【实验说明】
配置路由器,使得自反访问控制列表能够计算路由器产生的流量
IOS:c3640-jk9s-mz.124-16.bin
【实验拓扑】
【实验配置向导】
- 将上述网络配置为“Traffic Filtering with ReflexiveAccess-Lists”
- 为access-list OUTBOUND 增加一行允许出站的 TCP 79端口流量 并自反到MIRROR
- 创建扩展访问控制列表LOCAL_TRAFFIC 匹配任意到任意的TCP与ICMP 流量
- 创建 route-map LOCAL_POLICY; 匹配访问控制列表 LOCAL_TRAFFIC 后 set interface Loopback0
- 将 route-map LOCAL_POLICY 应用到本地策略中
【实验
Traffic Filtering with Reflexive
Access-Lists
配置】
--------------------------------实验PAT配置---------------------------------------------------------
----------------------------------------------自反访问控制列表配置-----------------------------------------------------
R1:
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.4
no sh
R6:
interface FastEthernet0/0
ip address 10.0.0.6 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.4
no sh
R4:
interface Loopback0
ip address 150.1.4.4 255.255.255.0
ip ospf network point-to-point
no sh
!
interface FastEthernet0/0
ip address 10.0.0.4 255.255.255.0
ip nat inside
no sh
!
interface serial0/0
en fram
no sh
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.4 255.255.255.0
frame-relay interface-dlci 405
ip nat outside
no sh
!
interface Serial0/1
ip address 155.1.45.4 255.255.255.0
clock rate 2000000
ip nat outside
no sh
!
router ospf 1
router-id 150.1.4.4
network 150.1.4.4 0.0.0.0 area 0
network 155.1.0.4 0.0.0.0 area 0
network 155.1.45.4 0.0.0.0 area 0
!
router bgp 1
bgp router-id 150.1.4.4
neighbor 150.1.5.5 remote-as 2
neighbor 150.1.5.5 ebgp-multihop 255
neighbor 150.1.5.5 update-source Loopback0
!
ip access-list standard INSIDE_NETWORK
permit 10.0.0.0 0.0.0.255
!
ip nat inside source list INSIDE_NETWORK interface Loop0 overload
|
R5:
interface Loopback0
ip address 150.1.5.5 255.255.255.0
ip ospf network point-to-point
no sh
!
interface Serial0/0
encapsulation frame-relay
no sh
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.5 255.255.255.0
frame-relay interface-dlci 504
no sh
!
interface Serial0/1
ip address 155.1.45.5 255.255.255.0
clock rate 2000000
no sh
!
router ospf 1
router-id 150.1.5.5
network 150.1.5.5 0.0.0.0 area 0
network 155.1.0.5 0.0.0.0 area 0
network 155.1.45.5 0.0.0.0 area 0
!
router bgp 2
bgp router-id 150.1.5.5
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 ebgp-multihop 255
neighbor 150.1.4.4 update-source Loopback0
neighbor 150.1.4.4 default-originate
|
----------------------------------------------自反访问控制列表配置-----------------------------------------------------
R4:
ip access-list extended OUTBOUND
permit tcp any any eq 80 reflect MIRROR
permit tcp any any eq 23 reflect MIRROR
permit icmp any any echo reflect MIRROR
!
ip access-list extended INBOUND
evaluate MIRROR
permit ospf any any
deny ip any any log
!
int s0/1
ip access-group OUTBOUND out
ip access-group INBOUND in
!
int s0/0.1
ip access-group OUTBOUND out
ip access-group INBOUND in
【实验配置】
ip access-list ext OUTBOUND
permit tcp any any eq 179 reflect MIRROR
!
ip access-list extended LOCAL_TRAFFIC
permit tcp any any
permit icmp any any
!
route-map LOCAL_POLICY
match ip address
LOCAL_TRAFFIC
set interface Loopback0
!
ip local policy route-map
LOCAL_POLICY
【实验验证】
R4#ping 150.1.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/48/72 ms
R4#telnet 150.1.5.5
Trying 150.1.5.5 ... Open
R4#show access-list MIRROR
Reflexive IP access list MIRROR
permit tcp host 150.1.5.5 eq telnet host 155.1.45.4 eq 39870 (38 matches) (time left 2)
permit tcp host 150.1.5.5 eq bgp host 150.1.4.4 eq 27752 (23 matches) (time left 274)
permit icmp host 150.1.5.5 host 155.1.0.4 (28 matches) (time left 292)
permit icmp host 150.1.5.5 host 155.1.45.4 (32 matches) (time left 292)
本文转自zcm8483 51CTO博客,原文链接:http://blog.51cto.com/haolun/992192