Testing in versus out on a 3750 access list
2008-12-03 19:17
The ×× security department came to inspect and said my access list was no good,
so I ran a test.
It is a simple check of whether the access list behaves differently applied in or out;
in both cases the same connection is initiated outward.
3750#
no ip access ext vlan6
ip acces ext vlan6
permit ip any host 192.168.73.*
permit ip any host 192.168.73.*
permit ip any host 192.168.73.*
permit ip any host 192.168.73.*
permit ip any host 192.168.73.*
permit ip any host 255.255.255.255
deny ip any any log-input
interface Vlan6
ip address 192.168.*******
ip access-group vlan6 out
Test result when the direction is out:
012613: Dec 3 06:44:03: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 203.208.37.99(0) (GigabitEthernet1/0/22 001b.d4db.6920) -> 192.168.79.110(0), 1 packet
012614: Dec 3 06:44:24: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 203.208.37.104(0) (GigabitEthernet1/0/22 001b.d4db.6920) -> 192.168.79.110(0), 1 packet
012615: Dec 3 06:45:08: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.73.53(0) (Vlan73 0016.e6f6.c341) -> 192.168.79.110(0), 1 packet (a stray packet from another segment)
012616: Dec 3 06:49:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 203.208.37.99(0) (GigabitEthernet1/0/22 001b.d4db.6920) -> 192.168.79.110(0), 27 packets
012617: Dec 3 06:49:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 203.208.37.104(0) (GigabitEthernet1/0/22 001b.d4db.6920) -> 192.168.79.110(0), 27 packets
The packets are processed first and then dropped.
Test result when the direction is in:
30F_3750#sh access-lists guest_vlan6
no ip access ext guest_vlan6
ip acces ext guest_vlan6
permit ip any host 192.168.*
permit ip any host 192.168.*
permit ip any host 192.168.8
permit ip any host 192.168.*
permit ip any host 192.168.*9
permit ip any host 255.255.*
deny ip any any log-input
Interface configuration:
interface Vlan6
ip address 192.168.7****
ip access-group g_vlan6 in
012639: Dec 3 06:56:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.79.110(0) (Vlan6 0016.d406.653f) -> 203.208.37.99(0), 6 packets
012640: Dec 3 06:56:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.79.110(0) (Vlan6 0016.d406.653f) -> 192.168.73.53(0), 8 packets
012641: Dec 3 06:56:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.79.110(0) (Vlan6 0016.d406.653f) -> 203.208.37.104(0), 6 packets
012642: Dec 3 06:56:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied udp 192.168.79.110(0) (Vlan6 0016.d406.653f) -> 192.168.79.127(0), 7 packets
012643: Dec 3 07:00:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.73.53(0) (Vlan73 0016.e6f6.c341) -> 192.168.79.110(0), 1 packet
012644: Dec 3 07:01:22: %SEC-6-IPACCESSLOGDP: list guest_vlan6 denied icmp 192.168.79.110 (Vlan6 0016.d406.653f) -> 192.168.56.156 (0/0), 1 packet
The packets never enter processing at all.
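The difference between the two runs is visible in the logs themselves: with log-input, every entry carries the interface and source MAC the packet arrived on. In the out run the denied packets arrived on GigabitEthernet1/0/22 (or Vlan73) and were switched toward VLAN 6 before being dropped; in the in run they arrived on Vlan6 itself and were dropped on arrival. The following parser is an added example, not code from the original post: it extracts the fields of %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGDP entries and uses the ingress interface to infer which direction the ACL was applied in. The function names, the `interface` parameter and the majority rule are assumptions of this example; the sample entries are the post's own log lines, with the duplicated lines and the author's annotation removed.

```python
import re
from collections import Counter

# Matches IOS ACL log entries produced by an ACE with the log-input keyword:
# %SEC-6-IPACCESSLOGP (tcp/udp, ports in parentheses) and
# %SEC-6-IPACCESSLOGDP (icmp, type/code in parentheses after the destination).
# The "(ingress-interface source-mac)" field is what log-input adds.
ACL_LOG_RE = re.compile(
    r"(?P<seq>\d+): (?P<ts>\w+ +\d+ \d\d:\d\d:\d\d): "
    r"%SEC-6-(?P<msg>IPACCESSLOGP|IPACCESSLOGDP): "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? "
    r"\((?P<ingress>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"(?:\((?P<dport>\d+)\)| \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\)), "
    r"(?P<count>\d+) packets?"
)

# Sample input: the post's own log lines (ACL applied "out" on Vlan6).
OUT_LOG = [
    "012613: Dec 3 06:44:03: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 203.208.37.99(0) (GigabitEthernet1/0/22 001b.d4db.6920) -> 192.168.79.110(0), 1 packet",
    "012614: Dec 3 06:44:24: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 203.208.37.104(0) (GigabitEthernet1/0/22 001b.d4db.6920) -> 192.168.79.110(0), 1 packet",
    "012615: Dec 3 06:45:08: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.73.53(0) (Vlan73 0016.e6f6.c341) -> 192.168.79.110(0), 1 packet",
    "012616: Dec 3 06:49:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 203.208.37.99(0) (GigabitEthernet1/0/22 001b.d4db.6920) -> 192.168.79.110(0), 27 packets",
    "012617: Dec 3 06:49:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 203.208.37.104(0) (GigabitEthernet1/0/22 001b.d4db.6920) -> 192.168.79.110(0), 27 packets",
]

# Sample input: the post's own log lines (ACL applied "in" on Vlan6).
IN_LOG = [
    "012639: Dec 3 06:56:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.79.110(0) (Vlan6 0016.d406.653f) -> 203.208.37.99(0), 6 packets",
    "012640: Dec 3 06:56:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.79.110(0) (Vlan6 0016.d406.653f) -> 192.168.73.53(0), 8 packets",
    "012641: Dec 3 06:56:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.79.110(0) (Vlan6 0016.d406.653f) -> 203.208.37.104(0), 6 packets",
    "012642: Dec 3 06:56:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied udp 192.168.79.110(0) (Vlan6 0016.d406.653f) -> 192.168.79.127(0), 7 packets",
    "012643: Dec 3 07:00:26: %SEC-6-IPACCESSLOGP: list guest_vlan6 denied tcp 192.168.73.53(0) (Vlan73 0016.e6f6.c341) -> 192.168.79.110(0), 1 packet",
    "012644: Dec 3 07:01:22: %SEC-6-IPACCESSLOGDP: list guest_vlan6 denied icmp 192.168.79.110 (Vlan6 0016.d406.653f) -> 192.168.56.156 (0/0), 1 packet",
]


def parse_acl_log(line):
    """Return the fields of one ACL log entry as a dict, or None for any other line."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])  # packets summarised in this entry
    return rec


def denied_by_flow(lines):
    """Sum denied packets per (source, destination) pair across the entries."""
    flows = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            flows[(rec["src"], rec["dst"])] += rec["count"]
    return flows


def acl_direction(lines, interface):
    """Infer whether the ACL on `interface` was applied in or out (hypothetical helper).

    An inbound ACL drops packets as they arrive, so denied entries name
    `interface` as the ingress interface.  An outbound ACL only sees packets
    after they were switched from some other interface toward `interface`, so
    the ingress field is a different interface.  The majority of denied packets
    decides, which tolerates stray entries like the Vlan73 ones in the post.
    """
    per_ingress = Counter()
    on_if = elsewhere = 0
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue
        per_ingress[rec["ingress"]] += rec["count"]
        if rec["ingress"] == interface:
            on_if += rec["count"]
        else:
            elsewhere += rec["count"]
    if on_if == elsewhere:
        likely = "unknown"
    else:
        likely = "in" if on_if > elsewhere else "out"
    return {"per_ingress": dict(per_ingress), "on_interface": on_if,
            "elsewhere": elsewhere, "likely": likely}


if __name__ == "__main__":
    for name, lines in (("out run", OUT_LOG), ("in run", IN_LOG)):
        print(name, acl_direction(lines, "Vlan6"))
        print("  denied packets by flow:", dict(denied_by_flow(lines)))
```

Run against the two log sets, the out run reports 57 denied packets that all arrived on interfaces other than Vlan6, while the in run reports 28 that arrived on Vlan6 against a single stray from Vlan73, which is the same conclusion the post draws from reading the entries by hand.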
This article is from the "song8575" blog; please keep this source link: http://song8575.blog.51cto.com/20429/117011