Huawei Device Security Configuration

Covers several areas: access control, firewall configuration (on a Huawei firewall nothing passes between security zones by default; inter-zone security policies have to be configured first), authentication and authorization, and encryption.

1. Access Control Lists (ACL)

ACLs are used to filter network traffic, controlling which traffic is permitted and which is denied. The ACL number decides the type: 2000-2999 is a basic ACL (matches on source address only), 3000-3999 is an advanced ACL (matches on protocol, source/destination address and port).

[Huawei]acl number 2000 # create ACL 2000; this number range makes it a basic ACL
[Huawei-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255 # permit traffic from this source network (a basic ACL rule takes no "ip" keyword; "rule permit ip source ..." is advanced-ACL syntax)
[Huawei-acl-basic-2000]quit

Apply the ACL to an interface

[Huawei]interface GigabitEthernet0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 2000 # apply the ACL in the inbound direction
[Huawei-GigabitEthernet0/0/1]quit

Caveat: with traffic-filter, a packet that matches no rule in the ACL is forwarded. ACL 2000 as written permits 192.168.1.0/24 explicitly and every other source implicitly; to block other sources, the ACL must end with an explicit deny rule.
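Because traffic-filter forwards packets that match no rule, a filtering ACL should list the permitted services and close with an explicit deny. The following is an added example, not code from the original page: an advanced ACL that lets a user VLAN reach only an HTTPS server and a DNS resolver, blocks SSH from that VLAN to anything, and denies all remaining traffic. The subnets, server addresses, ACL number and interface are assumed values.

```text
[Huawei]acl number 3001                                    # 3000-3999: advanced ACL, matches protocol, addresses and ports
[Huawei-acl-adv-3001]description Users-to-DC-inbound
[Huawei-acl-adv-3001]rule 5 permit tcp source 192.168.1.0 0.0.0.255 destination 10.0.0.10 0 destination-port eq 443   # HTTPS to the application server (assumed addresses)
[Huawei-acl-adv-3001]rule 10 permit udp source 192.168.1.0 0.0.0.255 destination 10.0.0.53 0 destination-port eq 53   # DNS to the internal resolver (assumed address)
[Huawei-acl-adv-3001]rule 15 deny tcp destination-port eq 22                                                          # no SSH from the user VLAN to any host
[Huawei-acl-adv-3001]rule 20 deny ip                                                                                 # explicit catch-all; without it traffic-filter forwards unmatched packets
[Huawei-acl-adv-3001]quit
[Huawei]interface GigabitEthernet0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3001                                                         # inbound from the user VLAN
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]display acl 3001                                                                                             # verify the rule order; rules are evaluated by number, first match wins
```

Rules are matched in ascending order of rule number, so the specific permits must carry lower numbers than the catch-all deny; leaving gaps of 5 (the default step) makes it possible to insert a rule later without renumbering.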

2. Firewall Configuration

Huawei devices with firewall functionality (the USG series) support stateful inspection: interfaces are assigned to security zones, and security policies decide which traffic may cross from one zone to another. Traffic between zones is denied unless a policy permits it.

# Assign interfaces to security zones (trust and untrust exist by default; entering the zone view does not "enable" the firewall)
[Huawei]firewall zone trust
[Huawei-zone-trust]add interface GigabitEthernet0/0/1 # inside interface joins the trust zone
[Huawei-zone-trust]quit
[Huawei]firewall zone untrust
[Huawei-zone-untrust]add interface GigabitEthernet0/0/2 # outside interface joins the untrust zone
[Huawei-zone-untrust]quit

# Configure a security policy
[Huawei]security-policy
[Huawei-policy-security]rule name policy1
[Huawei-policy-security-rule-policy1]source-zone trust
[Huawei-policy-security-rule-policy1]destination-zone untrust
[Huawei-policy-security-rule-policy1]action permit # permits all traffic from trust to untrust; without source-address, destination-address or service conditions every host and protocol is allowed out
[Huawei-policy-security-rule-policy1]quit

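A tighter version of the same policy, as an added example that is not part of the original page: the trust-to-untrust rule is limited to one source network and to web and DNS services, a second rule allows SSH to the firewall itself (the "local" zone) from a single management host, and the default action is stated explicitly. Addresses and rule names are assumed values.

```text
[Huawei]security-policy
[Huawei-policy-security]rule name trust-to-untrust-web
[Huawei-policy-security-rule-trust-to-untrust-web]source-zone trust
[Huawei-policy-security-rule-trust-to-untrust-web]destination-zone untrust
[Huawei-policy-security-rule-trust-to-untrust-web]source-address 192.168.1.0 mask 255.255.255.0   # assumed inside network
[Huawei-policy-security-rule-trust-to-untrust-web]service http                                    # predefined service objects
[Huawei-policy-security-rule-trust-to-untrust-web]service https
[Huawei-policy-security-rule-trust-to-untrust-web]service dns
[Huawei-policy-security-rule-trust-to-untrust-web]action permit
[Huawei-policy-security-rule-trust-to-untrust-web]quit
[Huawei-policy-security]rule name mgmt-to-local
[Huawei-policy-security-rule-mgmt-to-local]source-zone trust
[Huawei-policy-security-rule-mgmt-to-local]destination-zone local                                  # "local" is the firewall itself
[Huawei-policy-security-rule-mgmt-to-local]source-address 192.168.1.10 mask 255.255.255.255        # single assumed management host
[Huawei-policy-security-rule-mgmt-to-local]service ssh
[Huawei-policy-security-rule-mgmt-to-local]action permit
[Huawei-policy-security-rule-mgmt-to-local]quit
[Huawei-policy-security]default action deny                                                        # already the default; stated so a later change shows up in the saved configuration
[Huawei-policy-security]quit
[Huawei]interface GigabitEthernet0/0/1
[Huawei-GigabitEthernet0/0/1]service-manage enable                                                 # management access to the interface is additionally gated per service
[Huawei-GigabitEthernet0/0/1]service-manage ssh permit
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]display security-policy rule all                                                           # check rule order and hit counters
```

Rules are matched top to bottom, so a broad rule such as policy1 placed above these two would make them irrelevant; keep specific rules first and let the default deny handle the rest.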

3. Authentication and Authorization

Huawei devices support multiple authentication methods, such as local authentication and RADIUS authentication.

# Configure a local user
[Huawei]aaa
[Huawei-aaa]local-user admin password irreversible-cipher <strong-password> # enter the password in plaintext (placeholder shown); the device stores an irreversible hash, and only that hash appears in the saved configuration
[Huawei-aaa]local-user admin privilege level 15 # highest privilege level (range 0-15)
[Huawei-aaa]local-user admin service-type ssh # the account may log in over SSH only
[Huawei-aaa]quit

# Configure VTY authentication
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode aaa # authenticate VTY logins against AAA (the local user above, or RADIUS if configured)
[Huawei-ui-vty0-4]protocol inbound ssh # these lines accept SSH only; Telnet is refused
[Huawei-ui-vty0-4]quit

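The lines above make the VTY accept SSH, but the SSH server itself still has to be enabled and given a host key, and Telnet should be switched off device-wide rather than only on the VTY lines. The following is an added example (not from the original page) that completes the SSH hardening on a VRP router or switch. It assumes the local user admin configured above, a management host at 192.168.1.10 and ACL number 2001, all of which are assumed values.

```text
[Huawei]rsa local-key-pair create                        # generate the SSH host key; answer the size prompt with 2048 or larger
[Huawei]stelnet server enable                            # start the SSH (STelnet) server; "protocol inbound ssh" alone does not
[Huawei]undo telnet server enable                        # disable the Telnet server so cleartext logins are impossible anywhere
[Huawei]ssh server authentication-retries 3              # drop the connection after 3 failed attempts
[Huawei]ssh server timeout 60                            # seconds allowed to complete authentication
[Huawei]ssh user admin authentication-type password      # SSH user must match the AAA local user
[Huawei]ssh user admin service-type stelnet
[Huawei]acl number 2001                                  # basic ACL: allowed management sources
[Huawei-acl-basic-2001]rule 5 permit source 192.168.1.10 0   # assumed management host
[Huawei-acl-basic-2001]rule 10 deny                          # refuse every other source
[Huawei-acl-basic-2001]quit
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]acl 2001 inbound                       # only sources matching ACL 2001 may open a VTY session
[Huawei-ui-vty0-4]idle-timeout 5 0                       # disconnect after 5 minutes idle
[Huawei-ui-vty0-4]quit
[Huawei]display ssh server status                        # confirm STelnet is enabled and Telnet is not
[Huawei]display ssh user-information                     # confirm the admin SSH user and its service type
```

Unlike traffic-filter on an interface, the VTY ACL has an explicit deny here, so a source that is not 192.168.1.10 cannot even reach the login prompt; failed attempts from allowed hosts are still bounded by authentication-retries.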

4. IPsec VPN Configuration

IPsec VPN establishes encrypted tunnels between two or more remote networks. The configuration has four parts: an IKE proposal (how the peers authenticate each other and derive keys), an IKE peer (who the remote end is and the shared secret), an IPsec policy (which traffic is protected and with which IPsec proposal), and the interface the policy is applied to.

# Configure the IKE proposal
[Huawei]ike proposal 1
[Huawei-ike-proposal-1]encryption-algorithm aes-256 # AES-256 for the IKE SA
[Huawei-ike-proposal-1]authentication-algorithm sha2-256 # SHA-256; avoid md5 and sha1
[Huawei-ike-proposal-1]dh group14 # 2048-bit MODP group; group1 and group2 are too weak
[Huawei-ike-proposal-1]quit

# Configure the IKE peer
[Huawei]ike peer remote-peer
[Huawei-ike-peer-remote-peer]exchange-mode main # IKEv1 main mode; aggressive mode sends the PSK-derived identity hash unencrypted and should be avoided
[Huawei-ike-peer-remote-peer]pre-shared-key cipher %^%#K8m.Nt84Dz1f=eTr34vf34%^%# # type a strong key in plaintext when configuring; the %^%#...%^%# form is how the saved configuration displays the encrypted key
[Huawei-ike-peer-remote-peer]ike-proposal 1
[Huawei-ike-peer-remote-peer]remote-address ipv4 1.1.1.1 # public address of the remote peer (placeholder value)
[Huawei-ike-peer-remote-peer]quit

# Configure the IPsec policy
[Huawei]ipsec policy map1 10
[Huawei-ipsec-policy-map1-10]security acl 3000 # advanced ACL selecting the traffic to protect; must be defined separately
[Huawei-ipsec-policy-map1-10]ike-peer remote-peer
[Huawei-ipsec-policy-map1-10]proposal 1 # IPsec proposal 1 (ESP algorithms); must be defined separately and is distinct from IKE proposal 1
[Huawei-ipsec-policy-map1-10]quit

# Apply the IPsec policy to the interface facing the remote peer
[Huawei]interface GigabitEthernet0/0/1
[Huawei-GigabitEthernet0/0/1]ipsec policy map1
[Huawei-GigabitEthernet0/0/1]quit

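The policy above references ACL 3000 and IPsec proposal 1 without defining either, so as written the tunnel cannot be negotiated. As an added example that is not part of the original page, the following supplies both, adds PFS and rekeying to the policy entry, and lists the commands used to verify the result. The local and remote subnets are assumed values; the IPsec proposal matches the algorithm strength of the IKE proposal.

```text
# Traffic selector: only packets between the two protected subnets enter the tunnel
[Huawei]acl number 3000
[Huawei-acl-adv-3000]rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255   # assumed local and remote subnets
[Huawei-acl-adv-3000]quit

# IPsec proposal: algorithms for the ESP SA (separate from the IKE proposal, which protects the negotiation itself)
[Huawei]ipsec proposal 1
[Huawei-ipsec-proposal-1]transform esp                         # ESP provides confidentiality plus integrity; AH encrypts nothing
[Huawei-ipsec-proposal-1]encapsulation-mode tunnel             # site-to-site: the whole inner IP packet is encapsulated
[Huawei-ipsec-proposal-1]esp encryption-algorithm aes-256
[Huawei-ipsec-proposal-1]esp authentication-algorithm sha2-256
[Huawei-ipsec-proposal-1]quit

# Hardening on the existing policy entry
[Huawei]ipsec policy map1 10
[Huawei-ipsec-policy-map1-10]pfs dh-group14                    # fresh DH exchange per IPsec SA; compromise of IKE keying material does not expose past traffic
[Huawei-ipsec-policy-map1-10]sa duration time-based 3600       # rekey the IPsec SA every hour
[Huawei-ipsec-policy-map1-10]quit

# Verification once traffic matching ACL 3000 has been sent
[Huawei]display ike sa                                         # the IKE SA should show the remote peer in RD (ready) state
[Huawei]display ipsec sa                                       # one inbound and one outbound ESP SA per policy entry, with the negotiated algorithms
[Huawei]display ipsec statistics esp                           # encrypted and decrypted packet counters should increase
```

Both ends must agree on the ACL (mirror-imaged), the IPsec proposal, the IKE proposal and the pre-shared key; a mismatch in any one of them shows up as a missing SA in display ike sa or display ipsec sa rather than as an explicit error.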

posted @ 2026-01-10 16:41 techNote