
1. Requirements:
(1) The HQ network is designed for high availability: losing one access-layer link, or the failure of an aggregation or core device, must not disrupt normal forwarding.
(2) Branch 1 has few users, so it uses single-arm routing (router-on-a-stick) for inter-VLAN connectivity.
(3) HQ, branch 1 and branch 2 can all reach the Internet.
(4) The Internet can reach the HQ HTTP server and FTP server.
(5) HQ and the two branches interconnect their internal networks through DSVPN.
2. HQ configuration
(1) Create the VLANs and assign the interfaces; bundle the links between the core switches into an Eth-Trunk so that if either core switch fails the other keeps forwarding.
```
[LSW3]vlan batch 10 20 30
[LSW3]int g0/0/3
[LSW3-GigabitEthernet0/0/3]port link-type access
[LSW3-GigabitEthernet0/0/3]port default vlan 10
[LSW3-GigabitEthernet0/0/3]int g0/0/1
[LSW3-GigabitEthernet0/0/1]port link-type trunk
[LSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30
[LSW3-GigabitEthernet0/0/1]int g0/0/2
[LSW3-GigabitEthernet0/0/2]port link-type trunk
[LSW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30

[LSW4]vlan batch 10 20 30
[LSW4]int g0/0/3
[LSW4-GigabitEthernet0/0/3]port link-type access
[LSW4-GigabitEthernet0/0/3]port default vlan 20
[LSW4-GigabitEthernet0/0/3]int g0/0/1
[LSW4-GigabitEthernet0/0/1]port link-type trunk
[LSW4-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30
[LSW4-GigabitEthernet0/0/1]int g0/0/2
[LSW4-GigabitEthernet0/0/2]port link-type trunk
[LSW4-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30

[LSW5]vlan batch 10 20 30
[LSW5]int g0/0/3
[LSW5-GigabitEthernet0/0/3]port link-type access
[LSW5-GigabitEthernet0/0/3]port default vlan 30
[LSW5-GigabitEthernet0/0/3]int g0/0/1
[LSW5-GigabitEthernet0/0/1]port link-type trunk
[LSW5-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20 30
[LSW5-GigabitEthernet0/0/1]int g0/0/2
[LSW5-GigabitEthernet0/0/2]port link-type trunk
[LSW5-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 30

[LSW1]vlan batch 10 20 30 11 12
[LSW1]int g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type access
[LSW1-GigabitEthernet0/0/1]port default vlan 11
[LSW1-GigabitEthernet0/0/1]int g0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type access
[LSW1-GigabitEthernet0/0/2]port default vlan 12
[LSW1-GigabitEthernet0/0/2]int g0/0/3
[LSW1-GigabitEthernet0/0/3]port link-type trunk
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 30 11 12
[LSW1-GigabitEthernet0/0/3]int g0/0/4
[LSW1-GigabitEthernet0/0/4]port link-type trunk
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 20 30 11 12 13 14
```
```
[LSW1-GigabitEthernet0/0/4]int g0/0/5
[LSW1-GigabitEthernet0/0/5]port link-type trunk
[LSW1-GigabitEthernet0/0/5]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW1-GigabitEthernet0/0/5]quit
[LSW1]int Eth-Trunk 1
[LSW1-Eth-Trunk1]trunkport GigabitEthernet 0/0/6 to 0/0/7
[LSW1-Eth-Trunk1]port link-type trunk
[LSW1-Eth-Trunk1]port trunk allow-pass vlan 10 20 30 11 12 13 14

[LSW2]vlan batch 10 20 30 13 14
[LSW2]int g0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type access
[LSW2-GigabitEthernet0/0/1]port default vlan 14
[LSW2-GigabitEthernet0/0/1]int g0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type access
[LSW2-GigabitEthernet0/0/2]port default vlan 13
[LSW2-GigabitEthernet0/0/2]int g0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type trunk
[LSW2-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW2-GigabitEthernet0/0/3]int g0/0/4
[LSW2-GigabitEthernet0/0/4]port link-type trunk
[LSW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW2-GigabitEthernet0/0/4]int g0/0/5
[LSW2-GigabitEthernet0/0/5]port link-type trunk
[LSW2-GigabitEthernet0/0/5]port trunk allow-pass vlan 10 20 30 11 12 13 14
[LSW2-GigabitEthernet0/0/5]quit
[LSW2]int Eth-Trunk 1
[LSW2-Eth-Trunk1]trunkport GigabitEthernet 0/0/6 to 0/0/7
[LSW2-Eth-Trunk1]port link-type trunk
[LSW2-Eth-Trunk1]port trunk allow-pass vlan 10 20 30 11 12 13 14
```

(2) Configure MSTP to break the loops: LSW1 is the root bridge for VLANs 10 and 20 and the secondary root for VLAN 30; LSW2 is the root bridge for VLAN 30 and the secondary root for VLANs 10 and 20. The ports facing end hosts are configured as edge ports.

```
[LSW1]stp region-configuration
[LSW1-mst-region]region-name 1
[LSW1-mst-region]revision-level 1
[LSW1-mst-region]instance 1 vlan 10 20
[LSW1-mst-region]instance 2 vlan 30
[LSW1-mst-region]active region-configuration
[LSW1]stp instance 1 priority 0
[LSW1]stp instance 2 priority 4096

[LSW2]stp region-configuration
[LSW2-mst-region]region-name 1
[LSW2-mst-region]revision-level 1
[LSW2-mst-region]instance 1 vlan 10 20
```
```
[LSW2-mst-region]instance 2 vlan 30
[LSW2-mst-region]active region-configuration
[LSW2]stp instance 1 priority 4096
[LSW2]stp instance 2 priority 0

[LSW3]stp region-configuration
[LSW3-mst-region]region-name 1
[LSW3-mst-region]revision-level 1
[LSW3-mst-region]instance 1 vlan 10 20
[LSW3-mst-region]instance 2 vlan 30
[LSW3-mst-region]active region-configuration
[LSW3-mst-region]quit

[LSW4]stp region-configuration
[LSW4-mst-region]region-name 1
[LSW4-mst-region]revision-level 1
[LSW4-mst-region]instance 1 vlan 10 20
[LSW4-mst-region]instance 2 vlan 30
[LSW4-mst-region]active region-configuration
[LSW4-mst-region]quit

[LSW5]stp region-configuration
[LSW5-mst-region]region-name 1
[LSW5-mst-region]revision-level 1
[LSW5-mst-region]instance 1 vlan 10 20
[LSW5-mst-region]instance 2 vlan 30
[LSW5-mst-region]active region-configuration

[LSW3]int g0/0/3
[LSW3-GigabitEthernet0/0/3]stp edged-port enable
[LSW4]int g0/0/3
[LSW4-GigabitEthernet0/0/3]stp edged-port enable
[LSW5]int g0/0/3
[LSW5-GigabitEthernet0/0/3]stp edged-port enable
```

(3) Configure inter-VLAN routing so the internal network communicates. VRRP is configured with LSW1 as master for VLANs 10 and 20 and backup for VLAN 30, and LSW2 as backup for VLANs 10 and 20 and master for VLAN 30.

```
[LSW1]int Vlanif 10
[LSW1-Vlanif10]ip add 10.1.1.1 24
[LSW1-Vlanif10]int Vlanif 20
[LSW1-Vlanif20]ip add 10.1.2.1 24
[LSW1-Vlanif20]int Vlanif 30
[LSW1-Vlanif30]ip add 10.1.3.1 24

[LSW2]int Vlanif 10
[LSW2-Vlanif10]ip add 10.1.1.2 24
[LSW2-Vlanif10]int Vlanif 20
[LSW2-Vlanif20]ip add 10.1.2.2 24
[LSW2-Vlanif20]int Vlanif 30
[LSW2-Vlanif30]ip add 10.1.3.2 24

[LSW1]int Vlanif 10
[LSW1-Vlanif10]vrrp vrid 1 virtual-ip 10.1.1.254
[LSW1-Vlanif10]vrrp vrid 1 priority 200
[LSW1-Vlanif10]vrrp vrid 1 preempt-mode timer delay 60
[LSW1-Vlanif10]vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 120
[LSW1]int Vlanif 20
[LSW1-Vlanif20]vrrp vrid 2 virtual-ip 10.1.2.254
[LSW1-Vlanif20]vrrp vrid 2 priority 200
[LSW1-Vlanif20]vrrp vrid 2 preempt-mode timer delay 60
[LSW1-Vlanif20]vrrp vrid 2 track interface GigabitEthernet 0/0/1 reduced 120
[LSW1]int Vlanif 30
[LSW1-Vlanif30]vrrp vrid 3 virtual-ip 10.1.3.254

[LSW2]int Vlanif 10
[LSW2-Vlanif10]vrrp vrid 1 virtual-ip 10.1.1.254
[LSW2-Vlanif10]int Vlanif 20
[LSW2-Vlanif20]vrrp vrid 2 virtual-ip 10.1.2.254
[LSW2-Vlanif20]int Vlanif 30
[LSW2-Vlanif30]vrrp vrid 3 virtual-ip 10.1.3.254
[LSW2-Vlanif30]vrrp vrid 3 priority 200
[LSW2-Vlanif30]vrrp vrid 3 preempt-mode timer delay 60
[LSW2-Vlanif30]vrrp vrid 3 track interface GigabitEthernet 0/0/1 reduced 120
```

(4) Configure the Layer 3 interconnection interfaces

```
[LSW1]int Vlanif 11
[LSW1-Vlanif11]ip add 192.168.11.1 24
[LSW1-Vlanif11]int Vlanif 12
[LSW1-Vlanif12]ip add 192.168.12.1 24

[LSW2]int Vlanif 13
[LSW2-Vlanif13]ip add 192.168.13.2 24
[LSW2-Vlanif13]int Vlanif 14
[LSW2-Vlanif14]ip add 192.168.14.2 24

[FW1]firewall zone trust
[FW1-zone-trust]add interface GigabitEthernet 1/0/2
[FW1-zone-trust]add interface GigabitEthernet 1/0/0
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface GigabitEthernet 1/0/1
[FW1-zone-untrust]firewall zone dmz
[FW1-zone-dmz]add interface GigabitEthernet 1/0/3
[FW1-zone-dmz]add interface GigabitEthernet 1/0/4
[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 20.1.1.3 24
[FW1-GigabitEthernet1/0/1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 192.168.13.3 24
[FW1-GigabitEthernet1/0/0]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 192.168.11.3 24
[FW1-GigabitEthernet1/0/2]int g1/0/3
[FW1-GigabitEthernet1/0/3]ip add 192.168.15.3 24
[FW1-GigabitEthernet1/0/3]int g1/0/4
[FW1-GigabitEthernet1/0/4]ip add 192.168.16.3 24

[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 192.168.12.4 24
[AR2-GigabitEthernet0/0/0]int g0/0/1
[AR2-GigabitEthernet0/0/1]ip add 192.168.14.4 24
[AR2-GigabitEthernet0/0/1]int g0/0/2
[AR2-GigabitEthernet0/0/2]ip add 20.1.1.4 24

[AR1]int g4/0/0
[AR1-GigabitEthernet4/0/0]ip add 50.1.1.5 24
[AR1-GigabitEthernet4/0/0]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 30.1.1.5 24
[AR1-GigabitEthernet0/0/1]int g0/0/2
[AR1-GigabitEthernet0/0/2]ip add 40.1.1.5 24
[AR1-GigabitEthernet0/0/2]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add 20.1.1.5 24
```

(5) Configure the DMZ area
1) Configure the VLANs

```
[LSW10]vlan batch 100 101
[LSW10]int g0/0/3
[LSW10-GigabitEthernet0/0/3]port link-type access
[LSW10-GigabitEthernet0/0/3]port default vlan 100
[LSW10-GigabitEthernet0/0/3]int g0/0/4
[LSW10-GigabitEthernet0/0/4]port link-type access
[LSW10-GigabitEthernet0/0/4]port default vlan 101
[LSW10-GigabitEthernet0/0/4]int g0/0/1
[LSW10-GigabitEthernet0/0/1]port link-type trunk
[LSW10-GigabitEthernet0/0/1]port trunk allow-pass vlan 100 101
[LSW10-GigabitEthernet0/0/1]int g0/0/2
[LSW10-GigabitEthernet0/0/2]port link-type trunk
[LSW10-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 101

[LSW8]vlan batch 15 100 101
[LSW8]int g0/0/1
[LSW8-GigabitEthernet0/0/1]port link-type access
[LSW8-GigabitEthernet0/0/1]port default vlan 15
[LSW8-GigabitEthernet0/0/1]int g0/0/2
[LSW8-GigabitEthernet0/0/2]port link-type trunk
[LSW8-GigabitEthernet0/0/2]port trunk allow-pass vlan 15 100 101
[LSW8-GigabitEthernet0/0/2]quit
[LSW8]int Eth-Trunk 1
[LSW8-Eth-Trunk1]trunkport GigabitEthernet 0/0/3 to 0/0/4
[LSW8-Eth-Trunk1]port link-type trunk
[LSW8-Eth-Trunk1]port trunk allow-pass vlan 15 100 101

[LSW9]vlan batch 16 100 101
[LSW9]int g0/0/1
[LSW9-GigabitEthernet0/0/1]port link-type access
[LSW9-GigabitEthernet0/0/1]port default vlan 16
[LSW9-GigabitEthernet0/0/1]int g0/0/2
[LSW9-GigabitEthernet0/0/2]port link-type trunk
[LSW9-GigabitEthernet0/0/2]port trunk allow-pass vlan 16 100 101
[LSW9-GigabitEthernet0/0/2]quit
[LSW9]int Eth-Trunk 1
[LSW9-Eth-Trunk1]trunkport GigabitEthernet 0/0/3 to 0/0/4
[LSW9-Eth-Trunk1]port link-type trunk
[LSW9-Eth-Trunk1]port trunk allow-pass vlan 16 100 101
```

2) Configure MSTP (the root bridge for VLAN 100 must be LSW8, the root bridge for VLAN 101 must be LSW9)

```
[LSW10]stp region-configuration
[LSW10-mst-region]region-name DMZ1
[LSW10-mst-region]revision-level 1
[LSW10-mst-region]instance 1 vlan 100
[LSW10-mst-region]instance 2 vlan 101
[LSW10-mst-region]active region-configuration

[LSW8]stp region-configuration
[LSW8-mst-region]region-name DMZ1
[LSW8-mst-region]revision-level 1
[LSW8-mst-region]instance 1 vlan 100
[LSW8-mst-region]instance 2 vlan 101
[LSW8-mst-region]active region-configuration

[LSW9]stp region-configuration
[LSW9-mst-region]region-name DMZ1
[LSW9-mst-region]revision-level 1
[LSW9-mst-region]instance 1 vlan 100
[LSW9-mst-region]instance 2 vlan 101
[LSW9-mst-region]active region-configuration

[LSW8]stp instance 1 priority 0
[LSW8]stp instance 2 priority 4096
[LSW9]stp instance 1 priority 4096
[LSW9]stp instance 2 priority 0

[LSW10]int g0/0/3
[LSW10-GigabitEthernet0/0/3]stp edged-port enable
[LSW10-GigabitEthernet0/0/3]int g0/0/4
[LSW10-GigabitEthernet0/0/4]stp edged-port enable
```

3) Configure inter-VLAN routing

```
[LSW8]int Vlanif 15
[LSW8-Vlanif15]ip add 192.168.15.1 24
[LSW8]int Vlanif 100
[LSW8-Vlanif100]ip add 10.1.100.1 24
[LSW8-Vlanif100]int Vlanif 101
[LSW8-Vlanif101]ip add 10.1.101.1 24

[LSW9]int Vlanif 16
[LSW9-Vlanif16]ip add 192.168.16.2 24
[LSW9]int Vlanif 100
[LSW9-Vlanif100]ip add 10.1.100.2 24
[LSW9-Vlanif100]int Vlanif 101
[LSW9-Vlanif101]ip add 10.1.101.2 24
```

4) Configure VRRP to provide link backup

```
[LSW8]int Vlanif 100
[LSW8-Vlanif100]vrrp vrid 1 virtual-ip 10.1.100.254
[LSW8-Vlanif100]vrrp vrid 1 priority 200
[LSW8-Vlanif100]vrrp vrid 1 preempt-mode timer delay 60
[LSW8-Vlanif100]vrrp vrid 1 track interface g0/0/1 reduced 120
[LSW8-Vlanif100]quit
[LSW8]int Vlanif 101
[LSW8-Vlanif101]vrrp vrid 2 virtual-ip 10.1.101.254

[LSW9]int Vlanif 100
[LSW9-Vlanif100]vrrp vrid 1 virtual-ip 10.1.100.254
[LSW9-Vlanif100]int Vlanif 101
[LSW9-Vlanif101]vrrp vrid 2 virtual-ip 10.1.101.254
[LSW9-Vlanif101]vrrp vrid 2 preempt-mode timer delay 60
[LSW9-Vlanif101]vrrp vrid 2 priority 200
[LSW9-Vlanif101]vrrp vrid 2 track interface g0/0/1 reduced 120
```

(6) Configure routing for the whole network: HQ sits in OSPF area 0, the servers in area 1, branch 1 in area 2 and branch 2 in area 3
1) Configure OSPF

```
[LSW1]ospf 1 router-id 11.1.1.1
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.3.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255

[LSW2]ospf 1 router-id 22.1.1.1
[LSW2-ospf-1]area 0
[LSW2-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 10.1.3.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 192.168.13.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.0]network 192.168.14.0 0.0.0.255

[FW1]ospf router-id 33.1.1.1
[FW1-ospf-1]area 0
[FW1-ospf-1-area-0.0.0.0]network 192.168.11.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]network 192.168.13.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
[FW1-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255

[AR2]ospf router-id 44.1.1.1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 192.168.12.0 0.0.0.255
[AR2-ospf-1-area-0.0.0.0]network 192.168.14.0 0.0.0.255

[LSW8]ospf router-id 111.1.1.1
[LSW8-ospf-1]area 0
[LSW8-ospf-1-area-0.0.0.0]network 192.168.15.0 0.0.0.255
[LSW8-ospf-1-area-0.0.0.0]area 1
[LSW8-ospf-1-area-0.0.0.1]network 10.1.100.0 0.0.0.255
[LSW8-ospf-1-area-0.0.0.1]network 10.1.101.0 0.0.0.255

[LSW9]ospf router-id 222.1.1.1
[LSW9-ospf-1]area 0
[LSW9-ospf-1-area-0.0.0.0]network 192.168.16.0 0.0.0.255
[LSW9-ospf-1-area-0.0.0.0]area 1
[LSW9-ospf-1-area-0.0.0.1]network 10.1.101.0 0.0.0.255
[LSW9-ospf-1-area-0.0.0.1]network 10.1.100.0 0.0.0.255
```

2) Make the user-facing Vlanif interfaces silent (passive) in OSPF

```
[LSW1]ospf 1
[LSW1-ospf-1]silent-interface Vlanif 10
```
```
[LSW1-ospf-1]silent-interface Vlanif 20
[LSW1-ospf-1]silent-interface Vlanif 30
[LSW2]ospf 1
[LSW2-ospf-1]silent-interface Vlanif 10
[LSW2-ospf-1]silent-interface Vlanif 20
[LSW2-ospf-1]silent-interface Vlanif 30
[LSW8-ospf-1]silent-interface Vlanif 100
[LSW8-ospf-1]silent-interface Vlanif 101
[LSW9-ospf-1]silent-interface Vlanif 100
[LSW9-ospf-1]silent-interface Vlanif 101
```

(7) Configure the trust-to-dmz security policy

```
[FW1]security-policy
[FW1-policy-security]rule name t-to-dmz
[FW1-policy-security-rule-t-to-dmz]source-zone trust
[FW1-policy-security-rule-t-to-dmz]source-address 10.1.0.0 16
[FW1-policy-security-rule-t-to-dmz]destination-zone dmz
[FW1-policy-security-rule-t-to-dmz]action permit
```

(8) Configure NAT

```
[FW1]nat-policy
[FW1-policy-nat]rule name to-ISP
[FW1-policy-nat-rule-to-ISP]source-zone trust
[FW1-policy-nat-rule-to-ISP]destination-zone untrust
[FW1-policy-nat-rule-to-ISP]source-address 10.1.0.0 16
[FW1-policy-nat-rule-to-ISP]action source-nat easy-ip
[FW1]security-policy
[FW1-policy-security]rule name to-ISP
[FW1-policy-security-rule-to-ISP]source-zone trust
[FW1-policy-security-rule-to-ISP]destination-zone untrust
[FW1-policy-security-rule-to-ISP]source-address 10.1.0.0 16
[FW1-policy-security-rule-to-ISP]action permit
[FW1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.5
[FW1]ospf 1
[FW1-ospf-1]default-route-advertise
```

(9) Public access to the HTTP and FTP services in the DMZ: map them with nat server

```
[FW1]nat server protocol tcp global 20.1.1.100 80 inside 10.1.100.10 80
[FW1]nat server protocol tcp global 20.1.1.101 21 inside 10.1.101.10 21
[FW1]security-policy
[FW1-policy-security]rule name u-to-dmz
[FW1-policy-security-rule-u-to-dmz]source-zone untrust
[FW1-policy-security-rule-u-to-dmz]destination-zone dmz
[FW1-policy-security-rule-u-to-dmz]destination-address 10.1.100.10 32
[FW1-policy-security-rule-u-to-dmz]destination-address 10.1.101.10 32
[FW1-policy-security-rule-u-to-dmz]action permit
```

4. Branch 1 configuration: single-arm routing and NAT
(1) Single-arm routing configuration

```
[LSW11]vlan batch 10 20
[LSW11]int g0/0/2
[LSW11-GigabitEthernet0/0/2]port link-type access
[LSW11-GigabitEthernet0/0/2]port default vlan 10
[LSW11-GigabitEthernet0/0/2]int g0/0/3
[LSW11-GigabitEthernet0/0/3]port link-type access
[LSW11-GigabitEthernet0/0/3]port default vlan 20
[LSW11-GigabitEthernet0/0/3]int g0/0/1
[LSW11-GigabitEthernet0/0/1]port link-type trunk
[LSW11-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20

[AR4]int g0/0/1.10
[AR4-GigabitEthernet0/0/1.10]dot1q termination vid 10
[AR4-GigabitEthernet0/0/1.10]arp broadcast enable
[AR4-GigabitEthernet0/0/1.10]ip add 10.2.1.1 24
[AR4-GigabitEthernet0/0/1.10]int g0/0/1.20
[AR4-GigabitEthernet0/0/1.20]dot1q termination vid 20
[AR4-GigabitEthernet0/0/1.20]arp broadcast enable
[AR4-GigabitEthernet0/0/1.20]ip add 10.2.2.1 24
[AR4]int g0/0/0
[AR4-GigabitEthernet0/0/0]ip add 40.1.1.1 24
[AR4]ip route-static 0.0.0.0 0.0.0.0 40.1.1.5
[AR4]acl 2000
[AR4-acl-basic-2000]rule permit source 10.2.0.0 0.0.255.255
[AR4-acl-basic-2000]int g0/0/0
[AR4-GigabitEthernet0/0/0]nat outbound 2000
```

5. Branch 2 configuration
(1) Configure the VLANs

```
[LSW13]vlan batch 10 20 17
[LSW13]int g0/0/1
[LSW13-GigabitEthernet0/0/1]port link-type access
[LSW13-GigabitEthernet0/0/1]port default vlan 17
[LSW13-GigabitEthernet0/0/1]int g0/0/2
[LSW13-GigabitEthernet0/0/2]port link-type trunk
[LSW13-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 17
[LSW13-GigabitEthernet0/0/2]int g0/0/3
[LSW13-GigabitEthernet0/0/3]port link-type trunk
[LSW13-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 17
[LSW13-GigabitEthernet0/0/3]quit
[LSW13]int Eth-Trunk 1
[LSW13-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 to 0/0/5
[LSW13-Eth-Trunk1]port link-type trunk
[LSW13-Eth-Trunk1]port trunk allow-pass vlan 10 20 17

[LSW14]vlan batch 10 20 18
[LSW14]int g0/0/1
[LSW14-GigabitEthernet0/0/1]port link-type access
[LSW14-GigabitEthernet0/0/1]port default vlan 18
[LSW14-GigabitEthernet0/0/1]int g0/0/2
```
```
[LSW14-GigabitEthernet0/0/2]port link-type trunk
[LSW14-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 18
[LSW14-GigabitEthernet0/0/2]int g0/0/3
[LSW14-GigabitEthernet0/0/3]port link-type trunk
[LSW14-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20 18
[LSW14-GigabitEthernet0/0/3]quit
[LSW14]int Eth-Trunk 1
[LSW14-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 to 0/0/5
[LSW14-Eth-Trunk1]port link-type trunk
[LSW14-Eth-Trunk1]port trunk allow-pass vlan 10 20 18

[LSW15]vlan batch 10 20
[LSW15]int g0/0/3
[LSW15-GigabitEthernet0/0/3]port link-type access
[LSW15-GigabitEthernet0/0/3]port default vlan 10
[LSW15-GigabitEthernet0/0/3]int g0/0/1
[LSW15-GigabitEthernet0/0/1]port link-type trunk
[LSW15-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[LSW15-GigabitEthernet0/0/1]int g0/0/2
[LSW15-GigabitEthernet0/0/2]port link-type trunk
[LSW15-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20

[LSW16]vlan batch 10 20
[LSW16]int g0/0/3
[LSW16-GigabitEthernet0/0/3]port link-type access
[LSW16-GigabitEthernet0/0/3]port default vlan 20
[LSW16-GigabitEthernet0/0/3]int g0/0/1
[LSW16-GigabitEthernet0/0/1]port link-type trunk
[LSW16-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[LSW16-GigabitEthernet0/0/1]int g0/0/2
[LSW16-GigabitEthernet0/0/2]port link-type trunk
[LSW16-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20
```

(2) Configure MSTP: LSW13 is the root bridge for VLAN 10 and the secondary root for VLAN 20; LSW14 is the root bridge for VLAN 20 and the secondary root for VLAN 10

```
[LSW13]stp region-configuration
[LSW13-mst-region]region-name FB2
[LSW13-mst-region]revision-level 1
[LSW13-mst-region]instance 1 vlan 10
[LSW13-mst-region]instance 2 vlan 20
[LSW13-mst-region]active region-configuration

[LSW14]stp region-configuration
[LSW14-mst-region]region-name FB2
[LSW14-mst-region]revision-level 1
[LSW14-mst-region]instance 1 vlan 10
[LSW14-mst-region]instance 2 vlan 20
[LSW14-mst-region]active region-configuration

[LSW15]stp region-configuration
```
```
[LSW15-mst-region]region-name FB2
[LSW15-mst-region]revision-level 1
[LSW15-mst-region]instance 1 vlan 10
[LSW15-mst-region]instance 2 vlan 20
[LSW15-mst-region]active region-configuration

[LSW16]stp region-configuration
[LSW16-mst-region]region-name FB2
[LSW16-mst-region]revision-level 1
[LSW16-mst-region]instance 1 vlan 10
[LSW16-mst-region]instance 2 vlan 20
[LSW16-mst-region]active region-configuration

[LSW13]stp instance 1 priority 0
[LSW13]stp instance 2 priority 4096
[LSW14]stp instance 1 priority 4096
[LSW14]stp instance 2 priority 0

[LSW16-GigabitEthernet0/0/3]stp edged-port enable
[LSW15-GigabitEthernet0/0/3]stp edged-port enable
```

(3) Configure inter-VLAN routing

```
[LSW13]int Vlanif 10
[LSW13-Vlanif10]ip add 10.3.1.1 24
[LSW13-Vlanif10]int Vlanif 20
[LSW13-Vlanif20]ip add 10.3.2.1 24
[LSW13-Vlanif20]int Vlanif 10
[LSW13-Vlanif10]vrrp vrid 1 virtual-ip 10.3.1.254
[LSW13-Vlanif10]vrrp vrid 1 priority 200
[LSW13-Vlanif10]vrrp vrid 1 preempt-mode timer delay 60
[LSW13-Vlanif10]vrrp vrid 1 track interface g0/0/1 reduced 120
[LSW13-Vlanif10]int Vlanif 20
[LSW13-Vlanif20]vrrp vrid 2 virtual-ip 10.3.2.254

[LSW14]int Vlanif 10
[LSW14-Vlanif10]ip add 10.3.1.2 24
[LSW14-Vlanif10]int Vlanif 20
[LSW14-Vlanif20]ip add 10.3.2.2 24
[LSW14-Vlanif20]vrrp vrid 2 virtual-ip 10.3.2.254
[LSW14-Vlanif20]vrrp vrid 2 priority 200
[LSW14-Vlanif20]vrrp vrid 2 preempt-mode timer delay 60
[LSW14-Vlanif20]vrrp vrid 2 track interface GigabitEthernet 0/0/1 reduced 120
[LSW14-Vlanif20]int Vlanif 10
[LSW14-Vlanif10]vrrp vrid 1 virtual-ip 10.3.1.254
```

(4) Configure routing for the whole network

```
[LSW13]int Vlanif 17
[LSW13-Vlanif17]ip add 192.168.17.1 24
[LSW13-Vlanif17]quit
[LSW13]ospf 1 router-id 17.1.1.1
[LSW13-ospf-1]area 2
[LSW13-ospf-1-area-0.0.0.2]network 192.168.17.0 0.0.0.255
[LSW13-ospf-1-area-0.0.0.2]network 10.3.1.0 0.0.0.255
[LSW13-ospf-1-area-0.0.0.2]network 10.3.2.0 0.0.0.255
[LSW13-ospf-1-area-0.0.0.2]quit
```
```
[LSW13-ospf-1]silent-interface Vlanif 10
[LSW13-ospf-1]silent-interface Vlanif 20

[LSW14]int Vlanif 18
[LSW14-Vlanif18]ip add 192.168.18.1 24
[LSW14-Vlanif18]quit
[LSW14]ospf 1 router-id 18.1.1.1
[LSW14-ospf-1]area 2
[LSW14-ospf-1-area-0.0.0.2]network 10.3.1.0 0.0.0.255
[LSW14-ospf-1-area-0.0.0.2]network 10.3.2.0 0.0.0.255
[LSW14-ospf-1-area-0.0.0.2]network 192.168.18.0 0.0.0.255
[LSW14-ospf-1-area-0.0.0.2]quit
[LSW14-ospf-1]silent-interface Vlanif 10
[LSW14-ospf-1]silent-interface Vlanif 20

[AR5]int g0/0/1
[AR5-GigabitEthernet0/0/1]ip add 192.168.17.6 24
[AR5-GigabitEthernet0/0/1]int g0/0/2
[AR5-GigabitEthernet0/0/2]ip add 192.168.18.6 24
[AR5-GigabitEthernet0/0/2]int g0/0/0
[AR5-GigabitEthernet0/0/0]ip add 50.1.1.6 24
[AR5]ospf 1 router-id 55.1.1.1
[AR5-ospf-1]area 2
[AR5-ospf-1-area-0.0.0.2]network 192.168.17.0 0.0.0.255
[AR5-ospf-1-area-0.0.0.2]network 192.168.18.0 0.0.0.255
[AR5]ip route-static 0.0.0.0 0.0.0.0 50.1.1.5
[AR5]ospf 1
[AR5-ospf-1]default-route-advertise
```

(5) Source NAT

```
[AR5]acl 2000
[AR5-acl-basic-2000]rule permit source 10.3.0.0 0.0.255.255
[AR5]int g0/0/0
[AR5-GigabitEthernet0/0/0]nat outbound 2000
```

6. DSVPN between HQ and the branches: AR2 is the hub, AR4 and AR5 are the spokes, and the three tunnel interfaces are addressed in 172.1.1.0/24

```
[AR2]int Tunnel 0/0/0
[AR2-Tunnel0/0/0]tunnel-protocol gre p2mp
[AR2-Tunnel0/0/0]ip add 172.1.1.1 24
[AR2-Tunnel0/0/0]source GigabitEthernet 0/0/2
[AR2-Tunnel0/0/0]nhrp entry multicast dynamic
[AR2-Tunnel0/0/0]ospf network-type broadcast    // added: the hub's tunnel must use the same OSPF network type as the spokes, otherwise no adjacency forms
[AR2-Tunnel0/0/0]ospf dr-priority 255    // raise the priority to the maximum so the hub becomes the DR
[AR2]ip route-static 0.0.0.0 0.0.0.0 20.1.1.5    // added: without it the hub reaches the spokes' public addresses only via FW1's OSPF default route, and FW1's trust-to-untrust policy permits 10.1.0.0/16 only

[AR4]int Tunnel 0/0/0
[AR4-Tunnel0/0/0]tunnel-protocol gre p2mp
[AR4-Tunnel0/0/0]ip add 172.1.1.3 24
[AR4-Tunnel0/0/0]source GigabitEthernet 0/0/0
[AR4-Tunnel0/0/0]nhrp entry 172.1.1.1 20.1.1.4 register
[AR4-Tunnel0/0/0]ospf network-type broadcast
[AR4-Tunnel0/0/0]ospf dr-priority 0

[AR5]int Tunnel 0/0/0
[AR5-Tunnel0/0/0]tunnel-protocol gre p2mp
[AR5-Tunnel0/0/0]ip add 172.1.1.2 24
[AR5-Tunnel0/0/0]source GigabitEthernet 0/0/0
[AR5-Tunnel0/0/0]nhrp entry 172.1.1.1 20.1.1.4 register
[AR5-Tunnel0/0/0]ospf network-type broadcast
[AR5-Tunnel0/0/0]ospf dr-priority 0

[AR2]ospf 1
[AR2-ospf-1]area 0
[AR2-ospf-1-area-0.0.0.0]network 172.1.1.0 0.0.0.255
[AR4]ospf 1
[AR4-ospf-1]area 0
[AR4-ospf-1-area-0.0.0.0]network 172.1.1.0 0.0.0.255
[AR4-ospf-1-area-0.0.0.0]network 10.2.1.0 0.0.0.255    // added: the original never advertises branch 1's LANs, so HQ and branch 2 could not reach them through the tunnel
[AR4-ospf-1-area-0.0.0.0]network 10.2.2.0 0.0.0.255    // added, same reason (area 0 chosen to match the tunnel)
[AR5]ospf 1
[AR5-ospf-1]area 0
[AR5-ospf-1-area-0.0.0.0]network 172.1.1.0 0.0.0.255
```
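The VRRP tracking in section 2 (3) relies on arithmetic: a master with priority 200 that loses its tracked uplink drops by 120 to 80, which is below the backup's default 100, so the backup takes over. The following added example (not part of the original writeup) models that election for the three HQ VRIDs on LSW1/LSW2 so the thresholds can be checked before a maintenance window.

```python
"""VRRP master election with interface tracking, using this lab's values.

Models the VRRP rule (highest effective priority wins, ties go to the higher
interface address) and Huawei's 'track interface ... reduced' arithmetic.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class VrrpMember:
    switch: str
    address: str                    # real Vlanif address of this member
    priority: int = 100             # default when 'vrrp vrid N priority' is omitted
    tracked: dict = field(default_factory=dict)  # interface name -> 'reduced' value
    preempt_delay: int = 0          # 'preempt-mode timer delay' seconds (0 = immediate)

    def effective_priority(self, down):
        """Priority after subtracting 'reduced' for each tracked interface that is down.

        Non-owner priorities are 1..254, so the result is clamped at 1.
        """
        p = self.priority
        for iface, reduced in self.tracked.items():
            if (self.switch, iface) in down:
                p -= reduced
        return max(p, 1)


def elect_master(members, down=frozenset()):
    """Return the switch that wins the election for one VRID."""
    return max(members, key=lambda m: (m.effective_priority(down),
                                       IPv4Address(m.address))).switch


def hq_vrids():
    """The three VRIDs configured on LSW1/LSW2 in section 2 (3)."""
    uplink = {"GigabitEthernet0/0/1": 120}
    return {
        1: [VrrpMember("LSW1", "10.1.1.1", 200, uplink, 60), VrrpMember("LSW2", "10.1.1.2")],
        2: [VrrpMember("LSW1", "10.1.2.1", 200, uplink, 60), VrrpMember("LSW2", "10.1.2.2")],
        3: [VrrpMember("LSW1", "10.1.3.1"), VrrpMember("LSW2", "10.1.3.2", 200, uplink, 60)],
    }


def masters(down=frozenset()):
    """Map each VRID to its master under a set of (switch, interface) failures."""
    return {vrid: elect_master(members, down) for vrid, members in hq_vrids().items()}


def failover_margin(member, peer_priority=100):
    """How far below the peer the member falls once all its tracked links are down.

    Positive means failover happens; 0 would be a tie decided only by the
    interface address, which is fragile. With 200 and reduced 120 it is 20.
    """
    all_down = {(member.switch, i) for i in member.tracked}
    return peer_priority - member.effective_priority(all_down)


if __name__ == "__main__":
    print("normal:", masters())
    print("LSW1 uplink down:", masters({("LSW1", "GigabitEthernet0/0/1")}))
    print("margin for VRID 1 on LSW1:", failover_margin(hq_vrids()[1][0]))
```

The `preempt_delay` field records the 60 s `preempt-mode timer delay` from the config: once LSW1's uplink returns, it waits that long before reclaiming the master role.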
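The FW1 rules in sections 2 (7)-(9) are short enough to audit by hand, but the interaction between nat server, zones and default deny is where exposure mistakes hide. The following added example (not the page's or Huawei's code) replays those rules against sample flows; the zone-by-prefix table and the outside host 60.1.1.1 are constructed for the lab.

```python
"""Evaluate FW1's zone policy and nat server mappings from sections 2 (7)-(9).

Zones are derived from a constructed prefix table (on the real USG they follow
the ingress/egress interface); destination NAT is applied before the policy
lookup, as the USG does, which is why rule u-to-dmz names the private addresses;
anything no rule matches is denied, the USG default.
"""
from ipaddress import ip_address, ip_network

# Constructed from the lab topology: longest prefix wins.
ZONE_BY_PREFIX = {
    "10.1.100.0/24": "dmz", "10.1.101.0/24": "dmz",
    "192.168.15.0/24": "dmz", "192.168.16.0/24": "dmz",
    "10.1.0.0/16": "trust", "192.168.11.0/24": "trust", "192.168.13.0/24": "trust",
    "0.0.0.0/0": "untrust",
}

# nat server lines from section (9): (global ip, port) -> (inside ip, port)
NAT_SERVER = {
    ("20.1.1.100", 80): ("10.1.100.10", 80),
    ("20.1.1.101", 21): ("10.1.101.10", 21),
}

# security-policy rules in configured order: name, src zone, dst zone, src nets, dst nets.
# None means "any"; the page's rules carry no 'service' clause, so ports are not filtered.
RULES = [
    ("t-to-dmz", "trust", "dmz", ["10.1.0.0/16"], None),
    ("to-ISP", "trust", "untrust", ["10.1.0.0/16"], None),
    ("u-to-dmz", "untrust", "dmz", None, ["10.1.100.10/32", "10.1.101.10/32"]),
]


def zone_of(ip):
    """Longest-prefix match of ip against the constructed zone table."""
    addr = ip_address(ip)
    best = max((ip_network(p) for p in ZONE_BY_PREFIX if addr in ip_network(p)),
               key=lambda n: n.prefixlen)
    return ZONE_BY_PREFIX[str(best)]


def _in(ip, nets):
    return nets is None or any(ip_address(ip) in ip_network(n) for n in nets)


def evaluate(src, dst, dport):
    """Return (action, rule name, post-NAT destination) for a TCP flow."""
    dst, dport = NAT_SERVER.get((dst, dport), (dst, dport))   # nat server first
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for name, sz, dz, snets, dnets in RULES:
        if sz == src_zone and dz == dst_zone and _in(src, snets) and _in(dst, dnets):
            return ("permit", name, dst)
    return ("deny", "default", dst)


if __name__ == "__main__":
    # 60.1.1.1 is a constructed Internet host, not part of the lab.
    for flow in [("10.1.1.10", "10.1.100.10", 80), ("60.1.1.1", "20.1.1.100", 80),
                 ("60.1.1.1", "20.1.1.100", 22), ("10.1.101.10", "60.1.1.1", 443),
                 ("10.1.100.10", "10.1.1.10", 445)]:
        print(flow, "->", evaluate(*flow))
```

Two things the run makes visible: an outside request to an unmapped port on 20.1.1.100 is stopped only because no nat server entry exists, not by u-to-dmz (which has no service clause), and the DMZ servers cannot initiate anything outbound, so the FTP server's data connections also need FTP ASPF enabled on FW1 to pass.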