security-zone name Trust import interface GigabitEthernet0/0 import interface Ten-GigabitEthernet0/11 import interface Ten-GigabitEthernet0/12 import interface Ten-GigabitEthernet0/13 # security-zone name DMZ # security-zone name Untrust import interface Dialer1 import interface Dialer2 import interface Dialer3 import interface Dialer4 import interface Dialer5 # 开启上网行为管理就会多出这些策略这是为啥呢,是不是删除这些配置就能解决问题,如果不手动删除有其他更好的方法吗。
这个导航位置是命令行配置上网行为管理
这个是WEB方式配置,你仔细看看,如果实在不行,你把配置贴出来
<H3C>display current-configuration # version 7.1.064, Release 6728P25 # sysname H3C # # undo resource-monitor output syslog snmp-notification netconf-event # security-zone intra-zone default permit # security-policy disable # dialer-group 2 rule ip permit dialer-group 3 rule ip permit dialer-group 4 rule ip permit dialer-group 5 rule ip permit dialer-group 6 rule ip permit # ip load-sharing mode per-flow src-ip global # dhcp enable dhcp server always-broadcast # dns proxy enable # system-working-mode standard password-recovery enable # vlan 1 # object-group ip address neiwang # dhcp server ip-pool lan1 gateway-list 192.168.0.1 network 192.168.0.0 mask 255.255.254.0 address range 192.168.1.2 192.168.1.254 dns-list 192.168.0.1 # policy-based-route 1 permit node 5 if-match acl 3000 apply output-interface Dialer2 # controller Cellular0/0 # interface Route-Aggregation1 description LAN-interface ip address 10.1.1.1 255.255.255.0 undo dhcp select server ip policy-based-route 1 # interface Dialer1 # interface Dialer2 # interface Dialer3 # interface Dialer4 # interface Dialer5 # interface NULL0 # interface GigabitEthernet0/0 port link-mode route description LAN-interface combo enable copper ip address 192.168.0.1 255.255.254.0 tcp mss 1280 # interface GigabitEthernet0/1 port link-mode route description Multiple_Line3 pppoe-client dial-bundle-number 1 # interface GigabitEthernet0/2 port link-mode route description Multiple_Line1 pppoe-client dial-bundle-number 2 # interface GigabitEthernet0/3 port link-mode route description Multiple_Line2 pppoe-client dial-bundle-number 3 # interface GigabitEthernet0/4 port link-mode route description Multiple_Line4 pppoe-client dial-bundle-number 4 # interface GigabitEthernet0/5 port link-mode route description Multiple_Line5 duplex full pppoe-client dial-bundle-number 5 # interface GigabitEthernet0/7 port link-mode route # interface GigabitEthernet0/8 port link-mode route # interface GigabitEthernet0/9 port link-mode route # interface GigabitEthernet0/10 port link-mode route # interface GigabitEthernet0/6 port link-mode bridge # interface Ten-GigabitEthernet0/11 port link-mode route description LAN-interface undo dhcp select server port link-aggregation group 1 # interface Ten-GigabitEthernet0/12 port link-mode route description LAN-interface undo dhcp select server port link-aggregation group 1 # interface Ten-GigabitEthernet0/13 port link-mode route description LAN-interface undo dhcp select server # object-policy ip Any-Any rule 65533 inspect 8048_url_profile_global disable rule 65534 pass # security-zone name Local # security-zone name Trust import interface GigabitEthernet0/0 import interface Ten-GigabitEthernet0/11 import interface Ten-GigabitEthernet0/12 import interface Ten-GigabitEthernet0/13 # security-zone name DMZ # security-zone name Untrust import interface Dialer1 import interface Dialer2 import interface Dialer3 import interface Dialer4 import interface Dialer5 # security-zone name Management # zone-pair security source Any destination Any object-policy apply ip Any-Any # zone-pair security source Local destination Trust packet-filter name SWXWSGL # zone-pair security source Local destination Untrust packet-filter name SWXWSGL # zone-pair security source Trust destination Local packet-filter name SWXWSGL # zone-pair security source Untrust destination Local packet-filter name SWXWSGL # scheduler logfile size 16 # line class console user-role network-admin # line class tty user-role network-operator # line class vty user-role network-operator # line con 0 user-role network-admin # line vty 0 63 authentication-mode scheme user-role network-operator # ip route-static 0.0.0.0 0 Dialer2 100.64.0.1 ip route-static 0.0.0.0 0 Dialer3 100.64.0.1 ip route-static 0.0.0.0 0 Dialer1 ip route-static 0.0.0.0 0 Dialer5 ip route-static 10.27.0.0 16 10.1.1.2 ip route-static 192.168.0.0 16 10.1.1.2 # undo info-center enable info-center loghost 127.0.0.1 port 3301 info-center source CFGLOG loghost level informational # performance-management # ssh server enable # ntp-service enable ntp-service unicast-server ***.*** # acl advanced 3000 rule 0 permit ip source 10.27.2.0 0.0.0.255 # acl advanced name SWXWSGL rule 1 permit ip # password-control enable undo password-control aging enable undo password-control history enable password-control length 6 password-control login-attempt 3 exceed lock-time 10 password-control update-interval 0 password-control login idle-time 0 # domain system # domain default enable system # role name level-0 description Predefined level-0 role # # user-group system # local-user admin class manage service-type ssh telnet http https authorization-attribute user-role network-admin # security-enhanced level 2 # connection-limit apply global policy 32 # ip http enable web new-style # url-filter category custom severity 65535 # wlan ap-group default-group vlan 1 # uapp-control policy name AuditLog audit source-zone trust destination-zone untrust rule 1 any behavior any bhcontent any keyword equal any action permit audit-logging # dac log-collect service dpi audit enable dac log-collect service dpi url-filter enable # dac storage service dpi audit limit hold-time 1 dac storage service audit limit hold-time 1 dac storage service dpi url-filter limit hold-time 1 dac storage service url-filter limit hold-time 1 # return <H3C> 这是开启上网行为管理之后的配置,我简化了下,其实也就比之前多了9行,就是我上面贴的trust和untrust域,只要开启上网行为管理之后网络立刻断开,关掉网络就恢复。
<H3C>display current-configuration # version 7.1.064, Release 6728P25 # sysname H3C # # undo resource-monitor output syslog snmp-notification netconf-event # security-zone intra-zone default permit # security-policy disable # dialer-group 2 rule ip permit dialer-group 3 rule ip permit dialer-group 4 rule ip permit dialer-group 5 rule ip permit dialer-group 6 rule ip permit # ip load-sharing mode per-flow src-ip global # dhcp enable dhcp server always-broadcast # dns proxy enable # system-working-mode standard password-recovery enable # vlan 1 # object-group ip address neiwang # dhcp server ip-pool lan1 gateway-list 192.168.0.1 network 192.168.0.0 mask 255.255.254.0 address range 192.168.1.2 192.168.1.254 dns-list 192.168.0.1 # policy-based-route 1 permit node 5 if-match acl 3000 apply output-interface Dialer2 # controller Cellular0/0 # interface Route-Aggregation1 description LAN-interface ip address 10.1.1.1 255.255.255.0 undo dhcp select server ip policy-based-route 1 # interface Dialer1 # interface Dialer2 # interface Dialer3 # interface Dialer4 # interface Dialer5 # interface NULL0 # interface GigabitEthernet0/0 port link-mode route description LAN-interface combo enable copper ip address 192.168.0.1 255.255.254.0 tcp mss 1280 # interface GigabitEthernet0/1 port link-mode route description Multiple_Line3 pppoe-client dial-bundle-number 1 # interface GigabitEthernet0/2 port link-mode route description Multiple_Line1 pppoe-client dial-bundle-number 2 # interface GigabitEthernet0/3 port link-mode route description Multiple_Line2 pppoe-client dial-bundle-number 3 # interface GigabitEthernet0/4 port link-mode route description Multiple_Line4 pppoe-client dial-bundle-number 4 # interface GigabitEthernet0/5 port link-mode route description Multiple_Line5 duplex full pppoe-client dial-bundle-number 5 # interface GigabitEthernet0/7 port link-mode route # interface GigabitEthernet0/8 port link-mode route # interface GigabitEthernet0/9 port link-mode route # interface GigabitEthernet0/10 port link-mode route # interface GigabitEthernet0/6 port link-mode bridge # interface Ten-GigabitEthernet0/11 port link-mode route description LAN-interface undo dhcp select server port link-aggregation group 1 # interface Ten-GigabitEthernet0/12 port link-mode route description LAN-interface undo dhcp select server port link-aggregation group 1 # interface Ten-GigabitEthernet0/13 port link-mode route description LAN-interface undo dhcp select server # object-policy ip Any-Any rule 65533 inspect 8048_url_profile_global disable rule 65534 pass # security-zone name Local # security-zone name Trust import interface GigabitEthernet0/0 import interface Ten-GigabitEthernet0/11 import interface Ten-GigabitEthernet0/12 import interface Ten-GigabitEthernet0/13 # security-zone name DMZ # security-zone name Untrust import interface Dialer1 import interface Dialer2 import interface Dialer3 import interface Dialer4 import interface Dialer5 # security-zone name Management # zone-pair security source Any destination Any object-policy apply ip Any-Any # zone-pair security source Local destination Trust packet-filter name SWXWSGL # zone-pair security source Local destination Untrust packet-filter name SWXWSGL # zone-pair security source Trust destination Local packet-filter name SWXWSGL # zone-pair security source Untrust destination Local packet-filter name SWXWSGL # scheduler logfile size 16 # line class console user-role network-admin # line class tty user-role network-operator # line class vty user-role network-operator # line con 0 user-role network-admin # line vty 0 63 authentication-mode scheme user-role network-operator # ip route-static 0.0.0.0 0 Dialer2 100.64.0.1 ip route-static 0.0.0.0 0 Dialer3 100.64.0.1 ip route-static 0.0.0.0 0 Dialer1 ip route-static 0.0.0.0 0 Dialer5 ip route-static 10.27.0.0 16 10.1.1.2 ip route-static 192.168.0.0 16 10.1.1.2 # undo info-center enable info-center loghost 127.0.0.1 port 3301 info-center source CFGLOG loghost level informational # performance-management # ssh server enable # ntp-service enable ntp-service unicast-server ***.*** # acl advanced 3000 rule 0 permit ip source 10.27.2.0 0.0.0.255 # acl advanced name SWXWSGL rule 1 permit ip # password-control enable undo password-control aging enable undo password-control history enable password-control length 6 password-control login-attempt 3 exceed lock-time 10 password-control update-interval 0 password-control login idle-time 0 # domain system # domain default enable system # role name level-0 description Predefined level-0 role # # user-group system # local-user admin class manage service-type ssh telnet http https authorization-attribute user-role network-admin # security-enhanced level 2 # connection-limit apply global policy 32 # ip http enable web new-style # url-filter category custom severity 65535 # wlan ap-group default-group vlan 1 # uapp-control policy name AuditLog audit source-zone trust destination-zone untrust rule 1 any behavior any bhcontent any keyword equal any action permit audit-logging # dac log-collect service dpi audit enable dac log-collect service dpi url-filter enable # dac storage service dpi audit limit hold-time 1 dac storage service audit limit hold-time 1 dac storage service dpi url-filter limit hold-time 1 dac storage service url-filter limit hold-time 1 # return <H3C> 这是开启上网行为管理之后的配置,我简化了下,其实也就比之前多了9行,就是我上面贴的trust和untrust域,只要开启上网行为管理之后网络立刻断开,关掉网络就恢复。
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
没有ipoe命令,开启上网行为管理之后就是多出了9行,是trust和untrust域的配置,就是我先面贴的那些,trust没把聚合端口加进去