• 园区网真实详细配置大全案例


    在这里插入图片描述

    实现要求:
    1、只允许行政部电脑对全网telnet管理
    2、所有dhcp都在核心
    3、wifi用户只能上外网,不能访问局域网其它电脑
    4、所有交换机上开rstp协议,接入交换机上都开bpdu保护,核心lsw1设置为根桥
    5、只允许vlan 10-40上网
    5、所有接入交换机开dhcp snoop
    6、所有的交换机指定核心交换机为ntp时间服务器,ntp再指向外网作为服务器。
    7、ac+ap为二层组网
    8、所有的交换和路由console登陆都要账号密码
    9、所有的管理vlan为999,网关在核心
    10、nat上网,外线为pppoe拨号上网

    R1配置:

    dis current-configuration
    [V200R003C00]

    sysname isp

    clock timezone China-Standard-Time minus 08:00:00
    dhcp enable

    ip pool pppoe
    gateway-list 60.0.0.1
    network 60.0.0.0 mask 255.255.255.0
    dns-list 8.8.8.8

    aaa
    authentication-scheme default
    authorization-scheme default
    accounting-scheme default
    domain default
    domain default_admin
    local-user admin password cipher % % U6C1S:n4iTL^nQ'/5x% %
    local-user admin service-type ppp

    firewall zone Local
    priority 15

    interface Virtual-Template0
    ppp authentication-mode chap
    remote address pool pppoe
    ip address 60.0.0.1 255.255.255.0

    interface GigabitEthernet0/0/0
    ip address 8.8.8.1 255.255.255.0

    interface GigabitEthernet0/0/1
    pppoe-server bind Virtual-Template 0

    user-interface con 0
    authentication-mode password
    user-interface vty 0 4
    user-interface vty 16 20

    wlan ac

    return

    R2配置:

    dis current-configuration
    [V200R003C00]

    sysname out_router

    clock timezone China-Standard-Time minus 08:00:00

    portal local-server load flash:/portalpage.zip

    drop illegal-mac alarm

    ntp-service unicast-server 192.168.99.1

    wlan ac-global carrier id other ac id 0

    set cpu-usage threshold 80 restore 75

    acl number 2000
    rule 5 permit source 192.168.10.100 0
    rule 10 deny
    acl number 2001
    rule 5 permit source 192.168.0.0 0.0.63.255

    aaa
    authentication-scheme default
    authorization-scheme default
    accounting-scheme default
    domain default
    domain default_admin
    local-user admin password cipher % % |#rD/aWa47N_{G/1^[Q3`.0#% %
    local-user admin privilege level 15
    local-user admin service-type telnet terminal

    firewall zone Local
    priority 15

    interface Dialer0
    link-protocol ppp
    ppp chap user admin
    ppp chap password cipher % % KoFK!Yrm l / l/% l/%$
    ip address ppp-negotiate
    dialer user admin
    dialer bundle 1
    nat outbound 2001

    interface GigabitEthernet0/0/0
    pppoe-client dial-bundle-number 1

    interface GigabitEthernet0/0/1
    ip address 10.0.0.1 255.255.255.0

    interface GigabitEthernet0/0/2

    interface NULL0

    ip route-static 0.0.0.0 0.0.0.0 Dialer0
    ip route-static 192.168.0.0 255.255.192.0 10.0.0.2

    user-interface con 0
    authentication-mode aaa
    user-interface vty 0 4
    acl 2000 inbound
    authentication-mode aaa
    user-interface vty 16 20

    wlan ac

    return

    lsw1配置

    dis current-configuration

    sysname core

    vlan batch 10 20 30 40 50 100 999

    cluster enable
    ntdp enable
    ndp enable

    undo nap slave enable

    drop illegal-mac alarm

    stp mode rstp
    stp root primary
    dhcp enable

    diffserv domain default

    acl number 2000
    rule 5 permit source 192.168.10.100 0
    rule 10 deny

    acl number 3000
    rule 1 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.99.0 0.0.0.255
    rule 5 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.0.0 0.0.31.255
    rule 10 permit ip

    drop-profile default

    ip pool vlan20

    ip pool vlan40
    gateway-list 192.168.40.1
    network 192.168.40.0 mask 255.255.255.0
    dns-list 8.8.8.8

    aaa
    authentication-scheme default
    authorization-scheme default
    accounting-scheme default
    domain default
    domain default_admin
    local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
    local-user admin privilege level 15
    local-user admin service-type telnet terminal

    ntp-service unicast-server 8.8.8.8
    ntp-service refclock-master 2
    ntp-service unicast-server 192.168.99.1

    interface Vlanif1

    interface Vlanif10
    description xzb
    ip address 192.168.10.1 255.255.255.0
    dhcp select interface
    dhcp server static-bind ip-address 192.168.10.100 mac-address 5489-981f-2e0e
    dhcp server dns-list 8.8.8.8

    interface Vlanif20
    description scb
    ip address 192.168.20.1 255.255.255.0
    dhcp select interface
    dhcp server dns-list 8.8.8.8

    interface Vlanif30
    description yfb
    ip address 192.168.30.1 255.255.255.0
    dhcp select interface
    dhcp server static-bind ip-address 192.168.30.100 mac-address 5489-9832-7ea4
    dhcp server dns-list 8.8.8.8

    interface Vlanif40
    description wifi_yw
    ip address 192.168.40.1 255.255.255.0
    dhcp select global

    interface Vlanif50
    description ap_manage
    ip address 192.168.50.1 255.255.255.0
    dhcp server excluded-ip-address 192.168.50.2
    dhcp select interface

    interface Vlanif100
    description to_router
    ip address 10.0.0.2 255.255.255.0

    interface Vlanif999
    description manage_all
    ip address 192.168.99.1 255.255.255.0

    interface MEth0/0/1

    interface Eth-Trunk1
    port link-type trunk
    port trunk allow-pass vlan 10 999
    mode lacp-static

    interface Eth-Trunk2
    port link-type trunk
    port trunk allow-pass vlan 20 999
    mode lacp-static

    interface Eth-Trunk3
    port link-type trunk
    port trunk allow-pass vlan 30 999

    interface Eth-Trunk4
    port link-type trunk
    port trunk allow-pass vlan 40 50 999
    traffic-filter inbound acl 3000
    mode lacp-static

    interface GigabitEthernet0/0/1
    port link-type trunk
    port trunk pvid vlan 100
    port trunk allow-pass vlan 100

    interface GigabitEthernet0/0/2
    port link-type access
    port default vlan 50

    interface GigabitEthernet0/0/3
    eth-trunk 1

    interface GigabitEthernet0/0/4
    eth-trunk 1

    interface GigabitEthernet0/0/5
    eth-trunk 2

    interface GigabitEthernet0/0/6
    eth-trunk 2

    interface GigabitEthernet0/0/7
    eth-trunk 3

    interface GigabitEthernet0/0/8
    eth-trunk 3

    interface GigabitEthernet0/0/9
    eth-trunk 4

    interface GigabitEthernet0/0/10
    eth-trunk 4

    ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
    ip route-static 192.168.0.0 255.255.192.0 NULL0 //放一条汇总的黑洞路由

    user-interface con 0
    authentication-mode aaa
    user-interface vty 0 4
    acl 2000 inbound
    authentication-mode aaa

    lsw2配置:

    dis current-configuration

    sysname xzb_hj

    vlan batch 10 999

    stp bpdu-protection

    cluster enable
    ntdp enable
    ndp enable

    error-down auto-recovery cause bpdu-protection interval 60

    undo nap slave enable

    drop illegal-mac alarm

    stp mode rstp
    dhcp enable

    dhcp snooping enable

    diffserv domain default

    acl number 2000
    rule 5 permit source 192.168.10.100 0
    rule 10 deny

    drop-profile default

    aaa
    authentication-scheme default
    authorization-scheme default
    accounting-scheme default
    domain default
    domain default_admin
    local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
    local-user admin privilege level 15
    local-user admin service-type telnet terminal

    ntp-service unicast-server 192.168.99.1

    interface Vlanif1

    interface Vlanif999
    ip address 192.168.99.2 255.255.255.0

    interface MEth0/0/1

    interface Eth-Trunk1
    port link-type trunk
    port trunk allow-pass vlan 10 999
    mode lacp-static
    dhcp snooping trusted

    interface GigabitEthernet0/0/1
    eth-trunk 1

    interface GigabitEthernet0/0/2
    eth-trunk 1

    interface GigabitEthernet0/0/3
    port link-type access
    port default vlan 10
    stp edged-port enable
    dhcp snooping enable

    ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

    user-interface con 0
    authentication-mode aaa
    user-interface vty 0 4
    acl 2000 inbound
    authentication-mode aaa

    lsw3配置

    dis current-configuration

    sysname scb_hj

    vlan batch 20 999

    stp bpdu-protection

    cluster enable
    ntdp enable
    ndp enable

    error-down auto-recovery cause bpdu-protection interval 60

    undo nap slave enable

    drop illegal-mac alarm

    stp mode rstp
    dhcp enable

    dhcp snooping enable

    diffserv domain default

    acl number 2000
    rule 5 permit source 192.168.10.100 0
    rule 10 deny

    drop-profile default

    aaa
    authentication-scheme default
    authorization-scheme default
    accounting-scheme default
    domain default
    domain default_admin
    local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
    local-user admin privilege level 15
    local-user admin service-type telnet terminal

    ntp-service unicast-server 192.168.99.1

    interface Vlanif1

    interface Vlanif999
    ip address 192.168.99.3 255.255.255.0

    interface MEth0/0/1

    interface Eth-Trunk2
    port link-type trunk
    port trunk allow-pass vlan 20 999
    mode lacp-static
    dhcp snooping trusted

    interface GigabitEthernet0/0/1
    eth-trunk 2

    interface GigabitEthernet0/0/2
    eth-trunk 2

    interface GigabitEthernet0/0/3
    port hybrid pvid vlan 20
    port hybrid untagged vlan 20
    stp edged-port enable
    dhcp snooping enable

    ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

    user-interface con 0
    authentication-mode aaa
    user-interface vty 0 4
    acl 2000 inbound
    authentication-mode aaa

    port-group link-type

    return

    lsw4配置:

    dis current-configuration

    sysname yfb_hj

    vlan batch 30 999

    stp bpdu-protection

    cluster enable
    ntdp enable
    ndp enable

    error-down auto-recovery cause bpdu-protection interval 60

    undo nap slave enable

    drop illegal-mac alarm

    stp mode rstp
    dhcp enable

    dhcp snooping enable

    diffserv domain default

    acl number 2000
    rule 5 permit source 192.168.10.100 0
    rule 10 deny

    drop-profile default

    aaa
    authentication-scheme default
    authorization-scheme default
    accounting-scheme default
    domain default
    domain default_admin
    local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
    local-user admin privilege level 15
    local-user admin service-type telnet terminal

    ntp-service unicast-server 192.168.99.1

    interface Vlanif1

    interface Vlanif999
    ip address 192.168.99.4 255.255.255.0

    interface MEth0/0/1

    interface Eth-Trunk3
    port link-type trunk
    port trunk allow-pass vlan 30 999
    dhcp snooping trusted

    interface GigabitEthernet0/0/1
    eth-trunk 3

    interface GigabitEthernet0/0/2
    eth-trunk 3

    interface GigabitEthernet0/0/3
    port link-type access
    port default vlan 30
    stp edged-port enable
    dhcp snooping enable

    interface GigabitEthernet0/0/4
    port link-type access
    port default vlan 30
    stp edged-port enable
    dhcp snooping enable

    ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

    user-interface con 0
    authentication-mode aaa
    user-interface vty 0 4
    acl 2000 inbound
    authentication-mode aaa

    lsw5配置

    dis current-configuration

    sysname jdzx_hj

    vlan batch 40 50 999

    stp bpdu-protection

    cluster enable
    ntdp enable
    ndp enable

    error-down auto-recovery cause bpdu-protection interval 60

    undo nap slave enable

    drop illegal-mac alarm

    dhcp enable

    dhcp snooping enable

    diffserv domain default

    acl number 2000
    rule 5 permit source 192.168.10.100 0
    rule 10 deny

    drop-profile default

    aaa
    authentication-scheme default
    authorization-scheme default
    accounting-scheme default
    domain default
    domain default_admin
    local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
    local-user admin privilege level 15
    local-user admin service-type telnet terminal

    ntp-service unicast-server 192.168.99.1

    interface Vlanif1

    interface Vlanif999
    ip address 192.168.99.5 255.255.255.0

    interface MEth0/0/1

    interface Eth-Trunk4
    port link-type trunk
    port trunk allow-pass vlan 40 50 999
    mode lacp-static
    dhcp snooping trusted

    interface GigabitEthernet0/0/1
    eth-trunk 4

    interface GigabitEthernet0/0/2
    eth-trunk 4

    interface GigabitEthernet0/0/3
    port link-type trunk
    port trunk pvid vlan 50
    port trunk allow-pass vlan 40 50
    stp edged-port enable
    dhcp snooping enable

    ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

    user-interface con 0
    authentication-mode aaa
    user-interface vty 0 4
    acl 2000 inbound
    authentication-mode aaa

    return

    AC配置:

    dis current-configuration

    set memory-usage threshold 0

    ssl renegotiation-rate 1

    vlan batch 50

    authentication-profile name default_authen_profile
    authentication-profile name dot1x_authen_profile
    authentication-profile name mac_authen_profile
    authentication-profile name portal_authen_profile
    authentication-profile name macportal_authen_profile

    diffserv domain default

    radius-server template default

    pki realm default
    rsa local-key-pair default
    enrollment self-signed

    acl number 2000
    rule 5 permit source 192.168.10.100 0
    rule 10 deny

    ike proposal default
    encryption-algorithm aes-256
    dh group14
    authentication-algorithm sha2-256
    authentication-method pre-share
    integrity-algorithm hmac-sha2-256
    prf hmac-sha2-256

    free-rule-template name default_free_rule

    portal-access-profile name portal_access_profile

    aaa
    authentication-scheme default
    authentication-scheme radius
    authentication-mode radius
    authorization-scheme default
    accounting-scheme default
    domain default
    authentication-scheme radius
    radius-server default
    domain default_admin
    authentication-scheme default
    local-user test password irreversible-cipher 1 a 1a 1arMSnJPC9I>KaTeX parse error: Undefined control sequence: \V at position 14: =QQ~JN4fKC5o,\̲V̲*x.# =o=Tm+og^8…
    local-user test privilege level 15
    local-user test service-type telnet terminal
    local-user admin password irreversible-cipher 1 a 1a 1ayRep#S@6lN f X d fXd fXd/:y#d+]wLBZ\kT
    L/6WIy~>Uj8Rh J ∣ 8 I " < ∣ 9 J|8I"<|9 J8I"<9
    local-user admin privilege level 15
    local-user admin service-type http

    interface Vlanif50
    ip address 192.168.50.2 255.255.255.0

    interface GigabitEthernet0/0/1
    port link-type access
    port default vlan 50

    interface GigabitEthernet0/0/7
    undo negotiation auto
    duplex half

    interface GigabitEthernet0/0/8
    undo negotiation auto
    duplex half

    interface NULL0

    snmp-agent local-engineid 800007DB03000000000000
    snmp-agent

    ssh server secure-algorithms cipher aes256_ctr aes128_ctr
    ssh server key-exchange dh_group14_sha1
    ssh client secure-algorithms cipher aes256_ctr aes128_ctr
    ssh client secure-algorithms hmac sha2_256
    ssh client key-exchange dh_group14_sha1

    capwap source ip-address 192.168.50.2

    user-interface con 0
    authentication-mode aaa
    user-interface vty 0 4
    acl 2000 inbound
    authentication-mode aaa
    protocol inbound all
    user-interface vty 16 20
    protocol inbound all

    wlan
    traffic-profile name default
    security-profile name test
    security wpa-wpa2 psk pass-phrase %^%#KL!*>z6z’m±`M{B{k+I(U9G1"rHU4W[n&;mq&+
    %^%# aes
    security-profile name default
    security-profile name default-wds
    security-profile name default-mesh
    ssid-profile name test
    ssid wlan-guset
    ssid-profile name default
    vap-profile name test
    service-vlan vlan-id 40
    ssid-profile test
    security-profile test
    vap-profile name default
    wds-profile name default
    mesh-handover-profile name default
    mesh-profile name default
    regulatory-domain-profile name default
    air-scan-profile name default
    rrm-profile name default
    radio-2g-profile name default
    radio-5g-profile name default
    wids-spoof-profile name default
    wids-profile name default
    wireless-access-specification
    ap-system-profile name default
    port-link-profile name default
    wired-port-profile name default
    serial-profile name preset-enjoyor-toeap
    ap-group name group1
    radio 0
    vap-profile test wlan 1
    radio 1
    vap-profile test wlan 1
    radio 2
    vap-profile test wlan 1
    ap-group name default
    ap-id 0 type-id 69 ap-mac 00e0-fcf6-0b20 ap-sn 210235448310E91E775B
    ap-name 1_lou_ap
    ap-group group1
    provision-ap

    dot1x-access-profile name dot1x_access_profile

    mac-access-profile name mac_access_profile

    ntp-service unicast-server 192.168.99.1

    return

  • 相关阅读:
    DBA的一天是怎样的?运维工程师告诉你答案
    【docker】windows版本安装学习使用
    Weblogic管理控制台未授权远程命令执行漏洞(CVE-2020-14882,CVE-2020-14883)
    Centos7安装Docker
    Python | 数学计算那点事儿不完全总结 - 计算平均值、几何平均值等等
    VMware WorkStation安装和在VMware上安装Linux
    Java实现3DES加密解密(DESede/ECB/PKCS5Padding使用)
    mysql学习笔记1:mysql字符集和字符集编码
    投资的思考
    PL/SQL基本程序结构和语句(三)
  • 原文地址:https://blog.csdn.net/ydaxia110/article/details/134224908