diff --git "a/29 \346\235\250\346\210\220\350\261\252/20250424 \350\256\277\351\227\256\346\216\247\345\210\266.md" "b/29 \346\235\250\346\210\220\350\261\252/20250424 \350\256\277\351\227\256\346\216\247\345\210\266.md" new file mode 100644 index 0000000000000000000000000000000000000000..44b129789efb11474c4ef9069b391beb62bd12ac --- /dev/null +++ "b/29 \346\235\250\346\210\220\350\261\252/20250424 \350\256\277\351\227\256\346\216\247\345\210\266.md" 
@@ -0,0 +1,91 @@ +##### 访问控制列表 + +```cmd +1.创建ACL +access-list <编号> <动作> <源IP> <通配符掩码> +# 编号范围 1-99 +# 动作:permit 允许 、 deny 拒绝 +# 示例: +access-list 10 permit 192.168.1.0 0.0.0.255 # 允许192.168.1.0/24g整个网络 +access-list 10 permit 192.168.10.2 # 允许192.168.10.2单个IP通过 +access-list 10 deny any # 拒绝其他所有流量 +2.应用ACL +ip access-group <编号> <方向> +# in / out 流量流入/流出 +# 示例: +interface GigabitEthernet0/0 # 第一步,进入G0/0端口 +ip access-group 10 in # 第二步,在G0/0端口的入口方向应用编号为10的ACL +``` + +![042401](https://gitee.com/yuszz/picture-warehouse/raw/master/img/upgit_20250424_1745497598.png) + +```cmd +#关键配置 +#三层交换机Fa0/2 +! +access-list 10 permit 192.168.10.0 0.0.0.255 +access-list 10 deny any +! +#路由器1Gig0/1 +! +access-list 10 permit 192.168.20.0 0.0.0.255 +access-list 10 deny any +! +``` + +![0424](https://gitee.com/yuszz/picture-warehouse/raw/master/img/upgit_20250424_1745497969.png) + +```cmd +#关键配置 +#路由器1Gig0/2(路由器4.6类似) +! +access-list 10 permit host 192.168.10.1 +access-list 10 deny any +! +#路由器5Gig0/1 +! +access-list 10 permit host 192.168.10.1 +access-list 10 permit 3.3.3.0 0.0.0.255 +access-list 10 deny any +! 
+``` + +```cmd +查看访问控制是否开启 +Router#show ip interface gigabitEthernet 0/1 +GigabitEthernet0/1 is up, line protocol is up (connected) + Internet address is 192.168.30.254/24 + Broadcast address is 255.255.255.255 + Address determined by setup command + MTU is 1500 bytes + Helper address is not set + Directed broadcast forwarding is disabled + Outgoing access list is not set //出战访问控制 + Inbound access list is not set //入站访问控制 + Proxy ARP is enabled + Security level is default + Split horizon is enabled + ICMP redirects are always sent + ICMP unreachables are always sent + ICMP mask replies are never sent + IP fast switching is disabled + IP fast switching on the same interface is disabled + IP Flow switching is disabled + IP Fast switching turbo vector + IP multicast fast switching is disabled + IP multicast distributed fast switching is disabled + Router Discovery is disabled + IP output packet accounting is disabled + IP access violation accounting is disabled + TCP/IP header compression is disabled + RTP/IP header compression is disabled + Probe proxy name replies are disabled + Policy routing is disabled + Network address translation is disabled + BGP Policy Mapping is disabled + Input features: MCI Check + WCCP Redirect outbound is disabled + WCCP Redirect inbound is disabled + WCCP Redirect exclude is disabled +``` +
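Review bot: the two `#关键配置` blocks show only the `access-list 10 ...` statements and omit the `interface ... / ip access-group 10 <in|out>` step that the first block teaches, so the reader cannot tell in which direction each ACL is applied on 三层交换机Fa0/2, 路由器1Gig0/1, 路由器1Gig0/2 and 路由器5Gig0/1; add the `interface` and `ip access-group` lines under each comment. Because ACL numbers are per device and new `access-list 10` lines append to an existing list 10, the second scenario should start with `no access-list 10` if it reuses the same 路由器1 rather than a fresh one. The verification block at the end prints `Outgoing access list is not set` and `Inbound access list is not set`, i.e. it shows an interface with no ACL attached; capture `show ip interface` after applying the group so the ACL number appears, and pair it with `show access-lists` (or `show ip access-lists`), which lists each entry with its match counters and is the check that actually proves traffic is being permitted or denied. Smaller fixes in the same hunk: `# 允许192.168.1.0/24g整个网络` has a stray `g`, `//出战访问控制` should read `出站`, and `access-list 10 deny any` duplicates the implicit deny at the end of every ACL, which is fine for visible counters but worth stating so it is not read as required.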