动态ACL案例研究

December 26, 2012CommentsRead

案例1需求：为192.168.1.0网段上通过认证的用户提供上网服务，但只允许进行Web浏览和FTP访问。

　　
    username internet password cisco 
　　interface ethernet 1 <!--more-->
　　ip address 192.168.1.1 255.255.255.0 
　　ip access-group 100 in 
　　access-list 100 permit tcp any host 192.168.1.1 eq telnet 
　　access-list 100 permit udp any any eq 53 
　　access-list 100 permit tcp any any eq www established 
　　access-list 100 permit tcp any any eq 21 established 
　　access-list 100 dynamic internet timeout 180 permit ip any any log 
　　line vty 0 2 
　　login local 
　　autocommand access-enable host timeout 10 
　　line vty 3 4 
　　login local 
　　rotary 1

username internet password cisco

interface ethernet 1

　　ip address 192.168.1.1 255.255.255.0

　　ip access-group 100 in

　　access-list 100 permit tcp any host 192.168.1.1 eq telnet

　　access-list 100 permit udp any any eq 53

　　access-list 100 permit tcp any any eq www established

　　access-list 100 permit tcp any any eq 21 established

　　access-list 100 dynamic internet timeout 180 permit ip any any log

　　line vty 0 2

　　autocommand access-enable host timeout 10

　　line vty 3 4

　　rotary 1

　　案例2需求：允许合法的外部用户连到198.78.46.12服务器，以进行telnet和FTP访问。阻塞从E0到E1的访问，以防止IP地址为198.78.46.12的服务器被击破而影响到内部主机。

　　username server password cisco 
　　interface ethernet 0 
　　ip address 198.78.46.1 255.255.255.0 
　　ip access-group 101 in 
　　interface serial 0 
　　ip address 202.10.10.1 255.255.255.0 
　　ip access-group 100 in! 
　　access-list 100 permit tcp any host 202.10.10.1 eq telnet 
　　access-list 100 permit tcp any host 198.78.46.12 eq gt 1023 -established 
　　access-list 100 dynamic wolf timeout 180 permit ip any host 198.78.46.12 time-range my-time log 
　　access-list 101 permit tcp any any established 
　　access-list 101 deny ip any 198.78.46.0 0.0.0.255a 
　　time-range my-timer 
　　periodic weekdays 8:00 to 18:00 
　　line vty 0 2 
　　login local 
　　autocommand access-enable host timeout 10 
　　line vty 3 4 
　　login local 
　　rotary 1

　　username server password cisco

　　interface ethernet 0

　　ip address 198.78.46.1 255.255.255.0

　　ip access-group 101 in

　　interface serial 0

　　ip address 202.10.10.1 255.255.255.0

　　ip access-group 100 in!

　　access-list 100 permit tcp any host 202.10.10.1 eq telnet

　　access-list 100 permit tcp any host 198.78.46.12 eq gt 1023 -established

　　access-list 100 dynamic wolf timeout 180 permit ip any host 198.78.46.12 time-range my-time log

　　access-list 101 permit tcp any any established

　　access-list 101 deny ip any 198.78.46.0 0.0.0.255a

　　time-range my-timer

　　periodic weekdays 8:00 to 18:00

　　line vty 0 2

　　autocommand access-enable host timeout 10

　　line vty 3 4

　　rotary 1

　　案例3需求：为了统一管理用户，使用TACACS服务器进行认证，当认证服务器不可用时，使用本地用户数据库进行备份认证。

　　aaa new-model 
　　aaa authentication login default group tacacs+ local 
　　aaa authorization exec default group tacacs+ 
　　username internet password cisco 
　　interface ethernet 17 
　　ip address 192.168.1.1 255.255.255.0 
　　ip access-group 100 in 
　　access-list 100 permit tcp any host 192.168.1.1 eq telnet 
　　access-list 100 permit udp any any eq 53 
　　access-list 100 permit tcp any any eq www established 
　　access-list 100 permit tcp any any eq 21 established 
　　access-list 100 dynamic internet timeout 180 permit ip any any log 
　　tacacs-server host 198.78.46.13 
　　tacacs-server key mykey 
　　line vty 0 2 
　　login authentication default 
　　line vty 3 4 
　　login local

　　aaa new-model

　　aaa authentication login default group tacacs+ local

　　aaa authorization exec default group tacacs+

　　username internet password cisco

　　interface ethernet 17

　　ip address 192.168.1.1 255.255.255.0

　　ip access-group 100 in

　　access-list 100 permit tcp any host 192.168.1.1 eq telnet

　　access-list 100 permit udp any any eq 53

　　access-list 100 permit tcp any any eq www established

　　access-list 100 permit tcp any any eq 21 established

　　access-list 100 dynamic internet timeout 180 permit ip any any log

　　tacacs-server host 198.78.46.13

　　tacacs-server key mykey

　　line vty 0 2

　　line vty 3 4

rotary 1 文章源自 note.t4x.orgByrd's Blog-https://note.t4x.org/route/dynamic-acl-study/

申明：除非注明Byrd's Blog内容均为原创,未经许可禁止转载!详情请阅读版权申明!

On this day in past years

December

Hot search

On this day in past years

Comment