有一个 Cisco IOS 路由器,其中有以下代码。下面的代码似乎定义了基于上下文的访问控制引擎检查规则。我认为这些都没有用到。
单词SDM_HIGH、DEFAULT100、inspect、唯一出现appfw的就是我在下面显示的配置块中。
这是否意味着这些规则没有被使用?我非常希望从配置中消除这些规则,以便配置更小,更容易理解。
ip inspect log drop-pkt
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 bliff
ip inspect name DEFAULT100 imap
ip inspect name DEFAULT100 imaps
ip inspect name DEFAULT100 imap3
ip inspect name DEFAULT100 lotusnote
ip inspect name DEFAULT100 lotusmtap
ip inspect name DEFAULT100 pop3
ip inspect name DEFAULT100 pop3s
ip inspect name DEFAULT100 qmtp-tcp
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 dns
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH bliff
ip inspect name SDM_HIGH imaps
ip inspect name SDM_HIGH imap3
ip inspect name SDM_HIGH lotusnote
ip inspect name SDM_HIGH lotusmtap
ip inspect name SDM_HIGH pop3s
ip inspect name SDM_HIGH qmtp-tcp
....
appfw policy-name SDM_HIGH
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
audit-trail on
application http
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
audit-trail on
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name messenger.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
!
appfw policy-name DEFAULT100
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
audit-trail on
application http
strict-http action reset alarm
port-misuse im action reset alarm
port-misuse tunneling action reset alarm
audit-trail on
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name messenger.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
!
!
答案1
根据您的配置,这些规则是不是正在使用。仔细检查每个路由器接口是否有“ip inspect”命令的证据以确保(show run | in inspect)。如果启用了它们,我希望看到(例如):
interface serial 0/0
ip inspect SDM_HIGH in
ip inspect DEFAULT100 in
下面的文档可能有助于准确解释您所看到的内容,并提供这些命令如何结合在一起的示例:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fw_im.html