Tags: acl
Router(config)#int f1/1
Router(config-if)#ip access-group 100 in
Router(config-if)#exit
Router(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 host 192.168.100.10
Router(config)#access-list 100 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq telnet
Router(config)#access-list 100 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 22
Router(config)#access-list 100 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 21
Router(config)#access-list 100 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 3389
Router(config)#int f1/1
Router(config-if)#ip access-group 100 in
## Only the 192.168.1.0 subnet may connect to the server via SSH, Telnet and Remote Desktop; applied inbound on interface f1/1.
Router(config)#access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 80
Router(config)#int f1/2
Router(config-if)#ip access-group 101 in
## All internal hosts may access port 80 on 192.168.100.10; applied inbound on interface f1/2.
Router(config)#access-list 102 permit tcp any host 192.168.100.10 eq 80
Router(config)#int f1/3
Router(config-if)#ip access-group 102 in
## All external hosts may access port 80 on 192.168.100.10; applied inbound on interface f1/3.
View the access control lists with the following command.
Router#sh access-list
Extended IP access list 100
10 permit ip 192.168.1.0 0.0.0.255 host 192.168.100.10
20 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq telnet
30 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 22
40 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq ftp
50 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 3389
Extended IP access list 101
10 permit tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq www
Extended IP access list 102
10 permit tcp any host 192.168.100.10 eq www
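Added example, not code from the original post: a small first-match evaluator for the extended ACL entries above, including the implicit deny that IOS appends to every list. The sample source hosts and flows are constructed; the checks show that line 10 of list 100 admits all IP traffic from 192.168.1.0/24 (not only the three management services), so the explicit deny lines for 192.168.0.0/16 only ever shadow the implicit deny.

```python
# Added example, not code from the original post: a first-match evaluator for
# Cisco-style extended ACL entries, to check what lists 100 and 102 really permit.
import ipaddress

def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard masks are inverse masks: 0 bits must match, 1 bits are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(network) & care)

# ACE = (action, protocol, src network, src wildcard, dst host, dst port or None)
# "ip" matches every protocol; a port of None matches any port.
ACL_100 = [
    ("permit", "ip",  "192.168.1.0", "0.0.0.255",   "192.168.100.10", None),
    ("deny",   "tcp", "192.168.0.0", "0.0.255.255", "192.168.100.10", 23),    # telnet
    ("deny",   "tcp", "192.168.0.0", "0.0.255.255", "192.168.100.10", 22),
    ("deny",   "tcp", "192.168.0.0", "0.0.255.255", "192.168.100.10", 21),    # ftp
    ("deny",   "tcp", "192.168.0.0", "0.0.255.255", "192.168.100.10", 3389),
]
# "any" is the wildcard pair 0.0.0.0 255.255.255.255
ACL_102 = [("permit", "tcp", "0.0.0.0", "255.255.255.255", "192.168.100.10", 80)]

def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching entry, evaluated top to bottom."""
    for action, p, net, wild, host, port in acl:
        if p != "ip" and p != proto:
            continue
        if dst != host or not wildcard_match(src, net, wild):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"   # implicit "deny ip any any" at the end of every IOS ACL

if __name__ == "__main__":
    # Constructed sample flows toward the server 192.168.100.10
    print(evaluate(ACL_100, "tcp", "192.168.1.5", "192.168.100.10", 22))   # permit
    print(evaluate(ACL_100, "tcp", "192.168.1.5", "192.168.100.10", 80))   # permit: line 10 is "permit ip"
    print(evaluate(ACL_100, "tcp", "192.168.2.5", "192.168.100.10", 22))   # deny: line 30
    print(evaluate(ACL_100, "tcp", "192.168.2.5", "192.168.100.10", 80))   # deny: implicit deny
    print(evaluate(ACL_102, "tcp", "203.0.113.7", "192.168.100.10", 80))   # permit
    print(evaluate(ACL_102, "tcp", "203.0.113.7", "192.168.100.10", 22))   # deny: implicit deny
```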
This article is from the blog “龙爱雪琪”; please keep this attribution: http://dragon123.blog.51cto.com/9152073/1564841