# huijuA: switch with two access ports (VLAN 10, VLAN 20) and two trunk uplinks, in MSTP region "wlgc".
sys
sysname huijuA
# Create VLANs
vlan batch 10 20 30 40
# Port assignment: e0/0/1 -> access VLAN 10, e0/0/2 -> access VLAN 20, e0/0/3 and e0/0/4 -> trunks
# NOTE(review): no STP edge-port or BPDU protection is configured on the two access ports in this listing - confirm whether that is intended for host-facing ports
int e0/0/1
port link-type access
port default vlan 10
int e0/0/2
port link-type access
port default vlan 20
# NOTE(review): the two trunks below pass every VLAN ID, although only VLANs 10 20 30 40 are created here; listing just the VLANs in use would keep any later-added VLAN off these links by default
int e0/0/3
port link-type trunk
port trunk allow-pass vlan all
int e0/0/4
port link-type trunk
port trunk allow-pass vlan all
# MSTP region "wlgc": instance 1 = VLANs 10 and 30, instance 2 = VLANs 20 and 40; the last command activates the region settings
stp region-configuration
region-name wlgc
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
huijuB
# huijuB: switch with two access ports (VLAN 30, VLAN 40) and two trunk uplinks, in MSTP region "wlgc".
sys
sysname huijuB
# Create VLANs
vlan batch 10 20 30 40
# Port assignment: e0/0/1 -> access VLAN 30, e0/0/2 -> access VLAN 40, e0/0/3 and e0/0/4 -> trunks
# NOTE(review): no STP edge-port or BPDU protection is configured on the two access ports in this listing - confirm whether that is intended for host-facing ports
int e0/0/1
port link-type access
port default vlan 30
int e0/0/2
port link-type access
port default vlan 40
# NOTE(review): the two trunks below pass every VLAN ID, although only VLANs 10 20 30 40 are created here; listing just the VLANs in use would keep any later-added VLAN off these links by default
int e0/0/3
port link-type trunk
port trunk allow-pass vlan all
int e0/0/4
port link-type trunk
port trunk allow-pass vlan all
# MSTP region "wlgc": instance 1 = VLANs 10 and 30, instance 2 = VLANs 20 and 40; the last command activates the region settings
stp region-configuration
region-name wlgc
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
核心层
coreA
# coreA: core switch. Per the commands below it is MSTP primary root for instance 1 and carries the raised VRRP priority (110) for VLANs 10 and 30.
sys
sysname coreA
# Create VLANs (VLAN 50 is the uplink VLAN addressed on "int vlan 50" further down)
vlan batch 10 20 30 40 50
# Port assignment: g0/0/1 -> access VLAN 50 (the uplink tracked by VRRP below), g0/0/3 and g0/0/4 -> trunks
int g0/0/1
port link-type access
port default vlan 50
# NOTE(review): the two trunks below pass every VLAN ID, so uplink VLAN 50 is also carried on them, while Eth-Trunk 1 further down is limited to 10 20 30 40 - confirm whether "all" is intended
int g0/0/3
port link-type trunk
port trunk allow-pass vlan all
int g0/0/4
port link-type trunk
port trunk allow-pass vlan all
# Create VLANs (repeats the batch above; VLANs 10-40 already exist at this point)
vlan batch 10 20 30 40
# Link aggregation: Eth-Trunk 1 is a trunk that carries only VLANs 10 20 30 40
int Eth-Trunk 1
port link-type trunk
port trunk allow-pass vlan 10 20 30 40
# Add member ports g0/0/23 and g0/0/24 to Eth-Trunk 1
int g0/0/23
eth-trunk 1
int g0/0/24
eth-trunk 1
# MSTP region "wlgc": instance 1 = VLANs 10 and 30, instance 2 = VLANs 20 and 40; the last command activates the region settings
stp region-configuration
region-name wlgc
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
quit
# MSTP root bridge selection: primary root for instance 1, secondary root for instance 2
stp instance 1 root primary
stp instance 2 root secondary
# VRRP configuration: this switch takes .252 on each VLAN interface and the shared virtual gateway is .254.
# VRIDs 10 and 30 get priority 110; VRIDs 20 and 40 set no priority, so the device default applies.
# NOTE(review): no VRRP authentication is configured on any VRID in this listing - confirm before reusing it outside a lab
int vlan 10
ip address 192.168.10.252 24
vrrp vrid 10 virtual-ip 192.168.10.254
vrrp vrid 10 priority 110
# Track the uplink: when the directly connected interface (a port on this switch) goes down, lower this VRID's priority by 50
vrrp vrid 10 track interface g0/0/1 reduced 50
int vlan 20
ip address 192.168.20.252 24
vrrp vrid 20 virtual-ip 192.168.20.254
# Track the uplink: when the directly connected interface (a port on this switch) goes down, lower this VRID's priority by 50
vrrp vrid 20 track interface g0/0/1 reduced 50
int vlan 30
ip address 192.168.30.252 24
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 110
# Track the uplink: when the directly connected interface (a port on this switch) goes down, lower this VRID's priority by 50
vrrp vrid 30 track interface g0/0/1 reduced 50
int vlan 40
ip address 192.168.40.252 24
vrrp vrid 40 virtual-ip 192.168.40.254
# Track the uplink: when the directly connected interface (a port on this switch) goes down, lower this VRID's priority by 50
vrrp vrid 40 track interface g0/0/1 reduced 50
## After this step, run display ip int brief to check the VLAN interface addresses
## Also verify that the PCs in the VLANs can reach each other
# Uplink VLAN interface
int vlan 50
ip address 192.168.252.1 24
# Configure OSPF: process 100, router ID 1.1.1.1, everything in area 0
# NOTE(review): network 0.0.0.0 255.255.255.255 matches every addressed interface, so OSPF also runs on the user-facing VLAN interfaces 10-40, and no OSPF authentication is configured here. Limiting the network statement to the uplink subnet, or marking the user VLAN interfaces with silent-interface, would stop hosts in those VLANs from forming adjacencies - confirm intent
ospf 100 router-id 1.1.1.1
area 0
network 0.0.0.0 255.255.255.255
coreB
# coreB: core switch. Per the commands below it is MSTP primary root for instance 2 and carries the raised VRRP priority (110) for VLANs 20 and 40.
sys
sysname coreB
# Create VLANs (VLAN 60 is the uplink VLAN addressed on "int vlan 60" further down)
vlan batch 10 20 30 40 60
# Port assignment: g0/0/1 -> access VLAN 60 (the uplink tracked by VRRP below), g0/0/3 and g0/0/4 -> trunks
int g0/0/1
port link-type access
port default vlan 60
# NOTE(review): the two trunks below pass every VLAN ID, so uplink VLAN 60 is also carried on them, while Eth-Trunk 1 further down is limited to 10 20 30 40 - confirm whether "all" is intended
int g0/0/3
port link-type trunk
port trunk allow-pass vlan all
int g0/0/4
port link-type trunk
port trunk allow-pass vlan all
# Link aggregation: Eth-Trunk 1 is a trunk that carries only VLANs 10 20 30 40
int Eth-Trunk 1
port link-type trunk
port trunk allow-pass vlan 10 20 30 40
# Add member ports g0/0/23 and g0/0/24 to Eth-Trunk 1
int g0/0/23
eth-trunk 1
int g0/0/24
eth-trunk 1
# MSTP region "wlgc": instance 1 = VLANs 10 and 30, instance 2 = VLANs 20 and 40; the last command activates the region settings
stp region-configuration
region-name wlgc
instance 1 vlan 10 30
instance 2 vlan 20 40
active region-configuration
quit
# MSTP root bridge selection: primary root for instance 2, secondary root for instance 1
stp instance 2 root primary
stp instance 1 root secondary
# VRRP configuration: this switch takes .253 on each VLAN interface and the shared virtual gateway is .254.
# VRIDs 20 and 40 get priority 110; VRIDs 10 and 30 set no priority, so the device default applies.
# NOTE(review): no VRRP authentication is configured on any VRID in this listing - confirm before reusing it outside a lab
int vlan 10
ip address 192.168.10.253 24
vrrp vrid 10 virtual-ip 192.168.10.254
# Track the uplink: when the directly connected interface (a port on this switch) goes down, lower this VRID's priority by 50
vrrp vrid 10 track interface g0/0/1 reduced 50
int vlan 20
ip address 192.168.20.253 24
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 110
# Track the uplink: when the directly connected interface (a port on this switch) goes down, lower this VRID's priority by 50
vrrp vrid 20 track interface g0/0/1 reduced 50
int vlan 30
ip address 192.168.30.253 24
vrrp vrid 30 virtual-ip 192.168.30.254
# Track the uplink: when the directly connected interface (a port on this switch) goes down, lower this VRID's priority by 50
vrrp vrid 30 track interface g0/0/1 reduced 50
int vlan 40
ip address 192.168.40.253 24
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 110
# Track the uplink: when the directly connected interface (a port on this switch) goes down, lower this VRID's priority by 50
vrrp vrid 40 track interface g0/0/1 reduced 50
## After this step, run display ip int brief to check the VLAN interface addresses
## Also verify that the PCs in the VLANs can reach each other
# Uplink VLAN interface
int vlan 60
ip address 192.168.253.1 24
# Configure OSPF: process 100, router ID 2.2.2.2, everything in area 0
# NOTE(review): network 0.0.0.0 255.255.255.255 matches every addressed interface, so OSPF also runs on the user-facing VLAN interfaces 10-40, and no OSPF authentication is configured here. Limiting the network statement to the uplink subnet, or marking the user VLAN interfaces with silent-interface, would stop hosts in those VLANs from forming adjacencies - confirm intent
ospf 100 router-id 2.2.2.2
area 0
network 0.0.0.0 255.255.255.255
对外
防火墙
# FW: firewall between the two core switches (g1/0/0, g1/0/1) and the two ISP links (g1/0/2, g1/0/3); runs OSPF inward, default routes, source NAT and policy-based routing outward.
sys
sysname FW
# Inside interfaces: g1/0/0 faces the 192.168.252.0/24 uplink, g1/0/1 the 192.168.253.0/24 uplink; both answer ping
int g1/0/0
undo shutdown
ip address 192.168.252.2 24
service-manage ping permit
int g1/0/1
undo shutdown
ip address 192.168.253.2 24
service-manage ping permit
# NOTE(review): g1/0/2 and g1/0/3 are placed in the untrust zone below, and service-manage ping permit makes the firewall itself answer ICMP echo on those ISP-facing addresses - useful for lab checks, confirm before reusing on an exposed interface
int g1/0/2
undo shutdown
ip address 56.29.2.21 24
service-manage ping permit
int g1/0/3
undo shutdown
ip address 120.36.2.21 24
service-manage ping permit
# Trust zone: the two inside interfaces
firewall zone trust
add interface g1/0/0
add interface g1/0/1
# Untrust zone: the two ISP-facing interfaces
firewall zone untrust
add interface g1/0/2
add interface g1/0/3
# OSPF process 100, router ID 3.3.3.3; area 0 covers 192.168.0.0/16, which includes both inside interfaces
# NOTE(review): no OSPF authentication is configured on this process in the listing - confirm before reusing it outside a lab
ospf 100 router-id 3.3.3.3
# Advertise the default route into OSPF
default-route-advertise
area 0
network 192.168.0.0 0.0.255.255
# Default routes: the first leaves via g1/0/2 to 56.29.2.22; the second leaves via g1/0/3 to 120.36.2.22 with preference 70
# NOTE(review): presumably 70 is above the default static-route preference, which would make the second route the backup - confirm against the device default
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 56.29.2.22
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/3 120.36.2.22 preference 70
# NAT configuration: rule nat-56 applies easy-ip source NAT to 192.168.0.0/16 leaving g1/0/2
nat-policy
rule name nat-56
egress-interface GigabitEthernet1/0/2
source-address 192.168.0.0 mask 255.255.0.0
action source-nat easy-ip
# Rule nat-120 does the same for traffic leaving g1/0/3 (the nat-policy view is entered a second time here)
nat-policy
rule name nat-120
egress-interface GigabitEthernet1/0/3
source-address 192.168.0.0 mask 255.255.0.0
action source-nat easy-ip
# Policy-based routing: traffic arriving on g1/0/0 or g1/0/1 from 192.168.10.0/24 is sent out g1/0/2 to 56.29.2.22 (rule pbr-56),
# and from 192.168.20.0/24 out g1/0/3 to 120.36.2.22 (rule pbr-120). No rule here matches 192.168.30.0/24 or 192.168.40.0/24.
policy-based-route
rule name pbr-56 1
ingress-interface GigabitEthernet1/0/0
ingress-interface GigabitEthernet1/0/1
source-address 192.168.10.0 mask 255.255.255.0
action pbr egress-interface GigabitEthernet1/0/2 next-hop 56.29.2.22
rule name pbr-120 2
ingress-interface GigabitEthernet1/0/0
ingress-interface GigabitEthernet1/0/1
source-address 192.168.20.0 mask 255.255.255.0
action pbr egress-interface GigabitEthernet1/0/3 next-hop 120.36.2.22
# Security policy that allows ping: rule "ping" permits ICMP from any of dmz/local/trust/untrust to any of the same four zones
# NOTE(review): that includes untrust -> trust and untrust -> local, and the match is the whole icmp service with no source or destination address. For anything beyond connectivity testing, narrow it to the zone pairs and addresses that need it
# NOTE(review): this is the only security-policy rule in the listing; whether non-ICMP traffic from trust to untrust is forwarded depends on the default action, which is not shown - confirm
security-policy
rule name ping
source-zone dmz
source-zone local
source-zone trust
source-zone untrust
destination-zone dmz
destination-zone local
destination-zone trust
destination-zone untrust
service icmp
action permit
接口配置、接口区域配置
ospf新建区域时,不要选择认证模式(核心交换机的ospf未配置认证,两端认证方式不一致时邻居无法建立;生产环境应在两端同时启用认证)
静态路由
策略路由
安全策略
NAT 配置
ISP
ISP-1
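# ISP-1: first ISP router. g0/0/0 holds 56.29.2.22, the next hop used by the firewall's primary default route and PBR rule pbr-56.
sys
# Hostname matches this section's heading; the listing set ISP-2 here, which duplicated the other ISP router's sysname
sysname ISP-1
# Link towards the firewall (56.29.2.0/24)
int g0/0/0
ip address 56.29.2.22 24
# Link towards the "internet" router (12.1.1.0/24)
int g0/0/1
ip address 12.1.1.1 24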
ISP-2
# ISP-2: second ISP router. g0/0/0 holds 120.36.2.22, the next hop used by the firewall's preference-70 default route and PBR rule pbr-120.
sys
sysname ISP-2
# Link towards the firewall (120.36.2.0/24)
int g0/0/0
ip address 120.36.2.22 24
# Link towards the "internet" router (23.1.1.0/24)
# NOTE(review): no routing configuration appears in this section - confirm how this router learns the networks beyond its connected links
int g0/0/1
ip address 23.1.1.1 24
internet
# internet: router standing in for the internet side; it connects to both ISP routers and holds 8.8.8.254/24 on g2/0/0.
sys
sysname internet
# Link to the 12.1.1.0/24 network (the ISP router section with 12.1.1.1)
int g0/0/1
ip address 12.1.1.2 24
# Link to the 23.1.1.0/24 network (the ISP router section with 23.1.1.1)
int g0/0/0
ip address 23.1.1.2 24
# Test destination network 8.8.8.0/24
int g2/0/0
ip address 8.8.8.254 24
# OSPF for the internet side: process 111, every addressed interface in area 0
# NOTE(review): the ISP router sections in this listing show no OSPF configuration, so this process has no visible neighbours - confirm whether the listing is complete. No OSPF authentication is configured here either
ospf 111
area 0
network 0.0.0.0 255.255.255.255