Mục đích
Cấu hình router để lọc traffic dựa trên các tiêu chuẩn mức ứng dụng (application)
Mô hình
Hướng dẫn
– Cấu hình router (định tuyến, NAT, …) giống như bài LAB 2 ‘Lọc traffic với reflexive access-list’.
– Chắc chằn rằng CEF được cho phép toàn cục (global) trên R4.
– Tạo class-map IMAGES trên R4 để match tất cả các HTTP URLs đang nhận một file ảnh (.gif, .jpeg, .jpg).
– Tạo policy-map DROP_IMAGES và cấu hình nó để drop tất cả các traffic trong class IMAGES.
– Apply policy-map DROP_IMAGES theo hướng vào (ingress) tren interface Fa0/0.
Cấu hình tham khảo
Bước 1: Cấu hình cơ bản: địa chỉ IP, định tuyến OSPF, NAT PAT
Router R4
interface Loopback0
ip address 150.1.4.4 255.255.255.0
!
interface FastEthernet0/0
ip address 155.1.45.4 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.4 255.255.255.0
ip nat inside
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 150.1.4.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
ip http server
ip nat inside source list 1 interface Loopback0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
Router R5
interface FastEthernet0/0
ip address 155.1.45.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 150.1.5.5 255.255.255.0
duplex auto
speed auto
no keepalive
!
router ospf 1
log-adjacency-changes
network 150.1.5.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login
Router R1
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.4
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login
Bước 2: Cấu hình class-map IMAGES và policy-map DROP_IMAGES trên R4
ip cef
class-map match-any IMAGES
match protocol http url “*.gif”
match protocol http url “*.jpeg|*.jpg”
!
policy-map DROP_IMAGES
class IMAGES
drop
Apply policy-map DROP_IMAGES theo hướng vào (ingress) trên interface Fa0/0.
interface Fa0/0
service-policy input DROP_IMAGES
Bước 3: Kiểm tra
Cấu hình R5 thành web server có chứa các file .gif, .jpeg, .jpg, .txt
R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#ip http server
R5(config)#ip http path flash:
R5(config)#do copy start flash:test.gif
Destination filename [test.gif]?
Erase flash: before copying? [confirm]n
Verifying checksum… OK (0x10CB)
1668 bytes copied in 0.288 secs (5792 bytes/sec)
R5(config)#do copy start flash:test.jpg
Destination filename [test.jpg]?
Erase flash: before copying? [confirm]n
Verifying checksum… OK (0x10CB)
1668 bytes copied in 0.300 secs (5560 bytes/sec)
R5(config)#do copy start flash:test.jpeg
Destination filename [test.jpeg]?
Erase flash: before copying? [confirm]n
Verifying checksum… OK (0x10CB)
1668 bytes copied in 0.288 secs (5792 bytes/sec)
R5(config)#do copy start flash:test.txt
Destination filename [test.txt]?
Erase flash: before copying? [confirm]n
Verifying checksum… OK (0x10CB)
1668 bytes copied in 0.294 secs (5670 bytes/sec)
Kiểm tra trên R1
R1#copy http://150.1.5.5/test.txt null:
Loading http://150.1.5.5/test.txt !
1668 bytes copied in 2.496 secs (668 bytes/sec)
R1#copy http://150.1.5.5/test.gif null:
%Error opening http://150.1.5.5/test.gif (I/O error)
R1#copy http://150.1.5.5/test.jpeg null:
%Error opening http://150.1.5.5/test.jpeg (I/O error)
R1#copy http://150.1.5.5/test.jpg null:
%Error opening http://150.1.5.5/test.jpg (I/O error)
Kiểm tra trên R4
R4#show policy-map interface FastEthernet 0/0
FastEthernet 0/0
Service-policy input: DROP_IMAGES
Class-map: IMAGES (match-any)
24 packets, 4971 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url “*.jpeg|*.jpg”
16 packets, 3314 bytes
5 minute rate 0 bps
Match: protocol http url “*.gif”
8 packets, 1657 bytes
5 minute rate 0 bps
drop
Class-map: class-default (match-any)
70 packets, 7822 bytes
5 minute offered rate 0 bps, drop rate 0 bps Match: any
The post LAB: SỬ DỤNG NBAR ĐỂ LỌC TRAFFIC appeared first on VnPro.