Overview
1. System modules and devices
2. Network data communication
4. Access control policies
5. Detailed device commands
System modules and devices
The whole network is divided into three parts; from left to right they are the main campus, the public network, and the branch campus.
The main campus is partitioned around the egress firewall into Trust, Untrust and DMZ zones. (1) The Trust zone is the main-campus intranet, built on a three-layer switched architecture: access, aggregation and core layers from bottom to top. The access layer has six S3700 switches, one for each of the six main-campus departments; below each switch there is a wired and a wireless network, the wired network represented by 6 PCs and the wireless network by 6 APs. The aggregation layer has two high-performance S5700 switches that aggregate and manage traffic; the core layer also has two S5700 switches, which act as the network backbone and handle route selection and high-volume forwarding. (2) The Untrust zone connects outward to the public network. (3) The DMZ zone holds the HTTP, FTP and DNS servers, which provide services while staying isolated from the intranet.
The public network contains a carrier router that interconnects the LAN and the WAN, and a service-provider device that delivers content services to the LAN.
The branch campus is a small LAN using a router-on-a-stick architecture. Its main devices, from bottom to top, are six access switches, two aggregation switches, a router and a firewall. The six access switches correspond to six departments, each with one PC representing the wired network; two additional client devices are added to verify the server functions and the access control policies.
Network data communication
Technologies involved
Layer 3 switching, router-on-a-stick, VLAN, MSTP, VRRP, DHCP, OSPF, firewall, IPSec VPN, NAT, AAA, etc.
Topology
Topology file download: https://pan.baidu.com/s/1nd1wXAByyRceT_9VGIi1pQ?pwd=wys1
Extraction code: wys1
Diagram:
Main campus
1. VLAN assignment and IP planning
(1) At the main campus, each department's wired network is assigned one VLAN, VLAN 10 to VLAN 60. Each department's wireless network is split into a management VLAN and a service VLAN: the service VLANs are 100, 300, 500, 700, 900 and 1100, and the management VLANs are 200, 400, 600, 800, 1000 and 1200. The service VLAN carries the wireless traffic the APs radiate, while the management VLAN is what the AC uses to push configuration to the APs (Wi-Fi name and password, AP IP addresses and so on). Because the core switches and the firewall are Layer 3 devices that need IP addresses to communicate, VLAN 70 and VLAN 80 are set up between the two core switches and the firewall.
(2) At the branch campus, each department's wired network is assigned one VLAN, VLAN 10 to VLAN 60.
The IP address plan for both sites is shown in the table below.
| VLAN | VLAN name | IP / subnet | Default gateway | Notes |
|---|---|---|---|---|
| VLAN10 | A | 192.168.10.0/24 | 192.168.10.254 | Administration (main) |
| VLAN20 | B | 192.168.20.0/24 | 192.168.10.254 | Academic affairs (main) |
| VLAN30 | C | 192.168.30.0/24 | 192.168.10.254 | Finance (main) |
| VLAN40 | D | 192.168.40.0/24 | 192.168.10.254 | Library (main) |
| VLAN50 | E | 192.168.50.0/24 | 192.168.10.254 | Information office (main) |
| VLAN60 | F | 192.168.60.0/24 | 192.168.10.254 | Student dormitory (main) |
| VLAN70 | Core 1 | 192.168.70.0/30 | | VLAN between the left core switch and the firewall |
| VLAN80 | Core 2 | 192.168.80.0/30 | | VLAN between the right core switch and the firewall |
| VLAN100 | AWLAN1 | 192.168.100.0/24 | 192.168.100.254 | Wireless service VLAN, administration (main) |
| VLAN200 | AWLAN2 | 192.168.200.0/24 | 192.168.200.254 | Wireless management VLAN, administration (main) |
| VLAN300 | BWLAN1 | 192.168.300.0/24 | 192.168.201.254 | Wireless service VLAN, academic affairs (main) |
| VLAN400 | BWLAN2 | 192.168.400.0/24 | 192.168.202.254 | Wireless management VLAN, academic affairs (main) |
| VLAN500 | CWLAN1 | 192.168.500.0/24 | 192.168.203.254 | Wireless service VLAN, finance (main) |
| VLAN600 | CWLAN2 | 192.168.600.0/24 | 192.168.204.254 | Wireless management VLAN, finance (main) |
| VLAN700 | DWLAN1 | 192.168.700.0/24 | 192.168.205.254 | Wireless service VLAN, library (main) |
| VLAN800 | DWLAN2 | 192.168.800.0/24 | 192.168.206.254 | Wireless management VLAN, library (main) |
| VLAN900 | EWLAN1 | 192.168.900.0/24 | 192.168.207.254 | Wireless service VLAN, information office (main) |
| VLAN1000 | EWLAN2 | 192.168.1000.0/24 | 192.168.208.254 | Wireless management VLAN, information office (main) |
| VLAN1100 | FWLAN1 | 192.168.1100.0/24 | 192.168.209.254 | Wireless service VLAN, student dormitory (main) |
| VLAN1200 | FWLAN2 | 192.168.1200.0/24 | 192.168.210.254 | Wireless management VLAN, student dormitory (main) |
| VLAN10 | G | 172.16.10.0/24 | 192.168.10.254 | Student dormitory (branch) |
| VLAN20 | H | 172.16.20.0/24 | 192.168.20.254 | Academic affairs office (branch) |
| VLAN30 | I | 172.16.30.0/24 | 192.168.30.254 | Teachers' office (branch) |
| VLAN40 | J | 172.16.40.0/24 | 192.168.40.254 | Canteen (branch) |
| VLAN50 | K | 172.16.50.0/24 | 192.168.50.254 | Food street (branch) |
| VLAN60 | O | 172.16.60.0/24 | 192.168.60.254 | Server room (branch) |
| | | 172.16.70.0/30 | | Link between the branch router and the branch firewall |
| | | 192.168.101.0/24 | 192.168.101.254 | Main-campus firewall DMZ zone, hosts the servers |
| | | 1.1.1.1 | | Egress public IP of the main-campus firewall |
| | | 1.1.1.2 | | Carrier router port facing the main-campus firewall |
| | | 2.2.2.1 | | Carrier router port facing the branch firewall |
| | | 2.2.2.2 | | Egress public IP of the branch firewall |
| | | 3.3.3.3 | | Service provider IP |
2. Port link modes
All ports between switches, between switches and routers, between switches and firewalls, and between switches and the AC or APs are configured as trunk ports that carry the relevant set of VLANs; ports between a switch and a PC are configured as access ports that carry only the VLAN of that department.
3. MSTP configuration (data link layer)
MSTP provides load sharing at the data link layer by deciding which core switch each VLAN's traffic goes through. It cannot split traffic per VLAN directly, only per instance, so the relevant VLANs must be mapped into the corresponding instances.
MSTP must be configured on the access, aggregation and core switches so that all switches belong to the same MST region. VLANs 10, 20 and 30 are mapped to instance 1 of the region and VLANs 40, 50 and 60 to instance 2; LSW9 is the primary root bridge of instance 1 and the secondary root of instance 2, while LSW10 is the primary root of instance 2 and the secondary root of instance 1.
4. VRRP configuration (network layer)
VRRP provides load sharing at the network layer together with device redundancy, by deciding which switch is the primary gateway of each VLAN.
vlan10:
Set LSW9's VLAN 10 interface as the master gateway with IP 192.168.10.252; VRRP group ID 1, virtual gateway 192.168.10.254.
Set LSW10's VLAN 10 interface as the backup gateway with IP 192.168.10.253; VRRP group ID 1, virtual gateway 192.168.10.254.
Master/backup election is by priority comparison: LSW9 is set to priority 120 and LSW10 keeps the default 100. Interface tracking is then configured so that if VLAN 70 goes down, LSW9's priority is reduced by 30 to 90, at which point LSW10 is automatically elected as the new master.
vlan20:
Set LSW9's VLAN 20 interface as the master gateway with IP 192.168.20.252; VRRP group ID 2, virtual gateway 192.168.20.254.
Set LSW10's VLAN 20 interface as the backup gateway with IP 192.168.20.253; VRRP group ID 2, virtual gateway 192.168.20.254.
Master/backup election is by priority comparison: LSW9 is set to priority 120 and LSW10 keeps the default 100. Interface tracking is then configured so that if VLAN 70 goes down, LSW9's priority is reduced by 30 to 90, at which point LSW10 is automatically elected as the new master.
vlan30: same as above
vlan40:
Set LSW10's VLAN 40 interface as the master gateway with IP 192.168.40.252; VRRP group ID 4, virtual gateway 192.168.40.254.
Set LSW9's VLAN 40 interface as the backup gateway with IP 192.168.40.253; VRRP group ID 4, virtual gateway 192.168.40.254.
Master/backup election is by priority comparison: LSW9 keeps the default 100 and LSW10 is set to priority 120. Interface tracking is then configured so that if VLAN 80 goes down, LSW10's priority is reduced by 30 to 90, at which point LSW9 is automatically elected as the new master.
vlan50:
Set LSW10's VLAN 50 interface as the master gateway with IP 192.168.50.252; VRRP group ID 5, virtual gateway 192.168.50.254.
Set LSW9's VLAN 50 interface as the backup gateway with IP 192.168.50.253; VRRP group ID 5, virtual gateway 192.168.50.254.
Master/backup election is by priority comparison: LSW9 keeps the default 100 and LSW10 is set to priority 120. Interface tracking is then configured so that if VLAN 80 goes down, LSW10's priority is reduced by 30 to 90, at which point LSW9 is automatically elected as the new master.
vlan60: same as above
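As an added illustration (example code, not part of the original write-up), the election rule described above carried through for all six VLANs: the configured priorities, the priority reduction while the tracked Vlanif 70 or Vlanif 80 interface is down, and the tie-break VRRP applies when priorities are equal (the higher interface address wins).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class VrrpMember:
    """One switch's membership in a VRRP group, as configured on the core switches."""
    router: str
    ip: str                         # the interface's own address, used as the tie-breaker
    priority: int = 100             # Huawei default priority
    track_if: Optional[str] = None  # interface whose failure lowers the priority
    reduce: int = 0                 # amount subtracted while the tracked interface is down

    def effective_priority(self, down_ifs):
        if self.track_if is not None and self.track_if in down_ifs:
            return max(self.priority - self.reduce, 1)   # configurable range is 1..254
        return self.priority


def ip_key(ip):
    """Numeric tuple so that 192.168.10.253 > 192.168.10.252 compares as VRRP expects."""
    return tuple(int(octet) for octet in ip.split("."))


def elect_master(members, down_ifs=frozenset()):
    """Highest effective priority wins; on a tie the member with the higher IP address wins."""
    best = max(members, key=lambda m: (m.effective_priority(down_ifs), ip_key(m.ip)))
    return best.router


def build_groups():
    """The six groups from the plan: LSW9 masters VLANs 10-30, LSW10 masters VLANs 40-60."""
    groups = {}
    for vlan in (10, 20, 30):
        groups[vlan] = [
            VrrpMember("LSW9", f"192.168.{vlan}.252", priority=120, track_if="Vlanif70", reduce=30),
            VrrpMember("LSW10", f"192.168.{vlan}.253"),
        ]
    for vlan in (40, 50, 60):
        groups[vlan] = [
            VrrpMember("LSW10", f"192.168.{vlan}.252", priority=120, track_if="Vlanif80", reduce=30),
            VrrpMember("LSW9", f"192.168.{vlan}.253"),
        ]
    return groups


def masters(down_ifs=frozenset()):
    """Map each VLAN to the switch that currently owns its virtual gateway."""
    return {vlan: elect_master(members, down_ifs) for vlan, members in build_groups().items()}


if __name__ == "__main__":
    print("normal:        ", masters())
    print("Vlanif70 down: ", masters({"Vlanif70"}))
```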
5. DHCP configuration
On LSW9, enable DHCP globally; create an address pool whose gateway is the VRRP virtual gateway and whose DNS server address you choose yourself; then enable the global DHCP pool on the relevant VLAN interfaces.
6. OSPF configuration
A routing protocol must run between firewall FW1 and LSW9/LSW10 to establish Layer 3 routing inside the intranet, so that both the DMZ and the external network can be reached.
FW1: OSPF process ID 1, router ID 3.3.3.3. Backbone area 0 contains 192.168.70.2 0.0.0.0 and 192.168.80.2 0.0.0.0, both advertised precisely. Stub area 3 contains 192.168.101.0 0.0.0.255, advertised for the DMZ.
LSW9: OSPF process ID 1, router ID 1.1.1.1. Backbone area 0 contains 192.168.70.1 0.0.0.0, advertised precisely. Stub area 1 contains 192.168.10.0 0.0.0.255, 192.168.20.0 0.0.0.255, 192.168.30.0 0.0.0.255 and so on.
LSW10: OSPF process ID 1, router ID 2.2.2.2. Backbone area 0 contains 192.168.80.1 0.0.0.0, advertised precisely. Stub area 2 contains 192.168.10.0 0.0.0.255, 192.168.20.0 0.0.0.255, 192.168.30.0 0.0.0.255 and so on.
7. Firewall configuration
(1) Zone assignment: add each interface to the corresponding Trust, Untrust or DMZ zone.
(2) Static routes: the next hop of the default route is 1.1.1.2; the next hop of the route to 172.16.0.0/16 is 2.2.2.2.
(3) IPSec VPN
1) First open the firewall security policy completely so that all traffic is allowed (verification: allow ping and ping the peer firewall).
2) Create a proposal and establish the SA (security association) through IKE.
3) Define the IPSec interesting traffic (ACL) and apply the IPSec policy on the egress interface of both firewalls.
(4) NAT
1) Rule 0: a no-NAT rule matched on source IP (192.168.0.0/16) and destination IP (172.16.0.0/16), so that intranet traffic still matches the IPSec interesting traffic and goes through the IPSec tunnel.
2) Rule 1: a translation rule matched on the Trust and Untrust zones, used for Internet access.
8. Wireless network
Taking the administration department's WLAN as an example:
AC: enter the management VLANIF, configure the gateway, enable DHCP (to assign addresses to the APs), and set up the WLAN configuration.
LSW9: OSPF must advertise the service VLAN network; set the gateway on the service VLANIF and enable DHCP (to assign addresses to the devices that connect through the APs).
LSW1: on the port connected to the AP, set the PVID to 200 so that the untagged frames pushed by the AC are admitted into VLAN 200.
Branch campus
1. Firewall configuration
Zone assignment, NAT, IPSec VPN, static routes
2. Router configuration
Per-VLAN subinterface configuration: set the IP address, set the dot1q tag, enable ARP broadcast, enable DHCP
Access control policies
Requirement 1: the student dormitories of the main campus and the branch campus may not access the finance department, but the reverse direction is allowed.
[Huawei]acl 3000 # advanced ACL
[Huawei-acl-adv-3000]rule permit tcp source 192.168.60.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 tcp-flag syn ack # allow the dormitory to answer TCP requests from finance
[Huawei-acl-adv-3000]rule deny tcp source 192.168.60.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 tcp-flag syn # deny TCP connections initiated by the dormitory towards finance
[Huawei-acl-adv-3000]rule deny icmp source 192.168.60.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 icmp-type echo # deny ping (echo request) from the dormitory towards finance; the source is the dormitory subnet 192.168.60.0/24
[SwitchC] traffic classifier tc1
[SwitchC-classifier-tc1] if-match acl 3000
[SwitchC] traffic behavior tb1
[SwitchC-behavior-tb1] permit
[SwitchC] traffic policy tp1 # note: no hyphen in this command
[SwitchC-trafficpolicy-tp1] classifier tc1 behavior tb1
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] traffic-policy tp1 inbound
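An added model of how this ACL is evaluated (example code, not the page's own): it parses the rule lines as written in the subset of Huawei advanced-ACL syntax used on this page and applies them first-match, with the traffic-filter default of permitting packets that match no rule. The ICMP rule's source is taken as the dormitory subnet 192.168.60.0/24 from the plan; the port-name and ICMP-type tables cover only the keywords that appear on this page.

```python
from dataclasses import dataclass
from typing import Optional

NAMED_PORTS = {"ftp": 21, "www": 80, "telnet": 23}   # names used by the rules on this page
TCP_FLAGS = {"syn", "ack", "fin", "rst", "psh", "urg"}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}


def ip_to_int(addr):
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr, base, wildcard):
    """Huawei wildcard mask: a 1 bit means 'don't care' (0.0.0.255 = a /24, 0.0.0.0 = one host)."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class Rule:
    action: str
    proto: str
    src: Optional[tuple] = None          # (base, wildcard); None means any
    dst: Optional[tuple] = None
    tcp_flags: frozenset = frozenset()   # every listed flag must be set in the packet
    icmp_type: Optional[int] = None
    dport: Optional[int] = None


def parse_rule(text):
    """Parse one 'rule [n] permit|deny proto ...' line as written on this page."""
    tok = text.split()
    i = 2 if tok[1].isdigit() else 1                  # skip the optional rule number
    rule = Rule(action=tok[i], proto=tok[i + 1])
    i += 2
    while i < len(tok):
        kw = tok[i]
        if kw in ("source", "destination"):
            if tok[i + 1] == "any":
                pair, i = None, i + 2
            else:
                wc = "0.0.0.0" if tok[i + 2] == "0" else tok[i + 2]   # 'addr 0' = exact host
                pair, i = (tok[i + 1], wc), i + 3
            setattr(rule, "src" if kw == "source" else "dst", pair)
        elif kw == "tcp-flag":
            i += 1
            flags = set()
            while i < len(tok) and tok[i] in TCP_FLAGS:
                flags.add(tok[i])
                i += 1
            rule.tcp_flags = frozenset(flags)
        elif kw == "icmp-type":
            rule.icmp_type = ICMP_TYPES[tok[i + 1]]
            i += 2
        elif kw == "destination-port":                # only the 'eq' form is handled here
            port = tok[i + 2]
            rule.dport = NAMED_PORTS.get(port) or int(port)
            i += 3
        else:
            raise ValueError(f"unsupported keyword {kw!r}")
    return rule


def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if rule.src and not wildcard_match(pkt["src"], *rule.src):
        return False
    if rule.dst and not wildcard_match(pkt["dst"], *rule.dst):
        return False
    if rule.tcp_flags and not rule.tcp_flags <= pkt.get("flags", frozenset()):
        return False
    if rule.icmp_type is not None and pkt.get("icmp_type") != rule.icmp_type:
        return False
    if rule.dport is not None and pkt.get("dport") != rule.dport:
        return False
    return True


def evaluate(rules, pkt, default="permit"):
    """First matching rule wins; traffic-filter permits packets that match no rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def tcp(src, dst, *flags, dport=None):
    return {"proto": "tcp", "src": src, "dst": dst, "flags": frozenset(flags), "dport": dport}


def icmp(src, dst, icmp_type):
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": icmp_type}


# ACL 3000 from requirement 1, in configuration order.
ACL_3000 = [parse_rule(r) for r in (
    "rule permit tcp source 192.168.60.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 tcp-flag syn ack",
    "rule deny tcp source 192.168.60.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 tcp-flag syn",
    "rule deny icmp source 192.168.60.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 icmp-type echo",
)]

if __name__ == "__main__":
    print(evaluate(ACL_3000, tcp("192.168.60.7", "192.168.30.10", "syn")))         # deny
    print(evaluate(ACL_3000, tcp("192.168.60.7", "192.168.30.10", "syn", "ack")))  # permit
```

Because an ACL is stateless, the first rule admits any SYN+ACK segment from the dormitory whether or not finance actually opened a connection; the rule order also matters, since a SYN+ACK segment has the SYN bit set and would be caught by the deny rule if that came first.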
Requirement 2: the academic affairs and finance departments of the main campus may not access each other.
rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 10 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
Requirement 3: the gateway router blocks the student dormitory from reaching a specific service provider; the branch-campus dormitory may access the main campus FTP service but not the HTTP service.
rule 5 deny ip source 172.16.10.0 0.0.0.255 destination 3.3.3.3 0
rule 10 permit tcp source 172.16.10.0 0.0.0.255 destination 192.168.101.0 0.0.0.255 destination-port eq ftp
rule 15 deny tcp source 172.16.10.0 0.0.0.255 destination 192.168.101.0 0.0.0.255 destination-port eq www
rule 20 deny tcp source 172.16.10.0 0.0.0.255 destination 192.168.101.0 0.0.0.255 destination-port eq 443
Requirement 4: identify high-volume P2P traffic, and block P2P transfers for the branch-campus and main-campus student dormitories during working days while allowing them on rest days.
time-range P2PTime
period-range 00:00:00 to 23:59:59 working-day
rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255
rule 10 deny ip destination 104.91.87.182 0 time-range P2PTime
rule 15 deny ip destination 35.202.21.90 0 time-range P2PTime
rule 20 deny tcp destination-port range 6881 6889 time-range P2PTime
Detailed commands
AC1
Push configuration to the APs
[AC6605]vlan batch 100 200 300 400 500 600 700 800 900 1000
[AC6605]vlan batch 1100 1200
[AC6605]dhcp enable
[AC6605]int vlan200
[AC6605-Vlanif200]ip add 192.168.200.254 24
[AC6605-Vlanif200]dhcp select interface
[AC6605]capwap source interface Vlanif 200
[AC6605]int g0/0/1
[AC6605-GigabitEthernet0/0/1]port link-type trunk
[AC6605-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[AC6605]wlan
[AC6605-wlan-view]security-profile name 1
[AC6605-wlan-sec-prof-1]security wep # superseded by the WPA/WPA2 setting on the next line
[AC6605-wlan-sec-prof-1]security wpa-wpa2 psk pass-phrase Huawei@123 aes
[AC6605]wlan
[AC6605-wlan-view]ssid-profile name 1
[AC6605-wlan-ssid-prof-1]ssid tiangong-wifi
[AC6605-wlan-view]vap-profile name 1
[AC6605-wlan-vap-prof-1]security-profile 1
[AC6605-wlan-vap-prof-1]ssid-profile 1
[AC6605-wlan-vap-prof-1]service-vlan vlan-id 100 # the service VLAN ID is 100
[AC6605-wlan-view]ap auth-mode no-auth # no authentication: APs go online as soon as they are discovered
[AC6605-wlan-view]ap-group name default
[AC6605-wlan-ap-group-default]radio 0 # 2.4 GHz radio
[AC6605-wlan-group-radio-default/0]vap-profile 1 wlan 1
[AC6605-wlan-ap-group-default]radio 1 # 5 GHz radio
[AC6605-wlan-group-radio-default/1]vap-profile 1 wlan 1
AR1
Carrier device
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 1.1.1.2 30
[Huawei]int GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1]ip add 2.2.2.1 30
[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]ip add 3.3.3.254 24
AR2
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 172.16.70.1 30
[Huawei]ip route-static 0.0.0.0 0 172.16.70.2 # default route, hand traffic to the firewall
Gateway and DHCP (VLAN 10):
[Huawei]int g0/0/1.10 # enter the subinterface
[Huawei-GigabitEthernet0/0/1.10]dot1q termination vid 10 # set the subinterface's dot1q tag to VID 10: Ethernet frames tagged with VID 10 are handled by this subinterface
[Huawei-GigabitEthernet0/0/1.10]arp broadcast enable # enable ARP broadcast; it is disabled by default on subinterfaces
[Huawei-GigabitEthernet0/0/1.10]ip add 172.16.10.254 24
[Huawei]dhcp enable
[Huawei]int g0/0/1.10
[Huawei-GigabitEthernet0/0/1.10]dhcp select interface # use this interface's own subnet as the DHCP address pool
Gateway and DHCP (VLAN 20):
[Huawei]int g0/0/1.20 # enter the subinterface
[Huawei-GigabitEthernet0/0/1.20]dot1q termination vid 20 # set the subinterface's dot1q tag to VID 20: Ethernet frames tagged with VID 20 are handled by this subinterface
[Huawei-GigabitEthernet0/0/1.20]arp broadcast enable # enable ARP broadcast
[Huawei-GigabitEthernet0/0/1.20]ip add 172.16.20.254 24
[Huawei]dhcp enable
[Huawei]int g0/0/1.20
[Huawei-GigabitEthernet0/0/1.20]dhcp select interface # use this interface's own subnet as the DHCP address pool
Gateway and DHCP (VLAN 30):
[Huawei]int g0/0/1.30 # enter the subinterface
[Huawei-GigabitEthernet0/0/1.30]dot1q termination vid 30 # set the subinterface's dot1q tag to VID 30: Ethernet frames tagged with VID 30 are handled by this subinterface
[Huawei-GigabitEthernet0/0/1.30]arp broadcast enable # enable ARP broadcast
[Huawei-GigabitEthernet0/0/1.30]ip add 172.16.30.254 24
[Huawei]dhcp enable
[Huawei]int g0/0/1.30
[Huawei-GigabitEthernet0/0/1.30]dhcp select interface # use this interface's own subnet as the DHCP address pool
Gateway and DHCP (VLAN 40):
[Huawei]int g0/0/2.40 # enter the subinterface
[Huawei-GigabitEthernet0/0/2.40]dot1q termination vid 40 # set the subinterface's dot1q tag to VID 40: Ethernet frames tagged with VID 40 are handled by this subinterface
[Huawei-GigabitEthernet0/0/2.40]arp broadcast enable # enable ARP broadcast
[Huawei-GigabitEthernet0/0/2.40]ip add 172.16.40.254 24
[Huawei]dhcp enable
[Huawei]int g0/0/2.40
[Huawei-GigabitEthernet0/0/2.40]dhcp select interface # use this interface's own subnet as the DHCP address pool
Gateway and DHCP (VLAN 50):
[Huawei]int g0/0/2.50 # enter the subinterface
[Huawei-GigabitEthernet0/0/2.50]dot1q termination vid 50 # set the subinterface's dot1q tag to VID 50: Ethernet frames tagged with VID 50 are handled by this subinterface
[Huawei-GigabitEthernet0/0/2.50]arp broadcast enable # enable ARP broadcast
[Huawei-GigabitEthernet0/0/2.50]ip add 172.16.50.254 24
[Huawei]dhcp enable
[Huawei]int g0/0/2.50
[Huawei-GigabitEthernet0/0/2.50]dhcp select interface # use this interface's own subnet as the DHCP address pool
Gateway and DHCP (VLAN 60):
[Huawei]int g0/0/2.60 # enter the subinterface
[Huawei-GigabitEthernet0/0/2.60]dot1q termination vid 60 # set the subinterface's dot1q tag to VID 60: Ethernet frames tagged with VID 60 are handled by this subinterface
[Huawei-GigabitEthernet0/0/2.60]arp broadcast enable # enable ARP broadcast
[Huawei-GigabitEthernet0/0/2.60]ip add 172.16.60.254 24
[Huawei]dhcp enable
[Huawei]int g0/0/2.60
[Huawei-GigabitEthernet0/0/2.60]dhcp select interface # use this interface's own subnet as the DHCP address pool
Create an authentication account for FTP and telnet login:
[Huawei]aaa
[Huawei-aaa]local-user wys password cipher 123456
[Huawei-aaa]local-user wys service-type ftp telnet
telnet:
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode aaa # this enables the telnet service; the telnet login is verified from LSW9
ACL:
AR2 (branch-campus border router) configuration:
[Huawei]acl name NotServer
[Huawei-acl-adv-NotServer]rule deny ip source 172.16.10.0 0.0.0.255 destination 3.3.3.3 0
[Huawei-acl-adv-NotServer]rule permit tcp source 172.16.10.0 0.0.0.255 destination 192.168.101.0 0.0.0.255 destination-port eq 21 # allow FTP
[Huawei-acl-adv-NotServer]rule deny tcp source 172.16.10.0 0.0.0.255 destination 192.168.101.0 0.0.0.255 destination-port eq 80 # deny HTTP
[Huawei-acl-adv-NotServer]rule deny tcp source 172.16.10.0 0.0.0.255 destination 192.168.101.0 0.0.0.255 destination-port eq 443 # deny HTTPS
[Huawei]int g0/0/1.10 # enter the subinterface of the corresponding VLAN
[Huawei-GigabitEthernet0/0/1.10]traffic-filter inbound acl 3999 # a named advanced ACL created without a number is auto-numbered from 3999 downward, so 3999 is NotServer here
Note that an interface can apply only one ACL per direction, so additional rules are added to the ACL above instead of creating a new one.
FW1
Credentials:
admin
Huawei@123
Zone assignment:
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface g1/0/3 # add the Internet-facing interface to the untrust zone
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/0
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/1 # add the intranet-facing interfaces to the trust zone
[USG6000V1]firewall zone dmz
[USG6000V1-zone-dmz]add interface GigabitEthernet 1/0/2 # add the server-facing interface to the DMZ zone
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip add 192.168.70.2 30
[USG6000V1]int g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip add 192.168.80.2 30
[USG6000V1]int g1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip add 192.168.101.254 24
[USG6000V1]int g1/0/3
[USG6000V1-GigabitEthernet1/0/3]ip add 1.1.1.1 30 # public IP address
ospf:
[USG6000V1]ospf 1 router-id 3.3.3.3
[USG6000V1-ospf-1]area 0
[USG6000V1-ospf-1-area-0.0.0.0]network 192.168.70.2 0.0.0.0
[USG6000V1-ospf-1-area-0.0.0.0]network 192.168.80.2 0.0.0.0
[USG6000V1-ospf-1]area 3
[USG6000V1-ospf-1]stub
[USG6000V1-ospf-1-area-0.0.0.3]network 192.168.101.0 0.0.0.255 # advertise the server network into OSPF
[USG6000V1]ip route-static 0.0.0.0 0 1.1.1.2 # the firewall's own default route
Allow ping on the interface (used to verify the IPSec VPN once it is up):
[USG6000V1]int g1/0/3
[USG6000V1-GigabitEthernet1/0/3]service-manage ping permit
Security policy (prerequisite for the IPSec VPN):
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name 1
[USG6000V1-policy-security-rule-1]action permit # permit everything for now
ipsec vpn:
[USG6000V1]ike proposal 1 # create IKE proposal 1
[USG6000V1-ike-proposal-1]encryption-algorithm aes-256 # encryption algorithm AES-256
[USG6000V1-ike-proposal-1]dh group14 # Diffie-Hellman group 14
[USG6000V1-ike-proposal-1]authentication-algorithm sha2-256 # authentication algorithm SHA2-256
[USG6000V1-ike-proposal-1]authentication-method pre-share # authenticate with a pre-shared key
[USG6000V1-ike-proposal-1]integrity-algorithm hmac-sha2-256 # integrity algorithm HMAC-SHA2-256
[USG6000V1-ike-proposal-1]prf hmac-sha2-256 # pseudo-random function HMAC-SHA2-256
[USG6000V1-ike-proposal-1]ike peer 1 # configure IKE peer 1
[USG6000V1-ike-peer-1]pre-shared-key Huawei@123 # pre-shared key "Huawei@123"
[USG6000V1-ike-peer-1]ike-proposal 1 # bind IKE proposal 1
[USG6000V1-ike-peer-1]remote-address 2.2.2.2 # remote peer address 2.2.2.2
[USG6000V1]dis ike peer brief # show the IKE peer summary
[USG6000V1]acl number 3000 # create ACL 3000
[USG6000V1-acl-adv-3000]rule 5 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.0.0 0.0.255.255 # rule 5: IP traffic from 192.168.0.0/16 to 172.16.0.0/16 is the interesting traffic
[USG6000V1-acl-adv-3000]ipsec proposal huawei # create IPSec proposal "huawei"
[USG6000V1-ipsec-proposal-huawei]esp authentication-algorithm sha1 # ESP authentication algorithm SHA1
[USG6000V1-ipsec-proposal-huawei]esp encryption-algorithm aes-128 # ESP encryption algorithm AES-128
[USG6000V1-ipsec-proposal-huawei]ipsec policy huawei 1 isakmp # create IPSec policy "huawei", sequence number 1, negotiated through ISAKMP (IKE)
[USG6000V1-ipsec-policy-isakmp-huawei-1]security acl 3000 # bind ACL 3000 to the IPSec policy
[USG6000V1-ipsec-policy-isakmp-huawei-1]ike-peer 1 # bind IKE peer 1 to the IPSec policy
[USG6000V1-ipsec-policy-isakmp-huawei-1]proposal huawei # bind IPSec proposal "huawei" to the IPSec policy
[USG6000V1]int g1/0/3 # enter interface GigabitEthernet1/0/3
[USG6000V1-GigabitEthernet1/0/3]ipsec policy huawei # apply IPSec policy "huawei" on the interface
Route to 172.16.0.0/16:
[USG6000V1]ip route-static 172.16.0.0 16 g1/0/3 2.2.2.2 # specify the outbound interface, otherwise 2.2.2.2 cannot be resolved
NAT:
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name 1
[USG6000V1-policy-nat-rule-1]source-zone trust
[USG6000V1-policy-nat-rule-1]destination-zone untrust # matched on source and destination zone
[USG6000V1-policy-nat-rule-1]action source-nat easy-ip # only one public IP is available for translation
This causes a problem: traffic to 172.16.0.0/16 is also NATed, so it no longer matches the ACL above and does not enter the IPSec tunnel, and the main-campus intranet cannot reach the branch (software park) intranet.
Fix:
[USG6000V1-policy-nat]rule name 0
[USG6000V1-policy-nat-rule-0]source-address 192.168.0.0 16
[USG6000V1-policy-nat-rule-0]destination-address 172.16.0.0 16
[USG6000V1-policy-nat-rule-0]action no-nat # a no-NAT rule matched on source and destination address
[USG6000V1-policy-nat]rule move 0 top # move the later-configured rule 0 to the top so it is matched first
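The ordering problem just described, modelled as added example code (not the firewall's own logic): a reduced forwarding table of FW1 derived from the routes and zones above, the two nat-policy rules evaluated first-match, and a check of whether the post-NAT packet still matches the IPSec interesting traffic of ACL 3000. The zone lookup by longest prefix is a simplification of how the firewall derives zones from its interfaces.

```python
import ipaddress

PUBLIC_IP = "1.1.1.1"   # FW1 egress address that 'source-nat easy-ip' substitutes

# FW1 forwarding table reduced to (prefix, zone of the egress interface); longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("192.168.101.0/24"), "dmz"),
    (ipaddress.ip_network("192.168.0.0/16"), "trust"),
    (ipaddress.ip_network("172.16.0.0/16"), "untrust"),   # static route via g1/0/3 to 2.2.2.2
    (ipaddress.ip_network("0.0.0.0/0"), "untrust"),       # default route to 1.1.1.2
]

# IPSec interesting traffic, ACL 3000 rule 5: 192.168.0.0/16 -> 172.16.0.0/16.
IPSEC_SRC = ipaddress.ip_network("192.168.0.0/16")
IPSEC_DST = ipaddress.ip_network("172.16.0.0/16")


def zone_of(ip):
    """Zone of the interface that a packet to (or from) this address uses, by longest prefix."""
    addr = ipaddress.ip_address(ip)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def nat_rule(name, action, source_zone=None, destination_zone=None,
             source_address=None, destination_address=None):
    """One nat-policy rule; an unspecified match field means 'any'."""
    return {
        "name": name, "action": action,
        "source_zone": source_zone, "destination_zone": destination_zone,
        "source_address": ipaddress.ip_network(source_address) if source_address else None,
        "destination_address": ipaddress.ip_network(destination_address) if destination_address else None,
    }


def rule_matches(rule, src, dst):
    if rule["source_zone"] and rule["source_zone"] != zone_of(src):
        return False
    if rule["destination_zone"] and rule["destination_zone"] != zone_of(dst):
        return False
    if rule["source_address"] and ipaddress.ip_address(src) not in rule["source_address"]:
        return False
    if rule["destination_address"] and ipaddress.ip_address(dst) not in rule["destination_address"]:
        return False
    return True


def apply_nat_policy(rules, src, dst):
    """The first matching rule decides; returns (source after NAT, name of the matching rule)."""
    for rule in rules:
        if rule_matches(rule, src, dst):
            if rule["action"] == "no-nat":
                return src, rule["name"]
            return PUBLIC_IP, rule["name"]        # source-nat easy-ip
    return src, None


def egress_path(rules, src, dst):
    """Outcome for one flow: the post-NAT source and whether it still matches the IPSec ACL."""
    new_src, matched = apply_nat_policy(rules, src, dst)
    in_tunnel = (ipaddress.ip_address(new_src) in IPSEC_SRC
                 and ipaddress.ip_address(dst) in IPSEC_DST)
    return {"post_nat_src": new_src, "matched_rule": matched,
            "path": "ipsec-tunnel" if in_tunnel else "plain"}


RULE_1 = nat_rule("1", "source-nat easy-ip", source_zone="trust", destination_zone="untrust")
RULE_0 = nat_rule("0", "no-nat", source_address="192.168.0.0/16", destination_address="172.16.0.0/16")
AS_ENTERED = [RULE_1, RULE_0]     # rule 0 was configured later, so it sits below rule 1
AFTER_MOVE = [RULE_0, RULE_1]     # order after 'rule move 0 top'

if __name__ == "__main__":
    for label, rules in (("as entered", AS_ENTERED), ("after move", AFTER_MOVE)):
        print(label, egress_path(rules, "192.168.10.5", "172.16.10.5"))
```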
ACL:
[USG6000V1]time-range P2PTime
[USG6000V1-time-range-P2PTime]period-range 0:00:00 to 23:59:59 mon tue wed thu fri # create a time range covering all day Monday to Friday
[USG6000V1]acl 3000
[USG6000V1-acl-adv-3000]rule deny ip source any destination 104.91.87.182 0 time-range P2PTime
[USG6000V1-acl-adv-3000]rule deny ip source any destination 35.202.21.90 0 time-range P2PTime
[USG6000V1-acl-adv-3000]rule deny tcp destination-port range 6881 6889 time-range P2PTime
FW2
[USG6000V1]firewall zone untrust
[USG6000V1-zone-untrust]add interface GigabitEthernet 1/0/3
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add interface GigabitEthernet 1/0/0
[USG6000V1]int g1/0/3
[USG6000V1-GigabitEthernet1/0/3]ip add 2.2.2.2 30
[USG6000V1]int g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip add 172.16.70.2 30
[USG6000V1]ip route-static 172.16.0.0 12 172.16.70.1 # static route handing the firewall's traffic for the private subnets to the router
[USG6000V1]ip route-static 0.0.0.0 0 2.2.2.1 # default route, hand traffic to the carrier router
Allow ping on the interface (used to verify the IPSec VPN once it is up):
[USG6000V1]int g1/0/3
[USG6000V1-GigabitEthernet1/0/3]service-manage ping permit
Security policy (prerequisite for the IPSec VPN):
[USG6000V1]security-policy
[USG6000V1-policy-security]rule name 1
[USG6000V1-policy-security-rule-1]action permit # permit everything for now
ipsec vpn:
[USG6000V1]ike proposal 1
[USG6000V1-ike-proposal-1]encryption-algorithm aes-256
[USG6000V1-ike-proposal-1]dh group14
[USG6000V1-ike-proposal-1]authentication-algorithm sha2-256
[USG6000V1-ike-proposal-1]authentication-method pre-share
[USG6000V1-ike-proposal-1]integrity-algorithm hmac-sha2-256
[USG6000V1-ike-proposal-1]prf hmac-sha2-256
[USG6000V1-ike-proposal-1]ike peer 1
[USG6000V1-ike-peer-1]pre-shared-key Huawei@123
[USG6000V1-ike-peer-1]ike-proposal 1
[USG6000V1-ike-peer-1]remote-address 1.1.1.1
[USG6000V1]dis ike peer brief # show the IKE peer summary
[USG6000V1]acl number 3000
[USG6000V1-acl-adv-3000]rule 5 permit ip source 172.16.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
[USG6000V1-acl-adv-3000]ipsec proposal huawei
[USG6000V1-ipsec-proposal-huawei]esp authentication-algorithm sha1
[USG6000V1-ipsec-proposal-huawei]esp encryption-algorithm aes-128
[USG6000V1-ipsec-proposal-huawei]ipsec policy huawei 1 isakmp
[USG6000V1-ipsec-policy-isakmp-huawei-1]security acl 3000
[USG6000V1-ipsec-policy-isakmp-huawei-1]ike-peer 1
[USG6000V1-ipsec-policy-isakmp-huawei-1]proposal huawei
[USG6000V1]int g1/0/3
[USG6000V1-GigabitEthernet1/0/3]ipsec policy huawei # apply the policy on the interface
Route to 192.168.0.0/16:
[USG6000V1]ip route-static 192.168.0.0 16 g1/0/3 1.1.1.1
NAT:
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name 0
[USG6000V1-policy-nat-rule-0]source-address 172.16.0.0 16
[USG6000V1-policy-nat-rule-0]destination-address 192.168.0.0 16
[USG6000V1-policy-nat-rule-0]action no-nat # a no-NAT rule matched on source and destination address
[USG6000V1-policy-nat]rule name 1
[USG6000V1-policy-nat-rule-1]source-zone trust
[USG6000V1-policy-nat-rule-1]destination-zone untrust # matched on source and destination zone
[USG6000V1-policy-nat-rule-1]action source-nat easy-ip # only one public IP is available for translation
LSW1
<Huawei>system-view
[Huawei] vlan batch 10 100 200
[Huawei] int e0/0/2
[Huawei-Ethernet0/0/2] port link-type trunk
[Huawei-Ethernet0/0/2] port trunk allow-pass vlan 10 100 200
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type trunk
[Huawei-Ethernet0/0/3]port trunk allow-pass vlan 10 100 200
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]port link-type access
[Huawei-Ethernet0/0/1]port default vlan 10
mstp:
[Huawei]stp region-configuration
[Huawei-mst-region]region-name huawei_wys
[Huawei-mst-region]revision-level 1
[Huawei-mst-region]instance 1 vlan 10 20 30 # map VLANs into instances to get load sharing
[Huawei-mst-region]instance 2 vlan 40 50 60
[Huawei-mst-region]active region-configuration # activate the region configuration
Wireless network:
[Huawei]int e0/0/4
[Huawei-Ethernet0/0/4]port link-type trunk
[Huawei-Ethernet0/0/4]port trunk allow-pass vlan 100 200 # VLAN 100 is the service VLAN, VLAN 200 the management VLAN
[Huawei-Ethernet0/0/4]port trunk pvid vlan 200 # set the default port VLAN ID to 200 so that untagged frames (DHCP) are admitted into VLAN 200
LSW2
[Huawei]vlan batch 10 20 30 40 50 60
[Huawei]vlan batch 100 200 300 400 500 600
[Huawei]vlan batch 700 800 900 1000 1100 1200 # the CLI will not create too many VLANs in one command (ten at a time), so create them in batches
[Huawei]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/9 # enter the port group to configure the listed ports together
[Huawei-port-group]port link-type trunk
[Huawei-port-group]port trunk allow-pass vlan all # allow all VLANs
mstp:
[Huawei]stp region-configuration
[Huawei-mst-region] region-name huawei_wys
[Huawei-mst-region] revision-level 1
[Huawei-mst-region] instance 1 vlan 10 20 30
[Huawei-mst-region] instance 2 vlan 40 50 60
[Huawei-mst-region] active region-configuration
LSW3
[Huawei]vlan batch 10 20 30 40 50 60 100 200 300 400
[Huawei]vlan batch 500 600 700 800 900 1000 1100 1200
[Huawei]port-group group-member GigabitEthernet 0/0/1 to GigabitEthernet 0/0/9
[Huawei-port-group]port link-type trunk
[Huawei-port-group]port trunk allow-pass vlan all
mstp:
[Huawei]stp region-configuration
[Huawei-mst-region] region-name huawei_wys
[Huawei-mst-region] revision-level 1
[Huawei-mst-region] instance 1 vlan 10 20 30
[Huawei-mst-region] instance 2 vlan 40 50 60
[Huawei-mst-region] active region-configuration
LSW4
<Huawei>system-view
[Huawei] vlan batch 20 300 400
[Huawei] int e0/0/2
[Huawei-Ethernet0/0/2] port link-type trunk
[Huawei-Ethernet0/0/2] port trunk allow-pass vlan 20 300 400
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type trunk
[Huawei-Ethernet0/0/3]port trunk allow-pass vlan 20 300 400
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]port link-type access
[Huawei-Ethernet0/0/1]port default vlan 20
mstp:
[Huawei]stp region-configuration
[Huawei-mst-region] region-name huawei_wys
[Huawei-mst-region] revision-level 1
[Huawei-mst-region] instance 1 vlan 10 20 30
[Huawei-mst-region] instance 2 vlan 40 50 60
[Huawei-mst-region] active region-configuration
LSW5
<Huawei>system-view
[Huawei] vlan batch 30 500 600
[Huawei] int e0/0/2
[Huawei-Ethernet0/0/2] port link-type trunk
[Huawei-Ethernet0/0/2] port trunk allow-pass vlan 30 500 600
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type trunk
[Huawei-Ethernet0/0/3]port trunk allow-pass vlan 30 500 600
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]port link-type access
[Huawei-Ethernet0/0/1]port default vlan 30
mstp:
[Huawei]stp region-configuration
[Huawei-mst-region] region-name huawei_wys
[Huawei-mst-region] revision-level 1
[Huawei-mst-region] instance 1 vlan 10 20 30
[Huawei-mst-region] instance 2 vlan 40 50 60
[Huawei-mst-region] active region-configuration
LSW6
<Huawei>system-view
[Huawei] vlan batch 40 700 800
[Huawei] int e0/0/2
[Huawei-Ethernet0/0/2] port link-type trunk
[Huawei-Ethernet0/0/2] port trunk allow-pass vlan 40 700 800
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type trunk
[Huawei-Ethernet0/0/3]port trunk allow-pass vlan 40 700 800
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]port link-type access
[Huawei-Ethernet0/0/1]port default vlan 40
mstp:
[Huawei]stp region-configuration
[Huawei-mst-region] region-name huawei_wys
[Huawei-mst-region] revision-level 1
[Huawei-mst-region] instance 1 vlan 10 20 30
[Huawei-mst-region] instance 2 vlan 40 50 60
[Huawei-mst-region] active region-configuration
LSW7
<Huawei>system-view
[Huawei] vlan batch 50 900 1000
[Huawei] int e0/0/2
[Huawei-Ethernet0/0/2] port link-type trunk
[Huawei-Ethernet0/0/2] port trunk allow-pass vlan 50 900 1000
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type trunk
[Huawei-Ethernet0/0/3]port trunk allow-pass vlan 50 900 1000
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]port link-type access
[Huawei-Ethernet0/0/1]port default vlan 50
mstp:
[Huawei]stp region-configuration
[Huawei-mst-region] region-name huawei_wys
[Huawei-mst-region] revision-level 1
[Huawei-mst-region] instance 1 vlan 10 20 30
[Huawei-mst-region] instance 2 vlan 40 50 60
[Huawei-mst-region] active region-configuration
LSW8
<Huawei>system-view
[Huawei] vlan batch 60 1100 1200
[Huawei] int e0/0/2
[Huawei-Ethernet0/0/2] port link-type trunk
[Huawei-Ethernet0/0/2] port trunk allow-pass vlan 60 1100 1200
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type trunk
[Huawei-Ethernet0/0/3]port trunk allow-pass vlan 60 1100 1200
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]port link-type access
[Huawei-Ethernet0/0/1]port default vlan 60
mstp:
[Huawei]stp region-configuration
[Huawei-mst-region] region-name huawei_wys
[Huawei-mst-region] revision-level 1
[Huawei-mst-region] instance 1 vlan 10 20 30
[Huawei-mst-region] instance 2 vlan 40 50 60
[Huawei-mst-region] active region-configuration
ACL:
Deny the student dormitories of the main campus and the software park (branch) access to the main-campus finance department.
[Huawei]acl 3000 # advanced ACL
[Huawei-acl-adv-3000]rule permit tcp source 192.168.60.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 tcp-flag syn ack # allow the dormitory to answer TCP requests from finance
[Huawei-acl-adv-3000]rule deny tcp source 192.168.60.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 tcp-flag syn # deny TCP connections initiated by the dormitory towards finance
[Huawei-acl-adv-3000]rule deny icmp source 192.168.60.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 icmp-type echo # deny ping (echo request) from the dormitory towards finance; the source is the dormitory subnet 192.168.60.0/24
[SwitchC] traffic classifier tc1
[SwitchC-classifier-tc1] if-match acl 3000
[SwitchC-classifier-tc1] quit
[SwitchC] traffic behavior tb1
[SwitchC-behavior-tb1] permit
[SwitchC-behavior-tb1] quit
[SwitchC] traffic policy tp1 # note: no hyphen in this command
[SwitchC-trafficpolicy-tp1] classifier tc1 behavior tb1
[SwitchC-trafficpolicy-tp1] quit
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] traffic-policy tp1 inbound
[SwitchC-GigabitEthernet1/0/1] quit
LSW9
VLAN assignment:
[Huawei]vlan batch 10 20 30 40 50 60 100 200 300 400
[Huawei]vlan batch 500 600 700 800 900 1000 1100 1200
[Huawei]vlan 70 # firewall-facing side
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[Huawei]int g0/0/5
[Huawei-GigabitEthernet0/0/5]port link-type access
[Huawei-GigabitEthernet0/0/5]port default vlan 70
[Huawei]int Vlanif 70
[Huawei-Vlanif70]ip add 192.168.70.1 30 # only two addresses are needed, so a /30 mask
[Huawei]ip route-static 0.0.0.0 0 192.168.70.2 # default route towards the firewall
Link aggregation:
[Huawei]interface eth-trunk 0 # create the link aggregation port
[Huawei-Eth-Trunk0]trunkport g0/0/3 # add the physical ports to the aggregation port
[Huawei-Eth-Trunk0]trunkport g0/0/4
[Huawei-Eth-Trunk0]port link-type trunk # the aggregation port's link type is trunk
[Huawei-Eth-Trunk0]port trunk allow-pass vlan all # allow all VLANs
Gateway (VLAN 10) and VRRP:
[Huawei]int vlan 10
[Huawei-Vlanif10]ip add 192.168.10.252 24 # .252 on LSW9, .253 on LSW10, .254 for VRRP, giving Layer 3 load sharing
VRRP (VLAN 10) (master):
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254
[Huawei-Vlanif10]vrrp vrid 1 priority 120 # default priority is 100; set it to 120
[Huawei-Vlanif10]dis vrrp brief # show the election state; the higher priority is master
[Huawei-Vlanif10]vrrp vrid 1 track interface Vlanif 70 reduced 30 # once the tracked Vlanif 70 goes down the priority drops by 30 to 90, below the backup's default 100, so the backup takes over at once with little packet loss
[Huawei-Vlanif10]vrrp vrid 1 preempt-mode timer delay 30 # preempt after a 30-second delay
Gateway (VLAN 20):
[Huawei]int vlan 20
[Huawei-Vlanif20]ip add 192.168.20.252 24
VRRP (VLAN 20) (master):
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.254
[Huawei-Vlanif20]vrrp vrid 2 priority 120 # default priority is 100; set it to 120
[Huawei-Vlanif20]dis vrrp brief
[Huawei-Vlanif20]vrrp vrid 2 track interface Vlanif 70 reduced 30 # once the tracked Vlanif 70 goes down the priority drops by 30 to 90, below the backup's default 100, so the backup takes over at once with little packet loss
[Huawei-Vlanif20]vrrp vrid 2 preempt-mode timer delay 30 # preempt after a 30-second delay
Gateway (VLAN 30):
[Huawei]int vlan 30
[Huawei-Vlanif30]ip add 192.168.30.252 24
VRRP (VLAN 30) (master):
[Huawei-Vlanif30]vrrp vrid 3 virtual-ip 192.168.30.254
[Huawei-Vlanif30]vrrp vrid 3 priority 120 # default priority is 100; set it to 120
[Huawei-Vlanif30]dis vrrp brief
[Huawei-Vlanif30]vrrp vrid 3 track interface Vlanif 70 reduced 30 # once the tracked Vlanif 70 goes down the priority drops by 30 to 90, below the backup's default 100, so the backup takes over at once with little packet loss
[Huawei-Vlanif30]vrrp vrid 3 preempt-mode timer delay 30 # preempt after a 30-second delay
Gateway (VLAN 40):
[Huawei]int vlan 40
[Huawei-Vlanif40]ip add 192.168.40.252 24
VRRP (VLAN 40) (backup):
[Huawei-Vlanif40]vrrp vrid 4 virtual-ip 192.168.40.254 # keep the default priority 100
[Huawei-Vlanif40]dis vrrp brief # show the VRRP election state
Gateway (VLAN 50):
[Huawei]int vlan 50
[Huawei-Vlanif50]ip add 192.168.50.252 24
VRRP (VLAN 50) (backup):
[Huawei-Vlanif50]vrrp vrid 5 virtual-ip 192.168.50.254 # keep the default priority 100
[Huawei-Vlanif50]dis vrrp brief # show the VRRP election state
Gateway (VLAN 60):
[Huawei]int vlan 60
[Huawei-Vlanif60]ip add 192.168.60.252 24
VRRP (VLAN 60) (backup):
[Huawei-Vlanif60]vrrp vrid 6 virtual-ip 192.168.60.254 # keep the default priority 100
[Huawei-Vlanif60]dis vrrp brief # show the VRRP election state
mstp:
[Huawei]stp region-configuration
[Huawei-mst-region] region-name huawei_wys
[Huawei-mst-region] revision-level 1
[Huawei-mst-region] instance 1 vlan 10 20 30
[Huawei-mst-region] instance 2 vlan 40 50 60
[Huawei-mst-region] active region-configuration
[Huawei]stp instance 1 root primary # primary root bridge of instance 1
[Huawei]stp instance 2 root secondary # secondary root bridge of instance 2
DHCP (VLAN 10):
[Huawei]dhcp enable
[Huawei]ip pool vlan10
[Huawei-ip-pool-vlan10]network 192.168.10.0 mask 24
[Huawei-ip-pool-vlan10]gateway-list 192.168.10.254 # the gateway is the VRRP virtual gateway, giving load sharing and failover
[Huawei-ip-pool-vlan10]dns-list 192.168.101.1 # DNS server
[Huawei]int Vlanif 10
[Huawei-Vlanif10]dhcp select global
DHCP (VLAN 20):
[Huawei]dhcp enable
[Huawei]ip pool vlan20
[Huawei-ip-pool-vlan20]network 192.168.20.0 mask 24
[Huawei-ip-pool-vlan20]gateway-list 192.168.20.254 # the gateway is the VRRP virtual gateway, giving load sharing and failover
[Huawei-ip-pool-vlan20]dns-list 192.168.101.1 # DNS server
[Huawei]int Vlanif 20
[Huawei-Vlanif20]dhcp select global
DHCP (VLAN 30):
[Huawei]dhcp enable
[Huawei]ip pool vlan30
[Huawei-ip-pool-vlan30]network 192.168.30.0 mask 24
[Huawei-ip-pool-vlan30]gateway-list 192.168.30.254 # the gateway is the VRRP virtual gateway, giving load sharing and failover
[Huawei-ip-pool-vlan30]dns-list 192.168.101.1 # DNS server
[Huawei]int Vlanif 30
[Huawei-Vlanif30]dhcp select global
DHCP (VLAN 40):
[Huawei]dhcp enable
[Huawei]ip pool vlan40
[Huawei-ip-pool-vlan40]network 192.168.40.0 mask 24
[Huawei-ip-pool-vlan40]gateway-list 192.168.40.254 # the gateway is the VRRP virtual gateway, giving load sharing and failover
[Huawei-ip-pool-vlan40]dns-list 192.168.101.1 # DNS server
[Huawei]int Vlanif 40
[Huawei-Vlanif40]dhcp select global
DHCP (VLAN 50):
[Huawei]dhcp enable
[Huawei]ip pool vlan50
[Huawei-ip-pool-vlan50]network 192.168.50.0 mask 24
[Huawei-ip-pool-vlan50]gateway-list 192.168.50.254 # the gateway is the VRRP virtual gateway, giving load sharing and failover
[Huawei-ip-pool-vlan50]dns-list 192.168.101.1 # DNS server
[Huawei]int Vlanif 50
[Huawei-Vlanif50]dhcp select global
DHCP (VLAN 60):
[Huawei]dhcp enable
[Huawei]ip pool vlan60
[Huawei-ip-pool-vlan60]network 192.168.60.0 mask 24
[Huawei-ip-pool-vlan60]gateway-list 192.168.60.254 # the gateway is the VRRP virtual gateway, giving load sharing and failover
[Huawei-ip-pool-vlan60]dns-list 192.168.101.1 # DNS server
[Huawei]int Vlanif 60
[Huawei-Vlanif60]dhcp select global
OSPF:
[Huawei]ospf 1 router-id 1.1.1.1 # process ID 1
[Huawei-ospf-1]area 0 # create the backbone area
[Huawei-ospf-1-area-0.0.0.0]network 192.168.70.1 0.0.0.0 # precise advertisement
[Huawei-ospf-1]area 1 # area assignment
[Huawei-ospf-1-area-0.0.0.1]stub
[Huawei-ospf-1-area-0.0.0.1]network 192.168.10.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 192.168.20.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 192.168.30.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 192.168.40.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 192.168.50.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 192.168.60.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 192.168.100.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 192.168.201.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 192.168.203.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 192.168.205.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 192.168.207.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.1]network 192.168.209.0 0.0.0.255
Verify telnet:
telnet 172.16.10.254
User: wys
Password: 123456
Note: the user must be given privilege level 3 or higher to have configuration rights.
Wireless network:
[Huawei]int g0/0/6
[Huawei-GigabitEthernet0/0/6]port link-type trunk
[Huawei-GigabitEthernet0/0/6]port trunk allow-pass vlan all
[Huawei]int vlan100
[Huawei-Vlanif100]ip add 192.168.100.252 24
[Huawei-Vlanif100]dhcp select interface
[Huawei]stp instance 0 root primary # the wireless APs join instance 0 by default, so make LSW9 the root bridge of instance 0
ACL:
[Huawei]acl name NotMutualAccess # give the ACL a name
[Huawei-acl-adv-NotMutualAccess]rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[Huawei-acl-adv-NotMutualAccess]rule 10 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 # ACL rules that deny traffic between the two departments in both directions
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3999 # a named advanced ACL created without a number is auto-numbered from 3999 downward, so 3999 is NotMutualAccess here
[Huawei]int G0/0/2
[Huawei-GigabitEthernet0/0/2]traffic-filter inbound acl 3999
LSW10
VLAN assignment:
[Huawei]vlan batch 10 20 30 40 50 60 100 200 300 400
[Huawei]vlan batch 500 600 700 800 900 1000 1100 1200
[Huawei]vlan 80 VLAN on the firewall-facing side
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[Huawei]int g0/0/5
[Huawei-GigabitEthernet0/0/5]port link-type access
[Huawei-GigabitEthernet0/0/5]port default vlan 80
[Huawei]int Vlanif 80
[Huawei-Vlanif80]ip add 192.168.80.1 30 only two addresses are needed, so a /30 mask is used
[Huawei]ip route-static 0.0.0.0 0 192.168.80.2 default route
Link aggregation:
[Huawei]interface eth-trunk 0 create the link-aggregation port
[Huawei-Eth-Trunk0]trunkport g0/0/3 add the physical port to the Eth-Trunk
[Huawei-Eth-Trunk0]trunkport g0/0/4
[Huawei-Eth-Trunk0]port link-type trunk
[Huawei-Eth-Trunk0]port trunk allow-pass vlan all
Gateway (vlan10) and VRRP:
[Huawei]int vlan 10
[Huawei-Vlanif10]ip add 192.168.10.253 24 .252 goes to LSW9, .253 to LSW10 and .254 to VRRP, which gives layer-3 load sharing
vrrp (vlan10) (backup):
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254 keeps the default priority 100
[Huawei-Vlanif10]dis vrrp brief check the VRRP election state
Gateway (vlan20):
[Huawei]int vlan 20
[Huawei-Vlanif20]ip add 192.168.20.253 24
vrrp (vlan20) (backup):
[Huawei-Vlanif20]vrrp vrid 2 virtual-ip 192.168.20.254 keeps the default priority 100
[Huawei-Vlanif20]dis vrrp brief check the VRRP election state
Gateway (vlan30):
[Huawei]int vlan 30
[Huawei-Vlanif30]ip add 192.168.30.253 24
vrrp (vlan30) (backup):
[Huawei-Vlanif30]vrrp vrid 3 virtual-ip 192.168.30.254 keeps the default priority 100
[Huawei-Vlanif30]dis vrrp brief check the VRRP election state
Gateway (vlan40):
[Huawei]int vlan 40
[Huawei-Vlanif40]ip add 192.168.40.253 24
vrrp (vlan40) (master):
[Huawei-Vlanif40]vrrp vrid 4 virtual-ip 192.168.40.254
[Huawei-Vlanif40]vrrp vrid 4 priority 120 the default priority is 100; set it to 120
[Huawei-Vlanif40]dis vrrp brief
[Huawei-Vlanif40]vrrp vrid 4 track interface Vlanif 80 reduced 30 track the uplink Vlanif80: if it goes down, the priority drops by 30 to 90, below the backup's default 100, so the backup takes over at once with little packet loss
[Huawei-Vlanif40]vrrp vrid 4 preempt-mode timer delay 30 delay preemption by 30 seconds before switching master and backup
Gateway (vlan50):
[Huawei]int vlan 50
[Huawei-Vlanif50]ip add 192.168.50.253 24
vrrp (vlan50) (master):
[Huawei-Vlanif50]vrrp vrid 5 virtual-ip 192.168.50.254
[Huawei-Vlanif50]vrrp vrid 5 priority 120 the default priority is 100; set it to 120
[Huawei-Vlanif50]dis vrrp brief
[Huawei-Vlanif50]vrrp vrid 5 track interface Vlanif 80 reduced 30 track the uplink Vlanif80: if it goes down, the priority drops by 30 to 90, below the backup's default 100, so the backup takes over at once with little packet loss
[Huawei-Vlanif50]vrrp vrid 5 preempt-mode timer delay 30 delay preemption by 30 seconds before switching master and backup
Gateway (vlan60):
[Huawei]int vlan 60
[Huawei-Vlanif60]ip add 192.168.60.253 24
vrrp (vlan60) (master):
[Huawei-Vlanif60]vrrp vrid 6 virtual-ip 192.168.60.254
[Huawei-Vlanif60]vrrp vrid 6 priority 120 the default priority is 100; set it to 120
[Huawei-Vlanif60]dis vrrp brief
[Huawei-Vlanif60]vrrp vrid 6 track interface Vlanif 80 reduced 30 track the uplink Vlanif80: if it goes down, the priority drops by 30 to 90, below the backup's default 100, so the backup takes over at once with little packet loss
[Huawei-Vlanif60]vrrp vrid 6 preempt-mode timer delay 30 delay preemption by 30 seconds before switching master and backup
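The VRRP pairing above splits the six VLANs so that LSW10 is master for 40/50/60 and backup for 10/20/30, with interface tracking pulling the master's priority below the backup's when the firewall uplink fails. The script below is an added example, not code from the original post: it parses the Vlanif/VRRP lines of the two core switches and computes the master for each VLAN before and after LSW10's Vlanif80 goes down. LSW10's lines are taken from the config above; LSW9's mirror-image lines (.252 addresses, priority 120 and tracking of Vlanif70 on the VLANs it owns) are reconstructed from the post's comments and are an assumption.

```python
"""VRRP master election for the LSW9/LSW10 gateway pair (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Vrrp:
    device: str
    vlan: int
    vrid: int = 0
    ip: str = ""
    virtual_ip: str = ""
    priority: int = 100        # VRP default when no 'priority' line is configured
    track_if: str = ""         # e.g. "Vlanif80"
    reduced: int = 0
    preempt_delay: int = 0

    def effective_priority(self, down):
        """Priority after 'track interface X reduced N'; down = {(device, iface)}."""
        if self.track_if and (self.device, self.track_if) in down:
            return max(self.priority - self.reduced, 1)
        return self.priority


PROMPT = re.compile(r"^\[Huawei-Vlanif(\d+)\](.*)$")


def parse(device, text):
    """Parse the Vlanif/VRRP lines of one switch into {vlan: Vrrp}."""
    out = {}
    for raw in text.strip().splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        vlan, cmd = int(m.group(1)), m.group(2).split()
        inst = out.setdefault(vlan, Vrrp(device, vlan))
        if cmd[:2] == ["ip", "add"]:
            inst.ip = cmd[2]
        elif cmd[:2] == ["vrrp", "vrid"]:
            inst.vrid = int(cmd[2])
            if cmd[3] == "virtual-ip":
                inst.virtual_ip = cmd[4]
            elif cmd[3] == "priority":
                inst.priority = int(cmd[4])
            elif cmd[3] == "track":            # track interface Vlanif 80 reduced 30
                inst.track_if = cmd[5] + cmd[6]
                inst.reduced = int(cmd[8])
            elif cmd[3] == "preempt-mode":     # preempt-mode timer delay 30
                inst.preempt_delay = int(cmd[6])
    return out


def ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def elect(devices, down=frozenset()):
    """{vlan: master device}. Highest effective priority wins; a tie goes to
    the larger interface IP, as in VRRP."""
    masters = {}
    for vlan in set().union(*(d.keys() for d in devices)):
        cands = [d[vlan] for d in devices if vlan in d]
        best = max(cands, key=lambda i: (i.effective_priority(down), ip_key(i.ip)))
        masters[vlan] = best.device
    return masters


def mismatches(a, b):
    """VLANs where the two peers disagree on VRID or virtual IP (should be empty)."""
    return [v for v in a if v in b
            and (a[v].vrid, a[v].virtual_ip) != (b[v].vrid, b[v].virtual_ip)]


# Sample input: LSW10 lines from the post (VLAN 10 backup, VLAN 40 master).
LSW10_CFG = """
[Huawei-Vlanif10]ip add 192.168.10.253 24
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254
[Huawei-Vlanif40]ip add 192.168.40.253 24
[Huawei-Vlanif40]vrrp vrid 4 virtual-ip 192.168.40.254
[Huawei-Vlanif40]vrrp vrid 4 priority 120
[Huawei-Vlanif40]vrrp vrid 4 track interface Vlanif 80 reduced 30
[Huawei-Vlanif40]vrrp vrid 4 preempt-mode timer delay 30
"""
# Assumed LSW9 counterpart (reconstructed from the post's comments, not from its config).
LSW9_CFG = """
[Huawei-Vlanif10]ip add 192.168.10.252 24
[Huawei-Vlanif10]vrrp vrid 1 virtual-ip 192.168.10.254
[Huawei-Vlanif10]vrrp vrid 1 priority 120
[Huawei-Vlanif10]vrrp vrid 1 track interface Vlanif 70 reduced 30
[Huawei-Vlanif40]ip add 192.168.40.252 24
[Huawei-Vlanif40]vrrp vrid 4 virtual-ip 192.168.40.254
"""


def demo():
    lsw9, lsw10 = parse("LSW9", LSW9_CFG), parse("LSW10", LSW10_CFG)
    normal = elect([lsw9, lsw10])
    # LSW10's firewall uplink fails: its vrid 4 priority falls to 90 and LSW9 takes VLAN 40.
    failed = elect([lsw9, lsw10], down={("LSW10", "Vlanif80")})
    return normal, failed, mismatches(lsw9, lsw10)


if __name__ == "__main__":
    print(demo())
```

Run as-is it reports LSW9 as master for VLAN 10 and LSW10 for VLAN 40 in normal operation, and LSW9 for both once LSW10's Vlanif80 is down; `mismatches` is the check worth running on real exports, since a VRID or virtual-IP typo on one peer silently produces two masters.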
mstp:
[Huawei]stp region-configuration
[Huawei-mst-region]region-name huawei_wys
[Huawei-mst-region]revision-level 1
[Huawei-mst-region]instance 1 vlan 10 20 30
[Huawei-mst-region]instance 2 vlan 40 50 60
[Huawei-mst-region]active region-configuration
[Huawei]stp instance 2 root primary primary root bridge of instance 2
[Huawei]stp instance 1 root secondary backup root bridge of instance 1
OSPF:
[Huawei]ospf 1 router-id 2.2.2.2 process number 1
[Huawei-ospf-1]area 0 create the backbone area
[Huawei-ospf-1-area-0.0.0.0]network 192.168.80.1 0.0.0.0 exact (host-route) advertisement
[Huawei-ospf-1]area 2 area division; note that this area differs from LSW9's
[Huawei-ospf-1-area-0.0.0.2]stub
[Huawei-ospf-1-area-0.0.0.2]network 192.168.10.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.2]network 192.168.20.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.2]network 192.168.30.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.2]network 192.168.40.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.2]network 192.168.50.0 0.0.0.255
[Huawei-ospf-1-area-0.0.0.2]network 192.168.60.0 0.0.0.255
Wireless network:
[Huawei]int g0/0/6
[Huawei-GigabitEthernet0/0/6]port link-type trunk
[Huawei-GigabitEthernet0/0/6]port trunk allow-pass vlan all
[Huawei]int vlan100
[Huawei-Vlanif100]ip add 192.168.100.253 24
ACL:
[Huawei]acl name NotMutualAccess give the ACL a name (with no number given, VRP assigns it the advanced-ACL number 3999, which the traffic-filter below references)
[Huawei-acl-adv-NotMutualAccess]rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[Huawei-acl-adv-NotMutualAccess]rule 10 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 create the ACL rules that deny traffic between the two departments in both directions
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]traffic-filter inbound acl 3999
[Huawei]int G0/0/2
[Huawei-GigabitEthernet0/0/2]traffic-filter inbound acl 3999 apply the ACL to inbound traffic
LSW11
[Huawei]vlan batch 100 200
[Huawei]port-group group-member Ethernet 0/0/1 to Ethernet 0/0/3
[Huawei-port-group]port link-type trunk
[Huawei-port-group]port trunk allow-pass vlan all
LSW13
[Huawei]vlan batch 10 20 30
[Huawei]int GigabitEthernet 0/0/7
[Huawei-GigabitEthernet0/0/7]port link-type trunk
[Huawei-GigabitEthernet0/0/7]port trunk allow-pass vlan all
[Huawei]int g0/0/1 (repeat the same for g0/0/2 and g0/0/3)
[Huawei-GigabitEthernet0/0/1]port link-type trunk
[Huawei-GigabitEthernet0/0/1]port trunk allow-pass vlan all
aaa (enable telnet):
[Huawei]aaa
[Huawei-aaa]local-user wys password cipher 123456 set the local account and password
[Huawei-aaa]local-user wys service-type telnet set the service type to telnet
[Huawei-aaa]local-user wys privilege level 15 set the account's login level to 15; the lowest is 1
[Huawei]user-interface vty 0 4 enter the VTY terminal lines
[Huawei-ui-vty0-4]authentication-mode aaa apply AAA authentication; from now on the switch can be reached remotely with telnet IP
LSW14
[Huawei]vlan batch 40 50 60
[Huawei]int GigabitEthernet 0/0/7
[Huawei-GigabitEthernet0/0/7]port link-type trunk
[Huawei-GigabitEthernet0/0/7]port trunk allow-pass vlan all
[Huawei]int g0/0/4 (repeat the same for g0/0/5 and g0/0/6)
[Huawei-GigabitEthernet0/0/4]port link-type trunk
[Huawei-GigabitEthernet0/0/4]port trunk allow-pass vlan all
LSW15
[Huawei]vlan batch 10 20 30
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]port link-type trunk
[Huawei-Ethernet0/0/1]port trunk allow-pass vlan all
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 10
[Huawei]int e0/0/2
[Huawei-Ethernet0/0/2]port link-type access
[Huawei-Ethernet0/0/2]port default vlan 10
ACL:
Student dormitories in the main campus and in the Software Park are not allowed to access the main campus finance department.
[Huawei]acl 3000 advanced ACL
[Huawei-acl-adv-3000]rule deny tcp source 172.16.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 create the ACL rule (it matches TCP only)
[Huawei]int e0/0/2
[Huawei-Ethernet0/0/2]traffic-filter inbound acl 3000 apply the ACL
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]traffic-filter inbound acl 3000 apply the ACL
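Both ACLs in this lab (NotMutualAccess on the LSW9/LSW10 core switches and acl 3000 on LSW15) rely on the same matching semantics: the address after `source`/`destination` is compared under a wildcard mask where a 1 bit means "don't care", the first matching rule decides, and traffic-filter forwards anything that matches no rule. The script below is an added example, not code from the original post: it parses the two ACLs exactly as written above and evaluates constructed sample packets against them, including the case that acl 3000 does not cover because its rule names `tcp` rather than `ip`.

```python
"""Huawei advanced-ACL matcher for the lab's traffic-filter rules (added example)."""
import ipaddress
import re

ANY = ("0.0.0.0", "255.255.255.255")   # all-ones wildcard = match any address


def parse_acl(text):
    """Return [(rule_id, action, proto, (src, src_wc), (dst, dst_wc))].
    rule_id is None when the line carries no number (VRP then auto-numbers it)."""
    rules = []
    for raw in text.strip().splitlines():
        tok = re.sub(r"^\[[^\]]*\]", "", raw.strip()).split()   # drop the prompt
        if not tok or tok[0] != "rule":
            continue
        i, rule_id = 1, None
        if tok[i].isdigit():
            rule_id, i = int(tok[i]), i + 1
        action, proto = tok[i], tok[i + 1]
        i += 2
        src = dst = ANY
        while i + 2 < len(tok):
            if tok[i] == "source":
                src, i = (tok[i + 1], tok[i + 2]), i + 3
            elif tok[i] == "destination":
                dst, i = (tok[i + 1], tok[i + 2]), i + 3
            else:
                break                           # trailing comment text
        rules.append((rule_id, action, proto, src, dst))
    return rules


def wc_match(addr, net, wildcard):
    """Huawei wildcard mask: a 1 bit means the bit is not compared."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)


def evaluate(rules, proto, src, dst):
    """First matching rule decides; an 'ip' rule matches every protocol."""
    for rule_id, action, rproto, (s, sw), (d, dw) in rules:
        if rproto in ("ip", proto) and wc_match(src, s, sw) and wc_match(dst, d, dw):
            return action, rule_id
    return "permit", None      # traffic-filter forwards packets that match no rule


# The two ACLs as configured in the post.
NOT_MUTUAL = parse_acl("""
[Huawei]acl name NotMutualAccess
[Huawei-acl-adv-NotMutualAccess]rule 5 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
[Huawei-acl-adv-NotMutualAccess]rule 10 deny ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
""")

ACL_3000 = parse_acl("""
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule deny tcp source 172.16.10.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
""")


def demo():
    """Constructed sample packets (proto, src, dst) -> (action, matched rule)."""
    return {
        "B->C tcp":     evaluate(NOT_MUTUAL, "tcp", "192.168.20.7", "192.168.30.9"),
        "C->B icmp":    evaluate(NOT_MUTUAL, "icmp", "192.168.30.9", "192.168.20.7"),
        "B->D tcp":     evaluate(NOT_MUTUAL, "tcp", "192.168.20.7", "192.168.40.1"),
        "dorm->C tcp":  evaluate(ACL_3000, "tcp", "172.16.10.5", "192.168.30.9"),
        # acl 3000 names tcp only, so ICMP and UDP from the dormitory subnet still reach finance
        "dorm->C icmp": evaluate(ACL_3000, "icmp", "172.16.10.5", "192.168.30.9"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

The last entry is the one to notice when auditing this kind of policy: because the rule on LSW15 is written with `tcp`, the stated goal (no dormitory access to finance) holds only for TCP, while the NotMutualAccess rules, written with `ip`, cover all protocols.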
LSW16
[Huawei]vlan batch 10 20 30
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]port link-type trunk
[Huawei-Ethernet0/0/1]port trunk allow-pass vlan all
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 20
LSW17
[Huawei]vlan batch 10 20 30
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]port link-type trunk
[Huawei-Ethernet0/0/1]port trunk allow-pass vlan all
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 30
LSW18
[Huawei]vlan batch 40 50 60
[Huawei]int e0/0/2
[Huawei-Ethernet0/0/2]port link-type trunk
[Huawei-Ethernet0/0/2]port trunk allow-pass vlan all
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 40
LSW19
[Huawei]vlan batch 40 50 60
[Huawei]int e0/0/2
[Huawei-Ethernet0/0/2]port link-type trunk
[Huawei-Ethernet0/0/2]port trunk allow-pass vlan all
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 50
LSW20
[Huawei]vlan batch 40 50 60
[Huawei]int e0/0/2
[Huawei-Ethernet0/0/2]port link-type trunk
[Huawei-Ethernet0/0/2]port trunk allow-pass vlan all
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]port link-type access
[Huawei-Ethernet0/0/3]port default vlan 60
This article was written by A9bot; please credit the source when reposting.