一、拓扑图
二、实验要求
-
pc地址请自行规划,vlan已给出
-
服务器地址自行规划,vlan,网段已给出
-
交换机互联链路捆绑保证冗余性
-
内网pc网关集中于核心交换机,交换机vlan 40互联路由器
,地址网段已给出
5.配置静态路由实现内外网互通(内网主机在公网上使用公网地址访问外网)
内网有线无线用户以拨号的形式访问外网(PPPoE)
6.外网主机vlan、地址网段已给出,自行规划地址及网关
- 外网客户端可以访问内网FTP服务器(隐藏服务器内网地址)
8.利用基本ACL/高级ACL实现
pc1 不能访问服务器
pc3 不能访问pc4
注意:交换机也可以
调用ACL,可以使用traffic-filter 命令
- 无线部分配置要求:管理vlan100,业务vlan101
AC作为服务器,为AP分配地址,接口地址池
SW3作为服务器为用户分配地址,接口地址池
AP管理组、安全模板、域管理模板、SSID模板、VAP模板等请自行规划,
用户能正确获取地址并连接无线网络为准,AC建立CAPWAP隧道源接口地址为vlanfi接口
三、配置命令
AR4:
[ar4]dis cu
[V200R003C00]
#
sysname ar4
#
board add 0/4 2SA
#
undo info-center enable
#
acl number 2000
rule 10 permit source 192.168.10.0 0.0.0.255
rule 20 permit source 192.168.20.0 0.0.0.255
rule 101 permit source 192.168.101.0 0.0.0.255
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
nat address-group 4 200.1.1.10 200.1.1.20
#
interface Serial4/0/0
link-protocol ppp
ppp chap user huawei
ppp chap password cipher %$%$smyT5"wVxGLN>.Eku2fN,.^~%$%$
ip address 200.1.1.1 255.255.255.0
nat server protocol tcp global 200.1.1.21 ftp inside 192.168.30.1 ftp
nat outbound 2000 address-group 4
#
interface Serial4/0/1
link-protocol ppp
#
interface GigabitEthernet0/0/1
ip address 10.1.1.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 Serial4/0/0
ip route-static 192.168.10.0 255.255.255.0 10.1.1.1
ip route-static 192.168.20.0 255.255.255.0 10.1.1.1
ip route-static 192.168.30.0 255.255.255.0 10.1.1.1
ip route-static 192.168.100.0 255.255.255.0 10.1.1.1
ip route-static 192.168.101.0 255.255.255.0 10.1.1.1
#
return
S3:
[Sw3]dis cu
#
sysname Sw3
#
undo info-center enable
#
vlan batch 10 20 30 40 100 to 101
#
dhcp enable
#
acl number 3000
rule 10 deny ip source 192.168.10.1 0 destination 192.168.30.1 0
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 192.168.10.254 255.255.255.0
dhcp select interface
#
interface Vlanif20
ip address 192.168.20.254 255.255.255.0
dhcp select interface
#
interface Vlanif30
ip address 192.168.30.254 255.255.255.0
dhcp select interface
#
interface Vlanif40
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif101
ip address 192.168.101.254 255.255.255.0
dhcp select interface
#
interface MEth0/0/1
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 100 to 101
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 20 100 to 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 30
traffic-filter outbound acl 3000
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
interface GigabitEthernet0/0/5
eth-trunk 2
#
interface GigabitEthernet0/0/6
eth-trunk 2
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/8
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
#
return
AC:
[AC6605]dis cu
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 192.168.100.254 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
#
undo info-center enable
#
capwap source interface vlanif100
#
wlan
traffic-profile name default
security-profile name default
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase %^%#.],$1'A0v3fyOs28$.VWFo(}Xn*W@G&FB.*W!@V~
%^%# aes
security-profile name default-wds
security-profile name default-mesh
ssid-profile name default
ssid-profile name wlan-net
ssid wlan-net
vap-profile name default
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-net
security-profile wlan-net
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
ap-group name default
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 1 type-id 61 ap-mac 00e0-fc39-4180 ap-sn 210235448310AD5CEC06
ap-name area1
ap-group ap-group1
ap-id 2 type-id 61 ap-mac 00e0-fcf9-1830 ap-sn 2102354483102877682D
ap-name area2
ap-group ap-group1
provision-ap
#
return
S7:
[s7]]dis cu
#
sysname s7]
#
undo info-center enable
#
vlan batch 10 100 to 101
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 100 to 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/6
#
return
S8:
[s8]dis cu
#
sysname s8
#
undo info-center enable
#
vlan batch 20 100 to 101
#
acl number 3001
rule 10 deny ip source 192.168.20.3 0 destination 192.168.20.4 0
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 20 100 to 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
traffic-filter outbound acl 3001
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/5
eth-trunk 2
#
interface GigabitEthernet0/0/6
eth-trunk 2
#
interface GigabitEthernet0/0/7
#
interface NULL0
#
return
AR5:
[ar5]dis cu
[V200R003C00]
#
sysname ar5
#
board add 0/4 2SA
#
undo info-center enable
#
dhcp enable
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
local-user huawei password cipher %$%$"5_":.XY0UJ:+GUN5>^>>I#9%$%$
local-user huawei privilege level 15
local-user huawei service-type ppp
#
firewall zone Local
priority 15
#
interface Serial4/0/0
link-protocol ppp
ppp authentication-mode chap
ip address 200.1.1.2 255.255.255.0
#
interface Serial4/0/1
link-protocol ppp
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/0.1
#
interface GigabitEthernet0/0/0.2
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 100
ip address 172.16.100.254 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/1.2
dot1q termination vid 200
ip address 172.16.200.254 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 Serial4/0/0
#
return
S6:
[s6]dis cu
#
sysname s6
#
undo info-center enable
#
vlan batch 100 200
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 100
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
完成过程可参照前面其他文章,文章仅为个人学习资料