
华为路由器+华为3928上网实例

发表于 2007-7-31 16:24:43 | 显示全部楼层 |阅读模式
客户要求:

        部分VLAN可上网,部分VLAN不可以上网(均指外网),
        而且同一VLAN中部分PC可上,部分PC不能上。
        VLAN中有AD服务器做管理。

机      型:

        华为路由器(接入)+ 华为3928P-EI  +  傻瓜TP-LINK若干

        鉴于该机型的特点(部分命令不支持)以及华为交换机的“特别”之处——
        划分出的各个VLAN(在交换机上配置了Vlan-interface地址后)之间默认是互通的,而且没有命令可以直接关掉,
        因此下面在交换机端口上用ACL配合packet-filter来限制VLAN之间的互访。

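最终配置如下(为现场设备 dis cu 的输出;粘贴内容中似有个别行重复或截断,例如路由器 Ethernet0/1 的地址缺少掩码、交换机 Vlan-interface3 出现两次。其中的 password cipher 密文和 local-server 的 key 属于认证信息,参照使用时应换成自己的值):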

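路由器配置(注:ACL 2000 放行整个 192.168.0.0/16,并用于 Ethernet0/0 的 nat outbound,所贴配置中看不到按VLAN或按PC限制访问外网的规则;若要满足上面的客户要求,需在 ACL 2000 中按网段/主机细化。另外管理面启用了 telnet 和 FTP server,两者均为明文传输。)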
<Miguel>dis cu              
#
sysname Miguel               
#
radius scheme system                    
#
domain system            
#
local-user admin               
password cipher .]@USE=B,53Q=^Q`MAF4<1!!                                         
service-type telnet terminal                             
level 3        
service-type ftp                 
#
acl number 2000               
rule 0 permit source 192.168.0.0 0.0.255.255                                             
#
interface Aux0              
async mode flow               
#
interface Ethernet0/0                     
ip address *.35.40.2 255.255.255.252                                       
nat outbound 2000                  
#
interface Ethernet0/1                     
ip address 192.168.1.1                       
#
interface Serial0/0                  
clock DTECLK1              
link-protocol ppp
ip address dhcp-alloc
#
interface NULL0
#
FTP server enable
#
ip route-static 0.0.0.0 0.0.0.0 *.35.40.1 preference 60
ip route-static 192.168.0.0 255.255.255.0 192.168.1.2 preference 60
ip route-static 192.168.2.0 255.255.255.0 192.168.1.2 preference 60
ip route-static 192.168.3.0 255.255.255.0 192.168.1.2 preference 60
ip route-static 192.168.5.0 255.255.255.0 192.168.1.2 preference 60
ip route-static 192.168.6.0 255.255.255.0 192.168.1.2 preference 60
ip route-static 192.168.7.0 255.255.255.0 192.168.1.2 preference 60
ip route-static 192.168.8.0 255.255.255.0 192.168.1.2 preference 60
ip route-static 192.168.100.0 255.255.255.0 192.168.1.2 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return

-----------------------------------------------------------------------------------
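交换机配置(注:ACL 3002–3005 的规则都以其他VLAN网段为源、以端口所属VLAN网段为目的,且只有 deny 规则;按规则内容看,真正起作用的应是 outbound 方向的 packet-filter,而 inbound 方向上本VLAN主机发出的报文源地址并不在规则之内,建议上线前逐对VLAN实测验证。VLAN 5 的端口 Ethernet1/0/11–14 和 VLAN 100 的端口 Ethernet1/0/21–24 未应用任何 packet-filter。)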
<Sylvia>dis cu
#
local-server nas-ip 127.0.0.1 key huawei
#
domain default enable system
#
queue-scheduler wrr 1 2 3 4 5 9 13 15
#
radius scheme system
#
domain system
#
acl number 3002
rule 0 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
rule 1 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
rule 2 deny ip source 192.168.6.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
rule 3 deny ip source 192.168.7.0 0.0.0.255 destination 192.168.8.0 0.0.0.255
acl number 3003
rule 0 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
rule 1 deny ip source 192.168.6.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
rule 2 deny ip source 192.168.7.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
acl number 3004
rule 0 deny ip source 192.168.6.0 0.0.0.255 destination 192.168.5.0 0.0.0.255
acl number 3005
rule 0 deny ip source 192.168.5.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
rule 1 deny ip source 192.168.6.0 0.0.0.255 destination 192.168.7.0 0.0.0.255
#
vlan 1
#
vlan 2
#
vlan 3
#
vlan 4
#
vlan 5
#
vlan 6
#
vlan 100
#
vlan 200
#
interface Vlan-interface2
ip address 192.168.8.1 255.255.255.0
#
interface Vlan-interface3
#
interface Vlan-interface3
ip address 192.168.0.1 255.255.255.0
#
interface Vlan-interface4
ip address 192.168.5.1 255.255.255.0
#
interface Vlan-interface5
ip address 192.168.6.1 255.255.255.0
#
interface Vlan-interface6
ip address 192.168.7.1 255.255.255.0
#
interface Vlan-interface100
ip address 192.168.100.1 255.255.255.0
#
interface Vlan-interface200
ip address 192.168.1.2 255.255.255.0
#
interface Aux1/0/0
#
interface Ethernet1/0/1
port access vlan 200
#
#
interface Ethernet1/0/2
port access vlan 2
packet-filter inbound ip-group 3002 rule 0
packet-filter inbound ip-group 3002 rule 1
packet-filter inbound ip-group 3002 rule 2
packet-filter inbound ip-group 3002 rule 3
packet-filter outbound ip-group 3002 rule 0
packet-filter outbound ip-group 3002 rule 1
packet-filter outbound ip-group 3002 rule 2
packet-filter outbound ip-group 3002 rule 3
#
interface Ethernet1/0/3
port access vlan 2
packet-filter inbound ip-group 3002 rule 0
packet-filter inbound ip-group 3002 rule 1
packet-filter inbound ip-group 3002 rule 2
packet-filter inbound ip-group 3002 rule 3
packet-filter outbound ip-group 3002 rule 0
packet-filter outbound ip-group 3002 rule 1
packet-filter outbound ip-group 3002 rule 2
packet-filter outbound ip-group 3002 rule 3
#
packet-filter outbound ip-group 3002 rule 3
#
interface Ethernet1/0/4
port access vlan 2
packet-filter inbound ip-group 3002 rule 0
packet-filter inbound ip-group 3002 rule 1
packet-filter inbound ip-group 3002 rule 2
packet-filter inbound ip-group 3002 rule 3
packet-filter outbound ip-group 3002 rule 0
packet-filter outbound ip-group 3002 rule 1
packet-filter outbound ip-group 3002 rule 2
packet-filter outbound ip-group 3002 rule 3
#
interface Ethernet1/0/5
port access vlan 3
packet-filter inbound ip-group 3003 rule 0
packet-filter inbound ip-group 3003 rule 1
packet-filter inbound ip-group 3003 rule 2
packet-filter outbound ip-group 3003 rule 0
packet-filter outbound ip-group 3003 rule 1
packet-filter outbound ip-group 3003 rule 2
#
interface Ethernet1/0/6
port access vlan 3
port access vlan 3
packet-filter inbound ip-group 3003 rule 0
packet-filter inbound ip-group 3003 rule 1
packet-filter inbound ip-group 3003 rule 2
packet-filter outbound ip-group 3003 rule 0
packet-filter outbound ip-group 3003 rule 1
packet-filter outbound ip-group 3003 rule 2
#
interface Ethernet1/0/7
port access vlan 4
packet-filter inbound ip-group 3004 rule 0
packet-filter outbound ip-group 3004 rule 0
#
interface Ethernet1/0/8
port access vlan 4
packet-filter inbound ip-group 3004 rule 0
packet-filter outbound ip-group 3004 rule 0
#
interface Ethernet1/0/9
port access vlan 4
packet-filter inbound ip-group 3004 rule 0
packet-filter outbound ip-group 3004 rule 0
#
interface Ethernet1/0/10
port access vlan 4
packet-filter inbound ip-group 3004 rule 0
packet-filter outbound ip-group 3004 rule 0
#
interface Ethernet1/0/11
port access vlan 5
#
interface Ethernet1/0/12
port access vlan 5
#
interface Ethernet1/0/13
port access vlan 5
#
interface Ethernet1/0/14
port access vlan 5
#
interface Ethernet1/0/15
port access vlan 6
packet-filter inbound ip-group 3005 rule 0
packet-filter inbound ip-group 3005 rule 1
packet-filter outbound ip-group 3005 rule 0
packet-filter outbound ip-group 3005 rule 1
#
interface Ethernet1/0/16
port access vlan 6
packet-filter inbound ip-group 3005 rule 0
packet-filter inbound ip-group 3005 rule 1
packet-filter outbound ip-group 3005 rule 0
packet-filter outbound ip-group 3005 rule 1
#
interface Ethernet1/0/17
#
interface Ethernet1/0/18
#
interface Ethernet1/0/19
#
interface Ethernet1/0/20
#
interface Ethernet1/0/21
port access vlan 100
#
interface Ethernet1/0/22
port access vlan 100
#
#
interface Ethernet1/0/23
port access vlan 100
#
interface Ethernet1/0/24
port access vlan 100
#
interface GigabitEthernet1/1/1
#
interface GigabitEthernet1/1/2
#
interface GigabitEthernet1/1/3
#
interface GigabitEthernet1/1/4
#
sysname Sylvia
undo irf-fabric authentication-mode
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.1.1 preference 60
#
user-interface aux 0 7
user-interface vty 0 4
#
return
发表于 2007-7-31 16:29:56 | 显示全部楼层