Narzędzia użytkownika
notatki:cisco_zbf
Różnice
Różnice między wybraną wersją a wersją aktualną.
| Nowa wersja | Poprzednia wersja | ||
| notatki:cisco_zbf [2025/05/16 16:52] – utworzono administrator | notatki:cisco_zbf [2025/05/16 17:24] (aktualna) – administrator | ||
|---|---|---|---|
| Linia 1: | Linia 1: | ||
| - | ====== | + | ====== Cisco: Konfiguracja |
| - | === 1. Wprowadzenie === | + | === Wprowadzenie === |
| Zone-Based Firewall (ZBF) to nowoczesne podejście do filtrowania ruchu w routerach Cisco, zastępujące klasyczne ACL i CBAC. Bazuje na przydzieleniu interfejsów do stref (zones), a następnie definiowaniu polityk między strefami. | Zone-Based Firewall (ZBF) to nowoczesne podejście do filtrowania ruchu w routerach Cisco, zastępujące klasyczne ACL i CBAC. Bazuje na przydzieleniu interfejsów do stref (zones), a następnie definiowaniu polityk między strefami. | ||
| - | === 2. Kroki konfiguracji === | + | === Kroki konfiguracji === |
| - | == 2.1 Tworzenie stref == | + | == Tworzenie stref == |
| Zdefiniuj strefy, do których przypiszesz interfejsy: < | Zdefiniuj strefy, do których przypiszesz interfejsy: < | ||
| zone security ZONA-WEW | zone security ZONA-WEW | ||
| zone security ZONA-INTERNET </ | zone security ZONA-INTERNET </ | ||
| - | == 2.2 Przypisanie interfejsów do stref == < | + | == Przypisanie interfejsów do stref == |
| + | < | ||
| interface GigabitEthernet0/ | interface GigabitEthernet0/ | ||
| zone-member security ZONA-WEW | zone-member security ZONA-WEW | ||
| Linia 18: | Linia 19: | ||
| zone-member security ZONA-INTERNET </ | zone-member security ZONA-INTERNET </ | ||
| - | == 2.3 Tworzenie klasy ruchu == | + | == Tworzenie klasy ruchu == |
| Określ, jaki typ ruchu będzie rozpoznawany: | Określ, jaki typ ruchu będzie rozpoznawany: | ||
| class-map type inspect match-any CMAP-WWW | class-map type inspect match-any CMAP-WWW | ||
| Linia 24: | Linia 25: | ||
| match protocol https </ | match protocol https </ | ||
| - | == 2.4 Tworzenie polityki ruchu == < | + | == Tworzenie polityki ruchu == |
| + | < | ||
| policy-map type inspect PMAP-WEW-INTERNET | policy-map type inspect PMAP-WEW-INTERNET | ||
| class type inspect CMAP-WWW | class type inspect CMAP-WWW | ||
| Linia 31: | Linia 33: | ||
| drop </ | drop </ | ||
| - | == 2.5 Powiązanie polityki z ruchem między strefami == < | + | == Powiązanie polityki z ruchem między strefami == |
| + | < | ||
| zone-pair security ZP-WEW-DO-INTERNET source ZONA-WEW destination ZONA-INTERNET | zone-pair security ZP-WEW-DO-INTERNET source ZONA-WEW destination ZONA-INTERNET | ||
| service-policy type inspect PMAP-WEW-INTERNET </ | service-policy type inspect PMAP-WEW-INTERNET </ | ||
| - | === 3. Weryfikacja === < | + | === Weryfikacja === |
| + | < | ||
| show zone security | show zone security | ||
| show zone-pair security | show zone-pair security | ||
| show policy-map type inspect zone-pair </ | show policy-map type inspect zone-pair </ | ||
| - | === 4. Uwagi === | + | === Uwagi === |
| - | * Jeśli interfejs nie należy do żadnej strefy, to nie może wymieniać ruchu z żadnym innym interfejsem. | + | |
| - | * Komenda `inspect` oznacza zezwolenie i śledzenie sesji. | + | * Komenda `inspect` oznacza zezwolenie i śledzenie sesji. |
| - | * Komenda `drop` blokuje nieokreślony ruch domyślnie. | + | * Komenda `drop` blokuje nieokreślony ruch domyślnie. |
| - | === 5. Przykład rozszerzenia === | + | === Przykład rozszerzenia === |
| Dodanie reguły dla ICMP: < | Dodanie reguły dla ICMP: < | ||
| class-map type inspect match-any CMAP-PING | class-map type inspect match-any CMAP-PING | ||
| Linia 58: | Linia 62: | ||
| class class-default | class class-default | ||
| drop </ | drop </ | ||
| + | |||
| + | ====== Przykład konfiguracji ====== | ||
| + | |||
| + | {{: | ||
| + | |||
| + | konfiguracja routera: | ||
| + | < | ||
| + | *Mar 1 00: | ||
| + | R1#show running-config | ||
| + | Building configuration... | ||
| + | |||
| + | Current configuration : 1701 bytes | ||
| + | ! | ||
| + | version 12.4 | ||
| + | service timestamps debug datetime msec | ||
| + | service timestamps log datetime msec | ||
| + | no service password-encryption | ||
| + | ! | ||
| + | hostname R1 | ||
| + | ! | ||
| + | boot-start-marker | ||
| + | boot-end-marker | ||
| + | ! | ||
| + | ! | ||
| + | no aaa new-model | ||
| + | memory-size iomem 5 | ||
| + | no ip icmp rate-limit unreachable | ||
| + | ip cef | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | no ip domain lookup | ||
| + | ! | ||
| + | multilink bundle-name authenticated | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | archive | ||
| + | log config | ||
| + | hidekeys | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ip tcp synwait-time 5 | ||
| + | ! | ||
| + | class-map type inspect match-any TELNET-CLASS | ||
| + | match protocol telnet | ||
| + | ! | ||
| + | ! | ||
| + | policy-map type inspect POLICY-INSIDE-TO-OUTSIDE | ||
| + | class type inspect TELNET-CLASS | ||
| + | inspect | ||
| + | class class-default | ||
| + | drop | ||
| + | ! | ||
| + | zone security INSIDE | ||
| + | zone security OUTSIDE | ||
| + | zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE | ||
| + | | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | interface FastEthernet0/ | ||
| + | ip address 1.0.0.1 255.255.255.0 | ||
| + | | ||
| + | | ||
| + | speed auto | ||
| + | ! | ||
| + | interface Serial0/0 | ||
| + | no ip address | ||
| + | | ||
| + | clock rate 2000000 | ||
| + | ! | ||
| + | interface FastEthernet0/ | ||
| + | ip address 2.0.0.1 255.255.255.0 | ||
| + | | ||
| + | | ||
| + | speed auto | ||
| + | ! | ||
| + | interface Serial0/1 | ||
| + | no ip address | ||
| + | | ||
| + | clock rate 2000000 | ||
| + | ! | ||
| + | interface Serial0/2 | ||
| + | no ip address | ||
| + | | ||
| + | clock rate 2000000 | ||
| + | ! | ||
| + | interface FastEthernet1/ | ||
| + | no ip address | ||
| + | | ||
| + | | ||
| + | speed auto | ||
| + | ! | ||
| + | interface FastEthernet2/ | ||
| + | no ip address | ||
| + | | ||
| + | | ||
| + | speed auto | ||
| + | ! | ||
| + | ip forward-protocol nd | ||
| + | ! | ||
| + | ! | ||
| + | no ip http server | ||
| + | no ip http secure-server | ||
| + | ! | ||
| + | no cdp log mismatch duplex | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | control-plane | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | ! | ||
| + | line con 0 | ||
| + | | ||
| + | | ||
| + | | ||
| + | line aux 0 | ||
| + | | ||
| + | | ||
| + | | ||
| + | line vty 0 4 | ||
| + | login | ||
| + | ! | ||
| + | ! | ||
| + | end | ||
| + | |||
| + | </ | ||
| + | Test: | ||
| + | < | ||
| + | R3# ping 2.0.0.2 | ||
| + | |||
| + | Type escape sequence to abort. | ||
| + | Sending 5, 100-byte ICMP Echos to 2.0.0.2, timeout is 2 seconds: | ||
| + | ..... | ||
| + | Success rate is 0 percent (0/5) | ||
| + | R3#telnet 2.0.0.2 | ||
| + | Trying 2.0.0.2 ... Open | ||
| + | |||
| + | |||
| + | User Access Verification | ||
| + | |||
| + | Username: admin | ||
| + | Password: | ||
| + | R2> | ||
| + | |||
| + | </ | ||
notatki/cisco_zbf.1747407124.txt.gz · ostatnio zmienione: 2025/05/16 16:52 przez administrator
Narzędzia strony
Wszystkie treści w tym wiki, którym nie przyporządkowano licencji, podlegają licencji: GNU Free Documentation License 1.3
