Reflexive ACLs were introduced in Cisco IOS Release 11.3. They can only be defined inside named extended IP ACLs; they cannot be used with numbered or standard ACLs, or with ACLs for other protocols. The syntax is as follows:
ip access-list extended outbound-acl-name
 permit protocol source destination reflect reflexive-name [timeout seconds]
ip access-list extended inbound-acl-name
 evaluate reflexive-name
interface xx
 ip access-group name {in | out}
1) How a reflexive ACL works:
a. Traffic originating from the internal network reaches the router on which the reflexive access list is configured. From the Layer 3 and Layer 4 information of that traffic, the router automatically generates a temporary access list entry, built according to the following rules:
the protocol stays the same; the source IP address and destination IP address are strictly swapped; the source port and destination port are strictly swapped; for protocols such as ICMP, matching is done on the type number.
b. The router forwards the traffic out; it reaches the destination, and the response traffic returns from the destination to the router configured with the reflexive access list.
c. The router evaluates the inbound response traffic. Only when the Layer 3 and Layer 4 information of the returning traffic strictly matches the Layer 3 and Layer 4 information of the temporary entry previously created from the outbound traffic does the router allow the traffic into the internal network.
2) Reflexive access list timeouts:
For TCP traffic, the temporary entry is removed only when one of the following three conditions occurs:
a) Two consecutive FIN flags are detected; the entry is removed 3 seconds later.
b) An RST flag is detected; the entry is removed immediately.
c) The configured idle timeout expires (default 300 seconds).
For UDP there are no such flags, so the temporary entry is removed only when the configured idle timeout (default 300 seconds) expires.
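The workflow and the timeout rules above can be seen end to end in a small model. The following Python code is an added example, not part of the original post or of Cisco IOS: it builds the mirrored temporary entry from an outbound packet (protocol kept, addresses and ports swapped, ICMP matched on the reply type), checks returning packets against it, and ages the entry on RST, on the second FIN, and on the idle timer. The class and function names are assumptions made for the illustration, and the packets in demo() are constructed sample traffic using the lab's addresses.

```python
# Added example (not from the original post): a Python model of how a reflexive
# ACL builds a temporary entry from outbound traffic, matches return traffic
# against it and ages it (RST, FIN/FIN, idle timeout), followed by the lab's
# static inbound lines (deny icmp / deny tcp telnet / permit ip).  Class and
# function names are assumptions; the packets in demo() are constructed samples.
from dataclasses import dataclass
from typing import Dict, Tuple

Key = Tuple[str, str, str, int, int]   # (proto, src, dst, sport, dport)
ICMP_REPLY = {8: 0}                     # echo request (type 8) is answered by echo reply (type 0)

@dataclass
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # for icmp this field carries the ICMP type number
    dport: int = 0
    fin: bool = False
    rst: bool = False

    def key(self) -> Key:
        return (self.proto, self.src, self.dst, self.sport, self.dport)

    def mirror(self) -> Key:
        # Temporary entry built from this outbound packet: protocol unchanged,
        # addresses and ports strictly swapped; ICMP is matched on the reply type.
        if self.proto == "icmp":
            return (self.proto, self.dst, self.src, ICMP_REPLY.get(self.sport, -1), 0)
        return (self.proto, self.dst, self.src, self.dport, self.sport)

class ReflexiveAcl:
    def __init__(self, timeout: int = 300):
        self.timeout = timeout
        self.expiry: Dict[Key, float] = {}   # temporary entry -> time it is removed
        self.fins: Dict[Key, int] = {}       # FIN flags seen per entry

    def expire(self, now: float) -> None:
        for k in [k for k, t in self.expiry.items() if now >= t]:
            self.expiry.pop(k)
            self.fins.pop(k, None)

    def _touch(self, key: Key, pkt: Packet, now: float) -> None:
        if self.fins.get(key, 0) < 2:         # a matching packet restarts the idle timer
            self.expiry[key] = now + self.timeout
        if pkt.proto != "tcp":
            return
        if pkt.rst:                            # RST: removed immediately
            self.expiry[key] = now
        elif pkt.fin:                          # second FIN: removed 3 s later
            self.fins[key] = self.fins.get(key, 0) + 1
            if self.fins[key] == 2:
                self.expiry[key] = now + 3

    def outbound(self, pkt: Packet, now: float) -> Key:
        # Outbound packet that matched a 'permit ... reflect' line.
        self.expire(now)
        key = pkt.mirror()
        self._touch(key, pkt, now)
        return key

    def evaluate(self, pkt: Packet, now: float) -> bool:
        # The 'evaluate' line: permit only an exact mirror of earlier outbound traffic.
        self.expire(now)
        key = pkt.key()
        if key not in self.expiry:
            return False
        self._touch(key, pkt, now)
        return True

def static_inbound(pkt: Packet) -> bool:
    # Static lines of the lab's waibu_in ACL, reached only when evaluate did not match.
    if pkt.proto == "icmp":
        return False                           # deny icmp any any
    if pkt.proto == "tcp" and pkt.dport == 23:
        return False                           # deny tcp any any eq telnet
    return True                                # permit ip any any

def inbound_allowed(acl: ReflexiveAcl, pkt: Packet, now: float) -> bool:
    return acl.evaluate(pkt, now) or static_inbound(pkt)

def demo() -> dict:
    acl, r = ReflexiveAcl(timeout=30), {}
    # 10.1.1.1 telnets to 192.168.1.2; the reply is the exact mirror and is permitted
    acl.outbound(Packet("tcp", "10.1.1.1", "192.168.1.2", 31699, 23), now=0)
    reply = Packet("tcp", "192.168.1.2", "10.1.1.1", 23, 31699)
    r["telnet_reply"] = acl.evaluate(reply, now=5)
    # Unsolicited telnet and ping from outside: no entry, the static lines deny them
    r["outside_telnet"] = inbound_allowed(acl, Packet("tcp", "192.168.1.2", "10.1.1.1", 40000, 23), now=5)
    r["outside_ping"] = inbound_allowed(acl, Packet("icmp", "192.168.1.2", "10.1.1.1", 8), now=5)
    # Echo request out (type 8), echo reply back (type 0)
    acl.outbound(Packet("icmp", "10.1.1.1", "192.168.1.2", 8), now=5)
    r["echo_reply"] = acl.evaluate(Packet("icmp", "192.168.1.2", "10.1.1.1", 0), now=6)
    # Idle timeout: the telnet entry last refreshed at t=5 is gone at t=36
    r["telnet_reply_after_idle"] = acl.evaluate(reply, now=36)
    # RST removes the entry at once
    acl.outbound(Packet("tcp", "10.1.1.1", "192.168.1.2", 31700, 23), now=40)
    acl.evaluate(Packet("tcp", "192.168.1.2", "10.1.1.1", 23, 31700, rst=True), now=41)
    r["after_rst"] = acl.evaluate(Packet("tcp", "192.168.1.2", "10.1.1.1", 23, 31700), now=41)
    # A FIN in each direction: the entry survives 3 more seconds, then goes
    acl.outbound(Packet("tcp", "10.1.1.1", "192.168.1.2", 31701, 23, fin=True), now=50)
    acl.evaluate(Packet("tcp", "192.168.1.2", "10.1.1.1", 23, 31701, fin=True), now=51)
    r["fin_plus_2s"] = acl.evaluate(Packet("tcp", "192.168.1.2", "10.1.1.1", 23, 31701), now=53)
    r["fin_plus_4s"] = acl.evaluate(Packet("tcp", "192.168.1.2", "10.1.1.1", 23, 31701), now=55)
    return r

if __name__ == "__main__":
    print(demo())
```

The timeout cases in demo() are checked against evaluate() alone on purpose: in the lab's waibu_in list the last line is permit ip any any, and a stale telnet reply (source port 23, destination port 31699) does not match deny tcp any any eq telnet, so the static part would still let it through once the temporary entry has expired. That is acceptable for a connectivity lab, but an inbound ACL in production normally ends with a deny so that only the evaluate line admits return traffic.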
The following lab illustrates this:
R2 simulates the border router
R1 simulates the internal router
R3 simulates the external router
Lab requirements:
Use a reflexive access-list so that the internal network can ping, telnet, etc. to the external network, while the external network cannot access the internal network.
R1 configuration:
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Serial0/0
ip address 10.1.1.1 255.255.255.0
!
interface Serial0/1
no ip address
shutdown
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
router ospf 100
log-adjacency-changes
network 10.1.1.1 0.0.0.0 area 0
!
no ip http server
(The R1 configuration is simple and needs no explanation.)
R2 configuration:
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Serial0/0
ip address 10.1.1.2 255.255.255.0
ip access-group neibu_in in
clock rate 64000
!
interface Serial0/1
ip address 192.168.1.1 255.255.255.0
ip access-group waibu_in in
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
router ospf 100
log-adjacency-changes
network 10.1.1.2 0.0.0.0 area 0
network 192.168.1.1 0.0.0.0 area 0
!
no ip http server
!
!
!
!
ip access-list extended neibu_in
permit icmp host 10.1.1.1 any reflect cisco timeout 30
permit tcp host 10.1.1.1 any reflect cisco timeout 30 // the default timeout is 300 seconds; it is set to 30 seconds here for testing
permit ip any any (this line can be omitted; it is kept here so the connectivity test works)
ip access-list extended waibu_in
evaluate cisco // references the outbound ACL and produces a temporary permit statement; reflect + evaluate together implement a one-way access list
deny icmp any any
deny tcp any any eq telnet
permit ip any any
!
!
!
control-plane
R3 configuration:
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Serial0/1
ip address 192.168.1.2 255.255.255.0
clock rate 64000
!
router ospf 100
log-adjacency-changes
network 192.168.1.2 0.0.0.0 area 0
!
no ip http server
!
control-plane
!
line con 0
exec-timeout 0 0
password cisco
login
line aux 0
line vty 0 4
password cisco
login
Before testing:
R2#sh ip access-lists
Reflexive IP access list cisco
Extended IP access list neibu_in
10 permit icmp host 10.1.1.1 any reflect cisco (54 matches)
20 permit tcp host 10.1.1.1 any reflect cisco (88 matches)
30 permit ip any any (602 matches)
Extended IP access list waibu_in
10 evaluate cisco
20 deny icmp any any (68 matches)
30 deny tcp any any eq telnet (3 matches)
40 permit ip any any (758 matches)
R2#
Start testing:
r1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/60 ms
r1#
r1#telnet 192.168.1.2
Trying 192.168.1.2 ... Open
User Access Verification
Password:
r3>en
Password:
r3# // after telnetting in, do not close the session, otherwise the entry's timeout is cut short immediately and you will not see the effect of the lab
/////////////////////////////////////////////////////////////////
r2#sh ip access-lists
Reflexive IP access list cisco
permit tcp host 192.168.1.2 eq telnet host 10.1.1.1 eq 31699 (103 matches) (time left 28)
permit icmp host 192.168.1.2 host 10.1.1.1 (20 matches) (time left 0) // these two entries are generated dynamically, with a 30-second lifetime
Extended IP access list neibu_in
10 permit icmp host 10.1.1.1 any reflect cisco (65 matches)
20 permit tcp host 10.1.1.1 any reflect cisco (145 matches)
30 permit ip any any (611 matches)
Extended IP access list waibu_in
10 evaluate cisco
20 deny icmp any any (68 matches)
30 deny tcp any any eq telnet (3 matches)
40 permit ip any any (766 matches)
Testing from the external network (on R3):
r3#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
r3#
r3#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Destination unreachable; gateway or host down
r3#
外網(wǎng)不能訪問內(nèi)部,達(dá)到試驗(yàn)效果.
免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場,如果涉及侵權(quán)請聯(lián)系站長郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。