3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
Attack Prevention and Packet Statistics Configuration Example 173
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Add GigabitEthernet0/0.3 sub-interface to the DMZ.
[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Enable the outbound IP statistics function in the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] statistics enable ip outzone
[secblade-zone-untrust] quit
# Enable the address scanning attack prevention, set the maximum scanning rate to 1,000 packets per second and the valid time of the blacklist to 5 minutes, and enable the blacklist function.
[secblade] firewall defend ip-sweep max-rate 1000 blacklist-timeout 5
[secblade] firewall blacklist enable
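To make the policy set by these two commands concrete, here is an added Python model (not code from the 3Com guide or the firewall module) of how a source that sweeps more addresses than the 1,000 packets-per-second threshold allows is blacklisted for 5 minutes; the detection rule (distinct destinations per source within one second), the RFC 5737 addresses and the traffic sample are constructed assumptions.

```python
from collections import defaultdict

# Policy values taken from the page's commands (a constructed model of the
# behaviour, not the firewall module's own implementation):
#   firewall defend ip-sweep max-rate 1000 blacklist-timeout 5
MAX_RATE_PPS = 1000             # max scanning rate, packets per second
BLACKLIST_TIMEOUT_S = 5 * 60    # blacklist valid time, 5 minutes in seconds


def detect_ip_sweep(records, max_rate=MAX_RATE_PPS, timeout_s=BLACKLIST_TIMEOUT_S):
    """Model of address-sweep detection (assumed rule, not the vendor's).

    records: iterable of (timestamp_seconds, src_ip, dst_ip) for packets
    entering the zone.  A source that reaches more than `max_rate` distinct
    destinations within one whole second is added to the blacklist.
    Returns {src_ip: expiry_timestamp}.
    """
    seen = defaultdict(set)          # (src, whole_second) -> distinct dst set
    blacklist = {}
    for ts, src, dst in sorted(records):
        if src in blacklist:          # already blacklisted: packet is dropped
            continue
        key = (src, int(ts))
        seen[key].add(dst)
        if len(seen[key]) > max_rate:
            blacklist[src] = ts + timeout_s
    return blacklist


def is_blocked(blacklist, src, now):
    """True while the source's blacklist entry has not yet expired."""
    expiry = blacklist.get(src)
    return expiry is not None and now < expiry


def constructed_traffic():
    """Constructed sample: one scanner and one busy but normal host."""
    records = []
    # scanner touches 1,200 distinct internal addresses within one second
    for i in range(1200):
        records.append((100.0 + i / 1200, "203.0.113.9", f"10.0.{i // 256}.{i % 256}"))
    # normal host: 300 packets in the same second, but only three destinations
    for i in range(300):
        records.append((100.0 + i / 300, "203.0.113.20", f"10.0.0.{1 + i % 3}"))
    return records


if __name__ == "__main__":
    for src, expiry in detect_ip_sweep(constructed_traffic()).items():
        print(f"{src} blacklisted until t={expiry:.0f}s")
```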
Enabling the Zone-Based Connection Count Monitoring Function
Network requirements
On the Firewall module, add the GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ respectively. Configure limits on the number of connections both to and from the trust zone.
Network diagram
Refer to Figure 31.
Configuration procedure
Switch 8807 (SecBlade)
# Divide VLANs.
<SW8800> system-view
[SW8800] vlan 10
[SW8800-vlan10] quit