Example:

Current configuration:
!
version 11.3
no service password-encryption
!
hostname 2511-1
!
enable password cisco
!
username 2505 password 0 cisco
no ip domain-lookup
!
interface Ethernet0
 ip address 192.4.1.1 255.255.255.0
 ip access-group 101 in
 ip security dedicated confidential genser
 no ip security add
 ip security implicit-labelling
!
interface Serial0
 ip address 192.3.1.1 255.255.255.0
 ip access-group 1 in
 ! Apply standard packet-filter rule 1 to prevent outside users from entering the local LAN by IP spoofing
 ip security dedicated confidential genser
 encapsulation frame-relay IETF
 ip ospf message-digest-key 1 md5 kim
 no ip mroute-cache
 bandwidth 2000
 frame-relay map ip 192.3.1.2 100 broadcast
 frame-relay lmi-type cisco
!
interface Serial1
 ip address 192.7.1.1 255.255.255.0
 ip access-group 1 in
 ip security dedicated confidential genser
 encapsulation ppp
 ip ospf message-digest-key 1 md5 kim
 ip ospf network non-broadcast
 bandwidth 64
 ppp authentication chap
!
router ospf 1
 passive-interface Ethernet0
 network 192.3.1.0 0.0.0.255 area 0
 network 192.4.1.0 0.0.0.255 area 0
 network 192.7.1.0 0.0.0.255 area 0
 neighbor 192.7.1.2 priority 1
 neighbor 192.3.1.2 priority 1
 area 0 authentication message-digest
!
no ip classless
access-list 1 deny 192.4.1.0 0.0.0.255
access-list 1 permit any
! Define the standard packet filter, denying the 192.4.1.0 network segment use of the IP network
access-list 101 permit ip host 192.4.1.20 any
access-list 101 deny icmp any any
! Define the extended packet-filter rule so that only the single host 192.4.1.20 may use ping; no other computer is allowed to use
! ping. This computer is the network management station.
access-list 101 deny tcp any host 192.4.1.1
access-list 101 deny tcp any host 192.7.1.1
access-list 101 deny tcp any host 192.3.1.1
access-list 101 permit ip 192.4.1.0 0.0.0.255 any
!
line con 0
line 1 8
line aux 0
line vty 0 4
 password cisco
 login
!
end
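
The first-match evaluation of access lists 1 and 101 from the configuration above, modelled in Python as an added example that is not part of the original configuration. The function names and the sample packets are constructed for illustration; ports and ICMP types are not modelled because these ACLs do not match on them.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def host(addr):
    return (addr, "0.0.0.0")

# Entries transcribed from the configuration: (action, protocol, source, destination).
# Standard ACL 1 matches on source only, so its destination is ANY.
ACL_1 = [
    ("deny", "ip", ("192.4.1.0", "0.0.0.255"), ANY),
    ("permit", "ip", ANY, ANY),
]
ACL_101 = [
    ("permit", "ip", host("192.4.1.20"), ANY),
    ("deny", "icmp", ANY, ANY),
    ("deny", "tcp", ANY, host("192.4.1.1")),
    ("deny", "tcp", ANY, host("192.7.1.1")),
    ("deny", "tcp", ANY, host("192.3.1.1")),
    ("permit", "ip", ("192.4.1.0", "0.0.0.255"), ANY),
]

def wildcard_match(addr, spec):
    """True if addr equals the base address on every bit the wildcard mask leaves at 0."""
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(acl, proto, src, dst):
    """Return the action of the first matching entry; no match is the implicit deny."""
    for action, acl_proto, src_spec, dst_spec in acl:
        if (acl_proto in ("ip", proto) and wildcard_match(src, src_spec)
                and wildcard_match(dst, dst_spec)):
            return action
    return "deny"

# Constructed sample packets: (label, acl, protocol, source, destination)
SAMPLES = [
    ("serial in, internal source address", ACL_1, "tcp", "192.4.1.50", "192.4.1.20"),
    ("serial in, neighbour source address", ACL_1, "tcp", "192.3.1.2", "192.4.1.20"),
    ("LAN in, ping from management host", ACL_101, "icmp", "192.4.1.20", "192.7.1.2"),
    ("LAN in, ping from another host", ACL_101, "icmp", "192.4.1.30", "192.7.1.2"),
    ("LAN in, TCP to the router itself", ACL_101, "tcp", "192.4.1.30", "192.4.1.1"),
    ("LAN in, source outside 192.4.1.0/24", ACL_101, "udp", "10.0.0.5", "192.3.1.2"),
]

if __name__ == "__main__":
    for label, acl, proto, src, dst in SAMPLES:
        print(f"{label:40} {proto:4} {src:>12} -> {dst:<12} {evaluate(acl, proto, src, dst)}")
```

Because the first entry of access list 101 permits all IP from 192.4.1.20, that host is also exempt from the later TCP denies that protect the router's own addresses.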