[KEDUIT] 클라우드 컴퓨팅과 보안솔루션을 활용한 DC 엔지니어 양성교육 - Day28
1. 서론
오늘은 RIP와 Static Routing이 있는 맵에서 ACL를 활용하는 법을 배워보았다.
2. 본론
1. Cisco IOS
1. ACL
1. Mapping
//R1-4
# conf t
# no ip domain lookup
# line c 0
# logging sync
# exec-t 0
# exit
!
# int s1/0
# no sh
# clock rate 64000
# encap fram
# no fram inverse
//R1
# int s1/0
# ip 16.16.12.1 255.255.255.0
# fram map ip 16.16.12.2 102 br
# exit
!
# int lo0
# ip add 16.16.1.1 255.255.255.0
//R2
# int lo0
# ip add 16.16.2.2 255.255.255.0
# exit
!
# int s1/0.12 m
# ip add 16.16.12.2 255.255.255.0
# fram map ip 16.16.12.1 201 br
# exit
!
# int s1/0.23 m
# ip add 16.16.23.2 255.255.255.0
# fram map ip 16.16.23.3 203 br
//R3
# int lo0
# ip add 16.16.3.3 255.255.255.0
# exit
!
# int s1/0.23 m
# ip add 16.16.23.3 255.255.255.0
# fram map ip 16.16.23.2 302 br
# exit
!
# int s1/0.34 p
# ip add 16.16.34.3 255.255.255.0
# fram inter 304
//R4
# int lo0
# ip add 16.16.4.4 255.255.255.0
# exit
!
# int s1/0.34 p
# ip add 16.16.34.4 255.255.255.0
# fram inter 403
//Next hop ping
//R1
# p 16.16.12.2
//R2
# p 16.16.23.3
//R3
# p 16.16.34.4
2. RIP
//R1-2
# router rip
# ver 2
# network 16.0.0.0
# no auto
# pass lo0
//R1
# p 16.16.1.1 //verify
3. Static
//R2
# ip route 16.16.3.0 255.255.255.0 s1/0.23 16.16.23.3
# ip route 16.16.4.0 255.255.255.0 s1/0.23 16.16.23.3
# ip route 16.16.34.0 255.255.255.0 s1/0.23 16.16.23.3
//R3
# ip route 0.0.0.0 0.0.0.0 s1/0.23 16.16.23.2
# ip route 16.16.4.0 255.255.255.0 s1/0.34 16.16.34.4
//R4
# ip route 0.0.0.0 0.0.0.0 s1/0.34 16.16.34.3
//R2
# p 16.16.4.4 //verify
4. RIP(redistribute, passive, split-horizon)
//R2
# conf t
# ip prefix-list HOP2 permit 16.16.3.0/24 //이름에 숫자가 앞에오면 안됨
# ip prefix-list HOP2 permit 16.16.34.0/24
# ip prefix-list HOP3 permit 16.16.4.0/24
# route-map STATIC_NET 10
!
# match ip address prefix HOP2
# set metric 2
# exit
!
# route-map STATIC_NET 20
# match ip address prefix HOP3
# set metric 3
# exit
!
# do show route-map //verify
# router rip
!
# redistribute static route-map STATIC_NET
//R1
# show ip route //verify
# p 16.16.4.4 source lo0 //verify
# int s1/0
!
# ip split-horizon
//R1-2
# router rip
# passive lo0
5. ACL
//Named Access list
//문제상 16.16.4.0/24 permit 하도록 설정
//R1
# ip access-list standard TELNET
# permit 16.16.4.0 0.0.0.255
# line vty 0 4
!
# password WHATEVER
# access-class TELNET in
//Numbered Access list
//문제상 16.16.4.4 deny 하도록 설정
//R1
# conf t
# access-list 10 deny 16.16.4.4 0.0.0.0 //host 16.16.4.4로 대체 가능
# access-list 10 permit any
# line vty 0 4
!
# password WHATEVER
# access-class 10 in
//R3
# telnet 16.16.12.1 //verify
//R4
# conf t
# ip telnet source-interface lo0
# end
!
# telnet 16.16.12.1 //verify
//VMnet4에서 R1으로 Telnet 가능하게 설정하기
//R3
# int f0/0
# no sh
# ip add 16.16.33.3 255.255.255.0
//R4
# int f0/0
# no sh
# ip add 16.16.44.4 255.255.255.0
//R2
# show ip prefix-list
# conf t
!
# ip prefix-list HOP2 permit 16.16.33.0/24
# ip prefix-list HOP3 permit 16.16.44.0/24
# ip route 16.16.33.0 255.255.255.0 s1/0.23 16.16.23.3
# ip route 16.16.44.0 255.255.255.0 s1/0.23 16.16.23.3
//VMnet1
ip : 16.16.11.100/24
gateway : 16.16.11.1
DNS : 16.16.11.100
DNS(Sub) : 168.126.63.1
//VMnet3
ip : 16.16.33.33/24
gateway : 16.16.33.3
DNS : 16.16.11.100
DNS(Sub) : 168.126.63.1
//VMnet4
ip : 16.16.44.44/24
gateway : 16.16.44.4
DNS : 16.16.11.100
DNS(Sub) : 168.126.63.1
//R1
# access-list 10 permit 16.16.44.0 0.0.0.255
//R3
# ip route 16.16.44.0 255.255.255.0 s1/0.34 16.16.34.4
//문제상 일정 시간에만 접속 가능하도록 만들기
# ip access-list extended TIME_LIMIT
# 5 permit tcp 16.16.44.0 0.0.0.255 host 16.16.11.100 eq 80 time-range WORK_ONLY //seq permit protocol [source source-wildcard] {any | host {address | name} {destination [destination-wildcard] {any | host {address | name} [log]
# time-range WORK_ONLY
# periodic weekdays 09:00 to 18:00
# do sh access-list //verify. 위에 설정한 시간대가 아니면 inactive 상태인것을 확인 가능
3. 결론
하루만 더있으면 주말이다.
4. 참고자료
Ⅰ. 문웅호, 정보통신망
클라우드 엔지니어를 꿈꾸며 공부를 시작한 초보 엔지니어입니다. 틀린점 또는 조언해주실 부분이 있으시면 친절하게 댓글 부탁드립니다. 방문해 주셔서 감사합니다 :)
댓글남기기