14-H3C MER Series Routers: Internet Access Behavior Management Configuration Examples
Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.
No part of this document may be excerpted, reproduced, or transmitted in any form or by any means without the prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks, product identifiers, and trade names of other companies that appear in this document are the property of their respective owners.
The information in this document is subject to change without notice.
This document provides configuration examples for the Internet access behavior management feature on MER series routers.
Internet access behavior management controls the Internet access behavior of internal users by means of application control, URL filtering, and Web security.
This document is not strictly tied to specific software and hardware versions. If the document differs from the actual behavior of the product, the device prevails.
The configurations in this document were performed and verified in a lab environment, with all device parameters at their factory defaults. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the following examples, so that the expected results are obtained.
This document assumes that you are familiar with the Internet access behavior management feature.
Only URLs carried over HTTP can be filtered.
This example was configured and verified on Version 7.1.064, Release 0809P07.
As shown in Figure 1, internal users connect to the network through Device. The Internet access behavior of the internal users must be managed as follows:
· Block internal users from accessing WeChat, and generate log messages.
· Rate-limit internal users' access to a video website to a maximum bandwidth of 100 kbps in both the upstream and downstream directions, and generate log messages.
· Enable NAT to protect the addresses of the internal users.
(1) Configure the WAN interface
# Select “Network Settings > WAN Configuration > Scenario Definition” to enter the scenario definition page. In the single-WAN scenario, set the WAN outgoing interface to WAN0 (GE0/0) and click <Apply> to complete the scenario configuration. On the WAN configuration page, select WAN0 (GE0/0), click <Modify>, and configure the following:
- Connection mode: Static address
- IP address: 200.1.1.1
- Subnet mask: 255.255.255.0
- Enable NAT
# Click <Save Configuration> to complete the configuration.
(2) Configure the LAN interface
# Select “Network Settings > LAN Configuration”, select interface Vlan-interface1, and click <Modify> to enter the LAN configuration modification page. Configure the following:
- IP address: 192.168.200.30
- Subnet mask: 255.255.255.0
- Enable the DHCP service
- Keep the default settings for the other items
# Click <OK> to complete the LAN configuration.
(3) Configure the application control policy
# Select “Internet Access Behavior Management > Internet Access Behavior Management > Global Control” to enter the “Global Control” page, select <Enable Internet Access Behavior Management>, and click <Apply>. The feature is enabled once the “Operation succeeded” dialog box appears.
# Select “Internet Access Behavior Management > Internet Access Behavior Management > Internet Access Behavior Management Policy” to enter the policy page.
# On the policy page, click <Add> to enter the “Add Internet Access Behavior Management Policy” page and configure the following:
- Policy name: test
- In the “Application Control” area at the bottom of the page, click <Details> to the right of the application category selection to enter the application selection page.
- Click <Details> to the right of the “Instant Messaging” category, select “WeChat” in the “Instant Messaging” dialog box, and click <OK>. Set the action to “Block” and select “Log”.
- Click <Details> to the right of the “P2P” category, select “iQIYI” in the “P2P” dialog box, and click <OK>. Set the action to “Rate limit”, click <Edit> on the right, set the maximum upstream and downstream bandwidth to 100 kbps each, and select “Log”.
- Keep the default settings for the other items
# Click <OK> to complete the configuration of the new Internet access behavior management policy.
Figure 2 Select the WeChat application
Figure 3 Select the iQIYI application
Figure 4 Configure rate limiting for iQIYI
Figure 5 Add an application control policy
After the configuration is complete, the applications accessed by internal users are controlled:
(1) When a user uses WeChat, the device blocks the traffic and generates a log message.
(2) When an internal user accesses iQIYI, the upstream and downstream bandwidth of the traffic is each limited to about 100 kbps (12.718 KB/s is about 101.7 kbps), and a log message is generated. Use the display traffic-policy statistics bandwidth all command to view the rate-limiting statistics.
#
version 7.1.064, Release 0809P07
#
sysname H3C
#
clock protocol ntp
#
telnet server enable
#
security-zone intra-zone default permit
#
ip load-sharing mode per-flow src-ip global
#
dhcp enable
dhcp server always-broadcast
#
dns proxy enable
#
password-recovery enable
#
vlan 1
#
dhcp server ip-pool lan1
gateway-list 192.168.200.30
network 192.168.200.0 mask 255.255.255.0
address range 192.168.200.0 192.168.200.255
dns-list 192.168.200.30
forbidden-ip-range 192.168.200.30 192.168.200.30
#
controller Cellular0/0
#
interface NULL0
#
interface Vlan-interface1
description LAN-interface
ip address 192.168.200.30 255.255.255.0
tcp mss 1280
#
interface GigabitEthernet0/0
port link-mode route
description Single_Line1
combo enable copper
ip address 200.1.1.1 255.255.255.0
tcp mss 1280
nat outbound
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode bridge
#
interface GigabitEthernet0/3
port link-mode bridge
#
interface GigabitEthernet0/4
port link-mode bridge
#
interface GigabitEthernet0/5
port link-mode bridge
#
object-policy ip Any-Any
rule 0 drop app-group test_1 logging
rule 1 pass app-group test_13 logging
rule 2 inspect test
rule 65533 inspect 8048_url_profile_global disable
rule 65534 pass
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface1
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet0/0
#
security-zone name Management
#
zone-pair security source Any destination Any
object-policy apply ip Any-Any
#
zone-pair security source Local destination Trust
packet-filter name SWXWSGL
#
zone-pair security source Local destination Untrust
packet-filter name SWXWSGL
#
zone-pair security source Trust destination Local
packet-filter name SWXWSGL
#
zone-pair security source Untrust destination Local
packet-filter name SWXWSGL
#
scheduler logfile size 16
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode none
user-role network-admin
#
ip route-static 192.168.100.0 24 192.168.200.1
#
ntp-service enable
ntp-service unicast-server time.nist.gov
ntp-service unicast-server s2g.time.edu.cn
ntp-service unicast-server time-a.nist.gov
ntp-service unicast-server s2f.time.edu.cn
ntp-service unicast-server s1d.time.edu.cn
ntp-service unicast-server time-b.nist.gov
ntp-service unicast-server s2c.time.edu.cn
#
acl advanced name SWXWSGL
rule 1 permit ip
#
password-control enable
undo password-control aging enable
undo password-control history enable
password-control length 6
password-control login-attempt 3 exceed lock-time 10
password-control update-interval 0
password-control login idle-time 0
password-control complexity user-name check
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
service-type telnet http https
authorization-attribute user-role network-admin
#
app-group test_1
description "User-defined application group"
include application WeChat
#
app-group test_13
description "User-defined application group"
include application iQiYiPPS
#
ip http enable
ip https enable
#
url-filter policy test
default-action permit
#
url-filter category custom severity 65535
#
app-profile test
url-filter apply policy test
#
traffic-policy
rule 1 name test_13
action qos profile test_13
source-zone Trust
destination-zone Untrust
application app-group test_13
profile name test_13
bandwidth downstream maximum 100
bandwidth upstream maximum 100
#
cloud-management server domain oasis.h3c.com
#
return
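The following script is an added example, not part of the H3C document or the device software: it parses the object-policy, app-group and traffic-policy sections of the configuration file above (a constructed excerpt is embedded) and reports the effective action, logging flag and bandwidth limit per application, so that the two requirements (block and log WeChat, pass and rate-limit iQIYI at 100 kbps with logging) can be checked directly against the configuration.

```python
import re

# Constructed excerpt of the configuration file above (H3C MER, Comware 7 display layout).
CONFIG = """\
object-policy ip Any-Any
 rule 0 drop app-group test_1 logging
 rule 1 pass app-group test_13 logging
 rule 2 inspect test
 rule 65534 pass
#
app-group test_1
 include application WeChat
#
app-group test_13
 include application iQiYiPPS
#
traffic-policy
 rule 1 name test_13
  action qos profile test_13
  application app-group test_13
 profile name test_13
  bandwidth downstream maximum 100
  bandwidth upstream maximum 100
"""
RULE_RE = re.compile(r"rule (\d+) (drop|pass|inspect) app-group (\S+)( logging)?$")

def effective_app_policy(cfg):
    """Map each application to its first matching object-policy rule (lowest ID wins)
    and to the bandwidth limit of the traffic-policy rule covering its app-group."""
    groups, rules, qos, profiles, cur, pending = {}, [], {}, {}, None, None
    for raw in cfg.splitlines():
        s, w = raw.strip(), raw.split()
        if m := RULE_RE.match(s):
            rules.append((int(m[1]), m[2], m[3], bool(m[4])))
        elif s.startswith("app-group "):
            cur = w[1]; groups[cur] = []
        elif s.startswith("include application "):
            groups[cur].append(w[-1])
        elif s.startswith("action qos profile "):
            pending = w[-1]                      # QoS profile of the traffic-policy rule being read
        elif s.startswith("application app-group "):
            qos[w[-1]] = pending                 # app-group -> QoS profile
        elif s.startswith("profile name "):
            cur = w[2]; profiles[cur] = {}
        elif s.startswith("bandwidth "):
            profiles[cur][w[1]] = int(w[3])      # direction -> kbps
    result = {}
    for _, action, group, log in sorted(rules):  # rules are evaluated in ascending ID order
        for app in groups.get(group, []):
            result.setdefault(app, {"action": action, "logging": log})
    for group, prof in qos.items():
        for app in groups.get(group, []):
            result.setdefault(app, {})["bandwidth_kbps"] = dict(profiles.get(prof, {}))
    return result
```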
As shown in Figure 6, internal users access the Internet through Device. The websites accessed by the internal users must be managed as follows:
· Block internal users from accessing advertisement websites, and log the events.
· Configure the custom URL category 126*.com to block the Host user from accessing 126 Mail, and log the events. Configure a whitelist to allow access to Tencent News (www.info.3g.qq.com).
(1) Configure the WAN interface (for the detailed steps, see 5.2 (1) Configure the WAN interface)
(2) Configure the LAN interface (for the detailed steps, see 5.2 (2) Configure the LAN interface)
(3) Configure the URL filtering policy
# Select “Internet Access Behavior Management > Internet Access Behavior Management > Custom URLs” to enter the “Custom URLs” configuration page.
- On the “Set URL Keyword” page, set the URL keyword to 126*.com and click <+> on the right.
Figure 7 Configure a URL filtering policy to block access to the custom URL category
# Select “Internet Access Behavior Management > Internet Access Behavior Management > Internet Access Behavior Management Policy” to enter the policy page.
# On the policy page, click <Add> to enter the “Add Internet Access Behavior Management Policy” page and configure the following:
- Policy name: test
- In the “URL Control” area of the page, click <Details> to the right of the URL category selection to enter the “Select URL Category” page.
- On the “Select URL Category” page, select the “Custom-126*.com” and “Advertisement” categories, and click <OK>. Set the URL control action to “Block” and select “Log”.
- Keep the default settings for the other items
# Click <OK> to complete the configuration of the new Internet access behavior management policy.
Figure 8 Select the “Custom-126*.com” and “Advertisement” URL categories
Figure 9 Configure the URL filtering policy to block and log access to the “Custom-126*.com” and “Advertisement” URL categories
# Select “Internet Access Behavior Management > Internet Access Behavior Management > URL Blacklist and Whitelist” to enter the URL blacklist and whitelist configuration page.
# Click <Enable Web Whitelist>, set the “URL keyword” under the URL list to www.info.3g.qq.com, and click <+> on the right to complete the Web whitelist configuration. Click <Apply> to activate the Web whitelist.
Figure 10 Configure the whitelist
After the configuration is complete, the websites accessed by internal users are controlled:
(1) Internal users are blocked from accessing advertisement websites.
(2) Internal users are blocked from accessing 126 Mail.
(3) Internal users can access Tencent News.
version 7.1.064, Release 0809P07
#
sysname H3C
#
clock protocol ntp
#
telnet server enable
#
security-zone intra-zone default permit
#
ip load-sharing mode per-flow src-ip global
#
dhcp enable
dhcp server always-broadcast
#
dns proxy enable
#
password-recovery enable
#
vlan 1
#
dhcp server ip-pool lan1
gateway-list 192.168.200.30
network 192.168.200.0 mask 255.255.255.0
address range 192.168.200.0 192.168.200.255
dns-list 192.168.200.30
forbidden-ip-range 192.168.200.30 192.168.200.30
#
controller Cellular0/0
#
interface NULL0
#
interface Vlan-interface1
description LAN-interface
ip address 192.168.200.30 255.255.255.0
tcp mss 1280
#
interface GigabitEthernet0/0
port link-mode route
description Single_Line1
combo enable copper
ip address 200.1.1.1 255.255.255.0
tcp mss 1280
nat outbound
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode bridge
#
interface GigabitEthernet0/3
port link-mode bridge
#
interface GigabitEthernet0/4
port link-mode bridge
#
interface GigabitEthernet0/5
port link-mode bridge
#
object-policy ip Any-Any
rule 0 inspect test
rule 65533 inspect 8048_url_profile_global
rule 65534 pass
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface1
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet0/0
#
security-zone name Management
#
zone-pair security source Any destination Any
object-policy apply ip Any-Any
#
zone-pair security source Local destination Trust
packet-filter name SWXWSGL
#
zone-pair security source Local destination Untrust
packet-filter name SWXWSGL
#
zone-pair security source Trust destination Local
packet-filter name SWXWSGL
#
zone-pair security source Untrust destination Local
packet-filter name SWXWSGL
#
scheduler logfile size 16
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode none
user-role network-admin
#
ip route-static 192.168.100.0 24 192.168.200.1
#
ntp-service enable
ntp-service unicast-server time.nist.gov
ntp-service unicast-server s2g.time.edu.cn
ntp-service unicast-server time-a.nist.gov
ntp-service unicast-server s2f.time.edu.cn
ntp-service unicast-server s1d.time.edu.cn
ntp-service unicast-server time-b.nist.gov
ntp-service unicast-server s2c.time.edu.cn
#
acl advanced name SWXWSGL
rule 1 permit ip
#
password-control enable
undo password-control aging enable
undo password-control history enable
password-control length 6
password-control login-attempt 3 exceed lock-time 10
password-control update-interval 0
password-control login idle-time 0
password-control complexity user-name check
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
service-type telnet http https
authorization-attribute user-role network-admin
#
ip http enable
ip https enable
#
url-filter policy 8048_url_profile_global
default-action drop
category Pre-3C action drop
category Pre-Abortion action drop
category Pre-AdultPlace action drop
category Pre-AdultSuppliers action drop
category Pre-Advertisement action drop
category Pre-Airplanes action drop
category Pre-Alcohol action drop
category Pre-Anime action drop
category Pre-Arts action drop
category Pre-Automobiles action drop
category Pre-Bank action drop
category Pre-BooksDownload action drop
category Pre-Botnet action drop
category Pre-Business action drop
category Pre-CharityAndPublicInterest action drop
category Pre-ChildAbuse action drop
category Pre-Clothes action drop
category Pre-Community action drop
category Pre-CriminalActivity action drop
category Pre-Cult action drop
category Pre-Discrimination action drop
category Pre-Divining action drop
category Pre-DomainAndIDCServices action drop
category Pre-Drugs action drop
category Pre-EcologyAndDevelopmentAndEnergy action drop
category Pre-EducationInformation action drop
category Pre-Email action drop
category Pre-EmigrationAndGoingAbroad action drop
category Pre-Entertainment action drop
category Pre-EnvironmentalProtection action drop
category Pre-ExpressageAndLogistics action drop
category Pre-FilmAndMusicDownload action drop
category Pre-Food action drop
category Pre-Forum action drop
category Pre-Gamble action drop
category Pre-Game action drop
category Pre-GeneralWebsite action drop
category Pre-GovernmentalDepartments action drop
category Pre-Greetingcards action drop
category Pre-GuideAndTravelNotes action drop
category Pre-Hacking action drop
category Pre-HealthCare action drop
category Pre-HigherEducation action drop
category Pre-HistoryAndCulture action drop
category Pre-Hobby action drop
category Pre-Homosexual action drop
category Pre-HouseholdDecoration action drop
category Pre-Housekeeping action drop
category Pre-HttpProxy action drop
category Pre-HumanRightsAndDemocracyIssue action drop
category Pre-IllegalSoftware action drop
category Pre-IndustryAndAgriculture action drop
category Pre-InformationSecurity action drop
category Pre-Insurance action drop
category Pre-Jewelry action drop
category Pre-Job action drop
category Pre-Laws action drop
category Pre-LearningResources action drop
category Pre-Lingerie action drop
category Pre-Literature action drop
category Pre-LiveShow action drop
category Pre-Lottery action drop
category Pre-Make-upAndCosmetics action drop
category Pre-MaliciousURL action drop
category Pre-ManageFinances action drop
category Pre-MarriageAndDating action drop
category Pre-MaterialAndFurniture action drop
category Pre-MedicalCare action drop
category Pre-Medicine action drop
category Pre-MentalHealth action drop
category Pre-MicroBlog action drop
category Pre-Military action drop
category Pre-MotorcyclesAndBicycles action drop
category Pre-Move action drop
category Pre-Music action drop
category Pre-NavigationWebsite action drop
category Pre-NetLoan action drop
category Pre-NetworkCommunication action drop
category Pre-News action drop
category Pre-Nudity action drop
category Pre-OnlineBroadcast action drop
category Pre-OnlineChat action drop
category Pre-OnlineMusic action drop
category Pre-OnlinePayment action drop
category Pre-OnlineShopping action drop
category Pre-OnlineStorage action drop
category Pre-OnlineVideo action drop
category Pre-OrdinaryPlace action drop
category Pre-Other action drop
category Pre-OtherAdult action drop
category Pre-OtherDownload action drop
category Pre-OtherFashion action drop
category Pre-OtherFinance action drop
category Pre-OthersLife action drop
category Pre-P2PApp action drop
category Pre-ParkedDomain action drop
category Pre-PersonalSites action drop
category Pre-PetAndAnimal action drop
category Pre-Phishing action drop
category Pre-PictureDownload action drop
category Pre-PictureShare action drop
category Pre-Politics action drop
category Pre-Pornography action drop
category Pre-PregnancyAndParenting action drop
category Pre-PreSchoolEducation action drop
category Pre-PrimaryAndMiddleEducation action drop
category Pre-PropertyDeveloper action drop
category Pre-RealEstateInformation action drop
category Pre-Religion action drop
category Pre-SchoolCheating action drop
category Pre-ScientificResearch action drop
category Pre-SearchEngineAndPortal action drop
category Pre-Service action drop
category Pre-SexualHealth action drop
category Pre-Ships action drop
category Pre-ShoppingGuide action drop
category Pre-SocialIssue action drop
category Pre-SoftwareDownload action drop
category Pre-SoftwareTechnologies action drop
category Pre-SoftwareUpdate action drop
category Pre-Spam action drop
category Pre-SpecialFieldOrganization action drop
category Pre-SpecialIndustries action drop
category Pre-Sports action drop
category Pre-Suicide action drop
category Pre-Tattoos action drop
category Pre-TeenagersAndChildren action drop
category Pre-Ticket action drop
category Pre-TicketAndHotel action drop
category Pre-Tobacco action drop
category Pre-Toys action drop
category Pre-TrainingInstitutions action drop
category Pre-TranslationBypass action drop
category Pre-TravelGuide action drop
category Pre-VehicleRent action drop
category Pre-VideoConference action drop
category Pre-Violence action drop
category Pre-VOIP action drop
category Pre-Vulgar action drop
category Pre-Weapons action drop
add whitelist 2 host text www.info.3g.qq.com
#
url-filter policy test
default-action permit logging
category 126*.com action drop logging
category Pre-Advertisement action drop logging
add whitelist 2 host text www.info.3g.qq.com
#
url-filter category 126*.com severity 65533
#
url-filter category custom severity 65535
rule 1 host regex 126*.com
#
app-profile 8048_url_profile_global
url-filter apply policy 8048_url_profile_global
#
app-profile test
url-filter apply policy test
#
uapp-control
policy name AuditLog audit
source-zone trust
destination-zone untrust
rule 1 any behavior any bhcontent any keyword equal any action permit audit-logging
#
dac storage service audit limit hold-time 1
#
cloud-management server domain oasis.h3c.com
#
return
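The following model is an added example, not H3C code: it mirrors the url-filter policy test in the configuration above (the host whitelist, the custom category stored as host regex 126*.com, the Pre-Advertisement category with action drop logging, and default-action permit logging) and returns the decision for a given HTTP Host. The evaluation order (whitelist before categories), the absence of logging for whitelist hits, the unanchored regex search, and the entry labelling ads.example.net as Pre-Advertisement are assumptions standing in for the device's signature database, not facts taken from the document.

```python
import re

# Constructed model of url-filter policy "test" from the configuration above.
WHITELIST = {"www.info.3g.qq.com"}                          # add whitelist 2 host text www.info.3g.qq.com
CUSTOM_CATEGORIES = {"126*.com": re.compile(r"126*.com")}  # url-filter category custom: rule 1 host regex 126*.com
PREDEFINED = {"ads.example.net": "Pre-Advertisement"}      # assumed one-entry sample of the signature database
CATEGORY_ACTIONS = {"126*.com": ("drop", True),            # category 126*.com action drop logging
                    "Pre-Advertisement": ("drop", True)}   # category Pre-Advertisement action drop logging
DEFAULT_ACTION = ("permit", True)                          # default-action permit logging


def url_filter_decision(host):
    """Return (action, logging, reason) for an HTTP Host value. Evaluation order
    assumed here: whitelist, then custom categories, then predefined, then default."""
    if host in WHITELIST:
        return ("permit", False, "whitelist")              # assumed: whitelist hits are not logged
    for name, pattern in CUSTOM_CATEGORIES.items():
        if pattern.search(host):                           # assumed: unanchored regex search on the host
            action, log = CATEGORY_ACTIONS[name]
            return (action, log, f"custom category {name}")
    cat = PREDEFINED.get(host)
    if cat in CATEGORY_ACTIONS:
        action, log = CATEGORY_ACTIONS[cat]
        return (action, log, f"predefined category {cat}")
    return (*DEFAULT_ACTION, "default-action")
```

Because the keyword is stored as a host regex rather than a wildcard, the model also matches hosts such as 12.com; confirm the device's regex matching rules before relying on the precision of a custom keyword.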
· “DPI Deep Security Configuration Guide” in H3C MER Series Routers Configuration Guides (V7)
· “DPI Deep Security Command Reference” in H3C MER Series Routers Command References (V7)
The documentation for different models and specifications varies slightly. For details, contact your sales representative or the 400 hotline. H3C reserves the right to modify the document contents without notice.