Ruijie reflexive ACL configuration example: hosts in the DMZ cannot initiate connections to the outside

# ip reflexive-list timeout 300

# ip access-list extended AclOut
# permit ip any any reflect Ref
# permit icmp any any reflect Ref

# ip access-list extended AclIn
# evaluate Ref

# int Gi/0/1
# ip access-group AclOut out
# ip access-group AclIn in

Now ping a host inside the DMZ and look at the ACL; it contains one reflected entry:
permit icmp host sip1 host dip1(10 matches) (time left 295)
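The following is an added model of the mechanism above (not Ruijie code): AclOut mirrors every permitted outbound flow into the temporary list Ref, AclIn only permits inbound packets that match a live mirrored entry, and the entry expires after the configured 300 s. It assumes the interface faces the DMZ; all addresses are constructed.

```python
from dataclasses import dataclass

TIMEOUT = 300  # ip reflexive-list timeout 300


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0  # 0 for ICMP (ports not modelled for it)
    dport: int = 0


class ReflexiveAcl:
    def __init__(self, timeout=TIMEOUT):
        self.timeout = timeout
        self.entries = {}  # mirrored 5-tuple -> expiry time (the "Ref" list)

    def outbound(self, pkt, now):
        """AclOut: 'permit ip any any reflect Ref' - permit and mirror the flow."""
        mirrored = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[mirrored] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        """AclIn: 'evaluate Ref' - permit only if a live mirrored entry matches."""
        self.entries = {k: t for k, t in self.entries.items() if t > now}
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.entries:
            self.entries[key] = now + self.timeout  # traffic refreshes the timer
            return True
        return False  # implicit deny at the end of AclIn


def demo():
    """Returns (unsolicited DMZ packet, ping reply in time, ping reply after timeout)."""
    acl = ReflexiveAcl()
    inside, dmz = "192.168.1.10", "172.16.0.5"  # constructed addresses
    # 1. A DMZ host tries to open a session first: nothing in Ref -> denied
    unsolicited = acl.inbound(Packet("tcp", dmz, inside, 40000, 22), now=0)
    # 2. An inside host pings the DMZ host; AclOut permits it and reflects it
    acl.outbound(Packet("icmp", inside, dmz), now=0)
    reply_ok = acl.inbound(Packet("icmp", dmz, inside), now=5)
    # 3. Once the 300 s timer has run out the entry is gone
    reply_late = acl.inbound(Packet("icmp", dmz, inside), now=5 + 301)
    return unsolicited, reply_ok, reply_late
```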
