protocol udp;
port 33434…33600;
}
then {
count traceroute;
accept;
}
}
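/* NOTE(review): there is no destination-port match, so this accepts *all* UDP
 * to the two hosts below rather than one service; 127.0.0.2/32 also lies in
 * the 127/8 loopback block. Confirm both prefixes against the intended service. */
term allow-UDP {
    from {
        destination-address {
            127.0.0.2/32;
            210.82.108.251/32;
        }
        protocol udp;
    }
    then accept;
}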
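/* NOTE(review): despite the name there is no `destination-port telnet` match,
 * so every TCP destination port on 210.82.108.252 is accepted by this term. */
term allow-telnet-traininglab {
    from {
        destination-address {
            210.82.108.252/32;
        }
        protocol tcp;
    }
    then accept;
}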
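/* Deactivated: while marked `inactive:`, traffic from the NSM host to
 * 210.82.108.234 is not accepted here and falls through to the later terms
 * (DiscardRest drops it). Counted, logged and syslogged once re-activated. */
inactive: term allow-NSM-management {
    from {
        source-address {
            207.17.136.56/32;
        }
        destination-address {
            210.82.108.234/32;
        }
    }
    then {
        count NSM-Management;
        log;
        syslog;
        accept;
    }
}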
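/* Discard all other traffic: count it, write it to the firewall log buffer
 * and to syslog, then drop. Being last, this makes the filter default-deny. */
term DiscardRest {
    then {
        count discarded;
        log;
        syslog;
        discard;
    }
}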
}
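filter ProtectRE {
    /* Sunnyvale, BJ & HK management sources allowed to reach the RE over SSH */
    term ssh-permit {
        /* Valid address */
        from {
            source-address {
                207.17.136.129/32;
                /* NOTE(review): 172.16.0.0/12 is the entire RFC 1918 B block;
                 * narrow it to the real management subnet if one exists. */
                172.16.0.0/12;
                203.193.18.0/28;
                210.82.108.192/26;
                207.17.136.150/32;
                193.110.49.4/32;
                203.193.18.222/32;
            }
            protocol tcp;
            destination-port ssh;
        }
        then {
            count ssh-permitted;
            accept;
        }
    }
    /* Denies all other SSH; counts and logs attempts */
    term ssh-deny {
        from {
            protocol tcp;
            destination-port ssh;
        }
        then {
            count ssh-denied;
            log;
            syslog;
            discard;
        }
    }
    /* Denies all telnet; counts and logs attempts */
    term telnet-denied {
        from {
            protocol tcp;
            destination-port telnet;
        }
        then {
            count telnet-denied;
            log;
            syslog;
            discard;
        }
    }
    /* Allows other traffic for routing protocols, etc.
     * NOTE(review): because this trailing term accepts everything, the filter
     * only restricts SSH and telnet; any other service on the RE stays
     * reachable from any source. */
    term permit-everything {
        then {
            count other-permitted;
            accept;
        }
    }
}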
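/* Only allows packets with a valid BJ source address (outbound direction, per its name) */
filter StopOutboundSpoof {
    /* Drop anything addressed to private or bogon space.
     * NOTE(review): this term matches on destination-address; packets *from*
     * such space are instead caught by spoof-address below. The
     * 128.0.0.0/16, 191.255.0.0/16 and 223.255.255.0/24 entries come from
     * older bogon lists - verify against current allocations. */
    term deny-martian-1918 {
        from {
            destination-address {
                172.16.0.0/12;
                10.0.0.0/8;
                192.168.0.0/16;
                0.0.0.0/8;
                127.0.0.0/8;
                128.0.0.0/16;
                191.255.0.0/16;
                223.255.255.0/24;
                240.0.0.0/4;
            }
        }
        then {
            count outbound-martian;
            syslog;
            discard;
        }
    }
    /* Traffic sourced from the site's own prefixes is sampled and forwarded */
    term valid-address {
        from {
            source-address {
                210.82.108.192/26;
                210.82.104.73/32;
            }
        }
        then {
            sample;
            accept;
        }
    }
    /* Everything else carries a source not owned by the site: count, log, drop */
    term spoof-address {
        then {
            count spoof-outbound;
            log;
            syslog;
            discard;
        }
    }
}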
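filter block-worm {
    /* Ports commonly used by worm propagation. NOTE(review): the list
     * brackets were reconstructed from a garbled listing (`' tcp udp '`);
     * Junos expects [ ... ] around value lists. */
    term block-port {
        from {
            protocol [ tcp udp ];
            destination-port [ 445 135 139 4444 5800 5900 ];
        }
        then {
            count blocked_port;
            log;
            discard;
        }
    }
    /* NOTE(review): tcp-flags is a TCP-header match; combined with
     * `protocol icmp` this term may never match as intended, and 0xaaaaaaaa
     * is wider than the TCP flags field. Confirm the intent before relying on it. */
    term bad-icmp {
        from {
            protocol icmp;
            icmp-type echo-request;
            icmp-code 0;
            tcp-flags 0xaaaaaaaa;
        }
        then {
            count internal_bad-icmp;
            syslog;
            discard;
        }
    }
    /* fragment-offset 0 matches unfragmented packets and first fragments only;
     * non-initial fragments carry no UDP header and are not caught here. */
    term BadTFTP {
        from {
            fragment-offset 0;
            protocol udp;
            destination-port 69;
        }
        then {
            count internal_BadTFTP;
            log;
            discard;
        }
    }
    /* Final catch-all: accept whatever the terms above did not drop */
    term reset_permit {
        then accept;
    }
}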
3.2.3 业务配置
VPN业务采用如图拓扑:
MPLS基本配置
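/* Basic MPLS enablement: run LDP and MPLS on the core-facing interface and
 * add family mpls to its logical unit. `type-fpc/pic/port` and
 * `logical-unit-number` are placeholders for the real interface name and unit. */
protocols {
    ldp {
        interface type-fpc/pic/port;
    }
    mpls {
        interface type-fpc/pic/port;
    }
}
interfaces {
    type-fpc/pic/port {
        unit logical-unit-number {
            family mpls;
        }
    }
}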
PE之间的MP-IBGP配置为:
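lab@T640# show protocols bgp
/* MP-IBGP session between the PEs, carrying plain unicast, L3VPN (inet-vpn)
 * and BGP-signalled L2VPN (l2vpn) routes. */
group pe-pe {
    type internal;
    local-address 192.168.0.11;
    family inet {
        unicast;
    }
    family inet-vpn {
        unicast;
    }
    /* NOTE(review): newer Junos releases use `family l2vpn signaling` for
     * BGP-signalled L2VPN/VPLS; confirm `unicast` is accepted on the target release. */
    family l2vpn {
        unicast;
    }
    neighbor 192.168.0.12;
}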
MPLS L3 VPN配置
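routing-instances {
    /* L3VPN VRF: customer-facing unit ge-1/2/0.10 plus a loopback unit,
     * route distinguisher 100:1, import/export route target target:100:1 */
    l3vpn-1 {
        instance-type vrf;
        interface ge-1/2/0.10;
        interface lo0.20;
        route-distinguisher 100:1;
        vrf-target target:100:1;
    }
}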
MPLS L2 VPN(Kompella方式)配置
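routing-instances {
    /* BGP-signalled (Kompella) L2VPN: this PE is site 2, the remote PE is site 1 */
    l2vpn-1 {
        instance-type l2vpn;
        interface ge-2/3/0.600;
        route-distinguisher 100:2;
        vrf-target target:100:2;
        protocols {
            l2vpn {
                encapsulation-type ethernet-vlan;
                site t640-lr {
                    site-identifier 2;
                    interface ge-2/3/0.600 {
                        remote-site-id 1;
                    }
                }
            }
        }
    }
}
/* NOTE(review): the instance above references ge-2/3/0.600, but the CCC unit
 * is defined on ge-1/2/0 here - one of the two interface names is wrong.
 * (Keyword lowercased from `Interfaces`: Junos keywords are case-sensitive.) */
interfaces {
    ge-1/2/0 {
        vlan-tagging;
        unit 600 {
            encapsulation vlan-ccc;
            vlan-id 600;
        }
    }
}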
MPLS L2 VPN(Martini方式)配置
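/* LDP-signalled (Martini) pseudowire, configured at [edit protocols l2circuit]:
 * VC id 2 to neighbor 192.168.0.12 with a backup attachment circuit */
l2circuit {
    neighbor 192.168.0.12 {
        interface so-0/2/2.2 {
            protect-interface so-0/2/0.2;
            virtual-circuit-id 2;
            no-control-word;
        }
    }
}
/* NOTE(review): the l2circuit binds so-0/2/2.2 (unit 2), but only unit 1 is
 * defined below - the unit numbers need to agree.
 * (Keyword lowercased from `Interfaces`: Junos keywords are case-sensitive.) */
interfaces {
    so-0/2/2 {
        encapsulation frame-relay-ccc;
        unit 1 {
            encapsulation frame-relay-ccc;
            point-to-point;
            dlci 600;
        }
    }
}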
VPLS配置
routing…instances {
vpls…1 {
instance…type vpls;
in