书签分享收藏举报版权申诉 / 33

立即下载

当前位置：首页 > 应用文书 > 解决方案 > H3C S9500E 系列路由交换机IRF与FW ACG IPS插卡典型配置指导.docx

H3C S9500E 系列路由交换机IRF与FW ACG IPS插卡典型配置指导.docx

上传人：太**

文档编号：86523353

上传时间：2023-04-14

格式：DOCX

页数：33

大小：519.93KB

( 4.5 )

《H3C S9500E 系列路由交换机IRF与FW ACG IPS插卡典型配置指导.docx》由会员分享，可在线阅读，更多相关《H3C S9500E 系列路由交换机IRF与FW ACG IPS插卡典型配置指导.docx（33页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、H3C S9500E系歹U路由交换机IRF与FW ACG IPS插卡典型配置指导关键词：IPS、ACG、FW、典型配置指导摘要：介绍在95E堆叠下，FW&ACG&IPS插卡的推荐组网应用方案及典型配置指导。缩略语：缩略语英文全名中文解释IPSIntrusion Prevention System入侵防御系统OAAOpen Application Architecture开放应用架构ACGApplication Control Gateway应用控制网关FWFireWall防火墙Comware Software, Version 5.20, Release 3102P13Comware Pla

2、tform Software Version COMWAREV500R002B51D010H3C SecBlade FW Software Version V300R001B01D126Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.Compiled Jun 24 2009 14:13:17, RELEASE SOFTWAREH3C SecBlade FW uptime is 0 week, 0 day, 0 hour, 1 minute4.4配置步骤酉已置 S9500E1.配置步骤95E上acl

3、的配置：105dis acl allAdvanced ACL 3000, named -none-, 1 rule, 用来匹配源IP为奇数的流量ACLs step is 5Advanced ACL 3001, named -none-, 1 rule, 用来匹配目的IP为奇数的流量ACUs step is 5Advanced ACL 3100, named -none-, 1 rule, 用来匹配所有IP流量ACUs step is 5rule 0 permit IPAdvanced ACL 3200, named -none-, 2 rules,用来匹配各服务区内部互访流量ACUs step

4、 is 5rule 0 permit IP destination 10.1.1.0 0.0.0.255 Ethernet frame ACL 4000, named -none-, 1 rule,用来匹配ARP流量ACLs step is 5rule 0 deny type 0806 ffffEthernet frame ACL 4001, named -none-, 1 rule, 用来匹配所有流量ACLs step is 5rule 0 permit95E上端口0112的配置105dis cur int g2/6/0/15#interface GigabitEthernet2/6/0/1

5、5port link-type trunkundo port trunk permit vlan 1port trunk permit vlan 10qos apply policy 1 inbound#return105dis qos policy in g 2/6/0/15Interface: GigabitEthernet2/6/0/15Direction: InboundPolicy: 1Classifier: local服务区内部互访流量不上OAA插卡Operator: ANDRule(s) : If-match acl 3200Behavior: localFilter Enabl

6、e: permitClassifier: 1vlantag为10,三层流量，源IP为奇数的流量走IPS1Operator: ANDRule(s) : lf-match acl 3000If-match service-vlan-id 10lf-match forwarding-layer routeBehavior: 1Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet2/5/0/1Classifier: 2 vlan tag为10,三层流量，IPS1插卡在位时，源IP为偶数的流量走

7、IPS2；Operator: ANDIPS1插卡不在位时，所有流量都走IPS2,负载分担和备份；Rule(s) : If-match acl 3100If-match service-vlan-id 10If-match forwarding-layer routeBehavior: 2Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet1 /4/0/1Classifier: 21vlan tag为10,三层流量，IPS2插卡不在位时，所有流量都走IPS1Operates: ANDRu

8、le(s) : If-match acl 3100If-match service-vlan-id 10If-match forwarding-layer routeBehavior: 1Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet2/5/0/195E上与IPS1插卡相连的接口配置105 dis cur int te2/5/0/1#interface T en-GigabitEthernet2/5/0/1port link-type trunkport trunk permit

9、 vlan 1 10 20 to 21qos apply policy 2 inboundmac-address max-mac-count 0#return105dis qos policy int t2/5/0/1Interface: Ten-GigabitEthernet2/5/0/1Direction: InboundPolicy: 2Classifier: 1 vlan tag为10,三层流量，源IP为奇数的流量走ACG1Operator: ANDRule(s) : If-match acl 3000If-match service-vlan-id 10If-match forwar

10、ding-layer routeBehavior: 3Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet2/4/0/1Class币er:2vlan tag为10,三层流量，ACG1插卡在位时，源IP为偶数的流量走ACG2；Operator: AND ACG1插卡不在位时，所有流量都走ACG2,负载分担和备份；Rule(s) : If-match acl 3100If-match service-vlan-id 10If-match forwarding-layer routeBeha

11、vior: 4Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet1 /3/0/1Classifier: 21 vlan tag为10,三层流量，ACG2插卡不在位时，所有流量都走ACG1Operator: ANDRule(s) : If-match acl 3100If-match service-vlan-id 10If-match forwarding-layer routeBehavior: 3Redirect enable:Redirect type: interfaceRe

12、direct destination: Ten-GigabitEthernet2/4/0/1Classifier: arpClassifier: arp过滤二层报文Operator: ANDRule(s) : If-match forwarding-layer bridgeIf-match acl 4001Behavior: arpFilter Enable: denyClassifier: arp1过滤arp报文Operator: ANDRule(s) : If-match acl 4000Behavior: arp1Filter Enable: deny95E上与IPS2插卡相连的接口配置

13、，与IPS1插卡的QoS配置完全一样105dis cur int te 1/4/0/1#interface T en-GigabitEthernet1 /4/0/1port link-type trunkport trunk permit vlan 1 10 20 to 21qos apply policy 2 inboundmac-address max-mac-count 0#return105dis qos policy int t1/4/0/1Interface: Ten-GigabitEthernet1 /4/0/1Direction: InboundPolicy: 2vlan ta

14、g为10,三层流量，源IP为奇数的流量走ACG1Classifier: 1Operator: ANDRule(s) : If-match acl 3000If-match service-vlan-id 10If-match forwarding-layer routeBehavior: 3Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet2/4/0/1Classifier: 2vlan tag为10,三层流量，ACG1插卡在位时，源IP为偶数的流量走ACG2；Operator: A

15、NDACG1插卡不在位时，所有流量都走ACG2,负载分担和备份；Rule(s) : If-match acl 3100If-match service-vlan-id 10If-match forwarding-layer routeBehavior: 4Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet1 /3/0/1Classifier: 21 一一vlan tag为10,三层流量，ACG2插卡不在位时，所有流量都走ACG1Operator: ANDRule(s) : If-m

16、atch acl 3100If-match service-vlan-id 10If-match forwarding-layer routeBehavior: 3Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet2/4/0/1Classifier: arp过滤二层报文Operator*: ANDRule(s) : If-match forwarding-layer bridgeIf-match acl 4001Behavior: arpFilter Enable: denyClas

17、sifier: arp1过滤arp报文Operator: ANDRule(s) : If-match acl 4000Behavior: arp1Filter Enable: deny95E上与ACG1相连的接口配置105dis cur int te2/4/0/1#interface Ten-GigabitEthernet2/4/0/1port link-type trunkport trunk permit vlan 1 10 20 to 21qos apply policy 5 inboundmac-address max-mac-count 0return105dis qos polic

18、y int t2/4/0/1Interface: Ten-GigabitEthernet2/4/0/1Direction: InboundPolicy: 5Classifier: a vlantag为20,三层流量，目的IP为奇数的流量走IPS1Operator: ANDRule(s) : lf-match acl 3001If-match service-vlan-id 20lf-match forwarding-layer routeBehavior: 1Redirect enable:Redirect type: interfaceRedirect destination: Ten-Gi

19、gabitEthernet2/5/0/1Classifier: c vlan tag为21,三层流量，目的IP为奇数的流量走IPS1Operator: ANDRule(s) : If-match acl 3001If-match service-vlan-id 21If-match forwarding-layer routeBehavior: 1Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet2/5/0/1Classifier: b vlantag为20,三层流量，IPS1插卡在

20、位时，目的IP为偶数的流量走IPS2；Operator: AND IPS1插卡不在位时，所有流量都走IPS2,负载分担和备份；Rule(s) : lf-match acl 3100lf-match service-vlan-id 20lf-match forwarding-layer routeBehavior: 2Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet1 /4/0/1Classifier: d vlantag为21,三层流量，IPS1插卡在位时，目的IP为偶数的流量走I

21、PS2；Operator: AND IPS1插卡不在位时，所有流量都走IPS2,负载分担和备份；Rule(s) : lf-match acl 3100lf-match service-vlan-id 21lf-match forwarding-layer routeBehavior: 2Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet1 /4/0/1Classifier: b1 vlan tag为20,三层流量，IPS2插卡不在位时，所有流量都走IPS1Operator: ANDR

22、ule(s) : lf-match acl 3100lf-match service-vlan-id 20lf-match forwarding-layer routeBehavior: 11特性简介32应用场合53注意事项54配置举例54.1 组网需求54.2 配置思路84.3 软件版本84.4 配置步骤10配置 S9500E104.4.1 配置FW29配置IPS/ACG304.4.2 OAA定位参考31445验证结果325相关资料375.1 相关协议和标准375.2 其它相关资料37Redirect enable:Redirect type: interfaceRedirect desti

23、nation: Ten-GigabitEthernet2/5/0/1Classifier: d1 vlan tag为21,三层流量，IPS2插卡不在位时，所有流量都走IPS1Operator: ANDRule(s) : lf-match acl 3100If-match service-vlan-id 21lf-match forwarding-layer routeBehavior: 1Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet2/5/0/1Classifier: arp过

24、滤二层报文Operates: ANDRule(s) : If-match forwarding-layer bridgeIf-match acl 4001Behavior: arpFilter Enable: denyClassifier: arp1过滤arp报文Operator: ANDRule(s) : If-match acl 4000Behavior: arp1Filter Enable: deny95E上与ACG2插卡相连的接口配置，与ACG1插卡的QoS配置完全一样105dis curint te1/3/0/1#interface T en-GigabitEthernet1 /3/

25、0/1port link-type trunkport trunk permit vlan 1 10 20 to 21qos apply policy 5 inboundmac-address max-mac-count 0#return105dis qos policy int t1/3/0/1Interface: Ten-GigabitEthernet1 /3/0/1Direction: InboundPolicy: 5Class由e匚a vlan tag为20,三层流量，目的IP为奇数的流量走IPS1Operate”: ANDRule(s) : lf-match acl 3001If-m

26、atch service-vlan-id 20lf-match forwarding-layer routeBehavior: 1Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet2/5/0/1Classifier: cClassifier: c vlan tag为21,三层流量，目的IP为奇数的流量走IPS1Operator: ANDRule(s) : If-match acl 3001If-match service-vlan-id 21If-match forwarding-l

27、ayer routeBehavior: 1Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet2/5/0/1Classifier: b vlantag为20,三层流量，IPS1插卡在位时，目的IP为偶数的流量走IPS2；Operator: AND IPS1插卡不在位时，所有流量都走IPS2,负载分担和备份；Rule(s) : If-match acl 3100If-match service-vlan-id 20If-match forwarding-layer routeBehavi

28、or: 2Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet1/4/0/1Classifier: d vlantag为21,三层流量，IPS1插卡在位时，目的IP为偶数的流量走IPS2；Operator: AND IPS1插卡不在位时，所有流量都走IPS2,负载分担和备份；Rule(s) : If-match acl 3100If-match service-vlan-id 21If-match forwarding-layer routeBehavior: 2Redirect en

29、able:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet1/4/0/1Classifier: b1vlantag为20,三层流量，IPS2插卡不在位时，所有流量都走IPS1Operator: ANDRule(s) : lf-match acl 3100If-match service-vlan-id 20lf-match forwarding-layer routeBehavior: 1Redirect enable:Redirect type: interfaceRedirect destination: T

30、en-GigabitEthernet2/5/0/1Classifier: d1 vlan tag为21,三层流量，IPS2插卡不在位时，所有流量都走IPS1Operator: ANDRule(s) : If-match acl 3100If-match service-vlan-id 21If-match forwarding-layer routeBehavior: 1Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet2/5/0/1Class由e匚arp过滤二层报文Operates

31、: ANDRule(s) : If-match forwarding-layer bridgeIf-match acl 4001Behavior: arpFilter Enable: denyClassifier: arp1过滤arp报文Operator: ANDRule(s) : If-match acl 4000Behavior: arp1Filter Enable: deny95E上与FW1插卡连接的接口配置105dis cur int te2/2/0/1#interface T en-GigabitEthernet2/2/0/1port link-type trunkundo port

32、 trunk permit vlan 1port trunk permit vlan 20 30qos apply policy 3 inbound#return105dis qos policy int t2/2/0/1Interface: Ten-GigabitEthernet2/2/0/1Direction: InboundPolicy: 3Classifier: a 一一vlan tag为20,三层流量，目的IP为奇数的流量走ACG1Operator: ANDRule(s) : If-match acl 3001If-match service-vlan-id 20If-match

33、forwarding-layer routeBehavior: 3Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet2/4/0/1Class由er: bvlan tag为20,三层流量，ACG1插卡在位时，目的IP为偶数的流量走ACG2；Operator: AND ACG1插卡不在位时，所有流量都走ACG2,负载分担和备份；Rule(s) : If-match acl 3100If-match service-vlan-id 20If-match forwarding-layer r

34、outeBehavior: 4Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet1 /3/0/1Classifier: b1 vlan tag为20,三层流量，ACG2插卡不在位时，所有流量都走ACG1Operator: ANDRule(s) : If-match acl 3100If-match service-vlan-id 20If-match forwarding-layer routeBehavior: 3Redirect enable:Redirect type: int

35、erfaceRedirect destination: Ten-GigabitEthernet2/4/0/195E上与FW2插卡相连的接口配置105dis curintt1/2/0/1#interface T en-GigabitEthernet1 /2/0/1port link-type trunkundo port trunk permit vlan 1port trunk permit vlan 21 31qos apply policy 4 inbound# return105dis qos policy int t1/2/0/1Interface: Ten-GigabitEthern

36、et1/2/0/1Direction: InboundPolicy: 4Classifier: c vlan tag为21,三层流量，目的IP为奇数的流量走ACG1Operator: ANDRule(s) : lf-match acl 3001If-match service-vlan-id 21lf-match forwarding-layer routeBehavior: 3Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet2/4/0/1Class币er: dvlan tag为2

37、1,三层流量，ACG1插卡在位时，目的IP为偶数的流量走ACG2；Operator: AND ACG1插卡不在位时，所有流量都走ACG2,负载分担和备份；Rule(s) : lf-match acl 3100lf-match service-vlan-id 21lf-match forwarding-layer routeBehavior: 4Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet1/3/0/1Classifier: d1 一一vlan tag为21,三层流量，ACG2插

38、卡不在位时，所有流量都走ACG1Operator: ANDRule(s) : lf-match acl 3100lf-match service-vlan-id 21lf-match forwarding-layer routeBehavior: 3Redirect enable:Redirect type: interfaceRedirect destination: Ten-GigabitEthernet2/4/0/195EPort 1的配置105dis cur int g2/6/0/17# interface GigabitEthernet2/6/0/17 port link-type

39、trunkundo port trunk permit vlan 1port trunk permit vlan 30 to 31 40这里trunk vlan 40,是为了验证vlan 10和40#互访流量不上OAA插卡return95E上的堆叠配置105dis cur | in irfirf mac-address persistent alwaysirf auto-update enableundo irf link-delayirf member 2 priority 32irf-port 1/2irf-port 2/1105irf-port 1/2105-irf-port1/2dis

40、th#irf-port 1/2port group interlace GigabitEthernetl/6/0/7port group interface GigabitEthernetl/6/0/8port group interface GigabitEthernetl/6/0/9port group interface GigabitEthernetl /6/0/10 # return105-irf-port1 /2irf-port 2/1105-irf-port2/1dis th#irf-port 2/1port group interface GigabitEthernet2/6/

41、0/7port group interface GigabitEthernet2/6/0/8port group interface GigabitEthernet2/6/0/9port group interface GigabitEthernet2/6/0/10#return95E上的路由配置2.配置文件4.4.2 配置FW1 .配置步骤FW的配置FW1的WEB配置1特性简介当今网络世界，对网络设备的要求不再仅仅是传统的路由器和交换机提供的数据转发能力，更要求网络设备支持各种各样的应用。而任何一家独立的技术厂商都很难同时提供客户所要求的所有服务。所以，一种开放的架构一一OAA,能够让众

42、多不同厂商生产的设备和软件集成在一起，像一台设备那样工作，为客户提供一体化的解决方案。基于这种理念，我司提出了OAA体系规范，H3cs9500E产品正是基于OAA规范开发了一系列应用业务方面的插卡，如无线插卡、安全插卡、防火墙插卡等。OAA基本的体系结构如图1所示。图1 OAA体系结构不意图从图中我们看到，OAA体系中，从硬件结构上看，可以分成三部分：路由交换部件、独立业务部件、接口连接部件。其中，路由交换部件就是路由器和交换机的主体部分，这部分有着完整的路由器或交换机的功能，也是用户管理控制的核心；独立业务部件则是可以开放给第三方合作开发的主体，主要用来提供各种独特的业务服务功能

43、；接口连接部件则是路由交换接部件和独立业务部件的接口连接体，通过这个部件将两个不同厂商的设备连接在一起，以形成一个统一的产品。对于不同体系结构的产品，路由交换部件本身是存在差异的，如集中式的设备和分布式设备，体系结构上存在差异。但由于定义接口连接部件的开放性和统一性，完全可以做到在不同体系结构上，对业务部件屏蔽路由交换部件的差异性。用户可以直接使用该默认信息登录防火墙的Web界面， o默认的Web登录信息包括：用户名：“h3c”密码：“h3c” FW 的 g0/1 口 IP 地址：192.168.0.1上述两块FW插卡的g0/1 口 IP地址都是修改过的，分别为和 Wvlan 21,

44、 31, t0/0都加入到trust域,这个只是本地验证，非实际应用配置。系统管理安全域管理T设备概览T配置向导系统管理日期和时间-软件升级T3配置维护设备重启T设备概览T配置向导系统管理日期和时间-软件升级T3配置维护设备重启安全域ID安全域名优先级共享虚拟设备2Trust85noRoot接口VLANVlan-interface21Vlan-interface31Ten-GigabitEthernetO/O1-4094返回0会话管理接口管理安全域管理0点拟设电管理FW2的WEB配置将vlan20, 30, t0/0都加入至Utrust域，这个只是本地验证，非实际应用配置。-a设备概览七配置

45、向导-a系统管理-日期和时间软件升级0配置维护设备重启LI会话管理接口管理9 v + H I- W虚拟设备管理系统管理安全域管理d fwRoot安全域ID安全域名优先级共享虚拟设备2Trust85noRoot接口VLANVlan-interface20Vlan-interTace30Ten-GigabitEthernetO/O1-4094返回4.4.3 配置IPS/ACG1.配置步骤Console登录到IPS/ACG插卡，配置管理口IPSysnameinterface methO/2 Sysname-ifip ad 192.168.0.63 255.255.255.0 Sysname-

46、ifundo shutdownSysname-ifquit登录IPS/ACG插卡WEB网管，,用户名密码都是admin。两块ACG插卡，两块IPS插卡的WEB配置完全相同，下面的配置也都只是本地验证，非实际应用配置。(1)去使能OAA ACFP Client。在本方案中，不使用acfp功能。系统管理设备管理设置(H3CLEVEL3卜系统管理卜设备管理卜系统状态-系统信息-系统时间-系统监控-配置维护-特征库升级软件升级一 License-工作模式系统重启立用户管理(2)安全域接口都选择为XethO-O (内联口)，内部域vlan选择10,外部域vlan选择20,21。系统管理网络管理安全区域，H3CLEVEL3系妖告起电设备苫理T3用9省理施

文档加载中……请稍候！
如果长时间未打开，您也可以点击刷新试试。

下载文档到电脑，查找使用更方便

15 金币

版权申诉 word格式文档无特别注明外均可编辑修改；预览文档经过压缩，下载后原文更清晰！ 立即下载

配套讲稿：: 如PPT文件的首页显示word图标，表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
特殊限制：: 部分文档作品中含有的国旗、国徽等图片，仅作为作品整体效果示例展示，禁止商用。设计者仅对作品中独创性部分享有著作权。
关键词：: H3C S9500E 系列路由交换机IRF与FW ACG IPS插卡典型配置指导系列路由交换机 IRF FW IPS 插卡典型配置指导

淘文阁 - 分享文档赚钱的网站所有资源均是用户自行上传分享，仅供网友学习交流，未经上传用户书面授权，请勿作他用。

限制150内

关于本文

本文标题：H3C S9500E 系列路由交换机IRF与FW ACG IPS插卡典型配置指导.docx
链接地址：https://www.taowenge.com/p-86523353.html