Extended ACLs (100–199)
Summary of the extended ACL syntax:
Router(config)#access-list 100 permit <protocol, e.g. ip> <source> <source-wildcard> <destination> <destination-wildcard>
access-list 100 permit ip 192.168.1.0 0.0.0.255 host 192.168.4.2
An extended list can filter on layers 3, 4 and 7 of the OSI model:
Layer 3 (network): IP, ICMP (ping)
Layer 4 (transport): TCP and UDP port numbers (0–65535)
Layer 7 (application): TCP 80 -> HTTP, TCP 23 -> Telnet, UDP 53 -> DNS
- Note: IP is the broadest protocol keyword; ping traffic (ICMP) is carried inside IP, so an entry written for ip also matches ICMP.
Steps to build an extended ACL:
1) Build the list
access-list 100 deny icmp 192.168.1.0 0.0.0.255 host 192.168.4.2
(denies ping from the 192.168.1.0/24 subnet to the host)
access-list 100 deny icmp host 192.168.2.2 host 192.168.4.2
access-list 100 permit ip 192.168.1.0 0.0.0.255 host 192.168.4.2
access-list 100 permit ip host 192.168.2.2 host 192.168.4.2
access-list 100 deny tcp host 172.16.1.2 host 192.168.1.2 eq www
access-list 100 permit ip any any
R2(config)#access-list 100 permit tcp host 1.1.1.1 host 2.2.2.2 eq ?
  <0-65535>  Port number
  ftp        File Transfer Protocol (21)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  telnet     Telnet (23)
  www        World Wide Web (HTTP, 80)
2) Apply the list
R2(config)#int e1/1
R2(config-if)#ip access-group 100 out
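The list above is only useful if you can predict which entry a packet will hit. The following Python script is an added example, not part of the original notes and not Cisco code: it simulates the matching rules an IOS router applies to an extended ACL (wildcard masks where a 1 bit means "don't care", first matching entry wins, implicit deny at the end) and runs the access-list 100 entries from step 1 against a few constructed packets. It is deliberately simplified: IPv4 only, and only the destination-port `eq` form shown on this page (no source ports, ranges or `established`).

```python
import ipaddress

# Port keywords accepted by "eq", taken from the IOS help output above.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i].
    Accepts 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns (base, wildcard, next_index) with addresses as 32-bit ints."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _to_int(tokens[i + 1]), 0, i + 2
    return _to_int(tokens[i]), _to_int(tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse one 'access-list 1xx permit|deny proto src dst [eq port]' entry."""
    t = line.split()
    if t[0] != "access-list" or not 100 <= int(t[1]) <= 199:
        raise ValueError("not an extended (100-199) ACL entry: " + line)
    action, proto = t[2].lower(), t[3].lower()
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    return {"action": action, "proto": proto,
            "src": (src, src_wc), "dst": (dst, dst_wc), "dport": dport}


def _addr_matches(addr, spec):
    base, wildcard = spec
    # Only the bits where the wildcard is 0 have to be equal.
    return (_to_int(addr) ^ base) & (~wildcard & 0xFFFFFFFF) == 0


def ace_matches(ace, pkt):
    # 'ip' is the broadest keyword: it matches ICMP, TCP and UDP alike.
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return _addr_matches(pkt["src"], ace["src"]) and _addr_matches(pkt["dst"], ace["dst"])


def evaluate(acl_lines, pkt):
    """Return (action, index of the matching entry). First match wins; a packet
    that matches nothing hits the implicit deny, reported with index None."""
    for idx, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], idx
    return "deny", None


# The list built in step 1 above.
ACL_100 = [
    "access-list 100 deny icmp 192.168.1.0 0.0.0.255 host 192.168.4.2",
    "access-list 100 deny icmp host 192.168.2.2 host 192.168.4.2",
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 host 192.168.4.2",
    "access-list 100 permit ip host 192.168.2.2 host 192.168.4.2",
    "access-list 100 deny tcp host 172.16.1.2 host 192.168.1.2 eq www",
    "access-list 100 permit ip any any",
]


# Constructed packets for the demonstration (not captured traffic).
def ping(src, dst):
    return {"proto": "icmp", "src": src, "dst": dst}


def tcp(src, dst, dport):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    for pkt in (ping("192.168.1.7", "192.168.4.2"),
                tcp("192.168.1.7", "192.168.4.2", 80),
                tcp("172.16.1.2", "192.168.1.2", 80),
                tcp("172.16.1.2", "192.168.1.2", 22)):
        print(pkt, "->", evaluate(ACL_100, pkt))
    # Same entries, deny icmp moved below permit ip: the ping is now allowed.
    reordered = [ACL_100[2], ACL_100[0]] + ACL_100[3:]
    print("reordered ping ->", evaluate(reordered, ping("192.168.1.7", "192.168.4.2")))
```

Two things the run makes visible that the command list alone does not: the `permit ip` entry for 192.168.1.0/24 would also let ICMP through if it came first, which is why the `deny icmp` lines sit above it, and without the final `permit ip any any` every packet not covered by an earlier entry is dropped by the implicit deny.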