Configuring a reflexive access control list on a router

Source: Internet
Author: User

A reflexive access control list (reflexive ACL) automatically builds a reversed entry from the traffic it sees: an entry in which the source and destination IP addresses are swapped and the source and destination port numbers are swapped relative to the original packet. So how is a reflexive ACL configured on a router? Let's go through it step by step.

Note that the session must be initiated from the inside, and that reflexive ACLs can only be defined inside named extended IP access lists.

If that is not clear yet, let's look at an example. First, an ordinary extended ACL:

  ip access-list extended abc
   deny icmp any 192.168.1.0 0.0.0.255
   permit ip any any
  exit
  int s0/0
   ip access-group abc in

This ACL stops hosts on the Internet from pinging the internal segment 192.168.1.0/24. But can 192.168.1.1 ping the Internet?

No! Remember that communication is bidirectional. The echo request goes out, but the echo reply coming back is ICMP addressed to 192.168.1.0/24, so the same inbound deny blocks it. Block the traffic in one direction and the conversation fails.

Now let's look at the reflexive ACL:

  ip access-list extended refin
   permit ospf any any
   ! pay attention to this statement:
   evaluate abc
  exit
  ip access-list extended refout
   ! and this one:
   permit ip any any reflect abc
  exit
  int s0/0
   ip access-group refin in
   ip access-group refout out
  exit
  ip reflexive-list timeout 60

Take a closer look. In the in direction of the interface, only OSPF is permitted statically; everything else falls through to the implicit deny at the end of the list, so the Internet cannot initiate access to the Intranet. The evaluate abc line nests the reflexive list named abc at that point in the list: packets that reach it are checked against the entries abc currently holds.

In the out direction of the interface everything is permitted. Remember the point made above: you can go out, but you cannot get back in. That is why reflect abc is appended to permit ip any any. Whenever traffic initiated from the Intranet matches that line, a temporary permit entry is created in the reflexive list abc, and refin consults that entry through its evaluate line, so the return traffic of that session is allowed back in. Use show access-lists to see the result: the entry is not a vague any/any rule but a precise one, listing the exact source and destination addresses and ports of the session with addresses and ports swapped.

Remember, reflexive entries are always permit entries; a reflexive list can never deny anything. Take a good look at the output of show access-lists until this is clear.

ip reflexive-list timeout 60 sets the global lifetime of reflected entries to 60 seconds (the default is 300). An entry is removed when its timeout expires without traffic; for TCP it is also removed when the session is torn down (a RST, or FINs in both directions). Because a reflexive entry tracks only the session that created it, applications that open a second connection on a different port during a session, such as active-mode FTP, are not handled by this mechanism.
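As an added illustration (not IOS code, and not from the original article), the following Python model reproduces the mirroring rule described above and the dynamic entry that reflect abc creates and evaluate abc consults. The outside addresses (203.0.113.53, 203.0.113.9, 198.51.100.5) and the packet sequence are constructed for the example; the teardown rule (entry removed on RST or after a FIN in each direction) and the 300-second default timeout follow Cisco's documented behaviour, and protocols without ports are modelled with port 0 as a simplification.

```python
# Model of a Cisco-style reflexive ACL (illustration, not IOS code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0                  # 0 for protocols without ports (simplification)
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags seen on this packet, e.g. {"RST"}

def flow_key(p: Packet) -> tuple:
    return (p.proto, p.src, p.dst, p.sport, p.dport)

def mirrored_key(p: Packet) -> tuple:
    """The reflexive entry an outbound packet creates: addresses and ports swapped."""
    return (p.proto, p.dst, p.src, p.dport, p.sport)

class ReflexiveList:
    """The dynamic, permit-only list that `reflect NAME` fills and `evaluate NAME` reads."""
    def __init__(self, timeout: float = 300.0):  # IOS default is 300 s; the article sets 60
        self.timeout = timeout
        self.entries: dict[tuple, float] = {}    # entry -> time at which it expires
        self.fins: dict[tuple, int] = {}         # entry -> FIN packets seen (TCP teardown)

    def _remove(self, key: tuple) -> None:
        self.entries.pop(key, None)
        self.fins.pop(key, None)

    def _expire(self, now: float) -> None:
        for key in [k for k, t in self.entries.items() if t <= now]:
            self._remove(key)

    def _teardown(self, key: tuple, p: Packet) -> bool:
        """True when this packet ends a TCP session: a RST, or the second FIN."""
        if p.proto != "tcp":
            return False
        if "RST" in p.flags:
            return True
        if "FIN" in p.flags:
            self.fins[key] = self.fins.get(key, 0) + 1
            return self.fins[key] >= 2
        return False

    def reflect(self, p: Packet, now: float) -> None:
        """Outbound packet matched `permit ... reflect NAME`: create or refresh its mirror."""
        key = mirrored_key(p)
        if self._teardown(key, p):
            self._remove(key)
        else:
            self.entries[key] = now + self.timeout

    def evaluate(self, p: Packet, now: float) -> bool:
        """Inbound packet reached `evaluate NAME`: permit only if a live mirror exists."""
        self._expire(now)
        key = flow_key(p)
        if key not in self.entries:
            return False
        if self._teardown(key, p):
            self._remove(key)                       # last packet of the session
        else:
            self.entries[key] = now + self.timeout  # traffic keeps the entry alive
        return True

class SerialInterface:
    """s0/0 from the article: refin applied in, refout applied out."""
    def __init__(self, timeout: float):
        self.abc = ReflexiveList(timeout)

    def outbound(self, p: Packet, now: float) -> bool:
        self.abc.reflect(p, now)            # refout: permit ip any any reflect abc
        return True

    def inbound(self, p: Packet, now: float) -> bool:
        if p.proto == "ospf":               # refin: permit ospf any any
            return True
        return self.abc.evaluate(p, now)    # refin: evaluate abc, then implicit deny

def demo() -> dict[str, bool]:
    """Constructed traffic against the article's configuration; returns what refin decided."""
    s0 = SerialInterface(timeout=60.0)      # ip reflexive-list timeout 60
    inside, dns, scanner, web = "192.168.1.1", "203.0.113.53", "203.0.113.9", "198.51.100.5"
    out: dict[str, bool] = {}
    s0.outbound(Packet("udp", inside, dns, 40000, 53), now=0)
    out["dns_reply"] = s0.inbound(Packet("udp", dns, inside, 53, 40000), now=1)
    out["reply_to_other_port"] = s0.inbound(Packet("udp", dns, inside, 53, 40001), now=1)
    out["unsolicited_ssh"] = s0.inbound(Packet("tcp", scanner, inside, 12345, 22), now=1)
    out["ospf_hello"] = s0.inbound(Packet("ospf", "203.0.113.1", "224.0.0.5"), now=1)
    out["dns_reply_after_timeout"] = s0.inbound(Packet("udp", dns, inside, 53, 40000), now=70)
    s0.outbound(Packet("tcp", inside, web, 50000, 443, frozenset({"SYN"})), now=100)
    out["https_synack"] = s0.inbound(Packet("tcp", web, inside, 443, 50000, frozenset({"SYN", "ACK"})), now=101)
    out["https_rst"] = s0.inbound(Packet("tcp", web, inside, 443, 50000, frozenset({"RST"})), now=102)
    out["https_after_rst"] = s0.inbound(Packet("tcp", web, inside, 443, 50000), now=103)
    return out

if __name__ == "__main__":
    print(demo())
```

Running the file prints the decision for each constructed packet: the DNS reply to the exact port that was used is permitted, a reply to a different port and an unsolicited SSH connection are not, OSPF passes on its static line, the DNS reply is refused again once 60 seconds have passed with no traffic, and the HTTPS session is permitted until its RST, after which nothing more gets in.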
