I am writing this note only to record a problem I ran into, so that it can be looked up if the same kind of problem comes up again.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I. Requirements
The company asked for a SIT (system integration test) environment for the development department:
1. It can reach the Internet
2. Access to business systems is opened on demand
3. Apart from the above, access to everything else is denied by default
4. All other business segments can reach this segment
II. Current environment
The devices and IPs in this article were built in the H3C simulator HCL v2.1.1 to mirror the real environment.
Two MSR36-20 routers simulate server1 (a host in another business segment) and server2 (a host in the SIT segment); an S5820V2-54QS simulates the core switch core-sw.
Note:
The configuration has been tested successfully on a real device. In the simulator the commands are accepted but do not take effect, so testing on real hardware is recommended.
Real device: H3C S5500-58C-HI, Comware Software, Version 5.20, Release 5206
III. Basic information for the test-environment switch:
[core-sw]dis version
H3C Comware Software, Version 7.1.075, Alpha 7571
Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.
H3C S5820V2-54QS-GE uptime is 0 weeks, 0 days, 0 hours, 24 minutes
Last reboot reason: User reboot
Boot image: flash:/s5820v2_5830v2-cmw710-boot-a7514.bin
Boot image version: 7.1.075, Alpha 7571
Compiled Sep 20 2017 16:00:00
Boot image: flash:/s5820v2_5830v2-cmw710-system-a7514.bin
Boot image version: 7.1.075, Alpha 7571
Compiled Sep 20 2017 16:00:00
Existing configuration, including vlan 10 and its IP
VLAN configuration on core-sw
interface Vlan-interface10
description other
ip address 10.1.10.254 255.255.255.0
Interface configuration
interface GigabitEthernet1/0/1
port link-mode bridge
port access vlan 10
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode bridge
combo enable fiber
IV. Design
Based on the H3C switch's product features, the requirements above are implemented with ACLs and QoS.
Tip: the biggest difference between H3C and Cisco ACLs is that once H3C matches the source and destination in an ACL, control applies in both directions, whereas on Cisco it is one-way.
1. Confirm that the IPs in the different segments can reach each other
2. On top of that, add the policy
Policy content:
- 10.1.20.1 may not access anything
- hosts in the 10.1.10.0 and 10.1.30.0 segments may access ===> 10.1.20.1
3. Follow-up requirement
10.1.20.1 may access ===> host 10.1.30.1, nothing else
4. Apply the policy
Apply the policy in the inbound direction of vlan 20
V. Topology
MSR36-20_2 (server1) is in the other business segment "other", IP 10.1.10.1/24
[server1] interface information
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 10.1.10.1 255.255.255.0
[server1] default route
ip route-static 0.0.0.0 0 10.1.10.254
Enable the telnet service, i.e. open port 23, for later verification
[server1]telnet server enable
MSR36-20_3 (server2) is in the new SIT segment, IP 10.1.20.1/24
server2 interface information
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 10.1.20.1 255.255.255.0
server2 routing information
ip route-static 0.0.0.0 0 10.1.20.254
Open port 23 for later verification
[server2]telnet server enable
VI. Switch configuration
Steps
1. Create a new segment on the switch for SIT, e.g. vlan 20 with IP 10.1.20.254 and a 24-bit mask. The real switch also carries other segments; in this environment they are simulated with a loopback interface.
[core-sw]vlan 20
[core-sw-vlan20]quit
[core-sw]
[core-sw]int vlan 20
[core-sw-Vlan-interface20]description SIT
[core-sw-Vlan-interface20]ip add 10.1.20.254 255.255.255.0
[core-sw-Vlan-interface20]quit
To make later testing easier, add a loopback interface to simulate another segment
[core-sw]int LoopBack 0
[core-sw-LoopBack0]ip add 10.1.30.1 24
Open port 23
telnet server enable
2. Move G1/0/2, the switch port connected to server2, into vlan 20
[core-sw]int g1/0/2
[core-sw-GigabitEthernet1/0/2]port access vlan 20
[core-sw-GigabitEthernet1/0/2]quit
3. Confirm that server1, server2 and the loopback0 simulated on the switch can reach each other
<server1>telnet 10.1.20.1
Trying 10.1.20.1 ...
Press CTRL+K to abort
Connected to 10.1.20.1 ...
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Login failed.
The connection was closed by the remote host!
<server1>ping 10.1.20.1
Ping 10.1.20.1 (10.1.20.1): 56 data bytes, press CTRL_C to break
56 bytes from 10.1.20.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 10.1.20.1: icmp_seq=1 ttl=254 time=1.000 ms
<server1>telnet 10.1.30.1
Trying 10.1.30.1 ...
Press CTRL+K to abort
Connected to 10.1.30.1 ...
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Login failed.
The connection was closed by the remote host!
<server1>
<server1>ping 10.1.30.1
Ping 10.1.30.1 (10.1.30.1): 56 data bytes, press CTRL_C to break
56 bytes from 10.1.30.1: icmp_seq=0 ttl=255 time=0.000 ms
56 bytes from 10.1.30.1: icmp_seq=1 ttl=255 time=0.000 ms
<server2>telnet 10.1.10.1
Trying 10.1.10.1 ...
Press CTRL+K to abort
Connected to 10.1.10.1 ...
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Login failed.
The connection was closed by the remote host!
<server2>ping 10.1.10.1
Ping 10.1.10.1 (10.1.10.1): 56 data bytes, press CTRL_C to break
56 bytes from 10.1.10.1: icmp_seq=0 ttl=254 time=1.000 ms
56 bytes from 10.1.10.1: icmp_seq=1 ttl=254 time=1.000 ms
<server2>ping 10.1.30.1
Ping 10.1.30.1 (10.1.30.1): 56 data bytes, press CTRL_C to break
56 bytes from 10.1.30.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.1.30.1: icmp_seq=1 ttl=255 time=1.000 ms
<server2>telnet 10.1.30.1
Trying 10.1.30.1 ...
Press CTRL+K to abort
Connected to 10.1.30.1 ...
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
Login failed.
The connection was closed by the remote host!
Connectivity is confirmed; "Login failed" only appears because no username and password are configured, and can be ignored here.
Tip: in a real environment the server may run Windows, Linux or a switch OS; use the test commands appropriate to each system.
4. Configure the ACLs that match the packets
[core-sw]acl adv 3001
[core-sw-acl-ipv4-adv-3001]des 3001permit
[core-sw-acl-ipv4-adv-3001]rule 100 permit tcp ack 1 destination 10.1.10.0 0.0.0.255
[core-sw-acl-ipv4-adv-3001]rule 101 permit tcp ack 1 destination 10.1.30.0 0.0.0.255
[core-sw]acl adv 3002
[core-sw-acl-ipv4-adv-3002]description 3002deny
[core-sw-acl-ipv4-adv-3002]rule 100 permit tcp syn 1 destination 10.1.10.0 0.0.0.255
[core-sw-acl-ipv4-adv-3002]rule 101 permit tcp syn 1 destination 10.1.30.0 0.0.0.255
5. Configure traffic classifiers for the matched packets
[core-sw]traffic classifier SIT-Permit operator and
[core-sw-classifier-SIT-Permit]if-match acl 3001
[core-sw-classifier-SIT-Permit]quit
[core-sw]traffic classifier SIT-Deny operator and
[core-sw-classifier-SIT-Deny]if-match acl 3002
[core-sw-classifier-SIT-Deny]quit
6. Configure the traffic behaviors
[core-sw]traffic behavior SIT-Permit
[core-sw-behavior-SIT-Permit]filter permit
[core-sw-behavior-SIT-Permit]quit
[core-sw]traffic behavior SIT-Deny
[core-sw-behavior-SIT-Deny]filter deny
[core-sw-behavior-SIT-Deny]quit
7. Configure the QoS policy
[core-sw]qos policy SIT-Control
[core-sw-qospolicy-SIT-Control]classifier SIT-Permit behavior SIT-Permit
[core-sw-qospolicy-SIT-Control]classifier SIT-Deny behavior SIT-Deny
[core-sw-qospolicy-SIT-Control]quit
8. Apply it in the inbound direction of the interface or VLAN
[core-sw]qos vlan-policy SIT-Control vlan 20 inbound
9. Follow-up requirement
10.1.20.1 may access ===> the host 10.1.30.1
[core-sw]acl adv 3001
[core-sw-acl-ipv4-adv-3001]des 3001permit
[core-sw-acl-ipv4-adv-3001]rule 90 deny ip destination 10.1.30.1 0
[core-sw]dis acl 3001
Advanced IPv4 ACL 3001, 3 rules,
3001permit
ACL's step is 5
rule 90 deny ip destination 10.1.30.1 0
rule 100 permit tcp destination 10.1.10.0 0.0.0.255 ack 1
rule 101 permit tcp destination 10.1.30.0 0.0.0.255 ack 1
Deny the host that is to be accessed
Note: in qos policy SIT-Control, permit comes before deny
VII. Test results
1. Basic requirement test
From server2, access port 23 on server1 (telnet 10.1.10.1 23): the access fails
From server1, access port 23 on server2 (telnet 10.1.20.1 23): the access succeeds
2. Follow-up requirement test
From server2, access port 23 on the loopback interface (telnet 10.1.30.1 23): the access succeeds
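The same checks as a script, added here as an example and not part of the original post. `probe` does what `telnet host 23` does (a TCP connect) but also tells a silently dropped SYN (timeout, reported as "filtered") apart from a host that answers with RST ("refused"), which is the difference between the policy working and the port merely being closed. The expected matrix is the one from this section; `probe`, `check_matrix` and `local_listener` are names chosen for this example, and the loopback listener exists only so the checker can be tried outside the lab.

```python
import socket
import sys
from typing import List, Tuple

Case = Tuple[str, str, int, str]   # label, host, port, expected state


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a TCP connect, which is what `telnet host port` does.

    Returns "open"     - handshake completed (a SYN-ACK came back),
            "refused"  - the host answered the SYN with RST (reachable, port closed),
            "filtered" - no answer within the timeout or no route, which is what a
                         SYN silently dropped by `filter deny` looks like.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:             # socket.timeout, EHOSTUNREACH, ENETUNREACH, ...
        return "filtered"


def check_matrix(cases: List[Case], timeout: float = 2.0) -> List[Tuple[str, str, str]]:
    """Run every probe and return (label, expected, got) for those that disagree."""
    mismatches = []
    for label, host, port, expected in cases:
        got = probe(host, port, timeout)
        if got != expected:
            mismatches.append((label, expected, got))
    return mismatches


# Expected outcomes from section VII, grouped by where the script is run.
# A blocked SYN is dropped, so from the SIT host the blocked case should read
# "filtered"; "refused" there would mean the policy is not in effect.
FROM_SERVER2: List[Case] = [("server2 -> server1:23", "10.1.10.1", 23, "filtered"),
                            ("server2 -> loopback0:23", "10.1.30.1", 23, "open")]
FROM_SERVER1: List[Case] = [("server1 -> server2:23", "10.1.20.1", 23, "open")]


def local_listener() -> Tuple[socket.socket, int]:
    """A loopback listener so the checker can be exercised without the lab
    (the kernel completes the handshake from the backlog; no accept() needed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    cases = FROM_SERVER1 if "--from-server1" in sys.argv else FROM_SERVER2
    bad = check_matrix(cases)
    print("policy behaves as expected" if not bad else f"mismatches: {bad}")
```

Run it on server2 without arguments and on server1 with `--from-server1`; an empty mismatch list means every direction behaves as the section describes.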
VIII. Conclusion
If the ACL matches only source and destination IP, traffic is blocked in both directions; to get one-way access, match on the TCP flag bits in the ACL instead.
Background:
At the TCP layer, data is transferred after a connection has been established with a three-way handshake.
TCP has six flag bits: SYN (synchronize), ACK (acknowledgement), PSH (push), FIN (finish), RST (reset), URG (urgent).
Note: the seq and ack numbers are left out here to keep the explanation simple.
First handshake: the client sends a SYN packet to the peer, with the SYN bit set to 1
Second handshake: the server replies to the client with a SYN packet, with the SYN and ACK bits set to 1
Third handshake: the client replies with an ACK packet, with the ACK bit set to 1, and the TCP connection is established
Back to our case: by the same logic, the policy allows 10.1.10.1 and 10.1.30.1 to access 10.1.20.1.
When 10.1.10.1 and 10.1.30.1 access 10.1.20.1:
- the SYN packet is sent first; it matches no policy and passes normally
When 10.1.20.1 replies to 10.1.10.1 and 10.1.30.1:
- it sends an ACK packet, which matches the permit policy, so the TCP connection in the direction 10.1.10.1/10.1.30.1 -> 10.1.20.1 is established
When 10.1.20.1 accesses 10.1.10.1 and 10.1.30.1:
- it sends a SYN packet, which matches the deny policy, so the TCP connection fails.
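To make the handshake walk-through above, and the ACL/QoS configuration in section VI, concrete, here is an added Python model of the SIT-Control policy. It is example code written for this note, not anything from the page's switch configuration or from H3C: it re-implements ACL 3001, ACL 3002 and the permit/deny classifier order as plain data, runs the three handshake packets through them, and applies the policy only to packets that enter the switch from the SIT host (inbound on VLAN 20). It assumes that an ACL is evaluated in rule-number order, that the first classifier whose ACL hits decides, and that unclassified packets pass unchanged; rule 90 from step 9 is deliberately not modelled, since the page does not explain how a deny rule inside a classifier ACL is treated. `Packet`, `Rule`, `sit_control` and `handshake_completes` are names chosen here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the fields the page's ACL rules look at (constructed sample data)."""
    src: str
    dst: str
    proto: str          # "tcp", "icmp", ...
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """One advanced-ACL rule: `rule <n> permit tcp [syn 1] [ack 1] destination <net>`."""
    number: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", or "ip" for any protocol
    dst_net: str                # e.g. "10.1.10.0/24"
    syn: Optional[bool] = None  # None = flag not specified in the rule
    ack: Optional[bool] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and pkt.proto != self.proto:
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.syn is not None and pkt.syn != self.syn:
            return False
        if self.ack is not None and pkt.ack != self.ack:
            return False
        return True


def acl_action(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Action of the first rule hit, in ascending rule-number order; None if none hits."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action
    return None


# acl adv 3001: replies leaving SIT (ack 1) towards the other segments
ACL_3001 = [Rule(100, "permit", "tcp", "10.1.10.0/24", ack=True),
            Rule(101, "permit", "tcp", "10.1.30.0/24", ack=True)]
# acl adv 3002: connection attempts leaving SIT (syn 1) towards the other segments
ACL_3002 = [Rule(100, "permit", "tcp", "10.1.10.0/24", syn=True),
            Rule(101, "permit", "tcp", "10.1.30.0/24", syn=True)]

# qos policy SIT-Control: classifier/behavior pairs in the order the page configures them
POLICY: List[Tuple[List[Rule], str]] = [(ACL_3001, "permit"),   # SIT-Permit -> filter permit
                                        (ACL_3002, "deny")]     # SIT-Deny   -> filter deny
# The same pairs the other way round, to show why the page says "permit before deny"
POLICY_DENY_FIRST = list(reversed(POLICY))


def sit_control(pkt: Packet, policy=POLICY) -> str:
    """The first classifier whose ACL the packet hits decides. Modelling assumption:
    a policy that only carries filter actions forwards unclassified packets unchanged."""
    for acl, behavior in policy:
        if acl_action(acl, pkt) == "permit":
            return behavior
    return "pass"


def handshake_completes(client: str, server: str, policy=POLICY,
                        sit_host: str = "10.1.20.1") -> bool:
    """Walk the three-way handshake. Only packets sent by the SIT host enter the
    switch inbound on VLAN 20, so only those are run through SIT-Control."""
    steps = [Packet(client, server, "tcp", syn=True),             # 1: SYN
             Packet(server, client, "tcp", syn=True, ack=True),   # 2: SYN-ACK
             Packet(client, server, "tcp", ack=True)]             # 3: ACK
    for pkt in steps:
        if pkt.src == sit_host and sit_control(pkt, policy) == "deny":
            return False
    return True


if __name__ == "__main__":
    for client, server in [("10.1.10.1", "10.1.20.1"), ("10.1.30.1", "10.1.20.1"),
                           ("10.1.20.1", "10.1.10.1"), ("10.1.20.1", "10.1.30.1")]:
        print(f"{client} -> {server}: "
              f"{'connects' if handshake_completes(client, server) else 'blocked'}")
    # ICMP is never classified: the policy as configured only touches TCP
    print("ping from SIT:", sit_control(Packet("10.1.20.1", "10.1.10.1", "icmp")))
```

Running it prints one line per direction. Two things the model makes visible: a SYN-ACK carries both syn=1 and ack=1, so with the deny classifier first the reply from 10.1.20.1 would be dropped and even the allowed inbound direction would fail (the `POLICY_DENY_FIRST` case), which is why the page orders permit before deny; and the policy as configured names only two destination networks and only TCP, so traffic from SIT to any other segment, and ICMP, is not classified at all and passes, which is worth keeping in mind against requirement 3.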