
router+firewall+switch

Posted: 2024-09-01 21:26:15
Tags: 10.1 service firewall GigabitEthernet0 admin switch user interface router

1. Network topology

[Figure: network topology diagram (image not captured)]

2. Core configuration (on the firewall)

1) Interface IP addresses

int g0/0/0
 ip address 10.1.2.2 24
int g1/0/0
 ip address 10.1.1.1 24

2) Assigning interfaces to zones (trust, untrust, dmz)

firewall zone trust
 add int g0/0/0
firewall zone untrust
 add int g1/0/0

3) Security policy

security-policy
 rule name intoout
  source-zone trust
  destination-zone untrust
  service ftp
  service http
  service https
  service icmp
  service ssh
  service telnet
  action permit
 rule name outtoin
  source-zone untrust
  destination-zone trust
  service ftp
  service http
  service https
  service icmp
  service ssh
  service telnet
  action permit

4) Routing

ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
ip route-static 10.1.3.0 255.255.255.0 10.1.2.1
ip route-static 10.1.4.0 255.255.255.0 10.1.2.1

3. Full device configurations

R1:

<r1>display current-configuration
[V200R003C00]
#
sysname r1
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
acl number 2000
 rule 5 permit source 10.1.3.0 0.0.0.255
 rule 10 permit source 10.1.4.0 0.0.0.255
 rule 15 permit source 10.1.2.0 0.0.0.255
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
nat address-group 1 100.1.1.10 100.1.1.200
#
interface GigabitEthernet0/0/0
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 100.1.1.1 255.255.255.0
 nat outbound 2000 address-group 1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 100.1.1.2
ip route-static 10.1.2.0 255.255.255.0 10.1.1.1
ip route-static 10.1.3.0 255.255.255.0 10.1.1.1
ip route-static 10.1.4.0 255.255.255.0 10.1.1.1
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<r1>

FIREWALL:

[firewall]display current-configuration
2024-09-01 12:40:03.840
!Software Version V500R005C10SPC300
#
sysname firewall
#
l2tp domain suffix-separator @
#
ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
update schedule location-sdb weekly Sun 03:28
#
firewall defend action discard
#
banner enable
#
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
undo ips log merge enable
#
decoding uri-cache disable
#
update schedule ips-sdb daily 05:37
update schedule av-sdb daily 05:37
update schedule sa-sdb daily 05:37
update schedule cnc daily 05:37
update schedule file-reputation daily 05:37
#
ip vpn-instance default
 ipv4-family
#
time-range worktime
 period-range 08:00:00 to 18:00:00 working-day
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128
 dh group14
 authentication-algorithm sha2-512 sha2-384 sha2-256
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256
 prf hmac-sha2-256
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin
  password cipher @%@%LD%J$ajl=(F]yiRJ8BYPM0]-:"Mn>)H*y<'em4Tpy_<R0]0M@%@%
  service-type web terminal
  level 15
 manager-user api-admin
  password cipher @%@%n_$'S;-aE17|G=Jqlpe+Ng}<(R(R.u_*V>g)PjHEOTX5g}~N@%@%
  level 15
 manager-user admin
  password cipher @%@%G^}.J|`_0/C;a*0<b9xW&q-VuTpwW447\BNekj4-;s;Pq-Y&@%@%
  service-type web terminal
  level 15
 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 10.1.2.2 255.255.255.0
 alias GE0/METH
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
#
interface GigabitEthernet1/0/2
 undo shutdown
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/0
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
ip route-static 10.1.3.0 255.255.255.0 10.1.2.1
ip route-static 10.1.4.0 255.255.255.0 10.1.2.1
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
 authentication-mode aaa
 idle-timeout 0 0
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 rule name intoout
  source-zone trust
  destination-zone untrust
  service ftp
  service http
  service https
  service icmp
  service ssh
  service telnet
  action permit
 rule name outtoin
  source-zone untrust
  destination-zone trust
  service ftp
  service http
  service https
  service icmp
  service ssh
  service telnet
  action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return
[firewall]

SWITCH:

[sw1]display current-configuration
#
sysname sw1
#
vlan batch 10 20 30
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.3.1 255.255.255.0
#
interface Vlanif20
 ip address 10.1.4.1 255.255.255.0
#
interface Vlanif30
 ip address 10.1.2.1 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.1.2.2
#
user-interface con 0
 idle-timeout 0 0
user-interface vty 0 4
#
return
[sw1]
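Added example (not part of the original post and not vendor code): a small Python audit that reads VRP-style running configs like the three above and flags the settings a reviewer would pick out of them: `local-user ... password simple` on sw1, `user-interface vty` blocks with no `authentication-mode` line on r1 and sw1, and the `outtoin` security-policy rule that permits telnet and ftp from untrust into trust. The embedded sample is constructed from excerpts of the configs on this page; the `children`/`audit` helpers and the finding wording are my own.

```python
# Constructed sample: excerpts copied from the R1, firewall and sw1 running configs
# shown on this page, cut down to the sections this audit reads (VRP indentation).
SAMPLE = {
    "r1": ("aaa\n local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$\n#\n"
           "user-interface con 0\n authentication-mode password\n"
           "user-interface vty 0 4\nuser-interface vty 16 20\n#\n"),
    "firewall": ("user-interface vty 0 4\n authentication-mode aaa\n protocol inbound ssh\n#\n"
                 "security-policy\n rule name intoout\n  source-zone trust\n"
                 "  destination-zone untrust\n  service telnet\n  action permit\n"
                 " rule name outtoin\n  source-zone untrust\n  destination-zone trust\n"
                 "  service ftp\n  service https\n  service telnet\n  action permit\n#\n"),
    "sw1": ("aaa\n local-user admin password simple admin\n#\n"
            "user-interface con 0\n idle-timeout 0 0\nuser-interface vty 0 4\n#\n"),
}

def children(lines, prefix):
    """Group each line starting with `prefix` with the indented lines that follow it."""
    groups, active = [], False
    for line in lines:
        if line.startswith(prefix):
            groups.append([line])
            active = True
        elif active and line.startswith(" "):
            groups[-1].append(line)
        else:
            active = False  # '#' or another top-level command closes the group
    return groups

def audit_config(cfg):
    """Return the findings for one VRP running config given as text."""
    lines, found = cfg.splitlines(), []
    for line in lines:  # 1. local-user passwords kept as 'password simple'
        if line.strip().startswith("local-user") and " password simple " in line:
            found.append(f"{line.split()[1]}: 'password simple' stores the password in cleartext")
    for vty in children(lines, "user-interface vty"):  # 2. vty blocks with no authentication-mode
        if not any(l.strip().startswith("authentication-mode") for l in vty[1:]):
            found.append(f"{vty[0][15:]}: no authentication-mode configured")
    for policy in children(lines, "security-policy"):  # 3. permit from untrust with telnet/ftp
        for rule in children(policy[1:], " rule name"):
            body = [l.strip().split(" ", 1) for l in rule[1:] if " " in l.strip()]
            kv = dict(body)  # last value wins; services are collected separately below
            clear = sorted({v for k, v in body if k == "service"} & {"ftp", "telnet"})
            if kv.get("action") == "permit" and kv.get("source-zone") == "untrust" and clear:
                found.append(f"rule {rule[0].split()[-1]}: permits {', '.join(clear)} "
                             f"from untrust to {kv.get('destination-zone')}")
    return found

def audit(configs):
    """Map device name -> findings for a dict of {device: running-config text}."""
    return {dev: audit_config(cfg) for dev, cfg in configs.items()}
```

Running `audit(SAMPLE)` reports the sw1 cleartext password, the unauthenticated vty blocks on r1 and sw1, and the firewall's `outtoin` rule; the firewall's own vty 0 4 (aaa plus `protocol inbound ssh`) passes.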

4. Test results

[Figure: test result screenshots (images not captured)]

From: https://blog.51cto.com/u_13560030/11890206

    异常信息:Error:Havigationcancelledfrom"/"to"/home"withanewnavigation ,如下图:原因:    1、这个错误是vue-router内部错误,没有进行catch处理,导致的编程式导航跳转问题,往同一地址跳转时会报错的情况。push和replace都会导致这个情况的发生。   ......