For the Horde!!

2014. 11. 19. Access-List Lab (VTY)

 

 

 Conditions

1. Block access to the server from 10.1.5.2

2. Permit all other networks

 R1 (S)

!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.128
 ip access-group 2 in
 ip access-group 1 out
 duplex auto
 speed auto
!
access-list 1 deny 10.1.5.0 0.0.0.127
access-list 1 permit any
access-list 2 permit host 10.1.1.10
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 access-class 2 out
 password cisco
 login
line vty 5 15
 access-class 2 out
 login
!

Seoul#sh access-lists
Standard IP access list 1
    deny 10.1.5.0 0.0.0.127 (32 match(es))
    permit any (40 match(es))
Standard IP access list 2
    permit host 10.1.1.10 (85 match(es))

 

 Conditions

1. Permit ping from the administrator PC to the server

2. Block telnet from the administrator and users to the server

 R5 (J)

!
interface FastEthernet0/1.1
 encapsulation dot1Q 10
 ip address 10.1.5.1 255.255.255.128
!
interface FastEthernet0/1.2
 encapsulation dot1Q 20
 ip address 10.1.5.129 255.255.255.128
 ip access-group 100 in
!

access-list 100 permit icmp host 10.1.5.130 host 10.1.1.10
access-list 100 deny tcp any any eq telnet

!

Jeju#sh access-lists
Extended IP access list 100
    deny tcp any any eq telnet (12 match(es))
    permit icmp host 10.1.5.130 host 10.1.1.10 (4 match(es))

 

 Conditions

1. Block telnet for everyone except the administrator

2. Block all ping traffic

3. Permit all other traffic

4. However, configure this on the Seoul router

 R1 (S) 

!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.128
 ip access-group 100 out
 duplex auto
 speed auto
!

access-list 100 permit tcp host 10.1.5.130 host 10.1.1.10 eq telnet
access-list 100 permit tcp host 10.1.3.10 host 10.1.1.10 eq telnet
access-list 100 deny icmp any any
access-list 100 permit ip any any
access-list 2 permit host 10.1.1.10
!

line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 access-class 2 out
 password cisco
 login
line vty 5 15
 access-class 2 out
 login
!

Seoul#sh access-lists
Extended IP access list 100
    permit tcp host 10.1.5.130 host 10.1.1.10 eq telnet (8 match(es))
    permit tcp host 10.1.3.10 host 10.1.1.10 eq telnet (8 match(es))
    deny icmp any any (2 match(es))
    permit ip any any
Standard IP access list 2
    permit host 10.1.1.10
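
As an added example (not part of the original post), the Python below evaluates the two extended ACL 100 lists above the way IOS does: top-down, first match wins, with the implicit deny at the end. The host 10.1.5.131 and TCP port 80 are constructed test values, and the function names are illustrative.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def addr(tok):  # consume one address spec -> ((base, wildcard), remaining tokens)
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (ip(tok[1]), 0), tok[2:]
    return (ip(tok[0]), ip(tok[1])), tok[2:]

def parse(line):
    """Parse 'access-list N permit|deny proto src dst [eq port]' (extended form)."""
    t = line.split()
    src, rest = addr(t[4:])
    dst, rest = addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = 23 if rest[1] == "telnet" else int(rest[1])
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port}

def hit(spec, address):
    care = ~spec[1] & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (ip(address) & care) == (spec[0] & care)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, entry number); the first matching entry wins."""
    for n, e in enumerate(acl, 1):
        if (e["proto"] in ("ip", proto) and hit(e["src"], src)
                and hit(e["dst"], dst) and e["port"] in (None, dport)):
            return e["action"], n
    return "deny", None  # implicit deny at the end of every list

# Entries copied from the page, in running-config order.
JEJU_100 = [parse(l) for l in (
    "access-list 100 permit icmp host 10.1.5.130 host 10.1.1.10",
    "access-list 100 deny tcp any any eq telnet",
)]
SEOUL_100 = [parse(l) for l in (
    "access-list 100 permit tcp host 10.1.5.130 host 10.1.1.10 eq telnet",
    "access-list 100 permit tcp host 10.1.3.10 host 10.1.1.10 eq telnet",
    "access-list 100 deny icmp any any",
    "access-list 100 permit ip any any",
)]

if __name__ == "__main__":
    # Constructed packets: a non-admin host (10.1.5.131) using Telnet and port 80.
    for pkt in (("tcp", "10.1.5.131", "10.1.1.10", 23), ("tcp", "10.1.5.131", "10.1.1.10", 80)):
        print(pkt, "Jeju:", evaluate(JEJU_100, *pkt), "Seoul:", evaluate(SEOUL_100, *pkt))
```

With the Seoul list as shown, Telnet from a source other than the two permitted hosts falls through to `permit ip any any`, so condition 1 of the last lab needs a `deny tcp any host 10.1.1.10 eq telnet` entry ahead of it. The Jeju list has no trailing permit, so everything except the administrator's ping is dropped by the implicit deny.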

 
