1、实现
1、MSTP防环、设置边缘端口
2、两台CORE均充当DHCP服务器，每个VLAN的地址池由双核心各使用一半(1-127/128-254)，互相通过排除地址段避免重叠
3、开启DHCP Snooping并生成dhcp snooping绑定表，防止DHCP饿死攻击(参考DHCP Starvation)和内网用户仿冒DHCP服务器(只把上联口设为trusted，用于拦截来自接入口的仿冒服务器应答；饿死攻击的防护则依赖接入口上对客户端MAC/CHADDR的检查和绑定表项数上限)
4、ACC4使用IPSG技术,静态绑定http server 和ftp server的ip、mac、vlan、接口
5、双核心之间配置链路聚合、vrrp
6、出口路由AR1配置NAT地址转换、NAT server
7、总部和分部之间建立GRE VPN(GRE本身不提供加密与完整性保护，实际部署请结合IPsec)
2、拓扑图
3、命令(可刷)
ACC1
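# ACC1 - access switch for the VLAN 10/20 hosts; g0/0/3-4 are the uplinks to the cores.
# Lines starting with '#' are comments: the VRP CLI ignores them, so the block still pastes as is.
sys
sys ACC1
vlan batch 10 20
dhcp enable
dhcp snooping enable
# Host ports: snooping on, port left untrusted, so DHCP OFFER/ACK coming from a host
# (rogue server) are dropped. The two extra checks are what actually counters starvation:
# a request whose CHADDR differs from the frame source MAC is dropped, and the number of
# bindings learned on the port is capped (10 is a sample value - size it per port).
int g0/0/1
p l a
p d v 10
dhcp snooping enable
dhcp snooping check dhcp-chaddr enable
dhcp snooping max-user-number 10
q
int g0/0/2
p l a
p d v 20
dhcp snooping enable
dhcp snooping check dhcp-chaddr enable
dhcp snooping max-user-number 10
q
# Uplinks to CORE1/CORE2: the only ports allowed to deliver server-side DHCP messages.
int g0/0/3
p l t
p t a v 10 20
dhcp snooping trusted
q
int g0/0/4
p l t
p t a v 10 20
dhcp snooping trusted
q
# MSTP: one region shared by every switch; the instance->VLAN map must be identical everywhere.
stp enable
stp mode mstp
stp region-configuration
region-name huawei
instance 1 vlan 10 20
instance 2 vlan 30
instance 3 vlan 40
instance 4 vlan 50
active region-configuration
q
# Edge ports go straight to forwarding. With bpdu-protection an edge port that receives a
# BPDU (a switch plugged into a host port) is shut down instead of re-converging the tree.
stp bpdu-protection
int g0/0/1
stp edged-port enable
q
int g0/0/2
stp edged-port enable
q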
ACC2
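# ACC2 - access switch for the VLAN 30 hosts; g0/0/2-3 are the uplinks to the cores.
sys
sys ACC2
dhcp enable
dhcp snooping enable
vlan 30
q
# Host port: snooping on and untrusted (drops server replies from hosts); CHADDR check and
# a per-port binding cap are the starvation mitigation (10 is a sample value).
int g0/0/1
p l a
p d v 30
dhcp snooping enable
dhcp snooping check dhcp-chaddr enable
dhcp snooping max-user-number 10
q
# Uplinks: only trusted ports may deliver DHCP OFFER/ACK.
int g0/0/2
p l t
p t a v 30
dhcp snooping trusted
q
int g0/0/3
p l t
p t a v 30
dhcp snooping trusted
q
# MSTP region; instance->VLAN map identical on every switch.
stp enable
stp mode mstp
stp region-configuration
region-name huawei
instance 1 vlan 10 20
instance 2 vlan 30
instance 3 vlan 40
instance 4 vlan 50
active region-configuration
q
# Edge port plus bpdu-protection: a BPDU seen on the host port shuts it down.
stp bpdu-protection
int g0/0/1
stp edged-port enable
q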
ACC3
sys
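# ACC3 - access switch for the VLAN 40 hosts; g0/0/2-3 are the uplinks to the cores.
sys
sys ACC3
dhcp enable
dhcp snooping enable
vlan 40
q
# Host port: snooping on and untrusted (drops server replies from hosts); CHADDR check and
# a per-port binding cap are the starvation mitigation (10 is a sample value).
int g0/0/1
p l a
p d v 40
dhcp snooping enable
dhcp snooping check dhcp-chaddr enable
dhcp snooping max-user-number 10
q
# Uplinks: only trusted ports may deliver DHCP OFFER/ACK.
int g0/0/2
p l t
p t a v 40
dhcp snooping trusted
q
int g0/0/3
p l t
p t a v 40
dhcp snooping trusted
q
# MSTP region; instance->VLAN map identical on every switch.
stp enable
stp mode mstp
stp region-configuration
region-name huawei
instance 1 vlan 10 20
instance 2 vlan 30
instance 3 vlan 40
instance 4 vlan 50
active region-configuration
q
# Edge port plus bpdu-protection: a BPDU seen on the host port shuts it down.
stp bpdu-protection
int g0/0/1
stp edged-port enable
q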
ACC4
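# ACC4 - server access switch (VLAN 50). The HTTP/FTP servers have fixed addresses, so
# IPSG here is driven by static bindings instead of a DHCP snooping table.
sys
sys ACC4
vlan 50
q
# Server ports: with IPSG enabled only frames matching a binding (IP + MAC + VLAN + port)
# are forwarded; anything else from the port is dropped.
int g0/0/1
p l a
p d v 50
ip source check user-bind enable
q
int g0/0/2
p l a
p d v 50
ip source check user-bind enable
q
# Uplinks to the cores.
int g0/0/3
p l t
p t a v 50
q
int g0/0/4
p l t
p t a v 50
q
# MSTP region; instance->VLAN map identical on every switch.
stp enable
stp mode mstp
stp region-configuration
region-name huawei
instance 1 vlan 10 20
instance 2 vlan 30
instance 3 vlan 40
instance 4 vlan 50
active region-configuration
q
# Edge ports plus bpdu-protection: a BPDU on a server port shuts the port down.
stp bpdu-protection
int g0/0/1
stp edged-port enable
q
int g0/0/2
stp edged-port enable
q
# Static bindings the IPSG check above matches against. The MACs are the lab hosts'
# addresses; they must be updated if the servers are replaced.
user-bind static ip-address 192.168.50.4 mac-address 5489-9817-364A interface g0/0/1 vlan 50
user-bind static ip-address 192.168.50.5 mac-address 5489-983F-78B5 interface g0/0/2 vlan 50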
CORE1
# CORE1 - core switch 1. DHCP server for VLAN 10-40 (lower half of each range), VRRP master and
# MSTP root for VLAN 10/20/30, backup for VLAN 40/50. g0/0/5 is the link to AR1, g0/0/6-8 the LAG to CORE2.
sys
sys CORE1
dhcp enable
vlan batch 10 20 30 40 50 100
# Pools: .127-.254 are excluded so this core only hands out the range below CORE2's
# (.127 is this core's own VLANIF address, .254 is CORE2's). Lease is 8 hours.
ip pool vlan10
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.10.127 192.168.10.254
lease day 0 hour 8 minute 0
q
ip pool vlan20
gateway-list 192.168.20.1
network 192.168.20.0 mask 255.255.255.0
excluded-ip-address 192.168.20.127 192.168.20.254
lease day 0 hour 8 minute 0
q
ip pool vlan30
gateway-list 192.168.30.1
network 192.168.30.0 mask 255.255.255.0
excluded-ip-address 192.168.30.127 192.168.30.254
lease day 0 hour 8 minute 0
q
ip pool vlan40
gateway-list 192.168.40.1
network 192.168.40.0 mask 255.255.255.0
excluded-ip-address 192.168.40.127 192.168.40.254
lease day 0 hour 8 minute 0
q
# VLANIFs: "dhcp select global" serves clients on the VLAN from the global pool whose
# network contains the interface address. The gateway-list addresses are VRRP VIPs (below).
int vlan 10
ip address 192.168.10.127 255.255.255.0
dhcp select global
q
int vlan 20
ip address 192.168.20.127 255.255.255.0
dhcp select global
q
int vlan 30
ip address 192.168.30.127 255.255.255.0
dhcp select global
q
int vlan 40
ip address 192.168.40.127 255.255.255.0
dhcp select global
q
# VLAN 50 hosts the statically addressed servers, no DHCP here.
int vlan 50
ip address 192.168.50.2 255.255.255.0
q
# VLAN 100: point-to-point segment to AR1 (192.168.100.2).
int vlan 100
ip address 192.168.100.1 255.255.255.0
q
# Loopback doubles as the OSPF router-id.
interface loopback 0
ip address 2.2.2.2 32
q
# Downlinks to ACC1-ACC4, each carrying only its access VLANs.
int g0/0/1
p l t
p t a v 10 20
q
int g0/0/2
p l t
p t a v 30
q
int g0/0/3
p l t
p t a v 40
q
int g0/0/4
p l t
p t a v 50
q
# Router-facing access port: edge port so the AR1 link does not wait on STP.
int g0/0/5
stp edged-port enable
p l a
p d v 100
q
stp enable
stp mode mstp
stp region-configuration
region-name huawei
instance 1 vlan 10 20
instance 2 vlan 30
instance 3 vlan 40
instance 4 vlan 50
active region-configuration
q
# Root placement mirrors the VRRP priorities below, so the L2 root and the L3 gateway of a
# VLAN sit on the same core and traffic is not hair-pinned over the LAG.
stp instance 1 root primary
stp instance 2 root primary
stp instance 3 root secondary
stp instance 4 root secondary
# LAG to CORE2: three LACP members, two active and one standby (max active-linknumber 2).
int eth-trunk 1
mode lacp
trunkport g 0/0/6 to 0/0/8
p l t
p t a v all
max active-linknumber 2
q
# System LACP priority 100 (CORE2 keeps the default) makes CORE1 the actor that selects the
# active links; port priority 100 on g0/0/6-7 makes them the preferred active members.
lacp priority 100
int g0/0/6
lacp priority 100
q
int g0/0/7
lacp priority 100
q
# VRRP: master (120) for VLAN 10/20/30; losing the AR1 link drops the priority by 30 to 90,
# below CORE2's default 100, so the gateway role moves with the uplink.
int vlan 10
vrrp vrid 1 virtual-ip 192.168.10.1
vrrp vrid 1 priority 120
vrrp vrid 1 track interface g0/0/5 reduced 30
q
int vlan 20
vrrp vrid 2 virtual-ip 192.168.20.1
vrrp vrid 2 priority 120
vrrp vrid 2 track interface g0/0/5 reduced 30
q
int vlan 30
vrrp vrid 3 virtual-ip 192.168.30.1
vrrp vrid 3 priority 120
vrrp vrid 3 track interface g0/0/5 reduced 30
q
# Backup (default priority) for VLAN 40/50, where CORE2 is master.
int vlan 40
vrrp vrid 4 virtual-ip 192.168.40.1
q
int vlan 50
vrrp vrid 5 virtual-ip 192.168.50.1
q
# OSPF area 0 over every 192.168/16 interface, including the VLANIFs toward the access layer.
# NOTE(review): no OSPF authentication is configured; area authentication would be the
# usual hardening in a production build - not part of this lab.
ospf 1 router-id 2.2.2.2
a 0
network 192.168.0.0 0.0.255.255
network 2.2.2.2 0.0.0.0
q
q
CORE2
# CORE2 - core switch 2. DHCP server for VLAN 10-40 (upper half of each range), VRRP master and
# MSTP root for VLAN 40/50, backup for VLAN 10/20/30. g0/0/5 is the link to AR1, g0/0/6-8 the LAG to CORE1.
sys
sys CORE2
dhcp enable
vlan batch 10 20 30 40 50 200
# Pools: .1-.127 (CORE1's range plus its VLANIF) and .254 (this core's own VLANIF address)
# are excluded, leaving .128-.253 for clients. Lease is 8 hours.
ip pool vlan10
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
excluded-ip-address 192.168.10.1 192.168.10.127
excluded-ip-address 192.168.10.254
lease day 0 hour 8 minute 0
q
ip pool vlan20
gateway-list 192.168.20.1
network 192.168.20.0 mask 255.255.255.0
excluded-ip-address 192.168.20.1 192.168.20.127
excluded-ip-address 192.168.20.254
lease day 0 hour 8 minute 0
q
ip pool vlan30
gateway-list 192.168.30.1
network 192.168.30.0 mask 255.255.255.0
excluded-ip-address 192.168.30.1 192.168.30.127
excluded-ip-address 192.168.30.254
lease day 0 hour 8 minute 0
q
ip pool vlan40
gateway-list 192.168.40.1
network 192.168.40.0 mask 255.255.255.0
excluded-ip-address 192.168.40.1 192.168.40.127
excluded-ip-address 192.168.40.254
lease day 0 hour 8 minute 0
q
# VLANIFs served from the global pools; gateway-list addresses are the VRRP VIPs below.
int vlan 10
ip address 192.168.10.254 255.255.255.0
dhcp select global
q
int vlan 20
ip address 192.168.20.254 255.255.255.0
dhcp select global
q
int vlan 30
ip address 192.168.30.254 255.255.255.0
dhcp select global
q
int vlan 40
ip address 192.168.40.254 255.255.255.0
dhcp select global
q
# VLAN 50: statically addressed servers, no DHCP.
int vlan 50
ip address 192.168.50.3 255.255.255.0
q
# VLAN 200: point-to-point segment to AR1 (192.168.200.2).
int vlan 200
ip address 192.168.200.1 255.255.255.0
q
# Loopback doubles as the OSPF router-id.
interface loopback 0
ip address 3.3.3.3 32
q
# Downlinks to ACC1-ACC4.
int g0/0/1
p l t
p t a v 10 20
q
int g0/0/2
p l t
p t a v 30
q
int g0/0/3
p l t
p t a v 40
q
int g0/0/4
p l t
p t a v 50
q
# Router-facing access port: edge port so the AR1 link does not wait on STP.
int g0/0/5
stp edged-port enable
p l a
p d v 200
q
stp enable
stp mode mstp
stp region-configuration
region-name huawei
instance 1 vlan 10 20
instance 2 vlan 30
instance 3 vlan 40
instance 4 vlan 50
active region-configuration
q
# Root placement is the mirror image of CORE1 and matches the VRRP master roles below.
stp instance 1 root secondary
stp instance 2 root secondary
stp instance 3 root primary
stp instance 4 root primary
# LAG to CORE1: three LACP members, two active and one standby.
int eth-trunk 1
mode lacp
trunkport g 0/0/6 to 0/0/8
p l t
p t a v all
max active-linknumber 2
q
# No system LACP priority here, so CORE1 (priority 100) is the selecting actor; the port
# priorities match CORE1's so both ends agree on g0/0/6-7 as the active members.
int g0/0/6
lacp priority 100
q
int g0/0/7
lacp priority 100
q
# VRRP backup (default priority) for VLAN 10/20/30.
int vlan 10
vrrp vrid 1 virtual-ip 192.168.10.1
q
int vlan 20
vrrp vrid 2 virtual-ip 192.168.20.1
q
int vlan 30
vrrp vrid 3 virtual-ip 192.168.30.1
q
# Master (120) for VLAN 40/50; if the AR1 link goes down the priority drops by 30 to 90,
# below CORE1's default 100, and CORE1 takes over the gateway.
int vlan 40
vrrp vrid 4 virtual-ip 192.168.40.1
vrrp vrid 4 priority 120
vrrp vrid 4 track interface g0/0/5 reduced 30
q
int vlan 50
vrrp vrid 5 virtual-ip 192.168.50.1
vrrp vrid 5 priority 120
vrrp vrid 5 track interface g0/0/5 reduced 30
q
# OSPF area 0 over every 192.168/16 interface.
# NOTE(review): unauthenticated OSPF, same as CORE1; harden alike if this leaves the lab.
ospf 1 router-id 3.3.3.3
a 0
network 192.168.0.0 0.0.255.255
network 3.3.3.3 0.0.0.0
q
q
AR1
# AR1 - HQ edge router: source NAT toward the ISP, static port mappings for the two servers,
# GRE tunnel to the branch router AR3, OSPF with the two cores.
sys
sys AR1
# ACL 2000 selects the inside sources that are translated; everything else is not matched.
acl 2000
rule permit source 192.168.0.0 0.0.255.255
q
# Links to the cores (VLAN 100 on CORE1, VLAN 200 on CORE2).
int g0/0/0
ip address 192.168.100.2 24
q
int g0/0/1
ip address 192.168.200.2 24
q
# ISP-facing interface. "nat outbound 2000" with no address group translates matching
# sources to this interface's address (Easy IP).
int g0/0/2
ip address 12.0.0.1 24
nat outbound 2000
# Static mappings on 12.0.0.3 (a second public address, not the interface IP):
# 12.0.0.3:8080 -> HTTP server 192.168.50.4:80, 12.0.0.3:2121 -> FTP server 192.168.50.5:21.
# Only these two inside services are reachable through the translation.
# NOTE(review): nothing filters what arrives on g0/0/2, so AR1's own address 12.0.0.1 and
# any service it runs are reachable from the ISP side; an inbound filter is the usual hardening.
nat server protocol tcp global 12.0.0.3 8080 inside 192.168.50.4 80
nat server protocol tcp global 12.0.0.3 2121 inside 192.168.50.5 21
q
# The FTP ALG fixes up the addresses/ports carried inside the FTP control channel, which
# is needed because the FTP mapping uses a non-standard external port.
nat alg ftp enable
# Loopback doubles as the OSPF router-id.
interface loopback 0
ip address 1.1.1.1 32
q
# GRE to AR3. Plain GRE: no confidentiality or integrity for the tunnelled traffic;
# keepalive takes the tunnel down when the peer stops answering.
int Tunnel0/0/0
ip ad 172.16.1.1 24
tunnel-protocol gre
source g0/0/2
destination 23.0.0.3
keepalive
q
# Branch LAN via the tunnel; default route to the ISP (AR2).
ip route-static 10.1.1.0 24 Tunnel0/0/0
ip route-static 0.0.0.0 0 12.0.0.2
# OSPF with the cores only (12.0.0.0 is not in a network statement). default-route-advertise
# injects the static default above so the cores learn their way out.
ospf 1 router-id 1.1.1.1
default-route-advertise
a 0
network 192.168.0.0 0.0.255.255
network 1.1.1.1 0.0.0.0
q
q
AR2
# AR2 - stands in for the ISP between HQ (AR1, 12.0.0.0/24) and the branch (AR3, 23.0.0.0/24).
sys
sys AR2
int g0/0/0
ip ad 12.0.0.2 24
q
int g0/0/1
ip ad 23.0.0.2 24
q
# Third segment, not used by the other devices in this lab.
int g0/0/2
ip ad 22.0.0.2 24
q
int loopback 0
ip ad 4.4.4.4 32
q
# OSPF on the transit links. AR1 does not run OSPF on 12.0.0.0 and AR3 runs no OSPF at all,
# so no adjacency forms here; AR1/AR3 reach each other through AR2's connected routes.
ospf 1 router-id 4.4.4.4
a 0
network 12.0.0.0 0.0.0.255
network 23.0.0.0 0.0.0.255
network 22.0.0.0 0.0.0.255
q
q
AR3
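# AR3 - branch edge router: source NAT for the branch LAN and the GRE tunnel back to HQ.
sys
sys AR3
# ACL 2000: branch LAN sources to translate. The "q" returns to system view before the
# interface is entered, matching the other device blocks (they all leave the ACL view first).
acl 2000
rule permit source 10.1.1.0 0.0.0.255
q
# ISP-facing interface; Easy IP NAT for sources matching ACL 2000. HQ-bound traffic is routed
# into Tunnel0/0/0 first and leaves here GRE-encapsulated with source 23.0.0.3, which the ACL
# does not match, so tunnelled traffic is not translated.
int g0/0/0
ip ad 23.0.0.3 24
nat outbound 2000
q
# Branch LAN.
int g0/0/1
ip ad 10.1.1.3 24
q
int loopback 0
ip ad 5.5.5.5 32
q
# GRE to AR1; plain GRE, no encryption or integrity. Source/destination mirror AR1's tunnel.
int Tunnel0/0/0
ip ad 172.16.1.2 24
tunnel-protocol gre
source g0/0/0
destination 12.0.0.1
keepalive
q
# 172.16.1.0/24 is already reachable as the tunnel's connected network; the static is harmless.
# HQ's 192.168/16 goes through the tunnel, everything else to the ISP (AR2).
ip route-static 172.16.1.0 24 Tunnel0/0/0
ip route-static 192.168.0.0 16 Tunnel0/0/0
ip route-static 0.0.0.0 0 23.0.0.2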