IP Security



General configuration settings.
[Huawei]sysname CLIGURU-R1
[Huawei]sysname CLIGURU-R2
[Huawei]sysname CLIGURU-R3
[Huawei]sysname CLIGURU-S1
[CLIGURU-S1]vlan 4
[CLIGURU-S1-vlan4]quit
[CLIGURU-S1]interface vlanif 4
[CLIGURU-S1-Vlanif4]ip address 10.0.4.254 24
[Huawei]sysname CLIGURU-S2
[CLIGURU-S2]vlan 6
[CLIGURU-S2-vlan6]quit
[CLIGURU-S2]interface vlanif 6
[CLIGURU-S2-Vlanif6]ip address 10.0.6.254 24
IP address configuration.
As shown in the figure, let's assign IP addresses from the 10.0.13.0/24, 10.0.4.0/24 and 10.0.6.0/24 network ranges.
[CLIGURU-R1]interface GigabitEthernet 0/0/0
[CLIGURU-R1-GigabitEthernet0/0/0]ip address 10.0.13.1 24
[CLIGURU-R2]interface GigabitEthernet 0/0/0
[CLIGURU-R2-GigabitEthernet0/0/0]ip address 10.0.13.2 24
[CLIGURU-R2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[CLIGURU-R2-GigabitEthernet0/0/1]ip address 10.0.4.2 24
[CLIGURU-R2-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[CLIGURU-R2-GigabitEthernet0/0/2]ip address 10.0.6.2 24
[CLIGURU-R3]interface GigabitEthernet 0/0/0
[CLIGURU-R3-GigabitEthernet0/0/0]ip address 10.0.13.3 24
We need to create a VLAN trunk link on CLIGURU-S1 and CLIGURU-S2.
[CLIGURU-S1]interface GigabitEthernet 0/0/2
[CLIGURU-S1-GigabitEthernet0/0/2]port link-type trunk
[CLIGURU-S1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[CLIGURU-S1-GigabitEthernet0/0/2]port trunk pvid vlan 4
[CLIGURU-S1-GigabitEthernet0/0/2]quit
[CLIGURU-S2]interface GigabitEthernet 0/0/2
[CLIGURU-S2-GigabitEthernet0/0/2]port link-type trunk
[CLIGURU-S2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[CLIGURU-S2-GigabitEthernet0/0/2]port trunk pvid vlan 6
[CLIGURU-S2-GigabitEthernet0/0/2]quit
Let's configure OSPF to enable communication between the networks.
Let's set up OSPF on CLIGURU-R1, CLIGURU-R2 and CLIGURU-R3 and advertise all networks connected to each device.
[CLIGURU-R1]ospf
[CLIGURU-R1-ospf-1]area 0
[CLIGURU-R1-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255
[CLIGURU-R2]ospf
[CLIGURU-R2-ospf-1]area 0
[CLIGURU-R2-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255
[CLIGURU-R2-ospf-1-area-0.0.0.0]network 10.0.4.0 0.0.0.255
[CLIGURU-R2-ospf-1-area-0.0.0.0]network 10.0.6.0 0.0.0.255
[CLIGURU-R3]ospf
[CLIGURU-R3-ospf-1]area 0
[CLIGURU-R3-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255
On CLIGURU-S1 and CLIGURU-S2, let's write a static default route whose next hop is the private network gateway.
[CLIGURU-S1]ip route-static 0.0.0.0 0.0.0.0 10.0.4.2
[CLIGURU-S2]ip route-static 0.0.0.0 0.0.0.0 10.0.6.2
Let's verify communication with the VLANs.
<CLIGURU-R1>ping 10.0.4.254
PING 10.0.4.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.4.254: bytes=56 Sequence=1 ttl=254 time=670 ms
Reply from 10.0.4.254: bytes=56 Sequence=2 ttl=254 time=100 ms
Reply from 10.0.4.254: bytes=56 Sequence=3 ttl=254 time=80 ms
Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=254 time=100 ms
Reply from 10.0.4.254: bytes=56 Sequence=5 ttl=254 time=90 ms
--- 10.0.4.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/208/670 ms
<CLIGURU-R1>ping 10.0.6.254
PING 10.0.6.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.6.254: bytes=56 Sequence=1 ttl=254 time=110 ms
Reply from 10.0.6.254: bytes=56 Sequence=2 ttl=254 time=80 ms
Reply from 10.0.6.254: bytes=56 Sequence=3 ttl=254 time=80 ms
Reply from 10.0.6.254: bytes=56 Sequence=4 ttl=254 time=110 ms
Reply from 10.0.6.254: bytes=56 Sequence=5 ttl=254 time=100 ms
--- 10.0.6.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/96/110 ms
<CLIGURU-R3>ping 10.0.4.254
PING 10.0.4.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.4.254: bytes=56 Sequence=1 ttl=254 time=100 ms
Reply from 10.0.4.254: bytes=56 Sequence=2 ttl=254 time=80 ms
Reply from 10.0.4.254: bytes=56 Sequence=3 ttl=254 time=100 ms
Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=254 time=80 ms
Reply from 10.0.4.254: bytes=56 Sequence=5 ttl=254 time=100 ms
--- 10.0.4.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/92/100 ms
<CLIGURU-R3>ping 10.0.6.254
PING 10.0.6.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.6.254: bytes=56 Sequence=1 ttl=254 time=70 ms
Reply from 10.0.6.254: bytes=56 Sequence=2 ttl=254 time=130 ms
Reply from 10.0.6.254: bytes=56 Sequence=3 ttl=254 time=90 ms
Reply from 10.0.6.254: bytes=56 Sequence=4 ttl=254 time=90 ms
Reply from 10.0.6.254: bytes=56 Sequence=5 ttl=254 time=100 ms
--- 10.0.6.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/96/130 ms

Configuring traffic filtering with Access Control Lists.
Let's configure CLIGURU-S1 as a Telnet server.
[CLIGURU-S1]user-interface vty 0 4
[CLIGURU-S1-ui-vty0-4]authentication-mode password
[CLIGURU-S1-ui-vty0-4]set authentication password cipher huawei
Let's configure CLIGURU-S2 as an FTP server.
[CLIGURU-S2]ftp server enable
Info: Succeeded in starting the FTP server.
[CLIGURU-S2]aaa
[CLIGURU-S2-aaa]local-user huawei password cipher huawei
Info: Add a new user.
[CLIGURU-S2-aaa]local-user huawei service-type ftp
[CLIGURU-S2-aaa]local-user huawei ftp-directory flash:
Let's create an access control list on CLIGURU-R2 so that only CLIGURU-R1 can reach the Telnet server and only CLIGURU-R3 can reach the FTP server.
[CLIGURU-R2]acl 3000
[CLIGURU-R2-acl-adv-3000]rule 5 permit tcp source 10.0.13.1 0.0.0.0 destination 10.0.4.254 0.0.0.0 destination-port eq 23
[CLIGURU-R2-acl-adv-3000]rule 10 permit tcp source 10.0.13.3 0.0.0.0 destination 10.0.6.254 0.0.0.0 destination-port range 20 21
[CLIGURU-R2-acl-adv-3000]rule 15 deny ip source any
[CLIGURU-R2-acl-adv-3000]quit
Let's apply the ACL inbound on the GigabitEthernet 0/0/0 interface of CLIGURU-R2.
[CLIGURU-R2]interface GigabitEthernet 0/0/0
[CLIGURU-R2-GigabitEthernet0/0/0]traffic-filter inbound acl 3000
Let's verify that the access control list behaves correctly on the network.
<CLIGURU-R1>telnet 10.0.4.254
Press CTRL+K to quit telnet mode
Trying 10.0.4.254 ...
Connected to 10.0.4.254 ...
Login authentication
Password:
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
<CLIGURU-S1>
NOTE: Use the quit command to exit the Telnet session.
<CLIGURU-R1>ftp 10.0.6.254
Trying 10.0.6.254 ...
Press CTRL+K to abort
Error:Failed to connect to the remote host.
The FTP connection attempt may wait a while (60 seconds) before it reports a result.
<CLIGURU-R3>telnet 10.0.4.254
Press CTRL+K to quit telnet mode
Trying 10.0.4.254 ...
Error:Can't connect to the remote host.
<CLIGURU-R3>ftp 10.0.6.254
Trying 10.0.6.254 ...
Press CTRL+K to abort
Connected to 10.0.6.254.
220 FTP service ready.
User(10.0.6.254:(none)):huawei
331 Password required for huawei.
Enter password:
530 Logged incorrect.
[CLIGURU-R3-ftp]
Note: The bye command is used to close the FTP connection.
Result
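The four connection tests above are exactly what ACL 3000 predicts once you know two things about how Huawei evaluates it: rules are tried in ascending rule-number order and the first match decides, and a packet that matches no rule in a traffic-filter ACL is forwarded, which is why the lab ends the list with an explicit "rule 15 deny ip". The following Python model is an added example, not code from the page or from Huawei; it reconstructs ACL 3000 from the CLI shown above and evaluates constructed packets for the four tests on the page plus two flows the page does not test (an ICMP echo and an OSPF hello from CLIGURU-R1) that arrive on the same filtered interface. The implicit-permit behaviour for unmatched packets is an assumption of this model.

```python
# Added example (not the page's own code): a small model of how advanced
# ACL 3000 from the lab is evaluated by "traffic-filter inbound" on
# CLIGURU-R2 GigabitEthernet0/0/0. Rules are tried in ascending rule-number
# order and the first match decides; a packet matching no rule is forwarded
# (the implicit permit this model assumes for traffic-filter, and the reason
# the lab ends the ACL with an explicit "rule 15 deny ip").
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "icmp", "ospf", ...
    dport: Optional[int] = None  # TCP/UDP destination port, if any


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"   # wildcard of all 1s = any source
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dports: Optional[Tuple[int, int]] = None  # inclusive port range, None = any


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is ignored.
    So "0.0.0.0" (printed as "0" by display current-configuration) is an exact host."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF & ~w
    return (a & care) == (b & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, rule.src, rule.src_wc):
        return False
    if not wildcard_match(pkt.dst, rule.dst, rule.dst_wc):
        return False
    if rule.dports is not None:
        if pkt.dport is None:
            return False
        lo, hi = rule.dports
        if not lo <= pkt.dport <= hi:
            return False
    return True


def evaluate(acl, pkt: Packet):
    """Return (action, matching rule number); rule number is None when nothing matched."""
    for rule in sorted(acl, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    return "permit", None   # assumed traffic-filter behaviour for unmatched packets


# ACL 3000 exactly as configured on CLIGURU-R2 in the lab.
ACL_3000 = [
    Rule(5, "permit", "tcp", "10.0.13.1", "0.0.0.0", "10.0.4.254", "0.0.0.0", (23, 23)),
    Rule(10, "permit", "tcp", "10.0.13.3", "0.0.0.0", "10.0.6.254", "0.0.0.0", (20, 21)),
    Rule(15, "deny", "ip"),
]

# Constructed packets mirroring the four connection tests on the page, plus two
# flows the page does not test but which the same inbound ACL sees on G0/0/0.
TESTS = {
    "R1 telnet S1":  Packet("10.0.13.1", "10.0.4.254", "tcp", 23),
    "R1 ftp S2":     Packet("10.0.13.1", "10.0.6.254", "tcp", 21),
    "R3 telnet S1":  Packet("10.0.13.3", "10.0.4.254", "tcp", 23),
    "R3 ftp S2":     Packet("10.0.13.3", "10.0.6.254", "tcp", 21),
    "R1 ping S1":    Packet("10.0.13.1", "10.0.4.254", "icmp"),
    "R1 ospf hello": Packet("10.0.13.1", "224.0.0.5", "ospf"),
}


def run_checks(acl=ACL_3000):
    """Evaluate every constructed packet against the ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in TESTS.items()}


def without_rule(acl, number):
    """The same ACL minus one rule, to show what the final explicit deny buys."""
    return [r for r in acl if r.number != number]


if __name__ == "__main__":
    for name, (action, num) in run_checks().items():
        print(f"{name:14s} -> {action} (rule {num})")
    print("R3 telnet S1 without rule 15:", run_checks(without_rule(ACL_3000, 15))["R3 telnet S1"])
```

Run it and the first four results match the page: R1 to the Telnet server hits rule 5, R3 to the FTP server hits rule 10, and the two crossed attempts fall through to rule 15, which is what the "Can't connect" and "Failed to connect" errors above show. Removing rule 15 makes the crossed attempts succeed by implicit permit, so the deny-all is doing real work. Two things the model makes visible that the page does not test: the same rule 15 also drops the ICMP echoes used earlier to verify reachability from R1 and R3, and it matches OSPF hellos arriving on G0/0/0, so after applying the filter check the neighbour state with display ospf peer and the hit counters with display acl 3000 (whether the platform applies traffic-filter to packets destined to the router itself is platform-specific). Rule 10 permits only the FTP control connection and the active-mode data port; a passive-mode data connection to a negotiated high port on the server would fall through to rule 15.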
<CLIGURU-R1>display current-configuration
#
sysname CLIGURU-R1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
#
interface GigabitEthernet0/0/0
ip address 10.0.13.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.13.0 0.0.0.255
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return
<CLIGURU-R2>display current-configuration
#
sysname CLIGURU-R2
#
acl number 3000
rule 5 permit tcp source 10.0.13.1 0 destination 10.0.4.254 0 destination-port eq telnet
rule 10 permit tcp source 10.0.13.3 0 destination 10.0.6.254 0 destination-port range ftp-data ftp
rule 15 deny ip
#
interface GigabitEthernet0/0/0
ip address 10.0.13.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.0.4.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.0.6.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.13.0 0.0.0.255
network 10.0.4.0 0.0.0.255
network 10.0.6.0 0.0.0.255
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return
<CLIGURU-R3>display current-configuration
#
sysname CLIGURU-R3
#
interface GigabitEthernet0/0/0
ip address 10.0.13.3 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.13.0 0.0.0.255
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
return
<CLIGURU-S1>display current-configuration
#
sysname CLIGURU-S1
#
vlan batch 4
#
interface Vlanif4
ip address 10.0.4.254 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 4
port trunk allow-pass vlan 2 to 4094
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.4.2
#
user-interface con 0
user-interface vty 0 4
set authentication password cipher A@Pc;6w5b@uqcXT}k'OI%9n#
#
return
<CLIGURU-S2>display current-configuration
#
sysname CLIGURU-S2
#
ftp server enable
#
vlan batch 6
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
local-user huawei password cipher $K&%QCXM$NYNZPO3JBXBHA!!
local-user huawei ftp-directory flash:
local-user huawei service-type ftp
#
interface Vlanif6
ip address 10.0.6.254 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 6
port trunk allow-pass vlan 2 to 4094
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.6.2
#
user-interface con 0
user-interface vty 0 4
#
return