防火墙旁路部署经典使用案例

下面用两台电脑分别模拟两个部门的 VLAN(vlan 10 与 vlan 20)

最终效果是两个部门不能互通,但都能上网(ping 通 8.8.8.8),两个部门的流量都绕行经过旁挂防火墙。两部门之间的隔离并非靠 VLAN 本身:lsw1 与防火墙上的 vpn-instance(rd、pr)把每个部门的流量强制送往防火墙,而防火墙安全策略只放行 trust→untrust 方向(rd、pr 两条规则),untrust→trust 方向没有放行规则,因此跨部门流量在防火墙被丢弃。

全网运行 OSPF,所有进程均使用区域 0(area 0.0.0.0)

R1配置 :

dis cu

dis current-configuration

V200R003C00

snmp-agent local-engineid 800007DB03000000000000

snmp-agent

clock timezone China-Standard-Time minus 08:00:00

portal local-server load portalpage.zip

drop illegal-mac alarm

set cpu-usage threshold 80 restore 75

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password cipher % % K8m.Nt84DZ}e#<0`8bmE3Uw}% %

local-user admin service-type http

firewall zone Local

priority 15

interface GigabitEthernet0/0/0

ip address 10.1.200.2 255.255.255.252

interface GigabitEthernet0/0/1

interface GigabitEthernet0/0/2

interface NULL0

interface LoopBack0

ip address 8.8.8.8 255.255.255.255

ospf 1 router-id 8.8.8.8

default-route-advertise always

import-route direct

area 0.0.0.0

network 10.1.200.2 0.0.0.0

lsw1配置

dis cu

dis current-configuration

sysname Huawei

vlan batch 10 20 31 to 34 200

cluster enable

ntdp enable

ndp enable

drop illegal-mac alarm

dhcp enable

diffserv domain default

ip vpn-instance pr

ipv4-family

route-distinguisher 65001:2

ip vpn-instance rd

ipv4-family

route-distinguisher 65001:1

drop-profile default

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user admin password simple admin

local-user admin service-type http

interface Vlanif1

interface Vlanif10

ip binding vpn-instance rd

ip address 192.168.10.254 255.255.255.0

dhcp select interface

interface Vlanif20

ip binding vpn-instance pr

ip address 192.168.20.254 255.255.255.0

dhcp select interface

interface Vlanif31

ip binding vpn-instance rd

ip address 100.1.31.1 255.255.255.252

interface Vlanif32

ip binding vpn-instance pr

ip address 100.1.32.1 255.255.255.252

interface Vlanif33

ip address 100.1.33.1 255.255.255.252

interface Vlanif34

ip address 100.1.34.1 255.255.255.252

interface Vlanif200

ip address 10.1.200.1 255.255.255.252

interface MEth0/0/1

interface Eth-Trunk1

port link-type trunk

port trunk allow-pass vlan 31 to 34

mode lacp-static

interface GigabitEthernet0/0/1

eth-trunk 1

interface GigabitEthernet0/0/2

eth-trunk 1

interface GigabitEthernet0/0/3

port link-type access

port default vlan 10

interface GigabitEthernet0/0/4

port link-type access

port default vlan 200

interface GigabitEthernet0/0/5

port link-type access

port default vlan 20

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7

interface GigabitEthernet0/0/8

interface GigabitEthernet0/0/9

interface GigabitEthernet0/0/10

interface GigabitEthernet0/0/11

interface GigabitEthernet0/0/12

interface GigabitEthernet0/0/13

interface GigabitEthernet0/0/14

interface GigabitEthernet0/0/15

interface GigabitEthernet0/0/16

interface GigabitEthernet0/0/17

interface GigabitEthernet0/0/18

interface GigabitEthernet0/0/19

interface GigabitEthernet0/0/20

interface GigabitEthernet0/0/21

interface GigabitEthernet0/0/22

interface GigabitEthernet0/0/23

interface GigabitEthernet0/0/24

interface NULL0

ospf 1 router-id 3.3.3.3

area 0.0.0.0

network 10.1.200.1 0.0.0.0

network 100.1.34.1 0.0.0.0

network 100.1.33.1 0.0.0.0

ospf 2 router-id 1.1.1.1 vpn-instance rd

area 0.0.0.0

network 100.1.31.1 0.0.0.0

network 192.168.10.0 0.0.0.255

ospf 3 router-id 2.2.2.2 vpn-instance pr

area 0.0.0.0

network 100.1.32.1 0.0.0.0

network 192.168.20.0 0.0.0.255

防火墙配置

dis current-configuration

2025-05-19 15:22:05.870

!Software Version V500R005C10SPC300

sysname USG6000V1

l2tp domain suffix-separator @

vlan batch 31 to 34

ipsec sha2 compatible enable

undo telnet server enable

undo telnet ipv6 server enable

update schedule location-sdb weekly Sun 07:35

firewall defend action discard

banner enable

user-manage web-authentication security port 8887

undo privacy-statement english

undo privacy-statement chinese

page-setting

user-manage security version tlsv1.1 tlsv1.2

password-policy

level high

user-manage single-sign-on ad

user-manage single-sign-on tsm

user-manage single-sign-on radius

user-manage auto-sync online-user

web-manager security version tlsv1.1 tlsv1.2

web-manager enable

web-manager security enable

firewall dataplane to manageplane application-apperceive default-action drop

undo ips log merge enable

decoding uri-cache disable

update schedule ips-sdb daily 00:32

update schedule av-sdb daily 00:32

update schedule sa-sdb daily 00:32

update schedule cnc daily 00:32

update schedule file-reputation daily 00:32

ip vpn-instance default

ipv4-family

ip vpn-instance pr

ipv4-family

route-distinguisher 65002:2

ip vpn-instance rd

ipv4-family

route-distinguisher 65002:1

time-range worktime

period-range 08:00:00 to 18:00:00 working-day

ike proposal default

encryption-algorithm aes-256 aes-192 aes-128

dh group14

authentication-algorithm sha2-512 sha2-384 sha2-256

authentication-method pre-share

integrity-algorithm hmac-sha2-256

prf hmac-sha2-256

aaa

authentication-scheme default

authentication-scheme admin_local

authentication-scheme admin_radius_local

authentication-scheme admin_hwtacacs_local

authentication-scheme admin_ad_local

authentication-scheme admin_ldap_local

authentication-scheme admin_radius

authentication-scheme admin_hwtacacs

authentication-scheme admin_ad

authorization-scheme default

accounting-scheme default

domain default

service-type internetaccess ssl-vpn l2tp ike

internet-access mode password

reference user current-domain

manager-user audit-admin

password cipher @%@%ah6i16uG6@e{GzA60A_%S'b`N"cMD]%50Pl3RY*T'CL='bcS@%@%

service-type web terminal

level 15

manager-user api-admin

password cipher @%@%%DLD!:31xTLL~XB^;l8K,fvN2pTC@qcLy*=`QG;wm4ZTfvQ,@%@%

level 15

manager-user admin

password cipher @%@%|=;p8)lOE.Cg,fJO$U(ldcNdz)~D'2$NEF<a=:(O"~dcQl@%@%

service-type web terminal

level 15

role system-admin

role device-admin

role device-admin(monitor)

role audit-admin

bind manager-user audit-admin role audit-admin

bind manager-user admin role system-admin

interface Vlanif31

ip binding vpn-instance rd

ip address 100.1.31.2 255.255.255.252

interface Vlanif32

ip binding vpn-instance pr

ip address 100.1.32.2 255.255.255.252

interface Vlanif33

ip binding vpn-instance rd

ip address 100.1.33.2 255.255.255.252

interface Vlanif34

ip binding vpn-instance pr

ip address 100.1.34.2 255.255.255.252

interface Eth-Trunk1

portswitch

port link-type trunk

port trunk allow-pass vlan 31 to 34

mode lacp-static

l2tp-group default-lns

interface GigabitEthernet0/0/0

undo shutdown

ip binding vpn-instance default

ip address 192.168.0.1 255.255.255.0

alias GE0/METH

interface GigabitEthernet1/0/0

undo shutdown

eth-trunk 1

interface GigabitEthernet1/0/1

undo shutdown

eth-trunk 1

interface GigabitEthernet1/0/2

undo shutdown

interface GigabitEthernet1/0/3

undo shutdown

interface GigabitEthernet1/0/4

undo shutdown

interface GigabitEthernet1/0/5

undo shutdown

interface GigabitEthernet1/0/6

undo shutdown

interface Virtual-if0

interface NULL0

firewall zone local

set priority 100

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface Vlanif31

add interface Vlanif32

firewall zone untrust

set priority 5

add interface Vlanif33

add interface Vlanif34

firewall zone dmz

set priority 50

ospf 1 router-id 6.6.6.6 vpn-instance rd

area 0.0.0.0

network 100.1.31.2 0.0.0.0

network 100.1.33.2 0.0.0.0

ospf 2 router-id 7.7.7.7 vpn-instance pr

area 0.0.0.0

network 100.1.32.2 0.0.0.0

network 100.1.34.2 0.0.0.0

undo ssh server compatible-ssh1x enable

ssh authentication-type default password

ssh server cipher aes256_ctr aes128_ctr

ssh server hmac sha2_256 sha1

ssh client cipher aes256_ctr aes128_ctr

ssh client hmac sha2_256 sha1

firewall detect ftp

user-interface con 0

authentication-mode aaa

user-interface vty 0 4

authentication-mode aaa

protocol inbound ssh

user-interface vty 16 20

pki realm default

sa

location

multi-linkif

mode proportion-of-weight

right-manager server-group

device-classification

device-group pc

device-group mobile-terminal

device-group undefined-group

user-manage server-sync tsm

security-policy

rule name ospf

source-zone local

source-zone trust

source-zone untrust

destination-zone local

destination-zone trust

destination-zone untrust

service ospf

action permit

rule name rd

source-zone trust

destination-zone untrust

source-address 192.168.10.0 mask 255.255.255.0

action permit

rule name pr

source-zone trust

destination-zone untrust

source-address 192.168.20.0 mask 255.255.255.0

action permit
