Case 1 requirement: provide Internet access to authenticated users on the 192.168.1.0 network segment, but allow only Web browsing and FTP access.
```
username internet password cisco
interface ethernet 1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
access-list 100 permit tcp any host 192.168.1.1 eq telnet
access-list 100 permit udp any any eq 53
access-list 100 permit tcp any any eq www established
access-list 100 permit tcp any any eq 21 established
access-list 100 dynamic internet timeout 180 permit ip any any log
line vty 0 2
 login local
 autocommand access-enable host timeout 10
line vty 3 4
 login local
 rotary 1
```
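To see how the lock-and-key entries above actually behave, here is an added Python model of access-list 100 from case 1 (it is not code from the original post). It assumes packets are evaluated in list order, that `established` matches only segments with ACK or RST set, that `access-enable host` clones the dynamic template with the authenticated host as source, and that activated entries are evaluated at the template's position and expire on the 180-minute absolute or 10-minute idle timeout; sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:  # one access-list line; ports numeric (telnet=23, www=80, ftp=21)
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None  # None = any destination port
    established: bool = False    # matches only packets with ACK/RST set
    dynamic: bool = False        # template: matches nothing until access-enable
    expires: float = 0.0         # absolute deadline (minutes) of an activated entry
    last_hit: float = 0.0        # last match time, for the idle timeout

def _in(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

ACL_100 = [  # access-list 100 from case 1, in order
    Ace("permit", "tcp", "any", "192.168.1.1/32", 23),
    Ace("permit", "udp", "any", "any", 53),
    Ace("permit", "tcp", "any", "any", 80, established=True),
    Ace("permit", "tcp", "any", "any", 21, established=True),
    Ace("permit", "ip", "any", "any", dynamic=True),  # dynamic internet timeout 180
]
ABSOLUTE, IDLE = 180, 10  # minutes: ACL "timeout 180", autocommand "timeout 10"

class LockAndKey:
    def __init__(self, acl):
        self.acl, self.active = acl, []

    def access_enable(self, host, now):
        """'autocommand access-enable host': clone the template with src = host/32."""
        tpl = next(a for a in self.acl if a.dynamic)
        self.active.append(Ace(tpl.action, tpl.proto, f"{host}/32", tpl.dst,
                               expires=now + ABSOLUTE, last_hit=now))

    def check(self, src, dst, proto, dport=0, ack=False, now=0.0):
        """True if the packet is permitted at time `now` (minutes since boot)."""
        self.active = [a for a in self.active
                       if now < a.expires and now - a.last_hit < IDLE]
        for a in self.acl:
            # activated entries are evaluated at the template's position (simplification)
            for e in (self.active if a.dynamic else [a]):
                if (e.proto in ("ip", proto) and _in(src, e.src) and _in(dst, e.dst)
                        and e.dport in (None, dport) and (ack or not e.established)):
                    e.last_hit = now
                    return e.action == "permit"
        return False  # implicit deny at the end of every IOS ACL
```

Running it shows that before authentication only telnet to the router and DNS get through (the `established` lines never match the first SYN of a new Web or FTP session), that after `access-enable` only the authenticating host's address is opened, and that the entry disappears once the idle timeout lapses.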
Case 2 requirement: allow legitimate external users to connect to the server at 198.78.46.12 for telnet and FTP access. Block access from E0 to E1 so that a compromise of the server at 198.78.46.12 cannot affect the internal hosts.
```
username server password cisco
interface ethernet 0
 ip address 198.78.46.1 255.255.255.0
 ip access-group 101 in
interface serial 0
 ip address 202.10.10.1 255.255.255.0
 ip access-group 100 in
!
access-list 100 permit tcp any host 202.10.10.1 eq telnet
access-list 100 permit tcp any host 198.78.46.12 gt 1023 established
access-list 100 dynamic wolf timeout 180 permit ip any host 198.78.46.12 time-range my-time log
access-list 101 permit tcp any any established
access-list 101 deny ip any 198.78.46.0 0.0.0.255
! the time-range name here must match the one referenced by access-list 100
time-range my-time
 periodic weekdays 8:00 to 18:00
line vty 0 2
 login local
 autocommand access-enable host timeout 10
line vty 3 4
 login local
 rotary 1
```
Case 3 requirement: to manage users centrally, authenticate against a TACACS server; when the authentication server is unavailable, fall back to the local user database for authentication.
```
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
username internet password cisco
interface ethernet 17
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
access-list 100 permit tcp any host 192.168.1.1 eq telnet
access-list 100 permit udp any any eq 53
access-list 100 permit tcp any any eq www established
access-list 100 permit tcp any any eq 21 established
access-list 100 dynamic internet timeout 180 permit ip any any log
tacacs-server host 198.78.46.13
tacacs-server key mykey
line vty 0 2
 login authentication default
line vty 3 4
 login local
 rotary 1
```

Source: Byrd's Weblog - https://note.t4x.org/route/dynamic-acl-study/
Notice: unless otherwise stated, all content on Byrd's Blog is original; reproduction without permission is prohibited. See the copyright notice for details.