一直以為自己對(duì)這個(gè)ip access-group num in | out 應(yīng)用很理解,當(dāng)自己做實(shí)驗(yàn)分析的時(shí)候分現(xiàn)很模糊,以下是認(rèn)真的分析總結(jié):
首先:
路由器每個(gè)接口應(yīng)用ACL是針對(duì)每個(gè)數(shù)據(jù)包的過濾�,三層是IP數(shù)據(jù)包��,二層是數(shù)據(jù)幀MAC
路由器對(duì)自己內(nèi)部產(chǎn)生的數(shù)據(jù)不會(huì)起作用
in就是路由器接口收到的數(shù)據(jù)�����,out就是路由器接口離開的數(shù)據(jù)
站在路由器的角度�����,路由器只能是一個(gè)接口in���,從另一個(gè)接口out(不會(huì)是從一個(gè)接口in����,又從這個(gè)接口out)
如下圖:一個(gè)純LAN的網(wǎng)絡(luò),在R1的f0/0應(yīng)該ip access-group /out
!
interface FastEthernet0/0
ip address .1 255.255.255.0
ip access-group 1 out
duplex auto
speed auto
!
access-list 1 deny .2
access-list 1 permit .3
如果:ACL在接口out方向不起數(shù)據(jù)包過濾的作用
R1#ping .2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to .2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/44/136 ms
R1#ping .3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to .3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/43/136 ms
分析為什么:在R1路由器產(chǎn)生ping .2的數(shù)據(jù)包,源地址12.1.1.1���,目的地址12.1.1.2但由于是路由器自己產(chǎn)生的數(shù)據(jù)包在接口上不起作用��,所以相對(duì)f0/0的out方向不起作用����?��?椿氐膒ing包,從R2路由器產(chǎn)生回包,源地址12.1.1.2,目的地址12.1.1.1相對(duì)R1的f0/0接口是in方向����,但沒做in方向的數(shù)據(jù)過濾,同理ping 12.1.1.3也通
!
interface FastEthernet0/0
ip address .1 255.255.255.0
ip access-group
duplex auto
speed auto
!
相反在f0/0接口上起in方向的數(shù)據(jù)過濾結(jié)果:
R1#
R1#ping .1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to .1, timeout is 2 seconds:
....
Success rate is 0 percent (0/4)
R1#ping .2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to .2, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
R1#ping .3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to .3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = ms
結(jié)果分析:R1路由器自己產(chǎn)生數(shù)據(jù)包ping .2 源地址:12.1.1.1����,目的地址:12.1.1.2,相對(duì)f0/0接口數(shù)據(jù)發(fā)送出去,但是內(nèi)部自己產(chǎn)生的數(shù)據(jù)包不起作用���,所以發(fā)送成功��,看回的數(shù)據(jù)包,R2產(chǎn)生回的數(shù)據(jù)包,源地址:12.1.1.2�,目的地址:12.1.1.1到達(dá)R1的f0/0接口相對(duì)R1路由器f0/0就是為in方向這時(shí)作用ACL過濾,過濾掉源為12.1.1.2的地址����,所以不成功
相反�,源地址.3滿足ACL,所以ping通.
