
Implementing a reflexive ACL in Cisco Packet Tracer

2022-06-12 18:18:00 Confused dream butterfly

Contents

I. Preface

II. Experiment

Experiment 1: Using an ACL to control link connectivity

Experiment 2: Implementing a reflexive ACL in the Cisco Packet Tracer simulator

Step 1: Enable securityk9 on the 2911 router

Step 2: Configure the ACL

Step 3: Verify connectivity

III. Summary


I. Preface

While recently learning ACLs with the Cisco Packet Tracer simulator, I ran into a small problem. ACLs come in two kinds, standard access control lists and extended access control lists. When a router is configured with an access control list, the deny rule in the list is indeed enforced, but the far end cannot ping back either. The specific phenomenon is as follows:

II. Experiment

Experiment 1: Using an ACL to control link connectivity

Experimental topology

As shown in the figure, the 2911 router connects two terminal devices that sit in different network segments. At this point the link can be pinged through.

Test connectivity

Of course PC0 can ping PC1, and the reverse direction works as well!

Configure the ACL

Configure an ACL on Router0 (the 2911). Here only a simple standard ACL is used.

tsy(config)#access-list 11 deny 192.168.10.0 0.0.0.255   // deny traffic from the 192.168.10.0/24 segment
tsy(config)#access-list 11 permit any                    // Note: this line is the most important. In Cisco IOS, once an access list is created (see the previous article), every other network segment is also denied by default by the implicit deny at the end of the list; only this line overrides that default and lets the remaining segments through
tsy(config)#int g0/1
tsy(config-if)#ip access-group 11 out                    // apply the list to interface G0/1 in the outbound direction
tsy(config-if)#exit
tsy(config)#exit

View the access control list

tsy#show ip ac
tsy#show ip access-lists 
Standard IP access list 11
    10 deny 192.168.10.0 0.0.0.255
    20 permit any

tsy#

Test connectivity again

PC0 pings PC1: destination port unreachable.

PC1 pings PC0: also fails, but with a request timeout.

Why can't PC1 ping PC0? Doesn't the list only restrict the path from PC0 to PC1?!!!

Because of the way ping works: the two endpoints go through a mutual request-and-confirmation process, shown below:

This is my understanding.

Experiment 2: Implementing a reflexive ACL in the Cisco Packet Tracer simulator

How do we achieve a one-way ping, where we can ping the far end but the far end cannot ping us? I found something in Baidu's knowledge store. The following refers to this Baidu Jingyan article: https://jingyan.baidu.com/article/948f5924a79294d80ef5f95c.html

Step 1: Enable securityk9 on the 2911 router

tsy#conf terminal                       // enter configuration mode
tsy(config)#license boot module c2900 technology-package securityk9  // enable the securityk9 technology package

// ... license text omitted ...

ACCEPT? [yes/no]: Y                     // confirm
tsy#write
Building configuration...
[OK]
tsy#reload                              // restart the router
// ... boot output omitted ...
tsy>en
tsy#show lic
tsy#show license fe
tsy#show license feature                // check the license after the restart: securityk9 is now enabled
Feature name      Enforcement  Evaluation  Subscription   Enabled  RightToUse
ipbasek9          no           no          no             yes      no
securityk9        yes          yes         no             yes      yes
datak9            yes          no          no             no       yes
uck9              yes          yes         no             no       yes

tsy#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
tsy(config)#

Step 2: Configure the ACL

tsy#conf terminal                        // enter configuration mode
tsy(config)#ip access-list extended TSY  // create the extended access control list TSY
tsy(config-ext-nacl)#deny ip any any     // deny all traffic from every network segment
tsy(config-ext-nacl)#exit
tsy(config)#int G0/1                     // select interface G0/1
tsy(config-if)#ip access-group TSY in    // apply access list TSY to the inbound direction of G0/1
tsy(config-if)#exit
tsy(config)#ip inspect name Tong http audit-trail on  // as I understand it, this lets HTTP round-trip traffic through, tagged with the inspection name Tong
tsy(config)#ip inspect name Tong icmp audit-trail on  // likewise for ICMP round-trip traffic, under the same name Tong
tsy(config)#int G0/1                     // select interface G0/1
tsy(config-if)#ip inspect Tong out       // apply the inspection rule Tong to the outbound direction of G0/1
tsy(config-if)#exit
tsy(config)#exit

I am not sure whether my understanding here is right; I hope you can correct me!

View the access control list

tsy#show ip access-lists 
Extended IP access list TSY
    10 deny ip any any (4 match(es))

Step 3: Verify connectivity

PC0 pings PC1: the ping succeeds.

However, PC1 pinging PC0 fails, with the destination port reported unreachable.
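To see why experiment 1 fails in both directions while experiment 2 lets only PC0 through, here is a small Python model of the router's filtering, written for this post as an added example (it is not from the original article, from the Baidu reference, or from Cisco). It assumes PC0 is 192.168.10.10 behind G0/0 and PC1 is 192.168.20.10 behind G0/1; the article only says the two PCs are in different segments and that 192.168.10.0/24 is the denied network. The model implements the wildcard-mask match and implicit deny of a standard ACL, the inbound and outbound application points on an interface, and a simplified `ip inspect`: a packet leaving through an inspected interface records a session, and only the matching reply is allowed back past the inbound ACL.

```python
"""Model of the two experiments: a stateless standard ACL versus 'deny ip any
any' plus 'ip inspect' (the stateful, reflexive-style return hole). Added
example, not code from the original post; the addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field

PC0 = "192.168.10.10"   # assumed: PC0 hangs off Gig0/0
PC1 = "192.168.20.10"   # assumed: PC1 hangs off Gig0/1
SEGMENTS = {"g0/0": ipaddress.IPv4Network("192.168.10.0/24"),
            "g0/1": ipaddress.IPv4Network("192.168.20.0/24")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "icmp" is all this model needs
    kind: str    # "echo-request" or "echo-reply"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (n & care)


def standard_acl(entries):
    """Numbered standard ACL: first source-address match wins, implicit deny."""
    def permits(pkt: Packet) -> bool:
        for action, net, wc in entries:
            if net == "any" or wildcard_match(pkt.src, net, wc):
                return action == "permit"
        return False                     # the implicit 'deny any'
    return permits


def deny_ip_any_any(pkt: Packet) -> bool:
    """Extended ACL TSY, whose only line is 'deny ip any any'."""
    return False


def iface_facing(addr: str) -> str:
    for iface, seg in SEGMENTS.items():
        if ipaddress.IPv4Address(addr) in seg:
            return iface
    raise ValueError(f"no route to {addr}")


@dataclass
class Router:
    in_acl: dict = field(default_factory=dict)     # iface -> 'ip access-group X in'
    out_acl: dict = field(default_factory=dict)    # iface -> 'ip access-group X out'
    inspect_out: set = field(default_factory=set)  # ifaces with 'ip inspect Tong out'
    sessions: set = field(default_factory=set)     # (src, dst, proto) seen leaving

    def forward(self, pkt: Packet) -> bool:
        """True if the packet crosses the router, False if an ACL drops it."""
        ingress, egress = iface_facing(pkt.src), iface_facing(pkt.dst)
        # Inspection opens a return path only for the reply to a request it saw
        # leave; an unsolicited echo-request from the far side never matches.
        key = (pkt.dst, pkt.src, pkt.proto)
        returning = pkt.kind == "echo-reply" and key in self.sessions
        if returning:
            self.sessions.discard(key)   # ICMP sessions are short-lived
        acl = self.in_acl.get(ingress)
        if acl is not None and not returning and not acl(pkt):
            return False
        acl = self.out_acl.get(egress)
        if acl is not None and not acl(pkt):
            return False
        if egress in self.inspect_out and pkt.proto == "icmp":
            self.sessions.add((pkt.src, pkt.dst, pkt.proto))
        return True


def ping(router: Router, src: str, dst: str) -> str:
    """One request/reply exchange; the strings mirror what the PCs report."""
    if not router.forward(Packet(src, dst, "icmp", "echo-request")):
        return "unreachable"   # the router drops the request and says so
    if not router.forward(Packet(dst, src, "icmp", "echo-reply")):
        return "timeout"       # request arrived, the reply was filtered coming back
    return "ok"


def experiment1() -> dict:
    """access-list 11: deny 192.168.10.0 0.0.0.255, permit any; applied out on G0/1."""
    r = Router()
    r.out_acl["g0/1"] = standard_acl([("deny", "192.168.10.0", "0.0.0.255"),
                                      ("permit", "any", None)])
    return {"PC0->PC1": ping(r, PC0, PC1), "PC1->PC0": ping(r, PC1, PC0)}


def experiment2() -> dict:
    """TSY (deny ip any any) applied in on G0/1, plus 'ip inspect Tong out' on G0/1."""
    r = Router()
    r.in_acl["g0/1"] = deny_ip_any_any
    r.inspect_out.add("g0/1")
    return {"PC0->PC1": ping(r, PC0, PC1), "PC1->PC0": ping(r, PC1, PC0)}
```

experiment1() returns "unreachable" for PC0->PC1 (the echo request is dropped at G0/1 outbound, so the router tells PC0 the destination is unreachable) and "timeout" for PC1->PC0 (the request reaches PC0, but PC0's reply is sourced from 192.168.10.0/24 and is dropped on its way out through G0/1, so PC1 simply waits). experiment2() returns "ok" for PC0->PC1 and "unreachable" for PC1->PC0: the inspect session recorded when PC0's request left G0/1 admits only the matching echo-reply, never an unsolicited request from PC1, which hits the deny-all list inbound.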

III. Summary

The "reflexive ACL" shown here is only the way it can be done in the Cisco simulator; a genuine reflexive ACL is not configured like this!!!

Copyright notice
This article was written by [Confused dream butterfly]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/163/202206121817135458.html