
July 19 (convergence time, zone-based comprehensive lab)

깜자왕 2022. 7. 19. 18:27

BGP configuration tips

neighbor ~ remote-as ~

1. network ~ mask ~

2. redistribute ospf ~

and redistribute connected

=> Of options 1 and 2, option 2 is the more convenient one.


Hello packets between routers => every 10 seconds

Dead interval between routers => 40 seconds

However, since the time the routers take to exchange their routing-table changes is added on top, in practice it is 40 seconds + α (the convergence time).

There are ways to deal with the convergence-time problem.

1. Dead interval => reduce it from 40 seconds to 1 second

2. Add BFD (a protocol that uses only keepalives) => the dead interval can be reduced to millisecond units

3. Replace the switch with a router.


ACL

eq => equal

lt => less than => unlike eq, it covers all of the ports below the number given with lt => e.g. lt 20 => 0~20

gt => greater than => unlike lt, it covers all of the ports above the number given with gt => e.g. gt 20 => 20~65535

 

=> telnet and http connections succeed

=> ping fails

 

-> ping fails

-> web access succeeds


DMZ zone-based ACL configuration

=> The routing table still has to be built with OSPF configuration.

 

R1

class-map type inspect match-any class-111-map
 match access-group 101
class-map type inspect match-any class-122-map
 match access-group 102

policy-map type inspect policy-111-map
 class type inspect class-111-map
  inspect

policy-map type inspect policy-122-map
 class type inspect class-122-map
  inspect

zone security outzone
zone security inzone
zone security dmzzone
zone-pair security zonepair1 source inzone destination outzone
 service-policy type inspect policy-111-map
zone-pair security zonepair2 source outzone destination dmzzone
 service-policy type inspect policy-122-map

interface FastEthernet0/0
 ip address 11.2.2.1 255.255.255.0
 zone-member security outzone
 ip ospf 1 area 0

interface FastEthernet0/1
 ip address 10.1.3.2 255.255.255.0
 zone-member security inzone
 ip ospf 1 area 0

interface FastEthernet1/0
 ip address 11.2.3.1 255.255.255.0
 zone-member security dmzzone
 ip ospf 1 area 0

access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq www
access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq telnet
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any echo
access-list 102 permit tcp any 11.2.3.0 0.0.0.255 eq www
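The following is an added example, not code from the post or from Cisco: a small Python model of the R1 zone-based firewall configured above, which also exercises the eq / lt / gt port operators described in the ACL section. It parses R1's four access-list lines as written, maps each zone-pair to the ACL its class-map references (the class-map / policy-map chain is collapsed to that ACL, and only the inspect action is modelled), and then decides packets the way ZBF does: traffic between two different zones is dropped unless a zone-pair with an inspect policy permits it, a zone-member interface never talks to a non-zone interface, intra-zone traffic passes, and a flow that was inspected has its return traffic allowed. The interface names (Fa0/0, Fa0/1, Fa1/0) are shortened and the sample hosts and packets are constructed for the example. One caveat the ACL section glosses over: in IOS the lt and gt operators are strict, so lt 20 matches ports 0 to 19 and gt 20 matches 21 to 65535, and that is what the model implements.

```python
# Added example (not from the post): model of R1's zone-based firewall; interface names shortened.
import ipaddress
from typing import NamedTuple, Optional, Tuple

PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53}   # names used in the configs above

def port_matches(op: str, ref: int, port: int) -> bool:
    """IOS port operators: lt and gt are strict, so neither includes ref itself."""
    return {"eq": port == ref, "lt": port < ref, "gt": port > ref}[op]

class Packet(NamedTuple):
    in_if: str
    out_if: str
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # "echo", "echo-reply", ...

def _addr(tok: list) -> Tuple[int, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, mask) as ints."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0xFFFFFFFF
    wildcard = int(ipaddress.IPv4Address(tok.pop(0)))
    return int(ipaddress.IPv4Address(t)), ~wildcard & 0xFFFFFFFF

def _port(tok: list) -> Optional[Tuple[str, int]]:
    """Consume an optional 'eq|lt|gt PORT' operator (port name or number)."""
    if tok and tok[0] in ("eq", "lt", "gt"):
        op, p = tok.pop(0), tok.pop(0)
        return op, PORT_NAMES.get(p) or int(p)
    return None

def parse_acls(text: str) -> dict:
    """Parse extended 'access-list N permit|deny PROTO SRC [op] DST [op] [icmp-type]' lines."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        number, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
        src, sport, dst, dport = _addr(rest), _port(rest), _addr(rest), _port(rest)
        icmp = rest.pop(0) if proto == "icmp" and rest else ""
        acls.setdefault(number, []).append((action, proto, src, sport, dst, dport, icmp))
    return acls

def _in_net(addr: str, net: Tuple[int, int]) -> bool:
    return (int(ipaddress.IPv4Address(addr)) & net[1]) == (net[0] & net[1])

def acl_permits(entries: list, pkt: Packet) -> bool:
    """First matching entry decides; no match hits the implicit deny at the end."""
    for action, proto, src, sport, dst, dport, icmp in entries:
        if (proto in ("ip", pkt.proto) and _in_net(pkt.src, src) and _in_net(pkt.dst, dst)
                and (not sport or port_matches(*sport, pkt.sport))
                and (not dport or port_matches(*dport, pkt.dport))
                and (not icmp or icmp == pkt.icmp_type)):
            return action == "permit"
    return False

class ZoneFirewall:  # zone-pair evaluation plus a session table for inspected (stateful) flows
    def __init__(self, acls: dict, members: dict, pairs: dict):
        self.acls, self.members, self.pairs = acls, members, pairs  # iface->zone, (src,dst zone)->ACL
        self.sessions = set()

    def decide(self, pkt: Packet) -> str:
        zin, zout = self.members.get(pkt.in_if), self.members.get(pkt.out_if)
        if zin == zout:
            return "pass"                        # same zone, or neither interface is zoned
        if zin is None or zout is None:
            return "drop"                        # zone-member to non-zone interface is dropped
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "pass (return traffic)"       # reply to a flow that inspect recorded
        acl = self.pairs.get((zin, zout))
        if acl and acl_permits(self.acls.get(acl, []), pkt):
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "inspect"
        return "drop"                            # no zone-pair, or the class-map did not match

R1_ACLS = """access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq www
access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq telnet
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any echo
access-list 102 permit tcp any 11.2.3.0 0.0.0.255 eq www"""

def build_r1() -> ZoneFirewall:
    members = {"Fa0/0": "outzone", "Fa0/1": "inzone", "Fa1/0": "dmzzone"}  # zone-member security
    pairs = {("inzone", "outzone"): "101", ("outzone", "dmzzone"): "102"}  # zone-pair -> class-map ACL
    return ZoneFirewall(parse_acls(R1_ACLS), members, pairs)

def demo() -> dict:  # constructed sample packets between hosts on R1's three subnets
    fw, out = build_r1(), Packet("Fa0/1", "Fa0/0", "tcp", "10.1.3.5", "11.2.2.9", 40000, 80)
    return {"inside->outside http": fw.decide(out),
            "outside->inside reply": fw.decide(Packet("Fa0/0", "Fa0/1", "tcp", "11.2.2.9", "10.1.3.5", 80, 40000)),
            "outside->dmz http": fw.decide(Packet("Fa0/0", "Fa1/0", "tcp", "11.2.2.9", "11.2.3.10", 40001, 80)),
            "outside->dmz telnet": fw.decide(Packet("Fa0/0", "Fa1/0", "tcp", "11.2.2.9", "11.2.3.10", 40002, 23)),
            "inside->dmz http": fw.decide(Packet("Fa0/1", "Fa1/0", "tcp", "10.1.3.5", "11.2.3.10", 40003, 80))}
```

Running demo() shows the two lab outcomes the config is built for (inside to outside http is inspected and its reply comes back; outside reaches the DMZ on www only) and also the case students usually trip over: inside to DMZ is dropped, not because of an ACL, but because no zone-pair from inzone to dmzzone exists, and ZBF denies everything between zones that has no zone-pair.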


 

R1

ip dhcp excluded-address 66.1.2.1
!
ip dhcp pool test
 network 66.1.2.0 255.255.255.0
 default-router 66.1.2.1
 dns-server 88.1.1.2

router bgp 661
 bgp log-neighbor-changes
 no synchronization
 neighbor 66.1.3.2 remote-as 771
 neighbor 66.1.4.2 remote-as 881
 redistribute connected

R2

interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto

ip nat inside source list 1 interface FastEthernet0/0 overload

access-list 1 permit any

R3

router bgp 771
 bgp log-neighbor-changes
 no synchronization
 neighbor 66.1.3.1 remote-as 661
 neighbor 99.1.1.2 remote-as 881
 neighbor 77.1.2.2 remote-as 1100
 neighbor 77.1.3.2 remote-as 1000
 redistribute connected

R4

router bgp 881
 bgp log-neighbor-changes
 no synchronization
 neighbor 66.1.4.1 remote-as 661
 neighbor 99.1.1.1 remote-as 771
 neighbor 88.1.2.2 remote-as 1100
 neighbor 88.1.3.2 remote-as 1000
 redistribute connected

R5

class-map type inspect match-any class-111-map
 match access-group 111
!
policy-map type inspect policy-111-map
 class type inspect class-111-map
  inspect
!
zone security outzone
zone security dmzzone
zone-pair security zonepair1 source dmzzone destination outzone
 service-policy type inspect policy-111-map
!
interface FastEthernet0/0
 ip address 77.1.2.2 255.255.255.0
 zone-member security outzone
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 88.1.2.2 255.255.255.0
 zone-member security outzone
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 78.1.3.1 255.255.255.0
 zone-member security dmzzone
 ip ospf 1 area 0

router ospf 1
 log-adjacency-changes
 default-information originate
!
router bgp 1100
 bgp log-neighbor-changes
 no synchronization
 neighbor 77.1.2.1 remote-as 771
 neighbor 88.1.2.1 remote-as 881
 network 78.1.3.0 mask 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 77.1.2.1
ip route 0.0.0.0 0.0.0.0 88.1.2.1
!
ip flow-export version 9
!
access-list 111 permit tcp any any eq www
access-list 111 permit icmp any any echo
access-list 111 permit udp any any eq domain

R6

class-map type inspect match-any class-114-map
 match access-group 114
class-map type inspect match-any class-123-map
 match access-group 123
!
policy-map type inspect policy-114-map
 class type inspect class-114-map
  inspect
!
policy-map type inspect policy-123-map
 class type inspect class-123-map
  inspect
!
zone security outzone
zone security inzone
zone security dmzzone
zone-pair security zonepair3 source inzone destination outzone
 service-policy type inspect policy-114-map
zone-pair security zonepair4 source outzone destination dmzzone
 service-policy type inspect policy-123-map
!
interface FastEthernet0/0
 ip address 88.1.3.2 255.255.255.0
 zone-member security outzone
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 77.1.3.2 255.255.255.0
 zone-member security outzone
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 88.1.4.1 255.255.255.0
 zone-member security dmzzone
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 100.1.1.1 255.255.255.0
 zone-member security inzone
 ip ospf 1 area 0

router ospf 1
 log-adjacency-changes
 default-information originate
!
router bgp 1000
 bgp log-neighbor-changes
 no synchronization
 neighbor 88.1.3.1 remote-as 881
 neighbor 77.1.3.1 remote-as 771
 network 88.1.4.0 mask 255.255.255.0
 redistribute ospf 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 77.1.3.1
ip route 0.0.0.0 0.0.0.0 88.1.3.1
!
ip flow-export version 9
!
access-list 114 permit tcp any any eq www
access-list 114 permit tcp any any eq telnet
access-list 114 permit icmp any any echo
access-list 123 permit tcp any any eq www
access-list 123 permit icmp any any echo

R7

class-map type inspect match-any class-113-map
 match access-group 113
!
policy-map type inspect policy-113-map
 class type inspect class-113-map
  inspect
!
zone security inzone
zone security dmzzone
zone-pair security zonepair2 source inzone destination dmzzone
 service-policy type inspect policy-113-map
!
interface FastEthernet0/0
 ip address 78.1.3.2 255.255.255.0
 zone-member security dmzzone
 ip ospf 1 area 0
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 11.1.1.1 255.255.255.0
 zone-member security inzone
 ip ospf 1 area 0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 12.1.1.1 255.255.255.0
 zone-member security inzone
 ip ospf 1 area 0
 ip nat inside

router ospf 1
 log-adjacency-changes
!
ip nat inside source list 2 interface FastEthernet0/0 overload
ip classless
!
ip flow-export version 9
!
access-list 2 permit any
access-list 113 permit tcp any any eq www
!

R8

interface FastEthernet0/0
 ip address 100.1.1.2 255.255.255.0
 ip ospf 1 area 0
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 105.1.1.1 255.255.255.0
 ip access-group 190 in
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 106.1.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 101.1.1.1 255.255.255.0
 ip nat inside

ip nat inside source list 5 interface FastEthernet0/0 overload
ip classless
ip route 103.0.0.0 255.0.0.0 101.1.1.2
ip route 102.0.0.0 255.0.0.0 101.1.1.2
ip route 104.0.0.0 255.0.0.0 101.1.1.2
ip route 107.0.0.0 255.0.0.0 101.1.1.2
ip route 108.0.0.0 255.0.0.0 101.1.1.2
ip route 0.0.0.0 0.0.0.0 100.1.1.1
!
ip flow-export version 9
!
access-list 5 permit any
access-list 190 permit tcp host 105.1.1.6 host 106.1.1.6 eq www

R9

interface FastEthernet0/0
 ip address 17.1.1.2 255.255.255.0
 ip ospf 1 area 0

router ospf 1
 log-adjacency-changes
 redistribute static subnets
!
ip classless
ip route 201.1.1.0 255.255.255.0 200.1.1.2

R10

ip route 0.0.0.0 0.0.0.0 200.1.1.1

SW1

router eigrp 100
 redistribute static
 network 103.1.1.0 0.0.0.255
 network 102.1.1.0 0.0.0.255
 network 107.1.1.0 0.0.0.255
 network 108.1.1.0 0.0.0.255
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 101.1.1.1

SW2

router eigrp 100
 network 102.1.1.0 0.0.0.255
 network 104.1.1.0 0.0.0.255
 network 107.1.1.0 0.0.0.255
 network 108.1.1.0 0.0.0.255

SW3

interface Vlan10
 mac-address 000a.f3d8.8e01
 ip address 107.1.1.1 255.255.255.0
!
interface Vlan20
 mac-address 000a.f3d8.8e02
 ip address 108.1.1.1 255.255.255.0
!
router eigrp 100
 network 107.1.1.0 0.0.0.255
 network 103.1.1.0 0.0.0.255
 network 104.1.1.0 0.0.0.255
 network 108.1.1.0 0.0.0.255

SW4

interface FastEthernet0/1
 no switchport
 ip address 11.1.1.2 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
!
interface FastEthernet0/2
 no switchport
 ip address 13.1.1.1 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
!
interface FastEthernet0/3
 no switchport
 ip address 14.1.1.1 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
!
interface FastEthernet0/4
 no switchport
 ip address 17.1.1.1 255.255.255.0
 ip ospf 1 area 0

SW5

interface FastEthernet0/1
 no switchport
 ip address 12.1.1.2 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
!
interface FastEthernet0/2
 no switchport
 ip address 15.1.1.1 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
!
interface FastEthernet0/3
 no switchport
 ip address 16.1.1.1 255.255.255.0
 ip ospf 1 area 0

SW6

interface FastEthernet0/1
 no switchport
 ip address 13.1.1.2 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
!
interface FastEthernet0/2
 no switchport
 ip address 15.1.1.2 255.255.255.0
 ip ospf 1 area 0

interface Vlan10
 mac-address 0060.2f1a.0801
 ip address 18.1.1.3 255.255.255.0
 ip helper-address 19.1.1.6
 standby 10 ip 18.1.1.1
 standby 10 priority 150
 standby 10 preempt
!
interface Vlan20
 mac-address 0060.2f1a.0802
 ip address 19.1.1.3 255.255.255.0
 ip helper-address 19.1.1.6
 standby 20 ip 19.1.1.1
 standby 20 priority 50
!
router ospf 1
 log-adjacency-changes
 network 18.0.0.0 0.255.255.255 area 0
 network 19.0.0.0 0.255.255.255 area 0

SW7

interface FastEthernet0/1
 no switchport
 ip address 14.1.1.2 255.255.255.0
 ip ospf 1 area 0
 duplex auto
 speed auto
!
interface FastEthernet0/2
 no switchport
 ip address 16.1.1.2 255.255.255.0
 ip ospf 1 area 0

interface Vlan10
 mac-address 0004.9aa0.7301
 ip address 18.1.1.4 255.255.255.0
 ip helper-address 19.1.1.6
 standby 10 ip 18.1.1.1
 standby 10 priority 50
!
interface Vlan20
 mac-address 0004.9aa0.7302
 ip address 19.1.1.4 255.255.255.0
 ip helper-address 19.1.1.6
 standby 20 ip 19.1.1.1
 standby 20 priority 150
 standby 20 preempt
!
router ospf 1
 log-adjacency-changes
 network 18.0.0.0 0.255.255.255 area 0
 network 19.0.0.0 0.255.255.255 area 0