ACL写法(思科+华为)
| 说明 | 思科(命名ACL) | 思科(编号ACL) | 华为 |
|---|---|---|---|
创建标准ACL,允许源IP为192.168.1.1的流量 |
ip access-list standard ACL_1permit 192.168.1.1deny any |
access-list 1 permit 192.168.1.1access-list 1 deny any |
acl number 2001rule permit ip source 192.168.1.1 0.0.0.0rule deny ip |
创建扩展ACL,允许源IP 192.168.1.2 访问目标IP 10.0.0.1 的 HTTP 服务(端口80) |
ip access-list extended ACL_100permit tcp 192.168.1.2 0.0.0.0 10.0.0.1 0.0.0.0 eq 80deny ip any any |
access-list 100 permit tcp 192.168.1.2 0.0.0.0 10.0.0.1 0.0.0.0 eq 80access-list 100 deny ip any any |
acl number 3001rule permit tcp source 192.168.1.2 0.0.0.0 destination 10.0.0.1 0.0.0.0 destination-port eq 80rule deny ip |
创建扩展ACL,允许源IP 192.168.1.3 访问目标IP 10.0.0.2 的 FTP 服务(端口21) |
ip access-list extended ACL_101permit tcp 192.168.1.3 0.0.0.0 10.0.0.2 0.0.0.0 eq 21deny ip any any |
access-list 101 permit tcp 192.168.1.3 0.0.0.0 10.0.0.2 0.0.0.0 eq 21access-list 101 deny ip any any |
acl number 3002rule permit tcp source 192.168.1.3 0.0.0.0 destination 10.0.0.2 0.0.0.0 destination-port eq 21rule deny ip |
将ACL应用到接口 GigabitEthernet0/1 的入方向 |
interface GigabitEthernet0/1ip access-group 100 in |
interface GigabitEthernet0/1ip access-group 100 in |
interface GigabitEthernet0/1traffic-filter inbound acl 3001 |
拒绝特定的IP地址段(例如拒绝 192.168.2.0/24) |
ip access-list extended ACL_102deny ip 192.168.2.0 0.0.0.255 anypermit ip any any |
access-list 102 deny ip 192.168.2.0 0.0.0.255 anyaccess-list 102 permit ip any any |
acl number 3003rule deny ip source 192.168.2.0 0.0.0.255rule permit ip |
| 基于IP协议类型过滤(例如只允许ICMP协议) | ip access-list extended ACL_103permit icmp any anydeny ip any any |
access-list 103 permit icmp any anyaccess-list 103 deny ip any any |
acl number 3004rule permit icmprule deny ip |
ACL写法(思科+华为)
https://xinhaojin.github.io/2024/11/22/ACL写法(思科+华为)/