[Figure 1: ACL access control list case]



Router(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 host 192.168.100.10

Router(config)#access-list 100 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq telnet

Router(config)#access-list 100 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 22

Router(config)#access-list 100 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 21

Router(config)#access-list 100 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 3389

Router(config)#int f1/1

Router(config-if)#ip access-group 100 out

##Only the 192.168.1.0/24 subnet may connect to the server over Telnet, SSH, FTP and Remote Desktop; the list is applied outbound on f1/1, the server-facing interface. Rule order matters: an extended ACL is matched top-down and the first match wins, so the permit for 192.168.1.0/24 must come before the deny lines for 192.168.0.0/16, which would otherwise match that subnet as well. Every ACL also ends with an implicit deny ip any any, so with these five entries any other traffic to the server leaving f1/1 (for example HTTP from an internal host outside 192.168.1.0/24, or from the internet) is dropped; add a final permit ip any any if only the four management ports are meant to be restricted.


Router(config)#access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 80

Router(config-if)#int f1/2

Router(config-if)#ip access-group 101 in

##Allow every internal host to reach port 80 on 192.168.100.10; the list is applied inbound on f1/2. A port match (eq 80) is only valid with a transport protocol, so the entry must use tcp rather than ip (IOS rejects eq after ip). Because of the implicit deny at the end of the list, nothing else entering f1/2 is forwarded: the SSH, Telnet and RDP sessions from 192.168.1.0/24 that ACL 100 is meant to permit are dropped here before ACL 100 is ever evaluated, and so is all internet-bound traffic from the LAN. Add the required permits (or a final permit ip any any) if that is not the intent.


Router(config)#access-list 102 permit tcp any host 192.168.100.10 eq 80

Router(config-if)#int f1/3

Router(config-if)#ip access-group 102 in

##Allow all external hosts to reach port 80 on 192.168.100.10; the list is applied inbound on f1/3. This list is number 102, not 101 (the show access-list output below confirms it as list 102), and the access-group must reference 102, otherwise the internal-only list 101 would be applied to the external interface. Note that a web request from an external address must still pass ACL 100 outbound on f1/1, which has no permit for sources outside 192.168.1.0/24; without an additional permit there, the implicit deny in ACL 100 drops it.


View the access lists with the following command.

Router#sh access-list

Extended IP access list 100

    10 permit ip 192.168.1.0 0.0.0.255 host 192.168.100.10

    20 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq telnet

    30 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 22

    40 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq ftp

    50 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 3389

Extended IP access list 101

    10 permit tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq www

Extended IP access list 102

    10 permit tcp any host 192.168.100.10 eq www
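The three lists above are easy to misread because the implicit deny at the end of each list and the evaluation order (inbound ACL on the ingress interface first, then outbound ACL on the egress interface) are invisible in the configuration. The following Python script is an added example, not code from the original page: it models the IOS first-match rules for the exact entries shown (list 101 entered with tcp, as a port match requires) and runs constructed test packets through them. The source addresses 192.168.1.5, 192.168.2.5 and 203.0.113.7 are assumptions chosen to exercise the rules; only the server address and the ACL entries come from the page.

```python
"""Added example (not from the original page): a first-match evaluator for the
extended ACLs above, so the effect of rule order and of the implicit
'deny ip any any' can be checked offline with constructed test packets.
IOS semantics modelled: a list is read top-down, the first matching entry
decides, and a packet that matches no entry is dropped."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Names IOS substitutes for well-known ports in 'show access-list' output.
PORT_NAMES = {"telnet": 23, "ssh": 22, "ftp": 21, "www": 80}


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is a don't-care."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; otherwise "tcp"/"udp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]   # None means any destination port


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' as written on the page."""
    tok = line.split()
    action, proto, i = tok[2], tok[3], 4

    def address() -> Tuple[str, str]:
        nonlocal i
        if tok[i] == "host":        # host X is shorthand for X 0.0.0.0
            i += 2
            return tok[i - 1], "0.0.0.0"
        if tok[i] == "any":         # any is shorthand for 0.0.0.0 255.255.255.255
            i += 1
            return "0.0.0.0", "255.255.255.255"
        i += 2
        return tok[i - 2], tok[i - 1]

    src, src_wc = address()
    dst, dst_wc = address()
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First match wins. Returns (action, sequence number); sequence None means
    no entry matched and the implicit 'deny ip any any' applied."""
    for seq, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, ace.src, ace.src_wc)
                and wildcard_match(dst, ace.dst, ace.dst_wc)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, seq * 10
    return "deny", None


def path_decision(inbound: List[Ace], outbound: List[Ace], proto: str,
                  src: str, dst: str, dport: int) -> Tuple[str, str, Optional[int]]:
    """A packet crossing the router meets the ingress interface's inbound ACL first;
    only if that permits it is the egress interface's outbound ACL consulted."""
    action, seq = evaluate(inbound, proto, src, dst, dport)
    if action == "deny":
        return "deny", "inbound", seq
    action, seq = evaluate(outbound, proto, src, dst, dport)
    return action, "outbound", seq


# The three lists from the page (101 entered with tcp, as a port match requires).
ACL_100 = [parse_ace(entry) for entry in (
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 host 192.168.100.10",
    "access-list 100 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq telnet",
    "access-list 100 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 22",
    "access-list 100 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 21",
    "access-list 100 deny tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 3389",
)]
ACL_101 = [parse_ace("access-list 101 permit tcp 192.168.0.0 0.0.255.255 host 192.168.100.10 eq 80")]
ACL_102 = [parse_ace("access-list 102 permit tcp any host 192.168.100.10 eq 80")]

SERVER = "192.168.100.10"

if __name__ == "__main__":
    # Constructed test packets; every source address here is an assumption.
    print("SSH 192.168.1.5 -> server, ACL 100 alone:", evaluate(ACL_100, "tcp", "192.168.1.5", SERVER, 22))
    print("SSH 192.168.2.5 -> server, ACL 100 alone:", evaluate(ACL_100, "tcp", "192.168.2.5", SERVER, 22))
    print("HTTP 192.168.2.5 -> server, ACL 100 alone:", evaluate(ACL_100, "tcp", "192.168.2.5", SERVER, 80))
    print("SSH 192.168.1.5 in f1/2 (101) out f1/1 (100):", path_decision(ACL_101, ACL_100, "tcp", "192.168.1.5", SERVER, 22))
    print("HTTP 203.0.113.7 in f1/3 (102) out f1/1 (100):", path_decision(ACL_102, ACL_100, "tcp", "203.0.113.7", SERVER, 80))
```

Run against the page's entries, the script shows that ACL 100 on its own behaves as described (management ports from 192.168.1.0/24 permitted by line 10, from the rest of 192.168.0.0/16 denied by lines 20 to 50), but that the complete design does not: SSH from 192.168.1.0/24 is dropped by the implicit deny of ACL 101 before ACL 100 is reached, and external HTTP is admitted by ACL 102 only to be dropped by the implicit deny of ACL 100 on the way out. Swapping line 10 of ACL 100 below the deny lines (`ACL_100[1:] + ACL_100[:1]`) makes the management subnet hit a deny too, which is the rule-order point the configuration depends on.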