Latest experiment results: implementing a one-way access control list with reflect + evaluate
interface Vlan12
ip address 10.147.18.92 255.255.255.240
ip access-group in-filter in
ip access-group out-filter out
ip helper-address 10.147.17.193
no ip redirects
standby 12 ip 10.147.18.94
standby 12 priority 150
standby 12 preempt
Step 1:
ip access-list extended in-filter
evaluate abcd
deny ip any any
ip access-list extended out-filter
permit ip any any reflect abcd
Result: pinging machines in other VLANs from a client on VLAN12 gives:
Reply from 10.147.18.92: Destination net unreachable.
Step 2:
Change the access lists above to:
ip access-list extended in-filter
permit ip any any reflect abcd
ip access-list extended out-filter
evaluate abcd
deny ip any any
Result: clients on VLAN12 can ping machines in other VLANs, but machines in other VLANs cannot ping machines on VLAN12.
On observation, whenever I ping any machine in another VLAN from a VLAN12 client, a dynamic access-list entry is generated automatically (for example, when I ping 10.147.17.251 in VLAN1 from 10.147.18.90 in VLAN12).
The record looks like this:
Reflexive IP access list abcd
permit icmp host 10.147.17.251 host 10.147.18.90 (8 matches) (time left 297)
permit udp host 202.96.170.163 eq 8000 host 10.147.18.90 eq 4000 (6 matches) (time left 247)
permit udp host 224.0.0.2 eq 1985 host 10.147.18.93 eq 1985 (155 matches) (time left 299)
Extended IP access list in-filter
permit ip any any reflect abcd
Extended IP access list out-filter
evaluate abcd
deny ip any any (289 matches)
Step 3: What I want to achieve: machines in VLAN12 can reach all other VLANs, and nothing except VLAN 2 (10.147.16.0/255.255.255.128) can reach VLAN12.
Change the access lists to:
ip access-list extended in-filter
permit ip any any reflect abcd
ip access-list extended out-filter
evaluate abcd
permit ip 10.147.16.0 0.0.0.128 any
deny ip any any
Result: for the first few minutes, machines in every VLAN other than the specified VLAN2 (10.147.16.0/255.255.255.128) could not ping machines on VLAN 12; after that, nothing could ping through at all, the same result as in step 2.