Chapter9ACLConîš¿guration
calport,VLANorSmartgroupvirtualinterface)supportstwoACL
processingmodesandcanprocesspacketsinthesetwomodes.
ConfiguringACLs
ACLconîš¿gurationincludes:
�DeneanACLrule
�Congureatimerange
�ApplytheACLtoaport
DefiningACLs
Thefollowingissuesaretobetakenintoaccountwhendeîš¿ning
ACLrules.
�Whenapacketmeetsmultiplerules,rstrulewillbematched.
Rulesequenceisveryimportant.Generally,rulesinasmall
rangeareputinthefrontandrulesinalargerangeareputin
theback.
�Consideringnetworksecurity,systemwilladdanimplicitdeny
ruletotheendofeachACLautomaticallyfordenyingallthe
packets.Apermitruleforallowingallpacketsshouldbede-
îš¿nedattheendofeachACL.
DefiningStandardACL
Toconîš¿gurestandardACL,performthefollowingsteps.
Step
CommandFunction
1
ZXR10(config)#aclstandard{number<acl-number
>|name<acl-name>|alias<alias-name>}[match-
order{auto|config}]
ThisentersstandardACL
conîš¿gurationmode
2
ZXR10(config-std-acl)#rule<rule-no>{permit|deny
}{<source>[<source-wildcard>]|any}[time-range
<timerange-name>]
Thisdeîš¿nesrules
3
ZXR10(config-std-acl)#move<rule-no>after
<rule-no>
Thismovesarule
4
ZXR10(config-std-acl)#attachtime-range<Time
rangename>to<ruleid>
Thisbindsatimerangetoa
rule
ExampleThisexampledescribeshowtodeîš¿neastandardACLwhichal-
lowsaccessofmessagesfromnetwork192.168.1.0/24butdenies
messagesfromsourceIPaddress192.168.1.100.
ZXR10(config)#aclbasicnumber10
ZXR10(config-std-acl)#rule1deny192.168.1.1000.0.0.0
Conîš¿dentialandProprietaryInformationofZTECORPORATION79
To Next Page
Loading...
Need help?
General