Configuring IP session filtering (reflexive access lists)
Copyright notice: original work, reproduction prohibited; violators will be held legally responsible.
1. External interface configuration
Topology: R1 is the internal router, R2 the border router and R3 the external router. R1 and R2 are connected through a LAN switch; R2 and R3 through a Frame Relay switch.
Configuration example
Initial configuration
R1
conf t
int f0/0
ip address 10.1.1.1 255.255.255.0
no shut
router eigrp 1
no auto-summary
network 10.0.0.0
end

R2
conf t
int f0/0
ip address 10.1.1.2 255.255.255.0
no shut
int s2/0
ip address 10.1.2.2 255.255.255.0
encapsulation frame-relay
no arp frame-relay
no frame-relay inverse-arp
frame-relay map ip 10.1.2.3 203 broadcast
frame-relay map ip 10.1.2.4 204 broadcast
no shut
router eigrp 1
no auto-summary
network 10.0.0.0
end

R3
conf t
int s2/0
ip address 10.1.2.3 255.255.255.0
encapsulation frame-relay
no arp frame-relay
no frame-relay inverse-arp
frame-relay map ip 10.1.2.2 302 broadcast
frame-relay map ip 10.1.2.4 302 broadcast
no shut
router eigrp 1
no auto-summary
network 10.0.0.0
end

(R3 and R4 each have a single PVC to R2, so both of their maps point at that one DLCI and traffic between R3 and R4 transits R2.)

Once the EIGRP adjacencies are up, configure a reflexive access list on the border router (R2) to filter the internal users' access to the external network.
R2
conf t
ip access-list extended intraffic
permit eigrp any any
deny icmp any any
evaluate tcptraffic
exit
ip access-list extended outtraffic
permit tcp any any reflect tcptraffic
exit
int s2/0
ip access-group intraffic in
ip access-group outtraffic out
exit
ip reflexive-list timeout 180
end

outtraffic, applied outbound on s2/0, lets any TCP session leave and records each one in the temporary list tcptraffic. intraffic, applied inbound on s2/0, statically permits EIGRP (needed to keep the adjacencies with R3 and R4), explicitly denies ICMP, and otherwise admits only packets that match a tcptraffic entry, i.e. return traffic of sessions the inside opened; everything else hits the implicit deny. The timeout of 180 seconds is the idle time after which an unused tcptraffic entry is removed (the IOS default is 300 seconds).
Verification
On R3, enable vty login so that a Telnet session can be tested:

conf t
line vty 0 4
password comeon
login
end

Test from R1:

R1#ping 10.1.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#telnet 10.1.2.3
Trying 10.1.2.3 ... Open
User Access Verification
Password:
R3>quit
[Connection to 10.1.2.3 closed by foreign host]
R1#

The "U" in the ping output is an ICMP unreachable returned by R2: the echo requests are dropped by the outbound list on s2/0, which permits only TCP. The Telnet session is TCP, so it leaves, and its return traffic is admitted by the reflexive entry it created.

Check the EIGRP neighbor table on R2:

R2#sh ip ei n
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
2   10.1.2.4        Se2/0         20 00:04:31    1  5000  0  2
1   10.1.1.1        Fa0/0         13 00:04:33  784  4704  0  2
0   10.1.2.3        Se2/0        118 00:04:33    1  5000  0  2

This shows that R2 lets EIGRP and TCP traffic through but not ICMP.

Check the ACLs on R2:

R2#sh access-list
Extended IP access list intraffic
    10 permit tcp any any reflect tcptraffic (116 matches)
Extended IP access list outtraffic
    10 permit eigrp any any (27 matches)
    20 deny icmp any any (8 matches)
    30 evaluate tcptraffic
Reflexive IP access list tcptraffic
    permit tcp host 10.1.2.3 eq telnet host 10.1.1.1 eq 25369 (75 matches) (time left 2)

A reflexive entry was added automatically: it is the mirror of the session R1 opened (source 10.1.2.3 port 23, destination 10.1.1.1 port 25369). The "time left 2" is not the 180-second timeout counting down from a freshly used entry: the Telnet session has just been closed with quit, and IOS removes a reflexive entry a few seconds after it sees the session's FIN exchange (immediately on RST), without waiting for the idle timeout. Note also that in this output, as captured, the two list names appear swapped relative to the configuration above: the reflect entry belongs to outtraffic (applied outbound) and the EIGRP, ICMP and evaluate entries to intraffic (applied inbound); the neighbor table confirms that it is the inbound list that admits EIGRP.

2. Internal interface configuration
The topology is as above. R1 is an internal router, R2 the border router, R3 an internal router that sits in the DMZ, and R4 the external router.
R1 and R2 are connected through a LAN switch; R2, R3 and R4 through a Frame Relay switch.
With IP session filtering configured on R2, R4 cannot reach R1 but can still reach R3 in the DMZ. Once R1 initiates a TCP session and thereby creates a reflexive entry on R2, R4's return traffic for that session is allowed back to R1, so the two can communicate.
The initial configuration of R1, R2 and R3 is the same as above.
R4
conf t
int s2/0
ip address 10.1.2.4 255.255.255.0
encapsulation frame-relay
no arp frame-relay
no frame-relay inverse-arp
frame-relay map ip 10.1.2.2 402 broadcast
frame-relay map ip 10.1.2.3 402 broadcast
no shut
router eigrp 1
no auto-summary
network 10.0.0.0
line vty 0 4
password come
login
end

Once the EIGRP adjacencies are up, configure a reflexive access list on the border router (R2), this time on its internal interface f0/0, to filter the internal users' access to the external network.
R2
conf t
ip access-list extended intraffic
permit eigrp any any
permit tcp any any reflect tcptraffic
exit
ip access-list extended outtraffic
deny icmp any any
evaluate tcptraffic
exit
int f0/0
ip access-group intraffic in
ip access-group outtraffic out
exit
ip reflexive-list timeout 180
end
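Both placements of the two lists, the section-1 pair on s2/0 and the section-2 pair on f0/0 just configured, rely on the same mechanism: the entry carrying reflect writes a mirrored, temporary entry for every TCP session it permits, and evaluate admits only packets that match one of those entries. The Python model below is an added illustration, not part of the original post and not Cisco code. The names Packet, ReflexiveAcl, Rule, check and the two scenario functions, the simplified 5-tuple packets and the second-granularity timestamps are this example's own assumptions; the addresses and ports are the ones that appear in the verification output. It shows the reverse entry being written when R1's Telnet SYN passes the reflect entry, the reply being admitted by evaluate, an unsolicited inbound SYN being dropped, the entry disappearing a few seconds after the FIN exchange (the reason "time left 2" appears in the show output right after quit), and, for the section-2 placement, why deny icmp on the outbound list never accumulates matches: the echo request is already dropped by the inbound list.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "icmp" or "eigrp"
    src: str
    sport: int                      # 0 when the protocol has no ports
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"FIN", "ACK"})
    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)
    def mirror_key(self):           # the 5-tuple a reply to this packet carries
        return (self.proto, self.dst, self.dport, self.src, self.sport)

class ReflexiveAcl:
    """The temporary list: entries written by `reflect`, consulted by `evaluate`."""
    def __init__(self, timeout=300):  # 300 s is the IOS default `ip reflexive-list timeout`
        self.timeout, self.expires, self.fins = timeout, {}, {}  # reply 5-tuple -> expiry, FIN count
    def _expire(self, now):
        for k in [k for k, t in self.expires.items() if t <= now]:
            self.expires.pop(k); self.fins.pop(k, None)
    def _touch(self, key, pkt, now):
        """Refresh the idle timer; shorten the entry's life on FIN, drop it on RST."""
        if "RST" in pkt.flags:
            self.expires.pop(key, None); self.fins.pop(key, None)
            return
        self.fins[key] = self.fins.get(key, 0) + ("FIN" in pkt.flags)
        # IOS removes the entry about 5 s after it has seen a FIN from each side
        self.expires[key] = now + (5 if self.fins[key] >= 2 else self.timeout)
    def reflect(self, pkt, now):    # `permit tcp any any reflect NAME` matched pkt
        self._expire(now)
        self._touch(pkt.mirror_key(), pkt, now)
    def evaluate(self, pkt, now):   # `evaluate NAME`: is pkt the reply to a reflected session?
        self._expire(now)
        if pkt.key() not in self.expires:
            return False
        self._touch(pkt.key(), pkt, now)
        return True
    def time_left(self, pkt, now):  # the "(time left N)" column of `show access-lists`
        return max(0, self.expires.get(pkt.key(), now) - now)

@dataclass
class Rule:
    action: str                     # "permit", "deny" or "evaluate"
    proto: str = "ip"               # "ip" matches any protocol, like `permit ip any any`
    refl: Optional[ReflexiveAcl] = None  # the NAME in `reflect NAME` or `evaluate NAME`
    matches: int = 0                # the "(N matches)" counter of `show access-lists`

def check(rules, pkt, now):
    """True if the packet is forwarded: first match wins, no match is the implicit deny."""
    for r in rules:
        if r.action == "evaluate":
            if r.refl.evaluate(pkt, now):
                return True
            continue                # a miss on `evaluate` falls through to the next entry
        if r.proto not in ("ip", pkt.proto):
            continue
        r.matches += 1
        if r.action == "deny":
            return False
        if r.refl is not None:      # `permit ... reflect NAME`: record the session
            r.refl.reflect(pkt, now)
        return True
    return False                    # implicit deny at the end of every IOS access list

def tcp(src, sport, dst, dport, *flags):
    return Packet("tcp", src, sport, dst, dport, frozenset(flags))

def external_interface_scenario():
    """Section 1: lists on s2/0; R1 10.1.1.1 inside, R3 10.1.2.3 outside. Times in seconds."""
    refl = ReflexiveAcl(timeout=180)
    intraffic = [Rule("permit", "eigrp"), Rule("deny", "icmp"), Rule("evaluate", refl=refl)]
    outtraffic = [Rule("permit", "tcp", refl=refl)]
    synack = tcp("10.1.2.3", 23, "10.1.1.1", 25369, "SYN", "ACK")
    r = {"eigrp_in": check(intraffic, Packet("eigrp", "10.1.2.3", 0, "224.0.0.10", 0), 0)}
    r["ping_out"] = check(outtraffic, Packet("icmp", "10.1.1.1", 0, "10.1.2.3", 0), 1)  # implicit deny: the "U"
    r["telnet_out"] = check(outtraffic, tcp("10.1.1.1", 25369, "10.1.2.3", 23, "SYN"), 2)  # writes reverse entry
    r["telnet_reply_in"] = check(intraffic, synack, 3)          # admitted by `evaluate`
    r["time_left"] = refl.time_left(synack, 3)                  # 180: the configured idle timeout
    r["unsolicited_in"] = check(intraffic, tcp("10.1.2.3", 40000, "10.1.1.1", 23, "SYN"), 4)  # no entry
    check(outtraffic, tcp("10.1.1.1", 25369, "10.1.2.3", 23, "FIN", "ACK"), 10)  # R1 quits the session...
    check(intraffic, tcp("10.1.2.3", 23, "10.1.1.1", 25369, "FIN", "ACK"), 10)   # ...and R3 closes its side
    r["time_left_after_quit"] = refl.time_left(synack, 10)      # 5: why the post shows "time left 2"
    r["reply_after_close"] = check(intraffic, synack, 16)       # entry gone, back to implicit deny
    return r

def internal_interface_scenario():
    """Section 2: lists on f0/0; R4 10.1.2.4 is outside and must not open sessions toward R1."""
    refl = ReflexiveAcl(timeout=180)
    intraffic = [Rule("permit", "eigrp"), Rule("permit", "tcp", refl=refl)]
    outtraffic = [Rule("deny", "icmp"), Rule("evaluate", refl=refl)]
    r = {"ping_in": check(intraffic, Packet("icmp", "10.1.1.1", 0, "10.1.2.4", 0), 0)}  # dropped inbound
    r["deny_icmp_matches"] = outtraffic[0].matches               # 0: the echo never reached this list
    r["telnet_in"] = check(intraffic, tcp("10.1.1.1", 47535, "10.1.2.4", 23, "SYN"), 1)
    r["telnet_reply_out"] = check(outtraffic, tcp("10.1.2.4", 23, "10.1.1.1", 47535, "SYN", "ACK"), 2)
    r["r4_unsolicited_out"] = check(outtraffic, tcp("10.1.2.4", 40000, "10.1.1.1", 23, "SYN"), 3)
    return r
```

Each scenario function returns a dictionary of outcomes (True means forwarded) plus the time-left readings, so the result can be compared directly against the router output in the verification steps. The model deliberately reflects TCP only, as the post's configuration does; a `permit icmp any any reflect` entry would be needed for ping to work the same way.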
Verification
R1#telnet 10.1.2.4
Trying 10.1.2.4 ... Open
User Access Verification
Password:
R4>quit
[Connection to 10.1.2.4 closed by foreign host]
R1#ping 10.1.2.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R2#sh access-l
Extended IP access list intraffic
    10 permit eigrp any any (63 matches)
    20 permit tcp any any reflect tcptraffic (119 matches)
Extended IP access list outtraffic
    10 deny icmp any any
    20 evaluate tcptraffic
Reflexive IP access list tcptraffic
    permit tcp host 10.1.2.4 eq telnet host 10.1.1.1 eq 47535 (43 matches) (time left 177)

Telnet from R1 to R4 succeeds and creates the mirrored tcptraffic entry; ping fails. Note that deny icmp in outtraffic shows no matches: R1's echo requests enter R2 on f0/0, where intraffic permits only EIGRP and TCP, so they are dropped by the inbound implicit deny (R2 answers with unreachables, the "U" in the ping output) before the outbound list is ever consulted. With this placement the explicit deny icmp is therefore redundant.

R2#sh ip ei n
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
0   10.1.1.1        Fa0/0         11 00:05:55    1  4500  0  8
2   10.1.2.4        Se2/0        147 00:12:40    1  3000  0  4
1   10.1.2.3        Se2/0        131 00:12:56    1  5000  0  6

The adjacency with R1 on Fa0/0 stays up because intraffic permits EIGRP statically.

Source: the blog "穿过地狱去看海" (cj231210) on 51CTO.COM; reproduction prohibited.