As IPv4 addresses run out, IPv4 will become history and IPv6 will take its place. I have noticed that many enterprise network administrators hesitate over migrating to IPv6, perhaps because they see it as an entirely new field and expect the migration to be a lot of trouble. In practice, however, tasks such as adjusting the firewall service are not as hard as people imagine. Cisco IOS supports several ways of configuring a firewall. Suppose, for example, your device has the following static access-list entries:

```
access-list 101 permit tcp any host 10.1.1.1 eq www
access-list 101 permit tcp any host 10.1.1.1 eq ftp
access-list 101 permit tcp any host 10.1.1.1 eq 22
```
On an IPv6 router the access-list configuration exists in the same way; it simply takes the form of a named extended access-list.

Example IPv6 access list:

```
! list name WEBSERVER is assumed; the original shows only the entries
ipv6 access-list WEBSERVER
 permit tcp any host 2001:DB9:2:3::3 eq www sequence 10
 permit tcp any host 2001:DB9:2:3::3 eq telnet sequence 20
 permit tcp any host 2001:DB9:2:3::3 eq 22 sequence 30
 permit tcp any host 2001:DB9:2:3::3 eq ftp sequence 40
```

Applying it to an interface with the ipv6 traffic-filter command is simpler and clearer than the ip access-group command we are used to.
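During a dual-stack migration the IPv4 and IPv6 lists for the same host tend to drift apart (the IPv6 list above, for instance, also opens telnet). The following Python check is an added example, not code from the original article: it parses numbered IPv4 entries and named IPv6 entries in the style shown above and reports the permitted services that exist in only one address family. The service-name table is an assumed subset of what IOS accepts, and the sample entries are constructed from the page's examples.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Well-known service names IOS accepts in place of port numbers (assumed subset).
SERVICE_PORTS = {"www": 80, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25}

# Numbered IPv4 entry: "access-list 101 permit tcp any host 10.1.1.1 eq www"
V4_ACE = re.compile(r"^access-list\s+\d+\s+(permit|deny)\s+(tcp|udp)\s+\S+\s+host\s+\S+\s+eq\s+(\S+)$")
# Named IPv6 entry: "permit tcp any host 2001:DB9:2:3::3 eq www sequence 10"
V6_ACE = re.compile(r"^(permit|deny)\s+(tcp|udp)\s+\S+\s+host\s+\S+\s+eq\s+(\S+)(?:\s+sequence\s+\d+)?$")

def port_number(token: str) -> int:
    """Map 'www' or '80' to 80; an unknown service name raises KeyError."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token.lower()]

def permitted_services(lines: Iterable[str], pattern: "re.Pattern[str]") -> Tuple[Set[Tuple[str, int]], List[str]]:
    """Collect permitted (proto, port) pairs. Only single-host 'eq' entries with a
    one-token source are understood; anything else is returned as unparsed rather
    than silently dropped, so a gap in the checker cannot hide a gap in the policy."""
    services: Set[Tuple[str, int]] = set()
    unparsed: List[str] = []
    for line in lines:
        m = pattern.match(line.strip())
        if m is None:
            unparsed.append(line)
        elif m.group(1) == "permit":
            services.add((m.group(2), port_number(m.group(3))))
    return services, unparsed

def compare_policies(v4_lines: Iterable[str], v6_lines: Iterable[str]) -> Dict[str, object]:
    """Report services permitted by only one address family, plus unparsed lines."""
    v4, bad4 = permitted_services(v4_lines, V4_ACE)
    v6, bad6 = permitted_services(v6_lines, V6_ACE)
    return {"only_ipv4": v4 - v6, "only_ipv6": v6 - v4, "unparsed": bad4 + bad6}

# Sample input constructed from the entries shown in the article.
IPV4_ACL = [
    "access-list 101 permit tcp any host 10.1.1.1 eq www",
    "access-list 101 permit tcp any host 10.1.1.1 eq ftp",
    "access-list 101 permit tcp any host 10.1.1.1 eq 22",
]
IPV6_ACL = [
    "permit tcp any host 2001:DB9:2:3::3 eq www sequence 10",
    "permit tcp any host 2001:DB9:2:3::3 eq telnet sequence 20",
    "permit tcp any host 2001:DB9:2:3::3 eq 22 sequence 30",
    "permit tcp any host 2001:DB9:2:3::3 eq ftp sequence 40",
]

if __name__ == "__main__":
    print(compare_policies(IPV4_ACL, IPV6_ACL))  # telnet is open only on the IPv6 side
```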
Reflexive access-lists in IOS:

```
interface Ethernet0/1
 ip address 172.16.1.2 255.255.255.0
 ip access-group inboundfilter in
 ip access-group outboundfilter out
!
ip access-list extended inboundfilter
 permit icmp 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 evaluate tcptraffic
!
ip access-list extended outboundfilter
 permit icmp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcptraffic
```
The IPv6 form of the reflexive access-lists has to be configured as well, and the procedure differs little:

```
interface Ethernet0/1
 ipv6 address 2001:db9:1::1/64
 ipv6 traffic-filter inboundfilter in
 ipv6 traffic-filter outboundfilter out
!
ipv6 access-list inboundfilter
 permit icmp host 2001:db8:1::F host 2001:db9:2::2
 evaluate tcptraffic
!
ipv6 access-list outboundfilter
 permit tcp any any reflect tcptraffic
 permit icmp any any
```
Context-Based Access Control (CBAC) is also known as the IOS Firewall.

In an IPv4 environment this firewall looks like the following:

```
ip inspect name FW tcp
!
interface Ethernet0
 ip address 10.10.10.2 255.255.255.0
 ip access-group 101 in
 ip inspect FW in
!
interface Serial0.1 point-to-point
 ip address 10.10.11.2 255.255.255.252
 ip access-group 102 in
 frame-relay interface-dlci 200 IETF
!
```
In an IPv6 environment almost nothing changes; the inspection rule and the interface command just use the ipv6 keyword so that IPv6 traffic is actually inspected:

```
ipv6 inspect name FW tcp
!
interface Ethernet0
 ipv6 address 2001:db9:1::1/64
 ipv6 traffic-filter inboundfilter in
 ipv6 inspect FW in
!
interface Serial0.1 point-to-point
 ipv6 address 2001:db9:2::A/64
 ipv6 traffic-filter outboundfilter in
 frame-relay interface-dlci 200 IETF
!
```
There is also the Zone-Based Firewall, which is configured the same way in both IPv4 and IPv6 environments (the interfaces must be placed in the zones the zone-pair refers to, here inside and outside):

```
class-map type inspect match-any MYPROTOS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect OUTBOUND
 class type inspect MYPROTOS
  inspect
!
zone security inside
zone security outside
!
zone-pair security IN>OUT source inside destination outside
 service-policy type inspect OUTBOUND
!
interface fastethernet0/0
 zone-member security inside
!
interface fastethernet0/1
 zone-member security outside
!
```
Original content from TechTarget China; original link: http://www.searchnetworking.com.cn/showcontent_53322.htm

With the policy above you can assign either IPv4 or IPv6 addresses to the interfaces. TCP, UDP and ICMP are not Layer 3 protocols, so the firewall service is not affected by which address family is in use.

In short, this is a very simple example meant to make one point: on Cisco IOS devices, configuring a firewall for IPv6 differs very little from configuring one for IPv4. So you can start planning dual-stack support for your enterprise network now and keep the firewall working throughout.