Cisco: standard ACL, checks only the packet's source IP address; numbers 1-99
Cisco: extended ACL, checks source IP, destination IP, source port, destination port and protocol together; numbers 100-199
Huawei: permits all traffic by default
Huawei: basic ACL, checks only the packet's source IP address; numbers 2000-2999
Huawei: advanced ACL, checks source IP, destination IP, source port, destination port and protocol together; numbers 3000-3999
Huawei: layer-2 ACL, checks the packet's source/destination MAC address, layer-2 protocol type and similar fields; numbers 4000-4999
Wildcard mask:
A 32-bit value that specifies how an address is matched against the "IP network prefix": a 0 bit means "this bit must match", a 1 bit means "ignore this bit".
For example: 192.168.1.0 0.0.0.255
Cisco ACL configuration commands:
(Numbered) standard ACL configuration:
access-list 1 permit 172.16.0.0 0.0.255.255
interface ethernet 0
ip access-group 1 out
(Numbered) extended ACL configuration:
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 permit ip any any
interface ethernet 0
ip access-group 101 out
(Named) standard ACL configuration:
ip access-list standard troublemaker
deny host 172.16.4.13
permit 172.16.4.0 0.0.0.255
interface ethernet 0
ip access-group troublemaker out
(Named) extended ACL configuration:
ip access-list extended badgroup
deny tcp 172.16.4.0 0.0.0.255 any eq 23
permit ip any any
interface ethernet 0
ip access-group badgroup out
Huawei ACL configuration commands:
Basic ACL configuration:
acl 2000
rule deny source 192.168.1.0 0.0.0.255
interface ethernet 0/0/0
traffic-filter outbound acl 2000
Advanced ACL configuration:
acl 3000
rule deny tcp source 192.168.1.0 0.0.0.255 destination 172.16.10.1 0.0.0.0 destination-port eq 21
rule deny tcp source 192.168.2.0 0.0.0.255 destination 172.16.10.0 0.0.0.0
rule permit ip
interface ethernet 0/0/0
traffic-filter outbound acl 3000
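To make the wildcard-mask rule and the first-match evaluation concrete, here is a small Python model, added to these notes and not taken from the original post or from any vendor code. It transcribes the page's Cisco ACL 101 and Huawei ACL 3000 into rule objects, evaluates constructed flows against them, and shows how an unmatched packet is treated differently under Cisco's implicit deny and Huawei's default permit. The Rule/Flow classes, the DENY_ONLY list and all sample addresses are constructed for illustration. It goes slightly beyond the page in one respect: the matcher also handles non-contiguous wildcards (for example 0.0.0.254, which matches only odd host addresses), since the bit rule applies to every bit independently.

```python
"""Toy first-match ACL evaluator using wildcard masks (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

IPV4_MASK = 0xFFFFFFFF


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a wildcard mask.

    Wildcard bit 0 = this bit must equal the base address;
    wildcard bit 1 = ignore this bit.  Works for non-contiguous masks too.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & IPV4_MASK          # bits we must compare
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches any IP protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"  # 0.0.0.0/255.255.255.255 == "any"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None   # models "eq <port>" on the destination side


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if not wildcard_match(flow.src, rule.src, rule.src_wc):
        return False
    if not wildcard_match(flow.dst, rule.dst, rule.dst_wc):
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow, default: str) -> str:
    """First matching rule wins.  `default` is the platform behaviour when
    nothing matches: "deny" models Cisco's implicit deny at the end of every
    ACL, "permit" models Huawei's default permit (see the notes above)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return default


# Extended ACL 101 from the Cisco section above, as rule objects.
CISCO_ACL_101 = [
    Rule("deny", "tcp", "172.16.4.0", "0.0.0.255", "172.16.3.0", "0.0.0.255", 21),
    Rule("permit", "ip"),
]

# Advanced ACL 3000 from the Huawei section above.
HUAWEI_ACL_3000 = [
    Rule("deny", "tcp", "192.168.1.0", "0.0.0.255", "172.16.10.1", "0.0.0.0", 21),
    Rule("deny", "tcp", "192.168.2.0", "0.0.0.255", "172.16.10.0", "0.0.0.0"),
    Rule("permit", "ip"),
]

# Constructed deny-only list: the fate of unmatched traffic depends solely on
# the platform default, which is the point of the Cisco/Huawei contrast.
DENY_ONLY = [Rule("deny", "ip", "10.0.0.0", "0.255.255.255")]


if __name__ == "__main__":
    ftp = Flow("tcp", "172.16.4.13", "172.16.3.5", 21)
    print("ACL 101, FTP 172.16.4.13 -> 172.16.3.5:", evaluate(CISCO_ACL_101, ftp, "deny"))
    other = Flow("tcp", "192.0.2.7", "198.51.100.9", 443)
    print("deny-only list, Cisco default :", evaluate(DENY_ONLY, other, "deny"))
    print("deny-only list, Huawei default:", evaluate(DENY_ONLY, other, "permit"))
```

Running it shows the FTP flow from the 172.16.4.0 network hitting the first deny of ACL 101, while the same deny-only list drops unmatched traffic on the Cisco model and passes it on the Huawei model; when porting an ACL between the two vendors, an explicit final `rule deny` or `permit ip any any` removes that dependence on the platform default.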
Source: http://blog.51cto.com/12950413/2150826