Router(config)#access list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<300-399> DECnet access list
<400-499> XNS standard access list
<500-599> XNS extended access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
Router(config)#access-list <access-list-number> {permit|deny} <source-address> [wildcard-mask]
Permit a single IP address
Router(config)#access-list 10 permit host 172.16.30.5 //permit traffic from the host with this IP
Deny a single IP address
Router(config)#access-list 10 deny host 172.16.30.5 //deny traffic from the host with this IP
Permit a range (block) of addresses
Router(config)#access-list 10 permit 172.16.16.0 0.0.3.255 //permits 172.16.16.0-172.16.19.255
Deny a range (block) of addresses
Router(config)#access-list 10 deny 192.168.160.0 0.0.31.255 //denies 192.168.160.0-192.168.191.255
*P.S.: each block must start at 0 or at a multiple of the block size (the address bits covered by the wildcard mask must be zero)
*P.S.: the keyword any is equivalent to source 0.0.0.0 with wildcard mask 255.255.255.255
==========================Standard access list==========================
Router(config)#access-list 1 deny 172.16.128.0 0.0.31.255
Router(config)#access-list 1 deny 172.16.48.0 0.0.15.255
Router(config)#access-list 1 permit any
Router(config)#int Serial 0
Router(config-if)#ip access-group 1 out //deny those two source ranges outbound on Serial 0; everything else passes via the final permit any
===================Standard access list restricting VTY (telnet) access=====================
Router(config)#access-list 50 permit 172.16.10.3
Router(config)#line vty 0 4
Router(config-line)#access-class 50 in //only host 172.16.10.3 may telnet to the router; all other sources hit the implicit deny
===========================Extended access list==========================
Router(config)#access-list <100-199> {permit|deny} <protocol> <source-address> [wildcard-mask] <destination-address> [wildcard-mask] eq <port>
Router(config)#access-list 110 deny tcp any host 172.16.30.5 eq 21
Router(config)#access-list 110 deny tcp any host 172.16.30.5 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#int ethernet 1
Router(config-if)#ip access-group 110 out
Router(config-if)#int ethernet 2
Router(config-if)#ip access-group 110 out
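The two P.S. notes above (block alignment, and any as 0.0.0.0 255.255.255.255) and the first-match semantics of lists 1 and 110 are easy to get wrong when writing entries by hand. The following Python is an added example, not part of the original cheat-sheet and not Cisco code: it models a wildcard mask as "1 bits are don't-care", checks that a block start is a multiple of its size, parses the numbered access-list forms used on this page (host, any, address plus wildcard, bare address in a standard list, eq port) and evaluates a packet against a list top to bottom, returning the unwritten implicit deny when nothing matches. The PORT_NAMES table and the parse_ace/evaluate names are my own assumptions; the parser deliberately handles only the syntax shown on this page.

```python
import ipaddress


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _is_ip(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def wildcard_range(network: str, wildcard: str):
    """Return (first, last) address covered by network/wildcard.
    A wildcard bit of 1 means "don't care", so the block ends at network | wildcard."""
    net, wc = _ip(network), _ip(wildcard)
    first = (net & ~wc) & 0xFFFFFFFF
    last = net | wc
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def block_aligned(network: str, wildcard: str) -> bool:
    """The P.S. rule: a block must start at 0 or a multiple of its size,
    i.e. no address bit may be set where the wildcard bit is 1."""
    return _ip(network) & _ip(wildcard) == 0


def matches(addr: str, network: str, wildcard: str) -> bool:
    """IOS compares only the bits where the wildcard is 0."""
    wc = _ip(wildcard)
    return (_ip(addr) & ~wc) == (_ip(network) & ~wc)


# Assumed name->port table (only the names this page uses, plus www).
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")  # 'any' == 0.0.0.0 255.255.255.255


def _addr_spec(tok, i):
    """Parse one source/destination spec starting at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and _is_ip(tok[i + 1]):
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1  # bare address in a standard list means one host


def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny ...' (numbered lists, page syntax only)."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError("not an access-list entry: " + line)
    number, action = int(tok[1]), tok[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:  # standard list: source only
        src, _ = _addr_spec(tok, 3)
        return {"list": number, "action": action, "proto": "ip",
                "src": src, "dst": ANY, "port": None}
    proto = tok[3]  # extended list: protocol, source, destination, optional eq port
    src, i = _addr_spec(tok, 4)
    dst, i = _addr_spec(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return {"list": number, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port}


def evaluate(aces, src, dst="0.0.0.0", proto="ip", port=None):
    """First matching entry wins; return (action, 1-based entry number).
    If no entry matches, the implicit 'deny' at the end of every list applies."""
    for n, ace in enumerate(aces, start=1):
        if ace["proto"] not in ("ip", proto):
            continue
        if not matches(src, *ace["src"]) or not matches(dst, *ace["dst"]):
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        return ace["action"], n
    return "deny", None


# The two lists from this page, as constructed sample input.
ACL_1 = [parse_ace(l) for l in (
    "access-list 1 deny 172.16.128.0 0.0.31.255",
    "access-list 1 deny 172.16.48.0 0.0.15.255",
    "access-list 1 permit any",
)]
ACL_110 = [parse_ace(l) for l in (
    "access-list 110 deny tcp any host 172.16.30.5 eq 21",
    "access-list 110 deny tcp any host 172.16.30.5 eq 23",
    "access-list 110 permit ip any any",
)]

if __name__ == "__main__":
    print(wildcard_range("172.16.16.0", "0.0.3.255"))
    print(block_aligned("172.16.17.0", "0.0.3.255"))  # misaligned block start
    print(evaluate(ACL_1, "172.16.130.7"))
    print(evaluate(ACL_110, "10.0.0.1", "172.16.30.5", "tcp", 23))
```

Two things the model makes visible: a misaligned start such as 172.16.17.0 0.0.3.255 still matches 172.16.16.0-172.16.19.255 on a real router, because the masked bits are simply ignored, so the block_aligned check is what catches the mistake before it ships; and a standard list with only a permit entry (list 50 above) denies every other source, which is the intended effect for the VTY case but a common surprise elsewhere.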
===========================Named access list==========================
Router(config)#ip access-list standard {<1-99>|access-list-name}
Router(config)#ip access-list standard Sales
Router(config-std-nacl)#deny 172.16.40.0 0.0.0.255
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit
Router(config)#^z
Router(config)#int e1
Router(config-if)#ip access-group Sales out
Router(config-if)#^z
=========================Verifying access-list configuration=========================
Router#sh access-lists  (equivalent to show ip access-list)
//shows every access list configured on the router together with its entries, but not which interface each list is applied to
Standard IP access list 1
10 deny any
Standard IP access list 2
10 deny 0.0.0.0
20 permit any
Standard IP access list 5
10 deny 172.16.40.0, wildcard bits 0.0.0.31 (1777758 matches)
20 permit 192.168.98.24, wildcard bits 0.0.0.3
Extended IP access list 1510
10 permit icmp 172.16.30.5 0.0.3.255 any (338877 matches)
20 permit icmp host 172.16.64.101 any
30 deny tcp any host eq ftp (520 matches)
40 deny tcp any host eq telnet (1513 matches)
Router#sh access-lists 110 //shows only the entries of access list 110; this command also does not show which interface the list is applied to
Extended IP access list 110
10 permit ip 172.16.64.0 0.0.31.255 any
20 permit ip 172.16.30.0 0.0.63.255 any
30 permit ip 172.104.0.0 0.0.255.255 any
40 permit ip 172.85.137.64 0.0.0.63 any
50 deny ip any any log-input