Reflexive ACL configuration based on GNS3

This topology can be used for reflexive ACLs, dynamic ACLs and time-based ACLs.

| Device | Interface | IP Address | Subnet Mask   | Default Gateway |
|--------|-----------|------------|---------------|-----------------|
| R1     | Fa0/0     | 10.118.1.1 | 255.255.255.0 | N/A             |
| R1     | Fa0/1     | 14.118.1.4 | 255.255.255.0 | N/A             |
| R2     | Fa0/0     | 10.118.1.2 | 255.255.255.0 | N/A             |
| R3     | Fa0/0     | 10.118.1.3 | 255.255.255.0 | N/A             |
| R4     | Fa0/1     | 14.118.1.4 | 255.255.255.0 | N/A             |

Before the experiment, every device can ping every other device.

(1) Configure the inbound ACL: ICMP is allowed to enter the network without being marked; all other traffic must have been marked (reflected) on the way out before it is allowed back in.

r1(config)#ip access-list extended come

r1(config-ext-nacl)#permit icmp any any          ! ICMP enters the network without needing a reflexive entry

r1(config-ext-nacl)#evaluate abc                 ! any other traffic may enter only if it matches an entry reflected into abc

(2) Apply the ACL

r1(config)#int f0/1

r1(config-if)#ip access-group come in

1. Test results

(1) Test: the external host R4 pings the internal network (ICMP)

Note: ICMP from the outside is allowed in.

(2) Test: the external host R4 telnets into the internal network

Note: apart from ICMP, no other traffic can enter the internal network.

(3) Test: the internal host R2 pings the external network (ICMP)

Note: the internal network can send ICMP to the external network, and the replies return normally.

(4) Test: the internal host R2 initiates telnet to the external network

(5) Configure the outbound ACL: when telnet leaves the internal network it is recorded in abc, so its return traffic will be allowed back in

r1(config)#ip access-list extended goto

r1(config-ext-nacl)#permit tcp any any eq telnet reflect abc timeout 60   ! telnet is recorded in abc

r1(config-ext-nacl)#permit ip any any

(6) Apply the ACL

r1(config)#int f0/1

r1(config-if)#ip access-group goto out

4. Test results

(1) Check ICMP from R2 to the external network

Note: ICMP works normally.

(2) Check telnet initiated from the internal network to the external network

r2#telnet 14.118.1.4

Trying 14.118.1.4 ... Open

Note: the telnet that the internal network sends to the external network is now marked as abc, so an opening is created for it on the way back and the return traffic is allowed in.

(3) View the ACL

Note: there is an entry in abc that permits telnet from the external network to the internal network. Because the telnet sent from the internal network to the external network was marked, the ACL entry allowing its return was generated automatically, and it is followed by the remaining time.
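To make the behaviour above concrete, here is an added model (not from the original post) of what R1's two ACLs do: "goto" mirrors outbound telnet into abc with the 60 s timeout, and "come" lets ICMP in but evaluates abc for everything else. It uses the post's addresses for R2 and R4; the TCP source ports are constructed values.

```python
# Added example: a small model of the reflexive ACL on R1 (not the post's own code).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "icmp" or "tcp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


class ReflexiveACL:
    def __init__(self, timeout: int = 60) -> None:
        self.timeout = timeout
        self.reflected: dict[Packet, float] = {}   # mirrored entry in abc -> expiry time

    def outbound(self, pkt: Packet, now: float, reflect_telnet: bool) -> bool:
        # ACL "goto": permit tcp any any eq telnet reflect abc timeout 60 / permit ip any any
        if reflect_telnet and pkt.proto == "tcp" and pkt.dport == 23:
            # the reflected entry swaps source and destination (address and port)
            mirror = Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
            self.reflected[mirror] = now + self.timeout
        return True  # permit ip any any

    def inbound(self, pkt: Packet, now: float) -> bool:
        # ACL "come": permit icmp any any / evaluate abc / implicit deny
        if pkt.proto == "icmp":
            return True
        expiry = self.reflected.get(pkt)
        if expiry is None or now > expiry:
            self.reflected.pop(pkt, None)   # expired entry is removed
            return False
        return True


def run_tests() -> dict[str, bool]:
    R2, R4 = "10.118.1.2", "14.118.1.4"   # inside host and outside host from the post
    acl = ReflexiveACL()
    results = {}
    results["r4_ping_in"] = acl.inbound(Packet("icmp", R4, R2), now=0)
    results["r4_telnet_in"] = acl.inbound(Packet("tcp", R4, R2, 40000, 23), now=0)
    # R2 telnets out before "goto" reflects telnet: the reply is dropped at "come"
    acl.outbound(Packet("tcp", R2, R4, 50000, 23), now=1, reflect_telnet=False)
    results["telnet_reply_no_reflect"] = acl.inbound(Packet("tcp", R4, R2, 23, 50000), now=1)
    # with "goto" applied, the mirrored entry in abc opens the gap for the reply
    acl.outbound(Packet("tcp", R2, R4, 50000, 23), now=2, reflect_telnet=True)
    results["telnet_reply_reflected"] = acl.inbound(Packet("tcp", R4, R2, 23, 50000), now=3)
    results["telnet_reply_after_timeout"] = acl.inbound(Packet("tcp", R4, R2, 23, 50000), now=63)
    return results
```

A real IOS reflexive entry also refreshes its timer on matching traffic and is torn down on TCP FIN/RST; this model keeps only the fixed timeout.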


Origin www.cnblogs.com/hcb-/p/10941945.html