园区网真实详细配置大全案例

实现要求:

1、只允许行政部电脑对全网telnet管理

2、所有dhcp都在核心

3、wifi用户只能上外网,不能访问局域网其它电脑

4、所有接入交换机上bpdu保护

5、只允许vlan 10-40上网

5、所有接入交换机开dhcp snoop

6、所有的交换机指定核心交换机为ntp时间服务器,ntp再指向外网作为服务器。

7、ac+ap为二层组网

8、所有的交换和路由console登陆都要账号密码

9、所有的管理vlan为999,网关在核心

10、nat上网,外线为pppoe拨号上网

R1配置:

dis current-configuration

[V200R003C00]

sysname isp

snmp-agent local-engineid 800007DB03000000000000

snmp-agent

clock timezone China-Standard-Time minus 08:00:00

portal local-server load flash:/portalpage.zip

drop illegal-mac alarm

wlan ac-global carrier id other ac id 0

set cpu-usage threshold 80 restore 75

dhcp enable

ip pool pppoe

gateway-list 60.0.0.1

network 60.0.0.0 mask 255.255.255.0

dns-list 8.8.8.8

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher % % U6C1S:n4<F*(iTL^nQ'/5x% %

local-user admin service-type ppp

firewall zone Local

priority 15

interface Virtual-Template0

ppp authentication-mode chap

remote address pool pppoe

ip address 60.0.0.1 255.255.255.0

interface GigabitEthernet0/0/0

ip address 8.8.8.1 255.255.255.0

interface GigabitEthernet0/0/1

pppoe-server bind Virtual-Template 0

interface GigabitEthernet0/0/2

interface NULL0

user-interface con 0

authentication-mode password

user-interface vty 0 4

user-interface vty 16 20

wlan ac

return

R2配置:

<out_router>dis current-configuration

[V200R003C00]

sysname out_router

snmp-agent local-engineid 800007DB03000000000000

snmp-agent

clock timezone China-Standard-Time minus 08:00:00

portal local-server load flash:/portalpage.zip

drop illegal-mac alarm

ntp-service unicast-server 192.168.99.1

wlan ac-global carrier id other ac id 0

set cpu-usage threshold 80 restore 75

acl number 2000

rule 5 permit source 192.168.10.100 0

rule 10 deny

acl number 2001

rule 5 permit source 192.168.0.0 0.0.63.255

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher % % |#rD/aWa47N_{G/1^[Q3`.0#% %

local-user admin privilege level 15

local-user admin service-type telnet terminal

firewall zone Local

priority 15

interface Dialer0

link-protocol ppp

ppp chap user admin

ppp chap password cipher % % KoFK!Yrm<T9h0T3{J3@@, l / l/% l/%$

ip address ppp-negotiate

dialer user admin

dialer bundle 1

nat outbound 2001

interface GigabitEthernet0/0/0

pppoe-client dial-bundle-number 1

interface GigabitEthernet0/0/1

ip address 10.0.0.1 255.255.255.0

interface GigabitEthernet0/0/2

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 Dialer0

ip route-static 192.168.0.0 255.255.192.0 10.0.0.2

user-interface con 0

authentication-mode aaa

user-interface vty 0 4

acl 2000 inbound

authentication-mode aaa

user-interface vty 16 20

wlan ac

return

lsw1配置

dis current-configuration

sysname core

vlan batch 10 20 30 40 50 100 999

cluster enable

ntdp enable

ndp enable

undo nap slave enable

drop illegal-mac alarm

dhcp enable

diffserv domain default

acl number 2000

rule 5 permit source 192.168.10.100 0

rule 10 deny

acl number 3000

rule 1 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.99.0 0.0.0.255

rule 5 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.0.0 0.0.31.255

rule 10 permit ip

drop-profile default

ip pool vlan20

ip pool vlan40

gateway-list 192.168.40.1

network 192.168.40.0 mask 255.255.255.0

dns-list 8.8.8.8

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!

local-user admin privilege level 15

local-user admin service-type telnet terminal

ntp-service unicast-server 8.8.8.8

ntp-service refclock-master 2

ntp-service unicast-server 192.168.99.1

interface Vlanif1

interface Vlanif10

description xzb

ip address 192.168.10.1 255.255.255.0

dhcp select interface

dhcp server static-bind ip-address 192.168.10.100 mac-address 5489-981f-2e0e

dhcp server dns-list 8.8.8.8

interface Vlanif20

description scb

ip address 192.168.20.1 255.255.255.0

dhcp select interface

dhcp server dns-list 8.8.8.8

interface Vlanif30

description yfb

ip address 192.168.30.1 255.255.255.0

dhcp select interface

dhcp server static-bind ip-address 192.168.30.100 mac-address 5489-9832-7ea4

dhcp server dns-list 8.8.8.8

interface Vlanif40

description wifi_yw

ip address 192.168.40.1 255.255.255.0

dhcp select global

interface Vlanif50

description ap_manage

ip address 192.168.50.1 255.255.255.0

dhcp select interface

interface Vlanif100

description to_router

ip address 10.0.0.2 255.255.255.0

interface Vlanif999

description manage_all

ip address 192.168.99.1 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 10 999

mode lacp-static

interface Eth-Trunk2

port link-type trunk

port trunk allow-pass vlan 20 999

mode lacp-static

interface Eth-Trunk3

port link-type trunk

port trunk allow-pass vlan 30 999

interface Eth-Trunk4

port link-type trunk

port trunk allow-pass vlan 40 50 999

traffic-filter inbound acl 3000

mode lacp-static

interface GigabitEthernet0/0/1

port link-type trunk

port trunk pvid vlan 100

port trunk allow-pass vlan 100

interface GigabitEthernet0/0/2

port link-type access

port default vlan 50

interface GigabitEthernet0/0/3

eth-trunk 1

interface GigabitEthernet0/0/4

eth-trunk 1

interface GigabitEthernet0/0/5

eth-trunk 2

interface GigabitEthernet0/0/6

eth-trunk 2

interface GigabitEthernet0/0/7

eth-trunk 3

interface GigabitEthernet0/0/8

eth-trunk 3

interface GigabitEthernet0/0/9

eth-trunk 4

interface GigabitEthernet0/0/10

eth-trunk 4

interface GigabitEthernet0/0/11

interface GigabitEthernet0/0/12

interface GigabitEthernet0/0/13

interface GigabitEthernet0/0/14

interface GigabitEthernet0/0/15

interface GigabitEthernet0/0/16

interface GigabitEthernet0/0/17

interface GigabitEthernet0/0/18

interface GigabitEthernet0/0/19

interface GigabitEthernet0/0/20

interface GigabitEthernet0/0/21

interface GigabitEthernet0/0/22

interface GigabitEthernet0/0/23

interface GigabitEthernet0/0/24

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 10.0.0.1

user-interface con 0

authentication-mode aaa

user-interface vty 0 4

acl 2000 inbound

authentication-mode aaa

lsw2配置:

<xzb_hj>dis current-configuration

sysname xzb_hj

vlan batch 10 999

stp bpdu-protection

cluster enable

ntdp enable

ndp enable

error-down auto-recovery cause bpdu-protection interval 60

undo nap slave enable

drop illegal-mac alarm

dhcp enable

dhcp snooping enable

diffserv domain default

acl number 2000

rule 5 permit source 192.168.10.100 0

rule 10 deny

drop-profile default

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!

local-user admin privilege level 15

local-user admin service-type telnet terminal

ntp-service unicast-server 192.168.99.1

interface Vlanif1

interface Vlanif999

ip address 192.168.99.2 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 10 999

mode lacp-static

dhcp snooping trusted

interface GigabitEthernet0/0/1

eth-trunk 1

interface GigabitEthernet0/0/2

eth-trunk 1

interface GigabitEthernet0/0/3

port link-type access

port default vlan 10

stp edged-port enable

dhcp snooping enable

interface GigabitEthernet0/0/4

interface GigabitEthernet0/0/5

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7

interface GigabitEthernet0/0/8

interface GigabitEthernet0/0/9

interface GigabitEthernet0/0/10

interface GigabitEthernet0/0/11

interface GigabitEthernet0/0/12

interface GigabitEthernet0/0/13

interface GigabitEthernet0/0/14

interface GigabitEthernet0/0/15

interface GigabitEthernet0/0/16

interface GigabitEthernet0/0/17

interface GigabitEthernet0/0/18

interface GigabitEthernet0/0/19

interface GigabitEthernet0/0/20

interface GigabitEthernet0/0/21

interface GigabitEthernet0/0/22

interface GigabitEthernet0/0/23

interface GigabitEthernet0/0/24

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

user-interface con 0

authentication-mode aaa

user-interface vty 0 4

acl 2000 inbound

authentication-mode aaa

lsw3配置

<scb_hj>dis current-configuration

sysname scb_hj

vlan batch 20 999

stp bpdu-protection

cluster enable

ntdp enable

ndp enable

error-down auto-recovery cause bpdu-protection interval 60

undo nap slave enable

drop illegal-mac alarm

dhcp enable

dhcp snooping enable

diffserv domain default

acl number 2000

rule 5 permit source 192.168.10.100 0

rule 10 deny

drop-profile default

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!

local-user admin privilege level 15

local-user admin service-type telnet terminal

ntp-service unicast-server 192.168.99.1

interface Vlanif1

interface Vlanif999

ip address 192.168.99.3 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk2

port link-type trunk

port trunk allow-pass vlan 20 999

mode lacp-static

dhcp snooping trusted

interface GigabitEthernet0/0/1

eth-trunk 2

interface GigabitEthernet0/0/2

eth-trunk 2

interface GigabitEthernet0/0/3

port hybrid pvid vlan 20

port hybrid untagged vlan 20

stp edged-port enable

dhcp snooping enable

interface GigabitEthernet0/0/4

interface GigabitEthernet0/0/5

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7

interface GigabitEthernet0/0/8

interface GigabitEthernet0/0/9

interface GigabitEthernet0/0/10

interface GigabitEthernet0/0/11

interface GigabitEthernet0/0/12

interface GigabitEthernet0/0/13

interface GigabitEthernet0/0/14

interface GigabitEthernet0/0/15

interface GigabitEthernet0/0/16

interface GigabitEthernet0/0/17

interface GigabitEthernet0/0/18

interface GigabitEthernet0/0/19

interface GigabitEthernet0/0/20

interface GigabitEthernet0/0/21

interface GigabitEthernet0/0/22

interface GigabitEthernet0/0/23

interface GigabitEthernet0/0/24

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

user-interface con 0

authentication-mode aaa

user-interface vty 0 4

acl 2000 inbound

authentication-mode aaa

port-group link-type

return

lsw4配置:

<yfb_hj>dis current-configuration

sysname yfb_hj

vlan batch 30 999

stp bpdu-protection

cluster enable

ntdp enable

ndp enable

error-down auto-recovery cause bpdu-protection interval 60

undo nap slave enable

drop illegal-mac alarm

dhcp enable

dhcp snooping enable

diffserv domain default

acl number 2000

rule 5 permit source 192.168.10.100 0

rule 10 deny

drop-profile default

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!

local-user admin privilege level 15

local-user admin service-type telnet terminal

ntp-service unicast-server 192.168.99.1

interface Vlanif1

interface Vlanif999

ip address 192.168.99.4 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk3

port link-type trunk

port trunk allow-pass vlan 30 999

dhcp snooping trusted

interface GigabitEthernet0/0/1

eth-trunk 3

interface GigabitEthernet0/0/2

eth-trunk 3

interface GigabitEthernet0/0/3

port link-type access

port default vlan 30

stp edged-port enable

dhcp snooping enable

interface GigabitEthernet0/0/4

port link-type access

port default vlan 30

stp edged-port enable

dhcp snooping enable

interface GigabitEthernet0/0/5

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7

interface GigabitEthernet0/0/8

interface GigabitEthernet0/0/9

interface GigabitEthernet0/0/10

interface GigabitEthernet0/0/11

interface GigabitEthernet0/0/12

interface GigabitEthernet0/0/13

interface GigabitEthernet0/0/14

interface GigabitEthernet0/0/15

interface GigabitEthernet0/0/16

interface GigabitEthernet0/0/17

interface GigabitEthernet0/0/18

interface GigabitEthernet0/0/19

interface GigabitEthernet0/0/20

interface GigabitEthernet0/0/21

interface GigabitEthernet0/0/22

interface GigabitEthernet0/0/23

interface GigabitEthernet0/0/24

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

user-interface con 0

authentication-mode aaa

user-interface vty 0 4

acl 2000 inbound

authentication-mode aaa

lsw5配置

<jdzx_hj>dis current-configuration

sysname jdzx_hj

vlan batch 40 50 999

stp bpdu-protection

cluster enable

ntdp enable

ndp enable

error-down auto-recovery cause bpdu-protection interval 60

undo nap slave enable

drop illegal-mac alarm

dhcp enable

dhcp snooping enable

diffserv domain default

acl number 2000

rule 5 permit source 192.168.10.100 0

rule 10 deny

drop-profile default

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!

local-user admin privilege level 15

local-user admin service-type telnet terminal

ntp-service unicast-server 192.168.99.1

interface Vlanif1

interface Vlanif999

ip address 192.168.99.5 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk4

port link-type trunk

port trunk allow-pass vlan 40 50 999

mode lacp-static

dhcp snooping trusted

interface GigabitEthernet0/0/1

eth-trunk 4

interface GigabitEthernet0/0/2

eth-trunk 4

interface GigabitEthernet0/0/3

port link-type trunk

port trunk pvid vlan 50

port trunk allow-pass vlan 40 50

stp edged-port enable

dhcp snooping enable

interface GigabitEthernet0/0/4

interface GigabitEthernet0/0/5

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7

interface GigabitEthernet0/0/8

interface GigabitEthernet0/0/9

interface GigabitEthernet0/0/10

interface GigabitEthernet0/0/11

interface GigabitEthernet0/0/12

interface GigabitEthernet0/0/13

interface GigabitEthernet0/0/14

interface GigabitEthernet0/0/15

interface GigabitEthernet0/0/16

interface GigabitEthernet0/0/17

interface GigabitEthernet0/0/18

interface GigabitEthernet0/0/19

interface GigabitEthernet0/0/20

interface GigabitEthernet0/0/21

interface GigabitEthernet0/0/22

interface GigabitEthernet0/0/23

interface GigabitEthernet0/0/24

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

user-interface con 0

authentication-mode aaa

user-interface vty 0 4

acl 2000 inbound

authentication-mode aaa

return

AC配置:

dis current-configuration

set memory-usage threshold 0

ssl renegotiation-rate 1

vlan batch 50

authentication-profile name default_authen_profile

authentication-profile name dot1x_authen_profile

authentication-profile name mac_authen_profile

authentication-profile name portal_authen_profile

authentication-profile name macportal_authen_profile

diffserv domain default

radius-server template default

pki realm default

rsa local-key-pair default

enrollment self-signed

acl number 2000

rule 5 permit source 192.168.10.100 0

rule 10 deny

ike proposal default

encryption-algorithm aes-256

dh group14

authentication-algorithm sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

free-rule-template name default_free_rule

portal-access-profile name portal_access_profile

aaa

authentication-scheme default

authentication-scheme radius

authentication-mode radius

authorization-scheme default

accounting-scheme default

domain default

authentication-scheme radius

radius-server default

domain default_admin

authentication-scheme default

local-user test password irreversible-cipher 1 a 1a 1arMSnJPC9I>KaTeX parse error: Undefined control sequence: \V at position 14: =QQ~JN4fKC5o,\̲V̲*x.# =o=Tm+og^8...

local-user test privilege level 15

local-user test service-type telnet terminal

local-user admin password irreversible-cipher 1 a 1a 1ayRep#S@6lN f X d fXd fXd/:y#d+]wLBZ\kT

L/6WIy~>Uj8Rh J ∣ 8 I " < ∣ 9 J|8I"<|9 J∣8I"<∣9

local-user admin privilege level 15

local-user admin service-type http

interface Vlanif50

ip address 192.168.50.2 255.255.255.0

interface GigabitEthernet0/0/1

port link-type access

port default vlan 50

interface GigabitEthernet0/0/2

interface GigabitEthernet0/0/3

interface GigabitEthernet0/0/4

interface GigabitEthernet0/0/5

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7

undo negotiation auto

duplex half

interface GigabitEthernet0/0/8

undo negotiation auto

duplex half

interface NULL0

snmp-agent local-engineid 800007DB03000000000000

snmp-agent

ssh server secure-algorithms cipher aes256_ctr aes128_ctr

ssh server key-exchange dh_group14_sha1

ssh client secure-algorithms cipher aes256_ctr aes128_ctr

ssh client secure-algorithms hmac sha2_256

ssh client key-exchange dh_group14_sha1

capwap source ip-address 192.168.50.2

user-interface con 0

authentication-mode aaa

user-interface vty 0 4

acl 2000 inbound

authentication-mode aaa

protocol inbound all

user-interface vty 16 20

protocol inbound all

wlan

traffic-profile name default

security-profile name test

security wpa-wpa2 psk pass-phrase %^%#KL!*>z6z'm±`M{B{k+I(U9G1"rHU4W[n&;mq&+

%^%# aes

security-profile name default

security-profile name default-wds

security-profile name default-mesh

ssid-profile name test

ssid wlan-guset

ssid-profile name default

vap-profile name test

service-vlan vlan-id 40

ssid-profile test

security-profile test

vap-profile name default

wds-profile name default

mesh-handover-profile name default

mesh-profile name default

regulatory-domain-profile name default

air-scan-profile name default

rrm-profile name default

radio-2g-profile name default

radio-5g-profile name default

wids-spoof-profile name default

wids-profile name default

wireless-access-specification

ap-system-profile name default

port-link-profile name default

wired-port-profile name default

serial-profile name preset-enjoyor-toeap

ap-group name group1

radio 0

vap-profile test wlan 1

radio 1

vap-profile test wlan 1

radio 2

vap-profile test wlan 1

ap-group name default

ap-id 0 type-id 69 ap-mac 00e0-fcf6-0b20 ap-sn 210235448310E91E775B

ap-name 1_lou_ap

ap-group group1

provision-ap

dot1x-access-profile name dot1x_access_profile

mac-access-profile name mac_access_profile

ntp-service unicast-server 192.168.99.1

return

相关推荐
小伍_Five1 小时前
透视网络世界:计算机网络习题的深度解析与总结【前3章】
服务器·网络·计算机网络
网络安全(king)3 小时前
网络安全攻防学习平台 - 基础关
网络·学习·web安全
李白你好4 小时前
家用无线路由器的 2.4GHz 和 5GHz
运维·网络
嵌入(师)4 小时前
嵌入式驱动开发详解21(网络驱动开发)
网络·驱动开发
柒烨带你飞4 小时前
路由器的原理
网络·智能路由器·php
xserver24 小时前
ensp 基于EASY IP的公司出口链路配置
网络·tcp/ip·智能路由器
枫零NET4 小时前
学习思考:一日三问(学习篇)之匹配VLAN
网络·学习·交换机
手心里的白日梦5 小时前
UDP传输层通信协议详解
网络·网络协议·udp
红米饭配南瓜汤6 小时前
WebRTC服务质量(11)- Pacer机制(03) IntervalBudget
网络·网络协议·音视频·webrtc·媒体