
RACL configuration:
Initial configuration:
R1:
interface s1/1
ip address 192.168.12.1 255.255.255.0
no shut
ip route 192.168.23.0 255.255.255.0 192.168.12.2
line vty 0 4
password fangtao
login
R2:
interface s1/0
ip address 192.168.12.2 255.255.255.0
no shut
interface s1/1
ip address 192.168.23.2 255.255.255.0
no shut
R3:
interface s1/0
ip address 192.168.23.3 255.255.255.0
no shut
ip route 192.168.12.0 255.255.255.0 192.168.23.2
line vty 0 4
password fangtao
login
Configure the reflexive ACL on R2:
ip access-list extended INTERNAL
permit icmp any any reflect RACL_icmp
permit tcp any any reflect RACL_tcp
deny ip any any
exit
ip access-list extended EXTERNAL
evaluate RACL_icmp
evaluate RACL_tcp
deny ip any any
exit
Apply the RACL on R2's external interface s1/1:
interface s1/1
ip access-group INTERNAL out
ip access-group EXTERNAL in
exit
Check the ACLs on R2:
r2#sh access-list
Extended IP access list EXTERNAL
10 evaluate RACL_icmp
20 evaluate RACL_tcp
30 deny ip any any
Extended IP access list INTERNAL
10 permit icmp any any reflect RACL_icmp
20 permit tcp any any reflect RACL_tcp
30 deny ip any any
Reflexive IP access list RACL_icmp
Reflexive IP access list RACL_tcp
Ping R1 from R3:
r3#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
The ping fails, because the ACL applied inbound on the external interface denies the ping packets.
Now ping R3 from R1:
r1#ping 192.168.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/63/100 ms
Now check the ACLs on R2 again: the outbound ping has created a temporary entry in the RACL_icmp reflexive list.
r2#sh access-list
Extended IP access list EXTERNAL
10 evaluate RACL_icmp
20 evaluate RACL_tcp
30 deny ip any any (22 matches)
Extended IP access list INTERNAL
10 permit icmp any any reflect RACL_icmp (20 matches)
20 permit tcp any any reflect RACL_tcp
30 deny ip any any
Reflexive IP access list RACL_icmp
permit icmp host 192.168.23.3 host 192.168.12.1 (19 matches) (time left 297)
Reflexive IP access list RACL_tcp
Now demonstrate the same with telnet:
Telnet from R3 to R1:
r3#telnet 192.168.12.1
Trying 192.168.12.1 ...
% Destination unreachable; gateway or host down
Now telnet from R1 to R3:
r1#telnet 192.168.23.3
Trying 192.168.23.3 ... Open
User Access Verification
Password:
r3>
Checking the ACLs on R2 shows that a temporary entry has appeared in RACL_tcp:
r2#sh access-list
Extended IP access list EXTERNAL
10 evaluate RACL_icmp
20 evaluate RACL_tcp
30 deny ip any any (37 matches)
Extended IP access list INTERNAL
10 permit icmp any any reflect RACL_icmp (31 matches)
20 permit tcp any any reflect RACL_tcp (141 matches)
30 deny ip any any
Reflexive IP access list RACL_icmp
permit icmp host 192.168.23.3 host 192.168.12.1 (19 matches) (time left 277)
Reflexive IP access list RACL_tcp
permit tcp host 192.168.23.3 eq telnet host 192.168.12.1 eq 28109 (51 matches) (time left 297)
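The state-table behaviour the RACL section demonstrates (an outbound flow matching a "reflect" entry creates a mirrored temporary entry, inbound traffic passes only while that entry is alive, and the entry ages out) can be modelled in a few lines. This is an added example, not code from the page or from Cisco IOS; the packet tuples, the port 40000 for R3's unsolicited attempt and the 300 s timer (the IOS default reflexive timeout) are assumptions.

```python
# Added example, not from the page or Cisco IOS: a toy model of the reflexive ACL
# behaviour above. A packet is (proto, src, dst, sport, dport); ports are 0 for icmp.
REFLEXIVE_TIMEOUT = 300  # seconds; assumed IOS default for "ip reflexive-list timeout"

class ReflexiveAcl:
    """INTERNAL out ('permit ... reflect') and EXTERNAL in ('evaluate', then deny)."""

    def __init__(self):
        # key: (proto, src, dst, sport, dport) of the permitted *inbound* flow
        self.entries = {}  # value: absolute expiry time

    def _purge(self, now):
        self.entries = {k: t for k, t in self.entries.items() if t > now}

    def outbound(self, pkt, now):
        """Mirror each permitted outbound flow into a temporary inbound entry."""
        self._purge(now)
        proto, src, dst, sport, dport = pkt
        if proto not in ("icmp", "tcp"):
            return False  # deny ip any any
        self.entries[(proto, dst, src, dport, sport)] = now + REFLEXIVE_TIMEOUT
        return True

    def inbound(self, pkt, now):
        """Permit only traffic that matches a live mirrored entry."""
        self._purge(now)
        if pkt not in self.entries:
            return False  # deny ip any any: unsolicited inbound traffic
        self.entries[pkt] = now + REFLEXIVE_TIMEOUT  # matching traffic refreshes
        return True

    def show(self):
        """Live entries in the 'show access-list' style used on the page."""
        return [f"permit icmp host {s} host {d}" if p == "icmp" else
                f"permit tcp host {s} eq {sp} host {d} eq {dp}"
                for (p, s, d, sp, dp) in self.entries]

def demo():
    """Replay the page's telnet test with constructed packets: R3 first, then R1."""
    acl = ReflexiveAcl()
    r3_syn = ("tcp", "192.168.23.3", "192.168.12.1", 40000, 23)  # unsolicited
    r1_syn = ("tcp", "192.168.12.1", "192.168.23.3", 28109, 23)  # R1 -> R3
    r3_ack = ("tcp", "192.168.23.3", "192.168.12.1", 23, 28109)  # R3's reply
    return {
        "r3_unsolicited": acl.inbound(r3_syn, 0),  # False: no entry yet
        "r1_outbound": acl.outbound(r1_syn, 0),    # True: creates mirrored entry
        "r3_reply": acl.inbound(r3_ack, 10),       # True: matches the entry
        "table": acl.show(),
        "r3_reply_expired": acl.inbound(r3_ack, 10 + REFLEXIVE_TIMEOUT + 1),  # False
    }
```

The model renders port 23 numerically where IOS prints "telnet"; the mirrored entry otherwise matches the RACL_tcp line shown above.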
CBAC configuration:
The initial configuration is the same as for the RACL above.
Now configure CBAC on R2:
ip access-list extended EXTERNAL
deny icmp any any
deny tcp any any
deny ip any any
exit
ip inspect name CBAC icmp
ip inspect name CBAC tcp
Apply CBAC on R2's external interface s1/1:
interface s1/1
ip access-group EXTERNAL in
ip inspect CBAC out
exit
Checking the CBAC session table at this point shows nothing:
r2#sh ip inspect sessions
r2#
Ping R1 from R3:
r3#ping 192.168.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
Then ping R3 from R1:
r1#ping 192.168.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/119/300 ms
Now check the CBAC session table again:
r2#sh ip inspect sessions
Established Sessions
Session 65F31950 (192.168.12.1:8)=>(192.168.23.3:0) icmp SIS_OPEN
r2#
Likewise, R1 can telnet to R3:
r1#telnet 192.168.23.3
Trying 192.168.23.3 ... Open
User Access Verification
Password:
r3>
But R3 cannot telnet to R1:
r3#telnet 192.168.12.1
Trying 192.168.12.1 ...
% Destination unreachable; gateway or host down
Check the CBAC session table:
r2#sh ip inspect sessions
Established Sessions
Session 65F31690 (192.168.12.1:39966)=>(192.168.23.3:23) tcp SIS_OPEN
r2#