
Configuration example: implementing multi-tier reflexive ACLs


The router configuration is as follows:
  
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation isl 11
 ip address 192.168.0.1 255.255.255.0
 ip access-group v11 in
!
interface FastEthernet0/0.2
 encapsulation isl 10
 ip address 172.16.1.1 255.255.255.0
 ip access-group v10 in
!
interface FastEthernet0/1
 ip address 10.10.10.9 255.255.255.0
 ip access-group v13 in
!
ip route 0.0.0.0 0.0.0.0 10.10.10.10
!
ip access-list extended v10
 permit ip 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit tcp 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit udp 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit icmp 172.16.1.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit ip 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255 reflect v111
 permit tcp 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255 reflect v111
 permit udp 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255 reflect v111
 permit icmp 172.16.1.0 0.0.0.255 192.168.0.0 0.0.0.255 reflect v111
 permit ip any any
!
ip access-list extended v11
 evaluate v111
 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny icmp 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny udp 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
 deny tcp 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit udp 192.168.0.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit icmp 192.168.0.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit tcp 192.168.0.0 0.0.0.255 172.18.0.0 0.0.255.255 reflect v133
 permit ip any any
!
ip access-list extended v13
 evaluate v133
 deny icmp 172.18.0.0 0.0.255.255 172.16.1.0 0.0.0.255
 deny ip 172.18.0.0 0.0.255.255 172.16.1.0 0.0.0.255
 deny udp 172.18.0.0 0.0.255.255 172.16.1.0 0.0.0.255
 deny tcp 172.18.0.0 0.0.255.255 172.16.1.0 0.0.0.255
 deny icmp 172.18.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 deny ip 172.18.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 deny tcp 172.18.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 deny udp 172.18.0.0 0.0.255.255 192.168.0.0 0.0.0.255
 permit ip any any
!
ip access-list logging interval 100
  
  
The configuration above implements three tiers of access between subnets, suited to an enterprise with three subnets: general manager, finance, and staff.
  
Test method:
After the configuration is complete, on a host in one subnet open two windows running the ping command, each pinging one of the other two subnets.
Then on the router use sh ip access-l to check whether the ACL entries you expect have been generated. If not, check which ACL entry is taking effect (look at the match count after each ACL entry; while the ping is running, one entry's count will keep increasing).
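To check the three-tier policy before touching a live router, here is an added Python model (not from the original article) of the three inbound ACLs and the mirror entries that `reflect` installs and `evaluate` consults. The tier labels (general manager = 172.16.1.0/24, finance = 192.168.0.0/24, staff = 172.18.0.0/16) are inferred from which subnet may initiate sessions to which; the sample hosts and ports are constructed, the per-protocol lines are collapsed into one entry per pair, and idle timeouts are omitted.

```python
import ipaddress

# Subnets from the page (general manager, finance, staff) and a model of its
# inbound ACLs: static entries are (action, src_net, dst_net, reflect_list);
# "evaluate" names the reflexive list consulted at that point.
GM, FIN, STAFF = "172.16.1.0/24", "192.168.0.0/24", "172.18.0.0/16"
ANY = "0.0.0.0/0"
ACLS = {
    "v10": [("permit", GM, STAFF, "v133"), ("permit", GM, FIN, "v111"),
            ("permit", ANY, ANY, None)],
    "v11": [("evaluate", "v111"), ("deny", FIN, GM, None),
            ("permit", FIN, STAFF, "v133"), ("permit", ANY, ANY, None)],
    "v13": [("evaluate", "v133"), ("deny", STAFF, GM, None),
            ("deny", STAFF, FIN, None), ("permit", ANY, ANY, None)],
}
INGRESS = {GM: "v10", FIN: "v11", STAFF: "v13"}  # inbound ACL per source subnet

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

class ReflexiveRouter:
    def __init__(self):
        self.reflex = {"v111": set(), "v133": set()}  # mirror entries per list

    def forward(self, src, dst, proto, sport, dport):
        acl_name = next(n for s, n in INGRESS.items() if in_net(src, s))
        for entry in ACLS[acl_name]:
            if entry[0] == "evaluate":
                if (src, dst, proto, sport, dport) in self.reflex[entry[1]]:
                    return True        # reply to a session permitted earlier
                continue               # no mirror entry: try the static entries
            action, s_net, d_net, reflect = entry
            if in_net(src, s_net) and in_net(dst, d_net):
                if action == "permit" and reflect:
                    # install the mirrored 5-tuple for the return direction
                    self.reflex[reflect].add((dst, src, proto, dport, sport))
                return action == "permit"
        return False                   # implicit deny at the end of the list

def session_results():
    r = ReflexiveRouter()
    gm, fin, staff = "172.16.1.10", "192.168.0.10", "172.18.5.10"  # constructed
    return {
        "gm->fin": r.forward(gm, fin, "tcp", 40000, 80),
        "fin->gm reply": r.forward(fin, gm, "tcp", 80, 40000),
        "fin->gm new": r.forward(fin, gm, "tcp", 50000, 22),
        "fin->staff": r.forward(fin, staff, "tcp", 40001, 445),
        "staff->fin reply": r.forward(staff, fin, "tcp", 445, 40001),
        "staff->gm new": r.forward(staff, gm, "tcp", 50002, 22),
    }
```

The mirror entries accumulating in `r.reflex` correspond to the temporary entries the test method above tells you to look for with sh ip access-l.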

Source: 天下网吧. Author: 网吧方案.
