2019/04/16

Configure and Verify IPv4 Extended Access Lists



R1(config)#ip access-list extended Example4
R1(config-ext-nacl)#deny udp ?
  A.B.C.D       Source address
  any           Any source host
  host          A single source host
  object-group  Source network object group

R1(config-ext-nacl)#deny udp any ?
  A.B.C.D       Destination address
  any           Any destination host
  eq            Match only packets on a given port number
  gt            Match only packets with a greater port number
  host          A single destination host
  lt            Match only packets with a lower port number
  neq           Match only packets not on a given port number
  object-group  Destination network object group
  range         Match only packets in the range of port numbers



R1(config-ext-nacl)#deny udp any any

R1(config-ext-nacl)#permit tcp ?
  A.B.C.D       Source address
  any           Any source host
  host          A single source host
  object-group  Source network object group

R1(config-ext-nacl)#permit tcp host 10.10.1.10 any eq 23
R1(config-ext-nacl)#deny tcp host 10.10.1.10 any
R1(config-ext-nacl)#permit ?
  <0-255>       An IP protocol number
  ahp           Authentication Header Protocol
  eigrp         Cisco's EIGRP routing protocol
  esp           Encapsulation Security Payload
  gre           Cisco's GRE tunneling
  icmp          Internet Control Message Protocol
  igmp          Internet Gateway Message Protocol
  ip            Any Internet Protocol
  ipinip        IP in IP tunneling
  nos           KA9Q NOS compatible IP over IP tunneling
  object-group  Service object group
  ospf          OSPF routing protocol
  pcp           Payload Compression Protocol
  pim           Protocol Independent Multicast
  tcp           Transmission Control Protocol
  udp           User Datagram Protocol

R1(config-ext-nacl)#permit ip any any

R1(config)#int e1/1
R1(config-if)#ip access-group Example4 in
R1(config-if)#do show ip access-lists
Extended IP access list Example4
    10 deny udp any any
    20 permit tcp host 10.10.1.10 any eq telnet
    30 deny tcp host 10.10.1.10 any
    40 permit ip any any


PC1(config)#ntp server 10.10.3.30
PC1(config)#do show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**10
reference time is 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.28 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000000000 s/s
system poll interval is 8, never updated.

R1#sh ip access-lists
Extended IP access list Example4
    10 deny udp any any (2 matches)
    20 permit tcp host 10.10.1.10 any eq telnet
    30 deny tcp host 10.10.1.10 any
    40 permit ip any any

PC1#telnet 10.10.3.30
Trying 10.10.3.30 ... Open
User Access Verification
Username: admin
Password:
SRV1>

R1#sh ip access-lists
Extended IP access list Example4
    10 deny udp any any (6 matches)
    20 permit tcp host 10.10.1.10 any eq telnet (31 matches)
    30 deny tcp host 10.10.1.10 any
    40 permit ip any any

PC1#ssh -l admin 10.10.3.30
% Destination unreachable; gateway or host down

R1#sh ip access-lists
Extended IP access list Example4
    10 deny udp any any (12 matches)
    20 permit tcp host 10.10.1.10 any eq telnet (42 matches)
    30 deny tcp host 10.10.1.10 any (1 match)
    40 permit ip any any

PC1#ping 10.10.3.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.30, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/6 ms

R1#sh ip access-lists
Extended IP access list Example4
    10 deny udp any any (12 matches)
    20 permit tcp host 10.10.1.10 any eq telnet (42 matches)
    30 deny tcp host 10.10.1.10 any (1 match)
    40 permit ip any any (5 matches)

