华为设备总部与分部配置

1.要求：

（1）总部实现高可靠性设计，接入层断掉一根线或汇聚、核心设备故障都不能影响数据正常转发

（2）分部1人数较少，采用单臂路由互通

（3）总部、分部1、2之间都能访问互联网

（4）外网能够访问总部的HTTP server 和FTP server

（5）总部和两个分部之间通过DSVPN实现内网互通

2.总部配置

（1）创建vlan并加入接口，将核心交换机之间链路捆绑为e-trunk，确保任何一台故障时另一台能正常转发数据

$LSW3$ vlan batch 10 20 30

$LSW3$ int g0/0/3

$LSW3-GigabitEthernet0/0/3$ port link-type access

$LSW3-GigabitEthernet0/0/3$ port default vlan 10

$LSW3-GigabitEthernet0/0/3$ int g0/0/1

$LSW3-GigabitEthernet0/0/1$ port link-type trunk

$LSW3-GigabitEthernet0/0/1$ port trunk allow-pass vlan 10 20 30

$LSW3-GigabitEthernet0/0/1$ int g0/0/2

$LSW3-GigabitEthernet0/0/2$ port link-type trunk

$LSW3-GigabitEthernet0/0/2$ port trunk allow-pass vlan 10 20 30

$LSW4$ vlan batch 10 20 30

$LSW4$ int g0/0/3

$LSW4-GigabitEthernet0/0/3$ port link-type access

$LSW4-GigabitEthernet0/0/3$ port default vlan 20

$LSW4-GigabitEthernet0/0/3$ int g0/0/1

$LSW4-GigabitEthernet0/0/1$ port link-type trunk

$LSW4-GigabitEthernet0/0/1$ port trunk allow-pass vlan 10 20 30

$LSW4-GigabitEthernet0/0/1$ int g0/0/2

$LSW4-GigabitEthernet0/0/2$ port link-type trunk

$LSW4-GigabitEthernet0/0/2$ port trunk allow-pass vlan 10 20 30

$LSW5$ vlan batch 10 20 30

$LSW5$ int g0/0/3

$LSW5-GigabitEthernet0/0/3$ port link-type access

$LSW5-GigabitEthernet0/0/3$ port default vlan 30

$LSW5-GigabitEthernet0/0/3$ int g0/0/1

$LSW5-GigabitEthernet0/0/1$ port link-type trunk

$LSW5-GigabitEthernet0/0/1$ port trunk allow-pass vlan 10 20 30

$LSW5-GigabitEthernet0/0/1$ int g0/0/2

$LSW5-GigabitEthernet0/0/2$ port link-type trunk

$LSW5-GigabitEthernet0/0/2$ port trunk allow-pass vlan 10 20 30

$LSW1$ vlan batch 10 20 30 11 12

$LSW1$ int g0/0/1

$LSW1-GigabitEthernet0/0/1$ port link-type access

$LSW1-GigabitEthernet0/0/1$ port default vlan 11

$LSW1-GigabitEthernet0/0/1$ int g0/0/2

$LSW1-GigabitEthernet0/0/2$ port link-type access

$LSW1-GigabitEthernet0/0/2$ port default vlan 12

$LSW1-GigabitEthernet0/0/2$ int g0/0/3

$LSW1-GigabitEthernet0/0/3$ port link-type trunk

$LSW1-GigabitEthernet0/0/3$ port trunk allow-pass vlan 10 20 30 11 12

$LSW1-GigabitEthernet0/0/3$ int g0/0/4

$LSW1-GigabitEthernet0/0/4$ port link-type trunk

$LSW1-GigabitEthernet0/0/4$ port trunk allow-pass vlan 10 20 30 11 12 13 14

$LSW1-GigabitEthernet0/0/4$ int g0/0/5

$LSW1-GigabitEthernet0/0/5$ port link-type trunk

$LSW1-GigabitEthernet0/0/5$ port trunk allow-pass vlan 10 20 30 11 12 13 14

$LSW1-GigabitEthernet0/0/5$ quit

$LSW1$ int Eth-Trunk 1

$LSW1-Eth-Trunk1$ trunkport GigabitEthernet 0/0/6 to 0/0/7

$LSW1-Eth-Trunk1$ port link-type trunk

$LSW1-Eth-Trunk1$ port trunk allow-pass vlan 10 20 30 11 12 13 14

$LSW2$ vlan batch 10 20 30 13 14

$LSW2$ int g0/0/1

$LSW2-GigabitEthernet0/0/1$ port link-type access

$LSW2-GigabitEthernet0/0/1$ port default vlan 14

$LSW2-GigabitEthernet0/0/1$ int g0/0/2

$LSW2-GigabitEthernet0/0/2$ port link-type access

$LSW2-GigabitEthernet0/0/2$ port default vlan 13

$LSW2-GigabitEthernet0/0/2$ int g0/0/3

$LSW2-GigabitEthernet0/0/3$ port link-type t

$LSW2-GigabitEthernet0/0/3$ port link-type trunk

$LSW2-GigabitEthernet0/0/3$ port trunk allow-pass vlan 10 20 30 11 12 13 14

$LSW2-GigabitEthernet0/0/3$ int g0/0/4

$LSW2-GigabitEthernet0/0/4$ port link-type trunk

$LSW2-GigabitEthernet0/0/4$ port trunk allow-pass vlan 10 20 30 11 12 13 14

$LSW2-GigabitEthernet0/0/4$ int g0/0/5

$LSW2-GigabitEthernet0/0/5$ port link-type trunk

$LSW2-GigabitEthernet0/0/5$ port trunk allow-pass vlan 10 20 30 11 12 13 14

$LSW2-GigabitEthernet0/0/5$ quit

$LSW2$ int Eth-Trunk 1

$LSW2-Eth-Trunk1$ trunkport GigabitEthernet 0/0/6 to 0/0/7

$LSW2-Eth-Trunk1$ port link-type trunk

$LSW2-Eth-Trunk1$ port trunk allow-pass vlan 10 20 30 11 12 13 14

（2）配置MSTP破除环路：LSW1为vlan 10 20的根桥、vlan 30 的次根，LSW2为vlan 30的根桥、vlan 10 20的次根；将连接终端的接口配置为边缘端口

$LSW1$ stp region-configuration

$LSW1-mst-region$ region-name 1

$LSW1-mst-region$ revision-level 1

$LSW1-mst-region$ instance 1 vlan 10 20

$LSW1-mst-region$ instance 2 vlan 30

$LSW1-mst-region$ active region-configuration

$LSW1$ stp instance 1 priority 0

$LSW1$ stp instance 2 priority 4096

$LSW2$ stp region-configuration

$LSW2-mst-region$ region-name 1

$LSW2-mst-region$ revision-level 1

$LSW2-mst-region$ instance 1 vlan 10 20

$LSW2-mst-region$ instance 2 vlan 30

$LSW2-mst-region$ active region-configuration

$LSW2$ stp instance 1 priority 4096

$LSW2$ stp instance 2 priority 0

$LSW3$ stp region-configuration

$LSW3-mst-region$ region-name 1

$LSW3-mst-region$ revision-level 1

$LSW3-mst-region$ instance 1 vlan 10 20

$LSW3-mst-region$ instance 2 vlan 30

$LSW3-mst-region$ active region-configuration

$LSW3-mst-region$ quit

$LSW4$ stp region-configuration

$LSW4-mst-region$ region-name 1

$LSW4-mst-region$ revision-level 1

$LSW4-mst-region$ instance 1 vlan 10 20

$LSW4-mst-region$ instance 2 vlan 30

$LSW4-mst-region$ active region-configuration

$LSW4-mst-region$ quit

$LSW5$ stp region-configuration

$LSW5-mst-region$ region-name 1

$LSW5-mst-region$ revision-level 1

$LSW5-mst-region$ instance 1 vlan 10 20

$LSW5-mst-region$ instance 2 vlan 30

$LSW5-mst-region$ active region-configuration

$LSW3$ int g0/0/3

$LSW3-GigabitEthernet0/0/3$ stp edged-port enable

$LSW4$ int g0/0/3

$LSW4-GigabitEthernet0/0/3$ stp edged-port enable

$LSW5$ int g0/0/3

$LSW5-GigabitEthernet0/0/3$ stp edged-port enable

（3）配置vlan间路由，使内网互通：配置vrrp，LSW1为vlan 10 20的master、为vlan 30的backup，LSW2为vlan 10 20的backup、为vlan 30的master

$LSW1$ int Vlanif 10

$LSW1-Vlanif10$ ip add 10.1.1.1 24

$LSW1-Vlanif10$ int Vlanif 20

$LSW1-Vlanif20$ ip add 10.1.2.1 24

$LSW1-Vlanif20$ int Vlanif 30

$LSW1-Vlanif30$ ip add 10.1.3.1 24

$LSW2$ int Vlanif 10

$LSW2-Vlanif10$ ip add 10.1.1.2 24

$LSW2-Vlanif10$ int Vlanif 20

$LSW2-Vlanif20$ ip add 10.1.2.2 24

$LSW2-Vlanif20$ int Vlanif 30

$LSW2-Vlanif30$ ip add 10.1.3.2 24

$LSW1$ int Vlanif 10

$LSW1-Vlanif10$ vrrp vrid 1 virtual-ip 10.1.1.254

$LSW1-Vlanif10$ vrrp vrid 1 priority 200

$LSW1-Vlanif10$ vrrp vrid 1 preempt-mode timer delay 60

$LSW1-Vlanif10$ vrrp vrid 1 track interface GigabitEthernet 0/0/1 reduced 120

$LSW1$ int Vlanif 20

$LSW1-Vlanif20$ vrrp vrid 2 virtual-ip 10.1.2.254

$LSW1-Vlanif20$ vrrp vrid 2 priority 200

$LSW1-Vlanif20$ vrrp vrid 2 preempt-mode timer delay 60

$LSW1-Vlanif20$ vrrp vrid 2 track interface GigabitEthernet 0/0/1 reduced 120

$LSW1$ int Vlanif 30

$LSW1-Vlanif30$ vrrp vrid 3 virtual-ip 10.1.3.254

$LSW2$ int Vlanif 10

$LSW2-Vlanif10$ vrrp vrid 1 virtual-ip 10.1.1.254

$LSW2-Vlanif10$ int Vlanif 20

$LSW2-Vlanif20$ vrrp vrid 2 virtual-ip 10.1.2.254

$LSW2-Vlanif20$ int Vlanif 30

$LSW2-Vlanif30$ vrrp vrid 3 virtual-ip 10.1.3.254

$LSW2-Vlanif30$ vrrp vrid 3 priority 200

$LSW2-Vlanif30$ vrrp vrid 3 preempt-mode timer delay 60

$LSW2-Vlanif30$ vrrp vrid 3 track interface GigabitEthernet 0/0/1 reduced 120

（4）配置三层互联接口

$LSW1$ int Vlanif 11

$LSW1-Vlanif11$ ip add 192.168.11.1 24

$LSW1-Vlanif11$ int Vlanif 12

$LSW1-Vlanif12$ ip add 192.168.12.1 24

$LSW2$ int Vlanif 13

$LSW2-Vlanif13$ ip add 192.168.13.2 24

$LSW2-Vlanif13$ int Vlanif 14

$LSW2-Vlanif14$ ip add 192.168.14.2 24

$FW1$ firewall zone trust

$FW1-zone-trust$ add interface GigabitEthernet 1/0/2

$FW1-zone-trust$ add interface GigabitEthernet 1/0/0

$FW1$ firewall zone untrust

$FW1-zone-untrust$ add interface GigabitEthernet 1/0/1

$FW1-zone-untrust$ firewall zone dmz

$FW1-zone-dmz$ add interface GigabitEthernet 1/0/3

$FW1-zone-dmz$ add interface GigabitEthernet 1/0/4

$FW1$ int g1/0/1

$FW1-GigabitEthernet1/0/1$ ip add 20.1.1.3 24

$FW1-GigabitEthernet1/0/1$ int g1/0/0

$FW1-GigabitEthernet1/0/0$ ip add 192.168.13.3 24

$FW1-GigabitEthernet1/0/0$ int g1/0/2

$FW1-GigabitEthernet1/0/2$ ip add 192.168.11.3 24

$FW1-GigabitEthernet1/0/2$ int g1/0/3

$FW1-GigabitEthernet1/0/3$ ip add 192.168.15.3 24

$FW1-GigabitEthernet1/0/3$ int g1/0/4

$FW1-GigabitEthernet1/0/4$ ip add 192.168.16.3 24

$AR2$ int g0/0/0

$AR2-GigabitEthernet0/0/0$ ip add 192.168.12.4 24

$AR2-GigabitEthernet0/0/0$ int g0/0/1

$AR2-GigabitEthernet0/0/1$ ip add 192.168.14.4 24

$AR2-GigabitEthernet0/0/1$ int g0/0/2

$AR2-GigabitEthernet0/0/2$ ip add 20.1.1.4 24

$AR1$ int g4/0/0

$AR1-GigabitEthernet4/0/0$ ip add 50.1.1.5 24

$AR1-GigabitEthernet4/0/0$ int g0/0/1

$AR1-GigabitEthernet0/0/1$ ip add 30.1.1.5 24

$AR1-GigabitEthernet0/0/1$ int g0/0/2

$AR1-GigabitEthernet0/0/2$ ip add 40.1.1.5 24

$AR1-GigabitEthernet0/0/2$ int g0/0/0

$AR1-GigabitEthernet0/0/0$ ip add 20.1.1.5 24

（5）配置DMZ区域

1）配置vlan

$LSW10$ vlan batch 100 101

$LSW10$ int g0/0/3

$LSW10-GigabitEthernet0/0/3$ port link-type access

$LSW10-GigabitEthernet0/0/3$ port default vlan 100

$LSW10-GigabitEthernet0/0/3$ int g0/0/4

$LSW10-GigabitEthernet0/0/4$ port link-type access

$LSW10-GigabitEthernet0/0/4$ port default vlan 101

$LSW10-GigabitEthernet0/0/4$ int g0/0/1

$LSW10-GigabitEthernet0/0/1$ port link-type trunk

$LSW10-GigabitEthernet0/0/1$ port trunk allow-pass vlan 100 101

$LSW10-GigabitEthernet0/0/1$ int g0/0/2

$LSW10-GigabitEthernet0/0/2$ port link-type trunk

$LSW10-GigabitEthernet0/0/2$ port trunk allow-pass vlan 100 101

$LSW8$ vlan batch 15 100 101

$LSW8$ int g0/0/1

$LSW8-GigabitEthernet0/0/1$ port link-type access

$LSW8-GigabitEthernet0/0/1$ port default vlan 15

$LSW8-GigabitEthernet0/0/1$ int g0/0/2

$LSW8-GigabitEthernet0/0/2$ port link-type trunk

$LSW8-GigabitEthernet0/0/2$ port trunk allow-pass vlan 15 100 101

$LSW8-GigabitEthernet0/0/2$ quit

$LSW8$ int Eth-Trunk 1

$LSW8-Eth-Trunk1$ trunkport GigabitEthernet 0/0/3 to 0/0/4

$LSW8-Eth-Trunk1$ port link-type trunk

$LSW8-Eth-Trunk1$ port trunk allow-pass vlan 15 100 101

$LSW9$ vlan batch 16 100 101

$LSW9$ int g0/0/1

$LSW9-GigabitEthernet0/0/1$ port link-type access

$LSW9-GigabitEthernet0/0/1$ port default vlan 16

$LSW9-GigabitEthernet0/0/1$ int g0/0/2

$LSW9-GigabitEthernet0/0/2$ port link-type trunk

$LSW9-GigabitEthernet0/0/2$ po

$LSW9-GigabitEthernet0/0/2$ port trunk allow-pass vlan 16 100 101

$LSW9-GigabitEthernet0/0/2$ quit

$LSW9$ int Eth-Trunk 1

$LSW9-Eth-Trunk1$ trunkport GigabitEthernet 0/0/3 to 0/0/4

$LSW9-Eth-Trunk1$ port link-type trunk

$LSW9-Eth-Trunk1$ port trunk allow-pass vlan 16 100 101

2）配置MSTP（要求vlan 100的根桥为LSW8，vlan 101的根桥为LSW9）

$LSW10$ stp region-configuration

$LSW10-mst-region$ region-name DMZ1

$LSW10-mst-region$ revision-level 1

$LSW10-mst-region$ instance 1 vlan 100

$LSW10-mst-region$ instance 2 vlan 101

$LSW10-mst-region$ active region-configuration

$LSW8$ stp region-configuration

$LSW8-mst-region$ region-name DMZ1

$LSW8-mst-region$ revision-level 1

$LSW8-mst-region$ instance 1 vlan 100

$LSW8-mst-region$ instance 2 vlan 101

$LSW8-mst-region$ active region-configuration

$LSW9$ stp region-configuration

$LSW9-mst-region$ region-name DMZ1

$LSW9-mst-region$ revision-level 1

$LSW9-mst-region$ instance 1 vlan 100

$LSW9-mst-region$ instance 2 vlan 101

$LSW9-mst-region$ active region-configuration

$LSW8$ stp instance 1 priority 0

$LSW8$ stp instance 2 priority 4096

$LSW9$ stp instance 1 priority 4096

$LSW9$ stp instance 2 priority 0

$LSW10$ int g0/0/3

$LSW10-GigabitEthernet0/0/3$ stp edged-port enable

$LSW10-GigabitEthernet0/0/3$ int g0/0/4

$LSW10-GigabitEthernet0/0/4$ stp edged-port enable

3）配置VLAN间路由

$LSW8$ int Vlanif 15

$LSW8-Vlanif15$ ip add 192.168.15.1 24

$LSW8$ int Vlanif 100

$LSW8-Vlanif100$ ip add 10.1.100.1 24

$LSW8-Vlanif100$ int Vlanif 101

$LSW8-Vlanif101$ ip add 10.1.101.1 24

$LSW9$ int Vlanif 16

$LSW9-Vlanif16$ ip add 192.168.16.2 24

$LSW9$ int Vlanif 100

$LSW9-Vlanif100$ ip add 10.1.100.2 24

$LSW9-Vlanif100$ int Vlanif 101

$LSW9-Vlanif101$ ip add 10.1.101.2 24

4）配置VRRP，保证链路备份

$LSW8$ int Vlanif 100

$LSW8-Vlanif100$ vrrp vrid 1 virtual-ip 10.1.100.254

$LSW8-Vlanif100$ vrrp vrid 1 priority 200

$LSW8-Vlanif100$ vrrp vrid 1 preempt-mode timer delay 60

$LSW8-Vlanif100$ vrrp vrid 1 track interface g0/0/1 reduced 120

$LSW8-Vlanif100$ quit

$LSW8$ int Vlanif 101

$LSW8-Vlanif101$ vrrp vrid 2 virtual-ip 10.1.101.254

$LSW9$ int Vlanif 100

$LSW9-Vlanif100$ vrrp vrid 1 virtual-ip 10.1.100.254

$LSW9-Vlanif100$ int Vlanif 101

$LSW9-Vlanif101$ vrrp vrid 2 virtual-ip 10.1.101.254

$LSW9-Vlanif101$ vrrp vrid 2 preempt-mode timer delay 60

$LSW9-Vlanif101$ vrrp vrid 2 priority 200

$LSW9-Vlanif101$ vrrp vrid 2 track interface g0/0/1 reduced 120

（6）配置全网路由：将总部在OSFP的area 0区域，服务器在 area 1区域，分部1在area 2区域，分部2在area 3区域

1）配置OSPF

$LSW1$ ospf 1 router-id 11.1.1.1

$LSW1-ospf-1$ area 0

$LSW1-ospf-1-area-0.0.0.0$ ne

$LSW1-ospf-1-area-0.0.0.0$ network 10.1.1.0 0.0.0.255

$LSW1-ospf-1-area-0.0.0.0$ network 10.1.2.0 0.0.0.255

$LSW1-ospf-1-area-0.0.0.0$ network 10.1.3.0 0.0.0.255

$LSW1-ospf-1-area-0.0.0.0$ network 192.168.11.0 0.0.0.255

$LSW1-ospf-1-area-0.0.0.0$ network 192.168.12.0 0.0.0.255

$LSW2$ ospf 1 router-id 22.1.1.1

$LSW2-ospf-1$ area 0

$LSW2-ospf-1-area-0.0.0.0$ network 10.1.1.0 0.0.0.255

$LSW2-ospf-1-area-0.0.0.0$ network 10.1.2.0 0.0.0.255

$LSW2-ospf-1-area-0.0.0.0$ network 10.1.3.0 0.0.0.255

$LSW2-ospf-1-area-0.0.0.0$ network 192.168.13.0 0.0.0.255

$LSW2-ospf-1-area-0.0.0.0$ network 192.168.14.0 0.0.0.255

$FW1$ ospf router-id 33.1.1.1

$FW1-ospf-1$ ospf 1

$FW1-ospf-1$ area 0

$FW1-ospf-1-area-0.0.0.0$ network 192.168.11.0 0.0.0.255

$FW1-ospf-1-area-0.0.0.0$ network 192.168.13.0 0.0.0.255

$FW1-ospf-1-area-0.0.0.0$ network 192.168.15.0 0.0.0.255

$FW1-ospf-1-area-0.0.0.0$ network 192.168.16.0 0.0.0.255

$AR2$ ospf router-id 44.1.1.1

$AR2-ospf-1$ area 0

$AR2-ospf-1-area-0.0.0.0$ network 192.168.12.0 0.0.0.255

$AR2-ospf-1-area-0.0.0.0$ network 192.168.14.0 0.0.0.255

$LSW8$ ospf router-id 111.1.1.1

$LSW8-ospf-1$ area 0

$LSW8-ospf-1-area-0.0.0.0$ network 192.168.15.0 0.0.0.255

$LSW8-ospf-1-area-0.0.0.0$ area 1

$LSW8-ospf-1-area-0.0.0.1$ network 10.1.100.0 0.0.0.255

$LSW8-ospf-1-area-0.0.0.1$ network 10.1.101.0 0.0.0.255

$LSW9$ ospf router-id 222.1.1.1

$LSW9-ospf-1$ area 0

$LSW9-ospf-1-area-0.0.0.0$ net

$LSW9-ospf-1-area-0.0.0.0$ network 192.168.16.0 0.0.0.255

$LSW9-ospf-1-area-0.0.0.0$ area 1

$LSW9-ospf-1-area-0.0.0.1$ network 10.1.101.0 0.0.0.255

$LSW9-ospf-1-area-0.0.0.1$ network 10.1.100.0 0.0.0.255

2）将vlanif接口静默

$LSW1$ ospf 1

$LSW1-ospf-1$ silent-interface Vlanif 10

$LSW1-ospf-1$ silent-interface Vlanif 20

$LSW1-ospf-1$ silent-interface Vlanif 30

$LSW2$ ospf 1

$LSW2-ospf-1$ silent-interface Vlanif 10

$LSW2-ospf-1$ silent-interface Vlanif 20

$LSW2-ospf-1$ silent-interface Vlanif 30

$LSW8-ospf-1$ silent-interface Vlanif 100

$LSW8-ospf-1$ silent-interface Vlanif 101

$LSW9-ospf-1$ silent-interface Vlanif 100

$LSW9-ospf-1$ silent-interface Vlanif 101

（7）配置trust到dmz的安全策略

$FW1$ security-policy

$FW1-policy-security$ rule name t-to-dmz

$FW1-policy-security-rule-t-to-dmz$ source-zone trust

$FW1-policy-security-rule-t-to-dmz$ source-address 10.1.0.0 16

$FW1-policy-security-rule-t-to-dmz$ destination-zone dmz

$FW1-policy-security-rule-t-to-dmz$ action permit

（8）配置 NAT

$FW1$ nat-policy

$FW1-policy-nat$ rule name to-ISP

$FW1-policy-nat-rule-to-ISP$ source-zone trust

$FW1-policy-nat-rule-to-ISP$ destination-zone untrust

$FW1-policy-nat-rule-to-ISP$ source-address 10.1.0.0 16

$FW1-policy-nat-rule-to-ISP$ action source-nat easy-ip

$FW1$ security-policy

$FW1-policy-security$ rule name to-ISP

$FW1-policy-security-rule-to-ISP$ source-zone trust

$FW1-policy-security-rule-to-ISP$ destination-zone untrust

$FW1-policy-security-rule-to-ISP$ source-address 10.1.0.0 16

$FW1-policy-security-rule-to-ISP$ action permit

$FW1$ ip route-static 0.0.0.0 0.0.0.0 20.1.1.5

$FW1$ ospf 1

$FW1-ospf-1$ default-route-advertise

（9）公网访问 dmz 区域的 http 服务和 FTP 服务：通过 nat-server 进行映射

$FW1$ nat server protocol tcp global 20.1.1.100 80 inside 10.1.100.10 80

$FW1$ nat server protocol tcp global 20.1.1.101 21 inside 10.1.101.10 21

$FW1$ security-policy

$FW1-policy-security$ rule name u-to-dmz

$FW1-policy-security-rule-u-to-dmz$ source-zone untrust

$FW1-policy-security-rule-u-to-dmz$ destination-zone dmz

$FW1-policy-security-rule-u-to-dmz$ destination-address 10.1.100.10 32

$FW1-policy-security-rule-u-to-dmz$ destination-address 10.1.101.10 32

$FW1-policy-security-rule-u-to-dmz$ action permit

4.分部1的配置：单臂路由和NAT

（1）单臂路由配置

$LSW11$ vlan batch 10 20

$LSW11$ int g0/0/2

$LSW11-GigabitEthernet0/0/2$ port link-type access

$LSW11-GigabitEthernet0/0/2$ port default vlan 10

$LSW11-GigabitEthernet0/0/2$ int g0/0/3

$LSW11-GigabitEthernet0/0/3$ port link-type access

$LSW11-GigabitEthernet0/0/3$ port default vlan 20

$LSW11-GigabitEthernet0/0/3$ int g0/0/1

$LSW11-GigabitEthernet0/0/1$ port link-type trunk

$LSW11-GigabitEthernet0/0/1$ port trunk allow-pass vlan 10 20

$AR4$ int g0/0/1.10

$AR4-GigabitEthernet0/0/1.10$ dot1q termination vid 10

$AR4-GigabitEthernet0/0/1.10$ arp broadcast enable

$AR4-GigabitEthernet0/0/1.10$ ip add 10.2.1.1 2

$AR4-GigabitEthernet0/0/1.10$ int g0/0/1.20

$AR4-GigabitEthernet0/0/1.20$ dot1q termination vid 20

$AR4-GigabitEthernet0/0/1.20$ arp broadcast enable

$AR4-GigabitEthernet0/0/1.20$ ip add 10.2.2.1 24

$AR4$ int g0/0/0

$AR4-GigabitEthernet0/0/0$ ip add 40.1.1.1 24

$AR4$ ip route-static 0.0.0.0 0.0.0.0 40.1.1.5

$AR4$ acl 2000

$AR4-acl-basic-2000$ rule permit source 10.2.0.0 0.0.255.255

$AR4-acl-basic-2000$ int g0/0/0

$AR4-GigabitEthernet0/0/0$ nat outbound 2000

5.分部2的配置

（1）配置vlan

$LSW13$ vlan batch 10 20 17

$LSW13$ int g0/0/1

$LSW13-GigabitEthernet0/0/1$ port link-type access

$LSW13-GigabitEthernet0/0/1$ port default vlan 17

$LSW13-GigabitEthernet0/0/1$ int g0/0/2

$LSW13-GigabitEthernet0/0/2$ port link-type trunk

$LSW13-GigabitEthernet0/0/2$ port trunk allow-pass vlan 10 20 17

$LSW13-GigabitEthernet0/0/2$ int g0/0/3

$LSW13-GigabitEthernet0/0/3$ port link-type trunk

$LSW13-GigabitEthernet0/0/3$ port trunk allow-pass vlan 10 20 17

$LSW13-GigabitEthernet0/0/3$ quit

$LSW13$ int Eth-Trunk 1

$LSW13-Eth-Trunk1$ trunkport GigabitEthernet 0/0/4 to 0/0/5

$LSW13-Eth-Trunk1$ port link-type trunk

$LSW13-Eth-Trunk1$ port trunk allow-pass vlan 10 20 17

$LSW14$ vlan batch 10 20 18

$LSW14$ int g0/0/1

$LSW14-GigabitEthernet0/0/1$ port link-type access

$LSW14-GigabitEthernet0/0/1$ port default vlan 18

$LSW14-GigabitEthernet0/0/1$ int g0/0/2

$LSW14-GigabitEthernet0/0/2$ port link-type trunk

$LSW14-GigabitEthernet0/0/2$ port trunk allow-pass vlan 10 20 18

$LSW14-GigabitEthernet0/0/2$ int g0/0/3

$LSW14-GigabitEthernet0/0/3$ port link-type trunk

$LSW14-GigabitEthernet0/0/3$ port trunk allow-pass vlan 10 20 18

$LSW14-GigabitEthernet0/0/3$ quit

$LSW14$ int Eth-Trunk 1

$LSW14-Eth-Trunk1$ trunkport GigabitEthernet 0/0/4 to 0/0/5

$LSW14-Eth-Trunk1$ port link-type trunk

$LSW14-Eth-Trunk1$ port trunk allow-pass vlan 10 20 18

$LSW15$ vlan batch 10 20

$LSW15$ int g0/0/3

$LSW15-GigabitEthernet0/0/3$ port link-type access

$LSW15-GigabitEthernet0/0/3$ port default vlan 10

$LSW15-GigabitEthernet0/0/3$ int g0/0/1

$LSW15-GigabitEthernet0/0/1$ port link-type trunk

$LSW15-GigabitEthernet0/0/1$ port trunk allow-pass vlan 10 20

$LSW15-GigabitEthernet0/0/1$ int g0/0/2

$LSW15-GigabitEthernet0/0/2$ port link-type trunk

$LSW15-GigabitEthernet0/0/2$ port trunk allow-pass vlan 10 20

$LSW16$ vlan batch 10 20

$LSW16$ int g0/0/3

$LSW16-GigabitEthernet0/0/3$ port link-type access

$LSW16-GigabitEthernet0/0/3$ port default vlan 20

$LSW16-GigabitEthernet0/0/3$ int g0/0/1

$LSW16-GigabitEthernet0/0/1$ port link-type trunk

$LSW16-GigabitEthernet0/0/1$ port trunk allow-pass vlan 10 20

$LSW16-GigabitEthernet0/0/1$ int g0/0/2

$LSW16-GigabitEthernet0/0/2$ port link-type trunk

$LSW16-GigabitEthernet0/0/2$ port trunk allow-pass vlan 10 20

（2）配置MSTP：LSW13为vlan 10的主根、vlan 20的次根，LSW14为vlan 20的主根、vlan 10的次根

$LSW13$ stp region-configuration

$LSW13-mst-region$ region-name FB2

$LSW13-mst-region$ revision-level 1

$LSW13-mst-region$ instance 1 vlan 10

$LSW13-mst-region$ instance 2 vlan 20

$LSW13-mst-region$ active region-configuration

$LSW14$ stp region-configuration

$LSW14-mst-region$ region-name FB2

$LSW14-mst-region$ revision-level 1

$LSW14-mst-region$ instance 1 vlan 10

$LSW14-mst-region$ instance 2 vlan 20

$LSW14-mst-region$ active region-configuration

$LSW15$ stp region-configuration

$LSW15-mst-region$ region-name FB2

$LSW15-mst-region$ revision-level 1

$LSW15-mst-region$ instance 1 vlan 10

$LSW15-mst-region$ instance 2 vlan 20

$LSW15-mst-region$ active region-configuration

$LSW16$ stp region-configuration

$LSW16-mst-region$ region-name FB2

$LSW16-mst-region$ revision-level 1

$LSW16-mst-region$ instance 1 vlan 10

$LSW16-mst-region$ instance 2 vlan 20

$LSW16-mst-region$ active region-configuration

$LSW13$ stp instance 1 priority 0

$LSW13$ stp instance 2 priority 4096

$LSW14$ stp instance 1 priority 4096

$LSW14$ stp instance 2 priority 0

$LSW16-GigabitEthernet0/0/3$ stp edged-port enable

$LSW15-GigabitEthernet0/0/3$ stp edged-port enable

（3）配置vlan间路由

$LSW13$ int Vlanif 10

$LSW13-Vlanif10$ ip add 10.3.1.1 24

$LSW13-Vlanif10$ int Vlanif 20

$LSW13-Vlanif20$ ip add 10.3.2.1 24

$LSW13-Vlanif20$ int Vlanif 10

$LSW13-Vlanif10$ vrrp vrid 1 virtual-ip 10.3.1.254

$LSW13-Vlanif10$ vrrp vrid 1 priority 200

$LSW13-Vlanif10$ vrrp vrid 1 preempt-mode timer delay 60

$LSW13-Vlanif10$ vrrp vrid 1 track interface g0/0/1 reduced 120

$LSW13-Vlanif10$ int Vlanif 20

$LSW13-Vlanif20$ vrrp vrid 2 virtual-ip 10.3.2.254

$LSW14$ int Vlanif 10

$LSW14-Vlanif10$ ip add 10.3.1.2 24

$LSW14-Vlanif10$ int Vlanif 20

$LSW14-Vlanif20$ ip add 10.3.2.2 24

$LSW14-Vlanif20$ vrrp vrid 2 virtual-ip 10.3.2.254

$LSW14-Vlanif20$ vrrp vrid 2 priority 200

$LSW14-Vlanif20$ vrrp vrid 2 preempt-mode timer delay 60

$LSW14-Vlanif20$ vrrp vrid 2 track interface GigabitEthernet 0/0/1 reduced 120

$LSW14-Vlanif20$ int Vlanif 10

$LSW14-Vlanif10$ vrrp vrid 1 virtual-ip 10.3.1.254

（4）配置全网路由

$LSW13$ int Vlanif 17

$LSW13-Vlanif17$ ip add 192.168.17.1 24

$LSW13-Vlanif17$ quit

$LSW13$ ospf 1 router-id 17.1.1.1

$LSW13-ospf-1$ area 2

$LSW13-ospf-1-area-0.0.0.2$ ne

$LSW13-ospf-1-area-0.0.0.2$ network 192.168.17.0 0.0.0.255

$LSW13-ospf-1-area-0.0.0.2$ network 10.3.1.0 0.0.0.255

$LSW13-ospf-1-area-0.0.0.2$ network 10.3.2.0 0.0.0.255

$LSW13-ospf-1-area-0.0.0.2$ qui

$LSW13-ospf-1$ silent-interface Vlanif 10

$LSW13-ospf-1$ silent-interface Vlanif 20

$LSW14$ int Vlanif 18

$LSW14-Vlanif18$ ip add 192.168.18.1 24

$LSW14-Vlanif18$ quit

$LSW14$ ospf 1 router-id 18.1.1.1

$LSW14-ospf-1$ area 2

$LSW14-ospf-1-area-0.0.0.2$ network 10.3.1.0 0.0.0.255

$LSW14-ospf-1-area-0.0.0.2$ network 10.3.2.0 0.0.0.255

$LSW14-ospf-1-area-0.0.0.2$ network 192.168.18.0 0.0.0.255

$LSW14-ospf-1-area-0.0.0.2$ quit

$LSW14-ospf-1$ silent-interface Vlanif 10

$LSW14-ospf-1$ silent-interface Vlanif 20

$AR5$ int g0/0/1

$AR5-GigabitEthernet0/0/1$ ip add 192.168.17.6 24

$AR5-GigabitEthernet0/0/1$ int g0/0/2

$AR5-GigabitEthernet0/0/2$ ip add 192.168.18.6 24

$AR5-GigabitEthernet0/0/2$ int g0/0/0

$AR5-GigabitEthernet0/0/0$ ip add 50.1.1.6 24

$AR5$ ospf 1 router-id 55.1.1.1

$AR5-ospf-1$ area 2

$AR5-ospf-1-area-0.0.0.2$ network 192.168.17.0 0.0.0.255

$AR5-ospf-1-area-0.0.0.2$ network 192.168.18.0 0.0.0.255

$AR5$ ip route-static 0.0.0.0 0.0.0.0 50.1.1.5

$AR5$ ospf 1

$AR5-ospf-1$ default-route-advertise

（5）源NAT地址转换

$AR5$ acl 2000

$AR5-acl-basic-2000$ rule permit source 10.3.0.0 0.0.255.255

$AR5$ int g0/0/0

$AR5-GigabitEthernet0/0/0$ nat outbound 2000

6.总校分校DSVPN配置：AR2作为hub端，AR4、AR5作为spoke端，三个接口配置在172.1.1.0网段

$AR2$ int Tunnel 0/0/0

$AR2-Tunnel0/0/0$ tunnel-protocol gre p2mp

$AR2-Tunnel0/0/0$ ip add 172.1.1.1 24

$AR2-Tunnel0/0/0$ source GigabitEthernet 0/0/2

$AR2-Tunnel0/0/0$ nhrp entry multicast dynamic

$AR2-Tunnel0/0/0$ ospf dr-priority 255 //调整优先级至最大，使其成为 DR

$AR4$ int Tunnel 0/0/0

$AR4-Tunnel0/0/0$ tunnel-protocol gre p2mp

$AR4-Tunnel0/0/0$ ip add 172.1.1.3 24

$AR4-Tunnel0/0/0$ source GigabitEthernet 0/0/0

$AR4-Tunnel0/0/0$ nhrp entry 172.1.1.1 20.1.1.4 register

$AR4-Tunnel0/0/0$ ospf network-type broadcast

$AR4-Tunnel0/0/0$ ospf dr-priority 0

$AR5$ int Tunnel 0/0/0

$AR5-Tunnel0/0/0$ tunnel-protocol gre p2mp

$AR5-Tunnel0/0/0$ ip add 172.1.1.2 24

$AR5-Tunnel0/0/0$ source GigabitEthernet 0/0/0

$AR5-Tunnel0/0/0$ nhrp entry 172.1.1.1 20.1.1.4 register

$AR5-Tunnel0/0/0$ ospf network-type broadcast

$AR5-Tunnel0/0/0$ ospf dr-priority 0

$AR2$ ospf 1

$AR2-ospf-1$ area 0

$AR2-ospf-1-area-0.0.0.0$ network 172.1.1.0 0.0.0.255

$AR4$ ospf 1

$AR4-ospf-1$ area 0

$AR4-ospf-1-area-0.0.0.0$ network 172.1.1.0 0.0.0.255

$AR5$ ospf 1

$AR5-ospf-1$ area 0

$AR5-ospf-1-area-0.0.0.0$ network 172.1.1.0 0.0.0.255