Cisco IOS: is ip inspect in use?

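I have a Cisco IOS router that contains the code below. The code appears to define Context-Based Access Control inspection rules. I don't think it is used anywhere.

SDM_HIGH and DEFAULT100 appear in the inspect and appfw configuration blocks I show below.

Does this mean these rules are not used? I would very much like to remove this configuration from the config so that it is smaller and easier to understand completely.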

    ip inspect log drop-pkt
    ip inspect name DEFAULT100 appfw DEFAULT100
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip inspect name DEFAULT100 bliff
    ip inspect name DEFAULT100 imap
    ip inspect name DEFAULT100 imaps
    ip inspect name DEFAULT100 imap3
    ip inspect name DEFAULT100 lotusnote
    ip inspect name DEFAULT100 lotusmtap
    ip inspect name DEFAULT100 pop3
    ip inspect name DEFAULT100 pop3s
    ip inspect name DEFAULT100 qmtp-tcp
    ip inspect name DEFAULT100 http
    ip inspect name DEFAULT100 https
    ip inspect name DEFAULT100 dns
    ip inspect name SDM_HIGH appfw SDM_HIGH
    ip inspect name SDM_HIGH icmp
    ip inspect name SDM_HIGH dns
    ip inspect name SDM_HIGH esmtp
    ip inspect name SDM_HIGH imap reset
    ip inspect name SDM_HIGH pop3 reset
    ip inspect name SDM_HIGH tcp
    ip inspect name SDM_HIGH udp
    ip inspect name SDM_HIGH https
    ip inspect name SDM_HIGH bliff
    ip inspect name SDM_HIGH imaps
    ip inspect name SDM_HIGH imap3
    ip inspect name SDM_HIGH lotusnote
    ip inspect name SDM_HIGH lotusmtap
    ip inspect name SDM_HIGH pop3s
    ip inspect name SDM_HIGH qmtp-tcp
    ....

    appfw policy-name SDM_HIGH
      application im aol
        service default action reset alarm
        service text-chat action reset alarm
        server deny name login.oscar.aol.com
        server deny name toc.oscar.aol.com
        server deny name oam-d09a.blue.aol.com
        audit-trail on
      application im msn
        service default action reset alarm
        service text-chat action reset alarm
        server deny name messenger.hotmail.com
        server deny name gateway.messenger.hotmail.com
        server deny name webmessenger.msn.com
        audit-trail on
      application http
        port-misuse im action reset alarm
        port-misuse p2p action reset alarm
        port-misuse tunneling action reset alarm
        audit-trail on
      application im yahoo
        service default action reset alarm
        service text-chat action reset alarm
        server deny name scs.msg.yahoo.com
        server deny name scsa.msg.yahoo.com
        server deny name scsb.msg.yahoo.com
        server deny name scsc.msg.yahoo.com
        server deny name scsd.msg.yahoo.com
        server deny name messenger.yahoo.com
        server deny name cs16.msg.dcn.yahoo.com
        server deny name cs19.msg.dcn.yahoo.com
        server deny name cs42.msg.dcn.yahoo.com
        server deny name cs53.msg.dcn.yahoo.com
        server deny name cs54.msg.dcn.yahoo.com
        server deny name ads1.vip.scd.yahoo.com
        server deny name radio1.launch.vip.dal.yahoo.com
        server deny name in1.msg.vip.re2.yahoo.com
        server deny name data1.my.vip.sc5.yahoo.com
        server deny name address1.pim.vip.mud.yahoo.com
        server deny name edit.messenger.yahoo.com
        server deny name http.pager.yahoo.com
        server deny name privacy.yahoo.com
        server deny name csa.yahoo.com
        server deny name csb.yahoo.com
        server deny name csc.yahoo.com
        audit-trail on
    !

    appfw policy-name DEFAULT100
      application im aol
        service default action reset alarm
        service text-chat action reset alarm
        server deny name login.oscar.aol.com
        server deny name toc.oscar.aol.com
        server deny name oam-d09a.blue.aol.com
        audit-trail on
      application im msn
        service default action reset alarm
        service text-chat action reset alarm
        server deny name messenger.hotmail.com
        server deny name gateway.messenger.hotmail.com
        server deny name webmessenger.msn.com
        audit-trail on
      application http
        strict-http action reset alarm
        port-misuse im action reset alarm
        port-misuse tunneling action reset alarm
        audit-trail on
      application im yahoo
        service default action reset alarm
        service text-chat action reset alarm
        server deny name scs.msg.yahoo.com
        server deny name scsa.msg.yahoo.com
        server deny name scsb.msg.yahoo.com
        server deny name scsc.msg.yahoo.com
        server deny name scsd.msg.yahoo.com
        server deny name messenger.yahoo.com
        server deny name cs16.msg.dcn.yahoo.com
        server deny name cs19.msg.dcn.yahoo.com
        server deny name cs42.msg.dcn.yahoo.com
        server deny name cs53.msg.dcn.yahoo.com
        server deny name cs54.msg.dcn.yahoo.com
        server deny name ads1.vip.scd.yahoo.com
        server deny name radio1.launch.vip.dal.yahoo.com
        server deny name in1.msg.vip.re2.yahoo.com
        server deny name data1.my.vip.sc5.yahoo.com
        server deny name address1.pim.vip.mud.yahoo.com
        server deny name edit.messenger.yahoo.com
        server deny name http.pager.yahoo.com
        server deny name privacy.yahoo.com
        server deny name csa.yahoo.com
        server deny name csb.yahoo.com
        server deny name csc.yahoo.com
        audit-trail on
    !
    !

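Based on your configuration, these rules are not being used. Double-check each router interface for evidence of the "ip inspect" command (show run | in inspect). If it were enabled, I would expect to see (for example):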

    interface serial 0/0
     ip inspect SDM_HIGH in
     ip inspect DEFAULT100 in

The following document may help explain what you are seeing, and provides examples of how these commands tie together:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fw_im.html
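
The check described in the answer, as an added example that is not part of the original answer: a Python sketch that reads a saved running-config and lists the ip inspect rule names and appfw policies that no interface applies. The sample config is constructed (it is not the asker's router), and `audit_inspect` is a hypothetical helper name.

```python
import re

# Constructed sample running-config: SDM_HIGH is bound to an interface,
# DEFAULT100 is defined but never applied.
SAMPLE_CONFIG = """\
ip inspect log drop-pkt
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 tcp
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH imap reset
!
appfw policy-name SDM_HIGH
 application http
  port-misuse p2p action reset alarm
!
appfw policy-name DEFAULT100
 application http
  strict-http action reset alarm
!
interface Serial0/0
 ip inspect SDM_HIGH in
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

def audit_inspect(config):
    """Report where inspect rules are applied and which definitions are dead."""
    defined, applied, appfw_defined, appfw_refs = set(), {}, set(), {}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # any top-level line ends interface scope
            iface = None
        if m := re.match(r"interface (\S+(?: \S+)?)$", line):
            iface = m.group(1)
        elif m := re.match(r"ip inspect name (\S+) (\S+)(?: (\S+))?", line):
            defined.add(m.group(1))
            if m.group(2) == "appfw" and m.group(3):
                appfw_refs.setdefault(m.group(3), set()).add(m.group(1))
        elif m := re.match(r"appfw policy-name (\S+)", line):
            appfw_defined.add(m.group(1))
        elif iface and (m := re.match(r"ip inspect (\S+) (in|out)$", line)):
            applied.setdefault(m.group(1), []).append((iface, m.group(2)))
    # An appfw policy is live only if an applied inspect rule references it.
    live = {p for p, rules in appfw_refs.items() if rules & set(applied)}
    return {"applied": applied,
            "unused_rules": sorted(defined - set(applied)),
            "unused_appfw": sorted(appfw_defined - live)}
```

A name listed under `unused_rules` is a candidate for removal together with any appfw policy listed under `unused_appfw`; compare the result with `show run | in inspect` on the device before deleting anything.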