
Описание:

В текущей версии ПО 1.20.4 Firewall не может использоваться совместно с MPLS: на интерфейсе, через который устанавливается MPLS, необходимо применить команду ip firewall disable, после чего трафик этого интерфейса не обрабатывается Firewall (правилами security zone-pair). Поэтому единственным средством ограничения доступа к управлению PE1 из L3VPN остаются списки адресов (access-addresses) для ssh/telnet. В данном примере приведена настройка ограничения доступа с оборудования CE по ssh/telnet к PE1 (ESR) через L3VPN с помощью object-group.

Решение:

Для ограничения доступа по ssh/telnet используются команды ip ssh access-addresses vrf VRF <object-group name> и ip telnet access-addresses vrf VRF <object-group name>: подключения к серверам ssh/telnet, запущенным в VRF, принимаются только с адресов-источников, входящих в указанные object-group; остальные попытки подключения отбрасываются без ответа (см. проверку ниже). Производится настройка L3VPN over GRE с отключением Firewall (ip firewall disable) на tunnel gre. Обратите внимание: списки адресов фильтруют только по адресу источника и не заменяют аутентификацию; telnet передаёт учётные данные в открытом виде, поэтому в рабочей сети предпочтительно оставить только ssh — в примере telnet включён для демонстрации работы списка адресов. Кроме того, правило security zone-pair untrusted self разрешает GRE от любого источника, а сам туннель между PE не шифруется; при необходимости ограничьте это правило адресом удалённой стороны туннеля и защитите трафик между PE отдельно — в примере это не показано.

Настройка PE1:

PE1# sh ru
hostname PE1

object-group network ssh_access
  ip prefix 192.168.30.0/24
exit
object-group network telnet_access
  ip prefix 10.101.0.0/24
  ip prefix 192.168.30.0/24
exit

ip vrf VRF
  ip protocols bgp max-routes 10
  rd 1:1
  route-target export 1:1
  route-target import 1:1
exit

syslog file tmpsys:syslog/debug
  severity debug
exit

security zone untrusted
exit

router bgp 1
  neighbor 172.16.1.2
    remote-as 1
    update-source gre 1
    address-family ipv4 unicast
      send-label
      enable
    exit
    enable
  exit
  neighbor 192.168.1.2
    remote-as 1
    update-source loopback 1
    address-family vpnv4 unicast
      send-community extended
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    network 192.168.1.1/32
  exit
  enable
  vrf VRF
    address-family ipv4 unicast
      redistribute connected
    exit
  exit
exit


interface gigabitethernet 1/0/1
  description "WAN"
  security-zone untrusted
  ip address 192.0.2.1/30
exit
interface loopback 1
  ip address 192.168.1.1/32
exit
interface loopback 2
  ip vrf forwarding VRF
  description "Management_ip"
  ip address 192.168.20.1/32
exit
tunnel gre 1
  description "to_PE2"
  mtu 1472
  ip firewall disable
  local address 192.0.2.1
  remote address 198.51.100.1
  ip address 172.16.1.1/30
  enable
exit

mpls
  forwarding interface gre 1
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol gre
    enable
  exit
exit

ip route 198.51.100.0/30 192.0.2.2

ip telnet server vrf VRF
ip telnet access-addresses vrf VRF telnet_access
ip ssh server vrf VRF
ip ssh access-addresses vrf VRF ssh_access

PE1# sh bgp neighbors 
BGP neighbor is 172.16.1.2
    BGP state:                       Established
    Type:                            Static neighbor
    Neighbor address:                172.16.1.2
    Neighbor AS:                     1
    Neighbor ID:                     192.168.1.2
    Neighbor caps:                   refresh enhanced-refresh restart-aware AS4
    Session:                         internal multihop AS4
    Source address:                  172.16.1.1
    Weight:                          0
    Hold timer:                      103/180
    Keepalive timer:                 19/60
    Address family ipv4 unicast:    
      Send-label:                    Yes
      Default originate:             No
      Default information originate: No
    Uptime:                          178 s
BGP neighbor is 192.168.1.2
    BGP state:                       Established
    Type:                            Static neighbor
    Neighbor address:                192.168.1.2
    Neighbor AS:                     1
    Neighbor ID:                     192.168.1.2
    Neighbor caps:                   refresh enhanced-refresh restart-aware AS4
    Session:                         internal multihop AS4
    Source address:                  192.168.1.1
    Weight:                          0
    Hold timer:                      137/180
    Keepalive timer:                 29/60
    Address family vpnv4 unicast:   
    Uptime:                          131 s
PE1#
PE1# sh bgp vpnv4 unicast all 
Status codes: * - valid, > - best, i - internal, S - stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Codes Route Distinguisher   IP Prefix          Next hop        Metric     Label   LocPrf     Weight Path            
----- --------------------- ------------------ --------------- ---------- ------- ---------- ------ ----------------
*>i   1:1                   192.168.40.0/24    192.168.1.2     --         16      100        0      ?
*>i   1:1                   192.168.30.0/24    192.168.1.2     --         16      100        0      ?
*>    1:1                   192.168.20.1/32    --              --         16      --         --     ?

Настройка PE2:

PE2# sh ru
hostname PE2

ip vrf VRF
  ip protocols bgp max-routes 10
  rd 1:1
  route-target export 1:1
  route-target import 1:1
exit

security zone untrusted
exit

router bgp 1
  neighbor 172.16.1.1
    remote-as 1
    update-source gre 1
    address-family ipv4 unicast
      send-label
      enable
    exit
    enable
  exit
  neighbor 192.168.1.1
    remote-as 1
    update-source loopback 1
    address-family vpnv4 unicast
      send-community extended
      enable
    exit
    enable
  exit
  address-family ipv4 unicast
    network 192.168.1.2/32
  exit
  enable
  vrf VRF
    address-family ipv4 unicast
      redistribute connected
    exit
  exit
exit

interface gigabitethernet 1/0/1
  description "WAN"
  security-zone untrusted
  ip address 198.51.100.1/30
exit
interface gigabitethernet 1/0/2
  ip vrf forwarding VRF
  ip firewall disable
  ip address 192.168.30.1/24
  ip address 192.168.40.1/24
exit
interface loopback 1
  ip address 192.168.1.2/32
exit

tunnel gre 1
  mtu 1472
  ip firewall disable
  local address 198.51.100.1
  remote address 192.0.2.1
  ip address 172.16.1.2/30
  enable
exit

mpls
  forwarding interface gre 1
exit

security zone-pair untrusted self
  rule 1
    action permit
    match protocol gre
    enable
  exit
exit

ip route 192.0.2.0/30 198.51.100.2

PE2# sh bgp neighbors 
BGP neighbor is 172.16.1.1
    BGP state:                       Established
    Type:                            Static neighbor
    Neighbor address:                172.16.1.1
    Neighbor AS:                     1
    Neighbor ID:                     192.168.1.1
    Neighbor caps:                   refresh enhanced-refresh restart-aware AS4
    Session:                         internal multihop AS4
    Source address:                  172.16.1.2
    Weight:                          0
    Hold timer:                      132/180
    Keepalive timer:                 29/60
    Address family ipv4 unicast:    
      Send-label:                    Yes
      Default originate:             No
      Default information originate: No
    Uptime:                          270 s
BGP neighbor is 192.168.1.1
    BGP state:                       Established
    Type:                            Static neighbor
    Neighbor address:                192.168.1.1
    Neighbor AS:                     1
    Neighbor ID:                     192.168.1.1
    Neighbor caps:                   refresh enhanced-refresh restart-aware AS4
    Session:                         internal multihop AS4
    Source address:                  192.168.1.2
    Weight:                          0
    Hold timer:                      161/180
    Keepalive timer:                 50/60
    Address family vpnv4 unicast:   
    Uptime:                          223 s
PE2#  
PE2# 
PE2# sh bgp vpnv4 unicast all 
Status codes: * - valid, > - best, i - internal, S - stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Codes Route Distinguisher   IP Prefix          Next hop        Metric     Label   LocPrf     Weight Path            
----- --------------------- ------------------ --------------- ---------- ------- ---------- ------ ----------------
*>    1:1                   192.168.40.0/24    --              --         16      --         --     ?
*>    1:1                   192.168.30.0/24    --              --         16      --         --     ?
*>i   1:1                   192.168.20.1/32    192.168.1.1     --         16      100        0      ?

Подключение по ssh хоста CE 192.168.30.2 (сеть 192.168.30.0/24 входит в object-group ssh_access) к адресу управления PE1 192.168.20.1 в VRF: сессия установлена — в sh users виден вход с этого адреса, а в выводе monitor gre 1 присутствуют пакеты с меткой 16 в обе стороны (In и Out):

PE1# sh users 
SID    User name              Logged in at        Host                   Timers Login/Priv   level   
----   --------------------   -----------------   --------------------   -----------------   -----   
1      admin                  16/01/24 04:38:10   192.168.30.2           00:29:54/00:00:00   15      

PE1# monitor gre 1 
04:39:40.136173  In ethertype MPLS unicast (0x8847), length 136: MPLS (label 16, exp 0, [S], ttl 63)
        (tos 0x10, ttl 63, id 25340, offset 0, flags [DF], proto TCP (6), length 116)
    192.168.30.2.34068 > 192.168.20.1.22: Flags [P.], cksum 0x4eb1 (correct), seq 421000999:421001063, ack 1498711829, win 276, options [nop,nop,TS val 336768366 ecr 34812582], length 64
04:39:40.137460 Out ethertype MPLS unicast (0x8847), length 72: MPLS (label 16, exp 0, [S], ttl 64)
        (tos 0x80, ttl 64, id 25785, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.20.1.22 > 192.168.30.2.34068: Flags [.], cksum 0x518d (correct), ack 64, win 432, options [nop,nop,TS val 34813573 ecr 336768366], length 0

Подключение по telnet хоста CE 192.168.30.2 (сеть 192.168.30.0/24 входит в object-group telnet_access) к адресу управления PE1 192.168.20.1 в VRF: сессия установлена — в sh users виден вход с этого адреса, а в выводе monitor gre 1 присутствуют пакеты с меткой 16 в обе стороны (In и Out):

PE1# sh users 
SID    User name              Logged in at        Host                   Timers Login/Priv   level   
----   --------------------   -----------------   --------------------   -----------------   -----   
1      admin                  16/01/24 04:43:39   192.168.30.2           00:29:53/00:00:00   15      

PE1# monitor gre 1 
04:44:01.778469  In ethertype MPLS unicast (0x8847), length 74: MPLS (label 16, exp 0, [S], ttl 63)
        (tos 0x0, ttl 63, id 19073, offset 0, flags [DF], proto TCP (6), length 54)
    192.168.30.2.53088 > 192.168.20.1.23: Flags [P.], cksum 0x47a4 (correct), seq 1:3, ack 1, win 206, options [nop,nop,TS val 336794529 ecr 34837663], length 2
04:44:01.795869 Out ethertype MPLS unicast (0x8847), length 74: MPLS (label 16, exp 0, [S], ttl 64)
        (tos 0x80, ttl 64, id 17980, offset 0, flags [DF], proto TCP (6), length 54)
    192.168.20.1.23 > 192.168.30.2.53088: Flags [P.], cksum 0x3f74 (correct), seq 1:3, ack 3, win 224, options [nop,nop,TS val 34839739 ecr 336794529], length 2

Попытка подключения по ssh/telnet хоста CE 192.168.40.2 (сеть 192.168.40.0/24 не входит ни в ssh_access, ни в telnet_access) к PE1: в выводе monitor gre 1 видны только входящие SYN-пакеты и их повторные передачи, ответных пакетов (SYN-ACK или RST) от PE1 нет — подключение отклонено списком адресов, в sh users новых сессий не появляется:

#ssh connect
PE1# monitor gre 1 
04:47:32.403406  In ethertype MPLS unicast (0x8847), length 80: MPLS (label 16, exp 0, [S], ttl 63)
        (tos 0x0, ttl 63, id 26830, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.40.2.34014 > 192.168.20.1.22: Flags [S], cksum 0x12a4 (correct), seq 172625192, win 25200, options [mss 1260,sackOK,TS val 336815590 ecr 0,nop,wscale 7], length 0
04:47:33.396775  In ethertype MPLS unicast (0x8847), length 80: MPLS (label 16, exp 0, [S], ttl 63)
        (tos 0x0, ttl 63, id 26831, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.40.2.34014 > 192.168.20.1.22: Flags [S], cksum 0x1240 (correct), seq 172625192, win 25200, options [mss 1260,sackOK,TS val 336815690 ecr 0,nop,wscale 7], length 0
04:47:35.396939  In ethertype MPLS unicast (0x8847), length 80: MPLS (label 16, exp 0, [S], ttl 63)
        (tos 0x0, ttl 63, id 26832, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.40.2.34014 > 192.168.20.1.22: Flags [S], cksum 0x1178 (correct), seq 172625192, win 25200, options [mss 1260,sackOK,TS val 336815890 ecr 0,nop,wscale 7], length 0

#telnet connect
PE1# monitor gre 1 
04:48:37.596065  In ethertype MPLS unicast (0x8847), length 80: MPLS (label 16, exp 0, [S], ttl 63)
        (tos 0x0, ttl 63, id 28160, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.40.2.42313 > 192.168.20.1.23: Flags [S], cksum 0x9d16 (correct), seq 1103040861, win 25200, options [mss 1260,sackOK,TS val 336822109 ecr 0,nop,wscale 7], length 0
04:48:38.589994  In ethertype MPLS unicast (0x8847), length 80: MPLS (label 16, exp 0, [S], ttl 63)
        (tos 0x0, ttl 63, id 28161, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.40.2.42313 > 192.168.20.1.23: Flags [S], cksum 0x9cb2 (correct), seq 1103040861, win 25200, options [mss 1260,sackOK,TS val 336822209 ecr 0,nop,wscale 7], length 0
04:48:40.590125  In ethertype MPLS unicast (0x8847), length 80: MPLS (label 16, exp 0, [S], ttl 63)
        (tos 0x0, ttl 63, id 28162, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.40.2.42313 > 192.168.20.1.23: Flags [S], cksum 0x9bea (correct), seq 1103040861, win 25200, options [mss 1260,sackOK,TS val 336822409 ecr 0,nop,wscale 7], length 0