AR1:
dis current-configuration
[V200R003C00]
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load portalpage.zip
drop illegal-mac alarm
set cpu-usage threshold 80 restore 75
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %K8m.Nt84DZ}e#<0`8bmE3Uw}%
local-user admin service-type http
firewall zone Local
priority 15
interface GigabitEthernet0/0/0
ip address 21.21.1.1 255.255.255.0
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface NULL0
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
wlan ac
return
AR2:
dis current-configuration
[V200R003C00]
board add 0/4 4GET
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
clock timezone China-Standard-Time minus 08:00:00
portal local-server load portalpage.zip
drop illegal-mac alarm
set cpu-usage threshold 80 restore 75
acl number 2000 // used for NAT to reach the external network
rule 5 permit source 192.168.0.0 0.0.255.255
acl number 3000 // used to match VLAN 10 return traffic coming back from the external network
rule 5 permit ip destination 192.168.10.0 0.0.0.255
acl number 3001 // used to match VLAN 10 traffic going out to the external network
rule 5 permit ip source 192.168.10.0 0.0.0.255
traffic classifier 2 operator or
if-match acl 3001
traffic classifier 1 operator or
if-match acl 3000
traffic behavior 2
redirect ip-nexthop 23.1.1.2
traffic behavior 1
redirect ip-nexthop 12.1.1.2
traffic policy 2
classifier 2 behavior 2
traffic policy 1
classifier 1 behavior 1
interface GigabitEthernet0/0/0
ip address 21.21.1.2 255.255.255.0
traffic-policy 1 inbound // matches return packets for internal VLAN 10 arriving at the router and redirects them to the firewall
nat outbound 2000
interface GigabitEthernet0/0/1
ip address 12.1.1.1 255.255.255.0
interface GigabitEthernet0/0/2
ip address 23.1.1.1 255.255.255.0
interface GigabitEthernet4/0/0
ip address 21.1.1.2 255.255.255.0
traffic-policy 2 inbound // matches VLAN 10 packets arriving at the router from the internal network and redirects them to the firewall
interface GigabitEthernet4/0/1
interface GigabitEthernet4/0/2
interface GigabitEthernet4/0/3
interface NULL0
ip route-static 0.0.0.0 0.0.0.0 21.21.1.1
ip route-static 192.168.10.0 255.255.255.0 21.1.1.1 // used after the firewall returns VLAN 10 traffic to the router
ip route-static 192.168.20.0 255.255.255.0 21.1.1.1
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
wlan ac
return
FW configuration:
dis current-configuration
01:07:19 2023/07/20
stp region-configuration
region-name e81582044529
active region-configuration
interface GigabitEthernet0/0/1
ip address 12.1.1.2 255.255.255.0
interface GigabitEthernet0/0/2
ip address 23.1.1.2 255.255.255.0
interface NULL0
alias NULL0
firewall zone local
set priority 100
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/2
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
firewall zone dmz
set priority 50
ip route-static 0.0.0.0 0.0.0.0 12.1.1.1 // same as at the egress: whatever traffic arrives, I hand it to the router
ip route-static 192.168.10.0 255.255.255.0 23.1.1.1 // VLAN 10 traffic coming back from outside, I hand to the router
banner enable
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
slb
right-manager server-group
sysname SRG
l2tp domain suffix-separator @
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction outbound
// everything else is default; only this one policy, trust to untrust, was configured
ip df-unreachables enable
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
dns resolve
firewall statistic system enable
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
undo dns proxy
license-server domain lic.huawei.com
web-manager enable
return
Core switch:
dis current-configuration
sysname Huawei
undo info-center enable
vlan batch 10 20 100
cluster enable
ntdp enable
ndp enable
drop illegal-mac alarm
dhcp enable
diffserv domain default
drop-profile default
interface Vlanif1
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
dhcp select interface
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select interface
interface Vlanif100
ip address 21.1.1.1 255.255.255.0
interface MEth0/0/1
interface GigabitEthernet0/0/1
port link-type access
port default vlan 100
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
interface GigabitEthernet0/0/3
port link-type access
port default vlan 20
ip route-static 0.0.0.0 0.0.0.0 21.1.1.2