Cisco ACL配置全解

思科⽹络配置-ACL1、标准ACL Router(config)# access-list access-list-number {permit | deny | remark} source [mask] Router(config-if)# ip access-group access-list-number {in | out} *表号------- 1 to 99 *缺省的通配符掩码 0.0.0.0 *no access-list access-list-number 移除整个ACL *remark 给访问列表添加功能注释 *mask 反掩码2.扩展ACL 扩展访问控制列表是⼀种⾼级的ACL，配置命令的具体格式如下： access-list ACL号 [permit|deny] [协议] [定义过滤源主机范围] [定义过滤源端⼝] [定义过滤⽬的主机访问] [定义过滤⽬的端⼝] 例如：access-list 101 deny tcp any host 192.168.1.1 eq www这句命令是将所有主机访问192.168.1.1这个地址⽹页服务（WWW）TCP连接的数据包丢弃。

⼩提⽰：同样在扩展访问控制列表中也可以定义过滤某个⽹段，当然和标准访问控制列表⼀样需要我们使⽤反向掩码定义IP地址后的⼦⽹掩码。

　 表号 100 to 199　3.命名访问控制列表 命名访问控制列表格式： ip access-list {standard/extended} <access-list-name>（可有字母，数字组合的字符串) 例如：ip access-list standard softer //建⽴⼀个名为softer的标准访问控制列表。

1. router（config）#ip access-list standard +⾃定义名2. router（config-std-nac1）#11 permit host +ip //默认情况下第⼀条为10,第⼆条为20.如果不指定序列号，则新添加的ACL被添加到列表的末尾3. router（config-std-nac1）#deny any4. router（config）#ip access-list standard benet5. router（config-std-nasl）#no 116. 使⽤show access-lists可查看配置的acl信息ACL的过滤流程： 1、按顺序的⽐较：先⽐较第⼀⾏，如果不匹配，再⽐较第⼆⾏，依次类推直到最后⼀⾏ 2、从第⼀⾏起，直到找到⼀个符合条件的⾏，符合以后就不再继续⽐较下去 3、默认在每个ACL中的最后⼀⾏为隐含的拒绝，最后要加pemint any,使其他的⽹络可通。

思科ACL访问控制列表常规配置操作详解本⽂实例讲述了思科ACL访问控制列表常规配置操作。

分享给⼤家供⼤家参考，具体如下：⼀、ACL概述ACL (Access Control List,访问控制列表）是⼀系列运⽤到路由器接⼝的指令列表。

这些指令告诉路由器接收哪些数据包、拒绝哪些数据包，接收或者拒绝根据⼀定的规则进⾏，如源地址、⽬标地址、端⼝号等。

ACL使得⽤户能够管理数据流，检测特定的数据包。

路由器将根据ACL中指定的条件，对经过路由器端⼝的数据包进⾏检査。

ACL可以基于所有的Routed Protocols (被路由协议，如IP、IPX等）对经过路由器的数据包进⾏过滤。

ACL在路由器的端⼝过滤数据流，决定是否转发或者阻⽌数据包。

ACL应该根据路由器的端⼝所允许的每个协议来制定，如果需要控制流经某个端⼝的所有数据流，就需要为该端⼝允许的每⼀个协议分别创建ACL。

例如，如果端⼝被配置为允许IP、AppleTalk和IPX协议的数据流，那么就需要创建⾄少3个ACL, 本⽂中仅讨论IP的访问控制列表。

针对IP协议，在路由器的每⼀个端⼝,可以创建两个ACL:—个⽤于过滤进⼊（inbound)端⼝的数据流，另⼀个⽤于过滤流出（outboimd)端⼝的数据流。

顺序执⾏：—个ACL列表中可以包含多个ACL指令，ACL指令的放置顺序很重要。

当路由器在决定是否转发或者阻⽌数据包的时候，Cisco的IOS软件，按照ACL中指令的顺序依次检査数据包是否满⾜某⼀个指令条件。

当检测到某个指令条件满⾜的时候，就执⾏该指令规定的动作，并且不会再检测后⾯的指令条件。

ACL作⽤： * 限制⽹络流量，提⾼⽹络性能。

* 提供数据流控制。

* 为⽹络访问提供基本的安全层。

⼆、ACL 类型1. 标准ACL: access-list-number编号1~99之间的整数，只针对源地址进⾏过滤。

2. 扩展ACL: access-list-number编号100~199之间的整数，可以同时使⽤源地址和⽬标地址作为过滤条件，还可以针对不同的协议、协议的特征、端⼝号、时间范围等过滤。

详解cisco访问控制列表ACL一：访问控制列表概述〃访问控制列表（ACL）是应用在路由器接口的指令列表。

这些指令列表用来告诉路由器哪些数据包可以通过，哪些数据包需要拒绝。

〃工作原理：它读取第三及第四层包头中的信息，如源地址、目的地址、源端口、目的端口等。

根据预先设定好的规则对包进行过滤，从而达到访问控制的目的。

〃实际应用：阻止某个网段访问服务器。

阻止A网段访问B网段，但B网段可以访问A网段。

禁止某些端口进入网络，可达到安全性。

二：标准ACL〃标准访问控制列表只检查被路由器路由的数据包的源地址。

若使用标准访问控制列表禁用某网段，则该网段下所有主机以及所有协议都被禁止。

如禁止了A网段，则A网段下所有的主机都不能访问服务器，而B网段下的主机却可以。

用1----99之间数字作为表号一般用于局域网，所以最好把标准ACL应用在离目的地址最近的地方。

〃标准ACL的配置：router（config）#access-list表号 deny(禁止)网段/IP地址反掩码********禁止某各网段或某个IProuter（config）#access-list表号 permit（允许） any注：默认情况下所有的网络被设置为禁止，所以应该放行其他的网段。

router（config）#interface 接口 ******进入想要应用此ACL的接口（因为访问控制列表只能应用在接口模式下）router（config-if）#ip access-group表号 out/in ***** 设置在此接口下为OUT或为IN其中router(config)#access-list 10 deny 192.168.0.10.0.0.0 =router(config)#access-list 10 deny host 192.168.0.1router(config)#access-list 10 deny 0.0.0.0255.255.255.255 =router(config)#access-list 10 deny anyrouter#show access-lists ******查看访问控制列表。

配置命名ACL名字（Named）访问控制列表允许IP标准的（或者扩展的）访问列表使用字母-数字串（名字）表示，而不是使用上面所述的代码表示。

对于使用数字表示的IP访问控制列表条件语句，网络管理员若想要单独把其中某个语句删除是不可能的，他只能把整个IP访问列表删除，然后再重写，很不灵活。

而使用命名的IP访问列表可以从一个特定的访问列表中去删除单个的条件语句。

另外，使用命名的访问控制列表直观，管理员可以把访问控制列表的功能作为该列表的名字，这样不需要逐个条件语句分析就知道该访问控制列表的作用。

在使用代码配置访问控制列表时，被选择的代码有两层含义：它代表着访问控制列表的类型（标准访问列表或扩展访问列表）和针对的协议（检查IP协议数据还是其他协议数据）。

使用命名的访问列表时，也应声明是针对哪一种协议的访问控制列表及其类型。

不能在多个访问列表中使用相同的名字，不同类型的访问列表也不能使用相同的名字。

例如，某个标准访问列表被命名为“Market”,而某个扩展访问列表也被命名为Market,这是非法的。

注意：访问控制列表中的名字是大小写敏感的，例如，Market与market是不同的名字；此外，访问列表的名字不能以数字开头，例如，3abc是非法的名字。

在IOS11.2版之前不支持命名的访问控制列表。

命名访问控制列表的语法如下：（1）定义命名ACLRouter(config)#ip access-list {standard | extended} name×name:为ACL命的名字；进入命名的访问控制列表配置模式后：Router(config-{std | ext}-nac)#{test conditions}(2) 与接口关联Router(config-if)#ip access-group name {in | out}例如：Router(config)#ip access-list standard exampleRouter(config-std-nac)#permit 100.100.1.2 0.0.0.0Router(config-std-nac)#deny 11.10.0.0. 0.0.255.255Router(config-std-nac)#permit anyRouter(config)#interface s0Router(config-if)#ip access-group example in如果要删除某条件语句，例如，删除最后一条，可这样：Router(config-std-nac)#no permit any。

Cisco配置ACL-电脑资料第一阶段实验：配置实验环境，网络能正常通信R1的配置：R1>enR1#conf tR1（config）#int f0/0R1（config-if）#ip addr 10.0.0.1 255.255.255.252R1（config-if）#no shutR1（config-if）#int loopback 0R1（config-if）#ip addr 123.0.1.1 255.255.255.0R1（config-if）#int loopback 1R1（config-if）#ip addr 1.1.1.1 255.255.255.255R1（config-if）#exitR1（config）#ip route 192.168.0.0 255.255.0.0 10.0.0.2 R1（config）#username benet password testR1（config）#line vty 0 4R1（config-line）#login localSW1的配置：SW1>enSW1#vlan dataSW1（vlan）#vlan 2SW1（vlan）#vlan 3SW1（vlan）#vlan 4SW1（vlan）#vlan 100SW1（vlan）#exitSW1#conf tSW1（config）#int f0/1SW1（config-if）#no switchportSW1（config-if）#ip addr 10.0.0.2 255.255.255.252SW1（config-if）#no shutSW1（config-if）#exitSW1（config）#ip route 0.0.0.0 0.0.0.0 10.0.0.1SW1（config）#int range f0/14 - 15SW1（config-if-range）#switchport trunk encapsulation dot1qSW1（config-if-range）#switchport mode trunkSW1（config-if-range）#no shutSW1（config-if-range）#exitSW1（config）#int vlan 2SW1（config-if）#ip addr 192.168.2.1 255.255.255.0SW1（config-if）#no shutSW1（config-if）#int vlan 3SW1（config-if）#ip addr 192.168.3.1 255.255.255.0SW1（config-if）#no shutSW1（config-if）#int vlan 4SW1（config-if）#ip addr 192.168.4.1 255.255.255.0SW1（config-if）#no shutSW1（config-if）#int vlan 100SW1（config-if）#ip addr 192.168.100.1 255.255.255.0SW1（config-if）#no shutSW1（config-if）#exitSW1（config）#ip routingSW1（config）#int vlan 1SW1（config-if）#ip addr 192.168.0.1 255.255.255.0SW1（config-if）#no shutSW1（config-if）#exitSW1（config）#username benet password testSW1（config）#line vty 0 4SW2的配置：SW2>enSW2#vlan dataSW2（vlan）#vlan 2SW2（vlan）#vlan 3SW2（vlan）#vlan 4SW2（vlan）#exitSW2#conf tSW2（config）#int f0/15SW2（config-if）#switchport mode trunkSW2（config-if）#no shutSW2（config-if）#exitSW2（config）#int f0/1SW2（config-if）#switchport mode accessSW2（config-if）#switchport access vlan 2SW2（config-if）#no shutSW2（config-if）#int f0/2SW2（config-if）#switchport mode accessSW2（config-if）#switchport access vlan 3SW2（config-if）#no shutSW2（config-if）#int f0/3SW2（config-if）#switchport mode accessSW2（config-if）#switchport access vlan 4SW2（config-if）#no shutSW2（config-if）#int vlan 1SW2（config-if）#ip addr 192.168.0.2 255.255.255.0 SW2（config-if）#no shutSW2（config-if）#exitSW2（config）#ip default-gateway 192.168.0.1SW2（config）#username benet password test SW2（config）#line vty 0 4SW2（config-line）#login localSW3的配置：SW3>enSW3#vlan dataSW3（vlan）#vlan 100SW3（vlan）#exitSW3#conf tSW3（config）#int f0/15SW3（config-if）#switchport mode trunkSW3（config-if）#no shutSW3（config-if）#int f0/1SW3（config-if）#switchport mode accessSW3（config-if）#switchport access vlan 100SW3（config-if）#no shutSW3（config-if）#int vlan 1SW3（config-if）#ip addr 192.168.0.3 255.255.255.0 SW3（config-if）#no shutSW3（config-if）#exitSW3（config）#ip default-gateway 192.168.0.1 SW3（config）#no ip routingSW3（config）#username benet password test SW3（config）#line vty 0 4SW3（config-line）#login local网络管理区主机PC1（这里用路由器模拟）R5>enR5#conf tR5（config）#int f0/0R5（config-if）#ip addr 192.168.2.2 255.255.255.0R5（config-if）#no shutR5（config-if）#exitR5（config）#ip route 0.0.0.0 0.0.0.0 192.168.2.1财务部主机PC2配置IP:IP地址：192.168.3.2 网关：192.168.3.1信息安全员主机PC3配置IP:IP地址：192.168.4.2 网关：192.168.4.1服务器主机配置IP:IP地址：192.168.100.2 网关：192.168.100.1第一阶段实验验证测试：所有部门之间的主机均能互相通信并能访问服务器和外网（测试方法：用PING命令）在所有主机上均能远程管理路由器和所有交换机，，电脑资料《Cisco 配置ACL》(https://www.)。

访问控制列表ACLACL简介ACL（Access Control List）是一个常用的用于流量匹配的工具，ACL通过对数据包中的源IP、目标IP、协议、源端口、目标端口这5元素进行匹配，然后对匹配的数据执行相应的策略（转发、丢弃、NAT 转换、限速）1.对访问网络的流量进行过滤，实现网络的安全访问；2. 网络地址转换(NAT)；3. QOS服务质量；4. 策略路由。

策略：要求1.1和1.2可以访问财务部(1.1和1.2 是销售部经理),其他不允许访问财务。

一、标准ACL:匹配条件较少，只能通过源IP地址和时间段进行流量匹配，在一些需要进行简单匹配的环境中使用。

R(config)# access-list 编号策略源地址编号：标准ACL范围1--- 99策略：permit允许 | deny 拒绝源地址：要严格检查的地址（ IP+通配符掩码）通配符掩码--- 是用来限定特定的地址范围（反掩码）用0 表示严格匹配用1 表示不检查例：主机 172.16.1.1 通配符掩码 0.0.0.0 32位都要检查主网 172.16.0.0/16 通配符掩码0.0.255.255 检查16位子网 172.16.1.0/24 通配符掩码0.0.0.255 24位要检查任意的 0.0.0.0 通配符掩码255.255.255.255不检查主机 ---- host 172.16.1.1 任意 ---- any练习：192.168.1.64/28子网掩码：255.255.255.240子网号： 192.168.1.64/28 (剩余4个主机位，网络号是16的倍数)广播地址： 192.168.1.79 (下一个网络号-1)通配符掩码 0.0.0.15 (比较前28位)通配符掩码 = 255.255.255.255 - 子网掩码也称为反掩码将ACL与接口关联：R(config-if)#ip access-group 编号 {in|out}{in|out} 表明在哪个方向上的数据进行控制策略：要求1.1和1.2可以访问财务部(1.1和1.2 是销售部经理)，其他不允许访问财务部。

cisco访问控制列表acl所有配置命令详解Cisco 路由ACL（访问控制列表）的配置标准ACL Router(config)#access-list 1-99 permit/deny 192.168.1.1（源IP）0.0.0.255（反码）Router(config)#interface f0/0 Router(config-if)#ip access-group 1-99 out/in 扩展ACL Router(config)#access-list 100-199 permit/deny tcp （协议类型）192.168.1.1（源IP） 0.标准ACLRouter(config)#access-list 1-99 permit/deny 192.168.1.1（源IP） 0.0.0.255（反码）Router(config)#interface f0/0Router(config-if)#ip access-group 1-99 out/in扩展ACLRouter(config)#access-list 100-199 permit/deny tcp（协议类型） 192.168.1.1（源IP） 0.0.0.255（源IP反码） 172.16.0.1（目标IP） 0.0.255.255（目标IP反码） eq ftp/23 端口号Router(config)#interface f0/0Router(config-if)#ip access-group 100-199 out/in基于时间的ACL设定路由器的时间:#clock set {hh:mm:ss} {data} {month} {year}Router(config)#time-range wangxin （定义时间名称）以下有两种：1.absouluterRouter(config-time-range)#absouluter指定绝对时间范围start hh:mm end hh:mm Day（日） MONTH(月份） YEAR（年份）end hh:mm end hh:mm Day（日） MONTH(月份） YEAR（年份）如果省略start及其后面的时间，则表示与之相联系的permit或deny语句立即生效，并一直作用到end处的时间为止。

cisco路由器配置ACL详解ACL（Access Control List）是一种在Cisco路由器上配置的安全控制功能，用于控制网络流量的进出。

通过使用ACL，管理员可以根据特定的源地质、目标地质、端口号等条件来限制网络流量的传输。

本文将详细介绍如何在Cisco路由器上配置ACL。

第一章：ACL概述1.1 什么是ACL1.2 ACL的作用和用途1.3 ACL的优点和限制第二章：ACL配置方法2.1 基于标准访问列表（Standard Access List）的配置步骤2.2 基于扩展访问列表（Extended Access List）的配置步骤2.3 应用ACL到接口的配置步骤第三章：标准访问列表（Standard Access List）3.1 标准访问列表的介绍3.2 标准访问列表的配置示例3.3 标准访问列表的注意事项第四章：扩展访问列表（Extended Access List） 4.1 扩展访问列表的介绍4.2 扩展访问列表的配置示例4.3 扩展访问列表的注意事项第五章：应用ACL到接口5.1 应用ACL到入站（Inbound）接口的配置步骤 5.2 应用ACL到出站（Outbound）接口的配置步骤 5.3 应用ACL到VLAN接口的配置步骤第六章：法律名词及注释6.1 法律名词1的定义及注释6.2 法律名词2的定义及注释6.3 法律名词3的定义及注释附件：1、示例配置文件12、示例配置文件2请注意：文档中描述的配置选项和命令可能因不同的cisco路由器型号和软件版本而有所不同，具体的配置步骤应根据您的路由器型号和软件版本进行调整。

本文档涉及附件：（请根据实际情况列出涉及的附件）本文所涉及的法律名词及注释：（请根据实际情况列出相关法律名词及其注释）。

Configuring IP Access ListsContentsIntroduction Prerequisites Requirements Components Used Conventions ACL Concepts MasksACL Summarization Process ACLsDefine Ports and Message Types Apply ACLsDefine In, Out, Inbound, Outbound, Source, and Destination Edit ACLs Troubleshoot Types of IP ACLs Network Diagram Standard ACLs Extended ACLsLock and Key (Dynamic ACLs) IP Named ACLs Reflexive ACLsTime-Based ACLs Using Time Ranges Commented IP ACL Entries Context-Based Access Control Authentication Proxy Turbo ACLsDistributed Time-Based ACLs Receive ACLsInfrastructure Protection ACLs Transit ACLsCisco Support Community - Featured Conversations Related InformationIntroductionThis document describes how IP access control lists (ACLs) can filter network traffic. It also contains brief descriptions of the IP ACL types, featureavailability, and an example of use in a network.TAC Notice: What's Changing on TAC WebHelp us help you.Please rate thisdocument.Excellent GoodAverageFair PoorThis document solvedmy problem.YesNoJust browsing Suggestions for improvement:(256 character limit)SendAccess the Software Advisor (registered customers only) tool in order to determine the support of some of the more advanced Cisco IOS® IP ACL features.RFC 1700 contains assigned numbers of well-known ports. RFC 1918 contains address allocation for private Internets, IP addresses which should not normally be seen on the Internet.Note: ACLs might also be used for purposes other than to filter IP traffic, for example, defining traffic to Network Address Translate (NAT) or encrypt, or filtering non-IP protocols such as AppleTalk or IPX.A discussion of these functions is outside the scope of this document.PrerequisitesRequirementsThere are no specific prerequisites for this document. The concepts discussed are present in Cisco IOS® Software Releases 8.3 or later. This is noted under each access list feature.Components UsedThis document discusses various types of ACLs. Some of these are present since Cisco IOS Software Releases 8.3 and others were introduced in later software releases. This is noted in the discussion of each type.The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.ConventionsRefer to Cisco Technical Tips Conventions for more information on document conventions.ACL ConceptsThis section describes ACL concepts.MasksMasks are used with IP addresses in IP ACLs to specify what should be permitted and denied. Masks in order to configure IP addresses on interfaces start with 255 and have the large values on the left side, for example, IP address 209.165.202.129 with a 255.255.255.224 mask. Masks for IP ACLs are the reverse, for example, mask 0.0.0.255. This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the results determine which address bits are to be considered in processing the traffic. A 0 indicates that the address bits must be considered (exact match); a 1 in the mask is a "don't care". This table further explains the concept.Mask Examplenetwork addressBased on the binary mask, you can see that the first three sets (octets) must match the given binary network address exactly (00001010.00000001.00000001). The last set of numbers are "don'tcares" (.11111111). Therefore, all traffic that begins with 10.1.1. matches since the last octet is "don't care". Therefore, with this mask, network addresses 10.1.1.1 through 10.1.1.255 (10.1.1.x) are processed.Subtract the normal mask from 255.255.255.255 in order to determine the ACL inverse mask. In this example, the inverse mask is determined for network address 172.16.1.0 with a normal mask of 255.255.255.0.●255.255.255.255 - 255.255.255.0 (normal mask) = 0.0.0.255 (inverse mask)Note these ACL equivalents.●The source/source-wildcard of 0.0.0.0/255.255.255.255 means "any". ●The source/wildcard of 10.1.1.2/0.0.0.0 is the same as "host 10.1.1.2".ACL SummarizationNote: Subnet masks can also be represented as a fixed length notation. For example, 192.168.10.0/24 represents 192.168.10.0 255.255.255.0.This list describes how to summarize a range of networks into a single network for ACL optimization. Consider these networks.192.168.32.0/24 192.168.33.0/24 192.168.34.0/24 192.168.35.0/24 192.168.36.0/24 192.168.37.0/24 192.168.38.0/24 192.168.39.0/24The first two octets and the last octet are the same for each network. This table is an explanation of how to summarize these into a single network.The third octet for the previous networks can be written as seen in this table, according to the octet bit position and address value for each bit.(traffic that is tobe processed) 10.1.1.0mask0.0.0.255network address(binary) 00001010.00000001.00000001.00000000mask (binary)00000000.00000000.00000000.11111111Decimal128 64 32 16 8 4 2 132 0 0 1 0 0 0 0 033 0 0 1 0 0 0 0 134 0 0 1 0 0 0 1 035 0 0 1 0 0 0 1 136 0 0 1 0 0 1 0 037 0 0 1 0 0 1 0 138 0 0 1 0 0 1 1 039 0 0 1 0 0 1 1 1M M M M M D D DSince the first five bits match, the previous eight networks can be summarized into one network (192.168.32.0/21 or 192.168.32.0 255.255.248.0). All eight possible combinations of the three low-order bits are relevant for the network ranges in question. This command defines an ACL that permits this network. If you subtract 255.255.248.0 (normal mask) from 255.255.255.255, it yields 0.0.7.255.access-list acl_permit permit ip 192.168.32.0 0.0.7.255Consider this set of networks for further explanation.192.168.146.0/24192.168.147.0/24192.168.148.0/24192.168.149.0/24The first two octets and the last octet are the same for each network. This table is an explanation of how to summarize these.The third octet for the previous networks can be written as seen in this table, according to the octet bit position and address value for each bit.Decimal128 64 32 16 8 4 2 1146 1 0 0 1 0 0 1 0147 1 0 0 1 0 0 1 1148 1 0 0 1 0 1 0 0149 1 0 0 1 0 1 0 1M M M M M ? ? ?Unlike the previous example, you cannot summarize these networks into a single network. If they are summarized to a single network, they become192.168.144.0/21 because there are five bits similar in the third octet. This summarized network 192.168.144.0/21 covers a range of networks from 192.168.144.0 to 192.168.151.0. Among these, 192.168.144.0, 192.168.145.0, 192.168.150.0, and 192.168.151.0 networks are not in the given list of four networks. In order to cover the specific networks in question,you need a minimum of two summarized networks. The given four networks can be summarized into these two networks:●For networks 192.168.146.x and 192.168.147.x, all bits match except for the last one, which is a"don't care." This can be written as 192.168.146.0/23 (or 192.168.146.0 255.255.254.0).●For networks 192.168.148.x and 192.168.149.x, all bits match except for the last one, which is a"don't care." This can be written as 192.168.148.0/23 (or 192.168.148.0 255.255.254.0).This output defines a summarized ACL for the above networks.!--- This command is used to allow access access for devices with IP!--- addresses in the range from 192.168.146.0 to 192.168.147.254.access-list 10 permit 192.168.146.0 0.0.1.255!--- This command is used to allow access access for devices with IP!--- addresses in the range from 192.168.148.0 to 192.168.149.254access-list 10 permit 192.168.148.0 0.0.1.255Process ACLsTraffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted. A single-entry ACL with only one deny entry has the effect of denying all traffic. You must have at least one permit statement in an ACL or all traffic is blocked. These two ACLs (101 and 102) have the same effect.!--- This command is used to permit IP traffic from 10.1.1.0!--- network to 172.16.1.0 network. All packets with a source!--- address not in this range will be rejected.access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255!--- This command is used to permit IP traffic from 10.1.1.0!--- network to 172.16.1.0 network. All packets with a source!--- address not in this range will be rejected.access-list 102 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255access-list 102 deny ip any anyIn this example, the last entry is sufficient. You do not need the first three entries because TCP includes Telnet, and IP includes TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).!--- This command is used to permit Telnet traffic!--- from machine 10.1.1.2 to machine 172.16.1.1.access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet!--- This command is used to permit tcp traffic from!--- 10.1.1.2 host machine to 172.16.1.1 host machine.access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1!--- This command is used to permit udp traffic from!--- 10.1.1.2 host machine to 172.16.1.1 host machine.access-list 101 permit udp host 10.1.1.2 host 172.16.1.1!--- This command is used to permit ip traffic from!--- 10.1.1.0 network to 172.16.1.10 network.access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255Define Ports and Message TypesIn addition to defining ACL source and destination, it is possible to define ports, ICMP message types,ICMP and other parameters. A good source of information for well-known ports is RFC 1700 . message types are explained in RFC 792 .The router can display descriptive text on some of the well-known ports. Use a ? for help.access-list 102 permit tcp host 10.1.1.1 host 172.16.1.1 eq ?bgp Border Gateway Protocol (179)chargen Character generator (19)cmd Remote commands (rcmd, 514)During configuration, the router also converts numeric values to more user-friendly values. This is an example where you type the ICMP message type number and it causes the router to convert the number to a name.access-list 102 permit icmp host 10.1.1.1 host 172.16.1.1 14becomesaccess-list 102 permit icmp host 10.1.1.1 host 172.16.1.1 timestamp-reply Apply ACLsYou can define ACLs without applying them. But, the ACLs have no effect until they are applied to the interface of the router. It is a good practice to apply the ACL on the interface closest to the source of the traffic. As shown in this example, when you try to block traffic from source to destination, you can apply an inbound ACL to E0 on router A instead of an outbound list to E1 on router C. An access-list has a deny ip any any implicitly at the end of any access-list. If traffic is related to a DHCP request andif it is not explicity permitted, the traffic is dropped because when you look at DHCP request in IP, the source address is s=0.0.0.0 (Ethernet1/0), d=255.255.255.255, len 604, rcvd 2 UDP src=68, dst=67. Note that the source IP address is 0.0.0.0 and destination address is 255.255.255.255. Source port is 68 and destination 67. Hence, you should permit this kind of traffic in your access-list else the traffic is dropped due to implicit deny at the end of the statement.Note: For UDP traffic to pass through, UDP traffic must also be permited explicitly by the ACL.Define In, Out, Inbound, Outbound, Source, and DestinationThe router uses the terms in, out, source, and destination as references. Traffic on the router can be compared to traffic on the highway. If you were a law enforcement officer in Pennsylvania and wanted to stop a truck going from Maryland to New York, the source of the truck is Maryland and the destination of the truck is New York. The roadblock could be applied at the Pennsylvania–New York border (out) or the Maryland–Pennsylvania border (in).When you refer to a router, these terms have these meanings.●Out—Traffic that has already been through the router and leaves the interface. The source iswhere it has been, on the other side of the router, and the destination is where it goes.●In—Traffic that arrives on the interface and then goes through the router. The source is where ithas been and the destination is where it goes, on the other side of the router.●Inbound —If the access list is inbound, when the router receives a packet, the Cisco IOS softwarechecks the criteria statements of the access list for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.●Outbound—If the access list is outbound, after the software receives and routes a packet to theoutbound interface, the software checks the criteria statements of the access list for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the softwarediscards the packet.The in ACL has a source on a segment of the interface to which it is applied and a destination off of any other interface. The out ACL has a source on a segment of any interface other than the interface to which it is applied and a destination off of the interface to which it is applied.Edit ACLsWhen you edit an ACL, it requires special attention. For example, if you intend to delete a specific line from a numbered ACL that exists as shown here, the entire ACL is deleted.!--- The access-list 101 denies icmp from any to any network!--- but permits IP traffic from any to any network.router#configure terminalEnter configuration commands, one per line. End with CNTL/Z.router(config)#access-list 101 deny icmp any anyrouter(config)#access-list 101 permit ip any anyrouter(config)#^Zrouter#show access-listExtended IP access list 101deny icmp any anypermit ip any anyrouter#*Mar 9 00:43:12.784: %SYS-5-CONFIG_I: Configured from console by console router#configure terminalEnter configuration commands, one per line. End with CNTL/Z.router(config)#no access-list 101 deny icmp any anyrouter(config)#^Zrouter#show access-listrouter#*Mar 9 00:43:29.832: %SYS-5-CONFIG_I: Configured from console by console Copy the configuration of the router to a TFTP server or a text editor such as Notepad in order to edit numbered ACLs. Then make any changes and copy the configuration back to the router.You can also do this.router#configure terminalEnter configuration commands, one per line.router(config)#ip access-list extended test!--- Permits IP traffic from 2.2.2.2 host machine to 3.3.3.3 host machine.router(config-ext-nacl)#permit ip host 2.2.2.2 host 3.3.3.3!--- Permits www traffic from 1.1.1.1 host machine to 5.5.5.5 host machine.router(config-ext-nacl)#permit tcp host 1.1.1.1 host 5.5.5.5 eq www!--- Permits icmp traffic from any to any network.router(config-ext-nacl)#permit icmp any any!--- Permits dns traffic from 6.6.6.6 host machine to 10.10.10.0 network.router(config-ext-nacl)#permit udp host 6.6.6.6 10.10.10.0 0.0.0.255 eq domai router(config-ext-nacl)#^Z1d00h: %SYS-5-CONFIG_I: Configured from console by consoles-lrouter#show access-listExtended IP access list testpermit ip host 2.2.2.2 host 3.3.3.3permit tcp host 1.1.1.1 host 5.5.5.5 eq wwwpermit icmp any anypermit udp host 6.6.6.6 10.10.10.0 0.0.0.255 eq domainAny deletions are removed from the ACL and any additions are made to the end of the ACL.router#configure terminalEnter configuration commands, one per line. End with CNTL/Z.router(config)#ip access-list extended test!--- ACL entry deleted.router(config-ext-nacl)#no permit icmp any any!--- ACL entry added.router(config-ext-nacl)#permit gre host 4.4.4.4 host 8.8.8.8router(config-ext-nacl)#^Z1d00h: %SYS-5-CONFIG_I: Configured from console by consoles-lrouter#show access-listExtended IP access list testpermit ip host 2.2.2.2 host 3.3.3.3permit tcp host 1.1.1.1 host 5.5.5.5 eq wwwpermit udp host 6.6.6.6 10.10.10.0 0.0.0.255 eq domainpermit gre host 4.4.4.4 host 8.8.8.8You can also add ACL lines to numbered standard or numbered extended ACLs by sequence number in Cisco IOS. This is a sample of the configuration:Configure the extended ACL in this way:Router(config)#access-list 101 permit tcp any anyRouter(config)#access-list 101 permit udp any anyRouter(config)#access-list 101 permit icmp any anyRouter(config)#exitRouter#Issue the show access-list command in order to view the ACL entries. The sequence numbers such as 10, 20, and 30 also appear here.Router#show access-listExtended IP access list 10110 permit tcp any any20 permit udp any any30 permit icmp any anyAdd the entry for the access list 101 with the sequence number 5.Example 1:Router#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)#ip access-list extended 101Router(config-ext-nacl)#5 deny tcp any any eq telnetRouter(config-ext-nacl)#exitRouter(config)#exitRouter#In the show access-list command output, the sequence number 5 ACL is added as the first entry to the access-list 101.Router#show access-listExtended IP access list 1015 deny tcp any any eq telnet10 permit tcp any any20 permit udp any any30 permit icmp any anyRouter#Example 2:internetrouter#show access-listsExtended IP access list 10110 permit tcp any any15 permit tcp any host 172.162.2.920 permit udp host 172.16.1.21 any30 permit udp host 172.16.1.22 anyinternetrouter#configure terminalEnter configuration commands, one per line. End with CNTL/Z.internetrouter(config)#ip access-list extended 101internetrouter(config-ext-nacl)#18 per tcp any host 172.162.2.11internetrouter(config-ext-nacl)#^Zinternetrouter#show access-listsExtended IP access list 10110 permit tcp any any15 permit tcp any host 172.162.2.918 permit tcp any host 172.162.2.1120 permit udp host 172.16.1.21 any30 permit udp host 172.16.1.22 anyinternetrouter#Similarly, you can configure the standard access list in this way:internetrouter(config)#access-list 2 permit 172.16.1.2internetrouter(config)#access-list 2 permit 172.16.1.10internetrouter(config)#access-list 2 permit 172.16.1.11internetrouter#show access-listsStandard IP access list 230 permit 172.16.1.1120 permit 172.16.1.1010 permit 172.16.1.2internetrouter(config)#ip access-list standard 2internetrouter(config-std-nacl)#25 per 172.16.1.7internetrouter(config-std-nacl)#15 per 172.16.1.16internetrouter#show access-listsStandard IP access list 215 permit 172.16.1.1630 permit 172.16.1.1120 permit 172.16.1.1025 permit 172.16.1.710 permit 172.16.1.2The major difference in a standard access list is that the Cisco IOS adds an entry by descending order of the IP address, not on a sequence number.This example shows the different entries, for example, how to permit an IP address (192.168.100.0) or the networks (10.10.10.0).internetrouter#show access-listsStandard IP access list 1910 permit 192.168.100.015 permit 10.10.10.0, wildcard bits 0.0.0.25519 permit 201.101.110.0, wildcard bits 0.0.0.25525 deny anyAdd the entry in access list 2 in order to permit the IP Address 172.22.1.1:internetrouter(config)#ip access-list standard 2internetrouter(config-std-nacl)#18 permit 172.22.1.1This entry is added in the top of the list in order to give priority to the specific IP address rather than network.internetrouter#show access-listsStandard IP access list 1910 permit 192.168.100.018 permit 172.22.1.115 permit 10.10.10.0, wildcard bits 0.0.0.25519 permit 201.101.110.0, wildcard bits 0.0.0.25525 deny anyNote: The previous ACLs are not supported in Security Appliance such as the ASA/PIX Firewall.Guidelines to change access-lists when they are applied to crypto maps●If you add to an existing access-list configuration, there is no need to remove the crypto map. Ifyou add to them directly without the removal of the crypto map, then that is supported andacceptable.●If you need to modify or delete access-list entry from an existing access-lists, then you mustremove the crypto map from the interface. After you remove crypto map, make all changes to the access-list and re-add the crypto map. If you make changes such as the deletion of the access-list without the removal of the crypto map, this is not supported and can result in unpredictablebehavior.TroubleshootHow do I remove an ACL from an interface?Go into configuration mode and enter no in front of the access-group command, as shown in this example, in order to remove an ACL from an interface.interface <interface>no ip access-group <acl-number> in|outWhat do I do when too much traffic is denied?If too much traffic is denied, study the logic of your list or try to define and apply an additional broader list. The show ip access-lists command provides a packet count that shows which ACL entry is hit.The log keyword at the end of the individual ACL entries shows the ACL number and whether the packet was permitted or denied, in addition to port-specific information.Note: The log-input keyword exists in Cisco IOS Software Release 11.2 and later, and in certain Cisco IOS Software Release 11.1 based software created specifically for the service provider market. Older software does not support this keyword. Use of this keyword includes the input interface and source MAC address where applicable.How do I debug at the packet level that uses a Cisco router?This procedure explains the debug process. Before you begin, be certain that there are no currently applied ACLs, that there is an ACL, and that fast switching is not disabled.Note: Use extreme caution when you debug a system with heavy traffic. Use an ACL in order to debug specific traffic. But, be sure of the process and the traffic flow.e the access-list command in order to capture the desired data.In this example, the data capture is set for the destination address of10.2.6.6 or the source address of 10.2.6.6.access-list 101 permit ip any host 10.2.6.6access-list 101 permit ip host 10.2.6.6 any2.Disable fast switching on the interfaces involved. You only see the first packet if fast switching isnot disabled.config interfaceno ip route-cachee the terminal monitor command in enable mode in order to display debug command outputand system error messages for the current terminal and session.e the debug ip packet 101 or debug ip packet 101 detail command in order to begin thedebug process.5.Execute the no debug all command in enable mode and the interface configuration command inorder to stop the debug process.6.Restart caching.config interfaceip route-cacheTypes of IP ACLsThis section of the document describes ACL types.Network DiagramStandard ACLsStandard ACLs are the oldest type of ACL. They date back to as early as Cisco IOS Software Release 8.3. Standard ACLs control traffic by the comparison of the source address of the IP packets to the addresses configured in the ACL.This is the command syntax format of a standard ACL.access-list access-list-number {permit|deny}{host|source source-wildcard|any}In all software releases, the access-list-number can be anything from 1 to 99. In Cisco IOS Software Release 12.0.1, standard ACLs begin to use additional numbers (1300 to 1999). These additional numbers are referred to as expanded IP ACLs. Cisco IOS Software Release 11.2 added the ability to use list name in standard ACLs.A source/source-wildcard setting of 0.0.0.0/255.255.255.255 can be specified as any. The wildcard can be omitted if it is all zeros. Therefore, host 10.1.1.2 0.0.0.0 is the same as host 10.1.1.2.After the ACL is defined, it must be applied to the interface (inbound or outbound). In early software releases, out was the default when a keyword out or in was not specified. The direction must be specified in later software releases.interface <interface>ip access-group number {in|out}This is an example of the use of a standard ACL in order to block all traffic except that from source 10.1.1.x.interface Ethernet0/0ip address 10.1.1.1 255.255.255.0ip access-group 1 inaccess-list 1 permit 10.1.1.0 0.0.0.255Extended ACLsExtended ACLs were introduced in Cisco IOS Software Release 8.3. Extended ACLs control traffic by the comparison of the source and destination addresses of the IP packets to the addresses configured in the ACL.This is the command syntax format of extended ACLs. Lines are wrapped here for spacing considerations.IPaccess-list access-list-number[dynamic dynamic-name [timeout minutes]]{deny|permit} protocol source source-wildcarddestination destination-wildcard [precedence precedence][tos tos] [log|log-input] [time-range time-range-name]ICMPaccess-list access-list-number[dynamic dynamic-name [timeout minutes]]{deny|permit} icmp source source-wildcarddestination destination-wildcard[icmp-type [icmp-code] |icmp-message][precedence precedence] [tos tos] [log|log-input][time-range time-range-name]TCPaccess-list access-list-number[dynamic dynamic-name [timeout minutes]]{deny|permit} tcp source source-wildcard [operator [port]]destination destination-wildcard [operator [port]][established] [precedence precedence] [tos tos][log|log-input] [time-range time-range-name]UDPaccess-list access-list-number[dynamic dynamic-name [timeout minutes]]{deny|permit} udp source source-wildcard [operator [port]]destination destination-wildcard [operator [port]][precedence precedence] [tos tos] [log|log-input][time-range time-range-name]In all software releases, the access-list-number can be 101 to 199. In Cisco IOS Software Release 12.0.1, extended ACLs begin to use additional numbers (2000 to 2699). These additional numbers are referred to as expanded IP ACLs. Cisco IOS Software Release 11.2 added the ability to use list name in extended ACLs.The value of 0.0.0.0/255.255.255.255 can be specified as any. After the ACL is defined, it must be applied to the interface (inbound or outbound). In early software releases, out was the default when a keyword out or in was not specified. The direction must be specified in later software releases.interface <interface>ip access-group {number|name} {in|out}This extended ACL is used to permit traffic on the 10.1.1.x network (inside) and to receive ping responses from the outside while it prevents unsolicited pings from people outside, permitting all other traffic.interface Ethernet0/1ip address 172.16.1.2 255.255.255.0ip access-group 101 inaccess-list 101 deny icmp any 10.1.1.0 0.0.0.255 echoaccess-list 101 permit ip any 10.1.1.0 0.0.0.255Note: Some applications such as network management require pings for a keepalive function. If this is the case, you might wish to limit blocking inbound pings or be more granular in permitted/denied IPs. Lock and Key (Dynamic ACLs)Lock and key, also known as dynamic ACLs, was introduced in Cisco IOS Software Release 11.1. This feature is dependent on Telnet, authentication (local or remote), and extended ACLs.Lock and key configuration starts with the application of an extended ACL to block traffic through the router. Users that want to traverse the router are blocked by the extended ACL until they Telnet to the router and are authenticated. The Telnet connection then drops and a single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a particular time period; idle and absolute timeouts are possible.This is the command syntax format for lock and key configuration with local authentication.username user-name password passwordinterface <interface>ip access-group {number|name} {in|out}The single-entry ACL in this command is dynamically added to the ACL that exists after authentication.access-list access-list-number dynamic name {permit|deny} [protocol]{source source-wildcard|any} {destination destination-wildcard|any}[precedence precedence][tos tos][established] [log|log-input][operator destination-port|destination port]line vty line_rangelogin localThis is a basic example of lock and key.username test password 0 test!--- Ten (minutes) is the idle timeout.username test autocommand access-enable host timeout 10interface Ethernet0/0ip address 10.1.1.1 255.255.255.0ip access-group 101 inaccess-list 101 permit tcp any host 10.1.1.1 eq telnet!--- 15 (minutes) is the absolute timeout.。

cisco路‎由器配置AC‎L详解什么是ACL‎？访问控制列表‎简称为ACL‎，访问控制列表‎使用包过滤技‎术，在路由器上读‎取第三层及第‎四层包头中的‎信息如源地址‎，目的地址，源端口，目的端口等，根据预先定义‎好的规则对包‎进行过滤，从而达到访问‎控制的目的。

该技术初期仅‎在路由器上支‎持，近些年来已经‎扩展到三层交‎换机，部分最新的二‎层交换机也开‎始提供ACL‎的支持了。

访问控制列表‎使用原则由于ACL涉‎及的配置命令‎很灵活，功能也很强大‎，所以我们不能‎只通过一个小‎小的例子就完‎全掌握全部A‎C L的配置。

在介绍例子前‎为大家将AC‎L设置原则罗‎列出来，方便各位读者‎更好的消化A‎C L知识。

1、最小特权原则‎只给受控对象‎完成任务所必‎须的最小的权‎限。

也就是说被控‎制的总规则是‎各个规则的交‎集，只满足部分条‎件的是不容许‎通过规则的。

2、最靠近受控对‎象原则所有的网络层访问权限控‎制。

也就是说在检‎查规则时是采‎用自上而下在‎A C L中一条‎条检测的，只要发现符合‎条件了就立刻‎转发，而不继续检测‎下面的ACL‎语句。

3、默认丢弃原则‎在CISCO路由交换设备‎中默认最后一‎句为ACL中‎加入了DEN‎Y ANY ANY，也就是丢弃所‎有不符合条件‎的数据包。

这一点要特别‎注意，虽然我们可以‎修改这个默认‎，但未改前一定‎要引起重视。

由于ACL是‎使用包过滤技‎术来实现的，过滤的依据又‎仅仅只是第三‎层和第四层包‎头中的部分信‎息，这种技术具有‎一些固有的局‎限性，如无法识别到‎具体的人，无法识别到应‎用内部的权限‎级别等。

因此，要达到端到端‎的权限控制目‎的，需要和系统级‎及应用级的访‎问权限控制结‎合使用。

分类：标准访问控制‎列表扩展访问控制‎列表基于名称的访‎问控制列表反向访问控制‎列表基于时间的访‎问控制列表标准访问列表‎：访问控制列表‎A C L分很多‎种，不同场合应用‎不同种类的A‎C L。

Cisco VLAN ACL配置及详解1.什么是ACL？ACL全称访问控制列表（Access Control List），主要通过配置一组规则进行过滤路由器或交换机接口进出的数据包，是控制访问的一种网络技术手段，ACL适用于所有的被路由支持的协议，如IP、tcp、udp、ftp、www等。

2.什么是反掩码？反掩码就是通配符掩码，通过标记0和1告诉设备应该匹配到哪位。

在反掩码中，相应位为1的地址在比较中忽略，为0的必须被检查。

IP地址与反掩码都是32位的数由于跟子网掩码刚好相反，所以也叫反掩码。

路由器使用的通配符掩码与源或目标地址一起来分辨匹配的地址范围，它与子网掩码不同。

它不像子网掩码告诉路由器IP地址是属于哪个子网（网段），通配符掩码告诉路由器为了判断出匹配，它需要检查IP地址中的多少位。

例如：255.255.255.0 反掩码（wildcard-mask）就是0.0.0.255255.255.255.248 反掩码（wildcard-mask）就是0.0.0.73.ACL工作原理：ACL使用包过滤技术，在路由器上读取OSI七层模型的第3层和第4层包头中的信息。

如源地址，目标地址，源端口，目标端口等，根据预先定义好的规则，对包进行过滤，从而达到访问控制的目的。

对于路由器接口而言，ACL是有两个方向：注意：如果发现没有匹配的ACL规则，默认会丢弃该数据包，思科ACL规则默认会有一条隐藏的deny any any规则，而华三ACL规则默认是permit any any规则。

入站----如果是入站访问列表，则当路由器接收到数据包时，Cisco IOS 软件将检查访问列表中的条件语句，看是否有匹配。

如果数据包被允许，则软件将继续处理该数据包。

如果数据包被拒绝，则软件会丢弃该数据包。

出站----如果是出站访问列表，则当软件到接收数据包并将群其路由至出站接口后，软件将检查访问列表中的条件语句，看是否有匹配。

基本原则：1、按顺序执行，只要有一条满足，则不会继续查找2、隐含拒绝，如果都不匹配，那么一定匹配最后的隐含拒绝条目，思科默认的3、任何条件下只给用户能满足他们需求的最小权限4、不要忘记把ACL应用到端口上一、标准ACL 命令：access-list {1-99} {permit/deny} source-ip source-wildcard [log] 例：access-list 1 penmit 192.168.2.0 0.0.0.255 允许192.168.2.0网段的访问access-list 1 deny 192.168.1.0 0.0.0.255 拒绝192.168.1.0网段的访问说明：wildcard为反掩码，host表示特定主机等同于192.168.2.3 0.0.0.0；any表示所有的源或目标等同于0.0.0.0 255.255.255.255 ；log表示有匹配时生成日志信息；标准ACL一般用在离目的最近的地方二、扩展ACL 命令：access-list {100-199} {permit/deny} protocol source-ip source-wildcard [operator port] destination-ipdestination-wildcard [operator port] [established][log] 例：access-list 101 permit tcp 192.168.2.0 0.0.0.255 gt 1023 host 192.168.1.2 eq 80 允许192.168.2.0网段的主机访问主机192.168.1.2的web服务access-list 101 permit udp 192.168.2.0 0.0.0.255 gt 1023 any eq 53允许192.168.2.0网段的主机访问外网以做dns查询说明：gt 1023表示所有大于1023的端口，这是因为一般访问web、ftp等服务器时客户端的主机是使用一个1023以上的随机端口；established 表示允许一个已经建立的连接的流量，也就是数据包的ACK位已设置的包。

cisco ACL配置详解ACL(Access Control List，访问控制列表)技术从来都是一把双刃剑，网络应用与互联网的普及在大幅提高企业的生产经营效率的同时，也带来了诸如数据的安全性，员工利用互联网做与工作不相干事等负面影响。

如何将一个网络有效的管理起来，尽可能的降低网络所带来的负面影响就成了摆在网络管理员面前的一个重要课题。

A公司的某位可怜的网管目前就面临了一堆这样的问题。

A公司建设了一个企业网，并通过一台路由器接入到互联网。

在网络核心使用一台基于IOS的多层交换机，所有的二层交换机也为可管理的基于IOS的交换机，在公司内部使用了VLAN技术，按照功能的不同分为了6个VLAN。

分别是网络设备与网管(VLAN1，10.1.1.0/24)、内部服务器(VLAN2)、Internet连接(VLAN3)、财务部（VLAN4）、市场部(VLAN5)、研发部门（VLAN6），出口路由器上Fa0/0接公司内部网，通过s0/0连接到Internet。

每个网段的三层设备（也就是客户机上的缺省网关）地址都从高位向下分配，所有的其它节点地址均从低位向上分配。

该网络的拓朴如下图所示：自从网络建成后麻烦就一直没断过，一会儿有人试图登录网络设备要捣乱；一会儿领导又在抱怨说互联网开通后，员工成天就知道泡网；一会儿财务的人又说研发部门的员工看了不该看的数据。

这些抱怨都找这位可怜的网管，搞得他头都大了。

那有什么办法能够解决这些问题呢？答案就是使用网络层的访问限制控制技术――访问控制列表（下文简称ACL）。

那么，什么是ACL呢？ACL是种什么样的技术，它能做什么，又存在一些什么样的局限性呢？ACL的基本原理、功能与局限性网络中常说的ACL是Cisco IOS所提供的一种访问控制技术，初期仅在路由器上支持，近些年来已经扩展到三层交换机，部分最新的二层交换机如2950之类也开始提供ACL的支持。

只不过支持的特性不是那么完善而已。

cisco路由器配置ACL详解如果有人说路由交换设备主要就是路由和交换的功能，仅仅在路由交换数据包时应用的话他一定是个门外汉。

如果仅仅为了交换数据包我们使用普通的HUB就能胜任，如果只是使用路由功能我们完全可以选择一台WINDOWS服务器来做远程路由访问配置。

实际上路由器和交换机还有一个用途，那就是网络管理，学会通过硬件设备来方便有效的管理网络是每个网络管理员必须掌握的技能。

今天我们就为大家简单介绍访问控制列表在CISCO路由交换设备上的配置方法与命令。

什么是ACL？访问控制列表简称为ACL，访问控制列表使用包过滤技术，在路由器上读取第三层及第四层包头中的信息如源地址，目的地址，源端口，目的端口等，根据预先定义好的规则对包进行过滤，从而达到访问控制的目的。

该技术初期仅在路由器上支持，近些年来已经扩展到三层交换机，部分最新的二层交换机也开始提供ACL的支持了。

访问控制列表使用原则由于ACL涉及的配置命令很灵活，功能也很强大，所以我们不能只通过一个小小的例子就完全掌握全部ACL的配置。

在介绍例子前为大家将ACL设置原则罗列出来，方便各位读者更好的消化ACL知识。

1、最小特权原则只给受控对象完成任务所必须的最小的权限。

也就是说被控制的总规则是各个规则的交集，只满足部分条件的是不容许通过规则的。

2、最靠近受控对象原则所有的网络层访问权限控制。

也就是说在检查规则时是采用自上而下在ACL 中一条条检测的，只要发现符合条件了就立刻转发，而不继续检测下面的ACL 语句。

3、默认丢弃原则在CISCO路由交换设备中默认最后一句为ACL中加入了DENY ANY ANY，也就是丢弃所有不符合条件的数据包。

这一点要特别注意，虽然我们可以修改这个默认，但未改前一定要引起重视。

由于ACL是使用包过滤技术来实现的，过滤的依据又仅仅只是第三层和第四层包头中的部分信息，这种技术具有一些固有的局限性，如无法识别到具体的人，无法识别到应用内部的权限级别等。

cisco路由器配置ACL详解Cisco 路由器配置 ACL 详解在网络世界中，Cisco 路由器就像是交通警察，而访问控制列表（ACL）则是它手中的规则手册，用于决定哪些流量可以通过，哪些需要被阻止。

理解和正确配置 ACL 对于网络管理员来说至关重要，它不仅可以保障网络的安全，还能优化网络性能。

接下来，让我们深入了解一下 Cisco 路由器配置 ACL 的方方面面。

首先，我们要明白 ACL 到底是什么。

简单来说，ACL 是一系列规则的集合，这些规则基于数据包的源地址、目的地址、源端口、目的端口以及协议类型等信息来决定是否允许数据包通过路由器。

Cisco 路由器支持多种类型的 ACL，常见的有标准 ACL 和扩展ACL。

标准 ACL 基于源 IP 地址进行过滤，它的编号范围是 1 99 和1300 1999。

扩展 ACL 则更加精细，可以基于源地址、目的地址、源端口、目的端口以及协议类型进行过滤，其编号范围是 100 199 和2000 2699。

在配置 ACL 之前，我们需要明确配置的目的。

是要阻止特定网络的访问？还是限制某些端口的使用？或者是只允许特定主机的流量通过？明确了目标，才能制定出有效的规则。

当我们开始配置 ACL 时，第一步是创建 ACL。

以配置标准 ACL 为例，我们可以使用以下命令：｀｀｀Router(config)accesslist 10 deny 19216810 000255｀｀｀上述命令中，“accesslist 10”表示创建编号为 10 的 ACL，“deny”表示拒绝，“19216810 000255”是要拒绝的源地址范围，表示 19216810 到1921681255 这个网段的流量。

如果要允许某个网段的流量通过，可以使用“permit”命令，例如：｀｀｀Router(config)accesslist 10 permit 19216820 000255｀｀｀创建好 ACL 后，还需要将其应用到接口上才能生效。