forum.opennet.ru

Составление сообщения

Исходное сообщение

"CIsco 2960 port acl"
Отправлено st0rk, 30-Июн-16 09:31

Добрый день!
строю access-list чтобы пропускал только определенные ip на портах, но что-то пускает все подряд.
Итак по порядку:
500-switch>show ver
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 19-Jul-07 20:06 by nachen
Image text-base: 0x00003000, data-base: 0x00D40000
ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)SEE6, RELEASE SOFTWARE (fc1)
500-switch uptime is 20 hours, 2 minutes
System returned to ROM by power-on
System image file is "flash:c2960-lanbase-mz.122-35.SE5/c2960-lanbase-mz.122-35.SE5.bin"
cisco WS-C2960-24TT-L (PowerPC405) processor (revision F0) with 61440K/4088K bytes of memory.
Processor board ID FOC1233Y0U7
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:22:BE:F3:13:00
Motherboard assembly number     : 73-11473-05
Power supply part number        : 341-0097-02
Motherboard serial number       : FOC12325B80
Power supply serial number      : DCA12288976
Model revision number           : F0
Motherboard revision number     : A0
Model number                    : WS-C2960-24TT-L
System serial number            : FOC1233Y0U7
Top Assembly Part Number        : 800-29859-02
Top Assembly Revision Number    : A0
Version ID                      : V05
CLEI Code Number                : COM3L00BRD
Hardware Board Revision Number  : 0x01

Switch   Ports  Model              SW Version              SW Image
------   -----  -----              ----------              ----------
*    1   26     WS-C2960-24TT-L    12.2(35)SE5             C2960-LANBASE-M

Configuration register is 0xF
Вот сам конфиг:
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 500-switch
!
enable secret 5 $1$/WQ7$ARWSO5XzUqbMWq8OjOtlt0
enable password cisco
!
no aaa new-model
clock timezone EET 2
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
ip access-group 1 in
!
interface FastEthernet0/2
ip access-group 2 in
!
interface FastEthernet0/3
ip access-group 3 in
!
interface FastEthernet0/4
ip access-group 4 in
!
interface FastEthernet0/5
ip access-group 5 in
!
interface FastEthernet0/6
ip access-group 6 in
!
interface FastEthernet0/7
ip access-group 7 in
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
description 258
speed 100
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.0.5 255.255.0.0
no ip route-cache
!
ip default-gateway 192.168.0.7
ip http server
access-list 3 permit 192.168.22.8
access-list 3 permit 192.168.22.6
access-list 3 permit 192.168.22.7
access-list 3 permit 192.168.22.4
access-list 3 permit 192.168.22.5
access-list 3 permit 192.168.22.2
access-list 3 permit 192.168.22.3
access-list 3 permit 192.168.22.1
!
control-plane
!
!
line con 0
line vty 0 4
password jkjkjkjkj
login
line vty 5 15
login
!
end

вот сами access-list:
500-switch>show access-list 3
Standard IP access list 3
    80 permit 192.168.22.8
    60 permit 192.168.22.6
    70 permit 192.168.22.7
    40 permit 192.168.22.4
    50 permit 192.168.22.5
    20 permit 192.168.22.2
    30 permit 192.168.22.3
    10 permit 192.168.22.1 (108 matches)
подскажите почему не работает access-list?

Исходное сообщение
"CIsco 2960 port acl" Отправлено st0rk, 30-Июн-16 09:31
Добрый день! строю access-list чтобы пропускал только определенные ip на портах, но что-то пускает все подряд. Итак по порядку: 500-switch>show ver Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE (fc1) Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Thu 19-Jul-07 20:06 by nachen Image text-base: 0x00003000, data-base: 0x00D40000 ROM: Bootstrap program is C2960 boot loader BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)SEE6, RELEASE SOFTWARE (fc1) 500-switch uptime is 20 hours, 2 minutes System returned to ROM by power-on System image file is "flash:c2960-lanbase-mz.122-35.SE5/c2960-lanbase-mz.122-35.SE5.bin" cisco WS-C2960-24TT-L (PowerPC405) processor (revision F0) with 61440K/4088K bytes of memory. Processor board ID FOC1233Y0U7 Last reset from power-on 1 Virtual Ethernet interface 24 FastEthernet interfaces 2 Gigabit Ethernet interfaces The password-recovery mechanism is enabled. 64K bytes of flash-simulated non-volatile configuration memory. Base ethernet MAC Address : 00:22:BE:F3:13:00 Motherboard assembly number : 73-11473-05 Power supply part number : 341-0097-02 Motherboard serial number : FOC12325B80 Power supply serial number : DCA12288976 Model revision number : F0 Motherboard revision number : A0 Model number : WS-C2960-24TT-L System serial number : FOC1233Y0U7 Top Assembly Part Number : 800-29859-02 Top Assembly Revision Number : A0 Version ID : V05 CLEI Code Number : COM3L00BRD Hardware Board Revision Number : 0x01 Switch Ports Model SW Version SW Image ------ ----- ----- ---------- ---------- * 1 26 WS-C2960-24TT-L 12.2(35)SE5 C2960-LANBASE-M Configuration register is 0xF Вот сам конфиг: ! version 12.2 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname 500-switch ! enable secret 5 $1$/WQ7$ARWSO5XzUqbMWq8OjOtlt0 enable password cisco ! no aaa new-model clock timezone EET 2 system mtu routing 1500 ip subnet-zero ! ! ! ! no file verify auto spanning-tree mode pvst spanning-tree extend system-id ! vlan internal allocation policy ascending ! interface FastEthernet0/1 ip access-group 1 in ! interface FastEthernet0/2 ip access-group 2 in ! interface FastEthernet0/3 ip access-group 3 in ! interface FastEthernet0/4 ip access-group 4 in ! interface FastEthernet0/5 ip access-group 5 in ! interface FastEthernet0/6 ip access-group 6 in ! interface FastEthernet0/7 ip access-group 7 in ! interface FastEthernet0/8 ! interface FastEthernet0/9 ! interface FastEthernet0/10 ! interface FastEthernet0/11 ! interface FastEthernet0/12 ! interface FastEthernet0/13 ! interface FastEthernet0/14 ! interface FastEthernet0/15 ! interface FastEthernet0/16 ! interface FastEthernet0/17 ! interface FastEthernet0/18 ! interface FastEthernet0/19 ! interface FastEthernet0/20 ! interface FastEthernet0/21 ! interface FastEthernet0/22 ! interface FastEthernet0/23 description 258 speed 100 ! interface FastEthernet0/24 ! interface GigabitEthernet0/1 ! interface GigabitEthernet0/2 ! interface Vlan1 ip address 192.168.0.5 255.255.0.0 no ip route-cache ! ip default-gateway 192.168.0.7 ip http server access-list 3 permit 192.168.22.8 access-list 3 permit 192.168.22.6 access-list 3 permit 192.168.22.7 access-list 3 permit 192.168.22.4 access-list 3 permit 192.168.22.5 access-list 3 permit 192.168.22.2 access-list 3 permit 192.168.22.3 access-list 3 permit 192.168.22.1 ! control-plane ! ! line con 0 line vty 0 4 password jkjkjkjkj login line vty 5 15 login ! end вот сами access-list: 500-switch>show access-list 3 Standard IP access list 3 80 permit 192.168.22.8 60 permit 192.168.22.6 70 permit 192.168.22.7 40 permit 192.168.22.4 50 permit 192.168.22.5 20 permit 192.168.22.2 30 permit 192.168.22.3 10 permit 192.168.22.1 (108 matches) подскажите почему не работает access-list?

Ваше сообщение

Имя*:

EMail:

Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email).
Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.

Заголовок*:

Сообщение*:

> Добрый день!
> строю access-list чтобы пропускал только определенные ip на портах, но что-то пускает 
> все подряд.
> Итак по порядку:

> 500-switch>show ver 
> Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(35)SE5, RELEASE SOFTWARE 
> (fc1) 
> Copyright (c) 1986-2007 by Cisco Systems, Inc.
> Compiled Thu 19-Jul-07 20:06 by nachen 
> Image text-base: 0x00003000, data-base: 0x00D40000

> ROM: Bootstrap program is C2960 boot loader 
> BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)SEE6, RELEASE SOFTWARE (fc1)

> 500-switch uptime is 20 hours, 2 minutes 
> System returned to ROM by power-on 
> System image file is "flash:c2960-lanbase-mz.122-35.SE5/c2960-lanbase-mz.122-35.SE5.bin"

> cisco WS-C2960-24TT-L (PowerPC405) processor (revision F0) with 61440K/4088K bytes of 
> memory.
> Processor board ID FOC1233Y0U7 
> Last reset from power-on 
> 1 Virtual Ethernet interface 
> 24 FastEthernet interfaces 
> 2 Gigabit Ethernet interfaces 
> The password-recovery mechanism is enabled.

> 64K bytes of flash-simulated non-volatile configuration memory.
> Base ethernet MAC Address       : 00:22:BE:F3:13:00 
 
> Motherboard assembly number     : 73-11473-05 
> Power supply part number        : 
> 341-0097-02 
> Motherboard serial number       : FOC12325B80 
> Power supply serial number      : DCA12288976 
> Model revision number          
>  : F0 
> Motherboard revision number     : A0 
> Model number           
>          : WS-C2960-24TT-L 
 
> System serial number          
>   : FOC1233Y0U7 
> Top Assembly Part Number        : 
> 800-29859-02 
> Top Assembly Revision Number    : A0 
> Version ID           
>            
> : V05 
> CLEI Code Number          
>       : COM3L00BRD 
> Hardware Board Revision Number  : 0x01

> Switch   Ports  Model       
>        SW Version   
>            
> SW Image 
> ------   -----  -----       
>        ----------    
>           ---------- 
 
> *    1   26     
> WS-C2960-24TT-L    12.2(35)SE5       
>       C2960-LANBASE-M

> Configuration register is 0xF

> Вот сам конфиг:

> !
> version 12.2 
> no service pad 
> service timestamps debug uptime 
> service timestamps log uptime 
> no service password-encryption 
> !
> hostname 500-switch 
> !
> enable secret 5 $1$/WQ7$ARWSO5XzUqbMWq8OjOtlt0 
> enable password cisco 
> !
> no aaa new-model 
> clock timezone EET 2 
> system mtu routing 1500 
> ip subnet-zero 
> !
> !
> !
> !
> no file verify auto 
> spanning-tree mode pvst 
> spanning-tree extend system-id 
> !
> vlan internal allocation policy ascending 
> !
> interface FastEthernet0/1 
>  ip access-group 1 in 
> !
> interface FastEthernet0/2 
>  ip access-group 2 in 
> !
> interface FastEthernet0/3 
>  ip access-group 3 in 
> !
> interface FastEthernet0/4 
>  ip access-group 4 in 
> !
> interface FastEthernet0/5 
>  ip access-group 5 in 
> !
> interface FastEthernet0/6 
>  ip access-group 6 in 
> !
> interface FastEthernet0/7 
>  ip access-group 7 in 
> !
> interface FastEthernet0/8 
> !
> interface FastEthernet0/9 
> !
> interface FastEthernet0/10 
> !
> interface FastEthernet0/11 
> !
> interface FastEthernet0/12 
> !
> interface FastEthernet0/13 
> !
> interface FastEthernet0/14 
> !
> interface FastEthernet0/15 
> !
> interface FastEthernet0/16 
> !
> interface FastEthernet0/17 
> !
> interface FastEthernet0/18 
> !
> interface FastEthernet0/19 
> !
> interface FastEthernet0/20 
> !
> interface FastEthernet0/21 
> !
> interface FastEthernet0/22 
> !
> interface FastEthernet0/23 
>  description 258 
>  speed 100 
> !
> interface FastEthernet0/24 
> !
> interface GigabitEthernet0/1 
> !
> interface GigabitEthernet0/2 
> !
> interface Vlan1 
>  ip address 192.168.0.5 255.255.0.0 
>  no ip route-cache 
> !
> ip default-gateway 192.168.0.7 
> ip http server 
> access-list 3 permit 192.168.22.8 
> access-list 3 permit 192.168.22.6 
> access-list 3 permit 192.168.22.7 
> access-list 3 permit 192.168.22.4 
> access-list 3 permit 192.168.22.5 
> access-list 3 permit 192.168.22.2 
> access-list 3 permit 192.168.22.3 
> access-list 3 permit 192.168.22.1 
> !
> control-plane 
> !
> !
> line con 0 
> line vty 0 4 
>  password jkjkjkjkj 
>  login 
> line vty 5 15 
>  login 
> !
> end

> вот сами access-list:

> 500-switch>show access-list 3 
> Standard IP access list 3 
>     80 permit 192.168.22.8 
>     60 permit 192.168.22.6 
>     70 permit 192.168.22.7 
>     40 permit 192.168.22.4 
>     50 permit 192.168.22.5 
>     20 permit 192.168.22.2 
>     30 permit 192.168.22.3 
>     10 permit 192.168.22.1 (108 matches)

> подскажите почему не работает access-list?

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру