H3C SecPath firewall: step-by-step configuration (local user, NAT, packet filtering, zones, attack defense, rate limiting)

1. <H3C>sy
   Enter system view (system-view).
2. [H3C]local-us huawei
   Create the local user "huawei" (local-user).
3. [H3C-luser-huawei]pass cipher huawei0606
   Set the password of user huawei to huawei0606 (password cipher).
4. [H3C-luser-huawei]service-type telnet
   Allow user huawei to log in over Telnet.
   Caveat: Telnet sends the username and password in cleartext. If the platform offers service-type ssh, prefer it, and restrict management access to known source addresses.
5. [H3C-luser-huawei]service-type ftp
   Allow FTP access for the user.
   [H3C-luser-huawei]lev 3
   Set the user privilege level to 3, the management level (level 3).
6. [H3C-luser-huawei]q
   Return to system view (quit).
7. [H3C]nat address-group 1 59.40.116.201 59.40.116.209
   Define NAT address pool 1.
8. [H3C]acl nu 3000
   Create advanced ACL 3000 (acl number 3000).
9. [H3C-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255
   Add the internal address range that ACL 3000 covers (this is the range that will be translated).
   [H3C-acl-adv-3000]rule deny ip
   To cover the four subnets 192.168.0.0 to 192.168.3.0/24 with one rule, use the wildcard mask 0.0.3.255 instead:
     acl number 3000
     rule 1 permit ip source 192.168.0.0 0.0.3.255
     rule 2 deny ip
10. [H3C-acl-adv-3000]int g1/0
    Enter interface GigabitEthernet1/0, the WAN (outside) interface.
    [H3C-GigabitEthernet1/0]ip add 59.40.116.201 28
    Configure the IP address of interface 1 (ip address, /28).
11. [H3C-GigabitEthernet1/0]tcp mss 1024
    Set the TCP MSS on interface 1.
12. [H3C-GigabitEthernet1/0]arp se 1
    [H3C-GigabitEthernet1/0]firewall packet-filter 3001 inbound
    Enable packet filtering on inbound traffic using ACL 3001 (enables the firewall on this interface). ACL 3001 must be created first; see step 40.
13. [H3C-GigabitEthernet1/0]nat ou 3000 ad 1
    Enable outbound NAT for the addresses matched by ACL 3000 using address group 1 (nat outbound 3000 address-group 1).
    [H3C-GigabitEthernet1/0]qos car inbound acl 3100 cir 640000 cbs 640000 ebs 0 green pass red discard
    Rate-limit inbound WAN traffic that matches ACL 3100 (see step 41).
14. [H3C-GigabitEthernet1/0]int g2/0
    Enter interface GigabitEthernet2/0, the LAN (inside) interface.
15. [H3C-GigabitEthernet2/0]ip add 192.168.1.254 24
    Configure the IP address of interface 2.
16. [H3C-GigabitEthernet2/0]arp send-gratuitous-arp 1
    [H3C-GigabitEthernet2/0]firewall packet-filter 3002 inbound
    Enable packet filtering on inbound traffic using ACL 3002 (enables the firewall on this interface). ACL 3002 must be created first; see step 41.
17. [H3C-GigabitEthernet2/0]tcp mss 1024
    Same as step 11.
    [H3C-GigabitEthernet2/0]qos car inbound carl 1 cir 800000 cbs 400000 ebs 0 green pass red discard
    [H3C-GigabitEthernet2/0]qos car outbound carl 11 cir 1600000 cbs 1600000 ebs 0 green pass red discard
    Per-address rate limiting on the LAN interface. CAR lists 1 and 11 must be defined first (qos carl, step 46).
18. [H3C-GigabitEthernet2/0]q
19. [H3C]firewall zone trust
20. [H3C-zone-trust]add int g2/0
    Put the LAN interface in the trust zone.
21. [H3C-zone-trust]st en ip in
22. [H3C-zone-trust]st en ip ou
23. [H3C-zone-trust]st en z in
24. [H3C-zone-trust]st en z ou
    Enable per-IP and per-zone statistics for traffic entering and leaving the zone (statistic enable ip inzone / ip outzone / zone inzone / zone outzone). The zone statistics are what the flood-defense thresholds in step 45 are measured against.
25. [H3C-zone-trust]q
26. [H3C]firewall zone untrust
27. [H3C-zone-untrust]add int g1/0
    Put the WAN interface in the untrust zone.
28. [H3C-zone-untrust]st en ip in
29. [H3C-zone-untrust]st en ip ou
30. [H3C-zone-untrust]st en zo in
31. [H3C-zone-untrust]st en zo ou
32. [H3C]firewall defend all
33. [H3C]firewall defend enable
34. [H3C]firewall packet-filter enable
    Enable packet filtering globally; without this the interface-level packet-filter commands have no effect.
35. [H3C]user-interface vty 0 4
36. [H3C-ui-vty0-4]aut sc
    VTY (Telnet) logins authenticate with a scheme, i.e. against the local user created in steps 2 to 5 (authentication-mode scheme).
37. [H3C-ui-vty0-4]q
38. [H3C]ip ro 0.0.0.0 0.0.0.0 59.40.186.206
    Default route (ip route-static). Check: the page uses 59.40.116.x for the WAN interface and NAT pool (steps 7 and 10) but 59.40.186.x for the default route and for the public range in ACL 3001; make sure the next hop and the public range match the addresses actually assigned to you.
39. [H3C] sa
    Save the configuration (save).
40. ACL 3001 (applied inbound on the WAN interface, step 12):
    acl number 3001
    rule 10 deny tcp destination-port eq 445
    rule 11 deny udp destination-port eq 445
    rule 20 deny tcp destination-port eq 135
    rule 21 deny udp destination-port eq 135
    rule 30 deny tcp destination-port eq 137
    rule 31 deny udp destination-port eq netbios-ns
    rule 40 deny tcp destination-port eq 138
    rule 41 deny udp destination-port eq netbios-dgm
    rule 50 deny tcp destination-port eq 139
    rule 51 deny udp destination-port eq netbios-ssn
    rule 61 deny udp destination-port eq tftp
    rule 70 deny tcp destination-port eq 593
    rule 80 deny tcp destination-port eq 4444
    rule 90 deny tcp destination-port eq 707
    rule 100 deny tcp destination-port eq 1433
    rule 101 deny udp destination-port eq 1433
    rule 110 deny tcp destination-port eq 1434
    rule 111 deny udp destination-port eq 1434
    rule 120 deny tcp destination-port eq 5554
    rule 130 deny tcp destination-port eq 9996
    rule 141 deny udp source-port eq bootps
    rule 159 deny icmp destination 59.40.186.205 0
    rule 160 permit icmp icmp-type echo
    rule 161 permit icmp icmp-type echo-reply
    rule 162 permit icmp icmp-type ttl-exceeded
    rule 165 deny icmp
    rule 202 deny tcp destination-port eq ftp
    rule 204 deny tcp destination-port eq 3389
    rule 205 permit tcp destination-port eq telnet
    rule 2000 permit ip destination 59.40.186.192 0.0.0.15
    rule 2001 permit ip destination 192.168.0.0 0.0.3.255
    rule 2002 deny ip
    Rules are matched in rule-number order and the first match wins, so the port-specific denies must keep lower numbers than the broad permits (2000, 2001). Note that rule 205 permits TCP/23 from any source, so the Telnet management login from steps 4 and 36 is reachable from the Internet; add a source address to that rule or remove it if Telnet access is only needed from the LAN.
41. ACL 3002 (applied inbound on the LAN interface, step 16) and ACL 3100 (used for the WAN inbound rate limit, step 13):
    acl number 3002
    rule 10 deny tcp destination-port eq 445
    rule 11 deny udp destination-port eq 445
    rule 20 deny tcp destination-port eq 135
    rule 21 deny udp destination-port eq 135
    rule 30 deny tcp destination-port eq 137
    rule 31 deny udp destination-port eq netbios-ns
    rule 40 deny tcp destination-port eq 138
    rule 41 deny udp destination-port eq netbios-dgm
    rule 50 deny tcp destination-port eq 139
    rule 51 deny udp destination-port eq netbios-ssn
    rule 70 deny tcp destination-port eq 593
    rule 80 deny tcp destination-port eq 4444
    rule 90 deny tcp destination-port eq 707
    rule 100 deny tcp destination-port eq 1433
    rule 101 deny udp destination-port eq 1433
    rule 110 deny tcp destination-port eq 1434
    rule 111 deny udp destination-port eq 1434
    rule 120 deny tcp destination-port eq 5554
    rule 130 deny tcp destination-port eq 9996
    rule 141 deny udp source-port eq bootps
    rule 150 deny tcp destination-port range 3076 3078
    rule 151 deny tcp destination-port eq 5200
    rule 152 deny tcp destination-port eq 6200
    rule 153 deny udp destination-port eq 5200
    rule 154 deny udp destination-port eq 6200
    rule 155 deny udp destination-port range 3076 3078
    rule 160 permit icmp icmp-type echo
    rule 161 permit icmp icmp-type echo-reply
    rule 162 permit icmp icmp-type ttl-exceeded
    rule 165 deny icmp
    rule 2030 permit ip source 192.168.0.0 0.0.3.255
    Unlike ACL 3001, ACL 3002 has no final deny ip, so traffic from sources outside 192.168.0.0/22 falls through to the packet filter's default action; add a closing deny ip if that is not intended.

    acl number 3100 match-order auto
    rule 23 permit tcp source-port eq ftp-data
    rule 21 permit tcp source-port eq ftp
    rule 6 permit tcp source-port eq 3076
    rule 5 permit tcp source-port eq 3077
    rule 11 permit tcp source-port eq 3318
    rule 14 permit tcp source-port eq 3751
    rule 15 permit tcp source-port eq 3753
    rule 19 permit tcp source-port eq 4004
    rule 9 permit tcp source-port eq 4242
    rule 8 permit tcp source-port eq 4461
    rule 7 permit tcp source-port eq 4462
    rule 16 permit tcp source-port eq 4772
    rule 17 permit tcp source-port eq 4774
    rule 10 permit tcp source-port eq 7000
    rule 20 permit udp source-port eq 8008
    rule 18 permit tcp source-port eq 11000
    rule 12 permit tcp source-port eq 16881
    rule 24 permit udp source-port range 13000 14000
    rule 13 permit ip source 202.108.156.206 0
    rule 25 permit ip source 202.96.155.91 0
    rule 26 permit ip source 210.22.12.53 0
    rule 27 permit ip source 61.128.198.97 0
42. firewall packet-filter enable
    NAT session aging times:
    nat aging-time tcp 300
    nat aging-time udp 150
    nat aging-time icmp 30
    nat aging-time pptp 300
    nat aging-time dns 10
    nat aging-time ftp-ctrl 300
    nat aging-time tcp-fin 10
    nat aging-time tcp-syn 10
43. undo icmp redirect send
    undo icmp unreach send
    Stop the firewall from sending ICMP redirects and ICMP unreachable messages, which would otherwise leak topology information and can be abused to alter routing on hosts.
44. firewall defend enable
    firewall statistic system enable
    firewall mac-binding enable
    radius scheme system
    domain system
45. Attack defense settings:
    firewall defend ip-spoofing
    firewall defend land
    firewall defend smurf
    firewall defend fraggle
    firewall defend winnuke
    firewall defend icmp-redirect
    firewall defend icmp-unreachable
    firewall defend source-route
    firewall defend route-record
    firewall defend tracert
    firewall defend ping-of-death
    firewall defend tcp-flag
    firewall defend ip-fragment
    firewall defend large-icmp
    firewall defend teardrop
    firewall defend ip-sweep max-rate 300
    firewall defend port-scan max-rate 300
    firewall defend arp-spoofing
    firewall defend arp-reverse-query
    firewall defend arp-flood max-rate 500
    firewall defend frag-flood
    firewall defend syn-flood enable
    firewall defend udp-flood enable
    firewall defend icmp-flood enable
    firewall defend syn-flood zone local max-rate 500 tcp-proxy
    firewall defend icmp-flood zone local max-rate 500
    firewall defend syn-flood zone trust max-rate 500 tcp-proxy
    firewall defend udp-flood zone trust max-rate 500
    firewall defend icmp-flood zone trust max-rate 500
    firewall defend syn-flood zone untrust max-rate 500 tcp-proxy
    firewall defend udp-flood zone untrust max-rate 500
    firewall defend icmp-flood zone untrust max-rate 500
46. CAR lists for the per-address rate limits used in step 17:
    qos carl 1 source-ip-address range 192.168.1.11 to 192.168.1.252 per-address
    qos carl 11 destination-ip-address range 192.168.1.11 to 192.168.1.252 per-address
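Because ACL 3001 is evaluated in rule-number order with first match winning, the effect of a given rule depends on what precedes it (rule 159 denies ICMP to one host before rule 160 permits echo; rule 205 permits Telnet before the closing deny). The script below is an added example, not code from the original post or from H3C: it parses the subset of H3C advanced-ACL rule syntax used on this page (permit/deny, tcp/udp/icmp/ip, source/destination with wildcard masks, eq/range ports, icmp-type), replays constructed packets against a shortened copy of ACL 3001, and shows which rule each packet hits. The service-name-to-port table and the default action for unmatched packets are assumptions stated in the code.

```python
"""Replay packets against H3C-style advanced ACL rules (first match wins).

Added example, not the device's own code. Rules are evaluated in
rule-number order, i.e. the default 'match-order config' of the page's
ACLs 3001 and 3002 (ACL 3100 uses match-order auto, which is not modelled).
"""
import ipaddress

# Assumption: service names resolve to their standard port numbers.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "bootps": 67,
              "tftp": 69, "netbios-ns": 137, "netbios-dgm": 138,
              "netbios-ssn": 139}
ICMP_TYPES = {"echo-reply": 0, "echo": 8, "ttl-exceeded": 11}

# Constructed sample: a shortened copy of the page's ACL 3001, which is
# applied inbound on the untrust (WAN) interface.
ACL_3001 = """
rule 10 deny tcp destination-port eq 445
rule 11 deny udp destination-port eq 445
rule 159 deny icmp destination 59.40.186.205 0
rule 160 permit icmp icmp-type echo
rule 165 deny icmp
rule 202 deny tcp destination-port eq ftp
rule 204 deny tcp destination-port eq 3389
rule 205 permit tcp destination-port eq telnet
rule 2000 permit ip destination 59.40.186.192 0.0.0.15
rule 2001 permit ip destination 192.168.0.0 0.0.3.255
rule 2002 deny ip
"""


def _addr_int(text):
    """Dotted quad, or a bare integer (H3C writes a host wildcard as '0')."""
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def _port(text):
    return PORT_NAMES[text] if text in PORT_NAMES else int(text)


def parse_rule(line):
    """Parse one 'rule <id> <permit|deny> <proto> [options]' line."""
    t = line.split()
    if len(t) < 4 or t[0] != "rule":
        raise ValueError(f"not a rule line: {line!r}")
    rule = {"id": int(t[1]), "action": t[2], "proto": t[3], "source": None,
            "destination": None, "source-port": None,
            "destination-port": None, "icmp-type": None}
    i = 4
    while i < len(t):
        key = t[i]
        if key in ("source", "destination"):      # <network> <wildcard>
            rule[key] = (_addr_int(t[i + 1]), _addr_int(t[i + 2]))
            i += 3
        elif key in ("source-port", "destination-port"):
            if t[i + 1] == "eq":
                rule[key] = (_port(t[i + 2]), _port(t[i + 2]))
                i += 3
            elif t[i + 1] == "range":
                rule[key] = (_port(t[i + 2]), _port(t[i + 3]))
                i += 4
            else:
                raise ValueError(f"unsupported port operator in {line!r}")
        elif key == "icmp-type":
            rule[key] = ICMP_TYPES[t[i + 1]]
            i += 2
        else:
            raise ValueError(f"unsupported keyword {key!r} in {line!r}")
    return rule


def parse_acl(text):
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    return sorted(rules, key=lambda r: r["id"])   # match-order config


def _wildcard_hit(addr, spec):
    """Wildcard-mask match: a 1 bit in the mask means 'don't care'."""
    net, wild = spec
    return (_addr_int(addr) ^ net) & (~wild & 0xFFFFFFFF) == 0


def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    for key, field in (("source", "src"), ("destination", "dst")):
        if rule[key] is not None and not _wildcard_hit(pkt[field], rule[key]):
            return False
    for key, field in (("source-port", "sport"), ("destination-port", "dport")):
        if rule[key] is not None:
            lo, hi = rule[key]
            if not lo <= pkt.get(field, -1) <= hi:
                return False
    if rule["icmp-type"] is not None and pkt.get("icmp_type") != rule["icmp-type"]:
        return False
    return True


def evaluate(acl_text, pkt, default_action="permit"):
    """(rule id, action) of the first matching rule, else (None, default).
    Assumption: unmatched packets get the filter's default action, taken
    here as permit; ACL 3001 never reaches it because of rule 2002."""
    for rule in parse_acl(acl_text):
        if rule_matches(rule, pkt):
            return rule["id"], rule["action"]
    return None, default_action


def wildcard_range(network, wildcard):
    """First and last address covered by a network/wildcard pair."""
    net, wild = _addr_int(network), _addr_int(wildcard)
    first = net & (~wild & 0xFFFFFFFF)
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(first | wild)))


if __name__ == "__main__":
    probes = [  # constructed packets arriving from the Internet
        {"proto": "tcp", "src": "203.0.113.9", "dst": "59.40.186.200", "sport": 40001, "dport": 3389},
        {"proto": "tcp", "src": "203.0.113.9", "dst": "59.40.186.200", "sport": 40002, "dport": 23},
        {"proto": "icmp", "src": "203.0.113.9", "dst": "59.40.186.205", "icmp_type": 8},
        {"proto": "icmp", "src": "203.0.113.9", "dst": "59.40.186.200", "icmp_type": 8},
        {"proto": "tcp", "src": "203.0.113.9", "dst": "198.51.100.7", "sport": 40003, "dport": 80},
    ]
    for p in probes:
        print(p["proto"], p["dst"], p.get("dport", p.get("icmp_type")), "->", evaluate(ACL_3001, p))
    print("0.0.3.255 covers", wildcard_range("192.168.0.0", "0.0.3.255"))
```

Running it shows RDP (3389) to a public address hitting rule 204 (deny), Telnet to the same address hitting rule 205 (permit), an echo request to 59.40.186.205 hitting rule 159 before the generic echo permit, and traffic to an address outside the two permitted destination ranges falling to rule 2002. Renumbering a rule is enough to change the outcome, which is why the port-specific denies on this page all carry lower numbers than the broad permits.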