3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
Attack Prevention and Packet Statistics Configuration Example
# Create the sub-interfaces.
[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit
# Add the sub-interface of the internal network to the trust zone.
[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit
# Add the sub-interface of the external network to the untrust zone.
[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit
# Add GigabitEthernet0/0.3 sub-interface to the DMZ.
[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit
# Configure the static route.
[secblade] ip route-static 10.0.0.0 24 30.0.0.1
# Configure the ACL rule.
[secblade] acl number 1
[secblade-acl-basic-1] rule permit source 10.0.0.1 0
[secblade-acl-basic-1] quit
# Enter zone view, and set the upper limit on the number of TCP connections initiated by a source IP address that matches the ACL rule to 2,000.
[secblade] firewall zone trust
[secblade-zone-trust] statistic connect-number ip outzone tcp high 2000 low 512 acl 1
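An added example, not part of the original guide: a small Python audit of the configuration above that checks each sub-interface is in exactly one zone and that the connection limit has low below high and references a defined ACL. The config text is constructed from the commands on this page with the prompts stripped; the `audit` function and its checks are assumptions of this example.

```python
import re

# Constructed sample: the commands from the example above, prompts stripped.
SAMPLE = """\
interface GigabitEthernet 0/0.1
 vlan-type dot1q vid 30
 ip address 30.0.0.254 24
interface GigabitEthernet 0/0.2
 vlan-type dot1q vid 50
 ip address 50.0.0.254 24
interface GigabitEthernet 0/0.3
 vlan-type dot1q vid 60
 ip address 60.0.0.254 24
firewall zone trust
 add interface GigabitEthernet 0/0.1
 statistic connect-number ip outzone tcp high 2000 low 512 acl 1
firewall zone untrust
 add interface GigabitEthernet 0/0.2
firewall zone DMZ
 add interface GigabitEthernet 0/0.3
acl number 1
 rule permit source 10.0.0.1 0
"""

def audit(config):
    """Return findings (empty list = pass); the checks are this example's assumptions."""
    ifaces, zones, acls, limits, ctx = set(), {}, set(), [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"interface GigabitEthernet (\S+)", line):
            ifaces.add(m[1])
        elif m := re.fullmatch(r"firewall zone (\S+)", line):
            ctx = m[1]  # zone view that following lines belong to
        elif m := re.fullmatch(r"add interface GigabitEthernet (\S+)", line):
            zones.setdefault(m[1], []).append(ctx)
        elif m := re.fullmatch(r"acl number (\d+)", line):
            acls.add(m[1])
        elif m := re.fullmatch(r"statistic connect-number ip (\S+) (\S+) high (\d+) low (\d+) acl (\d+)", line):
            limits.append((ctx, int(m[3]), int(m[4]), m[5]))
    findings = []
    for i in sorted(ifaces):
        if len(zones.get(i, [])) != 1:
            findings.append(f"{i}: in zones {zones.get(i, [])}, expected exactly one")
    for zone, high, low, acl in limits:
        if low >= high:
            findings.append(f"zone {zone}: low {low} is not below high {high}")
        if acl not in acls:
            findings.append(f"zone {zone}: limit references undefined ACL {acl}")
    return findings
```
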
Displaying Statistics Information of Specified IP Address
Network requirements
On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and
GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ
respectively.
Network diagram
Refer to Figure 31.