
CHP6 Access Control Lists.ppt

Published: 2016-12-06, about 25,200 characters, 37 pages
acl 4000
 rule 10 deny l2-protocol arp destination-mac 5489-9862-2FF8 ffff-ffff-ffff source-mac 5489-9803-2C28 ffff-ffff-ffff
 rule 20 deny source-mac 5489-9862-2FF8 ffff-ffff-ffff destination-mac ffff-ffff-ffff ffff-ffff-ffff

acl number 3000
 rule 10 permit tcp destination 0 0 destination-port eq www
 rule 20 deny ip
q
acl number 3001
 rule 10 permit ip source 55
 rule 20 deny ip
q
firewall zone inside
 priority 10
q
firewall zone outside
 priority 5
q
interface GigabitEthernet0/0/0
 ip address
 zone inside
q
interface GigabitEthernet0/0/1
 ip address
 zone outside
q
firewall interzone inside outside
 firewall enable
 packet-filter 3000 inbound
 packet-filter 3001 outbound

1. Advanced ACLs can define rules based on parameters such as source/destination IP address, source/destination port number, protocol type, IP traffic classification, and TCP flag values (SYN, ACK, FIN, etc.).

Verifying the Layer 2 ACL

[R1]display traffic policy statistics interface g0/0/0 inbound
Interface: GigabitEthernet0/0/0
Traffic policy inbound: p1
Rule number: 1
Current status: OK!
 Item                Sum(Packets/Bytes)       Rate(pps/bps)
 Matched                      3/                     0/
                            252                      0
  +--Passed                   0/                     0/
                              0                      0
  +--Dropped                  3/                     0/
                            252                      0
    +--Filter                 3/                     0/
                            252                      0

Layer 2 ACL example (2)

Requirement: CLIENT1 must not be able to access CLIENT2, and ARP traffic from CLIENT1 to CLIENT3 is denied.

[S1]acl 4000
[S1-acl-L2-4000]rule 10 deny l2-protocol arp destination-mac 5489-9862-2FF8 ffff-ffff-ffff source-mac 5489-9803-2C28 ffff-ffff-ffff
[S1-acl-L2-4000]rule 20 deny source-mac 5489-9862-2FF8 ffff-ffff-ffff destination-mac ffff-ffff-ffff ffff-ffff-ffff
[S1-acl-L2-4000]int g0/0/1
[S1-Gi
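As an added example (not code from the slides), a small Python evaluator of Huawei-style ACL rules: it applies the IPv4 wildcard-mask convention of advanced ACLs, the MAC-mask convention of Layer 2 ACLs, and first-match rule ordering to the ACL 3000 and ACL 4000 definitions above. The destination host in ACL 3000 (192.0.2.10, since the address was lost in the preview), the deny default for unmatched traffic, and the packet dictionaries are assumptions.

```python
import ipaddress
def ip_match(pkt_addr, rule_addr, wildcard):
    """Huawei IPv4 wildcard: 0 bits must match, 1 bits are ignored ("0" = exact host)."""
    if rule_addr is None:   # field absent from the rule: matches anything
        return True
    if pkt_addr is None:    # rule needs an IP field this frame does not carry
        return False
    w = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    base = int(ipaddress.IPv4Address(rule_addr))
    return (int(ipaddress.IPv4Address(pkt_addr)) & ~w) == (base & ~w)

def mac_match(frame_mac, rule_mac, mask):
    """Layer 2 MAC mask uses the opposite convention: 1 bits must match (ffff-ffff-ffff = exact)."""
    if rule_mac is None:
        return True
    if frame_mac is None:
        return False
    h = lambda m: int(m.replace("-", ""), 16)
    return (h(frame_mac) & h(mask)) == (h(rule_mac) & h(mask))

def rule_matches(rule, pkt):
    return all([
        rule.get("proto") in (None, "ip") or rule["proto"] == pkt.get("proto"),
        rule.get("l2-protocol") is None or rule["l2-protocol"] == pkt.get("ethertype"),
        ip_match(pkt.get("src"), *rule.get("source", (None, None))),
        ip_match(pkt.get("dst"), *rule.get("destination", (None, None))),
        mac_match(pkt.get("src_mac"), *rule.get("source-mac", (None, None))),
        mac_match(pkt.get("dst_mac"), *rule.get("destination-mac", (None, None))),
        rule.get("dport") is None or rule["dport"] == pkt.get("dport"),
    ])

def evaluate(acl, pkt, default="deny"):
    """First match in rule-number order wins; unmatched traffic gets `default` (assumed deny here)."""
    for rule in sorted(acl, key=lambda r: r["number"]):
        if rule_matches(rule, pkt):
            return rule["action"], rule["number"]
    return default, None
# ACL 3000 from the slides ("eq www" = TCP/80); the destination host was lost in the
# preview, so 192.0.2.10 is a constructed placeholder.
ACL_3000 = [{"number": 10, "action": "permit", "proto": "tcp",
             "destination": ("192.0.2.10", "0"), "dport": 80},
            {"number": 20, "action": "deny", "proto": "ip"}]
# ACL 4000 (Layer 2) exactly as configured on S1
ACL_4000 = [{"number": 10, "action": "deny", "l2-protocol": "arp",
             "destination-mac": ("5489-9862-2FF8", "ffff-ffff-ffff"),
             "source-mac": ("5489-9803-2C28", "ffff-ffff-ffff")},
            {"number": 20, "action": "deny",
             "source-mac": ("5489-9862-2FF8", "ffff-ffff-ffff"),
             "destination-mac": ("ffff-ffff-ffff", "ffff-ffff-ffff")}]
```

Note that rule 20 of ACL 4000 matches every broadcast frame from 5489-9862-2FF8, so the ARP requests that station would need in order to resolve any neighbour are dropped before any IP traffic is exchanged.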