Reflexive Access Lists
Lab topology:
Lab requirements:
1. R1, R2 and R3 run EIGRP between them;
2. R1 must be able to telnet to R3, but R3 must not be able to telnet to R1;
3. R2 must be able to telnet to R3, but R3 must not be able to telnet to R2;
Approach:
Requirement 2 can be solved either 1) with the established keyword or 2) with a reflexive access list. We start with established.
Solving with established:
R2:
access-list 100 permit eigrp any any
access-list 100 permit tcp host 192.168.23.3 any established
(or use ack, which matches the ACK bit only; established matches segments of an established connection, i.e. those with the ACK or RST bit set)
interface s0/1
 ip access-group 100 in
(if applied on interface s0/0 instead, the direction is out)
Test:
R1: telnet 192.168.23.3 connects normally, while a telnet from R3 to R1 is refused.
Question: should this be applied inbound on s0/1 or outbound on s0/0?
Outbound on s0/0 is definitely the better choice, because only access between R1 and R3 is being controlled here; nothing says R2 and R3 may not reach each other.
Solving with a reflexive access list:
R2:
ip access-list extended infilter
 permit eigrp any any
 permit tcp any host 192.168.23.3 reflect telnet
(the parameter timeout 240 can be added here so that the reflexive entry expires after 240 s; the timeout can also be set globally with ip reflexive-list timeout 240; note that the unit is seconds)
ip access-list extended outfilter
 permit eigrp any any
 evaluate telnet
interface s0/0
 ip access-group infilter in
interface s0/1
 ip access-group outfilter in
Test:
R1: telnet R3 at 192.168.23.3 connects normally, while a telnet from R3 to R1 is refused.
After a successful login, display the access lists on R2:
r2#sh ip access
Extended IP access list infilter
    10 permit eigrp any any (846 matches)
    20 permit tcp any host 192.168.23.3 reflect telnet (61 matches)
Extended IP access list outfilter
    10 evaluate telnet
    20 permit eigrp any any (162 matches)
Reflexive IP access list telnet
    permit tcp host 192.168.23.3 eq telnet host 192.168.12.1 eq 49521 (27 matches) (time left 295)
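The two R2 filters above give different verdicts on inbound traffic from R3 that belongs to no session, which is the practical difference between the stateless established keyword and a reflexive list. The Python model below is an added example, not part of these lab notes or of any Cisco code: it models the established rule from the first solution and the reflect/evaluate pair from the second on a constructed packet sequence. The addresses and the client port 49521 are taken from the show output above; Packet, ReflexiveAcl, established_permits and run_scenario are illustrative names, and the 5-second linger after both FINs reproduces what the lab observes rather than IOS internals.

```python
# Added example: a small model of how the two R2 filters above decide on
# inbound packets from R3. Packet, ReflexiveAcl and established_permits are
# illustrative names, not Cisco IOS APIs; all traffic below is constructed.
from dataclasses import dataclass
from math import inf

R1, R3 = "192.168.12.1", "192.168.23.3"   # addresses from the lab


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "RST"}
    t: float              # arrival time in seconds


def established_permits(pkt):
    """'permit tcp host 192.168.23.3 any established': stateless, it passes any
    segment from R3 carrying ACK or RST, whether or not a session exists."""
    return pkt.src == R3 and bool(pkt.flags & {"ACK", "RST"})


class ReflexiveAcl:
    """'permit tcp any host 192.168.23.3 reflect telnet' on the R1->R3 path and
    'evaluate telnet' on the R3->R1 path. Entries are keyed by the mirrored
    5-tuple, refreshed by traffic, and torn down shortly after both FINs."""
    FIN_GRACE = 5   # seconds an entry lingers once both ends have sent FIN

    def __init__(self, timeout=300):   # IOS default reflexive timeout is 300 s
        self.timeout = timeout
        self.entries = {}   # mirrored (src, sport, dst, dport) -> expiry time
        self.fins = {}      # mirrored key -> endpoints that have sent FIN

    def reflect(self, pkt):
        """Outbound direction: a packet toward R3 creates/refreshes a mirror entry."""
        if pkt.dst != R3:
            return False
        self._touch((pkt.dst, pkt.dport, pkt.src, pkt.sport), pkt)
        return True

    def evaluate(self, pkt):
        """Inbound direction: permitted only if a live mirror entry matches exactly."""
        self._expire(pkt.t)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            return False
        self._touch(key, pkt)
        return True

    def _touch(self, key, pkt):
        if "FIN" in pkt.flags:
            self.fins.setdefault(key, set()).add(pkt.src)
        if len(self.fins.get(key, ())) == 2:
            # both FINs seen: never extend, cap at the short grace period
            self.entries[key] = min(self.entries.get(key, inf), pkt.t + self.FIN_GRACE)
        else:
            self.entries[key] = pkt.t + self.timeout

    def _expire(self, now):
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]
            self.fins.pop(key, None)

    def time_left(self, key, now):
        """Mirrors the '(time left N)' column of 'show ip access-list'."""
        return max(0, int(self.entries[key] - now)) if key in self.entries else None


def run_scenario(timeout=240):
    """Constructed traffic: R1's telnet session (client port 49521 as in the
    show output), unsolicited segments from R3, then teardown and idle expiry.
    Returns each filter's verdict keyed by case name."""
    acl, f, r = ReflexiveAcl(timeout), frozenset, {}
    acl.reflect(Packet(R1, 49521, R3, 23, f({"SYN"}), 0.0))
    synack = Packet(R3, 23, R1, 49521, f({"SYN", "ACK"}), 0.1)
    r["reply_reflexive"] = acl.evaluate(synack)             # mirror entry matches
    r["reply_established"] = established_permits(synack)    # ACK bit set
    r["time_left"] = acl.time_left((R3, 23, R1, 49521), 5.0)   # 235 s remain
    # R3 opening its own telnet to R1: a SYN without ACK, blocked by both filters.
    new_syn = Packet(R3, 40000, R1, 23, f({"SYN"}), 1.0)
    r["r3_syn_reflexive"] = acl.evaluate(new_syn)
    r["r3_syn_established"] = established_permits(new_syn)
    # A segment from R3 with ACK set that belongs to no session: only the
    # stateless established rule lets it through.
    stray = Packet(R3, 40001, R1, 23, f({"ACK"}), 1.5)
    r["stray_ack_reflexive"] = acl.evaluate(stray)
    r["stray_ack_established"] = established_permits(stray)
    # Orderly close: after FINs both ways the entry survives only FIN_GRACE seconds.
    acl.reflect(Packet(R1, 49521, R3, 23, f({"FIN", "ACK"}), 10.0))
    acl.evaluate(Packet(R3, 23, R1, 49521, f({"FIN", "ACK"}), 10.2))
    r["after_close"] = acl.evaluate(Packet(R3, 23, R1, 49521, f({"ACK"}), 20.0))
    # Idle expiry: a second session left silent for longer than the timeout.
    acl.reflect(Packet(R1, 50000, R3, 23, f({"SYN"}), 100.0))
    r["idle_ok"] = acl.evaluate(Packet(R3, 23, R1, 50000, f({"ACK"}), 300.0))
    r["idle_expired"] = acl.evaluate(Packet(R3, 23, R1, 50000, f({"ACK"}), 600.0))
    return r


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:24} {verdict}")
```

The stray_ack case is the one to look at: established accepts it because it only inspects flag bits, while the reflexive list rejects it because no outbound packet ever created the mirrored entry. The after_close and idle_expired cases show the two ways an entry disappears, matching the 5-second teardown noted later in these notes and the configured timeout.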
Requirement 3: because the traffic to be restricted is R2's own traffic toward R3, an ordinary ACL on R2 will not take effect (interface ACLs do not filter packets the router itself generates, so nothing would trigger the reflect). PBR can be used to solve this (solution 1).
R2:
ip access-list extended infilter
 permit eigrp any any
 evaluate telnet
ip access-list extended outfilter
 permit eigrp any any
 permit tcp any host 192.168.23.3 reflect telnet timeout 240
interface s0/1
 ip access-group infilter in
 ip access-group outfilter out
(this time both lists are applied on one interface, instead of on two interfaces as before)
route-map itb permit 10
 match ip address outfilter
conf t
ip local policy route-map itb
Test:
R2: telnet 192.168.23.3 succeeds, while telnet 192.168.23.2 from R3 fails.
Note: after R2 has logged into R3 and then exits, the reflexive entry is kept for only 5 seconds (because both FIN bits are detected within those 5 seconds).
To view the timeout of the entry created by R2's successful login to R3, log into R2 from R1 and run show ip access:
(after logging into R2 from R1) r2>sh ip access
Extended IP access list infilter
    10 permit eigrp any any (351 matches)
    20 evaluate telnet
Extended IP access list outfilter
    10 permit eigrp any any
    20 permit tcp any host 192.168.23.3 reflect telnet (63 matches)
Reflexive IP access list telnet
    permit tcp host 192.168.23.3 eq telnet host 192.168.23.2 eq 29507 (26 matches) (time left 296)
The simplest method here, of course, is to use established on R3 (solution 2).
R2:
access-list 100 permit tcp any host 192.168.23.2 established
interface s0/1
 ip access-group 100 in
Test:
R2: telnet 192.168.23.3 succeeds;
R3: telnet 192.168.23.2 fails.
r2 ping 192.168.23.2 also fails, because ICMP is not permitted.