sw1-sw4,二层vrrp/mstp/vlan/
sw1
#vrrp
// Gateway VIPs: 192.168.<vlan>.254 on every SVI. sw1 sets priority 105 on VLAN 10 and 30,
// sw2 sets 105 on VLAN 20 and 40 (higher priority wins), so mastership is split across the pair.
// NOTE(review): no VRRP authentication, preempt or interface tracking is listed — confirm that is intended.
interface VLAN 10
ip address 192.168.10.252 255.255.255.0
vrrp 1 ip 192.168.10.254
vrrp 1 priority 105
!
interface VLAN 20
ip address 192.168.20.252 255.255.255.0
vrrp 2 ip 192.168.20.254
!
interface VLAN 30
ip address 192.168.30.252 255.255.255.0
vrrp 3 ip 192.168.30.254
vrrp 3 priority 105
!
interface VLAN 40
ip address 192.168.40.252 255.255.255.0
vrrp 4 ip 192.168.40.254
#mstp
!
spanning-tree
spanning-tree mode mstp
!
spanning-tree mst configuration
instance 1 vlan 10, 30
instance 2 vlan 20, 40
spanning-tree mst 1 priority 4096
// Instance priority: lower is preferred, default 32768.
// sw1 is root for instance 1 (VLAN 10,30); sw2 sets 4096 on instance 2 (VLAN 20,40).
// This matches the VRRP split above, so each VLAN's active gateway sits on its root bridge.
## G0/7-8 configured as an aggregate port, LACP dynamic (active) mode
int aggregatePort 1
switchport mode trunk
switchport trunk allowed vlan all
exit
int range gi0/7 -8
// NOTE(review): 'gi0/7 -8' has a space before '-8'; the other range in this file is written 'g0/0-1' — confirm the platform accepts the spaced form.
port-group 1 mode active
## interface configuration
int range g0/0-1
switchport mode trunk
switchport trunk allowed vlan all
// Trunks carry all VLANs; no native-VLAN change or allowed-list pruning is shown.
##ospf
route ospf 1
// Wildcard 0.0.0.255 enables OSPF on the whole /24 containing each listed address
// (uplinks to R1/R2 and the four user-VLAN SVIs).
network 192.168.101.1 0.0.0.255 area 0
network 192.168.103.1 0.0.0.255 area 0
network 192.168.10.252 0.0.0.255 area 0
network 192.168.20.252 0.0.0.255 area 0
network 192.168.30.252 0.0.0.255 area 0
network 192.168.40.252 0.0.0.255 area 0
// NOTE(review): no passive-interface for the VLAN SVIs and no OSPF authentication is listed,
// so hellos are sent into user VLANs 10-40; marking those SVIs passive limits that exposure.
## DHCP relay
service dhcp
// Relays client requests to the DHCP server at 192.168.203.2 (see the DHCP section).
// NOTE(review): ip helper-address is normally entered under each interface VLAN 10-40, not in
// global config as listed here — confirm where it was actually applied.
ip helper-address 192.168.203.2
sw2
#vrrp
// Second VRRP router on every SVI (.253). sw2 sets priority 105 on VLAN 20 and 40, so it is
// the preferred master there; VLAN 10 and 30 are preferred on sw1 (priority 105 on sw1).
// NOTE(review): no VRRP authentication, preempt or interface tracking is listed — confirm that is intended.
interface VLAN 10
ip address 192.168.10.253 255.255.255.0
vrrp 1 ip 192.168.10.254
!
interface VLAN 20
ip address 192.168.20.253 255.255.255.0
vrrp 2 ip 192.168.20.254
vrrp 2 priority 105
!
interface VLAN 30
ip address 192.168.30.253 255.255.255.0
vrrp 3 ip 192.168.30.254
!
interface VLAN 40
ip address 192.168.40.253 255.255.255.0
vrrp 4 ip 192.168.40.254
vrrp 4 priority 105
#mstp
!
spanning-tree
spanning-tree mode mstp
!
spanning-tree mst configuration
// Region mapping must be identical on sw1/sw2/sw3 (it is, in this listing) or they form separate regions.
instance 1 vlan 10, 30
instance 2 vlan 20, 40
spanning-tree mst 2 priority 4096
// Instance priority: lower is preferred, default 32768.
// sw2 is root for instance 2 (VLAN 20,40), mirroring its VRRP preference above.
## G0/7-8 configured as an aggregate port, LACP dynamic (active) mode
int aggregatePort 1
switchport mode trunk
switchport trunk allowed vlan all
exit
int range gi0/7 -8
// NOTE(review): same spaced range form as on sw1 ('gi0/7 -8'); confirm the platform accepts it.
port-group 1 mode active
// NOTE(review): unlike sw1, no g0/0-1 trunk configuration is listed for sw2 — confirm the
// downlinks toward sw3 are trunked, otherwise VLAN 10-40 traffic has no second path.
##ospf
route ospf 1
// Wildcard 0.0.0.255 enables OSPF on the whole /24 of each listed address.
network 192.168.104.1 0.0.0.255 area 0
network 192.168.102.1 0.0.0.255 area 0
network 192.168.10.253 0.0.0.255 area 0
network 192.168.20.253 0.0.0.255 area 0
network 192.168.30.253 0.0.0.255 area 0
network 192.168.40.253 0.0.0.255 area 0
// NOTE(review): as on sw1, no passive-interface on the SVIs and no OSPF authentication is listed.
## DHCP relay
service dhcp
// NOTE(review): ip helper-address is normally an interface-level command — confirm it is applied
// under each interface VLAN 10-40 rather than globally as listed.
ip helper-address 192.168.203.2
sw3
// Access-layer switch: layer 2 only, no SVIs or routing listed.
vlan range 10,20,30,40
#mstp
!
spanning-tree
spanning-tree mode mstp
!
spanning-tree mst configuration
// Same instance-to-VLAN mapping as sw1/sw2 so all three share one MST region.
instance 1 vlan 10, 30
instance 2 vlan 20, 40
// No priority set: sw3 keeps the default (32768 per the note on sw1) and never becomes root.
## interface configuration
int range g0/0-1
switchport mode trunk
switchport trunk allowed vlan all
// NOTE(review): only the two uplink trunks are listed; access ports for hosts in VLAN 10-40
// are not shown here.
3层配置
#数据规划
!
R1-SW1:
192.168.101.100 - 192.168.101.1
R1-SW2:
192.168.102.100 - 192.168.102.1
R2-SW1:
192.168.103.100 - 192.168.103.1
R2-SW2:
192.168.104.100 - 192.168.104.1
!
R1-R2
192.168.201.1 - 192.168.201.2
!
R1-DHCP
192.168.203.1 - 192.168.203.2
!
R1-FW1
192.168.204.1 - 192.168.204.2
R1
##ospf
route ospf 1
// One network statement per attached link (see the address plan above): R1-R2, R1-DHCP,
// R1-FW1, R1-SW1 and R1-SW2, all in area 0. Wildcard 0.0.0.255 covers each /24.
network 192.168.201.1 0.0.0.255 area 0
network 192.168.203.1 0.0.0.255 area 0
network 192.168.204.1 0.0.0.255 area 0
network 192.168.101.100 0.0.0.255 area 0
network 192.168.102.100 0.0.0.255 area 0
// NOTE(review): no OSPF authentication is listed on any router in this file — confirm that is acceptable for area 0.
R2
##ospf
route ospf 1
// Attached links per the address plan: R1-R2, R2-SW2 and R2-SW1, all in area 0.
// R2 has no link to DHCP or FW1; it reaches them through R1 or the switches.
network 192.168.201.2 0.0.0.255 area 0
network 192.168.104.100 0.0.0.255 area 0
network 192.168.103.100 0.0.0.255 area 0
DHCP
##ospf
route ospf 1
// Advertises only its own link to R1 (192.168.203.0/24); routes back to the VLAN subnets
// are learned over OSPF, which the relay replies from sw1/sw2 depend on.
network 192.168.203.2 0.0.0.255 area 0
## IP pools
service dhcp
// One pool per user VLAN. default-router is the VRRP VIP (.254) configured on sw1/sw2,
// not a physical SVI address, so clients keep their gateway across a failover.
ip dhcp pool vlan10
network 192.168.10.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.10.254
ip dhcp pool vlan20
network 192.168.20.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.20.254
ip dhcp pool vlan30
network 192.168.30.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.30.254
ip dhcp pool vlan40
network 192.168.40.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.40.254
// NOTE(review): 8.8.8.8 is a public resolver; clients only reach it through FW1's NAT and
// default route — confirm an internal resolver is not intended instead.
// Excluded range .250-.254 covers the sw1 SVI (.252), sw2 SVI (.253) and VRRP VIP (.254) in each VLAN.
ip dhcp excluded-address 192.168.10.250 192.168.10.254
ip dhcp excluded-address 192.168.20.250 192.168.20.254
ip dhcp excluded-address 192.168.30.250 192.168.30.254
ip dhcp excluded-address 192.168.40.250 192.168.40.254
FW1
##ospf
// Firewall syntax (process/area/network form). Wildcard 0.0.0.0 enables OSPF on exactly the listed interface address.
ospf 1
area 0.0.0.0
network 192.168.204.254 0.0.0.0
// NOTE(review): this also runs OSPF on, and advertises, the outside subnet 202.15.15.0/24 into area 0;
// confirm that is intended rather than originating only a default route from the firewall.
network 202.15.15.1 0.0.0.0
// Default route toward the IPS (202.15.15.254, its G0/8 address).
ip route-static 0.0.0.0 0 202.15.15.254
// Inside link to R1. NOTE(review): the address plan lists this end as 192.168.204.2, the
// config uses .254 — same /24 so adjacency with R1 still forms, but reconcile the plan.
interface GigabitEthernet2/0
port link-mode route
ip address 192.168.204.254 255.255.255.0
// Outside link toward the IPS.
interface GigabitEthernet8/0
port link-mode route
ip address 202.15.15.1 255.255.255.0
// NOTE(review): nat outbound is listed with no ACL or address group — confirm which sources are translated; the listing implies all.
nat outbound
// Zones: Trust = inside (G2/0), Untrust = outside (G8/0), Management = G1/0 (no interface config for G1/0 appears in this file).
security-zone name Trust
import interface GigabitEthernet2/0
security-zone name Untrust
import interface GigabitEthernet8/0
security-zone name Management
import interface GigabitEthernet1/0
// The zone-pair policies that follow all apply object-policy "pass" (rule 0 pass with no match
// conditions) for Trust->Untrust, Trust->Local and Local->Trust, i.e. everything is permitted on
// those pairs. No Untrust->Trust pair is defined; confirm inbound traffic is denied by default on this
// platform, and consider narrowing Trust->Local to the management services the firewall must serve.
配置安全策略将 Trust 到 Untrust 域内网数据放通
#创建对象策略 pass。
object-policy ip pass
rule 0 pass
#创建 Trust 到 Untrust 域的域间策略调用 pass 策略
zone-pair security source Trust destination Untrust
object-policy apply ip pass
#创建 Trust 到 Local 域的域间策略调用 pass 策略
zone-pair security source Trust destination Local
object-policy apply ip pass
#创建 Local 到 Trust 域的域间策略调用 pass 策略
zone-pair security source Local destination Trust
object-policy apply ip pass
IPS
## interfaces
// Routed port facing FW1's outside interface; 202.15.15.254 is the next hop of FW1's default route.
interface GigabitEthernet 0/8
no switchport
ip address 202.15.15.254 255.255.255.0
!
// NOTE(review): loopback given a /24 mask; a host mask is the usual choice for a loopback — confirm.
// No routing configuration for the IPS is listed here, so return routes to the inside networks
// (or a further default) are not shown.
interface Loopback 0
ip address 1.1.1.1 255.255.255.0