Configuration approach:
1. LSW1 and LSW2: bundle the inter-switch links into an Eth-Trunk that allows all VLANs, and run VRRP between the two switches so the gateways are redundant.
# Link aggregation
[Huawei]sysname LSW1
[LSW1]vlan batch 20 30 40 60 70 80
[LSW1]dhcp enable
[LSW1]ospf router-id 1.1.1.1
[LSW1-ospf-1]area 0
[LSW1]interface Eth-Trunk 1
[LSW1]interface GigabitEthernet 0/0/6
[LSW1-GigabitEthernet0/0/6]eth-trunk 1
[LSW1-GigabitEthernet0/0/6]interface GigabitEthernet 0/0/7
[LSW1-GigabitEthernet0/0/7]eth-trunk 1
[LSW1]interface Eth-Trunk 1
[LSW1-Eth-Trunk1]port link-type trunk
[LSW1-Eth-Trunk1]port trunk allow-pass vlan 2 to 4094
[LSW1]port-group group-member GigabitEthernet 0/0/2 to GigabitEthernet 0/0/5
[LSW1-port-group]port link-type trunk
[LSW1-port-group]port trunk allow-pass vlan all
#VRRP
[LSW1]int vlan 40
[LSW1-Vlanif40]ip address 192.168.40.252 24
[LSW1-Vlanif40]vrrp vrid 40 virtual-ip 192.168.40.254
[LSW1-Vlanif40]vrrp vrid 40 priority 120
[LSW1-Vlanif40]ospf enable area 0
2. Configure MSTP on every switch to prevent loops.
stp region-configuration
region-name 1
instance 1 vlan 20 30 40 60
active region-configuration
3. On the access switches, set the ports connected to PCs to access mode and assign them their department VLAN; set the uplink ports from the access switches to the core switches to trunk mode and allow all VLANs.
Taking PC1's access switch as an example:
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
port-group group-member g0/0/3 to g0/0/5
port link-type access
port default vlan 20
4. Run a dynamic routing protocol (OSPF) in the underlay so the whole network is reachable.
5. PCs obtain their IP addresses dynamically via DHCP.
[LSW1]dhcp enable
[LSW1]interface Vlanif 20
[LSW1-Vlanif20]dhcp select interface
6. ACL: none of the internal departments may access the office area.
[LSW4]acl number 2000
[LSW4-acl-basic-2000] rule 5 deny source 192.168.20.0 0.0.0.255
[LSW4-acl-basic-2000] rule 10 deny source 192.168.40.0 0.0.0.255
[LSW4-acl-basic-2000] rule 15 deny source 192.168.60.0 0.0.0.255
[LSW4-acl-basic-2000]int g0/0/3
[LSW4-GigabitEthernet0/0/3]traffic-filter outbound acl 2000
[LSW4-GigabitEthernet0/0/3]int g0/0/4
[LSW4-GigabitEthernet0/0/4]traffic-filter outbound acl 2000
[LSW4-GigabitEthernet0/0/4]int g0/0/5
[LSW4-GigabitEthernet0/0/5]traffic-filter outbound acl 2000
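The ACL in step 6 is a Huawei basic ACL: it matches on source address only, using an inverse (wildcard) mask, and the first matching rule in rule-number order decides. The script below is an added example (not part of the page or of Huawei's software) that reproduces that matching logic over the three rules from the page, so the intended result can be checked before the filter is applied: hosts in 192.168.20.0/24, 192.168.40.0/24 and 192.168.60.0/24 are dropped on the way out of the VLAN 30 access ports, while any other source falls through to the default. The default-permit behaviour for packets that match no rule is an assumption stated in the code; the page adds no permit rule and relies on it.

```python
import ipaddress

# Basic ACL 2000 as configured on LSW4 (rule numbers, actions and addresses
# taken from the page).  A Huawei basic ACL matches on source address only,
# using an inverse (wildcard) mask: a 0 bit must match, a 1 bit is ignored.
ACL_2000 = [
    (5,  "deny", "192.168.20.0", "0.0.0.255"),
    (10, "deny", "192.168.40.0", "0.0.0.255"),
    (15, "deny", "192.168.60.0", "0.0.0.255"),
]

# Subnets visible elsewhere on the page, used to audit what the ACL leaves open.
KNOWN_SUBNETS = [
    "192.168.10.0/24",  # DMZ behind USG6000V1
    "192.168.20.0/24",  # department, VLAN 20
    "192.168.40.0/24",  # department, VLAN 40
    "192.168.50.0/24",  # untrust side of USG6000V1
    "192.168.60.0/24",  # department, VLAN 60
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard mask marks as 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)


def evaluate_basic_acl(rules, src: str, default_action: str = "permit"):
    """Walk the rules in rule-number order; the first match decides.

    Assumption for this example: a packet that matches no rule is handled by
    default_action, which is 'permit' for traffic-filter on Huawei switches.
    Returns (action, rule_id); rule_id is None when the default applied.
    """
    for rule_id, action, base, wildcard in sorted(rules):
        if wildcard_match(src, base, wildcard):
            return action, rule_id
    return default_action, None


def office_area_reachable_from(src: str) -> bool:
    """Can a packet from src leave a VLAN 30 access port toward an office host?"""
    action, _ = evaluate_basic_acl(ACL_2000, src)
    return action == "permit"


def unfiltered_subnets(rules, subnets):
    """Subnets whose network address is not denied by the ACL: the list a
    reviewer compares against the requirement 'no department may reach the
    office area' to see which sources still pass."""
    return [s for s in subnets
            if evaluate_basic_acl(rules, s.split("/")[0])[0] != "deny"]


if __name__ == "__main__":
    for host in ("192.168.20.15", "192.168.40.200", "192.168.10.7", "192.168.30.5"):
        print(host, evaluate_basic_acl(ACL_2000, host))
    print("not filtered:", unfiltered_subnets(ACL_2000, KNOWN_SUBNETS))
```

Two properties of the configuration are worth keeping in mind when reading the output: because the filter is applied outbound on the VLAN 30 ports, only the direction department-to-office is blocked, and sources the rules do not list (for example the DMZ subnet 192.168.10.0/24) are passed by the default.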
#
sysname LSW1
#
vlan batch 20 30 40 60 70 80
#
dhcp enable
#
stp region-configuration
region-name 1
instance 1 vlan 20 30 40 60
active region-configuration
#
interface Vlanif20
ip address 192.168.20.252 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
vrrp vrid 20 priority 120
ospf enable 1 area 0.0.0.0
dhcp select interface
#
interface Vlanif30
ip address 192.168.30.252 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.254
vrrp vrid 30 priority 120
ospf enable 1 area 0.0.0.0
dhcp select interface
#
interface Vlanif40
ip address 192.168.40.252 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.254
vrrp vrid 40 priority 120
ospf enable 1 area 0.0.0.0
dhcp select interface
#
interface Vlanif60
ip address 192.168.60.252 255.255.255.0
vrrp vrid 60 virtual-ip 192.168.60.254
vrrp vrid 60 priority 120
ospf enable 1 area 0.0.0.0
dhcp select interface
#
interface Vlanif70
ip address 10.0.10.1 255.255.255.0
ospf enable 1 area 0.0.0.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 70
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
#
sysname LSW2
#
vlan batch 20 30 40 60 70 80
#
dhcp enable
#
stp region-configuration
region-name 1
instance 1 vlan 20 30 40 60
active region-configuration
#
interface Vlanif20
ip address 192.168.20.253 255.255.255.0
vrrp vrid 20 virtual-ip 192.168.20.254
ospf enable 1 area 0.0.0.0
dhcp select interface
#
interface Vlanif30
ip address 192.168.30.253 255.255.255.0
vrrp vrid 30 virtual-ip 192.168.30.254
ospf enable 1 area 0.0.0.0
dhcp select interface
#
interface Vlanif40
ip address 192.168.40.253 255.255.255.0
vrrp vrid 40 virtual-ip 192.168.40.254
ospf enable 1 area 0.0.0.0
dhcp select interface
#
interface Vlanif60
ip address 192.168.60.253 255.255.255.0
vrrp vrid 60 virtual-ip 192.168.60.254
ospf enable 1 area 0.0.0.0
dhcp select interface
#
interface Vlanif80
ip address 10.0.20.1 255.255.255.0
ospf enable 1 area 0.0.0.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 80
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
eth-trunk 1
#
interface GigabitEthernet0/0/7
eth-trunk 1
#
ospf 1 router-id 2.2.2.2
area 0.0.0.0
#
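The LSW1 and LSW2 configurations above only provide redundancy if every VRRP group exists on both switches with the same virtual IP, and the master is chosen deliberately (LSW1 carries priority 120, LSW2 keeps the default 100, so LSW1 is master for every group). The Python script below is an added example, not part of the page or of Huawei's software: it parses abridged copies of the two running configurations embedded as strings, pairs the VRRP groups by vrid, flags mismatches a defender would want to catch before relying on the failover, and reports which switch will be elected master (higher priority wins; a tie goes to the higher interface address). The default priority of 100 is VRP's documented default and is applied when no priority line is present.

```python
import ipaddress
import re
from dataclasses import dataclass

# Abridged Vlanif sections of LSW1 and LSW2, copied from the running
# configurations on this page and embedded so the audit runs offline
# (constructed input for the example; Vlanif30/60 omitted for brevity).
LSW1_CFG = """\
#
sysname LSW1
#
interface Vlanif20
 ip address 192.168.20.252 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.20.254
 vrrp vrid 20 priority 120
 ospf enable 1 area 0.0.0.0
 dhcp select interface
#
interface Vlanif40
 ip address 192.168.40.252 255.255.255.0
 vrrp vrid 40 virtual-ip 192.168.40.254
 vrrp vrid 40 priority 120
#
interface Vlanif70
 ip address 10.0.10.1 255.255.255.0
#
"""

LSW2_CFG = """\
#
sysname LSW2
#
interface Vlanif20
 ip address 192.168.20.253 255.255.255.0
 vrrp vrid 20 virtual-ip 192.168.20.254
#
interface Vlanif40
 ip address 192.168.40.253 255.255.255.0
 vrrp vrid 40 virtual-ip 192.168.40.254
#
interface Vlanif80
 ip address 10.0.20.1 255.255.255.0
#
"""


@dataclass
class VrrpEntry:
    device: str
    interface: str
    ip: str                 # real interface address
    mask: str
    vrid: int
    virtual_ip: str = ""
    priority: int = 100     # VRP default when no 'vrrp vrid N priority' line exists


def parse_vrrp(cfg: str) -> dict:
    """Return {vrid: VrrpEntry} for one VRP running-config."""
    device = re.search(r"^sysname (\S+)", cfg, re.M).group(1)
    entries, iface, ip, mask = {}, None, None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#":                       # section separator ends the interface
            iface = ip = mask = None
            continue
        m = re.match(r"interface (Vlanif\d+)$", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and iface:
            ip, mask = m.groups()
            continue
        m = re.match(r"vrrp vrid (\d+) (virtual-ip|priority) (\S+)$", line)
        if m and iface:
            vrid = int(m.group(1))
            entry = entries.setdefault(vrid, VrrpEntry(device, iface, ip, mask, vrid))
            if m.group(2) == "virtual-ip":
                entry.virtual_ip = m.group(3)
            else:
                entry.priority = int(m.group(3))
    return entries


def audit_pair(a: dict, b: dict):
    """Compare the VRRP groups of two switches.

    Returns (findings, masters): findings are inconsistencies that would break
    the intended redundancy; masters maps vrid -> device expected to be elected
    master (higher priority wins, ties go to the higher interface IP)."""
    findings, masters = [], {}
    for vrid in sorted(set(a) | set(b)):
        if vrid not in a or vrid not in b:
            findings.append(f"vrid {vrid} is configured on only one switch")
            continue
        ea, eb = a[vrid], b[vrid]
        if ea.virtual_ip != eb.virtual_ip:
            findings.append(f"vrid {vrid}: virtual-ip differs ({ea.virtual_ip} vs {eb.virtual_ip})")
        for e in (ea, eb):
            if not e.virtual_ip:
                findings.append(f"vrid {vrid}: {e.device} has no virtual-ip")
                continue
            net = ipaddress.ip_interface(f"{e.ip}/{e.mask}").network
            if ipaddress.ip_address(e.virtual_ip) not in net:
                findings.append(f"vrid {vrid}: {e.device} virtual-ip {e.virtual_ip} outside {net}")
        if ea.priority == eb.priority:
            findings.append(f"vrid {vrid}: equal priority {ea.priority}; master not explicitly chosen")
        winner = max((ea, eb), key=lambda e: (e.priority, int(ipaddress.ip_address(e.ip))))
        masters[vrid] = winner.device
    return findings, masters


if __name__ == "__main__":
    findings, masters = audit_pair(parse_vrrp(LSW1_CFG), parse_vrrp(LSW2_CFG))
    print("findings:", findings or "none")
    print("expected masters:", masters)
```

Run against the two configurations as they appear on the page the audit reports no findings and LSW1 as master for vrid 20 and 40; removing LSW1's priority lines makes both switches tie at 100, and the election then falls to the higher address, which is LSW2's .253.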
sysname LSW3
#
vlan batch 20 30 40 60 70 80
#
stp region-configuration
region-name 1
instance 1 vlan 20 30 40 60
active region-configuration
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 20
#
sysname LSW4
#
vlan batch 20 30 40 60 70 80
#
stp region-configuration
region-name 1
instance 1 vlan 20 30 40 60
active region-configuration
#
acl number 2000
rule 5 deny source 192.168.20.0 0.0.0.255
rule 10 deny source 192.168.40.0 0.0.0.255
rule 15 deny source 192.168.60.0 0.0.0.255
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
traffic-filter outbound acl 2000
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 30
traffic-filter outbound acl 2000
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 30
traffic-filter outbound acl 2000
#
sysname USG6000V1
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 192.168.10.254 255.255.255.0
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.50.254 255.255.255.0
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 10.0.10.2 255.255.255.0
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.0.20.2 255.255.255.0
ospf enable 1 area 0.0.0.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/0
#
ospf 1 router-id 3.3.3.3
area 0.0.0.0
#
security-policy
default action permit
rule name trust-untrust
source-zone trust
destination-zone untrust
action permit
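The security-policy above sets default action permit before its single rule, so the explicit trust-untrust rule is never the deciding factor: every zone pair the rule does not name (untrust to trust, untrust to dmz, dmz to trust, and so on) is also permitted by the default, and the zone priorities only affect what the firewall calls inbound and outbound. The Python model below is an added example (not part of the page or of Huawei's software) that evaluates a flow between two of the page's zones against the policy as written and against the same rule set with a default deny, and lists which flows change. The hardened variant is an assumption of this example, not a setting on the page.

```python
from dataclasses import dataclass

# Zone priorities and the single security-policy rule as configured on
# USG6000V1 (values taken from the page).
ZONES = {"trust": 85, "dmz": 50, "untrust": 5}


@dataclass(frozen=True)
class Rule:
    name: str
    source_zone: str
    destination_zone: str
    action: str


@dataclass(frozen=True)
class SecurityPolicy:
    rules: tuple
    default_action: str     # the 'default action' line in security-policy view


# The policy exactly as the page shows it.
PAGE_POLICY = SecurityPolicy(
    rules=(Rule("trust-untrust", "trust", "untrust", "permit"),),
    default_action="permit",
)

# Same rule set with 'default action deny' (assumed hardening for this example).
HARDENED_POLICY = SecurityPolicy(rules=PAGE_POLICY.rules, default_action="deny")


def evaluate(policy: SecurityPolicy, src_zone: str, dst_zone: str):
    """Inter-zone lookup: the first rule matching (source, destination) decides,
    otherwise the policy's default action applies.  Returns (action, rule name)."""
    if src_zone not in ZONES or dst_zone not in ZONES:
        raise ValueError(f"unknown zone: {src_zone!r} or {dst_zone!r}")
    if src_zone == dst_zone:
        raise ValueError("intra-zone traffic is outside this model")
    for rule in policy.rules:
        if rule.source_zone == src_zone and rule.destination_zone == dst_zone:
            return rule.action, rule.name
    return policy.default_action, "default"


def flow_matrix(policy: SecurityPolicy) -> dict:
    """Verdict for every ordered pair of distinct zones."""
    return {(s, d): evaluate(policy, s, d)[0]
            for s in ZONES for d in ZONES if s != d}


def flows_changed_by_hardening(before: SecurityPolicy, after: SecurityPolicy):
    """Zone pairs whose verdict differs between two policies: exactly the flows
    that need an explicit rule, or are intentionally closed, once the default
    becomes deny."""
    mb, ma = flow_matrix(before), flow_matrix(after)
    return sorted(pair for pair in mb if mb[pair] != ma[pair])


if __name__ == "__main__":
    for pair, verdict in sorted(flow_matrix(PAGE_POLICY).items()):
        print(f"page policy     {pair[0]:>7} -> {pair[1]:<7} {verdict}")
    for pair, verdict in sorted(flow_matrix(HARDENED_POLICY).items()):
        print(f"default deny    {pair[0]:>7} -> {pair[1]:<7} {verdict}")
    print("flows that change:", flows_changed_by_hardening(PAGE_POLICY, HARDENED_POLICY))
```

With three zones there are six ordered pairs; only trust to untrust is covered by an explicit rule, so switching the default to deny changes the verdict of the other five, and each of those is a flow that would need its own rule if it is genuinely required (for example from the trust zone to the DMZ servers).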
#
Test diagram:
The above is a partial set of configuration commands. If you need the complete configuration and the design topology, you can contact me.