Reference configuration files for switches and firewalls
H3C SecPath F1000-AI-80 (H3C firewall)
Set the time
clock timezone Taipei add 08:00:00
IRF stacking (I have not fully understood this feature; in practice there are still some issues, and I hear that stacking is not recommended for firewalls)
irf member 1 priority 31
irf member 2 priority 1
#
irf-port 1/2
port group interface Ten-GigabitEthernet1/0/14
port group interface Ten-GigabitEthernet1/0/15
#
irf-port 2/1
port group interface Ten-GigabitEthernet2/0/14
port group interface Ten-GigabitEthernet2/0/15
Configure NAT port mapping (using SSH as the example: 45.67.89.100:10022 --> 10.202.1.196:22)
interface Route-Aggregation1
description WAN.ISP.HK------
ip address 45.67.89.100 255.255.255.252
link-aggregation mode dynamic
ip last-hop hold
nat outbound counting
nat server protocol tcp global current-interface 10022 inside 10.202.1.196 22 rule SSH_ServerRule_1 counting description SSH_Server_196
Make sure the security policy permits the mapped port
rule 37 name NAT_Server.196
parent-group NATServer
action pass
logging enable
counting enable
source-zone Untrust
destination-zone Trust
destination-ip-host 10.202.1.196
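A mapping like the one above only works if a pass rule actually covers the inside host; a `nat server` entry with no matching policy is translated and then dropped. The following audit script is an added example written for this article (it is not H3C tooling). It parses a Comware-style config by indentation, collects every `nat server` mapping and every Untrust-to-Trust `pass` rule, and reports mappings with no covering rule. The sample config is constructed from the page's snippets with indentation restored, plus a hypothetical second mapping (10.202.1.197, rule `RDP_ServerRule_1`) whose only matching rule is a drop.

```python
import re

# Constructed sample: the page's NAT and policy snippets, re-indented the way
# Comware prints them, plus a second mapping (10.202.1.197, hypothetical) whose
# only matching rule is a drop, so the check has something to report.
SAMPLE_CONFIG = """\
interface Route-Aggregation1
 ip address 45.67.89.100 255.255.255.252
 nat server protocol tcp global current-interface 10022 inside 10.202.1.196 22 rule SSH_ServerRule_1 counting description SSH_Server_196
 nat server protocol tcp global current-interface 13389 inside 10.202.1.197 3389 rule RDP_ServerRule_1 counting
#
security-policy ip
 rule 37 name NAT_Server.196
  parent-group NATServer
  action pass
  source-zone Untrust
  destination-zone Trust
  destination-ip-host 10.202.1.196
 rule 38 name Drop.197
  action drop
  source-zone Untrust
  destination-zone Trust
  destination-ip-host 10.202.1.197
"""

NAT_SERVER = re.compile(
    r"nat server protocol (\S+) global \S+ (\d+) inside (\S+) (\d+) rule (\S+)")


def parse_tree(text):
    """Turn Comware's indentation into nested (command, children) nodes.
    '#' separator lines and blank lines are skipped."""
    root = []
    stack = [(-1, root)]          # (indent depth, child list) for open scopes
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= depth:   # close scopes at the same or deeper indent
            stack.pop()
        node = (raw.strip(), [])
        stack[-1][1].append(node)
        stack.append((depth, node[1]))
    return root


def nat_mappings(tree):
    """Every 'nat server' mapping, wherever it is nested: (rule, inside_ip, inside_port)."""
    found = []

    def walk(nodes):
        for cmd, kids in nodes:
            m = NAT_SERVER.match(cmd)
            if m:
                found.append((m.group(5), m.group(3), int(m.group(4))))
            walk(kids)

    walk(tree)
    return found


def inbound_pass_hosts(tree):
    """Hosts that a 'pass' rule from Untrust to Trust names explicitly."""
    hosts = set()
    for cmd, rules in tree:
        if cmd != "security-policy ip":
            continue
        for _rule, settings in rules:
            lines = [s for s, _ in settings]
            if {"action pass", "source-zone Untrust", "destination-zone Trust"} <= set(lines):
                hosts.update(s.split()[1] for s in lines
                             if s.startswith("destination-ip-host "))
    return hosts


def unreachable_mappings(config):
    """NAT rules whose inside host is covered by no inbound pass rule: the
    packet would be translated and then dropped by the security policy."""
    tree = parse_tree(config)
    allowed = inbound_pass_hosts(tree)
    return [rule for rule, ip, _port in nat_mappings(tree) if ip not in allowed]


if __name__ == "__main__":
    for rule in unreachable_mappings(SAMPLE_CONFIG):
        print(f"{rule}: mapped but not permitted by security-policy")
```

The check only recognises rules that name the host with `destination-ip-host`; rules that use address objects or subnets would need those objects resolved first, so treat a finding as something to verify rather than a definite gap.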
Pre-login banner
#
header login %
= = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Access is prohibited without authorization, and it is illegal to invade the device.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Contact information of person in charge of equipment configuration:
Zhang San . telephone number:
= = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Equipment site manager contact information:
Li Si . telephone number
= = = = = = = = = = = = = = = = = = = = = = = = = = = = =
%
#
Configure console, HTTPS and SSH login to the firewall
# console login authorization configuration
line con 0
authentication-mode password
user-role level-15
user-role network-admin
set authentication password hash $h$6$***********u4Di848D3A==
idle-timeout 300 0
# console login authorization configuration
line con 1
authentication-mode password
user-role level-15
user-role network-admin
set authentication password hash $h$6$***********u4Di848D3A==
idle-timeout 300 0
# ssh login authorization configuration
line vty 0 4
authentication-mode scheme
user-role level-15
user-role network-admin
protocol inbound ssh
idle-timeout 300 0
screen-length 50
# ssh login authorization configuration
line vty 5 63
authentication-mode scheme
user-role level-15
user-role network-admin
user-role network-operator
protocol inbound ssh
idle-timeout 300 0
screen-length 50
# ssh login account
local-user ssh-admin class manage
password hash $h$6$***********u4Di848D3A==
service-type ssh
authorization-attribute user-role network-admin
password-control length 16
password-control composition type-number 4 type-length 1
password-control login-attempt 3 exceed lock-time 30
# web login account
local-user web-admin class manage
password hash $h$6$***********u4Di848D3A==
service-type https
authorization-attribute user-role network-admin
password-control length 16
password-control composition type-number 4 type-length 1
password-control login-attempt 3 exceed lock-time 30
# enable the ssh service
ssh server enable
ssh user ssh-admin service-type stelnet authentication-type password
ssh server acl 2999
# enable the web service
ip https acl 2998
ip https enable
web idle-timeout 100
# web access allowlist
acl basic 2998
description http.s.login.permit.list--------
rule 0 permit source 10.0.20.0 0.0.0.255 counting
# ssh access allowlist
acl basic 2999
description ssh.login.permit.list--------
rule 0 permit source 10.0.20.0 0.0.0.255 counting
H3C S9850-4C (H3C switch)
IRF stacking
irf member 1 priority 31 # configure on switch 1, then save; normally no reboot is needed
irf member 2 priority 1 # configure on switch 2, then save and reboot
#
irf-port 1/2 # configure on switch 1
port group interface FortyGigE1/1/1 # configure on switch 1
port group interface FortyGigE1/1/2 # configure on switch 1, then save
#
irf-port 2/1 # configure on switch 2
port group interface FortyGigE2/1/1 # configure on switch 2
port group interface FortyGigE2/1/2 # configure on switch 2, then save
# cable check
<Core|S9850-4C|No.2>dis lld n l | include Core
FGE1/1/1 bcd0-eb86-ce38 FortyGigE2/1/1 Core|S9850-4C|No.2
FGE1/1/2 bcd0-eb86-ce38 FortyGigE2/1/2 Core|S9850-4C|No.2
FGE2/1/1 bcd0-eb86-ce38 FortyGigE1/1/1 Core|S9850-4C|No.2
FGE2/1/2 bcd0-eb86-ce38 FortyGigE1/1/2 Core|S9850-4C|No.2
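The LLDP neighbour list above is what confirms that the IRF cables land on the ports bound to each `irf-port`. The script below is an added example for this article (not H3C tooling) that automates that check: it reads the `irf-port` bindings and the `display lldp neighbor-information list` output, expands LLDP's short port names (FGE, XGE, GE), and flags any bound port whose neighbour is missing or is not one of the peer member's IRF ports. Both inputs are constructed from the page; the miscabled variant (FGE2/1/2 landing on FortyGigE1/1/3) is hypothetical.

```python
import re

# Constructed sample: the irf-port bindings from the switch snippet above,
# without the inline annotations.
IRF_CONFIG = """\
irf-port 1/2
 port group interface FortyGigE1/1/1
 port group interface FortyGigE1/1/2
#
irf-port 2/1
 port group interface FortyGigE2/1/1
 port group interface FortyGigE2/1/2
"""

# Constructed sample: the LLDP neighbour list as shown on the page (columns:
# local interface, chassis ID, port ID, system name).
LLDP_OK = """\
<Core|S9850-4C|No.2>dis lld n l | include Core
FGE1/1/1 bcd0-eb86-ce38 FortyGigE2/1/1 Core|S9850-4C|No.2
FGE1/1/2 bcd0-eb86-ce38 FortyGigE2/1/2 Core|S9850-4C|No.2
FGE2/1/1 bcd0-eb86-ce38 FortyGigE1/1/1 Core|S9850-4C|No.2
FGE2/1/2 bcd0-eb86-ce38 FortyGigE1/1/2 Core|S9850-4C|No.2
"""

# Constructed (hypothetical) variant: member 2's second IRF cable landed on a
# port that is not bound to any irf-port.
LLDP_MISCABLED = LLDP_OK.replace(
    "FGE2/1/2 bcd0-eb86-ce38 FortyGigE1/1/2", "FGE2/1/2 bcd0-eb86-ce38 FortyGigE1/1/3")

ABBREV = {"FGE": "FortyGigE", "XGE": "Ten-GigabitEthernet", "GE": "GigabitEthernet"}


def expand(port):
    """Map the short names LLDP prints (FGE1/1/1) to full interface names."""
    m = re.match(r"([A-Za-z-]+)(\d.*)", port)
    return ABBREV.get(m.group(1), m.group(1)) + m.group(2)


def irf_port_groups(config):
    """{irf-port name: set of bound physical ports}."""
    groups, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"irf-port (\d+/\d+)$", line)
        if m:
            current = m.group(1)
            groups[current] = set()
        elif line.startswith("port group interface ") and current:
            groups[current].add(line.split()[-1])
    return groups


def lldp_neighbors(output):
    """{local port: remote port} from the neighbour list; prompt and header lines skipped."""
    nbrs = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and re.match(r"[A-Z]+\d", parts[0]):
            nbrs[expand(parts[0])] = expand(parts[2])
    return nbrs


def irf_link_problems(config, lldp_output):
    """IRF physical ports whose LLDP neighbour is missing or is not one of the
    peer member's IRF physical ports (miscabled, or the peer side is unbound)."""
    groups = irf_port_groups(config)
    nbrs = lldp_neighbors(lldp_output)
    problems = []
    for name, ports in groups.items():
        member = name.split("/")[0]
        peer_ports = set().union(
            *(p for n, p in groups.items() if n.split("/")[0] != member))
        for port in sorted(ports):
            remote = nbrs.get(port)
            if remote is None:
                problems.append(f"{port}: no LLDP neighbour")
            elif remote not in peer_ports:
                problems.append(f"{port}: neighbour {remote} is not an IRF port on the peer")
    return problems


if __name__ == "__main__":
    print(irf_link_problems(IRF_CONFIG, LLDP_OK))         # []
    print(irf_link_problems(IRF_CONFIG, LLDP_MISCABLED))  # one finding
```

Run it against the real `display lldp neighbor-information list` output before saving and rebooting the second member; a port with no neighbour usually means the cable or transceiver is down rather than a binding error.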
STP root bridge
stp instance 0 root primary
stp pathcost-standard dot1t
stp global enable
Aggregation interface configuration for the downlink to a lower-tier switch
# stp root protection on the designated port
interface Bridge-Aggregation11
description downlink.to.S.Node.1------
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2 to 4094
link-aggregation mode dynamic
stp root-protection
# physical port joins the aggregation group
interface FortyGigE1/1/11
port link-mode bridge
description Join.to.BAGG11------
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2 to 4094
port link-aggregation group 11
# standby member's physical port joins the aggregation group
interface FortyGigE2/1/11
port link-mode bridge
description Join.to.BAGG11------
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2 to 4094
port link-aggregation group 11
Console, web and ssh login authentication configuration
line aux 0
authentication-mode password
user-role network-admin
set authentication password hash $h$6$XulY*******************whf+iQ==
idle-timeout 300 0
#
line vty 0 63
authentication-mode scheme
user-role network-admin
user-role network-operator
protocol inbound ssh
idle-timeout 300 0
screen-length 50
#
ssh server enable
ssh server acl 2999
#
acl basic 2998
description http.s.login.permit.list--------
rule 0 permit source 10.0.20.0 0.0.0.255 counting
#
acl basic 2999
description ssh.login.permit.list--------
rule 0 permit source 10.0.20.0 0.0.0.255 counting
#
local-user ssh-admin class manage
password hash $h$6$XulY*******************whf+iQ==
service-type ssh
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
password-control length 16
password-control composition type-number 4 type-length 1
password-control login-attempt 3 exceed lock-time 30
#
local-user web-admin class manage
password hash $h$6$XulY*******************whf+iQ==
service-type https
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
password-control length 16
password-control composition type-number 4 type-length 1
password-control login-attempt 3 exceed lock-time 30
#
restful http enable
restful https enable
#
http acl 2998
https acl 2998
#
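Both the firewall and the switch sections above apply the same management-plane pattern: VTY lines restricted to SSH, an ACL bound to the SSH and HTTPS services, and per-account `password-control` settings. The script below is an added example for this article (not H3C tooling) that audits those three points on a Comware-style config. The sample is constructed from the page's switch snippet, deliberately weakened so each check reports something: the VTY lines accept `protocol inbound all`, the HTTPS service is bound to ACL 2998 which is never defined, and `web-admin` has an 8-character length rule and no lockout.

```python
# Constructed sample: the switch management snippet, re-indented, with three
# weaknesses introduced on purpose (see the comments marked WEAK).
SAMPLE_CONFIG = """\
line aux 0
 authentication-mode password
 user-role network-admin
 idle-timeout 300 0
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
 protocol inbound all
 idle-timeout 300 0
#
ssh server enable
ssh server acl 2999
ip https enable
https acl 2998
#
acl basic 2999
 description ssh.login.permit.list
 rule 0 permit source 10.0.20.0 0.0.0.255 counting
#
local-user ssh-admin class manage
 service-type ssh
 authorization-attribute user-role network-admin
 password-control length 16
 password-control composition type-number 4 type-length 1
 password-control login-attempt 3 exceed lock-time 30
#
local-user web-admin class manage
 service-type https
 authorization-attribute user-role network-admin
 password-control length 8
"""
# WEAK: 'protocol inbound all' also admits Telnet; ACL 2998 is bound but not
# defined; web-admin allows 8-character passwords and has no lockout rule.


def top_level_blocks(config):
    """Group a Comware config into (command, [sub-commands]) by indentation."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw.startswith(" ") and current:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def open_vty_lines(blocks):
    """VTY line groups not restricted to SSH (absent or 'all' also admits Telnet)."""
    return [cmd for cmd, subs in blocks
            if cmd.startswith("line vty") and "protocol inbound ssh" not in subs]


def unbound_services(blocks):
    """Enabled services with no ACL, or bound to an ACL that is not defined.
    Both the firewall ('ip https acl') and switch ('https acl') spellings count."""
    cmds = [cmd for cmd, _ in blocks]
    defined = {cmd.split()[2] for cmd in cmds if cmd.startswith("acl basic ")}
    findings = []
    for enable, prefixes in (("ssh server enable", ("ssh server acl ",)),
                             ("ip https enable", ("ip https acl ", "https acl "))):
        if enable not in cmds:
            continue
        bound = [c.split()[-1] for c in cmds if c.startswith(prefixes)]
        if not bound:
            findings.append(f"{enable}: no ACL bound")
        elif bound[0] not in defined:
            findings.append(f"{enable}: ACL {bound[0]} is not defined")
    return findings


def weak_password_policy(blocks, min_len=16):
    """Manage-class accounts lacking a length rule of at least min_len or a lockout rule."""
    weak = []
    for cmd, subs in blocks:
        if not (cmd.startswith("local-user ") and "class manage" in cmd):
            continue
        lengths = [int(s.split()[2]) for s in subs if s.startswith("password-control length ")]
        lockout = any(s.startswith("password-control login-attempt ") for s in subs)
        if not lengths or lengths[0] < min_len or not lockout:
            weak.append(cmd.split()[1])
    return weak


def audit(config):
    blocks = top_level_blocks(config)
    return {"open_vty": open_vty_lines(blocks),
            "unbound_services": unbound_services(blocks),
            "weak_accounts": weak_password_policy(blocks)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

The per-user `password-control` lines only take effect when the global `password-control enable` is on, which neither snippet shows; the audit reports what is configured and does not assume that global switch is set.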
This article is from cnblogs (博客园), author: Ojox. When reposting, please credit the original link: https://www.cnblogs.com/Ojox/p/18488352
