Huawei SRG2200 configuration template (华为srg2200配置1模板.doc)
Uploaded by 精品资料, document ID 10029679, uploaded 2019-09-30, DOC, 11 pages, 73 KB

Huawei SRG2200 Router Configuration Template

The SRG2200 is Huawei's new generation of service router. Compared with the AR28-11 and similar devices used previously, its advantages are clear. It fully supports the IPv4/IPv6 dual stack and offers a rich set of IPv4-to-IPv6 transition mechanisms, including dual stack, tunnelling and address translation (NAT-PT). Its security features are also much stronger. The integrated stateful-inspection firewall defends against a range of network attacks and DDoS attacks, provides complete network address translation (NAT), and detects and blocks application-layer attacks in real time; the integrated anti-virus (AV) function, using the Symantec virus database, protects the network against viruses, phishing, spyware, adware and similar threats; the integrated anti-spam (AS) function filters junk mail, blocks spam and phishing attacks, and supports blocking via external anti-spam alliance RBL lists; the integrated URL filtering and P2P/IM control functions improve resistance to network threats, reduce non-compliant use of the network, save business bandwidth, raise staff productivity and reduce the legal risk that comes with access to illegal content.

Rich routing features
The SRG2200 series provides a rich set of routing features. IPv6, the foundation protocol of the next-generation network, is widely recognised for its clear technical advantages; the SRG2200 series fully supports the IPv4/IPv6 dual stack and offers a rich set of IPv4-to-IPv6 transition mechanisms, including dual stack, tunnelling and address translation (NAT-PT). The SRG2200 series supports the common IPv4/IPv6 unicast routing protocols and IPv4 multicast routing protocols, including static routes, RIPv2, RIPng, OSPFv2, OSPFv3, BGP-4, BGP-4+, IS-IS, IS-ISv6 and PIM, together with MPLS, routing policy and recursive route lookup, which makes network design more flexible.

Professional-grade security defence
The integrated stateful-inspection firewall defends against a range of network attacks and DDoS attacks, provides complete NAT, and detects and blocks application-layer attacks in real time; the integrated VPN (IPSec

[gap in source]

Each business hall has its own VLAN ID for dot1q encapsulation; VLAN IDs must not be shared between business halls.

ospf 200
 area 0.0.0.204
  network 10.4.244.140 0.0.0.3
  network 10.6.158.176 0.0.0.15
  network 10.6.197.140 0.0.0.0
  network 10.6.215.48 0.0.0.7
  network 10.4.236.140 0.0.0.3
  network 10.6.106.36 0.0.0.3
  network 10.6.117.80 0.0.0.7
  network 10.6.252.80 0.0.0.7
  network 10.6.34.80 0.0.0.7
  stub

4 Configure security policies so that the business-hall network segments (other than the WAN) cannot reach one another.

(1) Assign each interface to a security zone and set the zone priority. When configuring firewall policies, the higher the priority value, the higher the security level: a higher-priority zone may access a lower-priority zone, but a lower-priority zone cannot access a higher-priority zone.

firewall zone untrust
 set priority 5
 add interface Serial1/0/0:0
 add interface GigabitEthernet0/0/1.1      ; the built-in untrust zone is normally used for the WAN ports
firewall zone name default
 set priority 90
 add interface GigabitEthernet0/0/0.1      ; new default zone bound to its interface
firewall zone name boss
 set priority 80
 add interface GigabitEthernet0/0/0.2      ; new boss zone bound to its interface
firewall zone name jk
 set priority 81
 add interface GigabitEthernet0/0/0.5      ; new jk zone bound to its interface
firewall zone name typt
 set priority 82
 add interface GigabitEthernet0/0/0.6      ; new typt zone bound to its interface
firewall zone name pdj
 set priority 83
 add interface GigabitEthernet0/0/0.7      ; new pdj zone bound to its interface
firewall zone name zzzd
 set priority 84
 add interface GigabitEthernet0/0/0.8      ; new zzzd zone bound to its interface

(2) Configure the security policies.

policy interzone default untrust outbound   ; policies for the default zone
 policy 1
  action permit
  policy source 10.6.215.48 0.0.0.7
  policy destination 10.4.41.1 0
  policy destination 10.4.41.2 0
  policy destination 10.4.41.5 0
  policy destination 10.4.41.7 0
 policy 2
  action permit
  policy source 10.6.158.176 0.0.0.15
  policy source 10.4.236.140 0.0.0.3
  policy source 10.6.34.80 0.0.0.7
  policy source 10.6.252.80 0.0.0.7
  policy source 10.6.117.80 0.0.0.7
  policy source 10.6.106.36 0.0.0.3
  policy source 10.6.197.140 0
  policy source 10.6.215.48 0.0.0.7
  policy source 10.4.244.140 0.0.0.3
  policy destination any
 policy 3
  action permit
  policy source 10.6.215.54 0
  policy destination 10.6.200.1 0
  policy destination 10.6.200.9 0
 policy 4
  action deny
  policy source any
  policy destination any

policy interzone boss untrust outbound      ; policies for the boss zone
 policy 1
  action permit
  policy source 10.6.215.48 0.0.0.7
  policy destination 10.4.41.1 0
  policy destination 10.4.41.2 0
  policy destination 10.4.41.5 0
  policy destination 10.4.41.7 0
 policy 2
  action permit
  policy source 10.6.158.176 0.0.0.15
  policy source 10.4.236.140 0.0.0.3
  policy source 10.6.34.80 0.0.0.7
  policy source 10.6.252.80 0.0.0.7
  policy source 10.6.117.80 0.0.0.7
  policy source 10.6.106.36 0.0.0.3
  policy source 10.6.197.140 0
  policy source 10.6.215.48 0.0.0.7
  policy source 10.4.244.140 0.0.0.3
  policy destination any
 policy 3
  action permit
  policy source 10.6.215.54 0
  policy destination 10.6.200.1 0
  policy destination 10.6.200.9 0
 policy 4
  action deny
  policy source any
  policy destination any

policy interzone jk untrust outbound        ; policies for the jk zone
 policy 1
  action permit
  policy source 10.6.215.48 0.0.0.7
  policy destination 10.4.41.1 0
  policy destination 10.4.41.2 0
  policy destination 10.4.41.5 0
  policy destination 10.4.41.7 0
 policy 2
  action permit
  policy source 10.6.158.176 0.0.0.15
  policy source 10.4.236.140 0.0.0.3
  policy source 10.6.34.80 0.0.0.7
  policy source 10.6.252.80 0.0.0.7
  policy source 10.6.117.80 0.0.0.7
  policy source 10.6.106.36 0.0.0.3
  policy source 10.6.197.140 0
  policy source 10.6.215.48 0.0.0.7
  policy source 10.4.244.140 0.0.0.3
  policy destination any
 policy 3
  action permit
  policy source 10.6.215.54 0
  policy destination 10.6.200.1 0
  policy destination 10.6.200.9 0
 policy 4
  action deny
  policy source any
  policy destination any

policy interzone typt untrust outbound      ; policies for the typt zone
 policy 1
  action permit
  policy source 10.6.215.48 0.0.0.7
  policy destination 10.4.41.1 0
  policy destination 10.4.41.2 0
  policy destination 10.4.41.5 0
  policy destination 10.4.41.7 0
 policy 2
  action permit
  policy source 10.6.158.176 0.0.0.15
  policy source 10.4.236.140 0.0.0.3
  policy source 10.6.34.80 0.0.0.7
  policy source 10.6.252.80 0.0.0.7
  policy source 10.6.117.80 0.0.0.7
  policy source 10.6.106.36 0.0.0.3
  policy source 10.6.197.140 0
  policy source 10.6.215.48 0.0.0.7
  policy source 10.4.244.140 0.0.0.3
  policy destination any
 policy 3
  action permit
  policy source 10.6.215.54 0
  policy destination 10.6.200.1 0
  policy destination 10.6.200.9 0
 policy 4
  action deny
  policy source any
  policy destination any

policy interzone pdj untrust outbound       ; policies for the pdj zone
 policy 1
  action permit
  policy source 10.6.215.48 0.0.0.7
  policy destination 10.4.41.1 0
  policy destination 10.4.41.2 0
  policy destination 10.4.41.5 0
  policy destination 10.4.41.7 0
 policy 2
  action permit
  policy source 10.6.158.176 0.0.0.15
  policy source 10.4.236.140 0.0.0.3
  policy source 10.6.34.80 0.0.0.7
  policy source 10.6.252.80 0.0.0.7
  policy source 10.6.117.80 0.0.0.7
  policy source 10.6.106.36 0.0.0.3
  policy source 10.6.197.140 0
  policy source 10.6.215.48 0.0.0.7
  policy source 10.4.244.140 0.0.0.3
  policy destination any
 policy 3
  action permit
  policy source 10.6.215.54 0
  policy destination 10.6.200.1 0
  policy destination 10.6.200.9 0
 policy 4
  action deny
  policy source any
  policy destination any

policy interzone zzzd untrust outbound      ; policies for the zzzd zone
 policy 1
  action permit
  policy source 10.6.215.48 0.0.0.7
  policy destination 10.4.41.1 0
  policy destination 10.4.41.2 0
  policy destination 10.4.41.5 0
  policy destination 10.4.41.7 0
 policy 2
  action permit
  policy source 10.6.158.176 0.0.0.15
  policy source 10.4.236.140 0.0.0.3
  policy source 10.6.34.80 0.0.0.7
  policy source 10.6.252.80 0.0.0.7
  policy source 10.6.117.80 0.0.0.7
  policy source 10.6.106.36 0.0.0.3
  policy source 10.6.197.140 0
  policy source 10.6.215.48 0.0.0.7
  policy source 10.4.244.140 0.0.0.3
  policy destination any
 policy 3
  action permit
  policy source 10.6.215.54 0
  policy destination 10.6.200.1 0
  policy destination 10.6.200.9 0
 policy 4
  action deny
  policy source any
  policy destination any

(3) Apply the default deny globally between every pair of zones, so that the business-hall segments cannot reach one another.

firewall packet-filter default deny interzone default boss direction inbound
firewall packet-filter default deny interzone default boss direction outbound
firewall packet-filter default deny interzone default jk direction inbound
firewall packet-filter default deny interzone default jk direction outbound
firewall packet-filter default deny interzone default typt direction inbound
firewall packet-filter default deny interzone default typt direction outbound
firewall packet-filter default deny interzone default pdj direction inbound
firewall packet-filter default deny interzone default pdj direction outbound
firewall packet-filter default deny interzone default zzzd direction inbound
firewall packet-filter default deny interzone default zzzd direction outbound
firewall packet-filter default deny interzone jk boss direction inbound
firewall packet-filter default deny interzone jk boss direction outbound
firewall packet-filter default deny interzone typt boss direction inbound
firewall packet-filter default deny interzone typt boss direction outbound
firewall packet-filter default deny interzone pdj boss direction inbound
firewall packet-filter default deny interzone pdj boss direction outbound
firewall packet-filter default deny interzone zzzd boss direction inbound
firewall packet-filter default deny interzone zzzd boss direction outbound
firewall packet-filter default deny interzone typt jk direction inbound
firewall packet-filter default deny interzone typt jk direction outbound
firewall packet-filter default deny interzone pdj jk direction inbound
firewall packet-filter default deny interzone pdj jk direction outbound
firewall packet-filter default deny interzone zzzd jk direction inbound
firewall packet-filter default deny interzone zzzd jk direction outbound
firewall packet-filter default deny interzone pdj typt direction inbound
firewall packet-filter default deny interzone pdj typt direction outbound
firewall packet-filter default deny interzone zzzd typt direction inbound
firewall packet-filter default deny interzone zzzd typt direction outbound
firewall packet-filter default deny interzone zzzd pdj direction inbound
firewall packet-filter default deny interzone zzzd pdj direction outbound

5 Security policy (continued)

acl number 2000                             ; SNMP access policy
 rule 0 permit source 10.4.83.192 0.0.0.15
 rule 1 permit source 10.4.41.12 0
snmp-agent
snmp-agent local-engineid 000007DB7F00000100002FA9
snmp-agent community read !Bmcc%&8 acl 2000
snmp-agent sys-info location BeiJing China
snmp-agent sys-info version all
acl number 2010                             ; VTY login access policy
 rule 0 permit source 10.6.90.0 0.0.0.15
 rule 1 permit source 10.4.253.18 0
 rule 2 permit source 10.4.253.225 0
 rule 4 permit source 10.4.236.140 0.0.0.3
 rule 5 permit source 10.4.244.140 0.0.0.3
 rule 6 deny
user-interface vty 0 4
 acl 2010 inbound

6 Login password settings

user-interface con 0
 authentication-mode password
 set authentication password cipher XXXX,ZT,XXX
 idle-timeout 5 0
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher XXXX,ZT,XXX
 idle-timeout 5 0
super password cipher XXXX,ZT,XXX
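The following Python checker is an added example, not part of the template and not Huawei code. It models the three mechanisms sections 4 and 5 rely on: VRP wildcard-mask matching (a set bit in the wildcard means "don't care", and a bare `0` is the host wildcard), first-match evaluation of an interzone policy list, and the pairwise `firewall packet-filter default deny interzone` list that actually isolates the business-hall zones. The policy list and ACL 2010 are copied verbatim from the template; the sample flows (10.6.215.50, 10.6.34.85, 192.0.2.10, 10.4.253.19) and the deliberately incomplete `PARTIAL_PACKET_FILTER` excerpt are constructed for this example.

```python
"""Offline checker for the SRG2200 zone/policy template (added example, not from the template).
Models VRP wildcard matching, first-match interzone policy evaluation, basic-ACL evaluation for
the VTY lines, and completeness of the pairwise 'packet-filter default deny' list."""
import ipaddress
from itertools import combinations

# Interzone policy copied from the template (default -> untrust, outbound); the branch zones use the same list.
POLICY_DEFAULT_UNTRUST = """
policy 1
 action permit
 policy source 10.6.215.48 0.0.0.7
 policy destination 10.4.41.1 0
 policy destination 10.4.41.2 0
 policy destination 10.4.41.5 0
 policy destination 10.4.41.7 0
policy 2
 action permit
 policy source 10.6.158.176 0.0.0.15
 policy source 10.4.236.140 0.0.0.3
 policy source 10.6.34.80 0.0.0.7
 policy source 10.6.252.80 0.0.0.7
 policy source 10.6.117.80 0.0.0.7
 policy source 10.6.106.36 0.0.0.3
 policy source 10.6.197.140 0
 policy source 10.6.215.48 0.0.0.7
 policy source 10.4.244.140 0.0.0.3
 policy destination any
policy 3
 action permit
 policy source 10.6.215.54 0
 policy destination 10.6.200.1 0
 policy destination 10.6.200.9 0
policy 4
 action deny
 policy source any
 policy destination any
"""
# VTY login ACL 2010 copied from the template.
ACL_2010 = """
rule 0 permit source 10.6.90.0 0.0.0.15
rule 1 permit source 10.4.253.18 0
rule 2 permit source 10.4.253.225 0
rule 4 permit source 10.4.236.140 0.0.0.3
rule 5 permit source 10.4.244.140 0.0.0.3
rule 6 deny
"""
ZONES = ["default", "boss", "jk", "typt", "pdj", "zzzd"]  # internal zones in the template

def _addr(s):
    # Dotted quad to int; VRP also accepts a bare '0' as the host wildcard 0.0.0.0.
    return int(s) if "." not in s else int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard="0"):
    """VRP wildcard-mask semantics: a set bit in the wildcard means 'don't care'."""
    care = ~_addr(wildcard) & 0xFFFFFFFF
    return (_addr(addr) & care) == (_addr(base) & care)

def _matches(addr, entries):
    return any(e == ("any",) or wildcard_match(addr, *e) for e in entries)

def _tokens(text):
    return (l.split() for l in text.strip().splitlines() if l.strip())

def parse_policy(text):
    """'policy N' opens a rule; 'action' and 'policy source|destination' fill it in."""
    rules = []
    for t in _tokens(text):
        if t[0] == "policy" and t[1].isdigit():
            rules.append({"id": int(t[1]), "action": None, "source": [], "destination": []})
        elif t[0] == "action":
            rules[-1]["action"] = t[1]
        elif t[0] == "policy":                      # entry is ('any',) or (base, wildcard)
            rules[-1][t[1]].append(tuple(t[2:]))
    return rules

def evaluate_policy(rules, src, dst):
    """First matching rule wins; returns (action, rule id), or ('deny', None) on no match."""
    for r in rules:
        if _matches(src, r["source"]) and _matches(dst, r["destination"]):
            return r["action"], r["id"]
    return "deny", None

def parse_acl(text):
    """Basic ACL as (number, action, source entry), evaluated in rule-number order."""
    return sorted((int(t[1]), t[2], tuple(t[4:6]) if len(t) > 4 else ("any",)) for t in _tokens(text))

def acl_permits(rules, src):
    for _, action, entry in rules:
        if _matches(src, [entry]):
            return action == "permit"
    return True  # never reached with the template's closing 'rule 6 deny'

def missing_default_deny(zones, configured_text):
    """Zone pairs/directions with no 'packet-filter default deny' line; zone order is ignored."""
    present = {(frozenset(t[5:7]), t[8]) for t in _tokens(configured_text)
               if t[:5] == ["firewall", "packet-filter", "default", "deny", "interzone"]}
    return [(a, b, d) for a, b in combinations(zones, 2)
            for d in ("inbound", "outbound") if (frozenset((a, b)), d) not in present]

# Constructed excerpt of the step (3) list with the zzzd/pdj pair left out, to show the check firing.
PARTIAL_PACKET_FILTER = "\n".join(
    f"firewall packet-filter default deny interzone {a} {b} direction {d}"
    for a, b in combinations(ZONES, 2) for d in ("inbound", "outbound") if {a, b} != {"pdj", "zzzd"})

if __name__ == "__main__":
    rules = parse_policy(POLICY_DEFAULT_UNTRUST)
    print(evaluate_policy(rules, "10.6.215.54", "10.6.200.9"))  # ('permit', 2): policy 3 is never reached
    print(acl_permits(parse_acl(ACL_2010), "10.4.253.19"))      # False
    print(missing_default_deny(ZONES, PARTIAL_PACKET_FILTER))   # the two missing zzzd/pdj lines
```

Two things the checker makes visible that are easy to miss when reading the template by eye. First, policy 3 (host 10.6.215.54 to 10.6.200.1 and 10.6.200.9) is never reached, because 10.6.215.54 falls inside the 10.6.215.48 0.0.0.7 range that policy 2 already permits to any destination; both rules permit, so this is harmless today, but tightening policy 2 later would silently change what policy 3 was meant to guarantee. Second, within each interzone the policy permits every listed branch segment to reach any destination, so the isolation required by section 4 comes entirely from the pairwise default-deny list in step (3); `missing_default_deny` confirms that all C(6,2) = 15 zone pairs are covered in both directions, which is the check to rerun whenever a zone is added.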
