Author: BSXY_陈永跃
BSXY School of Information
Note: Do not repost any content without permission
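eNSP-Based Network Planning and Design for a Thousand-User Medium-Sized Campus/Enterprise with a Firewall
Preface and resource download notes (do not repost any content without permission)
If you have any questions, describe the situation you ran into in the comments; the blogger will reply as soon as they see it, and other readers are welcome to answer each other's questions. You can build the design yourself step by step by following the design and implementation steps below (every command is a key command). If you need them, you can also download the complete topology and the full configuration from the address below for reference. Once you have the topology, use display often to inspect the configuration and the corresponding commands. The accompanying resources are: eNSP-based network planning and design for a thousand-user medium-sized campus/enterprise with a firewall, topology (wired + wireless).rar + all configuration commands (order.txt)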
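I. Topology and design requirements (15 requirements)
Topology diagram 1:
Topology diagram 2:
Design requirements:
01. Configure the interface addresses of the servers, firewall, routers, and other devices
02. Configure Eth-Trunk link bundling for link redundancy
03. Divide the enterprise network into multiple VLANs to reduce the size of the broadcast domains and improve network reliability
04. Configure MSTP + VRRP for traffic load sharing and redundancy, and configure the corresponding STP optimization techniques for STP convergence to reduce STP flapping
05. All users obtain their IP addresses automatically
06. Configure DHCP snooping to isolate rogue DHCP servers
07. Configure OSPF and static routes for Layer 3 reachability
08. Configure firewall security policies that permit traffic from the internal zone to the DMZ
09. Configure NAT and security policies on the firewall so that users can reach Baidu on the external network
10. Configure server mapping and security policies on the firewall so that the external user Client can reach the web server through the public address 100.100.100.100
11. Configure the corresponding firewall policies so that the external user Client can reach and log in to the web server through http://100.100.100.100
12. Users can reach Baidu on the external network by domain name (www.baidu.com)
13. The internal finance server may be accessed only by VLAN 50 users
14. Switches LSW1-LSW12 can all be reached over Telnet (huawei 5555)
15. Wireless WLAN configuration; service VLANs 101 and 102 can also reach Baidu on the external network by domain name (www.baidu.com)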
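II. Topology before the retrofit, without a firewall (an interlude; optional reading)
Interlude: the redundant network design from before the retrofit, "eNSP-based thousand-user, redundant, medium-sized campus/enterprise network design and planning", is shown in the figure below (it is not described in detail in this article; click the link to read it if you wish):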
III. Complete configuration process
1. VLAN Trunk configuration
HX_SW1:
<Huawei>sy
[Huawei]un in en
[Huawei]sysname HX_SW1
[HX_SW1]int Eth-Trunk 1
[HX_SW1-Eth-Trunk1]mode lacp-static
[HX_SW1-Eth-Trunk1]trunkport g0/0/7
[HX_SW1-Eth-Trunk1]trunkport g0/0/8
[HX_SW1-Eth-Trunk1]q
------------------------------------
HX_SW2:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname HX_SW2
[HX_SW2]int Eth-Trunk 1
[HX_SW2-Eth-Trunk1]mode lacp-static
[HX_SW2-Eth-Trunk1]trunkport g0/0/7
[HX_SW2-Eth-Trunk1]trunkport g0/0/8
[HX_SW2-Eth-Trunk1]q
------------------------------------
HJ_SW4:
<Huawei>sy
[Huawei]sysname HJ_SW4
[HJ_SW4]int Eth-Trunk 2
[HJ_SW4-Eth-Trunk2]mode lacp-static
[HJ_SW4-Eth-Trunk2]trunkport g0/0/4
[HJ_SW4-Eth-Trunk2]trunkport g0/0/5
[HJ_SW4-Eth-Trunk2]q
------------------------------------
JR_SW9:
<Huawei>sy
[Huawei]un in en
[Huawei]sysname JR_SW9
[JR_SW9]int Eth-Trunk 2
[JR_SW9-Eth-Trunk2]mode lacp-static
[JR_SW9-Eth-Trunk2]trunkport g0/0/4
[JR_SW9-Eth-Trunk2]trunkport g0/0/5
[JR_SW9-Eth-Trunk2]dis eth-trunk
2. Underlying VLAN configuration
JR_SW6:
<Huawei>SY
[Huawei]un in en
[Huawei]sysname JR_SW6
[JR_SW6]vlan batch 20 30 40 50 60 70 80 200 900
[JR_SW6]int g0/0/1
[JR_SW6-GigabitEthernet0/0/1]port link-type trunk
[JR_SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan 20 30 900
[JR_SW6-GigabitEthernet0/0/1]int g0/0/2
[JR_SW6-GigabitEthernet0/0/2]port link-type access
[JR_SW6-GigabitEthernet0/0/2]port default vlan 20
[JR_SW6-GigabitEthernet0/0/2]int g0/0/3
[JR_SW6-GigabitEthernet0/0/3]port link-type access
[JR_SW6-GigabitEthernet0/0/3]port default vlan 30
[JR_SW6-GigabitEthernet0/0/3]
------------------------------------
JR_SW7:
<Huawei>SYS
[Huawei]un in en
[Huawei]sysname JR_SW7
[JR_SW7]vlan batch 20 30 40 50 60 70 80 200 900
[JR_SW7]int g0/0/1
[JR_SW7-GigabitEthernet0/0/1]port link-type trunk
[JR_SW7-GigabitEthernet0/0/1]port trunk allow-pass vlan 40 900
[JR_SW7-GigabitEthernet0/0/1]int g0/0/2
[JR_SW7-GigabitEthernet0/0/2]port link-type access
[JR_SW7-GigabitEthernet0/0/2]port default vlan 40
[JR_SW7-GigabitEthernet0/0/2]qui
------------------------------------
HJ_SW3:
<Huawei>system-view
[Huawei]un in en
[Huawei]sysname HJ_SW3
[HJ_SW3]vlan batch 20 30 40 50 60 70 80 200 900
[HJ_SW3]int g0/0/1
[HJ_SW3-GigabitEthernet0/0/1]port link-type trunk
[HJ_SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 20 30 40 900
[HJ_SW3-GigabitEthernet0/0/1]int g0/0/2
[HJ_SW3-GigabitEthernet0/0/2]port link-type trunk
[HJ_SW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 20 30 40 900
[HJ_SW3-GigabitEthernet0/0/2]int g0/0/3
[HJ_SW3-GigabitEthernet0/0/3]port link-type trunk
[HJ_SW3-GigabitEthernet0/0/3]port trunk allow-pass vlan 20 30 900
[HJ_SW3-GigabitEthernet0/0/3]int g0/0/4
[HJ_SW3-GigabitEthernet0/0/4]port link-type trunk
[HJ_SW3-GigabitEthernet0/0/4]port trunk allow-pass vlan 40 900
------------------------------------
JR_SW8:
<Huawei>SYS
[Huawei]sys
[Huawei]sysname JR_SW8
[JR_SW8]vlan batch 20 30 40 50 60 70 80 200 900
[JR_SW8]int g0/0/1
[JR_SW8-GigabitEthernet0/0/1]port link-type trunk
[JR_SW8-GigabitEthernet0/0/1]port trunk allow-pass vlan 50 900
[JR_SW8-GigabitEthernet0/0/1]int g0/0/2
[JR_SW8-GigabitEthernet0/0/2]port link-type access
[JR_SW8-GigabitEthernet0/0/2]port default vlan 50
------------------------------------
JR_SW9:
<JR_SW9>SYS
[JR_SW9]vlan batch 20 30 40 50 60 70 80 200 900
[JR_SW9]int g0/0/3
[JR_SW9-GigabitEthernet0/0/3]port link-type access
[JR_SW9-GigabitEthernet0/0/3]port default vlan 60
[JR_SW9-GigabitEthernet0/0/3]qui
[JR_SW9]int Eth-Trunk 2
[JR_SW9-Eth-Trunk2]port link-type trunk
[JR_SW9-Eth-Trunk2]port trunk allow-pass vlan 60 900
[JR_SW9-Eth-Trunk2]qui
------------------------------------
HJ_SW4:
<HJ_SW4>sys
[HJ_SW4]vlan batch 20 30 40 50 60 70 80 200 900
[HJ_SW4]int g0/0/1
[HJ_SW4-GigabitEthernet0/0/1]port link-type trunk
[HJ_SW4-GigabitEthernet0/0/1]port trunk allow-pass vlan 50 60 900
[HJ_SW4-GigabitEthernet0/0/1]int g0/0/2
[HJ_SW4-GigabitEthernet0/0/2]port link-type trunk
[HJ_SW4-GigabitEthernet0/0/2]port trunk allow-pass vlan 50 60 900
[HJ_SW4-GigabitEthernet0/0/2]int g0/0/3
[HJ_SW4-GigabitEthernet0/0/3]port link-type trunk
[HJ_SW4-GigabitEthernet0/0/3]port trunk allow-pass vlan 50 900
[HJ_SW4-GigabitEthernet0/0/3]qui
[HJ_SW4]int Eth-Trunk 2
[HJ_SW4-Eth-Trunk2]port link-type trunk
[HJ_SW4-Eth-Trunk2]port trunk allow-pass vlan 60 900
[HJ_SW4-Eth-Trunk2]qui
[HJ_SW4]
------------------------------------
JR_SW10:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname JR_SW10
[JR_SW10]vlan batch 20 30 40 50 60 70 80 200 900
[JR_SW10]int g0/0/1
[JR_SW10-GigabitEthernet0/0/1]port link-type trunk
[JR_SW10-GigabitEthernet0/0/1]port trunk allow-pass vlan 70 900
[JR_SW10-GigabitEthernet0/0/1]int g0/0/2
[JR_SW10-GigabitEthernet0/0/2]port link-type access
[JR_SW10-GigabitEthernet0/0/2]port default vlan 70
[JR_SW10-GigabitEthernet0/0/2]qui
------------------------------------
JR_SW11:
<JR_SW11>sys
[JR_SW11]vlan batch 20 30 40 50 60 70 80 200 900
[JR_SW11]int g0/0/1
[JR_SW11-GigabitEthernet0/0/1]port link-type trunk
[JR_SW11-GigabitEthernet0/0/1]port trunk allow-pass vlan 80 900
[JR_SW11-GigabitEthernet0/0/1]int g0/0/2
[JR_SW11-GigabitEthernet0/0/2]port link-type access
[JR_SW11-GigabitEthernet0/0/2]port default vlan 80
[JR_SW11-GigabitEthernet0/0/2]int g0/0/3
[JR_SW11-GigabitEthernet0/0/3]port link-type access
[JR_SW11-GigabitEthernet0/0/3]port default vlan 80
------------------------------------
HJ_SW5:
<Huawei>system-view
[Huawei]un in en
[Huawei]sysname HJ_SW5
[HJ_SW5]vlan batch 20 30 40 50 60 70 80 200 900
[HJ_SW5]int g0/0/1
[HJ_SW5-GigabitEthernet0/0/1]port link-type trunk
[HJ_SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan 70 80 900
[HJ_SW5-GigabitEthernet0/0/1]int g0/0/2
[HJ_SW5-GigabitEthernet0/0/2]port link-type trunk
[HJ_SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 70 80 900
[HJ_SW5-GigabitEthernet0/0/2]int g0/0/3
[HJ_SW5-GigabitEthernet0/0/3]port link-type trunk
[HJ_SW5-GigabitEthernet0/0/3]port trunk allow-pass vlan 70 900
[HJ_SW5-GigabitEthernet0/0/3]int g0/0/4
[HJ_SW5-GigabitEthernet0/0/4]port link-type trunk
[HJ_SW5-GigabitEthernet0/0/4]port trunk allow-pass vlan 80 900
[HJ_SW5-GigabitEthernet0/0/4]qui
------------------------------------
JR_SW12:
<Huawei>sy
[Huawei]un in en
[Huawei]sysname JR_SW12
[JR_SW12]vlan batch 20 30 40 50 60 70 80 200 900
[JR_SW12]int g0/0/1
[JR_SW12-GigabitEthernet0/0/1]port link-type trunk
[JR_SW12-GigabitEthernet0/0/1]port trunk allow-pass vlan 200 900
[JR_SW12-GigabitEthernet0/0/1]int g0/0/2
[JR_SW12-GigabitEthernet0/0/2]port link-type trunk
[JR_SW12-GigabitEthernet0/0/2]port trunk allow-pass vlan 200 900
[JR_SW12-GigabitEthernet0/0/2]int g0/0/3
[JR_SW12-GigabitEthernet0/0/3]port link-type access
[JR_SW12-GigabitEthernet0/0/3]port default vlan 200
[JR_SW12-GigabitEthernet0/0/3]int g0/0/4
[JR_SW12-GigabitEthernet0/0/4]port link-type access
[JR_SW12-GigabitEthernet0/0/4]port default vlan 200
[JR_SW12-GigabitEthernet0/0/4]qui
------------------------------------
HX_SW1:
<HX_SW1>SY
[HX_SW1]vlan batch 20 30 40 50 60 70 80 200 900 10
[HX_SW1]vlan batch 4
[HX_SW1]int g0/0/6
[HX_SW1-GigabitEthernet0/0/6]port link-type trunk
[HX_SW1-GigabitEthernet0/0/6]port trunk allow-pass vlan 200 900
[HX_SW1-GigabitEthernet0/0/6]int g0/0/1
[HX_SW1-GigabitEthernet0/0/1]port link-type access
[HX_SW1-GigabitEthernet0/0/1]port default vlan 10
[HX_SW1-GigabitEthernet0/0/1]int g0/0/2
[HX_SW1-GigabitEthernet0/0/2]port link-type access
[HX_SW1-GigabitEthernet0/0/2]port default vlan 4
[HX_SW1-GigabitEthernet0/0/2]int g0/0/3
[HX_SW1-GigabitEthernet0/0/3]port link-type trunk
[HX_SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 20 30 40 900
[HX_SW1-GigabitEthernet0/0/3]int g0/0/4
[HX_SW1-GigabitEthernet0/0/4]port link-type trunk
[HX_SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 50 60 900
[HX_SW1-GigabitEthernet0/0/4]int g0/0/5
[HX_SW1-GigabitEthernet0/0/5]port link-type trunk
[HX_SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 70 80 900
[HX_SW1-GigabitEthernet0/0/5]qui
[HX_SW1]int Eth-Trunk 1
[HX_SW1-Eth-Trunk1]port link-type trunk
[HX_SW1-Eth-Trunk1]port trunk allow-pass vlan 20 30 40 50 60 70 80 200 900
[HX_SW1-Eth-Trunk1]dis this
[HX_SW1-Eth-Trunk1]
------------------------------------
HX_SW2:
<HX_SW2>sys
[HX_SW2]vlan batch 20 30 40 50 60 70 80 200 900
[HX_SW2]vlan batch 2 5
[HX_SW2]int g0/0/1
[HX_SW2-GigabitEthernet0/0/1]port link-type access
[HX_SW2-GigabitEthernet0/0/1]port default vlan 2
[HX_SW2-GigabitEthernet0/0/1]int g0/0/2
[HX_SW2-GigabitEthernet0/0/2]port link-type access
[HX_SW2-GigabitEthernet0/0/2]port default vlan 5
[HX_SW2-GigabitEthernet0/0/2]int g0/0/3
[HX_SW2-GigabitEthernet0/0/3]port link-type trunk
[HX_SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 20 30 40 900
[HX_SW2-GigabitEthernet0/0/3]int g0/0/4
[HX_SW2-GigabitEthernet0/0/4]port link-type trunk
[HX_SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 50 60 900
[HX_SW2-GigabitEthernet0/0/4]int g0/0/5
[HX_SW2-GigabitEthernet0/0/5]port link-type trunk
[HX_SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 70 80 900
[HX_SW2-GigabitEthernet0/0/5]int g0/0/6
[HX_SW2-GigabitEthernet0/0/6]port link-type trunk
[HX_SW2-GigabitEthernet0/0/6]port trunk allow-pass vlan 200 900
[HX_SW2-GigabitEthernet0/0/6]qui
[HX_SW2]int Eth-Trunk 1
[HX_SW2-Eth-Trunk1]port link-type trunk
[HX_SW2-Eth-Trunk1]port trunk allow-pass vlan 20 30 40 50 60 70 80 200 900
[HX_SW2-Eth-Trunk1]dis this
3. MSTP configuration
HX_SW1:
<HX_SW1>sy
[HX_SW1]stp region-configuration
[HX_SW1-mst-region]instance 1 vlan 20 30 40 200
[HX_SW1-mst-region]region-name aa
[HX_SW1-mst-region]revision-level 1
[HX_SW1-mst-region]instance 2 vlan 50 60 70 80
[HX_SW1-mst-region]active region-configuration
[HX_SW1-mst-region]dis this
[HX_SW1-mst-region]qui
[HX_SW1]stp instance 1 root primary
[HX_SW1]stp instance 2 root secondary
[HX_SW1]dis this
------------------------------------
HX_SW2:
<HX_SW2>sys
[HX_SW2]stp region-configuration
[HX_SW2-mst-region]region-name aa
[HX_SW2-mst-region]revision-level 1
[HX_SW2-mst-region]instance 1 vlan 20 30 40 200
[HX_SW2-mst-region]instance 2 vlan 50 60 70 80
[HX_SW2-mst-region]active region-configuration
[HX_SW2-mst-region]qui
[HX_SW2]stp instance 2 root primary
[HX_SW2]stp instance 1 root secondary
[HX_SW2]dis this
------------------------------------
JR_SW12:
<JR_SW12>sy
[JR_SW12]stp region-configuration
[JR_SW12-mst-region]region-name aa
[JR_SW12-mst-region]revision-level 1
[JR_SW12-mst-region]instance 1 vlan 20 30 40 200
[JR_SW12-mst-region]instance 2 vlan 50 60 70 80
[JR_SW12-mst-region]active region-configuration
[JR_SW12-mst-region]qui
------------------------------------
HJ_SW3:
[HJ_SW3]stp region-configuration
[HJ_SW3-mst-region]region-name aa
[HJ_SW3-mst-region]revision-level 1
[HJ_SW3-mst-region]instance 1 vlan 20 30 40 200
[HJ_SW3-mst-region]instance 2 vlan 50 60 70 80
[HJ_SW3-mst-region]active region-configuration
[HJ_SW3-mst-region]qui
[HJ_SW3]dis stp br
------------------------------------
HJ_SW4:
<HJ_SW4>sy
[HJ_SW4]stp region-configuration
[HJ_SW4-mst-region]region-name aa
[HJ_SW4-mst-region]revision-level 1
[HJ_SW4-mst-region]instance 1 vlan 20 30 40 200
[HJ_SW4-mst-region]instance 2 vlan 50 60 70 80
[HJ_SW4-mst-region]active region-configuration
[HJ_SW4-mst-region]qui
[HJ_SW4]dis stp br
------------------------------------
HJ_SW5:
[HJ_SW5]stp region-configuration
[HJ_SW5-mst-region] region-name aa
[HJ_SW5-mst-region] revision-level 1
[HJ_SW5-mst-region] instance 1 vlan 20 30 40 200
[HJ_SW5-mst-region] instance 2 vlan 50 60 70 80
[HJ_SW5-mst-region] active region-configuration
[HJ_SW5-mst-region]qui
[HJ_SW5]dis stp br
4. VRRP gateway redundancy
HX_SW1:
[HX_SW1]int vlan 20
[HX_SW1-Vlanif20]ip add 192.168.20.254 24
[HX_SW1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.1
[HX_SW1-Vlanif20]vrrp vrid 20 priority 105
[HX_SW1-Vlanif20]dis this
[HX_SW1-Vlanif20]qui
[HX_SW1]int vlan 30
[HX_SW1-Vlanif30]ip add 192.168.30.254 24
[HX_SW1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.1
[HX_SW1-Vlanif30]vrrp vrid 30 priority 105
[HX_SW1-Vlanif30]qui
[HX_SW1]int vlan 40
[HX_SW1-Vlanif40]ip add 192.168.40.254 24
[HX_SW1-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.1
[HX_SW1-Vlanif40]vrrp vrid 40 priority 105
[HX_SW1-Vlanif40]int vlan 50
[HX_SW1-Vlanif50]ip add 192.168.50.254 24
[HX_SW1-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.1
[HX_SW1-Vlanif50]int vlan 60
[HX_SW1-Vlanif60]ip add 192.168.60.254 24
[HX_SW1-Vlanif60]vrrp vrid 60 virtual-ip 192.168.60.1
[HX_SW1-Vlanif60]int vlan 200
[HX_SW1-Vlanif200]ip add 192.168.200.254 24
[HX_SW1-Vlanif200]vrrp vrid 200 virtual-ip 192.168.200.1
[HX_SW1-Vlanif200]vrrp vrid 200 priority 105
[HX_SW1-Vlanif200]int vlan 70
[HX_SW1-Vlanif70]ip add 192.168.70.254 24
[HX_SW1-Vlanif70]vrrp vrid 70 virtual-ip 192.168.70.1
[HX_SW1-Vlanif70]int vlan 80
[HX_SW1-Vlanif80]ip add 192.168.80.254 24
[HX_SW1-Vlanif80]vrrp vrid 80 virtual-ip 192.168.80.1
[HX_SW1-Vlanif80]int vlan 10
[HX_SW1-Vlanif10]ip add 192.168.10.2 24
[HX_SW1-Vlanif10]int vlan 4
[HX_SW1-Vlanif4]ip add 192.168.4.1 24
[HX_SW1-Vlanif4]qui
[HX_SW1]
------------------------------------
HX_SW2:
[HX_SW2]int vlan 70
[HX_SW2-Vlanif70]ip add 192.168.70.253 24
[HX_SW2-Vlanif70]vrrp vrid 70 virtual-ip 192.168.70.1
[HX_SW2-Vlanif70]vrrp vrid 70 priority 105
[HX_SW2-Vlanif70]int vlan 80
[HX_SW2-Vlanif80]ip add 192.168.80.253 24
[HX_SW2-Vlanif80]vrrp vrid 80 virtual-ip 192.168.80.1
[HX_SW2-Vlanif80]vrrp vrid 80 priority 105
[HX_SW2-Vlanif80]int vlan 200
[HX_SW2-Vlanif200]ip add 192.168.200.253 24
[HX_SW2-Vlanif200]vrrp vrid 200 virtual-ip 192.168.200.1
[HX_SW2-Vlanif200]int vlan 20
[HX_SW2-Vlanif20]ip add 192.168.20.253 24
[HX_SW2-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.1
[HX_SW2-Vlanif20]int vlan 30
[HX_SW2-Vlanif30]ip add 192.168.30.253 24
[HX_SW2-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.1
[HX_SW2-Vlanif30]int vlan 40
[HX_SW2-Vlanif40]ip add 192.168.40.253 24
[HX_SW2-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.1
[HX_SW2-Vlanif40]int vlan 50
[HX_SW2-Vlanif50]ip add 192.168.50.253 24
[HX_SW2-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.1
[HX_SW2-Vlanif50]vrrp vrid 50 priority 105
[HX_SW2-Vlanif50]int vlan 60
[HX_SW2-Vlanif60]ip add 192.168.60.253 24
[HX_SW2-Vlanif60]vrrp vrid 60 virtual-ip 192.168.60.1
[HX_SW2-Vlanif60]vrrp vrid 60 priority 105
[HX_SW2-Vlanif60]int vlan 2
[HX_SW2-Vlanif2]ip add 192.168.2.2 24
[HX_SW2-Vlanif2]int vlan 5
[HX_SW2-Vlanif5]ip add 192.168.5.1 24
[HX_SW2-Vlanif5]qui
5. Verify VRRP gateway redundancy
[HX_SW1]dis vrrp br
VRID State Interface Type Virtual IP
----------------------------------------------------------------
20 Master Vlanif20 Normal 192.168.20.1
30 Master Vlanif30 Normal 192.168.30.1
40 Master Vlanif40 Normal 192.168.40.1
50 Backup Vlanif50 Normal 192.168.50.1
60 Backup Vlanif60 Normal 192.168.60.1
70 Backup Vlanif70 Normal 192.168.70.1
80 Backup Vlanif80 Normal 192.168.80.1
200 Master Vlanif200 Normal 192.168.200.1
[HX_SW1]
------------------------------------
<HX_SW2>dis vrrp br
VRID State Interface Type Virtual IP
----------------------------------------------------------------
20 Backup Vlanif20 Normal 192.168.20.1
30 Backup Vlanif30 Normal 192.168.30.1
40 Backup Vlanif40 Normal 192.168.40.1
50 Master Vlanif50 Normal 192.168.50.1
60 Master Vlanif60 Normal 192.168.60.1
70 Master Vlanif70 Normal 192.168.70.1
80 Master Vlanif80 Normal 192.168.80.1
200 Backup Vlanif200 Normal 192.168.200.1
<HX_SW2>
6. Test that the PCs can reach the gateway
7. BFD route linkage
[HX_SW1]bfd
[HX_SW1-bfd]qui
[HX_SW1]int vlan 20
[HX_SW1-Vlanif20]vrrp vrid 20 track interface g0/0/1
[HX_SW1-Vlanif20]vrrp vrid 20 track interface g0/0/2
[HX_SW1-Vlanif20]int vlan 30
[HX_SW1-Vlanif30]vrrp vrid 30 track interface g0/0/1
[HX_SW1-Vlanif30]vrrp vrid 30 track interface g0/0/2
[HX_SW1-Vlanif30]int vlan 40
[HX_SW1-Vlanif40]vrrp vrid 40 track interface g0/0/1
[HX_SW1-Vlanif40]vrrp vrid 40 track interface g0/0/2
[HX_SW1-Vlanif40]int vlan 50
[HX_SW1-Vlanif50]vrrp vrid 50 track interface g0/0/1
[HX_SW1-Vlanif50]vrrp vrid 50 track interface g0/0/2
[HX_SW1-Vlanif50]int vlan 60
[HX_SW1-Vlanif60]vrrp vrid 60 track interface g0/0/1
[HX_SW1-Vlanif60]vrrp vrid 60 track interface g0/0/2
[HX_SW1-Vlanif60]int vlan 70
[HX_SW1-Vlanif70]vrrp vrid 70 track interface g0/0/1
[HX_SW1-Vlanif70]vrrp vrid 70 track interface g0/0/2
[HX_SW1-Vlanif70]int vlan 80
[HX_SW1-Vlanif80]vrrp vrid 80 track interface g0/0/1
[HX_SW1-Vlanif80]vrrp vrid 80 track interface g0/0/2
[HX_SW1-Vlanif80]int vlan 200
[HX_SW1-Vlanif200]vrrp vrid 200 track interface g0/0/1
[HX_SW1-Vlanif200]vrrp vrid 200 track interface g0/0/2
[HX_SW1-Vlanif200]dis this
------------------------------------
HX_SW2:
[HX_SW2]bfd
qui
int vlan 20
vrrp vrid 20 track interface g0/0/1
vrrp vrid 20 track interface g0/0/2
int vlan 30
vrrp vrid 30 track interface g0/0/1
vrrp vrid 30 track interface g0/0/2
int vlan 40
vrrp vrid 40 track interface g0/0/1
vrrp vrid 40 track interface g0/0/2
int vlan 50
vrrp vrid 50 track interface g0/0/1
vrrp vrid 50 track interface g0/0/2
int vlan 60
vrrp vrid 60 track interface g0/0/1
vrrp vrid 60 track interface g0/0/2
int vlan 70
vrrp vrid 70 track interface g0/0/1
vrrp vrid 70 track interface g0/0/2
int vlan 80
vrrp vrid 80 track interface g0/0/1
vrrp vrid 80 track interface g0/0/2
int vlan 200
vrrp vrid 200 track interface g0/0/1
vrrp vrid 200 track interface g0/0/2
[HX_SW2-Vlanif200]dis this
8. Core-layer router address configuration
R1:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.6.1 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 192.168.10.1 24
[R1-GigabitEthernet0/0/1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip add 192.168.2.1 24
[R1-GigabitEthernet0/0/2]int g4/0/0
[R1-GigabitEthernet4/0/0]ip add 192.168.3.1 24
[R1-GigabitEthernet4/0/0]qui
[R1]
------------------------------------
R2:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 192.168.7.1 24
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 192.168.4.2 24
[R2-GigabitEthernet0/0/1]int g0/0/2
[R2-GigabitEthernet0/0/2]ip add 192.168.5.2 24
[R2-GigabitEthernet0/0/2]int g4/0/0
[R2-GigabitEthernet4/0/0]ip add 192.168.3.2 24
[R2-GigabitEthernet4/0/0]qui
[R2]
9. Basic firewall configuration
IP address configuration and zone assignment
<USG6000V1>sys
[USG6000V1]un in en
[USG6000V1]sysname FW
[FW]int g1/0/0
[FW-GigabitEthernet1/0/0]ip add 192.168.8.1 30
[FW-GigabitEthernet1/0/0]service-manage all permit
[FW-GigabitEthernet1/0/0]int g1/0/1
[FW-GigabitEthernet1/0/1]ip add 192.168.6.2 24
[FW-GigabitEthernet1/0/1]service-manage all permit
[FW-GigabitEthernet1/0/1]int g1/0/2
[FW-GigabitEthernet1/0/2]ip add 192.168.7.2 24
[FW-GigabitEthernet1/0/2]service-manage all permit
[FW-GigabitEthernet1/0/2]int g1/0/3
[FW-GigabitEthernet1/0/3]ip add 192.168.111.1 24
[FW-GigabitEthernet1/0/3]service-manage all permit
[FW-GigabitEthernet1/0/3]quit
[FW]firewall zone untrust
[FW-zone-untrust]add int g1/0/0
[FW-zone-untrust]qui
[FW]firewall zone dmz
[FW-zone-dmz]add int g1/0/3
[FW-zone-dmz]quit
[FW]firewall zone trust
[FW-zone-trust]add int g1/0/1
[FW-zone-trust]add int g1/0/2
[FW-zone-trust]qui
10. OSPF configuration
HX_SW1:
[HX_SW1]ospf 1
[HX_SW1-ospf-1]area 0
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.4.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.60.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.70.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.80.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.200.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]qui
[HX_SW1-ospf-1]qui
[HX_SW1]
------------------------------------
HX_SW2:
[HX_SW2]ospf 1
[HX_SW2-ospf-1]area 0
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.2.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.5.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.60.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.70.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.80.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.200.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.100.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.101.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.102.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]qui
[HX_SW2-ospf-1]qui
[HX_SW2]
------------------------------------
R1:
[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]net 192.168.2.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]net 192.168.3.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]qui
[R1-ospf-1]qui
[R1]
------------------------------------
R2:
[R2]ospf 1
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]net 192.168.5.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]net 192.168.3.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]net 192.168.4.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]quit
[R2-ospf-1]quit
[R2]
11. Firewall policy configuration
[FW]security-policy
[FW-policy-security]rule name trust_to_dmz
[FW-policy-security-rule-trust_to_dmz]source-zone trust
[FW-policy-security-rule-trust_to_dmz]destination-zone dmz
[FW-policy-security-rule-trust_to_dmz]action permit
[FW-policy-security-rule-trust_to_dmz]qui
[FW-policy-security]qui
[FW]security-policy
[FW-policy-security]rule name local_to_any
[FW-policy-security-rule-local_to_any]source-zone local
[FW-policy-security-rule-local_to_any]destination-zone any
[FW-policy-security-rule-local_to_any]action permit
[FW-policy-security-rule-local_to_any]qui
[FW-policy-security]qui
[FW]security-policy
[FW-policy-security]rule name trust_to_untrust
[FW-policy-security-rule-trust_to_untrust]source-zone trust
[FW-policy-security-rule-trust_to_untrust]destination-zone untrust
[FW-policy-security-rule-trust_to_untrust]action permit
[FW-policy-security-rule-trust_to_untrust]quit
[FW-policy-security]quit
[FW]nat-policy
[FW-policy-nat]rule name trust_nat_untrsut
[FW-policy-nat-rule-trust_nat_untrsut]source-zone trust
[FW-policy-nat-rule-trust_nat_untrsut]destination-zone untrust
[FW-policy-nat-rule-trust_nat_untrsut]action source-nat easy-ip
[FW-policy-nat-rule-trust_nat_untrsut]dis this
[FW-policy-nat-rule-trust_nat_untrsut]quit
[FW-policy-security]rule name untrust_to_dmz
[FW-policy-security-rule-untrust_to_dmz]source-zone untrust
[FW-policy-security-rule-untrust_to_dmz]destination-zone dmz
[FW-policy-security-rule-untrust_to_dmz]action permit
[FW-policy-security-rule-untrust_to_dmz]qui
[FW-policy-security]rule name dmz_to_untrust
[FW-policy-security-rule-dmz_to_untrust]source-zone dmz
[FW-policy-security-rule-dmz_to_untrust]destination-zone untrust
[FW-policy-security-rule-dmz_to_untrust]action permit
[FW-policy-security-rule-dmz_to_untrust]qui
[FW-policy-security]
12. Basic configuration of the external router
ISP_R:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname ISP_R
[ISP_R]int g0/0/1
[ISP_R-GigabitEthernet0/0/1]ip add 192.168.8.2 30
[ISP_R-GigabitEthernet0/0/1]int g0/0/0
[ISP_R-GigabitEthernet0/0/0]ip add 10.10.10.1 24
[ISP_R-GigabitEthernet0/0/0]qui
[ISP_R]
------------------------------------
13. Static route configuration
FW:
[FW]ip route-static 0.0.0.0 0 192.168.8.2
[FW]ip route-static 192.168.0.0 255.255.0.0 192.168.6.1
[FW]ip route-static 192.168.0.0 255.255.0.0 192.168.7.1 preference 70
------------------------------------
R1:
[R1]ip route-static 0.0.0.0 0.0.0.0 192.168.6.2
[R1]ip route-static 0.0.0.0 0 192.168.3.2 preference 70
------------------------------------
R2:
[R2]ip route-static 0.0.0.0 0 192.168.7.2
[R2]ip route-static 0.0.0.0 0 192.168.3.1 preference 70
------------------------------------
HX_SW1:
[HX_SW1]ip route-static 0.0.0.0 0.0.0.0 192.168.10.1
[HX_SW1]ip route-static 0.0.0.0 0.0.0.0 192.168.4.2 preference 70
------------------------------------
HX_SW2:
[HX_SW2]ip route-static 0.0.0.0 0.0.0.0 192.168.5.2
[HX_SW2]ip route-static 0.0.0.0 0.0.0.0 192.168.2.1 preference 70
------------------------------------
ISP_R:
[ISP_R]ip route-static 0.0.0.0 0.0.0.0 192.168.8.1
14. Server address mapping
[FW]nat server untrust_dmz zone untrust protocol icmp global 100.100.100.100 inside 192.168.111.2 no-reverse
[FW]nat server untust_dmz_web protocol tcp global 100.100.100.100 80 inside 192.168.111.2 80 no-reverse
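As an added example (not part of the original article), this Python script parses the FW commands from sections 9 and 11 and flags two exposure patterns in them: management services opened on the untrust interface, and a permit rule sourced from untrust with no address or service match. The `tightened()` variant is constructed for comparison; its `service-manage ping permit`, `destination-address` and `service` lines are assumptions modelled on the two `nat server` mappings above.

```python
# Added example, not from the original article. FW commands from sections 9
# and 11, prompts and "ip add" lines stripped, abbreviations kept as typed.
FW_COMMANDS = """\
int g1/0/0
service-manage all permit
int g1/0/1
service-manage all permit
int g1/0/2
service-manage all permit
int g1/0/3
service-manage all permit
firewall zone untrust
add int g1/0/0
firewall zone dmz
add int g1/0/3
firewall zone trust
add int g1/0/1
add int g1/0/2
security-policy
rule name trust_to_dmz
source-zone trust
destination-zone dmz
action permit
rule name local_to_any
source-zone local
destination-zone any
action permit
rule name trust_to_untrust
source-zone trust
destination-zone untrust
action permit
rule name untrust_to_dmz
source-zone untrust
destination-zone dmz
action permit
rule name dmz_to_untrust
source-zone dmz
destination-zone untrust
action permit
"""


def parse(text):
    """Return (interfaces, rules) parsed from a flat list of VRP commands."""
    interfaces, rules, zone, itf, rule = {}, [], None, None, None
    new_if = lambda: {"zone": None, "mgmt": set()}
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "int":
            itf = interfaces.setdefault(w[1], new_if())
        elif w[0] == "service-manage" and itf is not None and w[-1] == "permit":
            itf["mgmt"].add(w[1])
        elif w[:2] == ["firewall", "zone"]:
            zone = w[2]
        elif w[:2] == ["add", "int"]:
            interfaces.setdefault(w[2], new_if())["zone"] = zone
        elif w[:2] == ["rule", "name"]:
            rule = {"name": w[2], "action": None, "narrowed": False}
            rules.append(rule)
        elif rule is not None and w[0] in ("source-zone", "destination-zone", "action"):
            rule[w[0]] = w[1]
        elif rule is not None and w[0] in ("source-address", "destination-address", "service"):
            rule["narrowed"] = True
    return interfaces, rules


def audit(text):
    """Return sorted (finding, subject) pairs for the two exposure patterns."""
    interfaces, rules = parse(text)
    findings = []
    for name, itf in interfaces.items():
        # "all" opens every management service of the firewall to that zone.
        if itf["zone"] == "untrust" and "all" in itf["mgmt"]:
            findings.append(("mgmt-open-to-untrust", name))
    for r in rules:
        # A permit from untrust without an address or service match admits
        # any protocol to every host in the destination zone.
        if (r["action"] == "permit" and r.get("source-zone") == "untrust"
                and not r["narrowed"]):
            findings.append(("unrestricted-inbound-permit", r["name"]))
    return sorted(findings)


def tightened(text):
    """Constructed variant: ping-only management on g1/0/0, and untrust_to_dmz
    matched to the inside address and services published in section 14."""
    text = text.replace("int g1/0/0\nservice-manage all permit",
                        "int g1/0/0\nservice-manage ping permit", 1)
    return text.replace(
        "source-zone untrust\ndestination-zone dmz\n",
        "source-zone untrust\ndestination-zone dmz\n"
        "destination-address 192.168.111.2 32\nservice http\nservice icmp\n", 1)


if __name__ == "__main__":
    print("as configured:", audit(FW_COMMANDS))
    print("tightened:    ", audit(tightened(FW_COMMANDS)))
```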
15. DHCP relay
DHCP:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname DHCP
[DHCP]dhcp enable
[DHCP]ip pool vlan20
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan20]network 192.168.20.0 mask 24
[DHCP-ip-pool-vlan20]gateway-list 192.168.20.1
[DHCP-ip-pool-vlan20]dns-list 192.168.111.3 8.8.8.8
[DHCP-ip-pool-vlan20]excluded-ip-address 192.168.20.250 192.168.20.254
[DHCP-ip-pool-vlan20]q
[DHCP]ip pool vlan30
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan30]gateway-list 192.168.30.1
[DHCP-ip-pool-vlan30]network 192.168.30.0 mask 255.255.255.0
[DHCP-ip-pool-vlan30]dns-list 192.168.111.3 8.8.8.8
[DHCP-ip-pool-vlan30]excluded-ip-address 192.168.30.250 192.168.30.254
[DHCP-ip-pool-vlan30]q
[DHCP]ip pool vlan40
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan40]gateway-list 192.168.40.1
[DHCP-ip-pool-vlan40]network 192.168.40.0 mask 255.255.255.0
[DHCP-ip-pool-vlan40]dns-list 192.168.111.3 8.8.8.8
[DHCP-ip-pool-vlan40]excluded-ip-address 192.168.40.250 192.168.40.254
[DHCP-ip-pool-vlan40]q
[DHCP]ip pool vlan50
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan50]gateway-list 192.168.50.1
[DHCP-ip-pool-vlan50]network 192.168.50.0 mask 255.255.255.0
[DHCP-ip-pool-vlan50]dns-list 192.168.111.3 8.8.8.8
[DHCP-ip-pool-vlan50]excluded-ip-address 192.168.50.250 192.168.50.254
[DHCP-ip-pool-vlan50]q
[DHCP]ip pool vlan60
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan60]network 192.168.60.0 mask 24
[DHCP-ip-pool-vlan60]gateway-list 192.168.60.1
[DHCP-ip-pool-vlan60]dns-list 192.168.111.3 8.8.8.8
[DHCP-ip-pool-vlan60]excluded-ip-address 192.168.60.250 192.168.60.254
[DHCP-ip-pool-vlan60]q
[DHCP]ip pool vlan70
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan70]gateway-list 192.168.70.1
[DHCP-ip-pool-vlan70]network 192.168.70.0 mask 255.255.255.0
[DHCP-ip-pool-vlan70]dns-list 192.168.111.3 8.8.8.8
[DHCP-ip-pool-vlan70]excluded-ip-address 192.168.70.250 192.168.70.254
[DHCP-ip-pool-vlan70]q
[DHCP]ip pool vlan80
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan80]gateway-list 192.168.80.1
[DHCP-ip-pool-vlan80]network 192.168.80.0 mask 255.255.255.0
[DHCP-ip-pool-vlan80]dns-list 192.168.111.3 8.8.8.8
[DHCP-ip-pool-vlan80]excluded-ip-address 192.168.80.250 192.168.80.254
[DHCP-ip-pool-vlan80]q
[DHCP]int g0/0/0
[DHCP-GigabitEthernet0/0/0]dhcp select global
[DHCP-GigabitEthernet0/0/0]qui
------------------------------------
HX_SW1:
<HX_SW1>sy
[HX_SW1]dhcp enable
[HX_SW1]int vlanif20
[HX_SW1-Vlanif20]dhcp select relay
[HX_SW1-Vlanif20]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif20]int vlanif30
[HX_SW1-Vlanif30]dhcp select relay
[HX_SW1-Vlanif30]dhcp select relay
[HX_SW1-Vlanif30]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif30]int vlanif40
[HX_SW1-Vlanif40]dhcp select relay
[HX_SW1-Vlanif40]dhcp relay server-ip 192.168.200.3
............
...........
[HX_SW1]
------------------------------------
HX_SW2:
<HX_SW2>SYS
[HX_SW2]dhcp enable
[HX_SW2]int vlanif20
[HX_SW2-Vlanif20]dhcp select relay
[HX_SW2-Vlanif20]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif20]dis this
#
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.1
vrrp vrid 20 priority 105
vrrp vrid 20 track interface GigabitEthernet0/0/1
vrrp vrid 20 track interface GigabitEthernet0/0/2
dhcp select relay
dhcp relay server-ip 192.168.200.3
#
return
[HX_SW2-Vlanif20]int vlanif30
[HX_SW2-Vlanif30]dhcp select relay
[HX_SW2-Vlanif30]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif30]int vlanif40
[HX_SW2-Vlanif40]dhcp select relay
[HX_SW2-Vlanif40]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif40]int vlanif50
[HX_SW2-Vlanif50]dhcp select relay
[HX_SW2-Vlanif50]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif50]int vlanif60
[HX_SW2-Vlanif60]dhcp select relay
[HX_SW2-Vlanif60]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif60]int vlanif70
[HX_SW2-Vlanif70]dhcp select relay
[HX_SW2-Vlanif70]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif70]int vlanif80
[HX_SW2-Vlanif80]dhcp select relay
[HX_SW2-Vlanif80]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif80]
16. Snooping configuration
JR_SW6:
[JR_SW6]dhcp enable
[JR_SW6]dhcp snooping enable
[JR_SW6]vlan 20
[JR_SW6-vlan20]dhcp snooping en
[JR_SW6-vlan20]vlan 30
[JR_SW6-vlan30]dhcp snooping enable
[JR_SW6-vlan30]qui
[JR_SW6]int g0/0/1
[JR_SW6-GigabitEthernet0/0/1]dhcp snooping trusted
[JR_SW6-GigabitEthernet0/0/1]dis this
------------------------------------
JR_SW7:
<JR_SW7>sys
[JR_SW7]dhcp enable
[JR_SW7]dhcp snooping enable
[JR_SW7]vlan 40
[JR_SW7-vlan40]dhcp snooping enable
[JR_SW7-vlan40]qui
[JR_SW7]int g0/0/1
[JR_SW7-GigabitEthernet0/0/1]dhcp snooping trusted
[JR_SW7-GigabitEthernet0/0/1]qui
------------------------------------
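JR_SW8: omitted
------------------------------------
JR_SW9: omitted
It is enough that an address can be obtained; here the address PC1 obtains should be 30.254 (the screenshot is for demonstration only)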
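As an added example (not part of the original article), this Python script checks a switch transcript for DHCP snooping coverage: snooping enabled globally and in every access VLAN, no access port marked trusted, and a trusted trunk uplink present. The JR_SW6 lines are taken from sections 2 and 16 above; the `BROKEN` variant and the finding names are constructed for illustration.

```python
import re

# JR_SW6 lines as they appear in sections 2 and 16 (view-change lines left out;
# the prompt already carries the view each command was typed in).
JR_SW6 = """\
[JR_SW6-GigabitEthernet0/0/1]port link-type trunk
[JR_SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan 20 30 900
[JR_SW6-GigabitEthernet0/0/2]port link-type access
[JR_SW6-GigabitEthernet0/0/2]port default vlan 20
[JR_SW6-GigabitEthernet0/0/3]port link-type access
[JR_SW6-GigabitEthernet0/0/3]port default vlan 30
[JR_SW6]dhcp enable
[JR_SW6]dhcp snooping enable
[JR_SW6-vlan20]dhcp snooping en
[JR_SW6-vlan30]dhcp snooping enable
[JR_SW6-GigabitEthernet0/0/1]dhcp snooping trusted
"""

# Constructed misconfiguration: VLAN 30 left without snooping and the trusted
# flag placed on an access port instead of the uplink.
BROKEN = (JR_SW6
          .replace("[JR_SW6-vlan30]dhcp snooping enable\n", "")
          .replace("[JR_SW6-GigabitEthernet0/0/1]dhcp snooping trusted",
                   "[JR_SW6-GigabitEthernet0/0/3]dhcp snooping trusted"))

# "[host-view]command": the view is absent in the system view.
PROMPT = re.compile(r"^\[(?P<host>[^\]-]+)(?:-(?P<view>[^\]]+))?\](?P<cmd>.*)$")


def parse(transcript):
    """Collect snooping state and port roles from a VRP transcript."""
    state = {"global": False, "vlans": set(), "ports": {}}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        view, w = m.group("view") or "", m.group("cmd").split()
        if not w:
            continue
        snoop = w[:2] == ["dhcp", "snooping"] and len(w) == 3
        # VRP accepts unambiguous abbreviations such as "en" for "enable".
        enable = snoop and "enable".startswith(w[2])
        if view.startswith("GigabitEthernet"):
            port = state["ports"].setdefault(
                view, {"type": None, "vlan": None, "trusted": False})
            if w[:2] == ["port", "link-type"]:
                port["type"] = w[2]
            elif w[:3] == ["port", "default", "vlan"]:
                port["vlan"] = int(w[3])
            elif snoop and w[2] == "trusted":
                port["trusted"] = True
        elif view.startswith("vlan") and enable:
            state["vlans"].add(int(view[4:]))
        elif view == "" and enable:
            state["global"] = True
    return state


def check(transcript):
    """Return a list of (finding, subject) pairs; empty means full coverage."""
    st = parse(transcript)
    findings = []
    if not st["global"]:
        findings.append(("snooping-off-globally", ""))
    for name in sorted(st["ports"]):
        port = st["ports"][name]
        if port["type"] != "access":
            continue
        if port["vlan"] not in st["vlans"]:
            # Server replies arriving in this VLAN are not filtered.
            findings.append(("access-vlan-unprotected", str(port["vlan"])))
        if port["trusted"]:
            # A DHCP server plugged into this user port would be accepted.
            findings.append(("access-port-trusted", name))
    if not any(p["trusted"] and p["type"] == "trunk" for p in st["ports"].values()):
        # Replies from the real server arrive on the uplink and would be dropped.
        findings.append(("no-trusted-uplink", ""))
    return findings


if __name__ == "__main__":
    print("JR_SW6 as configured:", check(JR_SW6))
    print("constructed variant: ", check(BROKEN))
```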
16. Telnet remote management configuration
HX_SW1:
[HX_SW1]aaa
[HX_SW1-aaa]local-user huawei privilege level 3 password cipher 5555
[HX_SW1-aaa]local-user huawei service-type telnet
[HX_SW1-aaa]quit
[HX_SW1]user-interface vty 0 4
[HX_SW1-ui-vty0-4]authentication-mode aaa
[HX_SW1-ui-vty0-4]protocol inbound telnet
[HX_SW1-ui-vty0-4]qui
[HX_SW1]int vlanif 900
[HX_SW1-Vlanif900]ip add 192.168.255.254 24
[HX_SW1-Vlanif900]vrrp vrid 255 virtual-ip 192.168.255.1
[HX_SW1-Vlanif900]dis this
#
interface Vlanif900
ip address 192.168.255.254 255.255.255.0
vrrp vrid 255 virtual-ip 192.168.255.1
#
return
[HX_SW1-Vlanif900]q
------------------------------------
HX_SW2:
[HX_SW2]aaa
[HX_SW2-aaa]local-user huawei privilege level 3 password cipher 5555
Info: Add a new user.
[HX_SW2-aaa]local-user huawei service-type telnet
[HX_SW2-aaa]quit
[HX_SW2]user-interface vty 0 4
[HX_SW2-ui-vty0-4]authentication-mode aaa
[HX_SW2-ui-vty0-4]protocol inbound telnet
[HX_SW2-ui-vty0-4]qui
[HX_SW2]int vlanif 900
[HX_SW2-Vlanif900]ip add 192.168.255.253 24
[HX_SW2-Vlanif900]vrrp vrid 255 virtual-ip 192.168.255.1
[HX_SW2-Vlanif900]dis this
#
interface Vlanif900
ip address 192.168.255.253 255.255.255.0
vrrp vrid 255 virtual-ip 192.168.255.1
#
return
[HX_SW2-Vlanif900]q
------------------------------------
HJ_SW3:
[HJ_SW3]aaa
[HJ_SW3-aaa]local-user huawei privilege level 3 password cipher 5555
[HJ_SW3-aaa]local-user huawei service-type telnet
[HJ_SW3-aaa]quit
[HJ_SW3]user-interface vty 0 4
[HJ_SW3-ui-vty0-4]authentication-mode aaa
[HJ_SW3-ui-vty0-4]protocol inbound telnet
[HJ_SW3-ui-vty0-4]qui
[HJ_SW3]int vlanif 900
[HJ_SW3-Vlanif900]ip add 192.168.255.3 24
[HJ_SW3-Vlanif900]q
[HJ_SW3]ip route-static 0.0.0.0 0 192.168.255.1
[HJ_SW3]
HJ_SW4:
[HJ_SW4]aaa
[HJ_SW4-aaa]local-user huawei privilege level 3 password cipher 5555
[HJ_SW4-aaa]local-user huawei service-type telnet
[HJ_SW4-aaa]quit
[HJ_SW4]user-interface vty 0 4
[HJ_SW4-ui-vty0-4]authentication-mode aaa
[HJ_SW4-ui-vty0-4]protocol inbound telnet
[HJ_SW4-ui-vty0-4]qui
[HJ_SW4]int vlanif 900
[HJ_SW4-Vlanif900]ip add 192.168.255.4 24
[HJ_SW4-Vlanif900]q
[HJ_SW4]ip route-static 0.0.0.0 0 192.168.255.1
[HJ_SW4]qui
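An added example, not part of the original configuration: a small Python audit that reads session lines like the ones above and reports, per device, the Telnet-enabled VTY, the Telnet service type and short local-user passwords, plus any account whose credential is identical on several devices. The sample lines are copied from the HX_SW1 and HJ_SW3 sessions; the 12-character threshold and the prompt pattern (device names without hyphens) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HX_SW1 and HJ_SW3 sessions above.
SESSION = """\
[HX_SW1-aaa]local-user huawei privilege level 3 password cipher 5555
[HX_SW1-aaa]local-user huawei service-type telnet
[HX_SW1-ui-vty0-4]authentication-mode aaa
[HX_SW1-ui-vty0-4]protocol inbound telnet
[HJ_SW3-aaa]local-user huawei privilege level 3 password cipher 5555
[HJ_SW3-aaa]local-user huawei service-type telnet
[HJ_SW3-ui-vty0-4]authentication-mode aaa
[HJ_SW3-ui-vty0-4]protocol inbound telnet
"""

# "[DEVICE-view]command"; assumes device names contain no hyphen.
PROMPT = re.compile(r"^\[([A-Za-z0-9_]+)(?:-[^\]]*)?\](.*)$")
USER = re.compile(r"local-user (\S+) privilege level (\d+) password cipher (\S+)")
MIN_LEN = 12  # assumed local policy threshold, not a VRP default


def audit(session):
    """Return (findings per device, {user: devices sharing one credential})."""
    findings = defaultdict(list)
    seen = defaultdict(set)  # (user, password) -> devices configured with it
    for line in session.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # device output such as "Info: ..." or "#"
        device, cmd = m.group(1), m.group(2).strip()
        u = USER.search(cmd)
        if u:
            user, level, pw = u.group(1), int(u.group(2)), u.group(3)
            seen[(user, pw)].add(device)
            if len(pw) < MIN_LEN:
                findings[device].append(f"short-password:{user}:level{level}")
        elif cmd == "protocol inbound telnet":
            findings[device].append("vty-cleartext-telnet")
        elif cmd.endswith("service-type telnet"):
            findings[device].append("user-allowed-telnet")
    reuse = {u: sorted(d) for (u, _pw), d in seen.items() if len(d) > 1}
    return dict(findings), reuse


if __name__ == "__main__":
    per_device, shared = audit(SESSION)
    for dev, items in per_device.items():
        print(dev, items)
    print("same credential on:", shared)
```
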
17. ACL policy
HX_SW1:
[HX_SW1]acl 3001
[HX_SW1-acl-adv-3001]rule permit ip source 192.168.50.0 0.0.0.255 destination 192.168.200.2 0
[HX_SW1-acl-adv-3001]rule deny ip source any destination 192.168.200.2 0
[HX_SW1-acl-adv-3001]dis this
#
acl number 3001
rule 5 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.200.2 0
rule 10 deny ip destination 192.168.200.2 0
#
return
[HX_SW1-acl-adv-3001]qui
[HX_SW1]int g0/0/6
[HX_SW1-GigabitEthernet0/0/6]traffic-filter outbound acl 3001
[HX_SW1-GigabitEthernet0/0/6]qui
------------------------------------
HX_SW2:
[HX_SW2]acl 3001
[HX_SW2-acl-adv-3001]rule permit ip source 192.168.50.0 0.0.0.255 destination 192.168.200.2 0
[HX_SW2-acl-adv-3001]rule deny ip source any destination 192.168.200.2 0
[HX_SW2-acl-adv-3001]dis this
#
acl number 3001
rule 5 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.200.2 0
rule 10 deny ip destination 192.168.200.2 0
#
return
[HX_SW2-acl-adv-3001]qui
[HX_SW2]
[HX_SW2]int g0/0/6
[HX_SW2-GigabitEthernet0/0/6]traffic-filter outbound acl 3001
[HX_SW2-GigabitEthernet0/0/6]qui
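An added example, not part of the original configuration: a Python evaluator for ACL 3001 as the switch displays it in `dis this` (auto-numbered rules 5 and 10, with `source any` dropped from the deny rule), showing how the wildcard masks and rule order decide which sources reach 192.168.200.2. The test hosts are constructed; a flow that matches no rule is reported as `no-match` rather than given a verdict.

```python
import ipaddress
import re

# The two rules exactly as shown by "dis this" above.
ACL_3001 = """\
rule 5 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.200.2 0
rule 10 deny ip destination 192.168.200.2 0
"""

RULE = re.compile(
    r"rule (\d+) (permit|deny) ip"
    r"(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$")


def to_int(text):
    # A wildcard written as "0" is shorthand for 0.0.0.0 (exactly one host).
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def parse(acl_text):
    rules = []
    for line in acl_text.splitlines():
        m = RULE.match(line.strip())
        if m:
            rid, action, s, sw, d, dw = m.groups()
            rules.append((int(rid), action,
                          (s, sw) if s else None, (d, dw) if d else None))
    return sorted(rules, key=lambda r: r[0])  # ascending rule ID


def hit(addr, field):
    if field is None:  # field absent from the rule means "any"
        return True
    care = ~to_int(field[1]) & 0xFFFFFFFF  # wildcard bit 0 = compare, 1 = ignore
    return to_int(addr) & care == to_int(field[0]) & care


def verdict(rules, src, dst):
    """First matching rule wins; 'no-match' means no rule applied."""
    for rid, action, s, d in rules:
        if hit(src, s) and hit(dst, d):
            return f"{action} (rule {rid})"
    return "no-match"


RULES = parse(ACL_3001)

if __name__ == "__main__":
    for src, dst in [("192.168.50.10", "192.168.200.2"),    # constructed hosts
                     ("192.168.101.20", "192.168.200.2"),
                     ("192.168.101.20", "192.168.200.3")]:
        print(src, "->", dst, verdict(RULES, src, dst))
```
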
18. Wireless (WLAN) configuration
HX_SW2:
<HX_SW2>sy
[HX_SW2]vlan batch 100 101 102
[HX_SW2]int g0/0/9
[HX_SW2-GigabitEthernet0/0/9]port link-type trunk
[HX_SW2-GigabitEthernet0/0/9]port trunk allow-pass vlan all
[HX_SW2-GigabitEthernet0/0/9]int g0/0/3
[HX_SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 100 101 102
[HX_SW2-GigabitEthernet0/0/3]int g0/0/5
[HX_SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 100 101 102
[HX_SW2-GigabitEthernet0/0/5]qui
[HX_SW2]int vlan 100
[HX_SW2-Vlanif100]ip add 192.168.100.1 24
[HX_SW2-Vlanif100]int vlan 101
[HX_SW2-Vlanif101]ip add 192.168.101.1 24
[HX_SW2-Vlanif101]int vlan 102
[HX_SW2-Vlanif102]ip add 192.168.102.1 24
[HX_SW2-Vlanif102]qui
[HX_SW2]dhcp enable
[HX_SW2]ip pool ap_pool
Info:It's successful to create an IP address pool.
[HX_SW2-ip-pool-ap_pool]gateway-list 192.168.100.1
[HX_SW2-ip-pool-ap_pool]network 192.168.100.0 mask 24
[HX_SW2-ip-pool-ap_pool]excluded-ip-address 192.168.100.100
[HX_SW2-ip-pool-ap_pool]dns-list 192.168.111.3
[HX_SW2-ip-pool-ap_pool]qui
[HX_SW2]ip pool hua_1
Info:It's successful to create an IP address pool.
[HX_SW2-ip-pool-hua_1]gateway-list 192.168.101.1
[HX_SW2-ip-pool-hua_1]network 192.168.101.0 mask 24
[HX_SW2-ip-pool-hua_1]dns-list 192.168.111.3
[HX_SW2-ip-pool-hua_1]qui
[HX_SW2]ip pool hua_2
Info:It's successful to create an IP address pool.
[HX_SW2-ip-pool-hua_2]gateway-list 192.168.102.1
[HX_SW2-ip-pool-hua_2]network 192.168.102.0 mask 24
[HX_SW2-ip-pool-hua_2]dns-list 192.168.111.3
[HX_SW2-ip-pool-hua_2]qui
[HX_SW2]int vlan 100
[HX_SW2-Vlanif100]dhcp select global
[HX_SW2-Vlanif100]int vlan 101
[HX_SW2-Vlanif101]dhcp select global
[HX_SW2-Vlanif101]int vlan 102
[HX_SW2-Vlanif102]dhcp select global
[HX_SW2-Vlanif102]qui
[HX_SW2]qui
<HX_SW2>save
-------------------------------------
HJ_SW3:
<HJ_SW3>sy
[HJ_SW3]vlan batch 100 101 102
[HJ_SW3]int g0/0/2
[HJ_SW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 101 102
[HJ_SW3-GigabitEthernet0/0/2]int g0/0/5
[HJ_SW3-GigabitEthernet0/0/5]port link-type trunk
[HJ_SW3-GigabitEthernet0/0/5]port trunk pvid vlan 100
[HJ_SW3-GigabitEthernet0/0/5]port trunk allow-pass vlan 100 101
[HJ_SW3-GigabitEthernet0/0/5]qui
[HJ_SW3]qui
---------------------------------
HJ_SW5:
[HJ_SW5]vlan batch 100 101 102
[HJ_SW5]int g0/0/2
[HJ_SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 101 102
[HJ_SW5-GigabitEthernet0/0/2]int g0/0/5
[HJ_SW5-GigabitEthernet0/0/5]port link-type trunk
[HJ_SW5-GigabitEthernet0/0/5]port trunk pvid vlan 100
[HJ_SW5-GigabitEthernet0/0/5]port trunk allow-pass vlan 100 102
[HJ_SW5-GigabitEthernet0/0/5]qui
[HJ_SW5]qu
---------------------------------
AC:
<AC6605>sy
[AC6605]un in en
[AC6605]sysname AC1
[AC1]vlan batch 100 to 103
[AC1]int g0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[AC1-GigabitEthernet0/0/1]qui
[AC1]int vlan 100
[AC1-Vlanif100]ip add 192.168.100.100 24
[AC1-Vlanif100]qui
[AC1]capwap source int vlanif100
[AC1]wlan
[AC1-wlan-view]ap-group name CYY
[AC1-wlan-ap-group-CYY]q
[AC1-wlan-view]regulatory-domain-profile name domain1
[AC1-wlan-regulate-domain-domain1]country-code cn
[AC1-wlan-regulate-domain-domain1]q
[AC1-wlan-view]ap-group name CYY
[AC1-wlan-ap-group-CYY]regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-CYY]qui
[AC1-wlan-view]qui
[AC1]wlan
[AC1-wlan-view]ap-group name YYC
[AC1-wlan-ap-group-YYC]q
[AC1-wlan-view]regulatory-domain-profile name domain2
[AC1-wlan-regulate-domain-domain2]country-code cn
Info: The current country code is same with the input country code.
[AC1-wlan-regulate-domain-domain2]q
[AC1-wlan-view]ap-group name YYC
[AC1-wlan-ap-group-YYC]regulatory-domain-profile domain2
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-YYC]qui
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 0 ap-mac 00e0-fc82-0a90
[AC1-wlan-ap-0]ap-name area_0
[AC1-wlan-ap-0]ap-group CYY
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC1-wlan-ap-0]qui
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fc2d-1bd0
[AC1-wlan-ap-1]ap-name area_1
[AC1-wlan-ap-1]ap-group YYC
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC1-wlan-ap-1]qui
[AC1-wlan-view]qui
[AC1]wlan
[AC1-wlan-view]security-profile name A
[AC1-wlan-sec-prof-A]security wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-A]q
[AC1-wlan-view]security-profile name X
[AC1-wlan-sec-prof-X]security wpa2 psk pass-phrase huawei@123 aes
[AC1-wlan-sec-prof-X]qui
[AC1-wlan-view]ssid-profile name B
[AC1-wlan-ssid-prof-B]ssid CYY-CY
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-ssid-prof-B]q
[AC1-wlan-view]ssid-profile name Y
[AC1-wlan-ssid-prof-Y]ssid YYC-YC
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-ssid-prof-Y]q
[AC1-wlan-view]vap-profile name C
[AC1-wlan-vap-prof-C]forward-mode tunnel
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-C]service-vlan vlan-id 101
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-C]security-profile A
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-C]ssid-profile B
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-C]qui
[AC1-wlan-view]vap-profile name Z
[AC1-wlan-vap-prof-Z]forward-mode tunnel
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-Z]service-vlan vlan-id 102
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-Z]security-profile X
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-Z]ssid-profile Y
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-Z]qui
[AC1-wlan-view]ap-group name CYY
[AC1-wlan-ap-group-CYY]vap-profile C wlan 1 radio 0
Info: This operation may take a few seconds, please wait...done.
[AC1-wlan-ap-group-CYY]vap-profile C wlan 1 radio 1
Info: This operation may take a few seconds, please wait...done.
[AC1-wlan-ap-group-CYY]qui
[AC1-wlan-view]ap-group name YYC
[AC1-wlan-ap-group-YYC]vap-profile Z wlan 1 radio 0
Info: This operation may take a few seconds, please wait...done.
[AC1-wlan-ap-group-YYC]vap-profile Z wlan 1 radio 1