网络安全管理案例解析

网络安全管理案例解析

1 网络拓扑

2 配置解析

2.1 IGP/MPLS配置

2.1.1 RH4(BRAS)配置

mpls lsr-id 4.4.4.4 mpls ldp quit

isis 595

network-entity 86.4725.0004.0004.0004.00 is-level level-2 quit

interface LoopBack 0 ip address 4.4.4.4 32 isis enable 595

isis circuit-level level-2

quit

interface LoopBack 101 ip address 44.44.44.44 32 isis enable 595

isis circuit-level level-2 quit

interface GigabitEthernet 1/0 undo shut

ip address 45.45.45.4 24 isis enable 595

isis circuit-level level-2 mpls enable mpls ldp enable quit

2.1.2 RH5(CR)配置

mpls lsr-id 5.5.5.5 mpls mpls ldp quit

isis 595

network-entity 86.4725.0005.0005.0005.00 is-level level-2 quit

interface LoopBack 0 ip address 5.5.5.5 32 isis enable 595

isis circuit-level level-2 quit

interface LoopBack 101 ip address 55.55.55.55 32 isis enable 595

isis circuit-level level-2 quit

interface Ethernet0/0/0 undo shut

ip address 45.45.45.5 24 isis enable 595

isis circuit-level level-2

mpls mpls ldp quit

interface Ethernet0/0/1 undo shut

ip address 56.56.56.5 24 isis enable 595

isis circuit-level level-2 mpls mpls ldp quit

2.1.3 RH6(SR)配置

mpls lsr-id 6.6.6.6 mpls

mpls ldp quit

isis 595

network-entity 86.4725.0006.0006 is-level level-2 quit

interface LoopBack 0 ip address 6.6.6.6 32 isis enable 595

isis circuit-level level-2 quit

interface LoopBack 101 ip address 66.66.66.66 32 isis enable 595

isis circuit-level level-2 quit

interface Ethernet0/0/0 undo shut

ip address 56.56.56.6 24 isis enable 595

isis circuit-level level-2 mpls mpls ldp quit

2.1.4 结果验证

 从RH5 PING RH4和RH6的接口IP，确认是否正常。

ping 45.45.45.4

PING 45.45.45.4: 56 data bytes, press CTRL_C to break

Reply from 45.45.45.4: bytes=56 Sequence=1 ttl=255 time=20 ms Reply from 45.45.45.4: bytes=56 Sequence=2 ttl=255 time=10 ms Reply from 45.45.45.4: bytes=56 Sequence=3 ttl=255 time=20 ms

--- 45.45.45.4 ping statistics --- 3 packet(s) transmitted 3 packet(s) received 0.00% packet loss

round-trip min/avg/max = 10/16/20 ms

ping 56.56.56.6

PING 56.56.56.6: 56 data bytes, press CTRL_C to break

Reply from 56.56.56.6: bytes=56 Sequence=1 ttl=255 time=40 ms Reply from 56.56.56.6: bytes=56 Sequence=2 ttl=255 time=40 ms Reply from 56.56.56.6: bytes=56 Sequence=3 ttl=255 time=40 ms

--- 56.56.56.6 ping statistics --- 3 packet(s) transmitted 3 packet(s) received 0.00% packet loss

round-trip min/avg/max = 40/40/40 ms

 查看ISIS邻居、MPLS对等体信息，确认是否正常。

disp isis peer

Peer information for ISIS(595)

System Id Interface Circuit Id State HoldTime Type -------------------------------------------------------------------------------

0004.0004.0004 Eth0/0/0 0005.0005.0005.01 Up 30s L2 0006.0006.0006 Eth0/0/1 0005.0005.0005.02 Up 25s L2

disp mpls ldp peer

LDP Peer Information in Public network

A '*' before a peer means the peer is being deleted.

------------------------------------------------------------------------------

PeerID TransportAddress DiscoverySource ------------------------------------------------------------------------------

PRI 64 64

4.4.4.4:0 4.4.4.4 Ethernet0/0/0 6.6.6.6:0 6.6.6.6 Ethernet0/0/1 ------------------------------------------------------------------------------ TOTAL: 2 Peer(s) Found.

disp mpls ldp lsp

LDP LSP Information

-------------------------------------------------------------------------------

DestAddress/Mask In/OutLabel UpstreamPeer NextHop -------------------------------------------------------------------------------

4.4.4.4/32 NULL/3 - 45.45.45.4 4.4.4.4/32 1026/3 4.4.4.4 45.45.45.4 4.4.4.4/32 1026/3 6.6.6.6 45.45.45.4 *4.4.4.4/32 Liberal

5.5.5.5/32 3/NULL 6.6.6.6 127.0.0.1 5.5.5.5/32 3/NULL 4.4.4.4 127.0.0.1 *5.5.5.5/32 Liberal *5.5.5.5/32 Liberal

6.6.6.6/32 NULL/3 - 56.56.56.6 6.6.6.6/32 1025/3 6.6.6.6 56.56.56.6 6.6.6.6/32 1025/3 4.4.4.4 56.56.56.6 *6.6.6.6/32 Liberal

44.44.44.44/32 NULL/3 - 45.45.45.4 44.44.44.44/32 1027/3 4.4.4.4 45.45.45.4 44.44.44.44/32 1027/3 6.6.6.6 45.45.45.4 *44.44.44.44/32 Liberal

55.55.55.55/32 3/NULL 6.6.6.6 127.0.0.1 55.55.55.55/32 3/NULL 4.4.4.4 127.0.0.1 *55.55.55.55/32 Liberal *55.55.55.55/32 Liberal

66.66.66.66/32 NULL/3 - 56.56.56.6 66.66.66.66/32 1024/3 6.6.6.6 56.56.56.6 66.66.66.66/32 1024/3 4.4.4.4 56.56.56.6 *66.66.66.66/32 Liberal

------------------------------------------------------------------------------- TOTAL: 16 Normal LSP(s) Found. TOTAL: 8 Liberal LSP(s) Found. TOTAL: 0 Frr LSP(s) Found.

A '*' before an LSP means the LSP is not established A '*' before a Label means the USCB or DSCB is stale

A '*' before a UpstreamPeer means the session is in GR state A '*' before a NextHop means the LSP is FRR LSP

OutInterface Eth0/0/0 Eth0/0/0 InLoop0 InLoop0 Eth0/0/1 Eth0/0/1 Eth0/0/0 Eth0/0/0 Eth0/0/0 InLoop0 InLoop0 Eth0/0/1 Eth0/0/1 Eth0/0/1 Eth0/0/0 Eth0/0/1

4.4.4.4:0 4.4.4.4 Ethernet0/0/0 6.6.6.6:0 6.6.6.6 Ethernet0/0/1 ------------------------------------------------------------------------------ TOTAL: 2 Peer(s) Found.

disp mpls ldp lsp

LDP LSP Information

-------------------------------------------------------------------------------

DestAddress/Mask In/OutLabel UpstreamPeer NextHop -------------------------------------------------------------------------------

4.4.4.4/32 NULL/3 - 45.45.45.4 4.4.4.4/32 1026/3 4.4.4.4 45.45.45.4 4.4.4.4/32 1026/3 6.6.6.6 45.45.45.4 *4.4.4.4/32 Liberal

5.5.5.5/32 3/NULL 6.6.6.6 127.0.0.1 5.5.5.5/32 3/NULL 4.4.4.4 127.0.0.1 *5.5.5.5/32 Liberal *5.5.5.5/32 Liberal

6.6.6.6/32 NULL/3 - 56.56.56.6 6.6.6.6/32 1025/3 6.6.6.6 56.56.56.6 6.6.6.6/32 1025/3 4.4.4.4 56.56.56.6 *6.6.6.6/32 Liberal

44.44.44.44/32 NULL/3 - 45.45.45.4 44.44.44.44/32 1027/3 4.4.4.4 45.45.45.4 44.44.44.44/32 1027/3 6.6.6.6 45.45.45.4 *44.44.44.44/32 Liberal

55.55.55.55/32 3/NULL 6.6.6.6 127.0.0.1 55.55.55.55/32 3/NULL 4.4.4.4 127.0.0.1 *55.55.55.55/32 Liberal *55.55.55.55/32 Liberal

66.66.66.66/32 NULL/3 - 56.56.56.6 66.66.66.66/32 1024/3 6.6.6.6 56.56.56.6 66.66.66.66/32 1024/3 4.4.4.4 56.56.56.6 *66.66.66.66/32 Liberal

------------------------------------------------------------------------------- TOTAL: 16 Normal LSP(s) Found. TOTAL: 8 Liberal LSP(s) Found. TOTAL: 0 Frr LSP(s) Found.

A '*' before an LSP means the LSP is not established A '*' before a Label means the USCB or DSCB is stale

A '*' before a UpstreamPeer means the session is in GR state A '*' before a NextHop means the LSP is FRR LSP

OutInterface Eth0/0/0 Eth0/0/0 InLoop0 InLoop0 Eth0/0/1 Eth0/0/1 Eth0/0/0 Eth0/0/0 Eth0/0/0 InLoop0 InLoop0 Eth0/0/1 Eth0/0/1 Eth0/0/1 Eth0/0/0 Eth0/0/1

2.2 BGP配置

2.2.1 RH4(BRAS)配置

bgp 64725

peer 5.5.5.5 as-number 64725

peer 5.5.5.5 connect-interface LoopBack 0 peer 55.55.55.55 as-number 64725

peer 55.55.55.55 connect-interface LoopBack 101 address-family ipv4 unicast peer 55.55.55.55 enable quit

address-family vpnv4 peer 5.5.5.5 enable quit quit

2.2.2 RH5(CR)配置

bgp 64725

peer 4.4.4.4 as-number 64725

peer 4.4.4.4 connect-interface LoopBack0 peer 44.44.44.44 as-number 64725

peer 44.44.44.44 connect-interface LoopBack101 peer 6.6.6.6 as-number 64725

peer 6.6.6.6 connect-interface LoopBack0 peer 66.66.66.66 as-number 64725

peer 66.66.66.66 connect-interface LoopBack101 undo peer 4.4.4.4 enable undo peer 6.6.6.6 enable

peer 44.44.44.44 reflect-client peer 66.66.66.66 reflect-client ipv4-family vpn

peer 4.4.4.4 enable peer 6.6.6.6 enable

peer 4.4.4.4 reflect-client peer 6.6.6.6 reflect-client undo policy vpn-target quit quit

2.2.3 RH6(SR)配置

bgp 64725

peer 5.5.5.5 as-number 64725

peer 5.5.5.5 connect-interface LoopBack 0 peer 55.55.55.55 as-number 64725

peer 55.55.55.55 connect-interface LoopBack 101 undo peer 5.5.5.5 enable ipv4-family vpnv4 peer 5.5.5.5 enable quit quit

2.2.4 结果验证

 查看BGP对等体信息，确认是否正常。

disp bgp peer

BGP local router ID : 45.45.45.5 Local AS number : 64725

Total number of peers : 2

Peer V AS

44.44.44.44 4 64725 66.66.66.66 4 64725

disp bgp vpnv4 all peer

BGP local router ID : 45.45.45.5 Local AS number : 64725

Total number of peers : 2

Peer V AS

4.4.4.4 4 64725 6.6.6.6 4 64725 2.3 PPPOE业务配置

2.3.1 RH2(接入交换机)配置

vlan batch 2 3

interface Ethernet0/0/1 undo shutdown

port link-type access port default vlan 3 quit

interface Ethernet0/0/0 undo shutdown

Peers in established state : 2 MsgRcvd MsgSent OutQ Up/Down State PrefRcv 3 4 0 00:00:32 Established 0 9 9 0 00:04:24 Established 0 Peers in established state : 2 MsgRcvd MsgSent OutQ Up/Down State PrefRcv 3 2 0 00:00:21 Established 0 5 5 0 00:03:41 Established 0

port link-type access port default vlan 2 quit

interface Eth-Trunk2 quit

interface Ethernet0/0/2 undo shutdown eth-trunk 2 quit

interface Ethernet0/0/3 undo shutdown eth-trunk 2 quit

interface Eth-Trunk2 port link-type trunk

port trunk allow-pass vlan 2 3 quit

2.3.2 RH3(汇聚交换机)配置

vlan batch 22 33

interface Eth-Trunk2 quit

interface Ethernet0/0/0 undo shutdown eth-trunk 2 quit

interface Ethernet 0/0/2 undo shutdown eth-trunk 2 quit

interface Eth-Trunk2 portswitch

port vlan-stacking outside-vlan 2 stack-vlan 22 port vlan-stacking outside-vlan 3 stack-vlan 33 quit

interface Ethernet0/0/3

undo shutdown port link-type trunk

port trunk allow-pass vlan 22 33 quit

2.3.3 RH4(BRAS)配置

ip pool pppoe-1 100.0.0.2 100.0.0.254 ip pool pppoe-1 100.0.0.1

domain qzadsl

authorization-attribute ip-pool pppoe-1

authorization-attribute primary-dns ip 218.85.152.99 authorization-attribute secondary-dns ip 218.85.157.99 authentication ppp local authorization ppp local accounting ppp local quit

domain default enable qzadsl

local-user 22594511 class network service-type ppp

password simple 22594511 quit

interface Virtual-Template 1 ppp authentication-mode pap

ip address unnumbered interface LoopBack 0 quit

interface GigabitEthernet 2/0.3

vlan-type dot1q vid 33 second-dot1q 3 pppoe-server bind virtual-template 1 quit

2.3.4 RH4(BRAS)路由发布

ip route-static 100.0.0.0 24 NULL 0

bgp 64725

address-family ipv4 unicast import-route static quit

2.3.5 结果验证

 在RH4路由发布前，RH5的路由表项如下。

disp ip routing-table

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------ Routing Tables: Public

Destinations : 12 Routes : 12

Destination/Mask Proto Pre Cost Flags NextHop Interface

4.4.4.4/32 ISIS 15 10 D 45.45.45.4 Ethernet0/0/0 5.5.5.5/32 Direct 0 0 D 127.0.0.1 InLoopBack0 6.6.6.6/32 ISIS 15 10 D 56.56.56.6 Ethernet0/0/1 44.44.44.44/32 ISIS 15 10 D 45.45.45.4 Ethernet0/0/0 45.45.45.0/24 Direct 0 0 D 45.45.45.5 Ethernet0/0/0 45.45.45.5/32 Direct 0 0 D 127.0.0.1 InLoopBack0 55.55.55.55/32 Direct 0 0 D 127.0.0.1 InLoopBack0 56.56.56.0/24 Direct 0 0 D 56.56.56.5 Ethernet0/0/1 56.56.56.5/32 Direct 0 0 D 127.0.0.1 InLoopBack0 66.66.66.66/32 ISIS 15 10 D 56.56.56.6 Ethernet0/0/1 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

 在RH4路由发布后，RH5的路由表项如下。

disp ip routing-table

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------ Routing Tables: Public

Destinations : 13 Routes : 13

Destination/Mask Proto Pre Cost Flags NextHop Interface

4.4.4.4/32 ISIS 15 10 D 45.45.45.4 Ethernet0/0/0 5.5.5.5/32 Direct 0 0 D 127.0.0.1 InLoopBack0 6.6.6.6/32 ISIS 15 10 D 56.56.56.6 Ethernet0/0/1 44.44.44.44/32 ISIS 15 10 D 45.45.45.4 Ethernet0/0/0 45.45.45.0/24 Direct 0 0 D 45.45.45.5 Ethernet0/0/0 45.45.45.5/32 Direct 0 0 D 127.0.0.1 InLoopBack0 55.55.55.55/32 Direct 0 0 D 127.0.0.1 InLoopBack0 56.56.56.0/24 Direct 0 0 D 56.56.56.5 Ethernet0/0/1 56.56.56.5/32 Direct 0 0 D 127.0.0.1 InLoopBack0 66.66.66.66/32 ISIS 15 10 D 56.56.56.6 Ethernet0/0/1 100.0.0.0/24 BGP 255 0 RD 44.44.44.44 Ethernet0/0/0 127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

 在WinXP1创建PPPOE拨号连接，用户名22594511，密码22594511，拨号成功后，ping

5.5.5.5正常。在RH4查看上线记录如下。

[H3C]disp ppp access-user domain qzadsl

Interface Username MAC address IP address IPv6 address IPv6 PDPrefix VA0 22594511 00d0-f826-0100 100.0.0.1 - -

2.4 MPLS VPN业务配置

2.4.1 RH6(SR)配置

ip vpn-instance QZVPN1650001-IPLAB route-distinguisher 4809:1650001 vpn-target 4809:165001500 quit

interface Ethernet0/0/1

ip binding vpn-instance QZVPN1650001-IPLAB ip address 192.168.0.1 25 quit

ip route-static vpn-instance QZVPN1650001-IPLAB 0.0.0.0 0.0.0.0 192.168.0.2

ip route-static vpn-instance QZVPN1650001-IPLAB 192.168.0.0 255.255.255.0 NULL0

bgp 64725

ipv4-family vpn-instance QZVPN1650001-IPLAB import-route static default-route imported quit

 在掩码相同的情况下，直连路由优于静态路由，会导致黑洞路由失效，所以，采用引入静态路由的方式时，黑洞路由的掩码不能配置一样。 2.4.2 RH4(BRAS)配置

ip vpn-instance QZVPN1650001-IPLAB route-distinguisher 4809:1650001 vpn-target 4809:165001500 quit

interface GigabitEthernet 2/0.2

vlan-type dot1q vid 22 second-dot1q 2

ip binding vpn-instance QZVPN1650001-IPLAB ip address 10.0.0.1 25 quit

ip route-static vpn-instance QZVPN1650001-IPLAB 10.0.0.0 255.255.255.0 NULL 0

bgp 64725

ip vpn-instance QZVPN1650001-IPLAB address-family ipv4 unicast import-route static quit quit quit

2.4.3 结果验证

 查看VPN路由表项，确认路由发布正常。

[RH6]DISP IP routing-table vpn-instance QZVPN1650001-IPLAB Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------ Routing Tables: QZVPN1650001-IPLAB Destinations : 4 Routes : 4

Destination/Mask Proto Pre Cost Flags NextHop

10.0.0.0/24 BGP 255 0 RD 4.4.4.4 192.168.0.0/24 Static 60 0 D 0.0.0.0 192.168.0.0/25 Direct 0 0 D 192.168.0.1 192.168.0.1/32 Direct 0 0 D 127.0.0.1 2.4.4 防火墙配置

interface gigabitEthernet 1 nameif outside security-level 0

ip address 10.0.0.2 255.255.255.128 exit

interface gigabitEthernet 0 nameif dmz

security-level 50

ip address 172.16.0.254 255.255.255.0 exit

route outside 0.0.0.0 0.0.0.0 10.0.0.1

object network fuwuqi host 172.16.0.1

nat (dmz,outside) static 10.0.0.3 service tcp 23 6060 exit

access-list 100 extended permit tcp host 192.168.0.2 host 172.16.0.1

Interface Ethernet0/0/0 NULL0

Ethernet0/0/1

InLoopBack0

access-group 100 in interface outside

2.4.5 RH1(服务器)配置

interface Ethernet0/0/0 undo shutdown

ip address 172.16.0.1 255.255.255.0 quit

ip route-static 0.0.0.0 0.0.0.0 172.16.0.254

acl number 2000

rule permit source 192.168.0.2 0 quit aaa

local-user qz password simple qz local-user qz level 15 quit

user-interface vty 0 4 acl 2000 inbound

authentication-mode aaa quit

2.4.6 结果验证

 从RH7 telnet 10.0.0.3的6060端口，查看是否可以telnet到RH1上。telnet 10.0.0.3 6060 Trying 10.0.0.3 ...

Press CTRL+K to abort Connected to 10.0.0.3 ...

Login authentication

Username:qz Password:

Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.