I recently ran a reflexive ACL experiment; to keep from forgetting it, here is a brief write-up.
Topology diagram:
The goal is to use a reflexive ACL to achieve the following:
1. All traffic initiated from R1 to R3 can pass (in both directions)
2. Telnet traffic initiated from R3 to R1 is filtered
Configuration:
R1:
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
router rip
network 192.168.1.0
!
R3:
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
router rip
network 192.168.2.0
!
R2:
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.2.254 255.255.255.0
ip access-group INBOUND in
ip access-group OUTBOUND out
duplex auto
speed auto
!
router rip
network 192.168.1.0
network 192.168.2.0
!
ip access-list extended INBOUND
evaluate CISCO
deny tcp 192.168.2.0 0.0.0.255 any eq telnet
ip access-list extended OUTBOUND
permit ip 192.168.1.0 0.0.0.255 any reflect CISCO
!
Note that evaluate CISCO must be placed before the deny statement; otherwise the Telnet return traffic from R3 to R1 would also be filtered.
Telnet from each side:
R1#telnet 192.168.2.1
Trying 192.168.2.1 ... Open
User Access Verification
Password:
R3>
---------------------------------------
R3#telnet 192.168.1.1
Trying 192.168.1.1 ...
% Destination unreachable; gateway or host down
R3#
Running show on R2 displays the matched entries in the ACLs:
R2#sh ip access-lists
Reflexive IP access list CISCO
permit tcp host 192.168.2.1 eq telnet host 192.168.1.1 eq 20149 (55 matches) (time left 111)
Extended IP access list INBOUND
10 evaluate CISCO
20 deny tcp 192.168.2.0 0.0.0.255 any eq telnet (6 matches)
Extended IP access list OUTBOUND
10 permit ip 192.168.1.0 0.0.0.255 any reflect CISCO (76 matches)
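To make the mechanism behind the show output visible, here is an added toy model of reflexive ACL processing (example code written for this write-up, not Cisco's implementation and not part of the original post). It loads R2's INBOUND and OUTBOUND lists from the page, replays the R1-initiated Telnet (outbound permit with reflect creates a mirrored entry, the reply is permitted by evaluate), then the R3-initiated Telnet (hit by the deny line), and finally lets the reflexive entry idle past its timeout. Assumptions not on the page: a 300-second idle timeout (the IOS default), the timer being refreshed on every packet that hits a reflexive entry, exact 5-tuple matching of reflexive entries, and the constructed packets and port numbers.

```python
"""Toy model of Cisco reflexive ACL processing for the R2 configuration on this page.

Added example, not IOS code. Assumptions: 300 s idle timeout, timer refreshed on each
hit, reflexive entries match the exact mirrored 5-tuple, packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

TELNET = 23


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    """One line of an extended ACL, mirroring the IOS syntax used on the page."""
    action: str                  # "permit", "deny" or "evaluate"
    proto: str = "ip"            # "ip" matches any protocol
    src: str = "any"             # "any" or "<address> <wildcard>"
    dst: str = "any"
    dport: Optional[int] = None  # 'eq <port>' on the destination, None if absent
    name: Optional[str] = None   # reflexive list to populate (reflect) or consult (evaluate)


@dataclass
class ReflexiveEntry:
    expect: Packet    # mirrored 5-tuple that returning packets must carry
    expires_at: int
    matches: int = 0


def _net(spec: str):
    """Turn IOS 'addr wildcard' (or 'any') into an ip_network; ipaddress accepts a hostmask."""
    if spec == "any":
        return ip_network("0.0.0.0/0")
    addr, wildcard = spec.split()
    return ip_network(f"{addr}/{wildcard}")


class Router:
    def __init__(self, timeout: int = 300):
        self.timeout = timeout
        self.clock = 0                                       # simulated seconds
        self.reflexive: Dict[str, List[ReflexiveEntry]] = {}

    def _live(self, name: str) -> List[ReflexiveEntry]:
        entries = self.reflexive.setdefault(name, [])
        entries[:] = [e for e in entries if e.expires_at > self.clock]   # drop idle entries
        return entries

    def _reflect(self, name: str, pkt: Packet) -> None:
        """'permit ... reflect NAME': record the swapped src/dst tuple for the return traffic."""
        mirrored = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for entry in self._live(name):
            if entry.expect == mirrored:                     # same flow again: refresh timer only
                entry.expires_at = self.clock + self.timeout
                return
        self.reflexive[name].append(ReflexiveEntry(mirrored, self.clock + self.timeout))

    def filter(self, acl: List[Ace], pkt: Packet) -> str:
        """Walk the ACL top to bottom; return 'permit' or 'deny' (implicit deny at the end)."""
        for ace in acl:
            if ace.action == "evaluate":
                for entry in self._live(ace.name):
                    if entry.expect == pkt:
                        entry.matches += 1
                        entry.expires_at = self.clock + self.timeout
                        return "permit"
                continue                                     # no entry matched: keep walking
            if ace.proto not in ("ip", pkt.proto):
                continue
            if ip_address(pkt.src) not in _net(ace.src) or ip_address(pkt.dst) not in _net(ace.dst):
                continue
            if ace.dport is not None and pkt.dport != ace.dport:
                continue
            if ace.action == "permit" and ace.name:
                self._reflect(ace.name, pkt)
            return ace.action
        return "deny"

    def show_reflexive(self, name: str) -> List[str]:
        """Render entries in the style of the 'show ip access-lists' output on the page."""
        def port(p: int) -> str:
            return "telnet" if p == TELNET else str(p)
        return [f"permit {e.expect.proto} host {e.expect.src} eq {port(e.expect.sport)} "
                f"host {e.expect.dst} eq {port(e.expect.dport)} ({e.matches} matches) "
                f"(time left {e.expires_at - self.clock})" for e in self._live(name)]


# R2's ACLs as configured on the page
OUTBOUND = [Ace("permit", "ip", "192.168.1.0 0.0.0.255", "any", name="CISCO")]
INBOUND = [Ace("evaluate", name="CISCO"),
           Ace("deny", "tcp", "192.168.2.0 0.0.0.255", "any", dport=TELNET)]


def run_scenario() -> dict:
    """Replay the page's two Telnet attempts, then let the reflexive entry time out."""
    r2 = Router(timeout=300)
    out = {}
    r1_syn = Packet("tcp", "192.168.1.1", 20149, "192.168.2.1", TELNET)    # R1 -> R3 (constructed)
    out["r1_to_r3"] = r2.filter(OUTBOUND, r1_syn)                         # permit, creates entry
    r3_reply = Packet("tcp", "192.168.2.1", TELNET, "192.168.1.1", 20149)  # R3's reply to R1
    out["r3_reply"] = r2.filter(INBOUND, r3_reply)                         # permit via evaluate
    out["show"] = r2.show_reflexive("CISCO")
    r3_new = Packet("tcp", "192.168.2.1", 30001, "192.168.1.1", TELNET)    # R3 starts its own Telnet
    out["r3_to_r1"] = r2.filter(INBOUND, r3_new)                           # deny (explicit line 20)
    r2.clock += 301                                                        # idle past the timeout
    out["r3_reply_after_timeout"] = r2.filter(INBOUND, r3_reply)           # deny (entry expired)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The model reproduces the shape of the reflexive entry on the page (host 192.168.2.1 eq telnet to host 192.168.1.1 eq 20149): the source and destination of the permitted outbound packet are swapped, so only that exact return flow is let in, and only until its timer runs out. A fresh Telnet from R3 never has a matching entry, falls through evaluate, and hits the deny line.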