Configure SSH on each device
SW:
[Huawei]sysname SW
[SW]undo info enable
[SW]stelnet server enable
[SW]rsa local-key-pair create
[SW]user-interface vty 0 4
[SW-ui-vty0-4]authentication-mode aaa
[SW-ui-vty0-4]protocol inbound ssh
[SW]aaa
[SW-aaa]local-user admin password cipher admin@123
[SW-aaa]local-user admin privilege level 15
[SW-aaa]local-user admin service-type ssh
Router:
[Huawei]sysna Router
[Router]undo inf enable
[Router]stelnet server enable
[Router]rsa local-key-pair create
[Router]user-interface vty 0 4
[Router-ui-vty0-4]authentication-mode aaa
[Router-ui-vty0-4]protocol inbound ssh
[Router-ui-vty0-4]qu
[Router]aaa
[Router-aaa]local-user admin password cipher admin@123
[Router-aaa]local-user admin privilege level 15
[Router-aaa]local-user admin service-type ssh
SwitchA:
[Huawei]sysname SwitchA
[SwitchA]undo info enable
[SwitchA]stelnet server enable
[SwitchA]rsa local-key-pair create
[SwitchA]user-interface vty 0 4
[SwitchA-ui-vty0-4]authentication-mode aaa
[SwitchA-ui-vty0-4]protocol inbound ssh
[SwitchA-ui-vty0-4]qu
[SwitchA]aaa
[SwitchA-aaa]local-user admin password cipher admin@123
[SwitchA-aaa]local-user admin privilege level 15
[SwitchA-aaa]local-user admin service-type ssh
SwitchB:
[Huawei]sysname SwitchB
[SwitchB]undo info enable
[SwitchB]stelnet server enable
[SwitchB]rsa local-key-pair create
[SwitchB]user-interface vty 0 4
[SwitchB-ui-vty0-4]authentication-mode aaa
[SwitchB-ui-vty0-4]protocol inbound ssh
[SwitchB-ui-vty0-4]qu
[SwitchB]aaa
[SwitchB-aaa]local-user admin password cipher admin@123
[SwitchB-aaa]local-user admin privilege level 15
[SwitchB-aaa]local-user admin service-type ssh
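A way to review the remote-management lines above across all four devices, as an added example (not part of the original page). It reads a transcript in the same prompt-prefixed form and reports, per device, whether the VTY lines are limited to SSH with AAA, whether a VTY ACL restricts source addresses, and whether a local-user password uses the reversible `cipher` keyword. The device LabSW, the `<password>` placeholder and the assumption that hostnames contain no hyphen are constructed for the example.

```python
import re

PROMPT = re.compile(r"^\[([^\]-]+)(?:-([^\]]+))?\](.*)$")

# Constructed transcript in the page's prompt format; LabSW is hypothetical.
SAMPLE = """\
[SW]stelnet server enable
[SW]user-interface vty 0 4
[SW-ui-vty0-4]authentication-mode aaa
[SW-ui-vty0-4]protocol inbound ssh
[SW]aaa
[SW-aaa]local-user admin password cipher <password>
[LabSW]user-interface vty 0 4
[LabSW-ui-vty0-4]authentication-mode aaa
[LabSW-ui-vty0-4]protocol inbound all
[LabSW-ui-vty0-4]acl 2000 inbound
"""

def audit(transcript):
    """Return {device: [finding, ...]} for the remote-management settings."""
    devices = {}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        view, cmd = m[2] or "", m[3].strip()
        s = devices.setdefault(m[1], {"vty": [], "users": [], "stelnet": False})
        if view.startswith("ui-vty"):
            s["vty"].append(cmd)          # commands typed in the VTY view
        elif view == "aaa" and cmd.startswith("local-user "):
            s["users"].append(cmd)        # local account definitions
        elif cmd == "stelnet server enable":
            s["stelnet"] = True
    report = {}
    for dev, s in devices.items():
        found = []
        if not s["stelnet"]:
            found.append("stelnet server not enabled")
        if "authentication-mode aaa" not in s["vty"]:
            found.append("VTY does not use AAA authentication")
        if "protocol inbound ssh" not in s["vty"]:
            found.append("VTY not restricted to SSH")
        if not any(re.fullmatch(r"acl \d+ inbound", c) for c in s["vty"]):
            found.append("no ACL limits VTY source addresses")
        if any(" password cipher " in c for c in s["users"]):
            found.append("local-user password stored with reversible 'cipher'")
        report[dev] = found
    return report
```

For the configuration on this page, a VTY ACL would normally permit only the management VLAN 10.10.1.0/24 defined in the next step.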
1. VLAN 5: management VLAN, 10.10.1.0/24
[SW]vlan 5
[SW-vlan5]quit
[SW]int vlan 5
[SW-Vlanif5]ip add 10.10.1.200 255.255.255.0
[SwitchA]VLAN 5
[SwitchA-vlan5]description mgmt
[SwitchA-vlan5]quit
[SwitchA]int vlan 5
[SwitchA-Vlanif5]ip address 10.10.1.1 255.255.255.0
[SwitchB]vlan 5
[SwitchB-vlan5]desc mgmt
[SwitchB-vlan5]qu
[SwitchB]int vlan 5
[SwitchB-Vlanif5]ip add 10.10.1.2 255.255.255.0
2. Eth-Trunk configuration, static LACP
[SW]int Eth-Trunk 1
[SW-Eth-Trunk1]port link-type trunk
[SW-Eth-Trunk1]port trunk allow-pass vlan 5 10
[SW-Eth-Trunk1]mode lacp-static
[SW-Eth-Trunk1]trunkport GigabitEthernet 0/0/23 to 0/0/24
[SW-Eth-Trunk1]qu
[SW]int Eth-Trunk 2
[SW-Eth-Trunk2]port link-type trunk
[SW-Eth-Trunk2]port trunk allow-pass vlan 5 20
[SW-Eth-Trunk2]mode lacp-static
[SW-Eth-Trunk2]trunkport GigabitEthernet 0/0/21 to 0/0/22
[SwitchA]int Eth-Trunk 1
[SwitchA-Eth-Trunk1]port link-type trunk
[SwitchA-Eth-Trunk1]port trunk allow-pass vlan 5 10
[SwitchA-Eth-Trunk1]mode lacp-static
[SwitchA-Eth-Trunk1]trunkport GigabitEthernet 0/0/23 to 0/0/24
[SwitchB]int Eth-Trunk 2
[SwitchB-Eth-Trunk2]port link-type trunk
[SwitchB-Eth-Trunk2]port trunk allow-pass vlan 5 20
[SwitchB-Eth-Trunk2]mode lacp-static
[SwitchB-Eth-Trunk2]trunkport GigabitEthernet 0/0/21 to 0/0/22
[SW]disp eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768 System ID: 4c1f-ccdd-0290
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/23 Selected 1GE 32768 24 305 10111100 1
GigabitEthernet0/0/24 Selected 1GE 32768 25 305 10111100 1
Partner:
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/23 32768 4c1f-cce6-3048 32768 24 305 10111100
GigabitEthernet0/0/24 32768 4c1f-cce6-3048 32768 25 305 10111100
[SW]disp eth-trunk 2
Eth-Trunk2's state information is:
Local:
LAG ID: 2 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768 System ID: 4c1f-ccdd-0290
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/21 Selected 1GE 32768 22 561 10111100 1
GigabitEthernet0/0/22 Selected 1GE 32768 23 561 10111100 1
Partner:
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/21 32768 4c1f-cc34-2395 32768 22 561 10111100
GigabitEthernet0/0/22 32768 4c1f-cc34-2395 32768 23 561 10111100
3. VLAN 10: Department A, 10.10.10.0/24
[SwitchA]vlan 10
[SwitchA-vlan10]qui
[SwitchA]int gi0/0/1
[SwitchA-GigabitEthernet0/0/1]port link acc
[SwitchA-GigabitEthernet0/0/1]port def vlan 20
Error: The VLAN does not exist.
[SwitchA-GigabitEthernet0/0/1]port def vlan 10
[SwitchA-GigabitEthernet0/0/1]int g0/0/2
[SwitchA-GigabitEthernet0/0/2]port link acc
[SwitchA-GigabitEthernet0/0/2]port def vlan 10
[SwitchA-GigabitEthernet0/0/2]int g0/0/22
[SwitchA-GigabitEthernet0/0/22]port link acc
[SwitchA-GigabitEthernet0/0/22]port def vlan 10
4. VLAN 20: Department B, 10.10.20.0/24
[SwitchB]vlan 20
[SwitchB-vlan20]quit
[SwitchB]int GigabitEthernet 0/0/3
[SwitchB-GigabitEthernet0/0/3]port link acc
[SwitchB-GigabitEthernet0/0/3]port def vlan 20
[SwitchB-GigabitEthernet0/0/3]int gi0/0/4
[SwitchB-GigabitEthernet0/0/4]port link acc
[SwitchB-GigabitEthernet0/0/4]port def vlan 20
[SwitchB-GigabitEthernet0/0/4]int gi0/0/24
[SwitchB-GigabitEthernet0/0/24]port link acc
[SwitchB-GigabitEthernet0/0/24]port def vlan 20
5. Configure DHCP on the core switch, using global address pools
[SW]dhcp enable
[SW]ip pool pool1
[SW-ip-pool-pool1]network 10.10.10.0 mask 24
[SW-ip-pool-pool1]gateway-list 10.10.10.1
[SW-ip-pool-pool1]lease day 8
[SW-ip-pool-pool1]qu
[SW]vlan batch 20
[SW]vlan 10
[SW-vlan10]qui
[SW]int vlan 10
[SW-Vlanif10]dhcp select global
[SW-Vlanif10]qu
[SW]ip pool pool2
[SW-ip-pool-pool2]network 10.10.20.0 mask 24
[SW-ip-pool-pool2]gateway-list 10.10.20.1
[SW-ip-pool-pool2]lease day 8
[SW-ip-pool-pool2]q
[SW]int vlan 20
[SW-Vlanif20]dhcp select global
[SW]int vlan 10
[SW-Vlanif10]ip add 10.10.10.1 24
[SW-Vlanif10]undo shut
Info: Interface Vlanif10 is not shutdown.
[SW-Vlanif10]int vlan 20
[SW-Vlanif20]ip add 10.10.20.1 24
[SW-Vlanif20]undo shut
Info: Interface Vlanif20 is not shutdown.
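Hosts in VLAN 10 and VLAN 20 can now obtain addresses automatically.
6. Configure routing on the core switch: VLAN 100 holds the addresses that connect the core switch to the egress router and is used for communication between the campus internal network and the egress router. The core switch needs a default route whose next hop points to the egress router.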
[SW]vlan 100
[SW-vlan100]qu
[SW]int gi0/0/1
[SW-GigabitEthernet0/0/1]port link access
[SW-GigabitEthernet0/0/1]port def vlan 100
[SW-GigabitEthernet0/0/1]qu
[SW]int vlan 100
[SW-Vlanif100]ip add 10.10.100.2 255.255.255.252
[Router]int gi0/0/1
[Router-GigabitEthernet0/0/1]ip add 10.10.100.1 30
[Router-GigabitEthernet0/0/1]qu
[Router]ping 10.10.100.2
PING 10.10.100.2: 56 data bytes, press CTRL_C to break
Reply from 10.10.100.2: bytes=56 Sequence=1 ttl=255 time=70 ms
Reply from 10.10.100.2: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 10.10.100.2: bytes=56 Sequence=3 ttl=255 time=20 ms
Reply from 10.10.100.2: bytes=56 Sequence=4 ttl=255 time=10 ms
Reply from 10.10.100.2: bytes=56 Sequence=5 ttl=255 time=30 ms
Configure the default route:
[SW]ip route-static 0.0.0.0 0.0.0.0 10.10.100.1
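7. Configure the IP address of the egress router interface that connects to the carrier device. The egress router needs a default route pointing to the carrier device's address to forward internal traffic to the Internet, plus return routes to Department A and Department B.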
[Router]int gi0/0/0
[Router-GigabitEthernet0/0/0]ip add 1.1.1.2 30
[Router]ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
[Router]ip route-static 10.10.10.0 24 10.10.100.2
[Router]ip route-static 10.10.20.0 24 10.10.100.2
8. Configure NAT so that users can access the Internet
[Router]acl number 2001
[Router-acl-basic-2001]rule 5 permit source 10.10.10.0 0.0.0.255
[Router-acl-basic-2001]rule 10 permit source 10.10.20.0 0.0.0.255
[Router-acl-basic-2001]rule deny source any
[Router-acl-basic-2001]qui
[Router]int g0/0/0
[Router-GigabitEthernet0/0/0]nat outbound 2001
Test: internal hosts can reach the external network.
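Step 8 only translates traffic when `nat outbound` is bound to the interface whose subnet holds the default-route next hop from step 7 (1.1.1.1), and every source the ACL permits needs a return route on the router. The following added example (not part of the original page) checks both from a transcript in the page's prompt format; the sample transcripts are constructed, and the return route for 10.10.20.0/24 is deliberately left out of them.

```python
import ipaddress
import re

PROMPT = re.compile(r"^\[(\w+)(?:-([^\]]+))?\](.*)$")

# Constructed transcript in the page's prompt format; the return route for
# 10.10.20.0/24 is left out on purpose so the second check has something to find.
BASE = """\
[Router-GigabitEthernet0/0/1]ip add 10.10.100.1 30
[Router-GigabitEthernet0/0/0]ip add 1.1.1.2 30
[Router]ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
[Router]ip route-static 10.10.10.0 24 10.10.100.2
[Router-acl-basic-2001]rule 5 permit source 10.10.10.0 0.0.0.255
[Router-acl-basic-2001]rule 10 permit source 10.10.20.0 0.0.0.255
[Router-acl-basic-2001]rule deny source any
"""
LAN_SIDE = BASE + "[Router-GigabitEthernet0/0/1]nat outbound 2001\n"
WAN_SIDE = BASE + "[Router-GigabitEthernet0/0/0]nat outbound 2001\n"

def check_nat(transcript):
    """Return findings on NAT placement and ACL/return-route coverage."""
    ifaces, nat_on, acl, routes, default_nh = {}, {}, {}, [], None
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        view, cmd = m[2] or "", m[3].strip()
        if r := re.fullmatch(r"ip add(?:ress)? (\S+) (\S+)", cmd):
            ifaces[view] = ipaddress.ip_interface(f"{r[1]}/{r[2]}")
        elif r := re.fullmatch(r"nat outbound (\d+)", cmd):
            nat_on[view] = r[1]
        elif r := re.fullmatch(r"rule(?: \d+)? permit source (\S+) (\S+)", cmd):
            # The ACL wildcard (0.0.0.255) is a host mask, which ipaddress accepts.
            acl.setdefault(view.rsplit("-", 1)[-1], []).append(
                ipaddress.ip_network(f"{r[1]}/{r[2]}"))
        elif r := re.fullmatch(r"ip route-static (\S+) (\S+) (\S+)", cmd):
            net = ipaddress.ip_network(f"{r[1]}/{r[2]}")
            if net.prefixlen == 0:
                default_nh = ipaddress.ip_address(r[3])
            else:
                routes.append(net)
    findings = []
    for ifname, num in nat_on.items():
        addr = ifaces.get(ifname)
        if default_nh is None or addr is None or default_nh not in addr.network:
            findings.append(f"nat outbound {num} on {ifname} does not face the default-route next hop")
        for src in acl.get(num, []):
            if not any(src.subnet_of(r) for r in routes):
                findings.append(f"ACL {num} source {src} has no return route")
    return findings
```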