CCIE笔记_Cisco定时访问列表、动态访问列表、自反访问列表

—CISCODocumentationOnlineVivy20052MSN:Mr_Flying@hotmail.com(9:00-17:30)internetQQMSN20051231()InternetinternethttphttpsTCP/80TCP/443MSNTCP/1863QQTCP/UDP8000udp/4000TCP8080TCP3128HTTPTCP1080(socks)time-rangeTESTabsolutestart00:0031Dec2005end23:5931Dec2005periodicweekdaysstart9:0017:30exitipaccess-listextendINTERNET_LIMITdenytcp10.1.0.00.0.255.255anyeq80time-rangeTESTdenytcp10.1.0.00.0.255.255anyeq443time-rangeTESTdenytcp10.1.0.00.0.255.255anyeq1863time-rangeTESTdenytcp10.1.0.00.0.255.255anyeq8000time-rangeTESTdenyudp10.1.0.00.0.255.255anyeq8000time-rangeTESTdenyudp10.1.0.00.0.255.255anyeq4000time-rangeTESTdenytcp10.1.0.00.0.255.255anyeq3128time-rangeTESTdenytcp10.1.0.00.0.255.255anyeq8080time-rangeTESTdenytcp10.1.0.00.0.255.255anyeq1080time-rangeTESTpermitipanyanyintfa0/0ipaccess-groupINTERNET_LIMITin1time-rangeTESTTESTabsolute1993-2035Periodicperiodic2access-list101denyip10.1.0.00.0.255.255anytime-rangeTEST:time-rangeTESTACLtime-rangeTR1time-rangeTEST3Lock-and-KeyCiscoLock-and-keyIP(telnet)Lock-and-key1internetLock-and-key2Lock-and-keyTacacs+1telnetLock-and-key()VTY2CiscoIOStelnettelnetTACACS+RADIUS3telnetIOS45()IOSLock-and-KeyStep1Router(config)#access-listaccess-list-number[dynamicdynamic-name[timeoutminutes]]{deny|permit}telnetsourcesource-wildcarddestinationdestination-wildcard[precedenceprecedence][tostos][established][log]Step2Router(config)#access-listdynamic-extend()ACL6Step3Router(config)#interfacetypenumberStep4Router(config-if)#ipaccess-groupaccess-list-numberStep5Router(config-if)#exitStep6Router(config)#linevtyline-number[ending-line-number]VTYStep7TacacsRouter(config-line)#logintacacsRouter(config-line)#passwordpasswordRouter(config-line)#loginlocalRouter(config)#usernamenamepasswordsecretStep8Router(config-line)#autocommandaccess-enable[host][timeoutminutes]Router(config)#autocommandaccess-enable[host][timeoutminutes]linehosttelnethostRouter#showaccess-lists[access-list-number]Router#clearaccess-template[access-list-number|name][dynamic-name][source][destination]usernametestpassword0testiptelnetsource-interfaceEthernet0TELNETE0IPinterfaceethernet0ipaddress172.18.23.9255.255.255.0ipaccess-group101inaccess-list101permittcpanyhost172.18.23.9eqtelnetaccess-list101dynamicmytestlisttimeout120permitipanyanylinevty0loginlocalautocommandaccess-enabletimeout5CISCO:255.255.255.0PC(10.1.1.2)---E0(10.1.1.1)[RouterA]S0(192.1.1.1)---S1(192.1.1.2)[RouterB]RouterAE0RouterAS0PCpingRouterBS1RouterBpingPCICMPRouterBICMPACLACLReflexiveACLReflexiveACLoutboundinbound1)Reflexive-ACLa.protocolsource-IP,destination-IPsource-port,destination-portICMPb.c.2)TCPa)FIN5b)RSTc)(300)UDP(300)192.168.10.0/24HTTPSMTP,,RA:!ipaccess-listextendedOUTBOUNDpermittcp192.168.10.00.0.0.255anyeq!intserial0ipaccess-groupOUBOUNDoutipaccess-groupINBOUNDinfragmentestablished1.fragment(1)ACL(2)frament,acl:(nonfragmented)(initialfragment),ACLpermitdenynoninitialfragmentACLpermitdenyACLACL(3)fragment,aclnoninitialfragmentACLaccess-list101permitfragment2establishedaccess-list101permittcpestablishedtcptcppdutcpACKRSTNetA----e1-R1-e0----NetBNetANetBTCPNetBNetATCPACLhostnameR1interfaceethernet0ipaccess-group102inaccess-list102permittcpanyanygt1023establishedaccess-list102established,CISCOTCPTCPACKRSTACKRSTestablishedACKRSTTCP1024~65536Well-Knowport1~1023establishedaccess-list100permittcpanyanygt1023established1023ACKRST10231024FTPDNSHTTP