Filtering IP Packets on Router Interfaces with Extended Access Lists
2006-08-12 10:04
Suppose a router is connected to an "internal" Ethernet network and also has a link to the Internet via its serial 0 interface. The internal Ethernet network is the Class B network 131.108.0.0. You want to allow Internet Control Message Protocol (ICMP) messages in from the Internet to the Ethernet network for error-reporting purposes. You also want to allow TCP packets in from the Internet if they are destined to the Simple Mail Transfer Protocol (SMTP) port of host 131.108.15.1 or if they are destined to ports greater than 1023 (this setup will allow TCP packets that are in response to connections generated from the internal network). This setup can be accomplished with the following extended access list:
access-list 177 permit tcp 0.0.0.0 255.255.255.255 131.108.0.0 0.0.255.255 gt 1023
access-list 177 permit tcp 0.0.0.0 255.255.255.255 131.108.15.1 0.0.0.0 eq 25
access-list 177 permit icmp 0.0.0.0 255.255.255.255 131.108.0.0 0.0.255.255
interface s 0
 ip address 207.200.115.6 255.255.255.252
 ip access-group 177 in
This access list could also be written as:
access-list 177 permit tcp any 131.108.0.0 0.0.255.255 gt 1023
access-list 177 permit tcp any host 131.108.15.1 eq smtp
access-list 177 permit icmp any 131.108.0.0 0.0.255.255
We could also accomplish the same thing with the following extended named access list:
ip access-list extended filter-in
 permit tcp any 131.108.0.0 0.0.255.255 gt 1023
 permit tcp any host 131.108.15.1 eq smtp
 permit icmp any 131.108.0.0 0.0.255.255
interface s 0
 ip address 207.200.115.6 255.255.255.252
 ip access-group filter-in in
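To check what this list actually admits, the sketch below (an added example, not Cisco code or part of the original article) parses the three entries and evaluates packets with first-match-wins and the implicit deny. The function names and the sample packets are constructed for illustration; TCP flags are not modeled because the entries above do not test them.

```python
import ipaddress

# The three entries from the article, in the "any"/"host" form.
ACL = """\
permit tcp any 131.108.0.0 0.0.255.255 gt 1023
permit tcp any host 131.108.15.1 eq smtp
permit icmp any 131.108.0.0 0.0.255.255
"""
PORT_NAMES = {"smtp": 25}  # only the port keyword this ACL uses

def _addr(tokens):
    """Consume one address spec; return (base, wildcard) as integers."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse(text):
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":  # numbered form: drop "access-list <n>"
            tokens = tokens[2:]
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        op, port = (tokens + [None, None])[:2]
        port = int(PORT_NAMES.get(port, port)) if op else None
        rules.append((action, proto, src, dst, op, port))
    return rules

def _match(ip, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; the rest must equal the base.
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (base | wildcard)

def evaluate(rules, proto, src, dst, dport=None):
    """First match wins; a packet matching no entry hits the implicit deny."""
    for action, r_proto, r_src, r_dst, op, port in rules:
        if r_proto != proto or not _match(src, r_src) or not _match(dst, r_dst):
            continue
        if op == "eq" and dport != port:
            continue
        if op == "gt" and not (dport is not None and dport > port):
            continue
        return action
    return "deny"

RULES = parse(ACL)
```

The `gt 1023` entry matches on destination port alone, so a new inbound connection to a high-numbered port on any 131.108.0.0 host is permitted just as a reply would be. IOS extended access lists offer the `established` keyword to match only TCP segments with ACK or RST set.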