Home | Mirror | Search

12. ACLs

12.1. 基本配置

show access-list

Extended IP access list 101
    10 permit tcp any any eq www (534 matches)
    20 deny tcp any any (111 matches)
		

Removing ACLs

		
no access-list <list number>
		
		

Here is an example:

permit all

access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
		

deny all

access-list 101 deny tcp any any
access-list 101 deny udp any any
access-list 101 deny icmp any any
		

Applying Access Lists

conf t
int f0/0
ip access-group 101 out
ip access-group 102 in
		

12.2. extended

12.2.1. port numbers

Use an operator to match port numbers used by the source or destination. The permitted operators are as follows:

•lt—less than
•gt—greater than
•eq—equal to
•neq—not equal to
•range—an inclusive range of values. When you use this operator, specify two port numbers, for example:
range 100 200

			
access-list 111 extended permit tcp any any range 8080 8080
			

12.3. object-group

12.3.1. network-object

object-group network www
 description www
 network-object 172.16.4.0 255.255.255.0
 network-object 172.16.5.0 255.255.255.0
			

12.3.2. port-object

object-group network dbhost
 description database
 network-object 172.16.4.0 255.255.255.0
 network-object 172.16.5.0 255.255.255.0
object-group service dbport tcp
 description database
 port-object eq 3306
 port-object eq 2521
 port-object eq 5432
 port-object eq 1433

object-group service webport tcp
 description web
 port-object eq 80
 port-object range 81 88
			

12.3.3. access-list

access-list outside extend permit tcp object-group dbhost host 172.16.4.10 object-group dbport
access-list outside extend permit tcp any object-group webport any
			

12.4. www

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 deny tcp any any
Router(config)#access-list 101 deny udp any any
Router(config)#access-list 101 deny icmp any any
Router(config)#int f0/1
Router(config-if)#ip access-group 101 in
Router(config-if)#end
		

www

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 101 permit tcp any any eq www
Router(config)#access-list 101 deny tcp any any
Router(config)#end
Router#
		

12.5. show access-list

# sh access-list | include udp
		
comments powered by Disqus