Rijie layer-3 switching 3760-24 and router RSR20-04 ACL rules

Sometimes I think ACL is a depressing technology, because different vendors, brands, and even models have different settings for the last ACL rule. Recently the school's younger brother to use ruijie three-layer switch 3760-24 and router RSR20-04 to participate in the Guangzhou Computer Skills Competition, but was ruijie ACL confused. Due to technical vulnerabilities and chaotic rules in the ACL of ruijie exchange routes, after all, it is a domestic manufacturer. Most of the immature routing exchange technologies are copied and adapted according to Cisco technology, even the technical staff who have checked the configuration manual and called ruijie's sales team cannot fully explain the problem. (This is the gap between domestic manufacturers and foreign manufacturers)
Www.2cto.com so the night before yesterday, I went back to a school, did some experimental research on the ruijie layer-3 switching 3760-24 and the ACL rules of the router RSR20-04. Finally, I finally figured out the ACL rules of the layer-3 switching 3760-24 and the router RSR20-04. After the experiment, I also found some depressing things, that is, the layer-3 Exchange of ruijie binds the ACL TO THE OUT direction, which does not work at all. That is, the ACL in the OUT direction is discarded. Depressing... the following is the rule concluded after the experiment: 3760-24. the last rule is to allow all data to pass by default. For example, if 192.168.1.3 (non-existent IP address) ping (icmp protocol) 192.168.2.2 (PC2) is disabled, it is bound to the IN direction of VLAN10, PC1 and PC2 can still ping each other. Access-list 100 deny icmp host 192.168.1.3 host 192.168.2.2int vlan 10ip access-group 100 in2. whether it is a standard ACL or an extended ACL, it can only be bound to the IN direction. The OUT direction is invalid; if 192.168.1.2 (PC1) ping 192.168.2.2 (PC2) is prohibited, it can only be bound to the IN direction of VLAN10. If it is bound to the OUT direction of VLAN20, it will not work. Otherwise, if 192.168.2.2 (PC2) ping 192.168.1.2 (PC1) is prohibited, it can only be bound to the IN direction of VLAN20. If it is bound to the OUT direction of VLAN10, it will not work. 3. Both standard ACL and extended ACL are used to prohibit data passing through. After binding, the two-way data cannot pass. For example, if you disable ping 192.168.1.2 (PC1) to 192.168.2.2 (PC2) and bind it to the IN direction of VLAN10, PC1 cannot ping PC2 or PC2. And vice versa. Ruijie router RSR20-04: 1. Whether the use of standard ACL or extended ACL prohibit data through, after binding, reverse data can still pass. For example, if you disable ping 192.168.1.2 (PC1) to 192.168.2.2 (PC2) and bind it to the IN direction of F0/0, PC1 cannot ping PC2, but PC2 can still ping pc1. And vice versa. (Opposite to the switch ACL mechanism) access-list 100 deny icmp host 192.168.1.2 host 192.168.2.2int F0/0ip access-group 100 in I guess this is because the ACL in the vro has a mechanism, determine whether the data is a response or a Request (for example, whether the ACK bit of the TCP/IP protocol is 1, and whether the ICMP packet is a Request or a Reply ). However, layer-3 switches do not have this mechanism.
Www.2cto.com 2. the last rule defaults to deny all data passes. For example, if you disable ping (icmp protocol) 192.168.2.2 (PC2) from 192.168.1.3 (non-existent IP) and bind it to the IN direction of F0/0, PC1 cannot be pinged to PC2 (opposite to the switch mechanism), but PC2 can be pinged to pc1. (The reason is: the routing ACL mechanism problem) access-list 100 deny icmp host 192.168.1.3 host 192.168.2.2int F0/0ip access-group 100 in if an access-list 100 permit icmp any at the end is added, PC1 can ping pc2. (Verify that the last rule rejects all data) 3. whether it is a standard ACL or an extended ACL, as long as the data flow direction is determined, binding IN the IN direction or OUT direction is valid; for example, disabling 192.168.1.2 (PC1) ping 192.168.2.2 (PC2 ), bind to the IN direction of F0/0, and bind to the OUT direction of F0/1.