ipsec-野蛮模式

实例图:

ipsec-野蛮模式_border

配置步骤:

Fr1的配置:

配置ip地址:

inter Ether 0/1

ip add 10.10.10.2 255.255.255.0

quit

inter Ether 0/2

ip add 192.168.1.254 255.255.255.0

ip route-static 0.0.0.0 0 10.10.10.1 // 默认路由

开启防火墙默认策略

[F1]firewall packet-filter default permit

把端口 Ether 0/1 Ether 0/2加入到信任端口

[F1]firewall zone trust

[F1-zone-trust]add inter Ether 0/1

[F1-zone-trust]add inter Ether 0/2

quit

创建访问控制列表

[F1]acl number 3000

[F1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

[F1-acl-adv-3000]rule deny ip source any destination any

[F1-acl-adv-3000]quit

[F1]acl number 3001

[F1-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

[F1-acl-adv-3001]rule deny ip source any destination any

[F1-acl-adv-3001]quit

[F1]ike peer peer1 //指定peer的对等体

[F1-ike-peer-peer1]exchange-mode aggressive //更改为野蛮模式

[F1-ike-peer-peer1]pre-shared-key 12345 //配置预共享密匙

[F1-ike-peer-peer1]id-type name //启用名字的方式

[F1-ike-peer-peer1]remote-name Fr2

[F1-ike-peer-peer2]local-address 10.10.10.2

[F1-ike-peer-peer1]quit

[F1]ike peer peer2

[F1-ike-peer-peer2]pre-shared-key abcde

[F1-ike-peer-peer2]exchange-mode aggressive

[F1-ike-peer-peer2]id-type name

[F1-ike-peer-peer2]local-address 10.10.10.2

[F1-ike-peer-peer2]remote-name Fr3

[F1-ike-peer-peer2]quit

[F1]

[F1]ipsec proposal tran1 //安全提议

[F1-ipsec-proposal-tran1]encapsulation-mode tunnel

[F1-ipsec-proposal-tran1]transform esp

[F1-ipsec-proposal-tran1]esp encryption-algorithm des

[F1-ipsec-proposal-tran1]esp authentication-algorithm md5

[F1-ipsec-proposal-tran1]quit

[F1]

[F1]ipsec proposal tran2

[F1-ipsec-proposal-tran2]encapsulation-mode tunnel

[F1-ipsec-proposal-tran2]transform esp

[F1-ipsec-proposal-tran2]esp encryption-algorithm des

[F1-ipsec-proposal-tran2]esp authentication-algorithm md5

[F1-ipsec-proposal-tran2]quit

应用提议

[F1]ipsec policy policy 10

[F1]ipsec policy policy 10 isakmp

[F1-ipsec-policy-isakmp-policy-10]ike-peer peer1

[F1-ipsec-policy-isakmp-policy-10]proposal tran1

[F1-ipsec-policy-isakmp-policy-10]security acl 3000

[F1-ipsec-policy-isakmp-policy-10]quit

[F1]

[F1]ipsec policy policy 20

[F1]ipsec policy policy 20 isakmp

[F1-ipsec-policy-isakmp-policy-20]ike-peer peer2

[F1-ipsec-policy-isakmp-policy-20]proposal tran2

[F1-ipsec-policy-isakmp-policy-20]security acl 3001

[F1-ipsec-policy-isakmp-policy-20]quit

[F1]

应用于接口

[F1]inter Ether 0/1

[F1-Ethernet0/1]ipsec policy policy

[F1-Ethernet0/1]quit

[F1]

[F1-zone-trust]dis cu

#

sysname F1

#

super password level 3 simple 123

#

l2tp enable

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

local-user user1

password simple 123

service-type telnet

level 3

#

ike peer peer1

exchange-mode aggressive

pre-shared-key 12345

id-type name

remote-name Fr2

local-address 10.10.10.2

#

ike peer peer2

exchange-mode aggressive

pre-shared-key abcde

id-type name

remote-name Fr3

local-address 10.10.10.2

#

ipsec proposal tran1

#

ipsec proposal tran2

#

ipsec policy policy 10 isakmp

security acl 3000

ike-peer peer1

proposal tran1

#

ipsec policy policy 20 isakmp

security acl 3001

ike-peer peer2

proposal tran2

#

acl number 3000

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

rule 1 deny ip

acl number 3001

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

rule 1 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 192.168.100.41 255.255.255.0

#

interface Ethernet0/1

ip address 10.10.10.2 255.0.0.0

ipsec policy policy

#

interface Ethernet0/2

ip address 192.168.1.254 255.255.255.0

#

interface Ethernet0/3

#

interface Ethernet0/4

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/1

add interface Ethernet0/2

set priority 85

#

firewall zone untrust

add interface Ethernet0/4

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

ip route-static 0.0.0.0 0.0.0.0 10.10.10.1 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

[F1-zone-trust]

Fr2配置:

[F2]inter Ether 0/2

[F2-Ethernet0/2]ip add dhcp-alloc

[F2-Ethernet0/2]inter Ether 0/1

[F2-Ethernet0/1]ip add 192.168.2.254 24

[F2-Ethernet0/1]quit

[F2]firewall zone trust

[F2-zone-trust]add inter Ether 0/1

[F2-zone-trust]add inter Ether 0/2

[F2-zone-trust]quit

[F2]ip route-static 0.0.0.0 0 20.20.20.1

[F2]acl number 3000

[F2-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

[F2-acl-adv-3000]rule deny ip source any destination any

[F2-acl-adv-3000]quit

[F2]

[F2]ike peer peer1

[F2-ike-peer-peer1]id-type name

[F2-ike-peer-peer1] remote-address 10.10.10.1

[F2-ike-peer-peer1]remote-name Fr1

[F2-ike-peer-peer1]exchange-mode aggressive

[F2-ike-peer-peer1]pre-shared-key 12345

[F2-ike-peer-peer1]quit

[F2]

[F2]ipsec proposal tran1

[F2-ipsec-proposal-tran1]encapsulation-mode tunnel

[F2-ipsec-proposal-tran1]transform esp

[F2-ipsec-proposal-tran1]esp encryption-algorithm des

[F2-ipsec-proposal-tran1]esp authentication-algorithm md5

[F2-ipsec-proposal-tran1]quit

[F2]

[F2]ipsec policy policy 10

此安全策略尚未创建,请指定模式

[F2]ipsec policy policy 10 isakmp

[F2-ipsec-policy-isakmp-policy-10]ike-peer peer1

[F2-ipsec-policy-isakmp-policy-10]proposal tran1

[F2-ipsec-policy-isakmp-policy-10]security acl 3000

[F2-ipsec-policy-isakmp-policy-10]quit

[F2]

应用于接口

[F2]inter Ether 0/2

[F2-Ethernet0/2]ipsec policy policy

[F2-Ethernet0/2]

[F2]dis cu

#

sysname F2

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

local-user user1

password simple 123

service-type telnet

level 3

#

ike peer peer1

exchange-mode aggressive

pre-shared-key 12345

id-type name

remote-name Fr1

remote-address 10.10.10.1

#

ipsec proposal tran1

#

ipsec policy policy 10 isakmp

security acl 3000

ike-peer peer1

proposal tran1

#

acl number 3000

rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 1 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 192.168.100.42 255.255.255.0

#

interface Ethernet0/1

ip address 192.168.2.254 255.255.255.0

#

interface Ethernet0/2

ip address dhcp-alloc

ipsec policy policy

#

interface Ethernet0/3

#

interface Ethernet0/4

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/1

add interface Ethernet0/2

set priority 85

#

firewall zone untrust

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 20.20.20.1 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

[F2]

Fr3配置:

[F3]inter Ether 0/3

[F3-Ethernet0/3]ip add dhcp-alloc

F3-Ethernet0/3]quit

[F3]

[F3]inter Ether 0/1

[F3-Ethernet0/1]ip add 192.168.3.253 24

[F3-Ethernet0/1]quit

[F3]ip route-static 0.0.0.0 0 30.30.30.1

[F3]firewall zone trust

[F3-zone-trust]add inter Ether 0/1

[F3-zone-trust]add inter Ether 0/3

[F3-zone-trust]quit

[F3]

[F3]acl number 3001

[F3-acl-adv-3001]rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

[F3-acl-adv-3001]rule deny ip source any destination any

[F3-acl-adv-3001]quit

[F3]

[F3]ike peer peer2

[F3-ike-peer-peer2]remote-address 10.10.10.1

[F3-ike-peer-peer2]pre-shared-key abcde

[F3-ike-peer-peer2]remote-name Fr2

[F3-ike-peer-peer2]exchange-mode aggressive

[F3-ike-peer-peer2]id-type name

[F3-ike-peer-peer2]quit

[F3]

[F3]ipsec proposal tran2

[F3-ipsec-proposal-tran2]encapsulation-mode tunnel

[F3-ipsec-proposal-tran2]transform esp

[F3-ipsec-proposal-tran2]esp encryption-algorithm des

[F3-ipsec-proposal-tran2]esp authentication-algorithm md5

[F3-ipsec-proposal-tran2]quit

[F3]

[F3]ipsec policy policy 20

此安全策略尚未创建,请指定模式

[F3]ipsec policy policy 20 isakmp

[F3-ipsec-policy-isakmp-policy-20]ike-peer peer2

[F3-ipsec-policy-isakmp-policy-20]proposal tran2

[F3-ipsec-policy-isakmp-policy-20]security acl 3001

[F3-ipsec-policy-isakmp-policy-20]quit

[F3]

[F3]inter Ether 0/3

[F3-Ethernet0/3]ipsec policy policy

[F3-Ethernet0/3]quit

[F3]

[F3]dis cu

#

sysname F3

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user user1

password simple 123

service-type telnet

level 3

#

ike peer peer2

exchange-mode aggressive

id-type name

remote-name Fr3

remote-address 10.10.10.1

#

ipsec proposal tran2

#

ipsec policy policy 20 isakmp

security acl 3001

ike-peer peer2

proposal tran2

#

acl number 3001

rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 1 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 192.168.100.43 255.255.255.0

#

interface Ethernet0/1

ip address 192.168.3.254 255.255.255.0

#

interface Ethernet0/2

#

interface Ethernet0/3

ip address dhcp-alloc

ipsec policy policy

#

interface Ethernet0/4

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/1

add interface Ethernet0/3

set priority 85

#

firewall zone untrust

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 30.30.30.1 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

[F3]

Sw13配置:

[SW13]vlan 10

[SW13-vlan10]vlan 20

[SW13-vlan20]vlan 30

[SW13-vlan30]port e 0/20

[SW13-vlan30]vlan 20

[SW13-vlan20]port e 0/10

[SW13-vlan20]vlan 10

[SW13-vlan10]port e 0/5

[SW13-vlan10]quit

[SW13]inter vlan 10

[SW13-Vlan-interface10]ip add 10.10.10.1 255.255.255.0

[SW13-Vlan-interface10]quit

[SW13]inter vlan 20

[SW13-Vlan-interface20]ip add 20.20.20.1 255.255.255.0

[SW13-Vlan-interface20]inter vlan 30

[SW13-Vlan-interface30]ip add 30.30.30.1 255.255.255.0

[SW13-Vlan-interface30]quit

[SW13]

[SW13]dhcp enable

DHCP任务已经启动!

[SW13]dhcp server ip-pool Fr2

[SW13-dhcp-fr2]network 20.20.20.1 mask 255.255.255.0

[SW13-dhcp-fr2]gateway-list 20.20.20.1

[SW13-dhcp-fr2]quit

[SW13]dhcp server ip-pool Fr3

[SW13-dhcp-fr3]network 30.30.30.1 mask 255.255.255.0

[SW13-dhcp-fr3]gateway-list 30.30.30.1

[SW13-dhcp-fr3]quit

[SW13]dhcp server forbidden-ip 20.20.20.1

[SW13]dhcp server forbidden-ip 30.30.30.1

[SW13]

[SW13]dis cu

#

sysname SW13

#

radius scheme system

server-type huawei

primary authentication 127.0.0.1 1645

primary accounting 127.0.0.1 1646

user-name-format without-domain

domain system

radius-scheme system

access-limit disable

state active

vlan-assignment-mode integer

idle-cut disable

self-service-url disable

messenger time disable

domain default enable system

#

local-server nas-ip 127.0.0.1 key huawei

local-user user1

password simple 123

service-type telnet level 3

#

dhcp server ip-pool f2

#

dhcp server ip-pool fr2

network 20.20.20.0 mask 255.255.255.0

gateway-list 20.20.20.1

#

dhcp server ip-pool fr3

network 30.30.30.0 mask 255.255.255.0

gateway-list 30.30.30.1

#

vlan 1

#

vlan 10

#

vlan 20

#

vlan 30

#

interface Vlan-interface1

ip address 192.168.100.33 255.255.255.0

#

interface Vlan-interface10

ip address 10.10.10.1 255.255.255.0

#

interface Vlan-interface20

ip address 20.20.20.1 255.255.255.0

#

interface Vlan-interface30

ip address 30.30.30.1 255.255.255.0

#

interface Aux0/0

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3

#

interface Ethernet0/4

#

interface Ethernet0/5

port access vlan 10

#

interface Ethernet0/6

#

interface Ethernet0/7

#

interface Ethernet0/8

#

interface Ethernet0/9

#

interface Ethernet0/10

port access vlan 20

#

interface Ethernet0/11

#

interface Ethernet0/12

#

interface Ethernet0/13

#

interface Ethernet0/14

#

interface Ethernet0/15

#

interface Ethernet0/16

#

interface Ethernet0/17

#

interface Ethernet0/18

#

interface Ethernet0/19

#

interface Ethernet0/20

port access vlan 30

#

interface Ethernet0/21

#

interface Ethernet0/22

#

interface Ethernet0/23

#

interface Ethernet0/24

#

interface NULL0

#

dhcp server forbidden-ip 20.20.20.0 20.20.20.1

dhcp server forbidden-ip 30.30.30.0 30.30.30.1

#

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

[SW13]

配置步骤:

Fr1的配置:

inter Ether 0/1

ip add 10.10.10.2 255.255.255.0

quit

inter Ether 0/2

ip add 192.168.1.254 255.255.255.0

ip route-static 0.0.0.0 0 10.10.10.1

[F1]firewall packet-filter default permit

[F1]firewall zone trust

[F1-zone-trust]add inter Ether 0/1

[F1-zone-trust]add inter Ether 0/2

quit

[F1]acl number 3000

[F1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

[F1-acl-adv-3000]rule deny ip source any destination any

[F1-acl-adv-3000]quit

[F1]acl number 3001

[F1-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

[F1-acl-adv-3001]rule deny ip source any destination any

[F1-acl-adv-3001]quit

[F1]ike peer peer1

[F1-ike-peer-peer1]exchange-mode aggressive

[F1-ike-peer-peer1]pre-shared-key 12345

[F1-ike-peer-peer1]local-address 10.10.10.2

[F1-ike-peer-peer1]id-type name

[F1-ike-peer-peer1]remote-name Fr2

[F1-ike-peer-peer1]quit

[F1]ike peer peer2

[F1-ike-peer-peer2]pre-shared-key abcde

[F1-ike-peer-peer2]exchange-mode aggressive

[F1-ike-peer-peer2]id-type name

[F1-ike-peer-peer2]local-address 10.10.10.2

[F1-ike-peer-peer2]remote-name Fr3

[F1-ike-peer-peer2]quit

[F1]

[F1]ipsec proposal tran1

[F1-ipsec-proposal-tran1]encapsulation-mode tunnel

[F1-ipsec-proposal-tran1]transform esp

[F1-ipsec-proposal-tran1]esp encryption-algorithm des

[F1-ipsec-proposal-tran1]esp authentication-algorithm md5

[F1-ipsec-proposal-tran1]quit

[F1]

[F1]ipsec proposal tran2

[F1-ipsec-proposal-tran2]encapsulation-mode tunnel

[F1-ipsec-proposal-tran2]transform esp

[F1-ipsec-proposal-tran2]esp encryption-algorithm des

[F1-ipsec-proposal-tran2]esp authentication-algorithm md5

[F1-ipsec-proposal-tran2]quit

[F1]ipsec policy policy 10

[F1]ipsec policy policy 10 isakmp

[F1-ipsec-policy-isakmp-policy-10]ike-peer peer1

[F1-ipsec-policy-isakmp-policy-10]proposal tran1

[F1-ipsec-policy-isakmp-policy-10]security acl 3000

[F1-ipsec-policy-isakmp-policy-10]quit

[F1]

[F1]ipsec policy policy 20

[F1]ipsec policy policy 20 isakmp

[F1-ipsec-policy-isakmp-policy-20]ike-peer peer2

[F1-ipsec-policy-isakmp-policy-20]proposal tran2

[F1-ipsec-policy-isakmp-policy-20]security acl 3001

[F1-ipsec-policy-isakmp-policy-20]quit

[F1]

应用于接口

[F1]inter Ether 0/1

[F1-Ethernet0/1]ipsec policy policy

[F1-Ethernet0/1]quit

[F1]

[F1-zone-trust]dis cu

#

sysname F1

#

super password level 3 simple 123

#

l2tp enable

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

local-user user1

password simple 123

service-type telnet

level 3

#

ike peer peer1

exchange-mode aggressive

pre-shared-key 12345

id-type name

remote-name Fr2

local-address 10.10.10.2

#

ike peer peer2

exchange-mode aggressive

pre-shared-key abcde

id-type name

remote-name Fr3

local-address 10.10.10.2

#

ipsec proposal tran1

#

ipsec proposal tran2

#

ipsec policy policy 10 isakmp

security acl 3000

ike-peer peer1

proposal tran1

#

ipsec policy policy 20 isakmp

security acl 3001

ike-peer peer2

proposal tran2

#

acl number 3000

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

rule 1 deny ip

acl number 3001

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

rule 1 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 192.168.100.41 255.255.255.0

#

interface Ethernet0/1

ip address 10.10.10.2 255.0.0.0

ipsec policy policy

#

interface Ethernet0/2

ip address 192.168.1.254 255.255.255.0

#

interface Ethernet0/3

#

interface Ethernet0/4

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/1

add interface Ethernet0/2

set priority 85

#

firewall zone untrust

add interface Ethernet0/4

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

ip route-static 0.0.0.0 0.0.0.0 10.10.10.1 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

[F1-zone-trust]

Fr2配置:

[F2]inter Ether 0/2

[F2-Ethernet0/2]ip add dhcp-alloc

[F2-Ethernet0/2]inter Ether 0/1

[F2-Ethernet0/1]ip add 192.168.2.254 24

[F2-Ethernet0/1]quit

[F2]firewall zone trust

[F2-zone-trust]add inter Ether 0/1

[F2-zone-trust]add inter Ether 0/2

[F2-zone-trust]quit

[F2]ip route-static 0.0.0.0 0 20.20.20.1

[F2]acl number 3000

[F2-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

[F2-acl-adv-3000]rule deny ip source any destination any

[F2-acl-adv-3000]quit

[F2]

[F2]ike peer peer1

[F2-ike-peer-peer1]id-type name

[F2-ike-peer-peer1] remote-address 10.10.10.1

[F2-ike-peer-peer1]remote-name Fr1

[F2-ike-peer-peer1]exchange-mode aggressive

[F2-ike-peer-peer1]pre-shared-key 12345

[F2-ike-peer-peer1]quit

[F2]

[F2]ipsec proposal tran1

[F2-ipsec-proposal-tran1]encapsulation-mode tunnel

[F2-ipsec-proposal-tran1]transform esp

[F2-ipsec-proposal-tran1]esp encryption-algorithm des

[F2-ipsec-proposal-tran1]esp authentication-algorithm md5

[F2-ipsec-proposal-tran1]quit

[F2]

[F2]ipsec policy policy 10

此安全策略尚未创建,请指定模式

[F2]ipsec policy policy 10 isakmp

[F2-ipsec-policy-isakmp-policy-10]ike-peer peer1

[F2-ipsec-policy-isakmp-policy-10]proposal tran1

[F2-ipsec-policy-isakmp-policy-10]security acl 3000

[F2-ipsec-policy-isakmp-policy-10]quit

[F2]

应用于接口

[F2]inter Ether 0/2

[F2-Ethernet0/2]ipsec policy policy

[F2-Ethernet0/2]

[F2]dis cu

#

sysname F2

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

local-user user1

password simple 123

service-type telnet

level 3

#

ike peer peer1

exchange-mode aggressive

pre-shared-key 12345

id-type name

remote-name Fr1

remote-address 10.10.10.1

#

ipsec proposal tran1

#

ipsec policy policy 10 isakmp

security acl 3000

ike-peer peer1

proposal tran1

#

acl number 3000

rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 1 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 192.168.100.42 255.255.255.0

#

interface Ethernet0/1

ip address 192.168.2.254 255.255.255.0

#

interface Ethernet0/2

ip address dhcp-alloc

ipsec policy policy

#

interface Ethernet0/3

#

interface Ethernet0/4

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/1

add interface Ethernet0/2

set priority 85

#

firewall zone untrust

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 20.20.20.1 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

[F2]

Fr3配置:

[F3]inter Ether 0/3

[F3-Ethernet0/3]ip add dhcp-alloc

F3-Ethernet0/3]quit

[F3]

[F3]inter Ether 0/1

[F3-Ethernet0/1]ip add 192.168.3.253 24

[F3-Ethernet0/1]quit

[F3]ip route-static 0.0.0.0 0 30.30.30.1

[F3]firewall zone trust

[F3-zone-trust]add inter Ether 0/1

[F3-zone-trust]add inter Ether 0/3

[F3-zone-trust]quit

[F3]

[F3]acl number 3001

[F3-acl-adv-3001]rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

[F3-acl-adv-3001]rule deny ip source any destination any

[F3-acl-adv-3001]quit

[F3]

[F3]ike peer peer2

[F3-ike-peer-peer2]remote-address 10.10.10.1

[F3-ike-peer-peer2]pre-shared-key abcde

[F3-ike-peer-peer2]remote-name Fr2

[F3-ike-peer-peer2]exchange-mode aggressive

[F3-ike-peer-peer2]id-type name

[F3-ike-peer-peer2]quit

[F3]

[F3]ipsec proposal tran2

[F3-ipsec-proposal-tran2]encapsulation-mode tunnel

[F3-ipsec-proposal-tran2]transform esp

[F3-ipsec-proposal-tran2]esp encryption-algorithm des

[F3-ipsec-proposal-tran2]esp authentication-algorithm md5

[F3-ipsec-proposal-tran2]quit

[F3]

[F3]ipsec policy policy 20

此安全策略尚未创建,请指定模式

[F3]ipsec policy policy 20 isakmp

[F3-ipsec-policy-isakmp-policy-20]ike-peer peer2

[F3-ipsec-policy-isakmp-policy-20]proposal tran2

[F3-ipsec-policy-isakmp-policy-20]security acl 3001

[F3-ipsec-policy-isakmp-policy-20]quit

[F3]

[F3]inter Ether 0/3

[F3-Ethernet0/3]ipsec policy policy

[F3-Ethernet0/3]quit

[F3]

[F3]dis cu

#

sysname F3

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user user1

password simple 123

service-type telnet

level 3

#

ike peer peer2

exchange-mode aggressive

id-type name

remote-name Fr3

remote-address 10.10.10.1

#

ipsec proposal tran2

#

ipsec policy policy 20 isakmp

security acl 3001

ike-peer peer2

proposal tran2

#

acl number 3001

rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 1 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 192.168.100.43 255.255.255.0

#

interface Ethernet0/1

ip address 192.168.3.254 255.255.255.0

#

interface Ethernet0/2

#

interface Ethernet0/3

ip address dhcp-alloc

ipsec policy policy

#

interface Ethernet0/4

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/1

add interface Ethernet0/3

set priority 85

#

firewall zone untrust

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 30.30.30.1 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

[F3]

Sw13配置:

[SW13]vlan 10

[SW13-vlan10]vlan 20

[SW13-vlan20]vlan 30

[SW13-vlan30]port e 0/20

[SW13-vlan30]vlan 20

[SW13-vlan20]port e 0/10

[SW13-vlan20]vlan 10

[SW13-vlan10]port e 0/5

[SW13-vlan10]quit

[SW13]inter vlan 10

[SW13-Vlan-interface10]ip add 10.10.10.1 255.255.255.0

[SW13-Vlan-interface10]quit

[SW13]inter vlan 20

[SW13-Vlan-interface20]ip add 20.20.20.1 255.255.255.0

[SW13-Vlan-interface20]inter vlan 30

[SW13-Vlan-interface30]ip add 30.30.30.1 255.255.255.0

[SW13-Vlan-interface30]quit

[SW13]

[SW13]dhcp enable

DHCP任务已经启动!

[SW13]dhcp server ip-pool Fr2

[SW13-dhcp-fr2]network 20.20.20.1 mask 255.255.255.0

[SW13-dhcp-fr2]gateway-list 20.20.20.1

[SW13-dhcp-fr2]quit

[SW13]dhcp server ip-pool Fr3

[SW13-dhcp-fr3]network 30.30.30.1 mask 255.255.255.0

[SW13-dhcp-fr3]gateway-list 30.30.30.1

[SW13-dhcp-fr3]quit

[SW13]dhcp server forbidden-ip 20.20.20.1

[SW13]dhcp server forbidden-ip 30.30.30.1

[SW13]

[SW13]dis cu

#

sysname SW13

#

radius scheme system

server-type huawei

primary authentication 127.0.0.1 1645

primary accounting 127.0.0.1 1646

user-name-format without-domain

domain system

radius-scheme system

access-limit disable

state active

vlan-assignment-mode integer

idle-cut disable

self-service-url disable

messenger time disable

domain default enable system

#

local-server nas-ip 127.0.0.1 key huawei

local-user user1

password simple 123

service-type telnet level 3

#

dhcp server ip-pool f2

#

dhcp server ip-pool fr2

network 20.20.20.0 mask 255.255.255.0

gateway-list 20.20.20.1

#

dhcp server ip-pool fr3

network 30.30.30.0 mask 255.255.255.0

gateway-list 30.30.30.1

#

vlan 1

#

vlan 10

#

vlan 20

#

vlan 30

#

interface Vlan-interface1

ip address 192.168.100.33 255.255.255.0

#

interface Vlan-interface10

ip address 10.10.10.1 255.255.255.0

#

interface Vlan-interface20

ip address 20.20.20.1 255.255.255.0

#

interface Vlan-interface30

ip address 30.30.30.1 255.255.255.0

#

interface Aux0/0

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3

#

interface Ethernet0/4

#

interface Ethernet0/5

port access vlan 10

#

interface Ethernet0/6

#

interface Ethernet0/7

#

interface Ethernet0/8

#

interface Ethernet0/9

#

interface Ethernet0/10

port access vlan 20

#

interface Ethernet0/11

#

interface Ethernet0/12

#

interface Ethernet0/13

#

interface Ethernet0/14

#

interface Ethernet0/15

#

interface Ethernet0/16

#

interface Ethernet0/17

#

interface Ethernet0/18

#

interface Ethernet0/19

#

interface Ethernet0/20

port access vlan 30

#

interface Ethernet0/21

#

interface Ethernet0/22

#

interface Ethernet0/23

#

interface Ethernet0/24

#

interface NULL0

#

dhcp server forbidden-ip 20.20.20.0 20.20.20.1

dhcp server forbidden-ip 30.30.30.0 30.30.30.1

#

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

[SW13]

配置步骤:

Fr1的配置:

inter Ether 0/1

ip add 10.10.10.2 255.255.255.0

quit

inter Ether 0/2

ip add 192.168.1.254 255.255.255.0

ip route-static 0.0.0.0 0 10.10.10.1

[F1]firewall packet-filter default permit

[F1]firewall zone trust

[F1-zone-trust]add inter Ether 0/1

[F1-zone-trust]add inter Ether 0/2

quit

[F1]acl number 3000

[F1-acl-adv-3000]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

[F1-acl-adv-3000]rule deny ip source any destination any

[F1-acl-adv-3000]quit

[F1]acl number 3001

[F1-acl-adv-3001]rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

[F1-acl-adv-3001]rule deny ip source any destination any

[F1-acl-adv-3001]quit

[F1]ike peer peer1

[F1-ike-peer-peer1]exchange-mode aggressive

[F1-ike-peer-peer1]pre-shared-key 12345

[F1-ike-peer-peer1]local-address 10.10.10.2

[F1-ike-peer-peer1]id-type name

[F1-ike-peer-peer1]remote-name Fr2

[F1-ike-peer-peer1]quit

[F1]ike peer peer2

[F1-ike-peer-peer2]pre-shared-key abcde

[F1-ike-peer-peer2]exchange-mode aggressive

[F1-ike-peer-peer2]id-type name

[F1-ike-peer-peer2]local-address 10.10.10.2

[F1-ike-peer-peer2]remote-name Fr3

[F1-ike-peer-peer2]quit

[F1]

[F1]ipsec proposal tran1

[F1-ipsec-proposal-tran1]encapsulation-mode tunnel

[F1-ipsec-proposal-tran1]transform esp

[F1-ipsec-proposal-tran1]esp encryption-algorithm des

[F1-ipsec-proposal-tran1]esp authentication-algorithm md5

[F1-ipsec-proposal-tran1]quit

[F1]

[F1]ipsec proposal tran2

[F1-ipsec-proposal-tran2]encapsulation-mode tunnel

[F1-ipsec-proposal-tran2]transform esp

[F1-ipsec-proposal-tran2]esp encryption-algorithm des

[F1-ipsec-proposal-tran2]esp authentication-algorithm md5

[F1-ipsec-proposal-tran2]quit

[F1]ipsec policy policy 10

[F1]ipsec policy policy 10 isakmp

[F1-ipsec-policy-isakmp-policy-10]ike-peer peer1

[F1-ipsec-policy-isakmp-policy-10]proposal tran1

[F1-ipsec-policy-isakmp-policy-10]security acl 3000

[F1-ipsec-policy-isakmp-policy-10]quit

[F1]

[F1]ipsec policy policy 20

[F1]ipsec policy policy 20 isakmp

[F1-ipsec-policy-isakmp-policy-20]ike-peer peer2

[F1-ipsec-policy-isakmp-policy-20]proposal tran2

[F1-ipsec-policy-isakmp-policy-20]security acl 3001

[F1-ipsec-policy-isakmp-policy-20]quit

[F1]

应用于接口

[F1]inter Ether 0/1

[F1-Ethernet0/1]ipsec policy policy

[F1-Ethernet0/1]quit

[F1]

[F1-zone-trust]dis cu

#

sysname F1

#

super password level 3 simple 123

#

l2tp enable

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

local-user user1

password simple 123

service-type telnet

level 3

#

ike peer peer1

exchange-mode aggressive

pre-shared-key 12345

id-type name

remote-name Fr2

local-address 10.10.10.2

#

ike peer peer2

exchange-mode aggressive

pre-shared-key abcde

id-type name

remote-name Fr3

local-address 10.10.10.2

#

ipsec proposal tran1

#

ipsec proposal tran2

#

ipsec policy policy 10 isakmp

security acl 3000

ike-peer peer1

proposal tran1

#

ipsec policy policy 20 isakmp

security acl 3001

ike-peer peer2

proposal tran2

#

acl number 3000

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255

rule 1 deny ip

acl number 3001

rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255

rule 1 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 192.168.100.41 255.255.255.0

#

interface Ethernet0/1

ip address 10.10.10.2 255.0.0.0

ipsec policy policy

#

interface Ethernet0/2

ip address 192.168.1.254 255.255.255.0

#

interface Ethernet0/3

#

interface Ethernet0/4

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/1

add interface Ethernet0/2

set priority 85

#

firewall zone untrust

add interface Ethernet0/4

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

ip route-static 0.0.0.0 0.0.0.0 10.10.10.1 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

[F1-zone-trust]

Fr2配置:

[F2]inter Ether 0/2

[F2-Ethernet0/2]ip add dhcp-alloc

[F2-Ethernet0/2]inter Ether 0/1

[F2-Ethernet0/1]ip add 192.168.2.254 24

[F2-Ethernet0/1]quit

[F2]firewall zone trust

[F2-zone-trust]add inter Ether 0/1

[F2-zone-trust]add inter Ether 0/2

[F2-zone-trust]quit

[F2]ip route-static 0.0.0.0 0 20.20.20.1

[F2]acl number 3000

[F2-acl-adv-3000]rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

[F2-acl-adv-3000]rule deny ip source any destination any

[F2-acl-adv-3000]quit

[F2]

[F2]ike peer peer1

[F2-ike-peer-peer1]id-type name

[F2-ike-peer-peer1] remote-address 10.10.10.1

[F2-ike-peer-peer1]remote-name Fr1

[F2-ike-peer-peer1]exchange-mode aggressive

[F2-ike-peer-peer1]pre-shared-key 12345

[F2-ike-peer-peer1]quit

[F2]

[F2]ipsec proposal tran1

[F2-ipsec-proposal-tran1]encapsulation-mode tunnel

[F2-ipsec-proposal-tran1]transform esp

[F2-ipsec-proposal-tran1]esp encryption-algorithm des

[F2-ipsec-proposal-tran1]esp authentication-algorithm md5

[F2-ipsec-proposal-tran1]quit

[F2]

[F2]ipsec policy policy 10

此安全策略尚未创建,请指定模式

[F2]ipsec policy policy 10 isakmp

[F2-ipsec-policy-isakmp-policy-10]ike-peer peer1

[F2-ipsec-policy-isakmp-policy-10]proposal tran1

[F2-ipsec-policy-isakmp-policy-10]security acl 3000

[F2-ipsec-policy-isakmp-policy-10]quit

[F2]

应用于接口

[F2]inter Ether 0/2

[F2-Ethernet0/2]ipsec policy policy

[F2-Ethernet0/2]

[F2]dis cu

#

sysname F2

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

local-user user1

password simple 123

service-type telnet

level 3

#

ike peer peer1

exchange-mode aggressive

pre-shared-key 12345

id-type name

remote-name Fr1

remote-address 10.10.10.1

#

ipsec proposal tran1

#

ipsec policy policy 10 isakmp

security acl 3000

ike-peer peer1

proposal tran1

#

acl number 3000

rule 0 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 1 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 192.168.100.42 255.255.255.0

#

interface Ethernet0/1

ip address 192.168.2.254 255.255.255.0

#

interface Ethernet0/2

ip address dhcp-alloc

ipsec policy policy

#

interface Ethernet0/3

#

interface Ethernet0/4

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/1

add interface Ethernet0/2

set priority 85

#

firewall zone untrust

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 20.20.20.1 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

[F2]

Fr3配置:

[F3]inter Ether 0/3

[F3-Ethernet0/3]ip add dhcp-alloc

F3-Ethernet0/3]quit

[F3]

[F3]inter Ether 0/1

[F3-Ethernet0/1]ip add 192.168.3.253 24

[F3-Ethernet0/1]quit

[F3]ip route-static 0.0.0.0 0 30.30.30.1

[F3]firewall zone trust

[F3-zone-trust]add inter Ether 0/1

[F3-zone-trust]add inter Ether 0/3

[F3-zone-trust]quit

[F3]

[F3]acl number 3001

[F3-acl-adv-3001]rule permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

[F3-acl-adv-3001]rule deny ip source any destination any

[F3-acl-adv-3001]quit

[F3]

[F3]ike peer peer2

[F3-ike-peer-peer2]remote-address 10.10.10.1

[F3-ike-peer-peer2]pre-shared-key abcde

[F3-ike-peer-peer2]remote-name Fr2

[F3-ike-peer-peer2]exchange-mode aggressive

[F3-ike-peer-peer2]id-type name

[F3-ike-peer-peer2]quit

[F3]

[F3]ipsec proposal tran2

[F3-ipsec-proposal-tran2]encapsulation-mode tunnel

[F3-ipsec-proposal-tran2]transform esp

[F3-ipsec-proposal-tran2]esp encryption-algorithm des

[F3-ipsec-proposal-tran2]esp authentication-algorithm md5

[F3-ipsec-proposal-tran2]quit

[F3]

[F3]ipsec policy policy 20

此安全策略尚未创建,请指定模式

[F3]ipsec policy policy 20 isakmp

[F3-ipsec-policy-isakmp-policy-20]ike-peer peer2

[F3-ipsec-policy-isakmp-policy-20]proposal tran2

[F3-ipsec-policy-isakmp-policy-20]security acl 3001

[F3-ipsec-policy-isakmp-policy-20]quit

[F3]

[F3]inter Ether 0/3

[F3-Ethernet0/3]ipsec policy policy

[F3-Ethernet0/3]quit

[F3]

[F3]dis cu

#

sysname F3

#

firewall packet-filter enable

firewall packet-filter default permit

#

insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

#

domain system

#

local-user user1

password simple 123

service-type telnet

level 3

#

ike peer peer2

exchange-mode aggressive

id-type name

remote-name Fr3

remote-address 10.10.10.1

#

ipsec proposal tran2

#

ipsec policy policy 20 isakmp

security acl 3001

ike-peer peer2

proposal tran2

#

acl number 3001

rule 0 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255

rule 1 deny ip

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 192.168.100.43 255.255.255.0

#

interface Ethernet0/1

ip address 192.168.3.254 255.255.255.0

#

interface Ethernet0/2

#

interface Ethernet0/3

ip address dhcp-alloc

ipsec policy policy

#

interface Ethernet0/4

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/1

add interface Ethernet0/3

set priority 85

#

firewall zone untrust

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 30.30.30.1 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

[F3]

Sw13配置:

[SW13]vlan 10

[SW13-vlan10]vlan 20

[SW13-vlan20]vlan 30

[SW13-vlan30]port e 0/20

[SW13-vlan30]vlan 20

[SW13-vlan20]port e 0/10

[SW13-vlan20]vlan 10

[SW13-vlan10]port e 0/5

[SW13-vlan10]quit

[SW13]inter vlan 10

[SW13-Vlan-interface10]ip add 10.10.10.1 255.255.255.0

[SW13-Vlan-interface10]quit

[SW13]inter vlan 20

[SW13-Vlan-interface20]ip add 20.20.20.1 255.255.255.0

[SW13-Vlan-interface20]inter vlan 30

[SW13-Vlan-interface30]ip add 30.30.30.1 255.255.255.0

[SW13-Vlan-interface30]quit

[SW13]

[SW13]dhcp enable

DHCP任务已经启动!

[SW13]dhcp server ip-pool Fr2

[SW13-dhcp-fr2]network 20.20.20.1 mask 255.255.255.0

[SW13-dhcp-fr2]gateway-list 20.20.20.1

[SW13-dhcp-fr2]quit

[SW13]dhcp server ip-pool Fr3

[SW13-dhcp-fr3]network 30.30.30.1 mask 255.255.255.0

[SW13-dhcp-fr3]gateway-list 30.30.30.1

[SW13-dhcp-fr3]quit

[SW13]dhcp server forbidden-ip 20.20.20.1

[SW13]dhcp server forbidden-ip 30.30.30.1

[SW13]

[SW13]dis cu

#

sysname SW13

#

radius scheme system

server-type huawei

primary authentication 127.0.0.1 1645

primary accounting 127.0.0.1 1646

user-name-format without-domain

domain system

radius-scheme system

access-limit disable

state active

vlan-assignment-mode integer

idle-cut disable

self-service-url disable

messenger time disable

domain default enable system

#

local-server nas-ip 127.0.0.1 key huawei

local-user user1

password simple 123

service-type telnet level 3

#

dhcp server ip-pool f2

#

dhcp server ip-pool fr2

network 20.20.20.0 mask 255.255.255.0

gateway-list 20.20.20.1

#

dhcp server ip-pool fr3

network 30.30.30.0 mask 255.255.255.0

gateway-list 30.30.30.1

#

vlan 1

#

vlan 10

#

vlan 20

#

vlan 30

#

interface Vlan-interface1

ip address 192.168.100.33 255.255.255.0

#

interface Vlan-interface10

ip address 10.10.10.1 255.255.255.0

#

interface Vlan-interface20

ip address 20.20.20.1 255.255.255.0

#

interface Vlan-interface30

ip address 30.30.30.1 255.255.255.0

#

interface Aux0/0

#

interface Ethernet0/1

#

interface Ethernet0/2

#

interface Ethernet0/3

#

interface Ethernet0/4

#

interface Ethernet0/5

port access vlan 10

#

interface Ethernet0/6

#

interface Ethernet0/7

#

interface Ethernet0/8

#

interface Ethernet0/9

#

interface Ethernet0/10

port access vlan 20

#

interface Ethernet0/11

#

interface Ethernet0/12

#

interface Ethernet0/13

#

interface Ethernet0/14

#

interface Ethernet0/15

#

interface Ethernet0/16

#

interface Ethernet0/17

#

interface Ethernet0/18

#

interface Ethernet0/19

#

interface Ethernet0/20

port access vlan 30

#

interface Ethernet0/21

#

interface Ethernet0/22

#

interface Ethernet0/23

#

interface Ethernet0/24

#

interface NULL0

#

dhcp server forbidden-ip 20.20.20.0 20.20.20.1

dhcp server forbidden-ip 30.30.30.0 30.30.30.1

#

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

[SW13]

测试结果:

192.168.1.0 网段ping同192.168.2.0网段

ipsec-野蛮模式_blank_02

192.168.1.0 网段ping同192.168.3.0网段

ipsec-野蛮模式_blank_03