Routing Switching instance: RACL configuration on three interfaces

Source: Internet
Author: User

Policy requirements:

1. The Internet can access the Email, DNS, and Web servers in the DMZ.

2. The Internet cannot access the internal network.

3. The internal Email server can only access the DMZ Email server; it cannot access any other device.

4. The DMZ Email server can access the internal Email server to deliver mail.

5. Internal users can access the Internet and receive the reply packets.

6. Internal users cannot access the DMZ Email server or any external Email server.

Configuration:

R1(config)# ip access-list extended internal_ACL
/* This named ACL restricts traffic leaving the intranet segment */
R1(config-ext-nacl)# permit tcp host 192.1.1.1 host 192.1.2.1 eq 25 reflect RACL_DMZ
/* allow the internal Email server to send mail to the DMZ Email server; the reply traffic is let back in through RACL_DMZ */
R1(config-ext-nacl)# deny tcp any any eq 25
/* deny any other internal host from sending mail to the DMZ Email server or to any external Email server */
R1(config-ext-nacl)# deny ip host 192.1.1.1 any
/* deny the internal Email server access to any other DMZ device or external device */
R1(config-ext-nacl)# permit ip any 192.1.2.0 0.0.0.255 reflect RACL_DMZ
/* create reflexive entries for traffic from the intranet segment to the DMZ; the temporary entries are placed in RACL_DMZ */
R1(config-ext-nacl)# permit ip any any
/* allow all other traffic from the intranet segment to the Internet */
R1(config-ext-nacl)# exit

R1(config)# ip access-list extended dmz_ACL
/* This named ACL restricts traffic from the DMZ and Internet segments into the intranet segment */
R1(config-ext-nacl)# permit tcp host 192.1.2.1 host 192.1.1.1 eq 25
/* allow the DMZ Email server to forward mail to the internal Email server */
R1(config-ext-nacl)# evaluate RACL_DMZ
/* allow replies to traffic that internal devices sent to the DMZ to return to those internal devices */
R1(config-ext-nacl)# evaluate RACL_Internal_return
/* allow replies to traffic that internal devices sent to the Internet to return to those internal devices; RACL_Internal_return is defined in exit_ACL below */
R1(config-ext-nacl)# exit

R1(config)# ip access-list extended exit_ACL
/* This named ACL restricts traffic leaving the network toward the Internet */
R1(config-ext-nacl)# permit tcp host 192.1.2.1 any eq 25 reflect RACL_DMZ_return
/* define RACL_DMZ_return so that replies to mail sessions initiated by the DMZ Email server can return to it */
R1(config-ext-nacl)# permit udp host 192.1.2.2 any eq 53 reflect RACL_DMZ_return
/* add to RACL_DMZ_return so that replies to DNS queries sent by the DMZ DNS server to the Internet can return to it */
R1(config-ext-nacl)# permit ip 192.1.1.0 0.0.0.255 any reflect RACL_Internal_return
/* define RACL_Internal_return so that replies to traffic internal users send to the Internet can return to them */
R1(config-ext-nacl)# permit tcp host 192.1.2.1 eq 25 any
R1(config-ext-nacl)# permit udp host 192.1.2.2 eq 53 any
R1(config-ext-nacl)# permit tcp host 192.1.2.3 eq 80 any
/* the preceding three commands allow the DMZ servers to send their responses to Internet users */
R1(config-ext-nacl)# exit

R1(config)# ip access-list extended external_ACL
/* This named ACL filters Internet traffic entering the network */
R1(config-ext-nacl)# permit tcp any host 192.1.2.1 eq 25
R1(config-ext-nacl)# permit udp any host 192.1.2.2 eq 53
R1(config-ext-nacl)# permit tcp any host 192.1.2.3 eq 80
/* the preceding three commands allow Internet access to the Email, DNS, and Web servers in the DMZ */
R1(config-ext-nacl)# evaluate RACL_DMZ_return
R1(config-ext-nacl)# evaluate RACL_Internal_return
/* RACL_DMZ_return and RACL_Internal_return allow replies to traffic sent by internal devices to the Internet, and replies to traffic initiated by DMZ devices, to come back from the Internet. Note that RACL_Internal_return is referenced by two named ACLs: external_ACL (applied inbound on e1) admits the returning Internet traffic, and dmz_ACL (applied outbound on e0) lets it reach the intranet. Both references are necessary */
R1(config-ext-nacl)# exit

R1(config)# interface e0
/* enter interface e0 */
R1(config-if)# description Internal Network
R1(config-if)# ip access-group dmz_ACL out
R1(config-if)# ip access-group internal_ACL in
/* e0 connects to the intranet segment. Two ACLs are active on this interface: internal_ACL restricts traffic leaving the segment and creates the RACL entries that let reply traffic return to the segment; dmz_ACL restricts traffic from the DMZ and Internet segments into the intranet segment */
R1(config-if)# exit

R1(config)# interface e2
/* enter interface e2 */
R1(config-if)# description DMZ
/* e2 connects to the DMZ segment. No ACL is applied here; all policy is enforced by the ACLs on the internal and external interfaces */
R1(config-if)# exit

R1(config)# interface e1
/* enter interface e1 */
R1(config-if)# description Internet
R1(config-if)# ip access-group exit_ACL out
R1(config-if)# ip access-group external_ACL in
/* e1 connects to the Internet. One ACL (external_ACL) is applied inbound on this interface; it restricts traffic to the DMZ and admits the return traffic for internal users. Another ACL (exit_ACL) is applied outbound; it creates the RACL entries and lets the DMZ segment answer Internet queries */
R1(config-if)# exit

R1(config)# ip reflexive-list timeout 60
/* set the idle timeout of all reflexive entries to 60 seconds; a connection idle for 60 seconds is removed from the RACL */
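Added example, not part of the original page or Cisco IOS: a small Python model of the reflexive ACL mechanism the configuration above relies on. A permit with "reflect" records a mirrored session entry when it admits a packet, and "evaluate" matches a packet only if such an entry exists; the four ACLs, the interface bindings and the addresses are the page's, while the packets pushed through it are constructed test traffic.

```python
import ipaddress as ipa

# Model of the page's RACL policy (not real IOS code); segments and rules come from the page.
INTERNAL, DMZ = "192.1.1.0/24", "192.1.2.0/24"   # intranet (e0) and DMZ (e2)
ANY = None                                       # wildcard for a network or a port

def in_net(net, ip):
    return net is ANY or ipa.ip_address(ip) in ipa.ip_network(net)
# rule: (action, proto, src, sport, dst, dport, reflect) or ("evaluate", racl_name)
ACLS = {
 "internal_ACL": [("permit", "tcp", "192.1.1.1/32", ANY, "192.1.2.1/32", 25, "RACL_DMZ"),
                  ("deny", "tcp", ANY, ANY, ANY, 25, None),
                  ("deny", "ip", "192.1.1.1/32", ANY, ANY, ANY, None),
                  ("permit", "ip", ANY, ANY, DMZ, ANY, "RACL_DMZ"),
                  ("permit", "ip", ANY, ANY, ANY, ANY, None)],
 "dmz_ACL": [("permit", "tcp", "192.1.2.1/32", ANY, "192.1.1.1/32", 25, None),
             ("evaluate", "RACL_DMZ"), ("evaluate", "RACL_Internal_return")],
 "exit_ACL": [("permit", "tcp", "192.1.2.1/32", ANY, ANY, 25, "RACL_DMZ_return"),
              ("permit", "udp", "192.1.2.2/32", ANY, ANY, 53, "RACL_DMZ_return"),
              ("permit", "ip", INTERNAL, ANY, ANY, ANY, "RACL_Internal_return"),
              ("permit", "tcp", "192.1.2.1/32", 25, ANY, ANY, None),
              ("permit", "udp", "192.1.2.2/32", 53, ANY, ANY, None),
              ("permit", "tcp", "192.1.2.3/32", 80, ANY, ANY, None)],
 "external_ACL": [("permit", "tcp", ANY, ANY, "192.1.2.1/32", 25, None),
                  ("permit", "udp", ANY, ANY, "192.1.2.2/32", 53, None),
                  ("permit", "tcp", ANY, ANY, "192.1.2.3/32", 80, None),
                  ("evaluate", "RACL_DMZ_return"), ("evaluate", "RACL_Internal_return")],
}
RACL = {}   # reflexive lists: name -> set of mirrored (proto, src, sport, dst, dport)

def apply_acl(name, pkt):
    """Top-down match as in IOS; a permit with 'reflect' records the mirrored session."""
    proto, src, sport, dst, dport = pkt
    for rule in ACLS[name]:
        if rule[0] == "evaluate":          # nested RACL: hits only if a session entry exists
            if pkt in RACL.get(rule[1], set()): return True
            continue
        act, rp, rs, rsp, rd, rdp, reflect = rule
        if rp in ("ip", proto) and in_net(rs, src) and in_net(rd, dst) \
                and rsp in (ANY, sport) and rdp in (ANY, dport):
            if act == "permit" and reflect:
                RACL.setdefault(reflect, set()).add((proto, dst, dport, src, sport))
            return act == "permit"
    return False                           # implicit deny at the end of every ACL

def forward(pkt):
    # inbound ACL of the ingress interface first, then outbound ACL of the egress interface
    iface = lambda ip: "e0" if in_net(INTERNAL, ip) else "e2" if in_net(DMZ, ip) else "e1"
    acl_in, acl_out = {"e0": "internal_ACL", "e1": "external_ACL"}, {"e0": "dmz_ACL", "e1": "exit_ACL"}
    src_if, dst_if = iface(pkt[1]), iface(pkt[3])
    return (src_if not in acl_in or apply_acl(acl_in[src_if], pkt)) and \
           (dst_if not in acl_out or apply_acl(acl_out[dst_if], pkt))
```

Feeding a session's first packet and then its reply through forward() shows why RACL_Internal_return must be evaluated in both external_ACL and dmz_ACL: the reply has to pass e1 inbound and e0 outbound, and the model (like IOS) has no 60-second idle expiry, so entries persist until the process ends.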