二层SW3 SW4
# Layer-2 access switches SW3 and SW4: identical configuration on both.
vlan 10 20 30 40
<设置 MSTP>
# MSTP region: name, revision and instance-to-VLAN mapping must match on
# every switch in the region (SW1-SW4); a mismatch splits the region.
stp region-configuration
region-name demo
revision-level 1
# Instance 1 carries VLANs 10/30, instance 2 carries VLANs 20/40, so that each
# uplink can forward for one instance instead of one uplink being blocked for
# every VLAN.
instance 1 vlan 10 30
instance 2 vlan 20 40
# Region settings take effect only after activation.
active region-configuration
stp global enable
<接口设置>
# Uplinks to SW1/SW2: trunks carrying VLAN 1 plus the four user VLANs.
interface GigabitEthernet1/0/21
port link-type trunk
port trunk permit vlan 1 10 20 30 40
interface GigabitEthernet1/0/22
port link-type trunk
port trunk permit vlan 1 10 20 30 40
# Host-facing access ports; edged-port skips the listening/learning delay.
# NOTE(review): an edged port that receives a BPDU normally drops back to a
# regular port. Pairing edge ports with global `stp bpdu-protection` is the
# usual hardening against a host injecting BPDUs — confirm the platform
# supports it before adding.
interface GigabitEthernet1/0/1
port access vlan 10
stp edged-port
interface GigabitEthernet1/0/2
port access vlan 30
stp edged-port
三层SW1 SW2
# Layer-3 core switches SW1 and SW2. Lines without a #sw1/#sw2 marker are
# applied to both.
vlan 10 20 30 40
<接口设置>
# Downlinks to SW3/SW4, same trunk VLAN list as on the access switches.
interface GigabitEthernet1/0/21
port link-type trunk
port trunk permit vlan 1 10 20 30 40
interface GigabitEthernet1/0/22
port link-type trunk
port trunk permit vlan 1 10 20 30 40
<链路聚合>
# SW1<->SW2 inter-switch link: a dynamic (LACP) aggregation of GE1/0/23-24
# carrying all VLANs.
interface Bridge-Aggregation1
link-aggregation mode dynamic
port link-type trunk
port trunk permit vlan all
# Member ports; presumably link-type is set to trunk first so the members'
# attributes match the aggregate interface — verify against the platform's
# aggregation rules.
interface GigabitEthernet1/0/23
port link-type trunk
port link-aggregation group 1
interface GigabitEthernet1/0/24
port link-type trunk
port link-aggregation group 1
<设置 MSTP>
# Same MSTP region as SW3/SW4 (name, revision and both mappings must match).
stp region-configuration
region-name demo
revision-level 1
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
# Per-instance root election: SW1 is root for instance 1 (VLANs 10/30) and
# backup root for instance 2; SW2 is the mirror image. Combined with the VRRP
# priorities in the next section this keeps the L2 root and the L3 gateway
# for a VLAN on the same switch.
#sw1
stp instance 1 root primary
stp instance 2 root secondary
#sw2
stp instance 1 root secondary
stp instance 2 root primary
#sw1 sw2
stp global enable
# VLAN interface addresses (display-style summary): SW1 uses .252 and SW2
# .253 in every user subnet; .254 is reserved for the VRRP virtual gateway.
#sw1
Vlan10 up up 192.168.10.252 --
Vlan20 up up 192.168.20.252 --
Vlan30 up up 192.168.30.252 --
Vlan40 up up 192.168.40.252 --
#sw2
Vlan10 up up 192.168.10.253 --
Vlan20 up up 192.168.20.253 --
Vlan30 up up 192.168.30.253 --
Vlan40 up up 192.168.40.253 --
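<设置 VRRP>
# VRRP on every user VLAN: virtual gateway .254 in each subnet. The switch
# with priority 120 is master (the other keeps the default priority). SW1
# masters VLANs 10/30 and SW2 masters VLANs 20/40, matching the MSTP instance
# roots. Interface addresses follow the summary above (SW1 .252, SW2 .253,
# /24 as in the DHCP pools).
# NOTE(review): every group uses VRID 10. VRID scope is per interface, so this
# is legal; distinct VRIDs per VLAN are merely easier to troubleshoot.
# NOTE(review): no VRRP authentication is configured. If the platform offers
# `vrrp vrid <id> authentication-mode`, use it with a key kept outside this
# document; otherwise any host in the VLAN can contest the master role.
#sw1
interface Vlan-interface10
ip address 192.168.10.252 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 120
interface Vlan-interface30
ip address 192.168.30.252 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.30.254
vrrp vrid 10 priority 120
interface Vlan-interface20
ip address 192.168.20.252 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.20.254
interface Vlan-interface40
ip address 192.168.40.252 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.40.254
#sw2
interface Vlan-interface20
ip address 192.168.20.253 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.20.254
vrrp vrid 10 priority 120
interface Vlan-interface40
ip address 192.168.40.253 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.40.254
vrrp vrid 10 priority 120
interface Vlan-interface10
ip address 192.168.10.253 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.10.254
# Fixed: the original repeated "interface Vlan-interface40" here with the
# VLAN 30 virtual address. That would have placed 192.168.30.254 (outside
# Vlan-interface40's subnet) on the wrong interface and left VLAN 30 on SW2
# without a VRRP backup.
interface Vlan-interface30
ip address 192.168.30.253 255.255.255.0
vrrp vrid 10 virtual-ip 192.168.30.254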
路由R1 R2
< R1--R2连通>
# NOTE(review): the interface this line belongs to is not shown on this page.
# `port link-mode route` moves an Ethernet port from bridge (L2) to route (L3)
# mode; it has to precede `ip address` on that port.
port link-mode route
OSPF
# Single-area OSPF (area 0.0.0.0) on R1, R2, the DHCP server and SW1/SW2.
# Each `network <addr> 0.0.0.0` enables OSPF only on the interface holding that
# exact address. The area-level `authentication-mode hmac-md5 1 ...` applies
# one key (key-id 1) to every OSPF interface in the area, so it must be
# identical on all five devices.
# Point-to-point links from the paired addresses below: R1-R2 10.1.1.0,
# R1-DHCP 10.1.2.0, R1-SW1 10.1.3.0, R1-SW2 10.1.4.0, R2-SW2 10.2.3.0,
# R2-SW1 10.2.4.0.
# NOTE(review): the key is written here in the clear. `plain` only selects the
# input form; the device normally stores it in cipher form, but this document
# still exposes the secret — rotate the key and keep it out of shared notes.
# Where the platform supports hmac-sha-256, prefer it over hmac-md5.
# NOTE(review): SW1/SW2 also run OSPF on the user VLAN interfaces
# (192.168.x.252/.253). That gives them a direct adjacency over the
# inter-switch trunk, but it also sends hellos into the host VLANs; if only
# route advertisement is wanted there, `silent-interface` is the usual
# alternative — confirm the intended design before changing anything.
#R1
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 10.1.1.1 0.0.0.0
network 10.1.2.1 0.0.0.0
network 10.1.3.1 0.0.0.0
network 10.1.4.1 0.0.0.0
authentication-mode hmac-md5 1 plain h3c@123
#R2
ospf 1 router-id 2.2.2.2
area 0.0.0.0
network 10.1.1.2 0.0.0.0
network 10.2.3.1 0.0.0.0
network 10.2.4.1 0.0.0.0
authentication-mode hmac-md5 1 plain h3c@123
#dhcp-server
ospf 1 router-id 4.4.4.4
area 0.0.0.0
network 10.1.2.2 0.0.0.0
authentication-mode hmac-md5 1 plain h3c@123
#sw1
ospf 1 router-id 10.10.10.10
area 0.0.0.0
network 10.1.3.2 0.0.0.0
network 10.2.4.2 0.0.0.0
network 192.168.10.252 0.0.0.0
network 192.168.20.252 0.0.0.0
network 192.168.30.252 0.0.0.0
network 192.168.40.252 0.0.0.0
authentication-mode hmac-md5 1 plain h3c@123
#sw2
ospf 1 router-id 20.20.20.20
area 0.0.0.0
network 10.1.4.2 0.0.0.0
network 10.2.3.2 0.0.0.0
network 192.168.10.253 0.0.0.0
network 192.168.20.253 0.0.0.0
network 192.168.30.253 0.0.0.0
network 192.168.40.253 0.0.0.0
authentication-mode hmac-md5 1 plain h3c@123
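DHCP-SERVER
# Dedicated DHCP server (GE0/0 = 10.1.2.2, reached from SW1/SW2 through the
# relay configuration below). One pool per user VLAN; the server matches the
# pool against the relay agent's gateway address (the SW1/SW2 VLAN interface).
GE0/0 up up 10.1.2.2
# Fixed: DHCP has to be switched on globally before any pool is served —
# the original omitted it here (the firewall section of this page does it
# with the same command).
dhcp enable
# In every pool: gateway-list is the VRRP virtual address, and the two real
# switch addresses plus the virtual address are excluded from the lease range.
dhcp server ip-pool vlan10
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
dns-list 114.114.114.114
forbidden-ip 192.168.10.252
forbidden-ip 192.168.10.253
forbidden-ip 192.168.10.254
dhcp server ip-pool vlan20
gateway-list 192.168.20.254
network 192.168.20.0 mask 255.255.255.0
dns-list 114.114.114.114
forbidden-ip 192.168.20.252
forbidden-ip 192.168.20.253
forbidden-ip 192.168.20.254
dhcp server ip-pool vlan30
gateway-list 192.168.30.254
network 192.168.30.0 mask 255.255.255.0
dns-list 114.114.114.114
forbidden-ip 192.168.30.252
forbidden-ip 192.168.30.253
forbidden-ip 192.168.30.254
dhcp server ip-pool vlan40
gateway-list 192.168.40.254
network 192.168.40.0 mask 255.255.255.0
dns-list 114.114.114.114
forbidden-ip 192.168.40.252
forbidden-ip 192.168.40.253
forbidden-ip 192.168.40.254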
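< SW1--SW2-DHCP中继 >
# DHCP relay on SW1 and SW2 (same configuration on both): client broadcasts
# received on each user VLAN interface are forwarded as unicast to the DHCP
# server at 10.1.2.2. The relay puts the VLAN interface's own address in the
# request, which is what selects the matching pool on the server; the server
# is reachable because those interfaces are advertised in OSPF.
# Fixed: the global DHCP service must be enabled for relay to work — the
# original omitted it (same requirement as on the server).
dhcp enable
interface Vlan-interface10
dhcp select relay
dhcp relay server-address 10.1.2.2
interface Vlan-interface20
dhcp select relay
dhcp relay server-address 10.1.2.2
interface Vlan-interface30
dhcp select relay
dhcp relay server-address 10.1.2.2
interface Vlan-interface40
dhcp select relay
dhcp relay server-address 10.1.2.2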
FW1
< 开启web管理>
# Enable management services.
# NOTE(review): HTTP and Telnet are cleartext. HTTPS is already enabled, and
# SSH (`ssh server enable`) is the encrypted counterpart of Telnet; on a
# firewall the two cleartext services should be removed once the HTTPS/SSH
# path is verified — keeping them for a lab is a conscious trade-off.
ip http enable
ip https enable
telnet server enable
# Management port.
interface GigabitEthernet1/0/1
port link-mode route
# Select the copper (RJ-45) side of the combo port.
combo enable copper
ip address 192.168.0.1 255.255.255.0
# Dedicated Management zone containing only the management port.
security-zone name Management
import interface GigabitEthernet1/0/1
# Security policy: permit all IP between Local and Management (author's
# intent, kept as written).
# NOTE(review): `rule permit ip` in both directions admits any source that
# reaches this zone to the management services above. Restricting at least the
# Management->Local rule to the management subnet (192.168.0.0/24, from the
# interface address) is the minimum hardening.
acl advanced 3000
rule permit ip
zone-pair security source Local destination Management
packet-filter 3000
zone-pair security source Management destination Local
packet-filter 3000
< CLI>
# Inside interface (Trust side).
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 10.10.1.2 255.255.255.0
# Outside interface (Untrust side).
interface GigabitEthernet1/0/2
port link-mode route
combo enable copper
ip address 10.0.0.88 255.255.255.0
# Source NAT on the outside interface. No ACL or address group is given, so
# every flow leaving this interface is translated to its address (10.0.0.88).
nat outbound
# Default route to the IPS gateway.
ip route-static 0.0.0.0 0 10.0.0.1
# Put the outside interface in the Untrust security zone.
security-zone name Untrust
import interface GigabitEthernet1/0/2
# Put the inside interface in the Trust security zone.
security-zone name Trust
import interface GigabitEthernet1/0/0
配置安全策略将Trust到Untrust域内网数据放通
# Create object policy "pass".
# NOTE(review): `rule 0 pass` has no match clause, so it permits everything;
# the three zone pairs below therefore allow all inside->outside traffic and
# all traffic between the inside network and the firewall itself. Fine for a
# lab; a production policy matches on addresses/services and ends in a deny.
# Untrust->Trust has no policy here and so stays blocked by default.
object-policy ip pass
rule 0 pass
# Trust->Untrust zone pair applying policy "pass".
zone-pair security source Trust destination Untrust
object-policy apply ip pass
# Trust->Local zone pair applying policy "pass".
zone-pair security source Trust destination Local
object-policy apply ip pass
# Local->Trust zone pair applying policy "pass".
zone-pair security source Local destination Trust
object-policy apply ip pass
< DHCP>
# DHCP server on the firewall itself, shown as a CLI transcript ([H3C] and
# [H3C-dhcp-pool-1] are the system-view and pool-view prompts).
# NOTE(review): this pool covers 192.168.10.0/24 with gateway 192.168.10.1,
# but no firewall interface on that subnet appears on this page (inside is
# 10.10.1.2/24), and the same subnet is already served by DHCP-SERVER with
# gateway 192.168.10.254 (the VRRP address). A server picks a pool by the
# subnet of the receiving interface or of the relay address, so as written
# this pool would not be used on GE1/0/0 — and if it were reachable it would
# hand out a gateway that conflicts with VRRP. Confirm which subnet and
# interface are intended.
[H3C]dhcp enable
[H3C]dhcp server ip-pool 1
[H3C-dhcp-pool-1]network 192.168.10.0 mask 255.255.255.0
[H3C-dhcp-pool-1]gateway-list 192.168.10.1
[H3C-dhcp-pool-1]dns-list 114.114.114.114
[H3C-dhcp-pool-1]quit
3.10 保存配置
# Write the running configuration to the startup file without a confirmation
# prompt.
[H3C]save force