Network Security Management Case Study
1 Network Topology
2 Configuration Analysis
2.1 IGP/MPLS Configuration
2.1.1 RH4 (BRAS) Configuration
mpls lsr-id 4.4.4.4
mpls ldp
 quit
isis 595
 network-entity 86.4725.0004.0004.0004.00
 is-level level-2
 quit
interface LoopBack 0
 ip address 4.4.4.4 32
 isis enable 595
 isis circuit-level level-2
 quit
interface LoopBack 101
 ip address 44.44.44.44 32
 isis enable 595
 isis circuit-level level-2
 quit
interface GigabitEthernet 1/0
 undo shut
 ip address 45.45.45.4 24
 isis enable 595
 isis circuit-level level-2
 mpls enable
 mpls ldp enable
 quit
2.1.2 RH5 (CR) Configuration
mpls lsr-id 5.5.5.5
mpls
mpls ldp
 quit
isis 595
 network-entity 86.4725.0005.0005.0005.00
 is-level level-2
 quit
interface LoopBack 0
 ip address 5.5.5.5 32
 isis enable 595
 isis circuit-level level-2
 quit
interface LoopBack 101
 ip address 55.55.55.55 32
 isis enable 595
 isis circuit-level level-2
 quit
interface Ethernet0/0/0
 undo shut
 ip address 45.45.45.5 24
 isis enable 595
 isis circuit-level level-2
 mpls
 mpls ldp
 quit
interface Ethernet0/0/1
 undo shut
 ip address 56.56.56.5 24
 isis enable 595
 isis circuit-level level-2
 mpls
 mpls ldp
 quit
2.1.3 RH6 (SR) Configuration
mpls lsr-id 6.6.6.6
mpls
mpls ldp
 quit
isis 595
 network-entity 86.4725.0006.0006.0006.00
 is-level level-2
 quit
interface LoopBack 0
 ip address 6.6.6.6 32
 isis enable 595
 isis circuit-level level-2
 quit
interface LoopBack 101
 ip address 66.66.66.66 32
 isis enable 595
 isis circuit-level level-2
 quit
interface Ethernet0/0/0
 undo shut
 ip address 56.56.56.6 24
 isis enable 595
 isis circuit-level level-2
 mpls
 mpls ldp
 quit
2.1.4 Verification
Ping the interface addresses of RH4 and RH6 from RH5 and confirm they are reachable.
ping 45.45.45.4
  PING 45.45.45.4: 56  data bytes, press CTRL_C to break
    Reply from 45.45.45.4: bytes=56 Sequence=1 ttl=255 time=20 ms
    Reply from 45.45.45.4: bytes=56 Sequence=2 ttl=255 time=10 ms
    Reply from 45.45.45.4: bytes=56 Sequence=3 ttl=255 time=20 ms
  --- 45.45.45.4 ping statistics ---
    3 packet(s) transmitted
    3 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/16/20 ms
ping 56.56.56.6
  PING 56.56.56.6: 56  data bytes, press CTRL_C to break
    Reply from 56.56.56.6: bytes=56 Sequence=1 ttl=255 time=40 ms
    Reply from 56.56.56.6: bytes=56 Sequence=2 ttl=255 time=40 ms
    Reply from 56.56.56.6: bytes=56 Sequence=3 ttl=255 time=40 ms
  --- 56.56.56.6 ping statistics ---
    3 packet(s) transmitted
    3 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 40/40/40 ms
Check the IS-IS neighbours and the MPLS LDP peers to confirm they are up.
disp isis peer
                          Peer information for ISIS(595)
  System Id       Interface   Circuit Id         State  HoldTime  Type  PRI
--------------------------------------------------------------------------------
  0004.0004.0004  Eth0/0/0    0005.0005.0005.01  Up     30s       L2    64
  0006.0006.0006  Eth0/0/1    0005.0005.0005.02  Up     25s       L2    64
disp mpls ldp peer
 LDP Peer Information in Public network
 A '*' before a peer means the peer is being deleted.
 ------------------------------------------------------------------------------
 PeerID             TransportAddress   DiscoverySource
 ------------------------------------------------------------------------------
 4.4.4.4:0          4.4.4.4            Ethernet0/0/0
 6.6.6.6:0          6.6.6.6            Ethernet0/0/1
 ------------------------------------------------------------------------------
 TOTAL: 2 Peer(s) Found.
disp mpls ldp lsp
 LDP LSP Information
 -------------------------------------------------------------------------------
 DestAddress/Mask   In/OutLabel   UpstreamPeer   NextHop        OutInterface
 -------------------------------------------------------------------------------
 4.4.4.4/32         NULL/3        -              45.45.45.4     Eth0/0/0
 4.4.4.4/32         1026/3        4.4.4.4        45.45.45.4     Eth0/0/0
 4.4.4.4/32         1026/3        6.6.6.6        45.45.45.4     Eth0/0/0
 *4.4.4.4/32        Liberal
 5.5.5.5/32         3/NULL        6.6.6.6        127.0.0.1      InLoop0
 5.5.5.5/32         3/NULL        4.4.4.4        127.0.0.1      InLoop0
 *5.5.5.5/32        Liberal
 *5.5.5.5/32        Liberal
 6.6.6.6/32         NULL/3        -              56.56.56.6     Eth0/0/1
 6.6.6.6/32         1025/3        6.6.6.6        56.56.56.6     Eth0/0/1
 6.6.6.6/32         1025/3        4.4.4.4        56.56.56.6     Eth0/0/1
 *6.6.6.6/32        Liberal
 44.44.44.44/32     NULL/3        -              45.45.45.4     Eth0/0/0
 44.44.44.44/32     1027/3        4.4.4.4        45.45.45.4     Eth0/0/0
 44.44.44.44/32     1027/3        6.6.6.6        45.45.45.4     Eth0/0/0
 *44.44.44.44/32    Liberal
 55.55.55.55/32     3/NULL        6.6.6.6        127.0.0.1      InLoop0
 55.55.55.55/32     3/NULL        4.4.4.4        127.0.0.1      InLoop0
 *55.55.55.55/32    Liberal
 *55.55.55.55/32    Liberal
 66.66.66.66/32     NULL/3        -              56.56.56.6     Eth0/0/1
 66.66.66.66/32     1024/3        6.6.6.6        56.56.56.6     Eth0/0/1
 66.66.66.66/32     1024/3        4.4.4.4        56.56.56.6     Eth0/0/1
 *66.66.66.66/32    Liberal
 -------------------------------------------------------------------------------
 TOTAL: 16 Normal LSP(s) Found.
 TOTAL: 8 Liberal LSP(s) Found.
 TOTAL: 0 Frr LSP(s) Found.
 A '*' before an LSP means the LSP is not established
 A '*' before a Label means the USCB or DSCB is stale
 A '*' before a UpstreamPeer means the session is in GR state
 A '*' before a NextHop means the LSP is FRR LSP
2.2 BGP Configuration
2.2.1 RH4 (BRAS) Configuration
bgp 64725
 peer 5.5.5.5 as-number 64725
 peer 5.5.5.5 connect-interface LoopBack 0
 peer 55.55.55.55 as-number 64725
 peer 55.55.55.55 connect-interface LoopBack 101
 address-family ipv4 unicast
  peer 55.55.55.55 enable
  quit
 address-family vpnv4
  peer 5.5.5.5 enable
  quit
 quit
2.2.2 RH5 (CR) Configuration
bgp 64725
 peer 4.4.4.4 as-number 64725
 peer 4.4.4.4 connect-interface LoopBack0
 peer 44.44.44.44 as-number 64725
 peer 44.44.44.44 connect-interface LoopBack101
 peer 6.6.6.6 as-number 64725
 peer 6.6.6.6 connect-interface LoopBack0
 peer 66.66.66.66 as-number 64725
 peer 66.66.66.66 connect-interface LoopBack101
 undo peer 4.4.4.4 enable
 undo peer 6.6.6.6 enable
 peer 44.44.44.44 reflect-client
 peer 66.66.66.66 reflect-client
 ipv4-family vpnv4
  peer 4.4.4.4 enable
  peer 6.6.6.6 enable
  peer 4.4.4.4 reflect-client
  peer 6.6.6.6 reflect-client
  undo policy vpn-target
  quit
 quit
2.2.3 RH6 (SR) Configuration
bgp 64725
 peer 5.5.5.5 as-number 64725
 peer 5.5.5.5 connect-interface LoopBack 0
 peer 55.55.55.55 as-number 64725
 peer 55.55.55.55 connect-interface LoopBack 101
 undo peer 5.5.5.5 enable
 ipv4-family vpnv4
  peer 5.5.5.5 enable
  quit
 quit
2.2.4 Verification
Check the BGP peers to confirm the sessions are established.
disp bgp peer
 BGP local router ID : 45.45.45.5
 Local AS number : 64725
 Total number of peers : 2                 Peers in established state : 2

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down          State  PrefRcv
  44.44.44.44     4 64725        3        4     0  00:00:32   Established        0
  66.66.66.66     4 64725        9        9     0  00:04:24   Established        0
disp bgp vpnv4 all peer
 BGP local router ID : 45.45.45.5
 Local AS number : 64725
 Total number of peers : 2                 Peers in established state : 2

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down          State  PrefRcv
  4.4.4.4         4 64725        3        2     0  00:00:21   Established        0
  6.6.6.6         4 64725        5        5     0  00:03:41   Established        0
2.3 PPPoE Service Configuration
2.3.1 RH2 (Access Switch) Configuration
vlan batch 2 3
interface Ethernet0/0/1
 undo shutdown
 port link-type access
 port default vlan 3
 quit
interface Ethernet0/0/0
 undo shutdown
 port link-type access
 port default vlan 2
 quit
interface Eth-Trunk2
 quit
interface Ethernet0/0/2
 undo shutdown
 eth-trunk 2
 quit
interface Ethernet0/0/3
 undo shutdown
 eth-trunk 2
 quit
interface Eth-Trunk2
 port link-type trunk
 port trunk allow-pass vlan 2 3
 quit
2.3.2 RH3 (Aggregation Switch) Configuration
vlan batch 22 33
interface Eth-Trunk2
 quit
interface Ethernet0/0/0
 undo shutdown
 eth-trunk 2
 quit
interface Ethernet 0/0/2
 undo shutdown
 eth-trunk 2
 quit
interface Eth-Trunk2
 portswitch
 port vlan-stacking outside-vlan 2 stack-vlan 22
 port vlan-stacking outside-vlan 3 stack-vlan 33
 quit
interface Ethernet0/0/3
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 22 33
 quit
2.3.3 RH4 (BRAS) Configuration
ip pool pppoe-1 100.0.0.2 100.0.0.254
ip pool pppoe-1 100.0.0.1
domain qzadsl
 authorization-attribute ip-pool pppoe-1
 authorization-attribute primary-dns ip 218.85.152.99
 authorization-attribute secondary-dns ip 218.85.157.99
 authentication ppp local
 authorization ppp local
 accounting ppp local
 quit
domain default enable qzadsl
local-user 22594511 class network
 service-type ppp
 password simple 22594511
 quit
interface Virtual-Template 1
 ppp authentication-mode pap
 ip address unnumbered interface LoopBack 0
 quit
interface GigabitEthernet 2/0.3
 vlan-type dot1q vid 33 second-dot1q 3
 pppoe-server bind virtual-template 1
 quit
2.3.4 RH4 (BRAS) Route Advertisement
ip route-static 100.0.0.0 24 NULL 0
bgp 64725
 address-family ipv4 unicast
  import-route static
  quit
2.3.5 Verification
Before RH4 advertises the route, RH5's routing table is as follows.
disp ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 12       Routes : 12

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
4.4.4.4/32          ISIS    15   10     D     45.45.45.4      Ethernet0/0/0
5.5.5.5/32          Direct  0    0      D     127.0.0.1       InLoopBack0
6.6.6.6/32          ISIS    15   10     D     56.56.56.6      Ethernet0/0/1
44.44.44.44/32      ISIS    15   10     D     45.45.45.4      Ethernet0/0/0
45.45.45.0/24       Direct  0    0      D     45.45.45.5      Ethernet0/0/0
45.45.45.5/32       Direct  0    0      D     127.0.0.1       InLoopBack0
55.55.55.55/32      Direct  0    0      D     127.0.0.1       InLoopBack0
56.56.56.0/24       Direct  0    0      D     56.56.56.5      Ethernet0/0/1
56.56.56.5/32       Direct  0    0      D     127.0.0.1       InLoopBack0
66.66.66.66/32      ISIS    15   10     D     56.56.56.6      Ethernet0/0/1
127.0.0.0/8         Direct  0    0      D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D     127.0.0.1       InLoopBack0
After RH4 advertises the route, RH5's routing table is as follows.
disp ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 13       Routes : 13

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
4.4.4.4/32          ISIS    15   10     D     45.45.45.4      Ethernet0/0/0
5.5.5.5/32          Direct  0    0      D     127.0.0.1       InLoopBack0
6.6.6.6/32          ISIS    15   10     D     56.56.56.6      Ethernet0/0/1
44.44.44.44/32      ISIS    15   10     D     45.45.45.4      Ethernet0/0/0
45.45.45.0/24       Direct  0    0      D     45.45.45.5      Ethernet0/0/0
45.45.45.5/32       Direct  0    0      D     127.0.0.1       InLoopBack0
55.55.55.55/32      Direct  0    0      D     127.0.0.1       InLoopBack0
56.56.56.0/24       Direct  0    0      D     56.56.56.5      Ethernet0/0/1
56.56.56.5/32       Direct  0    0      D     127.0.0.1       InLoopBack0
66.66.66.66/32      ISIS    15   10     D     56.56.56.6      Ethernet0/0/1
100.0.0.0/24        BGP     255  0      RD    44.44.44.44     Ethernet0/0/0
127.0.0.0/8         Direct  0    0      D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D     127.0.0.1       InLoopBack0
Create a PPPoE dial-up connection on WinXP1 with username 22594511 and password 22594511. After the dial-up succeeds, ping 5.5.5.5 works normally. The access record on RH4 is as follows.
[H3C]disp ppp access-user domain qzadsl
Interface  Username  MAC address     IP address  IPv6 address  IPv6 PDPrefix
VA0        22594511  00d0-f826-0100  100.0.0.1   -             -
2.4 MPLS VPN Service Configuration
2.4.1 RH6 (SR) Configuration
ip vpn-instance QZVPN1650001-IPLAB
 route-distinguisher 4809:1650001
 vpn-target 4809:165001500
 quit
interface Ethernet0/0/1
 ip binding vpn-instance QZVPN1650001-IPLAB
 ip address 192.168.0.1 25
 quit
ip route-static vpn-instance QZVPN1650001-IPLAB 0.0.0.0 0.0.0.0 192.168.0.2
ip route-static vpn-instance QZVPN1650001-IPLAB 192.168.0.0 255.255.255.0 NULL0
bgp 64725
 ipv4-family vpn-instance QZVPN1650001-IPLAB
  import-route static
  default-route imported
  quit
With identical masks, the directly connected route takes precedence over the static route, so the blackhole route would never take effect; therefore, when the route is advertised by importing static routes, the blackhole route must not be configured with the same mask as the interface address.
2.4.2 RH4 (BRAS) Configuration
ip vpn-instance QZVPN1650001-IPLAB
 route-distinguisher 4809:1650001
 vpn-target 4809:165001500
 quit
interface GigabitEthernet 2/0.2
 vlan-type dot1q vid 22 second-dot1q 2
 ip binding vpn-instance QZVPN1650001-IPLAB
 ip address 10.0.0.1 25
 quit
ip route-static vpn-instance QZVPN1650001-IPLAB 10.0.0.0 255.255.255.0 NULL 0
bgp 64725
 ip vpn-instance QZVPN1650001-IPLAB
  address-family ipv4 unicast
   import-route static
   quit
  quit
 quit
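The mask caveat stated after the RH6 configuration (and repeated in practice on RH4, where the /24 blackhole sits beside a /25 interface address) can be checked with a small route-selection model. This is an added example, not configuration or code from the page; it assumes the preference values shown in the page's routing tables (Direct 0, Static 60, BGP 255) and uses a constructed RIB for RH6's VPN instance.

```python
from ipaddress import ip_address, ip_network

# Route preferences as they appear in the routing tables on this page
# (Huawei VRP defaults): the lower value wins when two protocols offer the same prefix.
PREF = {"Direct": 0, "Static": 60, "BGP": 255}


def active_routes(rib):
    """Return the active route per prefix: the entry with the lowest preference."""
    best = {}
    for route in rib:
        prefix = ip_network(route["prefix"])
        if prefix not in best or PREF[route["proto"]] < PREF[best[prefix]["proto"]]:
            best[prefix] = route
    return best


def import_static(rib):
    """Model 'import-route static': only *active* static routes are redistributed."""
    return sorted(str(p) for p, r in active_routes(rib).items() if r["proto"] == "Static")


def lookup(rib, dst):
    """Longest-prefix match over the active routes; returns the next hop (or None)."""
    addr = ip_address(dst)
    matches = [(p, r) for p, r in active_routes(rib).items() if addr in p]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]["nexthop"]


def rh6_vpn_rib(blackhole_prefixlen):
    """Constructed RIB for RH6's VPN instance: Ethernet0/0/1 carries 192.168.0.1/25
    and a blackhole static covers 192.168.0.0 with the given prefix length."""
    return [
        {"prefix": "192.168.0.0/25", "proto": "Direct", "nexthop": "192.168.0.1"},
        {"prefix": f"192.168.0.0/{blackhole_prefixlen}", "proto": "Static", "nexthop": "NULL0"},
    ]


if __name__ == "__main__":
    # Same mask as the interface: the Direct route shadows the static, so nothing is imported.
    print("/25 blackhole imported:", import_static(rh6_vpn_rib(25)))
    # /24 as configured on the page: the static is active and gets imported into BGP,
    # while hosts inside the /25 still resolve to the connected interface.
    print("/24 blackhole imported:", import_static(rh6_vpn_rib(24)))
    print("192.168.0.5   ->", lookup(rh6_vpn_rib(24), "192.168.0.5"))
    print("192.168.0.200 ->", lookup(rh6_vpn_rib(24), "192.168.0.200"))
```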
2.4.3 Verification
Check the VPN routing table to confirm the route has been advertised correctly.
[RH6]DISP IP routing-table vpn-instance QZVPN1650001-IPLAB
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: QZVPN1650001-IPLAB
         Destinations : 4        Routes : 4

Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
10.0.0.0/24         BGP     255  0      RD    4.4.4.4         Ethernet0/0/0
192.168.0.0/24      Static  60   0      D     0.0.0.0         NULL0
192.168.0.0/25      Direct  0    0      D     192.168.0.1     Ethernet0/0/1
192.168.0.1/32      Direct  0    0      D     127.0.0.1       InLoopBack0
2.4.4 Firewall Configuration
interface gigabitEthernet 1
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.128
 exit
interface gigabitEthernet 0
 nameif dmz
 security-level 50
 ip address 172.16.0.254 255.255.255.0
 exit
route outside 0.0.0.0 0.0.0.0 10.0.0.1
object network fuwuqi
 host 172.16.0.1
 nat (dmz,outside) static 10.0.0.3 service tcp 23 6060
 exit
access-list 100 extended permit tcp host 192.168.0.2 host 172.16.0.1
access-group 100 in interface outside
2.4.5 RH1 (Server) Configuration
interface Ethernet0/0/0
 undo shutdown
 ip address 172.16.0.1 255.255.255.0
 quit
ip route-static 0.0.0.0 0.0.0.0 172.16.0.254
acl number 2000
 rule permit source 192.168.0.2 0
 quit
aaa
 local-user qz password simple qz
 local-user qz level 15
 quit
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 quit
2.4.6 Verification
From RH7, telnet to port 6060 of 10.0.0.3 and check whether the session reaches RH1.
telnet 10.0.0.3 6060
  Trying 10.0.0.3 ...
  Press CTRL+K to abort
  Connected to 10.0.0.3 ...
Login authentication
Username:qz
Password:
Info: The max number of VTY users is 10, and the number of current VTY users on line is 1.