H3C's ER3000 series routers enable small and medium-sized enterprises to access the Internet
I. Networking requirements:
An enterprise needs to meet the following requirements:
1) China Telecom and China Netcom each supply an optical fiber line, and traffic must follow the "Telecom traffic via Telecom, Netcom traffic via Netcom" rule (ER3260/ER3200 only).
2) Prevent ARP attacks in the LAN.
3) Prevent some computers from consuming excessive network resources with software such as BT and Thunder.
4) Some computers are prohibited from using QQ and MSN.
II. Networking configuration scheme:
To meet the preceding typical requirements, build the LAN with an ER3000 series router, using the following configuration as an example:
1) The WAN ports use static IP address access.
2) Connect to the China Telecom and China Netcom lines through optical fiber transceivers. Set the WAN port mode to manual load balancing to achieve "Telecom traffic via Telecom, Netcom traffic via Netcom" (ER3260/ER3200 only).
3) Disable the DHCP server function and manually assign a static IP address to each computer in the LAN.
4) Enable IP/MAC binding to prevent ARP attacks.
5) Enable the ARP anti-spoofing function.
6) Set IP traffic limits and NAT table entry limits to prevent BT, Thunder, and similar software from consuming excessive network resources.
7) Set business control to prohibit some computers from using QQ and MSN (ER3200/ER3100 only).
III. Network topology:
[Figure: network topology diagram]
IV. Configuration steps:
1) Configure the router from a computer connected to a LAN port of the ER3000 series router. In the address bar of the computer's web browser, enter http://192.168.1.1 and press Enter to display the login dialog box. In the login dialog box, enter the default administrator username admin and password admin (if the password has been changed, enter the new password), then click <OK> to open the web configuration page. Perform the following configuration:
1. Connect to the Internet
(1) Set the multi-WAN connection mode (skip this step on the ER3100). Path: WAN settings → Connect to the Internet.
(2) Set the Internet access mode. Path: WAN settings → Connect to the Internet.
(3) Set the balanced routing policy (skip this step on the ER3100). Path: WAN settings → Connect to the Internet. Click the <Import> button in the lower-right corner of the page to import the China Netcom routing policy table (which can be downloaded directly from the H3C website).
H3C ER3000 series enterprise router user manual, 9: Typical configuration cases
Note:
Because the default link is set to WAN 1 and the ISP of WAN 1 is Telecom, you only need to import
.
In this example, the WAN2 port is connected to China Netcom. Before importing the China Netcom routing policy table, make sure the outbound port is set to WAN2.
If the China Netcom routing policy table does not fully cover the required policies, add the missing entries manually.
2. Set up the LAN
(1) Disable the DHCP server of the ER3000 series router. Path: LAN Settings → LAN Settings.
(2) Statically assign an IP address and subnet mask to each computer in the LAN.
3. Set ARP attack and spoofing protection
(1) Set IP/MAC address binding. Path: Access Control → IP/MAC binding. Click the <ARP table import> button.
(2) Select the "Select all" check box and click <Import to IP/MAC binding table> to import the IP/MAC bindings into the IP/MAC binding table.
(3) Select "Allow only clients bound to IP/MAC to access the Internet" and click <OK>. The attack protection takes effect.
(4) Set ARP anti-spoofing. Path: Security Settings → ARP attack prevention. Select "Enable ARP anti-spoofing function", select "Actively send gratuitous ARP packets", and set the interval for sending gratuitous ARP packets to 1 second. Click <OK> to complete the configuration.
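The IP/MAC binding table built in steps (1) to (3) is also a useful audit baseline. The following added example (not part of the H3C manual) compares `ip neigh show` output captured on a LAN host with a copy of the binding table and reports addresses that would be blocked or that suggest ARP spoofing. All addresses, MACs and the interface name are constructed sample values.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (not from the article or a real network).
BINDINGS = {                                  # copy of the router's IP/MAC binding table
    "192.168.1.1": "02-00-00-00-01-01",       # router LAN address, made-up MAC
    "192.168.1.10": "02:00:00:00:01:10",
    "192.168.1.11": "02:00:00:00:01:11",
}
ARP_OUTPUT = """\
192.168.1.1 dev eth0 lladdr 02:00:00:00:01:11 REACHABLE
192.168.1.10 dev eth0 lladdr 02:00:00:00:01:10 STALE
192.168.1.11 dev eth0 lladdr 02:00:00:00:01:11 REACHABLE
192.168.1.50 dev eth0 lladdr 02:00:00:00:01:50 REACHABLE
192.168.1.60 dev eth0  FAILED
"""
NEIGH = re.compile(r"^(\S+)\s.*\blladdr\s+([0-9A-Fa-f:.-]+)")

def norm_mac(mac):
    """Normalize 02-00-..., 0200.0000.0101 or 02:00:... to lower-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_neighbors(text):
    """Return {ip: mac} from `ip neigh show` output; entries with no MAC are skipped."""
    found = {}
    for line in text.splitlines():
        m = NEIGH.match(line.strip())
        if m:
            found[str(ipaddress.ip_address(m.group(1)))] = norm_mac(m.group(2))
    return found

def audit(bindings, observed):
    """Compare observed ARP entries with the binding table and list the violations."""
    bound = {ip: norm_mac(mac) for ip, mac in bindings.items()}
    findings, by_mac = [], defaultdict(list)
    for ip in sorted(observed, key=ipaddress.ip_address):
        mac = observed[ip]
        by_mac[mac].append(ip)
        if ip not in bound:
            findings.append(("UNBOUND", ip, mac))       # would be blocked by step (3)
        elif bound[ip] != mac:
            findings.append(("MISMATCH", ip, mac))      # possible ARP spoofing
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("SHARED_MAC", mac, tuple(ips)))  # one NIC answering for several IPs
    return findings
```

A MISMATCH on the gateway address (192.168.1.1 here) together with a SHARED_MAC finding is the typical signature of a host impersonating the router.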
4. Set the IP traffic limit and NAT table entry limit
(1) Set IP traffic limits. Path: QoS settings → IP traffic limit. Enable IP traffic limiting, set the IP address range and the traffic limit, then click <Add> to add the entry to the IP traffic limit table.
(2) Set NAT table entry limits. Path: QoS settings → NAT table entry limit. Enable the NAT table entry limit function, set the IP address range and the maximum number of NAT table entries, then click <Add> to add the entry to the NAT table entry limit table.
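Why a per-IP NAT entry limit contains P2P software: the following added example (a simplified model, not H3C firmware code) caps the number of NAT sessions each source IP in a configured range may hold. The address range, the cap of 200 and the traffic pattern are constructed values, not H3C recommendations.

```python
import ipaddress
from collections import defaultdict

def _ip(addr):
    return int(ipaddress.ip_address(addr))

class NatTable:
    """Simplified NAT session table with a per-source-IP entry cap (a model only)."""

    def __init__(self, rules):
        # rules: (first IP, last IP, max entries per IP), like rows of the limit table
        self.rules = [(_ip(first), _ip(last), cap) for first, last, cap in rules]
        self.entries = defaultdict(set)          # source IP -> active flows

    def cap_for(self, src):
        """Return the cap of the first rule whose range contains src, or None if unlimited."""
        for first, last, cap in self.rules:
            if first <= _ip(src) <= last:
                return cap
        return None

    def admit(self, src, sport, dst, dport, proto="tcp"):
        """Create (or reuse) a NAT entry; return False when src is already at its cap."""
        flow, flows = (proto, sport, dst, dport), self.entries[src]
        if flow in flows:
            return True                          # packet of an existing session
        cap = self.cap_for(src)
        if cap is not None and len(flows) >= cap:
            return False                         # new session refused, other hosts untouched
        flows.add(flow)
        return True

def simulate():
    """Constructed traffic: a P2P host opening 500 peer sessions, an office host opening 30."""
    nat = NatTable([("192.168.1.2", "192.168.1.254", 200)])   # constructed range and cap
    result = {}
    for src, sessions in (("192.168.1.20", 500), ("192.168.1.30", 30)):
        ok = sum(nat.admit(src, 20000 + i, f"203.0.113.{i % 250 + 1}", 6881)
                 for i in range(sessions))
        result[src] = (ok, sessions - ok)        # (admitted, refused)
    return result
```

The P2P host is held at 200 entries while the office host's 30 sessions are all admitted, which is the effect the limit table is meant to have on the shared NAT table.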
5. Set business control
(Skip this step on the ER3260.) Path: Access Control → Business control.
Disable QQ/MSN online permissions for all computers in the LAN, then set the privileged IP addresses that are to keep QQ/MSN online permissions, and click <Add> to add them to the business control table.
After completing all the settings, you can access the Internet with confidence through the ER3000 series.