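For example, there are 3 routers: 1 is connected to 2, and 2 is connected to 3. Routers 1 and 3 each have one port connected to 2, and 2 has two ports connected to 1 and 3 respectively. To deny, on R2, access from R3 to 1, how do you tell in from out on the two ports of router 2?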
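1. Suppose a standard access control list is configured on router R1 to stop PC1 from accessing PC3, for example with the ACL
access-list 1 deny 192.168.1.254 0.0.0.0
access-list 1 permit any
and this access list is applied to interface f0/1:
int f0/1
ip access-group 1 (in/out)
Whether in or out is used here, PC1 will be unable to access PC2, but the packets are blocked differently in the two cases. If ip access-group 1 out is applied, packets sent from PC1 can only get as far as interface f0/1 and cannot pass through it, because the access list blocks the packets sent by PC1.
But if ip access-group 1 in is applied to interface f0/1, packets sent by PC1 can pass through interface f0/1 and reach PC2; however, the traffic returning from PC2 to PC1 cannot pass through f0/1, because the access list on f0/1 is applied as in (that is, inbound), so packets entering that interface are blocked.

2. But if an extended access control list is used here instead of a standard one, the situation is somewhat different.
For example:
access-list 100 deny ip host 192.168.1.254 host 192.168.2.254
access-list 100 permit ip any any
If this access control list is applied on interface f0/1, for example
int f0/1
ip access-group 100 (out/in)
then only when out is used is PC1 stopped from accessing PC2, because when the packets sent by PC1 arrive at interface f0/1 they are blocked by the access control list and so cannot reach the destination host PC2.
But if ip access-group in is applied on interface f0/1, PC1's packets can pass through interface f0/1 and reach PC2. Some people may think that PC1's packets can pass through f0/1 but the packets PC2 returns to PC1 cannot, because f0/1 has the list applied as in, which can block incoming traffic. But have you considered what the source and destination addresses of the packets returned from PC2 to PC1 are? (The source address of the returned packet is PC2's IP address and the destination address is PC1's IP address.) The ACL applied on F0/1 blocks source address PC1's IP address with destination address PC2's IP address, so when the source and destination addresses of the packet returned to PC1 are compared with the addresses blocked in the ACL, nothing matches at all, and the packet can pass through f0/1.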
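The extended-ACL case from point 2 above, modelled as a small simulation of where a bound list actually inspects a packet. This is an added example, not code from the original answer; the addresses and the two entries of ACL 100 are taken from the answer, while the topology (PC1 behind f0/0, PC2 behind f0/1 of one router) and all function names are assumptions.

```python
PC1, PC2 = "192.168.1.254", "192.168.2.254"   # host addresses from ACL 100 above

# ACL 100 from the answer as (action, source, destination); None means "any".
ACL_100 = [("deny", PC1, PC2), ("permit", None, None)]

def acl_verdict(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, a_src, a_dst in acl:
        if a_src in (None, src) and a_dst in (None, dst):
            return action
    return "deny"

# Assumed topology: PC1 sits behind f0/0 and PC2 behind f0/1 of the same router.
HOST_PORT = {PC1: "f0/0", PC2: "f0/1"}

def forward(src, dst, bindings):
    """bindings maps (interface, direction) -> ACL, like ip access-group.
    A packet is checked 'in' on the port it arrives on and 'out' on the
    port it leaves by; a binding on any other port/direction never sees it."""
    hops = [(HOST_PORT[src], "in"), (HOST_PORT[dst], "out")]
    for hop in hops:
        acl = bindings.get(hop)
        if acl is not None and acl_verdict(acl, src, dst) == "deny":
            return f"dropped at {hop[0]} {hop[1]}"
    return "forwarded"

def trial(direction):
    """Request PC1->PC2 and reply PC2->PC1 with ACL 100 bound on f0/1."""
    bindings = {("f0/1", direction): ACL_100}
    return forward(PC1, PC2, bindings), forward(PC2, PC1, bindings)

if __name__ == "__main__":
    for direction in ("out", "in"):
        request, reply = trial(direction)
        print(f"f0/1 {direction}: request {request}, reply {reply}")
```

With the list bound out, the request is dropped as it leaves f0/1; bound in, the list only sees the reply, whose source and destination are reversed, so it falls through to the permit entry.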
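Answer 1 2013-07-07
in means the data flow is checked as it enters the router on which the ACL is set; out means the data flow is checked as it is about to leave the router. Setting an in ACL on the port of R2 that connects to R3, or an out ACL on the port of R2 that connects to R1, will achieve this.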
Answer 2 2013-07-07
Since the goal is to deny access, just apply an in ACL on r2's port that connects to r3.
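Answer 3 2014-11-26
If the ACL takes effect before entering the device, set it to in; if the ACL takes effect only after entering the device, set it to out. This answer was accepted by users.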