IP assignment per POD

| Device | e0/0        | se1/0       | e0/1 | e0        |
| R1     | 10.1.1.1/24 | 1.1.12.1/30 |      |           |
| R5     | 14.1.1.1/24 | 1.1.12.2/30 | dhcp |           |
| Win7   |             |             |      | 10.1.1.11 |
| Linux  |             |             |      | 14.1.1.11 |
| Win8   |             |             |      | 14.1.1.12 |

R1 (hostname BBR) is the CBAC firewall between the inside network 10.1.1.0/24 and the serial link 1.1.12.0/30 to R5 (hostname Internet), which fronts the outside network 14.1.1.0/24. Win7 is the inside host; Linux and Win8 sit on the outside network behind R5. Both routers hand out addresses by DHCP, with .1 to .10 excluded from the pools.
R1 (BBR) running configuration

BBR#sh run
Building configuration...

Current configuration : 1635 bytes
!
! Last configuration change at 07:17:52 EET Fri Apr 28 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BBR
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no aaa new-model
clock timezone EET 2 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip dhcp excluded-address 10.1.1.1 10.1.1.10
!
ip dhcp pool KG
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 lease infinite
!
! Inspection rule set "CBAC". Each line lets the named protocol, when the
! session starts on the inside, open a temporary return-path entry through
! the inbound ACL on the outside interface.
! http: allow HTTP sessions initiated from the inside
ip inspect name CBAC http
! dns: allow DNS queries initiated from the inside
ip inspect name CBAC dns
! icmp: allow ICMP initiated from the inside
ip inspect name CBAC icmp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
 no ip address
 shutdown
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0
 ip address 1.1.12.1 255.255.255.252
 ip access-group alldeny in
 ip inspect CBAC out
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Serial1/0 1.1.12.2
!
! Filters every session that starts on the outside.
ip access-list extended denyall
 deny   ip any any
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login
 transport input none
!
end

Two things to check in this capture before trusting the screenshots that follow. First, Serial1/0 applies "ip access-group alldeny in", but the only ACL defined is "denyall". IOS permits all traffic through an access-group that names an ACL which does not exist, so as captured the inbound filter on the Internet-facing interface is not in effect; the two names must match exactly (named ACLs are case-sensitive). Second, "ip inspect CBAC out" on Serial1/0 is what creates the temporary entries that let replies to inside-initiated HTTP, DNS and ICMP back in; dropping what the outside initiates is the job of the inbound ACL, and CBAC alone does not do it.
R5 (Internet) running configuration

Internet#sh run
Building configuration...

Current configuration : 1572 bytes
!
! Last configuration change at 07:12:45 EET Fri Apr 28 2017
!
version 15.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Internet
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no aaa new-model
clock timezone EET 2 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip dhcp excluded-address 14.1.1.1 14.1.1.10
!
ip dhcp pool ISP
 network 14.1.1.0 255.255.255.0
 default-router 14.1.1.1
 lease infinite
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface Ethernet0/0
 ip address 14.1.1.1 255.255.255.0
!
interface Ethernet0/1
 ip address dhcp
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
interface Serial1/0
 ip address 1.1.12.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 10.1.1.0 255.255.255.0 Serial1/0 1.1.12.1
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login
 transport input none
!
pnp profile pnp_profile
 transport http host pnpserver.localdomain port 80 source Ethernet0/1
!
end
Screenshots (captions only; the images themselves are not reproduced here)

Win7 (internal user)

Win8 (external user)

R1
A CBAC session entry created so that ICMP initiated by the internal user is allowed out to the outside and its replies are allowed back in

Win7 (internal user)
The internal user reaching the external web server

R1
The internal user's web session being tracked by CBAC

Win7 (internal user)
To implement URL filtering, the client's hosts file was edited so the external web server has a name; the server is then reached successfully by that name

R1 router
The URL filter configured and applied

Win7 (internal user)
The same request now blocked by the URL filter

R1 router
The session table on R1 at that point
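The URL-filter configuration that the last three screenshots show is not reproduced in the text, and the captured R1 configuration above has the ACL name mismatch already noted. The block below is an added example, not the lab's captured configuration: it is the R1 firewall side rewritten with one consistent ACL name, HTTP inspection tied to the IOS URL filter, and a local exclusive-domain rule for the outside web server. The host name extweb.lab is an assumption standing in for whatever name the Win7 hosts file mapped to 14.1.1.11; the ACL and inspection rule names are also chosen here.

```cisco
! Added example, not the lab's captured configuration.
! Assumption: the inside Win7 host resolves extweb.lab to the outside Linux
! web server 14.1.1.11 through its hosts file (the name is made up here).
!
! 1. Static inbound filter on the Internet-facing interface. Nothing that
!    starts on the outside may enter; CBAC opens return-path holes in it.
ip access-list extended DENYALL
 deny   ip any any
!
! 2. Inspection rules for sessions the inside may start. "http urlfilter"
!    hands each outbound HTTP request to the URL filter before the session
!    is allowed through.
ip inspect name CBAC http urlfilter
ip inspect name CBAC dns
ip inspect name CBAC icmp
!
! 3. Local URL-filter policy. The exclusive-domain list is checked before any
!    Websense/N2H2 server; with no server configured, allow-mode on lets
!    requests that match nothing in the list pass instead of failing closed.
!    The filter matches on the requested host name, which is why the lab had
!    to give the server a name in the client's hosts file first.
ip urlfilter allow-mode on
ip urlfilter audit-trail
ip urlfilter exclusive-domain deny extweb.lab
!
! 4. Apply both on the same interface, using exactly the name the ACL was
!    defined with. An access-group that names an undefined ACL permits all.
interface Serial1/0
 ip address 1.1.12.1 255.255.255.252
 ip access-group DENYALL in
 ip inspect CBAC out
!
! Verification from enable mode:
!   show ip inspect sessions       open CBAC sessions (ICMP, HTTP, DNS)
!   show ip urlfilter statistics   requests checked and blocked by the filter
!   show ip access-lists DENYALL   the deny counter rises as outside-initiated
!                                  traffic hits the static filter
```

If a request for extweb.lab is still answered after this is applied, check the session table first: a session that CBAC opened before the urlfilter keyword was added keeps working until it times out, and the URL filter only sees requests that pass through a new inspected session.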
Reference example

A three-interface CBAC layout (internal network, DMZ, Internet), entered in global configuration mode. The internal ACL lets only host 192.1.1.1 talk SMTP to the DMZ mail relay 192.1.2.1, blocks POP3 and SMTP from everyone else, cuts 192.1.1.1 off from anything further, and permits the rest; the inspection rules then open return paths for what the internal hosts start.

ip access-list extended internal_ACL
 permit tcp host 192.1.1.1 host 192.1.2.1 eq smtp
 ! IOS port keyword is pop3 (pop is not accepted)
 deny   tcp any any eq pop3
 deny   tcp any any eq smtp
 deny   ip host 192.1.1.1 any
 permit ip any any
 exit
ip inspect name internal_CBAC smtp audit-trail on
ip inspect name internal_CBAC ftp
ip inspect name internal_CBAC http
ip inspect name internal_CBAC realaudio
ip inspect name internal_CBAC tcp
ip inspect name internal_CBAC udp
ip inspect name internal_CBAC icmp
ip access-list extended DMZ_ACL
 permit tcp host 192.1.2.1 any eq smtp
 ! IOS port keyword for DNS (53/udp) is domain
 permit udp host 192.1.2.2 any eq domain
 exit
ip inspect name DMZ_CBAC smtp audit-trail on
ip inspect name DMZ_CBAC http
ip inspect name DMZ_CBAC tcp
ip inspect name DMZ_CBAC udp
ip access-list extended external_ACL
 permit tcp any host 192.1.2.1 eq smtp
 permit udp any host 192.1.2.2 eq domain
 permit tcp any host 192.1.2.3 eq http
 exit
ip inspect name external_CBAC smtp audit-trail on
ip inspect name external_CBAC ftp
ip inspect name external_CBAC http
ip inspect name external_CBAC realaudio
ip inspect name external_CBAC tcp
ip inspect name external_CBAC udp
ip inspect name external_CBAC icmp
interface ethernet0
 description Internal Network
 ip access-group internal_ACL in
 ip inspect internal_CBAC in
 exit
interface ethernet2
 description DMZ
 ip access-group DMZ_ACL in
 ip inspect DMZ_CBAC in
 exit
interface ethernet1
 description Internet
 ip access-group external_ACL in
 exit
ip inspect tcp synwait-time 15
ip inspect tcp idle-time 120
ip inspect udp idle-time 20

Two points worth noting in this example. The external_CBAC rule set is defined but not applied to ethernet1 in this excerpt, so what the Internet side may start is governed solely by the static permits in external_ACL (SMTP to the mail relay, DNS to 192.1.2.2, HTTP to 192.1.2.3). And the order of the internal_ACL entries matters: the specific permit for 192.1.1.1 to the mail relay must precede the deny entries, or that host would never reach SMTP at all.