Lab topology diagram and implementation requirements

1. Create the two zones, named Outside and Inside:
   zone security Outside
   zone security Inside

2. Create an inspect-type class-map that matches outbound TCP traffic:
   class-map type inspect match-any In-to-Out
    match protocol tcp

3. Create an inspect-type class-map that matches outbound ICMP traffic:
   class-map type inspect match-all In-to-out-ICMP
    match protocol icmp

4. Define an extended IP ACL that matches Telnet between the two hosts (only 202.100.1.1 to 10.1.1.1, port 23):
   ip access-list extended Out-to-In
    permit tcp host 202.100.1.1 host 10.1.1.1 eq telnet

5. Create an inspect-type class-map that references the ACL:
   class-map type inspect match-all Telnet
    match access-group name Out-to-In

6. Create inspect-type policy-maps that reference the class-maps and set an action per class. Classes are evaluated in order; anything not matched falls into class-default, which here drops and logs it. The police rate is in bits per second and the burst in bytes:
   policy-map type inspect In-to-Out-policy
    class type inspect In-to-Out
     inspect
    class type inspect In-to-out-ICMP
     inspect
     police rate 8000 burst 1000
    class class-default
     drop log
   policy-map type inspect Out-to-In-policy
    class type inspect Telnet
     inspect
    class class-default
     drop log

7. Create the zone pairs and attach the policy-maps to them:
   zone-pair security Inside-to-Outside source Inside destination Outside
    service-policy type inspect In-to-Out-policy
   zone-pair security Outside-to-Inside source Outside destination Inside
    service-policy type inspect Out-to-In-policy

8. Assign the ZBF device's interfaces to the zones:
   interface FastEthernet0/0
    ip address 10.1.1.10 255.255.255.0
    zone-member security Inside
   interface FastEthernet1/0
    ip address 202.100.1.10 255.255.255.0
    zone-member security Outside
I will explain this in reverse order here, which may be easier to follow.
Telnet test from the Out device:
ICMP test from the InR1 device; pings that violate the policy are dropped:
Inspection information on the ZBF device:
ICMP session table:
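To make the reverse reading of the policy concrete, here is an added Python model of the eight configuration steps and of the Telnet and ICMP tests above. It is illustrative code written for this page, not Cisco code and not output from the lab. The ACL, class-maps, policy-maps, zone pairs and interface assignments are transcribed from the configuration; the first-match class ordering, the implicit drop for a zone pair without a policy, the pass for traffic that stays within one zone, and the stateful return path opened by inspect are modelling assumptions about IOS ZBF behaviour; the sample flows (ports 40000, 40001 and 50000, and the second outside host 202.100.1.2) are constructed.

```python
# Added example: a minimal Python model of the ZBF policy on this page.
# Not Cisco IOS code. First-match class ordering, default drop without a
# zone-pair, intra-zone pass and the stateful 'inspect' return path are
# assumptions about IOS behaviour made for this model.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


# Step 8: interface-to-zone assignment.
ZONE_OF_INTERFACE: Dict[str, str] = {
    "FastEthernet0/0": "Inside",
    "FastEthernet1/0": "Outside",
}

# Step 4: ip access-list extended Out-to-In, as
# (protocol, source host, destination host, destination port).
ACL_OUT_TO_IN: List[Tuple[str, str, str, int]] = [
    ("tcp", "202.100.1.1", "10.1.1.1", 23),
]


def acl_permits(acl: List[Tuple[str, str, str, int]], f: Flow) -> bool:
    """True if some permit entry of the ACL matches the flow."""
    return any(p == f.proto and s == f.src and d == f.dst and port == f.dport
               for p, s, d, port in acl)


# Steps 2, 3 and 5: class-maps as (match mode, list of match predicates).
CLASS_MAPS: Dict[str, Tuple[str, List[Callable[[Flow], bool]]]] = {
    "In-to-Out":      ("match-any", [lambda f: f.proto == "tcp"]),
    "In-to-out-ICMP": ("match-all", [lambda f: f.proto == "icmp"]),
    "Telnet":         ("match-all", [lambda f: acl_permits(ACL_OUT_TO_IN, f)]),
}


def class_matches(name: str, f: Flow) -> bool:
    """match-any needs one predicate to hold, match-all needs every one."""
    mode, preds = CLASS_MAPS[name]
    combine = any if mode == "match-any" else all
    return combine(pred(f) for pred in preds)


# Step 6: policy-maps as ordered (class, action) lists; class-default is
# last and always matches.
POLICY_MAPS: Dict[str, List[Tuple[str, str]]] = {
    "In-to-Out-policy": [("In-to-Out", "inspect"),
                         ("In-to-out-ICMP", "inspect police rate 8000 burst 1000"),
                         ("class-default", "drop log")],
    "Out-to-In-policy": [("Telnet", "inspect"),
                         ("class-default", "drop log")],
}

# Step 7: zone pairs and the policy attached to each.
ZONE_PAIRS: Dict[Tuple[str, str], str] = {
    ("Inside", "Outside"): "In-to-Out-policy",
    ("Outside", "Inside"): "Out-to-In-policy",
}


class ZoneBasedFirewall:
    def __init__(self) -> None:
        # Sessions created by 'inspect': (src, dst, proto, dport).
        self.sessions: Set[Tuple[str, str, str, Optional[int]]] = set()

    def evaluate(self, in_if: str, out_if: str, f: Flow) -> str:
        """Verdict for a packet entering on in_if and leaving on out_if."""
        src_zone, dst_zone = ZONE_OF_INTERFACE[in_if], ZONE_OF_INTERFACE[out_if]
        if src_zone == dst_zone:
            return "pass (same zone)"
        # Reply packets of an inspected session are allowed without
        # consulting the reverse zone pair (assumed stateful behaviour).
        if (f.dst, f.src, f.proto, f.sport) in self.sessions:
            return "pass (return traffic of inspected session)"
        policy = ZONE_PAIRS.get((src_zone, dst_zone))
        if policy is None:
            return "drop (no zone-pair for %s->%s)" % (src_zone, dst_zone)
        for cls, action in POLICY_MAPS[policy]:
            if cls == "class-default" or class_matches(cls, f):
                if action.startswith("inspect"):
                    self.sessions.add((f.src, f.dst, f.proto, f.dport))
                return "%s (%s / %s)" % (action, policy, cls)
        raise AssertionError("class-default must terminate the policy")


def demo() -> List[str]:
    """Constructed flows for the lab hosts; returns one verdict per flow."""
    fw = ZoneBasedFirewall()
    out_if, in_if = "FastEthernet1/0", "FastEthernet0/0"
    return [
        # Telnet from the Out device, exactly the host pair the ACL permits.
        fw.evaluate(out_if, in_if, Flow("202.100.1.1", "10.1.1.1", "tcp", 40000, 23)),
        # Its SYN/ACK comes back through the Inside-to-Outside pair.
        fw.evaluate(in_if, out_if, Flow("10.1.1.1", "202.100.1.1", "tcp", 23, 40000)),
        # Telnet from a second outside host (constructed): not in the ACL.
        fw.evaluate(out_if, in_if, Flow("202.100.1.2", "10.1.1.1", "tcp", 40001, 23)),
        # Ping from outside in: Out-to-In-policy has no ICMP class.
        fw.evaluate(out_if, in_if, Flow("202.100.1.1", "10.1.1.1", "icmp")),
        # Ping from InR1 out: inspected and policed.
        fw.evaluate(in_if, out_if, Flow("10.1.1.1", "202.100.1.1", "icmp")),
        # Echo reply for that ping.
        fw.evaluate(out_if, in_if, Flow("202.100.1.1", "10.1.1.1", "icmp")),
        # DNS from inside: In-to-Out only matches TCP, so UDP hits class-default.
        fw.evaluate(in_if, out_if, Flow("10.1.1.1", "202.100.1.1", "udp", 50000, 53)),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running it prints one verdict per flow. Two points the configuration lines alone do not make obvious: the Telnet class admits only the exact host pair in the ACL, so a second outside host is dropped by class-default even on port 23, and an inbound ping from the Out device is dropped unless it is the reply to a ping that InR1 sent first; and In-to-Out-policy has only TCP and ICMP classes, so outbound UDP such as DNS falls into class-default and is dropped and logged.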