华为srg2200配置1实用模板.docx
《华为srg2200配置1实用模板.docx》由会员分享,可在线阅读,更多相关《华为srg2200配置1实用模板.docx(15页珍藏版)》请在冰豆网上搜索。
华为srg2200配置1实用模板
华为SRG2200路由器配置模板
SRG2200作为华为新一代的业务路由器设备。
其特点较之前用过的AR28-11等设备更为明显。
全面支持了IPv4/IPv6双协议栈,提供了丰富的IPv4向IPv6过渡方案,包括双栈技术、隧道技术、地址转换技术(NAT-PT)等等。
同时,其安全防护功能也大大加强。
集成的状态检测防火墙功能在抵御各种网络攻击和DDoS攻击的同时,提供完备的网络地址转换(NAT)功能,还能对应用层攻击进行实时检测与防护;集成的反病毒AV(Anti-Virus)功能,采用Symantec强效病毒库,能够有效地保护网络抵御来自病毒、钓鱼、间谍软件、广告软件等的危险;集成的反垃圾AS(Anti-Spam)功能,过滤垃圾,阻止垃圾和钓鱼攻击,支持外部反垃圾联盟RBL阻断扩展;集成的URL过滤和P2P/IM控制功能能更好的抵御对网络安全的威胁,减少对网络违规使用的行为,节约业务带宽,提高员工工作效率的同时也减少了访问违法容所带来的法律风险。
丰富的路由特性
SRG2200系列提供丰富的路由特性。
IPv6作为下一代网络的基础协议以其鲜明的技术优势得到广泛的认可,SRG2200系列全面支持IPv4/IPv6双协议栈,提供了丰富的IPv4向IPv6过渡方案,包括双栈技术、隧道技术、地址转换技术(NAT-PT)等等。
SRG2200系列支持通用的IPv4/1Pv6路由协议和IPv4组播路由协议,包括静态路由、RIPv2、RIPng、OSPFv2、OSPFv3、BGP-4、BGP-4+、IS-IS、IS-ISv6、PIM等等,同时支持MPLS、路由策略和路由迭代,从而使组网应用更加灵活。
专业级安全防御
∙集成的状态检测防火墙功能在抵御各种网络攻击和DDoS攻击的同时,提供完备的网络地址转换(NAT)功能,还能对应用层攻击进行实时检测与防护;
∙集成的VPN(IPSec&SSLVPN)功能在高性能硬件加解密芯片保障下,加密性能在业界同类产品中处于领先位置,且支持DES、3DES、AES与RSA等多种加密算法,能够提供高强度加密传输的自由安全连接;
∙集成的入侵防御系统IPS能实时检测网络系统中的信息数据,并通过综合分析和比较,判断是否有入侵和可疑行为的发生,可采用多种方式实时告警,记录攻击行为,阻断攻击者的进攻,从而更好的防护网络外部和部的攻击;
∙集成的反病毒AV(Anti-Virus)功能,采用Symantec强效病毒库,能够有效地保护网络抵御来自病毒、钓鱼、间谍软件、广告软件等的危险;
∙集成的反垃圾AS(Anti-Spam)功能,过滤垃圾,阻止垃圾和钓鱼攻击,支持外部反垃圾联盟RBL阻断扩展;
∙集成的URL过滤和P2P/IM控制功能能更好的抵御对网络安全的威胁,减少对网络违规使用的行为,节约业务带宽,提高员工工作效率的同时也减少了访问违法容所带来的法律风险。
一配置E1模块
controllerE11/0/0
channel-set0timeslot-list1-31
undoshut
二配置端口IP
1配置以太网子接口IP
interfaceGigabitEthernet0/0/0
undshut
interfaceGigabitEthernet0/0/0.1
vlan-typedot1q700
descriptiondescriptionto_DEFAULT_VLAN
ipaddress10.6.215.54255.255.255.248
iprelayaddress10.6.200.1
iprelayaddress10.6.200.9
dhcpselectrelay
interfaceGigabitEthernet0/0/0.2
vlan-typedot1q751
descriptiondescriptionto_BOSS_VPN
ipaddress10.6.158.190255.255.255.240
iprelayaddress10.6.200.1
iprelayaddress10.6.200.9
dhcpselectrelay
interfaceGigabitEthernet0/0/0.5
vlan-typedot1q810
descriptionYYT_JK
ipaddress10.6.106.38255.255.255.252
interfaceGigabitEthernet0/0/0.6
vlan-typedot1q820
descriptionYYT_TYPT
ipaddress10.6.117.86255.255.255.248
interfaceGigabitEthernet0/0/0.7
vlan-typedot1q830
descriptionYYT_PDJ
ipaddress10.6.252.86255.255.255.248
interfaceGigabitEthernet0/0/0.8
vlan-typedot1q840
descriptionYYT_ZZZD
ipaddress10.6.34.86255.255.255.248
interfaceLoopBack0
ipaddress10.6..140255.255.255.255
3配置广域网端口,启用OSPF协议。
interfaceSerial1/0/0:
0
link-protocolppp
descriptionliqiaozhen-caishikou-2m
ipaddress10.4.244.142255.255.255.252
interfaceGigabitEthernet0/0/1.1
vlan-typedot1q213
descriptionto_wangjing_7613B
ipaddress10.4.236.142255.255.255.252
;其中每个营业厅都有一个DOT1Q封装时的VLAN号。
营业厅之前不能混用。
ospf200
area0.0.0.204
network10.4.244.1400.0.0.3
network10.6.158.1760.0.0.15
network10.6..1400.0.0.0
network10.6.215.480.0.0.7
network10.4.236.1400.0.0.3
network10.6.106.360.0.0.3
network10.6.117.800.0.0.7
network10.6.252.800.0.0.7
network10.6.34.800.0.0.7
stub
4配置安全策略,实现营业厅各个网段(除广域网之外)两两不能互联。
(1)
将为各个接口设置安全策略等级,在设置防火墙策略时,priority值越高则安全级越高。
优先级高的可以访问优先级低的区域,优先级低的不能访问优先级高的区域。
firewallzoneuntrust
setpriority5
addinterfaceSerial1/0/0:
0
addinterfaceGigabitEthernet0/0/1.1;默认untrust区域一般用于设置广域网端口。
firewallzonenamedefault
setpriority90
addinterfaceGigabitEthernet0/0/0.1;新增default区域匹配到对应端口
firewallzonenameboss
setpriority80
addinterfaceGigabitEthernet0/0/0.2;新增boss区域匹配到对应端口
firewallzonenamejk
setpriority81
addinterfaceGigabitEthernet0/0/0.5;新增jk区域匹配到对应端口
firewallzonenametypt
setpriority82
addinterfaceGigabitEthernet0/0/0.6;新增typt区域匹配到对应端口
firewallzonenamepdj
setpriority83
addinterfaceGigabitEthernet0/0/0.7;新增pdj区域匹配到对应端口
firewallzonenamezzzd
setpriority84
addinterfaceGigabitEthernet0/0/0.8;新增zzzd区域匹配到对应端口
(2)配置安全策略
policyinterzonedefaultuntrustoutbound;以下配置了default区域的策略
policy1
actionpermit
policysource10.6.215.480.0.0.7
policydestination10.4.41.10
policydestination10.4.41.20
policydestination10.4.41.50
policydestination10.4.41.70
policy2
actionpermit
policysource10.6.158.1760.0.0.15
policysource10.4.236.1400.0.0.3
policysource10.6.34.800.0.0.7
policysource10.6.252.800.0.0.7
policysource10.6.117.800.0.0.7
policysource10.6.106.360.0.0.3
policysource10.6..1400
policysource10.6.215.480.0.0.7
policysource10.4.244.1400.0.0.3
policydestinationany
policy3
actionpermit
policysource10.6.215.540
policydestination10.6.200.10
policydestination10.6.200.90
policy4
actiondeny
policysourceany
policydestinationany
policyinterzonebossuntrustoutbound;以下配置了boss区域的策略
policy1
actionpermit
policysource10.6.215.480.0.0.7
policydestination10.4.41.10
policydestination10.4.41.20
policydestination10.4.41.50
policydestination10.4.41.70
policy2
actionpermit
policysource10.6.158.1760.0.0.15
policysource10.4.236.1400.0.0.3
policysource10.6.34.800.0.0.7
policysource10.6.252.800.0.0.7
policysource10.6.117.800.0.0.7
policysource10.6.106.360.0.0.3
policysource10.6..1400
policysource10.6.215.480.0.0.7
policysource10.4.244.1400.0.0.3
policydestinationany
policy3
actionpermit
policysource10.6.215.540
policydestination10.6.200.10
policydestination10.6.200.90
policy4
actiondeny
policysourceany
policydestinationany
policyinterzonejkuntrustoutbound;以下配置了jk区域的策略
policy1
actionpermit
policysource10.6.215.480.0.0.7
policydestination10.4.41.10
policydestination10.4.41.20
policydestination10.4.41.50
policydestination10.4.41.70
policy2
actionpermit
policysource10.6.158.1760.0.0.15
policysource10.4.236.1400.0.0.3
policysource10.6.34.800.0.0.7
policysource10.6.252.800.0.0.7
policysource10.6.117.800.0.0.7
policysource10.6.106.360.0.0.3
policysource10.6..1400
policysource10.6.215.480.0.0.7
policysource10.4.244.1400.0.0.3
policydestinationany
policy3
actionpermit
policysource10.6.215.540
policydestination10.6.200.10
policydestination10.6.200.90
policy4
actiondeny
policysourceany
policydestinationany
policyinterzonetyptuntrustoutbound;以下配置了typt区域的策略
policy1
actionpermit
policysource10.6.215.480.0.0.7
policydestination10.4.41.10
policydestination10.4.41.20
policydestination10.4.41.50
policydestination10.4.41.70
policy2
actionpermit
policysource10.6.158.1760.0.0.15
policysource10.4.236.1400.0.0.3
policysource10.6.34.800.0.0.7
policysource10.6.252.800.0.0.7
policysource10.6.117.800.0.0.7
policysource10.6.106.360.0.0.3
policysource10.6..1400
policysource10.6.215.480.0.0.7
policysource10.4.244.1400.0.0.3
policydestinationany
policy3
actionpermit
policysource10.6.215.540
policydestination10.6.200.10
policydestination10.6.200.90
policy4
actiondeny
policysourceany
policydestinationany
policyinterzonepdjuntrustoutbound;以下配置了pdj区域的策略
policy1
actionpermit
policysource10.6.215.480.0.0.7
policydestination10.4.41.10
policydestination10.4.41.20
policydestination10.4.41.50
policydestination10.4.41.70
policy2
actionpermit
policysource10.6.158.1760.0.0.15
policysource10.4.236.1400.0.0.3
policysource10.6.34.800.0.0.7
policysource10.6.252.800.0.0.7
policysource10.6.117.800.0.0.7
policysource10.6.106.360.0.0.3
policysource10.6..1400
policysource10.6.215.480.0.0.7
policysource10.4.244.1400.0.0.3
policydestinationany
policy3
actionpermit
policysource10.6.215.540
policydestination10.6.200.10
policydestination10.6.200.90
policy4
actiondeny
policysourceany
policydestinationany
policyinterzonezzzduntrustoutbound;以下配置了zzzd区域的策略
policy1
actionpermit
policysource10.6.215.480.0.0.7
policydestination10.4.41.10
policydestination10.4.41.20
policydestination10.4.41.50
policydestination10.4.41.70
policy2
actionpermit
policysource10.6.158.1760.0.0.15
policysource10.4.236.1400.0.0.3
policysource10.6.34.800.0.0.7
policysource10.6.252.800.0.0.7
policysource10.6.117.800.0.0.7
policysource10.6.106.360.0.0.3
policysource10.6..1400
policysource10.6.215.480.0.0.7
policysource10.4.244.1400.0.0.3
policydestinationany
policy3
actionpermit
policysource10.6.215.540
policydestination10.6.200.10
policydestination10.6.200.90
policy4
actiondeny
policysourceany
policydestinationany
(3)在全局应用策略,使得营业厅各网段两两不能互联。
firewallpacket-filterdefaultdenyinterzonedefaultbossdirectioninbound
firewallpacket-filterdefaultdenyinterzonedefaultbossdirectionoutbound
firewallpacket-filterdefaultdenyinterzonedefaultjkdirectioninbound
firewallpacket-filterdefaultdenyinterzonedefaultjkdirectionoutbound
firewallpacket-filterdefaultdenyinterzonedefaulttyptdirectioninbound
firewallpacket-filterdefaultdenyinterzonedefaulttyptdirectionoutbound
firewallpacket-filterdefaultdenyinterzonedefaultpdjdirectioninbound
firewallpacket-filterdefaultdenyinterzonedefaultpdjdirectionoutbound
firewallpacket-filterdefaultdenyinterzonedefaultzzzddirectioninbound
firewallpacket-filterdefaultdenyinterzonedefaultzzzddirectionoutbound
firewallpacket-filterdefaultdenyinterzonejkbossdirectioninbound
firewallpacket-filterdefaultdenyinterzonejkbossdirectionoutbound
firewallpacket-filterdefaultdenyinterzonetyptbossdirectioninbound
firewallpacket-filterdefaultdenyinterzonetyptbossdirectionoutbound
firewallpacket-filterdefaultdenyinterzonepdjbossdirectioninbound
firewallpacket-filterdefaultdeny
升级会员 