ISCOM Series Switch Concise Configuration Manual (v1.0)

Published: Wednesday

ip-access-list 11 deny tcp any 6129 any
ip-access-list 12 deny tcp any any 1801
ip-access-list 13 deny udp any any 1801
ip-access-list 14 deny udp any any 3527
ip-access-list 15 deny 53 any any
ip-access-list 16 deny 55 any any
ip-access-list 17 deny 77 any any
ip-access-list 18 deny 135 any any
ip-access-list 19 deny tcp any any 445
ip-access-list 20 deny udp any any 445
ip-access-list 21 deny tcp any 445 any
ip-access-list 22 deny udp any 445 any
ip-access-list 23 deny tcp any any 137
ip-access-list 24 deny tcp any any 138
ip-access-list 25 deny tcp any any 139
ip-access-list 26 deny udp any any 1434
ip-access-list 27 deny udp any 1434 any
ip-access-list 28 deny tcp any any 1434
ip-access-list 29 deny tcp any 1434 any
ip-access-list 30 deny tcp any any 5554
ip-access-list 31 deny tcp any any 5900
ip-access-list 32 deny tcp any any 6667
ip-access-list 33 deny tcp any 5900 any
ip-access-list 34 deny tcp any 6667 any
ip-access-list 35 deny 255 any any
ip-access-list 36 deny udp any any 22321
ip-access-list 37 deny udp any any 1900
ip-access-list 38 deny tcp any any 4444
ip-access-list 39 deny udp any any 34944
ip-access-list 40 deny udp any any 2191

14. Configuring ARP attack prevention

Raisecom(config)# access-list-map 0 deny (configure access list 0 as a deny list)

Raisecom(config-cmap)# match arp Opcode reply (match ARP packets whose Opcode is reply)

Raisecom(config-cmap)#exit

Raisecom(config)# access-list-map 1 deny (configure access list 1 as a deny list)

Raisecom(config-cmap)# match arp Opcode request (match ARP packets whose Opcode is request)

Raisecom(config-cmap)#exit

Raisecom(config)#filter access-list-map 0 ingress port-list 1-23 (apply the list matching ARP reply packets to the ingress direction of all user ports)

Raisecom(config)#filter access-list-map 1 egress port-list 24 (apply the list matching ARP request packets to the uplink port; the original comment says ingress direction, while the command itself specifies egress)

Raisecom(config)#filter enable (enable the filtering function)

15. Preventing users from attaching unauthorized DHCP servers:

Raisecom(config)#ip-access-list 0 deny udp any any 67 (deny UDP to destination port 67, i.e. DHCP request packets)

Raisecom(config)#ip-access-list 1 deny udp any any 68 (deny UDP to destination port 68, i.e. DHCP reply packets)

Raisecom(config)#filter ip-access-list 0 egress port-list 1-23 (apply IP filter list 0 to the egress direction of all user ports)

Raisecom(config)#filter ip-access-list 1 ingress port-list 1-23 (apply IP filter list 1 to the ingress direction of all user ports)

Raisecom(config)#filter enable (enable the filtering function)

16. Configuring traps (used to report alarm information):

Raisecom(config)#snmp-server host 100.0.0.250 version 2c raisecom udpport 162

Raisecom(config)#snmp-server enable traps

17. Remote access control

PC-1's IP address is 192.168.1.3 and PC-2's IP address is 192.168.1.4. By configuring an access control list, only PC-2 is allowed to access PC-1 via telnet (the telnet port is 23); other hosts (such as PC-3) cannot access PC-1 via telnet. The configuration is as follows:

Raisecom # config

Raisecom (config)# ip-access-list 4 deny TCP any 192.168.1.3 255.255.255.255 23

Raisecom (config)# ip-access-list 5 permit TCP 192.168.1.4 255.255.255.255 23 192.168.1.3 255.255.255.255 23

Raisecom (config)# filter ip-access-list 4,5

Raisecom (config)# filter enable

Raisecom (config)# exit
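The virus-filtering list, the DHCP rules in section 15 and the telnet rules in section 17 all use the same `ip-access-list` syntax. The following Python checker is an added example, not part of this manual or of Raisecom's software: it parses rules in that syntax and reports which rule a given packet would hit, which is a quick way to audit a long list before applying it. It assumes the syntax `ip-access-list N <deny|permit> <tcp|udp|protocol-number> SRC [MASK] [SPORT] DST [MASK] [DPORT]`, that MASK is a subnet mask, that rules are checked in the order given with the first match winning, and that unmatched traffic is permitted; the last two are assumptions to verify against the switch's own documentation.

```python
import ipaddress

# Syntax assumed from this manual's examples (an assumption, not vendor documentation):
#   ip-access-list N <deny|permit> <tcp|udp|PROTO-NUMBER> SRC [MASK] [SPORT] DST [MASK] [DPORT]
# "any" takes no mask; MASK is a subnet mask (255.255.255.255 = one host); a bare integer
# after an endpoint is a port; a numeric protocol (53, 135, 255) is an IP protocol number.

def _take_endpoint(tokens, i):
    """Parse 'any' or 'ADDR MASK' at tokens[i]; return (network or None, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def _take_port(tokens, i):
    """A bare integer token is a port; dotted tokens are addresses, 'any' is an endpoint."""
    if i < len(tokens) and tokens[i].isdigit():
        return int(tokens[i]), i + 1
    return None, i

def parse_rule(line):
    t = line.split()
    if len(t) < 6 or t[0] != "ip-access-list":
        raise ValueError(f"not an ip-access-list rule: {line!r}")
    proto = t[3].lower()
    proto = int(proto) if proto.isdigit() else {"tcp": 6, "udp": 17}[proto]
    src, i = _take_endpoint(t, 4)
    sport, i = _take_port(t, i)
    dst, i = _take_endpoint(t, i)
    dport, i = _take_port(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in rule: {line!r}")
    return {"id": int(t[1]), "action": t[2].lower(), "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def rule_matches(rule, proto, src, sport, dst, dport):
    """True when every field the rule constrains equals the packet's field."""
    if rule["proto"] != proto:
        return False
    for key, val in (("src", src), ("dst", dst)):
        if rule[key] is not None and ipaddress.ip_address(val) not in rule[key]:
            return False
    for key, val in (("sport", sport), ("dport", dport)):
        if rule[key] is not None and rule[key] != val:
            return False
    return True

def evaluate(rules, proto, src, sport, dst, dport):
    """Assumed semantics: first matching rule wins; no match means permit."""
    for r in rules:
        if rule_matches(r, proto, src, sport, dst, dport):
            return r["action"], r["id"]
    return "permit", None
```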

18. Q-in-Q configuration (network topology as shown in the figure)

[Topology figure: switchA and switchB are the user switches (port 1 uplink, ports 2 and 3 user ports); switchA port 1 connects to ISP1 port 27, ISP1 port 28 connects to ISP2 port 28, and ISP2 port 27 connects to switchB port 1; P-VLAN tag 100, C-VLAN tags 10 and 20]

SwitchA(config)#create vlan 10,20 active
SwitchA(config)# interface port 1
SwitchA(config-port)#switchport mode trunk
SwitchA(config-port)#switchport trunk allowed vlan all
SwitchA(config)# interface port 2
SwitchA(config-port)# switchport access vlan 10
SwitchA(config)# interface port 3
SwitchA(config-port)# switchport access vlan 20

The configuration of switchB is analogous to that of switchA.

ISP1(config)# create vlan 100 active

ISP1(config)# interface port 27

ISP1(config-port)# switchport mode dot1q-tunnel
ISP1(config-port)# switchport access vlan 100
ISP1(config)# interface port 28
ISP1(config-port)# switchport mode trunk double-tagging
ISP1(config-port)# switchport trunk allowed vlan all

The configuration of ISP2 is analogous to that of ISP1.
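What the dot1q-tunnel port and the double-tagging trunk above do to a frame on the wire, as an added example that is not part of this manual: a customer frame carrying C-VLAN tag 10 gets the provider tag P-VLAN 100 pushed at ISP1 port 27 and popped again at the far tunnel port, so the customer tags survive the provider network untouched. Assumed: both tags use TPID 0x8100, as older Q-in-Q implementations commonly did; 802.1ad assigns 0x88A8 to the outer tag, and the parser accepts either.

```python
import struct

# Added example, not vendor code.  Assumed: both the P-VLAN and C-VLAN tags use
# TPID 0x8100 (common on older Q-in-Q gear); 802.1ad uses 0x88A8 for the outer tag.
TPIDS = {0x8100, 0x88A8}

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def build_frame(dst_mac, src_mac, vids, ethertype, payload, tpid=0x8100):
    """Build an Ethernet frame; vids are outermost first ([100, 10] = P-VLAN 100 around C-VLAN 10)."""
    frame = _mac(dst_mac) + _mac(src_mac)
    for vid in vids:
        if not 0 <= vid <= 4095:
            raise ValueError("VID out of range")
        frame += struct.pack("!HH", tpid, vid)  # PCP/DEI bits left at zero
    return frame + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Return (vids outermost first, inner ethertype, offset of the payload)."""
    vids, off = [], 12
    while True:
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in TPIDS:
            return vids, tpid, off + 2
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4

def push_tag(frame, vid, tpid=0x8100):
    """Ingress at a dot1q-tunnel port (ISP1 port 27, access vlan 100): add the P-VLAN tag."""
    return frame[:12] + struct.pack("!HH", tpid, vid) + frame[12:]

def pop_tag(frame):
    """Egress from the tunnel port toward the customer: strip the outer tag only."""
    if not parse_tags(frame)[0]:
        raise ValueError("frame is untagged")
    return frame[:12] + frame[16:]
```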

IV. Configuration examples:

1. ISCOM2826E

/* Port 24 is the uplink and is set to trunk mode; each user port is assigned to a different VLAN and rate-limited; virus filtering and ARP attack filtering are enabled. Spanning tree is disabled and loop detection is enabled on all user ports. Broadcast storm suppression is enabled, and the management IP and default gateway are configured. */

System current configuration:

!ROS Version 3.1.680.ISCOM2826E.28.20061016

!command in view_mode
!

!command in config_mode first-step

create vlan 1510-1517,1520,1522,1526-1528,1532,1538,1542,1544,1545,1549,1552,1553,2214 active

ip-access-list 1 deny tcp any any 135
ip-access-list 2 deny tcp any any 2745
ip-access-list 3 deny tcp any any 1035
ip-access-list 4 deny tcp any any 3127
ip-access-list 5 deny tcp any any 6129
ip-access-list 6 deny tcp any 135 any
ip-access-list 7 deny tcp any 2745 any
ip-access-list 8 deny tcp any 1035 any
ip-access-list 9 deny tcp any 3127 any
ip-access-list 10 deny tcp any 5554 any
ip-access-list 11 deny tcp any 6129 any
ip-access-list 12 deny tcp any any 1801
ip-access-list 13 deny udp any any 1801
ip-access-list 14 deny udp any any 3527
ip-access-list 15 deny 53 any any
ip-access-list 16 deny 55 any any
ip-access-list 17 deny 77 any any
ip-access-list 18 deny 135 any any
ip-access-list 19 deny tcp any any 445
ip-access-list 20 deny udp any any 445
ip-access-list 21 deny tcp any 445 any
ip-access-list 22 deny udp any 445 any
ip-access-list 23 deny tcp any any 137
ip-access-list 24 deny tcp any any 138
ip-access-list 25 deny tcp any any 139
ip-access-list 26 deny udp any any 1434
ip-access-list 27 deny udp any 1434 any
ip-access-list 28 deny tcp any any 1434
ip-access-list 29 deny tcp any 1434 any
ip-access-list 30 deny tcp any any 5554
ip-access-list 31 deny tcp any any 5900
ip-access-list 32 deny tcp any any 6667
ip-access-list 33 deny tcp any 5900 any
ip-access-list 34 deny tcp any 6667 any
ip-access-list 35 deny 255 any any
ip-access-list 36 deny udp any any 22321
ip-access-list 37 deny udp any any 1900
ip-access-list 38 deny tcp any any 4444
