1. 在小型园区中,S5735-L-V2通常部署在网络的接入层,S8700-4通常部署在网络的核心,出口路由器一般选用AR系列路由器。
2. 接入交换机与核心交换机通过Eth-Trunk组网保证可靠性。
3. 每个部门业务划分到一个VLAN中,部门间的业务在CORE上通过VLANIF三层互通。
4. 核心交换机作为DHCP Server,为园区用户分配IP地址。
5. 接入交换机上配置DHCP Snooping功能,防止内网用户私接小路由器分配IP地址;同时配置IPSG功能,防止内网用户私自更改IP地址。ACC0的配置
#
sysname ACC1
#
dhcp enable
#
dhcp snooping enable
#
vlan batch 10
#
#配置BPDU保护功能,加强网络的稳定性。
stp bpdu-protection
#
#
vlan 10
description ith
ipv4 source check user-bind enable
#
interface Vlanif10
#
interface MEth0/0/0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10
mode lacp-static
dhcp snooping enable
dhcp snooping trusted
#
interface GE1/0/1
eth-trunk 1
#
interface GE1/0/2
eth-trunk 1
#
interface GE1/0/3
#
interface GE1/0/4
#
interface GE1/0/5
port default vlan 10
stp edged-port enable
dhcp snooping enable
#
interface GE1/0/6
port default vlan 10
stp edged-port enable
dhcp snooping enable
#
interface GE1/0/7
port default vlan 10
stp edged-port enable
dhcp snooping enable
#
interface GE1/0/8
#
interface GE1/0/9
#
interface GE1/0/10
#ACC2的配置
#
sysname ACC2
#
dhcp enable
#
dhcp snooping enable
#
vlan batch 20
#配置BPDU保护功能,加强网络的稳定性。
stp bpdu-protection
#
vlan 20
ipv4 source check user-bind enable
#
#
interface Vlanif20
#
interface GE1/0/3
eth-trunk 2
#
interface GE1/0/4
eth-trunk 2
#
interface GE1/0/5
port default vlan 20
stp edged-port enable
dhcp snooping enable
#
interface GE1/0/6
port default vlan 20
stp edged-port enable
dhcp snooping enable
#
interface GE1/0/7
port default vlan 20
stp edged-port enable
dhcp snooping enableCORE配置
#
sysname CORE
#
dhcp enable
#
ip pool 10
network 10.10.10.0 mask 255.255.255.0
gateway-list 10.10.10.1
#
ip pool 20
network 10.10.20.0 mask 255.255.255.0
gateway-list 10.10.20.1
#
#
vlan batch 5 10 20 100
#
telnet server enable
telnet server-source -i Vlanif5
#
vlan 5
management-vlan
#
aaa
authentication-scheme default
authentication-mode local
authorization-scheme default
authorization-mode local
accounting-scheme default
accounting-mode none
local-aaa-user password policy administrator
domain default
authentication-scheme default
accounting-scheme default
domain default_admin
authentication-scheme default
accounting-scheme default
local-user admin1 password irreversible-cipher $1d$Vy0gSYg@]QV-aiF>$;6vcY2EqR~kkz3Jxzq%9sxU;/pWK!XDx]`IZiF5F$
local-user admin1 privilege level 3
local-user admin1 service-type ssh telnet
#
license
#
interface Vlanif5
ip address 10.10.1.1 255.255.255.0
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
dhcp select global
#
interface Vlanif20
ip address 10.10.20.1 255.255.255.0
dhcp select global
#
interface Vlanif100
ip address 10.10.100.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
mode lacp-static
#
interface Eth-Trunk2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20
#
interface GE1/0/1
eth-trunk 1
#
interface GE1/0/2
eth-trunk 1
#
interface GE1/0/3
eth-trunk 2
#
interface GE1/0/4
eth-trunk 2
#
interface GE1/0/8
port link-type trunk
port trunk pvid vlan 5
port trunk allow-pass vlan 5
#
interface GE1/0/9
#
interface GE1/0/10
port default vlan 100
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.10.100.2
#
# config ssh user admin1 配置
stelnet server enable
ssh user admin1
ssh user admin1 authentication-type password
ssh user admin1 service-type stelnet
ssh server-source all-interface
undo ssh ipv6 server-source all-interface
ssh authorization-type default aaa
#
ssh server cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh server hmac sha2_512 sha2_256
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
#
ssh server publickey rsa_sha2_256 rsa_sha2_512
#
ssh server dh-exchange min-len 3072
#
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
ssh client cipher aes256_gcm aes128_gcm aes256_ctr aes192_ctr aes128_ctr
ssh client hmac sha2_512 sha2_256
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512 curve25519_sha256
#到这里结束
#
user-interface con 0
authentication-mode password
set authentication password cipher $1d$$%Q-7@{kt8aM'W#b$]ei;G"qJ$8(i,CE0If-F:UGSE+apw6l%Bv2Ped}K$
# ssh and telnet user-interface config
user-interface vty 0 4
authentication-mode aaa
idle-timeout 5 0
protocol inbound ssh telnetrouter配置
#
sysname Router
#
#
acl number 2000
rule 5 permit source 10.10.10.0 0.0.0.255
rule 10 permit source 10.10.20.0 0.0.0.255
rule 15 permit source 10.10.100.0 0.0.0.255
#
interface Ethernet3/0/0
undo shutdown
ip address 10.10.100.2 255.255.255.0
#
interface Ethernet3/0/1
undo shutdown
ip address 1.1.1.2 255.255.255.252
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
ip route-static 10.10.10.0 255.255.255.0 10.10.100.1
ip route-static 10.10.20.0 255.255.255.0 10.10.100.1
#
dns resolve
dns server 114.114.114.114