Using NBAR to filter traffic

danghoangkhanh
02-06-2007, 06:32 PM
USING NBAR TO FILTER TRAFFIC

Purpose: Configure the router to filter traffic based on application-level criteria.

Topology:

http://usera.imagecave.com/vnpro2/NBAR.JPG

Instructions:
• Configure the routers (routing, NAT, …) as in LAB 2 'Filtering traffic with reflexive access-lists'.
• Make sure CEF is enabled globally on R4.
• Create class-map IMAGES on R4 to match all HTTP URLs that fetch an image file (.gif, .jpeg, .jpg).
• Create policy-map DROP_IMAGES and configure it to drop all traffic in class IMAGES.
• Apply policy-map DROP_IMAGES in the ingress (input) direction on interface Fa0/0.

Reference configuration:

Step 1: Basic configuration: IP addressing, OSPF routing, NAT (PAT)

Router R4

interface Loopback0
ip address 150.1.4.4 255.255.255.0
!
interface FastEthernet0/0
ip address 155.1.45.4 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.4 255.255.255.0
ip nat inside
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 150.1.4.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
ip http server
ip nat inside source list 1 interface Loopback0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login

Router R5

interface FastEthernet0/0
ip address 155.1.45.5 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 150.1.5.5 255.255.255.0
duplex auto
speed auto
no keepalive
!
router ospf 1
log-adjacency-changes
network 150.1.5.0 0.0.0.255 area 0
network 155.1.45.0 0.0.0.255 area 0
!
ip classless
!
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login

Router R1

interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.4
!
line con 0
line aux 0
line vty 0 4
privilege level 15
no login

Step 2: Configure class-map IMAGES and policy-map DROP_IMAGES on R4

ip cef
class-map match-any IMAGES
match protocol http url "*.gif"
match protocol http url "*.jpeg|*.jpg"
!
policy-map DROP_IMAGES
class IMAGES
drop

Apply policy-map DROP_IMAGES in the ingress (input) direction on interface Fa0/0.

interface Fa0/0
service-policy input DROP_IMAGES

Step 3: Verification

Configure R5 as a web server hosting .gif, .jpeg, .jpg and .txt files

R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#ip http server
R5(config)#ip http path flash:
R5(config)#do copy start flash:test.gif
Destination filename [test.gif]?
Erase flash: before copying? [confirm]n
Verifying checksum... OK (0x10CB)
1668 bytes copied in 0.288 secs (5792 bytes/sec)

R5(config)#do copy start flash:test.jpg
Destination filename [test.jpg]?
Erase flash: before copying? [confirm]n
Verifying checksum... OK (0x10CB)
1668 bytes copied in 0.300 secs (5560 bytes/sec)

R5(config)#do copy start flash:test.jpeg
Destination filename [test.jpeg]?
Erase flash: before copying? [confirm]n
Verifying checksum... OK (0x10CB)
1668 bytes copied in 0.288 secs (5792 bytes/sec)

R5(config)#do copy start flash:test.txt
Destination filename [test.txt]?
Erase flash: before copying? [confirm]n
Verifying checksum... OK (0x10CB)
1668 bytes copied in 0.294 secs (5670 bytes/sec)

Test from R1

R1#copy http://150.1.5.5/test.txt null:
Loading http://150.1.5.5/test.txt !
1668 bytes copied in 2.496 secs (668 bytes/sec)

R1#copy http://150.1.5.5/test.gif null:
%Error opening http://150.1.5.5/test.gif (I/O error)

R1#copy http://150.1.5.5/test.jpeg null:
%Error opening http://150.1.5.5/test.jpeg (I/O error)

R1#copy http://150.1.5.5/test.jpg null:
%Error opening http://150.1.5.5/test.jpg (I/O error)

Check on R4

R4#show policy-map interface FastEthernet 0/0

FastEthernet 0/0

Service-policy input: DROP_IMAGES

Class-map: IMAGES (match-any)
24 packets, 4971 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*.jpeg|*.jpg"
16 packets, 3314 bytes
5 minute rate 0 bps
Match: protocol http url "*.gif"
8 packets, 1657 bytes
5 minute rate 0 bps
drop

Class-map: class-default (match-any)
70 packets, 7822 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
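As an added example (not part of the original post or any Cisco tool), a small Python script that parses the `show policy-map interface` counters shown above and audits the drop class the way a reviewer would: the action really is `drop`, the class and each of its criteria have matched traffic, and the per-criterion counts add up to the class total. The sample text is a constructed copy of R4's output whose last line is deliberately run together, as happens when the output is pasted; the "counts add up" rule assumes match-any criteria that do not overlap.

```python
import re
# Constructed sample: R4's "show policy-map interface FastEthernet 0/0" output from the lab above
SAMPLE = """Class-map: IMAGES (match-any)
24 packets, 4971 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*.jpeg|*.jpg"
16 packets, 3314 bytes
5 minute rate 0 bps
Match: protocol http url "*.gif"
8 packets, 1657 bytes
5 minute rate 0 bps
drop
Class-map: class-default (match-any)
70 packets, 7822 bytes
5 minute offered rate 0 bps, drop rate 0 bps Match: any
"""
CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\(match-(?:any|all)\)\s*$", re.M)
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
MATCH_RE = re.compile(r"Match:\s+(.+?)\s*$")  # search(), not match(): pasted output may run "Match: any" onto the rate line
def parse_policy_output(text):
    classes = {}  # name -> {"packets", "bytes", "drop", "matches": [(criterion, packets|None, bytes|None)]}
    parts = CLASS_RE.split(text)  # [preamble, name1, body1, name2, body2, ...]
    for name, body in zip(parts[1::2], parts[2::2]):
        c = classes[name] = {"packets": 0, "bytes": 0, "drop": False, "matches": []}
        pending = None
        for line in body.splitlines():
            if m := COUNT_RE.match(line):
                pkts, byts = int(m.group(1)), int(m.group(2))
                if pending:  # counter line belongs to the preceding Match: criterion
                    c["matches"].append((pending, pkts, byts)); pending = None
                else:        # first counter line in the section is the class total
                    c["packets"], c["bytes"] = pkts, byts
            elif m := MATCH_RE.search(line):
                pending = m.group(1)
            elif line.strip() == "drop":
                c["drop"] = True
        if pending:  # criterion with no counter line of its own (class-default's "Match: any")
            c["matches"].append((pending, None, None))
    return classes

def audit_drop_class(classes, name):
    """Flag signs that the drop class is misconfigured or has never fired."""
    c = classes[name]
    problems = [] if c["drop"] else ["action is not drop"]
    if not c["packets"]:
        problems.append("no hits at all: check the interface/direction and that CEF is enabled")
    problems += [f"criterion never matched: {crit}" for crit, pkts, _ in c["matches"] if not pkts]
    if sum(p or 0 for _, p, _ in c["matches"]) != c["packets"]:  # match-any, non-overlapping criteria
        problems.append("per-criterion packet counts do not add up to the class total")
    return problems
```

Running `audit_drop_class(parse_policy_output(SAMPLE), "IMAGES")` on the lab output returns an empty list; a class that has never matched, or whose action is missing, is reported instead.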