H3C S5500 ACL implementation essentials


H3C S5500 switch configuration


Several VLANs on one port (excerpt; the commands appear in the order the source lists them, with the source's annotations translated)
[H3C]interface GigabitEthernet 1/0/2                  enter port 2
[H3C-GigabitEthernet1/0/2]port link-type trunk        set the port link type to trunk
[H3C-GigabitEthernet1/0/2]port trunk permit vlan all  not needed if the port carries a single VLAN; note that this also carries the management VLAN, so permitting only the VLANs the link needs (as with "port trunk permit vlan 122" below) is the safer choice
[H3C]pim
static-rp 192.168.100.1
undo                                                  removes a setting
[H3C]undo vlan 103                                    delete VLAN 103
[H3C]interface GigabitEthernet 1/0/3                  enter port 3
Please wait........................................... Done.
[H3C-GigabitEthernet1/0/2]quit                        port 2 is now set up and passes all VLANs
[H3C-GigabitEthernet1/0/2]port trunk permit vlan 122  add VLAN 122 to this port's trunk
[H3C-Vlan-interface104]ip address 192.168.69.1 255.255.255.0   set the VLAN interface IP address
Step 3: add the ports to be configured to their VLANs
[H3C] interface GigabitEthernet 1/0/1                 enter port 1
[H3C-GigabitEthernet1/0/1]port access vlan 101        put port 1 in VLAN 101
[H3C-GigabitEthernet1/0/3]undo port link-type         remove the port link-type setting

H3C / Huawei switch ACL basic configuration


H3C / Huawei switch ACL basic configuration. Posted 2007-8-23 19:53 by woyao, source: OSPF community space.

1. Layer-2 ACL

Network requirement: use a layer-2 access control list to filter, every day between 8:00 and 18:00, frames with source MAC 00e0-fc01-0101 and destination MAC 00e0-fc01-0303.

The host connects on GigabitEthernet0/1.

Configuration steps:
(1) Define the time range. Define the periodic time range 8:00 to 18:00:
[Quidway] time-range huawei 8:00 to 18:00 daily
(2) Define the ACL for source MAC 00e0-fc01-0101 and destination MAC 00e0-fc01-0303. Enter the view of the named layer-2 ACL traffic-of-link:
[Quidway] acl name traffic-of-link link
Define the classification rule for source MAC 00e0-fc01-0101 and destination MAC 00e0-fc01-0303:
[Quidway-acl-link-traffic-of-link] rule 1 deny ingress 00e0-fc01-0101 0-0-0 egress 00e0-fc01-0303 0-0-0 time-range huawei
(3) Activate the ACL. Activate ACL traffic-of-link on the port:
[Quidway-GigabitEthernet0/1] packet-filter link-group traffic-of-link

2. Layer-3 ACL
a) Basic ACL configuration example

Network requirement: use a basic ACL to filter, every day between 8:00 and 18:00, packets sent by the host with source IP 10.1.1.1.

The host connects on GigabitEthernet0/1.

Configuration steps:
(1) Define the time range. Define the periodic time range 8:00 to 18:00:
[Quidway] time-range huawei 8:00 to 18:00 daily
(2) Define the ACL for source IP 10.1.1.1. Enter the view of the named basic ACL traffic-of-host.

H3C 5500 detailed configuration with explanations


version 5.20, Release 1207
sysname dunan-s5500                          # rename the device
super password level 3 simple abcd123456     # password for switching to user level 3 (the source calls it the console password); stored in clear text
domain default enable system                 # default domain
telnet server enable                         # enable the Telnet server
loopback-detection enable                    # enable loopback detection
# VLANs, one per department or server area
vlan 1
 description fileserver
vlan 2
 description firewall
vlan 10
 description erp+sql+other
vlan 20
 description caiwu
vlan 30
 description waimao
vlan 40
 description bigoffice
vlan 50
 description jishubu
vlan 60
 description erchejian
vlan 70
 description huayi
vlan 80
 description zongcai
vlan 90
 description webser
vlan 130
 description wlan
radius scheme system
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
# Tying the ACL rules to policies and behaviors. Unlike the S3600 this is done in three parts: classifier, behavior, QoS policy.
traffic classifier c_vlan operator and
 if-match acl 3000
traffic classifier a_vlan operator and
 if-match acl 3001
traffic behavior d_vlan
 filter deny
traffic behavior b_vlan
 filter deny
qos policy p_vlan
 classifier c_vlan behavior b_vlan
qos policy t_vlan
 classifier a_vlan behavior d_vlan
# Management user with the highest privilege level (the source says "web user", but the service type granted is telnet; the password is stored in clear text)
local-user h3c
 password simple dafm
 service-type telnet
 level 3
# Advanced ACLs and their rules. Note that every rule denies TCP only: UDP and ICMP between these subnets are not filtered.
acl number 3000
 rule 0 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
 rule 1 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
 rule 2 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 3 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 4 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 5 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
 rule 6 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
 rule 7 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
 rule 8 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.80.0 0.0.0.255
 rule 9 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.80.0 0.0.0.255
 rule 10 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
 rule 11 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
 rule 12 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 13 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 14 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 15 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 16 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.130.0 0.0.0.255
 rule 17 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 18 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 19 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
 rule 20 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
 rule 21 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
 rule 22 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
 rule 23 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.130.0 0.0.0.255
acl number 3001
 rule 0 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 1 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 2 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule 3 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
 rule 4 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
 rule 5 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
 rule 6 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
 rule 7 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.80.0 0.0.0.255
 rule 8 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.130.0 0.0.0.255
# VLAN gateways, i.e. inter-VLAN routing
interface NULL0
interface Vlan-interface 1
 ip address 192.168.1.1 255.255.255.0
interface Vlan-interface 2
 ip address 192.168.2.2 255.255.255.0
interface Vlan-interface 10
 ip address 192.168.10.1 255.255.255.0
interface Vlan-interface 20
 ip address 192.168.20.1 255.255.255.0
interface Vlan-interface 30
 ip address 192.168.30.1 255.255.255.0
interface Vlan-interface 40
 ip address 192.168.40.1 255.255.255.0
interface Vlan-interface 50
 ip address 192.168.50.1 255.255.255.0
interface Vlan-interface 60
 ip address 192.168.60.1 255.255.255.0
interface Vlan-interface 70
 ip address 192.168.70.1 255.255.255.0
interface Vlan-interface 80
 ip address 192.168.80.1 255.255.255.0
interface Vlan-interface 90
 ip address 192.168.90.1 255.255.255.0
interface Vlan-interface 130                 # gateway of the wlan VLAN (Vlan-interface 30 already carries 192.168.30.1 above)
 ip address 192.168.130.1 255.255.255.0
# Put the ports into their VLANs; the QoS policies are applied inbound on the ports of the restricted VLANs (50, 80, 130 for p_vlan/ACL 3000; 90 for t_vlan/ACL 3001)
interface GigabitEthernet1/0/1
 port access vlan 10
interface GigabitEthernet1/0/2
 port access vlan 10
interface GigabitEthernet1/0/3
 port access vlan 10
interface GigabitEthernet1/0/4
 port access vlan 90
 qos apply policy t_vlan inbound             # apply the policy to the port
interface GigabitEthernet1/0/5
 port access vlan 20
interface GigabitEthernet1/0/6
 port access vlan 20
interface GigabitEthernet1/0/7
 port access vlan 30
interface GigabitEthernet1/0/8
 port access vlan 30
interface GigabitEthernet1/0/9
 port access vlan 40
interface GigabitEthernet1/0/10
 port access vlan 40
interface GigabitEthernet1/0/11
 port access vlan 50
 qos apply policy p_vlan inbound
interface GigabitEthernet1/0/12
 port access vlan 50
 qos apply policy p_vlan inbound
interface GigabitEthernet1/0/13
 port access vlan 60
interface GigabitEthernet1/0/14
 port access vlan 60
interface GigabitEthernet1/0/15
 port access vlan 70
interface GigabitEthernet1/0/16
 port access vlan 70
interface GigabitEthernet1/0/17
 port access vlan 80
 qos apply policy p_vlan inbound
interface GigabitEthernet1/0/18
 port access vlan 80
 qos apply policy p_vlan inbound
interface GigabitEthernet1/0/19
 port access vlan 130
 qos apply policy p_vlan inbound
interface GigabitEthernet1/0/20
 port access vlan 130
 qos apply policy p_vlan inbound
interface GigabitEthernet1/0/21
 duplex full
 flow-control
interface GigabitEthernet1/0/22
interface GigabitEthernet1/0/23
 port access vlan 2
interface GigabitEthernet1/0/24
 port access vlan 2
interface GigabitEthernet1/0/25
 shutdown
interface GigabitEthernet1/0/26
 shutdown
interface GigabitEthernet1/0/27
 shutdown
interface GigabitEthernet1/0/28
 shutdown
# Default route to the firewall
ip route-static 0.0.0.0 0.0.0.0 192.168.2.1
# SNMP
snmp-agent
snmp-agent local-engineid 800063A20300E0FC123456
snmp-agent sys-info version v3
load xml-configuration
# AUX (console) and Telnet (VTY) access with line passwords. All VTY users share one password and get level 3, and Telnet carries it in clear text.
user-interface aux 0
 authentication-mode password
 set authentication password simple abcd123456
user-interface vty 0 4
 user privilege level 3
 set authentication password cipher ^BM!.M()1=%X)AG\U/NCA!!
 protocol inbound telnet

Huawei router and switch configuration commands (switch commands):
[Quidway]dis curr                                  ; display the current configuration
[Quidway]display interfaces                        ; display interface information
[Quidway]display vlan all                          ; display VLAN information
[Quidway]display version                           ; display version information
[Quidway]super password                            ; change the privileged-user password
[Quidway]sysname                                   ; name the switch
[Quidway]interface ethernet0/1                     ; enter interface view
[Quidway]interface vlan x                          ; enter VLAN-interface view
[Quidway-Vlan-interfacex]ip address 10.65.1.1 255.255.0.0   ; configure the VLAN interface IP address
[Quidway]ip route-static 0.0.0.0 0.0.0.0 10.65.1.2 ; static default route (gateway)
[Quidway]rip                                       ; RIP on layer-3 switches
[Quidway]user-interface vty 0 4                    ; enter the virtual terminal lines
[S3026-ui-vty0-4]authentication-mode password      ; password authentication
[S3026-ui-vty0-4]set authentication password simple 222   ; set the password
[S3026-ui-vty0-4]user privilege level 3            ; user level
[Quidway]interface ethernet0/1                     ; enter port view
[Quidway]int e0/1                                  ; enter port view (abbreviated)
[Quidway-Ethernet0/1]duplex {half|full|auto}       ; duplex mode
[Quidway-Ethernet0/1]speed {10|100|auto}           ; port speed
[Quidway-Ethernet0/1]flow-control                  ; flow control
[Quidway-Ethernet0/1]mdi {across|auto|normal}      ; straight-through or crossover
[Quidway-Ethernet0/1]port link-type {trunk|access|hybrid}   ; port link type
[Quidway-Ethernet0/1]port access vlan 3            ; add the port to VLAN 3
[Quidway-Ethernet0/2]port trunk permit vlan {ID|All}   ; VLANs permitted on the trunk
[Quidway-Ethernet0/3]port trunk pvid vlan 3        ; trunk port PVID
[Quidway-Ethernet0/1]undo shutdown                 ; bring the port up
[Quidway-Ethernet0/1]shutdown                      ; shut the port down
[Quidway-Ethernet0/1]quit                          ; return
[Quidway]vlan 3                                    ; create VLAN 3
[Quidway-vlan3]port ethernet0/1                    ; add a port to the VLAN
[Quidway-vlan3]port e0/1                           ; abbreviated
[Quidway-vlan3]port ethernet0/1 to ethernet0/4     ; add a range of ports to the VLAN
[Quidway-vlan3]port e0/1 to e0/4                   ; abbreviated
[Quidway]monitor-port                              ; designate the observing (mirror) port
[Quidway]port mirror                               ; designate the mirrored port
[Quidway]port mirror int_list observing-port int_type int_num   ; mirrored ports and observing port together
[Quidway]description string                        ; VLAN description (in VLAN view)
[Quidway]undo description                          ; remove the VLAN description
[Quidway]display vlan [vlan_id]                    ; view VLAN settings
[Quidway]stp {enable|disable}                      ; spanning tree, disabled by default
[Quidway]stp priority 4096                         ; bridge priority
[Quidway]stp root {primary|secondary}              ; root bridge or backup root
[Quidway-Ethernet0/1]stp cost 200                  ; port path cost
[Quidway]link-aggregation e0/1 to e0/4 ingress|both   ; link aggregation
[Quidway]undo link-aggregation e0/1|all            ; remove an aggregation (the first port identifies the group)
[SwitchA-vlanx]isolate-user-vlan enable            ; make this VLAN the primary VLAN
[SwitchA]isolate-user-vlan secondary               ; secondary VLANs belonging to the primary VLAN
[Quidway-Ethernet0/2]port hybrid pvid vlan         ; PVID of a hybrid port
[Quidway-Ethernet0/2]undo port hybrid pvid         ; remove the hybrid PVID
[Quidway-Ethernet0/2]port hybrid vlan vlan_id_list untagged   ; untagged VLANs on a hybrid port; if a frame's VLAN ID equals the PVID the tag is stripped. Default PVID = 1.

H3C switch typical ACL (access control list) configuration tutorial


A switch's main functions include physical addressing, network topology, error checking, frame sequencing and flow control.

Switches have also gained newer functions, such as support for VLANs (virtual LANs) and link aggregation, and some even include firewall functions.

Many users are still unfamiliar with setting up ACLs; this article shows how to configure typical access control lists on H3C switches.

Configuration steps: typical ACL configuration on H3C 3600, 5600 and 5100 series switches

Common configuration
1. Following the network diagram, create four VLANs and add the corresponding port to each:
system-view
[H3C]vlan 10
[H3C-vlan10]port GigabitEthernet 1/0/1
[H3C-vlan10]vlan 20
[H3C-vlan20]port GigabitEthernet 1/0/2
[H3C-vlan20]vlan 30
[H3C-vlan30]port GigabitEthernet 1/0/3
[H3C-vlan30]vlan 40
[H3C-vlan40]port GigabitEthernet 1/0/4
[H3C-vlan40]quit
2. Configure the VLAN interface addresses:
[H3C]interface vlan 10
[H3C-Vlan-interface10]ip address 10.1.1.1 24
[H3C-Vlan-interface10]quit
[H3C]interface vlan 20
[H3C-Vlan-interface20]ip address 10.1.2.1 24
[H3C-Vlan-interface20]quit
[H3C]interface vlan 30
[H3C-Vlan-interface30]ip address 10.1.3.1 24
[H3C-Vlan-interface30]quit
[H3C]interface vlan 40
[H3C-Vlan-interface40]ip address 10.1.4.1 24
[H3C-Vlan-interface40]quit
3. Define the time range (working days, 8:00 to 18:00):
[H3C] time-range huawei 8:00 to 18:00 working-day

Requirement 1 (basic ACL)
1. Enter the view of basic ACL 2000:
[H3C] acl number 2000
2. Define a rule that filters packets sent by host 10.1.1.2 during the time range:
[H3C-acl-basic-2000] rule 1 deny source 10.1.1.2 0 time-range huawei
3. Apply ACL 2000 on the interface:
[H3C-acl-basic-2000] quit
[H3C] interface GigabitEthernet1/0/1
[H3C-GigabitEthernet1/0/1] packet-filter inbound ip-group 2000
[H3C-GigabitEthernet1/0/1] quit

Requirement 2 (advanced ACL)
1. Enter the view of advanced ACL 3000:
[H3C] acl number 3000
2. Define a rule that stops the R&D department (10.1.2.0/24) from reaching the technical support department (10.1.1.0/24):
[H3C-acl-adv-3000] rule 1 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
3. Define a rule that stops R&D from reaching the payroll query server during working hours (8:00 to 18:00):
[H3C-acl-adv-3000] rule 2 deny ip source any destination 129.110.1.2 0.0.0.0 time-range huawei
[H3C-acl-adv-3000] quit
4. Apply ACL 3000 on the R&D port:
[H3C] interface GigabitEthernet1/0/2
[H3C-GigabitEthernet1/0/2] packet-filter inbound ip-group 3000

Requirement 3 (layer-2 ACL)
1. Enter the view of layer-2 ACL 4000:
[H3C] acl number 4000
2. Define a rule that filters frames with source MAC 00e0-fc01-0101 (the mask ffff-ffff-ffff means all 48 bits must match):
[H3C-acl-ethernetframe-4000] rule 1 deny source 00e0-fc01-0101 ffff-ffff-ffff time-range huawei
3. Apply ACL 4000 on the interface:
[H3C-acl-ethernetframe-4000] quit
[H3C] interface GigabitEthernet1/0/4
[H3C-GigabitEthernet1/0/4] packet-filter inbound link-group 4000

2. Typical ACL configuration on H3C 5500-SI, 3610 and 5510 series switches (requirement 2 above)
1. Enter the view of advanced ACL 3000:
[H3C] acl number 3000
2. Define the rule that stops R&D from reaching technical support:
[H3C-acl-adv-3000] rule 1 deny ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
3. Define the rule that stops R&D from reaching the payroll query server during working hours:
[H3C-acl-adv-3000] rule 2 deny ip source any destination 129.110.1.2 0.0.0.0 time-range huawei
[H3C-acl-adv-3000] quit
4. Define a traffic classifier:
[H3C] traffic classifier abc
[H3C-classifier-abc] if-match acl 3000
[H3C-classifier-abc] quit
5. Define a traffic behavior that drops the packets matched by the classifier:
[H3C] traffic behavior abc
[H3C-behavior-abc] filter deny
[H3C-behavior-abc] quit
6. Define a QoS policy that associates the classifier with the behavior:
[H3C] qos policy abc
[H3C-qospolicy-abc] classifier abc behavior abc
[H3C-qospolicy-abc] quit
7. Apply the QoS policy on the port:
[H3C] interface g1/1/2
[H3C-GigabitEthernet1/1/2] qos apply policy abc inbound
8. Notes:
- The ACL only identifies the traffic; whether it is permitted or denied is decided by the filter action of the behavior.
- If one port must carry both permitted and denied flows, define a separate classifier and behavior for each and associate them in the same QoS policy.
- A QoS policy compares a packet with its classifiers in configuration order. When the packet matches a classifier, the associated behavior is executed and policy processing ends; the remaining classifiers are not checked, so the order of the classifier/behavior pairs decides the result.
- While a QoS policy is applied to a port, the system does not allow the referenced classifiers, behaviors or the policy itself to be modified; remove the policy from the port first.

H3C ACL introduction and configuration


ACL configuration (usually done on routers, firewalls and similar devices).

ACL categories by number:
- Basic ACL: 2000-2999
- Extended (advanced) ACL: 3000-3999
- Layer-2 ACL: 4000-4999
- User-defined ACL: 5000-5999

Commands:
[sys] firewall enable                                        enable the packet-filter firewall (routers and firewalls)
[sys] firewall default permit | deny                         change the default action (the default is permit)
[sys] acl number xxxx                                        choose the ACL type through the number
[sys-acl-basic-2000] rule [rule-id] deny | permit source ip-address wildcard   the rule ID is optional; the wildcard is an inverse mask
[sys] interface ethernet 0/1/2
[sys-ethernet0/1/2] firewall packet-filter acl-number inbound | outbound        apply the ACL on the interface
[sys] display acl all                                        show the configured ACLs
[sys] display firewall-statistics all                        show firewall statistics
<sys> reset firewall-statistics all                          clear firewall statistics
<sys> reset acl counter acl-number | all                     clear ACL counters

ACL rule matching order. ACLs support two orders: config (rules are matched in the order they were configured) and auto (depth-first: the rule with the smaller address range is matched first). The default is config. To change it:
[sys] acl number acl-number match-order auto | config

Depth-first order for a basic ACL:
1. Compare the source IP address ranges; the rule with the smaller range (more 0 bits in the wildcard) comes first.
2. If the source ranges are the same, the rule configured first comes first.

Depth-first order for an advanced ACL:
1. Compare the protocol: a rule that specifies the protocol carried by IP comes first.
2. If the protocol is the same, the rule with the smaller source IP range comes first.
3. If the source ranges are the same, the rule with the smaller destination IP range comes first.
4. If the destination ranges are the same, the rule with the smaller layer-4 (TCP/UDP) port range comes first.
5. If all of these are the same, the rule configured first comes first.

Principles for placing ACLs in a network:
1. Apply a basic ACL as close to the filtered source as possible, provided it does not affect other legitimate access.
2. Apply an advanced ACL on the port closest to the filtered source.
ACL packet filtering is a static (stateless) firewall; stateful filtering based on application-layer state is provided by ASPF.
In a layer-2 ACL the mask is written in subnet-mask style: FFFF-FFFF-FFFF means a single host and 0000-0000-0000 means all hosts.
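The matching order decides which rule a packet hits, and switching from config to auto can turn a permit into a deny. The following Python model is an added example, not code from this page or from H3C: it implements the depth-first comparison exactly as the principles above list them (protocol, then source range, then destination range, then port range, then configuration order; the VPN-instance criterion that the manual excerpt further down adds is not modeled) and evaluates a constructed advanced ACL under both orders. The ACL, its addresses and rule numbers are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # address + wildcard covering every IPv4 address


def ip_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Comware wildcard semantics: 1 bits in the wildcard are don't-care bits."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a | w) == (r | w)


def range_size(wildcard: str) -> int:
    """Addresses covered by a wildcard: 2 ** (number of 1 bits); 0.0.0.0 covers one host."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")


@dataclass(frozen=True)
class Rule:
    rule_id: int                      # the number typed in "rule N ..."
    action: str                       # "permit" or "deny"
    src: Tuple[str, str] = ANY        # (address, wildcard)
    proto: Optional[str] = None       # "tcp"/"udp"/"icmp"; None means plain "ip" (no L4 protocol given)
    dst: Tuple[str, str] = ANY
    dst_port: Optional[Tuple[int, int]] = None   # inclusive TCP/UDP destination port range
    config_index: int = 0             # order in which the rule was entered


def config_order(rules):
    """'match-order config': rules are tried by rule number, which follows typing order."""
    return sorted(rules, key=lambda r: r.rule_id)


def auto_order_basic(rules):
    """Basic ACL depth-first: smaller source range first, then configuration order."""
    return sorted(rules, key=lambda r: (range_size(r.src[1]), r.config_index))


def auto_order_advanced(rules):
    """Advanced ACL depth-first: explicit L4 protocol first, then smaller source range,
    then smaller destination range, then smaller port range, then configuration order."""
    def key(r):
        ports = (r.dst_port[1] - r.dst_port[0] + 1) if r.dst_port else 65536
        return (0 if r.proto else 1, range_size(r.src[1]), range_size(r.dst[1]), ports, r.config_index)
    return sorted(rules, key=key)


def rule_matches(r: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    if r.proto is not None and r.proto != proto:
        return False
    if r.dst_port is not None and not (r.dst_port[0] <= dport <= r.dst_port[1]):
        return False
    return ip_matches(src, *r.src) and ip_matches(dst, *r.dst)


def first_match(ordered_rules, src, dst, proto="tcp", dport=0):
    """(rule_id, action) of the first rule that matches, or None when nothing matches;
    what then happens to the packet depends on where the ACL is applied."""
    for r in ordered_rules:
        if rule_matches(r, src, dst, proto, dport):
            return r.rule_id, r.action
    return None


# Constructed ACL (assumed, not from the page): a broad permit typed first,
# a host-specific deny of telnet typed second.
ACL_3000 = [
    Rule(5, "permit", src=("10.1.0.0", "0.0.255.255"), config_index=0),
    Rule(10, "deny", src=("10.1.1.2", "0.0.0.0"), proto="tcp", dst_port=(23, 23), config_index=1),
]


def telnet_from_10_1_1_2(order):
    """Verdict for a telnet packet from 10.1.1.2 when the ACL is ordered by `order`."""
    return first_match(order(ACL_3000), "10.1.1.2", "10.1.3.1", "tcp", 23)


if __name__ == "__main__":
    print("config order:", telnet_from_10_1_1_2(config_order))          # (5, 'permit')
    print("auto order:  ", telnet_from_10_1_1_2(auto_order_advanced))   # (10, 'deny')
    # A wildcard of 0.0.0.255 ignores the host octet, so "192.168.31.1 0.0.0.255"
    # is the same rule as "192.168.31.0 0.0.0.255".
    print(ip_matches("192.168.31.200", "192.168.31.1", "0.0.0.255"))   # True
```

Under config order the broad permit (rule 5) is consulted first and the telnet deny never fires; under auto order the host-specific rule, which names a protocol and a single source address, sorts ahead of it and the packet is denied. The same function also shows why the wildcard form matters: host bits covered by 1 bits in the wildcard are simply ignored.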

H3C S5500 operation manual

Guangzhou Jinxing IT Department, 谭智, 2008-12-18
H3C S5500-EI Ethernet switch electronic manual
Chapter 1: Logging in to the Ethernet switch
1.1 Ways to log in. An S5500-EI series Ethernet switch can be accessed in the following ways: locally through the Console port; locally or remotely through an Ethernet port with Telnet; remotely through the Console port with a modem dial-up; through the web management interface; through an NMS (Network Management Station).
1.2 User interfaces
1.2.1 User interfaces supported by the switch. S5500-EI series switches support two kinds of user interface: the AUX user interface and the VTY user interface.
Boot banner excerpt:
Copyright (c) 2004-2007 Hangzhou H3C Tech. Co., Ltd.
Creation date : Dec 3 2007, 16:21:08
CPU Clock Speed : 533MHz
BUS Clock Speed : 133MHz
Once logged in, the user can configure the Console port.
2.2 Logging in through the Console port. Step 1: as shown in Figure 2-1, set up the local configuration environment by connecting the serial port of the PC (or terminal) to the Console port of the switch with the configuration cable.
Step 2: run a terminal emulator on the PC (Terminal on Windows 3.x, HyperTerminal on Windows 9x/2000/XP; Windows XP is used below), select the serial port connected to the switch and set the communication parameters to 9600 bit/s, 8 data bits, 1 stop bit, no parity and no flow control, as shown in Figures 2-2 to 2-4.

S5500-EI: using an ACL to allow TCP access in one direction only


1. Network requirement: two subnets are connected through one S5500-EI. Subnet A must be able to reach subnet B, but subnet B must not be able to reach subnet A.

2. Network diagram: port G1/0/23 of the S5500-EI connects to VLAN 100 (subnet A, 1.1.1.0/24) and port G1/0/24 connects to VLAN 200 (subnet B, 2.2.2.0/24).

The S5500-EI must run release R2202P05 or later.

3. Configuration steps:
# Ports and VLAN interfaces
[H3C]vlan 100
[H3C-vlan100]port GigabitEthernet 1/0/23
[H3C-vlan100]quit
[H3C]interface Vlan-interface 100
[H3C-Vlan-interface100]ip address 1.1.1.1 24
[H3C-Vlan-interface100]quit
[H3C]vlan 200
[H3C-vlan200]port GigabitEthernet 1/0/24
[H3C-vlan200]quit
[H3C]interface Vlan-interface 200
[H3C-Vlan-interface200]ip address 2.2.2.1 24
# ACLs. ACL 3001 matches packets of TCP connections that are already established (the established keyword matches segments with the ACK or RST flag set); ACL 3002 matches every TCP packet from subnet B to subnet A, which, once 3001 has been checked first, leaves the connection-setup (SYN) packets.
[H3C]acl number 3001
[H3C-acl-adv-3001]rule 0 permit tcp established source 2.2.2.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
[H3C-acl-adv-3001]quit
[H3C]acl number 3002
[H3C-acl-adv-3002]rule 0 permit tcp source 2.2.2.0 0.0.0.255 destination 1.1.1.0 0.0.0.255
# Traffic classifiers matching the ACLs
[H3C]traffic classifier 3001
[H3C-classifier-3001]if-match acl 3001
[H3C-classifier-3001]quit
[H3C]traffic classifier 3002
[H3C-classifier-3002]if-match acl 3002
# Traffic behaviors: permit packets of established connections, deny TCP connection requests sent from VLAN 200
[H3C]traffic behavior 3001
[H3C-behavior-3001]filter permit
[H3C-behavior-3001]quit
[H3C]traffic behavior 3002
[H3C-behavior-3002]filter deny
# QoS policy associating the classifiers with the behaviors. Classifier 3001 must come first: the policy stops at the first classifier that matches.
[H3C]qos policy 3000
[H3C-qospolicy-3000]classifier 3001 behavior 3001
[H3C-qospolicy-3000]classifier 3002 behavior 3002
# Apply the QoS policy inbound on the VLAN 200 port
[H3C]interface GigabitEthernet 1/0/24
[H3C-GigabitEthernet1/0/24]qos apply policy 3000 inbound

4. Key points:
1. Routing between the two subnets must already work before the ACLs and the QoS policy are configured.
This is a stateless filter: only TCP connection setup from B is blocked. UDP and ICMP from B to A match neither classifier and are forwarded, and any TCP segment carrying the ACK or RST flag is accepted whether or not a real connection exists, so the design restricts TCP session initiation rather than all traffic from B.
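To see why classifier order and the established keyword matter in this design, the following Python model is an added example, not code from this page or from H3C. It assumes that established matches TCP segments with the ACK or RST flag set, that a classifier matches when any rule of its ACL matches (the action in the ACL rule is ignored, as the notes on QoS policies earlier on this page state), and that a packet matching no classifier is forwarded. The subnets are the page's; the test packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Subnets from the page: VLAN 100 = 1.1.1.0/24 (subnet A), VLAN 200 = 2.2.2.0/24 (subnet B)
NET_A = ("1.1.1.0", "0.0.0.255")
NET_B = ("2.2.2.0", "0.0.0.255")


def ip_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard semantics: 1 bits in the wildcard are don't-care bits."""
    a, r, w = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, wildcard))
    return (a | w) == (r | w)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                              # "tcp", "udp" or "icmp"
    flags: FrozenSet[str] = frozenset()     # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class AclRule:
    proto: str                              # "tcp", "udp", "icmp" or "ip" (any IP protocol)
    src: Tuple[str, str]                    # (address, wildcard)
    dst: Tuple[str, str]
    established: bool = False               # the 'established' keyword: ACK or RST must be set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return ip_matches(p.src, *self.src) and ip_matches(p.dst, *self.dst)


# One entry per "classifier X behavior Y" statement, in the order entered in the QoS policy:
# (classifier name, ACL rules it matches on, filter action of its behavior)
Policy = List[Tuple[str, List[AclRule], str]]


def apply_policy(policy: Policy, p: Packet) -> str:
    """The first classifier whose ACL matches wins and evaluation stops (the page's note on
    QoS policies). A packet that matches no classifier is forwarded: there is no implicit deny."""
    for _name, rules, action in policy:
        if any(rule.matches(p) for rule in rules):
            return action
    return "permit"


# ACL 3001: established TCP from B to A. ACL 3002: any TCP from B to A.
ACL_3001 = [AclRule("tcp", NET_B, NET_A, established=True)]
ACL_3002 = [AclRule("tcp", NET_B, NET_A)]

# qos policy 3000 as applied inbound on the VLAN 200 port: 3001 -> permit, then 3002 -> deny.
POLICY_3000: Policy = [("3001", ACL_3001, "permit"), ("3002", ACL_3002, "deny")]
# The same two entries in the opposite order, to show that the order decides the result.
POLICY_REVERSED: Policy = list(reversed(POLICY_3000))


def decide(p: Packet, policy: Policy = POLICY_3000) -> str:
    return apply_policy(policy, p)


def demo() -> dict:
    """Constructed packets entering the switch from VLAN 200 (subnet B) towards subnet A."""
    host_b, host_a = "2.2.2.10", "1.1.1.5"
    cases = {
        "B opens TCP to A (SYN)": Packet(host_b, host_a, "tcp", frozenset({"SYN"})),
        "B answers a connection from A (SYN+ACK)": Packet(host_b, host_a, "tcp", frozenset({"SYN", "ACK"})),
        "bare ACK from B (ACK-scan style probe)": Packet(host_b, host_a, "tcp", frozenset({"ACK"})),
        "UDP from B": Packet(host_b, host_a, "udp"),
        "ICMP from B": Packet(host_b, host_a, "icmp"),
    }
    return {label: decide(p) for label, p in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:42s} -> {verdict}")
    synack = Packet("2.2.2.10", "1.1.1.5", "tcp", frozenset({"SYN", "ACK"}))
    print("SYN+ACK with the classifiers reversed   ->", decide(synack, POLICY_REVERSED))
```

With the page's order, a SYN from B is denied while B's replies to connections opened from A are permitted; reversing the two classifier lines denies the replies too and breaks A's access. The last three cases are the limits of the design: a bare ACK, UDP and ICMP from B all pass, because the filter is stateless and only TCP is classified.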

H3C ACL configuration manual

The numbers and names of layer-2 ACLs and user-defined ACLs are globally unique; the numbers and names of IPv4 basic and advanced ACLs are unique only among IPv4 ACLs, and those of IPv6 basic and advanced ACLs only among IPv6 ACLs.

1.1.3 ACL matching order
An ACL consists of one or more statements describing the packet matching options; each such statement is called a rule. Because the matching options differ from rule to rule, rules can overlap or even contradict one another, so when a packet is compared with the rules of an ACL a defined matching order is needed to decide which rule takes priority. ACLs support two matching orders:
- Configuration order: rules are matched in the order the user configured them, though in essence the system matches by rule number from smallest to

Table 1-2 Depth-first ordering rules for each ACL type
IPv4 basic ACL:
1. A rule that carries a VPN instance comes before one that does not.
2. If both carry (or neither carries) a VPN instance, the rule with the smaller source IPv4 address range comes first.
3. If the source ranges are also the same, the rule configured first comes first.
IPv4 advanced ACL:
1. A rule that carries a VPN instance comes before one that does not.
2. If the VPN-instance situation is the same, the rule that specifies the protocol carried by IPv4 comes first.
3. If the protocol ranges are also the same, the rule with the smaller source IPv4 address range comes first.

Contents
1 ACL configuration
  1.1 ACL overview
    1.1.1 ACL categories
    1.1.2 ACL numbers and names
    1.1.3 ACL matching order
    1.1.4 ACL step
    1.1.5 ACL effective time ranges
    1.1.6 Handling of IPv4 fragments by ACLs
    1.1.7 Flow templates
    1.1.8 ACL applications
  1.2 ACL configuration task list
  1.3 Configuring ACLs
    1.3.1 Configuring the effective time range of an ACL
    1.3.2 Configuring a basic ACL
    1.3.3 Configuring an advanced ACL
    1.3.4 Configuring a layer-2 ACL
    1.3.5 Configuring a user-defined ACL
    1.3.6 Copying an ACL
    1.3.7 Configuring a flow template
    1.3.8 Configuring the ACL key length mode
  1.4 Displaying and maintaining ACLs
  1.5 ACL configuration examples
    1.5.1 IPv4 ACL configuration example
    1.5.2 IPv6 ACL configuration example
    1.5.3 Flow template configuration example
    1.5.4 ACL key length mode configuration example

H3C layer-3 switch S5500: initial configuration and network access policy


Author: 饮马闪客. Published 2014-7-31 22:00, Thursday. Category: networking.

The following is the initial configuration of an H3C S5500 series switch. First connect to the CONSOLE port of the switch and use HyperTerminal to reach the command-line interface.

Configure the VLAN 1 address:
<HG-S5500> sys
System View: return to User View with Ctrl+Z.
[HG-S5500] interface Vlan-interface 1
[HG-S5500-Vlan-interface1] ip address 192.168.254.1 24
Enable the web and telnet services (both are unencrypted; restrict them to the management network):
[HG-S5500] ip http enable
[HG-S5500] telnet server enable
Create a management user:
[HG-S5500] local-user admin
Set its password:
[HG-S5500-luser-admin] password cipher admin110
Allow the user to use the web service:
[HG-S5500-luser-admin] service-type web
Allow the user to use the telnet service:
[HG-S5500-luser-admin] service-type telnet
Give the user administrator level:
[HG-S5500-luser-admin] authorization-attribute level 3
Telnet (VTY) access, authenticated with local or remote username and password (scheme):
[HG-S5500] user-interface vty 0 4
[HG-S5500-ui-vty0-4] authentication-mode scheme
Static default route to the outside (the next hop is the address of the interface through which the uplink comes in):
[HG-S5500] ip route-static 0.0.0.0 0.0.0.0 192.168.254.2

Access policy per subnet, using VLAN 31 as the example. Create VLAN 31:
[HG-S5500] vlan 31
Configure the VLAN 31 address:
[HG-S5500] interface Vlan-interface 31
[HG-S5500-Vlan-interface31] ip address 192.168.31.1 24
Access rules for the 31 subnet: it may reach the 34 and 35 subnets and no other subnet. ACL 3100 names what it may reach:
[HG-S5500] acl number 3100
[HG-S5500-acl-adv-3100] rule permit ip source 192.168.31.1 0.0.0.255 destination 192.168.34.0 0.0.0.255
[HG-S5500-acl-adv-3100] rule permit ip source 192.168.31.1 0.0.0.255 destination 192.168.35.0 0.0.0.255
ACL 3600 names what it may not reach:
[HG-S5500] acl number 3600
[HG-S5500-acl-adv-3600] rule permit ip source 192.168.31.1 0.0.0.255 destination 192.168.0.0 0.0.255.255
(With the wildcard 0.0.0.255 the last octet is ignored, so "192.168.31.1 0.0.0.255" covers the whole 192.168.31.0/24 subnet.)
Note first that the S5500 does not support packet-filter, so VLAN policies have to be built with QoS. Continuing with VLAN 31, define classifier h3100:
[HG-S5500] traffic classifier h3100
[HG-S5500-classifier-h3100] if-match acl 3100
Define classifier h3600:
[HG-S5500] traffic classifier h3600
[HG-S5500-classifier-h3600] if-match acl 3600
Create behavior hb3100 to permit and hb3600 to deny:
[HG-S5500] traffic behavior hb3100
[HG-S5500-behavior-hb3100] filter permit
[HG-S5500] traffic behavior hb3600
[HG-S5500-behavior-hb3600] filter deny
Create the QoS policy:
[HG-S5500] qos policy hvlan31
Bind classifiers to behaviors, the permit pair first:
[HG-S5500-qospolicy-hvlan31] classifier h3100 behavior hb3100
[HG-S5500-qospolicy-hvlan31] classifier h3600 behavior hb3600
Bind the QoS policy to the VLAN:
[HG-S5500] qos vlan-policy hvlan31 vlan 31 inbound
Because the policy stops at the first matching classifier, traffic from VLAN 31 to the 34 and 35 subnets is permitted by h3100 before h3600 is consulted, traffic to any other 192.168.0.0/16 subnet is denied, and traffic that matches neither (for example towards the internet through the default route) is forwarded.

Factory reset (erases the saved configuration):
<HG-S5500> reset saved-configuration
Confirm with Y:
<HG-S5500> Y
Reboot for it to take effect:
<HG-S5500> reboot
Save the configuration:
[HG-S5500] save
The current configuration will be written to the device. Are you sure? [Y/N]: y
Please input the file name(*.cfg)[flash:/20130115.cfg](To leave the existing filename unchanged, press the enter key): 20140408.cfg
Note: to write the policy for another VLAN, repeat the steps from the VLAN 31 part onward.

H3C S5500 basic configuration approach and useful commands


1. Overall approach:
1) Create VLAN 1 and add the relevant ports to it. (Ports can be added in bulk only from VLAN view: port e1/0/1 to e1/0/24.)
2) Create VLAN 2 and make it the management VLAN (management-vlan 2 in system view); only then can its VLAN interface be given an IP address.
3) Add a static route.
4) Configure trunk ports.
5) Configure authentication for remote (VTY) login.
6) Configure local users.

2. Enter system view:
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C]dis
[H3C]display cur
3. Set the switch hostname:
sysname H3C
4. Create a VLAN:
vlan 1
From VLAN view the ports can be added in one command (otherwise they have to be added one at a time):
port e1/0/1 to e1/0/24
5. Set the management VLAN:
management-vlan 2
6. Give the management VLAN interface an IP address:
interface Vlan-interface 2
 ip address 10.10.40.176 255.255.255.0
7. Add a port to a VLAN (in interface view):
port access vlan 1
8. Remote login and AAA authentication mode:
user-interface vty 0 4
 authentication-mode scheme
9. Local user and attributes for AAA authentication:
local-user test
 password simple testpwd
 authorization-attribute level 3
Alternative form on some releases:
local-user test
 password simple test
 level 3
10. Configure a port as a trunk:
port link-type trunk
port trunk permit vlan all
11. Add a static route:
ip route-static 0.0.0.0 0.0.0.0 10.10.40.1
12. View the routing table:
[H3C]display ip routing-table
Routing Tables: Public
        Destinations : 7        Routes : 7
Destination/Mask    Proto   Pre  Cost  NextHop         Interface
0.0.0.0/0           Static  60   0     10.10.40.1      Vlan2
10.10.40.0/24       Direct  0    0     10.10.40.180    Vlan2
10.10.40.180/32     Direct  0    0     127.0.0.1       InLoop0
127.0.0.0/8         Direct  0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1       InLoop0
192.168.76.0/24     Direct  0    0     192.168.76.3    Vlan1
192.168.76.3/32     Direct  0    0     127.0.0.1       InLoop0
13. Show the running configuration:
[H3C]display current-configuration
14. Port and VLAN up/down status:
[H3C]display brief interface
The brief information of interface(s) under route mode:
Interface   Link   Protocol-link   Protocol type   Main IP
NULL0       UP     UP(spoofing)    NULL            --
Vlan1       UP     UP              ETHERNET        192.168.76.3
Vlan2       UP     UP              ETHERNET        10.10.40.180
The brief information of interface(s) under bridge mode:
Interface   Link   Speed   Duplex    Link-type   PVID
GE1/0/1     UP     1G(a)   full(a)   access      1
GE1/0/2     DOWN   auto    auto      access      1
GE1/0/3     DOWN   auto    auto      access      1
[H3C]display brief interface Vlan-interface 1
The brief information of interface(s) under route mode:
Interface   Link   Protocol-link   Protocol type   Main IP
Vlan1       UP     UP              ETHERNET        192.168.76.3
15. MAC address table:
[H3C]display mac-address
16. MAC address table of one port (no command given in the source).
17. ARP table:
[H3C]display arp
Type: S-Static   D-Dynamic
IP Address       MAC Address      VLAN ID   Interface   Aging   Type
192.168.76.56    0016-eca2-d69d   1         GE1/0/1     20      D
192.168.76.131   0016-3642-e888   1         GE1/0/1     19      D
192.168.76.171   0024-1d6e-6fbe   1         GE1/0/1     13      D
10.10.40.1       0018-742d-4fc0   2         GE1/0/19    14      D
192.168.76.1     0018-742d-4fc0   1         GE1/0/19    10      D
18. Backing up the configuration with TFTP
1) Find the configuration file name and directory with dir. The file may be startup.cfg or config.cfg, in flash:/ or in unit1>flash:/:
<jyzx-px-zhongxin>dir flash:/
Directory of flash:/
   0  -rw-            Aug 11 2010 16:27:52   s5500tpsi-cmw520-r2202p11.bin
   1  -rw-      2365  Apr 26 2000 12:13:58   startup.cfg    (the configuration file)
31496 KB total (23460 KB free)
<jyzx-bg-3-d>dir
Directory of unit1>flash:/
   1      -rw-      3146  Jan 01 2004 00:00:00   config.def
   2 (*)  -rw-            Mar 25 2011 16:51:52   s31si_e-cmw310-r2211p07.bin
   3 (*)  -rw-    886025  Jan 01 2004 00:00:00   h3c-http3.1.9-0019.web
   4 (*)  -rw-      2834  Apr 03 2000 01:20:33   config.cfg     (the configuration file)
7239 KB total (2739 KB free)
(*) -with main attribute   (b) -with backup attribute   (*b) -with both main and backup attribute
<jyzx-bg-4-x>tftp 172.16.8.91 put unit1>flash:/config.cfg 10.10.40.185.txt
File will be transferred in binary mode.
Sending file to remote tftp server. Please wait... |
TFTP: 2979 bytes sent in 0 second(s).
File uploaded successfully.
<jyzx-bg-4-x>dir
Directory of unit1>flash:/
   1      -rw-      3146  Jan 01 2004 00:00:00   config.def
   2 (*)  -rw-            Mar 25 2011 16:51:52   s31si_e-cmw310-r2211p07.bin
   3 (*)  -rw-    886025  Jan 01 2004 00:00:00   h3c-http3.1.9-0019.web
   4 (*)  -rw-      2979  Apr 02 2000 07:17:02   config.cfg
7239 KB total (2739 KB free)
(*) -with main attribute   (b) -with backup attribute   (*b) -with both main and backup attribute
2) Define an ACL that permits only the TFTP server's address:
acl number 2000
 rule permit source 172.16.8.91 0
[jyzx-px-zhongxin]acl number 2000
[jyzx-px-zhongxin-acl-basic-2000]rule permit source 172.16.8.91 ?
  0          Wildcard bits : 0.0.0.0 ( a host )
  X.X.X.X    Wildcard of source
[jyzx-px-zhongxin-acl-basic-2000]rule permit source 172.16.8.91 0
3) Bind the ACL so that the switch will only talk to TFTP servers it permits: tftp-server acl 2000
[jyzx-px-zhongxin]tftp-server acl 2000
The ACL number does not exist or contains no rule. Continue? [Y/N]:y     (this prompt appears if the ACL has not been configured yet)
[jyzx-px-zhongxin]tftp client source ip 172.16.8.91
4) Back up the configuration file into the directory of the TFTP server software (in user view, the ">" prompt):
tftp 172.16.8.91 put flash:/startup.cfg               (no destination name: the file keeps the source name)
tftp 172.16.8.91 put flash:/startup.cfg startup.txt   (save the configuration as a .txt file)
<jyzx-px-zhongxin>tftp 172.16.8.91 put flash:/startup.cfg
File will be transferred in binary mode
Sending file to remote TFTP server. Please wait... \
TFTP: 2365 bytes sent in 0 second(s).
File uploaded successfully.
<jyzx-px-zhongxin>tftp 172.16.8.91 put flash:/startup.cfg 10.10.40.177.txt
File will be transferred in binary mode
Sending file to remote TFTP server. Please wait... \
TFTP: 2365 bytes sent in 0 second(s).
File uploaded successfully.
5) Summary. In system view, configure the ACL and the TFTP server ACL:
acl number 2000
 rule permit source 172.16.8.91 0
 quit
tftp-server acl 2000
save
In user view, back up the configuration:
tftp 172.16.8.91 put flash:/startup.cfg 10.10.40.177.txt
TFTP has no authentication or encryption and the file it carries holds every password on the device, some of them in clear text ("password simple"), so keep the ACL tight and run the transfer over a management network only.
19. Stop log messages from being pushed to the terminal:
[jyzx-bg-4-x]undo info-center enable
% Information center is disabled
20. Problems encountered. Problem 1: system-view does not enter system view. Problem 2: the VLAN interface IP address cannot be configured. Cause: the local-user's authorization attributes are wrong; level 3 must be set.
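A configuration backed up this way contains every credential on the device, and several of the configurations on this page store them with "simple" (clear text) and expose management over Telnet and HTTP. The following Python script is an added example, not code from this page or from H3C: it scans a saved Comware configuration for those issues, for VTY lines that share a single password, and for advanced ACLs whose deny rules match TCP only (as ACL 3000 and 3001 in the S5500 configuration above do, leaving UDP and ICMP unfiltered). The sample configuration is constructed from fragments on this page; the checks and messages are the example's own.

```python
import re
from typing import Dict, List, Set, Tuple

Finding = Tuple[int, str, str]   # (line number, offending line, message); line 0 = finding about a whole ACL

# Single-line checks, applied to each line with leading blanks removed.
LINE_CHECKS = [
    (re.compile(r"^super password(?: level \d+)? simple\b"),
     "super password stored in clear text; store it with 'cipher'"),
    (re.compile(r"^password simple\b"),
     "local-user password stored in clear text; store it with 'cipher'"),
    (re.compile(r"^set authentication password simple\b"),
     "line password stored in clear text; store it with 'cipher'"),
    (re.compile(r"^telnet server enable\b"),
     "Telnet management enabled; sessions and passwords cross the network unencrypted"),
    (re.compile(r"^ip http enable\b"),
     "HTTP web management enabled; credentials are sent unencrypted"),
    (re.compile(r"^snmp-agent community\b"),
     "SNMP v1/v2c community string present in the configuration"),
]
RULE_RE = re.compile(r"^rule(?: \d+)? (permit|deny) (\S+)")


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    view = ""                                   # "vty", "acl:<number>" or "" (top level)
    deny_protocols: Dict[str, Set[str]] = {}    # advanced ACL number -> protocols named in its deny rules
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        for pattern, message in LINE_CHECKS:
            if pattern.match(line):
                findings.append((lineno, line, message))
        # Track the view: '#' separates sections in a saved Comware configuration, and a new
        # top-level view command ends the previous view.
        if line == "#":
            view = ""
        elif line.startswith("user-interface vty"):
            view = "vty"
        elif line.startswith("acl number "):
            number = line.split()[2]
            view = "acl:" + number
            if 3000 <= int(number) <= 3999:     # only advanced ACLs name a protocol
                deny_protocols.setdefault(number, set())
        elif line.startswith(("user-interface ", "interface ", "local-user ", "vlan ")):
            view = ""
        if view == "vty" and line.startswith("authentication-mode password"):
            findings.append((lineno, line,
                             "VTY lines share one password; use 'authentication-mode scheme' with per-user accounts"))
        if view.startswith("acl:") and view[4:] in deny_protocols:
            m = RULE_RE.match(line)
            if m and m.group(1) == "deny":
                deny_protocols[view[4:]].add(m.group(2))
    for number, protocols in deny_protocols.items():
        if protocols == {"tcp"}:
            findings.append((0, f"acl number {number}",
                             "every deny rule matches TCP only; UDP and ICMP between these subnets still pass "
                             "(use 'deny ip' to block all IP traffic)"))
    return findings


# Constructed sample, stitched together from the configuration fragments on this page.
SAMPLE_CONFIG = """\
 sysname dunan-s5500
 super password level 3 simple abcd123456
#
 telnet server enable
 ip http enable
#
acl number 2000
 rule permit source 172.16.8.91 0
#
acl number 3000
 rule 0 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
 rule 1 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
#
local-user h3c
 password simple dafm
 service-type telnet
 level 3
#
 tftp-server acl 2000
#
user-interface aux 0
 authentication-mode password
 set authentication password simple abcd123456
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher ^BM!.M()1=%X)AG\\U/NCA!!
 user privilege level 3
 protocol inbound telnet
"""

if __name__ == "__main__":
    for lineno, line, message in audit(SAMPLE_CONFIG):
        print(f"line {lineno:>3}: {line}\n          {message}")
```

Run against a file pulled off the switch with "tftp ... put", the script points at the lines to fix before the backup is stored anywhere shared. The AUX line's "authentication-mode password" is deliberately not flagged as a shared VTY password: a console line has only one user, whereas the VTY lines are reached over the network by everyone.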

H3C ACL operation manual

H3C S3610 & S5510 series Ethernet switches operation manual: ACL
Contents
Chapter 1 ACL overview
  1.1 ACL overview
    1.1.1 ACL overview
    1.1.2 How ACLs are applied on the switch
  1.2 IPv4 ACLs
    1.2.1 IPv4 ACL categories
    1.2.2 IPv4 ACL naming
    1.2.3 IPv4 ACL matching order
    1.2.4 Handling of fragments by IPv4 ACLs
  1.3 IPv6 ACLs
    1.3.1 IPv6 ACL categories
    1.3.2 IPv6 ACL naming
    1.3.3 IPv6 ACL matching order

H3C official training, chapter 7: ACL principles and basic configuration


An ACL (Access Control List) is a security policy tool for controlling network traffic.

Based on a given set of rules it filters and restricts the traffic entering and leaving a network device, and so controls and protects access to network resources.

How an ACL works: the ACL checks packets passing through a router or switch against its configured rules and decides whether to let them through.

An ACL consists of permit and deny rules. A packet that matches a permit rule is allowed through; a packet that matches a deny rule is dropped. Rules are tried in order and the first rule that matches decides.

Basic ACL configuration (in Comware syntax, as used elsewhere on this page):
1. Create the ACL, choosing its type through the number (basic 2000-2999, advanced 3000-3999) and optionally the matching order:
[H3C] acl number acl-number [match-order {config | auto}]
2. Add rules, each with an optional rule ID, the action, and the source address with its wildcard; an advanced ACL also takes the protocol and the destination address:
[H3C-acl-basic-2000] rule [rule-id] {permit | deny} source {ip-address wildcard | any}
[H3C-acl-adv-3000] rule [rule-id] {permit | deny} ip source {ip-address wildcard | any} destination {ip-address wildcard | any}
3. Apply the ACL to an interface in the inbound or outbound direction:
[H3C] interface interface-type interface-number
[H3C-if] packet-filter {inbound | outbound} ip-group acl-number      (switches that support packet-filter)
[H3C-if] firewall packet-filter acl-number {inbound | outbound}       (routers and firewalls)

Advantages of ACLs:
1. Flexibility and precision: an ACL can filter on several fields at once, such as source IP address, destination IP address and transport-layer protocol, giving fine-grained selection.

2. Security: an ACL can restrict access from particular IP addresses or protocols, adding to the security of the network.

H3C switch (S5500) policy-based routing configuration notes

I have written up policy-based routing on a Huawei S8508 before; this time I ran into an H3C S5500, whose configuration differs somewhat from the Huawei switch.

The configuration is roughly as follows.

Topology diagram: (figure not reproduced)

Network layout:
User 1 network: 172.16.1.0/24
User 2 network: 192.168.1.0/24
Link to Internet exit 1: 172.16.100.0/24
Link to Internet exit 2: 192.168.100.0/24
Goal: user 1 leaves through Internet exit 1 and user 2 through Internet exit 2.

How it is achieved: configure a default route on the Layer 3 switch that sends packets to 192.168.100.253, then use policy-based routing to send everything from the user 2 network 192.168.1.0/24 to 172.16.100.253.

Configuration steps (interface configuration and similar steps are omitted here):

1. First create the default route, sending all packets to 192.168.100.253, the next hop toward exit 2:
[H3C5500] ip route-static 0.0.0.0 0.0.0.0 192.168.100.253
2. Configure traffic classifier 1, matching traffic from 172.16.1.0/24:
[H3C5500] acl number 3001
[H3C5500-acl-adv-3001] rule 0 permit ip source 172.16.1.0 0.0.0.255
[H3C5500-acl-adv-3001] quit
[H3C5500] traffic classifier 1
[H3C5500-classifier-1] if-match acl 3001
[H3C5500-classifier-1] quit
3. Configure the behavior for the classifier just defined: on a match, set the next hop to exit 1, i.e. 172.16.100.253:
[H3C5500] traffic behavior 1
[H3C5500-behavior-1] redirect next-hop 172.16.100.253
[H3C5500-behavior-1] quit
4. Bind the classifier and behavior in a QoS policy, policy 1:
[H3C5500] qos policy 1
[H3C5500-qospolicy-1] classifier 1 behavior 1
[H3C5500-qospolicy-1] quit
5. Apply QoS policy 1 on the interface:
[H3C5500] interface GigabitEthernet 1/0/15
[H3C5500-GigabitEthernet1/0/15] qos apply policy 1 inbound
[H3C5500-GigabitEthernet1/0/15] quit
The configuration is now complete.

H3C 5500 detailed configuration with explanations

version 5.20, Release 1207
sysname dunan-s5500                          (rename the device)
super password level 3 simple abcd123456     (set the console/privilege password)
domain default enable system                 (descriptive line)
telnet server enable                         (enable the telnet service)
loopback-detection enable                    (enable loopback detection)

VLAN section:
vlan 1
description fileserver
vlan 2
description firewall
vlan 10
description erp+sql+other
vlan 20
description caiwu
vlan 30
description waimao
vlan 40
description bigoffice
vlan 50
description jishubu
vlan 60
description erchejian
vlan 70
description huayi
vlan 80
description zongcai
vlan 90
description webser
vlan 130
description wlan

radius scheme system
domain system                                (descriptive line)
access-limit disable
state active
idle-cut disable
self-service-url disable

Define the policies and behaviors from the ACL rules. This differs from the 3600: it is done in three parts (classifier, behavior, policy):
traffic classifier c_vlan operator and
if-match acl 3000
traffic classifier a_vlan operator and
if-match acl 3001
traffic behavior d_vlan
filter deny
traffic behavior b_vlan
filter deny
qos policy p_vlan
classifier c_vlan behavior b_vlan
qos policy t_vlan
classifier a_vlan behavior d_vlan

Set the web/telnet access user and password, with the highest privilege level:
local-user h3c
password simple dafm
service-type telnet
level 3

Create the advanced ACLs and their rules:
acl number 3000
rule 0 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
rule 1 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
rule 2 ... 0.0.0.255
rule 3 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 4 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 5 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
rule 6 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
rule 7 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
rule 8 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.80.0 0.0.0.255
rule 9 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.80.0 0.0.0.255
rule 10 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
rule 11 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
rule 12 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 13 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 14 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 15 ... 0.0.0.255
rule 16 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.130.0 0.0.0.255
rule 17 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 18 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 19 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
rule 20 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
rule 21 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
rule 22 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.90.0 0.0.0.255
rule 23 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.130.0 0.0.0.255
acl number 3001
rule 0 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 2 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 3 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 4 ... 0.0.0.255
rule 5 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
rule 6 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
rule 7 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.80.0 0.0.0.255
rule 8 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.130.0 0.0.0.255

Configure the VLAN gateways (this is what provides inter-VLAN routing):
interface NULL0
interface Vlan-interface 1
ip address 192.168.1.1 255.255.255.0
interface Vlan-interface 2
ip address 192.168.2.2 255.255.255.0
interface Vlan-interface 10
ip address 192.168.10.1 255.255.255.0
interface Vlan-interface 20
ip address 192.168.20.1 255.255.255.0
interface Vlan-interface 30
ip address 192.168.30.1 255.255.255.0
interface Vlan-interface 40
ip address 192.168.40.1 255.255.255.0
interface Vlan-interface 50
ip address 192.168.50.1 255.255.255.0
interface Vlan-interface 60
ip address 192.168.60.1 255.255.255.0
interface Vlan-interface 70
ip address 192.168.70.1 255.255.255.0
interface Vlan-interface 80
ip address 192.168.80.1 255.255.255.0
interface Vlan-interface 90
ip address 192.168.90.1 255.255.255.0
interface Vlan-interface 130      (the source repeats "Vlan-interface 30" here, which would re-address VLAN 30; 192.168.130.1 belongs to the wlan VLAN 130)
ip address 192.168.130.1 255.255.255.0

Assign the ports to VLANs; "qos apply policy ... inbound" binds a policy to that port:
interface GigabitEthernet1/0/1
port access vlan 10
interface GigabitEthernet1/0/2
port access vlan 10
interface GigabitEthernet1/0/3
port access vlan 10
interface GigabitEthernet1/0/4
port access vlan 90
qos apply policy t_vlan inbound
interface GigabitEthernet1/0/5
port access vlan 20
interface GigabitEthernet1/0/6
port access vlan 20
interface GigabitEthernet1/0/7
port access vlan 30
interface GigabitEthernet1/0/8
port access vlan 30
interface GigabitEthernet1/0/9
port access vlan 40
interface GigabitEthernet1/0/10
port access vlan 40
interface GigabitEthernet1/0/11
port access vlan 50
qos apply policy p_vlan inbound
interface GigabitEthernet1/0/12
port access vlan 50
qos apply policy p_vlan inbound
interface GigabitEthernet1/0/13
port access vlan 60
interface GigabitEthernet1/0/14
port access vlan 60
interface GigabitEthernet1/0/15
port access vlan 70
interface GigabitEthernet1/0/16
port access vlan 70
interface GigabitEthernet1/0/17
port access vlan 80
qos apply policy p_vlan inbound
interface GigabitEthernet1/0/18
port access vlan 80
qos apply policy p_vlan inbound
interface GigabitEthernet1/0/19
port access vlan 130
qos apply policy p_vlan inbound
interface GigabitEthernet1/0/20
port access vlan 130
qos apply policy p_vlan inbound
interface GigabitEthernet1/0/21
duplex full
flow-control
interface GigabitEthernet1/0/22
interface GigabitEthernet1/0/23
port access vlan 2
interface GigabitEthernet1/0/24
port access vlan 2
interface GigabitEthernet1/0/25
shutdown
interface GigabitEthernet1/0/26
shutdown
interface GigabitEthernet1/0/27
shutdown
interface GigabitEthernet1/0/28
shutdown

Default route to the firewall:
ip route-static 0.0.0.0 0.0.0.0 192.168.2.1

SNMP settings:
snmp-agent
snmp-agent local-engineid 800063A20300E0FC123456
snmp-agent sys-info version v3
load xml-configuration

Enable AUX and telnet access and set the console access password:
user-interface aux 0
authentication-mode password
set authentication password simple abcd123456
user-interface vty 0 4
user privilege level 3
set authentication password cipher ^BM!.M()1=%X)AG\U/NCA!!
protocol inbound telnet

Huawei router/switch configuration commands (switch commands):
[Quidway]dis curr                                     ; show the current configuration
[Quidway]display interfaces                           ; show interface information
[Quidway]display vlan all                             ; show all VLANs
[Quidway]display version                              ; show version information
[Quidway]super password                               ; change the privileged-user password
[Quidway]sysname                                      ; name the switch
[Quidway]interface ethernet0/1                        ; enter interface view
[Quidway]interface vlan x                             ; enter VLAN-interface view
[Quidway-Vlan-interfacex]ip address 10.65.1.1 255.255.0.0 ; set the VLAN interface IP address
[Quidway]ip route-static 0.0.0.0 0.0.0.0 10.65.1.2    ; static route = default gateway
[Quidway]rip                                          ; Layer 3 switch support
[Quidway]user-interface vty 0 4                       ; enter the virtual terminal lines
[S3026-ui-vty0-4]authentication-mode password         ; set password authentication
[S3026-ui-vty0-4]set authentication-mode password simple 222 ; set the password
[S3026-ui-vty0-4]user privilege level 3               ; user privilege level
[Quidway]interface ethernet0/1                        ; enter port view
[Quidway]int e0/1                                     ; enter port view (abbreviated)
[Quidway-Ethernet0/1]duplex {half|full|auto}          ; set the port duplex mode
[Quidway-Ethernet0/1]speed {10|100|auto}              ; set the port speed
[Quidway-Ethernet0/1]flow-control                     ; enable port flow control
[Quidway-Ethernet0/1]mdi {across|auto|normal}         ; set straight-through / crossover
[Quidway-Ethernet0/1]port link-type {trunk|access|hybrid} ; set the port link type
[Quidway-Ethernet0/1]port access vlan 3               ; add the current port to VLAN 3
[Quidway-Ethernet0/2]port trunk permit vlan {ID|All}  ; set the VLANs permitted on the trunk
[Quidway-Ethernet0/3]port trunk pvid vlan 3           ; set the trunk port PVID
[Quidway-Ethernet0/1]undo shutdown                    ; bring the port up
[Quidway-Ethernet0/1]shutdown                         ; shut the port down
[Quidway-Ethernet0/1]quit                             ; return
[Quidway]vlan 3                                       ; create VLAN 3
[Quidway-vlan3]port ethernet0/1                       ; add a port to the VLAN
[Quidway-vlan3]port e0/1                              ; abbreviated form
[Quidway-vlan3]port ethernet0/1 to ethernet0/4        ; add a range of ports to the VLAN
[Quidway-vlan3]port e0/1 to e0/4                      ; abbreviated form
[Quidway]monitor-port                                 ; set the observing (mirror destination) port
[Quidway]port mirror                                  ; set the mirrored port
[Quidway]port mirror int_list observing-port int_type int_num ; set mirrored and observing ports together
[Quidway]description string                           ; set the VLAN description
[Quidway]undo description                             ; remove the VLAN description
[Quidway]display vlan [vlan_id]                       ; show VLAN settings
[Quidway]stp {enable|disable}                         ; enable/disable spanning tree (off by default)
[Quidway]stp priority 4096                            ; set the switch bridge priority
[Quidway]stp root {primary|secondary}                 ; set as root or backup root
[Quidway-Ethernet0/1]stp cost 200                     ; set the port path cost
[Quidway]link-aggregation e0/1 to e0/4 ingress|both   ; aggregate ports
[Quidway]undo link-aggregation e0/1|all               ; remove aggregation; the first port is the channel number
[SwitchA-vlanx]isolate-user-vlan enable               ; set the primary VLAN
[SwitchA]isolate-user-vlan secondary                  ; set the secondary VLANs contained in the primary VLAN
[Quidway-Ethernet0/2]port hybrid pvid vlan            ; set the hybrid port PVID
[Quidway-Ethernet0/2]undo port hybrid pvid            ; remove the hybrid port PVID
[Quidway-Ethernet0/2]port hybrid vlan vlan_id_list untagged ; set untagged VLANs: if a frame's VLAN ID equals the PVID the tag is stripped; the default PVID is 1

H3C S5500 V2 basic configuration and configuration commands

H3C S5500 V2 series basic configuration

1. Configure the switch web interface
<h3c>sys                                           (enter system view)
[h3c]int vlan 1                                    (enter VLAN-interface 1)
[h3c-int-vlan 1]undo ip address                    (remove the existing address)
[h3c-int-vlan 1]ip add 2.10.3.1 255.255.255.0      (set the web-interface IP address)
[h3c-int-vlan 1]quit                               (return to the previous level)
[h3c]ip http enable                                (enable the web service)
[h3c]local-user admin                              (create a local user, here named admin)
[h3c-admin]password simple admin                   (set the local password, here admin)
[h3c-admin]service-type telnet level 3             (telnet service at privilege level 3)
[h3c-admin]quit                                    (return to the previous level)
[h3c]local-user admin
[h3c-admin]service-type terminal telnet http https (access methods permitted for the user)
[h3c-admin]quit                                    (return to the previous level)
Note: once the above is done, connect a PC and browse to 2.10.3.1 with IE.

2. Dividing the switch into VLANs
<h3c>sys                                           (enter system view)
[h3c]vlan 2                                        (create VLAN 2)
[h3c-vlan 2]quit                                   (return to the previous level)
[h3c]vlan 3                                        (create VLAN 3)
[h3c-vlan 3]quit                                   (return to the previous level)
[h3c]vlan 2                                        (enter VLAN 2)
[h3c-vlan 2]port g1/0/1 to g1/0/12                 (assign ports 1-12 to VLAN 2)
[h3c-vlan 2]quit                                   (return to the previous level)
[h3c]vlan 3                                        (enter VLAN 3)
[h3c-vlan 3]port g1/0/13 to g1/0/24                (assign ports 13-24 to VLAN 3)
Note: this follows the site requirement that the 24-port switch be split into two VLANs of twelve ports each.

3. Inter-VLAN IP connectivity
[h3c]int vlan 2
[h3c-vlan-interface 2]ip add 192.168.2.1 255.255.255.0
[h3c-vlan-interface 2]quit
[h3c]int vlan 3
[h3c-vlan-interface 3]ip add 192.168.3.1 255.255.255.0
[h3c-vlan-interface 3]quit
Note: after this, hosts on VLAN 2 ports and VLAN 3 ports can reach each other.

Typical configuration of the QoS Remark DSCP feature on the H3C S5500-EI

Published: 2008-06-03. Views: 418.

1. Requirements:
The topology is shown below; the goals are:
(1) traffic from the 10.1.1.0 subnet is forwarded normally by the S5500-EI;
(2) all other traffic (represented in the figure by the 20.1.1.0 subnet) has its DSCP value re-marked to EF after passing through the S5500-EI.

2. Topology diagram: (figure not reproduced)

3. Configuration steps:
(1) Configure the VLANs (omitted here).
(2) Configure an ACL matching the 10.1.1.0 subnet:
acl number 2000
rule 5 deny source 10.1.1.0 0.0.0.255
(3) Configure an ACL matching everything except the 10.1.1.0 subnet:
acl number 2001
rule 5 permit
(4) Define the classes:
traffic classifier permit operator and
if-match acl 2000
traffic classifier remark operator and
if-match acl 2001
(5) Define the behaviors:
traffic behavior permit
filter permit        // the normal-forwarding behavior
traffic behavior remark
remark dscp ef       // the Remark DSCP behavior
(6) Define the policy:
qos policy test
classifier permit behavior permit
classifier remark behavior remark
(7) Apply to the ports:
interface GigabitEthernet1/0/10
qos apply policy test inbound   // apply inbound on port 10
interface GigabitEthernet1/0/20
qos apply policy test inbound   // apply inbound on port 20 (the source writes "policy 1234" here, but "test" is the only policy defined)

4. Key configuration point: the traffic must be separated with two ACLs, one for the permit case and one for the deny case.

H3C S5600 switch: configuring access control lists (ACLs)

1. Topology:
1. The enterprise network interconnects its departments through the gigabit ports of the Switch.

The management department connects on GigabitEthernet1/0/1, the technical support department on GigabitEthernet1/0/2, and the R&D department on GigabitEthernet1/0/3.

2. The payroll query server has address 129.110.1.2 and MAC 00e0-fc01-0303; the technical support department uses 10.1.1.0/24; the R&D department host has MAC 00e0-fc01-0101.

2. Requirements:
1. Configure ACLs so that the R&D department cannot reach the payroll query server during working hours, 8:00 to 18:00.

2. Using a basic ACL, filter packets from the host with source IP 10.1.1.1 every day between 8:00 and 18:00.

3. Using a Layer 2 ACL, filter frames with source MAC 00e0-fc01-0101 and destination MAC 00e0-fc01-0303 every day between 8:00 and 18:00.

3. Configuration steps:
1. Define the time range:
[Quidway] time-range huawei 8:00 to 18:00 working-day
2. Enter the view of advanced ACL 3000:
[Quidway] acl number 3000
3. Define the rule:
[Quidway-acl-adv-3000] rule 1 deny ip source any destination 129.110.1.2 0.0.0.0 time-range huawei
4. Enter interface GigabitEthernet1/0/1:
[Quidway-acl-adv-3000] interface GigabitEthernet1/0/1
5. Apply ACL 3000 on the interface:
[Quidway-GigabitEthernet1/0/1] packet-filter inbound ip-group 3000
6. Enter the view of basic ACL 2000:
[Quidway-GigabitEthernet1/0/1] acl number 2000
7. Define the rule:
[Quidway-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range huawei
8. Enter interface GigabitEthernet1/0/2:
[Quidway-acl-basic-2000] interface GigabitEthernet1/0/2
9. Apply ACL 2000 on the interface:
[Quidway-GigabitEthernet1/0/2] packet-filter inbound ip-group 2000
10. Enter the view of Layer 2 ACL 4000:
[Quidway-GigabitEthernet1/0/2] acl number 4000
11. Define the rule:
[Quidway-acl-ethernetframe-4000] rule 1 deny source 00e0-fc01-0101 ffff-ffff-ffff dest 00e0-fc01-0303 ffff-ffff-ffff time-range huawei
12. Enter interface GigabitEthernet1/0/3:
[Quidway-acl-ethernetframe-4000] interface GigabitEthernet1/0/3
13. Apply ACL 4000 on the interface:
[Quidway-GigabitEthernet1/0/3] packet-filter inbound link-group 4000

4. Key configuration point: the time-range name can be chosen freely, but the rules must reference it exactly as defined (the steps above use "huawei" throughout).

(Compiled 2021) H3C S5500 basic configuration approach and useful commands

H3C S5500 basic configuration approach and useful commands

1. Overall approach:
1) Create VLAN 1 and add the relevant ports to it (only in VLAN view can several ports be added at once: interface e 1/0/1 to e 1/0/24).
2) Create VLAN 2 and make it the management VLAN (in system view: management-vlan 2); only then can its VLAN-interface IP address be set.
3) Add the static route.
4) Configure trunk mode on the uplink port.
5) Configure VTY authentication for remote login.
6) Configure the local user.

2. Enter system view (System View):
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C]dis
[H3C]display cur
3. Set the switch hostname (sysname):
sysname H3C
4. Create a VLAN:
vlan 1
In this view the relevant ports can be added to the VLAN directly (otherwise they must be added one port at a time):
interface e 1/0/1 to e 1/0/24
5. Configure the management VLAN (management-vlan):
management-vlan 2
6. Give the management VLAN an IP address:
interface Vlan-interface1
ip address 10.

acl number 3000
rule 0 permit ip source 10.9.71.0 0.0.0.255 destination 10.9.71.0 0.0.0.255
rule 1 permit ip source 10.9.71.0 0.0.0.255 destination 10.9.12.0 0.0.0.255
rule 2 permit ip source 10.9.71.0 0.0.0.255 destination 10.9.9.1 0
rule 3 permit ip source 10.9.71.0 0.0.0.255 destination 10.9.17.0 0.0.0.31
......
acl number 3001
rule 0 deny ip source 10.9.71.0 0.0.0.255
#
traffic classifier permit operator or
if-match acl 3000
traffic classifier deny operator or
if-match acl 3001
#
traffic behavior permit
filter permit
traffic behavior deny
filter deny
#
qos policy test
classifier permit behavior permit
classifier deny behavior deny
#
interface g1/0/1
qos apply policy test inbound
interface g1/0/2
qos apply policy test inbound

Notes:
The ACL only distinguishes the traffic flows; whether a flow is permitted or denied is decided by the filter action in the behavior.
If one port carries both flows to permit and flows to deny, define a separate traffic classifier and traffic behavior for each and associate them in the same QoS policy.
The QoS policy matches a packet against its classifiers in configuration order; once the packet matches a classifier, the behavior bound to that classifier is executed and policy processing ends, so the remaining classifiers are not tried.
After a QoS policy has been applied to a port, the system does not allow the traffic classifiers, traffic behaviors or the QoS policy it uses to be modified until the policy is removed from the port.
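To make the notes above concrete, here is an added Python model (not the page's or H3C's code) of how policy "test" classifies a packet: Comware wildcard-mask matching, ACL rules used purely as match criteria as the note states, and first-match classifier order. The hypothetical POLICY_SWAPPED is an assumption added to show why classifier order matters.

```python
# Added example: a model of an H3C S5500 QoS policy built from ACLs. It follows
# the page's note: an ACL rule's own permit/deny is ignored (the ACL only selects
# a flow), the behavior's filter decides, and the first matching classifier wins.
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware wildcard mask: a 1 bit is 'don't care', a 0 bit must match ("0" = host)."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_rule(line: str) -> dict:
    """Parse 'rule N permit|deny ip [source A W] [destination B W]'."""
    tok = line.split()
    rule = {"id": int(tok[1]), "action": tok[2], "source": None, "destination": None}
    for key in ("source", "destination"):
        if key in tok:
            i = tok.index(key)
            rule[key] = (tok[i + 1], tok[i + 2])  # (address, wildcard)
    return rule

def rule_hits(rule: dict, src: str, dst: str) -> bool:
    """A rule hits when every criterion it carries matches the packet."""
    for key, addr in (("source", src), ("destination", dst)):
        crit = rule[key]
        if crit is not None and not wildcard_match(addr, *crit):
            return False
    return True

def acl_hits(rules: list, src: str, dst: str) -> bool:
    # Only the match criteria count here; rule["action"] is deliberately not consulted.
    return any(rule_hits(r, src, dst) for r in rules)

def apply_policy(policy: list, acls: dict, src: str, dst: str) -> str:
    """policy: ordered (acl_number, filter_action) pairs, one per classifier.
    Returns the filter action of the first hit, or 'forward' if nothing matched."""
    for acl_no, filter_action in policy:
        if acl_hits(acls[acl_no], src, dst):
            return filter_action  # first hit ends evaluation; later classifiers are skipped
    return "forward"

# Constructed sample mirroring the page's acl 3000 / 3001 and QoS policy 'test'.
ACLS = {
    3000: [parse_rule(line) for line in (
        "rule 0 permit ip source 10.9.71.0 0.0.0.255 destination 10.9.71.0 0.0.0.255",
        "rule 1 permit ip source 10.9.71.0 0.0.0.255 destination 10.9.12.0 0.0.0.255",
        "rule 2 permit ip source 10.9.71.0 0.0.0.255 destination 10.9.9.1 0",
        "rule 3 permit ip source 10.9.71.0 0.0.0.255 destination 10.9.17.0 0.0.0.31")],
    3001: [parse_rule("rule 0 deny ip source 10.9.71.0 0.0.0.255")],
}
POLICY_TEST = [(3000, "permit"), (3001, "deny")]     # classifier order as on the page
POLICY_SWAPPED = [(3001, "deny"), (3000, "permit")]  # hypothetical: deny now shadows permit
```

With POLICY_TEST, 10.9.71.5 to 10.9.12.3 is permitted and 10.9.71.5 to 8.8.8.8 is denied; with POLICY_SWAPPED the same 10.9.12.3 packet is denied, which is the ordering pitfall the note warns about.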