
23.04.2009

ACL object-groups on Cisco routers

Starting with IOS 12.4(20)T you can create object groups for access lists, the way Cisco PIX has done for ages. Not everything works yet!
Example from a router:
object-group network east.net
192.168.4.0 255.255.255.0
192.168.5.0 255.255.255.0
!
object-group network west.net
192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0
!
object-group network west.srv
host 192.168.2.241
host 192.168.2.242
host 192.168.2.243
!
object-group service winports
group-object winports.tcp
group-object winports.udp
!
object-group service winports.tcp
tcp range 135 139
tcp eq 445
!
object-group service winports.udp
udp range 135 netbios-ss
!
ip access-list extended uplink.in
permit ip any object-group west.srv
deny tcp any object-group west.net eq 445
deny tcp any object-group west.net range 135 139
deny udp any object-group west.net range 135 netbios-ss
permit ip any object-group west.net
deny tcp any object-group east.net eq 445
deny tcp any object-group east.net range 135 139
deny udp any object-group east.net range 135 netbios-ss
permit ip any object-group east.net
ip access-list extended uplink.out
permit ip object-group west.srv any
deny tcp object-group west.net any eq 445
deny tcp object-group west.net any range 135 139
deny udp object-group west.net any range 135 netbios-ss
permit ip object-group west.net any
deny tcp object-group east.net any eq 445
deny tcp object-group east.net any range 135 139
deny udp object-group east.net any range 135 netbios-ss
permit ip object-group east.net any
!
interface Serial0/0/0
ip access-group uplink.in in
ip access-group uplink.out out

Note that on the PIX you could write it like this:
deny tcp object-group west.net any object-group winports.tcp
deny udp object-group west.net any object-group winports.udp

That is why I created two groups out of habit. The Cisco documentation (linked at the start) shows the same PIX-style construct:
Creating a Service Object Group: Example

The following example shows how to create a service object group named my_service_object_group, which contains several ICMP, TCP, UDP, and TCP-UDP protocols and an existing object group (child) named sjc_eng_svcs as objects.

Router> enable
Router# configure terminal
Router(config)# object-group service my_service_object_group
Router(config-service-group)# icmp echo
Router(config-service-group)# tcp smtp
Router(config-service-group)# tcp telnet
Router(config-service-group)# tcp source range 1 65535 snmp
Router(config-service-group)# udp domain
Router(config-service-group)# tcp-udp range 2000 2005
Router(config-service-group)# group-object sjc_eng_svcs

Creating an Object Group-Based ACL: Example

The following example shows how to create an object group-based ACL that permits packets from the users in my_network_object_group if the protocol ports match the ports specified in my_service_object_group.

Router> enable
Router# configure terminal
Router(config)# ip access-list extended my_ogacl_policy
Router(config-ext-nacl)# permit tcp object-group my_network_object_group object-group my_service_object_group any
Router(config-ext-nacl)# deny tcp any any
Router(config-ext-nacl)# exit
Router(config)# exit


But in practice this cannot be done (12.4(22)T1): there is no way to put a service object group in that position:
router(config-ext-nacl)#deny tcp ?
A.B.C.D Source address
any Any source host
host A single source host
object-group Source network object group

router(config-ext-nacl)#deny tcp object-group west.net ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
object-group Destination network object group
range Match only packets in the range of port numbers


3845-service(config-ext-nacl)#deny tcp object-group west.net object-group west.net ?
ack Match on the ACK bit
dscp Match packets with given dscp value
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
fragments Check non-initial fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
match-all Match if all specified flags are present
match-any Match if any specified flag is present
neq Match only packets not on a given port number
option Match packets with given IP Options value
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
ttl Match packets with given TTL value
urg Match on the URG bit

What you can do is build a construct like this:
router(config-ext-nacl)#deny ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
object-group Service object group
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol


ip access-list extended uplink.in
deny object-group winports any object-group west.net

Or this one:
ip access-list extended uplink.in
deny object-group winports.tcp any object-group west.net
deny object-group winports.udp any object-group west.net

And they block everything indiscriminately (all TCP and UDP to west.net, not just the listed ports), exactly as if it had been written like this:
ip access-list extended uplink.in
deny tcp any object-group west.net
deny udp any object-group west.net
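As an added example (not from the post), here is a small Python script that expands object-group ACEs into the flat entries they stand for, so the intended rule set can be reviewed before it goes on a router: it resolves nested group-object references, converts the subnet masks of network groups into the wildcard masks an ACE uses, and expands a service group in the protocol position the way the PIX-style syntax intends (one entry per protocol/port pair, ports applied to the destination). That is the intended reading; as noted above, the 12.4(22)T1 image matched all TCP and UDP for that form, and the reverse risk is worth remembering: had those been permit entries, the router would have opened all TCP and UDP instead of just the Windows ports. The embedded config is trimmed from the post (east.net and some entries omitted, a log keyword added to one entry); the ACL named winports.test is constructed for the example.

```python
import ipaddress
import re
from itertools import product
# Groups and ACL entries trimmed from the post (east.net and some entries omitted), plus a
# constructed ACL "winports.test" that uses the service group in the protocol position.
CONFIG = """
object-group network west.net
 192.168.1.0 255.255.255.0
 192.168.2.0 255.255.255.0
!
object-group network west.srv
 host 192.168.2.241
 host 192.168.2.242
!
object-group service winports
 group-object winports.tcp
 group-object winports.udp
!
object-group service winports.tcp
 tcp range 135 139
 tcp eq 445
!
object-group service winports.udp
 udp range 135 netbios-ss
!
ip access-list extended uplink.in
 permit ip any object-group west.srv
 deny tcp any object-group west.net eq 445
 permit ip any object-group west.net log
ip access-list extended winports.test
 deny object-group winports any object-group west.net
"""
PORT_OPERATORS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> operand count

def parse_config(text):
    """Split the config into object-group member lists and named extended ACLs."""
    groups, acls, target = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"object-group (?:network|service) (\S+)$", line):
            target = groups.setdefault(m[1], [])
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            target = acls.setdefault(m[1], [])
        elif line and line != "!" and target is not None:
            target.append(line)
    return groups, acls

def resolve(groups, name, seen=()):
    """Flatten one group, following nested group-object references and refusing cycles."""
    if name in seen:
        raise ValueError(f"group-object cycle at {name}")
    members = []
    for member in groups[name]:  # KeyError for an undefined group is the right failure
        if member.startswith("group-object "):
            members.extend(resolve(groups, member.split()[1], seen + (name,)))
        else:
            members.append(member)
    return members

def to_ace_address(member):
    """Network groups use subnet masks; an ACE needs the wildcard (host) mask instead."""
    if member.startswith("host "):
        return member
    address, netmask = member.split()
    net = ipaddress.IPv4Network(f"{address}/{netmask}")
    return f"{net.network_address} {net.hostmask}"

def take_endpoint(tokens, i, groups):
    """Consume one address spec plus an optional port operator starting at tokens[i]."""
    head = tokens[i]
    if head == "any":
        addresses, i = ["any"], i + 1
    elif head == "object-group":
        addresses, i = [to_ace_address(m) for m in resolve(groups, tokens[i + 1])], i + 2
    else:  # "host A.B.C.D" or "A.B.C.D wildcard"
        addresses, i = [f"{head} {tokens[i + 1]}"], i + 2
    ports = ""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        width = 1 + PORT_OPERATORS[tokens[i]]
        ports, i = " " + " ".join(tokens[i:i + width]), i + width
    return [a + ports for a in addresses], i

def expand_ace(ace, groups):
    """Return the flat ACEs that one object-group ACE stands for."""
    tokens = ace.split()
    if tokens[1] == "object-group":
        # Service group in the protocol position: one (protocol, port spec) per member,
        # ports applied to the destination, which is what the PIX-style syntax intends.
        protocols = [(m.split()[0], " " + " ".join(m.split()[1:])) for m in resolve(groups, tokens[2])]
        i = 3
    else:
        protocols, i = [(tokens[1], "")], 2
    sources, i = take_endpoint(tokens, i, groups)
    destinations, i = take_endpoint(tokens, i, groups)
    trailer = " " + " ".join(tokens[i:]) if i < len(tokens) else ""  # log, established, ...
    return [f"{tokens[0]} {proto} {src} {dst}{spec}{trailer}"
            for (proto, spec), src, dst in product(protocols, sources, destinations)]

def expand_acl(text, acl_name):
    groups, acls = parse_config(text)
    return [flat for ace in acls[acl_name] for flat in expand_ace(ace, groups)]

if __name__ == "__main__":
    print("\n".join(expand_acl(CONFIG, "winports.test")))
```

Run it and compare the printed entries with what you meant to configure; the winports.test ACL expands to six deny entries covering only ports 135-139 and 445, which is what the post's author expected and not what the router actually matched.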

22.04.2009

VoIP calculator and RTP compression

Cisco has a page that gives the theory behind bandwidth calculation for different codecs. The same page has a link (for registered customers) to the Voice Codec Bandwidth Calculator.

Useful bandwidth calculation results for the G.729 codec

Codec Bit Rate          8 kbps     = (Codec Sample Size * 8) / (Codec Sample Interval)
Codec Sample Size       10 bytes   size of each individual codec sample
Codec Sample Interval   10 msec    the time it takes for a single sample

Codec: g729_All_Variants
Voice Payload Size: 20 bytes
Voice Protocol: VoIP
Compression: Not Applicable
Media Access: Ethernet
Tunnel/Security/Misc: None
Number of Calls: 1

Total Bandwidth (including Overhead) 32.76 kbps

Codec: g729_All_Variants
Voice Payload Size: 20 bytes
Voice Protocol: VoIP
Compression: off
Media Access: Frame-Relay
Tunnel/Security/Misc: None
Number of Calls: 1

Total Bandwidth (including Overhead) 28.14 kbps

Codec: g729_All_Variants
Voice Payload Size: 20 bytes
Voice Protocol: VoIP
Compression: on
Media Access: Frame-Relay
Tunnel/Security/Misc: None
Number of Calls: 1

Total Bandwidth (including Overhead) 12.18 kbps


Codec: g729_All_Variants
Voice Payload Size: 30 bytes
Voice Protocol: VoFR
Media Access: Not Applicable
Tunnel/Security/Misc: Not Applicable
Number of Calls: 1

Cisco IOS Total Bandwidth Needed for 1.0 Calls 10 kbps


Header compression only works on WAN interfaces with PPP, HDLC or Frame Relay encapsulation.
Example:
interface Serial0/2/0:0.100 point-to-point
ip unnumbered Loopback0
frame-relay interface-dlci 100
frame-relay ip rtp header-compression

interface Serial0/1/0
ip unnumbered Loopback0
ip rtp header-compression
encapsulation ppp
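As an added example (not from the post or from Cisco's page), the following Python code carries the codec parameters from the table above through to the per-call link bandwidth, with and without RTP header compression. The link-layer overhead bytes, the 40-byte IP/UDP/RTP header and the 2-byte compressed header are assumptions made here, which is why the figures it prints differ somewhat from the calculator results quoted above; the G.729 defaults (10-byte samples every 10 ms) are the ones from the table.

```python
# Added example: per-call VoIP bandwidth from codec parameters. The overhead byte counts
# below are assumptions made for this example, not values taken from the Cisco calculator.
IP_UDP_RTP_BYTES = 40        # 20 IP + 8 UDP + 12 RTP
CRTP_HEADER_BYTES = 2        # IP/UDP/RTP compressed to 2 bytes (4 with UDP checksum), assumption
L2_OVERHEAD_BYTES = {        # assumed link-layer overhead per encapsulation
    "ethernet": 18,          # 14-byte header + 4-byte FCS
    "frame-relay": 6,
    "ppp": 6,
}

def codec_bit_rate_kbps(sample_size_bytes, sample_interval_ms):
    """Codec bit rate = (sample size * 8) / sample interval, the formula in the table above."""
    return sample_size_bytes * 8 / sample_interval_ms

def packets_per_second(payload_bytes, sample_size_bytes, sample_interval_ms):
    """A packet carries payload/sample_size samples, so it spans that many sample intervals."""
    packet_interval_ms = payload_bytes / sample_size_bytes * sample_interval_ms
    return 1000 / packet_interval_ms

def call_bandwidth_kbps(payload_bytes, media, crtp=False, calls=1,
                        sample_size_bytes=10, sample_interval_ms=10):
    """Link bandwidth for `calls` concurrent calls, including L3 and L2 overhead.

    Defaults are the G.729 parameters from the table (10-byte samples every 10 ms).
    cRTP is a WAN-encapsulation feature (PPP/HDLC/Frame Relay), as the post notes.
    """
    if crtp and media == "ethernet":
        raise ValueError("RTP header compression is not available on Ethernet")
    pps = packets_per_second(payload_bytes, sample_size_bytes, sample_interval_ms)
    l3_bytes = CRTP_HEADER_BYTES if crtp else IP_UDP_RTP_BYTES
    frame_bytes = payload_bytes + l3_bytes + L2_OVERHEAD_BYTES[media]
    return frame_bytes * 8 * pps * calls / 1000

if __name__ == "__main__":
    print(f"G.729 codec rate: {codec_bit_rate_kbps(10, 10):.1f} kbps")
    for media, crtp in (("ethernet", False), ("frame-relay", False), ("frame-relay", True)):
        print(f"G.729, 20-byte payload, {media}, cRTP {'on' if crtp else 'off'}: "
              f"{call_bandwidth_kbps(20, media, crtp):.2f} kbps per call")
```

The payload size is what drives the packet rate: a 20-byte G.729 payload means two samples per packet, 50 packets per second, and a 40-byte IP/UDP/RTP header on every one of them, which is why cRTP roughly halves the per-call figure on a Frame Relay or PPP link.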

ACLs for routing protocols and more

Saved somewhere along the way as a reminder. Just the thing for the cases when "permit ip any any" somehow "doesn't work".

Here’s a handy list of ACL entries to allow your devices to speak routing protocols, availability protocols, and some other stuff. We’ll assume you have ACL 101 applied to your Ethernet inbound; your Ethernet has an IP of 192.168.0.1.

BGP : Runs on TCP/179 between the neighbors
access-list 101 permit tcp any host 192.168.0.1 eq 179

EIGRP : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.10
access-list 101 permit eigrp any host 224.0.0.10

OSPF : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.5; also talks to 224.0.0.6 for DR/BDR routers
access-list 101 permit ospf any host 224.0.0.5
access-list 101 permit ospf any host 224.0.0.6

HSRP : Runs on UDP from the source interface IP to the multicast address of 224.0.0.2. I’ve seen in the past that it runs on UDP/1985, but I didn’t find any evidence of that in a quick Google for it. Can someone verify?
access-list 101 permit udp any host 224.0.0.2

RIP : Runs on UDP/520 from the source interface IP to the multicast address of 224.0.0.9
access-list 101 permit udp any host 224.0.0.9 eq 520

VRRP : Runs on its own protocol number from the source interface IP to the multicast address of 224.0.0.18
access-list 101 permit 112 any host 224.0.0.18

GLBP : Runs on UDP from the source interface IP to the multicast address of 224.0.0.102
access-list 101 permit udp any host 224.0.0.102

DHCPD (or bootps) : Runs on UDP/67 from 0.0.0.0 (since the client doesn’t have an address yet) to 255.255.255.255 (the broadcast).
access-list 101 permit udp any host 255.255.255.255 eq 67