I recently ran a lab on reflexive ACLs; to keep from forgetting it, here are some brief notes.
Topology (the diagram is not reproduced here): R1 (192.168.1.1) -- R2 (Fa0/0 192.168.1.254, Fa1/0 192.168.2.254) -- R3 (192.168.2.1)
The goal is to use a reflexive ACL so that:
1. All traffic initiated from R1 to R3 passes (in both directions)
2. Telnet traffic initiated from R3 to R1 is filtered
Configuration:
R1:
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
router rip
network 192.168.1.0
!
R3:
!
! The interface facing R2 carries 192.168.2.1/24 (the Telnet session below reaches R3 there);
! the pasted stanza showed it shut down with no address, which cannot produce that output.
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
router rip
network 192.168.2.0
!
R2:
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.2.254 255.255.255.0
ip access-group INBOUND in
ip access-group OUTBOUND out
duplex auto
speed auto
!
router rip
network 192.168.1.0
network 192.168.2.0
!
ip access-list extended INBOUND
evaluate CISCO
deny tcp 192.168.2.0 0.0.0.255 any eq telnet
ip access-list extended OUTBOUND
permit ip 192.168.1.0 0.0.0.255 any reflect CISCO
!
Note that evaluate CISCO must be placed before the deny statement; otherwise the Telnet return traffic from R3 to R1 is filtered as well.
Telnet from each side:
R1#telnet 192.168.2.1
Trying 192.168.2.1 ... Open
User Access Verification
Password:
R3>
---------------------------------------
R3#telnet 192.168.1.1
Trying 192.168.1.1 ...
% Destination unreachable; gateway or host down
R3#
Running show on R2 displays the ACLs together with their match counts:
R2#sh ip access-lists
Reflexive IP access list CISCO
     permit tcp host 192.168.2.1 eq telnet host 192.168.1.1 eq 20149 (55 matches) (time left 111)
Extended IP access list INBOUND
    10 evaluate CISCO
    20 deny tcp 192.168.2.0 0.0.0.255 any eq telnet (6 matches)
Extended IP access list OUTBOUND
    10 permit ip 192.168.1.0 0.0.0.255 any reflect CISCO (76 matches)
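As an added illustration (not from the original post and not IOS code), the following Python model walks R2's INBOUND and OUTBOUND lists the way IOS does, replaying the two Telnet attempts above and then letting the mirrored entry time out. The 300-second timeout, the source port 35000 for R3's attempt, and the simplification that mirrored entries only age out (real IOS also removes them on TCP FIN/RST) are assumptions.

```python
import ipaddress
# Constructed model of how IOS walks a reflexive ACL (not IOS code). Entries are
# ("evaluate", name) or (action, proto, src_net, src_wc, dst_net, dst_wc, dport, reflect):
# proto "ip" matches anything, dport None matches any port, reflect names the mirror list.
TIMEOUT = 300   # assumed IOS default reflexive timeout, seconds ("time left 111" above)
ANY = ("0.0.0.0", "255.255.255.255")

def wc_match(addr, net, wildcard):
    # Cisco wildcard mask: a 0 bit must match, a 1 bit is "don't care"
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

class ReflexiveRouter:
    def __init__(self):
        self.mirrors = {}   # reflect name -> {mirrored 5-tuple: expiry time}
        self.now = 0

    def apply(self, acl, pkt):
        """pkt = (proto, src, sport, dst, dport); returns 'permit' or 'deny'."""
        proto, src, sport, dst, dport = pkt
        for entry in acl:
            if entry[0] == "evaluate":
                expiry = self.mirrors.get(entry[1], {}).get(pkt)
                if expiry is not None and expiry > self.now:
                    return "permit"   # reply of a session first seen outbound
                continue              # evaluate never denies; keep walking the list
            action, eproto, snet, swc, dnet, dwc, edport, reflect = entry
            if eproto not in ("ip", proto) or (edport is not None and edport != dport):
                continue
            if not (wc_match(src, snet, swc) and wc_match(dst, dnet, dwc)):
                continue
            if action == "permit" and reflect and proto in ("tcp", "udp"):
                # Swap addresses and ports: this is the entry the show output lists as
                # permit tcp host 192.168.2.1 eq telnet host 192.168.1.1 eq 20149
                self.mirrors.setdefault(reflect, {})[(proto, dst, dport, src, sport)] = self.now + TIMEOUT
            return action
        return "deny"   # implicit deny at the end of every IOS ACL

OUTBOUND = [("permit", "ip", "192.168.1.0", "0.0.0.255", *ANY, None, "CISCO")]
INBOUND = [("evaluate", "CISCO"),
           ("deny", "tcp", "192.168.2.0", "0.0.0.255", *ANY, 23, None)]

def run_lab():
    """Replays the page's two Telnet attempts through R2's Fa1/0 filters."""
    r2 = ReflexiveRouter()
    r1_to_r3 = r2.apply(OUTBOUND, ("tcp", "192.168.1.1", 20149, "192.168.2.1", 23))
    reply = r2.apply(INBOUND, ("tcp", "192.168.2.1", 23, "192.168.1.1", 20149))
    r3_to_r1 = r2.apply(INBOUND, ("tcp", "192.168.2.1", 35000, "192.168.1.1", 23))  # port constructed
    r2.now += TIMEOUT + 1   # idle session: the mirror entry ages out, like "time left" reaching 0
    stale = r2.apply(INBOUND, ("tcp", "192.168.2.1", 23, "192.168.1.1", 20149))
    return r1_to_r3, reply, r3_to_r1, stale   # ('permit', 'permit', 'deny', 'deny')
```

The last result shows why the reflexive entry is temporary: once it expires, even a packet that looks like a reply falls through to the deny and the implicit deny.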