Kayan Haber Alanı
Başlangıç / Huawei / IP Security Huawei

IP Security Huawei

Genel yapılandırma ayarları.

[Huawei]sysname Router1
[Huawei]sysname Router2
[Huawei]sysname Router3
[Huawei]sysname Switch1
[Switch1]vlan 4
[Switch1-vlan4]quit
[Switch1]interface vlanif 4
[Switch1-Vlanif4]ip address 10.0.4.254 24
[Huawei]sysname switch2

[switch2]

vlan 6

[switch2-vlan6]

quit

[switch2]

interface vlanif 6
[switch2-Vlanif6]ip address 10.0.6.254 24

İp address yapılandırması .
Şekilde gösterildiği gibi 10.0.13.0/24 , 10.0.4.0/24 ve 10.0.6.0/24 network aralıklarında ip adressler verelim.
[Router1]interface GigabitEthernet 0/0/0
[Router1-GigabitEthernet0/0/0]ip address 10.0.13.1 24
[Router2]interface GigabitEthernet 0/0/0
[Router2-GigabitEthernet0/0/0]ip address 10.0.13.2 24
[Router2-GigabitEthernet0/0/0]interface GigabitEthernet 0/0/1
[Router2-GigabitEthernet0/0/1]ip address 10.0.4.2 24
[Router2-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/2
[Router2-GigabitEthernet0/0/2]ip address 10.0.6.2 24
[Router3]interface GigabitEthernet 0/0/0
[Router3-GigabitEthernet0/0/0]ip address 10.0.13.3 24

Switch1 ve switch2 için Vlan trunk hattı oluşturmamız gerekir.
[Switch1]interface GigabitEthernet 0/0/2
[Switch1-GigabitEthernet0/0/2]port link-type trunk
[Switch1-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[Switch1-GigabitEthernet0/0/2]port trunk pvid vlan 4
[Switch1-GigabitEthernet0/0/2]quit

[switch2]

interface GigabitEthernet 0/0/2
[switch2-GigabitEthernet0/0/2]port link-type trunk
[switch2-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[switch2-GigabitEthernet0/0/2]port trunk pvid vlan 6
[switch2-GigabitEthernet0/0/2]quit

Network iletişimini etkinleştirmek için OSPF konfigürasyonunu yapılandıralım.
Router1,Router2 ve Router3 için OSPF’i kuralım.Cihazlara bağlı olan tüm networkleri anons edelim.
[Router1]ospf
[Router1-ospf-1]area 0
[Router1-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255
[Router2]ospf
[Router2-ospf-1]area 0
[Router2-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255
[Router2-ospf-1-area-0.0.0.0]network 10.0.4.0 0.0.0.255
[Router2-ospf-1-area-0.0.0.0]network 10.0.6.0 0.0.0.255
[Router3]ospf
[Router3-ospf-1]area 0
[Router3-ospf-1-area-0.0.0.0]network 10.0.13.0 0.0.0.255

Switch1 ve switch2, statik route yazalım ve private network gateway olarak bir sonraki nexthopu yazalım.
[Switch1]ip route-static 0.0.0.0 0.0.0.0 10.0.4.2

[switch2]

ip route-static 0.0.0.0 0.0.0.0 10.0.6.2

Vlan haberleşmeleri kontrol edelim.
ping 10.0.4.254
PING 10.0.4.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.4.254: bytes=56 Sequence=1 ttl=254 time=670 ms
Reply from 10.0.4.254: bytes=56 Sequence=2 ttl=254 time=100 ms
Reply from 10.0.4.254: bytes=56 Sequence=3 ttl=254 time=80 ms
Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=254 time=100 ms
Reply from 10.0.4.254: bytes=56 Sequence=5 ttl=254 time=90 ms
— 10.0.4.254 ping statistics —
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/208/670 ms
ping 10.0.6.254
PING 10.0.6.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.6.254: bytes=56 Sequence=1 ttl=254 time=110 ms
Reply from 10.0.6.254: bytes=56 Sequence=2 ttl=254 time=80 ms
Reply from 10.0.6.254: bytes=56 Sequence=3 ttl=254 time=80 ms
Reply from 10.0.6.254: bytes=56 Sequence=4 ttl=254 time=110 ms
Reply from 10.0.6.254: bytes=56 Sequence=5 ttl=254 time=100 ms
— 10.0.6.254 ping statistics —
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/96/110 ms
ping 10.0.4.254
PING 10.0.4.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.4.254: bytes=56 Sequence=1 ttl=254 time=100 ms
Reply from 10.0.4.254: bytes=56 Sequence=2 ttl=254 time=80 ms
Reply from 10.0.4.254: bytes=56 Sequence=3 ttl=254 time=100 ms
Reply from 10.0.4.254: bytes=56 Sequence=4 ttl=254 time=80 ms
Reply from 10.0.4.254: bytes=56 Sequence=5 ttl=254 time=100 ms
— 10.0.4.254 ping statistics —
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/92/100 ms
ping 10.0.6.254
PING 10.0.6.254: 56 data bytes, press CTRL_C to break
Reply from 10.0.6.254: bytes=56 Sequence=1 ttl=254 time=70 ms
Reply from 10.0.6.254: bytes=56 Sequence=2 ttl=254 time=130 ms
Reply from 10.0.6.254: bytes=56 Sequence=3 ttl=254 time=90 ms
Reply from 10.0.6.254: bytes=56 Sequence=4 ttl=254 time=90 ms
Reply from 10.0.6.254: bytes=56 Sequence=5 ttl=254 time=100 ms
— 10.0.6.254 ping statistics —
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 70/96/130 ms

Access Control Lists kullanarak filtering yapılandırmak.
Switch1’i telnet server olarak yapılandıralım.
[Switch1]user-interface vty 0 4
[Switch1-ui-vty0-4]authentication-mode password
[Switch1-ui-vty0-4]set authentication password cipher huawei
switch2’yi FTP server olarak yapılandıralım

[switch2]

ftp server enable
Info: Succeeded in starting the FTP server.

[switch2]

aaa

[switch2-aaa]

local-user huawei password cipher huawei
Info: Add a new user.

[switch2-aaa]

local-user huawei service-type ftp

[switch2-aaa]

local-user huawei ftp-directory flash:

Router1 telnet server’ınden , Router3 FTP sunucusuna ulaşabilmek için Router2 üzerinde bir access kontrol listesi oluşturalım.
[Router2]acl 3000
[Router2-acl-adv-3000]rule 5 permit tcp source 10.0.13.1 0.0.0.0 destination 10.0.4.254 0.0.0.0 destination-port eq 23
[Router2-acl-adv-3000]rule 10 permit tcp source 10.0.13.3 0.0.0.0 destination 10.0.6.254 0.0.0.0 destination-port range 20 21
[Router2-acl-adv-3000]rule 15 deny ip source any
[Router2-acl-adv-3000]quit
Router2 Gigabit Ethernet 0/0/0 interface için ACL uygulayalım.
[Router2]interface GigabitEthernet 0/0/0
[Router2-GigabitEthernet 0/0/0]traffic-filter inbound acl 3000

Ağdaki access control lists doğrulugunu kontrol edelim.
telnet 10.0.4.254
Press CTRL+K to quit telnet mode
Trying 10.0.4.254 …
Connected to 10.0.4.254 …
Login authentication
Password:
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.

NOT:Telnet oturumundan çıkmak için quit komutunu kullanın.
ftp 10.0.6.254
Trying 10.0.6.254 …
Press CTRL+K to abort
Error:Failed to connect to the remote host.

FTP bağlantısı yanıt vermek için bi süre bekleyebilir(60 seconds)
telnet 10.0.4.254
Press CTRL+K to quit telnet mode
Trying 10.0.4.254 …
Error:Can’t connect to the remote host.
ftp 10.0.6.254
Trying 10.0.6.254 …
Press CTRL+K to abort
Connected to 10.0.6.254.
220 FTP service ready.
User(10.0.6.254:(none)):huawei
331 Password required for huawei.
Enter password:
530 Logged incorrect.
[Router3-ftp]

Not ;Bye komutu FTP bağlantısı kapatmak için kullanılır
Sonuç ..
display current-configuration
#
sysname Router1
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher OOCM4m($F4ajUn1vMEIBNUw#
local-user admin service-type http
#
interface GigabitEthernet0/0/0
ip address 10.0.13.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.13.0 0.0.0.255
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
Return

display current-configuration
#
sysname Router2
#
acl number 3000
rule 5 permit tcp source 10.0.13.1 0 destination 10.0.4.254 0 destination-port e
q telnet
rule 10 permit tcp source 10.0.13.3 0 destination 10.0.6.254 0 destination-port
range ftp-data ftp
rule 15 deny ip
#
interface GigabitEthernet0/0/0
ip address 10.0.13.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.0.4.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.0.6.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.13.0 0.0.0.255
network 10.0.4.0 0.0.0.255
network 10.0.6.0 0.0.0.255
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
Return

display current-configuration
#
sysname Router3
#
interface GigabitEthernet0/0/0
ip address 10.0.13.3 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.0.13.0 0.0.0.255
#
user-interface con 0
user-interface vty 0 4
user-interface vty 16 20
#
Return

display current-configuration
#
sysname Switch1
#
vlan batch 4
#
interface Vlanif4
ip address 10.0.4.254 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 4
port trunk allow-pass vlan 2 to 4094
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.4.2
#
user-interface con 0
user-interface vty 0 4
set authentication password cipher A@Pc;6w5b@uqcXT}k’OI%9n#
#
Return

display current-configuration
#
sysname switch2
#
FTP server enable
#
vlan batch 6
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
local-user huawei password cipher $K&%QCXM$NYNZPO3JBXBHA!!
local-user huawei ftp-directory flash:
local-user huawei service-type ftp
#
interface Vlanif6
ip address 10.0.6.254 255.255.255.0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 6
port trunk allow-pass vlan 2 to 4094
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.6.2
#
user-interface con 0
user-interface vty 0 4
#
return

Hakkında: Cem Kemal Erbaş

Kontrol Ediliyor

Next Generation Firewall (NGFW) Huawei

Next Generation Firewall (NGFW) üzerinden geçen trafiği, Application identification, User identification ve Content identification temellerine …

Bir cevap yazın