华为上网行为管理器操作手册


上网行为管理操作手册
2022年4月25日
一、网络拓扑图 (1)
二、网络规划 (1)
三、IP地址分配 (1)
四、账号分配表 (4)
五、主要设备账户及密码 (6)
1、上网行为管理路由器 (6)
2、核心交换机 (6)
3、研发交换机 (6)
4、综合交换机 (6)
5、硬盘录像机 (6)
6、无线AP (6)
六、主要配置 (7)
1、上网行为管理器配置 (7)
1、创建部门 (7)
2、给每个部门创建用户 (7)
3、创建用户组 (8)
4、给用户组添加部门 (9)
5、新建上网认证策略 (9)
6、配置认证选项 (9)
7、配置外网接口网络 (10)
8、配置内网接口网络 (11)
9、配置管理接口网络 (11)
10、配置静态路由 (12)
11、配置策略路由 (12)
12、配置带宽策略 (13)
13、配置源NAT (15)
14、配置虚拟服务器(端口映射) (16)
15、配置域间规则 (17)
16、配置本地策略 (17)
2、交换机 (18)
一、网络拓扑图
二、网络规划
三、IP地址分配
四、账号分配表
五、主要设备账户及密码
1、上网行为管理路由器
IP地址:1.1.1.1
2、核心交换机
3、研发交换机
4、综合交换机
5、硬盘录像机
6、无线AP
六、主要配置
1、上网行为管理器配置
1、创建部门
2、给每个部门创建用户
1)创建账号及密码
2)加入所属部门
3)加入所属用户组
3、创建用户组
4、给用户组添加部门
5、新建上网认证策略
1)填写局域网的所有网段
2)使用用户名密码认证
6、配置认证选项
1)启用radius单点登录
2)配置密码有效期
3)注销无流量的已认证用户时间
7、配置外网接口网络
8、配置内网接口网络
9、配置管理接口网络
10、配置静态路由
11、配置策略路由
1)内网口允许所有用户通过
2)外网口允许所有用户通过
3)管理口允许所有用户通过
12、配置带宽策略
1)WAN-LAN允许所有用户通过并且不限流
2)LAN-WAN允许所有用户通过并且不限流
13、配置源NAT
1)WAN->LAN
2)LAN->WAN
14、配置虚拟服务器(端口映射)
15、配置域间规则
WAN->LAN、LAN->WAN、DMZ->LAN、LAN->DMZ、WAN->DMZ、DMZ->WAN 所有域间规则的动作都是放行(permit)。(注:WAN->LAN 与 WAN->DMZ 全部放行意味着设备不对来自外网的入站流量做任何过滤,建议仅放行第14步端口映射所需的地址和端口,其余方向按业务需要收紧。)
16、配置本地策略
1)源安全域LAN口所有源地址动作都放行(permit)
2)源安全域WAN口所有源地址动作都放行(permit)
3)源安全域DMZ口所有源地址动作都放行(permit)
(注:本地策略通常控制的是访问设备自身的流量;WAN口对所有源地址放行,相当于把设备自身的管理服务暴露给外网,建议改为仅允许指定的管理地址。)
2、交换机
核心交换机
#
!Software Version V100R005C01SPC100
sysname HeXin
#
vlan batch 30 40 50 100 to 102
#
# Enables DHCP and binds 192.168.1.88 to one MAC, once per VLAN 30 and once
# per port GigabitEthernet0/0/10.
# NOTE(review): a static binding is only enforced on ports where a user-bind
# check is switched on; no "ip source check user-bind enable" or
# "arp anti-attack check user-bind enable" line is visible in this core-switch
# listing, so confirm on the device whether the binding is actually checked.
dhcp enable
user-bind static ip-address 192.168.1.88 mac-address 0022-681c-eacf vlan 30
user-bind static ip-address 192.168.1.88 mac-address 0022-681c-eacf interface GigabitEthernet0/0/10
#
undo http server enable
#
drop illegal-mac alarm
#
ip pool vlan30
ip pool vlan40
ip pool vlan50
#
# Basic ACL 2000: drop packets sourced from 192.168.30.0/24, permit the rest.
# ACLs 2001-2003 are declared with no rules.
# NOTE(review): no traffic-filter (or any other reference to ACL 2000) is
# visible in this listing, so the deny rule may not be applied anywhere on
# this switch; confirm, then either bind it or remove the unused ACLs.
acl number 2000
rule 5 deny source 192.168.30.0 0.0.0.255
rule 10 permit
#
acl number 2001
#
acl number 2002
#
acl number 2003
#
ip pool vlan30
gateway-list 192.168.1.254
network 192.168.1.0 mask 255.255.255.0
dns-list 221.228.255.1 114.114.114.114
#
ip pool vlan40
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
static-bind ip-address 192.168.30.27 mac-address 0022-681c-eacf
dns-list 221.228.255.1 114.114.114.114
#
ip pool vlan50
gateway-list 192.168.40.254
network 192.168.40.0 mask 255.255.255.0
dns-list 221.228.255.1 114.114.114.114
#
# AAA section: default schemes and domains plus the local "admin" account.
# NOTE(review): the local-user line below is two commands fused by page
# extraction ("local-user admin password cipher ..." and
# "local-user admin privilege level 3").
# NOTE(review): "cipher" is the reversible storage form, and the string is
# published in this manual, so the password should be treated as disclosed:
# rotate it on the device, keep secrets out of shared documents, and store it
# with "irreversible-cipher" on software releases that support that keyword.
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher 6)'^BYE(;F31<%AOH#3\4Q!! local-user admin privilege level 3
#
interface Vlanif1
#
interface Vlanif30
ip address 192.168.1.1 255.255.255.0
dhcp select global
#
interface Vlanif40
ip address 192.168.30.254 255.255.255.0
dhcp select global
#
interface Vlanif50
ip address 192.168.40.254 255.255.255.0
#
interface Vlanif100
ip address 192.168.100.1 255.255.255.0
#
interface Vlanif101
ip address 1.1.1.2 255.255.255.0
#
interface Vlanif102
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/4
port default vlan 30
#
interface GigabitEthernet0/0/5 port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/6 port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/7 port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/8 port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/9 port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/10 port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/11 port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/12 port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/13 port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/14 port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/15
port default vlan 40
#
interface GigabitEthernet0/0/16
port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/17
port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/18
port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/19
port link-type access
port default vlan 50
#
interface GigabitEthernet0/0/20
port link-type access
port default vlan 50
#
# Uplink ports: 0/0/21, 0/0/22 and 0/0/24 are trunks, 0/0/23 is an access port
# in VLAN 101 (the Vlanif101 1.1.1.2/24 segment).
# NOTE(review): each trunk passes VLANs 2-4094 although this switch only
# creates VLANs 30, 40, 50 and 100-102 ("vlan batch" above). Limiting
# allow-pass to the VLANs the neighbour really needs keeps a VLAN created
# later from being extended to every uplink automatically.
interface GigabitEthernet0/0/21
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/22
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/23
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/24
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface NULL0
#
# Static routes; page extraction fused several commands onto the second and
# third lines (and a trailing "#" separator onto the third).
# Three default routes are configured. 1.1.1.1 is the address the manual gives
# for the behaviour-management router and is on the Vlanif101 subnet.
# NOTE(review): 58.214.246.29 and 58.214.246.30 are not in any subnet
# configured on an interface in this listing; if they are leftovers, remove
# them so that egress can only go through the filtering gateway.
# NOTE(review): 192.168.30.0/24 is routed to 192.168.100.3 while Vlanif40 on
# this switch is itself 192.168.30.254/24, the same address the YunYing
# listing assigns to its Vlanif40 — check for a duplicate gateway address.
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
ip route-static 0.0.0.0 0.0.0.0 58.214.246.30 ip route-static 0.0.0.0 0.0.0.0 58.214.246.29
ip route-static 192.168.10.0 255.255.255.0 192.168.100.2 ip route-static 192.168.20.0 255.255.255.0 192.168.100.2 ip route-static 192.168.30.0 255.255.255.0 192.168.100.3 #
snmp-agent
snmp-agent local-engineid 000007DB7F000001000060DC snmp-agent sys-info version v3
#
# Console and remote-login (VTY 0-4) lines.
# "idle-timeout 0 0" switches the console inactivity logout off, so a session
# left open on the console port stays logged in.
# VTY logins are authenticated through AAA; "user privilege level 15" sets the
# interface-level privilege to the maximum.
# NOTE(review): with AAA the level on the local-user normally takes
# precedence, which would make level 15 only a fallback — confirm, and lower
# or remove it so that a login can never end up with more than intended.
# NOTE(review): no "protocol inbound ssh" and no ACL on the VTY lines is
# visible here; confirm that remote management is SSH-only and limited to
# management source addresses.
user-interface con 0
idle-timeout 0 0
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
#
port-group 1
group-member GigabitEthernet0/0/1
group-member GigabitEthernet0/0/2
group-member GigabitEthernet0/0/3
group-member GigabitEthernet0/0/4
group-member GigabitEthernet0/0/5
group-member GigabitEthernet0/0/6
group-member GigabitEthernet0/0/7
group-member GigabitEthernet0/0/8
group-member GigabitEthernet0/0/9
group-member GigabitEthernet0/0/10
#
port-group 2
group-member GigabitEthernet0/0/11
group-member GigabitEthernet0/0/12
group-member GigabitEthernet0/0/13
group-member GigabitEthernet0/0/14
group-member GigabitEthernet0/0/15
group-member GigabitEthernet0/0/16
group-member GigabitEthernet0/0/17
group-member GigabitEthernet0/0/18
#
port-group 3
group-member GigabitEthernet0/0/19
group-member GigabitEthernet0/0/20
#
return
研发交换机
#
sysname YanFa
#
vlan batch 1 10 20 100 to 101
#
# Cluster management plus neighbour and topology discovery (NDP/NTDP) are
# enabled globally; the port stanzas further down repeat "ntdp enable" and
# "ndp enable" on every interface, including the access ports.
# NOTE(review): if cluster management is not actually used, turning these off
# on user-facing access ports reduces what an attached host can learn about
# the switch and its neighbours.
cluster enable
ntdp enable
ntdp hop 16
ndp enable
#
voice-vlan mac-address 0001-e300-0000 mask ffff-ff00-0000 description Siemens phone
voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000 description Cisco phone
voice-vlan mac-address 0004-0d00-0000 mask ffff-ff00-0000 description Avaya phone
voice-vlan mac-address 0060-b900-0000 mask ffff-ff00-0000 description Philips/NEC phone
voice-vlan mac-address 00d0-1e00-0000 mask ffff-ff00-0000 description Pingtel phone
voice-vlan mac-address 00e0-7500-0000 mask ffff-ff00-0000 description Polycom phone
voice-vlan mac-address 00e0-bb00-0000 mask ffff-ff00-0000 description 3com phone
#
undo http server enable
#
# Basic ACLs (source-address match only). 2001 drops sources in
# 192.168.30.0/24, 2003 drops sources in 192.168.40.0/24; both permit the
# rest. 2000 and 2002 are declared with no rules.
# NOTE(review): only ACL 2003 is referenced by a traffic-filter in this
# listing; ACL 2001 does not appear to be bound anywhere — confirm whether
# the 192.168.30.0/24 restriction was meant to be enforced.
acl number 2000
#
acl number 2001
rule 5 deny source 192.168.30.0 0.0.0.255
rule 10 permit
#
acl number 2002
#
acl number 2003
rule 5 deny source 192.168.40.0 0.0.0.255
rule 10 permit
#
dhcp server ip-pool vlan
#
dhcp server ip-pool vlan10
network 192.168.10.0 mask 255.255.255.0
gateway-list 192.168.10.254
dns-list 221.228.255.1 114.114.114.114
#
dhcp server ip-pool vlan20
network 192.168.20.0 mask 255.255.255.0 gateway-list 192.168.20.254
dns-list 221.228.255.1 114.114.114.114
#
interface Vlanif1
#
interface Vlanif10
description yanfa
ip address 192.168.10.254 255.255.255.0 #
interface Vlanif20
ip address 192.168.20.254 255.255.255.0 #
interface Vlanif100
ip address 192.168.100.2 255.255.255.0 #
interface Vlanif101
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 10
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/5 port link-type access
port default vlan 10
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/6 port link-type access
port default vlan 10
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/7 port link-type access
port default vlan 10
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/8 port link-type access
port default vlan 10
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/9 port link-type access
port default vlan 10
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/10 port link-type access
port default vlan 10
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/11
port link-type access
port default vlan 20
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/12
port link-type access
port default vlan 20
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/13
port link-type access
port default vlan 20
user-bind static ip-address 192.168.20.20 vlan 20 bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/14
port link-type access
port default vlan 20
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/15
port link-type access
port default vlan 20
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/16
port link-type access
port default vlan 20
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/17 port link-type access
port default vlan 20
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/18 port link-type access
port default vlan 20
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/19 port link-type access
port default vlan 20
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/20 port link-type access
port default vlan 20
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/21 port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/22 port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/23 port link-type access
bpdu enable
ntdp enable
ndp enable
#
# Uplink port: default VLAN 1, all VLANs 1-4094 allowed.
# NOTE(review): "port trunk allow-pass" is present without a visible
# "port link-type trunk" line; it may have been lost in extraction — confirm
# the link type on the device.
# NOTE(review): passing VLAN 1 and every other VLAN is broader than the
# VLANs this switch creates (1, 10, 20, 100, 101); restrict allow-pass to the
# ones the uplink needs.
interface GigabitEthernet0/0/24
port default vlan 1
port trunk allow-pass vlan 1 to 4094
bpdu enable
ntdp enable
ndp enable
#
interface NULL0
#
# Applies ACL 2003 to VLAN 10 in both directions: packets whose source is in
# 192.168.40.0/24 are dropped (rule 5), everything else is permitted (rule 10).
# NOTE(review): ACL 2003 matches the source address only, so packets sent
# from VLAN 10 towards 192.168.40.0/24 are not matched by rule 5. If the two
# networks are meant to be fully isolated, an ACL that also matches the
# destination is needed — confirm the intent.
traffic-filter vlan 10 inbound acl 2003 rule 5
traffic-filter vlan 10 inbound acl 2003 rule 10
traffic-filter vlan 10 outbound acl 2003 rule 5
traffic-filter vlan 10 outbound acl 2003 rule 10
#
# AAA section: default schemes and domains plus the local "admin" account.
# NOTE(review): the "password cipher" line below is two commands fused by
# page extraction (the second is "local-user admin level 3").
# NOTE(review): "cipher" is the reversible storage form, and the string is
# published in this manual, so the password should be treated as disclosed:
# rotate it, and store it with "irreversible-cipher" on software releases
# that support that keyword.
# NOTE(review): "ftp-directory flash:" gives this account the root of flash
# as its FTP directory. Whether the FTP server is enabled is not visible
# here; if it is, the saved configuration is reachable over an unencrypted
# protocol — confirm, and prefer SFTP.
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher E(/GLH9$P#'Q=^Q`MAF4<1!! local-user admin level 3
local-user admin ftp-directory flash:
#
dhcp server forbidden-ip 192.168.10.254
dhcp server forbidden-ip 192.168.20.254
dhcp enable
#
# Five default routes with different next hops.
# NOTE(review): of these next hops only 192.168.100.1 is on a subnet that
# this switch has an address in (Vlanif100, 192.168.100.2/24). 1.1.1.1,
# 2.2.2.1 and the two 58.214.246.x addresses are not directly connected in
# this listing; if they are leftovers from testing, remove them so that the
# only way out is through the core switch and the filtering gateway.
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
ip route-static 0.0.0.0 0.0.0.0 2.2.2.1
ip route-static 0.0.0.0 0.0.0.0 58.214.246.29
ip route-static 0.0.0.0 0.0.0.0 58.214.246.30
#
# Console and remote-login (VTY 0-4) lines. VTY logins are authenticated
# through AAA; "user privilege level 15" sets the interface-level privilege
# to the maximum.
# NOTE(review): with AAA the level on the local-user normally takes
# precedence, which would make level 15 only a fallback — confirm, and lower
# or remove it.
# NOTE(review): no "protocol inbound ssh" and no ACL on the VTY lines is
# visible here; confirm that remote management is SSH-only and limited to
# management source addresses.
user-interface con 0
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
#
port-group 1
group-member GigabitEthernet0/0/1
group-member GigabitEthernet0/0/2
group-member GigabitEthernet0/0/3
group-member GigabitEthernet0/0/4
group-member GigabitEthernet0/0/5
group-member GigabitEthernet0/0/6
group-member GigabitEthernet0/0/7
group-member GigabitEthernet0/0/8
group-member GigabitEthernet0/0/9
group-member GigabitEthernet0/0/10
#
port-group 2
group-member GigabitEthernet0/0/11
group-member GigabitEthernet0/0/12
group-member GigabitEthernet0/0/13
group-member GigabitEthernet0/0/14
group-member GigabitEthernet0/0/15
group-member GigabitEthernet0/0/16
group-member GigabitEthernet0/0/17
group-member GigabitEthernet0/0/18
group-member GigabitEthernet0/0/19
group-member GigabitEthernet0/0/20
#
return
综合交换机
#
!Software Version V100R005C01SPC100
sysname YunYing
#
vlan batch 40 100
#
cluster enable
ntdp enable
ntdp hop 16
ndp enable
#
bpdu enable
#
# Enables DHCP, DHCP snooping (globally) and DHCP server detection, and binds
# 192.168.30.35 to one MAC on port Ethernet0/0/1.
# NOTE(review): snooping is enabled only at the global level in this listing;
# no per-interface or per-VLAN "dhcp snooping enable" and no trusted uplink
# are visible, so it may not be filtering anything yet — confirm on the device.
dhcp enable
dhcp snooping enable
dhcp server detect
user-bind static ip-address 192.168.30.35 mac-address 50e5-49e6-a424 interface Ethernet0/0/1
#
undo http server enable
#
# AAA section: default schemes and domains plus two local accounts,
# "admin" and "yunying".
# NOTE(review): "local-user admin password simple admin" stores the password
# in clear text, and the password equals the user name. The account's only
# service type is http and the HTTP server is switched off earlier in this
# listing ("undo http server enable"), so it should not be usable for login
# today, but it becomes a default-credential login the moment HTTP is
# enabled. Delete the account or give it a strong, non-reversible password.
# NOTE(review): the yunying line is two commands fused by page extraction.
# Its cipher string is identical to the one on the core switch's admin
# account, which suggests the same password is reused on both devices; the
# string is published here, so rotate both and use distinct passwords.
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
local-user yunying password cipher 6)'^BYE(;F31<%AOH#3\4Q!! local-user yunying privilege level 3
#
# VLAN 1 interface takes its address from DHCP.
# NOTE(review): this gives the switch an extra, dynamically assigned address
# on the default VLAN, where any DHCP server can answer. If it is not needed
# for management, remove it and manage the switch through Vlanif100 only.
interface Vlanif1
ip address dhcp-alloc
#
interface Vlanif40
ip address 192.168.30.254 255.255.255.0
#
interface Vlanif100
ip address 192.168.100.3 255.255.255.0
#
# Access port in VLAN 40 with ARP and IP source checks against the user-bind
# table switched on; this is the port named in the static user-bind entry
# for 192.168.30.35.
# NOTE(review): Ethernet0/0/1 is the only port in this listing with these
# checks. The other access ports in VLAN 40 accept any source IP/MAC, so a
# host on another port could still use the bound address — confirm whether
# the checks should cover the whole VLAN.
interface Ethernet0/0/1
port link-type access
port default vlan 40
ntdp enable
ndp enable
arp anti-attack check user-bind enable
ip source check user-bind enable
#
interface Ethernet0/0/2
port link-type access
port default vlan 40
ntdp enable
ndp enable
#
interface Ethernet0/0/3
port link-type access
port default vlan 40
ntdp enable
ndp enable
#
interface Ethernet0/0/4
port link-type access
port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/5 port link-type access port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/6 port link-type access port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/7 port link-type access port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/8 port link-type access port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/9 port link-type access port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/10 port link-type access port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/11 port link-type access port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/12 port link-type access port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/13 port link-type access port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/14 port link-type access port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/15 port link-type access port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/16 port link-type access port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/17 port link-type access port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/18 port link-type access port default vlan 40 ntdp enable
ndp enable
#
interface Ethernet0/0/19
port link-type access
port default vlan 40
ntdp enable
ndp enable
#
interface Ethernet0/0/20
port link-type access
port default vlan 40
ntdp enable
ndp enable
#
interface Ethernet0/0/21
port link-type access
port default vlan 40
ntdp enable
ndp enable
#
interface Ethernet0/0/22
port link-type access
port default vlan 40
ntdp enable
ndp enable
#
interface Ethernet0/0/23
port link-type access
port default vlan 40
ntdp enable
ndp enable
#
interface Ethernet0/0/24
port link-type access
port default vlan 40
ntdp enable
ndp enable
#
# Uplink trunk. Page extraction fused "ntdp enable" onto the allow-pass line.
# NOTE(review): the trunk passes VLANs 2-4094 although this switch only
# creates VLANs 40 and 100 ("vlan batch 40 100"); restrict allow-pass to
# those two.
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094 ntdp enable
ndp enable
#
interface GigabitEthernet0/0/2
ntdp enable
ndp enable
#
interface NULL0
#
# Five default routes with different next hops.
# NOTE(review): of these next hops only 192.168.100.1 is on a subnet that
# this switch has a static address in (Vlanif100, 192.168.100.3/24).
# 1.1.1.1, 1.1.1.9 and the two 58.214.246.x addresses are not directly
# connected in this listing; if they are leftovers, remove them so that the
# only way out is through the core switch and the filtering gateway.
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
ip route-static 0.0.0.0 0.0.0.0 1.1.1.9
ip route-static 0.0.0.0 0.0.0.0 58.214.246.30
ip route-static 0.0.0.0 0.0.0.0 58.214.246.29
#
snmp-agent
snmp-agent local-engineid 000007DB7F0000010000336F snmp-agent sys-info version v3
#
# Console and remote-login (VTY 0-4) lines. VTY logins are authenticated
# through AAA.
# "idle-timeout 0 0" switches the console inactivity logout off, so a session
# left open on the console port stays logged in.
# NOTE(review): no "protocol inbound ssh" and no ACL on the VTY lines is
# visible here; confirm that remote management is SSH-only and limited to
# management source addresses.
user-interface con 0
idle-timeout 0 0
user-interface vty 0 4
authentication-mode aaa
#
port-group 1
group-member Ethernet0/0/1
group-member Ethernet0/0/2
group-member Ethernet0/0/3
group-member Ethernet0/0/4
group-member Ethernet0/0/5
group-member Ethernet0/0/6
group-member Ethernet0/0/7
group-member Ethernet0/0/8
group-member Ethernet0/0/9
group-member Ethernet0/0/10
group-member Ethernet0/0/11
group-member Ethernet0/0/12
group-member Ethernet0/0/13
group-member Ethernet0/0/14
group-member Ethernet0/0/15
group-member Ethernet0/0/16
group-member Ethernet0/0/17
group-member Ethernet0/0/18
group-member Ethernet0/0/19
group-member Ethernet0/0/20
group-member Ethernet0/0/21
group-member Ethernet0/0/22
group-member Ethernet0/0/23
group-member Ethernet0/0/24
# return。
