实例图:
配置步骤:
Fr1的配置:
配置ip地址:
inter Ether 0/1
ip add 10.10.10.2 255.255.255.0
quit
inter Ether 0/2
ip add 192.168.1.254 255.255.255.0
ip route-static 0.0.0.0 0 10.10.10.1 // 默认路由
开启防火墙默认策略
[F1]firewall packet-filter default permit
把端口 Ether 0/1 Ether 0/2加入到信任端口
[F1]firewall zone trust
[F1-zone-trust]add inter Ether 0/1
[F1-zone-trust]add inter Ether 0/2
quit
创建访问控制列表
[F1]acl number 3000
[F1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[F1-acl-adv-3000]rule deny ip source any destination any
[F1-acl-adv-3000]quit
[F1]acl number 3001
[F1-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[F1-acl-adv-3001]rule deny ip source any destination any
[F1-acl-adv-3001]quit
[F1]ike peer peer1 //指定peer的对等体
[F1-ike-peer-peer1]exchange-mode aggressive //更改为野蛮模式
[F1-ike-peer-peer1]pre-shared-key 12345 //配置预共享密匙
[F1-ike-peer-peer1]id-type name //启用名字的方式
[F1-ike-peer-peer1]remote-name Fr2
[F1-ike-peer-peer2]local-address 10.10.10.2
[F1-ike-peer-peer1]quit
[F1]ike peer peer2
[F1-ike-peer-peer2]pre-shared-key abcde
[F1-ike-peer-peer2]exchange-mode aggressive
[F1-ike-peer-peer2]id-type name
[F1-ike-peer-peer2]local-address 10.10.10.2
[F1-ike-peer-peer2]remote-name Fr3
[F1-ike-peer-peer2]quit
[F1]
[F1]ipsec proposal tran1 //安全提议
[F1-ipsec-proposal-tran1]encapsulation-mode tunnel
[F1-ipsec-proposal-tran1]transform esp
[F1-ipsec-proposal-tran1]esp encryption-algorithm des
[F1-ipsec-proposal-tran1]esp authentication-algorithm md5
[F1-ipsec-proposal-tran1]quit
[F1]
[F1]ipsec proposal tran2
[F1-ipsec-proposal-tran2]encapsulation-mode tunnel
[F1-ipsec-proposal-tran2]transform esp
[F1-ipsec-proposal-tran2]esp encryption-algorithm des
[F1-ipsec-proposal-tran2]esp authentication-algorithm md5
[F1-ipsec-proposal-tran2]quit
应用提议
[F1]ipsec policy policy 10
[F1]ipsec policy policy 10 isakmp
[F1-ipsec-policy-isakmp-policy-10]ike-peer peer1
[F1-ipsec-policy-isakmp-policy-10]proposal tran1
[F1-ipsec-policy-isakmp-policy-10]security acl 3000
[F1-ipsec-policy-isakmp-policy-10]quit
[F1]
[F1]ipsec policy policy 20
[F1]ipsec policy policy 20 isakmp
[F1-ipsec-policy-isakmp-policy-20]ike-peer peer2
[F1-ipsec-policy-isakmp-policy-20]proposal tran2
[F1-ipsec-policy-isakmp-policy-20]security acl 3001
[F1-ipsec-policy-isakmp-policy-20]quit
[F1]
应用于接口
[F1]inter Ether 0/1
[F1-Ethernet0/1]ipsec policy policy
[F1-Ethernet0/1]quit
[F1]
[F1-zone-trust]dis cu
#
sysname F1
#
super password level 3 simple 123
#
l2tp enable
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
local-user user1
password simple 123
service-type telnet
level 3
#
ike peer peer1
exchange-mode aggressive
pre-shared-key 12345
id-type name
remote-name Fr2
local-address 10.10.10.2
#
ike peer peer2
exchange-mode aggressive
pre-shared-key abcde
id-type name
remote-name Fr3
local-address 10.10.10.2
#
ipsec proposal tran1
#
ipsec proposal tran2
#
ipsec policy policy 10 isakmp
security acl 3000
ike-peer peer1
proposal tran1
#
ipsec policy policy 20 isakmp
security acl 3001
ike-peer peer2
proposal tran2
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 1 deny ip
acl number 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.100.41 255.255.255.0
#
interface Ethernet0/1
ip address 10.10.10.2 255.0.0.0
ipsec policy policy
#
interface Ethernet0/2
ip address 192.168.1.254 255.255.255.0
#
interface Ethernet0/3
#
interface Ethernet0/4
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/2
set priority 85
#
firewall zone untrust
add interface Ethernet0/4
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[F1-zone-trust]
Fr2配置:
[F2]inter Ether 0/2
[F2-Ethernet0/2]ip add dhcp-alloc
[F2-Ethernet0/2]inter Ether 0/1
[F2-Ethernet0/1]ip add 192.168.2.254 24
[F2-Ethernet0/1]quit
[F2]firewall zone trust
[F2-zone-trust]add inter Ether 0/1
[F2-zone-trust]add inter Ether 0/2
[F2-zone-trust]quit
[F2]ip route-static 0.0.0.0 0 20.20.20.1
[F2]acl number 3000
[F2-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[F2-acl-adv-3000]rule deny ip source any destination any
[F2-acl-adv-3000]quit
[F2]
[F2]ike peer peer1
[F2-ike-peer-peer1]id-type name
[F2-ike-peer-peer1] remote-address 10.10.10.1
[F2-ike-peer-peer1]remote-name Fr1
[F2-ike-peer-peer1]exchange-mode aggressive
[F2-ike-peer-peer1]pre-shared-key 12345
[F2-ike-peer-peer1]quit
[F2]
[F2]ipsec proposal tran1
[F2-ipsec-proposal-tran1]encapsulation-mode tunnel
[F2-ipsec-proposal-tran1]transform esp
[F2-ipsec-proposal-tran1]esp encryption-algorithm des
[F2-ipsec-proposal-tran1]esp authentication-algorithm md5
[F2-ipsec-proposal-tran1]quit
[F2]
[F2]ipsec policy policy 10
此安全策略尚未创建,请指定模式
[F2]ipsec policy policy 10 isakmp
[F2-ipsec-policy-isakmp-policy-10]ike-peer peer1
[F2-ipsec-policy-isakmp-policy-10]proposal tran1
[F2-ipsec-policy-isakmp-policy-10]security acl 3000
[F2-ipsec-policy-isakmp-policy-10]quit
[F2]
应用于接口
[F2]inter Ether 0/2
[F2-Ethernet0/2]ipsec policy policy
[F2-Ethernet0/2]
[F2]dis cu
#
sysname F2
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
local-user user1
password simple 123
service-type telnet
level 3
#
ike peer peer1
exchange-mode aggressive
pre-shared-key 12345
id-type name
remote-name Fr1
remote-address 10.10.10.1
#
ipsec proposal tran1
#
ipsec policy policy 10 isakmp
security acl 3000
ike-peer peer1
proposal tran1
#
acl number 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.100.42 255.255.255.0
#
interface Ethernet0/1
ip address 192.168.2.254 255.255.255.0
#
interface Ethernet0/2
ip address dhcp-alloc
ipsec policy policy
#
interface Ethernet0/3
#
interface Ethernet0/4
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/2
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 20.20.20.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[F2]
Fr3配置:
[F3]inter Ether 0/3
[F3-Ethernet0/3]ip add dhcp-alloc
F3-Ethernet0/3]quit
[F3]
[F3]inter Ether 0/1
[F3-Ethernet0/1]ip add 192.168.3.253 24
[F3-Ethernet0/1]quit
[F3]ip route-static 0.0.0.0 0 30.30.30.1
[F3]firewall zone trust
[F3-zone-trust]add inter Ether 0/1
[F3-zone-trust]add inter Ether 0/3
[F3-zone-trust]quit
[F3]
[F3]acl number 3001
[F3-acl-adv-3001]rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[F3-acl-adv-3001]rule deny ip source any destination any
[F3-acl-adv-3001]quit
[F3]
[F3]ike peer peer2
[F3-ike-peer-peer2]remote-address 10.10.10.1
[F3-ike-peer-peer2]pre-shared-key abcde
[F3-ike-peer-peer2]remote-name Fr2
[F3-ike-peer-peer2]exchange-mode aggressive
[F3-ike-peer-peer2]id-type name
[F3-ike-peer-peer2]quit
[F3]
[F3]ipsec proposal tran2
[F3-ipsec-proposal-tran2]encapsulation-mode tunnel
[F3-ipsec-proposal-tran2]transform esp
[F3-ipsec-proposal-tran2]esp encryption-algorithm des
[F3-ipsec-proposal-tran2]esp authentication-algorithm md5
[F3-ipsec-proposal-tran2]quit
[F3]
[F3]ipsec policy policy 20
此安全策略尚未创建,请指定模式
[F3]ipsec policy policy 20 isakmp
[F3-ipsec-policy-isakmp-policy-20]ike-peer peer2
[F3-ipsec-policy-isakmp-policy-20]proposal tran2
[F3-ipsec-policy-isakmp-policy-20]security acl 3001
[F3-ipsec-policy-isakmp-policy-20]quit
[F3]
[F3]inter Ether 0/3
[F3-Ethernet0/3]ipsec policy policy
[F3-Ethernet0/3]quit
[F3]
[F3]dis cu
#
sysname F3
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user user1
password simple 123
service-type telnet
level 3
#
ike peer peer2
exchange-mode aggressive
id-type name
remote-name Fr3
remote-address 10.10.10.1
#
ipsec proposal tran2
#
ipsec policy policy 20 isakmp
security acl 3001
ike-peer peer2
proposal tran2
#
acl number 3001
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.100.43 255.255.255.0
#
interface Ethernet0/1
ip address 192.168.3.254 255.255.255.0
#
interface Ethernet0/2
#
interface Ethernet0/3
ip address dhcp-alloc
ipsec policy policy
#
interface Ethernet0/4
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/3
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 30.30.30.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[F3]
Sw13配置:
[SW13]vlan 10
[SW13-vlan10]vlan 20
[SW13-vlan20]vlan 30
[SW13-vlan30]port e 0/20
[SW13-vlan30]vlan 20
[SW13-vlan20]port e 0/10
[SW13-vlan20]vlan 10
[SW13-vlan10]port e 0/5
[SW13-vlan10]quit
[SW13]inter vlan 10
[SW13-Vlan-interface10]ip add 10.10.10.1 255.255.255.0
[SW13-Vlan-interface10]quit
[SW13]inter vlan 20
[SW13-Vlan-interface20]ip add 20.20.20.1 255.255.255.0
[SW13-Vlan-interface20]inter vlan 30
[SW13-Vlan-interface30]ip add 30.30.30.1 255.255.255.0
[SW13-Vlan-interface30]quit
[SW13]
[SW13]dhcp enable
DHCP任务已经启动!
[SW13]dhcp server ip-pool Fr2
[SW13-dhcp-fr2]network 20.20.20.1 mask 255.255.255.0
[SW13-dhcp-fr2]gateway-list 20.20.20.1
[SW13-dhcp-fr2]quit
[SW13]dhcp server ip-pool Fr3
[SW13-dhcp-fr3]network 30.30.30.1 mask 255.255.255.0
[SW13-dhcp-fr3]gateway-list 30.30.30.1
[SW13-dhcp-fr3]quit
[SW13]dhcp server forbidden-ip 20.20.20.1
[SW13]dhcp server forbidden-ip 30.30.30.1
[SW13]
[SW13]dis cu
#
sysname SW13
#
radius scheme system
server-type huawei
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
domain system
radius-scheme system
access-limit disable
state active
vlan-assignment-mode integer
idle-cut disable
self-service-url disable
messenger time disable
domain default enable system
#
local-server nas-ip 127.0.0.1 key huawei
local-user user1
password simple 123
service-type telnet level 3
#
dhcp server ip-pool f2
#
dhcp server ip-pool fr2
network 20.20.20.0 mask 255.255.255.0
gateway-list 20.20.20.1
#
dhcp server ip-pool fr3
network 30.30.30.0 mask 255.255.255.0
gateway-list 30.30.30.1
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface1
ip address 192.168.100.33 255.255.255.0
#
interface Vlan-interface10
ip address 10.10.10.1 255.255.255.0
#
interface Vlan-interface20
ip address 20.20.20.1 255.255.255.0
#
interface Vlan-interface30
ip address 30.30.30.1 255.255.255.0
#
interface Aux0/0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
#
interface Ethernet0/5
port access vlan 10
#
interface Ethernet0/6
#
interface Ethernet0/7
#
interface Ethernet0/8
#
interface Ethernet0/9
#
interface Ethernet0/10
port access vlan 20
#
interface Ethernet0/11
#
interface Ethernet0/12
#
interface Ethernet0/13
#
interface Ethernet0/14
#
interface Ethernet0/15
#
interface Ethernet0/16
#
interface Ethernet0/17
#
interface Ethernet0/18
#
interface Ethernet0/19
#
interface Ethernet0/20
port access vlan 30
#
interface Ethernet0/21
#
interface Ethernet0/22
#
interface Ethernet0/23
#
interface Ethernet0/24
#
interface NULL0
#
dhcp server forbidden-ip 20.20.20.0 20.20.20.1
dhcp server forbidden-ip 30.30.30.0 30.30.30.1
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[SW13]
配置步骤:
Fr1的配置:
inter Ether 0/1
ip add 10.10.10.2 255.255.255.0
quit
inter Ether 0/2
ip add 192.168.1.254 255.255.255.0
ip route-static 0.0.0.0 0 10.10.10.1
[F1]firewall packet-filter default permit
[F1]firewall zone trust
[F1-zone-trust]add inter Ether 0/1
[F1-zone-trust]add inter Ether 0/2
quit
[F1]acl number 3000
[F1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[F1-acl-adv-3000]rule deny ip source any destination any
[F1-acl-adv-3000]quit
[F1]acl number 3001
[F1-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[F1-acl-adv-3001]rule deny ip source any destination any
[F1-acl-adv-3001]quit
[F1]ike peer peer1
[F1-ike-peer-peer1]exchange-mode aggressive
[F1-ike-peer-peer1]pre-shared-key 12345
[F1-ike-peer-peer1]local-address 10.10.10.2
[F1-ike-peer-peer1]id-type name
[F1-ike-peer-peer1]remote-name Fr2
[F1-ike-peer-peer1]quit
[F1]ike peer peer2
[F1-ike-peer-peer2]pre-shared-key abcde
[F1-ike-peer-peer2]exchange-mode aggressive
[F1-ike-peer-peer2]id-type name
[F1-ike-peer-peer2]local-address 10.10.10.2
[F1-ike-peer-peer2]remote-name Fr3
[F1-ike-peer-peer2]quit
[F1]
[F1]ipsec proposal tran1
[F1-ipsec-proposal-tran1]encapsulation-mode tunnel
[F1-ipsec-proposal-tran1]transform esp
[F1-ipsec-proposal-tran1]esp encryption-algorithm des
[F1-ipsec-proposal-tran1]esp authentication-algorithm md5
[F1-ipsec-proposal-tran1]quit
[F1]
[F1]ipsec proposal tran2
[F1-ipsec-proposal-tran2]encapsulation-mode tunnel
[F1-ipsec-proposal-tran2]transform esp
[F1-ipsec-proposal-tran2]esp encryption-algorithm des
[F1-ipsec-proposal-tran2]esp authentication-algorithm md5
[F1-ipsec-proposal-tran2]quit
[F1]ipsec policy policy 10
[F1]ipsec policy policy 10 isakmp
[F1-ipsec-policy-isakmp-policy-10]ike-peer peer1
[F1-ipsec-policy-isakmp-policy-10]proposal tran1
[F1-ipsec-policy-isakmp-policy-10]security acl 3000
[F1-ipsec-policy-isakmp-policy-10]quit
[F1]
[F1]ipsec policy policy 20
[F1]ipsec policy policy 20 isakmp
[F1-ipsec-policy-isakmp-policy-20]ike-peer peer2
[F1-ipsec-policy-isakmp-policy-20]proposal tran2
[F1-ipsec-policy-isakmp-policy-20]security acl 3001
[F1-ipsec-policy-isakmp-policy-20]quit
[F1]
应用于接口
[F1]inter Ether 0/1
[F1-Ethernet0/1]ipsec policy policy
[F1-Ethernet0/1]quit
[F1]
[F1-zone-trust]dis cu
#
sysname F1
#
super password level 3 simple 123
#
l2tp enable
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
local-user user1
password simple 123
service-type telnet
level 3
#
ike peer peer1
exchange-mode aggressive
pre-shared-key 12345
id-type name
remote-name Fr2
local-address 10.10.10.2
#
ike peer peer2
exchange-mode aggressive
pre-shared-key abcde
id-type name
remote-name Fr3
local-address 10.10.10.2
#
ipsec proposal tran1
#
ipsec proposal tran2
#
ipsec policy policy 10 isakmp
security acl 3000
ike-peer peer1
proposal tran1
#
ipsec policy policy 20 isakmp
security acl 3001
ike-peer peer2
proposal tran2
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 1 deny ip
acl number 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.100.41 255.255.255.0
#
interface Ethernet0/1
ip address 10.10.10.2 255.0.0.0
ipsec policy policy
#
interface Ethernet0/2
ip address 192.168.1.254 255.255.255.0
#
interface Ethernet0/3
#
interface Ethernet0/4
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/2
set priority 85
#
firewall zone untrust
add interface Ethernet0/4
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[F1-zone-trust]
Fr2配置:
[F2]inter Ether 0/2
[F2-Ethernet0/2]ip add dhcp-alloc
[F2-Ethernet0/2]inter Ether 0/1
[F2-Ethernet0/1]ip add 192.168.2.254 24
[F2-Ethernet0/1]quit
[F2]firewall zone trust
[F2-zone-trust]add inter Ether 0/1
[F2-zone-trust]add inter Ether 0/2
[F2-zone-trust]quit
[F2]ip route-static 0.0.0.0 0 20.20.20.1
[F2]acl number 3000
[F2-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[F2-acl-adv-3000]rule deny ip source any destination any
[F2-acl-adv-3000]quit
[F2]
[F2]ike peer peer1
[F2-ike-peer-peer1]id-type name
[F2-ike-peer-peer1] remote-address 10.10.10.1
[F2-ike-peer-peer1]remote-name Fr1
[F2-ike-peer-peer1]exchange-mode aggressive
[F2-ike-peer-peer1]pre-shared-key 12345
[F2-ike-peer-peer1]quit
[F2]
[F2]ipsec proposal tran1
[F2-ipsec-proposal-tran1]encapsulation-mode tunnel
[F2-ipsec-proposal-tran1]transform esp
[F2-ipsec-proposal-tran1]esp encryption-algorithm des
[F2-ipsec-proposal-tran1]esp authentication-algorithm md5
[F2-ipsec-proposal-tran1]quit
[F2]
[F2]ipsec policy policy 10
此安全策略尚未创建,请指定模式
[F2]ipsec policy policy 10 isakmp
[F2-ipsec-policy-isakmp-policy-10]ike-peer peer1
[F2-ipsec-policy-isakmp-policy-10]proposal tran1
[F2-ipsec-policy-isakmp-policy-10]security acl 3000
[F2-ipsec-policy-isakmp-policy-10]quit
[F2]
应用于接口
[F2]inter Ether 0/2
[F2-Ethernet0/2]ipsec policy policy
[F2-Ethernet0/2]
[F2]dis cu
#
sysname F2
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
local-user user1
password simple 123
service-type telnet
level 3
#
ike peer peer1
exchange-mode aggressive
pre-shared-key 12345
id-type name
remote-name Fr1
remote-address 10.10.10.1
#
ipsec proposal tran1
#
ipsec policy policy 10 isakmp
security acl 3000
ike-peer peer1
proposal tran1
#
acl number 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.100.42 255.255.255.0
#
interface Ethernet0/1
ip address 192.168.2.254 255.255.255.0
#
interface Ethernet0/2
ip address dhcp-alloc
ipsec policy policy
#
interface Ethernet0/3
#
interface Ethernet0/4
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/2
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 20.20.20.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[F2]
Fr3配置:
[F3]inter Ether 0/3
[F3-Ethernet0/3]ip add dhcp-alloc
F3-Ethernet0/3]quit
[F3]
[F3]inter Ether 0/1
[F3-Ethernet0/1]ip add 192.168.3.253 24
[F3-Ethernet0/1]quit
[F3]ip route-static 0.0.0.0 0 30.30.30.1
[F3]firewall zone trust
[F3-zone-trust]add inter Ether 0/1
[F3-zone-trust]add inter Ether 0/3
[F3-zone-trust]quit
[F3]
[F3]acl number 3001
[F3-acl-adv-3001]rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[F3-acl-adv-3001]rule deny ip source any destination any
[F3-acl-adv-3001]quit
[F3]
[F3]ike peer peer2
[F3-ike-peer-peer2]remote-address 10.10.10.1
[F3-ike-peer-peer2]pre-shared-key abcde
[F3-ike-peer-peer2]remote-name Fr2
[F3-ike-peer-peer2]exchange-mode aggressive
[F3-ike-peer-peer2]id-type name
[F3-ike-peer-peer2]quit
[F3]
[F3]ipsec proposal tran2
[F3-ipsec-proposal-tran2]encapsulation-mode tunnel
[F3-ipsec-proposal-tran2]transform esp
[F3-ipsec-proposal-tran2]esp encryption-algorithm des
[F3-ipsec-proposal-tran2]esp authentication-algorithm md5
[F3-ipsec-proposal-tran2]quit
[F3]
[F3]ipsec policy policy 20
此安全策略尚未创建,请指定模式
[F3]ipsec policy policy 20 isakmp
[F3-ipsec-policy-isakmp-policy-20]ike-peer peer2
[F3-ipsec-policy-isakmp-policy-20]proposal tran2
[F3-ipsec-policy-isakmp-policy-20]security acl 3001
[F3-ipsec-policy-isakmp-policy-20]quit
[F3]
[F3]inter Ether 0/3
[F3-Ethernet0/3]ipsec policy policy
[F3-Ethernet0/3]quit
[F3]
[F3]dis cu
#
sysname F3
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user user1
password simple 123
service-type telnet
level 3
#
ike peer peer2
exchange-mode aggressive
id-type name
remote-name Fr3
remote-address 10.10.10.1
#
ipsec proposal tran2
#
ipsec policy policy 20 isakmp
security acl 3001
ike-peer peer2
proposal tran2
#
acl number 3001
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.100.43 255.255.255.0
#
interface Ethernet0/1
ip address 192.168.3.254 255.255.255.0
#
interface Ethernet0/2
#
interface Ethernet0/3
ip address dhcp-alloc
ipsec policy policy
#
interface Ethernet0/4
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/3
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 30.30.30.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[F3]
Sw13配置:
[SW13]vlan 10
[SW13-vlan10]vlan 20
[SW13-vlan20]vlan 30
[SW13-vlan30]port e 0/20
[SW13-vlan30]vlan 20
[SW13-vlan20]port e 0/10
[SW13-vlan20]vlan 10
[SW13-vlan10]port e 0/5
[SW13-vlan10]quit
[SW13]inter vlan 10
[SW13-Vlan-interface10]ip add 10.10.10.1 255.255.255.0
[SW13-Vlan-interface10]quit
[SW13]inter vlan 20
[SW13-Vlan-interface20]ip add 20.20.20.1 255.255.255.0
[SW13-Vlan-interface20]inter vlan 30
[SW13-Vlan-interface30]ip add 30.30.30.1 255.255.255.0
[SW13-Vlan-interface30]quit
[SW13]
[SW13]dhcp enable
DHCP任务已经启动!
[SW13]dhcp server ip-pool Fr2
[SW13-dhcp-fr2]network 20.20.20.1 mask 255.255.255.0
[SW13-dhcp-fr2]gateway-list 20.20.20.1
[SW13-dhcp-fr2]quit
[SW13]dhcp server ip-pool Fr3
[SW13-dhcp-fr3]network 30.30.30.1 mask 255.255.255.0
[SW13-dhcp-fr3]gateway-list 30.30.30.1
[SW13-dhcp-fr3]quit
[SW13]dhcp server forbidden-ip 20.20.20.1
[SW13]dhcp server forbidden-ip 30.30.30.1
[SW13]
[SW13]dis cu
#
sysname SW13
#
radius scheme system
server-type huawei
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
domain system
radius-scheme system
access-limit disable
state active
vlan-assignment-mode integer
idle-cut disable
self-service-url disable
messenger time disable
domain default enable system
#
local-server nas-ip 127.0.0.1 key huawei
local-user user1
password simple 123
service-type telnet level 3
#
dhcp server ip-pool f2
#
dhcp server ip-pool fr2
network 20.20.20.0 mask 255.255.255.0
gateway-list 20.20.20.1
#
dhcp server ip-pool fr3
network 30.30.30.0 mask 255.255.255.0
gateway-list 30.30.30.1
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface1
ip address 192.168.100.33 255.255.255.0
#
interface Vlan-interface10
ip address 10.10.10.1 255.255.255.0
#
interface Vlan-interface20
ip address 20.20.20.1 255.255.255.0
#
interface Vlan-interface30
ip address 30.30.30.1 255.255.255.0
#
interface Aux0/0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
#
interface Ethernet0/5
port access vlan 10
#
interface Ethernet0/6
#
interface Ethernet0/7
#
interface Ethernet0/8
#
interface Ethernet0/9
#
interface Ethernet0/10
port access vlan 20
#
interface Ethernet0/11
#
interface Ethernet0/12
#
interface Ethernet0/13
#
interface Ethernet0/14
#
interface Ethernet0/15
#
interface Ethernet0/16
#
interface Ethernet0/17
#
interface Ethernet0/18
#
interface Ethernet0/19
#
interface Ethernet0/20
port access vlan 30
#
interface Ethernet0/21
#
interface Ethernet0/22
#
interface Ethernet0/23
#
interface Ethernet0/24
#
interface NULL0
#
dhcp server forbidden-ip 20.20.20.0 20.20.20.1
dhcp server forbidden-ip 30.30.30.0 30.30.30.1
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[SW13]
配置步骤:
Fr1的配置:
inter Ether 0/1
ip add 10.10.10.2 255.255.255.0
quit
inter Ether 0/2
ip add 192.168.1.254 255.255.255.0
ip route-static 0.0.0.0 0 10.10.10.1
[F1]firewall packet-filter default permit
[F1]firewall zone trust
[F1-zone-trust]add inter Ether 0/1
[F1-zone-trust]add inter Ether 0/2
quit
[F1]acl number 3000
[F1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[F1-acl-adv-3000]rule deny ip source any destination any
[F1-acl-adv-3000]quit
[F1]acl number 3001
[F1-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
[F1-acl-adv-3001]rule deny ip source any destination any
[F1-acl-adv-3001]quit
[F1]ike peer peer1
[F1-ike-peer-peer1]exchange-mode aggressive
[F1-ike-peer-peer1]pre-shared-key 12345
[F1-ike-peer-peer1]local-address 10.10.10.2
[F1-ike-peer-peer1]id-type name
[F1-ike-peer-peer1]remote-name Fr2
[F1-ike-peer-peer1]quit
[F1]ike peer peer2
[F1-ike-peer-peer2]pre-shared-key abcde
[F1-ike-peer-peer2]exchange-mode aggressive
[F1-ike-peer-peer2]id-type name
[F1-ike-peer-peer2]local-address 10.10.10.2
[F1-ike-peer-peer2]remote-name Fr3
[F1-ike-peer-peer2]quit
[F1]
[F1]ipsec proposal tran1
[F1-ipsec-proposal-tran1]encapsulation-mode tunnel
[F1-ipsec-proposal-tran1]transform esp
[F1-ipsec-proposal-tran1]esp encryption-algorithm des
[F1-ipsec-proposal-tran1]esp authentication-algorithm md5
[F1-ipsec-proposal-tran1]quit
[F1]
[F1]ipsec proposal tran2
[F1-ipsec-proposal-tran2]encapsulation-mode tunnel
[F1-ipsec-proposal-tran2]transform esp
[F1-ipsec-proposal-tran2]esp encryption-algorithm des
[F1-ipsec-proposal-tran2]esp authentication-algorithm md5
[F1-ipsec-proposal-tran2]quit
[F1]ipsec policy policy 10
[F1]ipsec policy policy 10 isakmp
[F1-ipsec-policy-isakmp-policy-10]ike-peer peer1
[F1-ipsec-policy-isakmp-policy-10]proposal tran1
[F1-ipsec-policy-isakmp-policy-10]security acl 3000
[F1-ipsec-policy-isakmp-policy-10]quit
[F1]
[F1]ipsec policy policy 20
[F1]ipsec policy policy 20 isakmp
[F1-ipsec-policy-isakmp-policy-20]ike-peer peer2
[F1-ipsec-policy-isakmp-policy-20]proposal tran2
[F1-ipsec-policy-isakmp-policy-20]security acl 3001
[F1-ipsec-policy-isakmp-policy-20]quit
[F1]
应用于接口
[F1]inter Ether 0/1
[F1-Ethernet0/1]ipsec policy policy
[F1-Ethernet0/1]quit
[F1]
[F1-zone-trust]dis cu
#
sysname F1
#
super password level 3 simple 123
#
l2tp enable
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
local-user user1
password simple 123
service-type telnet
level 3
#
ike peer peer1
exchange-mode aggressive
pre-shared-key 12345
id-type name
remote-name Fr2
local-address 10.10.10.2
#
ike peer peer2
exchange-mode aggressive
pre-shared-key abcde
id-type name
remote-name Fr3
local-address 10.10.10.2
#
ipsec proposal tran1
#
ipsec proposal tran2
#
ipsec policy policy 10 isakmp
security acl 3000
ike-peer peer1
proposal tran1
#
ipsec policy policy 20 isakmp
security acl 3001
ike-peer peer2
proposal tran2
#
acl number 3000
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 1 deny ip
acl number 3001
rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.100.41 255.255.255.0
#
interface Ethernet0/1
ip address 10.10.10.2 255.0.0.0
ipsec policy policy
#
interface Ethernet0/2
ip address 192.168.1.254 255.255.255.0
#
interface Ethernet0/3
#
interface Ethernet0/4
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/2
set priority 85
#
firewall zone untrust
add interface Ethernet0/4
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[F1-zone-trust]
Fr2配置:
[F2]inter Ether 0/2
[F2-Ethernet0/2]ip add dhcp-alloc
[F2-Ethernet0/2]inter Ether 0/1
[F2-Ethernet0/1]ip add 192.168.2.254 24
[F2-Ethernet0/1]quit
[F2]firewall zone trust
[F2-zone-trust]add inter Ether 0/1
[F2-zone-trust]add inter Ether 0/2
[F2-zone-trust]quit
[F2]ip route-static 0.0.0.0 0 20.20.20.1
[F2]acl number 3000
[F2-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[F2-acl-adv-3000]rule deny ip source any destination any
[F2-acl-adv-3000]quit
[F2]
[F2]ike peer peer1
[F2-ike-peer-peer1]id-type name
[F2-ike-peer-peer1] remote-address 10.10.10.1
[F2-ike-peer-peer1]remote-name Fr1
[F2-ike-peer-peer1]exchange-mode aggressive
[F2-ike-peer-peer1]pre-shared-key 12345
[F2-ike-peer-peer1]quit
[F2]
[F2]ipsec proposal tran1
[F2-ipsec-proposal-tran1]encapsulation-mode tunnel
[F2-ipsec-proposal-tran1]transform esp
[F2-ipsec-proposal-tran1]esp encryption-algorithm des
[F2-ipsec-proposal-tran1]esp authentication-algorithm md5
[F2-ipsec-proposal-tran1]quit
[F2]
[F2]ipsec policy policy 10
此安全策略尚未创建,请指定模式
[F2]ipsec policy policy 10 isakmp
[F2-ipsec-policy-isakmp-policy-10]ike-peer peer1
[F2-ipsec-policy-isakmp-policy-10]proposal tran1
[F2-ipsec-policy-isakmp-policy-10]security acl 3000
[F2-ipsec-policy-isakmp-policy-10]quit
[F2]
应用于接口
[F2]inter Ether 0/2
[F2-Ethernet0/2]ipsec policy policy
[F2-Ethernet0/2]
[F2]dis cu
#
sysname F2
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
service-type telnet terminal
level 3
service-type ftp
local-user user1
password simple 123
service-type telnet
level 3
#
ike peer peer1
exchange-mode aggressive
pre-shared-key 12345
id-type name
remote-name Fr1
remote-address 10.10.10.1
#
ipsec proposal tran1
#
ipsec policy policy 10 isakmp
security acl 3000
ike-peer peer1
proposal tran1
#
acl number 3000
rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.100.42 255.255.255.0
#
interface Ethernet0/1
ip address 192.168.2.254 255.255.255.0
#
interface Ethernet0/2
ip address dhcp-alloc
ipsec policy policy
#
interface Ethernet0/3
#
interface Ethernet0/4
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/2
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 20.20.20.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[F2]
Fr3配置:
[F3]inter Ether 0/3
[F3-Ethernet0/3]ip add dhcp-alloc
F3-Ethernet0/3]quit
[F3]
[F3]inter Ether 0/1
[F3-Ethernet0/1]ip add 192.168.3.253 24
[F3-Ethernet0/1]quit
[F3]ip route-static 0.0.0.0 0 30.30.30.1
[F3]firewall zone trust
[F3-zone-trust]add inter Ether 0/1
[F3-zone-trust]add inter Ether 0/3
[F3-zone-trust]quit
[F3]
[F3]acl number 3001
[F3-acl-adv-3001]rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[F3-acl-adv-3001]rule deny ip source any destination any
[F3-acl-adv-3001]quit
[F3]
[F3]ike peer peer2
[F3-ike-peer-peer2]remote-address 10.10.10.1
[F3-ike-peer-peer2]pre-shared-key abcde
[F3-ike-peer-peer2]remote-name Fr2
[F3-ike-peer-peer2]exchange-mode aggressive
[F3-ike-peer-peer2]id-type name
[F3-ike-peer-peer2]quit
[F3]
[F3]ipsec proposal tran2
[F3-ipsec-proposal-tran2]encapsulation-mode tunnel
[F3-ipsec-proposal-tran2]transform esp
[F3-ipsec-proposal-tran2]esp encryption-algorithm des
[F3-ipsec-proposal-tran2]esp authentication-algorithm md5
[F3-ipsec-proposal-tran2]quit
[F3]
[F3]ipsec policy policy 20
此安全策略尚未创建,请指定模式
[F3]ipsec policy policy 20 isakmp
[F3-ipsec-policy-isakmp-policy-20]ike-peer peer2
[F3-ipsec-policy-isakmp-policy-20]proposal tran2
[F3-ipsec-policy-isakmp-policy-20]security acl 3001
[F3-ipsec-policy-isakmp-policy-20]quit
[F3]
[F3]inter Ether 0/3
[F3-Ethernet0/3]ipsec policy policy
[F3-Ethernet0/3]quit
[F3]
[F3]dis cu
#
sysname F3
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain system
#
local-user user1
password simple 123
service-type telnet
level 3
#
ike peer peer2
exchange-mode aggressive
id-type name
remote-name Fr3
remote-address 10.10.10.1
#
ipsec proposal tran2
#
ipsec policy policy 20 isakmp
security acl 3001
ike-peer peer2
proposal tran2
#
acl number 3001
rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 deny ip
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.100.43 255.255.255.0
#
interface Ethernet0/1
ip address 192.168.3.254 255.255.255.0
#
interface Ethernet0/2
#
interface Ethernet0/3
ip address dhcp-alloc
ipsec policy policy
#
interface Ethernet0/4
#
interface Encrypt1/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/3
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 30.30.30.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[F3]
Sw13配置:
[SW13]vlan 10
[SW13-vlan10]vlan 20
[SW13-vlan20]vlan 30
[SW13-vlan30]port e 0/20
[SW13-vlan30]vlan 20
[SW13-vlan20]port e 0/10
[SW13-vlan20]vlan 10
[SW13-vlan10]port e 0/5
[SW13-vlan10]quit
[SW13]inter vlan 10
[SW13-Vlan-interface10]ip add 10.10.10.1 255.255.255.0
[SW13-Vlan-interface10]quit
[SW13]inter vlan 20
[SW13-Vlan-interface20]ip add 20.20.20.1 255.255.255.0
[SW13-Vlan-interface20]inter vlan 30
[SW13-Vlan-interface30]ip add 30.30.30.1 255.255.255.0
[SW13-Vlan-interface30]quit
[SW13]
[SW13]dhcp enable
DHCP任务已经启动!
[SW13]dhcp server ip-pool Fr2
[SW13-dhcp-fr2]network 20.20.20.1 mask 255.255.255.0
[SW13-dhcp-fr2]gateway-list 20.20.20.1
[SW13-dhcp-fr2]quit
[SW13]dhcp server ip-pool Fr3
[SW13-dhcp-fr3]network 30.30.30.1 mask 255.255.255.0
[SW13-dhcp-fr3]gateway-list 30.30.30.1
[SW13-dhcp-fr3]quit
[SW13]dhcp server forbidden-ip 20.20.20.1
[SW13]dhcp server forbidden-ip 30.30.30.1
[SW13]
[SW13]dis cu
#
sysname SW13
#
radius scheme system
server-type huawei
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
domain system
radius-scheme system
access-limit disable
state active
vlan-assignment-mode integer
idle-cut disable
self-service-url disable
messenger time disable
domain default enable system
#
local-server nas-ip 127.0.0.1 key huawei
local-user user1
password simple 123
service-type telnet level 3
#
dhcp server ip-pool f2
#
dhcp server ip-pool fr2
network 20.20.20.0 mask 255.255.255.0
gateway-list 20.20.20.1
#
dhcp server ip-pool fr3
network 30.30.30.0 mask 255.255.255.0
gateway-list 30.30.30.1
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
interface Vlan-interface1
ip address 192.168.100.33 255.255.255.0
#
interface Vlan-interface10
ip address 10.10.10.1 255.255.255.0
#
interface Vlan-interface20
ip address 20.20.20.1 255.255.255.0
#
interface Vlan-interface30
ip address 30.30.30.1 255.255.255.0
#
interface Aux0/0
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet0/4
#
interface Ethernet0/5
port access vlan 10
#
interface Ethernet0/6
#
interface Ethernet0/7
#
interface Ethernet0/8
#
interface Ethernet0/9
#
interface Ethernet0/10
port access vlan 20
#
interface Ethernet0/11
#
interface Ethernet0/12
#
interface Ethernet0/13
#
interface Ethernet0/14
#
interface Ethernet0/15
#
interface Ethernet0/16
#
interface Ethernet0/17
#
interface Ethernet0/18
#
interface Ethernet0/19
#
interface Ethernet0/20
port access vlan 30
#
interface Ethernet0/21
#
interface Ethernet0/22
#
interface Ethernet0/23
#
interface Ethernet0/24
#
interface NULL0
#
dhcp server forbidden-ip 20.20.20.0 20.20.20.1
dhcp server forbidden-ip 30.30.30.0 30.30.30.1
#
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[SW13]
测试结果:
192.168.1.0 网段ping同192.168.2.0网段
192.168.1.0 网段ping同192.168.3.0网段