Lab requirements:
An enterprise has two office locations, a headquarters and a branch. Design the network to meet the following requirements:
1. The headquarters uses OSPF for all internal routing; the branch uses static routes.
2. To reduce the administrator's workload and simplify management, every headquarters department except the servers obtains IP addresses dynamically, with the two core switches acting as redundant DHCP servers. Guest wireless and the branch use interface-based DHCP; every other segment uses global DHCP pools.
3. VRRP and MSTP are linked to achieve millisecond-level failover.
4. The wireless network isolates employees from guests.
5. For business security, the guest wireless network may reach only the company servers and the Internet; it must not reach any department.
6. VPN: the headquarters can communicate with the branch.

Headquarters AC configuration:
<AC6605>dis current-configuration
#
#
interface Vlanif100
ip address 192.168.90.37 255.255.255.252
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 192.168.90.38
#
capwap source interface vlanif100
#
wlan
security-profile name secp
security wpa-wpa2 psk pass-phrase %^%#k<E#6$h%>0i("sA;6pTO1+Je"il,cN(B]YN\{qDI%^%# aes
security-profile name secpg
ssid-profile name ssidp
ssid guimei
ssid-profile name ssidpg
ssid guest
vap-profile name vapp
service-vlan vlan-id 82
ssid-profile ssidp
security-profile secp
vap-profile name vappg
service-vlan vlan-id 83
ssid-profile ssidpg
security-profile secpg
regulatory-domain-profile name default
ap auth-mode no-auth
ap-group name apg
radio 0
vap-profile vapp wlan 1
vap-profile vappg wlan 2
radio 1
vap-profile vapp wlan 1
vap-profile vappg wlan 2
radio 2
vap-profile vapp wlan 1
vap-profile vappg wlan 2
ap-id 0 type-id 45 ap-mac 00e0-fcab-4630 ap-sn 2102354483108F573269
ap-group apg
provision-ap
#
return
<AC6605>
Headquarters aggregation switch configuration:
<C_SW1>dis current-configuration
#
sysname Huawei
#
vlan batch 10 20 30 40 50 60 81 to 83 91 to 92
#
stp instance 1 priority 4096
stp instance 2 priority 4096
stp instance 3 priority 4096
stp instance 4 priority 4096
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
stp region-configuration
region-name abc
instance 1 vlan 10
instance 2 vlan 20
instance 3 vlan 30
instance 4 vlan 40
instance 5 vlan 50
instance 6 vlan 60
instance 7 vlan 70
instance 8 vlan 80
instance 9 vlan 81
instance 10 vlan 82
instance 11 vlan 83
active region-configuration
#
interface Vlanif10
ip address 192.168.10.252 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 110
dhcp select relay
dhcp relay server-ip 192.168.90.1
dhcp relay server-ip 192.168.90.13
#
interface Vlanif20
ip address 192.168.20.252 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 110
#
interface Vlanif30
ip address 192.168.30.252 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 110
#
interface Vlanif40
ip address 192.168.40.252 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.254
#
interface Vlanif50
ip address 192.168.50.252 255.255.255.0
vrrp vrid 50 virtual-ip 192.168.50.254
#
interface Vlanif60
ip address 192.168.60.252 255.255.255.0
vrrp vrid 60 virtual-ip 192.168.60.254
#
interface Vlanif81
ip address 192.168.81.252 255.255.255.0
vrrp vrid 81 virtual-ip 192.168.81.254
dhcp select relay
dhcp relay server-ip 192.168.90.1
dhcp relay server-ip 192.168.90.13
#
interface Vlanif82
ip address 192.168.82.252 255.255.255.0
vrrp vrid 82 virtual-ip 192.168.82.254
dhcp select relay
dhcp relay server-ip 192.168.90.1
dhcp relay server-ip 192.168.90.13
#
interface Vlanif83
ip address 192.168.83.252 255.255.255.0
vrrp vrid 83 virtual-ip 192.168.83.254
dhcp select relay
dhcp relay server-ip 192.168.90.1
#
interface Vlanif91
ip address 192.168.90.2 255.255.255.252
#
interface Vlanif92
ip address 192.168.90.6 255.255.255.252
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/8
port link-type access
port default vlan 91
#
interface GigabitEthernet0/0/9
port link-type access
port default vlan 92
#
ospf 1
area 0.0.0.0
network 192.168.90.0 0.0.0.3
network 192.168.90.4 0.0.0.3
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
network 192.168.50.0 0.0.0.255
network 192.168.60.0 0.0.0.255
network 192.168.81.0 0.0.0.255
network 192.168.82.0 0.0.0.255
network 192.168.83.0 0.0.0.255
#
return
<C_SW1>
[C_SW2]dis current-configuration
#
sysname C_SW2
#
vlan batch 10 20 30 40 50 60 81 to 83 91 to 94
#
stp instance 5 priority 4096
stp instance 6 priority 4096
stp instance 9 priority 4096
stp instance 10 priority 4096
stp instance 11 priority 4096
#
dhcp enable
#
stp region-configuration
region-name abc
instance 1 vlan 10
instance 2 vlan 20
instance 3 vlan 30
instance 4 vlan 40
instance 5 vlan 50
instance 6 vlan 60
instance 7 vlan 70
instance 8 vlan 80
instance 9 vlan 81
instance 10 vlan 82
instance 11 vlan 83
active region-configuration
#
interface Vlanif10
ip address 192.168.10.253 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
dhcp select relay
dhcp relay server-ip 192.168.90.1
dhcp relay server-ip 192.168.90.13
#
interface Vlanif20
ip address 192.168.20.253 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
#
interface Vlanif30
ip address 192.168.30.253 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.254
#
interface Vlanif40
ip address 192.168.40.253 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 110
#
interface Vlanif50
ip address 192.168.50.253 255.255.255.0
vrrp vrid 50 virtual-ip 192.168.50.254
vrrp vrid 50 priority 110
#
interface Vlanif60
ip address 192.168.60.253 255.255.255.0
vrrp vrid 60 virtual-ip 192.168.60.254
vrrp vrid 60 priority 110
#
interface Vlanif81
ip address 192.168.81.253 255.255.255.0
vrrp vrid 81 virtual-ip 192.168.81.254
vrrp vrid 81 priority 110
dhcp select relay
dhcp relay server-ip 192.168.90.1
dhcp relay server-ip 192.168.90.13
#
interface Vlanif82
ip address 192.168.82.253 255.255.255.0
vrrp vrid 82 virtual-ip 192.168.82.254
vrrp vrid 82 priority 110
dhcp select relay
dhcp relay server-ip 192.168.90.1
dhcp relay server-ip 192.168.90.13
#
interface Vlanif83
ip address 192.168.83.253 255.255.255.0
vrrp vrid 83 virtual-ip 192.168.83.254
vrrp vrid 83 priority 110
dhcp select relay
dhcp relay server-ip 192.168.90.1
#
interface Vlanif93
ip address 192.168.90.10 255.255.255.252
#
interface Vlanif94
ip address 192.168.90.14 255.255.255.252
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/8
port link-type access
port default vlan 94
#
interface GigabitEthernet0/0/9
port link-type access
port default vlan 93
#
ospf 1
area 0.0.0.0
network 192.168.90.12 0.0.0.3
network 192.168.90.8 0.0.0.3
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
network 192.168.30.0 0.0.0.255
network 192.168.40.0 0.0.0.255
network 192.168.50.0 0.0.0.255
network 192.168.60.0 0.0.0.255
network 192.168.81.0 0.0.0.255
network 192.168.82.0 0.0.0.255
network 192.168.83.0 0.0.0.255
#
return
[C_SW2]
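Requirement 3 links VRRP and MSTP. For the linkage to pay off, the switch that is VRRP master for a VLAN must also be the MSTP root for the instance that carries that VLAN; otherwise every frame of that VLAN crosses the inter-switch link before reaching its gateway, and a failure of either switch triggers a different convergence path for VRRP than for MSTP. The following Python script is an added example, not part of the original post and not a Huawei tool: it parses the relevant STP and VRRP lines of the two aggregation-switch configs above (embedded as a constructed excerpt covering VLANs 10, 40, 50 and 83) and reports VLANs whose VRRP master and MSTP root differ. The parser is simplified (one VLAN per `instance N vlan V` line, ties broken by dict order) and the function names are my own.

```python
import re

DEFAULT_STP_PRIORITY = 32768   # MSTP bridge priority when none is configured
DEFAULT_VRRP_PRIORITY = 100    # VRRP router priority when none is configured

# Constructed excerpts of the C_SW1 / C_SW2 configs shown above (VLANs 10, 40, 50, 83).
C_SW1_CFG = """\
stp instance 1 priority 4096
stp instance 4 priority 4096
stp region-configuration
 instance 1 vlan 10
 instance 4 vlan 40
 instance 5 vlan 50
 instance 11 vlan 83
interface Vlanif10
 vrrp vrid 10 virtual-ip 192.168.10.254
 vrrp vrid 10 priority 110
interface Vlanif40
 vrrp vrid 40 virtual-ip 192.168.40.254
interface Vlanif50
 vrrp vrid 50 virtual-ip 192.168.50.254
interface Vlanif83
 vrrp vrid 83 virtual-ip 192.168.83.254
"""
C_SW2_CFG = """\
stp instance 5 priority 4096
stp instance 11 priority 4096
stp region-configuration
 instance 1 vlan 10
 instance 4 vlan 40
 instance 5 vlan 50
 instance 11 vlan 83
interface Vlanif10
 vrrp vrid 10 virtual-ip 192.168.10.254
interface Vlanif40
 vrrp vrid 40 virtual-ip 192.168.40.254
 vrrp vrid 40 priority 110
interface Vlanif50
 vrrp vrid 50 virtual-ip 192.168.50.254
 vrrp vrid 50 priority 110
interface Vlanif83
 vrrp vrid 83 virtual-ip 192.168.83.254
 vrrp vrid 83 priority 110
"""

def parse_switch(cfg):
    """Return (vlan->instance, instance->stp priority, vlan->vrrp priority).
    Simplified parser: one VLAN per 'instance N vlan V' line, as in the configs above."""
    vlan_instance, stp_prio, vrrp_prio = {}, {}, {}
    vlan = None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"stp instance (\d+) priority (\d+)$", line):
            stp_prio[int(m[1])] = int(m[2])
        elif m := re.match(r"instance (\d+) vlan (\d+)$", line):
            vlan_instance[int(m[2])] = int(m[1])
        elif m := re.match(r"interface Vlanif(\d+)$", line):
            vlan = int(m[1])
        elif re.match(r"vrrp vrid \d+ virtual-ip ", line):
            vrrp_prio.setdefault(vlan, DEFAULT_VRRP_PRIORITY)
        elif m := re.match(r"vrrp vrid \d+ priority (\d+)$", line):
            vrrp_prio[vlan] = int(m[1])
    return vlan_instance, stp_prio, vrrp_prio

def roles_per_vlan(configs):
    """vlan -> (VRRP master, MSTP root) over the switches in `configs` (name -> text).
    Ties are broken by dict order; a real election would also compare addresses."""
    parsed = {name: parse_switch(cfg) for name, cfg in configs.items()}
    vlans = set().union(*(p[2].keys() for p in parsed.values()))
    roles = {}
    for vlan in sorted(vlans):
        master = max(parsed, key=lambda n: parsed[n][2].get(vlan, -1))
        def stp_priority(name):
            vlan_instance, stp_prio, _ = parsed[name]
            inst = vlan_instance.get(vlan, 0)   # unmapped VLANs belong to instance 0 (CIST)
            return stp_prio.get(inst, DEFAULT_STP_PRIORITY)
        root = min(parsed, key=stp_priority)
        roles[vlan] = (master, root)
    return roles

def misaligned_vlans(configs):
    """VLANs whose VRRP master is not the MSTP root: their traffic detours over the inter-switch link."""
    return [v for v, (master, root) in roles_per_vlan(configs).items() if master != root]

if __name__ == "__main__":
    cfgs = {"C_SW1": C_SW1_CFG, "C_SW2": C_SW2_CFG}
    for vlan, (master, root) in roles_per_vlan(cfgs).items():
        print(f"VLAN {vlan}: VRRP master {master}, MSTP root {root}")
    print("misaligned:", misaligned_vlans(cfgs))
```

Run against the excerpt, the script reports VLAN 40: C_SW2 is the VRRP master (priority 110) while C_SW1 holds instance 4 with priority 4096, so VLAN 40 is the one VLAN in the page's configs where the two protocols disagree; VLANs 10, 50 and 83 are aligned.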
Headquarters core switch configuration:
<Core_SW1>dis current-configuration
#
sysname Core_SW1
#
vlan batch 83 91 93 95 98
#
stp instance 11 priority 4096
#
#
dhcp enable
#
stp region-configuration
region-name abc
instance 11 vlan 91
instance 12 vlan 95
active region-configuration
#
drop-profile default
#
ip pool v10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.10.129 192.168.10.253
#
ip pool v81
gateway-list 192.168.81.254
network 192.168.81.0 mask 255.255.255.0
option 43 sub-option 3 ascii 192.168.90.37
#
ip pool v82
gateway-list 192.168.82.254
network 192.168.82.0 mask 255.255.255.0
#
ip pool v83
gateway-list 192.168.83.254
network 192.168.83.0 mask 255.255.255.0
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif91
ip address 192.168.90.1 255.255.255.252
dhcp select global
#
interface Vlanif93
ip address 192.168.90.9 255.255.255.252
#
interface Vlanif95
ip address 192.168.90.18 255.255.255.252
#
interface Vlanif98
ip address 192.168.90.30 255.255.255.252
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 91
stp disable
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 93
stp disable
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 98
#
interface GigabitEthernet0/0/6
port link-type access
port default vlan 95
stp disable
#
ospf 1
area 0.0.0.0
network 192.168.90.16 0.0.0.3
network 192.168.90.0 0.0.0.3
network 192.168.90.8 0.0.0.3
network 192.168.90.28 0.0.0.3
#
user-interface con 0
user-interface vty 0 4
#
return
<Core_SW1>
[Core_SW2]dis current-configuration
#
sysname Core_SW2
#
vlan batch 83 92 94 96 99
#
dhcp enable
#
ip pool v10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.10.1 192.168.10.128
excluded-ip-address 192.168.10.252 192.168.10.253
#
ip pool v81
gateway-list 192.168.81.254
network 192.168.81.0 mask 255.255.255.0
option 43 sub-option 3 ascii 192.168.90.37
#
ip pool v82
gateway-list 192.168.82.254
network 192.168.82.0 mask 255.255.255.0
#
interface Vlanif92
ip address 192.168.90.5 255.255.255.252
#
interface Vlanif94
ip address 192.168.90.13 255.255.255.252
dhcp select global
#
interface Vlanif96
ip address 192.168.90.22 255.255.255.252
#
interface Vlanif99
ip address 192.168.90.34 255.255.255.252
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 94
stp disable
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 92
stp disable
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 99
#
interface GigabitEthernet0/0/6
port link-type access
port default vlan 96
stp disable
#
ospf 1
area 0.0.0.0
network 192.168.90.12 0.0.0.3
network 192.168.90.20 0.0.0.3
network 192.168.90.4 0.0.0.3
network 192.168.90.32 0.0.0.3
#
user-interface con 0
user-interface vty 0 4
#
return
[Core_SW2]
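Requirement 2 makes the two core switches redundant DHCP servers, and the relay on each Vlanif lists both 192.168.90.1 and 192.168.90.13. Redundancy is only safe when the two servers cannot offer the same address: pool v10 above is split with `excluded-ip-address` so that Core_SW1 assigns the lower half and Core_SW2 the upper half, while the other pools are not. The following Python script is an added example, not part of the original post and not a Huawei tool: it parses the `ip pool` blocks of the two core-switch configs above (embedded as a constructed excerpt), classifies each pool as split, overlapping or single-server, lists the addresses no server will assign, and collects the AC address handed out through option 43. It treats the gateway-list address as unassignable; function names are my own.

```python
import ipaddress
import re

# Constructed excerpts of the Core_SW1 / Core_SW2 DHCP pools shown above.
CORE_SW1_CFG = """\
ip pool v10
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 excluded-ip-address 192.168.10.129 192.168.10.253
ip pool v81
 gateway-list 192.168.81.254
 network 192.168.81.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 192.168.90.37
ip pool v82
 gateway-list 192.168.82.254
 network 192.168.82.0 mask 255.255.255.0
ip pool v83
 gateway-list 192.168.83.254
 network 192.168.83.0 mask 255.255.255.0
"""
CORE_SW2_CFG = """\
ip pool v10
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 excluded-ip-address 192.168.10.1 192.168.10.128
 excluded-ip-address 192.168.10.252 192.168.10.253
ip pool v81
 gateway-list 192.168.81.254
 network 192.168.81.0 mask 255.255.255.0
 option 43 sub-option 3 ascii 192.168.90.37
ip pool v82
 gateway-list 192.168.82.254
 network 192.168.82.0 mask 255.255.255.0
"""

def parse_pools(cfg):
    """pool name -> {'net', 'assignable' (set of host ints), 'option43' (str or None)}.
    Gateway-list and excluded-ip-address ranges are treated as unassignable."""
    pools, cur = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"ip pool (\S+)$", line):
            cur = pools.setdefault(m[1], {"net": None, "reserved": set(), "option43": None})
        elif m := re.match(r"gateway-list (\S+)$", line):
            cur["reserved"].add(int(ipaddress.ip_address(m[1])))
        elif m := re.match(r"network (\S+) mask (\S+)$", line):
            cur["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"excluded-ip-address (\S+)(?: (\S+))?$", line):
            lo, hi = (int(ipaddress.ip_address(a)) for a in (m[1], m[2] or m[1]))
            cur["reserved"].update(range(lo, hi + 1))
        elif m := re.match(r"option 43 sub-option 3 ascii (\S+)$", line):
            cur["option43"] = m[1]
    for p in pools.values():
        p["assignable"] = {int(h) for h in p["net"].hosts()} - p["reserved"]
    return pools

def redundancy_report(servers):
    """pool name -> 'split' (disjoint ranges on two servers), 'overlap' (both servers
    can offer the same address: duplicate-lease risk) or 'single' (no second server)."""
    parsed = {name: parse_pools(cfg) for name, cfg in servers.items()}
    report = {}
    for pool in sorted(set().union(*(p.keys() for p in parsed.values()))):
        ranges = [parsed[s][pool]["assignable"] for s in parsed if pool in parsed[s]]
        if len(ranges) < 2:
            report[pool] = "single"
        else:
            report[pool] = "overlap" if set.intersection(*ranges) else "split"
    return report

def unserved(servers, pool):
    """Host addresses of `pool` that no server can assign (reserved everywhere)."""
    present = [parse_pools(cfg)[pool] for cfg in servers.values() if pool in parse_pools(cfg)]
    hosts = {int(h) for h in present[0]["net"].hosts()}
    covered = set().union(*(p["assignable"] for p in present))
    return sorted(str(ipaddress.ip_address(a)) for a in hosts - covered)

def option43_values(servers, pool):
    """Distinct AC addresses advertised via option 43 sub-option 3 for `pool`."""
    return {parse_pools(cfg)[pool]["option43"] for cfg in servers.values()
            if pool in parse_pools(cfg)}

if __name__ == "__main__":
    servers = {"Core_SW1": CORE_SW1_CFG, "Core_SW2": CORE_SW2_CFG}
    print(redundancy_report(servers))
    print("v10 unserved:", unserved(servers, "v10"))
    print("v81 option 43:", option43_values(servers, "v81"))
```

On the page's pools the report is v10 split, v81 and v82 overlapping (both servers can hand out the entire /24, so two clients can be offered the same address unless each server probes before offering), and v83 single (the guest pool exists only on Core_SW1, which matches Vlanif83 relaying to 192.168.90.1 alone). For v10 the only unserved addresses are .252 to .254, the aggregation and virtual gateway addresses, which is what the split intends. Both servers advertise the same AC address for the AP pool v81.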
Headquarters firewall configuration:
[ZB_FW]dis current-configuration
2025-04-17 04:19:59.200
!Software Version V500R005C10SPC300
#
sysname ZB_FW
#
acl number 3000
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.110.0 0.0.0.255
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.120.0 0.0.0.255
rule 15 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.130.0 0.0.0.255
rule 20 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.140.0 0.0.0.255
rule 25 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.110.0 0.0.0.255
rule 30 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.120.0 0.0.0.255
rule 35 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.130.0 0.0.0.255
rule 40 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.140.0 0.0.0.255
rule 45 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.110.0 0.0.0.255
rule 50 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.120.0 0.0.0.255
rule 55 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.130.0 0.0.0.255
rule 60 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.140.0 0.0.0.255
rule 65 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.110.0 0.0.0.255
rule 70 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.120.0 0.0.0.255
rule 75 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.130.0 0.0.0.255
rule 80 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.140.0 0.0.0.255
rule 85 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.110.0 0.0.0.255
rule 90 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.120.0 0.0.0.255
rule 95 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.130.0 0.0.0.255
rule 100 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.140.0 0.0.0.255
rule 105 permit ip source 192.168.60.0 0.0.0.255 destination 192.168.110.0 0.0.0.255
rule 110 permit ip source 192.168.60.0 0.0.0.255 destination 192.168.120.0 0.0.0.255
rule 115 permit ip source 192.168.60.0 0.0.0.255 destination 192.168.130.0 0.0.0.255
rule 120 permit ip source 192.168.60.0 0.0.0.255 destination 192.168.140.0 0.0.0.255
rule 125 permit ip source 192.168.70.0 0.0.0.255 destination 192.168.110.0 0.0.0.255
rule 130 permit ip source 192.168.70.0 0.0.0.255 destination 192.168.120.0 0.0.0.255
rule 135 permit ip source 192.168.70.0 0.0.0.255 destination 192.168.130.0 0.0.0.255
rule 140 permit ip source 192.168.70.0 0.0.0.255 destination 192.168.140.0 0.0.0.255
rule 145 permit ip source 192.168.82.0 0.0.0.255 destination 192.168.110.0 0.0.0.255
rule 150 permit ip source 192.168.82.0 0.0.0.255 destination 192.168.120.0 0.0.0.255
rule 155 permit ip source 192.168.82.0 0.0.0.255 destination 192.168.130.0 0.0.0.255
rule 160 permit ip source 192.168.82.0 0.0.0.255 destination 192.168.140.0 0.0.0.255
#
ipsec proposal ipsecp
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm 3des
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer fb
pre-shared-key %^%#y!"C*l^6_O1m;`/#ug@!!_WsC=5W!=+:,3HNM}61%^%#
ike-proposal 1
remote-address 200.200.200.2
#
ipsec policy ipsecp 1 isakmp
security acl 3000
ike-peer fb
proposal ipsecp
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.90.17 255.255.255.252
alias GE0/METH
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.90.21 255.255.255.252
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.90.25 255.255.255.252
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 100.100.100.2 255.255.255.252
service-manage https permit
service-manage ping permit
ipsec policy ipsecp
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#
ospf 1
default-route-advertise always
area 0.0.0.0
network 192.168.90.16 0.0.0.3
network 192.168.90.20 0.0.0.3
network 192.168.90.24 0.0.0.3
#
ip route-static 0.0.0.0 0.0.0.0 100.100.100.1
#
security-policy
rule name 111
source-zone dmz
destination-zone untrust
action permit
rule name 112
source-zone trust
destination-zone untrust
action permit
rule name 113
source-zone trust
destination-zone dmz
action permit
rule name 114
source-zone trust
destination-zone local
action permit
rule name 115
source-zone local
destination-zone untrust
action permit
rule name 116
source-zone untrust
destination-zone local
source-address 200.200.200.2 mask 255.255.255.255
action permit
rule name 117
source-zone local
destination-zone trust
action permit
rule name 118
source-zone local
destination-zone dmz
action permit
rule name 119
source-zone untrust
destination-zone dmz
action permit
rule name 120
source-zone untrust
destination-zone trust
source-address 192.168.0.0 mask 255.255.0.0
action permit
#
#
nat-policy
rule name 123
source-zone dmz
source-zone trust
destination-zone untrust
destination-address 123.123.123.123 mask 255.255.255.255
action source-nat easy-ip
#
return
[ZB_FW]
Branch firewall configuration:
[FB_FW]dis current-configuration
2025-04-17 04:23:17.850
!Software Version V500R005C10SPC300
#
sysname FB_FW
#
acl number 3000
rule 5 permit ip source 192.168.110.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 10 permit ip source 192.168.120.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 15 permit ip source 192.168.130.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 20 permit ip source 192.168.140.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 25 permit ip source 192.168.110.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 30 permit ip source 192.168.120.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 35 permit ip source 192.168.130.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 40 permit ip source 192.168.140.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 45 permit ip source 192.168.110.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 50 permit ip source 192.168.120.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 55 permit ip source 192.168.130.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 60 permit ip source 192.168.140.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
rule 65 permit ip source 192.168.110.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 70 permit ip source 192.168.120.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 75 permit ip source 192.168.130.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 80 permit ip source 192.168.140.0 0.0.0.255 destination 192.168.40.0 0.0.0.255
rule 85 permit ip source 192.168.110.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
rule 90 permit ip source 192.168.120.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
rule 95 permit ip source 192.168.130.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
rule 100 permit ip source 192.168.140.0 0.0.0.255 destination 192.168.50.0 0.0.0.255
rule 105 permit ip source 192.168.110.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
rule 110 permit ip source 192.168.120.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
rule 115 permit ip source 192.168.130.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
rule 120 permit ip source 192.168.140.0 0.0.0.255 destination 192.168.60.0 0.0.0.255
rule 125 permit ip source 192.168.110.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
rule 130 permit ip source 192.168.120.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
rule 135 permit ip source 192.168.130.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
rule 140 permit ip source 192.168.140.0 0.0.0.255 destination 192.168.70.0 0.0.0.255
rule 145 permit ip source 192.168.110.0 0.0.0.255 destination 192.168.82.0 0.0.0.255
rule 150 permit ip source 192.168.120.0 0.0.0.255 destination 192.168.82.0 0.0.0.255
rule 155 permit ip source 192.168.130.0 0.0.0.255 destination 192.168.82.0 0.0.0.255
rule 160 permit ip source 192.168.140.0 0.0.0.255 destination 192.168.82.0 0.0.0.255
#
#
ipsec proposal ipsecp
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
encryption-algorithm 3des
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer zb
pre-shared-key %^%#iwUwJ{gw!QV:O@T~CP[>|EtTEg]A/VSz.0H6t}};%^%#
ike-proposal 1
remote-address 100.100.100.2
#
ipsec policy ipsecp 1 isakmp
security acl 3000
ike-peer zb
proposal ipsecp
#
role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.0.1 255.255.255.0
alias GE0/METH
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.100.1 255.255.255.252
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 200.200.200.2 255.255.255.252
service-manage https permit
service-manage ping permit
ipsec policy ipsecp
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 200.200.200.1
ip route-static 192.168.110.0 255.255.255.0 192.168.100.2
ip route-static 192.168.120.0 255.255.255.0 192.168.100.2
ip route-static 192.168.130.0 255.255.255.0 192.168.100.2
ip route-static 192.168.140.0 255.255.255.0 192.168.100.2
#
security-policy
rule name 111
source-zone trust
destination-zone untrust
action permit
rule name 112
source-zone trust
destination-zone local
action permit
rule name 113
source-zone local
destination-zone untrust
action permit
rule name 114
source-zone untrust
destination-zone local
source-address 100.100.100.2 mask 255.255.255.255
action permit
rule name 115
source-zone untrust
destination-zone trust
source-address 192.168.0.0 mask 255.255.0.0
action permit
#
nat-policy
rule name 123
source-zone trust
destination-zone untrust
destination-address 123.123.123.123 mask 255.255.255.255
action source-nat easy-ip
#
return
[FB_FW]
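Each firewall selects interesting traffic for the IPsec policy with ACL 3000, and the branch ACL has to be the exact mirror of the headquarters ACL: a flow that is selected on one side only is protected in one direction, and its return traffic either fails SA negotiation or leaves the tunnel in the clear. The following Python script is an added example, not part of the original post and not a Huawei tool: it parses a few of the ACL 3000 rules and the proposal lines from the two firewall configs above (embedded as a constructed excerpt), reports any rule without a reversed counterpart on the peer, shows which source subnets the ACL covers, and lists proposal algorithms that fall below a current baseline. The `LEGACY` set and the function names are my own.

```python
import re

# Constructed excerpts of the ZB_FW / FB_FW configs shown above (three ACL rules each).
ZB_FW_CFG = """\
acl number 3000
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.110.0 0.0.0.255
 rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.120.0 0.0.0.255
 rule 145 permit ip source 192.168.82.0 0.0.0.255 destination 192.168.110.0 0.0.0.255
ipsec proposal ipsecp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ike proposal 1
 encryption-algorithm 3des
 dh group14
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
"""
FB_FW_CFG = """\
acl number 3000
 rule 5 permit ip source 192.168.110.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 10 permit ip source 192.168.120.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 145 permit ip source 192.168.110.0 0.0.0.255 destination 192.168.82.0 0.0.0.255
ipsec proposal ipsecp
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ike proposal 1
 encryption-algorithm 3des
 dh group14
 authentication-algorithm sha2-256
 integrity-algorithm hmac-sha2-256
"""

RULE_RE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")
ALG_RE = re.compile(r"(?:-algorithm|^\s*dh) (\S+)$")
# Algorithms I treat as legacy; adjust to your own baseline.
LEGACY = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}

def acl_flows(cfg):
    """(src, src_wildcard, dst, dst_wildcard) tuples selected by the ACL."""
    return {m.groups() for line in cfg.splitlines() if (m := RULE_RE.search(line))}

def unmirrored(local_cfg, peer_cfg):
    """Local flows with no reversed counterpart in the peer's ACL."""
    peer = acl_flows(peer_cfg)
    return sorted(f for f in acl_flows(local_cfg) if (f[2], f[3], f[0], f[1]) not in peer)

def acl_sources(cfg):
    """Source subnets whose traffic the ACL sends into the tunnel."""
    return {f[0] for f in acl_flows(cfg)}

def legacy_algorithms(cfg):
    """Algorithms in the ipsec/ike proposals that are in the LEGACY set."""
    algs = {m[1] for line in cfg.splitlines() if (m := ALG_RE.search(line))}
    return sorted(algs & LEGACY)

if __name__ == "__main__":
    print("HQ rules without branch mirror:", unmirrored(ZB_FW_CFG, FB_FW_CFG))
    print("branch rules without HQ mirror:", unmirrored(FB_FW_CFG, ZB_FW_CFG))
    print("HQ sources in tunnel:", sorted(acl_sources(ZB_FW_CFG)))
    print("legacy algorithms:", legacy_algorithms(ZB_FW_CFG), legacy_algorithms(FB_FW_CFG))
```

For the excerpt both mirror checks return an empty list. The guest subnet 192.168.83.0 is absent from the headquarters ACL while the employee wireless subnet 192.168.82.0 is present, which is what requirement 5 asks for: guest traffic is never carried to the branch. Both proposals are flagged for 3des and sha1, the ESP algorithms and IKE cipher configured on the page; the IKE integrity, PRF and DH group (sha2-256, group14) pass.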
Headquarters access switch configuration:
[A_SW1]dis current-configuration
#
sysname A_SW1
#
vlan batch 10 81 to 83
#
stp region-configuration
region-name abc
instance 1 vlan 10
instance 2 vlan 20
instance 3 vlan 30
instance 4 vlan 40
instance 5 vlan 50
instance 6 vlan 60
instance 7 vlan 70
instance 8 vlan 80
instance 9 vlan 81
instance 10 vlan 82
instance 11 vlan 83
active region-configuration
#
interface Ethernet0/0/1
port link-type access
port default vlan 10
#
interface Ethernet0/0/2
port link-type trunk
port trunk pvid vlan 81
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
return
[A_SW1]
AC switch configuration:
[AC_SW]dis current-configuration
#
sysname AC_SW
#
vlan batch 98 to 100
#
interface Vlanif98
ip address 192.168.90.29 255.255.255.252
#
interface Vlanif99
ip address 192.168.90.33 255.255.255.252
#
interface Vlanif100
ip address 192.168.90.38 255.255.255.252
#
interface Ethernet0/0/1
port link-type access
port default vlan 98
stp disable
#
interface Ethernet0/0/2
port link-type access
port default vlan 99
stp disable
#
interface Ethernet0/0/3
port link-type access
port default vlan 100
stp disable
#
ospf 1
area 0.0.0.0
network 192.168.90.36 0.0.0.3
network 192.168.90.32 0.0.0.3
network 192.168.90.28 0.0.0.3
#
return
[AC_SW]
Server room switch configuration:
[JF_SW]dis current-configuration
#
sysname JF_SW
#
vlan batch 70 97
#
interface Vlanif70
ip address 192.168.70.254 255.255.255.0
#
interface Vlanif97
ip address 192.168.90.26 255.255.255.252
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 70
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 70
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 70
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 97
#
ospf 1
area 0.0.0.0
network 192.168.90.24 0.0.0.3
network 192.168.70.0 0.0.0.255
#
return
[JF_SW]
ISP router configuration:
[ISP]dis current-configuration
[V200R003C00]
#
sysname ISP
#
interface GigabitEthernet0/0/0
ip address 100.100.100.1 255.255.255.252
#
interface GigabitEthernet0/0/1
ip address 200.200.200.1 255.255.255.252
#
interface LoopBack0
ip address 123.123.123.123 255.255.255.255
#
return
[ISP]
Branch router configuration:
[FB_R]dis current-configuration
[V200R003C00]
#
sysname FB_R
#
vlan batch 110 120 130 140
#
dhcp enable
#
interface Vlanif110
ip address 192.168.110.254 255.255.255.0
dhcp select interface
#
interface Ethernet4/0/0
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet4/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/0
ip address 192.168.100.2 255.255.255.252
#
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
return
[FB_R]
Branch aggregation switch configuration:
[FB_A_SW1]dis current-configuration
#
sysname FB_A_SW1
#
vlan batch 110 120
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 110
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 120
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
return
[FB_A_SW1]
Notes:
1. In core-layer areas where no Layer 2 loop exists, STP can be disabled on the corresponding interfaces.
2. When the AC and the APs are connected at Layer 3, DHCP must assign the APs their IP addresses and at the same time advertise the AC's IP address through option 43.
3. For an MSTP region to form, the number and content of the stp instance mappings must be identical on every switch in the region.
4. For the DHCP server to assign addresses to clients, the routing between server and clients must be correct.
5. When configuring the VPN on the firewall, the security policy must permit the corresponding inbound traffic.