一)标准的 IP Access-list 若选用中的任意一个号码即表示一个标准的Ip Access-list 产生,标准的IP Acces=list 只对数据包中的IP源地址进行检查限制,因此若要应用一个标准的IP Access-list,我建议将其配置在一个目的端的路由器上.
(二)扩展的IP Access-list 当你要对目的地址,高层协议,高层服务等进行过滤,则需要配置扩展的IP Access-list .其范围号码是, 一般来说,在一个源端的路由器上进行此配置.其中,在配置完access-list type 后,你要选一个协议,在这里如果你选了IP,这将表示你的路由器不会对高层的协议或服务进行过滤.所以IP一般要慎选.
例:
/***********************************************************/
RouterA(config)#access-list ?
IP standard access list
IP extended access list
IPX SAP access list
Extended 48-bit MAC address access list
IPX summary address access list
Protocol type-code access list
DECnet access list
XNS standard access list
XNS extended access list
Appletalk access list
48-bit MAC address access list
IPX standard access list
IPX extended access list
/***********************************************************/
RouterA(config)#access-list 110 ?
deny Specify packet
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
/***********************************************************/
RouterA(config)#access-list 110 deny ?
An IP protocol number
eigrp Cisco's EIGRP routing protocol
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
/***********************************************************/
RouterA(config)#access-list 110 deny tcp ?
A.B.C.D Source address
any Any source host
host A single source host
tcp Transmission Control Protocol
udp User Datagram Protocol
/***********************************************************/
RouterA(config)#access-list 110 deny tcp any ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
/***********************************************************/
RouterA(config)#access-list 110 deny tcp any host
172.16.30.2 ?
eq Match only packets on a given port number
established Match established connections
fragments Check fragments
gt Match only packets with a greater port
number
log Log matches against this entry
log-input Log matches against this entry,including
inputinterface
lt Match only packets with a lower port number
neq Match only packets not on a given port
number
precedence Match packets with given precedence value
range Match only packets in the range of port
numbers
tos Match packets with given TOS value
/***********************************************************/
RouterA(config)#access-list 110 deny tcp any host
172.16.30.2 eq ?
Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd,51 4)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
echo Echo (7)
/***********************************************************/
RouterA(config)#access-list 110 deny tcp any host
172.16.30.2 eq 23 log
exec Exec (rsh,512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp File Transfer Protocol (21)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin,513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP,80)
最后不要忘了在端口激活这个Access-list,否则它是不会起作用的!
RouterA(config-if)#ip access-group 110 in
or
RouterA(config-if)#ip access-group 110 out访问表的包过滤规则:
1、标准包过滤 该种包过滤只对数据包中的源地址进行检查
2、扩展包过滤 该种包过滤对数据包中的源地址,目的地址,协议及端口号进行检查。
包过滤功能配置
1、定义标准包过滤规则,在全局配置状态下access-list 标识号码 deny 或permit 源地址通配符或在全局配置状态下,定义扩展包过滤规则access-list 标识号码 deny或permit 协议标识 源地址 通配符 目地地址 通配符。
可以在指定范围内任意选择一个标识号码定义相应的包过滤规则,deny参数表示禁止,pernit表示允许。通配符也为32位二进制数字,并与相应的地址一一对应。路由器将检查与通配符中的“0”(2进制)位置一样的地址位,对于通配符中“1”(2进制)位置一致的地址位,将忽略不检查。
一个包过滤规则可以包含一系列检查条件,即可以用同一标识号码定义一系列access-list语句,路由器将从最先定义的条件开始依次检查,如数据包满足某个条件,路由器将不再执行下面的包过滤条件,如果数据包不满足规则中的所有条件,Cisco路由器缺省为禁止该数据包,即丢掉该数据包。
2、在需要包过滤功能的端口,引出包过滤规则
ip access-group包过滤规则标识号in或out,其中in 表示对进入该端口的数据包进行检查,out表示对要从该端口送出的数据包进行检查。如果不进行步骤2的配置,则所定义的包过滤规则根本不会执行。
实例:
Currrent configuration:
!
version 11.3
no service password-encryption
!
hostname 2511-1
!
enable password cisco
!
username 2505 password 0 cisco
no ip domain-lookup
!
interface Ethernet0
ip address 192.4.1.1 255.255.255.0
ip access-group 101 in
