Purpose
Configure a router to filter traffic based on packet length.
Topology
Guide
- Configure static NAT on router R4.
- The task is to permit only small ICMP echo packets, i.e. those whose Layer 3 length is at most 300 bytes.
- Create an extended access-list ICMP_ECHO that matches all ICMP echo packets.
- Create a route-map ICMP_CONTROL that matches packets permitted by access-list ICMP_ECHO with a length of 301 to 1500 bytes, and routes them to interface Null0 (i.e. drops them).
- Apply the route-map to interface Fa0/0 of R4, the interface facing R5 on which the echo requests arrive.
Reference configuration
Step 1: Basic configuration: IP addresses, OSPF routing, static NAT
Router R4
interface Loopback0
ip address 150.1.4.1 255.255.255.0
!
interface FastEthernet0/0
ip address 155.1.45.4 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.4 255.255.255.0
ip nat inside
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 150.1.4.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
ip http server
ip nat inside source static 10.0.0.1 150.1.4.1
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
Router R5
interface FastEthernet0/0
ip address 155.1.45.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 150.1.5.5 255.255.255.0
duplex auto
speed auto
no keepalive
!
router ospf 1
log-adjacency-changes
network 150.1.5.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login
Router R1
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.4
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login
Step 2: Configure extended access-list ICMP_ECHO and route-map ICMP_CONTROL on router R4
ip access-list extended ICMP_ECHO
permit icmp any any echo
!
route-map ICMP_CONTROL permit 10
match ip address ICMP_ECHO
match length 301 1500
set interface Null0
Apply the route-map to interface Fa0/0 of R4, the interface on which the echo requests from R5 enter (policy routing is evaluated on packets entering the interface it is configured on):
interface FastEthernet0/0
ip policy route-map ICMP_CONTROL
Step 3: Verification
R4#show route-map
route-map ICMP_CONTROL, permit, sequence 10
Match clauses:
ip address (access-lists): ICMP_ECHO
length 301 1500
Set clauses:
interface Null0
Policy routing matches: 0 packets, 0 bytes
R5#ping 150.1.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 28/30/32 ms
R5#ping 150.1.4.1 size 301
Type escape sequence to abort.
Sending 5, 301-byte ICMP Echos to 150.1.4.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R4#show route-map
route-map ICMP_CONTROL, permit, sequence 10
Match clauses:
ip address (access-lists): ICMP_ECHO
length 301 1500
Set clauses:
interface Null0
Policy routing matches: 10 packets, 3050 bytes
Note:
The size parameter of the ping command sets the size of the IP datagram in bytes (IP header included), so ping ... size 301 sends 301-byte Layer 3 packets, the smallest size that the length 301 1500 clause matches; the route-map counter climbs while every echo is lost.
R5#ping 150.1.4.1 size 1501
Type escape sequence to abort.
Sending 5, 1501-byte ICMP Echos to 150.1.4.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
- Although a 1501-byte datagram itself falls outside the route-map's length 301 1500 range, the ping still fails. The MTU of the routers' FastEthernet interfaces is 1500 bytes, so R5 fragments the datagram before sending it: the first fragment carries the ICMP header plus 1480 bytes of data, a 1500-byte Layer 3 packet that is inside the range, and the remaining byte travels in a 21-byte second fragment. The first fragment is permitted by ICMP_ECHO, matches the length clause and is policy-routed to Null0 (dropped); without it the destination cannot reassemble the echo request, so the ping times out. In effect every echo request larger than 300 bytes is discarded, whether or not the sender fragments it.
- Two caveats when using this as a filter: the access-list matches only ICMP echo requests (type 8), so echo replies of any size pass the policy untouched, and packets routed to Null0 still cause the router to generate ICMP unreachables toward the source unless no ip unreachables is configured on interface Null0.
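To see why the size 301 and size 1501 pings fail while the 100-byte ping succeeds, the following Python model, an added example that is not part of the lab page, walks each constructed echo request through the two checks the route-map applies: the ICMP_ECHO access-list (including the IOS rule that a permit entry with Layer 4 information permits non-initial fragments without inspecting them) and the match length 301 1500 clause, after fragmenting the datagram at the 1500-byte FastEthernet MTU the way the sending host does. The Datagram class, the fragment function and the verdict helpers are assumptions of the model, not IOS code.

```python
"""Model of the ICMP_CONTROL route-map applied to constructed echo requests.

Added example (not from the lab page). The Datagram class, fragment() and the
verdict helpers are a simplified model of IOS behaviour, not IOS code.
"""
from dataclasses import dataclass
from typing import List, Optional

MTU = 1500             # FastEthernet MTU on every router in the lab topology
IP_HDR = 20            # IPv4 header length without options
ICMP_ECHO = 8          # ICMP echo request, what `permit icmp any any echo` matches
ICMP_ECHO_REPLY = 0    # ICMP echo reply, not matched by that access-list entry


@dataclass
class Datagram:
    proto: str                       # "icmp", "tcp", ...
    total_len: int                   # Layer 3 length = IPv4 "total length" field
    icmp_type: Optional[int] = None  # only meaningful on the initial fragment
    frag_offset: int = 0             # in 8-byte units; non-zero = non-initial fragment

    @property
    def initial(self) -> bool:
        return self.frag_offset == 0


def fragment(dg: Datagram, mtu: int = MTU) -> List[Datagram]:
    """Split dg as an IPv4 host does when total_len exceeds the link MTU.

    Every fragment except the last carries a payload that is a multiple of 8,
    so a 1501-byte datagram becomes a 1500-byte fragment plus a 21-byte one.
    """
    if dg.total_len <= mtu:
        return [dg]
    payload = dg.total_len - IP_HDR
    chunk = (mtu - IP_HDR) // 8 * 8
    frags: List[Datagram] = []
    offset = 0
    while offset < payload:
        size = min(chunk, payload - offset)
        frags.append(Datagram(dg.proto, IP_HDR + size,
                              dg.icmp_type if offset == 0 else None,
                              offset // 8))
        offset += size
    return frags


def acl_icmp_echo_permits(pkt: Datagram) -> bool:
    """`ip access-list extended ICMP_ECHO` / `permit icmp any any echo`.

    IOS evaluates Layer 4 fields only on the initial fragment; a non-initial
    fragment is permitted by a permit entry that carries Layer 4 information.
    """
    if pkt.proto != "icmp":
        return False
    if not pkt.initial:
        return True
    return pkt.icmp_type == ICMP_ECHO


def route_map_matches(pkt: Datagram, low: int = 301, high: int = 1500) -> bool:
    """route-map ICMP_CONTROL permit 10: both match clauses must be true."""
    return acl_icmp_echo_permits(pkt) and low <= pkt.total_len <= high


def ping_survives(size: int) -> bool:
    """Whether an echo request of `size` bytes (IOS `ping ... size N` sets the
    IP datagram size) reaches the destination intact through R4's policy.

    A fragment that matches is policy-routed to Null0; losing any fragment
    makes the datagram unreassemblable, so the echo request is lost.
    """
    request = Datagram("icmp", size, ICMP_ECHO)
    return not any(route_map_matches(f) for f in fragment(request))


if __name__ == "__main__":
    for n in (100, 300, 301, 1500, 1501):
        print(f"ping size {n}: {'ok' if ping_survives(n) else 'dropped'}")
```

ping_survives(1501) is False because the first fragment is exactly 1500 bytes, inside the range. The model also shows that a 1000-byte echo reply is never matched, since the access-list permits only type 8, so the policy filters one direction only.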
Purpose
Configure a router to drop HTTP traffic for image files (.gif, .jpeg, .jpg) identified by URL, using NBAR classification in a class-map and policy-map.
Reference configuration
Step 1: Basic configuration: IP addresses, OSPF routing, NAT overload (PAT)
Router R4
interface Loopback0
ip address 150.1.4.4 255.255.255.0
!
interface FastEthernet0/0
ip address 155.1.45.4 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.4 255.255.255.0
ip nat inside
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 150.1.4.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
ip http server
ip nat inside source list 1 interface Loopback0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
Router R5
interface FastEthernet0/0
ip address 155.1.45.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 150.1.5.5 255.255.255.0
duplex auto
speed auto
no keepalive
!
router ospf 1
log-adjacency-changes
network 150.1.5.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login
Router R1
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.4
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login
Step 2: Configure class-map IMAGES and policy-map DROP_IMAGES on R4 (NBAR classification requires CEF, hence ip cef first)
ip cef
class-map match-any IMAGES
match protocol http url "*.gif"
match protocol http url "*.jpeg|*.jpg"
!
policy-map DROP_IMAGES
class IMAGES
drop
Apply policy-map DROP_IMAGES inbound (ingress) on interface Fa0/0, the interface facing the web server R5:
interface Fa0/0
service-policy input DROP_IMAGES
Step 3: Verification
Configure R5 as a web server serving the files test.gif, test.jpeg, test.jpg and test.txt from flash (each is a copy of the startup-config; only the file name matters to the URL match):
R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#ip http server
R5(config)#ip http path flash:
R5(config)#do copy start flash:test.gif
Destination filename [test.gif]?
Erase flash: before copying? [confirm]n
Verifying checksum... OK (0x10CB)
1668 bytes copied in 0.288 secs (5792 bytes/sec)
R5(config)#do copy start flash:test.jpg
Destination filename [test.jpg]?
Erase flash: before copying? [confirm]n
Verifying checksum... OK (0x10CB)
1668 bytes copied in 0.300 secs (5560 bytes/sec)
R5(config)#do copy start flash:test.jpeg
Destination filename [test.jpeg]?
Erase flash: before copying? [confirm]n
Verifying checksum... OK (0x10CB)
1668 bytes copied in 0.288 secs (5792 bytes/sec)
R5(config)#do copy start flash:test.txt
Destination filename [test.txt]?
Erase flash: before copying? [confirm]n
Verifying checksum... OK (0x10CB)
1668 bytes copied in 0.294 secs (5670 bytes/sec)
Verification on R1
R1#copy http://150.1.5.5/test.txt null:
Loading http://150.1.5.5/test.txt !
1668 bytes copied in 2.496 secs (668 bytes/sec)
R1#copy http://150.1.5.5/test.gif null:
%Error opening http://150.1.5.5/test.gif (I/O error)
R1#copy http://150.1.5.5/test.jpeg null:
%Error opening http://150.1.5.5/test.jpeg (I/O error)
R1#copy http://150.1.5.5/test.jpg null:
%Error opening http://150.1.5.5/test.jpg (I/O error)
Verification on R4
R4#show policy-map interface FastEthernet 0/0
FastEthernet 0/0
Service-policy input: DROP_IMAGES
Class-map: IMAGES (match-any)
24 packets, 4971 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*.jpeg|*.jpg"
16 packets, 3314 bytes
5 minute rate 0 bps
Match: protocol http url "*.gif"
8 packets, 1657 bytes
5 minute rate 0 bps
drop
Class-map: class-default (match-any)
70 packets, 7822 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
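The following Python model is an added example, not code from the lab page or from Cisco: it translates the two NBAR-style URL globs of class-map IMAGES into regular expressions, classifies constructed HTTP requests by the request line NBAR inspects with match-any semantics, and returns the policy verdict (drop for class IMAGES, forward for class-default). It also makes two limits of URL-based filtering explicit that the counters on R4 do not show: an image served from a URL without an image extension is forwarded because the match keys on the URL string rather than the content, and a TLS connection carries no cleartext request line for the matcher to read. The anchoring of each pattern to the whole request path, the request parser and the sample traffic are assumptions of the model, not NBAR's implementation.

```python
"""Model of the DROP_IMAGES policy: NBAR-style URL globs applied to HTTP requests.

Added example, not from the lab page. glob_to_regex(), the request parser and
the constructed REQUESTS below are a simplified model of NBAR, not its code.
"""
import re
from typing import Dict, List, Optional


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an NBAR-style URL glob: '*' = any run of characters,
    '?' = one character, '|' = alternation. Everything else is literal."""
    alternatives: List[str] = []
    for alt in pattern.split("|"):
        parts: List[str] = []
        for ch in alt:
            if ch == "*":
                parts.append(".*")
            elif ch == "?":
                parts.append(".")
            else:
                parts.append(re.escape(ch))
        alternatives.append("".join(parts))
    # Model assumption: the whole request path must match one alternative.
    return re.compile("^(?:" + "|".join(alternatives) + ")$")


# class-map match-any IMAGES: a URL matching either entry puts the flow in the class
CLASS_IMAGES = [glob_to_regex("*.gif"), glob_to_regex("*.jpeg|*.jpg")]


def http_request_url(raw: bytes) -> Optional[str]:
    """Return the request-target of a cleartext HTTP request, or None when the
    bytes do not form an HTTP request line (for example a TLS ClientHello)."""
    try:
        line = raw.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    fields = line.split(" ")
    if len(fields) != 3 or not fields[2].startswith("HTTP/"):
        return None
    return fields[1]


def classify(raw: bytes) -> str:
    """'drop' when any IMAGES pattern matches the URL (class IMAGES -> drop),
    otherwise 'forward' (class-default)."""
    url = http_request_url(raw)
    if url is None:
        return "forward"   # nothing for a URL matcher to inspect
    if any(p.match(url) for p in CLASS_IMAGES):
        return "drop"
    return "forward"


# Constructed sample traffic (not captured from the lab).
REQUESTS: Dict[str, bytes] = {
    "gif":  b"GET /test.gif HTTP/1.1\r\nHost: 150.1.5.5\r\n\r\n",
    "jpg":  b"GET /test.jpg HTTP/1.1\r\nHost: 150.1.5.5\r\n\r\n",
    "jpeg": b"GET /test.jpeg HTTP/1.1\r\nHost: 150.1.5.5\r\n\r\n",
    "txt":  b"GET /test.txt HTTP/1.1\r\nHost: 150.1.5.5\r\n\r\n",
    # the same GIF bytes served from a URL without an image extension
    "hidden_gif": b"GET /img?id=7 HTTP/1.1\r\nHost: 150.1.5.5\r\n\r\n",
    # leading bytes of a TLS ClientHello: no request line to inspect
    "tls":  b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed\x03\x03",
}


def verdicts() -> Dict[str, str]:
    """Policy verdict for every constructed request, keyed by its label."""
    return {name: classify(raw) for name, raw in REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:>10}: {verdict}")
```

The three image fetches are dropped and the .txt fetch is forwarded, matching the R1 and R4 output above; the hidden_gif and tls cases are forwarded, which is the practical limit of this filter: it sees only cleartext HTTP on ports NBAR treats as HTTP, and it judges the URL, not what is served.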