Cisco IOS:本地接口上的 ACL

网络工程 ACL cisco-ios-12
2021-07-08 23:30:05

是否有将 ACL 应用于路由器本身发起的数据包的解决方法?如何阻止某些未转发但由匹配 ACL 的路由器发送的数据包?我不想通过配置 ICMP 来解决这个问题。

比如三个路由器,通过R02连接。

R0001#sh ip int Fa0/0 | inc Internet
  Internet address is 10.0.1.1/30
R0001#


R0002#sh ip int Fa0/0 | inc Internet
  Internet address is 10.0.1.2/30
R0002#
R0002#sh ip int Fa0/0 | inc access list
  Outgoing access list is ipv4_out
  Inbound  access list is ipv4_in
R0002#
R0002#
R0002#show ip int Fa0/1 | inc Internet
  Internet address is 10.0.2.1/30
R0002#
R0002#sh ip int Fa0/0 | inc access list
  Outgoing access list is ipv4_out
  Inbound  access list is ipv4_in
R0002#


R0003#sh ip int Fa0/1 | inc Internet
  Internet address is 10.0.2.2/30
R0003#

一个 ICMP Echo 从 R0001 发送到 R0002:

R0001#ping 10.0.2.2 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)
R0001#

R0002 通知 R0003 它的 Echo Reply 已被阻止:

R0003#
02:41:48: ICMP: echo reply sent, src 10.0.2.2, dst 10.0.1.1
02:41:48: ICMP: dst (10.0.2.2) administratively prohibited unreachable rcv from 10.0.2.1
R0003#

ICMP Echo 确实匹配了相关规则。Echo Reply 与ipv4_out ACL的规则不匹配

R0002#show ip access-list ipv4_in 
Extended IP access list ipv4_in
    200 deny icmp 10.0.2.0 0.0.0.3 10.0.1.0 0.0.0.3 echo-reply (3 matches)
    998 permit ip any any (1 match)
    999 deny ip any any
R0002#
R0002#show ip access-list ipv4_out
Extended IP access list ipv4_out
    200 deny icmp host 10.0.2.1 10.0.2.0 0.0.0.3
    998 permit ip any any (1 match)
    999 deny ip any any
R0002#

即使我尝试另一种方法,仍然没有匹配项:

R0001#ping 10.0.2.2 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.2.2, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)
R0001#


R0003#
02:56:15: ICMP: echo reply sent, src 10.0.2.2, dst 10.0.1.1
02:56:15: ICMP: dst (10.0.2.2) administratively prohibited unreachable rcv from 10.0.2.1
R0003#


R0002#show ip access-list ipv4_in 
Extended IP access list ipv4_in
    998 permit ip any any (2 matches)
    999 deny ip any any
R0002#
R0002#
R0002#show ip access-list ipv4_out
Extended IP access list ipv4_out
    200 deny icmp host 10.0.2.1 10.0.2.0 0.0.0.3
    201 deny icmp host 10.0.2.2 10.0.1.0 0.0.0.3 (2 matches)
    998 permit ip any any (1 match)
    999 deny ip any any
R0002#

解决方案:

这是受埃弗顿启发的配置

ip access-list extended No_response_IPv4
 permit icmp host 10.0.2.1 10.0.2.0 0.0.0.3
 deny   ip any any

route-map No_response permit 10
 match ip address No_response_IPv4
 set interface Null0

ip local policy route-map No_response

这可以防止 R0002 通知 R0003 已阻止其回声回复。否则,R0003 将记录此消息:ICMP: dst (10.0.2.2) administratively prohibited unreachable rcv from 10.0.2.1但是通过使用 PBR,R0002 会默默地丢弃从 R0003 收到的 Echo Reply。R0002 阻止来自 R0003 的传入 Echo Reply,因为 R0002 的接口有一个 ACLdeny icmp host 10.0.2.1 10.0.2.0 0.0.0.3作为规则。

2个回答

尝试将基于策略的路由 (PBR) 应用于本地流量:

ip access-list extended DROP
 permit icmp host 10.0.2.1 10.0.2.0 0.0.0.3

route-map LOCAL_DROP permit 10
 match ip address DROP
 set interface null0

ip local policy route-map LOCAL_DROP

另请参阅“本地 PBR”:http : //www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.html

您还可以使用 QoS 类映射来匹配流量(您必须匹配源 IP 地址),然后使用策略映射删除该类中的流量。笨重的...

其它你可能感兴趣的问题
上一篇如何在 Mikrotik 路由器/交换机上配置 802.1q 中继? 下一篇如何连接以在 Mikrotik 路由器上使用两个 Internet 连接?