Network Security Management Case Analysis


1 Network Topology
2 Configuration Analysis
2.1 IGP/MPLS Configuration
2.1.1 RH4 (BRAS) Configuration
mpls lsr-id 4.4.4.4
mpls ldp
quit
isis 595
network-entity 86.4725.0004.0004.0004.00
is-level level-2
quit
interface LoopBack 0
ip address 4.4.4.4 32
isis enable 595
isis circuit-level level-2
quit
interface LoopBack 101
ip address 44.44.44.44 32
isis enable 595
isis circuit-level level-2
quit
interface GigabitEthernet 1/0
undo shut
ip address 45.45.45.4 24
isis enable 595
isis circuit-level level-2
mpls enable
mpls ldp enable
quit
2.1.2 RH5 (CR) Configuration
mpls lsr-id 5.5.5.5
mpls
mpls ldp
quit
isis 595
network-entity 86.4725.0005.0005.0005.00
is-level level-2
quit
interface LoopBack 0
ip address 5.5.5.5 32
isis enable 595
isis circuit-level level-2
quit
interface LoopBack 101
ip address 55.55.55.55 32
isis enable 595
isis circuit-level level-2
quit
interface Ethernet0/0/0
undo shut
ip address 45.45.45.5 24
isis enable 595
isis circuit-level level-2
mpls
mpls ldp
quit
interface Ethernet0/0/1
undo shut
ip address 56.56.56.5 24
isis enable 595
isis circuit-level level-2
mpls
mpls ldp
quit
2.1.3 RH6 (SR) Configuration
mpls lsr-id 6.6.6.6
mpls
mpls ldp
quit
isis 595
network-entity 86.4725.0006.0006.0006.00
is-level level-2
quit
interface LoopBack 0
ip address 6.6.6.6 32
isis enable 595
isis circuit-level level-2
quit
interface LoopBack 101
ip address 66.66.66.66 32
isis enable 595
isis circuit-level level-2
quit
interface Ethernet0/0/0
undo shut
ip address 56.56.56.6 24
isis enable 595
isis circuit-level level-2
mpls
mpls ldp
quit
2.1.4 Verification
Ping the interface addresses of RH4 and RH6 from RH5 to confirm basic connectivity.

<RH5>ping 45.45.45.4
PING 45.45.45.4: 56 data bytes, press CTRL_C to break
Reply from 45.45.45.4: bytes=56 Sequence=1 ttl=255 time=20 ms
Reply from 45.45.45.4: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 45.45.45.4: bytes=56 Sequence=3 ttl=255 time=20 ms
--- 45.45.45.4 ping statistics ---
3 packet(s) transmitted
3 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/16/20 ms
<RH5>ping 56.56.56.6
PING 56.56.56.6: 56 data bytes, press CTRL_C to break
Reply from 56.56.56.6: bytes=56 Sequence=1 ttl=255 time=40 ms
Reply from 56.56.56.6: bytes=56 Sequence=2 ttl=255 time=40 ms
Reply from 56.56.56.6: bytes=56 Sequence=3 ttl=255 time=40 ms
--- 56.56.56.6 ping statistics ---
3 packet(s) transmitted
3 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/40/40 ms
Check the IS-IS neighbors and the MPLS LDP peers to confirm they are up.

<RH5>disp isis peer
Peer information for ISIS(595)
System Id Interface Circuit Id State HoldTime Type PRI
-------------------------------------------------------------------------------
0004.0004.0004 Eth0/0/0 0005.0005.0005.01 Up 30s L2 64
0006.0006.0006 Eth0/0/1 0005.0005.0005.02 Up 25s L2 64
<RH5>disp mpls ldp peer
LDP Peer Information in Public network
A '*' before a peer means the peer is being deleted.
------------------------------------------------------------------------------
PeerID TransportAddress DiscoverySource
------------------------------------------------------------------------------
4.4.4.4:0 4.4.4.4 Ethernet0/0/0
6.6.6.6:0 6.6.6.6 Ethernet0/0/1
------------------------------------------------------------------------------
TOTAL: 2 Peer(s) Found.
<RH5>disp mpls ldp lsp
LDP LSP Information
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
4.4.4.4/32 NULL/3 - 45.45.45.4 Eth0/0/0
4.4.4.4/32 1026/3 4.4.4.4 45.45.45.4 Eth0/0/0
4.4.4.4/32 1026/3 6.6.6.6 45.45.45.4 Eth0/0/0
*4.4.4.4/32 Liberal
5.5.5.5/32 3/NULL 6.6.6.6 127.0.0.1 InLoop0
5.5.5.5/32 3/NULL 4.4.4.4 127.0.0.1 InLoop0
*5.5.5.5/32 Liberal
*5.5.5.5/32 Liberal
6.6.6.6/32 NULL/3 - 56.56.56.6 Eth0/0/1
6.6.6.6/32 1025/3 6.6.6.6 56.56.56.6 Eth0/0/1
6.6.6.6/32 1025/3 4.4.4.4 56.56.56.6 Eth0/0/1
*6.6.6.6/32 Liberal
44.44.44.44/32 NULL/3 - 45.45.45.4 Eth0/0/0
44.44.44.44/32 1027/3 4.4.4.4 45.45.45.4 Eth0/0/0
44.44.44.44/32 1027/3 6.6.6.6 45.45.45.4 Eth0/0/0
*44.44.44.44/32 Liberal
55.55.55.55/32 3/NULL 6.6.6.6 127.0.0.1 InLoop0
55.55.55.55/32 3/NULL 4.4.4.4 127.0.0.1 InLoop0
*55.55.55.55/32 Liberal
*55.55.55.55/32 Liberal
66.66.66.66/32 NULL/3 - 56.56.56.6 Eth0/0/1
66.66.66.66/32 1024/3 6.6.6.6 56.56.56.6 Eth0/0/1
66.66.66.66/32 1024/3 4.4.4.4 56.56.56.6 Eth0/0/1
*66.66.66.66/32 Liberal
-------------------------------------------------------------------------------
TOTAL: 16 Normal LSP(s) Found.
TOTAL: 8 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is in GR state
A '*' before a NextHop means the LSP is FRR LSP
2.2 BGP Configuration
2.2.1 RH4 (BRAS) Configuration
bgp 64725
peer 5.5.5.5 as-number 64725
peer 5.5.5.5 connect-interface LoopBack 0
peer 55.55.55.55 as-number 64725
peer 55.55.55.55 connect-interface LoopBack 101
address-family ipv4 unicast
peer 55.55.55.55 enable
quit
address-family vpnv4
peer 5.5.5.5 enable
quit
quit
2.2.2 RH5 (CR) Configuration
bgp 64725
peer 4.4.4.4 as-number 64725
peer 4.4.4.4 connect-interface LoopBack0
peer 44.44.44.44 as-number 64725
peer 44.44.44.44 connect-interface LoopBack101
peer 6.6.6.6 as-number 64725
peer 6.6.6.6 connect-interface LoopBack0
peer 66.66.66.66 as-number 64725
peer 66.66.66.66 connect-interface LoopBack101
undo peer 4.4.4.4 enable
undo peer 6.6.6.6 enable
peer 44.44.44.44 reflect-client
peer 66.66.66.66 reflect-client
ipv4-family vpnv4
peer 4.4.4.4 enable
peer 6.6.6.6 enable
peer 4.4.4.4 reflect-client
peer 6.6.6.6 reflect-client
undo policy vpn-target
quit
quit
2.2.3 RH6 (SR) Configuration
bgp 64725
peer 5.5.5.5 as-number 64725
peer 5.5.5.5 connect-interface LoopBack 0
peer 55.55.55.55 as-number 64725
peer 55.55.55.55 connect-interface LoopBack 101
undo peer 5.5.5.5 enable
ipv4-family vpnv4
peer 5.5.5.5 enable
quit
quit
2.2.4 Verification
Check the BGP peers to confirm the sessions are established.

<RH5>disp bgp peer
BGP local router ID : 45.45.45.5
Local AS number : 64725
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
44.44.44.44 4 64725 3 4 0 00:00:32 Established 0
66.66.66.66 4 64725 9 9 0 00:04:24 Established 0
<RH5>disp bgp vpnv4 all peer
BGP local router ID : 45.45.45.5
Local AS number : 64725
Total number of peers : 2 Peers in established state : 2
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
4.4.4.4 4 64725 3 2 0 00:00:21 Established 0
6.6.6.6 4 64725 5 5 0 00:03:41 Established 0
2.3 PPPoE Service Configuration
2.3.1 RH2 (Access Switch) Configuration
vlan batch 2 3
interface Ethernet0/0/1
undo shutdown
port link-type access
port default vlan 3
quit
interface Ethernet0/0/0
undo shutdown
port link-type access
port default vlan 2
quit
interface Eth-Trunk2
quit
interface Ethernet0/0/2
undo shutdown
eth-trunk 2
quit
interface Ethernet0/0/3
undo shutdown
eth-trunk 2
quit
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 2 3
quit
2.3.2 RH3 (Aggregation Switch) Configuration
vlan batch 22 33
interface Eth-Trunk2
quit
interface Ethernet0/0/0
undo shutdown
eth-trunk 2
quit
interface Ethernet 0/0/2
undo shutdown
eth-trunk 2
quit
interface Eth-Trunk2
portswitch
port vlan-stacking outside-vlan 2 stack-vlan 22
port vlan-stacking outside-vlan 3 stack-vlan 33
quit
interface Ethernet0/0/3
undo shutdown
port link-type trunk
port trunk allow-pass vlan 22 33
quit
2.3.3 RH4 (BRAS) Configuration
ip pool pppoe-1 100.0.0.2 100.0.0.254
ip pool pppoe-1 100.0.0.1
domain qzadsl
authorization-attribute ip-pool pppoe-1
authorization-attribute primary-dns ip 218.85.152.99
authorization-attribute secondary-dns ip 218.85.157.99
authentication ppp local
authorization ppp local
accounting ppp local
quit
domain default enable qzadsl
local-user 22594511 class network
service-type ppp
password simple 22594511
quit
interface Virtual-Template 1
ppp authentication-mode pap
ip address unnumbered interface LoopBack 0
quit
interface GigabitEthernet 2/0.3
vlan-type dot1q vid 33 second-dot1q 3
pppoe-server bind virtual-template 1
quit
2.3.4 RH4 (BRAS) Route Advertisement
ip route-static 100.0.0.0 24 NULL 0
bgp 64725
address-family ipv4 unicast
import-route static
quit
quit
2.3.5 Verification
Before RH4 advertises the route, RH5's routing table is as follows.

<RH5>disp ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 12 Routes : 12
Destination/Mask Proto Pre Cost Flags NextHop Interface
4.4.4.4/32 ISIS 15 10 D 45.45.45.4 Ethernet0/0/0
5.5.5.5/32 Direct 0 0 D 127.0.0.1 InLoopBack0
6.6.6.6/32 ISIS 15 10 D 56.56.56.6 Ethernet0/0/1
44.44.44.44/32 ISIS 15 10 D 45.45.45.4 Ethernet0/0/0
45.45.45.0/24 Direct 0 0 D 45.45.45.5 Ethernet0/0/0
45.45.45.5/32 Direct 0 0 D 127.0.0.1 InLoopBack0
55.55.55.55/32 Direct 0 0 D 127.0.0.1 InLoopBack0
56.56.56.0/24 Direct 0 0 D 56.56.56.5 Ethernet0/0/1
56.56.56.5/32 Direct 0 0 D 127.0.0.1 InLoopBack0
66.66.66.66/32 ISIS 15 10 D 56.56.56.6 Ethernet0/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
After RH4 advertises the route, RH5's routing table is as follows.

<RH5>disp ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 13 Routes : 13
Destination/Mask Proto Pre Cost Flags NextHop Interface
4.4.4.4/32 ISIS 15 10 D 45.45.45.4 Ethernet0/0/0
5.5.5.5/32 Direct 0 0 D 127.0.0.1 InLoopBack0
6.6.6.6/32 ISIS 15 10 D 56.56.56.6 Ethernet0/0/1
44.44.44.44/32 ISIS 15 10 D 45.45.45.4 Ethernet0/0/0
45.45.45.0/24 Direct 0 0 D 45.45.45.5 Ethernet0/0/0
45.45.45.5/32 Direct 0 0 D 127.0.0.1 InLoopBack0
55.55.55.55/32 Direct 0 0 D 127.0.0.1 InLoopBack0
56.56.56.0/24 Direct 0 0 D 56.56.56.5 Ethernet0/0/1
56.56.56.5/32 Direct 0 0 D 127.0.0.1 InLoopBack0
66.66.66.66/32 ISIS 15 10 D 56.56.56.6 Ethernet0/0/1
100.0.0.0/24 BGP 255 0 RD 44.44.44.44 Ethernet0/0/0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
Create a PPPoE dial-up connection on WinXP1 with username 22594511 and password 22594511; once the connection is up, ping 5.5.5.5 succeeds.

The online-user record on RH4 is as follows.

[H3C]disp ppp access-user domain qzadsl
Interface Username MAC address IP address IPv6 address IPv6 PDPrefix
VA0 22594511 00d0-f826-0100 100.0.0.1 - -
2.4 MPLS VPN Service Configuration
2.4.1 RH6 (SR) Configuration
ip vpn-instance QZVPN1650001-IPLAB
route-distinguisher 4809:1650001
vpn-target 4809:165001500
quit
interface Ethernet0/0/1
ip binding vpn-instance QZVPN1650001-IPLAB
ip address 192.168.0.1 25
quit
ip route-static vpn-instance QZVPN1650001-IPLAB 0.0.0.0 0.0.0.0 192.168.0.2
ip route-static vpn-instance QZVPN1650001-IPLAB 192.168.0.0 255.255.255.0 NULL0
bgp 64725
ipv4-family vpn-instance QZVPN1650001-IPLAB
import-route static
default-route imported
quit
quit
When the masks are the same, the direct route is preferred over the static route, so the blackhole route never becomes active. Therefore, when the routes are advertised by importing static routes, the blackhole route must not be configured with the same mask as the connected route.
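To make the route-selection argument above concrete, here is an added example in Python (not part of the case study). It models the preference values shown in the case study's own routing tables (Direct 0, ISIS 15, Static 60, BGP 255), the active-route selection that decides what import-route static can hand to BGP, and the longest-prefix lookup; the same-mask variant is constructed for contrast with the /24 blackhole RH6 actually uses.

```python
import ipaddress

# Route preference values as shown in the case study's routing-table output.
PREF = {"Direct": 0, "ISIS": 15, "Static": 60, "BGP": 255}

def active_routes(candidates):
    """Per prefix, keep only the route with the lowest preference value."""
    best = {}
    for proto, prefix, nexthop in candidates:
        net = ipaddress.ip_network(prefix)
        if net not in best or PREF[proto] < PREF[best[net][0]]:
            best[net] = (proto, nexthop)
    return best

def import_static(rib, default_route_imported=True):
    """Model 'import-route static' plus 'default-route imported':
    only ACTIVE static routes are handed to BGP."""
    return sorted(str(net) for net, (proto, _) in rib.items()
                  if proto == "Static"
                  and (default_route_imported or net.prefixlen > 0))

def lookup(rib, dst):
    """Longest-prefix match over the active routes, as forwarding does."""
    addr = ipaddress.ip_address(dst)
    hits = [net for net in rib if addr in net]
    return rib[max(hits, key=lambda n: n.prefixlen)] if hits else None

# RH6 VPN routes from section 2.4.1: the connected /25 towards the CE and
# the static default pointing at the CE (192.168.0.2).
BASE = [("Direct", "192.168.0.0/25", "Ethernet0/0/1"),
        ("Static", "0.0.0.0/0", "192.168.0.2")]
# Wrong variant (constructed): blackhole with the same /25 mask.
SAME_MASK = BASE + [("Static", "192.168.0.0/25", "NULL0")]
# Variant from the case study: blackhole on the /24 aggregate.
PAGE_CONFIG = BASE + [("Static", "192.168.0.0/24", "NULL0")]

if __name__ == "__main__":
    bad = active_routes(SAME_MASK)
    print(import_static(bad))            # ['0.0.0.0/0']: /25 blackhole lost to Direct
    print(lookup(bad, "192.168.0.200"))  # ('Static', '192.168.0.2'): sent back to the CE
    good = active_routes(PAGE_CONFIG)
    print(import_static(good))           # ['0.0.0.0/0', '192.168.0.0/24']
    print(lookup(good, "192.168.0.5"))   # ('Direct', 'Ethernet0/0/1'): LPM picks the /25
    print(lookup(good, "192.168.0.200")) # ('Static', 'NULL0'): unused space is dropped
```

With the same mask, the /24 aggregate is never advertised into the VPN and traffic for unused addresses in the block follows the default back to the CE; with the /24 blackhole it is dropped locally.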

2.4.2 RH4 (BRAS) Configuration
ip vpn-instance QZVPN1650001-IPLAB
route-distinguisher 4809:1650001
vpn-target 4809:165001500
quit
interface GigabitEthernet 2/0.2
vlan-type dot1q vid 22 second-dot1q 2
ip binding vpn-instance QZVPN1650001-IPLAB
ip address 10.0.0.1 25
quit
ip route-static vpn-instance QZVPN1650001-IPLAB 10.0.0.0 255.255.255.0 NULL 0
bgp 64725
ip vpn-instance QZVPN1650001-IPLAB
address-family ipv4 unicast
import-route static
quit
quit
quit
2.4.3 Verification
Check the VPN routing table to confirm the routes are advertised correctly.

[RH6]DISP IP routing-table vpn-instance QZVPN1650001-IPLAB
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: QZVPN1650001-IPLAB
Destinations : 4 Routes : 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.0.0/24 BGP 255 0 RD 4.4.4.4 Ethernet0/0/0
192.168.0.0/24 Static 60 0 D 0.0.0.0 NULL0
192.168.0.0/25 Direct 0 0 D 192.168.0.1 Ethernet0/0/1
192.168.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
2.4.4 Firewall Configuration
interface gigabitEthernet 1
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.128
exit
interface gigabitEthernet 0
nameif dmz
security-level 50
ip address 172.16.0.254 255.255.255.0
exit
route outside 0.0.0.0 0.0.0.0 10.0.0.1
object network fuwuqi
host 172.16.0.1
nat (dmz,outside) static 10.0.0.3 service tcp 23 6060
exit
access-list 100 extended permit tcp host 192.168.0.2 host 172.16.0.1
access-group 100 in interface outside
2.4.5 RH1 (Server) Configuration
interface Ethernet0/0/0
undo shutdown
ip address 172.16.0.1 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 172.16.0.254
acl number 2000
rule permit source 192.168.0.2 0
quit
aaa
local-user qz password simple qz
local-user qz level 15
quit
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
quit
2.4.6 Verification
From RH7, telnet to 10.0.0.3 on port 6060 and check whether the session reaches RH1.

<RH7>telnet 10.0.0.3 6060
Trying 10.0.0.3 ...
Press CTRL+K to abort
Connected to 10.0.0.3 ...
Login authentication
Username:qz
Password:
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
