Campus Network: A Complete Real-World Configuration Example

[Network topology diagram]

Requirements:
1. Only the administration department PC may Telnet-manage devices anywhere on the network
2. All DHCP service runs on the core switch
3. Wi-Fi users may only reach the Internet, not other hosts on the LAN
4. All switches run RSTP, every access switch enables BPDU protection, and core switch lsw1 is the root bridge
5. Only VLANs 10-40 may access the Internet
6. All access switches enable DHCP snooping
7. All switches use the core switch as their NTP server; the core in turn uses an external NTP server
8. AC + AP in a Layer 2 deployment
9. Console login on every switch and router requires a username and password
10. The management VLAN is 999 on all devices, with its gateway on the core
11. Internet access via NAT; the WAN link is a PPPoE dial-up

R1 configuration:

dis current-configuration
[V200R003C00]

sysname isp

clock timezone China-Standard-Time minus 08:00:00
dhcp enable

ip pool pppoe
gateway-list 60.0.0.1
network 60.0.0.0 mask 255.255.255.0
dns-list 8.8.8.8

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher [cipher text garbled in extraction]
local-user admin service-type ppp

firewall zone Local
priority 15

interface Virtual-Template0
ppp authentication-mode chap
remote address pool pppoe
ip address 60.0.0.1 255.255.255.0

interface GigabitEthernet0/0/0
ip address 8.8.8.1 255.255.255.0

interface GigabitEthernet0/0/1
pppoe-server bind Virtual-Template 0

user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20

wlan ac

return

R2 configuration:

<out_router>dis current-configuration
[V200R003C00]

sysname out_router

clock timezone China-Standard-Time minus 08:00:00

portal local-server load flash:/portalpage.zip

drop illegal-mac alarm

ntp-service unicast-server 192.168.99.1

wlan ac-global carrier id other ac id 0

set cpu-usage threshold 80 restore 75

acl number 2000
rule 5 permit source 192.168.10.100 0
rule 10 deny
acl number 2001
rule 5 permit source 192.168.0.0 0.0.63.255

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher [cipher text garbled in extraction]
local-user admin privilege level 15
local-user admin service-type telnet terminal

firewall zone Local
priority 15

interface Dialer0
link-protocol ppp
ppp chap user admin
ppp chap password cipher [cipher text garbled in extraction]
ip address ppp-negotiate
dialer user admin
dialer bundle 1
nat outbound 2001

interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1

interface GigabitEthernet0/0/1
ip address 10.0.0.1 255.255.255.0

interface GigabitEthernet0/0/2

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 Dialer0
ip route-static 192.168.0.0 255.255.192.0 10.0.0.2

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
user-interface vty 16 20

wlan ac

return

lsw1 (core) configuration:

dis current-configuration

sysname core

vlan batch 10 20 30 40 50 100 999

cluster enable
ntdp enable
ndp enable

undo nap slave enable

drop illegal-mac alarm

stp mode rstp
stp root primary
dhcp enable

diffserv domain default

acl number 2000
rule 5 permit source 192.168.10.100 0
rule 10 deny

acl number 3000
rule 1 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.99.0 0.0.0.255
rule 5 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.0.0 0.0.31.255
rule 10 permit ip

drop-profile default

ip pool vlan20

ip pool vlan40
gateway-list 192.168.40.1
network 192.168.40.0 mask 255.255.255.0
dns-list 8.8.8.8

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
local-user admin privilege level 15
local-user admin service-type telnet terminal

ntp-service unicast-server 8.8.8.8
ntp-service refclock-master 2

interface Vlanif1

interface Vlanif10
description xzb
ip address 192.168.10.1 255.255.255.0
dhcp select interface
dhcp server static-bind ip-address 192.168.10.100 mac-address 5489-981f-2e0e
dhcp server dns-list 8.8.8.8

interface Vlanif20
description scb
ip address 192.168.20.1 255.255.255.0
dhcp select interface
dhcp server dns-list 8.8.8.8

interface Vlanif30
description yfb
ip address 192.168.30.1 255.255.255.0
dhcp select interface
dhcp server static-bind ip-address 192.168.30.100 mac-address 5489-9832-7ea4
dhcp server dns-list 8.8.8.8

interface Vlanif40
description wifi_yw
ip address 192.168.40.1 255.255.255.0
dhcp select global

interface Vlanif50
description ap_manage
ip address 192.168.50.1 255.255.255.0
dhcp server excluded-ip-address 192.168.50.2
dhcp select interface

interface Vlanif100
description to_router
ip address 10.0.0.2 255.255.255.0

interface Vlanif999
description manage_all
ip address 192.168.99.1 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 999
mode lacp-static

interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 20 999
mode lacp-static

interface Eth-Trunk3
port link-type trunk
port trunk allow-pass vlan 30 999

interface Eth-Trunk4
port link-type trunk
port trunk allow-pass vlan 40 50 999
traffic-filter inbound acl 3000
mode lacp-static

interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100

interface GigabitEthernet0/0/2
port link-type access
port default vlan 50

interface GigabitEthernet0/0/3
eth-trunk 1

interface GigabitEthernet0/0/4
eth-trunk 1

interface GigabitEthernet0/0/5
eth-trunk 2

interface GigabitEthernet0/0/6
eth-trunk 2

interface GigabitEthernet0/0/7
eth-trunk 3

interface GigabitEthernet0/0/8
eth-trunk 3

interface GigabitEthernet0/0/9
eth-trunk 4

interface GigabitEthernet0/0/10
eth-trunk 4

ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
ip route-static 192.168.0.0 255.255.192.0 NULL0 // summary blackhole route for the whole campus range

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa

lsw2 configuration:

<xzb_hj>dis current-configuration

sysname xzb_hj

vlan batch 10 999

stp bpdu-protection

cluster enable
ntdp enable
ndp enable

error-down auto-recovery cause bpdu-protection interval 60

undo nap slave enable

drop illegal-mac alarm

stp mode rstp
dhcp enable

dhcp snooping enable

diffserv domain default

acl number 2000
rule 5 permit source 192.168.10.100 0
rule 10 deny

drop-profile default

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
local-user admin privilege level 15
local-user admin service-type telnet terminal

ntp-service unicast-server 192.168.99.1

interface Vlanif1

interface Vlanif999
ip address 192.168.99.2 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 999
mode lacp-static
dhcp snooping trusted

interface GigabitEthernet0/0/1
eth-trunk 1

interface GigabitEthernet0/0/2
eth-trunk 1

interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
stp edged-port enable
dhcp snooping enable

ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa

lsw3 configuration:

<scb_hj>dis current-configuration

sysname scb_hj

vlan batch 20 999

stp bpdu-protection

cluster enable
ntdp enable
ndp enable

error-down auto-recovery cause bpdu-protection interval 60

undo nap slave enable

drop illegal-mac alarm

stp mode rstp
dhcp enable

dhcp snooping enable

diffserv domain default

acl number 2000
rule 5 permit source 192.168.10.100 0
rule 10 deny

drop-profile default

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
local-user admin privilege level 15
local-user admin service-type telnet terminal

ntp-service unicast-server 192.168.99.1

interface Vlanif1

interface Vlanif999
ip address 192.168.99.3 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 20 999
mode lacp-static
dhcp snooping trusted

interface GigabitEthernet0/0/1
eth-trunk 2

interface GigabitEthernet0/0/2
eth-trunk 2

interface GigabitEthernet0/0/3
port hybrid pvid vlan 20
port hybrid untagged vlan 20
stp edged-port enable
dhcp snooping enable

ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa


return

lsw4 configuration:

<yfb_hj>dis current-configuration

sysname yfb_hj

vlan batch 30 999

stp bpdu-protection

cluster enable
ntdp enable
ndp enable

error-down auto-recovery cause bpdu-protection interval 60

undo nap slave enable

drop illegal-mac alarm

stp mode rstp
dhcp enable

dhcp snooping enable

diffserv domain default

acl number 2000
rule 5 permit source 192.168.10.100 0
rule 10 deny

drop-profile default

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
local-user admin privilege level 15
local-user admin service-type telnet terminal

ntp-service unicast-server 192.168.99.1

interface Vlanif1

interface Vlanif999
ip address 192.168.99.4 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk3
port link-type trunk
port trunk allow-pass vlan 30 999
dhcp snooping trusted

interface GigabitEthernet0/0/1
eth-trunk 3

interface GigabitEthernet0/0/2
eth-trunk 3

interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
stp edged-port enable
dhcp snooping enable

interface GigabitEthernet0/0/4
port link-type access
port default vlan 30
stp edged-port enable
dhcp snooping enable

ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa

lsw5 configuration:

<jdzx_hj>dis current-configuration

sysname jdzx_hj

vlan batch 40 50 999

stp bpdu-protection

cluster enable
ntdp enable
ndp enable

error-down auto-recovery cause bpdu-protection interval 60

undo nap slave enable

drop illegal-mac alarm

stp mode rstp
dhcp enable

dhcp snooping enable

diffserv domain default

acl number 2000
rule 5 permit source 192.168.10.100 0
rule 10 deny

drop-profile default

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
local-user admin privilege level 15
local-user admin service-type telnet terminal

ntp-service unicast-server 192.168.99.1

interface Vlanif1

interface Vlanif999
ip address 192.168.99.5 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk4
port link-type trunk
port trunk allow-pass vlan 40 50 999
mode lacp-static
dhcp snooping trusted

interface GigabitEthernet0/0/1
eth-trunk 4

interface GigabitEthernet0/0/2
eth-trunk 4

interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 50
port trunk allow-pass vlan 40 50
stp edged-port enable
dhcp snooping enable

ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa

return

AC configuration:

dis current-configuration

set memory-usage threshold 0

ssl renegotiation-rate 1

vlan batch 50

authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile

diffserv domain default

radius-server template default

pki realm default
rsa local-key-pair default
enrollment self-signed

acl number 2000
rule 5 permit source 192.168.10.100 0
rule 10 deny

ike proposal default
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256

free-rule-template name default_free_rule

portal-access-profile name portal_access_profile

aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme radius
radius-server default
domain default_admin
authentication-scheme default
local-user test password irreversible-cipher [cipher text garbled in extraction]
local-user test privilege level 15
local-user test service-type telnet terminal
local-user admin password irreversible-cipher [cipher text garbled in extraction]
local-user admin privilege level 15
local-user admin service-type http

interface Vlanif50
ip address 192.168.50.2 255.255.255.0

interface GigabitEthernet0/0/1
port link-type access
port default vlan 50

interface GigabitEthernet0/0/7
undo negotiation auto
duplex half

interface GigabitEthernet0/0/8
undo negotiation auto
duplex half

interface NULL0

snmp-agent local-engineid 800007DB03000000000000
snmp-agent

ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1

capwap source ip-address 192.168.50.2

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
protocol inbound all
user-interface vty 16 20
protocol inbound all

wlan
traffic-profile name default
security-profile name test
security wpa-wpa2 psk pass-phrase [cipher text garbled in extraction] aes
security-profile name default
security-profile name default-wds
security-profile name default-mesh
ssid-profile name test
ssid wlan-guset
ssid-profile name default
vap-profile name test
service-vlan vlan-id 40
ssid-profile test
security-profile test
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
ap-group name group1
radio 0
vap-profile test wlan 1
radio 1
vap-profile test wlan 1
radio 2
vap-profile test wlan 1
ap-group name default
ap-id 0 type-id 69 ap-mac 00e0-fcf6-0b20 ap-sn 210235448310E91E775B
ap-name 1_lou_ap
ap-group group1
provision-ap

dot1x-access-profile name dot1x_access_profile

mac-access-profile name mac_access_profile

ntp-service unicast-server 192.168.99.1

return
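As an added example (not part of the original post), a small Python audit that checks a flat VRP config dump like the ones above against requirements 1, 4, 6, 7 and 9: RSTP, BPDU protection, global and per-port DHCP snooping with trusted uplinks, NTP pointed at the core, and console/VTY authentication with ACL 2000. The sample config, the section splitting and the finding messages are my own constructions, not the author's.

```python
# Constructed sample modelled on the access-switch dumps above (not a real device); it
# deliberately omits RSTP, the trusted uplink and per-port snooping so the audit has findings.
SAMPLE_ACCESS = """stp bpdu-protection
dhcp snooping enable
ntp-service unicast-server 192.168.99.1
interface Eth-Trunk4
port trunk allow-pass vlan 40 50 999
interface GigabitEthernet0/0/3
port default vlan 40
stp edged-port enable
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
"""

def sections(config):
    """Group the flat dump into {header: [lines]}; global lines go under ''."""
    out, key = {"": []}, ""
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith(("interface ", "user-interface ")):
            key = line
            out[key] = []
        elif line:
            out[key].append(line)
    return out

def audit(config, access=True):
    """Return the numbered requirements (from the list above) that this config fails."""
    s = sections(config)
    glob, out = s[""], []
    need = [("stp mode rstp", "req4: stp mode rstp missing", False),
            ("ntp-service unicast-server 192.168.99.1", "req7: NTP server is not the core", False),
            ("stp bpdu-protection", "req4: bpdu-protection missing", True),
            ("dhcp snooping enable", "req6: global dhcp snooping missing", True)]
    out += [msg for cmd, msg, acc_only in need if cmd not in glob and (access or not acc_only)]
    if "authentication-mode aaa" not in s.get("user-interface con 0", []):
        out.append("req9: console login without aaa")
    if not {"acl 2000 inbound", "authentication-mode aaa"} <= set(s.get("user-interface vty 0 4", [])):
        out.append("req1: vty 0 4 lacks acl 2000 inbound + aaa")
    for hdr, body in s.items():
        name = hdr.split(" ", 1)[-1]
        if access and hdr.startswith("interface Eth-Trunk") and "dhcp snooping trusted" not in body:
            out.append(f"req6: {name} uplink not dhcp snooping trusted")
        if "stp edged-port enable" in body and "dhcp snooping enable" not in body:
            out.append(f"req6: {name} edge port without dhcp snooping")
    return out
```

The script does not cover requirement 3; note that ACL 3000 on the core denies VLAN 40 only 192.168.0.0/19 and 192.168.99.0/24, so the AP/AC management subnet 192.168.50.0/24 and the 10.0.0.0/24 uplink remain reachable from Wi-Fi clients unless further deny rules are added.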
