
H3C Technologies H3C SecBlade IPS Cards User Manual


[Sysname] interface Vlan-interface 30

[Sysname-Vlan-interface30] ip address 30.0.0.1 255.0.0.0

[Sysname-Vlan-interface30] quit

# Configure the link type of the 10GE interfaces connected to the SecBlade IPS cards as trunk, and disable MAC address learning on the interfaces (max-address max-mac-count 0 sets the maximum number of learned MAC addresses to 0).

[Sysname] interface GigabitEthernet3/1/1

[Sysname-GigabitEthernet3/1/1] port link-type trunk

[Sysname-GigabitEthernet3/1/1] port trunk permit vlan all

[Sysname-GigabitEthernet3/1/1] max-address max-mac-count 0

[Sysname] interface GigabitEthernet4/1/1

[Sysname-GigabitEthernet4/1/1] port link-type trunk

[Sysname-GigabitEthernet4/1/1] port trunk permit vlan all

[Sysname-GigabitEthernet4/1/1] max-address max-mac-count 0

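# Configure advanced ACLs. ACL 3000 matches all routed IP packets, ACL 3001 matches routed IP packets destined for 10.0.0.0 with wildcard mask 0.255.255.255, and ACL 3002 matches routed IP packets destined for 20.0.0.0 with wildcard mask 0.255.255.255. Because every rule specifies packet-level route, packets that the switch bridges at Layer 2 are not matched by these ACLs and are therefore not selected by the traffic-redirect commands that reference them.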

[Sysname] acl number 3000

[Sysname-acl-adv-3000] rule 0 permit ip packet-level route

[Sysname-acl-adv-3000] quit

[Sysname] acl number 3001

[Sysname-acl-adv-3001] rule 0 permit ip packet-level route destination 10.0.0.0 0.255.255.255

[Sysname-acl-adv-3001] quit

[Sysname] acl number 3002

[Sysname-acl-adv-3002] rule 0 permit ip packet-level route destination 20.0.0.0 0.255.255.255

[Sysname-acl-adv-3002] quit

# Configure a Layer 2 ACL.

[Sysname] acl number 4000

[Sysname-acl-ethernetframe-4000] rule 0 deny arp

[Sysname-acl-ethernetframe-4000] rule 1 deny packet-level bridge

[Sysname-acl-ethernetframe-4000] quit

# Configure traffic redirection on the internal and external network interfaces.

[Sysname] interface Ethernet 5/1/1

[Sysname-Ethernet5/1/1] traffic-redirect inbound ip-group 3000 interface GigabitEthernet3/1/1 10

[Sysname-Ethernet5/1/1] quit

[Sysname] interface Ethernet 5/1/2

[Sysname-Ethernet5/1/2] traffic-redirect inbound ip-group 3000 interface GigabitEthernet4/1/1 20

[Sysname-Ethernet5/1/2] quit

[Sysname] interface Ethernet 5/1/3

[Sysname-Ethernet5/1/3] traffic-redirect inbound ip-group 3001 interface GigabitEthernet3/1/1 30

[Sysname-Ethernet5/1/3] traffic-redirect inbound ip-group 3002 interface GigabitEthernet4/1/1 30

[Sysname-Ethernet5/1/3] quit

# Configure the 10GE interfaces to deny ARP packets and Layer 2 forwarded (bridged) packets by applying Layer 2 ACL 4000 in the inbound direction.

[Sysname] interface GigabitEthernet3/1/1

[Sysname-GigabitEthernet3/1/1] packet-filter inbound link-group 4000