Last updated: 2016-02-05
Introduction
Cisco ACLs come in 3 types, namely:
# standard access lists
L3 (1~99)
# extended access lists
L3, L4 (100~199)
# Named Access Lists
Uses network segments and hosts as the configuration targets
# show
show ip access-list
show access-list [N]
show ip interface [int]
Processing order of inbound and outbound ACLs
inbound ACL --> route --> outbound ACL
Router(config)#access-list 10 deny 172.16.40.0 0.0.0.255
Router(config)#access-list 10 permit any
Router(config)#int e1
Router(config-if)#ip access-group 10 out
Router(config)#access-list 110 deny tcp any host 172.16.30.5 eq 22
Router(config)#access-list 110 deny tcp any host 172.16.30.6 eq 23
Router(config)#access-list 110 permit ip any any
Router(config)#int e1
Router(config-if)#ip access-group 110 out
Port operators (operator port):
* lt
* gt
* eq
* neq
* range
port range:
range 100 200
Example
access-list outside_acl permit host singapore_wan_ip
access-list acl_permit permit ip 192.168.32.0 0.0.7.255
!--- This command is used to permit tcp traffic from
!--- 10.1.1.2 host machine to 172.16.1.1 host machine.
access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1
!--- This command is used to permit ip traffic from
!--- the 10.1.1.0 network to the 172.16.1.0 network.
access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended ACL
syntax
access-list access_list_name extended { deny | permit } protocol_argument source_address_argument dest_address_argument
access-list access_list_name extended { deny | permit } icmp source_address_argument dest_address_argument [ icmp_argument ]
e.g.
[1]
hostname(config)# access-list ACL_IN extended permit ip any any
[2]
hostname(config)# access-list OUT remark - this is the inside admin address
hostname(config)# access-list OUT extended permit ip host x.x.x.x any
Applying object-group protocol_grp_id
# allow certain hosts to ping
object-group icmp-type PingProto
icmp-object echo
icmp-object echo-reply
object-group network AllowPingGroup
network-object host x.x.x.x
object-group network WebService
network-object host y.y.y.y
access-list outside_acl remark allow_client_ping
access-list outside_acl extended permit icmp object-group AllowPingGroup object-group WebService object-group PingProto
ACL Example
# network object and group for the admin host
object network admin_vm
 host 192.168.3.199
object-group network admin_ip_group
 network-object object admin_vm
# network objects and group for the ESXi servers
object network esxi0
 host 192.168.2.91
object network esxi1
 host 192.168.2.92
object-group network esxi_server_group
 network-object object esxi0
 network-object object esxi1
# service objects and group for the allowed ports
object service esxi-port-443-tcp
 service tcp destination eq 443
object service esxi-port-22-tcp
 service tcp destination eq 22
object-group service esxi_service_group
 service-object object esxi-port-443-tcp
 service-object object esxi-port-22-tcp
# Rule
access-list outside_access_in extended permit object-group esxi_service_group object-group admin_ip_group object-group esxi_server_group log disable