Note: This article is quoted directly from the World Wide Web. Use at your own risk.
1. Connecting to the Guard and initial configuration
Initial configuration of the Guard must be done over a serial console connection, logging in as the admin user with the default password rhadmin.
Console port settings: 8 data bits, N (no parity), 1 stop bit, Flow control: None. Then, under Properties > Settings, insert the following values and click OK:
Emulation: VT100
Telnet terminal ID: VT100
Backscroll buffer lines: 500
Login prompt: admin/rhadmin
2. Configuring the network from the Guard command line
Physical port connections:
Interfaces: Eth0 (100 Mb/s out-of-band, the one normally used), Eth1 (Gigabit out-of-band)
Giga0 and Giga1 (preferred in-band ports, copper / fiber)
Configure the management port and the address of the in-band GE port:
user@GUARD# config terminal
user@GUARD-conf# interface giga1 (network-facing port; subinterfaces can be configured)
user@GUARD-conf-if-giga1# ip address 61.55.134.243 255.255.255.248
user@GUARD-conf-if-giga1# no shutdown
user@GUARD-conf-if-giga1# exit
user@GUARD-conf# interface eth0 (management port; make sure the cable is on the correct port)
user@GUARD-conf-if-eth0# ip address 221.192.133.111 255.255.254.0
user@GUARD-conf-if-eth0# no shutdown
user@GUARD-conf-if-eth0# exit
Enable the SSH and WBM services and specify the source addresses allowed for SSH and web access.
WBM (HTTPS) management:
user@GUARD-conf# service wbm
user@GUARD-conf# permit wbm 192.168.30.32 (* means any address)
SSH (enabled by default):
user@GUARD-conf# permit ssh *
SSH key management:
user@GUARD-conf# key add ssh-rsa 14513797528175730... user@Guard.com (add an SSH key)
user@GUARD-conf# show keys Lilac
ssh-rsa 2352345234523456... user@Guard.com
user@GUARD-conf# key remove Lilac 2352345234523456...
Configure the default route, the proxy addresses, and so on:
user@GUARD-conf# default-gateway 221.192.133.254
user@GUARD-conf# proxy 61.55.134.244 (up to 10 may be configured; used for source-address verification)
Set the date:
user@GUARD-conf# date 1008171003.17
Wed Oct 8 17:10:17 EDT 2003
Synchronize with NTP:
user@GUARD-conf# date 1008171003.17
user@GUARD-conf# timezone Africa/Timbuktu
user@GUARD-conf# service ntp
user@GUARD-conf# permit ntp 192.165.200.224
user@GUARD-conf# ntp server 192.165.200.224
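The date argument above (1008171003.17) is in MMDDhhmmYY.ss form, and the appliance echoes it back as "Wed Oct 8 17:10:17 EDT 2003". The following is an added example, not Cisco's code or part of the original notes: a small Python parser and formatter for that argument, useful when scripting the initial setup or checking that a clock value was typed correctly before NTP takes over. The two-digit-year rule (69-99 means 19xx, 00-68 means 20xx) and the optional seconds field are assumptions borrowed from the Unix date(1) convention; the page does not state either.

```python
import re
from datetime import datetime

# Layout of the Guard 'date' argument as shown on this page: MMDDhhmmYY.ss
# (the same layout the Unix date(1) command accepts). Seconds are treated as
# optional here; that is an assumption, not something the page states.
_DATE_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:\.(\d{2}))?$")


def parse_guard_date(arg: str) -> datetime:
    """Turn 'MMDDhhmmYY[.ss]' into a naive datetime, rejecting anything malformed.

    Two-digit years follow the date(1) convention (assumption):
    69-99 -> 19xx, 00-68 -> 20xx.
    """
    m = _DATE_RE.match(arg)
    if not m:
        raise ValueError(f"not in MMDDhhmmYY[.ss] form: {arg!r}")
    month, day, hour, minute, yy, ss = (int(g) if g is not None else 0 for g in m.groups())
    year = 1900 + yy if yy >= 69 else 2000 + yy
    # datetime() itself rejects impossible values such as month 13 or hour 25.
    return datetime(year, month, day, hour, minute, ss)


def to_guard_date(dt: datetime) -> str:
    """Inverse of parse_guard_date: build the argument string for the 'date' command."""
    return dt.strftime("%m%d%H%M%y.%S")


def echo_line(dt: datetime, tz_label: str) -> str:
    """Reproduce the confirmation line the CLI prints, e.g. 'Wed Oct 8 17:10:17 EDT 2003'.

    The time-zone label is passed in explicitly because the datetime is naive;
    the 'EDT' on the page comes from the appliance's configured timezone.
    """
    return f"{dt:%a %b} {dt.day} {dt:%H:%M:%S} {tz_label} {dt.year}"


if __name__ == "__main__":
    # Round-trip the value shown on the page (constructed sample input).
    value = parse_guard_date("1008171003.17")
    print(to_guard_date(value), "->", echo_line(value, "EDT"))
```

Rejecting malformed input before sending it to the appliance matters because a mistyped clock silently breaks log correlation with the Detector and other devices until NTP corrects it.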
Enter the router module and configure in-band BGP and the related static routes.
user@GUARD# config terminal
user@GUARD-conf# router (enter the router module)
Router# enable
Router# config t
Router-conf# router bgp 65000
See the routing configuration section below.
Once this is done, the protection zones and policies can be configured over the network through the HTTPS GUI or SSH.
- Cisco Guard configuration notes
Communication between the Guard and the Detector:
permit ssh * (allow any address to reach the device over SSH)
permit wbm * (allow any address to access the device through the web interface)
!
interface eth0
ip address 221.192.133.111 255.255.254.0 (network management address)
no shutdown
!
interface giga1
ip address 61.55.134.243 255.255.255.248 (interconnect address between the Guard and the provincial-network GSR)
no shutdown
speed auto (speed mode of the fiber port)
!
default-gateway 221.192.133.254 (gateway address)
!
proxy 61.55.134.244 (proxy address; must be in the same subnet as the GSR interconnect address)
!
Establishing the BGP neighbor between the Guard and the GSR:
router bgp 65400 (autonomous system number; 65xxx is the private range)
bgp router-id 61.55.134.243 (loopback)
redistribute guard (route injection from the Guard management shell)
neighbor 61.55.134.242 remote-as 64630 (eBGP AS number of the carrier)
neighbor 61.55.134.242 soft-reconfiguration inbound
neighbor 61.55.134.242 description GSR
neighbor 61.55.134.242 distribute-list nothing-in in (access list)
neighbor 61.55.134.242 route-map Guard-out out (route map)
!
access-list nothing-in deny any
!
route-map Guard-out permit 10
set community no-export no-advertise (valid only inside the AS; not propagated further)
!
ip route 0.0.0.0/0 61.55.134.242 (VLAN address on the 6509 that interconnects with the GSR)
- Cisco Detector related configuration
Interconnect between the Detector and the Guard:
permit ssh * (allow any address to reach the device over SSH)
permit wbm * (allow any address to access the device through the web interface)
!
remote-guard 221.192.133.111 (set up the channel to the Guard)
!
key generate (generate the key that secures the channel to the Guard)
!
default-gateway 221.192.133.254 (gateway address)
!
interface eth0
ip address 221.192.133.112 255.255.254.0 (network management address)
no shutdown
!
interface giga1
speed auto (speed mode of the fiber port)
!
interface giga0
speed auto (speed mode of the fiber port)
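The Guard and Detector configuration notes above share the same plain-text keywords, and they state a few constraints worth checking mechanically: `permit ssh *` / `permit wbm *` expose the management plane to every source address, the proxy address must sit in the same subnet as the GSR interconnect (giga1), at most 10 proxies are allowed, the default gateway should be reachable from the management (eth0) subnet, the outbound route-map toward the upstream must tag diverted routes `no-export`, and `speed aotu` is a typo that the appliance would not accept. The following is an added example, not Cisco's code or part of the original notes: a Python audit that parses a configuration dump in the format shown on this page and reports deviations from those constraints, with the page's own Guard values as a constructed sample and a hardened variant beside it. The set of accepted `speed` keywords and the check logic are assumptions of this script; the Detector dump from the last section can be fed to the same function unchanged.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: the Guard configuration from this page with the inline
# notes removed; the 'speed aotu' typo is kept on purpose so the audit reports it.
GUARD_CONFIG = """\
permit ssh *
permit wbm *
!
interface eth0
 ip address 221.192.133.111 255.255.254.0
 no shutdown
!
interface giga1
 ip address 61.55.134.243 255.255.255.248
 no shutdown
 speed aotu
!
default-gateway 221.192.133.254
!
proxy 61.55.134.244
!
router bgp 65400
 bgp router-id 61.55.134.243
 redistribute guard
 neighbor 61.55.134.242 remote-as 64630
 neighbor 61.55.134.242 distribute-list nothing-in in
 neighbor 61.55.134.242 route-map Guard-out out
!
access-list nothing-in deny any
!
route-map Guard-out permit 10
 set community no-export no-advertise
!
ip route 0.0.0.0/0 61.55.134.242
"""

# Hardened variant: management access restricted to the admin host used earlier
# on this page (192.168.30.32) and the speed keyword corrected.
HARDENED_CONFIG = (GUARD_CONFIG.replace("permit ssh *", "permit ssh 192.168.30.32")
                               .replace("permit wbm *", "permit wbm 192.168.30.32")
                               .replace("speed aotu", "speed auto"))

VALID_SPEEDS = {"auto", "10", "100", "1000"}  # assumption: keyword set used by this check
MAX_PROXIES = 10                               # stated on the page


def parse_config(text: str) -> Dict:
    """Walk the dump once and collect the items the checks need."""
    cfg = {"interfaces": {}, "speeds": {}, "permits": {}, "proxies": [],
           "gateway": None, "neighbor_out_maps": {}, "route_map_sets": {}}
    context = None  # ("interface", name), ("route-map", name) or ("router", ...)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] == "interface":
            context = ("interface", tok[1])
        elif tok[0] == "route-map":
            context = ("route-map", tok[1])
            cfg["route_map_sets"].setdefault(tok[1], set())
        elif tok[0] == "router":
            context = ("router", " ".join(tok[1:]))
        elif tok[:2] == ["ip", "address"] and context and context[0] == "interface":
            cfg["interfaces"][context[1]] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "speed" and context and context[0] == "interface":
            cfg["speeds"][context[1]] = tok[1]
        elif tok[0] == "permit":
            cfg["permits"].setdefault(tok[1], []).append(tok[2])
        elif tok[0] == "proxy":
            cfg["proxies"].append(ipaddress.IPv4Address(tok[1]))
        elif tok[0] == "default-gateway":
            cfg["gateway"] = ipaddress.IPv4Address(tok[1])
        elif tok[0] == "neighbor" and "route-map" in tok and tok[-1] == "out":
            cfg["neighbor_out_maps"][tok[1]] = tok[tok.index("route-map") + 1]
        elif tok[:2] == ["set", "community"] and context and context[0] == "route-map":
            cfg["route_map_sets"][context[1]].update(tok[2:])
    return cfg


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings: List[str] = []
    for service, sources in cfg["permits"].items():            # management exposure
        if "*" in sources:
            findings.append(f"permit {service} *: management service reachable from any source address")
    inband = cfg["interfaces"].get("giga1")                     # proxy must share the GSR link subnet
    for p in cfg["proxies"]:
        if inband is not None and p not in inband.network:
            findings.append(f"proxy {p} is outside the giga1 subnet {inband.network}")
    if len(cfg["proxies"]) > MAX_PROXIES:
        findings.append(f"{len(cfg['proxies'])} proxies configured, page allows at most {MAX_PROXIES}")
    mgmt, gw = cfg["interfaces"].get("eth0"), cfg["gateway"]   # gateway reachable from eth0
    if mgmt is not None and gw is not None and gw not in mgmt.network:
        findings.append(f"default-gateway {gw} is outside the eth0 subnet {mgmt.network}")
    for name, speed in cfg["speeds"].items():                   # typos such as 'aotu'
        if speed not in VALID_SPEEDS:
            findings.append(f"interface {name}: unrecognized speed keyword '{speed}'")
    for nbr, rm in cfg["neighbor_out_maps"].items():            # diverted routes must stay local
        if "no-export" not in cfg["route_map_sets"].get(rm, set()):
            findings.append(f"neighbor {nbr}: outbound route-map {rm} does not set community no-export")
    return findings


if __name__ == "__main__":
    for label, text in (("page config", GUARD_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit(text) or "no findings")
```

Running the script lists three findings for the page's configuration (the two wildcard permits and the speed typo) and none for the hardened variant; the same function flags a proxy placed outside the /29 interconnect subnet, which is the misconfiguration the page warns about next to the `proxy` command.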