大家好,欢迎来到IT知识分享网。
本篇文章为“H3C防火墙开局基础配置”,主要涵盖配置管理地址、聚合端口、安全区域、安全策略、静态路由、ACL,WEB和SSH远程管理、Console、SNMP、NTP时钟、日志主机等内容,对比交换机配置开局,增加两处配置,安全区域和安全策略。方便调试人员远程管理、调试。
目录
#Step-1_设备名称配置:
system-view sysname SecPath_F1000 #Step-2_邻居发现协议:
lldp global enable#Step-3_VLAN配置:
vlan 100 # vlan 100 description For_Device_Manage#Step-4_管理IP配置:
interface Vlan-interface100 description For_DevManage_Vlanif ip address 172.28.115.253 255.255.255.0 quit interface GigabitEthernet 1/0/1 port link-mode bridge port link-type access port access vlan 100 #华三防火墙端口默认为路由口 #Step-5_链路聚接口配置:
interface Bridge-Aggregation 2 Quit # interface Ten-GigabitEthernet 1/0/20 port link-mode bridge description To_Core_S7503X_XG5/0/47 port link-aggregation group 2 interface Ten-GigabitEthernet 1/0/21 port link-mode bridge description To_Core_S7503X_XG5/0/48 port link-aggregation group 2 Quit # interface Bridge-Aggregation2 description To_Core_S7503X_BAGG1 port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 link-aggregation mode dynamic #Step-6_安全区域配置:
security-zone name Management import interface Vlan-interface100 security-zone name Trust import interface Bridge-Aggregation2 VLAN XXXX #Step-7_安全策略配置:
security-policy ip rule 1 name Any_To_Any_Permit action pass#Step-8_静态路由配置:
ip route-static 0.0.0.0 0 X.X.X.X description To_DefaultRoute#Step-9_ACL配置:
acl advanced name 3000 rule 5 permit ip source X.X.X.X 0 rule 5 comment For_Device_Manage_Server acl advanced name 3001 rule 5 permit ip source X.X.X.X 0 rule 5 comment For_eSight_Server#Step-10_本地账号配置:
local-user admin password simple Admin@123 service-type ssh http https authorization-attribute user-role network-admin quit #Step-11_SSH配置:
ssh server enable ssh server acl 3000 public-key local create rsa y 2048 # ssh user admin service-type all authentication-type password #Step-12_终端登录,Console配置:
line console 0 authentication-mode password set authentication password simple Admin@123 screen-length 0 #指定下一屏所显示的行数,取值范围为0~512,0表示一次性显示全部信息,即不进行分屏显示。 idle-timeout 10 0#Step-13_终端登录,VTY配置:
line vty 0 4 authentication-mode scheme protocol inbound ssh screen-length 0 idle-timeout 10 0 #Step-14_网络管理协议SNMP配置:
snmp-agent snmp-agent community read simple SNMP@Read mib-view view_all acl 3001 snmp-agent community write simple SNMP@Write mib-view view_all acl 3001 snmp-agent sys-info location XXXX snmp-agent sys-info version v2c snmp-agent mib-view included view_all iso snmp-agent trap enable snmp-agent target-host trap address udp-domain X.X.X.X params securityname Trap@Auth v2c #Step-15_NTP时钟配置:
clock timezone BeiJing add 08:00:00ntp-service unicast-server X.X.X.X source Vlan-interface100 #因北京处于+8时区,时间偏移量增加了8;所以在配置时,就需要在系统默认的UTC时区的基础上,加上偏移量8,才能得到预期的BJ时区。#Step-16_日志主机配置:
info-center enable info-center loghost source Vlan-interface100 info-center loghost X.X.X.X facility local6 #Step-17_保存配置:
Return # Save force 补充:
1、开启设备的ICMP超时报文的发送功能
ip ttl-expires enable 【缺省情况】ICMP超时报文发送功能处于关闭状态。 开启设备的ICMP目的不可达报文的发送功能——H3C ip unreachables enable 【缺省情况】ICMP目的不可达报文发送功能处于关闭状态。 Huawei设备默认开启;2、H3C防火墙默认用户名是admin,密码是admin
3、开启WEB服务
ip http enable ip https enable #缺省情况下,HTTP和HTTPS服务处于开启状态免责声明:本站所有文章内容,图片,视频等均是来源于用户投稿和互联网及文摘转载整编而成,不代表本站观点,不承担相关法律责任。其著作权各归其原作者或其出版社所有。如发现本站有涉嫌抄袭侵权/违法违规的内容,侵犯到您的权益,请在线联系站长,一经查实,本站将立刻删除。 本文来自网络,若有侵权,请联系删除,如若转载,请注明出处:https://haidsoft.com/157882.html
