Huawei Enterprise Network: Classic Comprehensive Configuration
Requirements:
1. SW1/SW2/R1 enable Telnet with AAA authentication, and each creates a LoopBack interface as its management address; R2 simulates the ISP link.
2. SW2 is the root for instances 1/3 (VLAN 10/30); its VLANIF 10/30 are VRRP backup and its VLANIF 20 is VRRP master. SW3 is the root for instance 2 (VLAN 20); its VLANIF 10/30 are VRRP master and its VLANIF 20 is VRRP backup.
3. Configure an Eth-Trunk between SW3 and SW4 with a maximum active-link threshold of 2; the GE0/0/5 link provides redundant backup.
4. SW2, SW3 and R1 run OSPF with authentication in MD5 cipher mode.
5. SW2 and SW3 run VRRP with authentication in MD5 cipher mode.
Simple security:
1. CLIENT1 is not allowed to access the Internet.
2. The other CLIENTs are allowed to access the Internet.
3. LAN SERVER provides HTTP and FTP services to the LAN only.
4. CLIENT4, 6 and 7 can access HTTP and FTP on SERVER2.
5. Internet users can access HTTP on WAN SERVER.
6. WAN SERVER is reached at the address 200.1.1.3.
7. LAN users reach the Internet via Easy IP.
Address list:
VLAN 10: 192.168.10.0/24
VLAN 20: 192.168.20.0/24
VLAN 30: 192.168.30.0/24
VLANIF 100 (SW3): 10.10.13.3/24
VLANIF 200 (SW4): 10.10.14.4/24
SW3 VLANIF 10: 192.168.10.253/24
SW3 VLANIF 20: 192.168.20.253/24
SW3 VLANIF 30: 192.168.30.253/24
SW4 VLANIF 10: 192.168.10.254/24
SW4 VLANIF 20: 192.168.20.254/24
SW4 VLANIF 30: 192.168.30.254/24
VLANIF 10 VRRP virtual IP: 192.168.10.1/24
VLANIF 20 VRRP virtual IP: 192.168.20.1/24
VLANIF 30 VRRP virtual IP: 192.168.30.1/24
Configuration:
SW1 (aggregation switch)
<Huawei>system-view
[Huawei]sysname sw1
[sw1]vlan batch 10 20 30
[sw1]port-group group-member Ethernet 0/0/1 to Ethernet 0/0/3
[sw1-port-group]port link-type access
[sw1-port-group]quit
[sw1]interface Ethernet 0/0/1
[sw1-Ethernet0/0/1]port default vlan 10
[sw1-Ethernet0/0/1]quit
[sw1]interface Ethernet 0/0/2
[sw1-Ethernet0/0/2]port default vlan 20
[sw1-Ethernet0/0/2]quit
[sw1]interface Ethernet 0/0/3
[sw1-Ethernet0/0/3]port default vlan 30
[sw1-Ethernet0/0/3]quit
[sw1]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
[sw1-port-group]port link-type trunk
[sw1-port-group]port trunk allow-pass vlan all
[sw1-port-group]quit
[sw1]stp mode mstp
[sw1]stp region-configuration
[sw1-mst-region]region-name zurkj
[sw1-mst-region]revision-level 1
[sw1-mst-region]instance 1 vlan 10
[sw1-mst-region]instance 2 vlan 20
[sw1-mst-region]instance 3 vlan 30
[sw1-mst-region]active region-configuration
[sw1-mst-region]quit
[sw1]display port vlan active
[sw1]quit
<sw1>save
SW2 (aggregation switch)
<Huawei>system-view
[Huawei]sysname sw2
[sw2]vlan batch 10 20
[sw2]interface Ethernet 0/0/1
[sw2-Ethernet0/0/1]port link-type access
[sw2-Ethernet0/0/1]port default vlan 20
[sw2-Ethernet0/0/1]quit
[sw2]interface Ethernet 0/0/2
[sw2-Ethernet0/0/2]port link-type access
[sw2-Ethernet0/0/2]port default vlan 10
[sw2-Ethernet0/0/2]quit
[sw2]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
[sw2-port-group]port link-type trunk
[sw2-port-group]port trunk allow-pass vlan all
[sw2-port-group]quit
[sw2]stp mode mstp
[sw2]stp region-configuration
[sw2-mst-region]region-name zurkj
[sw2-mst-region]revision-level 1
[sw2-mst-region]instance 1 vlan 10
[sw2-mst-region]instance 2 vlan 20
[sw2-mst-region]instance 3 vlan 30
[sw2-mst-region]active region-configuration
[sw2-mst-region]quit
[sw2]quit
<sw2>save
SW3 (core switch)
Basic configuration
<Huawei>system-view
[Huawei]sysname sw3
[sw3]router id 192.168.3.1 // set the router ID
[sw3]interface LoopBack 0 // create the loopback interface
[sw3-LoopBack0]ip address 192.168.3.1 32
[sw3-LoopBack0]quit
[sw3]user-interface vty 0 4 // user interfaces VTY 0-4
[sw3-ui-vty0-4]authentication-mode aaa // authentication mode AAA
[sw3-ui-vty0-4]quit
[sw3]aaa
[sw3-aaa]local-user zurkj password cipher admin1234 // local user and password
[sw3-aaa]local-user zurkj service-type telnet // local user service type: Telnet
[sw3-aaa]local-user zurkj privilege level 15 // local user privilege level 15
[sw3-aaa]quit
Configure VLANs
[sw3]vlan batch 10 20 30
[sw3]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
[sw3-port-group]port link-type trunk
[sw3-port-group]port trunk allow-pass vlan all
[sw3-port-group]quit
Configure link aggregation
[sw3]interface Eth-Trunk 1 // create the Eth-Trunk
[sw3-Eth-Trunk1]mode lacp-static // mode: static LACP
[sw3-Eth-Trunk1]max active-linknumber 2 // maximum number of active links: 2
[sw3-Eth-Trunk1]port link-type trunk
[sw3-Eth-Trunk1]port trunk allow-pass vlan all
[sw3-Eth-Trunk1]quit
[sw3]lacp priority 100 // switch (system) LACP priority 100
[sw3]interface GigabitEthernet 0/0/3
[sw3-GigabitEthernet0/0/3]eth-trunk 1
[sw3-GigabitEthernet0/0/3]lacp priority 100 // interface LACP priority 100
[sw3-GigabitEthernet0/0/3]quit
[sw3]interface GigabitEthernet 0/0/4
[sw3-GigabitEthernet0/0/4]eth-trunk 1
[sw3-GigabitEthernet0/0/4]lacp priority 100
[sw3-GigabitEthernet0/0/4]quit
[sw3]interface GigabitEthernet 0/0/5
[sw3-GigabitEthernet0/0/5]eth-trunk 1
[sw3-GigabitEthernet0/0/5]quit
[sw3]display eth-trunk 1 // show the Eth-Trunk state
Eth-Trunk1's state information is:
Local:
LAG ID: 1                     Working Mode: STATIC
Preempt Delay: Disabled       Hash arithmetic: According to SIP-XOR-DIP
System Priority: 100          System ID: 4c1f-cc03-02df
Least Active-linknumber: 1    Max Active-linknumber: 2
Operate status: down          Number Of Up Port In Trunk: 0
--------------------------------------------------------------------------------
ActorPortName          Status    PortType  PortPri  PortNo  PortKey  PortState  Weight
GigabitEthernet0/0/3   Unselect  1GE       100      4       305      10100010   1
GigabitEthernet0/0/4   Unselect  1GE       100      5       305      10100010   1
GigabitEthernet0/0/5   Unselect  1GE       32768    6       305      10100010   1

Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri  SystemID        PortPri  PortNo  PortKey  PortState
GigabitEthernet0/0/3   0       0000-0000-0000  0        0       0        10100011
GigabitEthernet0/0/4   0       0000-0000-0000  0        0       0        10100011
GigabitEthernet0/0/5   0       0000-0000-0000  0        0       0        10100011
Configure spanning tree
[sw3]stp mode mstp // STP mode MSTP (the Huawei default is usually MSTP)
[sw3]stp region-configuration // MST region configuration
[sw3-mst-region]region-name zurkj // region name: zurkj
[sw3-mst-region]revision-level 1 // revision level: 1
[sw3-mst-region]instance 1 vlan 10 // VLAN 10 mapped to instance 1
[sw3-mst-region]instance 2 vlan 20
[sw3-mst-region]instance 3 vlan 30
[sw3-mst-region]active region-configuration // activate the region configuration
[sw3-mst-region]quit
[sw3]stp instance 1 root primary // primary root for instance 1
[sw3]stp instance 3 root primary // primary root for instance 3
[sw3]stp instance 2 root secondary // secondary root for instance 2
[sw3]display stp region-configuration // show the MST region configuration
Configure VLAN 100, used by the VLANIF 100 uplink interface on GE0/0/6.
[sw3]vlan 100
[sw3-vlan100]quit
[sw3]interface vlanif 100
[sw3-Vlanif100]ip address 10.10.13.3 24
[sw3-Vlanif100]quit
[sw3]interface GigabitEthernet 0/0/6
[sw3-GigabitEthernet0/0/6]port link-type access
[sw3-GigabitEthernet0/0/6]port default vlan 100
[sw3-GigabitEthernet0/0/6]quit
Configure VLANIF interfaces and VRRP: the three VLANs map to three VLANIF interfaces, with three VRRP groups.
[sw3]interface vlanif 10 // create VLANIF 10
[sw3-Vlanif10]ip address 192.168.10.253 24
[sw3-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1 // create VRRP backup group 1 with virtual IP …
[sw3-Vlanif10]vrrp vrid 1 priority 150 // priority 150
[sw3-Vlanif10]vrrp vrid 1 authentication-mode md5 admin123 // authentication mode MD5
[sw3-Vlanif10]display this
[sw3-Vlanif10]quit
[sw3]interface vlanif 20
[sw3-Vlanif20]ip address 192.168.20.253 24
[sw3-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1
[sw3-Vlanif20]vrrp vrid 2 priority 200
[sw3-Vlanif20]vrrp vrid 2 track interface GigabitEthernet 0/0/6 reduced 150 // track the uplink: when GE0/0/6 goes down, the priority is reduced by 150
[sw3-Vlanif20]vrrp vrid 2 authentication-mode md5 admin123
[sw3-Vlanif20]display this
[sw3-Vlanif20]quit
[sw3]interface vlanif 30
[sw3-Vlanif30]ip address 192.168.30.253 24
[sw3-Vlanif30]vrrp vrid 3 virtual-ip 192.168.30.1
[sw3-Vlanif30]vrrp vrid 3 priority 150
[sw3-Vlanif30]vrrp vrid 3 authentication-mode md5 admin123
[sw3-Vlanif30]display this
[sw3-Vlanif30]quit
[sw3]display ip interface brief
Configure OSPF
[sw3]ospf 1 // create OSPF process 1
[sw3-ospf-1]area 0 // create backbone area 0
[sw3-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234
[sw3-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255 // advertise the network (wildcard mask)
[sw3-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[sw3-ospf-1-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[sw3-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[sw3-ospf-1-area-0.0.0.0]network 10.10.13.0 0.0.0.255
[sw3-ospf-1-area-0.0.0.0]display this
SW4 (core switch)
<Huawei>system-view
[Huawei]sysname sw4
[sw4]router id 192.168.4.1
[sw4]interface LoopBack 0
[sw4-LoopBack0]ip address 192.168.4.1 32
[sw4-LoopBack0]quit
[sw4]user-interface vty 0 4
[sw4-ui-vty0-4]authentication-mode aaa
[sw4-ui-vty0-4]quit
[sw4]aaa
[sw4-aaa]local-user zurkj password cipher admin1234
[sw4-aaa]local-user zurkj service-type telnet
[sw4-aaa]local-user zurkj privilege level 15
[sw4-aaa]quit
[sw4]vlan batch 10 20 30
[sw4]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
[sw4-port-group]port link-type trunk
[sw4-port-group]port trunk allow-pass vlan all
[sw4-port-group]quit
[sw4]interface Eth-Trunk 1
[sw4-Eth-Trunk1]mode lacp-static
[sw4-Eth-Trunk1]max active-linknumber 2
[sw4-Eth-Trunk1]port link-type trunk // must match the sw3 side of the trunk
[sw4-Eth-Trunk1]port trunk allow-pass vlan all
[sw4-Eth-Trunk1]display this
[sw4-Eth-Trunk1]quit
[sw4]interface GigabitEthernet 0/0/3
[sw4-GigabitEthernet0/0/3]eth-trunk 1
[sw4-GigabitEthernet0/0/3]quit
[sw4]interface GigabitEthernet 0/0/4
[sw4-GigabitEthernet0/0/4]eth-trunk 1
[sw4-GigabitEthernet0/0/4]quit
[sw4]interface GigabitEthernet 0/0/5
[sw4-GigabitEthernet0/0/5]eth-trunk 1
[sw4-GigabitEthernet0/0/5]quit
[sw4]display eth-trunk 1
[sw4]stp mode mstp
[sw4]stp region-configuration
[sw4-mst-region]region-name zurkj
[sw4-mst-region]revision-level 1
[sw4-mst-region]instance 1 vlan 10
[sw4-mst-region]instance 2 vlan 20
[sw4-mst-region]instance 3 vlan 30
[sw4-mst-region]active region-configuration
[sw4-mst-region]quit
[sw4]stp instance 1 root secondary
[sw4]stp instance 2 root primary
[sw4]stp instance 3 root secondary
[sw4]display stp instance 1
[sw4]display stp instance 2
[sw4]display stp instance 3
[sw4]vlan 200
[sw4-vlan200]quit
[sw4]interface vlanif 200
[sw4-Vlanif200]ip address 10.10.14.4 24
[sw4-Vlanif200]quit
[sw4]interface GigabitEthernet 0/0/6
[sw4-GigabitEthernet0/0/6]port link-type access
[sw4-GigabitEthernet0/0/6]port default vlan 200
[sw4-GigabitEthernet0/0/6]quit
[sw4]interface vlanif 10
[sw4-Vlanif10]ip address 192.168.10.254 24
[sw4-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1
[sw4-Vlanif10]vrrp vrid 1 priority 200
[sw4-Vlanif10]vrrp vrid 1 track interface GigabitEthernet 0/0/6 reduced 150
[sw4-Vlanif10]vrrp vrid 1 authentication-mode md5 admin123
[sw4-Vlanif10]display this
[sw4-Vlanif10]quit
[sw4]interface vlanif 20
[sw4-Vlanif20]ip address 192.168.20.254 24
[sw4-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1
[sw4-Vlanif20]vrrp vrid 2 priority 150
[sw4-Vlanif20]vrrp vrid 2 authentication-mode md5 admin123
[sw4-Vlanif20]display this
[sw4-Vlanif20]quit
[sw4]interface vlanif 30
[sw4-Vlanif30]ip address 192.168.30.254 24
[sw4-Vlanif30]vrrp vrid 3 virtual-ip 192.168.30.1
[sw4-Vlanif30]vrrp vrid 3 priority 200
[sw4-Vlanif30]vrrp vrid 3 authentication-mode md5 admin123
[sw4-Vlanif30]vrrp vrid 3 track interface GigabitEthernet 0/0/6 reduced 150
[sw4-Vlanif30]display this
[sw4-Vlanif30]quit
[sw4]ospf 1
[sw4-ospf-1]area 0
[sw4-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234
[sw4-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[sw4-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[sw4-ospf-1-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[sw4-ospf-1-area-0.0.0.0]network 192.168.4.0 0.0.0.255
[sw4-ospf-1-area-0.0.0.0]network 10.10.14.0 0.0.0.255
[sw4-ospf-1-area-0.0.0.0]display this
[sw4-ospf-1-area-0.0.0.0]quit
[sw4-ospf-1]quit
[sw4]display ospf lsdb
[sw4]display ospf brief
[sw4]display ip routing-table protocol ospf
[sw4]display ip routing-table
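To see how the VRRP priorities and the uplink tracking configured on sw3 and sw4 above decide which switch is master for each VLAN, here is an added Python model of the election (not part of the original configuration). The priorities and the "reduced 150" values are those on the page; the helper names, the "switch:port" link labels and the tie-break by VLANIF address are assumptions for the illustration.

```python
# Added example, not part of the page's configuration: VRRP master election for
# the three backup groups on sw3/sw4 with "track interface ... reduced 150".
# Priorities and reductions are the values configured above; helper names and
# the "switch:port" link labels are assumptions made for this illustration.

# vrid -> {router: (configured priority, tracked uplink or None, reduction)}
VRRP_GROUPS = {
    1: {"sw3": (150, None, 0), "sw4": (200, "sw4:GE0/0/6", 150)},
    2: {"sw3": (200, "sw3:GE0/0/6", 150), "sw4": (150, None, 0)},
    3: {"sw3": (150, None, 0), "sw4": (200, "sw4:GE0/0/6", 150)},
}

# Last octet of each router's VLANIF address (.253 / .254 on every VLAN);
# VRRP uses the higher interface address to break a priority tie.
VLANIF_HOST = {"sw3": 253, "sw4": 254}


def effective_priority(priority, tracked, reduction, down_links):
    """Priority after the track reduction; a non-owner keeps at least 1."""
    if tracked is not None and tracked in down_links:
        return max(priority - reduction, 1)
    return priority


def elect_master(vrid, down_links=frozenset()):
    """Return (master router, effective priority per router) for one VRID."""
    prios = {
        router: effective_priority(*cfg, down_links)
        for router, cfg in VRRP_GROUPS[vrid].items()
    }
    master = max(prios, key=lambda r: (prios[r], VLANIF_HOST[r]))
    return master, prios


def masters(down_links=frozenset()):
    """Master of every VRID for a given set of failed uplinks."""
    return {vrid: elect_master(vrid, down_links)[0] for vrid in VRRP_GROUPS}


if __name__ == "__main__":
    print("all uplinks up:   ", masters())
    print("sw3 GE0/0/6 down: ", masters({"sw3:GE0/0/6"}))
    print("sw4 GE0/0/6 down: ", masters({"sw4:GE0/0/6"}))
```

With every uplink up, sw4 is master for VLAN 10/30 and sw3 for VLAN 20; losing an uplink drops the tracked master to 50, below the peer's 150, so all three groups fail over to the switch whose uplink is still up.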
ISP (carrier)
<Huawei>system-view
[Huawei]sysname ISP
[ISP]interface GigabitEthernet 0/0/0
[ISP-GigabitEthernet0/0/0]ip address 200.1.1.2 29
[ISP-GigabitEthernet0/0/0]quit
[ISP]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]ip address 100.1.1.1 24
[ISP-GigabitEthernet0/0/1]quit
[ISP]display ip interface brief
Gateway (egress gateway)
Basic configuration
<Huawei>system-view
[Huawei]sysname Gateway
[Gateway]router id 192.168.1.1
[Gateway]interface LoopBack 0
[Gateway-LoopBack0]ip address 192.168.1.1 32
[Gateway-LoopBack0]quit
[Gateway]user-interface vty 0 4
[Gateway-ui-vty0-4]authentication-mode aaa
[Gateway-ui-vty0-4]quit
[Gateway]aaa
[Gateway-aaa]local-user zurkj password cipher admin1234
[Gateway-aaa]local-user zurkj service-type telnet
[Gateway-aaa]local-user zurkj privilege level 15
[Gateway-aaa]quit
[Gateway]interface GigabitEthernet 0/0/0
[Gateway-GigabitEthernet0/0/0]ip address 200.1.1.1 29
[Gateway-GigabitEthernet0/0/0]quit
[Gateway]interface GigabitEthernet 0/0/1
[Gateway-GigabitEthernet0/0/1]ip address 10.10.13.1 24
[Gateway-GigabitEthernet0/0/1]quit
[Gateway]interface GigabitEthernet 0/0/2
[Gateway-GigabitEthernet0/0/2]ip address 10.10.14.1 24
[Gateway-GigabitEthernet0/0/2]quit
[Gateway]interface Ethernet 1/0/0
[Gateway-Ethernet1/0/0]ip address 192.168.100.1 24
[Gateway-Ethernet1/0/0]quit
[Gateway]display ip interface brief
Configure OSPF
[Gateway]ospf 1 // create OSPF process 1
[Gateway-ospf-1]area 0 // backbone area 0
[Gateway-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234 // area authentication: MD5 with key
[Gateway-ospf-1-area-0.0.0.0]network 10.10.13.0 0.0.0.255 // advertise the network
[Gateway-ospf-1-area-0.0.0.0]network 10.10.14.0 0.0.0.255
[Gateway-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[Gateway-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[Gateway-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[Gateway-ospf-1-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[Gateway-ospf-1-area-0.0.0.0]display this
[Gateway-ospf-1-area-0.0.0.0]quit
[Gateway-ospf-1]quit
[Gateway]display ospf peer // show OSPF neighbor state
[Gateway]display ospf lsdb // show the OSPF link-state database
[Gateway]display ip routing-table // show the routing table
Configure the default route
[Gateway]ip route-static 0.0.0.0 0 200.1.1.2 // default route with next-hop address
Configure NAT (Easy IP)
[Gateway]acl 2000 // create the access control list
[Gateway-acl-basic-2000]rule permit source any // rule: permit all source IPs
[Gateway-acl-basic-2000]quit
[Gateway]interface GigabitEthernet 0/0/0
[Gateway-GigabitEthernet0/0/0]nat outbound 2000 // apply ACL 2000 to outbound NAT on the egress interface
[Gateway-GigabitEthernet0/0/0]quit
[Gateway]display nat outbound
Configure OSPF default route advertisement
[Gateway]ospf 1
[Gateway-ospf-1]default-route-advertise always // advertise the default route into OSPF
[Gateway-ospf-1]display this
[Gateway-ospf-1]quit
Gateway: simple ACL filtering
<Gateway>system-view
[Gateway]acl 2000 // enter access control list 2000
[Gateway-acl-basic-2000]rule 3 deny source 192.168.10.100 0.0.0.0 // insert rule 3: deny this source IP (wildcard 0.0.0.0 is an exact match)
[Gateway-acl-basic-2000]display this
[Gateway-acl-basic-2000]quit
[Gateway]interface GigabitEthernet 0/0/0
[Gateway-GigabitEthernet0/0/0]nat server protocol tcp global 200.1.1.3 80 inside 192.168.100.100 80 // NAT server: map the inside address 192.168.100.100 to the public address 200.1.1.3 for TCP port 80
[Gateway-GigabitEthernet0/0/0]return
<Gateway>save
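The Easy IP filter above only blocks CLIENT1 because of rule ordering: the rule entered without a number received ID 5 (the default numbering step), and rule 3 was inserted explicitly with a lower ID, so it is evaluated first. The following Python model of that ordering and of wildcard-mask matching is an added example, not the page's or Huawei's own code; the class and function names and the step value are assumptions for the illustration.

```python
# Added example, not part of the page: a small model of how VRP orders and
# evaluates the basic ACL 2000 configured on the Gateway above. The auto-
# numbered "rule permit source any" becomes rule 5 (default step 5, assumed
# here), and the explicitly inserted "rule 3 deny ..." is matched before it.
import ipaddress

ACL_STEP = 5  # assumption: VRP default rule-numbering step


def parse_wildcard(addr, wildcard):
    """'ip wildcard' -> (masked network int, care-bits int); wildcard bit 1 = ignore."""
    ip = int(ipaddress.IPv4Address(addr))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ip & care, care


class BasicAcl:
    def __init__(self, number):
        self.number = number
        self.rules = {}  # rule id -> (action, network, care)

    def add(self, line):
        """Parse 'rule [id] permit|deny source (<ip> <wildcard>|any)'; return the id."""
        tok = line.split()
        if tok[1].isdigit():
            rid, tok = int(tok[1]), tok[2:]
        else:  # next multiple of the step above the highest existing id
            rid, tok = (max(self.rules, default=0) // ACL_STEP + 1) * ACL_STEP, tok[1:]
        action = tok[0]
        net, care = (0, 0) if tok[2] == "any" else parse_wildcard(tok[2], tok[3])
        self.rules[rid] = (action, net, care)
        return rid

    def match(self, src):
        """First rule hit in ascending id order; unmatched traffic is not NAT-translated."""
        ip = int(ipaddress.IPv4Address(src))
        for rid in sorted(self.rules):
            action, net, care = self.rules[rid]
            if ip & care == net:
                return action, rid
        return "no-match", None


def gateway_acl_2000():
    """ACL 2000 exactly as built on the Gateway, in the order the page enters it."""
    acl = BasicAcl(2000)
    acl.add("rule permit source any")                     # auto-numbered: rule 5
    acl.add("rule 3 deny source 192.168.10.100 0.0.0.0")  # CLIENT1, exact match
    return acl
```

Had rule 3 been entered without a number it would have become rule 10 and never been reached for CLIENT1, which is why the explicit low ID matters when a deny is added after a permit-any.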