Dynamic ACL Case Studies

Category: Route

Case 1 requirement: give authenticated users on the 192.168.1.0 network Internet access, but allow only web browsing and FTP.
  username internet password cisco
  !
  interface ethernet 1
   ip address 192.168.1.1 255.255.255.0
   ip access-group 100 in
  !
  ! Static entries are checked first: telnet to the router (the login prompt) and DNS are open to all.
  ! 'established' matches only segments with ACK or RST set, so the web/FTP lines below never
  ! match the SYN an inside host sends to open a session; that packet falls through to the dynamic entry.
  access-list 100 permit tcp any host 192.168.1.1 eq telnet
  access-list 100 permit tcp any host 192.168.1.1 eq 3001
  access-list 100 permit udp any any eq 53
  access-list 100 permit tcp any any eq www established
  access-list 100 permit tcp any any eq 21 established
  ! Template for the temporary per-host entry; 180 is its absolute lifetime in minutes.
  ! As written it permits all IP from an authenticated host, not only web and FTP.
  access-list 100 dynamic internet timeout 180 permit ip any any log
  !
  ! vty 0-2: the user telnets to 192.168.1.1, authenticates against the local database,
  ! the autocommand creates the temporary entry for the user's source address
  ! (10-minute idle timeout) and the session is closed.
  line vty 0 2
   login local
   autocommand access-enable host timeout 10
  ! vty 3-4: rotary group 1 listens on TCP port 3001 (permitted above), giving
  ! administrators a path to the CLI that does not trigger the autocommand.
  line vty 3 4
   login local
   rotary 1
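The evaluation order of access list 100 from case 1, run against constructed traffic. This is an added example written for this page, not code from the original article or from Cisco; it models a simplified subset of lock-and-key behaviour in Python (first match wins, implicit deny, `established` as "ACK or RST set", per-host temporary entries with an absolute and an idle timeout measured in minutes) and assumes an inside host 192.168.1.50 and a web server 203.0.113.10. It shows that before authentication the `established` lines never match the inside host's own SYN, that the temporary entry is bound to the authenticating host only, and that the `permit ip any any` template admits SMTP as readily as HTTP once the host has logged in.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str          # "tcp" | "udp"
    src: str            # IPv4 source address
    dst: str            # IPv4 destination address
    dport: int = 0
    ack: bool = False   # ACK or RST bit set; only such segments match 'established'

def _in(scope: str, addr: str) -> bool:
    """scope is 'any', a host written as 'a.b.c.d/32', or a CIDR prefix."""
    return scope == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(scope, strict=False)

@dataclass
class Entry:
    action: str                    # "permit" | "deny"
    proto: str                     # "ip" | "tcp" | "udp"
    src: str
    dst: str
    dport: Optional[int] = None
    established: bool = False
    dynamic: Optional[str] = None  # template name -> lock-and-key entry
    timeout: int = 0               # absolute lifetime in minutes (dynamic entries)

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and _in(self.src, p.src) and _in(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or (p.proto == "tcp" and p.ack)))

@dataclass
class TempEntry:                   # a per-host instance of a dynamic template
    name: str
    entry: Entry
    absolute_expiry: int
    idle_expiry: int
    idle_timeout: int

class LockAndKeyACL:
    """Extended ACL in which the 'dynamic' template stands for the temporary
    per-host entries created by 'access-enable host' (simplified model)."""

    def __init__(self, entries: List[Entry]):
        self.entries = entries
        self.temp: List[TempEntry] = []

    def access_enable_host(self, name: str, host: str, idle_timeout: int, now: int) -> None:
        """What 'autocommand access-enable host timeout <idle>' does after a
        successful login: instantiate the template with the caller as source."""
        tmpl = next(e for e in self.entries if e.dynamic == name)
        inst = Entry(tmpl.action, tmpl.proto, f"{host}/32", tmpl.dst, tmpl.dport, tmpl.established)
        self.temp.append(TempEntry(name, inst, now + tmpl.timeout, now + idle_timeout, idle_timeout))

    def evaluate(self, p: Packet, now: int) -> str:
        """First match wins, implicit deny at the end; 'now' is in minutes."""
        self.temp = [t for t in self.temp if now < t.absolute_expiry and now < t.idle_expiry]
        for e in self.entries:
            if e.dynamic is None:
                if e.matches(p):
                    return e.action
                continue
            for t in self.temp:
                if t.name == e.dynamic and t.entry.matches(p):
                    t.idle_expiry = now + t.idle_timeout  # matching traffic resets the idle timer
                    return t.entry.action
        return "deny"

# Access list 100 from case 1; 192.168.1.1 is the router's ethernet 1 address.
CASE1 = [
    Entry("permit", "tcp", "any", "192.168.1.1/32", dport=23),
    Entry("permit", "udp", "any", "any", dport=53),
    Entry("permit", "tcp", "any", "any", dport=80, established=True),
    Entry("permit", "tcp", "any", "any", dport=21, established=True),
    Entry("permit", "ip", "any", "any", dynamic="internet", timeout=180),
]

def demo_case1() -> dict:
    """Constructed traffic from an assumed inside host 192.168.1.50 to an assumed
    web server 203.0.113.10, evaluated inbound on ethernet 1."""
    acl = LockAndKeyACL(CASE1)
    web_syn = Packet("tcp", "192.168.1.50", "203.0.113.10", dport=80)
    telnet = Packet("tcp", "192.168.1.50", "192.168.1.1", dport=23)
    r = {}
    r["web_before_login"] = acl.evaluate(web_syn, now=0)  # a SYN never matches 'established'
    r["telnet_to_router"] = acl.evaluate(telnet, now=0)   # static entry: login prompt reachable
    acl.access_enable_host("internet", "192.168.1.50", idle_timeout=10, now=0)
    r["web_after_login"] = acl.evaluate(web_syn, now=1)
    r["other_host"] = acl.evaluate(Packet("tcp", "192.168.1.51", "203.0.113.10", dport=80), now=1)
    r["smtp_after_login"] = acl.evaluate(Packet("tcp", "192.168.1.50", "203.0.113.10", dport=25), now=2)
    r["after_idle_timeout"] = acl.evaluate(web_syn, now=13)  # last hit at minute 2, idle 10
    return r

if __name__ == "__main__":
    for k, v in demo_case1().items():
        print(f"{k:>20}: {v}")
```

Running the script prints the verdict for each constructed packet: everything from the host is denied before the login, the host alone is permitted afterwards (including SMTP, which the requirement did not ask for), and the entry disappears once it has been idle for the 10 minutes set by `access-enable host timeout 10`. The `timeout 180` on the template is the separate absolute limit: even a host that keeps the entry busy loses it after 180 minutes and has to authenticate again.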
  Case 2 requirement: allow legitimate external users to connect to the server 198.78.46.12 for telnet and FTP. Block access from E0 toward E1, so that if the server at 198.78.46.12 is compromised the internal hosts are not affected.
  username server password cisco
  !
  interface ethernet 0
   ip address 198.78.46.1 255.255.255.0
   ip access-group 101 in
  interface serial 0
   ip address 202.10.10.1 255.255.255.0
   ip access-group 100 in
  !
  ! Inbound from the outside: telnet to the router for authentication, replies to
  ! connections the server opened from a high port, and the per-user temporary entry,
  ! which is honoured only during the time range.
  access-list 100 permit tcp any host 202.10.10.1 eq telnet
  access-list 100 permit tcp any host 198.78.46.12 gt 1023 established
  access-list 100 dynamic wolf timeout 180 permit ip any host 198.78.46.12 log time-range my-timer
  ! Inbound from the server segment: only replies to sessions opened toward the server.
  ! Anything the server tries to start itself hits the explicit deny or the implicit
  ! deny at the end of the list, so a compromised server cannot reach the inside.
  access-list 101 permit tcp any any established
  access-list 101 deny ip any 198.78.46.0 0.0.0.255
  !
  ! The time range name must match the one referenced in the dynamic entry.
  time-range my-timer
   periodic weekdays 8:00 to 18:00
  !
  line vty 0 2
   login local
   autocommand access-enable host timeout 10
  ! Rotary group 1 listens on TCP port 3001. List 100 does not permit that port, so
  ! administrators use it from the inside; add a permit for 3001 to list 100 if they
  ! must come in over serial 0.
  line vty 3 4
   login local
   rotary 1
  Case 3 requirement: to manage users centrally, authenticate against a TACACS server; when the authentication server is unavailable, fall back to the local user database.
  aaa new-model
  ! Try TACACS+ first and fall back to the local database when the server is unreachable.
  ! The fallback belongs on the authorization list too: with 'group tacacs+' alone,
  ! exec authorization fails whenever the server is down and the user gets no shell.
  aaa authentication login default group tacacs+ local
  aaa authorization exec default group tacacs+ local
  username internet password cisco
  !
  interface ethernet 1
   ip address 192.168.1.1 255.255.255.0
   ip access-group 100 in
  !
  access-list 100 permit tcp any host 192.168.1.1 eq telnet
  access-list 100 permit udp any any eq 53
  access-list 100 permit tcp any any eq www established
  access-list 100 permit tcp any any eq 21 established
  access-list 100 dynamic internet timeout 180 permit ip any any log
  !
  tacacs-server host 198.78.46.13
  tacacs-server key mykey
  !
  ! Under aaa new-model a line selects a method list with 'login authentication';
  ! 'login local' is no longer valid. No autocommand is configured on vty 0-2 here, so
  ! the access-enable command must come from the user's TACACS+ profile (autocmd); in
  ! the local-fallback case it has to be on the line, as in case 1, for the temporary
  ! entry to be created.
  line vty 0 2
   login authentication default
  line vty 3 4
   login authentication default
   rotary 1
