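Planning and Design of a Thousand-User Mid-Sized Campus/Enterprise Network Based on eNSP with a Firewall (All Configuration Commands Included)

Author: BSXY_19计科_陈永跃

BSXY School of Information

Note: do not repost any of this content without permission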


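Preface and resource download notes (do not repost any of this content without permission)

If you have questions, describe the situation you ran into in the comments; the author will reply as soon as he sees it, and hopefully other readers will answer each other's questions too.
You can build the design yourself step by step from the design and implementation steps below (every command is an essential one). If needed, you can also download the complete topology and the complete configuration from the address below for reference.
If you get the topology, use display often to view the configuration and the corresponding commands. The accompanying resource link is:

Topology for "Planning and Design of a Thousand-User Mid-Sized Campus/Enterprise Network Based on eNSP with a Firewall" (wired + wireless).rar + all configuration commands (order.txt)

(Note: order.txt and the images below that are marked and annotated in red were added for readers who get the topology and configuration but do not use display to view the configuration. The eNSP topology and configuration above are of course complete.)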

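I. Topology design and design requirements (15 requirements)

Topology diagram 1:
Topology diagram 2:
Design requirements:

01. Configure the interface addresses of the servers, firewall, routers and so on
02. Configure Eth-Trunk link bundling for link redundancy
03. Divide the enterprise intranet into multiple VLANs to reduce broadcast-domain size and improve network reliability
04. Configure MSTP+VRRP for traffic load sharing together with redundancy, and configure the corresponding STP optimizations to speed up STP convergence and reduce STP flapping
05. All users obtain IP addresses automatically
06. Configure DHCP snooping to block rogue DHCP servers
07. Configure OSPF and static routes for Layer 3 reachability
08. Configure firewall security policies to permit traffic from the intranet zone to the DMZ
09. Configure a firewall NAT policy and security policies so that users can access Baidu on the external network
10. Configure firewall server mapping and security policies to allow the external user Client to access the web server through the public address 100.100.100.100
11. Configure the corresponding firewall policies to allow the external user Client to log in to the web server through the public URL http://100.100.100.100
12. Users can access Baidu on the external network by domain name (www.baidu.com)
13. The internal finance server may be accessed only by VLAN 50 users
14. Switches LSW1-LSW12 can all be reached by telnet (huawei 5555)
15. Wireless WLAN configuration; service VLANs 101 and 102 can also access Baidu on the external network by domain name (www.baidu.com)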

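II. Topology before the retrofit, without a firewall (an aside: optional reading)

Aside: the redundant network design before the retrofit, "eNSP-based thousand-user redundant mid-sized campus/enterprise network design and planning", is shown in the figure below (it is not described or explained in detail in this article; to view it, follow the link and read it yourself):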

III. Full configuration process

1. VLAN Trunk configuration

HX_SW1:
<Huawei>sy
[Huawei]un in en
[Huawei]sysname HX_SW1
[HX_SW1]int Eth-Trunk 1
[HX_SW1-Eth-Trunk1]mode lacp-static
[HX_SW1-Eth-Trunk1]trunkport g0/0/7
[HX_SW1-Eth-Trunk1]trunkport g0/0/8
[HX_SW1-Eth-Trunk1]q
------------------------------------

HX_SW2:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname HX_SW2
[HX_SW2]int Eth-Trunk 1
[HX_SW2-Eth-Trunk1]mode lacp-static
[HX_SW2-Eth-Trunk1]trunkport g0/0/7
[HX_SW2-Eth-Trunk1]trunkport g0/0/8
[HX_SW2-Eth-Trunk1]q
------------------------------------

HJ_SW4:
<Huawei>sy
[Huawei]sysname HJ_SW4
[HJ_SW4]int Eth-Trunk 2
[HJ_SW4-Eth-Trunk2]mode lacp-static
[HJ_SW4-Eth-Trunk2]trunkport g0/0/4
[HJ_SW4-Eth-Trunk2]trunkport g0/0/5
[HJ_SW4-Eth-Trunk2]q
------------------------------------

JR_SW9:
<Huawei>sy
[Huawei]un in en
[Huawei]sysname JR_SW9
[JR_SW9]int Eth-Trunk 2
[JR_SW9-Eth-Trunk2]mode lacp-static
[JR_SW9-Eth-Trunk2]trunkport g0/0/4
[JR_SW9-Eth-Trunk2]trunkport g0/0/5
[JR_SW9-Eth-Trunk2]dis eth-trunk  //view the Eth-Trunk configuration

2. Basic VLAN configuration

JR_SW6:
<Huawei>SY
[Huawei]un in en
[Huawei]sysname JR_SW6
[JR_SW6]vlan batch 20 30 40 50 60 70 80 200 900
[JR_SW6]int g0/0/1
[JR_SW6-GigabitEthernet0/0/1]port link-type trunk
[JR_SW6-GigabitEthernet0/0/1]port trunk allow-pass vlan 20 30 900
[JR_SW6-GigabitEthernet0/0/1]int g0/0/2
[JR_SW6-GigabitEthernet0/0/2]port link-type access
[JR_SW6-GigabitEthernet0/0/2]port default vlan 20
[JR_SW6-GigabitEthernet0/0/2]int g0/0/3
[JR_SW6-GigabitEthernet0/0/3]port link-type access
[JR_SW6-GigabitEthernet0/0/3]port default vlan 30
------------------------------------

JR_SW7:
<Huawei>SYS
[Huawei]un in en
[Huawei]sysname JR_SW7
[JR_SW7]vlan batch 20 30 40 50 60 70 80 200 900
[JR_SW7]int g0/0/1
[JR_SW7-GigabitEthernet0/0/1]port link-type trunk
[JR_SW7-GigabitEthernet0/0/1]port trunk allow-pass vlan 40 900
[JR_SW7-GigabitEthernet0/0/1]int g0/0/2
[JR_SW7-GigabitEthernet0/0/2]port link-type access
[JR_SW7-GigabitEthernet0/0/2]port default vlan 40
[JR_SW7-GigabitEthernet0/0/2]qui
------------------------------------

HJ_SW3:
<Huawei>system-view
[Huawei]un in en
[Huawei]sysname HJ_SW3
[HJ_SW3]vlan batch 20 30 40 50 60 70 80 200 900
[HJ_SW3]int g0/0/1
[HJ_SW3-GigabitEthernet0/0/1]port link-type trunk
[HJ_SW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 20 30 40 900
[HJ_SW3-GigabitEthernet0/0/1]int g0/0/2
[HJ_SW3-GigabitEthernet0/0/2]port link-type trunk
[HJ_SW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 20 30 40 900
[HJ_SW3-GigabitEthernet0/0/2]int g0/0/3
[HJ_SW3-GigabitEthernet0/0/3]port link-type trunk
[HJ_SW3-GigabitEthernet0/0/3]port trunk allow-pass vlan 20 30 900
[HJ_SW3-GigabitEthernet0/0/3]int g0/0/4
[HJ_SW3-GigabitEthernet0/0/4]port link-type trunk
[HJ_SW3-GigabitEthernet0/0/4]port trunk allow-pass vlan 40 900
------------------------------------

JR_SW8:
<Huawei>SYS
[Huawei]sys
[Huawei]sysname JR_SW8
[JR_SW8]vlan batch 20 30 40 50 60 70 80 200 900
[JR_SW8]int g0/0/1
[JR_SW8-GigabitEthernet0/0/1]port link-type trunk
[JR_SW8-GigabitEthernet0/0/1]port trunk allow-pass vlan 50 900
[JR_SW8-GigabitEthernet0/0/1]int g0/0/2
[JR_SW8-GigabitEthernet0/0/2]port link-type access
[JR_SW8-GigabitEthernet0/0/2]port default vlan 50
------------------------------------

JR_SW9:
<JR_SW9>SYS
[JR_SW9]vlan batch 20 30 40 50 60 70 80 200 900
[JR_SW9]int g0/0/3
[JR_SW9-GigabitEthernet0/0/3]port link-type access
[JR_SW9-GigabitEthernet0/0/3]port default vlan 60
[JR_SW9-GigabitEthernet0/0/3]qui
[JR_SW9]int Eth-Trunk 2
[JR_SW9-Eth-Trunk2]port link-type trunk
[JR_SW9-Eth-Trunk2]port trunk allow-pass vlan 60 900
[JR_SW9-Eth-Trunk2]qui
------------------------------------

HJ_SW4:
<HJ_SW4>sys
[HJ_SW4]vlan batch 20 30 40 50 60 70 80 200 900
[HJ_SW4]int g0/0/1
[HJ_SW4-GigabitEthernet0/0/1]port link-type trunk
[HJ_SW4-GigabitEthernet0/0/1]port trunk allow-pass vlan 50 60 900
[HJ_SW4-GigabitEthernet0/0/1]int g0/0/2
[HJ_SW4-GigabitEthernet0/0/2]port link-type trunk
[HJ_SW4-GigabitEthernet0/0/2]port trunk allow-pass vlan 50 60 900
[HJ_SW4-GigabitEthernet0/0/2]int g0/0/3
[HJ_SW4-GigabitEthernet0/0/3]port link-type trunk
[HJ_SW4-GigabitEthernet0/0/3]port trunk allow-pass vlan 50 900
[HJ_SW4-GigabitEthernet0/0/3]qui
[HJ_SW4]int Eth-Trunk 2
[HJ_SW4-Eth-Trunk2]port link-type trunk
[HJ_SW4-Eth-Trunk2]port trunk allow-pass vlan 60 900
[HJ_SW4-Eth-Trunk2]qui
------------------------------------

JR_SW10:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname JR_SW10
[JR_SW10]vlan batch 20 30 40 50 60 70 80 200 900
[JR_SW10]int g0/0/1
[JR_SW10-GigabitEthernet0/0/1]port link-type trunk
[JR_SW10-GigabitEthernet0/0/1]port trunk allow-pass vlan 70 900
[JR_SW10-GigabitEthernet0/0/1]int g0/0/2
[JR_SW10-GigabitEthernet0/0/2]port link-type access
[JR_SW10-GigabitEthernet0/0/2]port default vlan 70
[JR_SW10-GigabitEthernet0/0/2]qui
------------------------------------

JR_SW11:
<JR_SW11>sys
[JR_SW11]vlan batch 20 30 40 50 60 70 80 200 900
[JR_SW11]int g0/0/1
[JR_SW11-GigabitEthernet0/0/1]port link-type trunk
[JR_SW11-GigabitEthernet0/0/1]port trunk allow-pass vlan 80 900
[JR_SW11-GigabitEthernet0/0/1]int g0/0/2
[JR_SW11-GigabitEthernet0/0/2]port link-type access
[JR_SW11-GigabitEthernet0/0/2]port default vlan 80
[JR_SW11-GigabitEthernet0/0/2]int g0/0/3
[JR_SW11-GigabitEthernet0/0/3]port link-type access
[JR_SW11-GigabitEthernet0/0/3]port default vlan 80
------------------------------------

HJ_SW5:
<Huawei>system-view
[Huawei]un in en
[Huawei]sysname HJ_SW5
[HJ_SW5]vlan batch 20 30 40 50 60 70 80 200 900
[HJ_SW5]int g0/0/1
[HJ_SW5-GigabitEthernet0/0/1]port link-type trunk
[HJ_SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan 70 80 900
[HJ_SW5-GigabitEthernet0/0/1]int g0/0/2
[HJ_SW5-GigabitEthernet0/0/2]port link-type trunk
[HJ_SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 70 80 900
[HJ_SW5-GigabitEthernet0/0/2]int g0/0/3
[HJ_SW5-GigabitEthernet0/0/3]port link-type trunk
[HJ_SW5-GigabitEthernet0/0/3]port trunk allow-pass vlan 70 900
[HJ_SW5-GigabitEthernet0/0/3]int g0/0/4
[HJ_SW5-GigabitEthernet0/0/4]port link-type trunk
[HJ_SW5-GigabitEthernet0/0/4]port trunk allow-pass vlan 80 900
[HJ_SW5-GigabitEthernet0/0/4]qui
------------------------------------

JR_SW12:
<Huawei>sy
[Huawei]un in en
[Huawei]sysname JR_SW12
[JR_SW12]vlan batch 20 30 40 50 60 70 80 200 900
[JR_SW12]int g0/0/1
[JR_SW12-GigabitEthernet0/0/1]port link-type trunk
[JR_SW12-GigabitEthernet0/0/1]port trunk allow-pass vlan 200 900
[JR_SW12-GigabitEthernet0/0/1]int g0/0/2
[JR_SW12-GigabitEthernet0/0/2]port link-type trunk
[JR_SW12-GigabitEthernet0/0/2]port trunk allow-pass vlan 200 900
[JR_SW12-GigabitEthernet0/0/2]int g0/0/3
[JR_SW12-GigabitEthernet0/0/3]port link-type access
[JR_SW12-GigabitEthernet0/0/3]port default vlan 200
[JR_SW12-GigabitEthernet0/0/3]int g0/0/4
[JR_SW12-GigabitEthernet0/0/4]port link-type access
[JR_SW12-GigabitEthernet0/0/4]port default vlan 200
[JR_SW12-GigabitEthernet0/0/4]qui
------------------------------------

HX_SW1:
<HX_SW1>SY
[HX_SW1]vlan batch 20 30 40 50 60 70 80 200 900 10
[HX_SW1]vlan batch 4
[HX_SW1]int g0/0/6
[HX_SW1-GigabitEthernet0/0/6]port link-type trunk
[HX_SW1-GigabitEthernet0/0/6]port trunk allow-pass vlan 200 900
[HX_SW1-GigabitEthernet0/0/6]int g0/0/1
[HX_SW1-GigabitEthernet0/0/1]port link-type access
[HX_SW1-GigabitEthernet0/0/1]port default vlan 10
[HX_SW1-GigabitEthernet0/0/1]int g0/0/2
[HX_SW1-GigabitEthernet0/0/2]port link-type access
[HX_SW1-GigabitEthernet0/0/2]port default vlan 4
[HX_SW1-GigabitEthernet0/0/2]int g0/0/3
[HX_SW1-GigabitEthernet0/0/3]port link-type trunk
[HX_SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 20 30 40 900
[HX_SW1-GigabitEthernet0/0/3]int g0/0/4
[HX_SW1-GigabitEthernet0/0/4]port link-type trunk
[HX_SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 50 60 900
[HX_SW1-GigabitEthernet0/0/4]int g0/0/5
[HX_SW1-GigabitEthernet0/0/5]port link-type trunk
[HX_SW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 70 80 900
[HX_SW1-GigabitEthernet0/0/5]qui
[HX_SW1]int Eth-Trunk 1
[HX_SW1-Eth-Trunk1]port link-type trunk
[HX_SW1-Eth-Trunk1]port trunk allow-pass vlan 20 30 40 50 60 70 80 200 900
[HX_SW1-Eth-Trunk1]dis this
------------------------------------

HX_SW2:
<HX_SW2>sys
[HX_SW2]vlan batch 20 30 40 50 60 70 80 200 900
[HX_SW2]vlan batch 2 5
[HX_SW2]int g0/0/1
[HX_SW2-GigabitEthernet0/0/1]port link-type access
[HX_SW2-GigabitEthernet0/0/1]port default vlan 2
[HX_SW2-GigabitEthernet0/0/1]int g0/0/2
[HX_SW2-GigabitEthernet0/0/2]port link-type access
[HX_SW2-GigabitEthernet0/0/2]port default vlan 5
[HX_SW2-GigabitEthernet0/0/2]int g0/0/3
[HX_SW2-GigabitEthernet0/0/3]port link-type trunk
[HX_SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 20 30 40 900
[HX_SW2-GigabitEthernet0/0/3]int g0/0/4
[HX_SW2-GigabitEthernet0/0/4]port link-type trunk
[HX_SW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 50 60 900
[HX_SW2-GigabitEthernet0/0/4]int g0/0/5
[HX_SW2-GigabitEthernet0/0/5]port link-type trunk
[HX_SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 70 80 900
[HX_SW2-GigabitEthernet0/0/5]int g0/0/6
[HX_SW2-GigabitEthernet0/0/6]port link-type trunk
[HX_SW2-GigabitEthernet0/0/6]port trunk allow-pass vlan 200 900
[HX_SW2-GigabitEthernet0/0/6]qui
[HX_SW2]int Eth-Trunk 1
[HX_SW2-Eth-Trunk1]port link-type trunk
[HX_SW2-Eth-Trunk1]port trunk allow-pass vlan 20 30 40 50 60 70 80 200 900
[HX_SW2-Eth-Trunk1]dis this

3. MSTP configuration

HX_SW1:
<HX_SW1>sy
[HX_SW1]stp region-configuration
[HX_SW1-mst-region]instance 1 vlan 20 30 40 200
[HX_SW1-mst-region]region-name aa
[HX_SW1-mst-region]revision-level 1
[HX_SW1-mst-region]instance 2 vlan 50 60 70 80
[HX_SW1-mst-region]active region-configuration
[HX_SW1-mst-region]dis this
/*
# All aggregation-layer switches and the server-group switch need the following commands
stp region-configuration
 region-name aa
 revision-level 1
 instance 1 vlan 20 30 40 200
 instance 2 vlan 50 60 70 80
 active region-configuration
#
*/
[HX_SW1-mst-region]qui
[HX_SW1]stp instance 1 root primary
[HX_SW1]stp instance 2 root secondary
[HX_SW1]dis this  //view the configuration
------------------------------------

HX_SW2:
<HX_SW2>sys
[HX_SW2]stp region-configuration
[HX_SW2-mst-region]region-name aa
[HX_SW2-mst-region]revision-level 1
[HX_SW2-mst-region]instance 1 vlan 20 30 40 200
[HX_SW2-mst-region]instance 2 vlan 50 60 70 80
[HX_SW2-mst-region]active region-configuration
[HX_SW2-mst-region]qui
[HX_SW2]stp instance 2 root primary
[HX_SW2]stp instance 1 root secondary
[HX_SW2]dis this
------------------------------------

JR_SW12:
<JR_SW12>sy
[JR_SW12]stp region-configuration
[JR_SW12-mst-region]region-name aa
[JR_SW12-mst-region]revision-level 1
[JR_SW12-mst-region]instance 1 vlan 20 30 40 200
[JR_SW12-mst-region]instance 2 vlan 50 60 70 80
[JR_SW12-mst-region]active region-configuration
[JR_SW12-mst-region]qui
------------------------------------

HJ_SW3:
[HJ_SW3]stp region-configuration
[HJ_SW3-mst-region]region-name aa
[HJ_SW3-mst-region]revision-level 1
[HJ_SW3-mst-region]instance 1 vlan 20 30 40 200
[HJ_SW3-mst-region]instance 2 vlan 50 60 70 80
[HJ_SW3-mst-region]active region-configuration
[HJ_SW3-mst-region]qui
[HJ_SW3]dis stp br
/*
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ROOT  FORWARDING      NONE
   0    GigabitEthernet0/0/2        ALTE  DISCARDING      NONE
 It is enough to see that g0/0/2 is in the blocked state here
*/
------------------------------------

HJ_SW4:
<HJ_SW4>sy
[HJ_SW4]stp region-configuration
[HJ_SW4-mst-region]region-name aa
[HJ_SW4-mst-region]revision-level 1
[HJ_SW4-mst-region]instance 1 vlan 20 30 40 200
[HJ_SW4-mst-region]instance 2 vlan 50 60 70 80
[HJ_SW4-mst-region]active region-configuration
[HJ_SW4-mst-region]qui
[HJ_SW4]dis stp br
/*
 MSTID  Port                        Role  STP State     Protection
   2    GigabitEthernet0/0/1        ALTE  DISCARDING      NONE
   2    GigabitEthernet0/0/2        ROOT  FORWARDING      NONE
 It is enough that g0/0/1 is blocked at this point
*/
------------------------------------

HJ_SW5:
[HJ_SW5]stp region-configuration
[HJ_SW5-mst-region]region-name aa
[HJ_SW5-mst-region]revision-level 1
[HJ_SW5-mst-region]instance 1 vlan 20 30 40 200
[HJ_SW5-mst-region]instance 2 vlan 50 60 70 80
[HJ_SW5-mst-region]active region-configuration
[HJ_SW5-mst-region]qui
[HJ_SW5]dis stp br
/*
 MSTID  Port                        Role  STP State     Protection
   1    GigabitEthernet0/0/2        ALTE  DISCARDING      NONE
   1    GigabitEthernet0/0/1        ROOT  FORWARDING      NONE
 It is enough that g0/0/1 is blocked at this point
*/

4. VRRP gateway redundancy

HX_SW1:
[HX_SW1]int vlan 20
[HX_SW1-Vlanif20]ip add 192.168.20.254 24
[HX_SW1-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.1
[HX_SW1-Vlanif20]vrrp vrid 20 priority 105
[HX_SW1-Vlanif20]dis this
[HX_SW1-Vlanif20]qui
[HX_SW1]int vlan 30
[HX_SW1-Vlanif30]ip add 192.168.30.254 24
[HX_SW1-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.1
[HX_SW1-Vlanif30]vrrp vrid 30 priority 105
[HX_SW1-Vlanif30]qui
[HX_SW1]int vlan 40
[HX_SW1-Vlanif40]ip add 192.168.40.254 24
[HX_SW1-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.1
[HX_SW1-Vlanif40]vrrp vrid 40 priority 105
[HX_SW1-Vlanif40]int vlan 50
[HX_SW1-Vlanif50]ip add 192.168.50.254 24
[HX_SW1-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.1
[HX_SW1-Vlanif50]int vlan 60
[HX_SW1-Vlanif60]ip add 192.168.60.254 24
[HX_SW1-Vlanif60]vrrp vrid 60 virtual-ip 192.168.60.1
[HX_SW1-Vlanif60]int vlan 200
[HX_SW1-Vlanif200]ip add 192.168.200.254 24
[HX_SW1-Vlanif200]vrrp vrid 200 virtual-ip 192.168.200.1
[HX_SW1-Vlanif200]vrrp vrid 200 priority 105
[HX_SW1-Vlanif200]int vlan 70
[HX_SW1-Vlanif70]ip add 192.168.70.254 24
[HX_SW1-Vlanif70]vrrp vrid 70 virtual-ip 192.168.70.1
[HX_SW1-Vlanif70]int vlan 80
[HX_SW1-Vlanif80]ip add 192.168.80.254 24
[HX_SW1-Vlanif80]vrrp vrid 80 virtual-ip 192.168.80.1
[HX_SW1-Vlanif80]int vlan 10
[HX_SW1-Vlanif10]ip add 192.168.10.2 24
[HX_SW1-Vlanif10]int vlan 4
[HX_SW1-Vlanif4]ip add 192.168.4.1 24
[HX_SW1-Vlanif4]qui
------------------------------------

HX_SW2:
[HX_SW2]int vlan 70
[HX_SW2-Vlanif70]ip add 192.168.70.253 24
[HX_SW2-Vlanif70]vrrp vrid 70 virtual-ip 192.168.70.1
[HX_SW2-Vlanif70]vrrp vrid 70 priority 105
[HX_SW2-Vlanif70]int vlan 80
[HX_SW2-Vlanif80]ip add 192.168.80.253 24
[HX_SW2-Vlanif80]vrrp vrid 80 virtual-ip 192.168.80.1
[HX_SW2-Vlanif80]vrrp vrid 80 priority 105
[HX_SW2-Vlanif80]int vlan 200
[HX_SW2-Vlanif200]ip add 192.168.200.253 24
[HX_SW2-Vlanif200]vrrp vrid 200 virtual-ip 192.168.200.1
[HX_SW2-Vlanif200]int vlan 20
[HX_SW2-Vlanif20]ip add 192.168.20.253 24
[HX_SW2-Vlanif20]vrrp vrid 20 virtual-ip 192.168.20.1
[HX_SW2-Vlanif20]int vlan 30
[HX_SW2-Vlanif30]ip add 192.168.30.253 24
[HX_SW2-Vlanif30]vrrp vrid 30 virtual-ip 192.168.30.1
[HX_SW2-Vlanif30]int vlan 40
[HX_SW2-Vlanif40]ip add 192.168.40.253 24
[HX_SW2-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.1
[HX_SW2-Vlanif40]int vlan 50
[HX_SW2-Vlanif50]ip add 192.168.50.253 24
[HX_SW2-Vlanif50]vrrp vrid 50 virtual-ip 192.168.50.1
[HX_SW2-Vlanif50]vrrp vrid 50 priority 105
[HX_SW2-Vlanif50]int vlan 60
[HX_SW2-Vlanif60]ip add 192.168.60.253 24
[HX_SW2-Vlanif60]vrrp vrid 60 virtual-ip 192.168.60.1
[HX_SW2-Vlanif60]vrrp vrid 60 priority 105
[HX_SW2-Vlanif60]int vlan 2
[HX_SW2-Vlanif2]ip add 192.168.2.2 24
[HX_SW2-Vlanif2]int vlan 5
[HX_SW2-Vlanif5]ip add 192.168.5.1 24
[HX_SW2-Vlanif5]qui

5. Verify VRRP gateway redundancy

[HX_SW1]dis vrrp br
VRID  State   Interface   Type    Virtual IP
----------------------------------------------------------------
20    Master  Vlanif20    Normal  192.168.20.1
30    Master  Vlanif30    Normal  192.168.30.1
40    Master  Vlanif40    Normal  192.168.40.1
50    Backup  Vlanif50    Normal  192.168.50.1
60    Backup  Vlanif60    Normal  192.168.60.1
70    Backup  Vlanif70    Normal  192.168.70.1
80    Backup  Vlanif80    Normal  192.168.80.1
200   Master  Vlanif200   Normal  192.168.200.1
[HX_SW1]
------------------------------------
<HX_SW2>dis vrrp br
VRID  State   Interface   Type    Virtual IP
----------------------------------------------------------------
20    Backup  Vlanif20    Normal  192.168.20.1
30    Backup  Vlanif30    Normal  192.168.30.1
40    Backup  Vlanif40    Normal  192.168.40.1
50    Master  Vlanif50    Normal  192.168.50.1
60    Master  Vlanif60    Normal  192.168.60.1
70    Master  Vlanif70    Normal  192.168.70.1
80    Master  Vlanif80    Normal  192.168.80.1
200   Backup  Vlanif200   Normal  192.168.200.1
<HX_SW2>

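6. Test that PCs can reach the gateway

/* Manually configure an IP address on a PC to reach the gateway, e.g. for a PC in VLAN 30:
    IP: 192.168.30.3
    GW: 192.168.30.1  Test access to the gateway; a successful ping 192.168.30.1 is enough */
/* Manually configure an IP address on a PC to reach the gateway, e.g. for a PC in VLAN 70:
    IP: 192.168.70.7
    GW: 192.168.70.1  Test access to the gateway; a successful ping 192.168.70.1 is enough */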

7. BFD route linkage

HX_SW1:
[HX_SW1]bfd
[HX_SW1-bfd]qui  //entering and then exiting is enough
[HX_SW1]int vlan 20
[HX_SW1-Vlanif20]vrrp vrid 20 track interface g0/0/1
[HX_SW1-Vlanif20]vrrp vrid 20 track interface g0/0/2
[HX_SW1-Vlanif20]int vlan 30
[HX_SW1-Vlanif30]vrrp vrid 30 track interface g0/0/1
[HX_SW1-Vlanif30]vrrp vrid 30 track interface g0/0/2
[HX_SW1-Vlanif30]int vlan 40
[HX_SW1-Vlanif40]vrrp vrid 40 track interface g0/0/1
[HX_SW1-Vlanif40]vrrp vrid 40 track interface g0/0/2
[HX_SW1-Vlanif40]int vlan 50
[HX_SW1-Vlanif50]vrrp vrid 50 track interface g0/0/1
[HX_SW1-Vlanif50]vrrp vrid 50 track interface g0/0/2
[HX_SW1-Vlanif50]int vlan 60
[HX_SW1-Vlanif60]vrrp vrid 60 track interface g0/0/1
[HX_SW1-Vlanif60]vrrp vrid 60 track interface g0/0/2
[HX_SW1-Vlanif60]int vlan 70
[HX_SW1-Vlanif70]vrrp vrid 70 track interface g0/0/1
[HX_SW1-Vlanif70]vrrp vrid 70 track interface g0/0/2
[HX_SW1-Vlanif70]int vlan 80
[HX_SW1-Vlanif80]vrrp vrid 80 track interface g0/0/1
[HX_SW1-Vlanif80]vrrp vrid 80 track interface g0/0/2
[HX_SW1-Vlanif80]int vlan 200
[HX_SW1-Vlanif200]vrrp vrid 200 track interface g0/0/1
[HX_SW1-Vlanif200]vrrp vrid 200 track interface g0/0/2
[HX_SW1-Vlanif200]dis this
------------------------------------

HX_SW2:
[HX_SW2]bfd
qui
int vlan 20
vrrp vrid 20 track interface g0/0/1
vrrp vrid 20 track interface g0/0/2
int vlan 30
vrrp vrid 30 track interface g0/0/1
vrrp vrid 30 track interface g0/0/2
int vlan 40
vrrp vrid 40 track interface g0/0/1
vrrp vrid 40 track interface g0/0/2
int vlan 50
vrrp vrid 50 track interface g0/0/1
vrrp vrid 50 track interface g0/0/2
int vlan 60
vrrp vrid 60 track interface g0/0/1
vrrp vrid 60 track interface g0/0/2
int vlan 70
vrrp vrid 70 track interface g0/0/1
vrrp vrid 70 track interface g0/0/2
int vlan 80
vrrp vrid 80 track interface g0/0/1
vrrp vrid 80 track interface g0/0/2
int vlan 200
vrrp vrid 200 track interface g0/0/1
vrrp vrid 200 track interface g0/0/2
[HX_SW2-Vlanif200]dis this

8. Core-layer router address configuration

R1:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 192.168.6.1 24
[R1-GigabitEthernet0/0/0]int g0/0/1
[R1-GigabitEthernet0/0/1]ip add 192.168.10.1 24
[R1-GigabitEthernet0/0/1]int g0/0/2
[R1-GigabitEthernet0/0/2]ip add 192.168.2.1 24
[R1-GigabitEthernet0/0/2]int g4/0/0
[R1-GigabitEthernet4/0/0]ip add 192.168.3.1 24
[R1-GigabitEthernet4/0/0]qui
[R1]
------------------------------------

R2:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 192.168.7.1 24
[R2-GigabitEthernet0/0/0]int g0/0/1
[R2-GigabitEthernet0/0/1]ip add 192.168.4.2 24
[R2-GigabitEthernet0/0/1]int g0/0/2
[R2-GigabitEthernet0/0/2]ip add 192.168.5.2 24
[R2-GigabitEthernet0/0/2]int g4/0/0
[R2-GigabitEthernet4/0/0]ip add 192.168.3.2 24
[R2-GigabitEthernet4/0/0]qui
[R2]

9. Basic firewall configuration

IP address configuration and zone assignment

<USG6000V1>sys
[USG6000V1]un in en
[USG6000V1]sysname FW
[FW]int g1/0/0
[FW-GigabitEthernet1/0/0]ip add 192.168.8.1 30
[FW-GigabitEthernet1/0/0]service-manage all permit
[FW-GigabitEthernet1/0/0]int g1/0/1
[FW-GigabitEthernet1/0/1]ip add 192.168.6.2 24
[FW-GigabitEthernet1/0/1]service-manage all permit
[FW-GigabitEthernet1/0/1]int g1/0/2
[FW-GigabitEthernet1/0/2]ip add 192.168.7.2 24
[FW-GigabitEthernet1/0/2]service-manage all permit
[FW-GigabitEthernet1/0/2]int g1/0/3
[FW-GigabitEthernet1/0/3]ip add 192.168.111.1 24
[FW-GigabitEthernet1/0/3]service-manage all permit
[FW-GigabitEthernet1/0/3]quit
[FW]firewall zone untrust
[FW-zone-untrust]add int g1/0/0
[FW-zone-untrust]qui
[FW]firewall zone dmz
[FW-zone-dmz]add int g1/0/3
[FW-zone-dmz]quit
[FW]firewall zone trust
[FW-zone-trust]add int g1/0/1
[FW-zone-trust]add int g1/0/2
[FW-zone-trust]qui

10. OSPF configuration

HX_SW1:
[HX_SW1]ospf 1
[HX_SW1-ospf-1]area 0
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.4.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.60.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.70.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.80.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]net 192.168.200.0 0.0.0.255
[HX_SW1-ospf-1-area-0.0.0.0]qui
[HX_SW1-ospf-1]qui
[HX_SW1]
------------------------------------
HX_SW2:
[HX_SW2]ospf 1
[HX_SW2-ospf-1]area 0
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.2.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.5.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.20.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.30.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.40.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.50.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.60.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.70.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.80.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.200.0 0.0.0.255
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.100.0 0.0.0.255  //wireless management VLAN
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.101.0 0.0.0.255  //wireless service VLAN
[HX_SW2-ospf-1-area-0.0.0.0]net 192.168.102.0 0.0.0.255  //wireless service VLAN
[HX_SW2-ospf-1-area-0.0.0.0]qui
[HX_SW2-ospf-1]qui
[HX_SW2]
------------------------------------
R1:
[R1]ospf 1
[R1-ospf-1]area 0
[R1-ospf-1-area-0.0.0.0]net 192.168.2.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]net 192.168.10.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]net 192.168.3.0 0.0.0.255
[R1-ospf-1-area-0.0.0.0]qui
[R1-ospf-1]qui
[R1]
------------------------------------
R2:
[R2]ospf 1
[R2-ospf-1]area 0
[R2-ospf-1-area-0.0.0.0]net 192.168.5.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]net 192.168.3.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]net 192.168.4.0 0.0.0.255
[R2-ospf-1-area-0.0.0.0]quit
[R2-ospf-1]quit
[R2]

11. Firewall policy configuration

//permit trust->dmz traffic
[FW]security-policy
[FW-policy-security]rule name trust_to_dmz
[FW-policy-security-rule-trust_to_dmz]source-zone trust
[FW-policy-security-rule-trust_to_dmz]destination-zone dmz
[FW-policy-security-rule-trust_to_dmz]action permit
[FW-policy-security-rule-trust_to_dmz]qui
[FW-policy-security]qui
//the firewall itself can access any zone
[FW]security-policy
[FW-policy-security]rule name local_to_any
[FW-policy-security-rule-local_to_any]source-zone local
[FW-policy-security-rule-local_to_any]destination-zone any
[FW-policy-security-rule-local_to_any]action permit
[FW-policy-security-rule-local_to_any]qui
[FW-policy-security]qui
//trust->untrust
[FW]security-policy
[FW-policy-security]rule name trust_to_untrust
[FW-policy-security-rule-trust_to_untrust]source-zone trust
[FW-policy-security-rule-trust_to_untrust]destination-zone untrust
[FW-policy-security-rule-trust_to_untrust]action permit
[FW-policy-security-rule-trust_to_untrust]quit
[FW-policy-security]quit
[FW]nat-policy
[FW-policy-nat]rule name trust_nat_untrsut
[FW-policy-nat-rule-trust_nat_untrsut]source-zone trust
[FW-policy-nat-rule-trust_nat_untrsut]destination-zone untrust
[FW-policy-nat-rule-trust_nat_untrsut]action source-nat easy-ip
[FW-policy-nat-rule-trust_nat_untrsut]dis this
[FW-policy-nat-rule-trust_nat_untrsut]quit
//untrust->dmz
[FW-policy-security]rule name untrust_to_dmz
[FW-policy-security-rule-untrust_to_dmz]source-zone untrust
[FW-policy-security-rule-untrust_to_dmz]destination-zone dmz
[FW-policy-security-rule-untrust_to_dmz]action permit
[FW-policy-security-rule-untrust_to_dmz]qui
//dmz->untrust
[FW-policy-security]rule name dmz_to_untrust
[FW-policy-security-rule-dmz_to_untrust]source-zone dmz
[FW-policy-security-rule-dmz_to_untrust]destination-zone untrust
[FW-policy-security-rule-dmz_to_untrust]action permit
[FW-policy-security-rule-dmz_to_untrust]qui
[FW-policy-security]
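
An audit of the firewall configuration from sections 9 and 11, as an added example that is not part of the original article or its order.txt. It flags `service-manage all permit` on an interface in the untrust zone and permit rules from untrust that carry no address or service condition, then re-runs on a tightened variant; the `parse` and `audit` helpers, the re-typed config text and the tightened lines are assumptions of this example.

```python
# Added example (not from the article). PAGE_CONFIG is constructed from the FW
# commands in sections 9 and 11: one command per line, prompts removed, "int"
# expanded. g1/0/2 and rules local_to_any / trust_to_untrust are left out.
PAGE_CONFIG = """\
interface GigabitEthernet1/0/0
 ip address 192.168.8.1 30
 service-manage all permit
interface GigabitEthernet1/0/1
 ip address 192.168.6.2 24
 service-manage all permit
interface GigabitEthernet1/0/3
 ip address 192.168.111.1 24
 service-manage all permit
firewall zone untrust
 add interface GigabitEthernet1/0/0
firewall zone dmz
 add interface GigabitEthernet1/0/3
firewall zone trust
 add interface GigabitEthernet1/0/1
security-policy
 rule name trust_to_dmz
  source-zone trust
  destination-zone dmz
  action permit
 rule name untrust_to_dmz
  source-zone untrust
  destination-zone dmz
  action permit
 rule name dmz_to_untrust
  source-zone dmz
  destination-zone untrust
  action permit
"""

# Assumed tightening (not in the article): no management services on the
# untrust interface, and untrust_to_dmz limited to the server and services
# that requirements 10 and 11 and the section 14 mapping call for.
HARDENED_CONFIG = PAGE_CONFIG.replace(
    " ip address 192.168.8.1 30\n service-manage all permit\n",
    " ip address 192.168.8.1 30\n",
).replace(
    "  source-zone untrust\n  destination-zone dmz\n",
    "  source-zone untrust\n  destination-zone dmz\n"
    "  destination-address 192.168.111.2 32\n  service http\n  service icmp\n",
)

LIMIT_KEYWORDS = {"source-address", "destination-address", "service"}


def parse(config):
    """Return (interface -> commands, interface -> zone, list of rule dicts)."""
    ifaces, zone_of, rules = {}, {}, []
    section = current = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():              # unindented line opens a section
            section = words[0]
            if section == "interface":
                current = ifaces.setdefault(words[1], [])
            elif section == "firewall":       # "firewall zone <name>"
                current = words[-1]
        elif section == "interface":
            current.append(" ".join(words))
        elif section == "firewall" and words[:2] == ["add", "interface"]:
            zone_of[words[2]] = current
        elif section == "security-policy":
            if words[:2] == ["rule", "name"]:
                current = {"name": words[2], "limits": []}
                rules.append(current)
            elif words[0] in LIMIT_KEYWORDS:
                current["limits"].append(" ".join(words))
            else:                             # source-zone, destination-zone, action
                current[words[0]] = words[1]
    return ifaces, zone_of, rules


def audit(config):
    """List (finding, object) pairs for exposure toward the untrust zone."""
    ifaces, zone_of, rules = parse(config)
    findings = []
    for name, commands in ifaces.items():
        if zone_of.get(name) == "untrust" and "service-manage all permit" in commands:
            findings.append(("mgmt-exposed", name))
    for rule in rules:
        inbound = rule.get("source-zone") == "untrust"
        if inbound and rule.get("action") == "permit" and not rule["limits"]:
            findings.append(("open-inbound", rule["name"]))
    return findings


if __name__ == "__main__":
    print("as configured:", audit(PAGE_CONFIG))
    print("tightened:    ", audit(HARDENED_CONFIG))
```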

12. Basic configuration of the external router

ISP_R:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname ISP_R
[ISP_R]int g0/0/1
[ISP_R-GigabitEthernet0/0/1]ip add 192.168.8.2 30
[ISP_R-GigabitEthernet0/0/1]int g0/0/0
[ISP_R-GigabitEthernet0/0/0]ip add 10.10.10.1 24
[ISP_R-GigabitEthernet0/0/0]qui
[ISP_R]
------------------------------------

13. Static route configuration

FW:
[FW]ip route-static 0.0.0.0 0 192.168.8.2
[FW]ip route-static 192.168.0.0 255.255.0.0 192.168.6.1  //the default preference is 60; a smaller value is preferred
[FW]ip route-static 192.168.0.0 255.255.0.0 192.168.7.1 preference 70
------------------------------------

R1:
[R1]ip route-static 0.0.0.0 0.0.0.0 192.168.6.2
[R1]ip route-static 0.0.0.0 0 192.168.3.2 preference 70
------------------------------------

R2:
[R2]ip route-static 0.0.0.0 0 192.168.7.2
[R2]ip route-static 0.0.0.0 0 192.168.3.1 preference 70
------------------------------------

HX_SW1:
[HX_SW1]ip route-static 0.0.0.0 0.0.0.0 192.168.10.1
[HX_SW1]ip route-static 0.0.0.0 0.0.0.0 192.168.4.2 preference 70
------------------------------------

HX_SW2:
[HX_SW2]ip route-static 0.0.0.0 0.0.0.0 192.168.5.2
[HX_SW2]ip route-static 0.0.0.0 0.0.0.0 192.168.2.1 preference 70
------------------------------------

ISP:
[ISP]ip route-static 0.0.0.0 0.0.0.0 192.168.8.1

14. Server address mapping

[FW]nat server untrust_dmz zone untrust protocol icmp global 100.100.100.100 inside 192.168.111.2 no-reverse  //lets the external network reach the web server with ping 100.100.100.100
[FW]nat server untust_dmz_web protocol tcp global 100.100.100.100 80 inside 192.168.111.2 80 no-reverse  //lets external users log in to our web server through http://100.100.100.100

15. DHCP relay

DHCP:
<Huawei>sys
[Huawei]un in en
[Huawei]sysname DHCP
[DHCP]dhcp enable
[DHCP]ip pool vlan20
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan20]network 192.168.20.0 mask 24
[DHCP-ip-pool-vlan20]gateway-list 192.168.20.1
[DHCP-ip-pool-vlan20]dns-list 192.168.111.3 8.8.8.8
[DHCP-ip-pool-vlan20]excluded-ip-address 192.168.20.250 192.168.20.254
[DHCP-ip-pool-vlan20]q
[DHCP]ip pool vlan30
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan30]gateway-list 192.168.30.1
[DHCP-ip-pool-vlan30]network 192.168.30.0 mask 255.255.255.0
[DHCP-ip-pool-vlan30]dns-list 192.168.111.3 8.8.8.8
[DHCP-ip-pool-vlan30]excluded-ip-address 192.168.30.250 192.168.30.254
[DHCP-ip-pool-vlan30]q
[DHCP]ip pool vlan40
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan40]gateway-list 192.168.40.1
[DHCP-ip-pool-vlan40]network 192.168.40.0 mask 255.255.255.0
[DHCP-ip-pool-vlan40]dns-list 192.168.111.3 8.8.8.8
[DHCP-ip-pool-vlan40]excluded-ip-address 192.168.40.250 192.168.40.254
[DHCP-ip-pool-vlan40]q
[DHCP]ip pool vlan50
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan50]gateway-list 192.168.50.1
[DHCP-ip-pool-vlan50]network 192.168.50.0 mask 255.255.255.0
[DHCP-ip-pool-vlan50]dns-list 192.168.111.3 8.8.8.8
[DHCP-ip-pool-vlan50]excluded-ip-address 192.168.50.250 192.168.50.254
[DHCP-ip-pool-vlan50]q
[DHCP]ip pool vlan60
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan60]network 192.168.60.0 mask 24
[DHCP-ip-pool-vlan60]gateway-list 192.168.60.1
[DHCP-ip-pool-vlan60]dns-list 192.168.111.3 8.8.8.8
[DHCP-ip-pool-vlan60]excluded-ip-address 192.168.60.250 192.168.60.254
[DHCP-ip-pool-vlan60]q
[DHCP]ip pool vlan70
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan70]gateway-list 192.168.70.1
[DHCP-ip-pool-vlan70]network 192.168.70.0 mask 255.255.255.0
[DHCP-ip-pool-vlan70]dns-list 192.168.111.3 8.8.8.8
[DHCP-ip-pool-vlan70]excluded-ip-address 192.168.70.250 192.168.70.254
[DHCP-ip-pool-vlan70]q
[DHCP]ip pool vlan80
Info: It's successful to create an IP address pool.
[DHCP-ip-pool-vlan80]gateway-list 192.168.80.1
[DHCP-ip-pool-vlan80]network 192.168.80.0 mask 255.255.255.0
[DHCP-ip-pool-vlan80]dns-list 192.168.111.3 8.8.8.8
[DHCP-ip-pool-vlan80]excluded-ip-address 192.168.80.250 192.168.80.254
[DHCP-ip-pool-vlan80]q
[DHCP]int g0/0/0
[DHCP-GigabitEthernet0/0/0]ip add 192.168.200.3 24
[DHCP-GigabitEthernet0/0/0]dhcp select global
[DHCP-GigabitEthernet0/0/0]qui
------------------------------------

HX_SW1:
<HX_SW1>sy
[HX_SW1]dhcp enable
[HX_SW1]int vlanif20
[HX_SW1-Vlanif20]dhcp select relay
[HX_SW1-Vlanif20]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif20]int vlanif30
[HX_SW1-Vlanif30]dhcp select relay
[HX_SW1-Vlanif30]dhcp select relay
[HX_SW1-Vlanif30]dhcp relay server-ip 192.168.200.3
[HX_SW1-Vlanif30]int vlanif40
[HX_SW1-Vlanif40]dhcp select relay
[HX_SW1-Vlanif40]dhcp relay server-ip 192.168.200.3
.......................
[HX_SW1]
------------------------------------

HX_SW2:
<HX_SW2>SYS
[HX_SW2]dhcp enable
[HX_SW2]int vlanif20
[HX_SW2-Vlanif20]dhcp select relay
[HX_SW2-Vlanif20]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif20]dis this
#
interface Vlanif20
 ip address 192.168.20.254 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.20.1
 vrrp vrid 20 priority 105
 vrrp vrid 20 track interface GigabitEthernet0/0/1
 vrrp vrid 20 track interface GigabitEthernet0/0/2
 dhcp select relay
 dhcp relay server-ip 192.168.200.3
#
return
[HX_SW2-Vlanif20]int vlanif30
[HX_SW2-Vlanif30]dhcp select relay
[HX_SW2-Vlanif30]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif30]int vlanif40
[HX_SW2-Vlanif40]dhcp select relay
[HX_SW2-Vlanif40]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif40]int vlanif50
[HX_SW2-Vlanif50]dhcp select relay
[HX_SW2-Vlanif50]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif50]int vlanif60
[HX_SW2-Vlanif60]dhcp select relay
[HX_SW2-Vlanif60]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif60]int vlanif70
[HX_SW2-Vlanif70]dhcp select relay
[HX_SW2-Vlanif70]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif70]int vlanif80
[HX_SW2-Vlanif80]dhcp select relay
[HX_SW2-Vlanif80]dhcp relay server-ip 192.168.200.3
[HX_SW2-Vlanif80]

16. Snooping configuration

JR_SW6:
[JR_SW6]dhcp enable
[JR_SW6]dhcp snooping enable
[JR_SW6]vlan 20
[JR_SW6-vlan20]dhcp snooping en
[JR_SW6-vlan20]vlan 30
[JR_SW6-vlan30]dhcp snooping enable
[JR_SW6-vlan30]qui
[JR_SW6]int g0/0/1
[JR_SW6-GigabitEthernet0/0/1]dhcp snooping trusted
[JR_SW6-GigabitEthernet0/0/1]dis this
------------------------------------

JR_SW7:
<JR_SW7>sys
[JR_SW7]dhcp enable
[JR_SW7]dhcp snooping enable
[JR_SW7]vlan 40
[JR_SW7-vlan40]dhcp snooping enable
[JR_SW7-vlan40]qui
[JR_SW7]int g0/0/1
[JR_SW7-GigabitEthernet0/0/1]dhcp snooping trusted
[JR_SW7-GigabitEthernet0/0/1]qui
------------------------------------

JR_SW8: omitted
------------------------------------

JR_SW9: omitted

It is enough that the PC obtains an address; the address PC1 obtains here should be 30.254 (the figure is for demonstration only)

16、Telnet远程配置

    HX_SW1:
[HX_SW1]aaa
[HX_SW1-aaa]local-user huawei privilege level 3 password cipher 5555
[HX_SW1-aaa]local-user huawei service-type telnet
[HX_SW1-aaa]quit
[HX_SW1]user-interface vty 0 4
[HX_SW1-ui-vty0-4]authentication-mode aaa
[HX_SW1-ui-vty0-4]protocol inbound telnet
[HX_SW1-ui-vty0-4]qui
[HX_SW1]int vlanif 900
[HX_SW1-Vlanif900]ip add 192.168.255.254 24
[HX_SW1-Vlanif900]vrrp vrid 255 virtual-ip 192.168.255.1
[HX_SW1-Vlanif900]dis this
#
interface Vlanif900
 ip address 192.168.255.254 255.255.255.0
 vrrp vrid 255 virtual-ip 192.168.255.1
#
return
[HX_SW1-Vlanif900]q
------------------------------------

    HX_SW2:
[HX_SW2]aaa
[HX_SW2-aaa]local-user huawei privilege level 3 password cipher 5555
Info: Add a new user.
[HX_SW2-aaa]local-user huawei service-type telnet
[HX_SW2-aaa]quit
[HX_SW2]user-interface vty 0 4
[HX_SW2-ui-vty0-4]authentication-mode aaa
[HX_SW2-ui-vty0-4]protocol inbound telnet
[HX_SW2-ui-vty0-4]qui
[HX_SW2]int vlanif 900
[HX_SW2-Vlanif900]ip add 192.168.255.253 24
[HX_SW2-Vlanif900]vrrp vrid 255 virtual-ip 192.168.255.1
[HX_SW2-Vlanif900]dis this
#
interface Vlanif900
 ip address 192.168.255.253 255.255.255.0
 vrrp vrid 255 virtual-ip 192.168.255.1
#
return
[HX_SW2-Vlanif900]q
------------------------------------

    HJ_SW3:
[HJ_SW3]aaa
[HJ_SW3-aaa]local-user huawei privilege level 3 password cipher 5555
[HJ_SW3-aaa]local-user huawei service-type telnet
[HJ_SW3-aaa]quit
[HJ_SW3]user-interface vty 0 4
[HJ_SW3-ui-vty0-4]authentication-mode aaa
[HJ_SW3-ui-vty0-4]protocol inbound telnet
[HJ_SW3-ui-vty0-4]qui
[HJ_SW3]int vlanif 900
[HJ_SW3-Vlanif900]ip add 192.168.255.3 24
[HJ_SW3-Vlanif900]q
[HJ_SW3]ip route-static 0.0.0.0 0 192.168.255.1
[HJ_SW3]

    HJ_SW4:
[HJ_SW4]aaa
[HJ_SW4-aaa]local-user huawei privilege level 3 password cipher 5555
[HJ_SW4-aaa]local-user huawei service-type telnet
[HJ_SW4-aaa]quit
[HJ_SW4]user-interface vty 0 4
[HJ_SW4-ui-vty0-4]authentication-mode aaa
[HJ_SW4-ui-vty0-4]protocol inbound telnet
[HJ_SW4-ui-vty0-4]qui
[HJ_SW4]int vlanif 900
[HJ_SW4-Vlanif900]ip add 192.168.255.4 24
[HJ_SW4-Vlanif900]q
[HJ_SW4]ip route-static 0.0.0.0 0 192.168.255.1
[HJ_SW4]qui
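/*...................The remaining switches SW1-SW12 are configured the same way*/
//At this point you can telnet to 192.168.255.3-8, 254 and 253, and to the corresponding router interface addresses
/*<PC>telnet 192.168.255.7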
Trying 192.168.255.7 ...
Press CTRL+K to abort
Connected to 192.168.255.7 ...

Username:huawei
Password:5555
Info: The max number of VTY users is 5, and the number
      of current VTY users on line is 1.
      The current login time is 2022-04-19 17:27:13.
<JR_SW7>*/

17. ACL policy

[HX_SW1]acl 3001
[HX_SW1-acl-adv-3001]rule permit ip source 192.168.50.0 0.0.0.255 destination 192.168.200.2 0
[HX_SW1-acl-adv-3001]rule deny ip source any destination 192.168.200.2 0
[HX_SW1-acl-adv-3001]dis this
#
acl number 3001
 rule 5 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.200.2 0
 rule 10 deny ip destination 192.168.200.2 0
#
return
[HX_SW1-acl-adv-3001]qui
[HX_SW1]int g0/0/6
[HX_SW1-GigabitEthernet0/0/6]traffic-filter outbound acl 3001
[HX_SW1-GigabitEthernet0/0/6]qui
------------------------------------

    HX_SW2:
[HX_SW2]acl 3001
[HX_SW2-acl-adv-3001]rule permit ip source 192.168.50.0 0.0.0.255 destination 192.168.200.2 0
[HX_SW2-acl-adv-3001]rule deny ip source any destination 192.168.200.2 0
[HX_SW2-acl-adv-3001]dis this
#
acl number 3001
 rule 5 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.200.2 0
 rule 10 deny ip destination 192.168.200.2 0
#
return
[HX_SW2-acl-adv-3001]qui
[HX_SW2]
[HX_SW2]int g0/0/6
[HX_SW2-GigabitEthernet0/0/6]traffic-filter outbound acl 3001
[HX_SW2-GigabitEthernet0/0/6]qui
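
To check that ACL 3001 enforces requirement 13 (only VLAN 50 users reach the finance server), its first-match and wildcard-mask logic can be modelled offline. This is an added example, not part of the original article's configuration; it reads the rule destination as 192.168.200.2 with wildcard 0, and the function names, the probe addresses and the permit-on-no-match default are assumptions.

```python
import ipaddress

# ACL 3001 as displayed by "dis this" on HX_SW1 and HX_SW2:
# (rule id, action, source, source wildcard, destination, destination wildcard)
ACL_3001 = [
    (5, "permit", "192.168.50.0", "0.0.0.255", "192.168.200.2", "0.0.0.0"),
    (10, "deny", "0.0.0.0", "255.255.255.255", "192.168.200.2", "0.0.0.0"),
]


def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF  # wildcard 1-bits mean "don't care"
    return (a & care) == (b & care)


def evaluate(acl, src, dst, default="permit"):
    """Return (action, rule id) of the first matching rule, lowest id first.

    default is the verdict for unmatched traffic; "permit" is an assumption
    about traffic-filter behaviour on these switches, not stated on the page.
    """
    for rule_id, action, s, sw, d, dw in sorted(acl):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, rule_id
    return default, None


def audit(acl, protected, allowed_net, probes):
    """List probe sources whose verdict towards `protected` violates the policy."""
    net = ipaddress.ip_network(allowed_net)
    findings = []
    for src in probes:
        action, rule_id = evaluate(acl, src, protected)
        expected = "permit" if ipaddress.ip_address(src) in net else "deny"
        if action != expected:
            findings.append((src, action, rule_id))
    return findings


# Constructed probe sources: VLAN 50, other wired/wireless user VLANs, management VLAN.
PROBES = ["192.168.50.10", "192.168.50.254", "192.168.40.7",
          "192.168.101.15", "192.168.255.3"]

if __name__ == "__main__":
    for src in PROBES:
        print(src, "->", evaluate(ACL_3001, src, "192.168.200.2"))
    print("violations:", audit(ACL_3001, "192.168.200.2", "192.168.50.0/24", PROBES))
```

An empty violations list means the rule order is correct; swapping the rule ids so that the deny comes first makes the audit report the VLAN 50 hosts as blocked.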

18. Wireless WLAN configuration


    HX_SW2:
<HX_SW2>sy
[HX_SW2]vlan batch 100 101 102
[HX_SW2]int g0/0/9
[HX_SW2-GigabitEthernet0/0/9]port link-type trunk
[HX_SW2-GigabitEthernet0/0/9]port trunk allow-pass vlan all
[HX_SW2-GigabitEthernet0/0/9]int g0/0/3
[HX_SW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 100 101 102
[HX_SW2-GigabitEthernet0/0/3]int g0/0/5
[HX_SW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 100 101 102
[HX_SW2-GigabitEthernet0/0/5]qui
[HX_SW2]int vlan 100
[HX_SW2-Vlanif100]ip add 192.168.100.1 24
[HX_SW2-Vlanif100]int vlan 101
[HX_SW2-Vlanif101]ip add 192.168.101.1 24
[HX_SW2-Vlanif101]int vlan 102
[HX_SW2-Vlanif102]ip add 192.168.102.1 24
[HX_SW2-Vlanif102]qui
[HX_SW2]dhcp enable
[HX_SW2]ip pool ap_pool
Info: It's successful to create an IP address pool.
[HX_SW2-ip-pool-ap_pool]gateway-list 192.168.100.1
[HX_SW2-ip-pool-ap_pool]network 192.168.100.0 mask 24
[HX_SW2-ip-pool-ap_pool]excluded-ip-address 192.168.100.100
[HX_SW2-ip-pool-ap_pool]dns-list 192.168.111.3
[HX_SW2-ip-pool-ap_pool]qui
[HX_SW2]ip pool hua_1
Info: It's successful to create an IP address pool.
[HX_SW2-ip-pool-hua_1]gateway-list 192.168.101.1
[HX_SW2-ip-pool-hua_1]network 192.168.101.0 mask 24
[HX_SW2-ip-pool-hua_1]dns-list 192.168.111.3
[HX_SW2-ip-pool-hua_1]qui
[HX_SW2]ip pool hua_2
Info: It's successful to create an IP address pool.
[HX_SW2-ip-pool-hua_2]gateway-list 192.168.102.1
[HX_SW2-ip-pool-hua_2]network 192.168.102.0 mask 24
[HX_SW2-ip-pool-hua_2]dns-list 192.168.111.3
[HX_SW2-ip-pool-hua_2]qui
[HX_SW2]int vlan 100
[HX_SW2-Vlanif100]dhcp select global
[HX_SW2-Vlanif100]int vlan 101
[HX_SW2-Vlanif101]dhcp select global
[HX_SW2-Vlanif101]int vlan 102
[HX_SW2-Vlanif102]dhcp select global
[HX_SW2-Vlanif102]qui
[HX_SW2]qui
<HX_SW2>save
-------------------------------------
    
    HJ_SW3:
<HJ_SW3>sy
[HJ_SW3]vlan batch 100 101 102
[HJ_SW3]int g0/0/2
[HJ_SW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 101 102
[HJ_SW3-GigabitEthernet0/0/2]int g0/0/5
[HJ_SW3-GigabitEthernet0/0/5]port link-type trunk
[HJ_SW3-GigabitEthernet0/0/5]port trunk pvid vlan 100
[HJ_SW3-GigabitEthernet0/0/5]port trunk allow-pass vlan 100 101
[HJ_SW3-GigabitEthernet0/0/5]qui
[HJ_SW3]qui
---------------------------------
    
    HJ_SW5:
[HJ_SW5]vlan batch 100 101 102
[HJ_SW5]int g0/0/2
[HJ_SW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 101 102
[HJ_SW5-GigabitEthernet0/0/2]int g0/0/5
[HJ_SW5-GigabitEthernet0/0/5]port link-type trunk
[HJ_SW5-GigabitEthernet0/0/5]port trunk pvid vlan 100
[HJ_SW5-GigabitEthernet0/0/5]port trunk allow-pass vlan 100 102
[HJ_SW5-GigabitEthernet0/0/5]qui
[HJ_SW5]qu
---------------------------------
    
    AC:
<AC6605>sy
[AC6605]un in en
[AC6605]sysname AC1
[AC1]vlan batch 100 to 103
[AC1]int g0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[AC1-GigabitEthernet0/0/1]qui
[AC1]int vlan 100
[AC1-Vlanif100]ip add 192.168.100.100 24
[AC1-Vlanif100]qui
[AC1]capwap source int vlanif100
[AC1]wlan
[AC1-wlan-view]ap-group name CYY
[AC1-wlan-ap-group-CYY]q
[AC1-wlan-view]regulatory-domain-profile name domain1
[AC1-wlan-regulate-domain-domain1]country-code cn
[AC1-wlan-regulate-domain-domain1]q
[AC1-wlan-view]ap-group name CYY
[AC1-wlan-ap-group-CYY]regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain c
onfigurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-CYY]qui
[AC1-wlan-view]qui
[AC1]wlan
[AC1-wlan-view]ap-group name YYC
[AC1-wlan-ap-group-YYC]q
[AC1-wlan-view]regulatory-domain-profile name domain2
[AC1-wlan-regulate-domain-domain2]country-code cn
Info: The current country code is same with the input country code.
[AC1-wlan-regulate-domain-domain2]q
[AC1-wlan-view]ap-group name YYC
[AC1-wlan-ap-group-YYC]regulatory-domain-profile domain2
Warning: Modifying the country code will clear channel, power and antenna gain c
onfigurations of the radio and reset the AP. Continue?[Y/N]:y
[AC1-wlan-ap-group-YYC]qui
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 0 ap-mac 00e0-fc82-0a90
[AC1-wlan-ap-0]ap-name area_0
[AC1-wlan-ap-0]ap-group CYY
Warning: This operation may cause AP reset. If the country code changes, it will
 clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue?[Y/N]:y
[AC1-wlan-ap-0]qui
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fc2d-1bd0
[AC1-wlan-ap-1]ap-name area_1
[AC1-wlan-ap-1]ap-group YYC
Warning: This operation may cause AP reset. If the country code changes, it will
 clear channel, power and antenna gain configurations of the radio, Whether to c
ontinue?[Y/N]:y
Info: This operation may take a few seconds. Please wait for a moment.. done.
[AC1-wlan-ap-1]qui
[AC1-wlan-view]qui
[AC1]wlan
[AC1-wlan-view]security-profile name A
[AC1-wlan-sec-prof-A]security wpa2 psk pass-phrase a1234567 aes
[AC1-wlan-sec-prof-A]q
[AC1-wlan-view]security-profile name X
[AC1-wlan-sec-prof-X]security wpa2 psk pass-phrase huawei@123 aes
[AC1-wlan-sec-prof-X]qui
[AC1-wlan-view]ssid-profile name B
[AC1-wlan-ssid-prof-B]ssid CYY-CY
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-ssid-prof-B]q
[AC1-wlan-view]ssid-profile name Y
[AC1-wlan-ssid-prof-Y]ssid YYC-YC
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-ssid-prof-Y]q
[AC1-wlan-view]vap-profile name C
[AC1-wlan-vap-prof-C]forward-mode tunnel
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-C]service-vlan vlan-id 101
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-C]security-profile A
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-C]ssid-profile B
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-C]qui
[AC1-wlan-view]vap-profile name Z
[AC1-wlan-vap-prof-Z]forward-mode tunnel
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-Z]service-vlan vlan-id 102
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-Z]security-profile X
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-Z]ssid-profile Y
Info: This operation may take a few seconds, please wait.done.
[AC1-wlan-vap-prof-Z]qui
[AC1-wlan-view]ap-group name CYY
[AC1-wlan-ap-group-CYY]vap-profile C wlan 1 radio 0
Info: This operation may take a few seconds, please wait...done.
[AC1-wlan-ap-group-CYY]vap-profile C wlan 1 radio 1
Info: This operation may take a few seconds, please wait...done.
[AC1-wlan-ap-group-CYY]qui
[AC1-wlan-view]ap-group name YYC
[AC1-wlan-ap-group-YYC]vap-profile Z wlan 1 radio 0
Info: This operation may take a few seconds, please wait...done.
[AC1-wlan-ap-group-YYC]vap-profile Z wlan 1 radio 1

This article is reposted from: https://blog.csdn.net/m0_46179473/article/details/125121176
Copyright belongs to the original author 小猿网. In case of infringement, please contact us for removal.
