ACL配置命令总结

ACL配置命令总结

A．标准ACL

1.access-list access-list-number {deny|permit} {source[source-wildcard] | any} [log] 创建ACL

2.ip access-group access-list-number in/out 在接口应用ACL

3.no access-list access-list-number 删除acl

4.no ip access-group access-list-number in/out 取消在接口应用ACL

5.[no] ip access-list standarded 名字

[no] Deny ……

Permit ….. 创建/删除命名的acl

Ip access-group 名字in/out

6.show access-lists 查看acl

7.no number 删除行

B．扩展ACL

1.扩展的编辑功能:

例子:ip access-list extended 100

15 permit ……. 插入编号15

2.Ip access-list resequence access-list-number start increase重新编号，有开始编号以及步长值

3．Established使用：只允许带有established的TCP包进入同理有:access-list 100 permit icmp any any echo-replay 即是单向ping有效

4．使用acl限制远程登录

Access-list 1 permit ip地址

Line vty 0 4

Access-class 1 in

C．反射ACL

1.ip access-list extended out-acl

Permit ip any any reflect out-ip 创建反射

Exit

Ip access-list extended in-acl

Evaluate out-ip 评估反射列表

Int s0/0/1

Ip access-group out-acl out 外出时叫做反射

Ip access-group in-acl in 进入时叫做评估

Ip reflexive-list timeout 30 修改全局超时时间

D．动态ACL

1.临时条目的生存周期

空闲时间:产生临时条目是同时启动空间时间以及绝度时间，每当一个报文匹配动态访问列表时更新空闲时间。

绝对时间:永不复位，到了结束时间将临时条目删除

2.access-list 100 permit tcp any host 12.1.12 eq 23

access-list 100 permit tcp any host 12.1.12 eq 3001

access-list 100 dynamic cisco timeout 120 permit ip any any user cisco pass cisco

line vty 0 3

login loacl

autocommand access-enable host timeout 5

line vty 4

login local

rotary 1

int s0/0/1

ip access-list 100 in

E．基于时间的ACL

1.time-range working定义时间范围名字

2.periodic daily/weekdays/weekend/hh:mm 8：00 to 12：00

2.access-list100 deny ip any any time-range working