
Complete Worked Example of a Real Campus Network Configuration


Requirements:
1. Only the administration department's PC may telnet in to manage the whole network
2. All DHCP is served from the core switch
3. WiFi users may only reach the Internet, not other hosts on the LAN
4. BPDU protection on every access switch
5. Only VLANs 10-40 may access the Internet
6. DHCP snooping enabled on every access switch
7. Every switch uses the core switch as its NTP server; the core in turn points to an external NTP server
8. AC + AP deployed as a Layer 2 network
9. Console login on every switch and router requires a username and password
10. The management VLAN is 999, with its gateway on the core
11. Internet access via NAT; the uplink is a PPPoE dial-up connection
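As an added check that is not part of the original post, the following Python script parses a VRP `display current-configuration` dump into command blocks and verifies the access-switch requirements above (admin-only telnet through ACL 2000, BPDU protection, DHCP snooping, NTP to the core, console authentication). The two sample configs are constructed, modelled on the lsw2 (xzb_hj) config shown later on this page.

```python
# Added example, not from the original post: parse a VRP "display
# current-configuration" dump and check the access-switch requirements.
# The sample configs are constructed, modelled on the lsw2 (xzb_hj) config.
GOOD = """\
sysname xzb_hj
stp bpdu-protection
dhcp snooping enable
acl number 2000
 rule 5 permit source 192.168.10.100 0
 rule 10 deny
ntp-service unicast-server 192.168.99.1
interface GigabitEthernet0/0/3
 port default vlan 10
 stp edged-port enable
 dhcp snooping enable
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
"""
# Constructed non-compliant variant: vty without the ACL, no BPDU protection.
BAD = GOOD.replace(" acl 2000 inbound\n", "").replace("stp bpdu-protection\n", "")

def sections(cfg):
    """Split a VRP config into (command, [sub-commands]) blocks: indented
    lines belong to the preceding unindented command."""
    out, cur = [], None
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            cur = (line.strip(), [])
            out.append(cur)
        elif cur is not None:
            cur[1].append(line.strip())
    return out

def check(cfg, mgmt_host="192.168.10.100", core="192.168.99.1"):
    """Map each requirement to True/False for one switch config."""
    secs = sections(cfg)
    heads = [h for h, _ in secs]
    body = {h: b for h, b in secs}
    acl = body.get("acl number 2000", [])
    acl_ok = f"rule 5 permit source {mgmt_host} 0" in acl and "rule 10 deny" in acl
    vtys = [b for h, b in secs if h.startswith("user-interface vty")]
    con = body.get("user-interface con 0", [])
    return {
        # req 1: every vty line filtered by ACL 2000 and authenticated via AAA
        "telnet_only_from_admin": acl_ok and bool(vtys) and all(
            "acl 2000 inbound" in b and "authentication-mode aaa" in b for b in vtys),
        "bpdu_protection": "stp bpdu-protection" in heads,        # req 4
        "dhcp_snooping_global": "dhcp snooping enable" in heads,  # req 6
        "ntp_to_core": f"ntp-service unicast-server {core}" in heads,  # req 7
        "console_auth": any(l.startswith("authentication-mode") for l in con),  # req 9
    }
```

Run `check()` over each switch's saved dump to get a per-requirement pass/fail table instead of reading every vty and interface block by hand.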

R1 configuration:

dis current-configuration
[V200R003C00]

sysname isp

snmp-agent local-engineid 800007DB03000000000000
snmp-agent

clock timezone China-Standard-Time minus 08:00:00

portal local-server load flash:/portalpage.zip

drop illegal-mac alarm

wlan ac-global carrier id other ac id 0

set cpu-usage threshold 80 restore 75

dhcp enable

ip pool pppoe
gateway-list 60.0.0.1
network 60.0.0.0 mask 255.255.255.0
dns-list 8.8.8.8

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher % % U6C1S:n4<F*(iTL^nQ'/5x% %
local-user admin service-type ppp

firewall zone Local
priority 15

interface Virtual-Template0
ppp authentication-mode chap
remote address pool pppoe
ip address 60.0.0.1 255.255.255.0

interface GigabitEthernet0/0/0
ip address 8.8.8.1 255.255.255.0

interface GigabitEthernet0/0/1
pppoe-server bind Virtual-Template 0

interface GigabitEthernet0/0/2

interface NULL0

user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20

wlan ac

return

R2 configuration:

<out_router>dis current-configuration
[V200R003C00]

sysname out_router

snmp-agent local-engineid 800007DB03000000000000
snmp-agent

clock timezone China-Standard-Time minus 08:00:00

portal local-server load flash:/portalpage.zip

drop illegal-mac alarm

ntp-service unicast-server 192.168.99.1

wlan ac-global carrier id other ac id 0

set cpu-usage threshold 80 restore 75

acl number 2000
rule 5 permit source 192.168.10.100 0
rule 10 deny
acl number 2001
rule 5 permit source 192.168.0.0 0.0.63.255

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher % % |#rD/aWa47N_{G/1^[Q3`.0#% %
local-user admin privilege level 15
local-user admin service-type telnet terminal

firewall zone Local
priority 15

interface Dialer0
link-protocol ppp
ppp chap user admin
ppp chap password cipher [cipher text garbled in extraction]
ip address ppp-negotiate
dialer user admin
dialer bundle 1
nat outbound 2001

interface GigabitEthernet0/0/0
pppoe-client dial-bundle-number 1

interface GigabitEthernet0/0/1
ip address 10.0.0.1 255.255.255.0

interface GigabitEthernet0/0/2

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 Dialer0
ip route-static 192.168.0.0 255.255.192.0 10.0.0.2

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
user-interface vty 16 20

wlan ac

return

lsw1 configuration:

dis current-configuration

sysname core

vlan batch 10 20 30 40 50 100 999

cluster enable
ntdp enable
ndp enable

undo nap slave enable

drop illegal-mac alarm

dhcp enable

diffserv domain default

acl number 2000
rule 5 permit source 192.168.10.100 0
rule 10 deny

acl number 3000
rule 1 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.99.0 0.0.0.255
rule 5 deny ip source 192.168.40.0 0.0.0.255 destination 192.168.0.0 0.0.31.255
rule 10 permit ip

drop-profile default

ip pool vlan20

ip pool vlan40
gateway-list 192.168.40.1
network 192.168.40.0 mask 255.255.255.0
dns-list 8.8.8.8

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
local-user admin privilege level 15
local-user admin service-type telnet terminal

ntp-service unicast-server 8.8.8.8
ntp-service refclock-master 2
ntp-service unicast-server 192.168.99.1

interface Vlanif1

interface Vlanif10
description xzb
ip address 192.168.10.1 255.255.255.0
dhcp select interface
dhcp server static-bind ip-address 192.168.10.100 mac-address 5489-981f-2e0e
dhcp server dns-list 8.8.8.8

interface Vlanif20
description scb
ip address 192.168.20.1 255.255.255.0
dhcp select interface
dhcp server dns-list 8.8.8.8

interface Vlanif30
description yfb
ip address 192.168.30.1 255.255.255.0
dhcp select interface
dhcp server static-bind ip-address 192.168.30.100 mac-address 5489-9832-7ea4
dhcp server dns-list 8.8.8.8

interface Vlanif40
description wifi_yw
ip address 192.168.40.1 255.255.255.0
dhcp select global

interface Vlanif50
description ap_manage
ip address 192.168.50.1 255.255.255.0
dhcp select interface

interface Vlanif100
description to_router
ip address 10.0.0.2 255.255.255.0

interface Vlanif999
description manage_all
ip address 192.168.99.1 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 999
mode lacp-static

interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 20 999
mode lacp-static

interface Eth-Trunk3
port link-type trunk
port trunk allow-pass vlan 30 999

interface Eth-Trunk4
port link-type trunk
port trunk allow-pass vlan 40 50 999
traffic-filter inbound acl 3000
mode lacp-static

interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100

interface GigabitEthernet0/0/2
port link-type access
port default vlan 50

interface GigabitEthernet0/0/3
eth-trunk 1

interface GigabitEthernet0/0/4
eth-trunk 1

interface GigabitEthernet0/0/5
eth-trunk 2

interface GigabitEthernet0/0/6
eth-trunk 2

interface GigabitEthernet0/0/7
eth-trunk 3

interface GigabitEthernet0/0/8
eth-trunk 3

interface GigabitEthernet0/0/9
eth-trunk 4

interface GigabitEthernet0/0/10
eth-trunk 4

interface GigabitEthernet0/0/11

interface GigabitEthernet0/0/12

interface GigabitEthernet0/0/13

interface GigabitEthernet0/0/14

interface GigabitEthernet0/0/15

interface GigabitEthernet0/0/16

interface GigabitEthernet0/0/17

interface GigabitEthernet0/0/18

interface GigabitEthernet0/0/19

interface GigabitEthernet0/0/20

interface GigabitEthernet0/0/21

interface GigabitEthernet0/0/22

interface GigabitEthernet0/0/23

interface GigabitEthernet0/0/24

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 10.0.0.1

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
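As an added example that is not part of the original post, the script below evaluates the core's ACL 3000 (applied inbound on Eth-Trunk4, the WiFi/AP uplink) with Huawei wildcard-mask semantics against a set of constructed destinations, to show exactly which flows requirement 3 blocks from a WiFi client.

```python
# Added example, not from the original post: evaluate the core's ACL 3000
# (applied inbound on Eth-Trunk4, the WiFi/AP uplink) against sample flows
# to see what requirement 3 actually blocks. Sample hosts are constructed.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Huawei ACL semantics: a wildcard bit of 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = 0xFFFFFFFF ^ w            # bits the rule actually compares
    return (a & keep) == (b & keep)

# ACL 3000 as on the core, in rule order: (action, src, src_wc, dst, dst_wc);
# None means "any" (rule 10 permit ip).
ACL_3000 = [
    ("deny", "192.168.40.0", "0.0.0.255", "192.168.99.0", "0.0.0.255"),   # rule 1
    ("deny", "192.168.40.0", "0.0.0.255", "192.168.0.0", "0.0.31.255"),   # rule 5
    ("permit", None, None, None, None),                                    # rule 10
]

def acl_action(acl, src, dst):
    """First matching rule wins, as on VRP."""
    for action, sb, sw, db, dw in acl:
        src_ok = sb is None or wildcard_match(src, sb, sw)
        dst_ok = db is None or wildcard_match(dst, db, dw)
        if src_ok and dst_ok:
            return action
    return "permit"  # traffic-filter forwards unmatched packets; unreachable here

def wifi_isolation_report(acl=ACL_3000, wifi_host="192.168.40.23"):
    """Destinations a practitioner would test from a WiFi client (constructed)."""
    targets = {
        "core_mgmt_vlan999": "192.168.99.1",
        "xzb_pc_vlan10": "192.168.10.100",
        "yfb_pc_vlan30": "192.168.30.100",
        "ap_mgmt_vlan50": "192.168.50.1",
        "router_link_vlan100": "10.0.0.1",
        "internet": "8.8.8.8",
    }
    return {name: acl_action(acl, wifi_host, dst) for name, dst in targets.items()}
```

Rule 5's wildcard 0.0.31.255 covers 192.168.0.0 through 192.168.31.255, so the report returns "permit" for the AP management subnet 192.168.50.0/24 (VLAN 50) and for the 10.0.0.0/24 router link: those two are not covered by the deny rules as written.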

lsw2 configuration:

<xzb_hj>dis current-configuration

sysname xzb_hj

vlan batch 10 999

stp bpdu-protection

cluster enable
ntdp enable
ndp enable

error-down auto-recovery cause bpdu-protection interval 60

undo nap slave enable

drop illegal-mac alarm

dhcp enable

dhcp snooping enable

diffserv domain default

acl number 2000
rule 5 permit source 192.168.10.100 0
rule 10 deny

drop-profile default

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
local-user admin privilege level 15
local-user admin service-type telnet terminal

ntp-service unicast-server 192.168.99.1

interface Vlanif1

interface Vlanif999
ip address 192.168.99.2 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 999
mode lacp-static
dhcp snooping trusted

interface GigabitEthernet0/0/1
eth-trunk 1

interface GigabitEthernet0/0/2
eth-trunk 1

interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
stp edged-port enable
dhcp snooping enable

interface GigabitEthernet0/0/4

interface GigabitEthernet0/0/5

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7

interface GigabitEthernet0/0/8

interface GigabitEthernet0/0/9

interface GigabitEthernet0/0/10

interface GigabitEthernet0/0/11

interface GigabitEthernet0/0/12

interface GigabitEthernet0/0/13

interface GigabitEthernet0/0/14

interface GigabitEthernet0/0/15

interface GigabitEthernet0/0/16

interface GigabitEthernet0/0/17

interface GigabitEthernet0/0/18

interface GigabitEthernet0/0/19

interface GigabitEthernet0/0/20

interface GigabitEthernet0/0/21

interface GigabitEthernet0/0/22

interface GigabitEthernet0/0/23

interface GigabitEthernet0/0/24

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa

lsw3 configuration:

<scb_hj>dis current-configuration

sysname scb_hj

vlan batch 20 999

stp bpdu-protection

cluster enable
ntdp enable
ndp enable

error-down auto-recovery cause bpdu-protection interval 60

undo nap slave enable

drop illegal-mac alarm

dhcp enable

dhcp snooping enable

diffserv domain default

acl number 2000
rule 5 permit source 192.168.10.100 0
rule 10 deny

drop-profile default

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
local-user admin privilege level 15
local-user admin service-type telnet terminal

ntp-service unicast-server 192.168.99.1

interface Vlanif1

interface Vlanif999
ip address 192.168.99.3 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk2
port link-type trunk
port trunk allow-pass vlan 20 999
mode lacp-static
dhcp snooping trusted

interface GigabitEthernet0/0/1
eth-trunk 2

interface GigabitEthernet0/0/2
eth-trunk 2

interface GigabitEthernet0/0/3
port hybrid pvid vlan 20
port hybrid untagged vlan 20
stp edged-port enable
dhcp snooping enable

interface GigabitEthernet0/0/4

interface GigabitEthernet0/0/5

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7

interface GigabitEthernet0/0/8

interface GigabitEthernet0/0/9

interface GigabitEthernet0/0/10

interface GigabitEthernet0/0/11

interface GigabitEthernet0/0/12

interface GigabitEthernet0/0/13

interface GigabitEthernet0/0/14

interface GigabitEthernet0/0/15

interface GigabitEthernet0/0/16

interface GigabitEthernet0/0/17

interface GigabitEthernet0/0/18

interface GigabitEthernet0/0/19

interface GigabitEthernet0/0/20

interface GigabitEthernet0/0/21

interface GigabitEthernet0/0/22

interface GigabitEthernet0/0/23

interface GigabitEthernet0/0/24

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa

port-group link-type

return

lsw4 configuration:

<yfb_hj>dis current-configuration

sysname yfb_hj

vlan batch 30 999

stp bpdu-protection

cluster enable
ntdp enable
ndp enable

error-down auto-recovery cause bpdu-protection interval 60

undo nap slave enable

drop illegal-mac alarm

dhcp enable

dhcp snooping enable

diffserv domain default

acl number 2000
rule 5 permit source 192.168.10.100 0
rule 10 deny

drop-profile default

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
local-user admin privilege level 15
local-user admin service-type telnet terminal

ntp-service unicast-server 192.168.99.1

interface Vlanif1

interface Vlanif999
ip address 192.168.99.4 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk3
port link-type trunk
port trunk allow-pass vlan 30 999
dhcp snooping trusted

interface GigabitEthernet0/0/1
eth-trunk 3

interface GigabitEthernet0/0/2
eth-trunk 3

interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
stp edged-port enable
dhcp snooping enable

interface GigabitEthernet0/0/4
port link-type access
port default vlan 30
stp edged-port enable
dhcp snooping enable

interface GigabitEthernet0/0/5

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7

interface GigabitEthernet0/0/8

interface GigabitEthernet0/0/9

interface GigabitEthernet0/0/10

interface GigabitEthernet0/0/11

interface GigabitEthernet0/0/12

interface GigabitEthernet0/0/13

interface GigabitEthernet0/0/14

interface GigabitEthernet0/0/15

interface GigabitEthernet0/0/16

interface GigabitEthernet0/0/17

interface GigabitEthernet0/0/18

interface GigabitEthernet0/0/19

interface GigabitEthernet0/0/20

interface GigabitEthernet0/0/21

interface GigabitEthernet0/0/22

interface GigabitEthernet0/0/23

interface GigabitEthernet0/0/24

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa

lsw5 configuration:

<jdzx_hj>dis current-configuration

sysname jdzx_hj

vlan batch 40 50 999

stp bpdu-protection

cluster enable
ntdp enable
ndp enable

error-down auto-recovery cause bpdu-protection interval 60

undo nap slave enable

drop illegal-mac alarm

dhcp enable

dhcp snooping enable

diffserv domain default

acl number 2000
rule 5 permit source 192.168.10.100 0
rule 10 deny

drop-profile default

aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher XJUN8<9N-:5NZPO3JBXBHA!!
local-user admin privilege level 15
local-user admin service-type telnet terminal

ntp-service unicast-server 192.168.99.1

interface Vlanif1

interface Vlanif999
ip address 192.168.99.5 255.255.255.0

interface MEth0/0/1

interface Eth-Trunk4
port link-type trunk
port trunk allow-pass vlan 40 50 999
mode lacp-static
dhcp snooping trusted

interface GigabitEthernet0/0/1
eth-trunk 4

interface GigabitEthernet0/0/2
eth-trunk 4

interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 50
port trunk allow-pass vlan 40 50
stp edged-port enable
dhcp snooping enable

interface GigabitEthernet0/0/4

interface GigabitEthernet0/0/5

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7

interface GigabitEthernet0/0/8

interface GigabitEthernet0/0/9

interface GigabitEthernet0/0/10

interface GigabitEthernet0/0/11

interface GigabitEthernet0/0/12

interface GigabitEthernet0/0/13

interface GigabitEthernet0/0/14

interface GigabitEthernet0/0/15

interface GigabitEthernet0/0/16

interface GigabitEthernet0/0/17

interface GigabitEthernet0/0/18

interface GigabitEthernet0/0/19

interface GigabitEthernet0/0/20

interface GigabitEthernet0/0/21

interface GigabitEthernet0/0/22

interface GigabitEthernet0/0/23

interface GigabitEthernet0/0/24

interface NULL0

ip route-static 0.0.0.0 0.0.0.0 192.168.99.1

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa

return

AC configuration:

dis current-configuration

set memory-usage threshold 0

ssl renegotiation-rate 1

vlan batch 50

authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile

diffserv domain default

radius-server template default

pki realm default
rsa local-key-pair default
enrollment self-signed

acl number 2000
rule 5 permit source 192.168.10.100 0
rule 10 deny

ike proposal default
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256

free-rule-template name default_free_rule

portal-access-profile name portal_access_profile

aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme radius
radius-server default
domain default_admin
authentication-scheme default
local-user test password irreversible-cipher [cipher text garbled in extraction]
local-user test privilege level 15
local-user test service-type telnet terminal
local-user admin password irreversible-cipher [cipher text garbled in extraction]
local-user admin privilege level 15
local-user admin service-type http

interface Vlanif50
ip address 192.168.50.2 255.255.255.0

interface GigabitEthernet0/0/1
port link-type access
port default vlan 50

interface GigabitEthernet0/0/2

interface GigabitEthernet0/0/3

interface GigabitEthernet0/0/4

interface GigabitEthernet0/0/5

interface GigabitEthernet0/0/6

interface GigabitEthernet0/0/7
undo negotiation auto
duplex half

interface GigabitEthernet0/0/8
undo negotiation auto
duplex half

interface NULL0

snmp-agent local-engineid 800007DB03000000000000
snmp-agent

ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1

capwap source ip-address 192.168.50.2

user-interface con 0
authentication-mode aaa
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
protocol inbound all
user-interface vty 16 20
protocol inbound all

wlan
traffic-profile name default
security-profile name test
security wpa-wpa2 psk pass-phrase [cipher text garbled in extraction] aes
security-profile name default
security-profile name default-wds
security-profile name default-mesh
ssid-profile name test
ssid wlan-guset
ssid-profile name default
vap-profile name test
service-vlan vlan-id 40
ssid-profile test
security-profile test
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
ap-group name group1
radio 0
vap-profile test wlan 1
radio 1
vap-profile test wlan 1
radio 2
vap-profile test wlan 1
ap-group name default
ap-id 0 type-id 69 ap-mac 00e0-fcf6-0b20 ap-sn 210235448310E91E775B
ap-name 1_lou_ap
ap-group group1
provision-ap

dot1x-access-profile name dot1x_access_profile

mac-access-profile name mac_access_profile

ntp-service unicast-server 192.168.99.1

return

http://www.lryc.cn/news/218291.html
