Aiming for the CCIE with Dynagen
Time-Based Access List
1. Purpose
- Confirm how a Time-Based ACL is used.
2. Setup
2.1. Configuration overview
- Routing is done with OSPF.
2.2. Topology diagram

2.3. net file
model = 3660

[localhost]
    [[3660]]
    image = C:\Program Files\Dynamips\images\c3660-ik9o3s-mz.124-6.T.bin
    ram = 128

    [[ROUTER R1]]
    f0/0 = R2 f0/0

    [[ROUTER R2]]
    f0/1 = R3 f0/1

    [[ROUTER R3]]
2.4. Initial configuration
- R1
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
ip cef
no ip domain lookup
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 passive-interface default
 no passive-interface FastEthernet0/0
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.12.1 0.0.0.0 area 0
!
ip http server
no ip http secure-server
!
no cdp run
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
- R2
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
ip cef
no ip domain lookup
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface FastEthernet0/1
 network 2.2.2.2 0.0.0.0 area 0
 network 192.168.12.2 0.0.0.0 area 0
 network 192.168.23.2 0.0.0.0 area 0
!
ip http server
no ip http secure-server
!
no cdp run
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
- R3
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
ip cef
no ip domain lookup
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.23.3 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 passive-interface default
 no passive-interface FastEthernet0/1
 network 3.3.3.3 0.0.0.0 area 0
 network 192.168.23.3 0.0.0.0 area 0
!
ip http server
no ip http secure-server
!
no cdp run
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
3. [Verification] Time-Based ACL
3.1. Preparation
Configure every router so that telnet and ssh connections are possible between all of them. An example configuration is shown below (the R2 and R3 configuration is omitted).
For the meaning of these settings, refer to Top page / Verification: Network / telnet and ssh management.
R1(config)#enable secret cisco
R1(config)#ip domain-name cisco.com
R1(config)#username cisco secret sanjose
R1(config)#
R1(config)#crypto key generate rsa
The name for the keys will be: R1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#
*Mar  1 00:23:05.843: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#transport input telnet ssh
R1(config-line)#login local
Confirm that telnet and ssh login succeed between every pair of routers.
R1#telnet 192.168.23.3
Trying 192.168.23.3 ... Open

User Access Verification

Username: cisco
Password:
R3>
R3>exit

[Connection to 192.168.23.3 closed by foreign host]
R1#
R1#ssh -l cisco 192.168.23.3
Password:
R3>
R3>exit

[Connection to 192.168.23.3 closed by foreign host]
R1#
3.2. Applying the configuration
Apply an ACL whose effect changes with the time of day. Configure it so that only ssh is permitted during business hours, and both telnet and ssh are permitted outside business hours.
R2(config)#time-range WORK_TIME
R2(config-time-range)#periodic weekdays 09:00 to 15:00
R2(config-time-range)#exit
R2(config)#
R2(config)#ip access-list extended EXT_IN
R2(config-ext-nacl)#permit tcp any any eq 22
R2(config-ext-nacl)#permit tcp any any eq telnet time-range WORK_TIME
R2(config-ext-nacl)#permit ospf any any
R2(config-ext-nacl)#exit
R2(config)#
R2(config)#interface FastEthernet 0/0
R2(config-if)#ip access-group EXT_IN in
3.3. Verifying behaviour during business hours
Confirm that, for access from R1 to R3, telnet fails while ssh succeeds.
R1#telnet 192.168.23.3
Trying 192.168.23.3 ...
% Destination unreachable; gateway or host down

R1#
R1#ssh -l cisco 192.168.23.3
Password:
R3>
3.4. Verifying behaviour outside business hours
To verify the behaviour outside business hours, change the clock on R2.
R2#clock set 10:00:00 1 Jan 1993
R2#
*Jan  1 10:00:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:14:41 UTC Fri Mar 1 2002 to 10:00:00 UTC Fri Jan 1 1993, configured from console by console.
R2#
Confirm that telnet access from R1 to R3 now succeeds.
R1#telnet 192.168.23.3
Trying 192.168.23.3 ... Open

User Access Verification

Username: cisco
Password:
R3>
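The Python script below is an added example for sections 3.2 to 3.4; it is not part of the original page and not Cisco code. It models how IOS evaluates an extended ACL in which one entry carries a time-range: entries are tried in order, an entry whose time-range is not active is skipped as if absent, and a packet matching no entry hits the implicit deny at the end. The EXT_IN list, the WORK_TIME range (IOS "weekdays" is Monday through Friday) and the two router clocks are transcribed from the captures above: 00:14:41 on Fri Mar 1 2002, which falls outside 09:00-15:00, and 10:00:00 on Fri Jan 1 1993, which falls inside it. The class and function names, the sample packets, and the inclusive treatment of the 09:00 and 15:00 boundaries are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed model of an IOS "time-range" holding one "periodic" statement.
# Weekday numbering follows Python: Monday=0 ... Sunday=6.
WEEKDAYS = frozenset(range(0, 5))   # IOS "periodic weekdays" = Monday through Friday


@dataclass(frozen=True)
class TimeRange:
    name: str
    days: frozenset
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        # Inclusive boundaries are this model's assumption, not verified IOS behaviour.
        return now.weekday() in self.days and self.start <= now.time() <= self.end


@dataclass(frozen=True)
class AclEntry:
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp", "ospf", ...
    dst_port: Optional[int] = None     # "eq <port>" on the destination; None = any port
    time_range: Optional[TimeRange] = None


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: Optional[int] = None


def evaluate(acl, pkt: Packet, now: datetime) -> str:
    """First-match evaluation with the implicit deny at the end of every IOS ACL.
    An entry bound to an inactive time-range is treated as absent, so the packet
    falls through to later entries and, if nothing else matches, to the implicit deny."""
    for entry in acl:
        if entry.proto != pkt.proto:
            continue
        if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
            continue
        if entry.time_range is not None and not entry.time_range.active(now):
            continue
        return entry.action
    return "deny"


# The page's configuration, transcribed into the model.
WORK_TIME = TimeRange("WORK_TIME", WEEKDAYS, time(9, 0), time(15, 0))
EXT_IN = [
    AclEntry("permit", "tcp", 22),              # permit tcp any any eq 22
    AclEntry("permit", "tcp", 23, WORK_TIME),   # permit tcp any any eq telnet time-range WORK_TIME
    AclEntry("permit", "ospf"),                 # permit ospf any any
]

# The two R2 clocks seen in the captures on the page.
CLOCK_BEFORE = datetime(2002, 3, 1, 0, 14, 41)   # Fri 00:14:41 UTC, outside WORK_TIME
CLOCK_AFTER = datetime(1993, 1, 1, 10, 0, 0)     # Fri 10:00:00 UTC, inside WORK_TIME

# Constructed sample traffic arriving on R2 FastEthernet0/0 from R1.
SAMPLE_TRAFFIC = {
    "ssh": Packet("tcp", 22),
    "telnet": Packet("tcp", 23),
    "ospf": Packet("ospf"),
    "icmp": Packet("icmp"),    # covered by no entry, so it hits the implicit deny
}


def decisions(now: datetime) -> dict:
    """Return the EXT_IN verdict for each sample packet at the given router clock."""
    return {name: evaluate(EXT_IN, pkt, now) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for label, clock in (("before clock set", CLOCK_BEFORE), ("after clock set", CLOCK_AFTER)):
        print(label, clock.strftime("%a %Y-%m-%d %H:%M:%S"), decisions(clock))
```

Running it reproduces the two captures: at the first clock telnet is denied while ssh and OSPF are permitted, and at the second clock the telnet entry becomes active. The model also makes two points visible that the captures do not: ICMP from R1 is dropped at all times because EXT_IN has no entry for it, and the whole policy depends on the router's own clock, which the page changes with a single `clock set`; in production, a time-based ACL is only as trustworthy as the authenticated time source the router is synchronised to.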