H3C switch daily security configuration

1. Local MAC address authentication configuration
local-user 54-ee-75-45-2c-75
 password simple 54-ee-75-45-2c-75
 service-type lan-access
#
 mac-authentication
 mac-authentication domain mac-auth
 mac-authentication user-name-format mac-address with-hyphen
 mac-authentication interface e1/0/1 to e1/0/24
#
domain mac-auth
 authentication lan-access local

2. View the MAC address authentication results
dis mac-authentication

3. Configure a RADIUS scheme
radius scheme 2000
 primary authentication 10.1.1.1 1812
 primary accounting 10.1.1.2 1813
 key authentication abc
 key accounting abc
 user-name-format without-domain
 quit
# Configure the AAA methods for the ISP domain.
domain 2000
 authentication default radius-scheme 2000
 authorization default radius-scheme 2000
 accounting default radius-scheme 2000
 quit
# Enable MAC authentication globally.
mac-authentication
# Enable MAC authentication on port GigabitEthernet1/1.
mac-authentication interface gigabitethernet 1/1
# Specify the ISP domain used by MAC authentication users.
mac-authentication domain 2000
# Configure the MAC authentication timers.
mac-authentication timer offline-detect 180
mac-authentication timer quiet 180
# Configure MAC authentication to use a fixed username format.
mac-authentication user-name-format fixed account aaa password simple 123456

4. Configure the PPPoE dial-up connection
#
interface Dialer1
 nat outbound
 nat outbound 2000 port-preserved
 link-protocol ppp
 ppp chap user [email protected]
 ppp chap password cipher $c$3$eosexm0TFqWeanw1HfXUH2VU3OTzspcAAu0o
 ppp pap local-user [email protected] password cipher $c$3$8pX3TjqxE3spDotqd1G/WxK6FpOHrpjlGPnI
 ppp ipcp dns request
 ip address ppp-negotiate
 dialer user [email protected]
 dialer-group 1
 dialer bundle 1
#
interface GigabitEthernet0/1
 port link-mode route
 description ADSL
 pppoe-client dial-bundle-number 1

5. DHCP pool configuration and IP binding
#
dhcp server ip-pool vlan2
 network 10.86.57.0 mask 255.255.255.0
 network ip range 10.86.57.20 10.86.57.199   // alternative syntax: address range 2.2.2.10 2.2.2.250
 gateway-list 10.86.57.253
 expired day 0 hour 2   // set the lease duration
 dns-list 10.111.113.9
 static-bind ip-address 2.2.2.100 mask 255.255.255.0 hardware-address sdsd-sd23-sdsa   // bind a fixed IP to a MAC (the MAC here is a placeholder)
#
dhcp server ip-pool wuhongming
 static-bind ip-address 10.86.56.156 mask 255.255.255.0
 static-bind mac-address c89c-dc53-4cd7
#
dhcp server ip-pool xingzhengzhuren
 static-bind ip-address 10.86.56.113 mask 255.255.255.0
 static-bind mac-address 3c97-0ea9-3c42

interface Vlan-interface5
 ip address 2.2.2.1 255.255.255.0
 ip address 3.3.3.1 255.255.255.0 sub
 dhcp server apply ip-pool vlan3

6. IRF stacking (member renumbering)
 irf member 2 renumber 1

7. Bring up a subinterface
interface GigabitEthernet0/0.105
 description TO-PBC
 ip address 9.75.210.105 255.255.255.252
 vlan-type dot1q vid 105

8. Route redistribution
ospf 1
 import-route direct cost 20 route-policy direct_ospf
 import-route static cost 20 route-policy static_ospf
#
route-policy direct_ospf permit node 10
 if-match acl 3003
route-policy static_ospf permit node 10
 if-match acl 3002

9. Configure the time zone
clock timezone Beijing add 08:00:00

10. Enable ICMP TTL-expired and unreachable replies (needed for traceroute through the device)
ip ttl-expires enable
ip unreachables enable

11. Loop detection
loopback-detection   // the loopback-detection commands are used to check whether loop detection is enabled

When DHCP snooping is enabled on a switch, the switch listens to DHCP packets and can extract and record the IP address and MAC address information from the DHCP Request or DHCP ACK packets it receives. In addition, DHCP snooping allows a physical port to be set as a trusted or an untrusted port. A trusted port receives and forwards DHCP Offer packets normally, while an untrusted port discards any DHCP Offer packets it receives. In this way, the switch blocks rogue DHCP servers and ensures that clients obtain IP addresses only from the legitimate DHCP server.
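A DHCP snooping configuration matching the description above, added here as an example rather than taken from the original post. It assumes Comware V7 syntax, access VLAN 2, client port GigabitEthernet1/0/1 and uplink GigabitEthernet1/0/48 toward the legitimate DHCP server (all placeholder names).

```text
# Added example, not from the original post. Comware V7 syntax assumed;
# VLAN 2 and the interface names are placeholders.
#
# Enable DHCP snooping globally: the switch now inspects DHCP packets and
# drops OFFER/ACK packets that arrive on untrusted ports.
dhcp snooping enable
#
# Only the uplink toward the legitimate DHCP server is trusted, so OFFER/ACK
# from that server are forwarded to clients.
interface GigabitEthernet1/0/48
 description UPLINK-TO-DHCP-SERVER
 port link-type trunk
 port trunk permit vlan 2
 dhcp snooping trust
#
# Client ports stay untrusted (the default). A rogue server plugged in here
# has its OFFER/ACK dropped. Record the IP/MAC bindings learned from ACKs
# so they are available for later checks.
interface GigabitEthernet1/0/1
 port access vlan 2
 dhcp snooping binding record
#
# Verify: which ports are trusted, and the client bindings learned so far.
display dhcp snooping trust
display dhcp snooping binding
#
# Comware V5 equivalents: dhcp-snooping (system view) and
# dhcp-snooping trust (interface view).
```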

 STP protection
 stp bpdu-protection
 stp enable

 Clear interface packet counters
 reset counters interface g2/0/5

 View transceiver TX/RX optical power on a port
 display transceiver diagnosis interface GigabitEthernet 0/0/3

 display session table source-ip 10.118.187.16 count

Static route redistribution
route-policy import-rt permit node 1
 if-match tag 100

ospf 100
 import-route static cost 20 route-policy import-rt type 2
 area 0.0.0.0
  network 10.111.126.152 0.0.0.3
  network 10.111.126.164 0.0.0.3

NAT
interface GigabitEthernet0/2
 port link-mode route
 description IPsec_-uc
 nat outbound 3021 address-group 5
 nat outbound 3006 address-group 2
 nat outbound 3004 address-group 1
 nat server protocol any global 172.16.100.3 inside 10.111.168.33
 nat server protocol any global 172.16.100.4 inside 10.111.168.34
 nat server protocol any global 172.16.100.5 inside 10.111.168.35
 nat server protocol any global 172.16.100.6 inside 10.111.168.36
 nat server protocol any global 84.238.4.109 inside 172.16.40.253


nat address-group 1
 address 3.3.3.3 3.3.3.3
acl basic 2000
 rule 0 permit source 1.1.1.1 0

interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 2.2.2.254 255.255.255.0
 nat outbound 2000 address-group 1
#
interface GigabitEthernet0/1
 port link-mode route
 combo enable copper
 ip address 1.1.1.254 255.255.255.0
 nat server protocol icmp global 4.4.4.4 inside 2.2.2.2




Configure GRE VPN
interface Tunnel1 mode gre
 ip address 192.168.1.1 255.255.255.0
 source 30.30.30.2
 destination 10.1.1.1

Configure NQA + Track
nqa entry admin test
 type icmp-echo
  destination ip 218.17.224.7   // the firewall's public-side gateway
  frequency 100
  next-hop 10.52.195.251
  reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
nqa schedule admin test start-time now lifetime forever
track 1 nqa entry admin test reaction 1

 ip route-static 0.0.0.0 0.0.0.0 10.55.216.251 track 1
 ip route-static 0.0.0.0 0.0.0.0 10.55.216.254 preference 80


BFD echo+TRACK
 bfd echo-source-ip 1.1.1.2
 bfd multi-hop authentication-mode md5 1 cipher $c$3$t/NeEDbhbYOYLxn4sxRG2hEMfI1YDp/xVXsykw==
 track 1 bfd echo interface GigabitEthernet0/0 remote ip 1.1.1.1 local ip 1.1.1.2

BFD control-packet
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
 ip address 8.8.8.2 255.255.255.0
 bfd min-transmit-interval 450
 bfd min-receive-interval 450
 bfd detect-multiplier 3
 bfd authentication-mode md5 1 cipher $c$3$y2iImYFlcS39hiH0KP2DP44uLTe3/0rHWn8=
 bfd detect-interface source-ip 5.5.5.2
ip route-static 200.2.2.0 24 8.8.8.1


Configure policy-based routing
acl number 3009 name proute   // traffic matching 3009 is forwarded by the routing table
 rule 2 permit ip destination 10.0.0.0 0.255.255.255
acl number 3010 name wanproute   // everything else is policy-routed
 rule 5 permit ip source 10.97.2.188 0
 rule 6 permit ip source 10.97.2.185 0
 rule 7 permit ip source 10.97.2.186 0
 rule 8 permit ip source 10.97.2.187 0
 rule 9 permit ip source 10.97.2.100 0
policy-based-route liansoft permit node 5
 if-match acl 3009
policy-based-route liansoft permit node 10
 if-match acl 3010
 apply ip-address next-hop 10.97.0.251

Apply on the interface
interface Vlan-interface2
 description "IT"
 ip address 10.97.2.253 255.255.255.0
 dhcp select relay
 dhcp relay server-select 3
 ip policy-based-route liansoft

acl number 3009 name proute   // traffic matching 3009 is forwarded by the routing table
 rule 2 permit ip destination 10.0.0.0 0.255.255.255
acl number 3010 name wanproute   // everything else is policy-routed
 rule 5 permit ip source 10.43.10.178 0
policy-based-route liansoft permit node 5
 if-match acl 3009
policy-based-route liansoft permit node 10
 if-match acl 3010
 apply ip-address next-hop 10.43.20.251
Apply on the interface:
interface Vlan-interface 10
 ip policy-based-route liansoft


acl number 3009 name internal
 rule 2 permit ip source 10.0.123.0 0.0.0.255 destination 10.0.0.0 0.255.255.255
acl number 3010 name internet
 rule 5 permit ip source 10.0.123.0 0.0.0.255
policy-based-route wangkang permit node 1
   if-match acl 3009
policy-based-route wangkang permit node 2
   if-match acl 3010
   apply ip-address next-hop 10.0.7.200
interface Vlan-interface123
 ip address 10.0.123.1 255.255.255.0
 dhcp select relay
 dhcp relay server-select 3
 ip policy-based-route wangkang


ACL packet filtering
acl number 3100 name AP-ACL
 rule 1 deny ip source 10.118.120.189 0 destination 10.0.217.251 0

interface Vlan-interface120
 description ARUBA-AP-MGT
 ip address 10.118.120.1 255.255.255.0
 dhcp select relay
 dhcp relay server-select 1
 packet-filter 3100 inbound


Enable the TFTP ALG (application-layer gateway)
alg tftp

Mapping between link speed and port path cost
Link speed   Port type                               Port path cost
                                                     802.1D-1998   802.1t        Private (legacy)
0            -                                       65535         200,000,000   200,000
10Mbps       Single port                             100           2,000,000     2,000
             Aggregate interface (2 selected ports)                1,000,000     1,800
             Aggregate interface (3 selected ports)                666,666       1,600
             Aggregate interface (4 selected ports)                500,000       1,400
100Mbps      Single port                             19            200,000       200
             Aggregate interface (2 selected ports)                100,000       180
             Aggregate interface (3 selected ports)                66,666        160
             Aggregate interface (4 selected ports)                50,000        140
1000Mbps     Single port                             4             20,000        20
             Aggregate interface (2 selected ports)                10,000        18
             Aggregate interface (3 selected ports)                6,666         16
             Aggregate interface (4 selected ports)                5,000         14
10Gbps       Single port                             2             2,000         2
             Aggregate interface (2 selected ports)                1,000         1
             Aggregate interface (3 selected ports)                666           1
             Aggregate interface (4 selected ports)                500           1


Change fan airflow direction
fan prefer-direction slot 1 port-to-power

version 5
 
V5 NPS
Push to all aggregation and access switches (except the two core switches)
Radius
radius scheme cams
 primary authentication 10.116.219.43
 key authentication simple 123456
 nas-ip 10.118.0.158
 server-type extended
 user-name-format without-domain
 quit
domain sf
 authentication default radius-scheme cams local
 authorization default radius-scheme cams local
 accounting default none
 quit
domain default enable sf
NPS domain
radius scheme nps
 server-type extended
 primary authentication 10.118.88.32 key 123456
 primary accounting 10.118.88.32 key 123456
 user-name-format without-domain
 nas-ip 10.118.0.13
domain nps
 authentication default radius-scheme nps local
 authorization default radius-scheme nps local
 accounting default none
 authentication lan-access radius-scheme nps local
 authorization lan-access radius-scheme nps local
 accounting lan-access radius-scheme nps local
SSH remote access
public-key local create rsa
Enter 1024 at the key-length prompt (2048 is preferable where the platform supports it)
ssh server enable
MAC authentication
mac-authentication
mac-authentication domain nps
NTP
 ntp-service unicast-server 10.116.48.104
Port configuration
interface GigabitEthernet1/0/16
 mac-authentication
Console
user-interface aux 0
 authentication-mode password
 set authentication password cipher OAadmin@147
 idle-timeout 5 0
 quit


Access layer idle timeout
The timeout is 60 minutes and applies to access switches only
user-interface vty 0 4
  authentication-mode scheme
  protocol inbound all
  idle-timeout 60 0


Aggregation layer idle timeout

user-interface vty 0 4
  authentication-mode scheme
  idle-timeout 15 0

version 3
 
V3 NPS
Push to all aggregation and access switches (except the two core switches)
Radius
radius scheme cams
 primary authentication 10.116.219.43
 key authentication simple 123456
 nas-ip 10.118.0.158
 server-type extended
 user-name-format without-domain
 quit
domain sf
 authentication default radius-scheme cams local
 accounting none
 quit
domain default enable sf
NPS domain
radius scheme nps
 server-type extended
 primary authentication 10.118.88.32
 primary accounting 10.118.88.32
 key authentication 123456
 key accounting 123456
 user-name-format without-domain
 nas-ip 10.118.0.130
domain nps
 scheme radius-scheme nps local
 quit
SSH remote access
public-key local create rsa
Enter 1024 at the key-length prompt (2048 is preferable where the platform supports it)
ssh authentication-type default all
MAC authentication
mac-authentication
mac-authentication domain nps
mac-authentication user-name-format mac-address without-hyphen lowercase
NTP
 ntp-service unicast-server 10.116.48.104
Port configuration
int e1/0/*
mac-authentication interface Ethernet 1/0/31
Console
user-interface aux 0
 authentication-mode password
 set authentication password cipher OAadmin@147
 idle-timeout 5 0
 quit


Access layer idle timeout
The timeout is 60 minutes and applies to access switches only
user-interface vty 0 4
  authentication-mode scheme
  protocol inbound all
  idle-timeout 60 0


Aggregation layer idle timeout

user-interface vty 0 4
  authentication-mode scheme
  idle-timeout 15 0

