Posted by 武林奇才 (regular member, level 11, 147 posts, registered 2004/06/25)
A few questions about CBAC

There are a few things about CBAC that I don't quite understand, and I'd like some help from the experts here. Take the configuration below:
ip inspect name cisco tcp
ip inspect name cisco udp
ip inspect name cisco icmp
ip audit po max-events 100
!
interface Ethernet0/0
 ip address 1.1.14.4 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 ip address 1.1.46.4 255.255.255.0
 ip access-group 100 in
 ip inspect cisco out
 half-duplex
!
ip route 1.1.1.0 255.255.255.0 1.1.14.1
!
!
access-list 100 permit ip host 1.1.46.6 host 1.1.1.1
access-list 100 deny ip any any
!
With just the basic configuration above, CBAC already has a number of default values in place, for example:

r4#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name cisco
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    icmp alert is on audit-trail is off timeout 10

Interface Configuration
 Interface Ethernet0/1
  Inbound inspection rule is not set
  Outgoing inspection rule is cisco
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    icmp alert is on audit-trail is off timeout 10
  Inbound access list is 100
  Outgoing access list is not set

Do these default timeout values apply to the access control (the ACL), or to all IP addresses? And do they apply to the "in" direction or the "out" direction on interface e0/1?

Also, can CBAC limit the sessions of a single, otherwise normal host? For example, can it cap a particular PC at a maximum of 10 TCP sessions? Is that possible?
What is the highest, and what is the lowest? Today you are the highest, but what about tomorrow!
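The configuration below is an added, annotated example written for this thread; it is not the poster's config and not a Cisco document. It keeps the poster's addressing (1.1.14.0/24 on e0/0, 1.1.46.0/24 on e0/1, rule name "cisco", ACL 100) and makes explicit where each timer and threshold from the "show ip inspect all" output lives and which direction it acts on. The non-default values (synwait 20 s, idle 1800 s, the per-host limit of 10, block-time 2, the "log" keyword) are assumptions chosen for illustration. It also shows the one per-host limit CBAC has, "ip inspect tcp max-incomplete host", which counts half-open TCP connections to the same destination host; CBAC has no knob that caps the established sessions of a given source PC.

```cisco
! Added example, not from the original post. Addresses follow the poster's
! topology; non-default timer and threshold values are assumed for illustration.
!
! Global CBAC timers. These belong to the inspection engine, not to any ACL:
! they apply to every session created by an "ip inspect <name>" rule, on every
! interface, whatever the packet matched in an access list.
ip inspect tcp synwait-time 20          ! half-open TCP sessions dropped after 20 s (default 30)
ip inspect tcp finwait-time 5           ! default
ip inspect tcp idle-time 1800           ! idle established TCP dropped after 30 min (default 3600)
ip inspect udp idle-time 30             ! default
ip inspect dns-timeout 5                ! default
!
! Global DoS thresholds: total half-open sessions (max-incomplete) and new
! half-open sessions per minute (one-minute). Above "high", CBAC deletes the
! oldest half-open sessions until the count falls back to "low".
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! The only per-host limit CBAC offers: half-open TCP connections to the SAME
! DESTINATION host. Above 10, all half-open sessions to that host are deleted
! and new connection attempts to it are blocked for block-time minutes
! (with block-time 0 only the oldest half-open session is deleted instead).
! This does not cap established sessions and does not key on the source PC.
ip inspect tcp max-incomplete host 10 block-time 2
!
! Inspection rule. A per-protocol timeout here overrides the global idle-time
! for sessions created by this rule only (these are the values shown under
! "Inspection Rule Configuration" in show ip inspect all).
ip inspect name cisco tcp timeout 1800 audit-trail on
ip inspect name cisco udp timeout 30
ip inspect name cisco icmp timeout 10
!
interface Ethernet0/1
 ip address 1.1.46.4 255.255.255.0
 ! "out": packets LEAVING e0/1 (arriving from the 1.1.14.0 side, headed to
 ! 1.1.46.0) are inspected. For each session CBAC adds a temporary entry that
 ! lets only the matching return traffic back IN through ACL 100 on this same
 ! interface. Packets arriving inbound on e0/1 are not inspected; they are
 ! checked only against ACL 100.
 ip inspect cisco out
 ip access-group 100 in
!
! Static permit: 1.1.46.6 -> 1.1.1.1 is always allowed inbound, independently
! of CBAC and with no session state kept for it. Everything else inbound on
! e0/1 is dropped unless a CBAC return-traffic entry exists for it.
access-list 100 permit ip host 1.1.46.6 host 1.1.1.1
access-list 100 deny ip any any log
!
! Verification from exec mode:
!   show ip inspect config       - effective timers, thresholds and rules
!   show ip inspect interfaces   - which rule and ACL are bound in which direction
!   show ip inspect sessions     - live sessions (established and half-open)
```

Usage note: to see the per-rule timeout override take effect, compare "show ip inspect config" before and after adding "timeout 1800" to the tcp line; the global "tcp idle-time" line is unchanged while the rule's tcp entry reports 1800. A limit of established sessions per source host is not available in CBAC; that kind of limit is a feature of the later zone-based firewall, not of "ip inspect".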