Network practice: switch 7506 and firewall configuration

Configuration of the core switch and firewall in the central server room

Core switch

The core switch installed in the central server room is an H3C S7503 fully modular multi-service core switch. Its configuration: dual redundant power supplies, 3 service slots and 1 main control slot; backplane bandwidth 1000 Gbps; packet forwarding rate 274 Mpps; FLASH 64 MB; DRAM 512 MB; network standards IEEE 802.1d, IEEE 802.1x, IEEE 802.3, IEEE 802.3u, IEEE 802.3x, IEEE 802.3z, IEEE 802.1Q, IEEE 802.1p; transmission rates 10/100/1000/10000 Mbps; 1 console port, 1 10/100BASE-TX management port and 48 Gigabit Ethernet copper ports. The port LEDs mean the following: off: the link is not up; steady on: the link is up; blinking: data is being sent or received.

Firewall

The firewall installed in the central server room is an H3C SecPath F1000-S enterprise-class high-end firewall. Its configuration: dual redundant power supplies, 1 console (CON) port, 1 backup (AUX) port, 2 10/100/1000M Ethernet ports (fiber or copper), 2 10/100/1000M Ethernet ports (copper), 2 MIM slots; CPU 600 MHz; FLASH 16 MB; DDR RAM 512 MB. The port LEDs mean the following: off: the link is not up; steady on: the link is up; blinking: data is being sent or received.

The core switch configuration is as follows:

Login authentication

Username:admin
Password:
dis curr
#
 version 5.20, Release 6605P06
#
 sysname 7503
#
 domain default enable system
#
 telnet server enable
#
 mirroring-group 1 local
#
switch-mode standard
#
 time-range web 12:00 to 13:00 daily
#
acl number 3000
 rule 0 deny ip source 172.16.6.100 0 destination 172.16.3.103 0 time-range web
 rule 1 deny ip source 172.16.6.100 0 destination 172.16.3.104 0 time-range web
 rule 2 deny ip source 172.16.6.100 0 destination 172.16.3.105 0 time-range web
acl number 3001
 rule 0 deny ip
#
vlan 1
 description Default
#
vlan 2
 description F1000-S
#
vlan 3
 description SERVER
#
vlan 4
 description SERVER_MANAGER
#
vlan 5
 description DAPING
#
vlan 6
 description WEB
#
vlan 10
 description VPN_Line
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
traffic classifier web2 operator and
 if-match acl 3001
traffic classifier web operator and
 if-match acl 3000
#
traffic behavior web2
 filter deny
traffic behavior web
 filter permit
#
qos policy web
 classifier web behavior web
 classifier web2 behavior web2
#
user-group system
#
local-user admin
 password simple Center!#
 authorization-attribute level 3
 service-type telnet terminal
local-user center
 password cipher $.T)1&WJ-%DJL.:OE)Q!
 authorization-attribute level 3
 service-type telnet terminal
#
interface NULL0
#
interface LoopBack10
 ip address 172.16.10.1 255.255.255.255
#
interface Vlan-interface1
 description VLAN1
 ip address 172.16.1.254 255.255.255.0
#
interface Vlan-interface2
 description connect to Firewall
 ip address 172.16.2.254 255.255.255.0
#
interface Vlan-interface3
 description SERVER
 ip address 172.16.3.254 255.255.255.0
#
interface Vlan-interface4
 description SERVER_MANAGER
 ip address 172.16.4.254 255.255.255.0
#
interface Vlan-interface5
 description DAPING
 ip address 192.168.1.254 255.255.255.0
#
interface Vlan-interface6
 description WEB
 ip address 172.16.6.254 255.255.255.0
#
interface Vlan-interface10
 description connect to Local-VPN-Special-Line
 ip address 172.16.99.1 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
 shutdown
#
interface GigabitEthernet0/0/6
 shutdown
#
interface GigabitEthernet0/0/7
 shutdown
#
interface GigabitEthernet0/0/8
 shutdown
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
 port access vlan 10
#
interface GigabitEthernet0/0/20
 port access vlan 10
#
interface GigabitEthernet0/0/21
 port access vlan 10
#
interface GigabitEthernet0/0/22
 port access vlan 10
#
interface GigabitEthernet0/0/23
 port access vlan 10
#
interface GigabitEthernet0/0/24
 port access vlan 10
#
interface GigabitEthernet0/0/25
 port access vlan 10
#
interface GigabitEthernet0/0/26
 port access vlan 10
#
interface GigabitEthernet0/0/27
#
interface GigabitEthernet0/0/28
 mirroring-group 1 mirroring-port both
#
interface GigabitEthernet1/0/1
 port access vlan 3
#
interface GigabitEthernet1/0/2
 port access vlan 3
#
interface GigabitEthernet1/0/3
 port access vlan 3
#
interface GigabitEthernet1/0/4
 port access vlan 3
#
interface GigabitEthernet1/0/5
 port access vlan 3
#
interface GigabitEthernet1/0/6
 description Connect to Center Monitor PC
 port access vlan 3
#
interface GigabitEthernet1/0/7
 port access vlan 3
#
interface GigabitEthernet1/0/8
 description Connect to Center Flag Manage PC
 port access vlan 3
#
interface GigabitEthernet1/0/9
 description connect to Storage System Controller A Port 1
 port access vlan 3
#
interface GigabitEthernet1/0/10
 port access vlan 3
#
interface GigabitEthernet1/0/11
 port access vlan 4
#
interface GigabitEthernet1/0/12
 port access vlan 4
#
interface GigabitEthernet1/0/13
 port access vlan 4
#
interface GigabitEthernet1/0/14
 port access vlan 4
#
interface GigabitEthernet1/0/15
 description connect to Storage System Controller B Port 1
 port access vlan 4
#
interface GigabitEthernet1/0/16
 port access vlan 4
#
interface GigabitEthernet1/0/17
 description Connect to WEB_Manage_Interface
 port access vlan 6
 qos apply policy web outbound
#
interface GigabitEthernet1/0/18
 description Connect to WEB
 port access vlan 6
 qos apply policy web outbound
#
interface GigabitEthernet1/0/19
 port access vlan 3
#
interface GigabitEthernet1/0/20
 port access vlan 3
#
interface GigabitEthernet1/0/21
 description Connect to DAPING Manage PC
 port access vlan 5
#
interface GigabitEthernet1/0/22
 description Connect to DAPING Control Host
 port access vlan 5
#
interface GigabitEthernet1/0/23
 description Connect to F1000-S
 port access vlan 2
#
interface GigabitEthernet1/0/24
 port access vlan 2
#
interface M-Ethernet0/0/0
#
 ip route-static 0.0.0.0 0.0.0.0 172.16.2.1
 ip route-static 172.16.21.0 255.255.255.0 172.16.99.2
 ip route-static 172.16.22.0 255.255.255.0 172.16.99.3
 ip route-static 172.16.23.0 255.255.255.0 172.16.99.4
 ip route-static 172.16.24.0 255.255.255.0 172.16.99.5
 ip route-static 172.16.25.0 255.255.255.0 172.16.99.6
 ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
#
 load xml-configuration
#
user-interface aux 0
 authentication-mode scheme
 idle-timeout 5 0
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
 idle-timeout 5 0
#
return

The firewall configuration is as follows:

Login authentication

Username:admin
Password:
dis curr
#
 sysname F1000-S
#
 l2tp enable
#
 ike local-name vpn
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 firewall statistic system enable
#
 DNS server 219.150.32.132
#
radius scheme system
 server-type extended
#
domain system
 ip pool 1 172.16.254.1 172.16.254.253
#
local-user admin
 password cipher $.T)1&WJ-%DJL.:OE)Q!
 service-type telnet terminal
 level 3
local-user btvpn
 password simple 666666
 service-type ppp
local-user center
 password cipher $.T)1&WJ-%DJL.:OE)Q!
 service-type telnet terminal
 level 3
#
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
#
ike peer 1
 exchange-mode aggressive
 pre-shared-key 333333
 id-type name
 remote-name vpnclient
 nat traversal
#
ipsec proposal p1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy-template l2tp 1
 ike-peer 1
 proposal p1
#
ipsec policy l2tppolicy 1 isakmp template l2tp
#
acl number 2000
 rule 0 permit source 172.16.3.106 0
 rule 1 permit source 172.16.4.206 0
 rule 2 permit source 172.16.6.100 0
 rule 3 permit source 172.16.6.200 0
 rule 6 permit source 172.16.3.120 0
 rule 7 permit source 172.16.3.150 0
 rule 8 permit source 172.16.3.130 0
 rule 9 permit source 172.16.3.140 0
 rule 10 permit source 172.16.3.110 0
 rule 11 permit source 172.16.24.130 0
 rule 12 permit source 172.16.22.130 0
 rule 13 permit source 172.16.23.130 0
 rule 14 permit source 172.16.21.130 0
 rule 15 permit source 172.16.25.130 0
#
acl number 3012
 description L2TP VPN access control
 rule 1 permit icmp
 rule 2 permit tcp destination 172.16.3.0 0.0.0.255
 rule 3 permit udp destination 172.16.3.106 0 destination-port eq dns
 rule 4 permit tcp destination 172.16.6.100 0 destination-port eq www
 rule 80 permit udp destination 192.168.2.200 0 destination-port eq 1701
 rule 81 permit udp destination 192.168.2.200 0 destination-port eq 500
 rule 82 permit udp source-port eq 500
 rule 83 permit udp destination 192.168.2.200 0 destination-port eq 4500
 rule 84 permit udp source-port eq 4500
 rule 85 permit 50 destination 192.168.2.200 0
 rule 86 permit 51 destination 192.168.2.200 0
 rule 100 deny ip
#
interface Virtual-Template0
 ppp authentication-mode pap
 ppp ipcp dns 172.16.3.106 172.16.4.206
 ip address 172.16.254.254 255.255.255.0
 remote address pool 1
#
interface Aux0
 async mode flow
#
interface GigabitEthernet0/0
 description connect to Switch_7503E
 ip address 172.16.2.1 255.255.255.0
#
interface GigabitEthernet0/1
 description connect to Internet
 ip address 13.65.2.100 255.255.255.0
 nat outbound 2000
#
interface GigabitEthernet1/0
#
interface GigabitEthernet1/1
 description Connect to HuanBaoJu
 ip address 192.168.2.200 255.255.255.0
#
interface Encrypt2/0
#
interface NULL0
#
interface LoopBack10
 ip address 172.16.10.1 255.255.255.0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface GigabitEthernet0/0
 add interface GigabitEthernet0/1
 add interface GigabitEthernet1/1
 add interface Virtual-Template0
 set priority 85
#
firewall zone untrust
 set priority 5
#
firewall zone DMZ
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
fir
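The switch section above relies on its Vlan-interface addresses and a handful of static routes (a default route to the firewall at 172.16.2.1, and five branch subnets reached through next hops in the 172.16.99.0/24 VPN-line VLAN). The following Python script is an added example and is not code from the page or from H3C: it parses a constructed excerpt of that switch configuration, resolves each static route's next hop to the connected interface it must leave through, and answers the question "which interface and next hop carries traffic to a given destination?" by longest-prefix match. The function names (`lookup`, `unresolvable_routes`) and the excerpt are assumptions made for this example; a static route whose next hop falls outside every connected subnet is reported rather than used, since such a route would never become active on the switch.

```python
"""Resolve the S7503 static routes against its connected VLAN subnets."""
import ipaddress
import re

# Constructed excerpt of the switch configuration shown on this page.
SWITCH_CONFIG = """
interface Vlan-interface1
 ip address 172.16.1.254 255.255.255.0
interface Vlan-interface2
 ip address 172.16.2.254 255.255.255.0
interface Vlan-interface3
 ip address 172.16.3.254 255.255.255.0
interface Vlan-interface4
 ip address 172.16.4.254 255.255.255.0
interface Vlan-interface5
 ip address 192.168.1.254 255.255.255.0
interface Vlan-interface6
 ip address 172.16.6.254 255.255.255.0
interface Vlan-interface10
 ip address 172.16.99.1 255.255.255.0
 ip route-static 0.0.0.0 0.0.0.0 172.16.2.1
 ip route-static 172.16.21.0 255.255.255.0 172.16.99.2
 ip route-static 172.16.22.0 255.255.255.0 172.16.99.3
 ip route-static 172.16.23.0 255.255.255.0 172.16.99.4
 ip route-static 172.16.24.0 255.255.255.0 172.16.99.5
 ip route-static 172.16.25.0 255.255.255.0 172.16.99.6
 ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
"""


def parse_connected(config):
    """Return {interface_name: IPv4Network} for every 'ip address' line."""
    connected, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line.strip())
        if m:
            current = m.group(1)
            continue
        m = re.match(r"ip address (\S+) (\S+)", line.strip())
        if m and current:
            # ipaddress accepts a dotted netmask after the slash.
            connected[current] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
    return connected


def parse_static_routes(config):
    """Return a list of (IPv4Network, next_hop) from 'ip route-static' lines."""
    routes = []
    for line in config.splitlines():
        m = re.match(r"ip route-static (\S+) (\S+) (\S+)", line.strip())
        if m:
            routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False),
                           ipaddress.ip_address(m.group(3))))
    return routes


def egress_interface(connected, address):
    """Name of the connected interface whose subnet contains address, else None."""
    for name, net in connected.items():
        if address in net:
            return name
    return None


def lookup(config, destination):
    """Longest-prefix match; returns (kind, interface, next_hop) or None.

    kind is 'connected' (next_hop None) or 'static'. A connected route wins
    over a static route of equal prefix length, as on the switch.
    """
    dst = ipaddress.ip_address(destination)
    connected = parse_connected(config)
    best = None  # (prefixlen, interface, next_hop, kind)
    iface = egress_interface(connected, dst)
    if iface is not None:
        best = (connected[iface].prefixlen, iface, None, "connected")
    for net, nh in parse_static_routes(config):
        if dst in net and (best is None or net.prefixlen > best[0]):
            out = egress_interface(connected, nh)
            if out is None:
                continue  # next hop unreachable: route stays inactive
            best = (net.prefixlen, out, str(nh), "static")
    return None if best is None else (best[3], best[1], best[2])


def unresolvable_routes(config):
    """Static routes whose next hop lies in no connected subnet."""
    connected = parse_connected(config)
    return [(str(net), str(nh)) for net, nh in parse_static_routes(config)
            if egress_interface(connected, nh) is None]


if __name__ == "__main__":
    for d in ("172.16.3.106", "172.16.23.50", "8.8.8.8", "192.168.0.10"):
        print(d, "->", lookup(SWITCH_CONFIG, d))
    print("unresolvable:", unresolvable_routes(SWITCH_CONFIG))
```

Run against the excerpt, a server address in VLAN 3 resolves as connected, a branch host such as 172.16.23.50 leaves through Vlan-interface10 toward 172.16.99.4, and anything else (Internet addresses and the 192.168.0.0/24 network behind the firewall) follows the default route out of Vlan-interface2 to the firewall at 172.16.2.1; no next hop on the page is unresolvable.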
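The firewall section above shows the management and L2TP/IPsec VPN settings as they were deployed: a packet filter whose default action is permit, user accounts managed over telnet, a PPP user with a `password simple` value, an IKE proposal using 3DES with MD5, an IKE peer in aggressive mode with a pre-shared key, and PAP on the virtual template. The Python script below is an added example, not code from the page or from H3C: it groups a constructed excerpt of that configuration into Comware-style blocks and reports the settings a configuration review would flag. The finding codes, the `audit`/`parse_blocks` names and the length and digits-only heuristics for visible secrets are assumptions made for this example.

```python
"""Flag weak management and VPN settings in a Comware firewall configuration."""
import re

# Constructed excerpt of the firewall configuration shown on this page.
FIREWALL_CONFIG = """
 firewall packet-filter enable
 firewall packet-filter default permit
local-user admin
 password cipher $.T)1&WJ-%DJL.:OE)Q!
 service-type telnet terminal
 level 3
local-user btvpn
 password simple 666666
 service-type ppp
ike proposal 1
 encryption-algorithm 3des-cbc
 authentication-algorithm md5
ike peer 1
 exchange-mode aggressive
 pre-shared-key 333333
 id-type name
ipsec proposal p1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
interface Virtual-Template0
 ppp authentication-mode pap
"""

WEAK_CIPHERS = {"des", "des-cbc", "3des", "3des-cbc"}
WEAK_HASHES = {"md5"}


def parse_blocks(config):
    """Group the text into (header, [indented child lines]) blocks.

    Unindented lines start a block; indented lines belong to the block above.
    """
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def weak_secret(value):
    """Heuristic (assumed for this example): short or digits-only secrets are weak."""
    return len(value) < 8 or value.isdigit()


def audit(config):
    """Return a list of (finding_code, context) pairs for the weak settings found."""
    findings = []
    for header, body in parse_blocks(config):
        name = header.split()[-1]  # e.g. 'admin', '1', 'p1', 'Virtual-Template0'
        if any(l == "firewall packet-filter default permit" for l in [header] + body):
            findings.append(("default-permit", "firewall packet-filter"))
        if header.startswith("local-user"):
            for line in body:
                m = re.match(r"password simple (\S+)$", line)
                if m:
                    findings.append(("cleartext-password", name))
                    if weak_secret(m.group(1)):
                        findings.append(("weak-password", name))
                if line.startswith("service-type") and "telnet" in line.split():
                    findings.append(("telnet-management", name))
        elif header.startswith("ike proposal"):
            algs = {l.split()[-1] for l in body
                    if l.startswith(("encryption-algorithm", "authentication-algorithm"))}
            if algs & (WEAK_CIPHERS | WEAK_HASHES):
                findings.append(("weak-ike-proposal", name))
        elif header.startswith("ike peer"):
            if "exchange-mode aggressive" in body and any(l.startswith("pre-shared-key") for l in body):
                findings.append(("aggressive-mode-psk", name))
            for line in body:
                m = re.match(r"pre-shared-key (\S+)$", line)
                if m and weak_secret(m.group(1)):
                    findings.append(("weak-psk", name))
        elif header.startswith("ipsec proposal"):
            if any(l.split()[-1] in WEAK_CIPHERS for l in body
                   if l.startswith("esp encryption-algorithm")):
                findings.append(("weak-ipsec-proposal", name))
        elif header.startswith("interface") and "ppp authentication-mode pap" in body:
            findings.append(("pap-authentication", name))
    return findings


if __name__ == "__main__":
    for code, context in audit(FIREWALL_CONFIG):
        print(f"{code:22s} {context}")
```

Each finding maps to a line the page itself shows, so the remediation is local: a default-deny packet filter with explicit permits, SSH instead of telnet for the level-3 accounts, `password cipher` (and a longer value) for the PPP user, AES with SHA-based integrity in the IKE and IPsec proposals, main mode with a long pre-shared key or certificates for the peer, and CHAP rather than PAP on the virtual template. A `display current-configuration` dump pasted into a shared document carries every `password simple` and `pre-shared-key` value in the clear, which is a reason to review such dumps before they leave the server room.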