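Author: 独猎鹏
2. Securing the internal network
(1) Device naming and interface IP addressing
NGFW:
#
sysname NGFW  # Name the device NGFW
#
interface GigabitEthernet1/0/0  # Enter interface view and configure the IP address
ip address 202.0.0.1 255.255.255.248
#
interface GigabitEthernet1/0/2  # Enter interface view and configure the IP address
ip address 10.0.0.1 255.255.255.252
#
SW1:
#
sysname SW1  # Name the device SW1
#
interface GigabitEthernet1/0/2  # Enter interface view
port link-mode route  # Switch the interface to Layer 3 mode (the default is bridge, Layer 2 mode)
ip address 10.0.0.2 255.255.255.252  # Configure the interface IP address
#
Internet:
#
sysname internet  # Name the device internet
#
interface GigabitEthernet0/0  # Enter interface view
ip address 202.0.0.2 255.255.255.248  # Add the IP address
#
interface LoopBack0  # Add a loopback interface (a logical interface) to simulate the public network
description CS  # Add an interface description; CS stands for "测试" (test)
ip address 200.1.1.1 255.255.255.255  # Configure the interface IP address
#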
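(2) DMZ zone configuration (DHCP and static binding) and Untrust zone configuration
A. Security zone assignment
NGFW:
#
security-zone name DMZ  # Enter the DMZ security zone
import interface GigabitEthernet1/0/2  # Add the internal interface to the DMZ security zone
#
security-zone name Untrust  # Enter the Untrust security zone
import interface GigabitEthernet1/0/0  # Add the public interface to the Untrust security zone
#
B. DHCP configuration
Assign a fixed IP address to Server
1) Obtaining the IP address
I. Server configuration:
Server (simulated with a switch):
#
sysname Server  # Name the device Server
#
vlan 10  # Create VLAN 10
#
interface GigabitEthernet1/0/1  # Enter interface view
port link-mode bridge  # Set the interface to bridge mode
port access vlan 10  # Assign the interface to VLAN 10
#
interface Vlan-interface10  # Configure the Layer 3 virtual interface (a logical interface)
#
II. Look up the Server MAC address
[Server]display interface Vlan-interface 10  # Display the interface parameters in order to read the MAC address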
Vlan-interface10
Current state: UP
Line protocol state: UP
Description: Vlan-interface10 Interface
Bandwidth: 100000 kbps
Maximum transmission unit: 1500
Internet address: 10.1.1.10/8 (DHCP-allocated)
IP packet frame type: Ethernet II, hardware address: 06db-1d10-0902
IPv6 packet frame type: Ethernet II, hardware address: 06db-1d10-0902
Last clearing of counters: Never
Last 300 seconds input rate: 4 bytes/sec, 32 bits/sec, 0 packets/sec
Last 300 seconds output rate: 3 bytes/sec, 24 bits/sec, 0 packets/sec
Input: 11 packets, 2046 bytes, 0 drops
Output: 30 packets, 4156 bytes, 0 drops
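III. DHCP configuration
SW1:
#
vlan 10  # Create VLAN 10
#
interface GigabitEthernet1/0/1  # Enter interface view
port link-mode bridge  # Layer 2 interface, bridge mode
port access vlan 10  # Assign the interface to VLAN 10
#
interface Vlan-interface10  # Enter the Layer 3 virtual interface view
ip address 10.1.1.254 255.255.255.0  # Configure the gateway address
#
dhcp enable  # Enable the DHCP service
#
dhcp server ip-pool server  # Create the address pool
gateway-list 10.1.1.254  # Configure the gateway address
network 10.1.1.0 mask 255.255.255.0  # Add the address range available for allocation
forbidden-ip 10.1.1.254  # Reserve this IP address so that it is not allocated
static-bind ip-address 10.1.1.10 mask 255.255.255.0 hardware-address 06db-1d10-0902
# Assign the fixed IP address 10.1.1.10 to Server
Server (simulated with a switch):
#
interface Vlan-interface10  # Enter the Layer 3 virtual interface view
ip address dhcp-alloc  # Obtain the IP address dynamically (this command enables the DHCP client on the interface)
#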
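(3) Security policy to allow access between zones
NGFW:
#
object-group ip address dmz  # Add the dmz address group
0 network subnet 10.1.1.0 255.255.255.0  # Add the address range
#
object-group ip address untrust  # Add the untrust address group
0 network subnet 0.0.0.0 0.0.0.0  # Allow everything for public network access (any)
#
security-policy ip  # Add a security policy
rule 0 name dmz-untrust  # Rule from the DMZ zone to the Untrust zone
action pass  # Action is permit
source-zone dmz  # Source security zone is dmz
destination-zone untrust  # Destination security zone is untrust
source-ip dmz  # Source IP address is the dmz address group
destination-ip untrust  # Destination IP address is the untrust address group
#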
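(4) Enabling attack defense
NGFW:
#
attack-defense policy attack  # Enable attack defense (policy named attack)
signature detect land action drop logging  # Enable Land attack defense: drop detected attack packets and log them
#
security-zone name Untrust  # Enter the Untrust security zone
attack-defense apply policy attack  # Apply the single-packet attack defense policy
#
Note: every single-packet attack type is configured in the same way as above. Read the requirements carefully and adjust accordingly.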
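(5) Configuring NAT
NGFW:
#
nat address-group 1  # Add a NAT address pool
address 202.0.0.3 202.0.0.6  # Pool addresses 202.0.0.3 through 202.0.0.6, 4 addresses in total
#
acl basic 2023  # ACL that permits the internal network to access the external network
description nat  # Add a description: this ACL is used by NAT
rule 0 permit source 10.1.1.0 0.0.0.255  # Internal address range permitted to access the public network
#
ip route-static 0.0.0.0 0 202.0.0.2  # Configure the route to the public network
#
ospf 1  # Enable OSPF with process ID 1 (the default process is 1)
default-route-advertise  # OSPF originates a default route (imports the default route created by the static route)
area 0.0.0.0  # Enter area 0 (the backbone area)
network 10.0.0.0 0.0.0.3  # Advertise the interconnect segment
#
acl advanced 3000  # ACL that permits OSPF protocol packets between the firewall and SW1
rule 0 permit ip source 10.0.0.1 0 destination 10.0.0.2 0
rule 5 permit ospf
#
zone-pair security source Local destination DMZ  # Add a security policy so that Local can access DMZ
packet-filter 3000
#
acl advanced 3001  # ACL that permits OSPF protocol packets between the firewall and SW1
rule 0 permit ip source 10.0.0.2 0 destination 10.0.0.1 0
rule 5 permit ospf
#
zone-pair security source DMZ destination Local  # Add a security policy so that DMZ can access Local
packet-filter 3001
#
interface GigabitEthernet1/0/0
nat outbound 2023 address-group 1  # Apply NAT on the public interface, associating the ACL and the address pool
#
SW1:
#
ospf 1  # Enable OSPF with process ID 1 (the default process is 1)
silent-interface Vlan-interface10  # Set the interface as a silent interface (prevents routes from leaking to clients)
area 0.0.0.0  # Enter area 0 (the backbone area)
network 10.0.0.0 0.0.0.3  # Advertise the interconnect segment
network 10.1.1.0 0.0.0.255  # Advertise the service segment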
#
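The NAT pool, ACL 2023 and the OSPF network statements above all rely on subnet and wildcard-mask arithmetic; the Internet router in this lab has no routes configured, so replies reach the translated addresses only because the pool lies inside its connected 202.0.0.0/29. The Python check below is an added example, not part of the original notes: the function names are hypothetical and the values are copied from the configuration on this page.

```python
import ipaddress as ipa

def wildcard_match(addr, base, wildcard):
    """Comware ACL / OSPF 'network' match: wildcard bits set to 1 are ignored."""
    a, b, w = (int(ipa.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def audit_nat_pool(first, last, iface_ip, iface_mask, used):
    """List problems with a NAT address-group relative to the outside interface."""
    net = ipa.IPv4Interface(f"{iface_ip}/{iface_mask}").network
    lo, hi = int(ipa.IPv4Address(first)), int(ipa.IPv4Address(last))
    if lo > hi:
        return [f"range {first}-{last} is reversed"]
    problems = []
    for n in range(lo, hi + 1):
        ip = ipa.IPv4Address(n)
        if ip not in net:
            problems.append(f"{ip} is outside connected subnet {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{ip} is the network/broadcast address of {net}")
        elif str(ip) in used:
            problems.append(f"{ip} is already assigned to an interface")
    return problems

def uncovered_hosts(pool_cidr, acl_base, acl_wildcard):
    """Hosts of the DHCP pool that the NAT ACL rule would NOT translate."""
    return [str(h) for h in ipa.IPv4Network(pool_cidr).hosts()
            if not wildcard_match(str(h), acl_base, acl_wildcard)]

# Values copied from the configuration on this page.
USED = {"202.0.0.1", "202.0.0.2"}  # NGFW GE1/0/0 and Internet GE0/0

def audit_page_config():
    return {
        "nat_pool": audit_nat_pool("202.0.0.3", "202.0.0.6",
                                   "202.0.0.1", "255.255.255.248", USED),
        "acl_2023_gaps": uncovered_hosts("10.1.1.0/24", "10.1.1.0", "0.0.0.255"),
        "server_translated": wildcard_match("10.1.1.10", "10.1.1.0", "0.0.0.255"),
        "link_translated": wildcard_match("10.0.0.2", "10.1.1.0", "0.0.0.255"),
        "ospf_covers_gw": wildcard_match("10.1.1.254", "10.1.1.0", "0.0.0.255"),
        "ospf_covers_link": wildcard_match("10.0.0.2", "10.0.0.0", "0.0.0.3"),
    }

if __name__ == "__main__":
    for check, result in audit_page_config().items():
        print(f"{check}: {result}")
```

An empty list for nat_pool and acl_2023_gaps means the pool is usable on the outside segment and every DMZ host is eligible for translation; link_translated should stay False so that the NGFW-SW1 interconnect is not matched by the NAT ACL.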
(6) Testing
ping 200.1.1.1  # Test that the public network is reachable, to check whether the NAT configuration is correct
Ping 200.1.1.1 (200.1.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 200.1.1.1: icmp_seq=0 ttl=253 time=3.000 ms
56 bytes from 200.1.1.1: icmp_seq=1 ttl=253 time=2.000 ms
56 bytes from 200.1.1.1: icmp_seq=2 ttl=253 time=2.000 ms
56 bytes from 200.1.1.1: icmp_seq=3 ttl=253 time=3.000 ms
56 bytes from 200.1.1.1: icmp_seq=4 ttl=253 time=2.000 ms
--- Ping statistics for 200.1.1.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.000/2.400/3.000/0.490 ms
%Dec 1 17:28:31:038 2023 Server PING/6/PING_STATISTICS: Ping statistics for 200.1.1.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 2.000/2.400/3.000/0.490 ms.
[NGFW]display nat session  # View the NAT session table
Slot 1:
Initiator:
Source IP/port: 10.1.1.10/218
Destination IP/port: 200.1.1.1/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/2
Source security zone: DMZ
Total sessions found: 1
Source: 什么值得买. Title: H3CNE-Security Notes (Lab Only)