
(I) Configure the wired part
1. Configure LSW2
(1) Create the required VLANs
[LSW2]vlan batch 10 3000
(2) Configure Eth-Trunk1 towards LSW1 and let VLANs 10 and 3000 pass through it
[LSW2]int Eth-Trunk 1
[LSW2-Eth-Trunk1]port link-type trunk
[LSW2-Eth-Trunk1]port trunk allow-pass vlan 10 3000
[LSW2-Eth-Trunk1]mode lacp
[LSW2]int g0/0/1
[LSW2-GigabitEthernet0/0/1]eth-trunk 1
[LSW2-GigabitEthernet0/0/1]int g0/0/5
[LSW2-GigabitEthernet0/0/5]eth-trunk 1
(3) Configure the user-facing interfaces: put the users into their VLAN and make the ports STP edge ports
[LSW2]int g0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type access
[LSW2-GigabitEthernet0/0/2]port default vlan 10
[LSW2-GigabitEthernet0/0/2]stp edged-port enable
[LSW2-GigabitEthernet0/0/2]int g0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type access
[LSW2-GigabitEthernet0/0/3]port default vlan 10
[LSW2-GigabitEthernet0/0/3]stp edged-port enable
(4) Enable BPDU protection to improve network stability
[LSW2]stp bpdu-protection
2. Configure LSW3 (same pattern as LSW2)
[LSW3]vlan batch 20 3000
[LSW3]int Eth-Trunk 2
[LSW3-Eth-Trunk2]port link-type trunk
[LSW3-Eth-Trunk2]port trunk allow-pass vlan 20 3000
[LSW3-Eth-Trunk2]mode lacp
[LSW3-Eth-Trunk2]quit
[LSW3]int g0/0/1
[LSW3-GigabitEthernet0/0/1]eth-trunk 2
[LSW3-GigabitEthernet0/0/1]int g0/0/5
[LSW3-GigabitEthernet0/0/5]eth-trunk 2
[LSW3-GigabitEthernet0/0/5]quit
[LSW3]int g0/0/2
[LSW3-GigabitEthernet0/0/2]port link-type access
[LSW3-GigabitEthernet0/0/2]port default vlan 20
[LSW3-GigabitEthernet0/0/2]stp edged-port enable
[LSW3-GigabitEthernet0/0/2]int g0/0/3
[LSW3-GigabitEthernet0/0/3]port link-type access
[LSW3-GigabitEthernet0/0/3]port default vlan 20
[LSW3-GigabitEthernet0/0/3]stp edged-port enable
[LSW3]stp bpdu-protection
3. Configure LSW1
(1) Create the corresponding VLANs
[LSW1]vlan batch 10 20 1000 3000
(2) Configure the parameters of the link to LSW2
[LSW1]int Eth-Trunk 1
[LSW1-Eth-Trunk1]port link-type trunk
[LSW1-Eth-Trunk1]port trunk allow-pass vlan 10 1000 3000
[LSW1-Eth-Trunk1]mode lacp
[LSW1]int g0/0/2
[LSW1-GigabitEthernet0/0/2]eth-trunk 1
[LSW1-GigabitEthernet0/0/2]int g0/0/6
[LSW1-GigabitEthernet0/0/6]eth-trunk 1
[LSW1]int Vlanif 10
[LSW1-Vlanif10]ip add 192.168.1.1 24
(3) Configure the parameters of the link to LSW3
[LSW1]int Eth-Trunk 2
[LSW1-Eth-Trunk2]port link-type trunk
[LSW1-Eth-Trunk2]port trunk allow-pass vlan 20 1000 3000
[LSW1-Eth-Trunk2]mode lacp
[LSW1-Eth-Trunk2]quit
[LSW1]int g0/0/3
[LSW1-GigabitEthernet0/0/3]eth-trunk 2
[LSW1-GigabitEthernet0/0/3]int g0/0/7
[LSW1-GigabitEthernet0/0/7]eth-trunk 2
[LSW1]int Vlanif 20
[LSW1-Vlanif20]ip add 192.168.2.1 24
(4) Configure the interface towards the firewall so that the campus network can reach the Internet
[LSW1]int g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type access
[LSW1-GigabitEthernet0/0/1]port default vlan 1000
[LSW1-GigabitEthernet0/0/1]quit
[LSW1]int Vlanif 1000
[LSW1-Vlanif1000]ip add 10.1.1.1 24
(5) Check the configuration result
4. Configure DHCP: LSW1 acts as the DHCP server so that every user obtains a correct IP address
(1) Create the global address pools, configure the gateway and the lease (the default of 1 day is used, so nothing needs to be configured) and bind the fixed IP address 192.168.2.200 to PC3
[LSW1]dhcp enable
[LSW1]ip pool 10
[LSW1-ip-pool-10]network 192.168.1.0 mask 24
[LSW1-ip-pool-10]gateway-list 192.168.1.1
[LSW1-ip-pool-10]ip pool 20
[LSW1-ip-pool-20]network 192.168.2.0 mask 24
[LSW1-ip-pool-20]gateway-list 192.168.2.1
[LSW1-ip-pool-20]static-bind ip-address 192.168.2.200 mac-address 5489-98B8-805C
(2) Let users obtain IP addresses from the global address pools
[LSW1]int Vlanif 10
[LSW1-Vlanif10]dhcp select global
[LSW1-Vlanif10]int Vlanif 20
[LSW1-Vlanif20]dhcp select global
(3) Check the configuration and usage of the global address pools
(4) After dynamic address assignment was configured, a freshly powered-on PC took a long time to obtain an address. On a switch running STP, every newly connected PC triggers spanning-tree reconvergence, so the wait is long. Either disable STP on the interface or configure the switch interfaces facing terminals as edge ports:
[LSW2]int g0/0/2
[LSW2-GigabitEthernet0/0/2]stp edged-port enable
[LSW2-GigabitEthernet0/0/2]int g0/0/3
[LSW2-GigabitEthernet0/0/3]stp edged-port enable
[LSW3]int g0/0/2
[LSW3-GigabitEthernet0/0/2]stp disable
[LSW3-GigabitEthernet0/0/2]int g0/0/3
[LSW3-GigabitEthernet0/0/3]stp disable
5. Configure a route on LSW1 so that internal traffic can leave the network
[LSW1]ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
6. Configure AR1
(1) Configure IP addresses
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip add 10.1.2.1 24
[AR1-GigabitEthernet0/0/1]int g0/0/2
[AR1-GigabitEthernet0/0/2]ip add 20.1.1.1 24
(2) Configure the ACL that permits Internet access; every user subnet allowed to reach the Internet is listed in it
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source 192.168.1.0 0.0.0.255
[AR1-acl-basic-2000]rule permit source 192.168.2.0 0.0.0.255
[AR1-acl-basic-2000]rule permit source 10.1.1.0 0.0.0.255
[AR1-acl-basic-2000]rule permit source 10.1.2.0 0.0.0.255
(3) Configure NAT on the Internet-facing interface so that internal users can reach the Internet
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]nat outbound 2000
(4) Configure specific routes to the internal networks and a static default route to the public network
[AR1]ip route-static 192.168.1.0 24 10.1.2.2
[AR1]ip route-static 192.168.2.0 24 10.1.2.2
[AR1]ip route-static 10.1.1.0 24 10.1.2.2
[AR1]ip route-static 0.0.0.0 0.0.0.0 20.1.1.2
(5) Configure DNS resolution; the DNS server address is the one provided by the ISP
[AR1]dns resolve
[AR1]dns server 8.8.8.8
[AR1]dns proxy enable
7. Configure DHCP Snooping and IPSG: once DHCP is configured, user hosts obtain addresses automatically. To prevent an employee from plugging a small home router into the internal network with its DHCP server enabled, which would hand legitimate internal users addresses from that rogue router and cut them off from the Internet, DHCP Snooping must also be configured
(1) Enable DHCP Snooping on LSW2 and LSW3
[LSW2]dhcp enable
[LSW2]dhcp snooping enable
[LSW3]dhcp enable
[LSW3]dhcp snooping enable
(2) Enable DHCP Snooping on the interfaces towards the DHCP server and configure them as trusted interfaces
[LSW2]int Eth-Trunk 1
[LSW2-Eth-Trunk1]dhcp snooping enable
[LSW2-Eth-Trunk1]dhcp snooping trusted
[LSW3]int Eth-Trunk 2
[LSW3-Eth-Trunk2]dhcp snooping enable
[LSW3-Eth-Trunk2]dhcp snooping trusted
(3) Enable DHCP Snooping on the interfaces towards the terminals
[LSW2]int g0/0/2
[LSW2-GigabitEthernet0/0/2]dhcp snooping enable
[LSW2-GigabitEthernet0/0/2]int g0/0/3
[LSW2-GigabitEthernet0/0/3]dhcp snooping enable
[LSW3]int g0/0/2
[LSW3-GigabitEthernet0/0/2]dhcp snooping enable
[LSW3-GigabitEthernet0/0/2]int g0/0/3
[LSW3-GigabitEthernet0/0/3]dhcp snooping enable
(4) Enable IP packet check on LSW2 and LSW3: to stop a user who manually changes their IP address from attacking the network, IP packet check is enabled on the access switches on top of DHCP Snooping. The switch then matches each received packet against the dynamic binding table, forwards matching packets and discards the rest. If you do not want to check every packet received in the VLAN, the check can be enabled only on the interface facing a specific terminal.
[LSW2]vlan 10
[LSW2-vlan10]ip source check user-bind enable
[LSW3]vlan 20
[LSW3-vlan20]ip source check user-bind enable
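As an added example (not code from the original lab page), a small Python model of what the DHCP Snooping and IPSG settings above make LSW2 do: DHCP server replies are honoured only on the trusted Eth-Trunk1, and IP packets on user ports must match the dynamic binding table. Port names, MAC addresses and packets are constructed sample data, and IPSG is simplified to checking untrusted ports in VLAN 10 only.

```python
from dataclasses import dataclass, field

# Names below are constructed for the example; they mirror LSW2's roles on the page.
TRUSTED = {"Eth-Trunk1"}   # dhcp snooping trusted: uplink to LSW1 (the real DHCP server)
IPSG_VLANS = {10}          # ip source check user-bind enable in vlan 10


@dataclass
class AccessSwitch:
    pending: dict = field(default_factory=dict)   # (mac, vlan) -> client port, from DISCOVER/REQUEST
    bindings: dict = field(default_factory=dict)  # (mac, vlan) -> (ip, port): dynamic binding table
    log: list = field(default_factory=list)

    def client_request(self, port, vlan, mac):
        # DHCP DISCOVER/REQUEST from a user port: remember which port the client sits on
        self.pending[(mac, vlan)] = port

    def server_reply(self, port, vlan, mac, ip):
        # DHCP OFFER/ACK is honoured only from a trusted port; elsewhere it is a rogue server
        if port not in TRUSTED:
            self.log.append(f"drop DHCP server reply from untrusted port {port}")
            return False
        client_port = self.pending.pop((mac, vlan), None)
        if client_port is None:
            return False  # reply for a client that never sent a request through us
        self.bindings[(mac, vlan)] = (ip, client_port)
        return True

    def ip_packet(self, port, vlan, mac, src_ip):
        # IPSG: on untrusted ports in a checked VLAN, (mac, vlan, ip, port) must match a binding
        if port in TRUSTED or vlan not in IPSG_VLANS:
            return True
        if self.bindings.get((mac, vlan)) == (src_ip, port):
            return True
        self.log.append(f"drop IP packet {src_ip}/{mac} on {port}: no matching binding")
        return False


def run_demo():
    """Constructed scenario: a legitimate lease on GE0/0/2, a rogue home router on GE0/0/3."""
    sw = AccessSwitch()
    pc, victim = "5489-98b8-0001", "5489-98b8-0002"  # constructed client MACs
    sw.client_request("GE0/0/2", 10, pc)
    legit = sw.server_reply("Eth-Trunk1", 10, pc, "192.168.1.10")    # ACK relayed from LSW1
    sw.client_request("GE0/0/2", 10, victim)
    rogue = sw.server_reply("GE0/0/3", 10, victim, "192.168.0.50")   # home router's OFFER
    return {
        "legit_binding": legit,
        "rogue_reply_accepted": rogue,
        "bound_ip_forwarded": sw.ip_packet("GE0/0/2", 10, pc, "192.168.1.10"),
        "spoofed_ip_dropped": not sw.ip_packet("GE0/0/2", 10, pc, "192.168.1.99"),
        "moved_port_dropped": not sw.ip_packet("GE0/0/3", 10, pc, "192.168.1.10"),
        "log": sw.log,
    }
```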
8. Configure AR2 (Internet)
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip add 20.1.1.2 24
9. Configure firewall FW1
(1) Configure the basic IP addresses
[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 10.1.1.2 24
[FW1-GigabitEthernet1/0/1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 10.1.2.2 24
(2) Enable ping on the interfaces and add them to their zones; the PCs can then ping the firewall interfaces they connect to
[FW1-GigabitEthernet1/0/0]service-manage enable
[FW1-GigabitEthernet1/0/0]service-manage ping permit
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]service-manage enable
[FW1-GigabitEthernet1/0/1]service-manage ping permit
[FW1]firewall zone trust
[FW1-zone-trust]add interface g1/0/1
[FW1-zone-trust]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/0
(3) Configure the forwarding policy between trust and untrust so that PC3 cannot reach the Internet while all other hosts can (the order of the rules matters: the deny rule for PC3 must come before the permit rule that covers its subnet)
[FW1]security-policy
[FW1-policy-security]rule name deny_internet
[FW1-policy-security-rule-deny_internet]source-zone trust
[FW1-policy-security-rule-deny_internet]source-address 192.168.2.200 32
[FW1-policy-security-rule-deny_internet]destination-zone untrust
[FW1-policy-security-rule-deny_internet]destination-address any
[FW1-policy-security-rule-deny_internet]action deny
[FW1-policy-security]rule name permit_internet
[FW1-policy-security-rule-permit_internet]source-zone trust
[FW1-policy-security-rule-permit_internet]source-address 192.168.1.0 24
[FW1-policy-security-rule-permit_internet]source-address 192.168.2.0 24
[FW1-policy-security-rule-permit_internet]source-address 10.1.1.0 24
[FW1-policy-security-rule-permit_internet]destination-zone untrust
[FW1-policy-security-rule-permit_internet]destination-address any
[FW1-policy-security-rule-permit_internet]action permit
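As an added illustration of why the rule order above matters (example code, not part of the original lab), a small Python model of FW1's first-match evaluation of the two rules, using the addresses from the page. It assumes, as on Huawei USG firewalls, that rules are tried top-down and the default policy at the end denies; "0.0.0.0/0" stands in for "destination-address any".

```python
from ipaddress import ip_address, ip_network

# FW1's trust -> untrust rules in the order the page enters them.
FW1_RULES = [
    {"name": "deny_internet", "src_zone": "trust", "dst_zone": "untrust",
     "src": ["192.168.2.200/32"], "dst": ["0.0.0.0/0"], "action": "deny"},
    {"name": "permit_internet", "src_zone": "trust", "dst_zone": "untrust",
     "src": ["192.168.1.0/24", "192.168.2.0/24", "10.1.1.0/24"],
     "dst": ["0.0.0.0/0"], "action": "permit"},
]


def evaluate(rules, src_zone, src_ip, dst_zone, dst_ip):
    """First matching rule wins; the implicit default policy at the end denies."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if rule["src_zone"] != src_zone or rule["dst_zone"] != dst_zone:
            continue
        if not any(src in ip_network(n) for n in rule["src"]):
            continue
        if not any(dst in ip_network(n) for n in rule["dst"]):
            continue
        return rule["name"], rule["action"]
    return "default", "deny"


def compare_orders(src_ip, dst_ip="8.8.8.8"):
    """Outcome for a trust-zone host with the page's order and with the two rules swapped."""
    as_configured = evaluate(FW1_RULES, "trust", src_ip, "untrust", dst_ip)
    swapped = evaluate(list(reversed(FW1_RULES)), "trust", src_ip, "untrust", dst_ip)
    return as_configured, swapped


if __name__ == "__main__":
    # PC3 (192.168.2.200) is blocked only while deny_internet precedes permit_internet
    for host in ("192.168.2.200", "192.168.1.10"):
        print(host, compare_orders(host))
```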
(4) Configure the firewall routes
[FW1]ip route-static 192.168.1.0 24 10.1.1.1
[FW1]ip route-static 192.168.2.0 24 10.1.1.1
[FW1]ip route-static 0.0.0.0 0.0.0.0 10.1.2.1
(II) Configure the server
1. Configure the server IP address
2. Configure the firewall IP address and zone
[FW1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 192.168.3.2 24
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface g1/0/2
3. Configure the firewall policies
(1) Allow the external network to access the DMZ
[FW1]security-policy
[FW1-policy-security]rule name untrust_dmz
[FW1-policy-security-rule-untrust_dmz]source-zone untrust
[FW1-policy-security-rule-untrust_dmz]destination-zone dmz
[FW1-policy-security-rule-untrust_dmz]destination-address 192.168.3.0 24
[FW1-policy-security-rule-untrust_dmz]service http
[FW1-policy-security-rule-untrust_dmz]service icmp
[FW1-policy-security-rule-untrust_dmz]action permit
(2) Allow the internal network to access the DMZ
[FW1-policy-security]rule name trust_dmz
[FW1-policy-security-rule-trust_dmz]source-zone trust
[FW1-policy-security-rule-trust_dmz]source-address 192.168.1.0 24
[FW1-policy-security-rule-trust_dmz]source-address 192.168.2.0 24
[FW1-policy-security-rule-trust_dmz]source-address 10.1.1.0 24
[FW1-policy-security-rule-trust_dmz]destination-zone dmz
[FW1-policy-security-rule-trust_dmz]destination-address 192.168.3.0 24
[FW1-policy-security-rule-trust_dmz]action permit
(3) Configure NAT Server
[FW1]nat server server1 protocol tcp global 10.1.2.100 www inside 192.168.3.1 www
[FW1]nat server server2 protocol icmp global 10.1.2.100 inside 192.168.3.1   // ICMP is mapped as well so the server can be tested with ping
[AR1-GigabitEthernet0/0/0]nat server global 20.1.1.100 inside 10.1.2.100
4. Configure the route used when the external network accesses the server
[AR1]ip route-static 192.168.3.0 24 10.1.2.2
5. Test
(III) Configure the wireless part
1. Configure network connectivity
(1) Configure the related VLANs
[LSW2]vlan batch 50 60 70 100
[LSW2]int g0/0/4
[LSW2-GigabitEthernet0/0/4]port link-type trunk
[LSW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 50 60 70 100
[LSW2-GigabitEthernet0/0/4]port trunk pvid vlan 100
[LSW2-GigabitEthernet0/0/4]port-isolate enable
[LSW2]int Eth-Trunk 1
[LSW2-Eth-Trunk1]port link-type trunk
[LSW2-Eth-Trunk1]port trunk allow-pass vlan 50 60 70 100
[LSW3]vlan batch 50 60 70 100
[LSW3]int g0/0/4
[LSW3-GigabitEthernet0/0/4]port link-type trunk
[LSW3-GigabitEthernet0/0/4]port trunk allow-pass vlan 50 60 70 100
[LSW3-GigabitEthernet0/0/4]port trunk pvid vlan 100
[LSW3-GigabitEthernet0/0/4]port-isolate enable
[LSW3]int Eth-Trunk 2
[LSW3-Eth-Trunk2]port link-type trunk
[LSW3-Eth-Trunk2]port trunk allow-pass vlan 50 60 70 100
[LSW1]vlan batch 50 60 70 100
[LSW1]int Eth-Trunk 1
[LSW1-Eth-Trunk1]port link-type trunk
[LSW1-Eth-Trunk1]port trunk allow-pass vlan 50 60 70 100
[LSW1]int Eth-Trunk 2
[LSW1-Eth-Trunk2]port link-type trunk
[LSW1-Eth-Trunk2]port trunk allow-pass vlan 50 60 70 100
[LSW1]int g0/0/4
[LSW1-GigabitEthernet0/0/4]port link-type trunk
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 70 100
[AC1]vlan batch 50 60 70 100
[AC1]int g0/0/1
[AC1-GigabitEthernet0/0/1]port link-type trunk
[AC1-GigabitEthernet0/0/1]port trunk allow-pass vlan 70 100
(2) Configure IP addresses
[LSW1]int Vlanif 100
[LSW1-Vlanif100]ip add 192.168.10.1 24
[LSW1-Vlanif100]int Vlanif 50
[LSW1-Vlanif50]ip add 192.168.5.1 24
[LSW1-Vlanif50]int Vlanif 60
[LSW1-Vlanif60]ip add 192.168.6.1 24
[LSW1-Vlanif60]int Vlanif 70
[LSW1-Vlanif70]ip add 192.168.7.1 24
[AC1]int Vlanif 100
[AC1-Vlanif100]ip add 192.168.10.2 24
(3) Configure routes
[FW1]ip route-static 192.168.5.0 24 10.1.1.1
[FW1]ip route-static 192.168.6.0 24 10.1.1.1
[FW1]ip route-static 192.168.7.0 24 10.1.1.1
[FW1]ip route-static 192.168.10.0 24 10.1.1.1
[AC1]ip route-static 192.168.5.0 24 192.168.10.1
[AC1]ip route-static 192.168.6.0 24 192.168.10.1
[AC1]ip route-static 192.168.7.0 24 192.168.10.1
(4) Configure NAT
[AR1-GigabitEthernet0/0/0]undo nat outbound 2000
[AR1]acl 2000
[AR1-acl-basic-2000]rule permit source 192.168.5.0 0.0.0.255
[AR1-acl-basic-2000]rule permit source 192.168.6.0 0.0.0.255
[AR1-acl-basic-2000]rule permit source 192.168.7.0 0.0.0.255
[AR1-acl-basic-2000]rule permit source 192.168.10.0 0.0.0.255
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]nat outbound 2000
(5) Configure the firewall policies
[FW1-policy-security]rule name permit_internet
[FW1-policy-security-rule-permit_internet]source-address 192.168.5.0 mask 255.255.255.0
[FW1-policy-security-rule-permit_internet]source-address 192.168.6.0 mask 255.255.255.0
[FW1-policy-security-rule-permit_internet]source-address 192.168.7.0 mask 255.255.255.0
[FW1-policy-security-rule-permit_internet]source-address 192.168.10.0 mask 255.255.255.0
[FW1-policy-security]rule name trust_dmz
[FW1-policy-security-rule-trust_dmz]source-address 192.168.5.0 mask 255.255.255.0
[FW1-policy-security-rule-trust_dmz]source-address 192.168.6.0 mask 255.255.255.0
[FW1-policy-security-rule-trust_dmz]source-address 192.168.7.0 mask 255.255.255.0
[FW1-policy-security-rule-trust_dmz]source-address 192.168.10.0 mask 255.255.255.0
2. Configure DHCP to assign IP addresses to the APs and STAs
(1) Configure the AC to assign IP addresses to the APs
[AC1]dhcp enable
[AC1]ip pool ap_pool
[AC1-ip-pool-ap_pool]network 192.168.10.0 mask 24
[AC1-ip-pool-ap_pool]gateway-list 192.168.10.1
[LSW1]dhcp enable
[LSW1]int Vlanif 100
[LSW1-Vlanif100]dhcp select relay
[LSW1-Vlanif100]dhcp relay server-ip 192.168.10.2
(2) Configure LSW1 as the DHCP server that assigns IP addresses to the STAs
[LSW1]ip pool guest1
[LSW1-ip-pool-guest1]network 192.168.5.0 mask 24
[LSW1-ip-pool-guest1]gateway-list 192.168.5.1
[LSW1]ip pool guest2
[LSW1-ip-pool-guest2]network 192.168.6.0 mask 24
[LSW1-ip-pool-guest2]gateway-list 192.168.6.1
[LSW1]ip pool employee
[LSW1-ip-pool-employee]network 192.168.7.0 mask 24
[LSW1-ip-pool-employee]gateway-list 192.168.7.1
[LSW1]int Vlanif 50
[LSW1-Vlanif50]dhcp select global
[LSW1-Vlanif50]int Vlanif 60
[LSW1-Vlanif60]dhcp select global
[LSW1-Vlanif60]int Vlanif 70
[LSW1-Vlanif70]dhcp select global
(3) Configure VLAN pools to be used as the service VLANs
[AC1]vlan pool sta_pool1
[AC1-vlan-pool-sta_pool1]vlan 50 60
[AC1-vlan-pool-sta_pool1]assignment hash
[AC1]vlan pool sta_pool2
[AC1-vlan-pool-sta_pool2]vlan 70
[AC1-vlan-pool-sta_pool2]assignment hash
3. Bring the APs online
(1) Create the AP groups
[AC1]wlan
[AC1-wlan-view]ap-group name guest
[AC1-wlan-ap-group-guest]quit
[AC1-wlan-view]ap-group name employee
(2) Create the regulatory domain profile
[AC1-wlan-view]regulatory-domain-profile name domain1
[AC1-wlan-regulate-domain-domain1]country-code cn
[AC1-wlan-view]ap-group name guest
[AC1-wlan-ap-group-guest]regulatory-domain-profile domain1
[AC1-wlan-view]ap-group name employee
[AC1-wlan-ap-group-employee]regulatory-domain-profile domain1
(3) Configure the AC source interface
[AC1]capwap source interface Vlanif 100
(4) Import the APs offline on the AC
[AC1]wlan
[AC1-wlan-view]ap auth-mode mac-auth
[AC1-wlan-view]ap-id 0 ap-mac 00e0-fc40-2710
[AC1-wlan-ap-0]ap-name ap1
[AC1-wlan-ap-0]ap-group guest
[AC1-wlan-view]ap-id 1 ap-mac 00e0-fcbf-0ce0
[AC1-wlan-ap-1]ap-name ap2
[AC1-wlan-ap-1]ap-group employee

4. Configure the WLAN service parameters
(1) Create the security profiles
[AC1]wlan
[AC1-wlan-view]security-profile name guest
[AC1-wlan-sec-prof-guest]security wpa2 psk pass-phrase abc@1234 aes
[AC1-wlan-view]security-profile name employee
[AC1-wlan-sec-prof-employee]security wpa2 psk pass-phrase abcd@1234 aes
(2) Create the SSID profiles
[AC1-wlan-view]ssid-profile name guest
[AC1-wlan-ssid-prof-guest]ssid guest
[AC1-wlan-view]ssid-profile name employee
[AC1-wlan-ssid-prof-employee]ssid employee
(3) Create the VAP profiles
[AC1-wlan-view]vap-profile name guest
[AC1-wlan-vap-prof-guest]forward-mode direct-forward
[AC1-wlan-vap-prof-guest]service-vlan vlan-pool sta_pool1
[AC1-wlan-vap-prof-guest]security-profile guest
[AC1-wlan-vap-prof-guest]ssid-profile guest
[AC1-wlan-view]vap-profile name employee
[AC1-wlan-vap-prof-employee]forward-mode tunnel
[AC1-wlan-vap-prof-employee]service-vlan vlan-pool sta_pool2
[AC1-wlan-vap-prof-employee]security-profile employee
[AC1-wlan-vap-prof-employee]ssid-profile employee
(4) Bind the VAP profiles to the AP groups so that the AP radios use the VAP profile settings
[AC1-wlan-view]ap-group name guest
[AC1-wlan-ap-group-guest]vap-profile guest wlan 1 radio 0
[AC1-wlan-ap-group-guest]vap-profile guest wlan 1 radio 1
[AC1-wlan-view]ap-group name employee
[AC1-wlan-ap-group-employee]vap-profile employee wlan 1 radio 0
[AC1-wlan-ap-group-employee]vap-profile employee wlan 1 radio 1
5. Configure the channel and power of the AP radios
[AC1-wlan-view]ap-id 0
[AC1-wlan-ap-0]radio 0
[AC1-wlan-radio-0/0]channel 20mhz 6
[AC1-wlan-radio-0/0]eirp 127
[AC1-wlan-radio-0/0]radio 1
[AC1-wlan-radio-0/1]channel 20mhz 149
[AC1-wlan-radio-0/1]eirp 127
6. Verify the configuration: the STAs connect to the APs
(IV) Telnet configuration of the devices: SW5 is the management host used to Telnet to the other devices
1. Configure the related IP addresses
[LSW2]int Vlanif 3000
[LSW2-Vlanif3000]ip add 10.1.3.2 24
[LSW3]int Vlanif 3000
[LSW3-Vlanif3000]ip add 10.1.3.3 24
[LSW1]int g0/0/5
[LSW1-GigabitEthernet0/0/5]port link-type access
[LSW1-GigabitEthernet0/0/5]port default vlan 3000
[LSW1]int Vlanif 3000
[LSW1-Vlanif3000]ip add 10.1.3.1 24
[SW5]int g0/0/1
[SW5-GigabitEthernet0/0/1]port link-type trunk
[SW5-GigabitEthernet0/0/1]port trunk allow-pass vlan 3000
[SW5-GigabitEthernet0/0/1]port trunk pvid vlan 3000
[SW5]vlan 3000
[SW5]int Vlanif 3000
[SW5-Vlanif3000]ip add 10.1.3.100 24
2. Configure the related routes
[AC1]ip route-static 10.1.3.0 24 192.168.10.1
[FW1]ip route-static 10.1.3.0 24 10.1.1.1
[AR1]ip route-static 10.1.3.0 24 10.1.2.2
[SW5]ip route-static 0.0.0.0 0.0.0.0 10.1.3.1
3. Configure the firewall to permit the related traffic
[FW1]security-policy
[FW1-policy-security]rule name telnet_AR1
[FW1-policy-security-rule-telnet_AR1]source-zone trust
[FW1-policy-security-rule-telnet_AR1]source-address 10.1.3.100 0.0.0.0
[FW1-policy-security-rule-telnet_AR1]destination-zone untrust
[FW1-policy-security-rule-telnet_AR1]destination-address 10.1.2.0 0.0.0.255
[FW1-policy-security-rule-telnet_AR1]source-zone untrust
[FW1-policy-security-rule-telnet_AR1]source-address 10.1.2.0 24
[FW1-policy-security-rule-telnet_AR1]destination-zone trust
[FW1-policy-security-rule-telnet_AR1]destination-address 10.1.3.100 32
[FW1-policy-security-rule-telnet_AR1]service telnet
[FW1-policy-security-rule-telnet_AR1]action permit
[FW1-policy-security]rule name telnet_FW1
[FW1-policy-security-rule-telnet_FW1]source-zone trust
[FW1-policy-security-rule-telnet_FW1]source-address 10.1.3.100 0.0.0.0
[FW1-policy-security-rule-telnet_FW1]destination-zone local
[FW1-policy-security-rule-telnet_FW1]source-zone local
[FW1-policy-security-rule-telnet_FW1]destination-zone trust
[FW1-policy-security-rule-telnet_FW1]destination-address 10.1.3.100 32
[FW1-policy-security-rule-telnet_FW1]service telnet
[FW1-policy-security-rule-telnet_FW1]action permit
[FW1-policy-security]rule name telnet_dmz
[FW1-policy-security-rule-telnet_dmz]source-zone trust
[FW1-policy-security-rule-telnet_dmz]source-address 10.1.3.100 0.0.0.0
[FW1-policy-security-rule-telnet_dmz]destination-zone dmz
[FW1-policy-security-rule-telnet_dmz]source-zone dmz
[FW1-policy-security-rule-telnet_dmz]destination-zone trust
[FW1-policy-security-rule-telnet_dmz]destination-address 10.1.3.100 32
[FW1-policy-security-rule-telnet_dmz]service telnet
[FW1-policy-security-rule-telnet_dmz]action permit
4. Create the related accounts
[AC1]telnet server enable
[AC1]aaa
[AC1-aaa]local-user ac1 password irreversible-cipher abc@1234
[AC1-aaa]local-user ac1 privilege level 3
[AC1-aaa]local-user ac1 service-type telnet
[AC1]user-interface vty 0 4
[AC1-ui-vty0-4]authentication-mode aaa
[AC1-ui-vty0-4]user privilege level 3
[LSW1]aaa
[LSW1-aaa]local-user SW1 password cipher abc@1234
[LSW1-aaa]local-user SW1 service-type telnet
[LSW1-aaa]local-user SW1 privilege level 3
[LSW1]user-interface vty 0 4
[LSW1-ui-vty0-4]authentication-mode aaa
[LSW1-ui-vty0-4]user privilege level 3
[FW1]telnet server enable
[FW1]int g1/0/1
[FW1-GigabitEthernet1/0/1]service-manage enable
[FW1-GigabitEthernet1/0/1]service-manage telnet permit
[FW1]aaa
[FW1-aaa]manager-user FW1
[FW1-aaa-manager-user-FW1]password cipher abc@1234
[FW1-aaa-manager-user-FW1]service-type telnet
[FW1-aaa-manager-user-FW1]level 3
[FW1]user-interface vty 0 4
[FW1-ui-vty0-4]authentication-mode aaa
[FW1-ui-vty0-4]protocol inbound telnet
[FW1-ui-vty0-4]user privilege level 3
[AR1]aaa
[AR1-aaa]local-user AR1 password cipher abc@1234 privilege level 3
[AR1-aaa]local-user AR1 service-type telnet
[AR1]user-interface vty 0 4
[AR1-ui-vty0-4]authentication-mode aaa
[AR1-ui-vty0-4]user privilege level 3
[AR1-ui-vty0-4]authentication-mode aaa
[LSW2]telnet server enable
[LSW2]aaa
[LSW2-aaa]local-user SW2 password cipher abc@1234 privilege level 3
[LSW2-aaa]local-user SW2 service-type telnet
[LSW2]user-interface vty 0 4
[LSW2-ui-vty0-4]authentication-mode aaa
[LSW2-ui-vty0-4]user privilege level 3
[LSW3]telnet server enable
[LSW3]aaa
[LSW3-aaa]local-user SW3 password cipher abc@1234 privilege level 3
[LSW3-aaa]local-user SW3 service-type telnet
[LSW3]user-interface vty 0 4
[LSW3-ui-vty0-4]authentication-mode aaa
[LSW3-ui-vty0-4]user privilege level 3
5. Test