ACL
ACL matching rule: entries are checked from the top and the first match wins.
Branch#sh run int e0/0.1
Building configuration...

Current configuration : 116 bytes
!
interface Ethernet0/0.1
 encapsulation dot1Q 10
 ip address 10.1.100.254 255.255.255.0
 ip access-group 1 in    # apply the ACL on the interface
end
Branch#sh run | s acce
ip access-group 1 in
access-list 1 deny   10.1.100.2
access-list 1 permit any
PC1>ping 10.1.200.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.200.2, timeout is 2 seconds:
U.U.U
Checking the access list now shows that traffic has been matched (the hit counters):
Branch#sh ip acce
Standard IP access list 1
10 deny 10.1.100.2 (26 matches)
20 permit any
Next, change PC1's IP address:
PC1#sh run int e0/1
Building configuration...

Current configuration : 66 bytes
!
interface Ethernet0/1
 ip address 10.1.100.2 255.255.255.0
end
PC1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
PC1(config)#int e0/1
PC1(config-if)#ip add 10.1.100.1 255.255.255.0
PC1(config-if)#end
PC1#ping 10.1.200.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.200.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/3 ms
Branch#sh ip acce
Standard IP access list 1
    10 deny   10.1.100.2 (14 matches)
    20 permit any (5 matches)
Question: if we now want to permit the odd IP addresses in this subnet and deny the even ones, how do we do it?
Answer: just do the following:
Branch(config)#access-list 1 permit 10.1.100.3 0.0.0.254    (just add the wildcard mask)
Branch(config)#do sh ip acces
Standard IP access list 1
10 permit 10.1.100.1, wildcard bits 0.0.0.254
Standard ACLs are limited: when matching traffic they can only match the source IP address in the IP header.
The host keyword stands for a wildcard mask that strictly matches all 32 bits.
The any keyword matches every address.
PC1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
PC1(config)#int e0/1
PC1(config-if)#ip add 10.1.100.4 255.255.255.0
PC1(config-if)#do ping 10.1.200.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.200.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
PC1(config-if)#ip add 10.1.100.3 255.255.255.0
PC1(config-if)#do ping 10.1.200.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.200.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
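As an added illustration (not part of the original notes), the following Python model reproduces the standard-ACL behaviour seen in the lab: top-down first match, the implicit deny at the end, host and any expressed as wildcard masks, the hit counters, and why IOS shows "permit 10.1.100.3 0.0.0.254" as "10.1.100.1, wildcard bits 0.0.0.254" (it zeroes the don't-care bits when storing the entry). Class and function names are my own; the sample ACLs are constructed from the ones above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    address: str
    wildcard: str = "0.0.0.0"   # 0.0.0.0 is what 'host' means: all 32 bits must match
    matches: int = 0            # hit counter, shown as "(N matches)" by show ip access-list

    def care_mask(self) -> int:
        # Wildcard bit 0 = must match, bit 1 = don't care (inverse of a subnet mask).
        return ~_ip(self.wildcard) & 0xFFFFFFFF

    def hits(self, src: str) -> bool:
        return (_ip(src) & self.care_mask()) == (_ip(self.address) & self.care_mask())

    def normalized(self) -> str:
        # IOS zeroes the don't-care bits before storing the entry, which is why
        # "permit 10.1.100.3 0.0.0.254" is displayed as "permit 10.1.100.1, wildcard bits 0.0.0.254".
        return str(ipaddress.IPv4Address(_ip(self.address) & self.care_mask()))

def any_ace(action: str) -> Ace:
    return Ace(action, "0.0.0.0", "255.255.255.255")  # 'any': every bit is don't-care

def evaluate(acl: List[Ace], src: str) -> str:
    """Decide permit/deny for a source address: the first matching entry wins."""
    for ace in acl:
        if ace.hits(src):
            ace.matches += 1
            return ace.action
    return "deny"  # implicit deny at the end of every ACL, hit when no entry matches

def show(acl: List[Ace]) -> str:
    """Plain-text rendering in the style of 'show ip access-list'."""
    lines = ["Standard IP access list 1"]
    for seq, ace in enumerate(acl, start=1):
        target = "any" if ace.wildcard == "255.255.255.255" else ace.normalized()
        wc = "" if ace.wildcard in ("0.0.0.0", "255.255.255.255") else f", wildcard bits {ace.wildcard}"
        cnt = f" ({ace.matches} matches)" if ace.matches else ""
        lines.append(f"    {seq * 10} {ace.action} {target}{wc}{cnt}")
    return "\n".join(lines)

if __name__ == "__main__":
    odd_only = [Ace("permit", "10.1.100.3", "0.0.0.254")]  # constructed: the odd/even ACL from the notes
    print(evaluate(odd_only, "10.1.100.3"), evaluate(odd_only, "10.1.100.4"), show(odd_only), sep="\n")
```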