单向访问测试（VACL和自反ACL）

一.测试拓扑：

二.基本配置：

R1：（模拟为一三层交换机）

vlan database 
 vlan 2
 vlan 3
exit
config t
interface f0/2
 sw mo ac
 sw ac vlan 2
interface f0/3
 sw mo ac
 sw ac vlan 3
interface f0/4
 sw mo ac
 sw ac vlan 1
int vlan 1
 ip add 192.168.1.1 255.255.255.0
int vlan 2
 ip add 192.168.2.1 255.255.255.0
int vlan 3
 ip add 192.168.3.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.4
R2：（模拟VLAN2一台PC)

int e0/0
 ip add 192.168.2.2 255.255.255.0
 no sh
ip route 0.0.0.0 0.0.0.0 192.168.2.1

R3：（模拟VLAN3一台PC)

int e0/0
 ip add 192.168.3.3 255.255.255.0
 no sh
ip route 0.0.0.0 0.0.0.0 192.168.3.1

R4：(模拟连接互联网的路由器）

int e0/0
 ip add 192.168.1.4 255.255.255.0
 no sh
int e0/1
 ip add 202.100.1.1 255.255.255.0
 no sh
ip route 0.0.0.0 0.0.0.0 202.100.1.2
ip route 192.168.0.0 255.255.0.0 192.168.1.1

三.访问控制

A.方案一：自反ACL

R1：
ip access-list extended ACLOUT
  permit ip  192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 reflect REF 
  permit ip   any  192.168.3.0 0.0.0.255
ip access-list extended ACLIN
  evaluate REF
  deny   ip   192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 
  permit ip   192.168.3.0 0.0.0.255 any
interface Vlan3
 ip access-group ACLIN in
 ip access-group ACLOUT out
R4：
ip access-list extended ACLOUT
  permit ip  192.168.0.0 0.0.255.255 any reflect REF 
ip access-list extended ACLIN
  evaluate REF
interface e0/1
 ip access-group ACLIN in
 ip access-group ACLOUT out
B.方案二：ACL（只能控制TCP的单向访问）

R1:
ip access-list extended ACLIN
   permit tcp  192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 established
   deny   tcp  192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
   permit ip  192.168.3.0 0.0.0.255 any
interface Vlan3
 ip access-group ACLIN in
R4:
ip access-list extended ACLIN
   permit tcp  any 192.168.0.0 0.0.255.255  established
   deny   tcp  any 192.168.0.0 0.0.255.255
   permit ip  any 192.168.0.0 0.0.255.255
interface e0/1
 ip access-group ACLIN in

本文转自 碧云天 51CTO博客，原文链接：http://blog.51cto.com/333234/1039955，如需转载请自行联系原作者