泰克实验室塑造 posted on 2014-5-8 17:16:12

object-group

An ACL built with object-groups is expanded into a series of individual ACEs. If the action for all of them is permit, it is displayed as:
access-list aa line 1 extended permit icmp host 1.1.12.10 host 1.1.23.3 (hitcnt=0) 0x416f90b6
access-list aa line 1 extended permit icmp host 1.1.12.10 host 3.3.3.3 (hitcnt=0) 0x3281a8fd
access-list aa line 1 extended permit icmp host 11.1.1.1 host 1.1.23.3 (hitcnt=0) 0x57ff93f4
But if you want permit icmp host 11.1.1.1 host 1.1.23.3 to be denied, you have to deny it above that entry first. The point is that the list is processed from top to bottom; once a packet is denied, it will certainly never reach the final permit.
Run:
access-list aa line 1 deny icmp host 1.1.12.10 host 3.3.3.3
You must include the line sequence number. Otherwise, if you run access-list aa deny icmp host 1.1.12.10 host 3.3.3.3,
the new entry is placed after all of the line 1 entries and is evaluated last, which is meaningless.
It is displayed as:
access-list aa line 1 extended deny icmp host 1.1.12.10 host 3.3.3.3 (hitcnt=0) 0x2a2bd666
access-list aa line 2 extended permit object-group protocol object-group sider1 object-group sider3 0x14f7257c
access-list aa line 2 extended permit icmp host 1.1.12.10 host 1.1.23.3 (hitcnt=0) 0x416f90b6
access-list aa line 2 extended permit icmp host 1.1.12.10 host 3.3.3.3 (hitcnt=0) 0x3281a8fd
access-list aa line 2 extended permit icmp host 11.1.1.1 host 1.1.23.3 (hitcnt=0) 0x57ff93f4
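The expansion and first-match behaviour described above, as an added Python simulation (not code from the original post or from Cisco). The object-group names come from the post's output; their membership is assumed here so the expansion is visible, and hit counts and hashes are omitted.

```python
from itertools import product

# Constructed object groups: names from the post, membership assumed for the example.
OBJECT_GROUPS = {
    "sider1": ["1.1.12.10", "11.1.1.1"],   # source hosts
    "sider3": ["1.1.23.3", "3.3.3.3"],     # destination hosts
    "protocol": ["icmp"],
}

def expand(ace):
    """Expand one ACE into the concrete entries 'show access-list' displays.
    Any field that names an object-group is replaced by every member of that group."""
    action, proto, src, dst = ace
    fields = [OBJECT_GROUPS.get(f, [f]) for f in (proto, src, dst)]
    return [(action, p, s, d) for p, s, d in product(*fields)]

def add_ace(acl, ace, line=None):
    """Append an ACE, or insert it before the current entry at 'line' (1-based),
    mirroring 'access-list NAME line N ...'. Returns a new ACL list."""
    acl = list(acl)
    if line is None:
        acl.append(ace)           # no 'line': lands after every existing entry
    else:
        acl.insert(line - 1, ace)
    return acl

def show_access_list(name, acl):
    """Render the expanded ACL in the layout of the post's output (no hitcnt/hash)."""
    lines = []
    for num, ace in enumerate(acl, start=1):
        for action, p, s, d in expand(ace):
            lines.append(f"access-list {name} line {num} extended {action} {p} host {s} host {d}")
    return lines

def evaluate(acl, proto, src, dst):
    """First-match evaluation: the first expanded entry that matches decides;
    anything left unmatched falls through to the implicit deny at the end."""
    for ace in acl:
        for action, p, s, d in expand(ace):
            if (p, s, d) == (proto, src, dst):
                return action
    return "deny"

BASE = [("permit", "protocol", "sider1", "sider3")]
DENY = ("deny", "icmp", "1.1.12.10", "3.3.3.3")
APPENDED = add_ace(BASE, DENY)          # 'access-list aa deny icmp host ... host ...'
INSERTED = add_ace(BASE, DENY, line=1)  # 'access-list aa line 1 deny icmp host ... host ...'

if __name__ == "__main__":
    for label, acl in (("appended, no line", APPENDED), ("inserted at line 1", INSERTED)):
        print(f"--- {label}: 1.1.12.10 -> 3.3.3.3 = {evaluate(acl, 'icmp', '1.1.12.10', '3.3.3.3')}")
        print("\n".join(show_access_list("aa", acl)))
```

Running it shows the appended deny still yields permit for 1.1.12.10 to 3.3.3.3 because the expanded line 1 permit matches first, while the deny inserted at line 1 takes effect.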

phil posted on 2014-12-24 17:42:30

Thanks for your information.