博威 --- Winning at cloud computing through cloud architecture
Reflexive access list study and configuration notes

Posted 2008-2-29 06:04:07


1. Configuration example:

! Serial1/2 (192.168.8.1/24) is the VLAN80 side. VLAN80_inside is applied
! "out", i.e. on traffic leaving toward 192.168.8.0/24; each permitted packet
! creates a mirrored temporary entry in the reflexive list named by "reflect".
! "permit ip any any reflect ip" already matches all TCP and UDP traffic, so
! the two entries after it never match (the match counters in the next post show this).
ip access-list extended VLAN80_inside
 permit ip any any reflect ip
 permit tcp any any reflect tcp
 permit udp any any reflect udp
! VLAN80_outside is applied "in", on traffic arriving from 192.168.8.0/24:
! "evaluate" admits only the return traffic of flows already seen outbound,
! then VLAN8 is stopped from initiating toward 192.168.1.0/24 and 192.168.11.0/24.
! There is no final permit in this example, so everything else from VLAN8
! hits the implicit deny.
ip access-list extended VLAN80_outside
 evaluate ip
 evaluate tcp
 evaluate udp
 deny   ip any 192.168.1.0 0.0.0.255
 deny   ip any 192.168.11.0 0.0.0.255
!
interface Serial1/2
 ip address 192.168.8.1 255.255.255.0
 ip access-group VLAN80_outside in
 ip access-group VLAN80_inside out
 serial restart-delay 0
end


Full configuration listing:
sh run
Building configuration...

Current configuration : 1408 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 5
no aaa new-model
ip subnet-zero
!
!
ip cef
!
!
no ip domain lookup
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.0
serial restart-delay 0
!
interface Serial1/1
ip address 192.168.11.1 255.255.255.0
serial restart-delay 0
!
interface Serial1/2
ip address 192.168.8.1 255.255.255.0
ip access-group VLAN80_outside in
ip access-group VLAN80_inside out
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.8.2
!
!
!
ip access-list extended VLAN80_inside
permit ip any any reflect ip
permit tcp any any reflect tcp
permit udp any any reflect udp
ip access-list extended VLAN80_outside
evaluate ip
evaluate tcp
evaluate udp
deny   ip any 192.168.1.0 0.0.0.255
deny   ip any 192.168.11.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
!
end
OP | Posted 2008-2-29 06:04:23
Customer requirements:

a. The VLANs must not be able to reach each other at all: VLAN80 and VLAN11 cannot access each other
Extended IP access list VLAN80_inside
    10 permit ip any any reflect ip (71 matches)
    20 permit tcp any any reflect tcp
    30 permit udp any any reflect udp
Extended IP access list VLAN80_outside
    10 deny ip any 192.168.11.0 0.0.0.255  ------------- deny first: this forbids VLAN8 and VLAN11 from accessing each other
    20 evaluate ip
    30 evaluate tcp
    40 evaluate udp
    50 deny ip any 192.168.1.0 0.0.0.255       ------------ establishes one-way access
    60 permit ip any any                   ------------ other VLANs or interfaces can be reached, e.g. Internet access

b. The VLANs can reach each other, and VLAN1 can access VLAN8 and VLAN11 one-way

Extended IP access list VLAN80_inside
    10 permit ip any any reflect ip (71 matches)
    20 permit tcp any any reflect tcp
    30 permit udp any any reflect udp
Extended IP access list VLAN80_outside
    10 evaluate ip
    20 evaluate tcp
    30 evaluate udp
    40 deny ip any 192.168.1.0 0.0.0.255          -------- placed after the evaluate (nested) statements, so this is one-way access; the reflexive ACL gets built
    50 deny ip any 192.168.11.0 0.0.0.255
    60 permit ip any any
Reflexive IP access list ip
Reflexive IP access list tcp
Reflexive IP access list udp

c. The VLANs can reach each other, VLAN1 can access VLAN8 one-way, but VLAN8 and VLAN11 can access each other
Extended IP access list VLAN80_inside
    10 permit ip any any reflect ip (103 matches)
    20 permit tcp any any reflect tcp
    30 permit udp any any reflect udp
Extended IP access list VLAN80_outside
    10 evaluate ip
    20 evaluate tcp
    30 evaluate udp
    40 deny ip any 192.168.1.0 0.0.0.255
    50 permit ip any any (5 matches)            -------- VLAN11 is covered by this entry, so it and VLAN8 can access each other
Reflexive IP access list ip
     permit icmp host 192.168.8.2 host 192.168.11.2  (9 matches) (time left 293)
Reflexive IP access list tcp
Reflexive IP access list udp




Note: the default reflexive list timeout is 300 s.
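The three VLAN80_outside variants above differ only in where the deny lines sit relative to the evaluate statements. As an added example (not part of the original post), the Python below models how IOS walks these lists: an outbound permit with `reflect NAME` writes a mirrored temporary entry (addresses and ports swapped) into list NAME; an `evaluate NAME` on the inbound list admits a packet only if such an entry exists and has not idled out (300 s by default); and an evaluate with no matching entry falls through to the next rule. Rule order and network addresses are taken from the post; the hosts 192.168.1.2, 192.168.11.2 and 192.168.8.2, the ports, the Internet address 203.0.113.10 and the timing are constructed. It also reproduces why only the `reflect ip` list ever gets entries: `permit ip any any` matches every TCP and UDP packet before the more specific reflect lines, which is what the match counters above show.

```python
"""Toy model of IOS reflexive-ACL evaluation for the Serial1/2 setup in this thread.
Added example, not code from the post: rule order and addresses are the post's,
the packet flows and timing are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # 0 for protocols without ports (icmp)
    dport: int = 0

def _in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def _matches(rule, pkt):
    # rule = (action, proto, src_net, dst_net[, reflect_name]); proto "ip" matches everything
    _, proto, src, dst = rule[:4]
    return proto in ("ip", pkt.proto) and _in_net(pkt.src, src) and _in_net(pkt.dst, dst)

class ReflexiveACL:
    """Outbound rules may carry a 5th element (the 'reflect NAME' list); inbound
    rules may be ("evaluate", NAME). Temporary entries idle out after `timeout` s."""
    def __init__(self, outbound, inbound, timeout=300):
        self.outbound, self.inbound, self.timeout = outbound, inbound, timeout
        self.state = {}  # NAME -> {mirrored Packet: expiry time}

    def send(self, pkt, now):
        """Packet leaving toward 192.168.8.0/24 (VLAN80_inside, applied 'out')."""
        for rule in self.outbound:
            if _matches(rule, pkt):
                if rule[0] == "permit" and len(rule) == 5:   # permit ... reflect NAME
                    mirror = Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
                    self.state.setdefault(rule[4], {})[mirror] = now + self.timeout
                return rule[0] == "permit"
        return False  # implicit deny at the end of every ACL

    def receive(self, pkt, now):
        """Packet arriving from 192.168.8.0/24 (VLAN80_outside, applied 'in')."""
        for rule in self.inbound:
            if rule[0] == "evaluate":
                entries = self.state.get(rule[1], {})
                for key in [k for k, exp in entries.items() if exp <= now]:
                    del entries[key]                   # idle timeout reached
                if pkt in entries:
                    entries[pkt] = now + self.timeout  # matching traffic refreshes the timer
                    return True
                continue                               # no temporary entry: try the next rule
            if _matches(rule, pkt):
                return rule[0] == "permit"
        return False

VLAN80_INSIDE = [  # applied 'out' on Serial1/2
    ("permit", "ip", "any", "any", "ip"),
    ("permit", "tcp", "any", "any", "tcp"),  # shadowed by the line above, as in the post
    ("permit", "udp", "any", "any", "udp"),
]
EVAL = [("evaluate", "ip"), ("evaluate", "tcp"), ("evaluate", "udp")]
SCENARIOS = {  # the three VLAN80_outside variants from the post, applied 'in'
    "a": [("deny", "ip", "any", "192.168.11.0/24")] + EVAL
         + [("deny", "ip", "any", "192.168.1.0/24"), ("permit", "ip", "any", "any")],
    "b": EVAL + [("deny", "ip", "any", "192.168.1.0/24"),
                 ("deny", "ip", "any", "192.168.11.0/24"), ("permit", "ip", "any", "any")],
    "c": EVAL + [("deny", "ip", "any", "192.168.1.0/24"), ("permit", "ip", "any", "any")],
}

def run_scenario(name):
    """Push constructed flows through one variant and report what gets through."""
    fw = ReflexiveACL(VLAN80_INSIDE, SCENARIOS[name])
    r = {}
    # VLAN1 host opens SSH to the VLAN8 host; the reply comes back inbound
    fw.send(Packet("tcp", "192.168.1.2", "192.168.8.2", 40000, 22), now=0)
    r["vlan1_to_vlan8_reply"] = fw.receive(Packet("tcp", "192.168.8.2", "192.168.1.2", 22, 40000), now=1)
    # VLAN11 host pings the VLAN8 host (the entry shown under 'Reflexive IP access list ip')
    fw.send(Packet("icmp", "192.168.11.2", "192.168.8.2"), now=0)
    r["vlan11_to_vlan8_reply"] = fw.receive(Packet("icmp", "192.168.8.2", "192.168.11.2"), now=1)
    # VLAN8 host initiating on its own, with no prior outbound flow
    r["vlan8_initiates_to_vlan1"] = fw.receive(Packet("tcp", "192.168.8.2", "192.168.1.2", 50000, 80), now=2)
    r["vlan8_initiates_to_vlan11"] = fw.receive(Packet("tcp", "192.168.8.2", "192.168.11.2", 50000, 80), now=2)
    r["vlan8_to_internet"] = fw.receive(Packet("tcp", "192.168.8.2", "203.0.113.10", 50000, 443), now=2)
    # the SSH reply again after the 300 s default idle timeout has passed
    r["vlan1_to_vlan8_reply_after_timeout"] = fw.receive(
        Packet("tcp", "192.168.8.2", "192.168.1.2", 22, 40000), now=400)
    r["reflexive_lists_populated"] = sorted(fw.state)  # only "ip": the tcp/udp reflect lines never fire
    return r

if __name__ == "__main__":
    for name in "abc":
        print(name, run_scenario(name))
```

Compare the three result dicts: variant a drops VLAN11's echo reply outright because its deny sits before the evaluate lines, while b and c admit it; only c lets VLAN8 initiate toward VLAN11; and once the idle timer expires, even the reply of VLAN1's established session is denied, so long-idle sessions through such a router need a longer timer (the global `ip reflexive-list timeout` command, or `timeout` on the individual reflect entry).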
boway Inc. ( 冀ICP备10011147号 )