3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide

Attack Prevention and Packet Statistics Configuration Example
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Add GigabitEthernet0/0.3 sub-interface to the DMZ.
[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Enable the outbound packet statistics function in the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] statistics enable zone outzone
# Enable the inbound packet statistics function in the trust zone.
[secblade-zone-trust] statistics enable zone inzone
# Configure the upper limit of the number of inbound TCP connections in the trust zone as 120,000.
[secblade-zone-trust] statistics enable zone inzone tcp high 120000 low 10000
# Configure the upper limit of the number of outbound TCP connections in the trust zone as 200,000.
[secblade-zone-trust] statistics enable zone outzone tcp high 200000 low 10000
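
A transcript like the one above can be checked for threshold mistakes before it is applied. The following is an added example, not part of the 3Com guide: it assumes the prompt and command syntax exactly as printed on this page, the sample transcript is constructed, and treating a repeated limit as "last one wins" is an assumption about the device.

```python
import re

# Constructed transcript in the syntax shown on this page (not device output).
SAMPLE = """\
[secblade] firewall zone trust
[secblade-zone-trust] statistics enable zone outzone
[secblade-zone-trust] statistics enable zone inzone
[secblade-zone-trust] statistics enable zone inzone tcp high 120000 low 10000
[secblade-zone-trust] statistics enable zone inzone tcp high 200000 low 10000
[secblade-zone-trust] quit
[secblade] firewall zone untrust
[secblade-zone-untrust] statistics enable zone inzone udp high 500 low 900
"""

PROMPT = re.compile(r"^\[secblade-zone-(?P<zone>[^\]]+)\]\s+(?P<cmd>.+)$")
STAT = re.compile(r"^statistics enable zone (?P<dir>inzone|outzone)"
                  r"(?: (?P<proto>\w+) high (?P<high>\d+) low (?P<low>\d+))?$")

def audit(transcript):
    """Return (limits, findings) for the zone statistics lines in a transcript."""
    enabled, limits, findings = set(), {}, []
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        s = m and STAT.match(m["cmd"].strip())
        if not s:
            continue  # not a zone-view statistics command
        zone, direction = m["zone"], s["dir"]
        if s["proto"] is None:
            enabled.add((zone, direction))  # plain "statistics enable zone <dir>"
            continue
        key = (zone, direction, s["proto"])
        high, low = int(s["high"]), int(s["low"])
        if low >= high:
            findings.append(f"{key}: low {low} is not below high {high}")
        if key in limits:  # same zone/direction/protocol limited twice
            findings.append(f"{key}: limit set twice, {limits[key]} then {(high, low)}")
        if (zone, direction) not in enabled:
            findings.append(f"{key}: statistics not enabled for this direction")
        limits[key] = (high, low)  # assumption: the later command replaces the earlier
    return limits, findings

if __name__ == "__main__":
    result, problems = audit(SAMPLE)
    print(result)
    print("\n".join(problems))
```

A limit that appears twice for the same zone, direction and protocol usually means the other direction was never configured, which is what the check on `key in limits` surfaces.
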
Monitoring the Number of the IP-Based Connections Matching with the ACL Rule
Network requirements
On the Firewall module, add the GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and
GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ
respectively. Configure a restriction on the number of connections from the
host in the trust zone whose IP address is 10.0.0.1.
Network diagram
Refer to Figure 31.