Applying Reflexive ACLs (Access Control Lists)

 
Requirement: on R2, permit traffic that R1 initiates toward R3, and deny all traffic that R3 initiates toward R1 (only the replies to R1's sessions may come back).
 
R2:

ip access-list extended out_acl
permit ip any any reflect any_acl     //reflect this entry: every outbound flow it permits creates a mirrored temporary entry in a reflexive list named any_acl

ip access-list extended in_acl
evaluate any_acl                      //nest the reflexive list here: inbound traffic that matches a live mirrored entry is permitted
deny ip any any                       //everything else arriving from R3's side is dropped

interface FastEthernet1/0             //R2's interface toward R3: "out" is traffic toward R3, "in" is traffic from R3
ip access-group in_acl in
ip access-group out_acl out
 

 
Note 1: the name after reflect and the name after evaluate must be the same; in this example it is any_acl.
Note 2: reflexive ACLs can only be defined inside named extended ACLs (reflect in the outbound list, evaluate in the inbound list); numbered ACLs do not support them.
Note 3: a mirrored entry is temporary. It is removed once no packet of the session has been seen for the timeout period, which is 300 seconds by default (hence "time left 283" in the output below). The default can be changed globally with ip reflexive-list timeout <seconds>, or per entry with permit ... reflect any_acl timeout <seconds>. TCP entries are also removed shortly after the connection closes (FIN/RST).
Note 4: the mirrored entry copies only the protocol, the swapped addresses and, for TCP/UDP, the swapped ports. For ICMP it carries no type or code, so the entry "permit icmp host 10.0.23.3 host 10.0.12.1" shown below also lets R3 send its own echo requests to R1 for as long as that entry is alive, and any such packet restarts the idle timer. R3-initiated traffic is fully denied only once the entry has aged out, which is the state the final test below shows. A reflexive ACL is therefore a stateless mirror of the 5-tuple, not a stateful inspection engine.
 

 
Result: R1 pings R3 twice; R2's access lists then show the temporary entry that R1's traffic created; finally R3's ping toward R1 is dropped.
 
R1#ping 10.0.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/40/108 ms
R1#ping 10.0.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/72/164 ms
R1#
 
 
R2#sh access-lists
Reflexive IP access list any_acl
     permit icmp host 10.0.23.3 host 10.0.12.1  (20 matches) (time left 283)
Extended IP access list in_acl
    10 evaluate any_acl
    20 deny ip any any
Extended IP access list out_acl
    10 permit ip any any reflect any_acl (10 matches)
R2#
 
 
R3#ping 10.0.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.12.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#

The "U" in R3's output is an ICMP destination unreachable (administratively prohibited) that R2 returns for packets in_acl denies; the U.U.U alternation is typical of IOS's default ICMP unreachable rate limit of one per 500 ms, so every other probe simply times out.
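To make the behaviour of the configuration above concrete, here is an added Python model of the reflexive-ACL mechanism on R2. It is not IOS code and not part of the original page: it imitates what "permit ... reflect any_acl" and "evaluate any_acl" do (mirror the protocol, swap addresses and ports, expire after an idle timeout that any packet of the session refreshes) and replays the page's test plus the cases the page does not show. The 300 s default timeout and the addresses 10.0.12.1 / 10.0.23.3 come from the page; the early removal of TCP entries on FIN/RST is deliberately omitted.

```python
"""Model of the reflexive ACL on R2 (added example imitating IOS behaviour, not IOS code).

out_acl 'permit ip any any reflect any_acl': each outbound flow toward R3 adds a
mirrored temporary entry to the reflexive list any_acl.
in_acl 'evaluate any_acl' then 'deny ip any any': inbound traffic from R3 passes only
if it matches a live mirrored entry.  TCP FIN/RST early removal is not modelled.
"""
from dataclasses import dataclass

R1 = "10.0.12.1"   # addresses from the page's topology
R3 = "10.0.23.3"


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: int = 0        # 0 for ICMP
    dport: int = 0
    note: str = ""        # e.g. ICMP type; deliberately NOT part of matching


@dataclass
class ReflexiveEntry:
    proto: str
    src: str              # outside host (original destination)
    dst: str              # inside host (original source)
    sport: int            # swapped ports, 0/0 for ICMP
    dport: int
    expires_at: float

    def key(self):
        return (self.proto, self.src, self.dst, self.sport, self.dport)

    def matches(self, pkt):
        if (self.proto, self.src, self.dst) != (pkt.proto, pkt.src, pkt.dst):
            return False
        if pkt.proto in ("tcp", "udp"):
            return (self.sport, self.dport) == (pkt.sport, pkt.dport)
        return True       # ICMP: the mirrored entry has no type/code to check


class ReflexiveList:
    """The temporary list IOS shows as 'Reflexive IP access list <name>'."""

    def __init__(self, name, timeout=300):
        self.name = name
        self.timeout = timeout
        self.entries = []

    def reflect(self, pkt, now):
        """Outbound packet hit 'permit ... reflect NAME': add or refresh a mirrored entry."""
        new = ReflexiveEntry(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport,
                             now + self.timeout)
        self.entries = [e for e in self.entries if e.key() != new.key()]
        self.entries.append(new)

    def evaluate(self, pkt, now):
        """Inbound 'evaluate NAME': age out stale entries, then look for a match."""
        self.entries = [e for e in self.entries if e.expires_at > now]
        for e in self.entries:
            if e.matches(pkt):
                e.expires_at = now + self.timeout   # any packet of the session restarts the idle timer
                return True
        return False

    def show(self, now):
        """Render live entries the way 'show access-lists' prints them."""
        lines = []
        for e in self.entries:
            if e.expires_at <= now:
                continue
            left = int(e.expires_at - now)
            if e.proto in ("tcp", "udp"):
                lines.append(f"permit {e.proto} host {e.src} eq {e.sport} host {e.dst} eq {e.dport} (time left {left})")
            else:
                lines.append(f"permit {e.proto} host {e.src} host {e.dst} (time left {left})")
        return lines


class R2:
    """in_acl / out_acl as applied on R2's FastEthernet1/0 toward R3."""

    def __init__(self, timeout=300):
        self.any_acl = ReflexiveList("any_acl", timeout)

    def out_acl(self, pkt, now):
        self.any_acl.reflect(pkt, now)          # 10 permit ip any any reflect any_acl
        return "permit"

    def in_acl(self, pkt, now):
        if self.any_acl.evaluate(pkt, now):     # 10 evaluate any_acl
            return "permit"
        return "deny"                           # 20 deny ip any any (R2 answers with ICMP unreachable)


def scenario(timeout=300):
    """Replay the page's test and the cases it does not show; returns a dict of verdicts."""
    r2 = R2(timeout)
    out = {}
    r2.out_acl(Packet("icmp", R1, R3, note="echo-request"), now=0)             # R1 pings R3
    out["echo_reply"] = r2.in_acl(Packet("icmp", R3, R1, note="echo-reply"), now=1)
    out["show_at_18s"] = r2.any_acl.show(now=18)[0]                            # as on the page: time left 283
    # Caveat from Note 4: the ICMP entry has no type, so R3's own echo request passes while it is alive
    out["r3_ping_alive"] = r2.in_acl(Packet("icmp", R3, R1, note="echo-request"), now=20)
    out["r3_ssh_alive"] = r2.in_acl(Packet("tcp", R3, R1, 40000, 22), now=20)  # other protocols still denied
    # After the idle timeout the entry is gone: this is the state the page's R3 ping shows
    out["r3_ping_expired"] = r2.in_acl(Packet("icmp", R3, R1, note="echo-request"), now=400)
    # TCP/UDP entries mirror ports too, so only the exact reverse 4-tuple is let back in
    r2.out_acl(Packet("tcp", R1, R3, 50000, 23), now=500)                       # R1 telnets to R3
    out["telnet_reply"] = r2.in_acl(Packet("tcp", R3, R1, 23, 50000), now=501)
    out["telnet_other_port"] = r2.in_acl(Packet("tcp", R3, R1, 23, 50001), now=501)
    return out


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:18} {verdict}")
```

Running the script prints one verdict per case; the two worth noticing are r3_ping_alive (permit) and r3_ping_expired (deny), which together explain why the page's R3 ping only fails once the mirrored entry has aged out.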