Tweet
Mục đích
Cấu hình router để reflexive access-list có thể ước lượng được (evaluate) các traffic tạo bởi router.
Mô hình
Hướng dẫn
Cấu hình tham khảo
Bước 1: Cấu hình cơ bản: địa chỉ IP, định tuyến OSPF, NAT PAT
Router R4
interface Loopback0
ip address 150.1.4.4 255.255.255.0
!
interface FastEthernet0/0
ip address 155.1.45.4 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.4 255.255.255.0
ip nat inside
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 150.1.4.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
ip http server
ip nat inside source list 1 interface Loopback0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
Router R5
interface FastEthernet0/0
ip address 155.1.45.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 150.1.5.5 255.255.255.0
duplex auto
speed auto
no keepalive
!
router ospf 1
log-adjacency-changes
network 150.1.5.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login
Router R1
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.4
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login
Bước 2: Cấu hình access-list INBOUND và OUTBOUND trên router R4
ip access-list extended INBOUND
evaluate MIRROR
permit ospf any any
deny ip any any log
!
ip access-list extended OUTBOUND
permit tcp any any eq telnet reflect MIRROR
permit tcp any any eq www reflect MIRROR
permit icmp any any echo reflect MIRROR
Apply access-list OUTBOUND (hướng out) và INBOUND (hướng in) trên interface Fa0/0 của R4.
interface FastEthernet0/0
ip access-group INBOUND in
ip access-group OUTBOUND out
Bước 3: Cấu hình extended access-list LOCAL_TRAFFIC và route-map LOCAL_POLICY
ip access-list extended LOCAL_TRAFFIC
permit tcp any any
permit icmp any any
!
route-map LOCAL_POLICY
match ip address LOCAL_TRAFFIC
set interface Loopback0
!
ip local policy route-map LOCAL_POLICY
Bước 4: Kiểm tra
R4#ping 150.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/49/64 ms
R4#show ip access-lists MIRROR
Reflexive IP access list MIRROR
permit icmp host 150.1.5.5 host 155.1.45.4 (8 matches) (time left 297)
permit icmp host 150.1.5.5 host 155.1.0.4 (12 matches) (time left 297)
R4#telnet 150.1.5.5
Trying 150.1.5.5 ... Open
R5>exit
[Connection to 150.1.5.5 closed by foreign host]
R4#sh ip access-lists MIRROR
Reflexive IP access list MIRROR
permit tcp host 150.1.5.5 eq telnet host 155.1.0.4 eq 47175 (78 matches)
(time left 1)
permit icmp host 150.1.5.5 host 155.1.45.4 (8 matches) (time left 233)
permit icmp host 150.1.5.5 host 155.1.0.4 (12 matches) (time left 233)
Chú ý: Bậy giờ router R4 đã ping và telnet được 150.1.5.5. Ở bìa LAB 2, khi chưa apply route-map LOCAP_POLICY thì R4 không ping và telnet được 150.1.5.5 vì traffic do R4 tạo ra không được evaluate bởi reflexive access-list .
R4#show ip access-lists LOCAL_TRAFFIC
Extended IP access list LOCAL_TRAFFIC
10 permit tcp any any (42 matches)
20 permit icmp any any (29 matches)
R4#show route-map
route-map LOCAL_POLICY, permit, sequence 10
Match clauses:
ip address (access-lists): LOCAL_TRAFFIC
Set clauses:
interface Loopback0
Policy routing matches: 70 packets, 4678 bytes
Cấu hình router để reflexive access-list có thể ước lượng được (evaluate) các traffic tạo bởi router.
Mô hình
Hướng dẫn- Cấu hình router (định tuyến, NAT, …) giống như bìa LAB 2 ‘Lọc traffic với reflexive access-list’.
- Tạo extended access-list LOCAL_TRAFFIC và match TCP/ICMP từ any đến any.
- Tạo route-map LOCAL_POLICY, mathc access-list LOCAL_TRAFFIC và set interface Loopback0.
- Apply route-map LOCAL_POLICY vào policy cục bộ (local).
Cấu hình tham khảo
Bước 1: Cấu hình cơ bản: địa chỉ IP, định tuyến OSPF, NAT PAT
Router R4
interface Loopback0
ip address 150.1.4.4 255.255.255.0
!
interface FastEthernet0/0
ip address 155.1.45.4 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.4 255.255.255.0
ip nat inside
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 150.1.4.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
ip http server
ip nat inside source list 1 interface Loopback0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
Router R5
interface FastEthernet0/0
ip address 155.1.45.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 150.1.5.5 255.255.255.0
duplex auto
speed auto
no keepalive
!
router ospf 1
log-adjacency-changes
network 150.1.5.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login
Router R1
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.4
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login
Bước 2: Cấu hình access-list INBOUND và OUTBOUND trên router R4
ip access-list extended INBOUND
evaluate MIRROR
permit ospf any any
deny ip any any log
!
ip access-list extended OUTBOUND
permit tcp any any eq telnet reflect MIRROR
permit tcp any any eq www reflect MIRROR
permit icmp any any echo reflect MIRROR
Apply access-list OUTBOUND (hướng out) và INBOUND (hướng in) trên interface Fa0/0 của R4.
interface FastEthernet0/0
ip access-group INBOUND in
ip access-group OUTBOUND out
Bước 3: Cấu hình extended access-list LOCAL_TRAFFIC và route-map LOCAL_POLICY
ip access-list extended LOCAL_TRAFFIC
permit tcp any any
permit icmp any any
!
route-map LOCAL_POLICY
match ip address LOCAL_TRAFFIC
set interface Loopback0
!
ip local policy route-map LOCAL_POLICY
Bước 4: Kiểm tra
R4#ping 150.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/49/64 ms
R4#show ip access-lists MIRROR
Reflexive IP access list MIRROR
permit icmp host 150.1.5.5 host 155.1.45.4 (8 matches) (time left 297)
permit icmp host 150.1.5.5 host 155.1.0.4 (12 matches) (time left 297)
R4#telnet 150.1.5.5
Trying 150.1.5.5 ... Open
R5>exit
[Connection to 150.1.5.5 closed by foreign host]
R4#sh ip access-lists MIRROR
Reflexive IP access list MIRROR
permit tcp host 150.1.5.5 eq telnet host 155.1.0.4 eq 47175 (78 matches)
(time left 1)
permit icmp host 150.1.5.5 host 155.1.45.4 (8 matches) (time left 233)
permit icmp host 150.1.5.5 host 155.1.0.4 (12 matches) (time left 233)
Chú ý: Bậy giờ router R4 đã ping và telnet được 150.1.5.5. Ở bìa LAB 2, khi chưa apply route-map LOCAP_POLICY thì R4 không ping và telnet được 150.1.5.5 vì traffic do R4 tạo ra không được evaluate bởi reflexive access-list .
R4#show ip access-lists LOCAL_TRAFFIC
Extended IP access list LOCAL_TRAFFIC
10 permit tcp any any (42 matches)
20 permit icmp any any (29 matches)
R4#show route-map
route-map LOCAL_POLICY, permit, sequence 10
Match clauses:
ip address (access-lists): LOCAL_TRAFFIC
Set clauses:
interface Loopback0
Policy routing matches: 70 packets, 4678 bytes