Posted by admin on 2021-2-5 18:22:37

Huawei Enterprise Network: Classic Comprehensive Configuration

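Requirements:
1. SW1/SW2/R1 enable Telnet with AAA authentication, and each creates a LoopBack interface as its management address; R2 simulates the ISP link.
2. SW2 is the root for instance 1/3 (VLAN 10/30); vlanif10/30 are VRRP backup and vlanif20 is VRRP master. SW3 is the root for instance 2 (VLAN 20); vlanif10/30 are VRRP master and vlanif20 is VRRP backup.
3. Configure an Eth-Trunk between SW3 and SW4 with a maximum active link threshold of 2; the GE0/0/5 link provides redundant backup.
4. SW2, SW3 and R1 run OSPF with authentication, using MD5 encryption mode.
5. SW2 and SW3 run VRRP with authentication, using MD5 encryption mode.

Simple security:
1. CLIENT1 is not allowed to access the Internet.
2. The other CLIENTs are allowed to access the Internet.
3. LAN SERVER provides HTTP and FTP services to the LAN only.
4. CLIENT4, 6 and 7 can access HTTP and FTP on SERVER2.
5. Internet users can access HTTP on WAN SERVER.
6. WAN SERVER is reached at the address 200.1.1.3.
7. LAN users access the Internet through EasyIP.

Address list:
vlan 10 192.168.10.0/24
vlan 20 192.168.20.0/24
vlan 30 192.168.30.0/24
vlanif100 10.10.13.3/24
vlanif200 10.10.14.4/24
SW3 vlanif 10 192.168.10.253/24
SW3 vlanif 20 192.168.20.253/24
SW3 vlanif 30 192.168.30.253/24
SW4 vlanif 10 192.168.10.254/24
SW4 vlanif 20 192.168.20.254/24
SW4 vlanif 30 192.168.30.254/24
vlanif10 vrrp 192.168.10.1/24
vlanif20 vrrp 192.168.20.1/24
vlanif30 vrrp 192.168.30.1/24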

The configuration is as follows:
SW1 (aggregation switch)
<Huawei>system-view
sysname sw1
vlan batch 10 20 30
port-group group-member Ethernet 0/0/1 to Ethernet 0/0/3
port link-type access
quit
interface Ethernet0/0/1
port default vlan 10
quit
interface Ethernet0/0/2
port default vlan 20
quit
interface Ethernet0/0/3
port default vlan 30
quit
port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan all
quit
stp mode mstp
stp region-configuration
region-name zurkj
revision-level 1
instance 1 vlan 10
instance 2 vlan 20
instance 3 vlan 30
active region-configuration
display port vlan active
quit
<sw1>save

SW2 (aggregation switch)
<Huawei>system-view
sysname sw2
vlan batch 10 20
interface Ethernet0/0/1
port link-type access
port default vlan 20
quit
interface Ethernet0/0/2
port link-type access
port default vlan 10
quit
port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan all
quit
stp mode mstp
stp region-configuration
region-name zurkj
revision-level 1
instance 1 vlan 10
instance 2 vlan 20
instance 3 vlan 30
active region-configuration
quit
<sw2>save

SW3 (core switch)
Basic configuration
<Huawei>system-view
sysname sw3
router id 192.168.3.1 //create the router ID
interface loopback 0 //create the loopback interface
ip address 192.168.3.1 32
quit
user-interface vty 0 4 //user interfaces VTY 0-4
authentication-mode aaa //authentication mode AAA
quit
aaa
local-user zurkj password cipher admin1234 //local user and password
local-user zurkj service-type telnet //local user service type: Telnet
local-user zurkj privilege level 15 //local user privilege level 15
quit

Configure VLANs
vlan batch 10 20 30
port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan all
quit

Configure link aggregation
interface Eth-Trunk 1 //create the link aggregation interface
mode lacp-static //static LACP mode
max active-linknumber 2 //maximum active link threshold is 2
port link-type trunk
port trunk allow-pass vlan all
quit
lacp priority 100 //switch (system) LACP priority is 100
interface GigabitEthernet 0/0/3
eth-trunk 1
lacp priority 100 //interface LACP priority is 100
interface GigabitEthernet 0/0/4
eth-trunk 1
lacp priority 100
quit
interface GigabitEthernet 0/0/5
eth-trunk 1
quit
display eth-trunk 1 //display the link aggregation state
Eth-Trunk1's state information is:
Local:
LAG ID: 1                   WorkingMode: STATIC
Preempt Delay: Disabled     Hash arithmetic: According to SIP-XOR-DIP
System Priority: 100        System ID: 4c1f-cc03-02df
Least Active-linknumber: 1  Max Active-linknumber: 2
Operate status: down        Number Of Up Port In Trunk: 0
--------------------------------------------------------------------------------
ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/3   Unselect 1GE      100     4      305     10100010  1
GigabitEthernet0/0/4   Unselect 1GE      100     5      305     10100010  1
GigabitEthernet0/0/5   Unselect 1GE      32768   6      305     10100010  1

Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
GigabitEthernet0/0/3   0        0000-0000-0000  0       0      0       10100011
GigabitEthernet0/0/4   0        0000-0000-0000  0       0      0       10100011
GigabitEthernet0/0/5   0        0000-0000-0000  0       0      0       10100011

Configure spanning tree
stp mode mstp //spanning tree mode MSTP (generally the Huawei default)
stp region-configuration //enter the MST region configuration
region-name zurkj //region name: zurkj
revision-level 1 //revision level: 1
instance 1 vlan 10 //map VLAN 10 to instance 1
instance 2 vlan 20
instance 3 vlan 30
active region-configuration //activate the region configuration
quit
stp instance 1 root primary //primary root for instance 1
stp instance 3 root primary //primary root for instance 3
stp instance 2 root secondary //secondary root for instance 2
display stp region-configuration //display the MST region configuration

Configure VLAN 100, used by the VLANIF100 interface that communicates over GE0/0/6.
vlan 100
quit
interface vlanif 100
ip address 10.10.13.3 24
quit
interface GigabitEthernet 0/0/6
port link-type access
port default vlan 100
quit

Configure the VLANIF interfaces and VRRP: three VLANs map to three VLANIF interfaces, with three VRRP groups.
interface vlanif 10 //create the VLANIF 10 interface
ip address 192.168.10.253 24
vrrp vrid 1 virtual-ip 192.168.10.1 //create VRRP backup group 1 with virtual IP …
vrrp vrid 1 priority 150 //priority is 150
vrrp vrid 1 authentication-mode md5 admin123 //authentication mode MD5 with this password
display this
quit
interface vlanif 20
ip address 192.168.20.253 24
vrrp vrid 2 virtual-ip 192.168.20.1
vrrp vrid 2 priority 200
vrrp vrid 2 track interface GigabitEthernet 0/0/6 reduced 150 //track the uplink: when GE0/0/6 goes down, reduce the priority by 150
vrrp vrid 2 authentication-mode md5 admin123
display this
quit
interface vlanif 30
ip address 192.168.30.253 24
vrrp vrid 3 virtual-ip 192.168.30.1
vrrp vrid 3 priority 150
vrrp vrid 3 authentication-mode md5 admin123
display this
quit
display ip interface brief

Configure OSPF
ospf 1 //create OSPF process 1
area 0 //create backbone area 0
authentication-mode md5 1 cipher admin1234
network 192.168.10.0 0.0.0.255 //advertise the participating network with its wildcard mask
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 10.10.13.0 0.0.0.255
display this

SW4 (core switch)
<Huawei>system-view
sysname sw4
router id 192.168.4.1
interface LoopBack 0
ip address 192.168.4.1 32
quit
user-interface vty 0 4
authentication-mode aaa
quit
aaa
local-user zurkj password cipher admin1234
local-user zurkj service-type telnet
local-user zurkj privilege level 15
quit
vlan batch 10 20 30
port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
port link-type trunk
port trunk allow-pass vlan all
quit
interface Eth-Trunk 1
mode lacp-static
max active-linknumber 2
port link-type trunk
port trunk allow-pass vlan all
display this
quit
interface GigabitEthernet 0/0/3
eth-trunk 1
quit
interface GigabitEthernet 0/0/4
eth-trunk 1
quit
interface GigabitEthernet 0/0/5
eth-trunk 1
quit
display eth-trunk 1
stp mode mstp
stp region-configuration
region-name zurkj
revision-level 1
instance 1 vlan 10
instance 2 vlan 20
instance 3 vlan 30
active region-configuration
quit
stp instance 1 root secondary
stp instance 2 root primary
stp instance 3 root secondary
display stp instance 1
display stp instance 2
display stp instance 3
vlan 200
quit
interface vlanif 200
ip address 10.10.14.4 24
quit
interface GigabitEthernet 0/0/6
port link-type access
port default vlan 200
quit
interface vlanif 10
ip address 192.168.10.254 24
vrrp vrid 1 virtual-ip 192.168.10.1
vrrp vrid 1 priority 200
vrrp vrid 1 track interface GigabitEthernet 0/0/6 reduced 150
vrrp vrid 1 authentication-mode md5 admin123
display this
quit
interface vlanif 20
ip address 192.168.20.254 24
vrrp vrid 2 virtual-ip 192.168.20.1
vrrp vrid 2 priority 150
vrrp vrid 2 authentication-mode md5 admin123
display this
quit
interface vlanif 30
ip address 192.168.30.254 24
vrrp vrid 3 virtual-ip 192.168.30.1
vrrp vrid 3 priority 200
vrrp vrid 3 authentication-mode md5 admin123
vrrp vrid 3 track interface GigabitEthernet 0/0/6 reduced 150
display this
quit
ospf 1
area 0
authentication-mode md5 1 cipher admin1234
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.4.1 0.0.0.255
network 10.10.14.0 0.0.0.255
display this
quit
quit
disp ospf lsdb
display ospf brief
display ip routing-table protocol ospf
display ip routing-table

ISP (carrier)
<Huawei>system-view
sysname ISP
interface GigabitEthernet 0/0/0
ip address 200.1.1.2 29
quit
interface GigabitEthernet 0/0/1
ip address 100.1.1.1 24
quit
display ip interface brief

Gateway (egress gateway)
Basic configuration
<Huawei>system-view
sysname Gateway
router id 192.168.1.1
interface loopback 0
ip address 192.168.1.1 32
quit
user-interface vty 0 4
authentication-mode aaa
quit
aaa
local-user zurkj password cipher admin1234
local-user zurkj service-type telnet
local-user zurkj privilege level 15
quit
interface GigabitEthernet 0/0/0
ip address 200.1.1.1 29
quit
interface GigabitEthernet 0/0/1
ip address 10.10.13.1 24
quit
interface GigabitEthernet 0/0/2
ip address 10.10.14.1 24
quit
interface Ethernet 1/0/0
ip address 192.168.100.1 24
quit
display ip interface brief

Configure OSPF
ospf 1 //create OSPF process 1
area 0 //backbone area 0
authentication-mode md5 1 cipher admin1234 //authentication mode MD5 and password
network 10.10.13.0 0.0.0.255 //advertise the participating networks
network 10.10.14.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
display this
quit
quit
display ospf peer //display the OSPF neighbor state
display ospf lsdb //display the OSPF link-state database
display ip routing-table //display the routing table

Configure the default route
ip route-static 0.0.0.0 0 200.1.1.2 //default route and its next-hop address

Configure NAT (Easy IP)
acl 2000 //create the access control list
rule permit source any //rule: permit all source IPs
quit
interface GigabitEthernet 0/0/0
nat outbound 2000 //apply ACL 2000 to outbound NAT on the egress interface
quit
display nat outbound
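
Configure OSPF default route advertisement
ospf 1
default-route-advertise always //advertise the default route into OSPF
display this
quit

Gateway: simple filtering with the ACL
<Gateway>system-view
acl 2000 //enter ACL 2000
rule 3 deny source 192.168.10.100 0.0.0.0 //insert rule 3: deny this source IP, wildcard mask for an exact match
display this
quit
interface GigabitEthernet 0/0/0
nat server protocol tcp global 200.1.1.3 80 inside 192.168.100.100 80 //create the NAT server: TCP, public address, private address; maps the internal address to the external address on port 80
return
<Gateway>save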
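
The rule ordering behind the ACL 2000 filter above, as an added Python example (not part of the original post). It models VRP basic ACLs in the default config match order: rules are checked by ascending rule ID and unnumbered rules are auto-numbered in steps of 5, so `rule permit source any` becomes rule 5 and the explicit `rule 3 deny` is checked first. The function names and the LATE_DENY list are constructed for illustration.

```python
import ipaddress

STEP, ANY = 5, 0xFFFFFFFF        # VRP default ACL step; wildcard mask of "any"

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_rule(line, existing_ids):
    """Parse 'rule [id] permit|deny source any|<ip> <wildcard>' (basic ACL)."""
    tok = line.split("//")[0].split()[1:]        # drop 'rule' and any comment
    if tok[0].isdigit():
        rule_id = int(tok.pop(0))
    else:                                        # next multiple of STEP above the max ID
        rule_id = (max(existing_ids, default=0) // STEP + 1) * STEP
    action, _source, *match = tok
    addr, wild = (0, ANY) if match == ["any"] else map(ip_int, match)
    return rule_id, (action, addr, wild)

def build_acl(lines):
    rules = {}
    for line in lines:
        rule_id, body = parse_rule(line, rules)
        rules[rule_id] = body
    return sorted(rules.items())                 # config order: ascending rule ID

def evaluate(acl, src):
    """Return (action, rule_id) of the first matching rule, or ('no-match', None)."""
    ip = ip_int(src)
    for rule_id, (action, addr, wild) in acl:
        if ((ip ^ addr) & ~wild & ANY) == 0:     # bits where the wildcard is 0 must match
            return action, rule_id
    return "no-match", None

def shadowed(acl):
    """IDs of rules that can never match because an earlier rule covers them."""
    return [rid for i, (rid, (_, addr, wild)) in enumerate(acl)
            if any((w2 | wild) == w2 and ((a2 ^ addr) & ~w2 & ANY) == 0
                   for _, (_, a2, w2) in acl[:i])]

# Rules in the order they are typed on the Gateway in the post.
PAGE_ACL = build_acl(["rule permit source any",
                      "rule 3 deny source 192.168.10.100 0.0.0.0"])
# Constructed counter-example: the same deny typed without an explicit rule ID.
LATE_DENY = build_acl(["rule permit source any",
                       "rule deny source 192.168.10.100 0.0.0.0"])

if __name__ == "__main__":
    for name, acl in (("page", PAGE_ACL), ("late deny", LATE_DENY)):
        print(name, [r for r, _ in acl], evaluate(acl, "192.168.10.100"), shadowed(acl))
```

Running `shadowed()` over an exported ACL is a quick review check: any ID it returns is a rule that looks like a control but never takes effect.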