I am using a Cisco C1111-8P router/switch with IOS XE 16.8.
I have three VLANs:
I want to prevent guests/VLAN50 from communicating with anything other than the Internet.
To do this I created a standard access list with the VLAN50 subnet and applied this ACL outbound (from the router's point of view) on the SVIs of VLAN1/native/management and VLAN20/dev.
conf t
access-list 10 deny 192.168.50.0 0.0.0.255
access-list 10 permit any
end
# VLAN 1 DEFAULT NATIVE
conf t
vlan 1
interface vlan 1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip access-group 10 out
end
# VLAN 20
conf t
vlan 20
name Dev
interface vlan 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip access-group 10 out
end

Ping to a device connected to the native VLAN1 is filtered:
$ ping 192.168.0.200
PING 192.168.0.200 (192.168.0.200) 56(84) bytes of data.
From 192.168.50.1 icmp_seq=1 Packet filtered
From 192.168.50.1 icmp_seq=2 Packet filtered
From 192.168.50.1 icmp_seq=3 Packet filtered

Nevertheless, I can still ping the VLAN1 and VLAN20 gateways, 192.168.0.1 and 192.168.20.1.
$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=255 time=17.9 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=30.4 ms
$ ping 192.168.20.1
PING 192.168.20.1 (192.168.20.1) 56(84) bytes of data.
64 bytes from 192.168.20.1: icmp_seq=1 ttl=255 time=2.73 ms
64 bytes from 192.168.20.1: icmp_seq=2 ttl=255 time=23.7 ms

Why?
I am testing with a wireless access point that has one SSID per VLAN, with VLAN1 as the native VLAN. I want to test with a standard ACL before moving to an extended one.
Full configuration for reference (I left out the DHCP part):
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0
description WAN
ip address x.x.x.x 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/1/4
shutdown
!
interface GigabitEthernet0/1/5
shutdown
!
interface GigabitEthernet0/1/6
switchport mode access
!
interface GigabitEthernet0/1/7
switchport mode access
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip access-group 10 in
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip access-group 10 out
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip access-group 10 out
!
interface Vlan50
ip address 192.168.50.1 255.255.255.0
ip nat inside
!
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip dns server
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
ip access-list standard NAT
permit 192.168.10.0 0.0.0.255
permit 192.168.0.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
permit 192.168.50.0 0.0.0.255
!
access-list 10 deny 192.168.50.0 0.0.0.255
access-list 10 permit any
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login local
transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

Posted on 2019-05-21 01:21:43
According to user56700, the ACL rule is applied to the traffic passing through, not to the interface itself, and therefore not to the interface's gateway address either. Also, since I am using VLANs with SVIs, and an SVI is an internal component of the router, internally generated traffic cannot be blocked with an outbound rule. We need to block the traffic before it is routed.
To isolate the whole guest VLAN while still allowing Internet access, a standard ACL is not enough. We need to use an INBOUND rule.
By using a named extended ACL on the VLAN50 interface, I can stop all communication to the other VLANs, because the rule is applied inbound and basically denies the traffic before it reaches anything.
conf t
ip access-list extended GUESTSACL
deny ip any 192.168.0.0 0.0.0.255
deny ip any 192.168.10.0 0.0.0.255
deny ip any 192.168.20.0 0.0.0.255
permit ip any any
end
conf t
int vlan 50
ip access-group GUESTSACL in
end

VLAN50's gateway will reply to every ICMP echo with a "Communication administratively filtered" ICMP message. This can lead to higher CPU usage and hints at what is being blocked in the network.
To stop sending this message, we need to add no ip unreachables to the interface:
conf t
interface vlan 50
no ip unreachables
end

Posted on 2019-05-20 09:38:32
You can still ping the router IPs because an ACL is only applied to traffic passing through the interface, not to the interface itself.
Well, if you want to do it the way described above, you have to do it like this:
vlan 1 - 192.168.0.0/24
vlan 10 - 192.168.10.0/24
vlan 20 - 192.168.20.0/24
vlan 50 - 192.168.50.0/24
access-list 10 deny 192.168.50.0 0.0.0.255
access-list 10 permit any
access-list 20 deny 192.168.0.0 0.0.0.255
access-list 20 deny 192.168.10.0 0.0.0.255
access-list 20 deny 192.168.20.0 0.0.0.255
access-list 20 permit any
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip access-group 10 out
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip access-group 10 out
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip access-group 10 out
interface Vlan50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip access-group 20 out

https://networkengineering.stackexchange.com/questions/59267
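As an added example (not code from the thread, from Cisco, or from either answerer), here is a small Python model of the IOS ACL semantics both answers rely on: wildcard-mask matching, first-match evaluation with the implicit deny, and the fact that an outbound ACL is only consulted for packets leaving through an SVI, never for packets addressed to the router itself. The SVIs and the two ACLs are taken from the question and the first answer; the host addresses, the external test address and the treatment of the WAN uplink as an ACL-free default route are assumptions.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword "any" as a wildcard pair
PERMIT_ALL = [("permit", ANY, ANY)]     # what an interface with no ACL bound does
def wc_match(addr, net, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)
def acl_eval(acl, src, dst):
    """First match wins, then IOS's implicit deny. An ACE is (action, (net, wc),
    (net, wc)); a standard ACL only tests the source, so its destination is ANY."""
    for action, s, d in acl:
        if wc_match(src, *s) and wc_match(dst, *d):
            return action
    return "deny"

class Router:
    def __init__(self, svis, acls=None):
        # svis: {name: (gateway_ip, prefixlen)}; acls: {(iface, "in"|"out"): acl}
        self.svis = {n: (ip, ipaddress.ip_network(f"{ip}/{p}", strict=False))
                     for n, (ip, p) in svis.items()}
        self.acls = acls or {}
    def iface_for(self, addr):
        for name, (_, net) in self.svis.items():
            if ipaddress.ip_address(addr) in net:
                return name
        return "GigabitEthernet0/0/0"   # assumed: default route to the WAN uplink, no ACL
    def send(self, src, dst):
        """Trace one packet: inbound ACL, then local delivery or outbound ACL."""
        ingress = self.iface_for(src)
        if acl_eval(self.acls.get((ingress, "in"), PERMIT_ALL), src, dst) == "deny":
            return f"filtered: {ingress} in"   # answered with ICMP admin-prohibited
        if any(ip == dst for ip, _ in self.svis.values()):
            # Addressed to the router itself: handled locally and never sent out an
            # SVI, so no outbound ACL is consulted. That is why the gateways still ping.
            return "delivered to router"
        egress = self.iface_for(dst)
        if acl_eval(self.acls.get((egress, "out"), PERMIT_ALL), src, dst) == "deny":
            return f"filtered: {egress} out"
        return f"forwarded via {egress}"

SVIS = {"Vlan1": ("192.168.0.1", 24), "Vlan10": ("192.168.10.1", 24),
        "Vlan20": ("192.168.20.1", 24), "Vlan50": ("192.168.50.1", 24)}
ACL10 = [("deny", ("192.168.50.0", "0.0.0.255"), ANY), ("permit", ANY, ANY)]
GUESTSACL = [("deny", ANY, (f"192.168.{v}.0", "0.0.0.255")) for v in (0, 10, 20)] + PERMIT_ALL
ORIGINAL = Router(SVIS, {(v, "out"): ACL10 for v in ("Vlan1", "Vlan10", "Vlan20")})
FIXED = Router(SVIS, {("Vlan50", "in"): GUESTSACL})
```

ORIGINAL reproduces the symptom in the question (guest pings to hosts are filtered, pings to the gateways are delivered), while FIXED denies both at ingress. The model also shows that with GUESTSACL alone a packet initiated from VLAN20 toward a guest host is still forwarded, which is worth verifying when the goal is full isolation rather than only guest-initiated isolation.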