-
You didn't say which manufacturer's device you have, so I'll take Huawei as an example.
1. Run the system-view command to enter the system view.
2. Create a basic ACL. It can be created by number or by name.
   Run the acl command with a number (any number from 2000 to 2999) to create a numbered basic ACL and enter the basic ACL view.
   Run the acl command with a name to create a named basic ACL and enter the basic ACL view.
3. Run the rule command: rule 5 (the default step is 5) deny | permit source (if you want to match a network segment, you need to write a wildcard mask).
Note that after an access control list is created, it must be applied to an interface before it takes effect. What the ACL controls is the traffic entering and leaving that interface.
-
A standard access list can only specify addresses or subnets; you need an extended access list:
access-list 111 deny ip any
access-list 111 deny ip any
access-list 111 deny ip any
access-list 111 permit ip any any
-
Because only the source can be matched.
It is best to place it on the access switch side.
If it is placed in the outbound direction at the core, some useless traffic crosses the network first. It also depends on your design, and the traffic is not that heavy.
-
Only www from the ISP side is allowed to reach the intranet, and everything else is refused. The question also says that everyone on the intranet can access this server. Simple: write an ACL on Mawson Lakes that captures the traffic going to that destination IP address, and deny everything else.
-
About any:
any stands for all addresses.
host stands for an exact match, i.e. the subnet mask is
host is written in front of the IP address.
Example = host
Regarding item 3:
Once the ACL is enabled, there is a hidden entry at the end of the list by default.
That is, everything except what you have permitted is rejected.
So you have to override that final deny any any with a permit.
About 110:
You can choose this number yourself, but it must be between 100 and 199, because you are controlling by protocol and filtering on both source and destination address.
There are 2 types of ACL:
1. Standard ACL: the list number is between 1 and 99, and it only filters the source address. It only checks where a packet came from and whether to let it through.
2. Extended ACL: the list number is between 100 and 199, and it checks upper-layer ports.
It checks the application data of the upper layer. For example, a protocol can be allowed or denied, or a protocol port can be denied.
Source and destination addresses can also be filtered. (In this question, 110 uses an extended ACL to filter the source and destination addresses.) It checks where you came from and where you may not go.
Let's take a look at the format of the access-list command.
Standard ACL:
access-list [list number] deny | permit [source address] [subnet mask]
Extended ACL:
access-list [list number] deny | permit [protocol] [source address] [source subnet mask] [destination address] [destination subnet mask] [destination port]
About this configuration:
access-list 110 deny ip host any
Extended list 110: the host with this source address is not allowed to access anything else via the IP protocol.
access-list 110 deny ip any host
Extended list 110: no other host is allowed to access the host with this destination address via the IP protocol.
access-list 110 permit ip any any
Apart from the two entries above, all other hosts are free to communicate using the IP protocol.
-
The matching address is
Judging from your list, these addresses are addresses, not network segments.
-
Under the interior gateway protocol process on router1:
access-list 1 deny host
access-list 1 permit any
distribute-list 1 in s1 0
On router2:
access-list 1 deny host
access-list 1 permit any
distribute-list 1 in s1 0
-
Send the PKT file and I'll take a look; contact me by private message.
-
Very simple requirements:
I'll take the subnet mask of the VLAN 3 network segment as ; modify it according to your own situation.
access-list 100 permit ip    (allows VLAN3 to access only VLAN2; if VLAN3 doesn't need to reach the Internet, this one line is enough, but if VLAN3 must be kept away from several other VLANs and still reach the Internet, then the following 4 lines must be added!!)
access-list 100 deny ip
access-list 100 deny ip
access-list 100 deny ip
access-list 100 permit ip any any
int vlan 3    (enters the SVI interface of VLAN 3)
ip access-group 100 in    (applies the ACL to the inbound traffic direction)
access-list 101 permit ip    (allows VLAN2 to access only VLAN1; the rest is the same as above)
access-list 101 deny ip
access-list 101 deny ip
access-list 101 deny ip
access-list 101 permit ip any any
int vlan 2
ip access-group 101 in    (same as above)
The remaining VLANs can be left at the default to meet the requirements.
One of your requirements is "vlan1, vlan4 and vlan5 cannot access vlan3".
But I want to point out that vlan1, vlan4 and vlan5 cannot access vlan3 and vlan2 at the same time,
because your requirements also say "vlan2 can only access vlan1".
So logically, your requirement should be: vlan1, vlan4 and vlan5 cannot access vlan3 or vlan2.
That will be more rigorous.
In addition, I recommend using a named access control list (ip access-list) when you write it, so that each ACL and the corresponding traffic restriction can be described more intuitively!
Written by hand; if you don't understand, you can keep asking.
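Worked example, added here and not code from any of the answers above (nor any vendor's real implementation): a small first-match evaluator for the Cisco-style access-list syntax explained in the "About 110" answer and used in the VLAN answer just above. It handles standard lists (1 to 99, source only), extended lists (100 to 199, protocol, source, destination and an optional eq port), wildcard masks, host/any, first-match ordering and the implicit deny at the end of every list. The addressing (VLAN n = 10.0.n.0/24, server 10.0.2.50, external host 203.0.113.9) and all function names are constructed assumptions of this example.

```python
"""First-match ACL evaluator in the Cisco access-list style (added example, not
code from the thread). Standard lists (1-99) match the source only; extended
lists (100-199) match protocol, source, destination and an optional 'eq <port>'.
Every list ends with an implicit 'deny any any'. All addresses are constructed."""
import ipaddress

ANY = (0, 0xFFFFFFFF)  # network 0 with an all-ones wildcard: every bit is "don't care"


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask) from the
    front of tokens. Returns ((network, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (to_int(tokens[1]), 0), tokens[2:]
    return (to_int(tokens[0]), to_int(tokens[1])), tokens[2:]


def addr_matches(spec, ip):
    """Wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    network, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(ip) & care) == (network & care)


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny ...' lines into {n: [entry, ...]},
    keeping the order in which the entries were written (order is significant)."""
    acls = {}
    for line in lines:
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        port = None
        if 1 <= number <= 99:
            # standard list: source only; a bare address with no mask means that host
            if rest[0] in ("any", "host") or len(rest) >= 2:
                src, rest = parse_addr(rest)
            else:
                src = (to_int(rest[0]), 0)
            proto, dst = "ip", ANY
        elif 100 <= number <= 199:
            proto = rest[0]
            src, rest = parse_addr(rest[1:])
            dst, rest = parse_addr(rest)
            if len(rest) >= 2 and rest[0] == "eq":
                port = int(rest[1])
        else:
            raise ValueError(f"unsupported list number {number}")
        acls.setdefault(number, []).append(
            {"action": action, "proto": proto, "src": src, "dst": dst, "port": port})
    return acls


def evaluate(entries, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry wins. Returns (action, index); index -1 is the implicit
    'deny any any' that sits at the end of every list."""
    for i, e in enumerate(entries):
        if e["proto"] != "ip" and e["proto"] != proto:  # 'ip' covers every protocol
            continue
        if not (addr_matches(e["src"], src_ip) and addr_matches(e["dst"], dst_ip)):
            continue
        if e["port"] is not None and e["port"] != dst_port:
            continue
        return e["action"], i
    return "deny", -1


def check(lines, number, proto, src_ip, dst_ip, dst_port=None):
    return evaluate(parse_acl(lines)[number], proto, src_ip, dst_ip, dst_port)


def vlan_acl(number, src_vlan, allowed_vlan, others):
    """The list shape from the VLAN answer: permit src->allowed, deny src->each
    other VLAN, then permit any any so the Internet stays reachable (constructed)."""
    net = lambda v: f"10.0.{v}.0 0.0.0.255"
    return ([f"access-list {number} permit ip {net(src_vlan)} {net(allowed_vlan)}"]
            + [f"access-list {number} deny ip {net(src_vlan)} {net(v)}" for v in others]
            + [f"access-list {number} permit ip any any"])


VLAN3_ACL = vlan_acl(100, 3, 2, (1, 4, 5))  # 'ip access-group 100 in' on int vlan 3
VLAN2_ACL = vlan_acl(101, 2, 1, (3, 4, 5))  # 'ip access-group 101 in' on int vlan 2
# Server reachable only on www (tcp/80); anything else to it is dropped, rest flows.
SERVER_ACL = [
    "access-list 110 permit tcp any host 10.0.2.50 eq 80",
    "access-list 110 deny ip any host 10.0.2.50",
    "access-list 110 permit ip any any",
]
STD_ACL = ["access-list 1 deny host 10.0.1.5", "access-list 1 permit any"]

if __name__ == "__main__":
    print(check(VLAN3_ACL, 100, "tcp", "10.0.3.10", "10.0.2.20"))    # ('permit', 0)
    print(check(VLAN3_ACL, 100, "tcp", "10.0.3.10", "10.0.4.20"))    # ('deny', 2)
    print(check(VLAN3_ACL, 100, "tcp", "10.0.3.10", "203.0.113.9"))  # ('permit', 4)
    # the reply from VLAN2 back to VLAN3 enters int vlan 2 and is judged by list 101:
    print(check(VLAN2_ACL, 101, "tcp", "10.0.2.20", "10.0.3.10"))    # ('deny', 1)
```

Running it shows the two points a practitioner checks before deploying such lists: the implicit deny means a list with only permit entries silently drops everything else, and because these lists are stateless, a packet from VLAN3 to VLAN2 is permitted by list 100 on int vlan 3 while the reply from VLAN2 to VLAN3 is dropped by list 101 on int vlan 2.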
-
VLAN3 can only access VLAN2, VLAN2 can only access VLAN1: what device are you using? This kind of one-way ACL, where you can access me but I can't access you, is not supported on low-end devices.