中小型企业网络搭建实践

 

都是一些基础的东西,该标的图中差不多都标注出来了。详细的各个机器的配置放在附页中了。正文简单说下图中没有展现的。

技术组成

路由(静态,策略)

    ENSP策略路由对于设备本身发出的包是不生效的。刚开始在FW-BJ做了[s:192.168.100.0/24 d:10.0.0.0/24 --> 192.168.40.2]这样一条策略路由。FW-BJ和FW-TJ两边建立IPSec后,由192.168.100.2 ping 10.0.0.1,此时ping reply包通过VPN解密后直接通过默认路由发往了1.1.1.1。

NAT(SNAT,DNAT)

    ENSP里面是先做SNAT,再匹配IPSec感兴趣流的。

VPN(IPSec VPN,PPTP VPN)

    站点到站点这种使用IPSec,出差这种点到站点的使用PPTP VPN。下面是PPTP VPN的教程。上面链接是服务端配置,下面链接是win10客户端的配置。
    使用PPTP VPN有弊端。linux客户端拨号的号,是不能更改分配给的IP的。多个linux客户端接入PPTP VPN服务器是会起冲突的。

交换(VLAN(TRUNK,ACCESS),STP,堆叠)

    这里说下堆叠。实验用的24口交换机。实际使用这么个交换机往往捉襟见肘。堆叠可以使两个交换机合二为一。ENSP无法堆叠实验,我用HCL搭建了一下,具体可以参考这个链接:
    HCL配置 IRF 堆叠实验 https://blog.csdn.net/long_up/article/details/107471388

WALN(AP,AC)

    无线信号这个圈会被调色板盖住的。刚开始一直没出现这个圈,我以为是我哪里配的有问题,重搭了3遍,哈哈哈哈哈哈。无线部分的搭建可以参考这个链接:
    eNSP-无线技术原理 https://blog.csdn.net/weixin_51491005/article/details/119514373

IP-MAC绑定

    这里说的是DHCP的预留地址。需要分配固定IP的主机。服务器或者前端的主机。
    延申一下,说一下局域网IP冲突问题,如果都是DHCP不会有冲突,但显然是不可能的。非法的机器先开机抢走了IP,正常的机器无法上网。  关键的服务器部分和办公区分开。冲突主要集中在有线网办公区,办公区比较大,人比较多的话再划vlan,再细分几个网段,将排错环境调小点。使用静态IP时,有意识地先ping一下,确定没人用再用。网络问题,规划和管理很重要。

DHCP

    ENSP图形化界面开启DHCP Server保存时,还要命令行到接口下打DHCP select interface。

DDNS

    ISP大多为我们提供动态IP,DDNS捕获用户每次变化的IP,然后将其与域名相对应。方便实惠的内网穿透解决办法。

FTP

    带宽不够用,网关限速。局域网内经常传大文件可以搭建个FTP服务器。

补充内容

    这里说一下状态防火墙为什么能快速转发。防火墙会对数据流的第一个包的五元组做一个hash,后续的包五元组hash值相同,不再检测,直接转发。

常用命令

# windows
# tracert
# nslookup
# arp查看和清空
arp -a/d
# ipconfig
# 清空DNS缓存
ipconfig /flushdns
# 所有DHCP网卡重新获取地址
ipconfig /release_all
ipconfig /renew_all
# 查看端口号是否被占用
netstat -ano | findstr <端口号>
# 查看路由表
route print
# 添加路由
route add 192.168.1.2 mask 255.255.255.0 192.168.1.1 -p
# 添加主机路由
route add -host 192.168.1.2 192.168.1.1 -p
# 删除路由
route delete 192.168.1.2 mask 255.255.255.0 192.168.1.1

# linux
# 查看路由表
route -n
# 添加静态路由
route add -net 10.20.30.40 netmask 255.255.255.0 gw 192.168.0.1
# 添加默认路由
route add default gw 192.168.0.1
# 添加主机路由
route add -host 10.20.30.40 gw 192.168.0.1

# huawei switch/router

# 查看内存配置文件/当前窗口配置
dis cu/th
# 查看路由表
dis ip routing-table
# 查看各个接口的IP
dis ip int b
# 查看vlan
dis vlan b
# 配置端口类型(trunk为例)
p l t
# 配置允许通过vlan(trunk为例)
p t a v xx xx 
# 保存
CTRL+Z save

附页

FW-BJ.cfg


!Software Version V500R005C10SPC300
!Last configuration was saved at 2023-03-21 10:17:14 UTC
#
sysname FW-BJ
#
 l2tp domain suffix-separator @
#
 ipsec sha2 compatible enable 
#
undo telnet server enable
undo telnet ipv6 server enable
#
 update schedule location-sdb weekly Sun 23:18
#
 firewall defend action discard
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
page-setting
 user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
dhcp enable
#
 undo ips log merge enable
#
 decoding uri-cache disable
#
 update schedule ips-sdb daily 22:40
 update schedule av-sdb daily 22:40
 update schedule sa-sdb daily 22:40
 update schedule cnc daily 22:40
 update schedule file-reputation daily 22:40
#
ip vpn-instance default
 ipv4-family
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day   
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128 
 dh group14 
 authentication-algorithm sha2-512 sha2-384 sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin 
  password cipher @%@%5bIr:B4|[9sEFC&]CoG&<L1%u.[F;n"k'Tgazf.:GXpAL1(<@%@%
  service-type web terminal 
  level 15 

 manager-user api-admin 
  password cipher @%@%9gL|,]3)i7UN:@+0{o@)zfYuW93fLW<#6I;<NASML~*RfYxz@%@%
  level 15 

 manager-user admin 
  password cipher @%@%s2$z4ztu0~~g#&8^{d[X4%nefKeM<il4L$b5$8SQ*pz/%nh4@%@%
  service-type web terminal 
  level 15 

 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip address 192.168.20.1 255.255.255.0
 alias GE0/METH
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/0
 undo shutdown
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 192.168.30.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 dhcp select interface
 dhcp server ip-range 192.168.30.100 192.168.30.200
 dhcp server gateway-list 192.168.30.1 
 dhcp server dns-list 114.114.114.114 
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.10.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/3
 undo shutdown
 ip address 10.0.0.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
 ip address 192.168.40.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/6
 undo shutdown
 ip address 1.1.1.2 255.255.255.252
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/3
 add interface GigabitEthernet1/0/5
 add interface GigabitEthernet1/0/6
#
firewall zone untrust
 set priority 5
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/6 1.1.1.1
ip route-static 192.168.100.0 255.255.255.0 GigabitEthernet1/0/5 192.168.40.2 preference 40
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 default action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
 rule name "DNAT UDP 4500"
  destination-address 1.1.1.2 mask 255.255.255.255
  service protocol udp source-port 0 to 65535 destination-port 4500
  action destination-nat static address-to-address address 192.168.40.2 
 rule name "DNAT UDP 500"
  destination-address 1.1.1.2 mask 255.255.255.255
  service protocol udp source-port 0 to 65535 destination-port 500
  action destination-nat static address-to-address address 192.168.40.2 
 rule name SNAT
  egress-interface GigabitEthernet1/0/6
  action source-nat easy-ip
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return  

FW-TJ.cfg


!Software Version V500R005C10SPC300
!Last configuration was saved at 2023-03-20 03:08:31 UTC
#
sysname FW-TJ
#
 l2tp domain suffix-separator @
#
 ipsec sha2 compatible enable 
#
undo telnet server enable
undo telnet ipv6 server enable
#
 update schedule location-sdb weekly Sun 06:15
#
 firewall defend action discard
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
page-setting
 user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
 undo ips log merge enable
#
 decoding uri-cache disable
#
 update schedule ips-sdb daily 03:45
 update schedule av-sdb daily 03:45
 update schedule sa-sdb daily 03:45
 update schedule cnc daily 03:45
 update schedule file-reputation daily 03:45
#
ip vpn-instance default
 ipv4-family
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day   
#
acl number 3000
 rule 5 permit ip source 192.168.100.0 0.0.0.255 destination 10.0.0.0 0.255.255.255 
#
ipsec proposal prop20311533248
 encapsulation-mode auto
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128 
 dh group14 
 authentication-algorithm sha2-512 sha2-384 sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
ike proposal 1
 encryption-algorithm aes-256 
 dh group14 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
ike peer ike20311533248
 exchange-mode auto
 pre-shared-key %^%#>mGX3/DEMS&za9Jnk*bRt,}z#/hGw3G%+&=`X5W.%^%#
 ike-proposal 1
 remote-id-type ip
 remote-id 1.1.1.2
 local-id 2.2.2.2
 dpd type periodic
 remote-address 1.1.1.2 
#
ipsec policy ipsec203115330 1 isakmp
 security acl 3000
 ike-peer ike20311533248
 proposal prop20311533248
 tunnel local applied-interface
 alias ipsec-tj 
 sa trigger-mode auto
 sa duration traffic-based 10485760
 sa duration time-based 3600
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin 
  password cipher @%@%V5ix8UyTG44K4PG,2<=!HbIpg$ob2`4>h7sk-Y)R\R(%bIsH@%@%
  service-type web terminal 
  level 15 

 manager-user api-admin 
  password cipher @%@%Sr|_@R.p/LMKFfN6p.Y8[bXVfYB/BA(0RKv6b+"KTbo*bXY[@%@%
  level 15 

 manager-user admin 
  password cipher @%@%uV\t'gaj,+|v/x4=c@~J`[/lVnLSR95o7Y,*-/SHTp0Y[/o`@%@%
  service-type web terminal 
  level 15 

 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.20.13 255.255.255.0
 alias GE0/METH
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/0
 undo shutdown
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 2.2.2.2 255.255.255.252
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 ipsec policy ipsec203115330
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.100.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 2.2.2.1
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 default action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
 rule name "NOT SNAT FOR 192.168.100.0/24"
  egress-interface GigabitEthernet1/0/1
  source-address 192.168.100.0 mask 255.255.255.0
  destination-address 10.0.0.0 mask 255.255.255.0
  action no-nat
 rule name SNAT
  egress-interface GigabitEthernet1/0/1
  action source-nat easy-ip
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return  

VPN.cfg


!Software Version V500R005C10SPC300
!Last configuration was saved at 2023-03-21 09:24:01 UTC
#
sysname VPN
#
 l2tp domain suffix-separator @
#
 ipsec sha2 compatible enable 
#
undo telnet server enable
undo telnet ipv6 server enable
#
 update schedule location-sdb weekly Sun 06:17
#
 firewall defend action discard
#
 banner enable
#
 user-manage web-authentication security port 8887
 undo privacy-statement english
 undo privacy-statement chinese
page-setting
 user-manage security version tlsv1.1 tlsv1.2
password-policy
 level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
 web-manager security version tlsv1.1 tlsv1.2
 web-manager enable
 web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
 undo ips log merge enable
#
 decoding uri-cache disable
#
 update schedule ips-sdb daily 22:40
 update schedule av-sdb daily 22:40
 update schedule sa-sdb daily 22:40
 update schedule cnc daily 22:40
 update schedule file-reputation daily 22:40
#
ip vpn-instance default
 ipv4-family
#
 time-range worktime
  period-range 08:00:00 to 18:00:00 working-day   
#
acl number 3000
 rule 5 permit ip source 10.0.0.0 0.0.0.255 destination 192.168.100.0 0.0.0.255 
#
ipsec proposal prop21316393881
 encapsulation-mode auto
 esp authentication-algorithm sha2-256 
 esp encryption-algorithm aes-256 
#
ike proposal default
 encryption-algorithm aes-256 aes-192 aes-128 
 dh group14 
 authentication-algorithm sha2-512 sha2-384 sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
ike proposal 1
 encryption-algorithm aes-256 
 dh group14 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
ike peer ike213163938816
 exchange-mode auto
 pre-shared-key %^%#%"=T17GK4LSHF(WP_,I0EaC^QoiS=4/)sJ>O6>2'%^%#
 ike-proposal 1
 remote-id-type ip
 remote-id 2.2.2.2
 local-id 1.1.1.2
 dpd type periodic
 remote-address 2.2.2.2 
#
ipsec policy ipsec2131639384 1 isakmp
 security acl 3000
 ike-peer ike213163938816
 proposal prop21316393881
 tunnel local applied-interface
 alias ipsec-bj 
 sa trigger-mode auto
 sa duration traffic-based 10485760
 sa duration time-based 3600
#
aaa
 authentication-scheme default
 authentication-scheme admin_local
 authentication-scheme admin_radius_local
 authentication-scheme admin_hwtacacs_local
 authentication-scheme admin_ad_local
 authentication-scheme admin_ldap_local
 authentication-scheme admin_radius
 authentication-scheme admin_hwtacacs
 authentication-scheme admin_ad
 authorization-scheme default
 accounting-scheme default
 domain default
  service-type internetaccess ssl-vpn l2tp ike
  internet-access mode password
  reference user current-domain
 manager-user audit-admin 
  password cipher @%@%8azD3YE\e,CQ6;ZW^{f:X'Ih-=\<8OxpM@0Y:3HF4Am@'IkX@%@%
  service-type web terminal 
  level 15 

 manager-user api-admin 
  password cipher @%@%igXR#;oDGKmbC1DxfUL1Rq)>k}.]48\e`+/5G2Yj2PsPq)AR@%@%
  level 15 

 manager-user admin 
  password cipher @%@%`>i59$y0";%C<kGmm6UMhVgg|~$RADLAjP{l>]Xd^Vo6Vgjh@%@%
  service-type web terminal 
  level 15 

 role system-admin
 role device-admin
 role device-admin(monitor)
 role audit-admin
 bind manager-user audit-admin role audit-admin
 bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
 undo shutdown
 ip binding vpn-instance default
 ip address 192.168.20.12 255.255.255.0
 alias GE0/METH
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/0
 undo shutdown
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 80.0.0.2 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.40.2 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ping permit
 service-manage ssh permit
 service-manage snmp permit
 service-manage telnet permit
 ipsec policy ipsec2131639384
#
interface GigabitEthernet1/0/3
 undo shutdown
#
interface GigabitEthernet1/0/4
 undo shutdown
#
interface GigabitEthernet1/0/5
 undo shutdown
#
interface GigabitEthernet1/0/6
 undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
 add interface GigabitEthernet1/0/2
#
firewall zone untrust
 set priority 5
#
firewall zone dmz
 set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 192.168.40.1
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
 mode proportion-of-weight
#
right-manager server-group
#
device-classification
 device-group pc
 device-group mobile-terminal
 device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
 default action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return  

SW.cfg


#
sysname SW
#
vlan batch 10 20 30 40 50
#
stp disable
#
cluster enable
ntdp enable
ndp enable
#
undo nap slave enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
vlan 10
 description guanli
vlan 20
 description bangong
vlan 30
 description server
vlan 40
 description wuxian-yewu
vlan 50
 description wuxian-guanli
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password simple admin
 local-user admin service-type http
 local-user telnet password cipher A-+=WM`TG,)NZPO3JBXBHA!!
 local-user telnet service-type telnet
#
interface Vlanif1
#
interface Vlanif10
 ip address 192.168.20.254 255.255.255.0 
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 40
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 40 50
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 50
 port trunk allow-pass vlan 40 50
#
interface GigabitEthernet0/0/4
 port link-type access
#
interface GigabitEthernet0/0/5
 port link-type access
#
interface GigabitEthernet0/0/6
 port link-type access
#
interface GigabitEthernet0/0/7
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/8
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/9
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/10
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/11
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/12
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/13
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/14
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/15
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/16
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/17
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/18
 port link-type access
 port default vlan 30
#
interface GigabitEthernet0/0/19
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/20
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/21
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/22
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/23
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/24
 port link-type access
 port default vlan 10
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.1
#
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
#
port-group bangong
 group-member GigabitEthernet0/0/7
 group-member GigabitEthernet0/0/8
 group-member GigabitEthernet0/0/9
 group-member GigabitEthernet0/0/10
 group-member GigabitEthernet0/0/11
 group-member GigabitEthernet0/0/12
#
port-group guanli
 group-member GigabitEthernet0/0/19
 group-member GigabitEthernet0/0/20
 group-member GigabitEthernet0/0/21
 group-member GigabitEthernet0/0/22
 group-member GigabitEthernet0/0/23
 group-member GigabitEthernet0/0/24
#
port-group server
 group-member GigabitEthernet0/0/13
 group-member GigabitEthernet0/0/14
 group-member GigabitEthernet0/0/15
 group-member GigabitEthernet0/0/16
 group-member GigabitEthernet0/0/17
 group-member GigabitEthernet0/0/18
#
return

AC.cfg


[V200R007C10SPC300]
#
 sysname AC
#
 set memory-usage threshold 0
#
ssl renegotiation-rate 1 
#
vlan batch 10 40 50
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
 rsa local-key-pair default
 enrollment self-signed
#
ike proposal default
 encryption-algorithm aes-256 
 dh group14 
 authentication-algorithm sha2-256 
 authentication-method pre-share
 integrity-algorithm hmac-sha2-256 
 prf hmac-sha2-256 
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme radius
  radius-server default
 domain default_admin
  authentication-scheme default
 local-user admin password irreversible-cipher $1a$.#W$6hAnhG$"jIhCdQ%gEBM$n,Hn|pY\"d(%$ayJ+'5}vIYY<<S$
 local-user admin privilege level 15
 local-user admin service-type http
#
interface Vlanif10
 ip address 192.168.20.253 255.255.255.0
#
interface Vlanif40
 ip address 192.168.30.254 255.255.255.0
#
interface Vlanif50
 ip address 192.168.50.254 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 40 50
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
 undo negotiation auto
 duplex half
#
interface GigabitEthernet0/0/8
 undo negotiation auto
 duplex half
#
interface NULL0
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.1
#
capwap source interface vlanif50
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#
wlan
 traffic-profile name default
 security-profile name 1
 security-profile name default
 security-profile name default-wds
 security-profile name default-mesh
 ssid-profile name 1
  ssid 1
 ssid-profile name 2
  ssid 2
 ssid-profile name default
 vap-profile name 1
  service-vlan vlan-id 40
  ssid-profile 1
  security-profile 1
 vap-profile name 2
  service-vlan vlan-id 40
  ssid-profile 2
  security-profile 1
 vap-profile name default
 wds-profile name default
 mesh-handover-profile name default
 mesh-profile name default
 regulatory-domain-profile name area
 regulatory-domain-profile name default
 air-scan-profile name default
 rrm-profile name default
 radio-2g-profile name default
 radio-5g-profile name default
 wids-spoof-profile name default
 wids-profile name default
 wireless-access-specification
 ap-system-profile name default
 port-link-profile name default
 wired-port-profile name default
 serial-profile name preset-enjoyor-toeap 
 ap-group name AP
  regulatory-domain-profile area
 ap-group name we
  radio 0
   vap-profile 1 wlan 1
  radio 1
   vap-profile 2 wlan 2
 ap-group name default
 ap-id 0 type-id 69 ap-mac 00e0-fcfe-65d0 ap-sn 210235448310896B403C
  ap-group we
 provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return

Server.cfg


[V200R003C00]
#
 sysname Server
#
 board add 0/2 1GEC 
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
stp disable
#
 set cpu-usage threshold 80 restore 75
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface GigabitEthernet0/0/0
 ip address 10.0.0.2 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 80.0.0.2 255.255.255.0 
#
interface GigabitEthernet2/0/0
 ip address 192.168.20.10 255.255.255.0 
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

bangong-pc.cfg


[V200R003C00]
#
 sysname bangong-pc
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent 
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
 set cpu-usage threshold 80 restore 75
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface GigabitEthernet0/0/0
 ip address 192.168.10.2 255.255.255.0 
#
interface GigabitEthernet0/0/1
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.10.1
#
user-interface con 0
 authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

写在最后

余生可能与动态路由和标签转发什么的无缘了,😂,不再搭实验弄了。

网络项目要因地制宜,无论什么规模上来都套大的模板不太合适。能高效地解决用户的需求,最小代价实现需要的功能为主。

需要拓扑图的可以留个邮箱,私发给你们。机器启动时最好一个个开,否则可能丢配置。对了,实际工作中,别忘了配完保存一下,否则重启后新加的配置全没了,哈哈哈。

That's it, if my content is good for you, don't forget to subscribe to it! Bye!

posted @ 2023-03-22 12:01  neutrinos  阅读(516)  评论(0编辑  收藏  举报