
How to add and remove entries in a Cisco access list

Registered: 2024/06/12 04:37
Category: Network

I want to add and remove entries in an access list on a Cisco router.
Reference: https://www.infraexpert.com/study/aclz7.html

First, check the existing access list in the running configuration.

RT1>en
RT1#sh run
Building configuration...

Current configuration : 866 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname RT1
!
!
!
!
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 ip address 30.1.1.1 255.255.255.0
 ip access-group 100 out
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 40.1.1.0 255.255.255.0 30.1.1.2 
!
ip flow-export version 9
!
!
access-list 100 deny tcp host 10.1.1.10 host 40.1.1.50 eq www
access-list 100 deny tcp host 20.1.1.10 host 40.1.1.50 eq www
access-list 100 permit ip any any
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

There is an extended ACL 100, so check its details, including the sequence number of each entry.

RT1#sh ip access-lists 
Extended IP access list 100
    10 deny tcp host 10.1.1.10 host 40.1.1.50 eq www
    20 deny tcp host 20.1.1.10 host 40.1.1.50 eq www
    30 permit ip any any

Adding ACL entries

Add an entry at the head of the access list by giving it a sequence number lower than that of the existing first entry.

RT1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RT1(config)#ip ac
RT1(config)#ip access-list ex
RT1(config)#ip access-list extended 100
RT1(config-ext-nacl)#5 permit ip host 192.168.0.1 host 20.1.1.1
RT1(config-ext-nacl)#end
RT1#
%SYS-5-CONFIG_I: Configured from console by console

RT1#sh ip acc
RT1#sh ip access-lists 
Extended IP access list 100
    5 permit ip host 192.168.0.1 host 20.1.1.1
    10 deny tcp host 10.1.1.10 host 40.1.1.50 eq www
    20 deny tcp host 20.1.1.10 host 40.1.1.50 eq www
    30 permit ip any any

Next, add an entry at the end of the access list by giving it a sequence number higher than that of the existing last entry.

RT1#sh ip access-lists 
Extended IP access list 100
    5 permit ip host 192.168.0.1 host 20.1.1.1
    10 deny tcp host 10.1.1.10 host 40.1.1.50 eq www
    20 deny tcp host 20.1.1.10 host 40.1.1.50 eq www
    30 permit ip any any


RT1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RT1(config)#ip access-list extended 100
RT1(config-ext-nacl)#40 permit tcp any any
RT1(config-ext-nacl)#end
RT1#
%SYS-5-CONFIG_I: Configured from console by console

RT1#sh ip acc
RT1#sh ip access-lists 
Extended IP access list 100
    5 permit ip host 192.168.0.1 host 20.1.1.1
    10 deny tcp host 10.1.1.10 host 40.1.1.50 eq www
    20 deny tcp host 20.1.1.10 host 40.1.1.50 eq www
    30 permit ip any any
    40 permit tcp any any

Deleting ACL entries

Delete a single entry from the access list by specifying its sequence number with "no".

RT1#
RT1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RT1(config)#ip ac
RT1(config)#ip access-list e
RT1(config)#ip access-list extended 100
RT1(config-ext-nacl)#no 40
RT1(config-ext-nacl)#end
RT1#
%SYS-5-CONFIG_I: Configured from console by console

RT1#sh ac
RT1#sh access-lists 
Extended IP access list 100
    5 permit ip host 192.168.0.1 host 20.1.1.1
    10 deny tcp host 10.1.1.10 host 40.1.1.50 eq www
    20 deny tcp host 20.1.1.10 host 40.1.1.50 eq www
    30 permit ip any any

RT1#

Delete the first entry of the access list in the same way.

RT1#sh access-lists 
Extended IP access list 100
    5 permit ip host 192.168.0.1 host 20.1.1.1
    10 deny tcp host 10.1.1.10 host 40.1.1.50 eq www
    20 deny tcp host 20.1.1.10 host 40.1.1.50 eq www
    30 permit ip any any

RT1#
RT1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RT1(config)#
RT1(config)#ip ac
RT1(config)#ip access-list ex
RT1(config)#ip access-list extended 100
RT1(config-ext-nacl)#no 5
RT1(config-ext-nacl)#end
RT1#
%SYS-5-CONFIG_I: Configured from console by console

RT1#sh acc
RT1#sh access-lists 
Extended IP access list 100
    10 deny tcp host 10.1.1.10 host 40.1.1.50 eq www
    20 deny tcp host 20.1.1.10 host 40.1.1.50 eq www
    30 permit ip any any

RT1#

Appendix

Confirm that an entry can also be added when a protocol is specified. Note that only two of the six commands entered below show up in the result: the entry typed without a sequence number, the one with sequence number 3, and the one with "eq 80" (which is the same as "eq www") are identical to an entry already in the list and are therefore not added.

RT1#sh ip access-lists 
Extended IP access list 100
    10 deny tcp host 10.1.1.10 host 40.1.1.50 eq www
    20 deny tcp host 20.1.1.10 host 40.1.1.50 eq www
    30 permit ip any any

RT1#conf t 
RT1(config)#ip access-list extended 100
RT1(config-ext-nacl)#deny tcp host 10.1.1.10 host 40.1.1.50 eq www
RT1(config-ext-nacl)#5 permit ip host 192.168.0.1 host 20.1.1.1
RT1(config-ext-nacl)#3 deny tcp host 10.1.1.10 host 40.1.1.50 eq www
RT1(config-ext-nacl)#2 permit tcp host 10.1.1.10 host 40.1.1.50 eq www
RT1(config-ext-nacl)#1 permit tcp host 10.1.1.10 host 40.1.1.50 eq 80
RT1(config-ext-nacl)#1 permit tcp host 10.1.1.10 host 40.1.1.50 eq 3389
RT1(config-ext-nacl)#
RT1(config-ext-nacl)#end
RT1#
RT1#sh ip access-lists 
Extended IP access list 100
    1 permit tcp host 10.1.1.10 host 40.1.1.50 eq 3389
    2 permit tcp host 10.1.1.10 host 40.1.1.50 eq www
    5 permit ip host 192.168.0.1 host 20.1.1.1
    10 deny tcp host 10.1.1.10 host 40.1.1.50 eq www
    20 deny tcp host 20.1.1.10 host 40.1.1.50 eq www
    30 permit ip any any
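As an added example (my own code, not part of the original note), the following Python model reproduces the behaviour shown in the transcripts above: an extended ACL keyed by sequence number, insertion of an entry before or after the existing ones, deletion with "no <seq>", rejection of an entry identical to one already present (as in the Appendix), and first-match evaluation. It makes the ordering risk visible: the traffic that entry 10 denies is permitted as soon as the Appendix's entry 2 exists in front of it. Names such as ExtendedAcl and parse_ace are assumptions of this example; the ACL text is taken from the page's own output.

```python
import re
# ACL 100 as printed by 'show ip access-lists' on this page (constructed input).
ACL_100 = """\
10 deny tcp host 10.1.1.10 host 40.1.1.50 eq www
20 deny tcp host 20.1.1.10 host 40.1.1.50 eq www
30 permit ip any any
"""

PORT_NAMES = {"www": 80}  # IOS prints TCP port 80 as 'www'
ACE_RE = re.compile(r"\s*(\d+)\s+(permit|deny)\s+(\w+)\s+(host \S+|any)"
                    r"\s+(host \S+|any)(?:\s+eq\s+(\S+))?\s*$")

def parse_ace(line):
    """Parse one '<seq> <action> <proto> <src> <dst> [eq <port>]' line into a dict."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError("unsupported ACE syntax: " + line)
    seq, action, proto, src, dst, port = m.groups()
    port = None if port is None else int(PORT_NAMES.get(port, port))
    return {"seq": int(seq), "action": action, "proto": proto,
            "src": src.replace("host ", ""), "dst": dst.replace("host ", ""), "port": port}

def rule_of(ace):
    return {k: v for k, v in ace.items() if k != "seq"}  # ACE minus its sequence number

class ExtendedAcl:
    def __init__(self, text):
        self.aces = {}                       # sequence number -> ACE
        for line in text.splitlines():
            self.add(line)

    def add(self, line):
        """Mimic entering an ACE in 'ip access-list extended' mode with a sequence number."""
        ace = parse_ace(line)
        if ace["seq"] in self.aces:
            raise ValueError("sequence %d already in use" % ace["seq"])
        if any(rule_of(a) == rule_of(ace) for a in self.aces.values()):
            return False                     # identical ACE already present: not added (Appendix)
        self.aces[ace["seq"]] = ace
        return True

    def remove(self, seq):
        del self.aces[seq]                   # 'no <seq>' in ACL configuration mode

    def evaluate(self, proto, src, dst, port):
        """First match in sequence order decides; no match falls to the implicit deny."""
        for seq in sorted(self.aces):
            a = self.aces[seq]
            if (a["proto"] in ("ip", proto) and a["src"] in ("any", src)
                    and a["dst"] in ("any", dst) and a["port"] in (None, port)):
                return a["action"], seq
        return "deny", None
```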