Ciscoios自反ACL配置详解
反身ACL是在Cisco IOS Release 11.3引入的,他只能和扩展的命名IP ACL一起定义而不能和基于数字或标准ACL,以及其他协议的ACL一起使用,语法如下:
创新互联专业为企业提供和龙网站建设、和龙做网站、和龙网站设计、和龙网站制作等企业网站建设、网页设计与制作、和龙企业网站模板建站服务,10多年和龙做网站经验,不只是建网站,更提供有价值的思路和整体网络服务。
ip access-list extended permit any any reflect name [timeout]
ip access-list extended evaluate
interface xx
ip acces-group {name} {in | out}
1)Reflexive-ACL 的工作流程:
a.由内网始发的流量到达配置了自反访问表的路由器,路由器根据此流量的第三层和第四层信息自动生成一个临时性的访问表,临时性访问表的创建依据下列原 则:
protocol 不变,source-IP 地址 , destination-IP 地址严格对调,source-port,destination-port 严格对调,对于ICMP 这样的协议,会根据类型号进行匹配。
b.路由器将此流量传出,流量到达目标,然后响应流量从目标返回到配置了自反访问表的路由器。
c.路由器对入站的响应流量进行评估,只有当返回流量的第三、四层信息与先前基于出站流量创建的临时性访问表的第三、四层信息严格匹配时,路由器才会允许 此流量进入内部网络。
2)自反访问表的超时:
对于TCP 流量,当下列三种情况中任何一种出现时,才会删除临时性的访问表:
a)两个连续的FIN 标志被检测到,之后3秒钟删除。
b)RST 标志被检测到,立即删除。
c)配置的空闲超时值到期(缺省是300 秒)。
对于UDP,由于没有各种标志,所以只有当配置的空闲超时值(
默认300 秒
)到期才会删除 临时性的访问表。
如下举例说明:
R2模拟边界路由器
R1模拟内部路由器
R3模拟外部路由器
试验要求:
运用reflexive access-list 实现,内网可以ping,telnet等...外部网络.而外部网络不能访问内部网络
R1的配置:
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Serial0/0
ip address 10.1.1.1 255.255.255.0
!
interface Serial0/1
no ip address
shutdown
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
router ospf 100
log-adjacency-changes
network 10.1.1.1 0.0.0.0 area 0
!
no ip http server
(R1上的配置很简单,不用解释了)
R2的配置:
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Serial0/0
ip address 10.1.1.2 255.255.255.0
ip access-group neibu_in in
clock rate 64000
!
interface Serial0/1
ip address 192.168.1.1 255.255.255.0
ip access-group waibu_in in
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
router ospf 100
log-adjacency-changes
network 10.1.1.2 0.0.0.0 area 0
network 192.168.1.1 0.0.0.0 area 0
!
no ip http server
!
!
!
!
ip access-list extended neibu_in
permit icmp host 10.1.1.1 any reflect cisco timeout 30
permit tcp host 10.1.1.1 any reflect cisco timeout 30 // timeout 默认是300秒.这儿为了测试,设置为30秒
permit ip any any (这句可以不要,但这儿为了保证连通性测试)
ip access-list extended waibu_in
evaluate cisco // 引用(参照)外出的ACL,产生一条临时的permit语句 reflect+evalute实现单向访问控制列表
deny icmp any any
deny tcp any any eq telnet
permit ip any any
!
!
!
control-plane
R3的配置:
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Serial0/1
ip address 192.168.1.2 255.255.255.0
clock rate 64000
!
router ospf 100
log-adjacency-changes
network 192.168.1.2 0.0.0.0 area 0
!
no ip http server
!
control-plane
!
line con 0
exec-timeout 0 0
password cisco
login
line aux 0
line vty 0 4
password cisco
login
在没有测试只前:
R2#sh ip access-lists
Reflexive IP access list cisco
Extended IP access list neibu_in
10 permit icmp host 10.1.1.1 any reflect cisco (54 matches)
20 permit tcp host 10.1.1.1 any reflect cisco (88 matches)
30 permit ip any any (602 matches)
Extended IP access list waibu_in
10 evaluate cisco
20 deny icmp any any (68 matches)
30 deny tcp any any eq telnet (3 matches)
40 permit ip any any (758 matches)
R2#
开始测试:
r1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms
r1#
r1#telnet 192.168.1.2
Trying 192.168.1.2 ... Open
User Access Verification
Password:
r3>en
Password:
r3# //telnet上去以后不要关闭,否则timeout时间马上会变为3秒,看不到试验现象
/////////////////////////////////////////////////////////////////
r2#sh ip access-lists
Reflexive IP access list cisco
permit tcp host 192.168.1.2 eq telnet host 10.1.1.1 eq 31699 (103 matches) (time left 28)
permit icmp host 192.168.1.2 host 10.1.1.1 (20 matches) (time left 0) //这两条是动态产生的,30秒的生存时间
Extended IP access list neibu_in
10 permit icmp host 10.1.1.1 any reflect cisco (65 matches)
20 permit tcp host 10.1.1.1 any reflect cisco (145 matches)
30 permit ip any any (611 matches)
Extended IP access list waibu_in
10 evaluate cisco
20 deny icmp any any (68 matches)
30 deny tcp any any eq telnet (3 matches)
40 permit ip any any (766 matches)
在外网测试(R3上)
r3#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
r3#
r3#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Destination unreachable; gateway or host down
r3#
外网不能访问内部,达到试验效果.
网页标题:Ciscoios自反ACL配置详解
地址分享:http://scyanting.com/article/jiioec.html