Wednesday, September 27, 2006

Huawei 18-20 Router Configuration Notes

A while ago the company bought a Huawei 18-20 router. Since it has no web-based configuration, I had to bite the bullet and configure it from the terminal. Reading line after line of commands made my head spin, but fortunately the commands are not too complicated. After chewing through the manual, and with help from a Huawei engineer, I finally got it working. My configuration process follows.

Note: in the configuration below, a prompt in <> means user view (standby state), and a prompt in [ ] means configuration view.

<Quidway>sys
[Quidway]int eth 1/0 //configure the internal (LAN) interface
[Quidway-Ethernet1/0]ip add 192.168.1.1 24 //add the internal IP address

[Quidway-Ethernet1/0]tcp mss 1024
[Quidway-Ethernet1/0]int eth 2/0 //configure the public (WAN) interface
[Quidway-Ethernet2/0]ip add (public IP) xx.xx.xx.xx (mask) xx.xx.xx.xx //add the public IP address and mask
[Quidway-Ethernet2/0]tcp mss 1024

[Quidway-Ethernet2/0]qu
[Quidway]acl num 2000 //ACL used for NAT translation
[Quidway-acl-basic-2000]rule per sou 192.168.1.0 0.0.0.255
[Quidway-acl-basic-2000]rule deny sou any
[Quidway-acl-basic-2000]qu
[Quidway]acl num 3000 //anti-virus ACL

Next, add the firewall rules one at a time (adding this part is exhausting -_-!):
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq tftp
[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 135
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq 135
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq netbios-ns
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq netbios-dgm
[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 139
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq netbios-ssn
[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 445
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq 445
[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 539
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq 539
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq 593
[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 593
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq 1434
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq 1433
[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 4444
[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 9996
[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 5554
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq 9996
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq 5554
[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 137
[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 138
[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 1025
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq 1025
[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 9995
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq 9995
[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 1068
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq 1068
[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 1023
[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq 1023
[Quidway-acl-adv-3000]qu
[Quidway]int eth 1/0
[Quidway-Ethernet1/0]fi pack 3000 in //apply ACL 3000 as an inbound packet filter on the LAN interface
[Quidway-Ethernet1/0]int eth 2/0
[Quidway-Ethernet2/0]nat out 2000 //outbound NAT for the addresses permitted by ACL 2000
[Quidway-Ethernet2/0]qu
[Quidway]ip rou 0.0.0.0 0.0.0.0 192.168.1.1 //default route (the next hop should be the ISP's gateway on the public side; 192.168.1.1 is the router's own LAN address)
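The router applies ACL 2000 and ACL 3000 above with first-match semantics: a basic ACL matches on source address only, an advanced ACL also matches protocol and destination port, and the wildcard mask (0.0.0.255) is the inverse of a netmask. The following Python script is an added example, not part of the original post and not Huawei's code: it parses rule lines in the format used above, converts the wildcard masks, evaluates constructed sample packets against a subset of the post's rules, and generates the repetitive deny lines from a port table. The port-name values, the "permit" default for packets that match no rule, and the sample addresses are assumptions.

```python
# Added example (not from the original post): a small evaluator for the
# Quidway/VRP-style ACL rules shown above. It applies the rules the way the
# router does (first matching rule wins; a basic ACL matches on source only,
# an advanced ACL also matches protocol and destination port), so the effect
# of the filter can be checked before it is applied to an interface.
import ipaddress
import re

# Port names used in the post's rules, resolved to numbers (assumed IANA values).
PORT_NAMES = {"tftp": 69, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

RULE_RE = re.compile(
    r"rule\s+(?P<action>per(?:mit)?|deny)\s+"
    r"(?:(?P<proto>tcp|udp|ip)\s+)?"
    r"sou(?:rce)?\s+(?P<src>any|\S+\s+\S+)"
    r"(?:\s+dest(?:ination)?\s+(?P<dst>any|\S+\s+\S+))?"
    r"(?:\s+destination-port\s+eq\s+(?P<dport>\S+))?"
)


def wildcard_to_network(addr, wildcard):
    """VRP uses wildcard masks (0.0.0.255 = /24), the inverse of a netmask."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # only contiguous low-order ones map to a CIDR prefix
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    prefix = 32 - bin(wc).count("1")
    return ipaddress.IPv4Network("%s/%d" % (addr, prefix), strict=False)


def parse_rule(line):
    """Parse one 'rule ...' line; a leading prompt like [Quidway-acl-adv-3000] is ignored."""
    m = RULE_RE.search(line)
    if not m:
        raise ValueError("cannot parse: " + line)

    def net(field):
        if field is None or field == "any":
            return ipaddress.IPv4Network("0.0.0.0/0")
        addr, wc = field.split()
        return wildcard_to_network(addr, wc)

    dport = m.group("dport")
    if dport is not None:
        dport = PORT_NAMES.get(dport) or int(dport)
    return {
        "action": "permit" if m.group("action").startswith("per") else "deny",
        "proto": m.group("proto"),  # None in a basic ACL: any protocol
        "src": net(m.group("src")),
        "dst": net(m.group("dst")),
        "dport": dport,
    }


def rule_matches(rule, pkt):
    """pkt is a dict with proto, src, dst and (optionally) dport."""
    if rule["proto"] not in (None, "ip") and rule["proto"] != pkt["proto"]:
        return False
    if ipaddress.IPv4Address(pkt["src"]) not in rule["src"]:
        return False
    if ipaddress.IPv4Address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False
    return True


def evaluate(rules, pkt, default="permit"):
    """First match wins. A packet matching no rule gets `default`; the router's
    own default action is configurable, so 'permit' here is an assumption."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return default


def generate_deny_rules(ports, protos=("tcp", "udp")):
    """Produce the repetitive deny lines from a port table instead of typing them."""
    return ["rule deny %s source any destination any destination-port eq %s" % (p, port)
            for port in ports for p in protos]


# Constructed sample: a subset of the post's ACL 2000 and ACL 3000 lines.
ACL_2000 = [parse_rule(line) for line in [
    "[Quidway-acl-basic-2000]rule per sou 192.168.1.0 0.0.0.255",
    "[Quidway-acl-basic-2000]rule deny sou any",
]]
ACL_3000 = [parse_rule(line) for line in [
    "[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq tftp",
    "[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 135",
    "[Quidway-acl-adv-3000]rule deny tcp sou any dest any destination-port eq 445",
    "[Quidway-acl-adv-3000]rule deny udp sou any dest any destination-port eq netbios-ns",
]]

if __name__ == "__main__":
    lan_host = "192.168.1.50"
    outside = "203.0.113.9"  # constructed external address (TEST-NET-3)
    for proto, dport in (("tcp", 445), ("udp", 445), ("udp", 69), ("tcp", 80)):
        pkt = {"proto": proto, "src": lan_host, "dst": outside, "dport": dport}
        print(proto, dport, "->", evaluate(ACL_3000, pkt))
    for src in ("192.168.1.50", "192.168.2.7"):
        print("NAT for", src, "->", evaluate(ACL_2000, {"proto": "tcp", "src": src, "dst": outside}))
```

Running the script shows why the post lists each port for both tcp and udp: a rule for tcp 445 does not touch udp 445, and a named port such as tftp only blocks the protocol it is written for. The generator makes the long ACL 3000 block reproducible rather than hand-typed.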
Next, add a router user and password. Telnet access is enabled here so that the router can be managed over the network later:
[Quidway]local-user admin password simple 123456 //"simple" stores the password in cleartext in the config; "cipher" stores it encrypted
[Quidway]local-user admin service-type telnet
[Quidway]local-user admin level 3 //user privilege level
[Quidway]qu
<Quidway>sa
The configuration will be written to the device. Are you sure?[Y/N]y
Please input the file name(*.cfg)[flash:/config.cfg]:
Now saving current configuration to the device.
Saving configuration flash:/config.cfg. Please wait...

At this point the basic configuration is complete. If you also want SSH login, configure it as follows:
[Quidway]rsa local-key-pair create //generate the local key pair
[Quidway]user-interface vty 0 4 //enter VTY view
[Quidway-ui-vty0-4]authentication-mode scheme //set authentication to scheme

[Quidway-ui-vty0-4]qu
[Quidway]local-user admin
[Quidway-user-admin]service-type ssh //set the service type to ssh
[Quidway-user-admin]level 3

[Quidway-user-admin]qu
[Quidway]ssh user admin authentication-type password //set the SSH user's authentication type to password
[Quidway]domain system
[Quidway-isp-system]scheme local //use the local authentication scheme
[Quidway-isp-system]qu
[Quidway]qu
<Quidway>sa //save the configuration

If you want to map port 80 of a particular host (assume its IP is 192.168.1.123), use the following:
[Quidway-Ethernet2/0]nat server protocol tcp global (public IP) 80 inside 192.168.1.123 80

To remove a configuration line, use the undo command followed by that configuration, and you are done.

Summary:
Compared with routers such as TP-LINK that support web configuration, the 18-20's terminal configuration is clearly lower level, which lets you tailor the router's functions to your own requirements more effectively and freely. Configuring it from a client over telnet is also fairly convenient. The Huawei AR18-20 supports time-based access control lists, which can control internal hosts' access to external resources and improve access efficiency. Its powerful network address translation (NAT) also supports internal servers, so both internal and external users can easily reach the various servers set up inside the company. That said, we have not used that many of these features yet -_-!!
