I recently ran a reflexive ACL lab; so that I don't forget it, here is a quick write-up.
The topology is as follows:

The goal is to use a reflexive ACL so that:
1. All traffic initiated from R1 towards R3 is allowed through (in both directions).
2. Telnet traffic initiated from R3 towards R1 is filtered.
Configuration:
R1:
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
router rip
network 192.168.1.0
!
R3:
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
router rip
network 192.168.2.0
!
R2:
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.2.254 255.255.255.0
ip access-group INBOUND in
ip access-group OUTBOUND out
duplex auto
speed auto
!
router rip
network 192.168.1.0
network 192.168.2.0
!
ip access-list extended INBOUND
evaluate CISCO
deny tcp 192.168.2.0 0.0.0.255 any eq telnet
ip access-list extended OUTBOUND
permit ip 192.168.1.0 0.0.0.255 any reflect CISCO
!
Note the order of the entries in INBOUND. IOS walks an ACL top-down and stops at the first match, so evaluate CISCO must come before any deny that could match R3's replies to R1; otherwise those replies would be dropped before the temporary reflexive entries are ever consulted. With the deny used here the hazard is narrower than it looks: "deny tcp 192.168.2.0 0.0.0.255 any eq telnet" matches destination port 23, while R3's replies come from source port 23 towards R1's ephemeral port, so they would pass it either way. A broader deny (for example "deny tcp 192.168.2.0 0.0.0.255 any") placed ahead of the evaluate would break the R1-initiated session, so putting the evaluate first, as done here, saves having to reason about that for every later deny. Also keep the implicit "deny any" at the end of INBOUND in mind: anything arriving from the R3 side that is not a reply to an R1-initiated flow is dropped, including any RIP updates R3 sends towards R2. That is harmless in this topology, since R2 is directly connected to both networks and R1 learns 192.168.2.0/24 from R2, but in a larger network the routing protocol would need an explicit permit in INBOUND.
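To make the matching order concrete, here is an added Python model of R2's two lists on Fa1/0 (example code written for this write-up, not from the original post and not Cisco code). It treats each ACE the way IOS does (top-down, first match wins, implicit deny at the end), has "reflect" record the outbound flow with source and destination swapped, and has "evaluate" consult those temporary entries. It then replays the lab: R1's Telnet to R3, R3's reply, R3's own Telnet attempt towards R1 and, to show the implicit deny, an R3 RIP update. The R3 ephemeral port, the RIP packet and the two alternative INBOUND orderings are constructed assumptions, not part of the original configuration.

```python
"""Model of the reflexive ACL pair on R2's Fa1/0 (added example, not from the
original post). OUTBOUND is applied 'out' (towards R3) and creates temporary
entries via 'reflect'; INBOUND is applied 'in' (from R3) and consults them via
'evaluate'. Addresses and ports mirror the lab; the packet sequence is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TELNET = 23
RIP = 520


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int


def in_net(addr: str, net: Optional[str]) -> bool:
    """None stands for the ACL keyword 'any'."""
    return net is None or ip_address(addr) in ip_network(net)


class ReflexiveList:
    """Temporary entries created by 'reflect'. IOS stores each entry with source and
    destination swapped so that it matches the reply direction of the flow."""

    def __init__(self) -> None:
        self.entries = set()

    def reflect(self, pkt: Packet) -> None:
        self.entries.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries


# ACE shapes used below:
#   ("evaluate", <reflexive list name>)
#   (<"permit"|"deny">, <proto or "ip">, <src net or None>, <dst net or None>,
#    <dst port or None>, <reflect list name or None>)
def apply_acl(acl, pkt: Packet, reflexive: dict) -> str:
    """Top-down, first match wins, implicit 'deny any' at the end, as on IOS."""
    for ace in acl:
        if ace[0] == "evaluate":
            if reflexive[ace[1]].matches(pkt):
                return "permit"
            continue                          # no temporary entry: keep walking
        action, proto, src, dst, dport, reflect = ace
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (in_net(pkt.src, src) and in_net(pkt.dst, dst)):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if action == "permit" and reflect is not None:
            reflexive[reflect].reflect(pkt)   # the session is now tracked
        return action
    return "deny"


OUTBOUND = [("permit", "ip", "192.168.1.0/24", None, None, "CISCO")]
INBOUND_AS_POSTED = [("evaluate", "CISCO"),
                     ("deny", "tcp", "192.168.2.0/24", None, TELNET, None)]
# Assumed variant: the posted deny ahead of evaluate (still only destination port 23).
INBOUND_DENY_FIRST = list(reversed(INBOUND_AS_POSTED))
# Assumed variant: a broader deny ahead of evaluate; this one does catch the replies.
INBOUND_BROAD_DENY_FIRST = [("deny", "tcp", "192.168.2.0/24", None, None, None),
                            ("evaluate", "CISCO")]


def run_lab(inbound) -> dict:
    """Replay the lab's traffic through R2's Fa1/0 and return each verdict."""
    refl = {"CISCO": ReflexiveList()}
    # 1. R1 opens Telnet to R3; the SYN leaves R2 on Fa1/0 and hits OUTBOUND.
    r1_syn = Packet("tcp", "192.168.1.1", 20149, "192.168.2.1", TELNET)
    out_verdict = apply_acl(OUTBOUND, r1_syn, refl)
    # 2. R3's SYN/ACK enters R2 on Fa1/0 and hits INBOUND.
    r3_reply = Packet("tcp", "192.168.2.1", TELNET, "192.168.1.1", 20149)
    reply_verdict = apply_acl(inbound, r3_reply, refl)
    # 3. R3 starts its own Telnet to R1 (constructed ephemeral port); nothing tracks it.
    r3_syn = Packet("tcp", "192.168.2.1", 11001, "192.168.1.1", TELNET)
    r3_init_verdict = apply_acl(inbound, r3_syn, refl)
    # 4. A constructed RIPv2 update from R3; only the implicit deny can match it.
    r3_rip = Packet("udp", "192.168.2.1", RIP, "224.0.0.9", RIP)
    rip_verdict = apply_acl(inbound, r3_rip, refl)
    return {"r1_to_r3": out_verdict, "r3_reply": reply_verdict,
            "r3_initiated": r3_init_verdict, "r3_rip": rip_verdict}


if __name__ == "__main__":
    for name, acl in [("as posted", INBOUND_AS_POSTED),
                      ("deny telnet first", INBOUND_DENY_FIRST),
                      ("broad deny first", INBOUND_BROAD_DENY_FIRST)]:
        print(f"{name:18} {run_lab(acl)}")
```

Running it shows the posted order permitting R3's reply and denying R3's own Telnet, the narrow deny behaving the same even when placed first, and the broad deny placed first dropping the reply of the R1-initiated session. The RIP update is dropped by every variant, which is the implicit deny at work.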
Now Telnet from each side:
R1#telnet 192.168.2.1
Trying 192.168.2.1 ... Open
User Access Verification
Password:
R3>
---------------------------------------
R3#telnet 192.168.1.1
Trying 192.168.1.1 ...
% Destination unreachable; gateway or host down
R3#
On R2, show ip access-lists shows the matches:
R2#sh ip access-lists
Reflexive IP access list CISCO
permit tcp host 192.168.2.1 eq telnet host 192.168.1.1 eq 20149 (55 matches) (time left 111)
Extended IP access list INBOUND
10 evaluate CISCO
20 deny tcp 192.168.2.0 0.0.0.255 any eq telnet (6 matches)
Extended IP access list OUTBOUND
10 permit ip 192.168.1.0 0.0.0.255 any reflect CISCO (76 matches)
The temporary entry in CISCO is the mirror image of R1's Telnet session (source 192.168.2.1 port 23, destination 192.168.1.1 port 20149) and is what let R3's replies through; the 6 matches on the deny are R3's own connection attempts. "time left 111" is the entry's idle timer: reflexive entries expire after 300 seconds without traffic by default (adjustable globally with "ip reflexive-list timeout" or per ACE with the timeout keyword on the reflect statement), and TCP entries are also removed shortly after the session closes with FIN or is reset.
Reposted from: https://blog.51cto.com/zeroyang/102549