commit
46c5ff0cec
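--- a/FlexVPN/FlexVPN_Remote_Access_AnyConnect.txt
+++ b/FlexVPN/FlexVPN_Remote_Access_AnyConnect.txt
@@ -0,0 +1,62 @@
+R1(config)#ip http server
+
+R1(config)#crypto pki server R1CA
+R1(cs-server)#issuer-name cn="R1CA"
+R1(cs-server)#grant auto
+R1(cs-server)#no shutdown
+
+R1(config)#ip domain name NWL.LAB
+R1(config)#crypto pki trustpoint R1CLIENT
+R1(ca-trustpoint)#enrollment url http://192.168.1.1
+R1(ca-trustpoint)#subject-name cn=R1CLIENT.CONTOSO.COM
+R1(config)#crypto pki authenticate R1CLIENT
+R1(config)#crypto pki enroll R1CLIENT
+
+
+R1(config)#aaa new-model
+
+R1(config)#aaa authentication login AAA_AUTHENTICATION_LOGIN local
+R1(config)#aaa authorization network AAA_AUTHORIZATION_NETWORK local
+
+R1(config)#username test password mojehaslo
+
+R1(config)#crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
+R1(config-ikev2-author-policy)#pool VPN_POOL
+R1(config-ikev2-author-policy)#def-domain CONTOSO.COM
+R1(config-ikev2-author-policy)#route set remote ipv4 1.1.1.1 255.255.255.255
+R1(config-ikev2-author-policy)#dns 1.1.1.1
+R1(config)#ip local pool VPN_POOL 192.168.10.5 192.168.10.10
+
+
+R1(config)#crypto ikev2 proposal IKEV2_PROPOSAL
+R1(config-ikev2-proposal)#encryption aes-cbc-256
+R1(config-ikev2-proposal)#integrity sha256
+R1(config-ikev2-proposal)#group 14
+
+R1(config)#crypto ikev2 policy default
+R1(config-ikev2-policy)#proposal IKEV2_PROPOSAL
+
+R1(config)#crypto ikev2 profile IKEV2_PROFILE
+R1(config-ikev2-profile)#match identity remote key-id *$AnyConnectClient$*
+R1(config-ikev2-profile)#authentication local rsa-sig
+R1(config-ikev2-profile)#authentication remote anyconnect-eap aggregate
+R1(config-ikev2-profile)#pki trustpoint R1-CLIENT
+R1(config-ikev2-profile)#aaa authentication anyconnect-eap AAA_AUTHENTICATION_LOGIN
+R1(config-ikev2-profile)#aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY
+R1(config-ikev2-profile)#virtual-template 1
+
+R1(config)#crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha256-hmac
+R1(cfg-crypto-trans)#mode tunnel
+
+R1(config)#crypto ipsec profile IKEV2_PROFILE
+R1(ipsec-profile)#set transform-set TRANSFORM_SET
+R1(ipsec-profile)#set ikev2-profile IKEV2_PROFILE
+
+R1(config)#interface Virtual-Template1 type tunnel
+R1(config-if)#ip unnumbered Loopback0
+R1(config-if)#ip mtu 1400
+R1(config-if)#tunnel mode ipsec ipv4
+R1(config-if)#tunnel protection ipsec profile IKEV2_PROFILE
+
+
+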
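Review bot: The IKEv2 profile binds `pki trustpoint R1-CLIENT`, but the trustpoint authenticated and enrolled earlier in the file is named `R1CLIENT`; unless a trustpoint called R1-CLIENT exists outside this listing, `authentication local rsa-sig` has no certificate to present and IKE_AUTH with AnyConnect clients will fail, so the line should read `R1(config-ikev2-profile)#pki trustpoint R1CLIENT`. Two further points deserve a warning in the text: `grant auto` on R1CA combined with the unauthenticated `http://192.168.1.1` SCEP endpoint means any host that can reach that address is issued a certificate with no operator approval, which is acceptable only in a closed lab, and `username test password mojehaslo` stores the credential reversibly where `username test secret mojehaslo` would hash it. A one-line note above the CA block such as `! lab only: grant auto issues a certificate to any SCEP requester` would make the first trade-off visible to the next reader.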
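--- a/FlexVPN/flexvpn1.txt
+++ b/FlexVPN/flexvpn1.txt
@@ -0,0 +1,37 @@
+crypto ikev2 keyring KEYR1
+peer R2
+address 198.51.100.2
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+
+crypto ikev2 profile Profil1
+match identity remote address 198.51.100.2 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+
+
+crypto ikev2 proposal ikeprop1
+integrity sha256 sha384 sha512
+group 14 15
+encryption aes-cbc-128 aes-cbc-256
+
+crypto ikev2 policy ikepol1
+proposal ikeprop1
+
+ip access-list extended ACLR2
+permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto map CM1 10 ipsec-isakmp
+match address ACLR2
+set peer 198.51.100.2
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+int g0/1
+crypto map CM1
+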
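Review bot: Both keyring entries use the literal pre-shared key `Cisco`, a dictionary word, and the same value is reused in every FlexVPN file of this commit; with `authentication remote pre-share` anyone who can get a peer to negotiate with them can guess a weak key offline from the IKE_AUTH payload, so a long random key per peer (`pre-shared-key local <random>` / `pre-shared-key remote <random>`, or a single symmetric `pre-shared-key <random>`) is the safe default even for a lab. The proposal is otherwise sound; one loose end worth a comment is that `esp-aes` with no key size selects AES-128 while ikeprop1 also offers aes-cbc-256, e.g. `! esp-aes = AES-128; use "esp-aes 256" to match the 256-bit IKE option`.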
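--- a/FlexVPN/flexvpn2.txt
+++ b/FlexVPN/flexvpn2.txt
@@ -0,0 +1,87 @@
+Dla R1 i R2:
+
+no int tunnel 1
+no router ospf 1
+
+
+Dla R1:
+interface Loopback1
+ip address 172.16.1.1 255.255.255.0
+
+############################################
+Dla R1:
+crypto ikev2 keyring KEYR1
+peer R2
+address 198.51.100.2
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+
+crypto ikev2 profile Profil1
+match identity remote address 198.51.100.2 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+
+
+Dla R2:
+crypto ikev2 keyring KEYR1
+peer R1
+address 192.0.2.1
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+
+crypto ikev2 profile Profil1
+match identity remote address 192.0.2.1 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+
+
+
+Dla R1:
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+int tun 12
+ip add 10.0.12.1 255.255.255.0
+tunnel source 192.0.2.1
+tunnel destination 198.51.100.2
+tunnel protection ipsec profile IPprof1
+tunnel mode ipsec ipv4
+
+
+
+Dla R2:
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+int tun 12
+ip add 10.0.12.2 255.255.255.0
+tunnel source 198.51.100.2
+tunnel destination 192.0.2.1
+tunnel protection ipsec profile IPprof1
+tunnel mode ipsec ipv4
+
+
+Dla R1:
+router eigrp 1
+network 10.0.12.0 0.0.0.255
+network 172.16.1.0 0.0.0.255
+
+Dla R2:
+router eigrp 1
+network 10.0.12.0 0.0.0.255
+network 172.16.2.0 0.0.0.255
+
+
+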
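Review bot: Neither R1 nor R2 defines a `crypto ikev2 proposal` or `policy` in this file, so unless ikeprop1 from flexvpn1.txt is still on the box the IKE SA is negotiated with the IOS default proposal, which depending on release still advertises legacy choices such as 3DES, SHA1/MD5 integrity and DH group 2. Pinning the algorithms the way flexvpn1.txt does (`crypto ikev2 proposal ikeprop1` with `encryption aes-cbc-256`, `integrity sha256`, `group 14`, attached to a policy) keeps the lab's choices explicit and consistent between the two files. The EIGRP adjacency over tun 12 is also unauthenticated; `ip authentication mode eigrp 1 md5` with a key chain on the tunnel interface, or named-mode `authentication mode hmac-sha-256`, is the usual addition once a routing protocol rides the tunnel.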
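--- a/FlexVPN/flexvpn3.txt
+++ b/FlexVPN/flexvpn3.txt
@@ -0,0 +1,105 @@
+FLexVPN HUB-SPOKE
+Dla R2, R3, R4:
+crypto ikev2 keyring KEYR1
+peer R1
+address 192.0.2.1
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 192.0.2.1 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+#####
+
+Dla R2:
+int loopback 3
+ip add 2.2.2.2 255.255.255.255
+
+Dla R3:
+int loopback 3
+ip add 3.3.3.3 255.255.255.255
+
+Dla R4:
+int loopback 3
+ip add 4.4.4.4 255.255.255.255
+
+Dla wszystkich Spoke (R2, R3, R4):
+int tun 12
+ip unnumbered loopback 3
+tunnel source g0/1
+tunnel destination 192.0.2.1
+tunnel protection ipsec profile IPprof1
+
+#####
+Koncentrator (R1):
+
+crypto ikev2 keyring KEYR1
+peer ANYROUTER
+address 0.0.0.0
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 0.0.0.0 0.0.0.0
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+virtual-template 1
+
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+int loopback 3
+ip add 1.1.1.1 255.255.255.255
+
+interface virtual-template 1 type tunnel
+tunnel source g0/1
+ip unnumbered loopback 3
+tunnel protection ipsec profile IPprof1
+
+####
+Dla R1:
+router eigrp 1
+network 1.1.1.1 0.0.0.0
+
+Dla R2:
+router eigrp 1
+network 2.2.2.2 0.0.0.0
+network 172.16.2.0 0.0.0.255
+network 192.168.2.0 0.0.0.255
+
+Dla R3:
+router eigrp 1
+network 3.3.3.3 0.0.0.0
+network 172.16.3.0 0.0.0.255
+network 192.168.3.0 0.0.0.255
+
+Dla R4:
+router eigrp 1
+network 4.4.4.4 0.0.0.0
+network 172.16.4.0 0.0.0.255
+network 192.168.4.0 0.0.0.255
+
+
+
+
+
+
+
+
+
+
+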
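Review bot: The hub's keyring entry `peer ANYROUTER` / `address 0.0.0.0` together with `match identity remote address 0.0.0.0 0.0.0.0` accepts an IKEv2 initiator from any source address, so the shared dictionary key `Cisco` is the only thing between an arbitrary host that can reach 192.0.2.1 and a virtual-access interface on R1 that immediately forms an EIGRP adjacency and can inject routes. With a fixed set of spokes, either list each spoke's address in the keyring (`peer R2` / `address <spoke-ip>`, and so on) or at least narrow the wildcard to the spoke address range, and authenticate EIGRP on the virtual-template. A comment such as `! wildcard peer: any host with the PSK becomes a spoke` above the hub keyring would make the trade-off visible to the next reader.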
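--- a/FlexVPN/flexvpn4.txt
+++ b/FlexVPN/flexvpn4.txt
@@ -0,0 +1,116 @@
+FLexVPN HUB-SPOKE
+Dla R2, R3, R4:
+crypto ikev2 keyring KEYR1
+peer R1
+address 192.0.2.1
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 192.0.2.1 255.255.255.255
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+aaa new-model
+aaa authorization network default local
+
+crypto ikev2 authorization policy AUTHPOLICY1
+route set interface
+
+
+#####
+
+
+Dla wszystkich Spoke (R2, R3, R4):
+int tun 12
+ip address negotiated
+tunnel source g0/1
+tunnel destination 192.0.2.1
+tunnel protection ipsec profile IPprof1
+
+#####
+Koncentrator (R1):
+
+crypto ikev2 keyring KEYR1
+peer ANYROUTER
+address 0.0.0.0
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+int loopback 3
+ip add 1.1.1.1 255.255.255.0
+
+interface virtual-template 1 type tunnel
+tunnel source g0/1
+ip unnumbered loopback 3
+tunnel protection ipsec profile IPprof1
+
+
+ip local pool PULAIP 1.1.1.2 1.1.1.10
+
+aaa new-model
+aaa authorization network default local
+
+crypto ikev2 authorization policy AUTHPOLICY1
+pool PULAIP
+route set interface
+
+crypto ikev2 profile Profil1
+match identity remote address 0.0.0.0 0.0.0.0
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+virtual-template 1
+aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
+
+
+####
+Dla R1:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+
+Dla R2:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.2.0 0.0.0.255
+network 192.168.2.0 0.0.0.255
+
+Dla R3:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.3.0 0.0.0.255
+network 192.168.3.0 0.0.0.255
+
+Dla R4:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.4.0 0.0.0.255
+network 192.168.4.0 0.0.0.255
+
+
+
+
+
+
+
+
+
+
+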
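Review bot: In `aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1` the first name after `list` is the AAA method list and the second is the IKEv2 authorization policy, but the only method list configured in this file is `aaa authorization network default local`; unless a list named AUTHPOLICY1 exists outside the listing, the authorization lookup is likely to fail and the `pool PULAIP` / `route set interface` attributes will not be applied, so either the profile lines (spoke and hub) should read `aaa authorization group override psk list default AUTHPOLICY1` or the AAA line should become `aaa authorization network AUTHPOLICY1 local`. Separately, the hub keyring still accepts any source address with the PSK `Cisco`, and `route set interface` means each such peer gets its tunnel address installed on R1 and an EIGRP adjacency over 1.1.1.0/24, so the key deserves a strong random value before this pattern leaves the lab.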
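--- a/FlexVPN/flexvpn5.txt
+++ b/FlexVPN/flexvpn5.txt
@@ -0,0 +1,138 @@
+FLexVPN SPOKE-SPOKE
+Dla R2, R3, R4:
+
+crypto ikev2 keyring KEYR1
+peer ANYPEER
+address 0.0.0.0
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 0.0.0.0 0.0.0.0
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+aaa new-model
+aaa authorization network default local
+
+crypto ikev2 authorization policy AUTHPOLICY1
+route set interface
+
+
+#####
+
+
+Dla wszystkich Spoke (R2, R3, R4):
+int tun 12
+ip address negotiated
+tunnel source g0/1
+tunnel destination 192.0.2.1
+tunnel protection ipsec profile IPprof1
+ip nhrp network-id 1
+ip nhrp shortcut virtual-template 12
+
+
+int virtual-template 12 type tunnel
+ip unnumbered tunnel 12
+tunnel source g0/1
+ip nhrp network-id 1
+ip nhrp shortcut virtual-template 12
+tunnel protection ipsec profile IPprof1
+
+
+
+
+#####
+Koncentrator (R1):
+
+
+int loopback 3
+ip add 1.1.1.1 255.255.255.0
+
+ip local pool PULAIP 1.1.1.2 1.1.1.10
+
+aaa new-model
+aaa authorization network default local
+
+
+crypto ikev2 authorization policy AUTHPOLICY1
+pool PULAIP
+route set interface
+
+
+crypto ikev2 keyring KEYR1
+peer ANYPEER
+address 0.0.0.0
+pre-shared-key local Cisco
+pre-shared-key remote Cisco
+
+crypto ikev2 profile Profil1
+match identity remote address 0.0.0.0 0.0.0.0
+authentication local pre-share
+authentication remote pre-share
+keyring local KEYR1
+virtual-template 1
+aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
+
+crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
+
+crypto ipsec profile IPprof1
+set transform-set TR1
+set ikev2-profile Profil1
+
+
+
+interface virtual-template 1 type tunnel
+tunnel source g0/1
+ip unnumbered loopback 3
+tunnel protection ipsec profile IPprof1
+ip nhrp network-id 1
+ip nhrp redirect
+
+
+
+
+
+
+####
+Dla R1:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+
+Dla R2:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.2.0 0.0.0.255
+network 192.168.2.0 0.0.0.255
+
+Dla R3:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.3.0 0.0.0.255
+network 192.168.3.0 0.0.0.255
+
+Dla R4:
+router eigrp 1
+network 1.1.1.0 0.0.0.255
+network 172.16.4.0 0.0.0.255
+network 192.168.4.0 0.0.0.255
+
+
+
+
+
+
+
+
+
+
+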
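Review bot: With spoke-to-spoke shortcuts every spoke now carries `peer ANYPEER` / `address 0.0.0.0` and `match identity remote address 0.0.0.0 0.0.0.0`, so each spoke, not just the hub, completes IKEv2 with any address that presents the PSK `Cisco` and builds a virtual-access interface for it; the NHRP shortcut makes that intentional for known spokes, but it also means the weak shared key now exposes every site directly rather than only the hub. When the peer set is open like this, per-peer keys or certificate authentication (`authentication remote rsa-sig` with a trustpoint, as the AnyConnect listing in this commit already sets up) is the usual answer, and `ip nhrp authentication <string>` on tun 12 and both virtual-templates adds a cheap consistency check on the NHRP side. The `aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1` lines also name a method list AUTHPOLICY1 while only `aaa authorization network default local` is configured here; `list default AUTHPOLICY1` matches the AAA line shown.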
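--- a/ip_source_guard.txt
+++ b/ip_source_guard.txt
@@ -0,0 +1,91 @@
+Router:
+hostname R1
+!
+ip dhcp pool MY_POOL
+network 192.168.1.0 255.255.255.0
+!
+ip cef
+!
+interface FastEthernet0/0
+ip address 192.168.1.254 255.255.255.0
+!
+end
+
+
+Przełącznik (router podłączony na porcie g0/1):
+hostname SW1
+!
+ip dhcp snooping vlan 1
+no ip dhcp snooping information option
+ip dhcp snooping
+!
+interface GigabitEthernet0/1
+switchport mode access
+spanning-tree portfast
+ip dhcp snooping trust
+!
+interface GigabitEthernet0/2
+switchport mode access
+spanning-tree portfast
+!
+interface GigabitEthernet0/3
+switchport mode access
+spanning-tree portfast
+!
+interface GigabitEthernet0/4
+switchport mode access
+spanning-tree portfast
+!
+end
+
+
+Konfigurujemy "IP Source Guard" dla komputera podłączonego na porcie g0/2:
+SW1(config)#interface GigabitEthernet 0/2
+SW1(config-if)#ip verify source
+
+SW1#show ip verify source
+Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
+--------- ----------- ----------- --------------- ----------------- ---- ---
+Gi0/2 ip active 192.168.1.1 1 disabled
+
+
+SW1 zezwala teraz tylko na źródłowy adres IP 192.168.1.1 (bo taki PC dostanie pierwszy z brzegu) na interfejsie GigabitEthernet 0/2. Pole adresu MAC jest puste, także w tej chwili przełącznik sprawdza tylko źródłowy adres IP. Można jednak również sprawdzać źródłowy adres MAC.
+Do tego celu trzeba wykorzystać jeszcze mechanizm port-security:
+SW1(config)#interface GigabitEthernet 0/2
+SW1(config-if)#switchport port-security
+SW1(config-if)#ip verify source port-security
+
+SW1#show ip verify source
+Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
+--------- ----------- ----------- --------------- ----------------- ---- ---
+Gi0/2 ip-mac active 192.168.1.1 00:11:22:44:33:AA 1 disabled
+
+
+Załóżmy, że skonfigurujemy na porcie G0/3 kolejny PC, który będzie mieć statycznie przypisane dane adresowe:
+SW1(config)#interface GigabitEthernet 0/3
+SW1(config-if)#switchport port-security
+SW1(config-if)#ip verify source port-security
+
+SW1#show ip verify source
+Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
+--------- ----------- ----------- --------------- ----------------- ---- ---
+Gi0/2 ip-mac active 192.168.1.1 00:11:22:44:33:AA 1 disabled
+Gi0/3 ip-mac active deny-all deny-all 1
+
+Jeżeli teraz z tego powyższego komputera spróbujemy wykonać jakąkolwiek transmisję (choćby ping), to nie pwoiedzie się, będzie blokowane.
+
+
+
+Możemy również przypisać statycznie adres mac oraz adres IP do zadanego portu, np. dla portu G0/4:
+SW1(config)#interface GigabitEthernet 0/4
+SW1(config-if)#switchport port-security
+SW1(config-if)#ip verify source port-security
+SW1(config)#ip source binding 0011.aabb.0088 vlan 1 192.168.1.200 interface GigabitEthernet 0/4
+
+
+SW1#show ip verify source
+Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
+--------- ----------- ----------- --------------- ----------------- ---- ---
+Gi0/2 ip-mac active 192.168.1.1 00:11:22:44:33:AA 1 disabled
+Gi0/3 ip-mac active deny-all deny-all 1
+Gi0/4 ip-mac active 192.168.1.200 00:16:C7:BE:0E:C8 1 disabled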
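Review bot: The final `show ip verify source` output lists Gi0/4 with MAC `00:16:C7:BE:0E:C8`, but the static entry configured a few lines earlier is `ip source binding 0011.aabb.0088 vlan 1 192.168.1.200 interface GigabitEthernet 0/4`; with a static binding the filter is built from the bound MAC, so either the binding or the captured output comes from a different run and the two should be made to agree. Cisco's Catalyst documentation also states that IP source guard with `ip verify source port-security` (ip-mac filtering) needs DHCP snooping option 82 enabled, because without it the switch cannot map the DHCP server reply to the client port, while this listing turns it off with `no ip dhcp snooping information option`, presumably because R1's IOS DHCP server drops option-82 packets arriving with a zero giaddr; the usual fix is to keep the option on SW1 and add `ip dhcp relay information trust-all` on R1 instead. A short sentence in the text explaining that choice would save the next reader a debugging session.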