PingingLab 5.5 Reflexive ACL



5.5 Reflexive ACL

Purpose:

1. Master the basic configuration of a reflexive ACL.

2. Understand the basic features of a reflexive ACL.

Tutorial topology:

[Figure: lab topology (5.5.png)]



Tutorial steps:

1. Configure the IP address of each router according to the topology in the figure, and deploy static routes so that the whole network is reachable. The configuration is as follows:

On R1

R1(config)# ip route 23.1.1.0 255.255.255.0 12.1.1.2

R1(config)# ip route 3.3.3.3 255.255.255.255 12.1.1.2

R1(config)# ip route 8.8.8.8 255.255.255.255 12.1.1.2

On R2

R2(config)# ip route 192.168.1.0 255.255.255.0 12.1.1.1

R2(config)# ip route 192.168.2.0 255.255.255.0 12.1.1.1

R2(config)# ip route 3.3.3.3 255.255.255.255 23.1.1.3

R2(config)# ip route 8.8.8.8 255.255.255.255 23.1.1.3

On R3

R3(config)# ip route 12.1.1.0 255.255.255.0 23.1.1.2

R3(config)# ip route 192.168.1.0 255.255.255.0 23.1.1.2

R3(config)# ip route 192.168.2.0 255.255.255.0 23.1.1.2

The connectivity test is as follows:

R1# ping 3.3.3.3 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms

R1# ping 8.8.8.8 source 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 192.168.2.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/43/56 ms

As you can see, the Intranet and the Internet communicate without any problem.

2. Deploy a reflexive ACL on R2 so that every device in the Intranet can access the Internet, while traffic actively initiated from the Internet is rejected. The configuration is as follows:

① Permit traffic from the Intranet to the Internet and "record" it (the reflect keyword creates a mirrored entry in reflexive list PL for every permitted flow)

R2(config)# ip access-list extended OUTBOUND

R2(config-ext-nacl)# permit ip any any reflect PL

R2(config-ext-nacl)# exit

R2(config)# ip access-list extended INBOUND

② Deny traffic from the Internet to the Intranet, except for the return traffic that has been recorded (evaluate PL must come before the deny so that the reflected entries are checked first)

R2(config-ext-nacl)# evaluate PL

R2(config-ext-nacl)# deny ip any any

R2(config-ext-nacl)# exit

③ Apply the ACLs on the interface facing the Internet: OUTBOUND in the outbound direction, INBOUND in the inbound direction

R2(config)# int f1/0

R2(config-if)# ip access-group OUTBOUND out

R2(config-if)# ip access-group INBOUND in

R2(config-if)# exit

3. Test the reflexive ACL as follows:

View ACL status on R2

R2# show ip access-lists

Extended IP access list INBOUND

10 evaluate PL

20 deny ip any any

Extended IP access list OUTBOUND

10 permit ip any any reflect PL

Reflexive IP access list PL

Let R1 access the Internet

R1# ping 8.8.8.8 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 60/63/64 ms

View the ACL status on R2 again

R2# show ip access-lists

Extended IP access list INBOUND

10 evaluate PL

20 deny ip any any

Extended IP access list OUTBOUND

10 permit ip any any reflect PL (10 matches)

Reflexive IP access list PL

permit icmp host 8.8.8.8 host 192.168.1.1 (20 matches) (time left 298)

As can be seen above, when the Intranet accesses the Internet, the "record" of the outbound traffic causes the reflexive ACL to generate a mirrored, temporary entry (source and destination swapped) that opens the way for the return traffic from the Internet to the Intranet; the entry is removed when its timer ("time left") expires. Traffic that has not been recorded, i.e. traffic actively initiated from the Internet, is rejected, as follows:

R3# ping 192.168.1.1 source 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

Packet sent with a source address of 3.3.3.3

UUUUU

Success rate is 0 percent (0/5)
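To make the mechanism concrete, the following Python model is added here as an illustration; it is not part of the lab and not a Cisco implementation. It simulates R2's OUTBOUND list (permit ip any any reflect PL), the INBOUND list (evaluate PL, then deny ip any any) and the temporary entries of reflexive list PL with their idle timer, and replays the lab's two pings plus a third case the lab does not show: a reply that arrives after the entry has aged out. The packet values and timestamps are constructed, and the 300 s timeout is assumed to be the IOS default (consistent with the "time left 298" in the output above).

```python
"""Model of how a reflexive ACL admits only return traffic.

Added example, not part of the lab: it simulates R2's OUTBOUND list
("permit ip any any reflect PL"), the INBOUND list ("evaluate PL" then
"deny ip any any") and the temporary entries of reflexive list PL, with the
idle timeout that "show ip access-lists" reports as "time left".
Packet values and timestamps are constructed; the 300 s timeout is assumed
to be the IOS default (consistent with "time left 298" in the lab output).
"""
from collections import namedtuple

# sport/dport are 0 for ICMP, where no ports exist
Packet = namedtuple("Packet", "proto src dst sport dport")

DEFAULT_TIMEOUT = 300  # assumption: IOS global reflexive timeout, in seconds


class ReflexiveAcl:
    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.timeout = timeout
        self.pl = {}  # reflexive list PL: mirrored 5-tuple -> absolute expiry
        self.hits = {"OUTBOUND permit": 0, "INBOUND evaluate": 0, "INBOUND deny": 0}

    def _expire(self, now):
        # entries whose idle timer has run out disappear from PL
        self.pl = {k: exp for k, exp in self.pl.items() if exp > now}

    @staticmethod
    def _mirror(pkt):
        # the reflected entry swaps source and destination (addresses and ports)
        return Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)

    def outbound(self, pkt, now):
        """OUTBOUND list, applied 'out' on the Internet-facing interface."""
        self._expire(now)
        self.hits["OUTBOUND permit"] += 1
        self.pl[self._mirror(pkt)] = now + self.timeout  # "reflect PL"
        return True  # permit ip any any

    def inbound(self, pkt, now):
        """INBOUND list, applied 'in': evaluate PL first, then deny ip any any."""
        self._expire(now)
        if pkt in self.pl:  # evaluate PL matched a live reflected entry
            self.hits["INBOUND evaluate"] += 1
            self.pl[pkt] = now + self.timeout  # matching traffic restarts the timer
            return True
        self.hits["INBOUND deny"] += 1
        return False

    def time_left(self, pkt, now):
        """Seconds left on the PL entry that would match pkt, or None."""
        self._expire(now)
        exp = self.pl.get(pkt)
        return None if exp is None else int(exp - now)


def run_lab_scenario(timeout=DEFAULT_TIMEOUT):
    """Replays the lab's two pings plus an aged-out reply; returns the verdicts."""
    acl = ReflexiveAcl(timeout)
    # R1 pings 8.8.8.8 from 192.168.1.1: the echo leaves, the echo-reply must come back
    echo = Packet("icmp", "192.168.1.1", "8.8.8.8", 0, 0)
    reply = Packet("icmp", "8.8.8.8", "192.168.1.1", 0, 0)
    echo_ok = acl.outbound(echo, now=0)
    reply_ok = acl.inbound(reply, now=1)
    left = acl.time_left(reply, now=2)
    # R3 pings 192.168.1.1 from 3.3.3.3: nothing in PL matches, so it is denied
    unsolicited = Packet("icmp", "3.3.3.3", "192.168.1.1", 0, 0)
    unsolicited_ok = acl.inbound(unsolicited, now=2)
    # a reply arriving after the idle timeout finds the entry gone
    late_reply_ok = acl.inbound(reply, now=1 + timeout + 1)
    return {
        "echo_permitted": echo_ok,
        "reply_permitted": reply_ok,
        "time_left_after_reply": left,
        "unsolicited_denied": not unsolicited_ok,
        "late_reply_denied": not late_reply_ok,
        "hits": acl.hits,
    }


if __name__ == "__main__":
    for name, verdict in run_lab_scenario().items():
        print(name, verdict)
```

The model is deliberately small: it matches on the full 5-tuple, so for TCP or UDP a return packet is admitted only when it comes back to the exact source port that went out, which is what makes a reflected entry tighter than a static permit. A real IOS reflexive ACL also tears TCP entries down when it sees the session close and handles ICMP more finely; here only the idle timer is modelled.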

This experiment shows that a reflexive ACL provides tighter access control than a plain static ACL, since it only admits return traffic for sessions initiated from the inside, and can therefore serve as a simple stateful firewall to some extent. This experiment is complete.


This article is from the "Chen xinjie network" blog; please be sure to keep this source: http://chenxinjie.blog.51cto.com/7749507/1274477
