The ×× security department came to inspect and said my access lists were no good.
So I ran a test.
A simple test of an access list applied in the in direction versus the out direction.
In both cases the connections were initiated toward the outside.
3750#
no ip access ext vlan6
ip acces ext vlan6
permit ip any host 192.168.73.*
permit ip any host 192.168.73.*
permit ip any host 192.168.73.*
permit ip any host 192.168.73.*
permit ip any host 192.168.73.*
permit ip any host 255.255.255.255
deny ip any any log-input
interface Vlan6
ip address 192.168.*******
ip access-group vlan6 out
Test result when the direction is out:
012613: Dec 3 06:44:03: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 203.208.37.99(0) (GigabitEthernet1/0/22 001b.d4db.6920) -> 192.168.79.110(0), 1 packet
012614: Dec 3 06:44:24: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 203.208.37.104(0) (GigabitEthernet1/0/22 001b.d4db.6920) -> 192.168.79.110(0), 1 packet
012615: Dec 3 06:45:08: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.73.53(0) (Vlan73 0016.e6f6.c341) -> 192.168.79.110(0), 1 packet (a stray packet from another subnet)
012616: Dec 3 06:49:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 203.208.37.99(0) (GigabitEthernet1/0/22 001b.d4db.6920) -> 192.168.79.110(0), 27 packets
012617: Dec 3 06:49:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 203.208.37.104(0) (GigabitEthernet1/0/22 001b.d4db.6920) -> 192.168.79.110(0), 27 packets
The packets are processed first and then dropped.
Test result when the direction is in:
30F_3750#sh access-lists guest_vlan6
no ip access ext guest_vlan6
ip acces ext guest_vlan6
permit ip any host 192.168.*
permit ip any host 192.168.*
permit ip any host 192.168.8
permit ip any host 192.168.*
permit ip any host 192.168.*9
permit ip any host 255.255.*
deny ip any any log-input
Interface configuration:
interface Vlan6
ip address 192.168.7****
ip access-group g_vlan6 in
012639: Dec 3 06:56:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.79.110(0) (Vlan6 0016.d406.653f) -> 203.208.37.99(0), 6 packets
012640: Dec 3 06:56:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.79.110(0) (Vlan6 0016.d406.653f) -> 192.168.73.53(0), 8 packets
012641: Dec 3 06:56:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.79.110(0) (Vlan6 0016.d406.653f) -> 203.208.37.104(0), 6 packets
012642: Dec 3 06:56:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied udp 192.168.79.110(0) (Vlan6 0016.d406.653f) -> 192.168.79.127(0), 7 packets
012643: Dec 3 07:00:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.73.53(0) (Vlan73 0016.e6f6.c341) -> 192.168.79.110(0), 1 packet
012644: Dec 3 07:01:22: %SEC-6-IPACCESSLOGDP: list guest_vlan6 denied icmp 192.168.79.110 (Vlan6 0016.d406.653f) -> 192.168.56.156 (0/0), 1 packet
The packets are dropped without ever entering the forwarding process.
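The difference the two tests expose is where the switch evaluates the access-group: with "in" on the SVI the packet is checked as it arrives from the VLAN, before any route lookup; with "out" it is checked only after routing has already selected Vlan6 as the egress interface, which is why the out-direction denies all show an ingress interface other than Vlan6 (GigabitEthernet1/0/22, Vlan73) and the in-direction denies all show Vlan6. The following Python is an added example, not code from the post or from Cisco: it parses the %SEC-6-IPACCESSLOGP lines quoted above and infers the direction from the ingress interface the log records, then models a router with an SVI access-group so the two evaluation points can be traced. The routing table and the two permitted 192.168.73.x hosts are constructed here because the post redacts them; the sample log lines are copied from the post.

```python
"""Where an SVI access-group is evaluated: 'in' before the route lookup,
'out' after it. Added example; router model, routing table and the
permitted hosts are constructed, the log lines are copied from the post."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Log lines copied from the post: two from the "out" test, two from the "in" test.
SAMPLE_LOGS = [
    "012613: Dec 3 06:44:03: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 203.208.37.99(0) (GigabitEthernet1/0/22 001b.d4db.6920) -> 192.168.79.110(0), 1 packet",
    "012615: Dec 3 06:45:08: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.73.53(0) (Vlan73 0016.e6f6.c341) -> 192.168.79.110(0), 1 packet",
    "012639: Dec 3 06:56:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.79.110(0) (Vlan6 0016.d406.653f) -> 203.208.37.99(0), 6 packets",
    "012644: Dec 3 07:01:22: %SEC-6-IPACCESSLOGDP: list guest_vlan6 denied icmp 192.168.79.110 (Vlan6 0016.d406.653f) -> 192.168.56.156 (0/0), 1 packet",
]

# IPACCESSLOGP (tcp/udp, ports in parentheses) and IPACCESSLOGDP (icmp, "type/code").
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGD?P: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>\d+(?:\.\d+){3})(?:\(\d+\))? "
    r"\((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>\d+(?:\.\d+){3})(?: ?\(\d+(?:/\d+)?\))?, (?P<count>\d+) packets?"
)


@dataclass
class LogEntry:
    acl: str
    action: str
    proto: str
    src: str
    ingress: str   # the interface the packet ARRIVED on, as logged by log-input
    dst: str
    count: int


def parse_log(line: str) -> LogEntry:
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"not an IPACCESSLOG line: {line!r}")
    return LogEntry(m["acl"], m["action"], m["proto"], m["src"],
                    m["iface"], m["dst"], int(m["count"]))


def infer_direction(entry: LogEntry, svi: str = "Vlan6") -> str:
    """If the logged ingress interface is the SVI itself, the ACL caught the
    packet inbound; any other ingress means it was caught on the way out."""
    return "in" if entry.ingress == svi else "out"


# Shape of the post's ACL: a few permitted hosts, the broadcast address, then
# deny ip any any. The post redacts the hosts; these two are constructed.
PERMITTED_HOSTS = {"192.168.73.10", "192.168.73.20", "255.255.255.255"}


def guest_acl(src: str, dst: str) -> bool:
    return dst in PERMITTED_HOSTS


# Constructed routing table: prefix -> egress interface.
ROUTES = {"192.168.79.0/24": "Vlan6",
          "192.168.73.0/24": "Vlan73",
          "0.0.0.0/0": "GigabitEthernet1/0/22"}


@dataclass
class Router:
    routes: Dict[str, str]
    acl_iface: str                       # interface carrying ip access-group
    acl_direction: str                   # "in" or "out"
    permit: Callable[[str, str], bool]   # (src, dst) -> True if the ACL permits

    def lookup(self, dst: str) -> str:
        """Longest-prefix match over the constructed routing table."""
        addr = ipaddress.ip_address(dst)
        nets = [ipaddress.ip_network(p) for p in self.routes]
        best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
        return self.routes[str(best)]

    def forward(self, ingress: str, src: str, dst: str) -> List[str]:
        """Trace the stages a packet passes; a deny ends the trace early."""
        trace = [f"ingress {ingress}"]
        if self.acl_direction == "in" and ingress == self.acl_iface:
            if not self.permit(src, dst):
                trace.append("acl-in deny")        # dropped before any lookup
                return trace
            trace.append("acl-in permit")
        egress = self.lookup(dst)
        trace.append(f"route lookup -> {egress}")  # work already spent
        if self.acl_direction == "out" and egress == self.acl_iface:
            if not self.permit(src, dst):
                trace.append("acl-out deny")       # dropped after routing
                return trace
            trace.append("acl-out permit")
        trace.append(f"egress {egress}")
        return trace


def build_router(direction: str) -> Router:
    return Router(ROUTES, "Vlan6", direction, guest_acl)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        e = parse_log(line)
        print(f"{e.src:>15} -> {e.dst:<15} via {e.ingress:<22} => {infer_direction(e)}")
    print(build_router("out").forward("GigabitEthernet1/0/22", "203.208.37.99", "192.168.79.110"))
    print(build_router("in").forward("Vlan6", "192.168.79.110", "203.208.37.99"))
```

Two things fall out of the model that match the logs above. With the list applied "out", a guest host's own outbound connection (from Vlan6 toward the Internet) is never checked at all, because its egress is the uplink, not Vlan6; only replies and other traffic routed toward the VLAN reach the out-direction list, after the route lookup has already been done. With the list applied "in", the same outbound connection is denied at the first stage, before any lookup, which is what the post means by the packets not entering the process.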
This article is reposted from song8575's 51CTO blog; original link: http://blog.51cto.com/song8575/117011