Why doesn't the "deny all" statement in the ACL work?

Network Engineering, Routing, ACL
2021-07-27 07:09:53

I want to block host 192.168.1.1 from reaching the 192.168.2.0/24 network. To achieve this, I applied the extended ACL "ACL_FOR_R2" on the serial2/0 interface of R2. Now we all know that at the end of every access list there is an implicit "deny all traffic" standard statement, so if a packet does not match any of your standard statements, the packet is blocked. So I did not put any statement in the ACL "ACL_FOR_R2", assuming that we have only one statement in that ACL, namely "deny all". But the problem is that when I ping 192.168.2.2 from R1, R2 does not block the traffic and the ping reaches R3. Why?

Here are the configurations:

- R1's configurations:

    R1#show running-config
    Building configuration...

    Current configuration : 1557 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    archive
     log config
      hidekeys
    !
    !
    !
    !
    ip tcp synwait-time 5
    ip ssh version 1
    !
    !
    !
    !
    interface FastEthernet0/0
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet1/0
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface Serial2/0
     ip address 192.168.1.1 255.255.255.0
     ip access-group ACL_FOR_R1 out
     serial restart-delay 0
    !
    interface Serial2/1
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial2/2
     no ip address
     shutdown
     serial restart-delay 0
    !
    interface Serial2/3
     no ip address
     shutdown
     serial restart-delay 0
    !
    router eigrp 1
     network 192.168.1.0
     auto-summary
    !
    ip forward-protocol nd
    !
    !
    no ip http server
    no ip http secure-server
    !
    no cdp log mismatch duplex
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    banner motd ^C
    **********************************
    This is a Cisco .
    **********************************^C
    !
    line con 0
     exec-timeout 0 0
     privilege level 15
     password cisco
     logging synchronous
     login
    line aux 0
     exec-timeout 0 0
     privilege level 15
     logging synchronous
    line vty 0 4
     password cisco
     login
    line vty 5 15
     password cisco
     login
    !
    !
    end

    R1#un all
    All possible debugging has been turned off
    R1#

- R2's configurations:

R2#show running-config
Building configuration...

Current configuration : 1627 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 192.168.1.2 255.255.255.0
 ip access-group ACL_FOR_R2 in
 serial restart-delay 0
!
interface Serial2/1
 ip address 192.168.2.1 255.255.255.0
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 1
 network 192.168.1.0
 network 192.168.2.0
 auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended ACL_FOR_R2
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C
**********************************
This is a Cisco .
**********************************^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
!
end

- R3's configurations:

R3#show running-config
Building configuration...

Current configuration : 1525 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 ip address 192.168.2.2 255.255.255.0
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
router eigrp 1
 network 192.168.2.0
 auto-summary
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C
**********************************
This is a Cisco .
**********************************^C
!
line con 0
 exec-timeout 0 0
 privilege level 15
 password cisco
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
!
end

R1#ping 192.168.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/46/88 ms
R1#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/46/104 ms

2 Answers

Normally you are right, there is an implicit "deny" at the end of every access list. However, you found the exception because you used an empty access list:

interface Serial2/0
 ip address 192.168.1.2 255.255.255.0
 ip access-group ACL_FOR_R2 in
 serial restart-delay 0
!
<snip>
!
ip access-list extended ACL_FOR_R2
!

According to the documentation:

"An interface or command with an empty access list applied to it permits all traffic into the network."

So, as soon as you add any entry to the ACL, it will start blocking all other traffic.

Your configuration is really a mess; you do not even have an ACL defined on R1, yet you are applying one to an interface. The correct way to deny host 192.168.1.1 (rather than all traffic except what you specifically want to permit) access to the 192.168.2.0/24 network is:

Apply a standard access list to R2 Serial2/1 out to block traffic from that host out that interface to that network, while permitting any other traffic out that interface and permitting any traffic from that host out any other interface:

interface Serial2/1
 ip address 192.168.2.1 255.255.255.0
 ip access-group DENY_HOST out
!
ip access-list standard DENY_HOST
 deny host 192.168.1.1
 permit any
!

You could explicitly permit different addresses and use the implicit deny all to block everything else (it does not matter that the network does not even exist in your network):

interface Serial2/1
 ip address 192.168.2.1 255.255.255.0
 ip access-group PERMIT_BOGUS out
!
ip access-list standard PERMIT_BOGUS
 permit 192.168.0.0 0.0.0.255
!

Apply an extended access list to R2 Serial2/0 in to drop traffic in from that host destined to that network, while permitting in any other traffic from that host or any other traffic to anywhere else:

interface Serial2/0
 ip address 192.168.1.2 255.255.255.0
 ip access-group DENY_HOST in
!
ip access-list extended DENY_HOST
 deny ip host 192.168.1.1 192.168.2.0 0.0.0.255
 permit ip any any
!

You could explicitly permit different addresses and use the implicit deny all to block everything else (it does not matter that the network does not even exist in your network):

interface Serial2/0
 ip address 192.168.1.2 255.255.255.0
 ip access-group PERMIT_BOGUS in
!
ip access-list extended PERMIT_BOGUS
 permit ip 192.168.0.0 0.0.0.255 any
!

I think you are confused because the implicit deny at the end will deny all traffic from any host, not just one host, unless you explicitly permit it, and that is not what your question wants to do. In any case, you need to have something in the access list.
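The rules both answers rely on (first match wins, implicit deny only at the end of a non-empty list, an empty or undefined list filters nothing, standard lists match only the source, and an entry is consulted only on the interface and direction where it is applied) can be checked against the page's lab without a router. The following Python model is an added example, not code from the question or either answer and not Cisco's implementation. It parses the page's ACL syntax with wildcard masks and replays R1's ping to 192.168.2.2 through R2 under each placement discussed above. Assumptions: the `Router`, `Acl` and `Entry` classes and the `scenarios()` helper are constructed here; only directly connected /24 links are modelled; and the extended list is renamed `DENY_HOST_EXT` because IOS keeps one namespace for standard and extended named ACLs.

```python
"""Model of Cisco IOS named-ACL evaluation for the R1-R2-R3 lab on this page.
Constructed example; only the rules discussed in the answers are modelled."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

ANY = ("0.0.0.0", "255.255.255.255")     # 'any' = base 0.0.0.0, wildcard all ones


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'do not care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


@dataclass
class Entry:
    action: str      # permit / deny
    proto: str       # ip, icmp, tcp, ...; 'ip' matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str


@dataclass
class Acl:
    name: str
    kind: str        # standard / extended
    entries: list = field(default_factory=list)


def _parse_addr(tok, i):
    """Read 'any', 'host A', 'A WILDCARD' or a bare 'A' (IOS treats a bare
    address as a single host) starting at tok[i]; return (base, wildcard, next i)."""
    if tok[i] == "any":
        return ANY[0], ANY[1], i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return tok[i], tok[i + 1], i + 2
    return tok[i], "0.0.0.0", i + 1


def parse_acls(config):
    """Parse 'ip access-list standard|extended NAME' blocks out of running-config text."""
    acls, current = {}, None
    for raw in config.splitlines():
        if raw and not raw[0].isspace():         # any top-level line ends the block
            current = None
        tok = raw.split()
        if tok[:2] == ["ip", "access-list"]:
            current = acls[tok[3]] = Acl(tok[3], tok[2])
        elif current and tok and tok[0] in ("permit", "deny"):
            if current.kind == "standard":        # standard lists match the source only
                src, swc, _ = _parse_addr(tok, 1)
                current.entries.append(Entry(tok[0], "ip", src, swc, *ANY))
            else:                                 # extended: protocol, source, destination
                src, swc, i = _parse_addr(tok, 2)
                dst, dwc, _ = _parse_addr(tok, i)
                current.entries.append(Entry(tok[0], tok[1], src, swc, dst, dwc))
    return acls


def evaluate(acl, src, dst, proto="ip"):
    """First matching entry wins. A non-empty list ends in an implicit deny; an
    empty or undefined list filters nothing (the documented behaviour the first
    answer quotes, and why the missing ACL_FOR_R1 on R1 is harmless)."""
    if acl is None or not acl.entries:
        return "permit"
    for e in acl.entries:
        if (e.proto in ("ip", proto) and wildcard_match(src, e.src, e.src_wc)
                and wildcard_match(dst, e.dst, e.dst_wc)):
            return e.action
    return "deny"


@dataclass
class Router:
    links: dict      # interface name -> IPv4Network directly connected there (simplification)
    groups: dict     # (interface, 'in'|'out') -> ACL name, i.e. 'ip access-group'
    acls: dict

    def _iface_for(self, addr):
        for name, net in self.links.items():
            if IPv4Address(addr) in net:
                return name
        raise ValueError(f"{addr} is not on a connected link")

    def forward(self, src, dst, proto="icmp"):
        """Inbound ACL on the ingress interface, then outbound ACL on the egress one."""
        hops = ((self._iface_for(src), "in"), (self._iface_for(dst), "out"))
        for iface, direction in hops:
            name = self.groups.get((iface, direction))
            if name and evaluate(self.acls.get(name), src, dst, proto) == "deny":
                return f"denied by {name} {direction} on {iface}"
        return "forwarded"


# Constructed from the page's R2: Serial2/0 faces R1, Serial2/1 faces R3.
R2_LINKS = {"Serial2/0": IPv4Network("192.168.1.0/24"),
            "Serial2/1": IPv4Network("192.168.2.0/24")}

# The question's empty list plus the two lists from the second answer (extended one renamed).
CONFIG = """\
ip access-list extended ACL_FOR_R2
!
ip access-list standard DENY_HOST
 deny host 192.168.1.1
 permit any
!
ip access-list extended DENY_HOST_EXT
 deny ip host 192.168.1.1 192.168.2.0 0.0.0.255
 permit ip any any
!
"""


def scenarios():
    """R1 (192.168.1.1) pinging R3 (192.168.2.2) through R2 under each ACL placement."""
    acls = parse_acls(CONFIG)

    def r2(groups):
        return Router(R2_LINKS, groups, acls)

    ping = ("192.168.1.1", "192.168.2.2")
    return {
        "question: empty ACL_FOR_R2 in on Serial2/0":
            r2({("Serial2/0", "in"): "ACL_FOR_R2"}).forward(*ping),
        "standard DENY_HOST out on Serial2/1":
            r2({("Serial2/1", "out"): "DENY_HOST"}).forward(*ping),
        "standard DENY_HOST in on Serial2/1 (never sees R1's packets)":
            r2({("Serial2/1", "in"): "DENY_HOST"}).forward(*ping),
        "extended DENY_HOST_EXT in on Serial2/0":
            r2({("Serial2/0", "in"): "DENY_HOST_EXT"}).forward(*ping),
        "extended DENY_HOST_EXT in on Serial2/0, other host 192.168.1.3":
            r2({("Serial2/0", "in"): "DENY_HOST_EXT"}).forward("192.168.1.3", "192.168.2.2"),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

The third scenario is the one worth remembering when reviewing a change like this: a standard list that denies 192.168.1.1 is correct in content, but applied inbound on Serial2/1 it only ever sees packets arriving from R3, so R1's ping is forwarded untouched. Checking the placement with `show ip access-lists` hit counters after a test ping is the quickest way to confirm an entry is actually being consulted.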