Context-Based Access Control (CBAC) Configuration Example

Source: Baidu Wenku. Editor: 偶看新闻. Time: 2024/04/28 03:05:00
Thursday, May 20, 2010, 11:49


Configuration:

! e1, inbound: only sources in 172.17.1.0/24 are accepted
access-list 101 permit ip 172.17.1.0 0.0.0.255 any
access-list 101 deny ip any any
interface e1
 ip access-group 101 in

! e1, outbound: only these ICMP messages are statically permitted
access-list 102 permit icmp any any administratively-prohibited
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any packet-too-big
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip any any
interface e1
 ip access-group 102 out

! e0, inbound: only sources in 172.16.1.0/24 are accepted
access-list 111 permit ip 172.16.1.0 0.0.0.255 any
access-list 111 deny ip any any
interface e0
 ip access-group 111 in

! e0, outbound: DNS, web, FTP and mail to host 172.16.1.2, plus selected ICMP
access-list 112 permit tcp any host 172.16.1.2 eq 53
access-list 112 permit udp any host 172.16.1.2 eq domain
access-list 112 permit tcp any host 172.16.1.2 eq www
access-list 112 permit tcp any host 172.16.1.2 eq ftp
access-list 112 permit tcp any host 172.16.1.2 eq smtp
access-list 112 permit tcp any host 172.16.1.2 eq pop3
access-list 112 permit icmp any any administratively-prohibited
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any packet-too-big
access-list 112 permit icmp any any time-exceeded
access-list 112 permit icmp any any unreachable
access-list 112 deny ip any any
interface e0
 ip access-group 112 out

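! s0, inbound: drop packets whose source is the e1 network, loopback
! (127.0.0.0/8) or 224.0.0.0 and above, then permit the rest
access-list 121 deny ip 172.17.1.0 0.0.0.255 any
access-list 121 deny ip 127.0.0.0 0.255.255.255 any
access-list 121 deny ip 224.0.0.0 31.255.255.255 any
access-list 121 permit ip any any
interface s0
 ip access-group 121 in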

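! s0, outbound: ICMP echo-reply and time-exceeded are permitted; any other
! traffic sourced from 172.16.1.0/24 is denied
access-list 122 permit icmp any any echo-reply
access-list 122 permit icmp any any time-exceeded
access-list 122 deny ip 172.16.1.0 0.0.0.255 any
access-list 122 permit ip any any
interface s0
 ip access-group 122 out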

! CBAC inspection rule "cisco", applied to sessions entering on e1 and s0
ip inspect name cisco ftp
ip inspect name cisco http
ip inspect name cisco smtp
ip inspect name cisco tcp
ip inspect name cisco udp
ip inspect name cisco tftp
interface e1
 ip inspect cisco in
interface s0
 ip inspect cisco in
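
A misspelled keyword is rejected by the IOS command parser, which is easy to miss when a whole block is pasted, and an access-group or inspect name that was never defined filters nothing as intended. The following is an added example, not part of the original page: an offline lint for this kind of ACL/CBAC listing. The keyword sets are deliberately small subsets and the sample input is constructed.

```python
# Keyword subsets covering this page's configuration (assumption: extend
# them to the keywords accepted by the IOS release in use).
ICMP_TYPES = {"echo", "echo-reply", "unreachable", "time-exceeded",
              "packet-too-big", "administratively-prohibited"}
INSPECT_PROTOCOLS = {"ftp", "http", "smtp", "tcp", "udp", "tftp"}

def lint(config):
    """Return a list of findings for a pasted ACL/CBAC configuration."""
    findings, acls, rules, refs = [], set(), set(), []
    for n, raw in enumerate(config.splitlines(), 1):
        w = raw.split("!")[0].lower().split()   # drop "!" comments
        if len(w) < 3:
            continue
        if w[0] == "access-list" and len(w) > 3:
            acls.add(w[1])
            last = w[-1]
            # An ICMP entry may end in a message-type keyword; check it.
            if (w[3] == "icmp" and last.replace("-", "").isalpha()
                    and last not in {"any", "log"} | ICMP_TYPES):
                findings.append(f"line {n}: unknown ICMP type '{last}'")
        elif w[:3] == ["ip", "inspect", "name"] and len(w) > 4:
            rules.add(w[3])
            if w[4] not in INSPECT_PROTOCOLS:
                findings.append(f"line {n}: unknown inspect protocol '{w[4]}'")
        elif w[:2] == ["ip", "inspect"] and len(w) == 4 and w[3] in ("in", "out"):
            refs.append((n, "inspection rule", w[2], rules))
        elif w[:2] == ["ip", "access-group"]:
            refs.append((n, "access-list", w[2], acls))
    # Resolve references after the whole file is read, so order is irrelevant.
    for n, kind, name, defined in refs:
        if name not in defined:
            findings.append(f"line {n}: {kind} '{name}' is applied but not defined")
    return findings

# Constructed sample: two misspelled keywords and one dangling reference.
SAMPLE = """\
access-list 122 permit icmp any any ehco-reply
access-list 122 permit icmp any any time-exceeded
access-list 122 permit ip any any
ip inspect name cisco tcp
ip inspect name cisco tfpt
interface e1
 ip inspect cisco in
 ip access-group 102 out
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```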