
# NOTE(review): the `acl number ...` line that owns the next six rules is not visible in
# this part of the listing. They are source-only (basic ACL) rules covering
# 192.168.11.0/24 - 192.168.16.0/24; presumably this is the ACL referenced by
# `nat outbound 2001` elsewhere on the page - confirm.
 rule 5 permit source 192.168.11.0 0.0.0.255
 rule 10 permit source 192.168.12.0 0.0.0.255
 rule 15 permit source 192.168.13.0 0.0.0.255
 rule 20 permit source 192.168.14.0 0.0.0.255
 rule 25 permit source 192.168.15.0 0.0.0.255
 rule 30 permit source 192.168.16.0 0.0.0.255
#
# ACL 3000 is the IPsec traffic selector (`security acl 3000` below). It matches only
# host-to-host IP traffic from 200.1.1.1 to 200.2.1.1, i.e. packets exchanged between the
# two public tunnel endpoints, not the private LAN prefixes themselves.
acl number 3000
 rule 5 permit ip source 200.1.1.1 0 destination 200.2.1.1 0
#
# ESP in transport mode with AES-192 encryption and SHA2-256 integrity.
ipsec proposal 1
 encapsulation-mode transport
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
# NOTE(review): no authentication-algorithm is set in this IKE proposal, so the
# platform default applies; verify it with `display ike proposal` on the software
# version in use rather than assuming a strong hash.
ike proposal 1
 encryption-algorithm aes-cbc-128
 dh group14
#
# NOTE(review): `v1` selects IKEv1, and the pre-shared key is the vendor name, printed in
# clear on this page. `cipher` only affects how the key is stored in the configuration,
# not its strength. Treat `huawei` as a lab value: outside a lab use a long random key
# that is unique per peer, and prefer IKEv2 where both ends support it.
ike peer 1 v1
 pre-shared-key cipher huawei
 ike-proposal 1
 remote-address 200.2.1.1
#
# Binds the selector (ACL 3000), the peer and the ESP proposal into policy ATOB.
ipsec policy ATOB 1 isakmp
 security acl 3000
 ike-peer 1
 proposal 1
#
# NOTE(review): `dns-domain-name` has no value on the page (it appears to have been
# stripped when the page was extracted); the command is incomplete as shown.
dhcpv6 pool 11
 address prefix 2001:192:168:11::/64
 excluded-address 2001:192:168:11::254
 dns-server 3000:8:8:8::8
 dns-domain-name

#dhcpv6 pool 12 address prefix 2001:192:168:12::/64 excluded-address 2001:192:168:12::254 dns-server 3000:8:8:8::8 dns-domain-name #dhcpv6 pool 13 address prefix 2001:192:168:13::/64 excluded-address 2001:192:168:13::254 dns-server 3000:8:8:8::8 dns-domain-name #dhcpv6 pool 14 address prefix 2001:192:168:14::/64 excluded-address 2001:192:168:14::254 dns-server 3000:8:8:8::8 dns-domain-name #dhcpv6 pool 15 address prefix 2001:192:168:15::/64 excluded-address 2001:192:168:15::254 dns-server 3000:8:8:8::8 dns-domain-name #dhcpv6 pool 16 address prefix 2001:192:168:16::/64 excluded-address 2001:192:168:16::254 dns-server 3000:8:8:8::8 dns-domain-name #ospfv3 32 router-id 172.16.1.11 import-route static

#interface GigabitEthernet0/0/0 ip address 200.1.1.1 255.255.255.248 ipsec policy ATOB nat outbound 2001#interface GigabitEthernet0/0/1 ipv6 enable ip address 10.1.1.1 255.255.255.252 ipv6 address 2001:10:1:1::1/64 ospfv3 32 area 0.0.0.0#interface GigabitEthernet0/0/2 ipv6 enable ip address 10.2.1.1 255.255.255.252 ipv6 address 2001:10:2:1::1/64 ospfv3 32 area 0.0.0.0#interface LoopBack0 ipv6 enable ip address 172.16.1.11 255.255.255.255 ipv6 address 2001:172:16:1::11/64 ospfv3 32 area 0.0.0.0#interface Tunnel0/0/1 ip address 100.1.1.1 255.255.255.252 tunnel-protocol gre source 200.1.1.1 destination 200.2.1.1#interface Tunnel0/0/2 ipv6 enable ipv6 address 2001:1313::1/64 tunnel-protocol ipv6-ipv4

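# Remote-management and spanning-tree section of a distribution switch, restored to one
# command per line. On the page several commands were fused together
# (`vty 0 4authentication-mode`, `quitssh user`, `root primarystp instance`), which a CLI
# would reject.
#
# The three local-user commands are AAA-view commands; the `aaa` line that enters that
# view is not visible in this part of the listing.
# NOTE(review): `user-ssh` has privilege level 15 (full administrative access) and its
# password is the vendor name, printed in clear on this page. `cipher` only controls how
# the password is stored in the configuration. The same account and password are
# repeated for every device on the page; outside a lab each device needs its own strong
# secret.
 local-user user-ssh password cipher huawei
 local-user user-ssh privilege level 15
 local-user user-ssh service-type ssh
#
# VTY lines 0-4 accept SSH only and authenticate through AAA.
# NOTE(review): no ACL restricting the management source addresses is applied to the VTY
# lines in the visible configuration.
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 quit
# `authentication-type all` lets the user log in with either a password or a public key,
# so the password above is sufficient on its own.
ssh user user-ssh authentication-type all
#
vlan batch 11 to 16 100 106
#
# Root primary for MST instances 11/13/15 and secondary for 12/14/16. This lines up with
# the VRRP priority 105 configured for VRIDs 11, 13 and 15 on this device's Vlanif
# interfaces further down the page.
stp instance 11 root primary
stp instance 12 root secondary
stp instance 13 root primary
stp instance 14 root secondary
stp instance 15 root primary
stp instance 16 root secondary
#
dhcp enable
#
# MST region QYW, revision 12: one instance per user VLAN (11-16).
stp region-configuration
 region-name QYW
 revision-level 12
 instance 11 vlan 11
 instance 12 vlan 12
 instance 13 vlan 13
 instance 14 vlan 14
 instance 15 vlan 15
 instance 16 vlan 16
 active region-configuration
#
bfd
#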

ip pool 11 gateway-list 192.168.11.254 network 192.168.11.0 mask 255.255.255.0 excluded-ip-address 192.168.11.128 192.168.11.253 lease day 3 hour 0 minute 0 dns-list 8.8.8.8#ip pool 12 gateway-list 192.168.12.254 network 192.168.12.0 mask 255.255.255.0 excluded-ip-address 192.168.12.128 192.168.12.253 lease day 3 hour 0 minute 0 dns-list 8.8.8.8#ip pool 13 gateway-list 192.168.13.254 network 192.168.13.0 mask 255.255.255.0 excluded-ip-address 192.168.13.128 192.168.13.253 lease day 3 hour 0 minute 0 dns-list 8.8.8.8#ip pool 14 gateway-list 192.168.14.254 network 192.168.14.0 mask 255.255.255.0 excluded-ip-address 192.168.14.128 192.168.14.253 lease day 3 hour 0 minute 0 dns-list 8.8.8.8#ip pool 15 gateway-list 192.168.15.254 network 192.168.15.0 mask 255.255.255.0 excluded-ip-address 192.168.15.128 192.168.15.253 lease day 3 hour 0 minute 0 dns-list 8.8.8.8

#ip pool 16 gateway-list 192.168.16.254 network 192.168.16.0 mask 255.255.255.0 excluded-ip-address 192.168.16.128 192.168.16.253 lease day 3 hour 0 minute 0 dns-list 8.8.8.8#ospfv3 32 router-id 172.16.1.1#interface Vlanif1#interface Vlanif11 ipv6 enable ip address 192.168.11.251 255.255.255.0 ipv6 address 2001:192:168:11::251/64 ospfv3 32 area 0.0.0.0 vrrp vrid 11 virtual-ip 192.168.11.254 vrrp vrid 11 priority 105 vrrp vrid 11 preempt-mode timer delay 60 vrrp vrid 11 track bfd-session session-name 1 reduced 20 vrrp6 vrid 11 virtual-ip FE80::11 link-local vrrp6 vrid 11 virtual-ip 2001:192:168:11::254 vrrp6 vrid 11 priority 105 vrrp6 vrid 11 preempt-mode timer delay 60 dhcp select global#interface Vlanif12 ipv6 enable ip address 192.168.12.251 255.255.255.0 ipv6 address 2001:192:168:12::251/64 ospfv3 32 area 0.0.0.0 vrrp vrid 12 virtual-ip 192.168.12.254

vrrp6 vrid 12 virtual-ip FE80::12 link-local vrrp6 vrid 12 virtual-ip 2001:192:168:12::254 dhcp select global#interface Vlanif13 ipv6 enable ip address 192.168.13.251 255.255.255.0 ipv6 address 2001:192:168:13::251/64 ospfv3 32 area 0.0.0.0 vrrp vrid 13 virtual-ip 192.168.13.254 vrrp vrid 13 priority 105 vrrp vrid 13 preempt-mode timer delay 60 vrrp vrid 13 track bfd-session session-name 1 reduced 20 vrrp6 vrid 13 virtual-ip FE80::13 link-local vrrp6 vrid 13 virtual-ip 2001:192:168:13::254 vrrp6 vrid 13 priority 105 vrrp6 vrid 13 preempt-mode timer delay 60 dhcp select global#interface Vlanif14 ipv6 enable ip address 192.168.14.251 255.255.255.0 ipv6 address 2001:192:168:14::251/64 ospfv3 32 area 0.0.0.0 vrrp vrid 14 virtual-ip 192.168.14.254 vrrp6 vrid 14 virtual-ip FE80::14 link-local vrrp6 vrid 14 virtual-ip 2001:192:168:14::254 dhcp select global#interface Vlanif15 ipv6 enable ip address 192.168.15.251 255.255.255.0 ipv6 address 2001:192:168:15::251/64 ospfv3 32 area 0.0.0.0 vrrp vrid 15 virtual-ip 192.168.15.254

vrrp vrid 15 virtual-ip 192.168.15.254 vrrp vrid 15 priority 105 vrrp vrid 15 preempt-mode timer delay 60 vrrp vrid 15 track bfd-session session-name 1 reduced 20 vrrp6 vrid 15 virtual-ip FE80::15 link-local vrrp6 vrid 15 virtual-ip 2001:192:168:15::254 vrrp6 vrid 15 priority 105 vrrp6 vrid 15 preempt-mode timer delay 60 dhcp select global#interface Vlanif16 ipv6 enable ip address 192.168.16.251 255.255.255.0 ipv6 address 2001:192:168:16::251/64 ospfv3 32 area 0.0.0.0 vrrp vrid 16 virtual-ip 192.168.16.254 vrrp6 vrid 16 virtual-ip FE80::16 link-local vrrp6 vrid 16 virtual-ip 2001:192:168:16::254 dhcp select global#interface Vlanif100 ipv6 enable ip address 10.1.1.2 255.255.255.252 ipv6 address 2001:10:1:1::2/64 ospfv3 32 area 0.0.0.0#interface Vlanif106 ip address 10.6.6.5 255.255.255.252#interface Eth-Trunk12 port link-type trunk port trunk allow-pass vlan 11 to 16#interface GigabitEthernet0/0/1 port link-type trunk

port link-type trunk port trunk allow-pass vlan 11 to 16#interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 11 to 16#interface GigabitEthernet0/0/3 port link-type trunk port trunk allow-pass vlan 11 to 16#interface GigabitEthernet0/0/4 port link-type trunk port trunk allow-pass vlan 11 to 16#interface GigabitEthernet0/0/5 port link-type trunk port trunk allow-pass vlan 11 to 16#interface GigabitEthernet0/0/6 port link-type trunk port trunk allow-pass vlan 11 to 16#interface GigabitEthernet0/0/10 eth-trunk 12#interface GigabitEthernet0/0/11 eth-trunk 12#interface GigabitEthernet0/0/20 port link-type access port default vlan 100#interface GigabitEthernet0/0/24 port link-type access

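# Remote-management and spanning-tree section of the second distribution switch,
# restored to one command per line. On the page several commands were fused together
# (`vty 0 4authentication-mode`, `quitssh user`, `root secondarystp instance`), which a
# CLI would reject.
#
# The three local-user commands are AAA-view commands; the `aaa` line that enters that
# view is not visible in this part of the listing.
# NOTE(review): `user-ssh` has privilege level 15 (full administrative access) and its
# password is the vendor name, printed in clear on this page. `cipher` only controls how
# the password is stored in the configuration. The same account and password are
# repeated for every device on the page; outside a lab each device needs its own strong
# secret.
 local-user user-ssh password cipher huawei
 local-user user-ssh privilege level 15
 local-user user-ssh service-type ssh
#
# VTY lines 0-4 accept SSH only and authenticate through AAA.
# NOTE(review): no ACL restricting the management source addresses is applied to the VTY
# lines in the visible configuration.
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 quit
# `authentication-type all` lets the user log in with either a password or a public key,
# so the password above is sufficient on its own.
ssh user user-ssh authentication-type all
#
vlan batch 10 to 16 200 to 201
#
# Root primary for MST instances 12/14/16 and secondary for 11/13/15. This lines up with
# the VRRP priority 105 configured for VRIDs 12, 14 and 16 on this device's Vlanif
# interfaces further down the page.
stp instance 11 root secondary
stp instance 12 root primary
stp instance 13 root secondary
stp instance 14 root primary
stp instance 15 root secondary
stp instance 16 root primary
#
dhcp enable
#
# MST region QYW, revision 12: one instance per user VLAN (11-16).
stp region-configuration
 region-name QYW
 revision-level 12
 instance 11 vlan 11
 instance 12 vlan 12
 instance 13 vlan 13
 instance 14 vlan 14
 instance 15 vlan 15
 instance 16 vlan 16
 active region-configuration
#
bfd
#
# Header only: the page repeats `ip pool 11` together with the pool's commands on the
# line that follows.
ip pool 11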

ip pool 11 gateway-list 192.168.11.254 network 192.168.11.0 mask 255.255.255.0 excluded-ip-address 192.168.11.1 192.168.11.127 dns-list 8.8.8.8#ip pool 12 gateway-list 192.168.12.254 network 192.168.12.0 mask 255.255.255.0 excluded-ip-address 192.168.12.1 192.168.12.127 lease day 3 hour 0 minute 0 dns-list 8.8.8.8#ip pool 13 gateway-list 192.168.13.254 network 192.168.13.0 mask 255.255.255.0 excluded-ip-address 192.168.13.1 192.168.13.127 lease day 3 hour 0 minute 0 dns-list 8.8.8.8#ip pool 14 gateway-list 192.168.14.254 network 192.168.14.0 mask 255.255.255.0 excluded-ip-address 192.168.14.1 192.168.14.127 lease day 3 hour 0 minute 0 dns-list 8.8.8.8#ip pool 15 gateway-list 192.168.15.254 network 192.168.15.0 mask 255.255.255.0 excluded-ip-address 192.168.15.1 192.168.15.127 lease day 3 hour 0 minute 0 dns-list 8.8.8.8#ip pool 16

ip pool 16 gateway-list 192.168.16.254 network 192.168.16.0 mask 255.255.255.0 excluded-ip-address 192.168.16.1 192.168.16.127 lease day 3 hour 0 minute 0 dns-list 8.8.8.8#ospfv3 32 router-id 172.16.1.2#interface Vlanif10 ip address 10.23.10.1 255.255.255.0 dhcp select relay dhcp relay server-ip 10.23.100.1#interface Vlanif11 ipv6 enable ip address 192.168.11.252 255.255.255.0 ipv6 address 2001:192:168:11::252/64 ospfv3 32 area 0.0.0.0 vrrp vrid 11 virtual-ip 192.168.11.254 vrrp6 vrid 11 virtual-ip FE80::11 link-local vrrp6 vrid 11 virtual-ip 2001:192:168:11::254 dhcp select global#interface Vlanif12 ipv6 enable ip address 192.168.12.252 255.255.255.0 ipv6 address 2001:192:168:12::252/64 ospfv3 32 area 0.0.0.0 vrrp vrid 12 virtual-ip 192.168.12.254 vrrp vrid 12 priority 105 vrrp vrid 12 preempt-mode timer delay 60 vrrp vrid 12 track bfd-session session-name 1 reduced 20 vrrp6 vrid 12 virtual-ip FE80::12 link-local

vrrp6 vrid 12 virtual-ip FE80::12 link-local vrrp6 vrid 12 virtual-ip 2001:192:168:12::254 vrrp6 vrid 12 priority 105 vrrp6 vrid 12 preempt-mode timer delay 60 dhcp select global#interface Vlanif13 ipv6 enable ip address 192.168.13.252 255.255.255.0 ipv6 address 2001:192:168:13::252/64 ospfv3 32 area 0.0.0.0 vrrp vrid 13 virtual-ip 192.168.13.254 vrrp6 vrid 13 virtual-ip FE80::13 link-local vrrp6 vrid 13 virtual-ip 2001:192:168:13::254 dhcp select global#interface Vlanif14 ipv6 enable ip address 192.168.14.252 255.255.255.0 ipv6 address 2001:192:168:14::252/64 ospfv3 32 area 0.0.0.0 vrrp vrid 14 virtual-ip 192.168.14.254 vrrp vrid 14 priority 105 vrrp vrid 14 preempt-mode timer delay 60 vrrp vrid 14 track bfd-session session-name 1 reduced 20 vrrp6 vrid 14 virtual-ip FE80::14 link-local vrrp6 vrid 14 virtual-ip 2001:192:168:14::254 vrrp6 vrid 14 priority 105 vrrp6 vrid 14 preempt-mode timer delay 60 dhcp select global#interface Vlanif15 ipv6 enable ip address 192.168.15.252 255.255.255.0 ipv6 address 2001:192:168:15::252/64

ipv6 address 2001:192:168:15::252/64 ospfv3 32 area 0.0.0.0 vrrp vrid 15 virtual-ip 192.168.15.254 vrrp6 vrid 15 virtual-ip FE80::15 link-local vrrp6 vrid 15 virtual-ip 2001:192:168:15::254 dhcp select global#interface Vlanif16 ipv6 enable ip address 192.168.16.252 255.255.255.0 ipv6 address 2001:192:168:16::252/64 ospfv3 32 area 0.0.0.0 vrrp vrid 16 virtual-ip 192.168.16.254 vrrp vrid 16 priority 105 vrrp vrid 16 preempt-mode timer delay 60 vrrp vrid 16 track bfd-session session-name 1 reduced 20 vrrp6 vrid 16 virtual-ip FE80::16 link-local vrrp6 vrid 16 virtual-ip 2001:192:168:16::254 vrrp6 vrid 16 priority 105 vrrp6 vrid 16 preempt-mode timer delay 60 dhcp select global#interface Vlanif200 ipv6 enable ip address 10.2.1.2 255.255.255.252 ipv6 address 2001:10:2:1::2/64 ospfv3 32 area 0.0.0.0#interface Vlanif201 ip address 10.23.100.2 255.255.255.0#interface Eth-Trunk12 port link-type trunk port trunk allow-pass vlan 11 to 16#

interface GigabitEthernet0/0/1 port link-type trunk port trunk allow-pass vlan 11 to 16#interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 11 to 16#interface GigabitEthernet0/0/3 port link-type trunk port trunk allow-pass vlan 11 to 16#interface GigabitEthernet0/0/4 port link-type trunk port trunk allow-pass vlan 11 to 16#interface GigabitEthernet0/0/5 port link-type trunk port trunk allow-pass vlan 11 to 16#interface GigabitEthernet0/0/6 port link-type trunk port trunk allow-pass vlan 10 to 16#interface GigabitEthernet0/0/10 eth-trunk 12#interface GigabitEthernet0/0/11 eth-trunk 12#interface GigabitEthernet0/0/20 port link-type access port default vlan 200#

# Access switch LSW3: user VLANs 11-16, one access port in VLAN 11 and two uplink trunks.
sysname LSW3
#
vlan batch 11 to 16
#
# Same MST region parameters (name QYW, revision 12, instance-to-VLAN map) as the other
# switches on the page; all three must match for the switches to share a region.
stp region-configuration
 region-name QYW
 revision-level 12
 instance 11 vlan 11
 instance 12 vlan 12
 instance 13 vlan 13
 instance 14 vlan 14
 instance 15 vlan 15
 instance 16 vlan 16
 active region-configuration
#
# Host-facing access port in VLAN 11, configured as an STP edge port.
# NOTE(review): edge ports are normally paired with `stp bpdu-protection` in the system
# view so that a port receiving BPDUs is shut down; that command is not visible in this
# listing.
interface Ethernet0/0/11
 port link-type access
 port default vlan 11
 stp edged-port enable
#
# Uplink trunks carry only the user VLANs 11-16.
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 11 to 16
#
5 LSW4配置

# Access switch LSW8: VLANs 10-16, two trunks with PVID 10, one access port in VLAN 16
# and one trunk limited to VLANs 10-16.
sysname LSW8
#
vlan batch 10 to 16
#
# Same MST region parameters (name QYW, revision 12, instance-to-VLAN map) as the other
# switches on the page.
stp region-configuration
 region-name QYW
 revision-level 12
 instance 11 vlan 11
 instance 12 vlan 12
 instance 13 vlan 13
 instance 14 vlan 14
 instance 15 vlan 15
 instance 16 vlan 16
 active region-configuration
#
# NOTE(review): this trunk allows every VLAN from 2 to 4094 although only VLANs 10-16
# are created on the switch. Untagged frames land in VLAN 10 (`pvid vlan 10`). Limiting
# the allow-pass list to the VLANs the attached device actually needs (as done on
# GigabitEthernet0/0/2 below) keeps it out of VLANs added later.
interface Ethernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 2 to 4094
#
# Access port in VLAN 16. Unlike the access port on LSW3, no `stp edged-port enable` is
# configured here.
interface Ethernet0/0/11
 port link-type access
 port default vlan 16
#
# NOTE(review): same over-broad allow-pass list (2 to 4094) as Ethernet0/0/1.
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 2 to 4094
#
# Trunk restricted to the VLANs that exist on this switch.
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 to 16
#

security-profile visitors ap-group name ap-group1 radio 0 vap-profile visitors wlan 1 radio 1 vap-profile visitors wlan 1 ap-id 0 type-id 35 ap-mac 00e0-fc1e-65b0 ap-sn 21FF534D33 ap-name area_1 ap-group ap-group1 radio 0 channel 20mhz 6 eirp 127 radio 1 channel 20mhz 149 eirp 127# AR3配置配置NAT,SSH,IPv6 over IPv4 GRE隧道,GRE over IPsec VPN,OSPFV2 和 OSPFV3路由协议。# sysname AR3#stelnet server enable

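# AR3: SSH management, NAT, GRE/IPv6-over-IPv4 tunnels protected by IPsec, OSPF/OSPFv3.
# Restored to one command per line; on the page several commands were fused together
# (`vty 0 4authentication-mode`, `quitssh user`, `200.1.1.1 0acl number 3001`,
# `200.2.1.2ip route-static`), which a CLI would reject.
#
# Local RSA host key for the SSH server. The modulus length is answered interactively;
# 2048 is used here because 1024-bit RSA keys are below current minimum recommendations.
rsa local-key-pair create
Input the bits in the modulus[default = 512]:2048
#
# NOTE(review): `user-ssh` has privilege level 15 (full administrative access) and its
# password is the vendor name, printed in clear on this page. `cipher` only controls how
# the password is stored in the configuration. The same account and password are
# repeated for every device on the page; outside a lab each device needs its own strong
# secret.
aaa
 local-user user-ssh password cipher huawei
 local-user user-ssh privilege level 15
 local-user user-ssh service-type ssh
#
# VTY lines 0-4 accept SSH only and authenticate through AAA.
# NOTE(review): no ACL restricting the management source addresses is applied to the VTY
# lines in the visible configuration, and this router has an Internet-facing interface.
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 quit
# `authentication-type all` lets the user log in with either a password or a public key,
# so the password above is sufficient on its own.
ssh user user-ssh authentication-type all
#
# ACL 2001 selects the inside prefix 192.168.17.0/24 for `nat outbound 2001` below.
acl number 2001
 rule 5 permit source 192.168.17.0 0.0.0.255
#
# ACL 3000 is the IPsec traffic selector: only host-to-host IP traffic from this
# router's public address to the peer's. It mirrors the peer's rule with source and
# destination swapped.
acl number 3000
 rule 5 permit ip source 200.2.1.1 0 destination 200.1.1.1 0
# NOTE(review): no rules for ACL 3001 are visible in this listing.
acl number 3001
#
# ESP in transport mode with AES-192 encryption and SHA2-256 integrity.
ipsec proposal 1
 encapsulation-mode transport
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
#
# NOTE(review): no authentication-algorithm is set in this IKE proposal, so the
# platform default applies; verify it with `display ike proposal` on the software
# version in use rather than assuming a strong hash.
ike proposal 1
 encryption-algorithm aes-cbc-128
 dh group14
#
# NOTE(review): `v1` selects IKEv1, and the pre-shared key is the vendor name, printed in
# clear on this page. Treat `huawei` as a lab value: outside a lab use a long random key
# that is unique per peer, and prefer IKEv2 where both ends support it.
ike peer 1 v1
 pre-shared-key cipher huawei
 ike-proposal 1
 remote-address 200.1.1.1
#
# Binds the selector (ACL 3000), the peer and the ESP proposal into policy BTOA.
ipsec policy BTOA 1 isakmp
 security acl 3000
 ike-peer 1
 proposal 1
#
ospfv3 32
 router-id 172.16.1.33
 import-route static
#
# Public interface: carries the IPsec policy and source NAT for ACL 2001. The IPsec
# selector matches the router's own address (200.2.1.1), not the NATed LAN prefix.
interface GigabitEthernet0/0/0
 ip address 200.2.1.1 255.255.255.248
 ipsec policy BTOA
 nat outbound 2001
#
interface GigabitEthernet0/0/1
 ipv6 enable
 ip address 10.3.1.1 255.255.255.252
 ipv6 address 2001:10:3:1::1/64
 ospfv3 32 area 0.0.0.0
#
interface LoopBack0
 ip address 172.16.1.33 255.255.255.255
#
# GRE tunnel between the two public addresses. Its outer packets are exactly the
# 200.2.1.1 -> 200.1.1.1 traffic that ACL 3000 selects for ESP protection.
interface Tunnel0/0/1
 ip address 100.1.1.2 255.255.255.252
 tunnel-protocol gre
 source 200.2.1.1
 destination 200.1.1.1
#
# IPv6-over-IPv4 tunnel using the same endpoints.
# NOTE(review): because ACL 3000 is `permit ip`, these packets presumably fall under the
# same IPsec policy - confirm on the device that this tunnel's traffic is encrypted.
interface Tunnel0/0/2
 ipv6 enable
 ipv6 address 2001:1313::3/64
 tunnel-protocol ipv6-ipv4
 source 200.2.1.1
 destination 200.1.1.1
#
# NOTE(review): no OSPF authentication is configured in the visible configuration.
ospf 32
 default-route-advertise
 area 0.0.0.0
  network 10.3.1.0 0.0.0.3
  network 172.16.1.33 0.0.0.0
#
# Default route to the upstream next hop; 10.6.6.4/30 is reached through the GRE tunnel.
ip route-static 0.0.0.0 0.0.0.0 200.2.1.2
ip route-static 10.6.6.4 255.255.255.252 Tunnel0/0/1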

ip route-static 192.168.0.0 255.255.0.0 Tunnel0/0/1#ipv6 route-static 2001:192:168:11:: 64 Tunnel0/0/2ipv6 route-static 2001:192:168:12:: 64 Tunnel0/0/2ipv6 route-static 2001:192:168:13:: 64 Tunnel0/0/2ipv6 route-static 2001:192:168:14:: 64 Tunnel0/0/2ipv6 route-static 2001:192:168:15:: 64 Tunnel0/0/2#9 LSW9配置配置DHCP服务器,IPV6,OSPFV2 和 OSPFV3路由协议。#ipv6#vlan batch 17 300#stelnet server enable

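# SSH management section, restored to one command per line; on the page
# `vty 0 4authentication-mode aaaprotocol` and `quitssh user` were fused together,
# which a CLI would reject.
#
# Local RSA host key for the SSH server. The modulus length is answered interactively;
# 2048 is used here because 1024-bit RSA keys are below current minimum recommendations.
rsa local-key-pair create
Input the bits in the modulus[default = 512]:2048
#
# NOTE(review): `user-ssh` has privilege level 15 (full administrative access) and its
# password is the vendor name, printed in clear on this page. `cipher` only controls how
# the password is stored in the configuration. The same account and password are
# repeated for every device on the page; outside a lab each device needs its own strong
# secret.
aaa
 local-user user-ssh password cipher huawei
 local-user user-ssh privilege level 15
 local-user user-ssh service-type ssh
#
# VTY lines 0-4 accept SSH only and authenticate through AAA.
# NOTE(review): no ACL restricting the management source addresses is applied to the VTY
# lines in the visible configuration.
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 quit
# `authentication-type all` lets the user log in with either a password or a public key,
# so the password above is sufficient on its own.
ssh user user-ssh authentication-type all
#
ospfv3 32
 router-id 172.16.1.9
#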

dhcp enable#ip pool 17 gateway-list 192.168.17.254 network 192.168.17.0 mask 255.255.255.0 dns-list 8.8.8.8#interface Vlanif17 ipv6 enable ip address 192.168.17.254 255.255.255.0 ipv6 address 2001:192:168:17::254/64 ospfv3 32 area 0.0.0.0 dhcp select global#interface Vlanif300 ipv6 enable ip address 10.3.1.2 255.255.255.252 ipv6 address 2001:10:3:1::2/64 ospfv3 32 area 0.0.0.0#interface MEth0/0/1#interface GigabitEthernet0/0/1 port link-type access port default vlan 300#interface GigabitEthernet0/0/2 port link-type trunk port trunk allow-pass vlan 17#interface LoopBack0 ip address 172.16.1.9 255.255.255.255#ospf 32 area 0.0.0.0