R1(config)# access-list ACL_NUMBER permit|deny IP_ADDRESS WILDCARD_MASK
NOTE
ACL number for the standard ACLs has to be between 1–99 and 1300–1999.
ACL number for the standard ACLs has to be between 1–99 and 1300–1999.
extended ACLs has to be between 100–199 and 2000–2699.
You can also use the host keyword to specify the host you want to permit or deny:
R1(config)# access-list ACL_NUMBER permit|deny host IP_ADDRESS
Once the access list is created, it needs to be applied to an interface. You do that by using the ip access-group ACL_NUMBER in|out interface subcommand. in and out keywords specify in which direction you are activating the ACL. in means that ACL is applied to the traffic coming into the interface, while the outkeyword means that the ACL is applied to the traffic leaving the interface.
* IPv6 不支援 standard ACLsR1(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
R1(config)#access-list 10 permit ?
A.B.C.D Address to match
any Any source host
host A single host address
R1(config)#access-list 10 permit 192.168.10.1
R1#sh access-lists
Standard IP access list 10
10 permit host 192.168.10.1
R1(config)#access-list 10 deny host ?
A.B.C.D Host address
R1(config)#access-list 10 deny host 192.168.10.2
R1#sh access-lists
Standard IP access list 10
10 permit host 192.168.10.1
20 deny host 192.168.10.2
R1#sh running-config
...
!
interface FastEthernet0/0
ip address 192.168.10.254 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 207.16.10.254 255.255.255.0
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
...
!
access-list 10 permit host 192.168.10.1
access-list 10 deny host 192.168.10.2
!...
R1(config)#int fa0/1
R1(config-if)#ip access-group 10 ?
in inbound packets
out outbound packets
R1(config-if)#ip access-group 10 out
R1(config-if)#do sh access-list
Standard IP access list 10
10 permit host 192.168.10.1
20 deny host 192.168.10.2
PCA>ping 207.16.10.1
Pinging 207.16.10.1 with 32 bytes of data:
Request timed out.
Reply from 207.16.10.1: bytes=32 time=0ms TTL=127
Reply from 207.16.10.1: bytes=32 time=0ms TTL=127
Reply from 207.16.10.1: bytes=32 time=0ms TTL=127
Ping statistics for 207.16.10.1:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
R1(config-if)#do sh access-list
Standard IP access list 10
10 permit host 192.168.10.1 (4 match(es))
20 deny host 192.168.10.2
PCB>ping 207.16.10.1
Pinging 207.16.10.1 with 32 bytes of data:
Reply from 192.168.10.254: Destination host unreachable.
Reply from 192.168.10.254: Destination host unreachable.
Reply from 192.168.10.254: Destination host unreachable.
Reply from 192.168.10.254: Destination host unreachable.
Ping statistics for 207.16.10.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
R1(config-if)#do sh access-list
Standard IP access list 10
10 permit host 192.168.10.1 (4 match(es))
20 deny host 192.168.10.2 (4 match(es))
R1#show ip int fa0/1
FastEthernet0/1 is up, line protocol is up (connected)
Internet address is 207.16.10.254/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 10
Inbound access list is not set
Proxy ARP is enabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
...
多個條件同個號碼即為同 1組,一個介面最多只能啟動 2組ACL,且一個方向只能啟動 1組 ( in 或 out ),假設一個方向啟動 2組號碼,後面的會蓋掉前面的。
標準 ACL 應盡可能靠近目的地,因為 standard ACL 不會指定目的地位址。
假設 match 數量太多不好觀察,可先清除一下計數器。
R1#clear access-list counters
R1#sh access-lists
Standard IP access list 10
10 permit host 192.168.10.1
20 deny host 192.168.10.2
Reference:
https://study-ccna.com/configuring-standard-acls/
沒有留言:
張貼留言