Problem statement
Task: implement automatic device discovery over mDNS between the 172.20.0.0/24 and 172.21.0.0/24 networks. Clients must be able to discover multimedia devices and connect to them, but only over SSH and HTTPS.
Solution description
Starting with ESR firmware 1.6.4, an mDNS reflector is supported. The service relays mDNS queries and responses from one L3 segment of the network into another and can filter the services it relays. As the packet capture at the end of this page shows, it does not forward the original frames: each packet is re-originated from the ESR's own address on the destination bridge. For the firewall this means mDNS traffic is seen as exchanged between the end devices and the ESR itself (zone self), which is how the zone-pair rules below are written.
For example, a multimedia device is connected to Bridge 20 and a client to Bridge 21. All mDNS traffic from Bridge 20 is reflected into Bridge 21 and vice versa.
ESR configuration
Configuring the client-facing interfaces
Multimedia devices are in VLAN 20, which is delivered to the ESR into Bridge 20 through sub-interface gi1/0/2.20.
bridge 20
ip firewall disable
ip address 172.20.0.1/24
enable
exit
Clients are in VLAN 21, which is delivered to the ESR into Bridge 21 through sub-interface gi1/0/2.21.
bridge 21
ip firewall disable
ip address 172.21.0.1/24
enable
exit
Sub-interface configuration
interface gigabitethernet 1/0/2.20
bridge-group 20
exit
interface gigabitethernet 1/0/2.21
bridge-group 21
exit
Configuring the mDNS reflector
The ip mdns-reflector command enables the reflector on an interface. The feature works on L3 interfaces, and it has to be enabled on two or more interfaces before anything is relayed. Enable the mDNS reflector on Bridge 20 and Bridge 21:
bridge 20
ip firewall disable
ip address 172.20.0.1/24
ip mdns-reflector
enable
exit
bridge 21
ip firewall disable
ip address 172.21.0.1/24
ip mdns-reflector
enable
exit
If the BRAS feature is in use, mDNS traffic (UDP port 5353) must be allowed through in bypass-traffic-acl for the reflector to work correctly.
Viewing the list of mDNS services
The show ip mdns-reflector command prints the services held in the reflector's cache.
ESR10# show ip mdns-reflector
Interface IP address Hostname Service Port
--------------- --------------- --------------------------------------------- ------------------------- -----
br20 172.20.0.10 Book-tester-7.local _raop._tcp 5000
br20 172.20.0.10 Book-tester-7.local _net-assistant._udp 3283
br20 172.20.0.10 Book-tester-7.local _afpovertcp._tcp 548
br20 172.20.0.10 Book-tester-7.local _smb._tcp 445
br20 172.20.0.10 Book-tester-7.local _rfb._tcp 5900
br20 172.20.0.10 Book-tester-7.local _eppc._tcp 3031
br20 172.20.0.10 Book-tester-7.local _sftp-ssh._tcp 22
br20 172.20.0.10 Book-tester-7.local _ssh._tcp 22
br20 172.20.0.10 Book-tester-7.local _https._tcp 443
The clear ip mdns-reflector command flushes the reflector cache. Note that the unfiltered cache above exposes everything the device announces, including its SMB, AFP and VNC (_rfb) ports; this is exactly the information the next section withholds from clients.
Filtering mDNS services
Clients should discover and use only the _ssh._tcp and _https._tcp services. Create a URL object-group listing the allowed mDNS service types (with the .local suffix):
object-group url test_url
url _ssh._tcp.local
url _https._tcp.local
exit
If the URL list contains no services, clients discover all services: an empty object-group disables filtering rather than blocking everything, so verify the result with show ip mdns-reflector after applying it.
Enable service filtering using the list created above:
ip mdns-reflector services test_url
The service list after filtering has been enabled:
ESR10# show ip mdns-reflector
Interface IP address Hostname Service Port
--------------- --------------- --------------------------------------------- ------------------------- -----
br20 172.20.0.10 Book-tester-7.local _ssh._tcp 22
br20 172.20.0.10 Book-tester-7.local _https._tcp 443

Filtering only controls which service records the reflector relays into the other segment. It does not prevent a client that already knows the device's address and a port from connecting to SMB or VNC directly; that is the job of the firewall rules in the next section, and the two controls should be applied together.
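To make the filtering semantics concrete, here is an added Python example; it is not Eltex code and does not use the ESR's implementation. It serialises an mDNS response with RFC 1035 name compression from the six service types seen in the capture at the end of this page, parses it back, and applies the same allowlist as object-group url test_url. The two SRV records are constructed sample data (the Book-tester-7 hostname and the ports come from the show output above), and the pass-through of non-service records such as A/AAAA is a design choice of this model, not documented reflector behaviour.

```python
"""Parse an mDNS/DNS-SD response and apply a service-type allowlist.
Added example, not Eltex code: models what ip mdns-reflector services test_url
does to the records the ESR relays, on a constructed copy of the captured response.
"""
import struct

TYPE_PTR, TYPE_SRV, CLASS_IN = 12, 33, 1
ENUM = "_services._dns-sd._udp.local"                # DNS-SD service-type enumeration name
ALLOWED = {"_ssh._tcp.local", "_https._tcp.local"}  # mirrors object-group url test_url


def build_response(records):
    """records: (owner, rtype, ttl, rdata); rdata is a name for PTR or (port, host) for SRV."""
    pkt = bytearray(struct.pack("!6H", 0, 0x8400, 0, len(records), 0, 0))
    seen = {}                          # name suffix -> offset of its first copy (RFC 1035 compression)

    def put_name(name):
        labels = name.split(".")
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:])
            if suffix in seen:         # emit a 2-byte pointer instead of repeating the suffix
                pkt.extend(struct.pack("!H", 0xC000 | seen[suffix]))
                return
            seen[suffix] = len(pkt)
            pkt.extend(bytes([len(label)]) + label.encode())
        pkt.append(0)

    for owner, rtype, ttl, rdata in records:
        put_name(owner)
        pkt.extend(struct.pack("!HHIH", rtype, CLASS_IN, ttl, 0))   # RDLENGTH patched below
        start = len(pkt)
        if rtype == TYPE_SRV:
            pkt.extend(struct.pack("!HHH", 0, 0, rdata[0]))        # priority, weight, port
            put_name(rdata[1])
        else:
            put_name(rdata)
        struct.pack_into("!H", pkt, start - 2, len(pkt) - start)
    return bytes(pkt)


def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end = [], None
    for _ in range(128):               # bounds both label count and pointer chasing
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:          # compression pointer: 14-bit offset
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(pkt[off:off + ln].decode())
        off += ln
    raise ValueError("name too long or compression pointer loop")


def parse_response(pkt):
    """Return every RR after the question section as (owner, rtype, ttl, target, port)."""
    _, _flags, qd, an, ns, ar = struct.unpack_from("!6H", pkt, 0)
    off = 12
    for _ in range(qd):                # skip questions: name + type + class
        _, off = read_name(pkt, off)
        off += 4
    rrs = []
    for _ in range(an + ns + ar):
        owner, off = read_name(pkt, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        target = port = None
        if rtype == TYPE_PTR:
            target, _ = read_name(pkt, off)
        elif rtype == TYPE_SRV:
            port = struct.unpack_from("!H", pkt, off + 4)[0]
            target, _ = read_name(pkt, off + 6)
        rrs.append((owner, rtype, ttl, target, port))
        off += rdlen
    return rrs


def service_type(owner, target):
    """'_ssh._tcp.local' for any record belonging to a service; None for A/AAAA and the like."""
    parts = (target if owner == ENUM and target else owner).split(".")
    if len(parts) >= 3 and parts[-2] in ("_tcp", "_udp"):
        return ".".join(parts[-3:])
    return None


def reflect(rrs, allowed=ALLOWED):
    """Drop records of services outside the allowlist; non-service records pass through."""
    return [rr for rr in rrs if service_type(rr[0], rr[3]) in allowed | {None}]


# Constructed sample: the six PTRs of the captured response in capture order, plus two
# hypothetical SRV records consistent with the show ip mdns-reflector output.
CAPTURED = [(ENUM, TYPE_PTR, 4500, s) for s in (
    "_smb._tcp.local", "_afpovertcp._tcp.local", "_rfb._tcp.local",
    "_ssh._tcp.local", "_sftp-ssh._tcp.local", "_net-assistant._udp.local")]
SAMPLE = CAPTURED + [("Book-tester-7._ssh._tcp.local", TYPE_SRV, 120, (22, "Book-tester-7.local")),
                     ("Book-tester-7._smb._tcp.local", TYPE_SRV, 120, (445, "Book-tester-7.local"))]


def visible_services(records=SAMPLE):
    kept = reflect(parse_response(build_response(records)))
    return sorted({service_type(o, t) for o, _, _, t, _ in kept} - {None})
```

build_response(CAPTURED) yields the same 181-byte payload as the captured packet (the per-record data lengths 12, 14, 7, 7, 12, 17 match the capture), and visible_services() returns only _ssh._tcp.local, because the sample response contains no _https._tcp record. The hop bound in read_name is the check a reflector needs against a crafted packet whose compression pointers loop.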
Firewall configuration
Place the multimedia devices in the security zone multimedia and the clients in the zone client; the ESR itself is in the zone self. The policy must:
- permit DHCP traffic between the multimedia/client devices and the ESR;
- permit mDNS traffic between the multimedia/client devices and the ESR;
- permit HTTPS and SSH traffic from the client devices to the multimedia devices;
- permit ICMP traffic between the multimedia/client devices and the ESR;
- permit ICMP traffic between the multimedia and client devices.
Create the service object-groups:
object-group service ssh
port-range 22
exit
object-group service https
port-range 443
exit
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group service mdns
port-range 5353
exit
Create the security zones:
security zone client
exit
security zone multimedia
exit
Assign the security zones on the bridges and enable the firewall (no ip firewall disable on each interface; the ip firewall disable line is therefore gone from the bridge configuration below):
bridge 20
security-zone multimedia
ip address 172.20.0.1/24
ip mdns-reflector
enable
exit
bridge 21
security-zone client
ip address 172.21.0.1/24
ip mdns-reflector
enable
exit
Create the security zone pairs. Only a client -> multimedia pair is defined, so sessions can be initiated from the client side only. The full configuration in the appendix shows the rules as finally applied: it omits the rule 2 with source-port dhcp_server / destination-port dhcp_server from the two X -> self pairs and numbers the remaining rules accordingly.
security zone-pair multimedia self
rule 2
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
rule 3
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 4
action permit
match protocol icmp
enable
exit
rule 5
action permit
match protocol udp
match destination-port mdns
enable
exit
exit
security zone-pair client self
rule 2
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
rule 3
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 4
action permit
match protocol icmp
enable
exit
rule 5
action permit
match protocol udp
match destination-port mdns
enable
exit
exit
security zone-pair client multimedia
rule 2
action permit
match protocol tcp
match destination-port ssh
enable
exit
rule 3
action permit
match protocol tcp
match destination-port https
enable
exit
rule 4
action permit
match protocol icmp
enable
exit
exit
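The following added Python example (not Eltex code) models the zone-pair rules as they appear in the full configuration in the appendix, with first-match permit and implicit deny, and runs the unfiltered show ip mdns-reflector table from above through it. The classification of traffic to 224.0.0.251 as zone self, the fixed ephemeral source port 40000, and the absence of any stateful handling are simplifying assumptions of the model. It shows that even before the service filter is applied only the SSH, SFTP-over-SSH and HTTPS entries are reachable from the client zone: filtering hides the rest from discovery, the firewall makes them unreachable.

```python
"""Zone-pair policy check for the mDNS reflector setup.

Added example, not Eltex code: a first-match evaluator for the zone-pair rules in
the full configuration (implicit deny when no rule or no pair matches, which is
the behaviour this design relies on). It is used to show which of the services
advertised in show ip mdns-reflector a client can actually reach. Treating the
multicast group 224.0.0.251 as zone self is an assumption of this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ZONES = {"multimedia": ip_network("172.20.0.0/24"), "client": ip_network("172.21.0.0/24")}
SELF = {"172.20.0.1", "172.21.0.1", "224.0.0.251"}   # ESR addresses + mDNS group (assumption)
SERVICES = {"ssh": 22, "https": 443, "dhcp_server": 67, "dhcp_client": 68, "mdns": 5353}


@dataclass(frozen=True)
class Rule:
    """One 'action permit' rule: protocol plus optional service object-groups."""
    proto: str
    dport: Optional[str] = None
    sport: Optional[str] = None


ZONE_PAIRS = {   # (source zone, destination zone) -> ordered permit rules, as in the appendix
    ("multimedia", "self"): [Rule("udp", "dhcp_server", "dhcp_client"), Rule("icmp"), Rule("udp", "mdns")],
    ("client", "self"): [Rule("udp", "dhcp_server", "dhcp_client"), Rule("icmp"), Rule("udp", "mdns")],
    ("client", "multimedia"): [Rule("tcp", "ssh"), Rule("tcp", "https"), Rule("icmp")],
}

# The unfiltered show ip mdns-reflector table from above, copied as sample input.
SHOW_OUTPUT = """\
br20 172.20.0.10 Book-tester-7.local _raop._tcp 5000
br20 172.20.0.10 Book-tester-7.local _net-assistant._udp 3283
br20 172.20.0.10 Book-tester-7.local _afpovertcp._tcp 548
br20 172.20.0.10 Book-tester-7.local _smb._tcp 445
br20 172.20.0.10 Book-tester-7.local _rfb._tcp 5900
br20 172.20.0.10 Book-tester-7.local _eppc._tcp 3031
br20 172.20.0.10 Book-tester-7.local _sftp-ssh._tcp 22
br20 172.20.0.10 Book-tester-7.local _ssh._tcp 22
br20 172.20.0.10 Book-tester-7.local _https._tcp 443
"""


def zone_of(ip):
    """Security zone of an address; None if it falls in no configured zone."""
    if ip in SELF:
        return "self"
    addr = ip_address(ip)
    return next((zone for zone, net in ZONES.items() if addr in net), None)


def evaluate(src_ip, dst_ip, proto, sport=None, dport=None):
    """Return 'permit' or 'deny' for a new flow; the first matching rule wins."""
    for rule in ZONE_PAIRS.get((zone_of(src_ip), zone_of(dst_ip)), []):
        if rule.proto != proto:
            continue
        if rule.dport is not None and SERVICES[rule.dport] != dport:
            continue
        if rule.sport is not None and SERVICES[rule.sport] != sport:
            continue
        return "permit"
    return "deny"                                  # no zone pair, or no matching rule


def reachable_from(client_ip, show_text=SHOW_OUTPUT):
    """Map each advertised service to the firewall verdict for a client connecting to it."""
    verdicts = {}
    for line in show_text.splitlines():
        _iface, ip, _host, svc, port = line.split()
        proto = "tcp" if svc.endswith("._tcp") else "udp"
        verdicts[svc] = evaluate(client_ip, ip, proto, sport=40000, dport=int(port))
    return verdicts


if __name__ == "__main__":
    for svc, verdict in reachable_from("172.21.0.10").items():
        print(f"{svc:24} {verdict}")
```

Run as a script it prints permit only for _sftp-ssh._tcp, _ssh._tcp and _https._tcp. Keeping a table like this next to the configuration is a cheap regression check: any later edit to a zone pair that opens 445 or 5900 from the client zone shows up immediately.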
Appendix
Full ESR configuration
This listing is taken from the lab device and also contains settings unrelated to the task (uplink bridge, DHCP pools, SNMP, NTP). The SNMP communities, the NTP server address and the admin password hash are lab values; do not copy them into production.
#!/usr/bin/clish
#14
#1.6.4
#06/12/2019
#18:19:37
hostname ESR10
object-group service ssh
port-range 22
exit
object-group service https
port-range 443
exit
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group service mdns
port-range 5353
exit
object-group url test_url
url _ssh._tcp.local
url _https._tcp.local
exit
username admin
password encrypted $6$OqYVDdLPN8ILZsQ/$iqWu8CPYGm8744FowOqaYD/mnZQhqXmAuVm9Sf6nyS8nlv3nuA5Ez2Z5ASeKxU7tFFf3SoiPDEdyALKZjVbEP.
exit
vlan 2
exit
security zone client
exit
security zone multimedia
exit
security zone uplink
exit
snmp-server
snmp-server system-shutdown
snmp-server community "private1" rw
snmp-server community "public11" ro
snmp-server host 10.10.5.50
exit
snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog
bridge 1
description "uplink"
vlan 2
security-zone uplink
ip address dhcp
enable
exit
bridge 20
description "multimedia"
security-zone multimedia
ip address 172.20.0.1/24
ip mdns-reflector
enable
exit
bridge 21
description "client"
security-zone client
ip address 172.21.0.1/24
ip mdns-reflector
enable
exit
interface gigabitethernet 1/0/1
mode switchport
switchport access vlan 2
exit
interface gigabitethernet 1/0/2.20
bridge-group 20
exit
interface gigabitethernet 1/0/2.21
bridge-group 21
exit
security zone-pair multimedia self
rule 2
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 3
action permit
match protocol icmp
enable
exit
rule 4
action permit
match protocol udp
match destination-port mdns
enable
exit
exit
security zone-pair client self
rule 2
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 3
action permit
match protocol icmp
enable
exit
rule 4
action permit
match protocol udp
match destination-port mdns
enable
exit
exit
security zone-pair client multimedia
rule 2
action permit
match protocol tcp
match destination-port ssh
enable
exit
rule 3
action permit
match protocol tcp
match destination-port https
enable
exit
rule 4
action permit
match protocol icmp
enable
exit
exit
security zone-pair uplink self
rule 2
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_client
enable
exit
rule 3
action permit
match protocol icmp
enable
exit
rule 4
action permit
match protocol tcp
match destination-port ssh
enable
exit
exit
ip dhcp-server
ip dhcp-server pool br20_local_clients_vlan20
network 172.20.0.0/24
max-lease-time 000:00:15
default-lease-time 000:00:10
address-range 172.20.0.10-172.20.0.250
default-router 172.20.0.1
dns-server 172.20.0.1
exit
ip dhcp-server pool br21_local_clients_vlan21
network 172.21.0.0/24
max-lease-time 000:00:15
default-lease-time 000:00:10
address-range 172.21.0.10-172.21.0.250
default-router 172.21.0.1
dns-server 172.21.0.1
exit
ip mdns-reflector services test_url
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 10.10.5.50
exit
Example of traffic flow
The four captures below follow one mDNS query from a client and the response it triggers, as seen on both bridges. The VLAN IDs and the client address in the captures are those of the lab where they were taken and do not match the 20/21 numbering used in the configuration above; what matters is how the packets change as they pass through the reflector.
1. The client's original query on the client bridge. It is sent to the multicast group from the client's own MAC and IP address as a "QU" question (unicast response requested).
Ethernet II, Src: Apple_93:c3:e0 (70:70:0d:93:c3:e0), Dst: IPv4mcast_fb (01:00:5e:00:00:fb)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 21
Internet Protocol Version 4, Src: 172.21.155.135, Dst: 224.0.0.251
User Datagram Protocol, Src Port: 5353, Dst Port: 5353
Source Port: 5353
Destination Port: 5353
Length: 62
Checksum: 0xfdc2 [correct]
[Checksum Status: Good]
[Stream index: 30]
Multicast Domain Name System (query)
Transaction ID: 0x0000
Flags: 0x0000 Standard query
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
MacBook Air - tester._smb._tcp.local: type SRV, class IN, "QU" question
Name: MacBook Air - tester._smb._tcp.local
[Name Length: 36]
[Label Count: 4]
Type: SRV (Server Selection) (33)
.000 0000 0000 0001 = Class: IN (0x0001)
1... .... .... .... = "QU" question: True

2. The same query as re-sent by the ESR into the multimedia segment. The source MAC and IP are now the ESR's own address on that bridge (172.20.0.1), and the QU bit has been cleared, so the device will answer by multicast ("QM" question).
Ethernet II, Src: EltexEnt_aa:1d:c0 (a8:f9:4b:aa:1d:c0), Dst: IPv4mcast_fb (01:00:5e:00:00:fb)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 7
Internet Protocol Version 4, Src: 172.20.0.1, Dst: 224.0.0.251
User Datagram Protocol, Src Port: 5353, Dst Port: 5353
Source Port: 5353
Destination Port: 5353
Length: 62
Checksum: 0x1948 [correct]
[Checksum Status: Good]
[Stream index: 32]
Multicast Domain Name System (query)
Transaction ID: 0x0000
Flags: 0x0000 Standard query
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
MacBook Air - tester._smb._tcp.local: type SRV, class IN, "QM" question
Name: MacBook Air - tester._smb._tcp.local
[Name Length: 36]
[Label Count: 4]
Type: SRV (Server Selection) (33)
.000 0000 0000 0001 = Class: IN (0x0001)
0... .... .... .... = "QU" question: False

3. The multimedia device (172.20.0.10) answers on its own bridge with an unsolicited multicast response that enumerates its service types: six PTR records for _services._dns-sd._udp.local.
Ethernet II, Src: Apple_a5:8f:de (64:76:ba:a5:8f:de), Dst: IPv4mcast_fb (01:00:5e:00:00:fb)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 7
Internet Protocol Version 4, Src: 172.20.0.10, Dst: 224.0.0.251
User Datagram Protocol, Src Port: 5353, Dst Port: 5353
Source Port: 5353
Destination Port: 5353
Length: 189
Checksum: 0x182b [correct]
[Checksum Status: Good]
[Stream index: 188]
Multicast Domain Name System (response)
Transaction ID: 0x0000
Flags: 0x8400 Standard query response, No error
Questions: 0
Answer RRs: 6
Authority RRs: 0
Additional RRs: 0
Answers
_services._dns-sd._udp.local: type PTR, class IN, _smb._tcp.local
Name: _services._dns-sd._udp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
0... .... .... .... = Cache flush: False
Time to live: 4500
Data length: 12
Domain Name: _smb._tcp.local
_services._dns-sd._udp.local: type PTR, class IN, _afpovertcp._tcp.local
Name: _services._dns-sd._udp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
0... .... .... .... = Cache flush: False
Time to live: 4500
Data length: 14
Domain Name: _afpovertcp._tcp.local
_services._dns-sd._udp.local: type PTR, class IN, _rfb._tcp.local
Name: _services._dns-sd._udp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
0... .... .... .... = Cache flush: False
Time to live: 4500
Data length: 7
Domain Name: _rfb._tcp.local
_services._dns-sd._udp.local: type PTR, class IN, _ssh._tcp.local
Name: _services._dns-sd._udp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
0... .... .... .... = Cache flush: False
Time to live: 4500
Data length: 7
Domain Name: _ssh._tcp.local
_services._dns-sd._udp.local: type PTR, class IN, _sftp-ssh._tcp.local
Name: _services._dns-sd._udp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
0... .... .... .... = Cache flush: False
Time to live: 4500
Data length: 12
Domain Name: _sftp-ssh._tcp.local
_services._dns-sd._udp.local: type PTR, class IN, _net-assistant._udp.local
Name: _services._dns-sd._udp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
0... .... .... .... = Cache flush: False
Time to live: 4500
Data length: 17
Domain Name: _net-assistant._udp.local
[Unsolicited: True]

4. The ESR reflects that response into the client segment, sourced from its own address on the client bridge (172.21.0.1). The record order differs from the original packet, which shows that the reflector rebuilds the response rather than forwarding the frame.
Ethernet II, Src: EltexEnt_aa:1d:c0 (a8:f9:4b:aa:1d:c0), Dst: IPv4mcast_fb (01:00:5e:00:00:fb)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 10
Internet Protocol Version 4, Src: 172.21.0.1, Dst: 224.0.0.251
User Datagram Protocol, Src Port: 5353, Dst Port: 5353
Source Port: 5353
Destination Port: 5353
Length: 189
Checksum: 0x79cb [correct]
[Checksum Status: Good]
[Stream index: 49]
Multicast Domain Name System (response)
Transaction ID: 0x0000
Flags: 0x8400 Standard query response, No error
Questions: 0
Answer RRs: 6
Authority RRs: 0
Additional RRs: 0
Answers
_services._dns-sd._udp.local: type PTR, class IN, _smb._tcp.local
Name: _services._dns-sd._udp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
0... .... .... .... = Cache flush: False
Time to live: 4500
Data length: 12
Domain Name: _smb._tcp.local
_services._dns-sd._udp.local: type PTR, class IN, _net-assistant._udp.local
Name: _services._dns-sd._udp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
0... .... .... .... = Cache flush: False
Time to live: 4500
Data length: 17
Domain Name: _net-assistant._udp.local
_services._dns-sd._udp.local: type PTR, class IN, _sftp-ssh._tcp.local
Name: _services._dns-sd._udp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
0... .... .... .... = Cache flush: False
Time to live: 4500
Data length: 12
Domain Name: _sftp-ssh._tcp.local
_services._dns-sd._udp.local: type PTR, class IN, _ssh._tcp.local
Name: _services._dns-sd._udp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
0... .... .... .... = Cache flush: False
Time to live: 4500
Data length: 7
Domain Name: _ssh._tcp.local
_services._dns-sd._udp.local: type PTR, class IN, _rfb._tcp.local
Name: _services._dns-sd._udp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
0... .... .... .... = Cache flush: False
Time to live: 4500
Data length: 7
Domain Name: _rfb._tcp.local
_services._dns-sd._udp.local: type PTR, class IN, _afpovertcp._tcp.local
Name: _services._dns-sd._udp.local
Type: PTR (domain name PoinTeR) (12)
.000 0000 0000 0001 = Class: IN (0x0001)
0... .... .... .... = Cache flush: False
Time to live: 4500
Data length: 14
Domain Name: _afpovertcp._tcp.local

The client has received the list of services and can connect to them. Note that the reflected response in this capture still carries all six service types, including _smb._tcp and _rfb._tcp, i.e. it shows the unfiltered behaviour. With ip mdns-reflector services test_url applied, only the allowed types reach the client segment, and the zone-pair rules keep the remaining ports unreachable regardless of what the client discovers.