美文网首页
华为防火墙实验9「配置基于IP地址带宽管理」

华为防火墙实验9「配置基于IP地址带宽管理」

作者: 炖冬瓜 | 来源:发表于2019-06-10 10:46 被阅读0次

    (一)实验简介

    如拓朴图所示,为防止 FTP 服务器受攻击,在防火墙上限制从服务器受攻击,在防火墙上限制从 Trust区域和 Untrust区域 到 FTP 端口的连接数上限为 20 ,并且限制其上传 ,并且限制其上传 /下载带宽为: 5Mbps/10Mbps。限制trust域内每个 PC 到Internet的上传 /下载带宽为:400kbps/600kbps。

    网络拓朴结构

    (二)实验目的

    1. 掌握网关对网关的组网;
    2. 掌握手工方式配置两个网络的IPSecVPN;

    (三)实验条件

    1. 一台CPU支持VT技术,内存4GB以上的计算机;
    2. 安装eNSP模拟器B510版,导入USG6000V镜像;
    3. 终端工具:SecuretyCRT,Putty,Psftp,XShell等。

    (四)网络拓朴图

    打开ENSP软件,按如下拓朴图创建实验环境,设置地址:

    1. LAN地址:192.168.10.0/24;
    2. WAN地址:10.9.9.0/24;
    3. DMZ地址:10.10.10.0/24;
    实验9拓朴

    (五)配置思路

    1. 配置LAN/DMZ/WAN网络;
    2. 配置防火墙接口,安全域,安全策略;
    3. 配置IP带宽通道,配置带宽策略;

    (六)配置步骤

    (1)配置LAN网络

    先设置Client1的IP地址

    Client1的网络信息

    配置LAN交换机:

    The device is running!

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname LSW1
[LSW1]interface Vlanif 1
[LSW1-Vlanif1]ip address 192.168.10.254 24
[LSW1-Vlanif1]quit
[LSW1]
[LSW1]ospf 1
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]quit
[LSW1-ospf-1]quit
[LSW1]
[LSW1]quit
<LSW1>

    (2)配置DMZ网络

    先设置Server1的IP地址

    Server1的网络信息

    配置DMZ交换机:

    The device is running!

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname LSW2
[LSW2]interface Vlanif 1
[LSW2-Vlanif1]ip address 10.10.10.254 24
[LSW2-Vlanif1]quit
[LSW2]
[LSW2]ospf 1
[LSW2-ospf-1]area 0
[LSW2-ospf-1-area-0.0.0.0]network 10.10.10.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]quit
[LSW2-ospf-1]quit
[LSW2]
[LSW2]quit
<LSW2>
<LSW2>

    (3)配置WAN网络

    配置AR1路由器

    The device is running!

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]sysname AR2
[AR2]interface GigabitEthernet 0/0/0
[AR2-GigabitEthernet0/0/0]
[AR2-GigabitEthernet0/0/0]ip address 10.9.9.2 24
[AR2-GigabitEthernet0/0/0]
[AR2-GigabitEthernet0/0/0]quit
[AR2]ospf 1
[AR2-ospf-1]
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]
[AR2-ospf-1-area-0.0.0.0]network 10.9.9.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]
[AR2-ospf-1-area-0.0.0.0]quit
[AR2-ospf-1]
[AR2-ospf-1]quit
[AR2]quit
<AR2>

    (4)配置FW的网络及策略

    The device is running!
An initial password is required for the first login via the console.
Set a password and keep it safe. Otherwise you will not be able to login via the
console.
Please configure the login password (8-16)
Enter Password:
Confirm Password:
Warning: The authentication mode was changed to password authentication and the
user level was changed to 15 on con0 at the first user login.
Warning: There is a risk on the user-interface which you login through. Please c
hange the configuration of the user-interface as soon as possible.

*************************************************************************
* Copyright (C) 2014-2015 Huawei Technologies Co., Ltd. *
* All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
*************************************************************************

<USG6000V1>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V1]undo info en
Info: Information center is disabled.
[USG6000V1]sysname FW1
[FW1]
[FW1]int g 1/0/1
[FW1-GigabitEthernet1/0/1]ip addr 192.168.10.1 24
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1-GigabitEthernet1/0/1]service-manage http permit
[FW1-GigabitEthernet1/0/1]quit
[FW1]
[FW1]int g 1/0/2
[FW1-GigabitEthernet1/0/2]ip addr 10.10.10.1 24
[FW1-GigabitEthernet1/0/2]service-manage ping permit
[FW1-GigabitEthernet1/0/2]service-manage http permit
[FW1-GigabitEthernet1/0/2]quit
[FW1]
[FW1]int g 1/0/3
[FW1-GigabitEthernet1/0/3]ip addr 10.9.9.1 24
[FW1-GigabitEthernet1/0/3]service-manage ping permit
[FW1-GigabitEthernet1/0/3]service-manage http permit
[FW1-GigabitEthernet1/0/3]quit
[FW1]
[FW1]firewall zone trust
[FW1-zone-trust]add int g 1/0/1
[FW1-zone-trust]quit
[FW1]
[FW1]firewall zone dmz
[FW1-zone-dmz]add int g 1/0/2
[FW1-zone-dmz]quit
[FW1]
[FW1]firewall zone untrust
[FW1-zone-untrust]add int g 1/0/3
[FW1-zone-untrust]quit
[FW1]
[FW1]ospf 1
[FW1-ospf-1]area 0
[FW1-ospf-1-area-0.0.0.0]network 10.10.10.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]network 10.9.9.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]quit
[FW1-ospf-1]quit
[FW1]
[FW1]security-policy
[FW1-policy-security]rule name trust_dmz
[FW1-policy-security-rule-trust_dmz]source-zone trust local
[FW1-policy-security-rule-trust_dmz]destination-zone dmz local
[FW1-policy-security-rule-trust_dmz]action permit
[FW1-policy-security-rule-trust_dmz]quit
[FW1-policy-security]
[FW1-policy-security]rule name trust_untrust
[FW1-policy-security-rule-trust_untrust]source-zone trust local
[FW1-policy-security-rule-trust_untrust]destination-zone untrust local
[FW1-policy-security-rule-trust_untrust]action permit
[FW1-policy-security-rule-trust_untrust]quit
[FW1-policy-security]
[FW1-policy-security]security-policy
[FW1-policy-security]rule name untrust_dmz
[FW1-policy-security-rule-untrust_dmz]source-zone untrust local
[FW1-policy-security-rule-untrust_dmz]destination-zone dmz local
[FW1-policy-security-rule-untrust_dmz]action permit
[FW1-policy-security-rule-untrust_dmz]quit
[FW1-policy-security]quit
[FW1]
[FW1]traffic-policy //配置带宽通道及带宽策略
[FW1-policy-traffic]profile profile_traffic_1 //配置带宽通道1
[FW1-policy-traffic-profile-profile_traffic_1]bandwidth maximum-bandwidth whole
upstream 5000
[FW1-policy-traffic-profile-profile_traffic_1]bandwidth maximum-bandwidth whole
downstream 10000
[FW1-policy-traffic-profile-profile_traffic_1]bandwidth connection-limit whole b
oth 20
[FW1-policy-traffic-profile-profile_traffic_1]quit
[FW1-policy-traffic]
[FW1-policy-traffic]profile profile_traffic_2 //配置带宽通道2
[FW1-policy-traffic-profile-profile_traffic_2]bandwidth maximum-bandwidth whole
upstream 400
[FW1-policy-traffic-profile-profile_traffic_2]bandwidth maximum-bandwidth whole
downstream 600
[FW1-policy-traffic-profile-profile_traffic_2]quit
[FW1-policy-traffic]
[FW1-policy-traffic]rule name policy_traffic_1 //配置带宽策略1,引用带宽通道1
[FW1-policy-traffic-rule-policy_traffic_1]source-zone trust
[FW1-policy-traffic-rule-policy_traffic_1]source-zone untrust
[FW1-policy-traffic-rule-policy_traffic_1]destination-zone dmz
[FW1-policy-traffic-rule-policy_traffic_1]action qos profile profile_traffic_1
[FW1-policy-traffic-rule-policy_traffic_1]quit
[FW1-policy-traffic]
[FW1-policy-traffic]rule name policy_traffic_2 //配置带宽策略2,引用带宽通道2
[FW1-policy-traffic-rule-policy_traffic_2]source-zone trust
[FW1-policy-traffic-rule-policy_traffic_2]destination-zone untrust
[FW1-policy-traffic-rule-policy_traffic_2]action qos profile profile_traffic_2
[FW1-policy-traffic-rule-policy_traffic_2]quit
[FW1-policy-traffic]
[FW1-policy-traffic]quit
[FW1]

    (5)测试

    服务器启动FTP服务,并用FTP客户端登录,但因ENSP是模拟器,无法测试使用traffic-policy前后的速度变化:

    启动FTP服务

    (七)参考资料

    华为模拟器eNSP软件
    华为模拟器eNSP社区
    HCNA-Security 华为认证网络安全工程师
    HCNP-Security 华为认证网络安全资深工程师
    HUAWEI USG6000V V500R001C10SPC100 典型配置案例
    HUAWEI USG6000V V500R001C10SPC100 管理员指南
    HUAWEI USG6000V V500R001C10SPC100 命令参考
    华为ICT相关的英文简称

    相关文章

      网友评论

          本文标题:华为防火墙实验9「配置基于IP地址带宽管理」

          本文链接:https://www.haomeiwen.com/subject/zleaxctx.html

          延伸阅读

          深度阅读

          • 您也可以注册成为美文阅读网的作者,发表您的原创作品、分享您的心情!

          栏目导航

          热点阅读

          关于我们|服务条款|联系我们|华为防火墙实验9「配置基于IP地址带宽管理」|投稿指南|网站地图|RSS订阅|排版工具|手机版

          提供经典美文摘抄,优美散文欣赏,现代诗歌精选,短篇小说,心情随笔,表白情书范文,故事会在线阅读欣赏

          Copyright © 2014-2023 Haomeiwen.com All Rights Reserved. 好美文阅读网 版权所有

          备案信息:桂公网安备 45052102000051号 · 桂ICP备13007215号-3

          本站所收录作品、热点评论等信息部分来源互联网,目的只是为了系统归纳学习和传递资讯

          所有作品版权归原创作者所有,与本站立场无关,如不慎侵犯了你的权益,请联系我们告知,我们将做删除处理!