PingingLab-5.5 anti-ACL

5.5 self-anti-ACL

Purpose:

1. master the basic preparation of the Self-anti-ACL.

2. Understand the basic features of Self-anti-ACL.

Tutorial topology:

650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/0614393942-0.png "title =" 5.5.png "/>

Tutorial steps:

1. Configure the IP addresses of each vro Based on the topology in the figure, and deploy static routes to ensure full network connectivity. The configuration is as follows:

On R1

R1 (config) # ip route 23.1.1.0 255.255.255.0 12.1.1.2

R1 (config) # ip route 3.3.3.3 255.255.255.255 12.1.1.2

R1 (config) # ip route 8.8.8.8 255.255.255.255 12.1.1.2

On R2

R2 (config) # ip route 192.168.1.0 255.255.255.0 12.1.1.1

R2 (config) # ip route 192.168.2.0 255.255.255.0 12.1.1.1

R2 (config) # ip route 3.3.3.3 255.255.255.255 23.1.1.3

R2 (config) # ip route 8.8.8 route 255.255 23.1.1.3

On R3

R3 (config) # ip route 12.1.1.0 255.255.255.0 23.1.1.2

R3 (config) # ip route 192.168.1.0 255.255.0 23.1.1.2

R3 (config) # ip route 192.168.2.0 255.255.255.0 23.1.1.2

The connectivity test is as follows:

R1 # ping 3.3.3.3 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 MS

R1 # ping 8.8.8.8 source 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 192.168.2.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 36/43/56 MS

As you can see, there is no problem with communication between the Intranet and the Internet.

2. Deploy the self-reverse ACL on R2 so that all devices in the Intranet can access the Internet, but the traffic actively initiated by the Internet is rejected. The configuration is as follows:

① Allow Intranet access to Internet traffic and execute "record" Traffic"

R2 (config) # ip access-list extended OUTBOUND

R2 (config-ext-nacl) # permit ip any reflect PL

R2 (config-ext-nacl) # exit

R2 (config) # ip access-list extended INBOUND

② Deny Internet access to the Intranet, except for the traffic recorded

R2 (config-ext-nacl) # evaluate PL

R2 (config-ext-nacl) # deny ip any

R2 (config-ext-nacl) # EXIT

③ Call the ACL under the interface

R2 (config) # int f1/0

R2 (config-if) # ip access-group OUTBOUND out

R2 (config-if) # ip access-group INBOUND in

R2 (config-if) # exit

3. Test the self-reverse ACL as follows:

View ACL status on R2

R2 # show ip access-lists

Extended IP access list INBOUND

10 evaluate PL

20 deny ip any

Extended IP access list OUTBOUND

10 permit ip any reflect PL

Reflexive IP access list PL

Allow R1 to access the Internet

R1 # ping 8.8.8.8 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 60/63/64 MS

View the ACL status on R2 again

R2 # show ip access-lists

Extended IP access list INBOUND

10 evaluate PL

20 deny ip any

Extended IP access list OUTBOUND

10 permit ip any reflect PL (10 matches)

Reflexive IP access list PL

Permit icmp host 8.8.8.8 host 192.168.1.1(20 matches) (time left 298)

As can be seen from the above, when the Intranet accesses the Internet, due to the implementation of the traffic "record", the self-reverse ACL automatically generates a reverse ACL to open the Intranet to the Internet to return traffic. The traffic that has not been recorded or actively initiated by the Internet is rejected, as follows:

R3 # ping 192.168.1.1 source 3.3.3.3

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

Packet sent with a source address of 3.3.3.3

UUUUU

Success rate is 0 percent (0/5)

Through this experiment, we can see that the self-reverse ACL can implement more secure access control, and can act as a firewall to some extent. This experiment is complete.

========================================================== =

PingingLab· High quality ITEducation provider

CCIELab-ITProject Practice · customization of high-end Talents

Shenzhen pinke Information Technology Co., Ltd. · waihuan West Road Station, Guangzhou University City

Sina Weibo :@PingingLab@ PingingLab-Chen xinjie

PingingLabPublic Account: pinginglab

PingingLabTechnical Exchange Group: 240920680

650) this. width = 650; "src =" http://www.bkjia.com/uploads/allimg/131227/06143923I-1.jpg "title =" pinginglab .bmp "/>

This article from the "Chen xinjie network" blog, please be sure to keep this source http://chenxinjie.blog.51cto.com/7749507/1274477