命名ACL:
没有表号,使用名字作为表号,直接使用standard标识标准ACL、和extended标识扩展
删除访问控制列表
1.在删除访问控制列表前,需要先从应用的接口上取消
2.不管是标准ACL还是扩展ACL 不管no哪一条ACL,删除都是全部删除,不能单独删除
而且添加ACL是自动往后排,不能插在中间
命名ACL好处:
可以在某一个表内删除单条ACL或者在任意位置插入ACL
具体配置
Router(config)#ip access-list ?
extended Extended Access List
standard Standard Access List
Router(config)#ip access-list extended wn //扩展ACL命名为wn
Router(config-ext-nacl)#deny ?
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
Router(config-ext-nacl)#deny icmp ?
A.B.C.D Source address
any Any source host
host A single source host
Router(config-ext-nacl)#deny icmp host 192.168.10.2 ?
A.B.C.D Destination address
any Any destination host
host A single destination host
Router(config-ext-nacl)#deny icmp host 192.168.10.2 host 192.168.30.2
Router(config-ext-nacl)#deny icmp host 192.168.20.2 host 192.168.30.2
Router(config-ext-nacl)#deny udp host 192.168.20.2 host 192.168.30.2 eq 53
Router(config-ext-nacl)#deny tcp host 192.168.10.2 host 192.168.30.2 eq 80
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#exit
Router(config)#int g0/1
Router(config-if)#
Router(config-if)#ip access-group wn in
Router(config-if)#exit
Router(config)#
Router(config)#int g0/1 //应用到接口
Router(config-if)#ip access-group wn out
Router(config-if)#
删除ACL
第一步:查看ACL编号
Show access-lists
假设删除编号为20的acl
进入扩展ACL;然后直接no
Router(config)#ip access-list extended wn
Router(config-ext-nacl)#no 20
指定ACL序号
Router(config-ext-nacl)#?
<1-2147483647> Sequence Number
Router(config-ext-nacl)#12 deny icmp 192.168.20.2 0.0.0.0 192.168.30.2 0.0.0.0
deny icmp 192.168.20.2 0.0.0.0 192.168.30.2 0.0.0.0等同于deny icmp 192.168.20.2 92.168.30.2
此处的0.0.0.0是是255.255.255.255的反掩码,原因acl需要反掩码,标识一个IP我们用的子网掩码是四个255