Classic Comprehensive Configuration for a Huawei Enterprise Network

Posted on 2021-2-5 18:22:37

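Requirements:
1. Enable Telnet with AAA authentication on SW1/SW2/R1, and create a LoopBack interface on each as its management address; R2 simulates the ISP link.
2. SW2 is the root for instance 1/3 (VLAN 10/30); its vlanif10/30 are VRRP backup and its vlanif20 is VRRP master.
SW3 is the root for instance 2 (VLAN 20); its vlanif10/30 are VRRP master and its vlanif20 is VRRP backup.
3. Configure an Eth-Trunk between SW3 and SW4 with a maximum active-link threshold of 2; the GE0/0/5 link provides redundant backup.
4. Configure OSPF on SW2, SW3 and R1 with authentication, using MD5 encryption mode.
5. Configure VRRP on SW2 and SW3 with authentication, using MD5 encryption mode.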

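Basic security:
1. CLIENT1 is not allowed to access the internet.
2. The other CLIENTs are allowed to access the internet.
3. LAN SERVER provides HTTP and FTP services to the LAN only.
4. CLIENT4, 6 and 7 can access HTTP and FTP on SERVER2.
5. Internet users can access HTTP on the WAN SERVER.
6. The WAN SERVER is reached at the address 200.1.1.3.
7. LAN users access the internet using Easy IP.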

Address list:
vlan 10 192.168.10.0/24
vlan 20 192.168.20.0/24
vlan 30 192.168.30.0/24
vlanif100 10.10.13.3/24
vlanif200 10.10.14.4/24
SW3 vlanif 10 192.168.10.253/24
SW3 vlanif 20 192.168.20.253/24
SW3 vlanif 30 192.168.30.253/24
SW4 vlanif 10 192.168.10.254/24
SW4 vlanif 20 192.168.20.254/24
SW4 vlanif 30 192.168.30.254/24
vlanif 10 vrrp 192.168.10.1/24
vlanif 20 vrrp 192.168.20.1/24
vlanif 30 vrrp 192.168.30.1/24


Configuration:
SW1 (aggregation switch)
<Huawei>system-view
[Huawei]sysname sw1
[sw1]vlan batch 10 20 30
[sw1]port-group group-member Ethernet 0/0/1 to Ethernet 0/0/3
[sw1-port-group]port link-type access
[sw1-port-group]quit
[sw1]interface Ethernet 0/0/1
[sw1-Ethernet0/0/1]port default vlan 10
[sw1-Ethernet0/0/1]quit
[sw1]interface Ethernet 0/0/2
[sw1-Ethernet0/0/2]port default vlan 20
[sw1-Ethernet0/0/2]quit
[sw1]interface Ethernet 0/0/3
[sw1-Ethernet0/0/3]port default vlan 30
[sw1-Ethernet0/0/3]quit
[sw1]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
[sw1-port-group]port link-type trunk
[sw1-port-group]port trunk allow-pass vlan all
[sw1-port-group]quit
[sw1]stp mode mstp
[sw1]stp region-configuration
[sw1-mst-region]region-name zurkj
[sw1-mst-region]revision-level 1
[sw1-mst-region]instance 1 vlan 10
[sw1-mst-region]instance 2 vlan 20
[sw1-mst-region]instance 3 vlan 30
[sw1-mst-region]active region-configuration
[sw1-mst-region]quit
[sw1]display port vlan active
[sw1]quit
<sw1>save

SW2 (aggregation switch)
<Huawei>system-view
[Huawei]sysname sw2
[sw2]vlan batch 10 20
[sw2]interface Ethernet 0/0/1
[sw2-Ethernet0/0/1]port link-type access
[sw2-Ethernet0/0/1]port default vlan 20
[sw2-Ethernet0/0/1]quit
[sw2]interface Ethernet 0/0/2
[sw2-Ethernet0/0/2]port link-type access
[sw2-Ethernet0/0/2]port default vlan 10
[sw2-Ethernet0/0/2]quit
[sw2]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
[sw2-port-group]port link-type trunk
[sw2-port-group]port trunk allow-pass vlan all
[sw2-port-group]quit
[sw2]stp mode mstp
[sw2]stp region-configuration
[sw2-mst-region]region-name zurkj
[sw2-mst-region]revision-level 1
[sw2-mst-region]instance 1 vlan 10
[sw2-mst-region]instance 2 vlan 20
[sw2-mst-region]instance 3 vlan 30
[sw2-mst-region]active region-configuration
[sw2-mst-region]quit
[sw2]quit
<sw2>save

SW3 (core switch)
Basic configuration
<Huawei>system-view
[Huawei]sysname sw3
[sw3]router id 192.168.3.1  // set the router ID
[sw3]interface loopback 0  // create the loopback interface
[sw3-LoopBack0]ip address 192.168.3.1 32
[sw3-LoopBack0]quit
[sw3]user-interface vty 0 4  // user interfaces VTY 0-4
[sw3-ui-vty0-4]authentication-mode aaa  // authentication mode: AAA
[sw3-ui-vty0-4]quit
[sw3]aaa
[sw3-aaa]local-user zurkj password cipher admin1234  // local user and password
[sw3-aaa]local-user zurkj service-type telnet  // local user service type: Telnet
[sw3-aaa]local-user zurkj privilege level 15  // local user privilege level 15
[sw3-aaa]quit
Configure VLANs
[sw3]vlan batch 10 20 30
[sw3]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
[sw3-port-group]port link-type trunk
[sw3-port-group]port trunk allow-pass vlan all
[sw3-port-group]quit
Configure link aggregation
[sw3]interface Eth-Trunk 1  // create the Eth-Trunk (link aggregation) interface
[sw3-Eth-Trunk1]mode lacp-static  // static LACP mode
[sw3-Eth-Trunk1]max active-linknumber 2  // maximum active link threshold of 2
[sw3-Eth-Trunk1]port link-type trunk
[sw3-Eth-Trunk1]port trunk allow-pass vlan all
[sw3-Eth-Trunk1]quit
[sw3]lacp priority 100  // switch (system) LACP priority 100
[sw3]interface GigabitEthernet 0/0/3
[sw3-GigabitEthernet0/0/3]eth-trunk 1
[sw3-GigabitEthernet0/0/3]lacp priority 100  // interface LACP priority 100
[sw3-GigabitEthernet0/0/3]quit
[sw3]interface GigabitEthernet 0/0/4
[sw3-GigabitEthernet0/0/4]eth-trunk 1
[sw3-GigabitEthernet0/0/4]lacp priority 100
[sw3-GigabitEthernet0/0/4]quit
[sw3]interface GigabitEthernet 0/0/5
[sw3-GigabitEthernet0/0/5]eth-trunk 1
[sw3-GigabitEthernet0/0/5]quit
[sw3]display eth-trunk 1  // show the link aggregation state
Eth-Trunk1's state information is:
Local:
LAG ID: 1                   WorkingMode: STATIC
Preempt Delay: Disabled     Hash arithmetic: According to SIP-XOR-DIP
System Priority: 100        System ID: 4c1f-cc03-02df
Least Active-linknumber: 1  Max Active-linknumber: 2
Operate status: down        Number Of Up Port In Trunk: 0
--------------------------------------------------------------------------------
ActorPortName          Status   PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/3   Unselect 1GE      100     4      305     10100010  1
GigabitEthernet0/0/4   Unselect 1GE      100     5      305     10100010  1
GigabitEthernet0/0/5   Unselect 1GE      32768   6      305     10100010  1
Partner:
--------------------------------------------------------------------------------
ActorPortName          SysPri   SystemID        PortPri PortNo PortKey PortState
GigabitEthernet0/0/3   0        0000-0000-0000  0       0      0       10100011
GigabitEthernet0/0/4   0        0000-0000-0000  0       0      0       10100011
GigabitEthernet0/0/5   0        0000-0000-0000  0       0      0       10100011
Configure spanning tree
[sw3]stp mode mstp  // spanning tree mode: MSTP (usually the default on Huawei)
[sw3]stp region-configuration  // MST region configuration
[sw3-mst-region]region-name zurkj  // region name: zurkj
[sw3-mst-region]revision-level 1  // revision level: 1
[sw3-mst-region]instance 1 vlan 10  // map VLAN 10 to instance 1
[sw3-mst-region]instance 2 vlan 20
[sw3-mst-region]instance 3 vlan 30
[sw3-mst-region]active region-configuration  // activate the region configuration
[sw3-mst-region]quit
[sw3]stp instance 1 root primary  // primary root for instance 1
[sw3]stp instance 3 root primary  // primary root for instance 3
[sw3]stp instance 2 root secondary  // secondary root for instance 2
[sw3]display stp region-configuration  // show the MST region configuration
Configure VLAN 100, used by the VLANIF100 interface for communication over GE0/0/6.
[sw3]vlan 100
[sw3-vlan100]quit
[sw3]interface vlanif 100
[sw3-Vlanif100]ip address 10.10.13.3 24
[sw3-Vlanif100]quit
[sw3]interface GigabitEthernet 0/0/6
[sw3-GigabitEthernet0/0/6]port link-type access
[sw3-GigabitEthernet0/0/6]port default vlan 100
[sw3-GigabitEthernet0/0/6]quit
Configure the VLANIF interfaces and VRRP: three VLANs map to three VLANIF interfaces, with three VRRP groups.
[sw3]interface vlanif 10  // create the VLANIF 10 interface
[sw3-Vlanif10]ip address 192.168.10.253 24
[sw3-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1  // create VRRP backup group 1 with virtual IP …
[sw3-Vlanif10]vrrp vrid 1 priority 150  // priority 150
[sw3-Vlanif10]vrrp vrid 1 authentication-mode md5 admin123  // authentication mode MD5 with key
[sw3-Vlanif10]display this
[sw3-Vlanif10]quit
[sw3]interface vlanif 20
[sw3-Vlanif20]ip address 192.168.20.253 24
[sw3-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1
[sw3-Vlanif20]vrrp vrid 2 priority 200
[sw3-Vlanif20]vrrp vrid 2 track interface GigabitEthernet 0/0/6 reduced 150
// track the uplink interface: when GE0/0/6 goes down, the priority is reduced by 150
[sw3-Vlanif20]vrrp vrid 2 authentication-mode md5 admin123
[sw3-Vlanif20]display this
[sw3-Vlanif20]quit
[sw3]interface vlanif 30
[sw3-Vlanif30]ip address 192.168.30.253 24
[sw3-Vlanif30]vrrp vrid 3 virtual-ip 192.168.30.1
[sw3-Vlanif30]vrrp vrid 3 priority 150
[sw3-Vlanif30]vrrp vrid 3 authentication-mode md5 admin123
[sw3-Vlanif30]display this
[sw3-Vlanif30]quit
[sw3]display ip interface brief
Configure OSPF
[sw3]ospf 1  // create OSPF process 1
[sw3-ospf-1]area 0  // create backbone area 0
[sw3-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234
[sw3-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255  // advertise the participating network, with wildcard mask
[sw3-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[sw3-ospf-1-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[sw3-ospf-1-area-0.0.0.0]network 192.168.3.0 0.0.0.255
[sw3-ospf-1-area-0.0.0.0]network 10.10.13.0 0.0.0.255
[sw3-ospf-1-area-0.0.0.0]display this

SW4 (core switch)
<Huawei>system-view
[Huawei]sysname sw4
[sw4]router id 192.168.4.1
[sw4]interface LoopBack 0
[sw4-LoopBack0]ip address 192.168.4.1 32
[sw4-LoopBack0]quit
[sw4]user-interface vty 0 4
[sw4-ui-vty0-4]authentication-mode aaa
[sw4-ui-vty0-4]quit
[sw4]aaa
[sw4-aaa]local-user zurkj password cipher admin1234
[sw4-aaa]local-user zurkj service-type telnet
[sw4-aaa]local-user zurkj privilege level 15
[sw4-aaa]quit
[sw4]vlan batch 10 20 30
[sw4]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/2
[sw4-port-group]port link-type trunk
[sw4-port-group]port trunk allow-pass vlan all
[sw4-port-group]quit
[sw4]interface Eth-Trunk 1
[sw4-Eth-Trunk1]mode lacp-static
[sw4-Eth-Trunk1]max active-linknumber 2
[sw4-Eth-Trunk1]display this
[sw4-Eth-Trunk1]quit
[sw4]interface GigabitEthernet 0/0/3
[sw4-GigabitEthernet0/0/3]eth-trunk 1
[sw4-GigabitEthernet0/0/3]quit
[sw4]interface GigabitEthernet 0/0/4
[sw4-GigabitEthernet0/0/4]eth-trunk 1
[sw4-GigabitEthernet0/0/4]quit
[sw4]interface GigabitEthernet 0/0/5
[sw4-GigabitEthernet0/0/5]eth-trunk 1
[sw4-GigabitEthernet0/0/5]quit
[sw4]display eth-trunk 1
[sw4]stp mode mstp
[sw4]stp region-configuration
[sw4-mst-region]region-name zurkj
[sw4-mst-region]revision-level 1
[sw4-mst-region]instance 1 vlan 10
[sw4-mst-region]instance 2 vlan 20
[sw4-mst-region]instance 3 vlan 30
[sw4-mst-region]active region-configuration
[sw4-mst-region]quit
[sw4]stp instance 1 root secondary
[sw4]stp instance 2 root primary
[sw4]stp instance 3 root secondary
[sw4]display stp instance 1
[sw4]display stp instance 2
[sw4]display stp instance 3
[sw4]vlan 200
[sw4-vlan200]quit
[sw4]interface vlanif 200
[sw4-Vlanif200]ip address 10.10.14.4 24
[sw4-Vlanif200]quit
[sw4]interface GigabitEthernet 0/0/6
[sw4-GigabitEthernet0/0/6]port link-type access
[sw4-GigabitEthernet0/0/6]port default vlan 200
[sw4-GigabitEthernet0/0/6]quit
[sw4]interface vlanif 10
[sw4-Vlanif10]ip address 192.168.10.254 24
[sw4-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.1
[sw4-Vlanif10]vrrp vrid 1 priority 200
[sw4-Vlanif10]vrrp vrid 1 track interface GigabitEthernet 0/0/6 reduced 150
[sw4-Vlanif10]vrrp vrid 1 authentication-mode md5 admin123
[sw4-Vlanif10]display this
[sw4-Vlanif10]quit
[sw4]interface vlanif 20
[sw4-Vlanif20]ip address 192.168.20.254 24
[sw4-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.1
[sw4-Vlanif20]vrrp vrid 2 priority 150
[sw4-Vlanif20]vrrp vrid 2 authentication-mode md5 admin123
[sw4-Vlanif20]display this
[sw4-Vlanif20]quit
[sw4]interface vlanif 30
[sw4-Vlanif30]ip address 192.168.30.254 24
[sw4-Vlanif30]vrrp vrid 3 virtual-ip 192.168.30.1
[sw4-Vlanif30]vrrp vrid 3 priority 200
[sw4-Vlanif30]vrrp vrid 3 authentication-mode md5 admin123
[sw4-Vlanif30]vrrp vrid 3 track interface GigabitEthernet 0/0/6 reduced 150
[sw4-Vlanif30]display this
[sw4-Vlanif30]quit
[sw4]ospf 1
[sw4-ospf-1]area 0
[sw4-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234
[sw4-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[sw4-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[sw4-ospf-1-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[sw4-ospf-1-area-0.0.0.0]network 192.168.4.1 0.0.0.255
[sw4-ospf-1-area-0.0.0.0]network 10.10.14.0 0.0.0.255
[sw4-ospf-1-area-0.0.0.0]display this
[sw4-ospf-1-area-0.0.0.0]quit
[sw4-ospf-1]quit
[sw4]display ospf lsdb
[sw4]display ospf brief
[sw4]display ip routing-table protocol ospf
[sw4]display ip routing-table

ISP (carrier)
<Huawei>system-view
[Huawei]sysname ISP
[ISP]interface GigabitEthernet 0/0/0
[ISP-GigabitEthernet0/0/0]ip address 200.1.1.2 29
[ISP-GigabitEthernet0/0/0]quit
[ISP]interface GigabitEthernet 0/0/1
[ISP-GigabitEthernet0/0/1]ip address 100.1.1.1 24
[ISP-GigabitEthernet0/0/1]quit
[ISP]display ip interface brief

Gateway (egress gateway)
Basic configuration
<Huawei>system-view
[Huawei]sysname Gateway
[Gateway]router id 192.168.1.1
[Gateway]interface loopback 0
[Gateway-LoopBack0]ip address 192.168.1.1 32
[Gateway-LoopBack0]quit
[Gateway]user-interface vty 0 4
[Gateway-ui-vty0-4]authentication-mode aaa
[Gateway-ui-vty0-4]quit
[Gateway]aaa
[Gateway-aaa]local-user zurkj password cipher admin1234
[Gateway-aaa]local-user zurkj service-type telnet
[Gateway-aaa]local-user zurkj privilege level 15
[Gateway-aaa]quit
[Gateway]interface GigabitEthernet 0/0/0
[Gateway-GigabitEthernet0/0/0]ip address 200.1.1.1 29
[Gateway-GigabitEthernet0/0/0]quit
[Gateway]interface GigabitEthernet 0/0/1
[Gateway-GigabitEthernet0/0/1]ip address 10.10.13.1 24
[Gateway-GigabitEthernet0/0/1]quit
[Gateway]interface GigabitEthernet 0/0/2
[Gateway-GigabitEthernet0/0/2]ip address 10.10.14.1 24
[Gateway-GigabitEthernet0/0/2]quit
[Gateway]interface Ethernet 1/0/0
[Gateway-Ethernet1/0/0]ip address 192.168.100.1 24
[Gateway-Ethernet1/0/0]quit
[Gateway]display ip interface brief
Configure OSPF
[Gateway]ospf 1  // create OSPF process 1
[Gateway-ospf-1]area 0  // backbone area 0
[Gateway-ospf-1-area-0.0.0.0]authentication-mode md5 1 cipher admin1234  // authentication mode MD5 with password
[Gateway-ospf-1-area-0.0.0.0]network 10.10.13.0 0.0.0.255  // advertise the participating networks
[Gateway-ospf-1-area-0.0.0.0]network 10.10.14.0 0.0.0.255
[Gateway-ospf-1-area-0.0.0.0]network 192.168.1.0 0.0.0.255
[Gateway-ospf-1-area-0.0.0.0]network 192.168.10.0 0.0.0.255
[Gateway-ospf-1-area-0.0.0.0]network 192.168.20.0 0.0.0.255
[Gateway-ospf-1-area-0.0.0.0]network 192.168.30.0 0.0.0.255
[Gateway-ospf-1-area-0.0.0.0]display this
[Gateway-ospf-1-area-0.0.0.0]quit
[Gateway-ospf-1]quit
[Gateway]display ospf peer  // show OSPF neighbor state
[Gateway]display ospf lsdb  // show the OSPF link-state database
[Gateway]display ip routing-table  // show the routing table
Configure the default route
[Gateway]ip route-static 0.0.0.0 0 200.1.1.2  // default route and its next-hop address
Configure NAT (Easy IP)
[Gateway]acl 2000  // create the access control list
[Gateway-acl-basic-2000]rule permit source any  // rule: permit all source IPs
[Gateway-acl-basic-2000]quit
[Gateway]interface GigabitEthernet 0/0/0
[Gateway-GigabitEthernet0/0/0]nat outbound 2000  // apply ACL 2000 to outbound NAT on the interface
[Gateway-GigabitEthernet0/0/0]quit
[Gateway]display nat outbound

Advertise the default route into OSPF
[Gateway]ospf 1
[Gateway-ospf-1]default-route-advertise always  // OSPF advertises the default route
[Gateway-ospf-1]display this
[Gateway-ospf-1]quit
Gateway
Configure simple ACL filtering
<Gateway>system-view
[Gateway]acl 2000  // enter access control list ACL 2000
[Gateway-acl-basic-2000]rule 3 deny source 192.168.10.100 0.0.0.0  // insert rule 3: deny this source IP (wildcard 0.0.0.0 is an exact match)
[Gateway-acl-basic-2000]display this
[Gateway-acl-basic-2000]quit
[Gateway]interface GigabitEthernet 0/0/0
[Gateway-GigabitEthernet0/0/0]nat server protocol tcp global 200.1.1.3 80 inside 192.168.100.100 80
// create a NAT server: TCP, public (global) address and private (inside) address; maps the internal address to the public address on port 80
[Gateway-GigabitEthernet0/0/0]return
<Gateway>save

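How the Gateway's ACL 2000 decides which LAN sources `nat outbound 2000` translates, as an added Python example that is not part of the original post. It assumes VRP's default rule-numbering step of 5 and config-mode matching in ascending rule-ID order; the function names are hypothetical and the input is constructed from the two rule commands in the post.

```python
import ipaddress
import re

# Constructed input: the ACL 2000 commands from the Gateway section, in the
# order they are typed (the permit first, the deny added later).
ACL_2000 = """\
rule permit source any
rule 3 deny source 192.168.10.100 0.0.0.0
"""
# Same rules, but with the deny typed without an explicit rule ID.
ACL_UNNUMBERED = ("rule permit source any\n"
                  "rule deny source 192.168.10.100 0.0.0.0\n")

RULE_RE = re.compile(
    r"rule\s+(?:(?P<id>\d+)\s+)?(?P<action>permit|deny)\s+source\s+"
    r"(?P<src>any|\S+)(?:\s+(?P<wild>\S+))?")

def parse_acl(text, step=5):
    """Return {rule_id: (action, source_int, wildcard_int)}.

    Assumption: a rule typed without an ID gets the smallest multiple of
    the step that is greater than the highest ID already in the ACL.
    """
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            continue
        rid = int(m["id"]) if m["id"] else (max(rules, default=0) // step + 1) * step
        if m["src"] == "any":
            src, wild = 0, 0xFFFFFFFF
        else:
            src = int(ipaddress.IPv4Address(m["src"]))
            wild = int(ipaddress.IPv4Address(m["wild"] or "0.0.0.0"))
        rules[rid] = (m["action"], src, wild)
    return rules

def evaluate(rules, source_ip):
    """First match in ascending rule-ID order; None if no rule matches."""
    ip = int(ipaddress.IPv4Address(source_ip))
    for rid in sorted(rules):
        action, src, wild = rules[rid]
        # Wildcard bits set to 1 are "don't care"; all other bits must agree.
        if (ip ^ src) & ~wild & 0xFFFFFFFF == 0:
            return rid, action
    return None

if __name__ == "__main__":
    for name, acl in (("rule 3 deny", ACL_2000), ("unnumbered deny", ACL_UNNUMBERED)):
        rules = parse_acl(acl)
        for host in ("192.168.10.100", "192.168.10.101"):
            print(name, host, evaluate(rules, host))
```

With the deny entered as rule 3 it sorts ahead of the auto-numbered permit (rule 5), so 192.168.10.100 hits the deny and is left out of Easy IP translation; typed without an ID it would become rule 10 and never be reached.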
