Reflexive Access-Lists and Router-Generated Traffic 自反列表与路由器产生的流量-阿里云开发者社区

Reflexive Access-Lists and Router-Generated Traffic 自反列表与路由器产生的流量

2017-11-12 1299

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

简介：

【实验说明】

配置路由器，使得自反访问控制列表能够计算路由器产生的流量

IOS：c3640-jk9s-mz.124-16.bin

【实验拓扑】

【实验配置向导】

将上述网络配置为“Traffic Filtering with ReflexiveAccess-Lists”
为access-list OUTBOUND 增加一行允许出站的 TCP 79端口流量并自反到MIRROR
创建扩展访问控制列表LOCAL_TRAFFIC 匹配任意到任意的TCP与ICMP 流量
创建 route-map LOCAL_POLICY; 匹配访问控制列表 LOCAL_TRAFFIC 后 set interface Loopback0
将 route-map LOCAL_POLICY 应用到本地策略中

【实验 Traffic Filtering with Reflexive Access-Lists 配置】

--------------------------------实验PAT配置---------------------------------------------------------

R1:

interface FastEthernet0/0

ip address 10.0.0.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.0.0.4

no sh

R6:

interface FastEthernet0/0

ip address 10.0.0.6 255.255.255.0

ip route 0.0.0.0 0.0.0.0 10.0.0.4

no sh

R4：

interface Loopback0

ip address 150.1.4.4 255.255.255.0

ip ospf network point-to-point

no sh

interface FastEthernet0/0

ip address 10.0.0.4 255.255.255.0

ip nat inside

no sh

interface serial0/0

en fram

no sh

interface Serial0/0.1 point-to-point

ip address 155.1.0.4 255.255.255.0

frame-relay interface-dlci 405

ip nat outside

no sh

interface Serial0/1

ip address 155.1.45.4 255.255.255.0

clock rate 2000000

ip nat outside

no sh

router ospf 1

router-id 150.1.4.4

network 150.1.4.4 0.0.0.0 area 0

network 155.1.0.4 0.0.0.0 area 0

network 155.1.45.4 0.0.0.0 area 0

router bgp 1

bgp router-id 150.1.4.4

neighbor 150.1.5.5 remote-as 2

neighbor 150.1.5.5 ebgp-multihop 255

neighbor 150.1.5.5 update-source Loopback0

ip access-list standard INSIDE_NETWORK

permit 10.0.0.0 0.0.0.255

ip nat inside source list INSIDE_NETWORK interface Loop0 overload

R5:

interface Loopback0

ip address 150.1.5.5 255.255.255.0

ip ospf network point-to-point

no sh

interface Serial0/0

encapsulation frame-relay

no sh

interface Serial0/0.1 point-to-point

ip address 155.1.0.5 255.255.255.0

frame-relay interface-dlci 504

no sh

interface Serial0/1

ip address 155.1.45.5 255.255.255.0

clock rate 2000000

no sh

router ospf 1

router-id 150.1.5.5

network 150.1.5.5 0.0.0.0 area 0

network 155.1.0.5 0.0.0.0 area 0

network 155.1.45.5 0.0.0.0 area 0

router bgp 2

bgp router-id 150.1.5.5

neighbor 150.1.4.4 remote-as 1

neighbor 150.1.4.4 ebgp-multihop 255

neighbor 150.1.4.4 update-source Loopback0

neighbor 150.1.4.4 default-originate

----------------------------------------------自反访问控制列表配置-----------------------------------------------------

R4:

ip access-list extended OUTBOUND

permit tcp any any eq 80 reflect MIRROR

permit tcp any any eq 23 reflect MIRROR

permit icmp any any echo reflect MIRROR

ip access-list extended INBOUND

evaluate MIRROR

permit ospf any any

deny ip any any log

int s0/1

ip access-group OUTBOUND out

ip access-group INBOUND in

int s0/0.1

ip access-group OUTBOUND out

ip access-group INBOUND in

【实验配置】

ip access-list ext OUTBOUND

permit tcp any any eq 179 reflect MIRROR

ip access-list extended LOCAL_TRAFFIC

permit tcp any any

permit icmp any any

route-map LOCAL_POLICY

match ip address LOCAL_TRAFFIC

set interface Loopback0

ip local policy route-map LOCAL_POLICY

【实验验证】

该实验验证了默认情况下，路由器自身产生的流量不会进行自反，本实验配置如何让路由器产生的流量也能够自反，我们使用 ip local policy 它是应用于本地的策略，即应用于自身路由器的策略

R4#ping 150.1.5.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/48/72 ms

R4#telnet 150.1.5.5

Trying 150.1.5.5 ... Open

R4#show access-list MIRROR

Reflexive IP access list MIRROR

permit tcp host 150.1.5.5 eq telnet host 155.1.45.4 eq 39870 (38 matches) (time left 2)

permit tcp host 150.1.5.5 eq bgp host 150.1.4.4 eq 27752 (23 matches) (time left 274)

permit icmp host 150.1.5.5 host 155.1.0.4 (28 matches) (time left 292)

permit icmp host 150.1.5.5 host 155.1.45.4 (32 matches) (time left 292)

本文转自zcm8483 51CTO博客，原文链接:http://blog.51cto.com/haolun/992192

Reflexive Access-Lists and Router-Generated Traffic 自反列表与路由器产生的流量

热门文章

最新文章

相关电子书

探索云世界

热门

云计算

大数据

云原生

人工智能

数据库

开发与运维

活动广场

任务中心

训练营

直播

乘风者计划

下载

镜像站

技术资料

Reflexive Access-Lists and Router-Generated Traffic 自反列表与路由器产生的流量

热门文章

最新文章

相关电子书