【Lab description】

Filtering traffic based on packet length

【Lab topology】

IOS: c2691-advsecurityk9-mz.124-11.T2.bin

[Figure 1: lab topology for filtering traffic with policy routing]

【Configuration steps】
  • Configure the network as shown in the figure above following "Configuring Static NAT"; refer to that lab in the IP-service section.
  • This lab allows ICMP echo packets smaller than 300 bytes to pass.
  • Create an extended access control list "ICMP_ECHO" that matches ICMP echo packets.
  • Create a policy route-map ICMP_CONTROL that matches the access list "ICMP_ECHO" and packets 301-1500 bytes long, and sends matching packets to the null interface.
  • Apply the policy route-map to the router's serial interfaces.

【Lab configuration】
First we do the basic network configuration, "Configuring Static NAT".

----------------------------------------Static NAT configuration----------------------------------------------------------------

R1:
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.4

R6:
interface FastEthernet0/0
ip address 10.0.0.6 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.4

R4:
interface Loopback0
ip address 150.1.4.4 255.255.255.0
ip ospf network point-to-point
!
interface FastEthernet0/0
ip address 10.0.0.4 255.255.255.0
ip nat inside
!
interface Serial0/0
encapsulation frame-relay
no shutdown
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.4 255.255.255.0
frame-relay interface-dlci 405
ip nat outside
!
interface Serial0/1
ip address 155.1.45.4 255.255.255.0
clock rate 2000000
ip nat outside
!
router ospf 1
router-id 150.1.4.4
network 150.1.4.4 0.0.0.0 area 0
network 155.1.0.4 0.0.0.0 area 0
network 155.1.45.4 0.0.0.0 area 0
!
router bgp 1
bgp router-id 150.1.4.4
neighbor 150.1.5.5 remote-as 2
neighbor 150.1.5.5 ebgp-multihop 255
neighbor 150.1.5.5 update-source Loopback0

ip nat inside source static 10.0.0.1 150.1.4.1
ip nat inside source static 10.0.0.6 150.1.4.6

R5:
interface Loopback0
ip address 150.1.5.5 255.255.255.0
ip ospf network point-to-point
!
interface Serial0/0
encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
ip address 155.1.0.5 255.255.255.0
frame-relay interface-dlci 504
!
interface Serial0/1
ip address 155.1.45.5 255.255.255.0
clock rate 2000000
!
router ospf 1
router-id 150.1.5.5
network 150.1.5.5 0.0.0.0 area 0
network 155.1.0.5 0.0.0.0 area 0
network 155.1.45.5 0.0.0.0 area 0
!
router bgp 2
bgp router-id 150.1.5.5
neighbor 150.1.4.4 remote-as 1
neighbor 150.1.4.4 ebgp-multihop 255
neighbor 150.1.4.4 update-source Loopback0
neighbor 150.1.4.4 default-originate

---------------------------------Policy routing configuration-------------------------------------------------------------------------
R4:
ip access-list extended ICMP_ECHO
permit icmp any any echo
!
route-map ICMP_CONTROL permit 10
match ip address ICMP_ECHO
match length 301 1500
set interface Null0
!
interface Serial 0/1
ip policy route-map ICMP_CONTROL
!
interface Serial 0/0.1
ip policy route-map ICMP_CONTROL
---------------------------------------------------------------------------------------------------------------------------------

【Verification】
This lab blocks external users from pinging into the internal network with packets in the matched length range, while pings from the inside to the outside are unaffected.

R5#ping 150.1.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/39/80 ms
R5#ping 150.1.4.1 size 301

Type escape sequence to abort.
Sending 5, 301-byte ICMP Echos to 150.1.4.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R6#ping 150.1.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/36/52 ms
R6#ping 150.1.5.5 siz 301

Type escape sequence to abort.
Sending 5, 301-byte ICMP Echos to 150.1.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/33/60 ms
R4#show route-map
route-map ICMP_CONTROL, permit, sequence 10
  Match clauses:
    ip address (access-lists): ICMP_ECHO
    length 301 1500
  Set clauses:
    interface Null0
  Policy routing matches: 10 packets, 3050 bytes
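To make the verification results above easier to reason about, here is an added Python model of how R4 evaluates the ICMP_CONTROL policy; it is an illustration written for this write-up, not code from the lab or from IOS. It shows why the 301-byte pings from R5 die while R6's pings succeed: the two match clauses in sequence 10 are ANDed, the policy is only consulted on the interfaces it is bound to (not on FastEthernet0/0), and the ACL matches only echo requests, so the echo replies returning to R6 never go to Null0. It assumes that match length is compared against the IP datagram length (the size that ping size sets) and that R5's packets enter R4 on Serial0/1.

```python
from dataclasses import dataclass
from typing import Optional

ICMP_ECHO_REQUEST = 8   # ICMP type selected by the ACL keyword "echo"
ICMP_ECHO_REPLY = 0


@dataclass
class Packet:
    ingress: str              # interface the packet arrives on (assumed per case)
    proto: str                # "icmp", "tcp", "udp", ...
    icmp_type: Optional[int]  # None for non-ICMP traffic
    ip_length: int            # total IP datagram length in bytes


def acl_icmp_echo(pkt: Packet) -> bool:
    """ip access-list extended ICMP_ECHO: permit icmp any any echo."""
    return pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST


def route_map_icmp_control(pkt: Packet) -> str:
    """route-map ICMP_CONTROL permit 10: both match clauses must hold (AND)."""
    if acl_icmp_echo(pkt) and 301 <= pkt.ip_length <= 1500:
        return "Null0"        # set interface Null0: the packet is discarded
    return "normal"           # no match: ordinary destination-based routing


# Interfaces carrying "ip policy route-map ICMP_CONTROL" in the lab
POLICY_INTERFACES = {"Serial0/1", "Serial0/0.1"}


def forward(pkt: Packet) -> str:
    """Policy routing is evaluated only on the ingress interfaces it is bound to."""
    if pkt.ingress in POLICY_INTERFACES:
        return route_map_icmp_control(pkt)
    return "normal"


if __name__ == "__main__":
    # Constructed packets mirroring the lab's verification pings
    cases = {
        "R5 ping 100 bytes (Serial0/1)": Packet("Serial0/1", "icmp", ICMP_ECHO_REQUEST, 100),
        "R5 ping 301 bytes (Serial0/1)": Packet("Serial0/1", "icmp", ICMP_ECHO_REQUEST, 301),
        "R6 ping 301 bytes (Fa0/0, no policy)": Packet("FastEthernet0/0", "icmp", ICMP_ECHO_REQUEST, 301),
        "echo-reply 301 bytes back to R6": Packet("Serial0/1", "icmp", ICMP_ECHO_REPLY, 301),
        "TCP 1500 bytes (not ICMP)": Packet("Serial0/1", "tcp", None, 1500),
    }
    for name, pkt in cases.items():
        print(f"{name}: {forward(pkt)}")
```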