
Configuring IP session filtering (reflexive access lists)

2007-02-13 01:55


1. External interface configuration

Topology: R1 is the internal router, R2 is the border router, and R3 is the external router. R1 and R2 are connected through a LAN switch; R2 and R3 are connected through a Frame Relay switch.

Configuration example

Initial configuration

R1
conf t
int f0/0
ip ad 10.1.1.1 255.255.255.0
no shut
router eigrp 1
no au
net 10.0.0.0
end

R2
conf t
int f 0/0
ip ad 10.1.1.2 255.255.255.0
no shut
int s2/0
ip ad 10.1.2.2 255.255.255.0
encap f
no arp f
no frame inver
frame map ip 10.1.2.3 203 b
frame map ip 10.1.2.4 204 b
no shut
router eigrp 1
no au
net 10.0.0.0
exit

R3
conf t
int s2/0
ip ad 10.1.2.3 255.255.255.0
encap f
no arp f
no frame inver
frame map ip 10.1.2.2 302 b
frame map ip 10.1.2.4 302 b
no shut
router eigrp 1
no au
net 10.0.0.0
end

Once the EIGRP neighbors are up, configure a reflexive access list on the border router (R2) to filter the internal users' access to the external network.

R2
conf t
ip access-list extended intraffic
per eigrp any any
deny icmp any any
evaluate tcptraffic
exit
ip access-list extended outtraffic
per tcp any any reflect tcptraffic
exit
int s2/0
ip access-group intraffic in
ip access-group outtraffic out
exit
ip reflexive-list timeout 180
end

Verification

Configure on R3
conf t
line v 0 4
password comeon
login
end

Verify on R1
R1#ping 10.1.2.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.3, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R1#telnet 10.1.2.3
Trying 10.1.2.3 ... Open


User Access Verification

Password:
R3>
quit

[Connection to 10.1.2.3 closed by foreign host]
R1#

Observe the EIGRP neighbor table on R2
R2#sh ip ei n
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
2 10.1.2.4 Se2/0 20 00:04:31 1 5000 0 2
1 10.1.1.1 Fa0/0 13 00:04:33 784 4704 0 2
0 10.1.2.3 Se2/0 118 00:04:33 1 5000 0 2
This shows that R2 lets EIGRP and TCP traffic through but does not let ICMP traffic through.

Check the ACLs on R2
R2#sh access-list
Extended IP access list intraffic
10 permit tcp any any reflect tcptraffic (116 matches)
Extended IP access list outtraffic
10 permit eigrp any any (27 matches)
20 deny icmp any any (8 matches)
30 evaluate tcptraffic
Reflexive IP access list tcptraffic
permit tcp host 10.1.2.3 eq telnet host 10.1.1.1 eq 25369 (75 matches) (time left 2)
A reflexive access-list entry was added automatically.
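To make the reflect/evaluate pairing on R2's external interface concrete, here is an added example (not from the original post) that models how the temporary entry is created, refreshed, and torn down; the packets, port numbers and clock are constructed, and IOS internals are simplified (a single FIN or RST removes the entry). Note that R2's own EIGRP hellos are router-originated and so are not subject to the outbound ACL, which is why the neighbor stays up with no EIGRP permit in outtraffic.

```python
# Added example: minimal model of the reflexive ACL pair on R2 (s2/0).
#   outtraffic (out): permit tcp any any reflect tcptraffic
#   intraffic  (in):  permit eigrp any any / deny icmp any any / evaluate tcptraffic
# Packets are plain dicts; the clock 'now' is passed in seconds (constructed).

class ReflexiveAcl:
    def __init__(self, timeout=180):             # ip reflexive-list timeout 180
        self.timeout = timeout
        self.entries = {}                        # (src, sport, dst, dport) -> expiry

    def outbound(self, pkt, now):
        """Traffic leaving toward the outside (applied with 'out')."""
        if pkt["proto"] != "tcp":
            return False                         # no other permit: implicit deny (ICMP -> 'U')
        # The temporary entry is the mirror image of the outbound packet.
        mirror = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        self.entries[mirror] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        """Traffic arriving from the outside (applied with 'in')."""
        if pkt["proto"] == "eigrp":
            return True                          # permit eigrp any any
        if pkt["proto"] != "tcp":
            return False                         # deny icmp any any, then implicit deny
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        expiry = self.entries.get(key)
        if expiry is None or now > expiry:
            self.entries.pop(key, None)          # unsolicited or expired: evaluate fails
            return False
        if pkt.get("flags") in ("FIN", "RST"):
            del self.entries[key]                # session ended (simplified)
        else:
            self.entries[key] = now + self.timeout   # traffic refreshes the timer
        return True

    def show(self, now):
        """Lines in the spirit of 'show access-list' for the reflexive list."""
        return [f"permit tcp host {s} eq {sp} host {d} eq {dp} (time left {int(exp - now)})"
                for (s, sp, d, dp), exp in self.entries.items() if exp >= now]
```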


2. Internal interface configuration

The topology is as above. R1 is the internal router, R2 is the border router, R3 is an internal router located in the internal network's DMZ, and R4 is the external router.

R1 and R2 are connected through a LAN switch; R2, R3 and R4 are connected through a Frame Relay switch.

After IP session filtering is configured on R2, R4 cannot reach R1 but can still reach R3. Once R1 triggers the reflexive access list on R2, R1 and R4 can communicate with each other.

The initial configuration of R1, R2 and R3 is the same as above.

R4
conf t
int s2/0
ip ad 10.1.2.4 255.255.255.0
encap f
no arp f
no frame inver
frame map ip 10.1.2.2 402 b
frame map ip 10.1.2.3 402 b
no shut
router eigrp 1
no au
net 10.0.0.0
line v 0 4
password come
login
end

Once the EIGRP neighbors are up, configure a reflexive access list on the border router (R2) to filter the internal users' access to the external network.

R2
conf t
ip access-list extended intraffic
per eigrp any any
per tcp any any reflect tcptraffic
exit
ip access-list extended outtraffic
deny icmp any any
evaluate tcptraffic
exit
int f0/0
ip access-group intraffic in
ip access-group outtraffic out
exit
ip reflexive-list timeout 180
end

Verification

R1#telnet 10.1.2.4
Trying 10.1.2.4 ... Open


User Access Verification

Password:
R4>
quit

[Connection to 10.1.2.4 closed by foreign host]
R1#ping 10.1.2.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R2#sh access-l
Extended IP access list intraffic
10 permit eigrp any any (63 matches)
20 permit tcp any any reflect tcptraffic (119 matches)
Extended IP access list outtraffic
10 deny icmp any any
20 evaluate tcptraffic
Reflexive IP access list tcptraffic
permit tcp host 10.1.2.4 eq telnet host 10.1.1.1 eq 47535 (43 matches) (time left 177)
R2#sh ip ei n
IP-EIGRP neighbors for process 1
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 10.1.1.1 Fa0/0 11 00:05:55 1 4500 0 8
2 10.1.2.4 Se2/0 147 00:12:40 1 3000 0 4
1 10.1.2.3 Se2/0 131 00:12:56 1 5000 0 6