list access-list-number +(permit | deny )+ host +IP地址
例:(config)#access-list 1 permit host 211.99.151.208
2、扩展控制列表
(config)# access-list +(名字—100-199)+ (permit | deny )+ 协议 +源IP(段)+ 反掩码+
目的IP(段)+反掩码+ (eq\gt\lt\range)+端口号
说明:eq 就是等于 gt 就是大于 lt 就是小于 range 就是包括
(config)# access-list +(名字—100-199)+ (permit | deny )+ 协议 +any (指所有)
+any (指所有)+ (eq\gt\lt\range)+端口号
客户要求:
(config)#interface fastEthernet 0/0 (进入外网口)
(config-if)#ip
access-group 100 out
帮我配置一下:
外网222.77.64.146 255.255.255.252 222.77.64.145
内网192.168.0.1 255.255.255.255.0 192.168.0.1
DNS 202.101.107.55 202.101.98.55
禁止dhcp
禁止192.168.0.160-192.168.0.230上外网 (tcp)
禁止192.168.0.3-192.168.0.254 8000(udp)
禁止192.168.0.3-192.168.0.254 443 (tcp)
禁止192.168.0.3-192.168.0.254访问 218.117.209.1 - 218.117.209.255 80 (tcp
www)
禁止192.168.0.3-192.168.0.254访问tencent.com (ip)
配置如下:
暂时无配置
路由器通过以太网的子口建立与下连交换机TRUNK口相连。(下面未经过验证,故不能全信)
要求管理VLAN可以访问其它业务VLAN、办公VLAN、财务VLAN、家庭网VLAN,但是其它VLAN不可以访问管理VLAN。
下面把路由器上的配置附上:
ip access-list extended infilter
evaluate mppacket
deny ip 10.54.16.0 0.0.0.255 10.54.17.0 0.0.0.255
deny ip 10.54.16.0 0.0.0.255 10.54.18.0 0.0.0.255
deny ip 10.54.16.0 0.0.0.255 10.54.19.0 0.0.0.255
deny ip 10.54.16.0 0.0.0.255 10.54.31.0 0.0.0.255
deny ip 10.54.17.0 0.0.0.255 10.54.16.0 0.0.0.255
deny ip 10.54.17.0 0.0.0.255 10.54.18.0 0.0.0.255
deny ip 10.54.17.0 0.0.0.255 10.54.19.0 0.0.0.255
deny ip 10.54.17.0 0.0.0.255 10.54.31.0 0.0.0.255
deny ip 10.54.18.0 0.0.0.255 10.54.16.0 0.0.0.255
deny ip 10.54.18.0 0.0.0.255 10.54.17.0 0.0.0.255
deny ip 10.54.18.0 0.0.0.255 10.54.19.0 0.0.0.255
deny ip 10.54.18.0 0.0.0.255 10.54.31.0 0.0.0.255
deny ip 10.54.19.0 0.0.0.255 10.54.16.0 0.0.0.255
deny ip 10.54.19.0 0.0.0.255 10.54.17.0 0.0.0.255
deny ip 10.54.19.0 0.0.0.255 10.54.18.0 0.0.0.255
deny ip 10.54.19.0 0.0.0.255 10.54.31.0 0.0.0.255
permit ip any any
exit
ip access-list extended outfilter
permit ip any any reflect mppacket
exit
interface fastethernet0
ip address 10.255.49.2 255.255.255.252
exit
interface fastethernet1
exit
interface fastethernet1.1
description Guanli
ip address 10.54.31.254 255.255.255.0
encapsulation dot1q 1
exit
interface fastethernet1.2
description Yewu
ip address 10.54.17.254 255.255.255.0
encapsulation dot1q 2
ip access-group outfilter out
ip access-group infilter in
exit
interface fastethernet1.3
description Bangong
ip address 10.54.16.254 255.255.255.0
encapsulation dot1q 3
ip access-group outfilter out
ip access-group infilter in
exit
interface fastethernet1.4
description Caiwu
ip address 10.54.18.254 255.255.255.0
encapsulation dot1q 4
ip access-group outfilter out
ip access-group infilter in
exit
interface fastethernet1.5
description Jiating
ip address 10.54.19.254 255.255.255.0
encapsulation dot1q 5
ip access-group outfilter out
ip access-group infilter in
exit
ip route 0.0.0.0 0.0.0.0 10.255.49.1
声明:本网页内容旨在传播知识,若有侵权等问题请及时与本网联系,我们将在第一时间删除处理。TEL:177 7030 7066 E-MAIL:11247931@qq.com
Copyright © 2019-2023 51dongshi.com 版权所有
违法及侵权请联系:TEL:177 7030 7066 E-MAIL:11247931@qq.com 本站由北京市万商天勤律师事务所王兴未律师提供法律服务
