The steps to configure a reflexive ACL are as follows:
1. Define a named extended ACL (reflexive entries can only be placed in named extended ACLs):
Aiko(config)#ip access-list extended {name}
2. Define the reflexive entry; the reflect keyword creates a temporary mirror entry in the reflexive list {name} for every session that matches:
Aiko(config-ext-nacl)#permit {protocol} any any reflect {name} [timeout seconds]
3. Nest the reflexive list in the ACL that filters the returning traffic:
Aiko(config-ext-nacl)#evaluate {name}
4. Apply the ACLs to an interface:
Aiko(config-if)#ip access-group {name} {in|out}
5. Optionally set the global inactivity timeout for reflexive entries (the default is 300 seconds; a timeout given in step 2 overrides it for that entry):
Aiko(config)#ip reflexive-list timeout {seconds}
Case 2
The 192.168.0.0/24 segment attached to router B is the internal zone; the 10.0.0.0/30 link on router B's serial interface and the upstream networks beyond it are the external zone. Routers A and B run EIGRP. Requirements: permit EIGRP and ICMP; permit TCP and UDP traffic toward the external zone; do not permit unsolicited TCP and UDP traffic into the internal zone (only the return traffic of sessions initiated from inside may come back in):
Router B is configured as follows:
!
! Applied "in" on Ethernet0, so this ACL sees traffic arriving from the
! internal hosts on its way to the external zone. TCP and UDP sessions
! opened from inside are permitted and mirrored into the reflexive list Aiko.
ip access-list extended inbound
 permit eigrp any any
 permit icmp any any
 permit tcp any any reflect Aiko
 permit udp any any reflect Aiko
!
! Applied "out" on Ethernet0, so this ACL sees traffic from the external
! zone heading to the internal hosts. Only EIGRP, ICMP and return traffic
! that matches a temporary entry in Aiko get through; everything else
! hits the implicit deny at the end of the list.
ip access-list extended outbound
 permit eigrp any any
 permit icmp any any
 evaluate Aiko
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip access-group inbound in
 ip access-group outbound out
!
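How the temporary entries behave under the Case 2 policy, as an added example that is not part of the original post and not Cisco IOS code: a small Python model of reflect and evaluate. The ACL that carries reflect must see the traffic leaving the internal zone, and the ACL that carries evaluate must see the traffic coming back from the external zone. The hosts 192.168.0.10 and 203.0.113.5, the ports, the packet timings and the 300-second inactivity timeout (the IOS default) are constructed for illustration; the model omits IOS's early removal of TCP entries when a session closes and treats UDP exchanges the same way as TCP, which is what the policy above does.

```python
from dataclasses import dataclass

# Added example modelling Cisco reflexive ACL behaviour for the Case 2 policy.
# Not IOS code. Addresses, ports, timings and sample packets are constructed.


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", "icmp" or "eigrp"
    src: str
    dst: str
    sport: int = 0    # 0 for protocols without ports
    dport: int = 0


class ReflexiveList:
    """Temporary entries, keyed on the 5-tuple of the expected return packet.

    timeout is the inactivity timeout in seconds; 300 is the IOS default
    (ip reflexive-list timeout). Session-close detection for TCP is omitted.
    """

    def __init__(self, timeout=300):
        self.timeout = timeout
        self.entries = {}  # (proto, src, sport, dst, dport) -> last-seen time

    def reflect(self, pkt, now):
        # The mirror of an outgoing packet: source and destination swapped.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now

    def evaluate(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        seen = self.entries.get(key)
        if seen is None:
            return False
        if now - seen > self.timeout:
            del self.entries[key]   # expired through inactivity
            return False
        self.entries[key] = now     # matching traffic refreshes the entry
        return True


STATELESS = {"eigrp", "icmp"}   # permitted in both directions without state


def from_internal(pkt, rl, now):
    """The ACL that carries 'reflect': sees traffic leaving the internal zone."""
    if pkt.proto in STATELESS:
        return True
    if pkt.proto in ("tcp", "udp"):
        rl.reflect(pkt, now)        # permit tcp/udp any any reflect Aiko
        return True
    return False                    # implicit deny


def from_external(pkt, rl, now):
    """The ACL that carries 'evaluate': sees traffic entering the internal zone."""
    if pkt.proto in STATELESS:
        return True
    return rl.evaluate(pkt, now)    # evaluate Aiko, then implicit deny


def run_case2():
    """Push constructed packets through the policy; returns the verdicts."""
    rl = ReflexiveList(timeout=300)
    inside, outside = "192.168.0.10", "203.0.113.5"   # constructed hosts
    verdicts = [
        # 1. internal host opens TCP/80 outward: permitted and mirrored
        from_internal(Packet("tcp", inside, outside, 40000, 80), rl, now=0),
        # 2. the server's reply matches the mirrored entry: permitted
        from_external(Packet("tcp", outside, inside, 80, 40000), rl, now=1),
        # 3. unsolicited connection from outside to TCP/445: denied
        from_external(Packet("tcp", outside, inside, 4444, 445), rl, now=1),
        # 4. ICMP from outside: permitted statelessly by this policy
        from_external(Packet("icmp", outside, inside), rl, now=1),
        # 5. the same reply after more than 300 s of silence: entry expired
        from_external(Packet("tcp", outside, inside, 80, 40000), rl, now=400),
    ]
    return verdicts


if __name__ == "__main__":
    print(run_case2())   # [True, True, False, True, False]
```

Two points the run makes visible: the mirrored entry is specific to addresses and ports, so a packet from the same server to a different internal port is still denied, and ICMP is permitted unconditionally in both directions by this policy, so ICMP probes from the external zone are not blocked by the configuration above.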