IP Security – HUAWEI GURU

Genel yapılandırma ayarları.

[Huawei]sysname CLIGURU-R1

[Huawei]sysname CLIGURU-R2

[Huawei]sysname CLIGURU-R3

[Huawei]sysname CLIGURU-S1

[CLIGURU-S1]vlan 4

[CLIGURU-S1-vlan4]quit

[CLIGURU-S1]interface vlanif 4

[CLIGURU-S1-Vlanif4]ip address 10.0.4.254 24

[Huawei]sysname CLIGURU-S2

[CLIGURU-S2]vlan 6

[CLIGURU-S2-vlan6]quit

[CLIGURU-S2]interface vlanif 6

[CLIGURU-S2-Vlanif6]ip address 10.0.6.254 24

İp address yapılandırması .

Şekilde gösterildiği gibi 10.0.13.0/24 , 10.0.4.0/24 ve 10.0.6.0/24 network aralıklarında ip adressler verelim.

[CLIGURU-R1]interface GigabitEthernet 0/0/0

[CLIGURU-R1-GigabitEthernet0/0/0]ip address 10.0.13.1 24

[CLIGURU-R2]interface GigabitEthernet 0/0/0

[CLIGURU-R2-GigabitEthernet0/0/0]ip address 10.0.13.2 24

[CLIGURU-R2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1

[CLIGURU-R2-GigabitEthernet0/0/1]ip address 10.0.4.2 24

[CLIGURU-R2-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2

[CLIGURU-R2-GigabitEthernet0/0/2]ip address 10.0.6.2 24

[CLIGURU-R3]interface GigabitEthernet 0/0/0

[CLIGURU-R3-GigabitEthernet0/0/0]ip address 10.0.13.3 24

CLIGURU-S1 ve CLIGURU-S2 için Vlan trunk hattı oluşturmamız gerekir.

[CLIGURU-S1]interface GigabitEthernet 0/0/2

[CLIGURU-S1-GigabitEthernet0/0/2]port link-type trunk

[CLIGURU-S1-GigabitEthernet0/0/2]port trunk allow-pass vlan all

[CLIGURU-S1-GigabitEthernet0/0/2]port trunk pvid vlan 4

[CLIGURU-S1-GigabitEthernet0/0/2]quit

[CLIGURU-S2]interface GigabitEthernet 0/0/2

[CLIGURU-S2-GigabitEthernet0/0/2]port link-type trunk

[CLIGURU-S2-GigabitEthernet0/0/2]port trunk allow-pass vlan all

[CLIGURU-S2-GigabitEthernet0/0/2]port trunk pvid vlan 6

[CLIGURU-S2-GigabitEthernet0/0/2]quit

Network iletişimini etkinleştirmek için OSPF konfigürasyonunu yapılandıralım.

CLIGURU-R1,CLIGURU-R2 ve CLIGURU-R3 için OSPF’i kuralım.Cihazlara bağlı olan tüm networkleri anons edelim.

[CLIGURU-R1]ospf

[CLIGURU-R1-ospf-1]area 0

[CLIGURU-R1-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255

[CLIGURU-R2]ospf

[CLIGURU-R2-ospf-1]area 0

[CLIGURU-R2-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255

[CLIGURU-R2-ospf-1-area-0.0.0.0]network 10.0.4.0 0.0.0.255

[CLIGURU-R2-ospf-1-area-0.0.0.0]network 10.0.6.0 0.0.0.255

[CLIGURU-R3]ospf

[CLIGURU-R3-ospf-1]area 0

[CLIGURU-R3-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255

CLIGURU-S1 ve CLIGURU-S2, statik route yazalım ve private network gateway olarak bir sonraki nexthopu yazalım.

[CLIGURU-S1]ip route-static 0.0.0.0 0.0.0.0 10.0.4.2

[CLIGURU-S2]ip route-static 0.0.0.0 0.0.0.0 10.0.6.2

Vlan haberleşmeleri kontrol edelim.

<CLIGURU-R1>ping 10.0.4.254

PING 10.0.4.254: 56 data bytes, press CTRL_C to break

Reply from 10.0.4.254: bytes=56 Sequence=1 ttl=254 time=670 ms

Reply from 10.0.4.254: bytes=56 Sequence=2 ttl=254 time=100 ms

Reply from 10.0.4.254: bytes=56 Sequence=3 ttl=254 time=80 ms

Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=254 time=100 ms

Reply from 10.0.4.254: bytes=56 Sequence=5 ttl=254 time=90 ms

— 10.0.4.254 ping statistics —

5 packet(s) transmitted

5 packet(s) received

0.00% packet loss

round-trip min/avg/max = 80/208/670 ms

<CLIGURU-R1>ping 10.0.6.254

PING 10.0.6.254: 56 data bytes, press CTRL_C to break

Reply from 10.0.6.254: bytes=56 Sequence=1 ttl=254 time=110 ms

Reply from 10.0.6.254: bytes=56 Sequence=2 ttl=254 time=80 ms

Reply from 10.0.6.254: bytes=56 Sequence=3 ttl=254 time=80 ms

Reply from 10.0.6.254: bytes=56 Sequence=4 ttl=254 time=110 ms

Reply from 10.0.6.254: bytes=56 Sequence=5 ttl=254 time=100 ms

— 10.0.6.254 ping statistics —

5 packet(s) transmitted

5 packet(s) received

0.00% packet loss

round-trip min/avg/max = 80/96/110 ms

<CLIGURU-R3>ping 10.0.4.254

PING 10.0.4.254: 56 data bytes, press CTRL_C to break

Reply from 10.0.4.254: bytes=56 Sequence=1 ttl=254 time=100 ms

Reply from 10.0.4.254: bytes=56 Sequence=2 ttl=254 time=80 ms

Reply from 10.0.4.254: bytes=56 Sequence=3 ttl=254 time=100 ms

Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=254 time=80 ms

Reply from 10.0.4.254: bytes=56 Sequence=5 ttl=254 time=100 ms

— 10.0.4.254 ping statistics —

5 packet(s) transmitted

5 packet(s) received

0.00% packet loss

round-trip min/avg/max = 80/92/100 ms

<CLIGURU-R3>ping 10.0.6.254

PING 10.0.6.254: 56 data bytes, press CTRL_C to break

Reply from 10.0.6.254: bytes=56 Sequence=1 ttl=254 time=70 ms

Reply from 10.0.6.254: bytes=56 Sequence=2 ttl=254 time=130 ms

Reply from 10.0.6.254: bytes=56 Sequence=3 ttl=254 time=90 ms

Reply from 10.0.6.254: bytes=56 Sequence=4 ttl=254 time=90 ms

Reply from 10.0.6.254: bytes=56 Sequence=5 ttl=254 time=100 ms

— 10.0.6.254 ping statistics —

5 packet(s) transmitted

5 packet(s) received

0.00% packet loss

round-trip min/avg/max = 70/96/130 ms

Access Control Lists kullanarak filtering yapılandırmak.

CLIGURU-S1’i telnet server olarak yapılandıralım.

[CLIGURU-S1]user-interface vty 0 4

[CLIGURU-S1-ui-vty0-4]authentication-mode password

[CLIGURU-S1-ui-vty0-4]set authentication password cipher huawei

CLIGURU-S2’yi FTP server olarak yapılandıralım

[CLIGURU-S2]ftp server enable

Info: Succeeded in starting the FTP server.

[CLIGURU-S2]aaa

[CLIGURU-S2-aaa]local-user huawei password cipher huawei

Info: Add a new user.

[CLIGURU-S2-aaa]local-user huawei service-type ftp

[CLIGURU-S2-aaa]local-user huawei ftp-directory flash:

CLIGURU-R1 telnet server’ınden , CLIGURU-R3 FTP sunucusuna ulaşabilmek için CLIGURU-R2 üzerinde bir access kontrol listesi oluşturalım.

[CLIGURU-R2]acl 3000

[CLIGURU-R2-acl-adv-3000]rule 5 permit tcp source 10.0.13.1 0.0.0.0 destination 10.0.4.254 0.0.0.0 destination-port eq 23

[CLIGURU-R2-acl-adv-3000]rule 10 permit tcp source 10.0.13.3 0.0.0.0 destination 10.0.6.254 0.0.0.0 destination-port range 20 21

[CLIGURU-R2-acl-adv-3000]rule 15 deny ip source any

[CLIGURU-R2-acl-adv-3000]quit

CLIGURU-R2 Gigabit Ethernet 0/0/0 interface için ACL uygulayalım.

[CLIGURU-R2]interface GigabitEthernet 0/0/0

[CLIGURU-R2-GigabitEthernet 0/0/0]traffic-filter inbound acl 3000

Ağdaki access control lists doğrulugunu kontrol edelim.

<CLIGURU-R1>telnet 10.0.4.254

Press CTRL+K to quit telnet mode

Trying 10.0.4.254 …

Connected to 10.0.4.254 …

Login authentication

Password:

Info: The max number of VTY users is 5, and the number

of current VTY users on line is 1.

<CLIGURU-S1>

NOT:Telnet oturumundan çıkmak için quit komutunu kullanın.

<CLIGURU-R1>ftp 10.0.6.254

Trying 10.0.6.254 …

Press CTRL+K to abort

Error:Failed to connect to the remote host.

FTP bağlantısı yanıt vermek için bi süre bekleyebilir(60 seconds)

<CLIGURU-R3>telnet 10.0.4.254

Press CTRL+K to quit telnet mode

Trying 10.0.4.254 …

Error:Can’t connect to the remote host.

<CLIGURU-R3>ftp 10.0.6.254

Trying 10.0.6.254 …

Press CTRL+K to abort

Connected to 10.0.6.254.

220 FTP service ready.

User(10.0.6.254:(none)):huawei

331 Password required for huawei.

Enter password:

530 Logged incorrect.

[CLIGURU-R3-ftp]

Not ;Bye komutu FTP bağlantısı kapatmak için kullanılır

Sonuç ..

<CLIGURU-R1>display current-configuration

#

sysname CLIGURU-R1

#

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#

local-user admin service-type http

#

interface GigabitEthernet0/0/0

ip address 10.0.13.1 255.255.255.0

#

ospf 1

area 0.0.0.0

network 10.0.13.0 0.0.0.255

#

user-interface con 0

user-interface vty 0 4

user-interface vty 16 20

#

Return

<CLIGURU-R2>display current-configuration

#

sysname CLIGURU-R2

#

acl number 3000

rule 5 permit tcp source 10.0.13.1 0 destination 10.0.4.254 0 destination-port e

q telnet

rule 10 permit tcp source 10.0.13.3 0 destination 10.0.6.254 0 destination-port

range ftp-data ftp

rule 15 deny ip

#

interface GigabitEthernet0/0/0

ip address 10.0.13.2 255.255.255.0

#

interface GigabitEthernet0/0/1

ip address 10.0.4.2 255.255.255.0

#

interface GigabitEthernet0/0/2

ip address 10.0.6.2 255.255.255.0

#

ospf 1

area 0.0.0.0

network 10.0.13.0 0.0.0.255

network 10.0.4.0 0.0.0.255

network 10.0.6.0 0.0.0.255

#

user-interface con 0

user-interface vty 0 4

user-interface vty 16 20

#

Return

<CLIGURU-R3>display current-configuration

#

sysname CLIGURU-R3

#

interface GigabitEthernet0/0/0

ip address 10.0.13.3 255.255.255.0

#

ospf 1

area 0.0.0.0

network 10.0.13.0 0.0.0.255

#

user-interface con 0

user-interface vty 0 4

user-interface vty 16 20

#

Return

<CLIGURU-S1>display current-configuration

#

sysname CLIGURU-S1

#

vlan batch 4

#

interface Vlanif4

ip address 10.0.4.254 255.255.255.0

#

interface GigabitEthernet0/0/2

port link-type trunk

port trunk pvid vlan 4

port trunk allow-pass vlan 2 to 4094

#

interface NULL0

#

ip route-static 0.0.0.0 0.0.0.0 10.0.4.2

#

user-interface con 0

user-interface vty 0 4

set authentication password cipher A@Pc;6w5b@uqcXT}k’OI%9n#

#

Return

<CLIGURU-S2>display current-configuration

#

sysname CLIGURU-S2

#

FTP server enable

#

vlan batch 6

#

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password simple admin

local-user admin service-type http

local-user huawei password cipher $K&%QCXM$NYNZPO3JBXBHA!!

local-user huawei ftp-directory flash:

local-user huawei service-type ftp

#

interface Vlanif6

ip address 10.0.6.254 255.255.255.0

#

interface GigabitEthernet0/0/2

port link-type trunk

port trunk pvid vlan 6

port trunk allow-pass vlan 2 to 4094

#

interface NULL0

#

ip route-static 0.0.0.0 0.0.0.0 10.0.6.2

#

user-interface con 0

user-interface vty 0 4

#

return