Cisco ACLs
Types of ACL #
Standard ACL #
• Layer 3 filtering (matches only the source address) • Placed as close as possible to the destination
Extended ACL #
• Layer 3 and 4 filtering • Placed as close as possible to the source • Can match source and destination IP, protocol, and source/destination ports
Creating access lists #
Define a numbered access list #
Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]
Standard ACLs use numbers 1-99 (or 1300-1999). A wildcard bit of 0 means "must match", a bit of 1 means "ignore".
Abbreviations #
any = 0.0.0.0 255.255.255.255 (wildcard 255.255.255.255 ignores every bit, so any address matches)
host A.B.C.D = A.B.C.D 0.0.0.0 (wildcard 0.0.0.0 checks every bit, so only that one address matches)
Examples
access-list 1 permit 0.0.0.0 255.255.255.255
access-list 1 permit any   (equivalent to the line above)
Define a named access list #
Router(config)# ip access-list { standard | extended } name
Router(config-std-nacl)# [ sequence-number ] { permit | deny | remark } source [ source-wildcard ] [ log ]
Applying ACLs #
Apply an access list to an interface #
Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }
Apply an access list to the VTY lines #
Router(config)# line vty 0 4
Router(config-line)# access-class { access-list-number | access-list-name } { in [ vrf-also ] | out }
The router reorders standard ACL entries when it stores them: host entries first, then range (wildcard) entries, so the displayed order can differ from the order in which they were typed.
Rules for creating ACLs: only one ACL per interface, per protocol, per direction. Entries are evaluated top down and the first match wins; every ACL ends with an implicit deny any.
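Worked example of the whole procedure above (create a standard ACL, then apply it to the VTY lines and to an interface). This is an added example, not part of the original cheat sheet; the ACL names, interface and the addresses 10.1.1.0/24 (management LAN), 10.1.1.10 (admin host), 172.16.0.0/16 (guest range) and 192.168.50.0/24 (server LAN) are hypothetical.

```cisco
! Added example, not from the original cheat sheet. Addresses and names are hypothetical.
!
! 1) Standard named ACL protecting the router's own management plane.
!    A standard ACL matches only the source address, which is all we need here.
ip access-list standard MGMT-ACCESS
 remark Only the admin host and the management LAN may reach the VTY lines
 10 permit host 10.1.1.10
 20 permit 10.1.1.0 0.0.0.255
 30 deny any log
! Every ACL ends with an implicit "deny any"; entry 30 only adds logging of the rejects.
 exit

! Apply it to the VTY lines with access-class (line mode, not interface mode)
line vty 0 4
 access-class MGMT-ACCESS in
 transport input ssh
 exit

! 2) Standard numbered ACL (range 1-99) placed close to the DESTINATION:
!    keep the guest range out of the server LAN, allow everyone else.
!    Wildcard = 255.255.255.255 minus the netmask, so /16 -> 0.0.255.255 and /24 -> 0.0.0.255.
access-list 10 remark Keep the guest range out of the server LAN
access-list 10 deny 172.16.0.0 0.0.255.255
access-list 10 permit any

! Outbound on the interface that faces the server LAN (the destination side)
interface GigabitEthernet0/1
 description Server LAN
 ip access-group 10 out
 exit

! Verify the entries/counters and where the ACLs are applied
do show access-lists
do show ip interface GigabitEthernet0/1
```

Without the final `permit any` in ACL 10 the implicit deny would block all traffic to the server LAN, which is the most common mistake with standard ACLs.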
Show commands #
Show access lists (shows each ACE with its sequence number and its match counters) #
show access-lists [ access-list-number | access-list-name ]
Show which ACLs are applied to an interface #
show ip interface [ interface ]
(show ip access-lists only lists the IP ACLs themselves, not where they are applied; the inbound/outbound ACL of each interface appears in show ip interface)
Editing ACLs #
Clear counters #
clear access-list counters [ access-list-number | access-list-name ]
Insert an entry at a given sequence number #
Router(config-std-nacl)# sequence-number { permit | deny } source [ source-wildcard ] [ log ]
Delete an access list #
Router(config)# no access-list access-list-number
Router(config)# no ip access-list { standard | extended } name
Delete an entry by sequence number #
Router(config)# ip access-list standard { access-list-number | access-list-name }
Router(config-std-nacl)# no sequence-number
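Worked example of editing by sequence number, as an added example that is not part of the original cheat sheet. It assumes a hypothetical standard ACL MGMT-ACCESS with entries 10, 20 and 30, and a hypothetical numbered ACL 10; the hosts 10.1.1.11 and 172.16.10.5 are made up.

```cisco
! Added example, not from the original cheat sheet. ACL names and hosts are hypothetical.
!
! Insert a new entry between 10 and 20 by picking a free sequence number
ip access-list standard MGMT-ACCESS
 15 permit host 10.1.1.11
! Remove one entry by its sequence number; the other entries stay as they are
 no 20
 exit

! Classic gotcha: on a numbered ACL, "no access-list 10 deny ..." deletes the WHOLE list,
! not one line. Enter the numbered ACL by name instead and you get the same
! per-sequence editing as a named ACL:
ip access-list standard 10
 5 deny host 172.16.10.5
 exit

! Caveat: while an ACL referenced by ip access-group/access-class does not exist
! (for example after "no access-list 10" and before it is re-entered), IOS applies no
! filtering on that interface/line. Edit in place, or detach the ACL before deleting it.

! Renumber (start at 10, step 10) to leave room for future inserts
ip access-list resequence MGMT-ACCESS 10 10

! Check the result and reset the match counters before testing
do show access-lists MGMT-ACCESS
do clear access-list counters MGMT-ACCESS
```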
Extended ACLs #
Define a numbered EXTENDED access list #
Router(config)# access-list access-list-number { deny | permit | remark } protocol source [ source-wildcard ] destination [ destination-wildcard ] [ operator port ] [ log ]
The number ranges from 100 to 199 (or 2000-2699); protocol is ip, tcp, udp or icmp (or a protocol number); the port operator (tcp and udp only) is eq, neq, gt, lt or range, and can be given for the source, the destination, or both.
Extended ACL syntax for specific protocols #
IP #
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} protocol source source-wildcard destination destination-wildcard [precedence precedence]
[tos tos] [log|log-input] [time-range time-range-name]
ICMP #
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} icmp source source-wildcard destination destination-wildcard
[icmp-type [icmp-code] |icmp-message]
[precedence precedence] [tos tos] [log|log-input]
[time-range time-range-name]
TCP #
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} tcp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]]
[established] [precedence precedence] [tos tos]
[log|log-input] [time-range time-range-name]
UDP #
access-list access-list-number
[dynamic dynamic-name [timeout minutes]]
{deny|permit} udp source source-wildcard [operator [port]]
destination destination-wildcard [operator [port]]
[precedence precedence] [tos tos] [log|log-input]
[time-range time-range-name]
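Worked example covering the numbered/named extended ACL syntax above and the per-protocol forms (ip, icmp, tcp with established, udp with port operators). This is an added example, not part of the original cheat sheet; the interface Gi0/0, the server LAN 192.168.50.0/24, the web server 192.168.50.80, the resolver 192.168.50.53, the router address 192.168.50.1 and the admin host 203.0.113.10 are hypothetical.

```cisco
! Added example, not from the original cheat sheet. Topology and addresses are hypothetical:
! Gi0/0 = Internet-facing, 192.168.50.0/24 = server LAN behind the router.
! Extended ACLs go close to the SOURCE, so this one is applied inbound on Gi0/0.
ip access-list extended OUTSIDE-IN
 remark --- Return traffic for sessions opened from inside ---
 remark "established" only checks the ACK or RST bit; it is stateless, so a crafted
 remark packet with ACK set still passes. Use it as a filter, not as a firewall.
 10 permit tcp any 192.168.50.0 0.0.0.255 established
 remark --- Published services: HTTP/HTTPS to the web server ---
 20 permit tcp any host 192.168.50.80 eq 80
 30 permit tcp any host 192.168.50.80 eq 443
 remark --- DNS replies (source port 53) to the resolver's ephemeral ports ---
 40 permit udp any eq 53 host 192.168.50.53 gt 1023
 remark --- ICMP: only what inside hosts need (ping replies, path MTU discovery) ---
 50 permit icmp any 192.168.50.0 0.0.0.255 echo-reply
 60 permit icmp any 192.168.50.0 0.0.0.255 packet-too-big
 remark --- Management of the router itself: SSH from the admin host only ---
 70 permit tcp host 203.0.113.10 host 192.168.50.1 eq 22
 remark --- Log telnet attempts with the ingress interface, then drop the rest ---
 80 deny tcp any any eq 23 log-input
 90 deny ip any any log
 exit

! The same HTTPS rule written as a NUMBERED extended ACL (100-199 or 2000-2699)
access-list 101 permit tcp any host 192.168.50.80 eq 443

interface GigabitEthernet0/0
 description Outside
 ip access-group OUTSIDE-IN in
 exit

do show access-lists OUTSIDE-IN
```

Entry 90 is functionally the same as the implicit deny at the end of the list, but the explicit `log` keyword gives a syslog record of what is being dropped, which is what the counters in `show access-lists` alone do not tell you.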