5.5 Reflexive ACL
Purpose:
1. Master the basic configuration of a reflexive ACL.
2. Understand the basic features of a reflexive ACL.
Tutorial topology:
[Figure 5.5: tutorial topology (image: http://www.bkjia.com/uploads/allimg/131227/0614393942-0.png)]
Tutorial steps:
1. Configure the IP address of each router according to the topology in the figure, and deploy static routes to ensure full connectivity across the network. The configuration is as follows:
On R1
R1(config)# ip route 23.1.1.0 255.255.255.0 12.1.1.2
R1(config)# ip route 3.3.3.3 255.255.255.255 12.1.1.2
R1(config)# ip route 8.8.8.8 255.255.255.255 12.1.1.2
On R2
R2(config)# ip route 192.168.1.0 255.255.255.0 12.1.1.1
R2(config)# ip route 192.168.2.0 255.255.255.0 12.1.1.1
R2(config)# ip route 3.3.3.3 255.255.255.255 23.1.1.3
R2(config)# ip route 8.8.8.8 255.255.255.255 23.1.1.3
On R3
R3(config)# ip route 12.1.1.0 255.255.255.0 23.1.1.2
R3(config)# ip route 192.168.1.0 255.255.255.0 23.1.1.2
R3(config)# ip route 192.168.2.0 255.255.255.0 23.1.1.2
The connectivity test is as follows:
R1# ping 3.3.3.3 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms
R1# ping 8.8.8.8 source 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/43/56 ms
As you can see, there is no problem with communication between the Intranet and the Internet.
2. Deploy a reflexive ACL on R2 so that all devices on the Intranet can access the Internet, while traffic initiated from the Internet is rejected. The configuration is as follows:
① Permit traffic from the Intranet to the Internet and "record" it (reflect)
R2(config)# ip access-list extended OUTBOUND
R2(config-ext-nacl)# permit ip any any reflect PL
R2(config-ext-nacl)# exit
② Deny traffic from the Internet to the Intranet, except for the recorded (reflected) sessions
R2(config)# ip access-list extended INBOUND
R2(config-ext-nacl)# evaluate PL
R2(config-ext-nacl)# deny ip any any
R2(config-ext-nacl)# exit
③ Apply the ACLs to the interface
R2(config)# int f1/0
R2(config-if)# ip access-group OUTBOUND out
R2(config-if)# ip access-group INBOUND in
R2(config-if)# exit
3. Test the reflexive ACL as follows:
View the ACL status on R2
R2# show ip access-lists
Extended IP access list INBOUND
10 evaluate PL
20 deny ip any any
Extended IP access list OUTBOUND
10 permit ip any any reflect PL
Reflexive IP access list PL
Have R1 access the Internet
R1# ping 8.8.8.8 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/63/64 ms
View the ACL status on R2 again
R2# show ip access-lists
Extended IP access list INBOUND
10 evaluate PL
20 deny ip any any
Extended IP access list OUTBOUND
10 permit ip any any reflect PL (10 matches)
Reflexive IP access list PL
permit icmp host 8.8.8.8 host 192.168.1.1 (20 matches) (time left 298)
As can be seen above, when the Intranet accesses the Internet, the traffic is "recorded" and the reflexive ACL automatically generates a mirrored temporary entry that admits the return traffic from the Internet to the Intranet. Traffic that was not recorded, that is, traffic initiated from the Internet, is rejected, as follows:
R3# ping 192.168.1.1 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
UUUUU
Success rate is 0 percent (0/5)
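To make the mechanism concrete, the following Python model of R2's two ACLs is added here as an illustration; it is not code from the tutorial or from Cisco IOS. It assumes the 300-second default idle timeout for reflected entries that the "time left 298" above implies, and models only the match, reflect and evaluate logic (real IOS additionally closes TCP entries on FIN or RST). The Packet, ReflexiveList and R2Interface names and all packets are constructed for the example, and the TCP part goes beyond the lab to show why a reflected entry admits only the exact return flow.

```python
"""Toy model of the reflexive ACL that R2 applies on f1/0 in this lab.

Added example, not from the tutorial or from Cisco IOS: OUTBOUND permits and
reflects into PL; INBOUND evaluates PL and then denies everything else.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0      # 0 for ICMP: reflexive ACLs track ICMP by address only
    dport: int = 0

    def mirrored(self):
        """Entry a reflexive ACL creates for return traffic: addresses and ports swapped."""
        return Packet(self.proto, self.dst, self.src, self.dport, self.sport)


class ReflexiveList:
    """Temporary entries of the reflexive list ('PL' in the lab)."""

    DEFAULT_TIMEOUT = 300   # IOS default idle timeout for reflected entries (seconds)

    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.timeout = timeout
        self.entries = {}   # mirrored Packet -> absolute expiry time

    def reflect(self, pkt, now):
        """'permit ip any any reflect PL': record the session's reverse direction."""
        self.entries[pkt.mirrored()] = now + self.timeout

    def evaluate(self, pkt, now):
        """'evaluate PL': purge aged-out entries, then match and refresh the timer."""
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}
        if pkt in self.entries:
            self.entries[pkt] = now + self.timeout
            return True
        return False

    def show(self, now):
        """Render PL roughly the way 'show ip access-lists' prints it."""
        lines = []
        for k, exp in self.entries.items():
            sp = f" eq {k.sport}" if k.sport else ""
            dp = f" eq {k.dport}" if k.dport else ""
            lines.append(f"permit {k.proto} host {k.src}{sp} host {k.dst}{dp} "
                         f"(time left {int(exp - now)})")
        return lines


class R2Interface:
    """R2's f1/0 with OUTBOUND applied 'out' and INBOUND applied 'in'."""

    def __init__(self, timeout=ReflexiveList.DEFAULT_TIMEOUT):
        self.pl = ReflexiveList(timeout)

    def outbound(self, pkt, now):
        self.pl.reflect(pkt, now)        # OUTBOUND 10: permit ip any any reflect PL
        return "permit"

    def inbound(self, pkt, now):
        if self.pl.evaluate(pkt, now):   # INBOUND 10: evaluate PL
            return "permit"
        return "deny"                    # INBOUND 20: deny ip any any


def run_scenario():
    """Replay the lab's tests on constructed packets; returns each verdict."""
    r2 = R2Interface()
    results = {}
    # Step 1: R1 pings 8.8.8.8 from 192.168.1.1; the echo leaves via f1/0 and is reflected.
    echo = Packet("icmp", "192.168.1.1", "8.8.8.8")
    results["r1_echo_out"] = r2.outbound(echo, now=0)
    reply = Packet("icmp", "8.8.8.8", "192.168.1.1")
    results["r3_reply_in"] = r2.inbound(reply, now=1)
    results["pl_after_ping"] = r2.pl.show(now=1)
    # Step 2: R3 initiates a ping from 3.3.3.3: nothing was recorded, so INBOUND denies it.
    unsolicited = Packet("icmp", "3.3.3.3", "192.168.1.1")
    results["r3_unsolicited_in"] = r2.inbound(unsolicited, now=2)
    # Step 3: the reflected entry idles past 300 s, so a late reply is denied as well.
    results["late_reply_in"] = r2.inbound(reply, now=302)
    # Beyond the lab: a TCP session reflects with swapped ports, so only the exact
    # return flow is admitted, not other traffic from the same server.
    syn = Packet("tcp", "192.168.2.1", "8.8.8.8", 40000, 80)
    r2.outbound(syn, now=400)
    synack = Packet("tcp", "8.8.8.8", "192.168.2.1", 80, 40000)
    results["tcp_return_in"] = r2.inbound(synack, now=401)
    probe = Packet("tcp", "8.8.8.8", "192.168.2.1", 80, 40001)
    results["tcp_other_port_in"] = r2.inbound(probe, now=402)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

Running the module prints one verdict per step; the "pl_after_ping" entry mirrors the line the router shows for PL after R1's ping, and "late_reply_in" shows the idle timeout doing the cleanup that a stateless extended ACL could never do.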
This experiment shows that a reflexive ACL provides stricter access control than a plain extended ACL and can act as a simple stateful firewall. This experiment is complete.
This article is from the "Chen Xinjie Network" blog; please keep this source when reposting: http://chenxinjie.blog.51cto.com/7749507/1274477