Latest experiment results on implementing a one-way access control list with reflect + evaluate
interface Vlan12
ip address 10.147.18.92 255.255.255.240
ip access-group in-filter in
ip access-group out-filter out
ip helper-address 10.147.17.193
no ip redirects
standby 12 ip 10.147.18.94
standby 12 priority 150
standby 12 preempt
Step 1:
ip access-list extended in-filter
evaluate abcd
deny ip any any
ip access-list extended out-filter
permit ip any any reflect abcd
Result: pinging machines in other VLANs from a client on VLAN12 gives the message:
Reply from 10.147.18.92: Destination net unreachable.
Step 2:
Change the access lists above to:
ip access-list extended in-filter
permit ip any any reflect abcd
ip access-list extended out-filter
evaluate abcd
deny ip any any
Result: clients on VLAN12 can ping machines in other VLANs, but machines in other VLANs cannot ping machines in VLAN12.
Observation: whenever I ping any machine in another VLAN from a VLAN12 client, a dynamic access-list entry is generated automatically (for example, when I ping 10.147.17.251 in VLAN1 from the VLAN12 machine 10.147.18.90). The record looks like this:
Reflexive IP access list abcd
permit icmp host 10.147.17.251 host 10.147.18.90 (8 matches) (time left 297)
permit udp host 202.96.170.163 eq 8000 host 10.147.18.90 eq 4000 (6 matches) (time left 247)
permit udp host 224.0.0.2 eq 1985 host 10.147.18.93 eq 1985 (155 matches) (time left 299)
Extended IP access list in-filter
permit ip any any reflect abcd
Extended IP access list out-filter
evaluate abcd
deny ip any any (289 matches)
Step 3: the function I want is that machines in VLAN12 can access all other VLANs, while no VLAN except VLAN 2 (10.147.16.0/255.255.255.128) can access VLAN12.
Change the access lists to:
ip access-list extended in-filter
permit ip any any reflect abcd
ip access-list extended out-filter
evaluate abcd
permit ip 10.147.16.0 0.0.0.128 any
deny ip any any
Result: for the first few minutes, machines in every VLAN other than the defined VLAN2 (10.147.16.0/255.255.255.128) could not ping machines in VLAN 12; after that none of them could ping through at all, the same result as in step 2.
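To make the evaluate/reflect ordering of the three steps checkable offline, here is an added Python model (not from the post and not Cisco IOS code) of one SVI with an inbound and an outbound ACL and a reflexive session table; it ignores ports and timers, the hosts are the ones named in the post, and the step-3 permit line is also shown with 0.0.0.127, which is the wildcard for the /25 mask 255.255.255.128 that the text names (0.0.0.128 matches only the two addresses 10.147.16.0 and 10.147.16.128).

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str
    src: str
    dst: str

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard is a 'don't care' bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")
EVALUATE = ("evaluate", None, None, "abcd")

def permit(src=ANY, dst=ANY, reflect=None):
    return ("permit", src, dst, reflect)

def deny(src=ANY, dst=ANY):
    return ("deny", src, dst, None)

class Svi:
    """Routed VLAN interface: 'in' = packets from VLAN hosts entering the router,
    'out' = packets leaving the router toward those hosts (no ports, no timers)."""
    def __init__(self, acl_in, acl_out):
        self.acl = {"in": acl_in, "out": acl_out}
        self.reflexive = set()  # the dynamic 'Reflexive IP access list abcd'

    def passes(self, direction: str, pkt: Packet) -> bool:
        for action, src, dst, reflect in self.acl[direction]:
            if action == "evaluate":
                if pkt in self.reflexive:
                    return True
                continue  # no session entry: fall through to the next static line
            if wildcard_match(pkt.src, *src) and wildcard_match(pkt.dst, *dst):
                if action == "permit" and reflect:
                    # reflect records the mirror-image flow so the reply can be evaluated
                    self.reflexive.add(Packet(pkt.proto, pkt.dst, pkt.src))
                return action == "permit"
        return False  # implicit deny at the end of every ACL

def ping(svi: Svi, src: str, dst: str, from_vlan12: bool) -> bool:
    """Echo request then echo reply through the SVI; True only if both pass."""
    req_dir, rep_dir = ("in", "out") if from_vlan12 else ("out", "in")
    req, rep = Packet("icmp", src, dst), Packet("icmp", dst, src)
    return svi.passes(req_dir, req) and svi.passes(rep_dir, rep)

# The three ACL sets from the post; step 3 is also shown with the /25 wildcard 0.0.0.127.
STEP1 = Svi([EVALUATE, deny()], [permit(reflect="abcd")])
STEP2 = Svi([permit(reflect="abcd")], [EVALUATE, deny()])
STEP3 = Svi([permit(reflect="abcd")], [EVALUATE, permit(src=("10.147.16.0", "0.0.0.128")), deny()])
STEP3_FIXED = Svi([permit(reflect="abcd")], [EVALUATE, permit(src=("10.147.16.0", "0.0.0.127")), deny()])
```

Pinging 10.147.17.251 from 10.147.18.90 fails on STEP1 and succeeds on STEP2, and a VLAN2 host such as 10.147.16.10 reaches VLAN12 only with the 0.0.0.127 wildcard.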