/categories/%E7%BD%91%E7%BB%9C/ Recent content in 网络 on AIHugoBlog Hugo zh-cn Sun, 28 Apr 2024 14:17:28 +0800 /posts/hua-wei-jiao-huan-ji-tong-guo-ftp-bei-fen-pei-zhi-wen-jian/ Sun, 28 Apr 2024 14:17:28 +0800 /posts/hua-wei-jiao-huan-ji-tong-guo-ftp-bei-fen-pei-zhi-wen-jian/ <ol> <li>ftp服务开启及账号建立sysftp server enableaaalocal-user jgsteelftp password cipher xxxxxxxxlocal-user jgsteelftp privilege level 3local-user jgsteelftp servi</li> </ol> /posts/hua-wei-ap-xiu-gai-fat-he-fit-mo-shi/ Fri, 01 Dec 2023 15:00:33 +0800 /posts/hua-wei-ap-xiu-gai-fat-he-fit-mo-shi/ <h3 id="远程进入ap配置默认是开启stelnet的">远程进入AP配置，默认是开启Stelnet的。</h3> <pre tabindex="0"><code>stelnet IP # 登录会创建账号密码 </code></pre><h3 id="查看当前ap模式">查看当前AP模式</h3> <pre tabindex="0"><code>display version </code></pre><h3 id="设置ap模式">设置AP模式</h3> <pre tabindex="0"><code>ap-mode-switch fit </code></pre><h3 id="ac中查看ap连接状态">AC中查看ap连接状态</h3> <pre tabindex="0"><code>dis ap all dis arp | include mac地址 </code></pre> /posts/ipv4-nei-wang-bao-liu-wang-duan/ Fri, 13 Jan 2023 16:05:01 +0800 /posts/ipv4-nei-wang-bao-liu-wang-duan/ <h3 id="a类地址">A类地址</h3> <pre tabindex="0"><code>10.0.0.0/8 10.0.0.0 - 10.255.255.255 </code></pre><h3 id="b类地址">B类地址</h3> <pre tabindex="0"><code>172.16.0.0/12 172.16.0.0 - 172.31.255.255 </code></pre><h3 id="c类地址">C类地址</h3> <pre tabindex="0"><code>192.168.0.0/16 192.168.0.0 - 192.168.255.255 </code></pre> /posts/hua-wei-jiao-huan-ji-qing-kong-suo-you-pei-zhi/ Fri, 13 Jan 2023 16:03:55 +0800 /posts/hua-wei-jiao-huan-ji-qing-kong-suo-you-pei-zhi/ <h3 id="1-首先通过串口线与交换机的console连接登陆该交换机">1. 首先通过串口线与交换机的console连接登陆该交换机</h3> <h3 id="2不需要进入sys可以直接在现有的状态下输入命令然后选择y">2.不需要进入sys，可以直接在现有的状态下输入命令,然后选择Y</h3> <pre tabindex="0"><code>reset saved-configuration </code></pre><h3 id="3此时配置已经清空现在进行重启操作输入reboot并在接下来的第一个询问中选择n第二个询问中选择y等待交换机重启">3.此时配置已经清空，现在进行重启操作。输入reboot，并在接下来的第一个询问中选择“N”，第二个询问中选择“Y”等待交换机重启。</h3> /posts/hua-wei-jiao-huan-ji-kai-qi-3a-ren-zheng-ssh/ Fri, 13 Jan 2023 16:02:56 +0800 /posts/hua-wei-jiao-huan-ji-kai-qi-3a-ren-zheng-ssh/ <h3 id="创建一个账户为is密码为xxx">创建一个账户为is，密码为xxx</h3> <pre tabindex="0"><code> #创建用户 aaa local-user is password cipher xxx local-user is privilege level 15 #最高权限 local-user is service-type ssh #走ssh协议 quit </code></pre><pre tabindex="0"><code> #创建ssh user ssh user is authentication-type password #is用户的认证方式为密码认证 ssh user is service-type stelnet #stelnet实际上就是ssh </code></pre><pre tabindex="0"><code> #创建本地秘钥对 rsa local-key-pair create </code></pre><pre tabindex="0"><code> #启用ssh服务 stelnet server enable </code></pre><pre tabindex="0"><code> #配置vty界面支持的登录协议 user-interface vty 0 4 authentication-mode aaa #认证方式为3a protocol inbound ssh #允许ssh登录 </code></pre> /posts/hua-wei-she-bei-pei-zhi-console-kou-can-shu/ Fri, 13 Jan 2023 16:02:13 +0800 /posts/hua-wei-she-bei-pei-zhi-console-kou-can-shu/ <pre tabindex="0"><code>user-interface console 0 authentication-mode password set authentication password cipher idle-timeout 20 0 #设置空闲超时时间为20分钟，默认10分钟 display this #查看配置结果 </code></pre> /posts/h3c-xin-jian-yong-hu-bing-she-zhi-xi-tong-zui-gao-quan-xian/ Fri, 13 Jan 2023 16:00:48 +0800 /posts/h3c-xin-jian-yong-hu-bing-she-zhi-xi-tong-zui-gao-quan-xian/ <h3 id="1配置登录管理的用户名认证级别口令">1.配置登录管理的用户名、认证级别、口令</h3> <pre tabindex="0"><code>local-user admin password simple satelit service-type telnet level 3 save </code></pre><h3 id="2h3c提权">2.H3C提权</h3> <p>超级终端（基础密码system）</p> <pre tabindex="0"><code>super 3 sys local-user admin password simple system #设置密码为system level 3 service-type telnet save </code></pre><h3 id="3修改h3c的默认密码">3.修改H3C的默认密码</h3> <pre tabindex="0"><code>telnet 172.21.100.1 password: #输入原密码 super 3 system user-int vty 0 4 #改telnet密码 user-int console 0 #改console口密码 user-int aux 0 #改aux口密码 set aut pass cip abcde #设置密码 </code></pre> /posts/hua-wei-fang-huo-qiang-pei-zhi-kua-san-ceng-mac-shi-bie/ Fri, 13 Jan 2023 14:34:20 +0800 /posts/hua-wei-fang-huo-qiang-pei-zhi-kua-san-ceng-mac-shi-bie/ <h1 id="华为防火墙配置跨三层mac识别">华为防火墙配置跨三层MAC识别</h1> <h3 id="1需求">1.需求</h3> <ul> <li> <p>FW作为企业的出口网关，内网用户通过三层交换机与FW相连，并通过FW访问Internet。FW需要以MAC地址为匹配条件配置安全策略、策略路由、带宽策略等来控制内网流量。</p> </li> <li> <p>拓扑图 <img alt="image-1673591649298" loading="lazy" src="/upload/2023/01/image-1673591649298.png"></p> </li> </ul> <h3 id="2-s5700交换机为例">2. S5700交换机为例</h3> <ul> <li>开启snmp</li> </ul> <pre tabindex="0"><code>[Switch] snmp-agent [Switch] snmp-agent sys-info version v2c [Switch] snmp-agent community read Public@123 </code></pre><h3 id="3-防护墙配置">3. 防护墙配置</h3> <ul> <li>配置FW的接口IP地址。</li> </ul> <pre tabindex="0"><code>[FW] interface GigabitEthernet 1/0/2 [FW-GigabitEthernet1/0/2] ip address 192.168.2.100 24 [FW-GigabitEthernet1/0/2] quit [FW] firewall zone trust [FW-zone-trust] add interface GigabitEthernet 1/0/2 </code></pre><ul> <li>配置Local到Trust区域的安全策略，允许防火墙向交换机发送SNMP报文。</li> </ul> <pre tabindex="0"><code>[FW] security-policy [FW-policy-security] rule name policy_sec [FW-policy-security-rule-policy_sec] source-zone local [FW-policy-security-rule-policy_sec] destination-zone trust [FW-policy-security-rule-policy_sec] destination-address 192.168.2.110 32 [FW-policy-security-rule-policy_sec] action permit </code></pre><ul> <li>配置跨三层MAC识别。</li> </ul> <pre tabindex="0"><code>[FW] snmp-server arp-sync enable [FW] snmp-server target-host arp-sync address 192.168.2.110 community Public@123 v2c [FW] snmp-server arp-sync interval 5 timeout 3 </code></pre> /posts/hua-wei-fang-huo-qiang-he-san-ceng-jiao-huan-ji-dui-jie-shang-wang-pei-zhi/ Fri, 13 Jan 2023 11:59:57 +0800 /posts/hua-wei-fang-huo-qiang-he-san-ceng-jiao-huan-ji-dui-jie-shang-wang-pei-zhi/ <h3 id="1需求">1.需求</h3> <p>公司拥有多个部门且位于不同网段，各部门均有访问Internet需求。现要求用户通过三层交换机和防火墙访问外部网络，且要求三层交换机作为用户的网关。 拓扑图 <img alt="image-1673582386613" loading="lazy" src="/upload/2023/01/image-1673582386613.png"></p> <h3 id="2-配置交换机">2. 配置交换机</h3> <ul> <li>配置连接用户的接口和对应的VLANIF接口。</li> </ul> <pre tabindex="0"><code>&lt;HUAWEI&gt; system-view [HUAWEI] sysname Switch [Switch] vlan batch 2 3 [Switch] interface gigabitethernet 0/0/2 [Switch-GigabitEthernet0/0/2] port link-type access //配置接口接入类型为access [Switch-GigabitEthernet0/0/2] port default vlan 2 //配置接口加入VLAN 2 [Switch-GigabitEthernet0/0/2] quit [Switch] interface gigabitethernet 0/0/3 [Switch-GigabitEthernet0/0/3] port link-type access [Switch-GigabitEthernet0/0/3] port default vlan 3 [Switch-GigabitEthernet0/0/3] quit [Switch] interface vlanif 2 [Switch-Vlanif2] ip address 192.168.1.1 24 [Switch-Vlanif2] quit [Switch] interface vlanif 3 [Switch-Vlanif3] ip address 192.168.2.1 24 </code></pre><ul> <li>配置连接防火墙的接口和对应的VLANIF接口。</li> </ul> <pre tabindex="0"><code>[Switch] vlan batch 100 [Switch] interface gigabitethernet 0/0/1 [Switch-GigabitEthernet0/0/1] port link-type access [Switch-GigabitEthernet0/0/1] port default vlan 100 [Switch-GigabitEthernet0/0/1] quit [Switch] interface vlanif 100 [Switch-Vlanif100] ip address 192.168.100.2 24 </code></pre><ul> <li>配置缺省路由。</li> </ul> <pre tabindex="0"><code>[Switch] ip route-static 0.0.0.0 0.0.0.0 192.168.100.1 //缺省路由的下一跳是防火墙接口的IP地址192.168.100.1 </code></pre><ul> <li>配置DHCP服务器。</li> </ul> <pre tabindex="0"><code>[Switch] dhcp enable [Switch] interface vlanif 2 [Switch-Vlanif2] dhcp select interface //DHCP使用接口地址池的方式为用户分配IP地址 [Switch-Vlanif2] dhcp server dns-list 114.114.114.114 223.5.5.5 //配置的DNS-List 114.114.114.114是公用的DNS服务器地址，是不区分运营商的。在实际应用中，请根据运营商分配的DNS进行配置 [Switch-Vlanif2] quit [Switch] interface vlanif 3 [Switch-Vlanif3] dhcp select interface [Switch-Vlanif3] dhcp server dns-list 114.114.114.114 223.5.5.5 [Switch-Vlanif3] quit </code></pre><h3 id="3配置防火墙">3.配置防火墙</h3> <ul> <li>配置连接交换机的接口对应的IP地址。</li> </ul> <pre tabindex="0"><code>&lt;USG6600&gt; system-view [USG6600] interface gigabitethernet 1/0/1 [USG6600-GigabitEthernet1/0/1] ip address 192.168.100.1 255.255.255.0 </code></pre><ul> <li>配置连接公网的接口对应的IP地址。</li> </ul> <pre tabindex="0"><code>[USG6600] interface gigabitethernet 1/0/2 [USG6600-GigabitEthernet1/0/2] ip address 1.1.1.2 255.255.255.0 //配置连接公网接口的IP地址和公网的IP地址在同一网段 </code></pre><ul> <li>配置缺省路由和回程路由。</li> </ul> <pre tabindex="0"><code>[USG6600] ip route-static 0.0.0.0 0.0.0.0 1.1.1.1 //配置静态缺省路由的下一跳指向公网提供的IP地址1.1.1.1 [USG6600] ip route-static 192.168.0.0 255.255.0.0 192.168.100.2 //配置回程路由的下一跳就指向交换机上行接口的IP地址192.168.100.2 </code></pre><ul> <li>配置安全策略</li> </ul> <pre tabindex="0"><code>[USG6600] firewall zone trust //配置trust域 [USG6600-zone-trust] add interface gigabitethernet 1/0/1 [USG6600-zone-trust] quit [USG6600] firewall zone untrust //配置untrust域 [USG6600-zone-untrust] add interface gigabitethernet 1/0/2 [USG6600-zone-untrust] quit </code></pre><ul> <li>配置安全策略，允许域间互访。</li> </ul> <pre tabindex="0"><code>[USG6600] security-policy [USG6600-policy-security] rule name policy1 [USG6600-policy-security-rule-policy1] source-zone trust [USG6600-policy-security-rule-policy1] destination-zone untrust [USG6600-policy-security-rule-policy1] source-address 192.168.0.0 mask 255.255.0.0 [USG6600-policy-security-rule-policy1] action permit [USG6600-policy-security-rule-policy1] quit [USG6600-policy-security] quit </code></pre><ul> <li>配置PAT地址池，开启允许端口地址转换。</li> </ul> <pre tabindex="0"><code>[USG6600] nat address-group addressgroup1 [USG6600-address-group-addressgroup1] mode pat [USG6600-address-group-addressgroup1] route enable [USG6600-address-group-addressgroup1] section 0 1.1.1.2 1.1.1.2 //转换的公网IP地址 [USG6600-address-group-addressgroup1] quit </code></pre><ul> <li>配置源PAT策略，实现私网指定网段访问公网时自动进行源地址转换。</li> </ul> <pre tabindex="0"><code>[USG6600] nat-policy [USG6600-policy-nat] rule name policy_nat1 [USG6600-policy-nat-rule-policy_nat1] source-zone trust [USG6600-policy-nat-rule-policy_nat1] destination-zone untrust [USG6600-policy-nat-rule-policy_nat1] source-address 192.168.0.0 mask 255.255.0.0 //允许进行PAT转换的源IP地址 [USG6600-policy-nat-rule-policy_nat1] action nat address-group addressgroup1 [USG6600-policy-nat-rule-policy_nat1] quit </code></pre>