Example for Configuring an Advanced ACL to Defend Against Attacks
This example describes how to configure an advanced ACL to control access to the device.
Configuration Roadmap
The security policy of the access router is configured as follows:
Set the passwords used for NMS and CLI logins to the device, to improve the security of user logins.
Record all failed login attempts to the log file and output them to the console, so that the network administrator can review login activity on the device.
Configure an advanced ACL on DeviceA and have the QoS service reference it, to protect the device against ICMP packet attacks.
Procedure
- Configure an IP address for each interface (details omitted; see the configuration file).
- Set the passwords used for NMS and CLI logins.
<HUAWEI> system-view
[~HUAWEI] sysname DeviceA
[*HUAWEI] commit
[~DeviceA] user-interface console 0
[*DeviceA-ui-con0] shell
[*DeviceA-ui-con0] authentication-mode password
[*DeviceA-ui-con0] set authentication password cipher Huawei-123
[*DeviceA-ui-con0] idle-timeout 30 0
[*DeviceA-ui-con0] commit
[~DeviceA-ui-con0] quit
[~DeviceA] user-interface maximum-vty 15
[*DeviceA] user-interface vty 5 14
[*DeviceA-ui-vty5-14] shell
[*DeviceA-ui-vty5-14] authentication-mode password
[*DeviceA-ui-vty5-14] set authentication password cipher Huawei-123
[*DeviceA-ui-vty5-14] idle-timeout 30 0
[*DeviceA-ui-vty5-14] commit
[~DeviceA-ui-vty5-14] quit
The configuration of the other access routers is similar; DeviceA is used as an example here.
- Record all failed login attempts to the log file and output them to the console.
[~DeviceA] info-center enable
[*DeviceA] info-center source default channel 9 log level warnings
[*DeviceA] info-center logfile channel channel9
[*DeviceA] commit
[~DeviceA] quit
<DeviceA> terminal logging
- Configure an advanced ACL on DeviceA and have the QoS service reference it, to protect the device against ICMP packet attacks.
<DeviceA> system-view
[~DeviceA] acl number 3001
[*DeviceA-acl4-advance-3001] description anti-virus
[*DeviceA-acl4-advance-3001] rule 5 deny icmp
[*DeviceA-acl4-advance-3001] commit
[~DeviceA-acl4-advance-3001] quit
[~DeviceA] traffic classifier anti-virus
[*DeviceA-classifier-anti-virus] if-match acl 3001
[*DeviceA-classifier-anti-virus] commit
[~DeviceA-classifier-anti-virus] quit
[~DeviceA] traffic behavior anti-virus
[*DeviceA-behavior-anti-virus] commit
[~DeviceA-behavior-anti-virus] quit
[~DeviceA] traffic policy anti-virus
[*DeviceA-trafficpolicy-anti-virus] classifier anti-virus behavior anti-virus
[*DeviceA-trafficpolicy-anti-virus] commit
[~DeviceA-trafficpolicy-anti-virus] quit
[~DeviceA] interface gigabitethernet 0/2/0
[*DeviceA-GigabitEthernet0/2/0] traffic-policy anti-virus inbound
[*DeviceA-GigabitEthernet0/2/0] commit
[~DeviceA-GigabitEthernet0/2/0] traffic-policy anti-virus outbound
[*DeviceA-GigabitEthernet0/2/0] commit
- Verify the configuration.
# Ping the IP address of DeviceA from the PC. The ping fails.
c:\>ping 172.16.1.1

Pinging 172.16.1.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.1.1:
    Pacets: Sent = 4, Received = 0, Lost = 4 <100% loss>,
# After the ACL is deleted on DeviceA, the ping succeeds.
c:\>ping 172.16.1.1

Pinging 172.16.1.1 with 32 bytes of data:
Reply from 172.16.1.1: bytes=32 time<1ms TTL=128
Reply from 172.16.1.1: bytes=32 time<1ms TTL=128
Reply from 172.16.1.1: bytes=32 time<1ms TTL=128
Reply from 172.16.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.1.1:
    Pacets: Sent = 4, Received = 4, Lost = 0 <0% loss>,
Approximate round trip times in mill-seconds:
    Minimum = 0ms, Maximum = 0 ms, Average = 0ms
Configuration Files
Only the configuration file of DeviceA is provided here.
Configuration file of DeviceA
#
 sysname DeviceA
#
info-center source default channel 9 log level warning
#
acl number 3001
 description anti-virus
 rule 5 deny icmp
#
traffic classifier anti-virus
 if-match acl 3001
#
traffic behavior anti-virus
#
traffic policy anti-virus
 classifier anti-virus behavior anti-virus
#
interface GigabitEthernet0/2/0
 undo shutdown
 traffic-policy anti-virus inbound
 traffic-policy anti-virus outbound
#
user-interface maximum-vty 15
user-interface con 0
 authentication-mode password
 set authentication password cipher $1c$+ml_E.a0;2${3#YMMJkS;|55pT,![V6_S;%Ch53r1+)m;UL('kC$
 idle-timeout 30 0
user-interface vty 0 4
user-interface vty 5 14
 set authentication password cipher $1c$]%!4MA^MCZ$#Mh<#-{x^)j)~&Mu-fK*)<+7,pC2|,F.b80W`V`H$
 idle-timeout 30 0
user-interface vty 16 20
#
return
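As an added example (not part of this Huawei documentation), the following Python script reads a configuration file in the layout shown above and checks the two controls this example configures: that every console/VTY user interface has a password and an idle-timeout, and that an ACL containing a `deny icmp` rule reaches each interface in both directions through a traffic classifier and traffic policy. The embedded sample configuration is constructed and abridged from the file above, with the password ciphertext replaced by a placeholder.

```python
# Constructed, abridged sample in the layout of the DeviceA configuration file (password placeholder).
SAMPLE = """\
acl number 3001
 rule 5 deny icmp
traffic classifier anti-virus
 if-match acl 3001
traffic policy anti-virus
 classifier anti-virus behavior anti-virus
interface GigabitEthernet0/2/0
 traffic-policy anti-virus inbound
 traffic-policy anti-virus outbound
#
user-interface con 0
 set authentication password cipher $PLACEHOLDER$
 idle-timeout 30 0
user-interface vty 0 4
"""

def stanzas(text):
    # A non-indented line opens a stanza; the space-indented lines under it form its body.
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line and line != "#":
            out.append((line.strip(), []))
    return out

def audit(text):
    # Findings for this example's two controls: login protection per console/VTY line, ICMP filtering per interface.
    findings, icmp_acls, cls, pol, ifaces = [], set(), {}, {}, {}
    for head, body in stanzas(text):
        w, has = head.split(), lambda p: any(b.startswith(p) for b in body)
        if w[0] == "user-interface" and w[1] in ("con", "vty"):
            for p in ("set authentication password", "idle-timeout"):
                if not has(p):
                    findings.append(f"{head}: missing '{p}'")
        elif w[0] == "acl" and any(b.startswith("rule ") and b.endswith(" deny icmp") for b in body):
            icmp_acls.add(w[-1])
        elif w[:2] == ["traffic", "classifier"]:
            cls[w[2]] = {b.split()[-1] for b in body if b.startswith("if-match acl")}
        elif w[:2] == ["traffic", "policy"]:
            pol[w[2]] = {b.split()[1] for b in body if b.startswith("classifier")}
        elif w[0] == "interface":
            ifaces[w[1]] = {tuple(b.split()[1:3]) for b in body if b.startswith("traffic-policy")}
    for name, bound in ifaces.items():
        covered = {d for p, d in bound for c in pol.get(p, ()) if icmp_acls & cls.get(c, set())}
        for direction in sorted({"inbound", "outbound"} - covered):
            findings.append(f"interface {name}: no ICMP-deny policy {direction}")
    return findings
```

Run against the full DeviceA configuration file above, it flags only `user-interface vty 0 4` and `user-interface vty 16 20`, the VTY ranges the file leaves without a password or idle-timeout.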