Date: 2009-08-13  Source: original to this site  Author: anonymous
(Diagram: Huawei configuration example)

Brief description: the NE20 could be left out of this network altogether, but the customer asked that every piece of purchased equipment be put to use, so the NE20 only serves as a DHCP server; later it will also terminate the WAN leased-line interconnection (not part of this configuration). The firewall does NAT, VPN and the related security configuration, and the 6506 switch only uses its VLAN function. (This is the simplest possible topology: it is a government office with fewer than 50 clients.)
The configuration files of each device are attached below.

Firewall configuration:

<f100>dis cur
#
 sysname f100
#
 super password level 3 simple tycdc
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 insulate
#
 connection-limit enable
 connection-limit default permit
 connection-limit default amount upper-limit 50 lower-limit 20
#
 nat address-group 1 211.*.*.* 211.*.*.*
 nat address-group 2 218.*.*.* 218.*.*.*
#
 firewall statistic system enable
#
radius scheme system
 server-type extended
#
domain system
#
local-user admin
 password simple admin
 service-type telnet
 level 3
local-user ty9
 password cipher '*]&X!U8#U7Q=^Q`MAF4<1!!
#
detect-group 2
 detect-list 1 ip address 211.142.25.209
#
acl number 2001
 rule 0 permit source 192.168.0.0 0.0.255.255
 rule 1 permit source 10.0.0.0 0.0.0.255
 rule 2 permit source 172.16.0.0 0.0.0.255
#
acl number 3002
 rule 0 deny tcp source-port eq 3127
 rule 1 deny tcp source-port eq 1025
 rule 2 deny tcp source-port eq 5554
 rule 3 deny tcp source-port eq 9996
 rule 4 deny tcp source-port eq 1068
 rule 5 deny tcp source-port eq 135
 rule 6 deny udp source-port eq 135
 rule 7 deny tcp source-port eq 137
 rule 8 deny udp source-port eq netbios-ns
 rule 9 deny tcp source-port eq 138
 rule 10 deny udp source-port eq netbios-dgm
 rule 11 deny tcp source-port eq 139
 rule 12 deny udp source-port eq netbios-ssn
 rule 13 deny tcp source-port eq 593
 rule 14 deny tcp source-port eq 4444
 rule 15 deny tcp source-port eq 5800
 rule 16 deny tcp source-port eq 5900
 rule 18 deny tcp source-port eq 8998
 rule 19 deny tcp source-port eq 445
 rule 20 deny udp source-port eq 445
 rule 21 deny udp source-port eq 1434
 rule 30 deny tcp destination-port eq 3127
 rule 31 deny tcp destination-port eq 1025
 rule 32 deny tcp destination-port eq 5554
 rule 33 deny tcp destination-port eq 9996
 rule 34 deny tcp destination-port eq 1068
 rule 35 deny tcp destination-port eq 135
 rule 36 deny udp destination-port eq 135
 rule 37 deny tcp destination-port eq 137
 rule 38 deny udp destination-port eq netbios-ns
 rule 39 deny tcp destination-port eq 138
 rule 40 deny udp destination-port eq netbios-dgm
 rule 41 deny tcp destination-port eq 139
 rule 42 deny udp destination-port eq netbios-ssn
 rule 43 deny tcp destination-port eq 593
 rule 44 deny tcp destination-port eq 4444
 rule 45 deny tcp destination-port eq 5800
 rule 46 deny tcp destination-port eq 5900
 rule 48 deny tcp destination-port eq 8998
 rule 49 deny tcp destination-port eq 445
 rule 50 deny udp destination-port eq 445
 rule 51 deny udp destination-port eq 1434
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
 description link to ne20
 tcp mss 1024
 ip address 10.0.0.1 255.255.255.252
 firewall packet-filter 3002 inbound
#
interface Ethernet0/1
 description link to s6506(fuwuqi)
 ip address 10.0.0.129 255.255.255.128
 ip policy route-policy fuwuqi
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet1/0
 description link to yidong
 tcp mss 1024
 ip address 211.*.*.* 255.255.255.240
 firewall packet-filter 3002 inbound
 nat outbound 2001 address-group 1
 nat server protocol tcp global 211.*.*.* www inside 10.0.0.130 www
 nat server protocol tcp global 211.*.*.* 8080 inside 10.0.0.130 8080
 nat server protocol tcp global 211.*.*.* 27 inside 10.0.0.130 ftp
 nat server protocol tcp global 211.*.*.* 8081 inside 10.0.0.130 8081
#
interface Ethernet1/1
 description link to wangtong
 ip address 218.*.*.* 255.255.255.240
 firewall packet-filter 3002 inbound
 nat outbound 2001 address-group 2
#
interface Ethernet1/2
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0
 set priority 85
#
firewall zone untrust
 add interface Ethernet1/0
 add interface Ethernet1/1
 set priority 5
#
firewall zone DMZ
 add interface Ethernet0/1
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
 ip route-static 0.0.0.0 0.0.0.0 218.26.176.17 preference 60
 ip route-static 172.16.0.0 255.255.255.0 10.0.0.2 preference 60
 ip route-static 192.168.0.0 255.255.0.0 10.0.0.2 preference 60
#
 snmp-agent
 snmp-agent local-engineid 000063A27F000001000018CB
 snmp-agent sys-info version all
#
 firewall defend land
 firewall defend smurf
 firewall defend fraggle
 firewall defend winnuke
 firewall defend icmp-redirect
 firewall defend icmp-unreachable
 firewall defend source-route
 firewall defend route-record
 firewall defend tracert
 firewall defend ping-of-death
 firewall defend tcp-flag
 firewall defend ip-fragment
 firewall defend large-icmp
 firewall defend teardrop
 firewall defend ip-sweep
 firewall defend port-scan
 firewall defend arp-spoofing
 firewall defend arp-reverse-query
 firewall defend arp-flood
 firewall defend frag-flood
 firewall defend syn-flood enable
 firewall defend udp-flood enable
 firewall defend icmp-flood enable
#
user-interface con 0
 authentication-mode password
user-interface aux 0
user-interface vty 0 4
 set authentication password simple tytytyty
#
return

This configuration differs slightly from the topology diagram: there are now two public-network lines, one dedicated to the external mapping of the servers and one dedicated to Internet access.

Router configuration:

[ne20]dis cur
#
 sysname ne20
#
 super password level 3 simple abcde
#
diffserv domain
#
controller E1 2/0/0
#
controller E1 2/0/1
#
controller E1 2/0/2
#
controller E1 2/0/3
#
controller Cpos3/0/0
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0/0
 description link to fw100
 ip address 10.0.0.2 255.255.255.252
#
interface Ethernet0/0/1
#
interface Ethernet0/0/1.1
 vlan-type dot1q 101
 ip address 192.168.1.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 202.99.192.68 211.138.106.3
 dhcp server expired day 7
#
interface Ethernet0/0/1.2
 vlan-type dot1q 102
 ip address 192.168.2.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 202.99.192.68 211.138.106.3
 dhcp server expired day 7
#
interface Ethernet0/0/1.3
 vlan-type dot1q 103
 ip address 192.168.3.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 202.99.192.68 211.138.106.3
 dhcp server expired day 7
#
interface Ethernet0/0/1.4
 vlan-type dot1q 104
 ip address 192.168.4.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 202.99.192.68 211.138.106.3
 dhcp server expired day 7
#
interface Ethernet0/0/1.5
 vlan-type dot1q 105
 ip address 192.168.5.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 202.99.192.68 211.138.106.3
 dhcp server expired day 7
#
interface Ethernet0/0/1.6
 vlan-type dot1q 106
 ip address 192.168.6.254 255.255.255.0
 dhcp select interface
 dhcp server dns-list 202.99.192.68 211.138.106.3
 dhcp server expired day 7
#
interface Ethernet0/0/1.10
 vlan-type dot1q 110
 ip address 192.168.0.254 255.255.255.0
#
interface Ethernet0/0/1.255
 vlan-type dot1q 255
 ip address 172.16.0.254 255.255.255.0
#
interface Ethernet1/0/0
#
interface Ethernet1/0/1
#
interface Ethernet1/0/2
#
interface Ethernet1/0/3
#
interface NULL0
#
aaa
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
#
 dhcp server forbidden-ip 192.168.1.1 192.168.1.20
 dhcp server forbidden-ip 192.168.2.1 192.168.2.20
 dhcp server forbidden-ip 192.168.3.1 192.168.3.20
 dhcp server forbidden-ip 192.168.4.1 192.168.4.20
 dhcp server forbidden-ip 192.168.5.1 192.168.5.20
 dhcp server forbidden-ip 192.168.6.1 192.168.6.20
 dhcp server forbidden-ip 192.168.6.235 192.168.6.254
 dhcp server forbidden-ip 192.168.5.235 192.168.5.254
 dhcp server forbidden-ip 192.168.4.235 192.168.4.254
 dhcp server forbidden-ip 192.168.3.235 192.168.3.254
 dhcp server forbidden-ip 192.168.2.235 192.168.2.254
 dhcp server forbidden-ip 192.168.1.235 192.168.1.254
#
 ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
 ip route-static 192.168.0.0 255.255.0.0 Ethernet0/0/1
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 set authentication password simple abcde
#
return

Finally, the switch configuration:

[6506] dis cur
#
 sysname 6506
#
 super password level 3 cipher _Na_-5-[*"#Q=^Q`MAF4<1!!
#
 local-server nas-ip 127.0.0.1 key huawei
#
 domain default enable system
#
 temperature-limit 0 10 70
 temperature-limit 1 10 70
 temperature-limit 2 10 70
 temperature-limit 3 10 70
#
 poe power max-value 2400
#
radius scheme system
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
#
domain system
 vlan-assignment-mode integer
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
 messenger time disable
#
 stp TC-protection enable
#
vlan 1
#
vlan 100
#
vlan 101
#
vlan 102
#
vlan 103
#
vlan 104
#
vlan 105
#
vlan 106
#
vlan 107
#
vlan 108
#
vlan 110
#
vlan 200
#
vlan 255
#
interface Vlan-interface1
#
interface Vlan-interface100
 description waiwang server
#
interface Vlan-interface255
 ip address 172.16.0.1 255.255.255.0
#
interface Aux0/0/0
#
interface M-Ethernet0/0/0
#
interface Ethernet3/0/1
#
interface Ethernet3/0/2
#
interface Ethernet3/0/3
 port access vlan 100
#
interface Ethernet3/0/4
#
interface Ethernet3/0/5
 port access vlan 200
#
interface Ethernet3/0/6
#
interface Ethernet3/0/7
#
interface Ethernet3/0/8
#
interface Ethernet3/0/9
#
interface Ethernet3/0/10
#
interface Ethernet3/0/11
#
interface Ethernet3/0/12
#
interface Ethernet3/0/13
#
interface Ethernet3/0/14
 port link-type trunk
 port trunk permit vlan all
#
interface Ethernet3/0/15
#
interface Ethernet3/0/16
 port access vlan 101
#
interface Ethernet3/0/17
 port link-type trunk
 port trunk permit vlan all
#
interface Ethernet3/0/18
#
interface Ethernet3/0/19
 description link to 1~2 lou
 port access vlan 101
#
interface Ethernet3/0/20
#
interface Ethernet3/0/21
 description link to 3~4 lou
 port access vlan 102
#
interface Ethernet3/0/22
#
interface Ethernet3/0/23
 description link to 6 lou
 port access vlan 103
#
interface Ethernet3/0/24
#
interface Ethernet3/0/25
 description link to louxiajiahuanji
 port access vlan 104
#
interface Ethernet3/0/26
#
interface Ethernet3/0/27
 port access vlan 105
#
interface Ethernet3/0/28
#
interface Ethernet3/0/29
#
interface Ethernet3/0/30
#
interface Ethernet3/0/31
#
interface Ethernet3/0/32
#
interface Ethernet3/0/33
#
interface Ethernet3/0/34
#
interface Ethernet3/0/35
#
interface Ethernet3/0/36
#
interface Ethernet3/0/37
#
interface Ethernet3/0/38
#
interface Ethernet3/0/39
#
interface Ethernet3/0/40
#
interface Ethernet3/0/41
#
interface Ethernet3/0/42
#
interface Ethernet3/0/43
#
interface Ethernet3/0/44
#
interface Ethernet3/0/45
#
interface Ethernet3/0/46
#
interface Ethernet3/0/47
 port access vlan 102
#
interface Ethernet3/0/48
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet2/0/1
 port access vlan 110
#
interface GigabitEthernet2/0/2
 port access vlan 100
#
interface GigabitEthernet2/0/3
 port access vlan 110
#
interface GigabitEthernet2/0/4
 port access vlan 110
#
interface GigabitEthernet2/0/5
#
interface GigabitEthernet2/0/6
#
interface GigabitEthernet2/0/7
#
interface GigabitEthernet2/0/8
#
interface GigabitEthernet2/0/9
#
interface GigabitEthernet2/0/10
#
interface GigabitEthernet2/0/11
#
interface GigabitEthernet2/0/12
 port access vlan 102
#
interface GigabitEthernet2/0/13
#
interface GigabitEthernet2/0/14
#
interface GigabitEthernet2/0/15
#
interface GigabitEthernet2/0/16
 port access vlan 106
#
interface NULL0
#
 ip route-static 0.0.0.0 0.0.0.0 172.16.0.254 preference 60
#
user-interface aux 0
user-interface vty 0 4
 set authentication password cipher _Na_-5-[*"#Q=^Q`MAF4<1!!
#
return
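As an added example (not code from the original post), here is a small Python evaluator for the F100's ACL 3002 as listed above: it reads the `rule ... deny tcp|udp source-port|destination-port eq ...` lines in config order, resolves the VRP port keywords (netbios-ns, netbios-dgm, netbios-ssn), and returns the verdict for a flow, falling back to the global `firewall packet-filter default permit` when no rule matches. The rule excerpt inside the block is a constructed subset of the page's list; note that the same ACL is bound inbound on Ethernet0/0 (the trust side) as well as on both Internet links, so it also stops internal hosts from reaching those ports outbound, while everything not listed passes under default-permit.

```python
import re

# Constructed excerpt in the syntax of the page's F100 config: the global
# default action plus a subset of ACL 3002's rules (the full list has 40).
CONFIG = """
firewall packet-filter default permit
acl number 3002
 rule 0 deny tcp source-port eq 3127
 rule 8 deny udp source-port eq netbios-ns
 rule 35 deny tcp destination-port eq 135
 rule 38 deny udp destination-port eq netbios-ns
 rule 49 deny tcp destination-port eq 445
 rule 51 deny udp destination-port eq 1434
#
"""

PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}
RULE_RE = re.compile(r"^rule \d+ (permit|deny) (tcp|udp)"
                     r"(?: source-port eq (\S+))?(?: destination-port eq (\S+))?$")

def to_port(tok):
    """Numeric port, or a VRP keyword such as netbios-ns; None when absent."""
    if tok is None:
        return None
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_acl(text, number):
    """Return (default_action, rules) for 'acl number <number>' in config order."""
    default, rules, in_acl = "permit", [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("firewall packet-filter default "):
            default = line.split()[-1]
        elif line.startswith("acl number "):
            in_acl = line.split()[-1] == str(number)
        elif line == "#":          # section separator ends the ACL view
            in_acl = False
        elif in_acl and (m := RULE_RE.match(line)):
            action, proto, sport, dport = m.groups()
            rules.append((action, proto, to_port(sport), to_port(dport)))
    return default, rules

def evaluate(acl, proto, sport, dport):
    """First matching rule wins (the page's rules never overlap); else the default."""
    default, rules = acl
    for action, rproto, rsport, rdport in rules:
        if rproto == proto and rsport in (None, sport) and rdport in (None, dport):
            return action
    return default
```

A flow such as TCP 51000 to 445 is denied by rule 49, while TCP 51000 to 80 or UDP to 53 falls through to the default permit.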