I wanted to write this post to show how to save some time by keeping template access lists that you can copy and paste straight into the wireless controller's command line. In this short post I'll share a few templates for the Blackhole, Employee, Guest and Web Redirect ACLs that anyone can reuse in their own environment: fill in the angle-bracket placeholders, then paste the block into the WLC CLI.
For the Employee ACL, you can download it here. The ACL looks like this:

config acl counter start
! Copy the block below and increment the highlighted rule number as many times as needed to add additional access
config acl rule add EMPLOYEE_ACL 1
config acl rule destination port range EMPLOYEE_ACL 1 0 65535
config acl rule destination address EMPLOYEE_ACL 1 <Internal-Subnet> <Internal-Mask>
config acl rule source port range EMPLOYEE_ACL 1 0 65535
! Rule for specific subnets
config acl rule add EMPLOYEE_ACL 2
config acl rule destination address EMPLOYEE_ACL 2 <Subnet> <Internal-Mask>
config acl rule action EMPLOYEE_ACL 2 permit
config acl rule source port range EMPLOYEE_ACL 2 0 65535
! Deny-all rule (no action line is needed: a newly added WLC rule defaults to deny)
config acl rule add EMPLOYEE_ACL 3
config acl rule destination port range EMPLOYEE_ACL 3 0 65535
config acl rule source port range EMPLOYEE_ACL 3 0 65535
config acl create EMPLOYEE_ACL
config acl apply EMPLOYEE_ACL
For the Guest ACL, you can download it here. The ACL looks like this:

config acl counter start
! Rule to allow DNS
config acl rule add GUEST_ACL 1
config acl rule destination port range GUEST_ACL 1 53 53
config acl rule action GUEST_ACL 1 permit
config acl rule source port range GUEST_ACL 1 0 65535
config acl rule direction GUEST_ACL 1 in
config acl rule protocol GUEST_ACL 1 17
! Rule to allow the ISE redirect
config acl rule add GUEST_ACL 2
config acl rule destination port range GUEST_ACL 2 8443 8443
config acl rule destination address GUEST_ACL 2 <Insert-ISE-IP> 255.255.255.255
config acl rule action GUEST_ACL 2 permit
config acl rule source port range GUEST_ACL 2 0 65535
config acl rule direction GUEST_ACL 2 in
config acl rule protocol GUEST_ACL 2 6
! Rule to allow traffic to an internal HTTP server (if any)
config acl rule add GUEST_ACL 3
config acl rule destination port range GUEST_ACL 3 80 80
config acl rule destination address GUEST_ACL 3 <Internal-HTTP-Server-if-any> 255.255.255.255
config acl rule action GUEST_ACL 3 permit
config acl rule source port range GUEST_ACL 3 0 65535
config acl rule direction GUEST_ACL 3 in
config acl rule protocol GUEST_ACL 3 6
! Rule to allow the return traffic from the internal HTTP server (if any)
config acl rule add GUEST_ACL 4
config acl rule destination port range GUEST_ACL 4 0 65535
config acl rule action GUEST_ACL 4 permit
config acl rule source port range GUEST_ACL 4 80 80
config acl rule source address GUEST_ACL 4 <Internal-HTTP-Server-if-any> 255.255.255.255
config acl rule direction GUEST_ACL 4 out
config acl rule protocol GUEST_ACL 4 6
! Rules to deny any RFC 1918 address. To add more rules, copy and paste the last rule, increment the highlighted rule number for each copy, and add a rule action line if the copy should permit
config acl rule add GUEST_ACL 5
config acl rule destination port range GUEST_ACL 5 0 65535
config acl rule destination address GUEST_ACL 5 10.0.0.0 255.0.0.0
config acl rule source port range GUEST_ACL 5 0 65535
config acl rule direction GUEST_ACL 5 in
config acl rule add GUEST_ACL 6
config acl rule destination port range GUEST_ACL 6 0 65535
config acl rule destination address GUEST_ACL 6 172.16.0.0 255.240.0.0
config acl rule source port range GUEST_ACL 6 0 65535
config acl rule direction GUEST_ACL 6 in
config acl rule add GUEST_ACL 7
config acl rule destination port range GUEST_ACL 7 0 65535
config acl rule destination address GUEST_ACL 7 192.168.0.0 255.255.0.0
config acl rule source port range GUEST_ACL 7 0 65535
config acl rule direction GUEST_ACL 7 in
! Finally, permit everything else; rule 9 is the explicit deny-all
config acl rule add GUEST_ACL 8
config acl rule destination port range GUEST_ACL 8 0 65535
config acl rule action GUEST_ACL 8 permit
config acl rule source port range GUEST_ACL 8 0 65535
config acl rule add GUEST_ACL 9
config acl rule destination port range GUEST_ACL 9 0 65535
config acl rule source port range GUEST_ACL 9 0 65535
config acl create GUEST_ACL
config acl apply GUEST_ACL
For the Web Redirect ACL, you can download it here. Remember that in a redirect ACL "permit" means the traffic is not redirected and "deny" means it is. The ACL looks like this:

config acl counter start
! Rules to allow (not redirect) DNS in & out
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 1 53 53
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
config acl rule add ACL_WEBAUTH_REDIRECT 2
config acl rule destination port range ACL_WEBAUTH_REDIRECT 2 53 53
config acl rule action ACL_WEBAUTH_REDIRECT 2 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 2 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 2 17
! Rules to allow (not redirect) DHCP in & out
config acl rule add ACL_WEBAUTH_REDIRECT 3
config acl rule destination port range ACL_WEBAUTH_REDIRECT 3 67 67
config acl rule action ACL_WEBAUTH_REDIRECT 3 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 3 68 68
config acl rule protocol ACL_WEBAUTH_REDIRECT 3 17
config acl rule add ACL_WEBAUTH_REDIRECT 4
config acl rule destination port range ACL_WEBAUTH_REDIRECT 4 68 68
config acl rule action ACL_WEBAUTH_REDIRECT 4 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 4 67 67
config acl rule protocol ACL_WEBAUTH_REDIRECT 4 17
! Rules to allow direct access to the ISE ports (8905 and 8443) in both directions
config acl rule add ACL_WEBAUTH_REDIRECT 5
config acl rule destination port range ACL_WEBAUTH_REDIRECT 5 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 5 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 5 8905 8905
config acl rule source address ACL_WEBAUTH_REDIRECT 5 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 5 6
config acl rule add ACL_WEBAUTH_REDIRECT 6
config acl rule destination port range ACL_WEBAUTH_REDIRECT 6 8905 8905
config acl rule destination address ACL_WEBAUTH_REDIRECT 6 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 6 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 6 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 6 6
config acl rule add ACL_WEBAUTH_REDIRECT 7
config acl rule destination port range ACL_WEBAUTH_REDIRECT 7 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 7 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 7 8443 8443
config acl rule source address ACL_WEBAUTH_REDIRECT 7 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 7 6
config acl rule add ACL_WEBAUTH_REDIRECT 8
config acl rule destination port range ACL_WEBAUTH_REDIRECT 8 8443 8443
config acl rule destination address ACL_WEBAUTH_REDIRECT 8 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 8 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 8 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 8 6
! Rules 9-12 are a second copy of rules 5-8 (use them for a second ISE node, or leave them out)
config acl rule add ACL_WEBAUTH_REDIRECT 9
config acl rule destination port range ACL_WEBAUTH_REDIRECT 9 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 9 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 9 8905 8905
config acl rule source address ACL_WEBAUTH_REDIRECT 9 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 9 6
config acl rule add ACL_WEBAUTH_REDIRECT 10
config acl rule destination port range ACL_WEBAUTH_REDIRECT 10 8905 8905
config acl rule destination address ACL_WEBAUTH_REDIRECT 10 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 10 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 10 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 10 6
config acl rule add ACL_WEBAUTH_REDIRECT 11
config acl rule destination port range ACL_WEBAUTH_REDIRECT 11 0 65535
config acl rule action ACL_WEBAUTH_REDIRECT 11 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 11 8443 8443
config acl rule source address ACL_WEBAUTH_REDIRECT 11 <Insert-ISE-IP> 255.255.255.255
config acl rule protocol ACL_WEBAUTH_REDIRECT 11 6
config acl rule add ACL_WEBAUTH_REDIRECT 12
config acl rule destination port range ACL_WEBAUTH_REDIRECT 12 8443 8443
config acl rule destination address ACL_WEBAUTH_REDIRECT 12 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 12 permit
config acl rule source port range ACL_WEBAUTH_REDIRECT 12 0 65535
config acl rule protocol ACL_WEBAUTH_REDIRECT 12 6
! The final deny rule redirects everything else
config acl rule add ACL_WEBAUTH_REDIRECT 13
config acl rule destination port range ACL_WEBAUTH_REDIRECT 13 0 65535
config acl rule source port range ACL_WEBAUTH_REDIRECT 13 0 65535
config acl create ACL_WEBAUTH_REDIRECT
config acl apply ACL_WEBAUTH_REDIRECT
For the Blackhole ACL, you can download it here. The ACL looks like this:

config acl counter start
! Allow DNS
config acl rule add BLACKHOLE 1
config acl rule destination port range BLACKHOLE 1 0 65535
config acl rule action BLACKHOLE 1 permit
config acl rule source port range BLACKHOLE 1 53 53
config acl rule protocol BLACKHOLE 1 17
config acl rule add BLACKHOLE 2
config acl rule destination port range BLACKHOLE 2 53 53
config acl rule action BLACKHOLE 2 permit
config acl rule source port range BLACKHOLE 2 0 65535
config acl rule protocol BLACKHOLE 2 17
! Allow DHCP (DHCP is UDP, protocol 17, as in the Web Redirect ACL above)
config acl rule add BLACKHOLE 3
config acl rule destination port range BLACKHOLE 3 67 67
config acl rule action BLACKHOLE 3 permit
config acl rule source port range BLACKHOLE 3 68 68
config acl rule protocol BLACKHOLE 3 17
config acl rule add BLACKHOLE 4
config acl rule destination port range BLACKHOLE 4 68 68
config acl rule action BLACKHOLE 4 permit
config acl rule source port range BLACKHOLE 4 67 67
config acl rule protocol BLACKHOLE 4 17
! Allow the redirect to the Blackhole portal
config acl rule add BLACKHOLE 5
config acl rule destination port range BLACKHOLE 5 8444 8444
config acl rule destination address BLACKHOLE 5 <ISE-IP-Address> 255.255.255.255
config acl rule action BLACKHOLE 5 permit
config acl rule source port range BLACKHOLE 5 0 65535
config acl rule direction BLACKHOLE 5 in
config acl rule protocol BLACKHOLE 5 6
config acl rule add BLACKHOLE 6
config acl rule destination port range BLACKHOLE 6 0 65535
config acl rule action BLACKHOLE 6 permit
config acl rule source port range BLACKHOLE 6 8444 8444
config acl rule source address BLACKHOLE 6 <ISE-IP-Address> 255.255.255.255
config acl rule direction BLACKHOLE 6 out
config acl rule protocol BLACKHOLE 6 6
! Rules 7-8 are a second copy of rules 5-6 (use them for a second ISE node, or leave them out)
config acl rule add BLACKHOLE 7
config acl rule destination port range BLACKHOLE 7 8444 8444
config acl rule destination address BLACKHOLE 7 <ISE-IP-Address> 255.255.255.255
config acl rule action BLACKHOLE 7 permit
config acl rule source port range BLACKHOLE 7 0 65535
config acl rule direction BLACKHOLE 7 in
config acl rule protocol BLACKHOLE 7 6
config acl rule add BLACKHOLE 8
config acl rule destination port range BLACKHOLE 8 0 65535
config acl rule action BLACKHOLE 8 permit
config acl rule source port range BLACKHOLE 8 8444 8444
config acl rule source address BLACKHOLE 8 <ISE-IP-Address> 255.255.255.255
config acl rule direction BLACKHOLE 8 out
config acl rule protocol BLACKHOLE 8 6
! Final rule to block everything else
config acl rule add BLACKHOLE 9
config acl rule destination port range BLACKHOLE 9 0 65535
config acl rule source port range BLACKHOLE 9 0 65535
config acl create BLACKHOLE
config acl apply BLACKHOLE
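Copy-and-paste templates like the four above fail in predictable ways: a placeholder is left unfilled, a rule number is not incremented after copying so a later line silently overwrites a field of an earlier rule, or a rule never gets an action line and is therefore denied by the controller's default. The following linter is an added example, not code from this post or a Cisco tool: it parses a template in the same `config acl ...` syntax, fills placeholders, and reports those slips before anything is pasted into the WLC. The `SAMPLE` template is constructed for the demonstration (it reuses the `<Insert-ISE-IP>` placeholder name from above and deliberately contains a mis-numbered line), and the assumption that a newly added WLC rule defaults to deny is the same one the templates themselves rely on for their deny-all rules.

```python
"""Lint a Cisco WLC ACL command template before pasting it into the controller.

Added example, not the post's own code. It flags unfilled <placeholders>, a field
configured before 'config acl rule add', a field set twice on one rule (the usual
sign of a rule number that was not incremented after a copy/paste), rule numbers
that are not consecutive, rules without an explicit action (a new WLC rule defaults
to deny), and an ACL that is never created or applied.
"""
import re
from collections import defaultdict

PLACEHOLDER = re.compile(r"<[^<>]+>")
# Subcommands of 'config acl rule', matched by prefix against the rest of the line.
SUBCOMMANDS = ("destination port range", "destination address", "source port range",
               "source address", "direction", "protocol", "action", "add")


def render(template, values):
    """Replace <Name> tokens with values['Name']; tokens with no value stay for lint()."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(0)[1:-1], m.group(0)), template)


def parse(template):
    """Return (created, applied, rules, findings); rules maps (acl, number) -> {field: args}."""
    created, applied, rules, findings = [], [], {}, []
    for lineno, raw in enumerate(template.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                                  # blank line or '!' comment
        words = line.split()
        if line.startswith("config acl create "):
            created.append(words[3])
            continue
        if line.startswith("config acl apply "):
            applied.append(words[3])
            continue
        if not line.startswith("config acl rule "):
            continue                                  # e.g. 'config acl counter start'
        rest = line[len("config acl rule "):]
        sub = next((s for s in SUBCOMMANDS if rest.startswith(s + " ")), None)
        if sub is None:
            findings.append(f"line {lineno}: unknown rule subcommand: {line}")
            continue
        parts = rest[len(sub) + 1:].split()
        if len(parts) < 2 or not parts[1].isdigit():
            findings.append(f"line {lineno}: expected '<acl> <rule-number>': {line}")
            continue
        key, args = (parts[0], int(parts[1])), " ".join(parts[2:])
        if sub == "add":
            if key in rules:
                findings.append(f"line {lineno}: {key[0]} rule {key[1]} added twice")
            rules[key] = {}
        elif key not in rules:
            findings.append(f"line {lineno}: {key[0]} rule {key[1]} configured before 'add'")
        else:
            if sub in rules[key]:                     # same field twice: number not incremented?
                findings.append(f"line {lineno}: {sub} set twice on {key[0]} rule {key[1]} "
                                f"(was '{rules[key][sub]}'); rule number not incremented?")
            rules[key][sub] = args
    return created, applied, rules, findings


def lint(template):
    """Return human-readable findings; an empty list means the template looks pasteable."""
    findings = [f"unfilled placeholder {p}" for p in sorted(set(PLACEHOLDER.findall(template)))]
    created, applied, rules, parse_findings = parse(template)
    findings += parse_findings
    numbers = defaultdict(list)
    for acl, n in rules:
        numbers[acl].append(n)
    for acl, nums in numbers.items():
        if acl not in created:
            findings.append(f"{acl}: rules defined but 'config acl create {acl}' is missing")
        if acl not in applied:
            findings.append(f"{acl}: never applied ('config acl apply {acl}' is missing)")
        if sorted(nums) != list(range(1, len(nums) + 1)):
            findings.append(f"{acl}: rule numbers are not consecutive from 1: {sorted(nums)}")
        for n in nums:
            if "action" not in rules[(acl, n)]:       # WLC default action for a new rule is deny
                findings.append(f"{acl} rule {n}: no explicit action, so the WLC default (deny) applies")
    return findings


# Constructed sample: a short redirect ACL with one unfilled placeholder and one
# line whose rule number was not incremented after copy/paste (it says 2, not 3).
SAMPLE = """\
config acl counter start
! allow DNS (not redirected)
config acl rule add ACL_WEBAUTH_REDIRECT 1
config acl rule destination port range ACL_WEBAUTH_REDIRECT 1 53 53
config acl rule action ACL_WEBAUTH_REDIRECT 1 permit
config acl rule protocol ACL_WEBAUTH_REDIRECT 1 17
! allow the ISE portal
config acl rule add ACL_WEBAUTH_REDIRECT 2
config acl rule destination port range ACL_WEBAUTH_REDIRECT 2 8443 8443
config acl rule destination address ACL_WEBAUTH_REDIRECT 2 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 2 permit
config acl rule add ACL_WEBAUTH_REDIRECT 3
config acl rule destination port range ACL_WEBAUTH_REDIRECT 3 8905 8905
config acl rule destination address ACL_WEBAUTH_REDIRECT 2 <Insert-ISE-IP> 255.255.255.255
config acl rule action ACL_WEBAUTH_REDIRECT 3 permit
! final deny redirects everything else
config acl rule add ACL_WEBAUTH_REDIRECT 4
config acl create ACL_WEBAUTH_REDIRECT
config acl apply ACL_WEBAUTH_REDIRECT
"""

if __name__ == "__main__":
    for finding in lint(render(SAMPLE, {"Insert-ISE-IP": "10.10.10.10"})):
        print(finding)
```

Run it against the raw `SAMPLE` and the first finding is the unfilled `<Insert-ISE-IP>`; after `render()` fills it, two findings remain: the destination address set twice on rule 2 (the copy-paste slip, which would also leave rule 3 matching any destination) and the missing action on rule 4, which is intentional here but worth seeing spelled out, since an accidentally forgotten action line on any other rule turns a permit into a deny or, in a redirect ACL, into a redirect.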