Content last updated: 2026/5/15 6:40:00 (Monday).
2016ÄêÉϰëÄêÈí¿¼ÍøÂ繤³Ìʦ¿¼ÊÔÕæÌ⣨ÉÏÎç¡¢ÏÂÎçÊÔÌ⣩
Part of the configuration of the AR2220 is shown below.
[AR2220]acl 2000
[AR2220-acl-2000]rule normal permit source 192.168.0.0 0.0.255.255
[AR2220-acl-2000]rule normal deny source any
[AR2220-acl-2000]quit
[AR2220]interface Ethernet0
[AR2220-Ethernet0]ip address 192.168.0.1 255.255.255.0
[AR2220-Ethernet0]quit
[AR2220]interface Ethernet1
[AR2220-Ethernet1]ip address 59.41.221.100 255.255.255.0
[AR2220-Ethernet1]nat outbound 2000 interface
[AR2220-Ethernet1]quit
[AR2220]ip route-static 0.0.0.0 0.0.0.0 59.41.221.254
Device AR2220 implements NAT on the ( ) interface, and the gateway for that interface's address is ( ).
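The AR2220 fragment above combines three things: basic ACL 2000 decides which source addresses are eligible for translation, `nat outbound 2000 interface` translates those sources to the Ethernet1 address (Easy IP, i.e. port-based NAT to the interface address), and the static default route sends everything non-local to 59.41.221.254. The following Python model is an added example written for this page, not code from the exam or from Huawei. The addresses come from the configuration above; the PAT port allocation, the handling of sources the ACL does not permit (forwarded untranslated in this model) and the sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Values taken from the AR2220 configuration above.
ACL_2000 = [("permit", "192.168.0.0", "0.0.255.255"),
            ("deny", "0.0.0.0", "255.255.255.255")]     # rule normal deny source any
ETHERNET0 = ("Ethernet0", "192.168.0.1", 24)           # inside
ETHERNET1 = ("Ethernet1", "59.41.221.100", 24)         # outside: nat outbound 2000 interface
DEFAULT_NEXT_HOP = "59.41.221.254"                     # ip route-static 0.0.0.0 0.0.0.0 ...


def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def wildcard_match(ip: str, net: str, wildcard: str) -> bool:
    """VRP/IOS wildcard mask: a 1 bit means 'don't care'."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(ip) & care) == (_ip(net) & care)


def acl_permits(acl, src: str) -> bool:
    """Basic ACL: rules are tried in order on the source address; first match wins."""
    for action, net, wildcard in acl:
        if wildcard_match(src, net, wildcard):
            return action == "permit"
    return False


def egress_for(dst: str):
    """Forwarding decision: a connected /24 wins, otherwise the static default route."""
    for name, addr, plen in (ETHERNET0, ETHERNET1):
        if _ip(dst) >> (32 - plen) == _ip(addr) >> (32 - plen):
            return name, None                 # directly connected, no next hop
    return ETHERNET1[0], DEFAULT_NEXT_HOP


@dataclass
class EasyIpNat:
    """'nat outbound 2000 interface' on Ethernet1: sources permitted by ACL 2000 are
    translated to the interface address with a fresh source port (PAT)."""
    public_ip: str = ETHERNET1[1]
    next_port: int = 10240                     # assumed starting port for the model
    table: dict = field(default_factory=dict)  # public port -> (inside ip, inside port)

    def outbound(self, src, sport, dst, dport):
        """A packet from the inside; returns (packet as sent, next hop)."""
        egress, next_hop = egress_for(dst)
        if egress != ETHERNET1[0] or not acl_permits(ACL_2000, src):
            # stays local, or ACL 2000 did not permit the source: forwarded untranslated
            # (this model's assumption for non-permitted sources)
            return (src, sport, dst, dport), next_hop
        for pub, inside in self.table.items():
            if inside == (src, sport):         # reuse an existing mapping
                break
        else:
            pub, self.next_port = self.next_port, self.next_port + 1
            self.table[pub] = (src, sport)
        return (self.public_ip, pub, dst, dport), next_hop

    def inbound(self, src, sport, dst, dport):
        """A packet arriving on Ethernet1; only ports with a mapping are translated back."""
        if dst != self.public_ip or dport not in self.table:
            return None                        # no session state: dropped
        inside_ip, inside_port = self.table[dport]
        return (src, sport, inside_ip, inside_port)


if __name__ == "__main__":
    nat = EasyIpNat()
    print(nat.outbound("192.168.0.20", 51000, "8.8.8.8", 53))   # translated, via 59.41.221.254
    print(nat.inbound("8.8.8.8", 53, "59.41.221.100", 10240))  # back to 192.168.0.20:51000
    print(nat.outbound("10.1.1.1", 1000, "8.8.8.8", 53))       # not permitted: untranslated
```

The point to notice is that the ACL only selects what gets translated; it is not a filter. A source outside 192.168.0.0/16 still leaves Ethernet1 with its private address, and a reply to a public port with no mapping is dropped because there is no session to translate it back to.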
[Question 3] (2 points per blank, 6 points total)
Only the intranet may initiate FTP and HTTP connections, and Java applet packets from the site 2.2.2.11 are to be rejected. The USG3000 has the following configuration; complete it.
[USG3000]acl number 3000
[USG3000-acl-adv-3000] rule permit tcp destination-port eq www
[USG3000-acl-adv-3000] rule permit tcp destination-port eq ftp
[USG3000-acl-adv-3000] rule permit tcp destination-port eq ftp-data
[USG3000]acl number 2010
[USG3000-acl-basic-2010] rule ( ) source 2.2.2.11 0.0.0.0
[USG3000-acl-basic-2010] rule permit source any
[USG3000]( ) interzone trust untrust
[USG3000-interzone-trust-untrust] packet-filter 3000 ( )
[USG3000-interzone-trust-untrust] detect ftp
[USG3000-interzone-trust-untrust] detect http
[USG3000-interzone-trust-untrust] detect java-blocking 2010
Candidate answers for blanks ( ) to ( ):
A. Firewall  B. trust  C. deny  D. permit  E. outbound  F. inbound
[Question 4] (2 points per blank, 6 points total)
The network settings of PC-1, PC-2 and PC-3 are given in Table 1-2.

Table 1-2
Device   Network address    Gateway        VLAN
PC-1     192.168.2.2/24     192.168.2.1    VLAN100
PC-2     192.168.3.2/24     192.168.3.1    VLAN200
PC-3     192.168.4.2/24     192.168.4.1    VLAN300

RIP is configured so that PC-1, PC-2 and PC-3 can reach each other. Complete the configuration on device E, or explain the commands indicated.
// VLAN routing interface addresses on E
interface vlanif 300
ip address ( ) 255.255.255.0
interface vlanif 1000          // VLAN used to interconnect the devices
ip address 192.168.100.1 255.255.255.0
// RIP on E
rip
network 192.168.4.0
network ( )
// trunk on E
int e0/1
port link-type trunk           // ( )
port trunk permit vlan all     // ( )
Question Two (20 points total)
Read the following description and answer Questions 1 to 3, writing the answers in the corresponding boxes on the answer sheet.
[Description]
The network topology of a school is shown in Figure 2-1.
[Question 1] (1 point per blank, 7 points total)
There are two commonly used kinds of IP access control list: standard access control lists, numbered ( ) and 1300~1399, and extended access control lists, numbered ( ) and 2000~2699. A standard access control list filters IP packets on the packet's ( ); an extended access control list filters IP packets on the packet's ( ), ( ), upper-layer protocol, time and so on. As a rule, a standard access control list is placed close to the ( ), and an extended access control list close to the ( ).
[Question 2] (1 point per blank, 10 points total)
To protect the network, ACLs are used to control access within it. The access-control requirements are as follows:
(1) The staff residential area cannot access the finance server, but can access the Internet;
(2) The student dormitory area cannot access the finance server, and is barred from the Internet every evening from 18:00 to 24:00;
(3) The office area can access both the finance server and the Internet;
(4) The teaching area is barred from the finance server, and from the Internet every day from 8:00 to 18:00.
1. Use an ACL to control access to the finance server; complete the configuration below.
R1(config)#access-list 1 ( ) ( ) 0.0.0.255
R1(config)#access-list 1 deny 172.16.10.0 0.0.0.255
R1(config)#access-list 1 deny 172.16.20.0 0.0.0.255
R1(config)#access-list 1 deny ( ) 0.0.0.255
R1(config)#interface ( )
R1(config-if)#ip access-group 1 ( )
2. Use an ACL to control access to the Internet; complete the configuration below.
Route-Switch(config)#time-range jxq
Route-Switch(config-time-range)#periodic daily ( )            // defines the teaching-area time range
Route-Switch(config)#time-range xsssq
Route-Switch(config-time-range)#periodic ( ) 18:00 to 24:00   // defines the student-dormitory time range
Route-Switch(config-time-range)#exit
Route-Switch(config)#access-list 100 permit ip 172.16.10.0 0.0.0.255 any
Route-Switch(config)#access-list 100 permit ip 172.16.40.0 0.0.0.255 any
Route-Switch(config)#access-list 100 deny ip ( ) 0.0.0.255 time-range jxq
Route-Switch(config)#access-list 100 deny ip ( ) 0.0.0.255 time-range xsssq
Route-Switch(config)#interface ( )
Route-Switch(config-if)#ip access-group 100 out
[Question 3] (1 point per blank, 3 points total)
During operation it was found that the staff residential network is frequently hit by DDoS attacks from the student dormitory network. Traffic between the two networks is now to be filtered so that the staff residential network can access the student dormitory network, but the student dormitory network is barred from accessing the staff residential network.
A reflexive access list is used to implement this control; explain the configuration.
Route-Switch(config)#ip access-list extended infilter
Route-Switch(config-ext-nacl)#permit ip any 172.16.20.0 0.0.0.255 reflect jsq    // ( )
Route-Switch(config-ext-nacl)#exit
Route-Switch(config)#ip access-list extended outfilter
Route-Switch(config-ext-nacl)#evaluate jsq    // ( )
Route-Switch(config-ext-nacl)#exit
Route-Switch(config)#interface fastethernet 0/1
Route-Switch(config-if)#ip access-group infilter in
Route-Switch(config-if)#ip access-group outfilter out    // ( )
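Questions 1 to 3 of this part all turn on the same evaluation rules: a standard ACL matches on source only, an extended ACL on source, destination and protocol; entries are tried in order and an unmatched packet hits the implicit deny; an entry whose time-range is inactive is skipped as if it were not there; and a reflexive ACL's evaluate entry admits only the mirror image of flows that a permit ... reflect entry has already seen. The Python model below is an added example written for this page to make those rules concrete. It is neither IOS code nor the exam's answer key: the area-to-subnet mapping (172.16.10.0 staff residential, 172.16.20.0 dormitory, 172.16.30.0 teaching, 172.16.40.0 office), the finance-server address, the timestamps and the sample packets are assumptions, and the Internet policy is written in my own order with an explicit trailing permit.

```python
from datetime import datetime
import ipaddress


def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def wildcard_match(ip: str, net: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care'."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(ip) & care) == (_ip(net) & care)


# Assumed area-to-subnet mapping (consistent with the fragments above, not the answer key).
FAMILY, DORM, TEACHING, OFFICE = "172.16.10.0", "172.16.20.0", "172.16.30.0", "172.16.40.0"
FINANCE = "172.16.50.10"                       # constructed finance-server address
ANY = ("0.0.0.0", "255.255.255.255")


def net24(n):
    return (n, "0.0.0.255")                    # a /24 written as network + wildcard


# time-range <name> / periodic <days> <start> to <end>
DAYS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}
TIME_RANGES = {"jxq": ("daily", "8:00", "18:00"),     # teaching area: no Internet in class hours
               "xsssq": ("daily", "18:00", "24:00")}  # dormitory: no Internet in the evening


def time_range_active(tr, now: datetime) -> bool:
    days, start, end = tr
    h1, m1 = map(int, start.split(":"))
    h2, m2 = map(int, end.split(":"))
    minute = now.hour * 60 + now.minute
    return now.weekday() in DAYS[days] and h1 * 60 + m1 <= minute < h2 * 60 + m2


def ace(action, src, dst=ANY, proto="ip", **opt):
    """One access-list entry; src/dst are (network, wildcard) pairs."""
    return dict(action=action, src=src, dst=dst, proto=proto, **opt)


def evaluate(acl, pkt, now, reflex):
    """IOS semantics: first match wins; implicit deny at the end; an entry whose
    time-range is inactive is skipped; 'evaluate' admits only the mirror image
    of flows that a 'permit ... reflect' entry has already seen."""
    src, dst, proto, sport, dport = pkt
    for e in acl:
        if "evaluate" in e:
            if (proto, src, sport, dst, dport) in reflex.get(e["evaluate"], set()):
                return "permit"
            continue
        if "time_range" in e and not time_range_active(TIME_RANGES[e["time_range"]], now):
            continue
        if e["proto"] not in ("ip", proto):
            continue
        if wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"]):
            if e["action"] == "permit" and "reflect" in e:
                # record the return flow (dst -> src) so the outbound filter can admit it
                reflex.setdefault(e["reflect"], set()).add((proto, dst, dport, src, sport))
            return e["action"]
    return "deny"


# Standard ACL (source only), applied outbound on the finance-server interface.
ACL_1 = [ace("permit", net24(OFFICE)), ace("deny", net24(FAMILY)),
         ace("deny", net24(DORM)), ace("deny", net24(TEACHING))]

# Extended ACL on the Internet-facing interface: time-conditioned denies first, then an
# explicit permit. Without it, a skipped (inactive) deny would leave the dormitory and
# teaching areas falling through to the implicit deny outside their windows as well.
ACL_100 = [ace("deny", net24(TEACHING), time_range="jxq"),
           ace("deny", net24(DORM), time_range="xsssq"),
           ace("permit", ANY)]

# Reflexive ACL pair: family -> dorm sessions entering the interface are reflected,
# and only their replies may leave it towards the family network.
INFILTER = [ace("permit", ANY, net24(DORM), reflect="jsq")]
OUTFILTER = [{"evaluate": "jsq"}]


def check(acl, pkt, now, reflex=None):
    """pkt = (src, dst, proto, sport, dport); returns 'permit' or 'deny'."""
    return evaluate(acl, pkt, now, {} if reflex is None else reflex)


if __name__ == "__main__":
    evening = datetime(2016, 5, 21, 20, 0)                  # constructed timestamp
    state = {}
    print(check(ACL_100, ("172.16.20.9", "8.8.8.8", "tcp", 40000, 80), evening))        # deny
    print(check(INFILTER, ("172.16.10.5", "172.16.20.9", "tcp", 5000, 22), evening, state))
    print(check(OUTFILTER, ("172.16.20.9", "172.16.10.5", "tcp", 22, 5000), evening, state))
```

Two behaviours are worth running for yourself: a dormitory packet at 20:00 is denied by the xsssq entry, while the same packet at 10:00 passes because that entry is skipped and the trailing permit catches it; and a dormitory host that opens a fresh connection towards the staff residential network is denied by outfilter because no reflected entry exists for it, whereas the reply to a session the residential side opened is admitted.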