1. Configure terminal access:
In system-view:
[huawei] user-interface vty 0 4
[huawei] authentication-mode password
[huawei] set authentication password cipher ******
[huawei] super password cipher ****** // set the super-user password
2. Configure MAC address filtering
In system-view:
[huawei] acl name macvir link match-order config
[huawei] rule deny ingress H-H-H 0000-0000-0000
[huawei] packet-filter link-group macvir in
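3. Upgrade the software version
In user view:
dir /all    List all files; files shown in [] are in the recycle bin and can be purged with the reset recycle-bin [ file-url ] command
del /u    Permanently delete a file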
ftp 202.195.241.123
Trying ...
Press CTRL+K to abort
Connected.
220 Serv-U FTP Server v6.0 for WinSock ready...
User(none):luogf
331 User name okay, need password.
Password:
230 User logged in, proceed.
[ftp]get S3526EFC-VRP310-r0040-64-a.bin
[ftp]bye
boot boot-loader S3526EFC-VRP310-r0040-64-a.bin
4. Firewall settings
1. Enable the firewall function.
[Quidway]system-guard enable
Success to enable system-guard task
2. Disable the firewall function. When the firewall function is disabled, all parameters return to their default values.
[Quidway]undo system-guard enable
Success to disable system-guard task
3. Configure the maximum number of virus-infected hosts that can be detected; the range is 1-100.
[Quidway]system-guard detect-maxnum ?
INTEGER Max num of detection
[Quidway]system-guard detect-maxnum 50
4. Restore the maximum number of detectable virus-infected hosts; the default is 30.
[Quidway]undo system-guard detect-maxnum
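5. Configure the thresholds, which are:
detect-threshold: for packets from the same source IP within the specified time, the number of times the destination IP changes at which that IP is judged to show virus characteristics; the default is 30;
Record-times: the number of times a source IP must be judged to show virus characteristics before action is taken against it; the default is 1;
Isolate Times: after action has been taken against a virus IP, how many multiples of the address aging time to wait before restoring that IP; the default is 3.
These three thresholds are set in a single command line. The range of each threshold is as follows: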
[Quidway]system-guard detect-threshold ?
INTEGER IP-Record threshold
[Quidway]system-guard detect-threshold 40 ?
INTEGER Record-times threshold
[Quidway]system-guard detect-threshold 40 3 ?
INTEGER Isolate Times of Aging time
[Quidway]system-guard detect-threshold 40 3 5 ?
[Quidway]system-guard detect-threshold 40 3 5
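6. Restore the thresholds. The default IP-Record threshold is 30, the default Record-times threshold is 1, and the default Isolate Times threshold is 3 (three times the address aging time).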
[Quidway]undo system-guard detect-threshold
7. Display the running state of the system firewall
[Quidway]display system-guard state
system-guard is closed!
Ip-Attack threshold: 30
Deny threshold: 1
Infected virus Host Number: 0
Isolated times of Aging time: 3
Max Num of detection support: 30
Disable dest IP addr learning from all ip addr in the list
[Quidway]system-guard enable
Success to enable system-guard task
[Quidway]display system-guard state
system-guard is running!
Ip-Attack threshold: 30
Deny threshold: 1
Infected virus Host Number: 0
Isolated times of Aging time: 3
Max Num of detection support: 30
Disable dest IP addr learning from all ip addr in the list
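The three thresholds from step 5, as an added Python model that is not code from the original post or from the switch vendor: it counts destination-IP changes per source, records a detection at detect-threshold, and isolates the source after Record-times detections for Isolate Times multiplied by the aging time. The counting window (`window`) and the aging time (`aging_time`) are assumed values, since the page gives neither, and the traffic is constructed.

```python
from collections import defaultdict

def system_guard_model(packets, detect_threshold=30, record_times=1,
                       isolate_times=3, window=10, aging_time=300):
    """Model of the three system-guard thresholds described in step 5.

    packets: (timestamp_s, src_ip, dst_ip) tuples sorted by time.
    window and aging_time (seconds) are assumptions, not values from the page.
    Returns {src_ip: [(isolated_at, released_at), ...]}.
    """
    state = {}                    # src -> [window_start, last_dst, changes]
    records = defaultdict(int)    # src -> detections recorded so far
    isolations = defaultdict(list)
    for ts, src, dst in packets:
        spans = isolations.get(src)
        if spans and ts < spans[-1][1]:
            continue              # source is still isolated
        st = state.get(src)
        if st is None or ts - st[0] >= window:
            state[src] = [ts, dst, 0]   # start a new counting window
            continue
        if dst != st[1]:
            st[1] = dst
            st[2] += 1            # destination IP changed
        if st[2] >= detect_threshold:
            records[src] += 1     # source shows virus characteristics
            del state[src]
            if records[src] >= record_times:
                isolations[src].append((ts, ts + isolate_times * aging_time))
                records[src] = 0
    return dict(isolations)

def constructed_traffic():
    """Constructed sample, 20 packets per second for 10 seconds per host:
    10.0.0.66 sweeps 200 distinct addresses, 10.0.0.10 talks to two servers."""
    pkts = []
    for i in range(200):
        pkts.append((i // 20, "10.0.0.66", f"192.168.0.{i + 1}"))
        pkts.append((i // 20, "10.0.0.10",
                     "192.168.0.1" if i < 100 else "192.168.0.2"))
    return sorted(pkts, key=lambda p: p[0])   # stable sort keeps per-host order

if __name__ == "__main__":
    print("defaults 30 1 3:", system_guard_model(constructed_traffic()))
    print("page's   40 3 5:", system_guard_model(constructed_traffic(), 40, 3, 5))
```

With the page's `40 3 5` setting the sweeping host needs three detections before it is isolated, so it sends longer than under the defaults, but is then held for five aging periods instead of three.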
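5. 802.1X authentication
On Win XP I installed the HWDot1xCHNT.EXE client, downloaded from "802.1x client software V2.10, supports anti-proxy function", and ticked every option in its property settings.
When performing 802.1x dial-up authentication, the switch rebooted by itself!
S3526 configuration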
[Quidway]dis cu
#
sysname Quidway
#
radius scheme system
server-type huawei
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
domain system
radius-scheme system
access-limit disable
state active
idle-cut disable
domain default enable system
#
local-server nas-ip 127.0.0.1 key huawei
local-user aa1
password simple 123
service-type lan-access
#
dot1x
dot1x authentication-method eap md5-challenge
#
vlan 1
#
interface Aux0/0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
#
interface Ethernet0/5
#
interface Ethernet0/6
#
interface Ethernet0/7
dot1x
This article comes from the ChinaUnix blog; to view the original, go to: http://blog.chinaunix.net/u/10890/showart_157791.html