Routers: AR1-AR15 (15 units)
Switches: LSW1-LSW6 (6 units)
Wireless controller: AC1 (1 unit)
Wireless access points: AP1, AP2 (2 units)
Servers: Server1, Server2 (2 units)
PCs: PC1-PC6 (6 units)
Firewall: FW1 (1 unit)
```
AR1(0)--AR13(2) AR1(1)--AR12(2) AR1(2)--AR10(0)
AR2(0)--AR10(1) AR2(1)--AR3(0)
AR3(1)--AR10(2) AR3(2)--AR4(0)
AR4(1)--AR9(0) AR4(2)--AR8(1)
AR5(0)--AR9(1) AR5(1)--AR11(1) AR5(2)--AR7(0)
AR6(0)--AR9(2) AR6(1)--AR11(0) AR6(2)--AR8(0)
AR7(1)--AR11(2) AR7(2)--AR14(1)
AR8(2)--AR14(0)
AR12(0)--AR13(1) AR12(1)--LSW2(4)
AR13(0)--LSW1(3)
AR14(2)--AR15(1)
AR15(0)--AC1(1) AR15(2)--FW1(0)
```

```
LSW1(1)--LSW3(5) LSW1(2)--LSW2(1)
LSW2(2)--LSW3(6) LSW2(3)--Server1(0)
LSW3(1)--PC1 LSW3(2)--PC2 LSW3(3)--PC3 LSW3(4)--PC4
LSW4(2)--SERVER2 LSW4(3)--LSW6(1) LSW4(4)--LSW5(1)
LSW5(2)--LSW6(2) LSW6(3)--pc5 LSW6(4)--pc6
```

```
AC1(2)--AP1(0) AC1(3)--AP2(0)
```

```
FW1(1)--LSW4(1)
```
AR zone 1: 10.1.0.0/16 (AR1-AR5)
AR zone 2: 10.2.0.0/16 (AR6-AR10)
AR zone 3: 10.3.0.0/16 (AR11-AR15)
Interconnect network: 192.168.0.0/16
VLAN 10: management VLAN (10.10.10.0/24)
VLAN 20: user VLAN (10.20.20.0/24)
VLAN 30: server VLAN (10.30.30.0/24)
VLAN 40: wireless VLAN (10.40.40.0/24)
VLAN 50: DMZ VLAN (10.50.50.0/24)
AS 100: core area (AR1-AR5)
AS 200: distribution area (AR6-AR10)
AS 300: access area (AR11-AR15)
```
# Enter system view
system-view
# Set the hostname
sysname AR1
# Configure interface IP addresses
# Configure the interface to AR13
interface GigabitEthernet0/0/0
 ip address 10.1.1.1 255.255.255.252
 # Link-to-AR13
 description Link-to-AR13
# Configure the interface to AR12
interface GigabitEthernet0/0/1
 ip address 10.1.1.5 255.255.255.252
 # Link-to-AR12
 description Link-to-AR12
# Configure the interface to AR10
interface GigabitEthernet0/0/2
 ip address 10.1.1.9 255.255.255.252
 # Link-to-AR10
 description Link-to-AR10
# Configure the loopback interface used for BGP
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Enable MPLS
mpls lsr-id 1.1.1.1
mpls
mpls ldp
# Configure SNMP
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
# Leave system view
quit
# Save the configuration
save
```

```
system-view
sysname AR2
# Configure the interface to AR10
interface GigabitEthernet0/0/0
 ip address 10.1.2.1 255.255.255.252
 # Link-to-AR10
 description Link-to-AR10
# Configure the interface to AR3
interface GigabitEthernet0/0/1
 ip address 10.1.2.5 255.255.255.252
 # Link-to-AR3
 description Link-to-AR3
# Configure the loopback interface
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Configure MPLS
mpls lsr-id 2.2.2.2
mpls
mpls ldp
# Configure SNMP
snmp-agent
snmp-agent community read public
snmp-agent community write private
# Leave system view
quit
save
```

```
system-view
sysname AR3
# Configure the interface to AR2
interface GigabitEthernet0/0/0
 ip address 10.1.2.6 255.255.255.252
 # Link-to-AR2
 description Link-to-AR2
# Configure the interface to AR10
interface GigabitEthernet0/0/1
 ip address 10.1.3.1 255.255.255.252
 # Link-to-AR10
 description Link-to-AR10
# Configure the interface to AR4
interface GigabitEthernet0/0/2
 ip address 10.1.3.5 255.255.255.252
 # Link-to-AR4
 description Link-to-AR4
# Configure the loopback interface
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Configure MPLS
mpls lsr-id 3.3.3.3
mpls
mpls ldp
# Leave system view
quit
save
```

```
system-view
sysname AR4
# Configure the interface to AR3
interface GigabitEthernet0/0/0
 ip address 10.1.3.6 255.255.255.252
 # Link-to-AR3
 description Link-to-AR3
# Configure the interface to AR9
interface GigabitEthernet0/0/1
 ip address 10.1.4.1 255.255.255.252
 # Link-to-AR9
 description Link-to-AR9
# Configure the interface to AR8
interface GigabitEthernet0/0/2
 ip address 10.1.4.5 255.255.255.252
 # Link-to-AR8
 description Link-to-AR8
# Configure the loopback interface
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Configure MPLS
mpls lsr-id 4.4.4.4
mpls
mpls ldp
# Leave system view
quit
save
```

```
system-view
sysname AR5
# Configure the interface to AR9
interface GigabitEthernet0/0/0
 ip address 10.1.5.1 255.255.255.252
 # Link-to-AR9
 description Link-to-AR9
# Configure the interface to AR11
interface GigabitEthernet0/0/1
 ip address 10.1.5.5 255.255.255.252
 # Link-to-AR11
 description Link-to-AR11
# Configure the interface to AR7
interface GigabitEthernet0/0/2
 ip address 10.1.5.9 255.255.255.252
 # Link-to-AR7
 description Link-to-AR7
# Configure the loopback interface
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Configure MPLS
mpls lsr-id 5.5.5.5
mpls
mpls ldp
# Leave system view
quit
save
```

```
system-view
sysname AR6
# Configure the interface to AR9
interface GigabitEthernet0/0/0
 ip address 10.2.1.1 255.255.255.252
 # Link-to-AR9
 description Link-to-AR9
# Configure the interface to AR11
interface GigabitEthernet0/0/1
 ip address 10.2.1.5 255.255.255.252
 # Link-to-AR11
 description Link-to-AR11
# Configure the interface to AR8
interface GigabitEthernet0/0/2
 ip address 10.2.1.9 255.255.255.252
 # Link-to-AR8
 description Link-to-AR8
# Configure the loopback interface
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Configure MPLS
mpls lsr-id 6.6.6.6
mpls
mpls ldp
# Leave system view
quit
save
```

```
system-view
sysname AR7
# Configure the interface to AR5
interface GigabitEthernet0/0/0
 ip address 10.1.5.10 255.255.255.252
 # Link-to-AR5
 description Link-to-AR5
# Configure the interface to AR11
interface GigabitEthernet0/0/1
 ip address 10.2.2.1 255.255.255.252
 # Link-to-AR11
 description Link-to-AR11
# Configure the interface to AR14
interface GigabitEthernet0/0/2
 ip address 10.3.1.1 255.255.255.252
 # Link-to-AR14
 description Link-to-AR14
# Configure the loopback interface
interface Loopback0
 ip address 7.7.7.7 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Configure MPLS
mpls lsr-id 7.7.7.7
mpls
mpls ldp
# Leave system view
quit
save
```

```
system-view
sysname AR8
# Configure the interface to AR6
interface GigabitEthernet0/0/0
 ip address 10.2.1.10 255.255.255.252
 # Link-to-AR6
 description Link-to-AR6
# Configure the interface to AR4
interface GigabitEthernet0/0/1
 ip address 10.1.4.6 255.255.255.252
 # Link-to-AR4
 description Link-to-AR4
# Configure the interface to AR14
interface GigabitEthernet0/0/2
 ip address 10.3.2.1 255.255.255.252
 # Link-to-AR14
 description Link-to-AR14
# Configure the loopback interface
interface Loopback0
 ip address 8.8.8.8 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Configure MPLS
mpls lsr-id 8.8.8.8
mpls
mpls ldp
# Leave system view
quit
save
```

```
system-view
sysname AR9
# Configure the interface to AR4
interface GigabitEthernet0/0/0
 ip address 10.1.4.2 255.255.255.252
 # Link-to-AR4
 description Link-to-AR4
# Configure the interface to AR5
interface GigabitEthernet0/0/1
 ip address 10.1.5.2 255.255.255.252
 # Link-to-AR5
 description Link-to-AR5
# Configure the interface to AR6
interface GigabitEthernet0/0/2
 ip address 10.2.1.2 255.255.255.252
 # Link-to-AR6
 description Link-to-AR6
# Configure the loopback interface
interface Loopback0
 ip address 9.9.9.9 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Configure MPLS
mpls lsr-id 9.9.9.9
mpls
mpls ldp
# Leave system view
quit
save
```

```
system-view
sysname AR10
# Configure the interface to AR1
interface GigabitEthernet0/0/0
 ip address 10.1.1.10 255.255.255.252
 # Link-to-AR1
 description Link-to-AR1
# Configure the interface to AR2
interface GigabitEthernet0/0/1
 ip address 10.1.2.2 255.255.255.252
 # Link-to-AR2
 description Link-to-AR2
# Configure the interface to AR3
interface GigabitEthernet0/0/2
 ip address 10.1.3.2 255.255.255.252
 # Link-to-AR3
 description Link-to-AR3
# Configure the loopback interface
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Configure MPLS
mpls lsr-id 10.10.10.10
mpls
mpls ldp
# Leave system view
quit
save
```

```
system-view
sysname AR11
# Configure the interface to AR6
interface GigabitEthernet0/0/0
 ip address 10.2.1.6 255.255.255.252
 # Link-to-AR6
 description Link-to-AR6
# Configure the interface to AR5
interface GigabitEthernet0/0/1
 ip address 10.1.5.6 255.255.255.252
 # Link-to-AR5
 description Link-to-AR5
# Configure the interface to AR7
interface GigabitEthernet0/0/2
 ip address 10.2.2.2 255.255.255.252
 # Link-to-AR7
 description Link-to-AR7
# Configure the loopback interface
interface Loopback0
 ip address 11.11.11.11 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Configure MPLS
mpls lsr-id 11.11.11.11
mpls
mpls ldp
# Leave system view
quit
save
```

```
system-view
sysname AR12
# Configure the interface to AR1
interface GigabitEthernet0/0/0
 ip address 10.1.1.6 255.255.255.252
 # Link-to-AR1
 description Link-to-AR1
# Configure the interface to AR13
interface GigabitEthernet0/0/1
 ip address 10.3.3.1 255.255.255.252
 # Link-to-AR13
 description Link-to-AR13
# Configure the interface to LSW2
interface GigabitEthernet0/0/2
 ip address 192.168.12.1 255.255.255.252
 # Link-to-LSW2
 description Link-to-LSW2
# Configure the loopback interface
interface Loopback0
 ip address 12.12.12.12 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Leave system view
quit
save
```

```
system-view
sysname AR13
# Configure the interface to AR12
interface GigabitEthernet0/0/0
 ip address 10.3.3.2 255.255.255.252
 # Link-to-AR12
 description Link-to-AR12
# Configure the interface to LSW1
interface GigabitEthernet0/0/1
 ip address 192.168.13.1 255.255.255.252
 # Link-to-LSW1
 description Link-to-LSW1
# Configure the interface to AR1
interface GigabitEthernet0/0/2
 ip address 10.1.1.2 255.255.255.252
 # Link-to-AR1
 description Link-to-AR1
# Configure the loopback interface
interface Loopback0
 ip address 13.13.13.13 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Leave system view
quit
save
```

```
system-view
sysname AR14
# Configure the interface to AR8
interface GigabitEthernet0/0/0
 ip address 10.3.2.2 255.255.255.252
 # Link-to-AR8
 description Link-to-AR8
# Configure the interface to AR7
interface GigabitEthernet0/0/1
 ip address 10.3.1.2 255.255.255.252
 # Link-to-AR7
 description Link-to-AR7
# Configure the interface to AR15
interface GigabitEthernet0/0/2
 ip address 10.3.4.1 255.255.255.252
 # Link-to-AR15
 description Link-to-AR15
# Configure the loopback interface
interface Loopback0
 ip address 14.14.14.14 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Configure MPLS
mpls lsr-id 14.14.14.14
mpls
mpls ldp
# Leave system view
quit
save
```

```
system-view
sysname AR15
# Configure the interface to AR14
interface GigabitEthernet0/0/0
 ip address 10.3.4.2 255.255.255.252
 # Link-to-AR14
 description Link-to-AR14
# Configure the interface to AC1
interface GigabitEthernet0/0/1
 ip address 192.168.15.1 255.255.255.252
 # Link-to-AC1
 description Link-to-AC1
# Configure the interface to FW1
interface GigabitEthernet0/0/2
 ip address 192.168.100.1 255.255.255.252
 # Link-to-FW1
 description Link-to-FW1
# Configure the loopback interface
interface Loopback0
 ip address 15.15.15.15 255.255.255.255
 # BGP-Router-ID
 description BGP-Router-ID
# Configure MPLS
mpls lsr-id 15.15.15.15
mpls
mpls ldp
# Leave system view
quit
save
```

```
system-view
# Enable OSPF process 1
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  # Network toward AR13
  network 10.1.1.0 0.0.0.3
  # Network toward AR12
  network 10.1.1.4 0.0.0.3
  # Network toward AR10
  network 10.1.1.8 0.0.0.3
  # Loopback interface
  network 1.1.1.1 0.0.0.0
# Configure OSPF authentication
area 0.0.0.0
 # Simple authentication
 authentication-mode simple
 # MD5 authentication
 authentication-mode md5 1 cipher huawei
# Configure OSPF cost values
interface GigabitEthernet0/0/0
 ospf cost 10
interface GigabitEthernet0/0/1
 ospf cost 20
interface GigabitEthernet0/0/2
 ospf cost 15
# OSPF neighbors are discovered automatically; no manual configuration is needed (except on NBMA networks)
```

```
system-view
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  # Link to AR10
  network 10.1.2.0 0.0.0.3
  # Link to AR3
  network 10.1.2.4 0.0.0.3
  # Loopback interface
  network 2.2.2.2 0.0.0.0
# Note: the backbone area (Area 0) cannot be configured as a stub area
# If a stub area is needed, use a non-backbone area
# Configure the OSPF area type (example)
area 0.0.0.1
 # Configure as a stub area
 stub
 # Do not send summary LSAs
 no-summary
```

```
system-view
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 10.1.2.4 0.0.0.3
  network 10.1.3.0 0.0.0.3
  network 10.1.3.4 0.0.0.3
  network 3.3.3.3 0.0.0.0
# Configure an NSSA area
area 0.0.0.1
 # Advertise a default route
 nssa default-route-advertise
 # Translate type 7 LSAs to type 5
 translate-type type7-to-type5
```

```
system-view
ospf 1 router-id 4.4.4.4
 area 0.0.0.0
  network 10.1.3.4 0.0.0.3
  network 10.1.4.0 0.0.0.3
  network 10.1.4.4 0.0.0.3
  network 4.4.4.4 0.0.0.0
# Note: a virtual link cannot be configured in the backbone area
# If a virtual link is needed, configure it in a non-backbone area
# Virtual link example
area 0.0.0.1
 # Establish a virtual link with AR1
 vlink-peer 1.1.1.1
```

```
system-view
ospf 1 router-id 5.5.5.5
 area 0.0.0.0
  network 10.1.5.0 0.0.0.3
  network 10.1.5.4 0.0.0.3
  network 10.1.5.8 0.0.0.3
  network 5.5.5.5 0.0.0.0
# Configure multiple areas
area 0.0.0.2
 # Area 2 network
 network 10.2.0.0 0.0.255.255
```

```
system-view
# Enable OSPF process 1
ospf 1 router-id 6.6.6.6
 area 0.0.0.0
  # Network toward AR9
  network 10.2.1.0 0.0.0.3
  # Network toward AR11
  network 10.2.1.4 0.0.0.3
  # Network toward AR8
  network 10.2.1.8 0.0.0.3
  # Loopback interface
  network 6.6.6.6 0.0.0.0
# Configure OSPF interface costs
interface GigabitEthernet0/0/0
 ospf cost 10
interface GigabitEthernet0/0/1
 ospf cost 20
interface GigabitEthernet0/0/2
 ospf cost 15
```

```
system-view
ospf 1 router-id 7.7.7.7
 area 0.0.0.0
  # Network toward AR5
  network 10.1.5.8 0.0.0.3
  # Network toward AR11
  network 10.2.2.0 0.0.0.3
  # Network toward AR14
  network 10.3.1.0 0.0.0.3
  # Loopback interface
  network 7.7.7.7 0.0.0.0
# Configure the OSPF area type
area 0.0.0.1
 # Configure as an NSSA area
 nssa default-route-advertise
```

```
system-view
ospf 1 router-id 8.8.8.8
 area 0.0.0.0
  # Network toward AR6
  network 10.2.1.8 0.0.0.3
  # Network toward AR4
  network 10.1.4.4 0.0.0.3
  # Network toward AR14
  network 10.3.2.0 0.0.0.3
  # Loopback interface
  network 8.8.8.8 0.0.0.0
# Configure OSPF authentication
area 0.0.0.0
 # MD5 authentication
 authentication-mode md5 1 cipher huawei
```

```
system-view
ospf 1 router-id 9.9.9.9
 area 0.0.0.0
  # Network toward AR4
  network 10.1.4.0 0.0.0.3
  # Network toward AR5
  network 10.1.5.0 0.0.0.3
  # Network toward AR6
  network 10.2.1.0 0.0.0.3
  # Loopback interface
  network 9.9.9.9 0.0.0.0
# Configure OSPF multiple areas
area 0.0.0.2
 # Area 2 network
 network 172.16.0.0 0.0.255.255
```

```
system-view
ospf 1 router-id 10.10.10.10
 area 0.0.0.0
  # Network toward AR1
  network 10.1.1.8 0.0.0.3
  # Network toward AR2
  network 10.1.2.0 0.0.0.3
  # Network toward AR3
  network 10.1.3.0 0.0.0.3
  # Loopback interface
  network 10.10.10.10 0.0.0.0
# Configure OSPF route summarization
area 0.0.0.0
 # ABR route summarization
 abr-summary 10.1.0.0 255.255.0.0
```

```
system-view
ospf 1 router-id 11.11.11.11
 area 0.0.0.0
  # Network toward AR6
  network 10.2.1.4 0.0.0.3
  # Network toward AR5
  network 10.1.5.4 0.0.0.3
  # Network toward AR7
  network 10.2.2.0 0.0.0.3
  # Loopback interface
  network 11.11.11.11 0.0.0.0
# Note: a virtual link cannot be configured in the backbone area
# If a virtual link is needed, configure it in a non-backbone area
# OSPF virtual link example
area 0.0.0.1
 # Establish a virtual link with AR6
 vlink-peer 6.6.6.6
```

```
system-view
ospf 1 router-id 12.12.12.12
 area 0.0.0.0
  # Network toward AR1
  network 10.1.1.4 0.0.0.3
  # Network toward AR13
  network 10.3.3.0 0.0.0.3
  # Loopback interface
  network 12.12.12.12 0.0.0.0
# Configure a second OSPF instance
ospf 2 router-id 12.12.12.12
 area 0.0.0.0
  # Network toward LSW2
  network 192.168.12.0 0.0.0.3
```

```
system-view
ospf 1 router-id 13.13.13.13
 area 0.0.0.0
  # Network toward AR12
  network 10.3.3.0 0.0.0.3
  # Network toward AR1
  network 10.1.1.0 0.0.0.3
  # Loopback interface
  network 13.13.13.13 0.0.0.0
# Configure a second OSPF instance
ospf 2 router-id 13.13.13.13
 area 0.0.0.0
  # Network toward LSW1
  network 192.168.13.0 0.0.0.3
```

```
system-view
ospf 1 router-id 14.14.14.14
 area 0.0.0.0
  # Network toward AR8
  network 10.3.2.0 0.0.0.3
  # Network toward AR7
  network 10.3.1.0 0.0.0.3
  # Network toward AR15
  network 10.3.4.0 0.0.0.3
  # Loopback interface
  network 14.14.14.14 0.0.0.0
# Note: the backbone area (Area 0) cannot be configured as a stub area
# If a stub area is needed, use a non-backbone area
# Configure the OSPF area type (example)
area 0.0.0.3
 # Configure as a stub area
 stub
 # Do not send summary LSAs
 no-summary
```

```
system-view
ospf 1 router-id 15.15.15.15
 area 0.0.0.0
  # Network toward AR14
  network 10.3.4.0 0.0.0.3
  # Loopback interface
  network 15.15.15.15 0.0.0.0
# Configure a second OSPF instance
ospf 2 router-id 15.15.15.15
 area 0.0.0.0
  # Network toward AC1
  network 192.168.15.0 0.0.0.3
  # Network toward FW1
  network 192.168.100.0 0.0.0.3
```
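The configurations on this page rely on the default SNMP communities, on `simple` and `md5` authentication modes and on one shared password, `huawei`. The following Python example (added here, not part of the original page) scans VRP-style configuration text for those settings and reports them per device. The rule names, the `WEAK_SECRETS` list and the sample input, which is re-typed from the AR1 and AR11 commands on this page, are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Sample input: commands re-typed from the AR1 and AR11 blocks on this page,
# one per line (assembled for this example).
SAMPLE_CONFIG = """\
sysname AR1
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  authentication-mode simple
  authentication-mode md5 1 cipher huawei
bgp 100
 peer 2.2.2.2 password cipher huawei
sysname AR11
interface GigabitEthernet0/0/0
 rip authentication-mode simple huawei
isis 1
 area-authentication-mode md5 cipher huawei level-1
"""

# Assumption of this example: values treated as guessable. These are the SNMP
# communities and the shared password that the page's configurations use.
WEAK_SECRETS = {"public", "private", "huawei"}

# (rule id, pattern, explanation), checked against every non-comment line.
LINE_RULES = [
    ("snmp-v1-v2c",
     re.compile(r"^snmp-agent sys-info version (?:all|v1|v2c)\b"),
     "SNMPv1/v2c enabled; community strings cross the network in cleartext"),
    ("auth-cleartext",
     re.compile(r"\bauthentication-mode simple\b"),
     "simple mode sends the routing-protocol password in cleartext"),
    ("auth-md5",
     re.compile(r"\bauthentication-mode md5\b"),
     "MD5-based authentication; use an HMAC-SHA mode if the release has one"),
]

# Patterns whose first group captures a secret typed in clear in the script.
# On a device, `cipher` values are stored encrypted, so this check is meant
# for pre-deployment scripts such as the ones on this page.
SECRET_PATTERNS = [
    re.compile(r"^snmp-agent community (?:read|write) (?:cipher )?(\S+)"),
    re.compile(r"\bauthentication-mode (?:simple|md5)(?: usual| \d+)?"
               r"(?: cipher| plain)? (\S+)"),
    re.compile(r"\bpassword (?:cipher|simple) (\S+)"),
]


@dataclass(frozen=True)
class Finding:
    device: str
    line_no: int
    rule: str
    detail: str


def audit(config_text):
    """Return a Finding for every weak setting, attributed by `sysname`."""
    findings = []
    device = "(unknown)"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name = re.match(r"sysname (\S+)", line)
        if name:
            device = name.group(1)
            continue
        for rule, pattern, detail in LINE_RULES:
            if pattern.search(line):
                findings.append(Finding(device, line_no, rule, detail))
        for pattern in SECRET_PATTERNS:
            hit = pattern.search(line)
            if hit and hit.group(1).lower() in WEAK_SECRETS:
                findings.append(Finding(device, line_no, "weak-secret",
                                        f"guessable secret {hit.group(1)!r}"))
                break
    return findings


def rules_by_device(findings):
    """Group the triggered rule ids per device for a quick overview."""
    grouped = {}
    for finding in findings:
        grouped.setdefault(finding.device, set()).add(finding.rule)
    return grouped


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.device}:{f.line_no}: [{f.rule}] {f.detail}")
```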
```
system-view
# Enable RIP version 2
rip 1
 version 2
 # Advertise the classful network
 network 10.0.0.0
 # Advertise the loopback interface network
 network 1.0.0.0
# Configure RIP authentication
interface GigabitEthernet0/0/0
 # Simple authentication
 rip authentication-mode simple huawei
 # MD5 authentication
 rip authentication-mode md5 usual huawei
# Configure split horizon
interface GigabitEthernet0/0/0
 # Disable split horizon
 undo rip split-horizon
# Configure route summarization
rip 1
 # Summary route
 summary 10.0.0.0
```

```
system-view
rip 1
 version 2
 network 10.0.0.0
 network 2.0.0.0
# Configure a passive interface
interface GigabitEthernet0/0/1
 # Configure as a passive interface
 silent-interface
rip 1
 # Configure the passive interface in the RIP process
 silent-interface GigabitEthernet0/0/1
# Configure route filtering
rip 1
 # Outbound filtering
 filter-policy ip-prefix RIP_FILTER export
ip ip-prefix RIP_FILTER index 10 permit 10.1.0.0 16
```

```
system-view
# Enable RIP version 2
rip 1
 version 2
 # Advertise the classful network
 network 10.0.0.0
 # Advertise the loopback interface network
 network 3.0.0.0
# Configure RIP authentication
interface GigabitEthernet0/0/0
 # MD5 authentication
 rip authentication-mode md5 usual huawei
interface GigabitEthernet0/0/1
 rip authentication-mode md5 usual huawei
interface GigabitEthernet0/0/2
 rip authentication-mode md5 usual huawei
# Configure route redistribution
ospf 1
 # Redistribute RIP routes into OSPF
 import-route rip 1
rip 1
 # Redistribute OSPF routes into RIP
 import-route ospf 1
```

```
system-view
rip 1
 version 2
 network 10.0.0.0
 network 4.0.0.0
# Configure RIP interface metrics
interface GigabitEthernet0/0/0
 rip metric-value 10
interface GigabitEthernet0/0/1
 rip metric-value 15
interface GigabitEthernet0/0/2
 rip metric-value 20
# Configure split horizon
interface GigabitEthernet0/0/1
 # Disable split horizon
 undo rip split-horizon
```

```
system-view
rip 1
 version 2
 network 10.0.0.0
 network 5.0.0.0
# Configure passive interfaces
interface GigabitEthernet0/0/1
 silent-interface
interface GigabitEthernet0/0/2
 silent-interface
rip 1
 silent-interface GigabitEthernet0/0/1
 silent-interface GigabitEthernet0/0/2
# Configure route summarization
rip 1
 # Summary route
 summary 10.1.0.0
```

```
system-view
rip 1
 version 2
 network 10.0.0.0
 network 6.0.0.0
# Configure RIP authentication
interface GigabitEthernet0/0/0
 rip authentication-mode md5 usual huawei
interface GigabitEthernet0/0/1
 rip authentication-mode md5 usual huawei
interface GigabitEthernet0/0/2
 rip authentication-mode md5 usual huawei
# Configure route filtering
rip 1
 # Outbound filtering
 filter-policy ip-prefix RIP_FILTER export
ip ip-prefix RIP_FILTER index 10 permit 10.2.0.0 16
```

```
system-view
rip 1
 version 2
 network 10.0.0.0
 network 7.0.0.0
# Configure a second RIP instance
rip 2
 version 2
 network 172.16.0.0
# Configure route redistribution
rip 1
 import-route rip 2
rip 2
 import-route rip 1
```

```
system-view
rip 1
 version 2
 network 10.0.0.0
 network 8.0.0.0
# Configure RIP timers
rip 1
 # Update timer
 timers rip update 30
 # Age timer
 timers rip age 180
 # Garbage-collect timer
 timers rip garbage-collect 120
```

```
system-view
rip 1
 version 2
 network 10.0.0.0
 network 9.0.0.0
# Configure RIP neighbors
rip 1
 # Specify the neighbors
 peer 10.1.4.1
 peer 10.1.5.1
# Configure route redistribution
ospf 1
 import-route rip 1
rip 1
 import-route ospf 1
```

```
system-view
rip 1
 version 2
 network 10.0.0.0
# Configure route summarization
rip 1
 summary 10.1.0.0
 summary 10.2.0.0
```

```
system-view
rip 1
 version 2
 network 10.0.0.0
 network 11.0.0.0
# Configure RIP authentication
interface GigabitEthernet0/0/0
 rip authentication-mode simple huawei
interface GigabitEthernet0/0/1
 rip authentication-mode simple huawei
interface GigabitEthernet0/0/2
 rip authentication-mode simple huawei
# Configure split horizon
interface GigabitEthernet0/0/0
 undo rip split-horizon
```

```
system-view
rip 1
 version 2
 network 10.0.0.0
 network 12.0.0.0
# Configure a second RIP instance
rip 2
 version 2
 network 192.168.0.0
# Configure route redistribution
rip 1
 import-route rip 2
rip 2
 import-route rip 1
# Configure a passive interface
interface GigabitEthernet0/0/2
 silent-interface
rip 1
 silent-interface GigabitEthernet0/0/2
```

```
system-view
rip 1
 version 2
 network 10.0.0.0
 network 13.0.0.0
# Configure RIP interface metrics
interface GigabitEthernet0/0/0
 rip metric-value 5
interface GigabitEthernet0/0/1
 rip metric-value 10
interface GigabitEthernet0/0/2
 rip metric-value 5
# Configure route filtering
rip 1
 filter-policy ip-prefix RIP_FILTER export
ip ip-prefix RIP_FILTER index 10 permit 192.168.0.0 16
```

```
system-view
rip 1
 version 2
 network 10.0.0.0
 network 14.0.0.0
# Configure RIP authentication
interface GigabitEthernet0/0/0
 rip authentication-mode md5 usual huawei
interface GigabitEthernet0/0/1
 rip authentication-mode md5 usual huawei
interface GigabitEthernet0/0/2
 rip authentication-mode md5 usual huawei
# Configure route summarization
rip 1
 summary 10.3.0.0
```

```
system-view
rip 1
 version 2
 network 10.0.0.0
 network 15.0.0.0
# Configure a second RIP instance
rip 2
 version 2
 network 192.168.0.0
# Configure route redistribution
rip 1
 import-route rip 2
rip 2
 import-route rip 1
# Configure passive interfaces
interface GigabitEthernet0/0/1
 silent-interface
interface GigabitEthernet0/0/2
 silent-interface
rip 1
 silent-interface GigabitEthernet0/0/1
 silent-interface GigabitEthernet0/0/2
```

```
system-view
# Enable the IS-IS process
isis 1
 # Configure as a Level-1-2 router
 is-level level-1-2
 # NET address
 network-entity 49.0001.0000.0000.0001.00
# Enable IS-IS on the interfaces
interface GigabitEthernet0/0/0
 isis enable 1
 # Circuit type
 isis circuit-type level-2
 # Interface cost
 isis cost 10
interface GigabitEthernet0/0/1
 isis enable 1
 isis cost 20
interface Loopback0
 isis enable 1
 # Passive interface
 isis passive
# Configure IS-IS route summarization
isis 1
 # Summary route
 summary 10.1.0.0 255.255.0.0 level-1-2
```

```
system-view
isis 1
 # Level-1 router
 is-level level-1
 network-entity 49.0001.0000.0000.0002.00
interface GigabitEthernet0/0/0
 isis enable 1
 isis circuit-type level-1
interface GigabitEthernet0/0/1
 isis enable 1
```

```
system-view
# Enable the IS-IS process
isis 1
 # Level-1-2 router
 is-level level-1-2
 # NET address
 network-entity 49.0001.0000.0000.0003.00
# Enable IS-IS on the interfaces
interface GigabitEthernet0/0/0
 isis enable 1
 # Circuit type
 isis circuit-type level-1
 # Interface cost
 isis cost 15
interface GigabitEthernet0/0/1
 isis enable 1
 isis circuit-type level-2
 isis cost 20
interface GigabitEthernet0/0/2
 isis enable 1
 isis cost 25
interface Loopback0
 isis enable 1
 # Passive interface
 isis passive
# Configure IS-IS route summarization
isis 1
 # Level-1 summary
 summary 10.1.0.0 255.255.0.0 level-1
 # Level-2 summary
 summary 10.1.0.0 255.255.0.0 level-2
```

```
system-view
isis 1
 # Level-2 router
 is-level level-2
 network-entity 49.0002.0000.0000.0004.00
interface GigabitEthernet0/0/0
 isis enable 1
 isis circuit-type level-2
 isis cost 10
interface GigabitEthernet0/0/1
 isis enable 1
 isis cost 15
interface GigabitEthernet0/0/2
 isis enable 1
 isis cost 20
interface Loopback0
 isis enable 1
 isis passive
# Configure IS-IS authentication
isis 1
 # Domain authentication
 domain-authentication-mode md5 cipher huawei level-2
```

```
system-view
isis 1
 # Level-1 router
 is-level level-1
 network-entity 49.0001.0000.0000.0005.00
interface GigabitEthernet0/0/0
 isis enable 1
 isis circuit-type level-1
 isis cost 12
interface GigabitEthernet0/0/1
 isis enable 1
 isis cost 18
interface GigabitEthernet0/0/2
 isis enable 1
 isis cost 22
interface Loopback0
 isis enable 1
 isis passive
# Configure a second IS-IS instance
isis 2
 is-level level-2
 network-entity 49.0002.0000.0000.0005.00
```

```
system-view
isis 1
 # Level-1-2 router
 is-level level-1-2
 network-entity 49.0001.0000.0000.0006.00
interface GigabitEthernet0/0/0
 isis enable 1
 isis circuit-type level-1
 isis cost 8
interface GigabitEthernet0/0/1
 isis enable 1
 isis circuit-type level-2
 isis cost 12
interface GigabitEthernet0/0/2
 isis enable 1
 isis cost 16
interface Loopback0
 isis enable 1
 isis passive
# Configure IS-IS route leaking
isis 1
 # Leak Level-1 routes into Level-2
 import-route isis level-1 into level-2
```

```
system-view
isis 1
 # Level-1 router
 is-level level-1
 network-entity 49.0001.0000.0000.0007.00
interface GigabitEthernet0/0/0
 isis enable 1
 isis circuit-type level-1
 isis cost 14
interface GigabitEthernet0/0/1
 isis enable 1
 isis cost 20
interface GigabitEthernet0/0/2
 isis enable 1
 isis cost 24
interface Loopback0
 isis enable 1
 isis passive
# Configure IS-IS authentication
isis 1
 # Area authentication
 area-authentication-mode md5 cipher huawei level-1
```

```
system-view
isis 1
 # Level-2 router
 is-level level-2
 network-entity 49.0002.0000.0000.0008.00
interface GigabitEthernet0/0/0
 isis enable 1
 isis circuit-type level-2
 isis cost 11
interface GigabitEthernet0/0/1
 isis enable 1
 isis cost 17
interface GigabitEthernet0/0/2
 isis enable 1
 isis cost 21
interface Loopback0
 isis enable 1
 isis passive
# Configure the IS-IS cost style
isis 1
 # Wide metrics
 cost-style wide
```

```
system-view
isis 1
 # Level-1-2 router
 is-level level-1-2
 network-entity 49.0001.0000.0000.0009.00
interface GigabitEthernet0/0/0
 isis enable 1
 isis circuit-type level-1
 isis cost 9
interface GigabitEthernet0/0/1
 isis enable 1
 isis circuit-type level-1
 isis cost 13
interface GigabitEthernet0/0/2
 isis enable 1
 isis circuit-type level-2
 isis cost 17
interface Loopback0
 isis enable 1
 isis passive
# Configure IS-IS route summarization
isis 1
 summary 10.1.0.0 255.255.0.0 level-1
 summary 10.2.0.0 255.255.0.0 level-2
```

```
system-view
isis 1
 # Level-2 router
 is-level level-2
 network-entity 49.0002.0000.0000.0010.00
interface GigabitEthernet0/0/0
 isis enable 1
 isis circuit-type level-2
 isis cost 7
interface GigabitEthernet0/0/1
 isis enable 1
 isis cost 11
interface GigabitEthernet0/0/2
 isis enable 1
 isis cost 15
interface Loopback0
 isis enable 1
 isis passive
# Configure a second IS-IS process
isis 2
 is-level level-1
 network-entity 49.0003.0000.0000.0010.00
```

```
system-view
isis 1
 # Level-1 router
 is-level level-1
 network-entity 49.0001.0000.0000.0011.00
interface GigabitEthernet0/0/0
 isis enable 1
 isis circuit-type level-1
 isis cost 10
interface GigabitEthernet0/0/1
 isis enable 1
 isis cost 16
interface GigabitEthernet0/0/2
 isis enable 1
 isis cost 19
interface Loopback0
 isis enable 1
 isis passive
# Configure IS-IS authentication
isis 1
 area-authentication-mode md5 cipher huawei level-1
 domain-authentication-mode md5 cipher huawei level-2
```

```
system-view
isis 1
 # Level-1-2 router
 is-level level-1-2
 network-entity 49.0001.0000.0000.0012.00
interface GigabitEthernet0/0/0
 isis enable 1
 isis circuit-type level-1
 isis cost 6
interface GigabitEthernet0/0/1
 isis enable 1
 isis circuit-type level-2
 isis cost 12
interface GigabitEthernet0/0/2
 isis enable 1
 isis cost 18
interface Loopback0
 isis enable 1
 isis passive
# Configure IS-IS route redistribution
isis 1
 # Redistribute direct routes
 import-route direct cost 10
 # Redistribute static routes
 import-route static cost 20
```

```
system-view
isis 1
 # Level-2 router
 is-level level-2
 network-entity 49.0002.0000.0000.0013.00
interface GigabitEthernet0/0/0
 isis enable 1
 isis circuit-type level-2
 isis cost 8
interface GigabitEthernet0/0/1
 isis enable 1
 isis cost 14
interface GigabitEthernet0/0/2
 isis enable 1
 isis cost 10
interface Loopback0
 isis enable 1
 isis passive
# Configure the IS-IS cost style
isis 1
 cost-style wide
```

```
system-view
isis 1
 # Level-1 router
 is-level level-1
 network-entity 49.0001.0000.0000.0014.00
interface GigabitEthernet0/0/0
 isis enable 1
 isis circuit-type level-1
 isis cost 13
interface GigabitEthernet0/0/1
 isis enable 1
 isis cost 17
interface GigabitEthernet0/0/2
 isis enable 1
 isis cost 21
interface Loopback0
 isis enable 1
 isis passive
# Configure IS-IS route summarization
isis 1
 summary 10.3.0.0 255.255.0.0 level-1
```

```
system-view
isis 1
 # Level-1-2 router
 is-level level-1-2
 network-entity 49.0001.0000.0000.0015.00
interface GigabitEthernet0/0/0
 isis enable 1
 isis circuit-type level-1
 isis cost 15
interface GigabitEthernet0/0/1
 isis enable 1
 isis circuit-type level-2
 isis cost 20
interface GigabitEthernet0/0/2
 isis enable 1
 isis circuit-type level-2
 isis cost 25
interface Loopback0
 isis enable 1
 isis passive
# Configure a second IS-IS instance
isis 2
 is-level level-2
 network-entity 49.0002.0000.0000.0015.00
# Configure IS-IS authentication
isis 1
 area-authentication-mode md5 cipher huawei level-1
 domain-authentication-mode md5 cipher huawei level-2
```

```
system-view
# Enable the BGP process
bgp 100
 router-id 1.1.1.1
 peer 2.2.2.2 as-number 100  # IBGP neighbor
 peer 3.3.3.3 as-number 100
 peer 4.4.4.4 as-number 100
 peer 5.5.5.5 as-number 100
# Configure the BGP neighbor
peer 2.2.2.2 connect-interface Loopback0
peer 2.2.2.2 description IBGP-Neighbor-AR2
# MD5 authentication
peer 2.2.2.2 password cipher huawei
# Configure the EBGP neighbor
# Establish EBGP with AS200
peer 10.10.10.10 as-number 200
# Allow a non-directly-connected EBGP peer
peer 10.10.10.10 ebgp-max-hop 2
# Configure route advertisement
network 1.1.1.1 32
network 10.1.0.0 255.255.0.0
# Configure BGP route aggregation
# Aggregate route
aggregate 10.1.0.0 255.255.0.0 as-set
# Configure the route policy
route-policy BGP_EXPORT permit node 10
 if-match ip-prefix BGP_PREFIX
 # Set the local preference
 apply local-preference 200
peer 2.2.2.2 route-policy BGP_EXPORT export
```

```
system-view
bgp 200
 router-id 6.6.6.6
 peer 7.7.7.7 as-number 200
 peer 8.8.8.8 as-number 200
 peer 9.9.9.9 as-number 200
 peer 10.10.10.10 as-number 200
# Configure the route reflector
# Configure the peer as a route reflector client
peer 10.10.10.10 reflect-client
# Configure the MED attribute
peer 10.10.10.10 route-policy MED_POLICY export
route-policy MED_POLICY permit node 10
 # Set the MED value
 apply med 100
# Configure AS_PATH filtering
peer 10.10.10.10 filter-policy as-path-filter AS_PATH_FILTER import
ip as-path-filter AS_PATH_FILTER permit _100$
```

```
system-view
bgp 300
 router-id 11.11.11.11
 peer 12.12.12.12 as-number 300
 peer 13.13.13.13 as-number 300
 peer 14.14.14.14 as-number 300
 peer 15.15.15.15 as-number 300
# Configure the community attribute
route-policy COMMUNITY_POLICY permit node 10
 # Add the community attribute
 apply community 100:1
peer 12.12.12.12 route-policy COMMUNITY_POLICY export
# Configure BGP multihop
peer 15.15.15.15 ebgp-max-hop 10
# TTL security
peer 15.15.15.15 ttl-security hops 10
# Configure BGP soft reset
# Set the preference
peer 12.12.12.12 preference 150
```

```
system-view
# Enable MPLS TE
mpls
 mpls te
 # Enable CSPF computation
 mpls te cspf
# Configure the MPLS TE tunnel
interface Tunnel1
 ip address unnumbered interface Loopback0
 tunnel-protocol mpls te
 destination 5.5.5.5
 mpls te tunnel-id 1
 # Explicit path
 mpls te path explicit-path TO_AR5
# Configure the explicit path
explicit-path TO_AR5
 # Next-hop addresses
 next hop 10.1.1.2
 next hop 10.1.1.6
 next hop 10.1.5.6
# Configure TE tunnel attributes
mpls te
 # Bandwidth (kbps)
 bandwidth 10000
 # Affinity attribute
 affinity 0x0
 # Setup and hold priorities
 priority 1 1
# Configure fast reroute
mpls te
 # Enable FRR
 fast-reroute
```

```
system-view
mpls
 mpls te
 mpls te cspf
# Configure MPLS TE link attributes
interface GigabitEthernet0/0/0
 mpls te max-link-bandwidth 100000  # Maximum bandwidth
 mpls te link-admin-weight 10  # Administrative weight
# Configure MPLS TE auto tunnels
mpls te auto-tunnel p2p tunnel-id min 100 max 200
```

```
system-view
# Enable MPLS TE (on top of the MPLS LDP already configured)
mpls
 mpls te
 mpls te cspf
# Configure the MPLS TE tunnel to AR5
interface Tunnel1
 ip address unnumbered interface Loopback0
 tunnel-protocol mpls te
 destination 5.5.5.5
 mpls te tunnel-id 301
 mpls te path explicit-path AR3_TO_AR5
# Configure the explicit path
explicit-path AR3_TO_AR5
 next hop 10.1.3.2  # AR10
 next hop 10.1.3.6  # AR4
 next hop 10.1.4.2  # AR9
 next hop 10.1.5.2  # AR9 to AR5
# Configure TE tunnel attributes
mpls te
 bandwidth 50000
 affinity 0x0
 priority 2 2
# Configure interface TE attributes
interface GigabitEthernet0/0/1
 mpls te max-link-bandwidth 100000
 mpls te link-admin-weight 15
```

```
system-view
mpls
 mpls te
 mpls te cspf
# Configure the MPLS TE tunnel to AR7
interface Tunnel1
 ip address unnumbered interface Loopback0
 tunnel-protocol mpls te
 destination 7.7.7.7
 mpls te tunnel-id 401
# Configure the dynamic path
mpls te auto-tunnel p2p tunnel-id min 400 max 450
# Configure TE link attributes
interface GigabitEthernet0/0/0
 mpls te max-link-bandwidth 100000
 mpls te link-admin-weight 10
interface GigabitEthernet0/0/1
 mpls te max-link-bandwidth 100000
 mpls te link-admin-weight 12
interface GigabitEthernet0/0/2
 mpls te max-link-bandwidth 100000
 mpls te link-admin-weight 18
```

```
system-view
mpls
 mpls te
 mpls te cspf
# Configure the MPLS TE tunnel to AR3 (reverse tunnel)
interface Tunnel1
 ip address unnumbered interface Loopback0
 tunnel-protocol mpls te
 destination 3.3.3.3
 mpls te tunnel-id 501
# Configure fast reroute
mpls te fast-reroute backup-tunnel
# Configure TE tunnel protection
interface Tunnel1
 mpls te fast-reroute
```

```
system-view
mpls
 mpls te
 mpls te cspf
# Configure the MPLS TE tunnel to AR8
interface Tunnel1
 ip address unnumbered interface Loopback0
 tunnel-protocol mpls te
 destination 8.8.8.8
 mpls te tunnel-id 601
# Configure the explicit path
explicit-path AR6_TO_AR8
 next hop 10.2.1.2  # AR9
 next hop 10.1.4.6  # AR8
# Configure TE attributes
mpls te
 bandwidth 30000
 priority 3 3
```

```
system-view
mpls
 mpls te
 mpls te cspf
# Configure the MPLS TE tunnel to AR14
interface Tunnel1
 ip address unnumbered interface Loopback0
 tunnel-protocol mpls te
 destination 14.14.14.14
 mpls te tunnel-id 701
# Configure multipath TE
mpls te path-selection metric te
# Configure interface TE attributes
interface GigabitEthernet0/0/2
 mpls te max-link-bandwidth 100000
 mpls te link-admin-weight 20
```

```
system-view
mpls
 mpls te
 mpls te cspf
# Configure the MPLS TE tunnel to AR6 (reverse)
interface Tunnel1
 ip address unnumbered interface Loopback0
 tunnel-protocol mpls te
 destination 6.6.6.6
 mpls te tunnel-id 801
# Configure the TE tunnel group
mpls te tunnel-group TE_GROUP
 member Tunnel1
# Configure load balancing
mpls te load-balance per-flow
```

```
system-view
mpls
 mpls te
 mpls te cspf
# Configure the MPLS TE tunnel to AR10
interface Tunnel1
 ip address unnumbered interface Loopback0
 tunnel-protocol mpls te
 destination 10.10.10.10
 mpls te tunnel-id 901
# Configure TE reoptimization
mpls te reoptimization timer 3600
# Configure interface TE attributes
interface GigabitEthernet0/0/0
 mpls te max-link-bandwidth 100000
 mpls te link-admin-weight 8
interface GigabitEthernet0/0/1
 mpls te max-link-bandwidth 100000
 mpls te link-admin-weight 10
interface GigabitEthernet0/0/2
 mpls te max-link-bandwidth 100000
 mpls te link-admin-weight 12
```

```
system-view
mpls
 mpls te
 mpls te cspf
# Configure the MPLS TE tunnel to AR1
interface Tunnel1
 ip address unnumbered interface Loopback0
 tunnel-protocol mpls te
 destination 1.1.1.1
 mpls te tunnel-id 1001
# Configure the explicit path
explicit-path AR10_TO_AR1
 next hop 10.1.1.10  # Directly connected to AR1
# Configure TE attributes
mpls te
 bandwidth 80000
 affinity 0xFFFFFFFF
 priority 1 1
```

```
system-view
mpls
 mpls te
 mpls te cspf
# Configure the MPLS TE tunnel to AR6
interface Tunnel1
 ip address unnumbered interface Loopback0
 tunnel-protocol mpls te
 destination 6.6.6.6
 mpls te tunnel-id 1101
# Configure the TE tunnel binding
mpls te binding-sid 16000
# Configure interface TE attributes
interface GigabitEthernet0/0/0
 mpls te max-link-bandwidth 100000
 mpls te link-admin-weight 10
```

```
system-view
# AR12 connects to a switch; MPLS TE is not configured
# If MPLS is needed, basic MPLS can be configured
mpls lsr-id 12.12.12.12
mpls
mpls ldp
# Configure MPLS VPN (if needed)
ip vpn-instance VPN1
 route-distinguisher 100:12
 vpn-target 100:12 export-extcommunity
 vpn-target 100:12 import-extcommunity
```

```
system-view
# AR13 connects to a switch; MPLS TE is not configured
# If MPLS is needed, basic MPLS can be configured
mpls lsr-id 13.13.13.13
mpls
mpls ldp
# Configure MPLS VPN
ip vpn-instance VPN1
 route-distinguisher 100:13
 vpn-target 100:13 export-extcommunity
 vpn-target 100:13 import-extcommunity
```

```
system-view
mpls
 mpls te
 mpls te cspf
# Configure the MPLS TE tunnel to AR8
interface Tunnel1
 ip address unnumbered interface Loopback0
 tunnel-protocol mpls te
 destination 8.8.8.8
 mpls te tunnel-id 1401
# Configure the explicit path
explicit-path AR14_TO_AR8
 next hop 10.3.2.2  # Directly connected to AR8
# Configure TE attributes
mpls te
 bandwidth 60000
 priority 2 3
# Configure interface TE attributes
interface GigabitEthernet0/0/0
 mpls te max-link-bandwidth 100000
 mpls te link-admin-weight 15
interface GigabitEthernet0/0/1
 mpls te max-link-bandwidth 100000
 mpls te link-admin-weight 17
interface GigabitEthernet0/0/2
 mpls te max-link-bandwidth 100000
 mpls te link-admin-weight 20
```

```
system-view
mpls
 mpls te
 mpls te cspf
# Configure the MPLS TE tunnel to AR14
interface Tunnel1
 ip address unnumbered interface Loopback0
 tunnel-protocol mpls te
 destination 14.14.14.14
 mpls te tunnel-id 1501
# Configure dynamic MPLS TE
mpls te auto-tunnel p2p tunnel-id min 1500 max 1600
# Configure TE fast reroute
mpls te fast-reroute backup-tunnel
# Configure interface TE attributes
interface GigabitEthernet0/0/0
 mpls te max-link-bandwidth 100000
 mpls te link-admin-weight 18
```

```
system-view
# Create the VLANs
vlan batch 10 20 30 40 50
# Configure the management VLAN
vlan 10
 name Management
 description Management-VLAN
# Configure the user VLAN
vlan 20
 name Users
 description User-VLAN
# Configure the server VLAN
vlan 30
 name Servers
 description Server-VLAN
# Configure interface modes
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40 50
 description Link-to-LSW3
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40 50
 description Link-to-LSW2
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
 description Link-to-AR13
# Configure the VLAN interfaces
interface Vlanif10
 ip address 10.10.10.1 255.255.255.0
 description Management-Interface
interface Vlanif20
 ip address 10.20.20.1 255.255.255.0
 description User-Interface
# Configure VRRP
interface Vlanif20
 vrrp vrid 1 virtual-ip 10.20.20.254
 # Master gateway
 vrrp vrid 1 priority 120
```

```
system-view
vlan batch 10 20 30 40 50
# Configure link aggregation
interface Eth-Trunk1
 # Static LACP mode
 mode lacp-static
 # Load-balancing mode
 load-balance src-dst-mac
# Add the member ports to the Eth-Trunk
interface GigabitEthernet0/0/1
 eth-trunk 1
interface GigabitEthernet0/0/2
 eth-trunk 1
# Configure port security
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 30
 # Enable port security
 port-security enable
 # Maximum number of MAC addresses
 port-security max-mac-num 2
 # Sticky MAC
 port-security mac-address sticky
# Configure DHCP relay
interface Vlanif20
 ip address 10.20.20.2 255.255.255.0
 # DHCP relay mode
 dhcp select relay
 # DHCP server address
 dhcp relay server-address 10.30.30.100
```

```
system-view
vlan batch 20 30
# Configure the access ports
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 20
 description PC1-Port
 port-security enable
 port-security max-mac-num 1
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
 description PC2-Port
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20
 description PC3-Port
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 30
 description PC4-Port
# Configure STP
# Use RSTP mode
stp mode rstp
# Set the priority
stp priority 4096
# Configure fast forwarding on the ports
interface range GigabitEthernet0/0/1 to GigabitEthernet0/0/4
 # Edge port
 stp edged-port enable
```

```
system-view
vlan batch 30 40 50
# Configure router-on-a-stick subinterfaces
interface GigabitEthernet0/0/1.100
 dot1q termination vid 100
 ip address 192.168.100.1 255.255.255.252
 description Link-to-FW1
interface GigabitEthernet0/0/2.30
 dot1q termination vid 30
 ip address 10.30.30.1 255.255.255.0
 description Server2-VLAN30
# Configure the DHCP server
dhcp enable
ip pool VLAN30
 gateway-list 10.30.30.1
 network 10.30.30.0 mask 255.255.255.0
 dns-list 8.8.8.8 8.8.4.4
 lease day 8
interface Vlanif30
 # Global address pool
 dhcp select global
```

```
system-view
vlan batch 40 50
# Configure QoS
# CAR rate limiting
qos car 1000 cir 10000 cbs 2000 ebs 0 green pass red discard
# Apply the QoS policy
interface GigabitEthernet0/0/1
 # Inbound rate limit
 qos car inbound 1000
 # Outbound rate limit
 qos car outbound 1000
# Configure storm control
interface range GigabitEthernet0/0/1 to GigabitEthernet0/0/2
 # Broadcast storm control
 storm-control broadcast min-ratio 20
 # Multicast storm control
 storm-control multicast min-ratio 20
 # Unknown-unicast storm control
 storm-control unknown-unicast min-ratio 20
```

```
system-view
vlan batch 40 50
# Configure port isolation
# Enable port isolation mode
port-isolate mode
interface GigabitEthernet0/0/3
 # Join isolation group 1
 port-isolate enable group 1
interface GigabitEthernet0/0/4
 port-isolate enable group 1
# Configure the MAC address limit
# Maximum number of MAC addresses
mac-address limit maximum 500
# Action when the limit is exceeded
mac-address limit action discard
# Configure ARP inspection
# Duplicate gateway IP detection
arp anti-attack gateway-duplicate enable
# User binding check
arp anti-attack check user-bind enable
```

```
system-view
# Configure the STP mode
# Rapid Spanning Tree Protocol
stp mode rstp
# Set as the root bridge (highest priority)
stp priority 0
# Configure STP protection
# BPDU protection
stp bpdu-protection
# Loop protection
stp loop-protection
# Configure edge ports
interface range GigabitEthernet0/0/1 to GigabitEthernet0/0/3
 # Edge port
 stp edged-port enable
 # Root protection
 stp root-protection
# Configure STP timers
# Hello time
stp timer hello 2
# Maximum age
stp timer max-age 20
# Forward delay
stp timer forward-delay 15
```

```
system-view
stp mode rstp
# Backup root bridge
stp priority 4096
# Configure MSTP
# Multiple Spanning Tree Protocol
stp mode mstp
stp region-configuration
 region-name MSTP-Region
 instance 1 vlan 10 20
 instance 2 vlan 30 40 50
 active region-configuration
# Configure port roles
interface GigabitEthernet0/0/1
 # Port priority for instance 1
 stp instance 1 port-priority 0
 # Port priority for instance 2
 stp instance 2 port-priority 64
```

```
system-view
# Configure the STP mode (based on the existing RSTP configuration)
stp mode rstp
# Set the priority (already 4096)
stp priority 4096
# Configure STP protection features
# BPDU protection
stp bpdu-protection
# TC protection
stp tc-protection enable
stp tc-protection threshold 5
# Configure edge ports (based on the existing configuration)
interface range GigabitEthernet0/0/1 to GigabitEthernet0/0/4
 stp edged-port enable
 # BPDU filtering
 stp bpdu-filter enable
# Configure enhanced port security
interface GigabitEthernet0/0/1
 # Root protection (toward the core layer)
 stp root-protection
 # Loop protection
 stp loop-protection
```

```
system-view
# Configure the STP mode
stp mode mstp
# Set the priority (medium priority)
stp priority 8192
# Configure the MSTP region
stp region-configuration
 region-name LSW4-Region
 # Map VLAN 30 to instance 1
 instance 1 vlan 30
 # Map VLAN 40 to instance 2
 instance 2 vlan 40
 # Map VLAN 50 to instance 2
 instance 2 vlan 50
 revision-level 1
 active region-configuration
# Configure STP on the subinterfaces
interface GigabitEthernet0/0/1.100
 # Disable STP (subinterfaces normally do not take part in STP)
 stp disable
interface GigabitEthernet0/0/2.30
 stp disable
# Configure STP on the physical interfaces
interface GigabitEthernet0/0/1
 # Port priority for instance 1
 stp instance 1 port-priority 32
 # Port priority for instance 2
 stp instance 2 port-priority 64
interface GigabitEthernet0/0/2
 # Port priority for instance 1 (VLAN 30)
 stp instance 1 port-priority 16
 # Edge port
 stp edged-port enable
```

```
system-view
# Configure the STP mode
stp mode rstp
# Set the priority (lower priority)
stp priority 12288
# Tune the STP timers
# Hello time
stp timer hello 1
# Maximum age
stp timer max-age 15
# Forward delay
stp timer forward-delay 10
# Configure port STP attributes
interface range GigabitEthernet0/0/1 to GigabitEthernet0/0/2
 # Edge port (connects to end hosts)
 stp edged-port enable
 # BPDU protection
 stp bpdu-protection
# Configure storm control together with STP
interface range GigabitEthernet0/0/1 to GigabitEthernet0/0/2
 # Shut the port down when storm control triggers
 storm-control broadcast min-ratio 20
 storm-control action shutdown
 # Tie STP to the port state
 stp edged-port enable
```

```
system-view
# Configure the STP mode
stp mode mstp
# Set the priority (lowest priority)
stp priority 16384
# Configure the MSTP region (consistent with LSW4)
stp region-configuration
 region-name LSW4-Region
 instance 1 vlan 30
 instance 2 vlan 40 50
 revision-level 1
 active region-configuration
# Configure port isolation and STP
interface GigabitEthernet0/0/3
 # Port isolation group 1
 port-isolate enable group 1
 # STP edge port
 stp edged-port enable
 # BPDU filtering
 stp bpdu-filter enable
interface GigabitEthernet0/0/4
 # Port isolation group 1
```
port-isolate enable group 1 stp edged-port enable stp bpdu-filter enable# 配置MAC地址限制与STP联动interface range GigabitEthernet0/0/1 to GigabitEthernet0/0/2 # 实例1端口优先级 stp instance 1 port-priority 64 # 实例2端口优先级 stp instance 2 port-priority 96 # 根保护 stp root-protection# 配置ARP检测与STP安全arp anti-attack gateway-duplicate enablearp anti-attack check user-bind enable# 配置TC保护增强stp tc-protection enablestp tc-protection threshold 3stp tc-protection interval 10xxxxxxxxxxsystem-view# 启用DHCP服务dhcp enable# 配置VLAN20地址池ip pool VLAN20 gateway-list 10.20.20.254 network 10.20.20.0 mask 255.255.255.0 dns-list 8.8.8.8 114.114.114.114 domain-name example.com lease day 7 excluded-ip-address 10.20.20.1 10.20.20.10 # 排除地址# 配置VLAN30地址池ip pool VLAN30 gateway-list 10.30.30.254 network 10.30.30.0 mask 255.255.255.0 dns-list 8.8.8.8 8.8.4.4 lease day 14 option 43 sub-option 3 ascii 192.168.1.100 # AC地址# 配置DHCP服务器接口interface Vlanif20 ip address 10.20.20.254 255.255.255.0 dhcp select globalinterface Vlanif30 ip address 10.30.30.254 255.255.255.0 dhcp select global# 配置DHCP安全dhcp server check ip-address # IP地址检查dhcp server check mac-address # MAC地址检查xxxxxxxxxxsystem-view# 启用DHCP中继dhcp enable# 配置VLAN20中继interface Vlanif20 ip address 10.20.20.2 255.255.255.0 dhcp select relay dhcp relay server-address 10.30.30.254 # DHCP服务器地址 dhcp relay server-select 10.30.30.254 # 主服务器 dhcp relay server-select 10.30.30.253 # 备份服务器# 配置DHCP中继安全dhcp relay security enable # 启用安全功能dhcp relay security static # 静态绑定 dhcp relay security static ip-address 10.20.20.100 mac-address 0011-2233-4455xxxxxxxxxxsystem-view# 配置DHCP中继dhcp enableinterface GigabitEthernet0/0/2 ip address 192.168.12.1 255.255.255.252 dhcp select relay dhcp relay server-address 192.168.13.1 # 指向DHCP服务器# 配置DHCP选项dhcp relay option 60 insert # 插入选项60dhcp relay option 77 replace # 替换选项77xxxxxxxxxxsystem-view# 配置VLAN20的VRRPinterface Vlanif20 ip address 10.20.20.1 255.255.255.0 vrrp vrid 1 virtual-ip 10.20.20.254 # 虚拟IP vrrp vrid 1 priority 120 # 主网关优先级 vrrp vrid 1 
preempt-mode delay 300 # 抢占延迟 vrrp vrid 1 track interface GigabitEthernet0/0/1 reduced 30# 配置VLAN30的VRRPinterface Vlanif30 ip address 10.30.30.1 255.255.255.0 vrrp vrid 2 virtual-ip 10.30.30.254 # 备网关优先级 vrrp vrid 2 priority 100 # 禁用抢占 vrrp vrid 2 preempt-mode disable# 配置VRRP认证interface Vlanif20 vrrp vrid 1 authentication-mode simple cipher huaweixxxxxxxxxxsystem-view# 配置VLAN20的VRRP备份interface Vlanif20 ip address 10.20.20.2 255.255.255.0 vrrp vrid 1 virtual-ip 10.20.20.254 vrrp vrid 1 priority 100 # 备网关 vrrp vrid 1 preempt-mode delay 300# 配置VLAN30的VRRP主interface Vlanif30 ip address 10.30.30.2 255.255.255.0 vrrp vrid 2 virtual-ip 10.30.30.254 vrrp vrid 2 priority 120 # 主网关 vrrp vrid 2 track interface GigabitEthernet0/0/3 reduced 20# 配置VRRP监控vrrp vrid 1 track interface GigabitEthernet0/0/4 reduced 40xxxxxxxxxxsystem-view# 配置NAT地址池nat address-group 1 202.100.10.10 202.100.10.20 # 公网地址池# 配置ACL匹配内网地址acl number 2000 rule 5 permit source 10.0.0.0 0.255.255.255 # 允许所有内网 rule 10 deny source any # 拒绝其他# 配置PAT端口地址转换interface GigabitEthernet0/0/0 nat outbound 2000 address-group 1 # 出方向NAT nat server protocol tcp global 202.100.10.10 80 inside 10.30.30.100 80 # 端口映射# 配置NAT ALGnat alg ftp enable # FTP ALGnat alg sip enable # SIP ALGnat alg h323 enable # H323 ALG# 配置NAT日志nat log enable # 启用NAT日志nat log session all # 记录所有会话xxxxxxxxxxsystem-view# 配置Easy IPacl number 2000 rule 5 permit source 10.40.0.0 0.0.255.255 # 无线网络interface GigabitEthernet0/0/2 nat outbound 2000 # Easy IP模式# 配置NAT服务器nat server protocol tcp global 192.168.100.1 3389 inside 10.30.30.100 3389 # RDP映射nat server protocol udp global 192.168.100.1 53 inside 10.30.30.100 53 # DNS映射# 配置NAT策略路由policy-based-route NAT_POLICY permit node 10 if-match acl 3000 apply nat address-group 1xxxxxxxxxxsystem-view# 启用BFDbfd# 配置BFD会话 # 与AR13的BFDbfd 1 bind peer-ip 10.1.1.2 interface GigabitEthernet0/0/0 discriminator local 1 discriminator remote 2 # 最小发送间隔 min-transmit-interval 200 min-receive-interval 200 # 最小接收间隔 detect-multiplier 3 
# 检测倍数# 配置BFD与OSPF联动ospf 1 # OSPF BFD联动 bfd all-interfaces enable bfd min-transmit-interval 200 bfd min-receive-interval 200 bfd detect-multiplier 3# 配置BFD与BGP联动bgp 100 # BGP BFD联动 peer 2.2.2.2 bfd enable peer 2.2.2.2 bfd min-transmit-interval 300xxxxxxxxxxsystem-viewbfd# 配置多跳BFD # 多跳BFDbfd 2 bind peer-ip 2.2.2.2 discriminator local 2 discriminator remote 1 # 多跳模式 hop multi-hop# 配置BFD与LDP联动mpls ldp # LDP BFD联动 bfd enable bfd min-transmit-interval 100 bfd detect-multiplier 5# 配置BFD快速检测 # 默认BFD会话bfd session bind peer-ip defaultxxxxxxxxxxsystem-view# 启用BFDbfd# 配置BFD会话 - 与AR4bfd 301 bind peer-ip 10.1.3.6 interface GigabitEthernet0/0/2 discriminator local 301 discriminator remote 401 min-transmit-interval 150 min-receive-interval 150 detect-multiplier 3# 配置BFD会话 - 与AR2bfd 302 bind peer-ip 10.1.2.5 interface GigabitEthernet0/0/0 discriminator local 302 discriminator remote 201 min-transmit-interval 200 min-receive-interval 200 detect-multiplier 3# 配置BFD会话 - 与AR10bfd 303 bind peer-ip 10.1.3.2 interface GigabitEthernet0/0/1 discriminator local 303 discriminator remote 1001 min-transmit-interval 100 min-receive-interval 100 detect-multiplier 5# 配置BFD与OSPF联动ospf 1 bfd all-interfaces enable bfd min-transmit-interval 150 bfd min-receive-interval 150 bfd detect-multiplier 3# 配置BFD与ISIS联动isis 1 bfd enable bfd min-transmit-interval 200 bfd detect-multiplier 3xxxxxxxxxxsystem-viewbfd# 配置BFD会话 - 与AR3(反向)bfd 401 bind peer-ip 10.1.3.5 interface GigabitEthernet0/0/0 discriminator local 401 discriminator remote 301 min-transmit-interval 150 min-receive-interval 150 detect-multiplier 3# 配置BFD会话 - 与AR9bfd 402 bind peer-ip 10.1.4.2 interface GigabitEthernet0/0/1 discriminator local 402 discriminator remote 901 min-transmit-interval 120 min-receive-interval 120 detect-multiplier 4# 配置BFD会话 - 与AR8bfd 403 bind peer-ip 10.1.4.6 interface GigabitEthernet0/0/2 discriminator local 403 discriminator remote 801 min-transmit-interval 180 min-receive-interval 180 detect-multiplier 3# 
配置BFD与OSPF联动ospf 1 bfd all-interfaces enable bfd min-transmit-interval 120 bfd min-receive-interval 120 bfd detect-multiplier 4# 配置BFD快速检测bfd fast-detect enablexxxxxxxxxxsystem-viewbfd# 配置BFD会话 - 与AR9bfd 501 bind peer-ip 10.1.5.2 interface GigabitEthernet0/0/0 discriminator local 501 discriminator remote 905 min-transmit-interval 100 min-receive-interval 100 detect-multiplier 5# 配置BFD会话 - 与AR11bfd 502 bind peer-ip 10.1.5.6 interface GigabitEthernet0/0/1 discriminator local 502 discriminator remote 1101 min-transmit-interval 150 min-receive-interval 150 detect-multiplier 3# 配置BFD会话 - 与AR7bfd 503 bind peer-ip 10.1.5.10 interface GigabitEthernet0/0/2 discriminator local 503 discriminator remote 701 min-transmit-interval 200 min-receive-interval 200 detect-multiplier 3# 配置BFD与OSPF联动ospf 1 bfd all-interfaces enable bfd min-transmit-interval 100 bfd min-receive-interval 100 bfd detect-multiplier 5# 配置BFD与BGP联动bgp 100 peer 2.2.2.2 bfd enable peer 2.2.2.2 bfd min-transmit-interval 250xxxxxxxxxxsystem-viewbfd# 配置BFD会话 - 与AR9bfd 601 bind peer-ip 10.2.1.2 interface GigabitEthernet0/0/0 discriminator local 601 discriminator remote 906 min-transmit-interval 80 min-receive-interval 80 detect-multiplier 5# 配置BFD会话 - 与AR11bfd 602 bind peer-ip 10.2.1.6 interface GigabitEthernet0/0/1 discriminator local 602 discriminator remote 1102 min-transmit-interval 100 min-receive-interval 100 detect-multiplier 4# 配置BFD会话 - 与AR8bfd 603 bind peer-ip 10.2.1.10 interface GigabitEthernet0/0/2 discriminator local 603 discriminator remote 802 min-transmit-interval 120 min-receive-interval 120 detect-multiplier 3# 配置BFD与OSPF联动ospf 1 bfd all-interfaces enable bfd min-transmit-interval 80 bfd min-receive-interval 80 bfd detect-multiplier 5# 配置多跳BFDbfd 604 bind peer-ip 7.7.7.7 discriminator local 604 discriminator remote 704 hop multi-hop min-transmit-interval 300 min-receive-interval 300 detect-multiplier 3xxxxxxxxxxsystem-viewbfd# 配置BFD会话 - 与AR5(反向)bfd 701 bind peer-ip 10.1.5.9 interface 
GigabitEthernet0/0/0 discriminator local 701 discriminator remote 503 min-transmit-interval 200 min-receive-interval 200 detect-multiplier 3# 配置BFD会话 - 与AR11bfd 702 bind peer-ip 10.2.2.2 interface GigabitEthernet0/0/1 discriminator local 702 discriminator remote 1103 min-transmit-interval 150 min-receive-interval 150 detect-multiplier 4# 配置BFD会话 - 与AR14bfd 703 bind peer-ip 10.3.1.2 interface GigabitEthernet0/0/2 discriminator local 703 discriminator remote 1401 min-transmit-interval 180 min-receive-interval 180 detect-multiplier 3# 配置BFD与OSPF联动ospf 1 bfd all-interfaces enable bfd min-transmit-interval 150 bfd min-receive-interval 150 bfd detect-multiplier 4# 配置BFD与ISIS联动isis 1 bfd enable bfd min-transmit-interval 200 bfd detect-multiplier 3xxxxxxxxxxsystem-viewbfd# 配置BFD会话 - 与AR6(反向)bfd 801 bind peer-ip 10.2.1.9 interface GigabitEthernet0/0/0 discriminator local 801 discriminator remote 603 min-transmit-interval 120 min-receive-interval 120 detect-multiplier 3# 配置BFD会话 - 与AR4(反向)bfd 802 bind peer-ip 10.1.4.5 interface GigabitEthernet0/0/1 discriminator local 802 discriminator remote 403 min-transmit-interval 180 min-receive-interval 180 detect-multiplier 3# 配置BFD会话 - 与AR14bfd 803 bind peer-ip 10.3.2.2 interface GigabitEthernet0/0/2 discriminator local 803 discriminator remote 1402 min-transmit-interval 150 min-receive-interval 150 detect-multiplier 4# 配置BFD与OSPF联动ospf 1 bfd all-interfaces enable bfd min-transmit-interval 120 bfd min-receive-interval 120 bfd detect-multiplier 4# 配置BFD与LDP联动mpls ldp bfd enable bfd min-transmit-interval 100 bfd detect-multiplier 5xxxxxxxxxxsystem-viewbfd# 配置BFD会话 - 与AR4(反向)bfd 901 bind peer-ip 10.1.4.1 interface GigabitEthernet0/0/0 discriminator local 901 discriminator remote 402 min-transmit-interval 120 min-receive-interval 120 detect-multiplier 4# 配置BFD会话 - 与AR5(反向)bfd 905 bind peer-ip 10.1.5.1 interface GigabitEthernet0/0/1 discriminator local 905 discriminator remote 501 min-transmit-interval 100 min-receive-interval 100 
detect-multiplier 5# 配置BFD会话 - 与AR6(反向)bfd 906 bind peer-ip 10.2.1.1 interface GigabitEthernet0/0/2 discriminator local 906 discriminator remote 601 min-transmit-interval 80 min-receive-interval 80 detect-multiplier 5# 配置BFD与OSPF联动ospf 1 bfd all-interfaces enable bfd min-transmit-interval 80 bfd min-receive-interval 80 bfd detect-multiplier 5# 配置BFD与静态路由联动ip route-static 10.4.0.0 255.255.0.0 10.1.4.6 track bfd-session 901xxxxxxxxxxsystem-viewbfd# 配置BFD会话 - 与AR3(反向)bfd 1001 bind peer-ip 10.1.3.1 interface GigabitEthernet0/0/2 discriminator local 1001 discriminator remote 303 min-transmit-interval 100 min-receive-interval 100 detect-multiplier 5# 配置BFD会话 - 与AR1bfd 1002 bind peer-ip 10.1.1.1 interface GigabitEthernet0/0/0 discriminator local 1002 discriminator remote 101 min-transmit-interval 150 min-receive-interval 150 detect-multiplier 3# 配置BFD会话 - 与AR2bfd 1003 bind peer-ip 10.1.2.1 interface GigabitEthernet0/0/1 discriminator local 1003 discriminator remote 202 min-transmit-interval 120 min-receive-interval 120 detect-multiplier 4# 配置BFD与OSPF联动ospf 1 bfd all-interfaces enable bfd min-transmit-interval 100 bfd min-receive-interval 100 bfd detect-multiplier 5# 配置BFD与BGP联动bgp 200 peer 6.6.6.6 bfd enable peer 6.6.6.6 bfd min-transmit-interval 200xxxxxxxxxxsystem-viewbfd# 配置BFD会话 - 与AR6(反向)bfd 1101 bind peer-ip 10.2.1.5 interface GigabitEthernet0/0/0 discriminator local 1101 discriminator remote 602 min-transmit-interval 150 min-receive-interval 150 detect-multiplier 3# 配置BFD会话 - 与AR5(反向)bfd 1102 bind peer-ip 10.1.5.5 interface GigabitEthernet0/0/1 discriminator local 1102 discriminator remote 502 min-transmit-interval 150 min-receive-interval 150 detect-multiplier 3# 配置BFD会话 - 与AR7(反向)bfd 1103 bind peer-ip 10.2.2.1 interface GigabitEthernet0/0/2 discriminator local 1103 discriminator remote 702 min-transmit-interval 150 min-receive-interval 150 detect-multiplier 4# 配置BFD与OSPF联动ospf 1 bfd all-interfaces enable bfd min-transmit-interval 150 bfd min-receive-interval 150 
bfd detect-multiplier 3# 配置BFD与BGP联动bgp 300 peer 12.12.12.12 bfd enable peer 12.12.12.12 bfd min-transmit-interval 250xxxxxxxxxxsystem-viewbfd# 配置BFD会话 - 与AR1bfd 1201 bind peer-ip 10.1.1.6 interface GigabitEthernet0/0/0 discriminator local 1201 discriminator remote 102 min-transmit-interval 200 min-receive-interval 200 detect-multiplier 3# 配置BFD会话 - 与AR13bfd 1202 bind peer-ip 10.3.3.2 interface GigabitEthernet0/0/1 discriminator local 1202 discriminator remote 1301 min-transmit-interval 150 min-receive-interval 150 detect-multiplier 4# 配置BFD与VRRP联动interface Vlanif20 vrrp vrid 1 bfd enable bfd min-transmit-interval 100 bfd detect-multiplier 3# 配置BFD与静态路由联动ip route-static 192.168.13.0 255.255.255.0 192.168.12.2 track bfd-session 1202xxxxxxxxxxsystem-viewbfd# 配置BFD会话 - 与AR12(反向)bfd 1301 bind peer-ip 10.3.3.1 interface GigabitEthernet0/0/0 discriminator local 1301 discriminator remote 1202 min-transmit-interval 150 min-receive-interval 150 detect-multiplier 4# 配置BFD会话 - 与AR1bfd 1302 bind peer-ip 10.1.1.2 interface GigabitEthernet0/0/2 discriminator local 1302 discriminator remote 103 min-transmit-interval 180 min-receive-interval 180 detect-multiplier 3# 配置BFD与VRRP联动interface Vlanif20 vrrp vrid 1 bfd enable bfd min-transmit-interval 100 bfd detect-multiplier 3# 配置BFD快速检测bfd fast-detect enablexxxxxxxxxxsystem-viewbfd# 配置BFD会话 - 与AR7(反向)bfd 1401 bind peer-ip 10.3.1.1 interface GigabitEthernet0/0/1 discriminator local 1401 discriminator remote 703 min-transmit-interval 180 min-receive-interval 180 detect-multiplier 3# 配置BFD会话 - 与AR8(反向)bfd 1402 bind peer-ip 10.3.2.1 interface GigabitEthernet0/0/0 discriminator local 1402 discriminator remote 803 min-transmit-interval 150 min-receive-interval 150 detect-multiplier 4# 配置BFD会话 - 与AR15bfd 1403 bind peer-ip 10.3.4.2 interface GigabitEthernet0/0/2 discriminator local 1403 discriminator remote 1501 min-transmit-interval 120 min-receive-interval 120 detect-multiplier 4# 配置BFD与OSPF联动ospf 1 bfd all-interfaces enable bfd 
min-transmit-interval 120 bfd min-receive-interval 120 bfd detect-multiplier 4# 配置BFD与MPLS TE联动mpls te bfd enable bfd min-transmit-interval 100 bfd detect-multiplier 5xxxxxxxxxxsystem-viewbfd# 配置BFD会话 - 与AR14(反向)bfd 1501 bind peer-ip 10.3.4.1 interface GigabitEthernet0/0/0 discriminator local 1501 discriminator remote 1403 min-transmit-interval 120 min-receive-interval 120 detect-multiplier 4# 配置BFD会话 - 与AC1bfd 1502 bind peer-ip 192.168.15.2 interface GigabitEthernet0/0/1 discriminator local 1502 discriminator remote 2001 min-transmit-interval 200 min-receive-interval 200 detect-multiplier 3# 配置BFD会话 - 与FW1bfd 1503 bind peer-ip 192.168.100.2 interface GigabitEthernet0/0/2 discriminator local 1503 discriminator remote 3001 min-transmit-interval 150 min-receive-interval 150 detect-multiplier 4# 配置BFD与OSPF联动ospf 1 bfd all-interfaces enable bfd min-transmit-interval 120 bfd min-receive-interval 120 bfd detect-multiplier 4# 配置BFD与静态路由联动ip route-static 0.0.0.0 0.0.0.0 192.168.100.2 track bfd-session 1503xxxxxxxxxxsystem-view# 配置主接口interface GigabitEthernet0/0/2 ip address 192.168.12.1 255.255.255.252 description Link-to-LSW2# 配置子接口interface GigabitEthernet0/0/2.10 dot1q termination vid 10 # VLAN 10 ip address 10.10.12.1 255.255.255.0 description VLAN10-Subinterface arp broadcast enable # 启用ARP广播interface GigabitEthernet0/0/2.20 dot1q termination vid 20 # VLAN 20 ip address 10.20.12.1 255.255.255.0 description VLAN20-Subinterface dhcp select relay # DHCP中继 dhcp relay server-address 10.30.30.254interface GigabitEthernet0/0/2.30 dot1q termination vid 30 # VLAN 30 ip address 10.30.12.1 255.255.255.0 description VLAN30-Subinterface# 配置子接口路由ip route-static 10.10.0.0 255.255.0.0 GigabitEthernet0/0/2.10ip route-static 10.20.0.0 255.255.0.0 GigabitEthernet0/0/2.20ip route-static 10.30.0.0 255.255.0.0 GigabitEthernet0/0/2.30xxxxxxxxxxsystem-view# 配置子接口封装interface GigabitEthernet0/0/1.40 dot1q termination vid 40 ip address 10.40.13.1 255.255.255.0 description VLAN40-Wireless dhcp 
select relay dhcp relay server-address 10.30.30.254interface GigabitEthernet0/0/1.50 dot1q termination vid 50 ip address 10.50.13.1 255.255.255.0 description VLAN50-DMZ# 配置QoS策略qos car 40Mbps cir 40000 cbs 8000 ebs 0 green pass red discardinterface GigabitEthernet0/0/1.40 qos car inbound 40Mbpsxxxxxxxxxxsystem-view# 配置前缀列表ip ip-prefix OSPF_PREFIX index 10 permit 10.1.0.0 16 le 24ip ip-prefix BGP_PREFIX index 10 permit 10.0.0.0 8 le 16ip ip-prefix DENY_PREFIX index 10 deny 0.0.0.0 0 le 32# 配置路由策略route-policy OSPF_TO_BGP permit node 10 if-match ip-prefix OSPF_PREFIX apply local-preference 200 apply community 100:1route-policy BGP_TO_OSPF permit node 10 if-match ip-prefix BGP_PREFIX apply cost 20 apply tag 100# 配置策略路由policy-based-route PBR_POLICY permit node 10 if-match acl 3000 apply output-interface GigabitEthernet0/0/0 apply ip-address next-hop 10.1.1.2# 配置ACLacl number 3000 rule 5 permit ip source 10.20.20.0 0.0.0.255 destination 10.30.30.0 0.0.0.255 rule 10 deny ip# 应用策略路由interface GigabitEthernet0/0/1 ip policy-based-route PBR_POLICY inboundxxxxxxxxxxsystem-view# 配置路由重分发策略route-policy RIP_IMPORT permit node 10 if-match ip-prefix RIP_ALLOWED apply cost 15 apply tag 200# 配置路由过滤ip ip-prefix RIP_ALLOWED index 10 permit 10.2.0.0 16ip ip-prefix RIP_DENIED index 10 deny 10.1.0.0 16# 应用路由策略rip 1 import-route ospf 1 route-policy RIP_IMPORT filter-policy ip-prefix RIP_DENIED importxxxxxxxxxxsystem-view# 配置BGP路由策略route-policy BGP_EXPORT permit node 10 if-match community-filter 100 apply local-preference 150 apply origin igproute-policy BGP_IMPORT permit node 10 if-match as-path-filter 100 apply med 100 apply community no-export# 配置团体属性过滤器ip community-filter 100 permit 100:1ip as-path-filter 100 permit ^100$# 应用BGP策略bgp 100 peer 4.4.4.4 route-policy BGP_EXPORT export peer 4.4.4.4 route-policy BGP_IMPORT importxxxxxxxxxxsystem-view# 启用IPv6转发ipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:1::1 64 # IPv6地址 ipv6 address auto link-local # 
自动链路本地地址interface Loopback0 ipv6 enable ipv6 address 2001:1:1::1 128# 配置IPv6 OSPFv3ospfv3 1 router-id 1.1.1.1 area 0.0.0.0 interface GigabitEthernet0/0/0 ospfv3 1 area 0.0.0.0 interface Loopback0 ospfv3 1 area 0.0.0.0# 配置IPv6 BGPbgp 100 router-id 1.1.1.1 peer 2001:1:2::2 as-number 100 address-family ipv6 unicast peer 2001:1:2::2 enable network 2001:1::/64# 配置IPv6静态路由ipv6 route-static 2001:2::/64 2001:1::2xxxxxxxxxxsystem-viewipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:2::1 64interface GigabitEthernet0/0/1 ipv6 enable ipv6 address 2001:3::1 64# 配置IPv6 RIPngripng 1 network 2001:2::/64 network 2001:3::/64# 配置IPv6 DHCPv6中继dhcpv6 enableinterface GigabitEthernet0/0/0 dhcpv6 relay destination 2001:1:1::1xxxxxxxxxxsystem-view# 启用IPv6转发ipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:1:3::1 64 ipv6 address auto link-localinterface GigabitEthernet0/0/1 ipv6 enable ipv6 address 2001:1:10::1 64 ipv6 address auto link-localinterface GigabitEthernet0/0/2 ipv6 enable ipv6 address 2001:1:4::1 64 ipv6 address auto link-localinterface Loopback0 ipv6 enable ipv6 address 2001:1:3::3 128# 配置IPv6 OSPFv3ospfv3 1 router-id 3.3.3.3 area 0.0.0.0 interface GigabitEthernet0/0/0 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/1 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/2 ospfv3 1 area 0.0.0.0 interface Loopback0 ospfv3 1 area 0.0.0.0# 配置IPv6 IS-ISisis 1 ipv6 enable ipv6 topologies ipv6interface GigabitEthernet0/0/0 isis ipv6 enable 1interface GigabitEthernet0/0/1 isis ipv6 enable 1interface GigabitEthernet0/0/2 isis ipv6 enable 1interface Loopback0 isis ipv6 enable 1xxxxxxxxxxsystem-viewipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:1:4::2 64 ipv6 address auto link-localinterface GigabitEthernet0/0/1 ipv6 enable ipv6 address 2001:1:9::1 64 ipv6 address auto link-localinterface GigabitEthernet0/0/2 ipv6 enable ipv6 address 2001:1:8::1 64 ipv6 address auto link-localinterface Loopback0 ipv6 enable 
ipv6 address 2001:1:4::4 128# 配置IPv6 OSPFv3ospfv3 1 router-id 4.4.4.4 area 0.0.0.0 interface GigabitEthernet0/0/0 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/1 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/2 ospfv3 1 area 0.0.0.0 interface Loopback0 ospfv3 1 area 0.0.0.0# 配置IPv6 RIPngripng 1 network 2001:1:4::/64 network 2001:1:9::/64 network 2001:1:8::/64xxxxxxxxxxsystem-viewipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:1:9::2 64 ipv6 address auto link-localinterface GigabitEthernet0/0/1 ipv6 enable ipv6 address 2001:1:11::1 64 ipv6 address auto link-localinterface GigabitEthernet0/0/2 ipv6 enable ipv6 address 2001:1:7::1 64 ipv6 address auto link-localinterface Loopback0 ipv6 enable ipv6 address 2001:1:5::5 128# 配置IPv6 OSPFv3ospfv3 1 router-id 5.5.5.5 area 0.0.0.0 interface GigabitEthernet0/0/0 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/1 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/2 ospfv3 1 area 0.0.0.0 interface Loopback0 ospfv3 1 area 0.0.0.0# 配置IPv6 BGPbgp 100 router-id 5.5.5.5 peer 2001:1:11::11 as-number 100 address-family ipv6 unicast peer 2001:1:11::11 enable network 2001:1:5::/64 network 2001:1:9::/64xxxxxxxxxxsystem-viewipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:2:1::1 64 ipv6 address auto link-localinterface GigabitEthernet0/0/1 ipv6 enable ipv6 address 2001:2:1::5 64 ipv6 address auto link-localinterface GigabitEthernet0/0/2 ipv6 enable ipv6 address 2001:2:1::9 64 ipv6 address auto link-localinterface Loopback0 ipv6 enable ipv6 address 2001:2:6::6 128# 配置IPv6 OSPFv3ospfv3 1 router-id 6.6.6.6 area 0.0.0.0 interface GigabitEthernet0/0/0 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/1 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/2 ospfv3 1 area 0.0.0.0 interface Loopback0 ospfv3 1 area 0.0.0.0# 配置IPv6隧道interface Tunnel1 ipv6 enable ipv6 address 2001:100::6/64 tunnel-protocol ipv6-ipv4 source 10.2.1.1 destination 10.2.1.10# 配置IPv6静态路由ipv6 route-static 
2001:3::/64 2001:2:1::2xxxxxxxxxxsystem-viewipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:1:7::2 64 ipv6 address auto link-localinterface GigabitEthernet0/0/1 ipv6 enable ipv6 address 2001:2:2::1 64 ipv6 address auto link-localinterface GigabitEthernet0/0/2 ipv6 enable ipv6 address 2001:3:1::1 64 ipv6 address auto link-localinterface Loopback0 ipv6 enable ipv6 address 2001:3:7::7 128# 配置IPv6 OSPFv3ospfv3 1 router-id 7.7.7.7 area 0.0.0.0 interface GigabitEthernet0/0/0 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/1 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/2 ospfv3 1 area 0.0.0.0 interface Loopback0 ospfv3 1 area 0.0.0.0# 配置IPv6 IS-ISisis 1 ipv6 enable ipv6 topologies ipv6interface GigabitEthernet0/0/2 isis ipv6 enable 1xxxxxxxxxxsystem-viewipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:2:1::10 64 ipv6 address auto link-localinterface GigabitEthernet0/0/1 ipv6 enable ipv6 address 2001:1:8::2 64 ipv6 address auto link-localinterface GigabitEthernet0/0/2 ipv6 enable ipv6 address 2001:3:2::1 64 ipv6 address auto link-localinterface Loopback0 ipv6 enable ipv6 address 2001:3:8::8 128# 配置IPv6 OSPFv3ospfv3 1 router-id 8.8.8.8 area 0.0.0.0 interface GigabitEthernet0/0/0 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/1 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/2 ospfv3 1 area 0.0.0.0 interface Loopback0 ospfv3 1 area 0.0.0.0# 配置IPv6隧道(反向)interface Tunnel1 ipv6 enable ipv6 address 2001:100::8/64 tunnel-protocol ipv6-ipv4 source 10.2.1.10 destination 10.2.1.1xxxxxxxxxxsystem-viewipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:1:9::3 64 ipv6 address auto link-localinterface GigabitEthernet0/0/1 ipv6 enable ipv6 address 2001:1:9::4 64 ipv6 address auto link-localinterface GigabitEthernet0/0/2 ipv6 enable ipv6 address 2001:2:1::2 64 ipv6 address auto link-localinterface Loopback0 ipv6 enable ipv6 address 2001:3:9::9 128# 配置IPv6 OSPFv3ospfv3 1 router-id 9.9.9.9 area 
0.0.0.0 interface GigabitEthernet0/0/0 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/1 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/2 ospfv3 1 area 0.0.0.0 interface Loopback0 ospfv3 1 area 0.0.0.0# 配置IPv6 RIPngripng 1 network 2001:1:9::/64 network 2001:2:1::/64xxxxxxxxxxsystem-viewipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:1:10::2 64 ipv6 address auto link-localinterface GigabitEthernet0/0/1 ipv6 enable ipv6 address 2001:1:2::2 64 ipv6 address auto link-localinterface GigabitEthernet0/0/2 ipv6 enable ipv6 address 2001:1:10::3 64 ipv6 address auto link-localinterface Loopback0 ipv6 enable ipv6 address 2001:1:10::10 128# 配置IPv6 OSPFv3ospfv3 1 router-id 10.10.10.10 area 0.0.0.0 interface GigabitEthernet0/0/0 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/1 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/2 ospfv3 1 area 0.0.0.0 interface Loopback0 ospfv3 1 area 0.0.0.0# 配置IPv6 BGPbgp 200 router-id 10.10.10.10 peer 2001:1:10::1 as-number 100 address-family ipv6 unicast peer 2001:1:10::1 enable network 2001:1:10::/64xxxxxxxxxxsystem-viewipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:2:1::6 64 ipv6 address auto link-localinterface GigabitEthernet0/0/1 ipv6 enable ipv6 address 2001:1:11::2 64 ipv6 address auto link-localinterface GigabitEthernet0/0/2 ipv6 enable ipv6 address 2001:2:2::2 64 ipv6 address auto link-localinterface Loopback0 ipv6 enable ipv6 address 2001:3:11::11 128# 配置IPv6 OSPFv3ospfv3 1 router-id 11.11.11.11 area 0.0.0.0 interface GigabitEthernet0/0/0 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/1 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/2 ospfv3 1 area 0.0.0.0 interface Loopback0 ospfv3 1 area 0.0.0.0# 配置IPv6 BGPbgp 300 router-id 11.11.11.11 peer 2001:1:11::1 as-number 100 address-family ipv6 unicast peer 2001:1:11::1 enable network 2001:3:11::/64xxxxxxxxxxsystem-viewipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:1:12::1 64 ipv6 address 
auto link-localinterface GigabitEthernet0/0/1 ipv6 enable ipv6 address 2001:3:3::1 64 ipv6 address auto link-localinterface Loopback0 ipv6 enable ipv6 address 2001:3:12::12 128# 配置IPv6 DHCPv6中继dhcpv6 enableinterface GigabitEthernet0/0/0 dhcpv6 relay destination 2001:1:1::1# 配置IPv6静态路由ipv6 route-static 2001:1::/64 2001:1:12::2ipv6 route-static 2001:3::/64 2001:3:3::2# 配置IPv6隧道interface Tunnel1 ipv6 enable ipv6 address 2001:100::12/64 tunnel-protocol ipv6-ipv4 source 10.1.1.6 destination 10.1.1.1xxxxxxxxxxsystem-viewipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:3:3::2 64 ipv6 address auto link-localinterface GigabitEthernet0/0/2 ipv6 enable ipv6 address 2001:1:13::1 64 ipv6 address auto link-localinterface Loopback0 ipv6 enable ipv6 address 2001:3:13::13 128# 配置IPv6 DHCPv6服务器dhcpv6 enableip pool pool1 address 2001:1:13::/64 gateway-address 2001:1:13::1 dns-server 2001:4860:4860::8888interface GigabitEthernet0/0/2 dhcpv6 server pool1# 配置IPv6静态路由ipv6 route-static 2001:1::/64 2001:1:13::2ipv6 route-static 2001:3::/64 2001:3:3::1xxxxxxxxxxsystem-viewipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:3:2::2 64 ipv6 address auto link-localinterface GigabitEthernet0/0/1 ipv6 enable ipv6 address 2001:3:1::2 64 ipv6 address auto link-localinterface GigabitEthernet0/0/2 ipv6 enable ipv6 address 2001:3:4::1 64 ipv6 address auto link-localinterface Loopback0 ipv6 enable ipv6 address 2001:3:14::14 128# 配置IPv6 OSPFv3ospfv3 1 router-id 14.14.14.14 area 0.0.0.0 interface GigabitEthernet0/0/0 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/1 ospfv3 1 area 0.0.0.0 interface GigabitEthernet0/0/2 ospfv3 1 area 0.0.0.0 interface Loopback0 ospfv3 1 area 0.0.0.0# 配置IPv6 IS-ISisis 1 ipv6 enable ipv6 topologies ipv6interface GigabitEthernet0/0/0 isis ipv6 enable 1interface GigabitEthernet0/0/1 isis ipv6 enable 1xxxxxxxxxxsystem-viewipv6# 配置IPv6地址interface GigabitEthernet0/0/0 ipv6 enable ipv6 address 2001:3:4::2 64 ipv6 address auto 
link-local
interface GigabitEthernet0/0/1
 ipv6 enable
 ipv6 address 2001:4:15::1 64
 ipv6 address auto link-local
interface GigabitEthernet0/0/2
 ipv6 enable
 ipv6 address 2001:4:100::1 64
 ipv6 address auto link-local
interface Loopback0
 ipv6 enable
 ipv6 address 2001:4:15::15 128
# Configure IPv6 OSPFv3
ospfv3 1
 router-id 15.15.15.15
 area 0.0.0.0
interface GigabitEthernet0/0/0
 ospfv3 1 area 0.0.0.0
interface GigabitEthernet0/0/1
 ospfv3 1 area 0.0.0.0
interface GigabitEthernet0/0/2
 ospfv3 1 area 0.0.0.0
interface Loopback0
 ospfv3 1 area 0.0.0.0
# Configure IPv6 NAT64
nat64 enable
nat64 prefix 2001:db8::/96
# Configure the IPv6 static route
ipv6 route-static ::/0 2001:4:100::2

system-view
# Enable the DNS service
dns server enable
# Configure the DNS forward lookup zone
zone example.com
 type master
 file example.com.zone
 allow-update { 10.20.20.0/24; }
# Configure the DNS reverse lookup zone
zone 20.168.192.in-addr.arpa
 type master
 file 192.168.20.zone
# Configure DNS forwarding
dns forwarder 8.8.8.8
dns forwarder 114.114.114.114
# Configure DNS records
dns record www A 10.30.30.100
dns record mail A 10.30.30.101
dns record ftp A 10.30.30.102
dns record @ NS ns1.example.com
dns record ns1 A 10.30.30.254

system-view
# Configure DNS relay
dns resolve
dns server 10.30.30.254 # Primary DNS server
dns server 8.8.8.8 # Backup DNS server
# Configure the DNS cache
dns cache enable
dns cache max-size 1000 # Maximum number of cache entries
# Configure DNS round-robin
dns round-robin enable

system-view
# Configure the DNS client
dns resolve
dns server 10.30.30.254
dns domain example.com
# Configure static DNS entries
dns host www.example.com 10.30.30.100
dns host mail.example.com 10.30.30.101

system-view
# Configure the IKE proposal
ike proposal 1
 encryption-algorithm aes-256 # Encryption algorithm
 authentication-algorithm sha2-256 # Authentication algorithm
 dh group14 # DH group
 authentication-method pre-share # Pre-shared key
# Configure the IKE peer
ike peer AR6
 pre-shared-key cipher Huawei@123
 remote-address 10.2.1.1
 ike-proposal 1
# Configure the IPSec proposal
ipsec proposal 1
 esp encryption-algorithm aes-256
 esp authentication-algorithm sha2-256
 transform esp # ESP mode
# Configure the IPSec policy set
ipsec policy IPSEC_POLICY 1 isakmp
 security acl 3000
 ike-peer AR6
 proposal 1
# Configure the ACL that matches VPN traffic
acl number 3000
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.2.0.0 0.0.255.255
# Apply the IPSec policy
interface GigabitEthernet0/0/0
 ipsec policy IPSEC_POLICY
# Configure IPSec monitoring
ipsec policy IPSEC_POLICY
 ike keepalive 10 3 # IKE keepalive

system-view
# Configure the IKE proposal
ike proposal 1
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
 dh group14
 authentication-method pre-share
# Configure the IKE peer
ike peer AR1
 pre-shared-key cipher Huawei@123
 remote-address 10.1.1.1
 ike-proposal 1
# Configure the IPSec policy
ipsec proposal 1
 esp encryption-algorithm aes-256
 esp authentication-algorithm sha2-256
 transform esp
ipsec policy IPSEC_POLICY 1 isakmp
 security acl 3000
 ike-peer AR1
 proposal 1
acl number 3000
 rule 5 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
interface GigabitEthernet0/0/0
 ipsec policy IPSEC_POLICY

system-view
# Configure the GRE tunnel
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 tunnel-protocol gre
 source 10.2.2.1
 destination 10.3.1.1
# Configure GRE over IPSec
acl number 3100
 rule 5 permit gre source 10.2.2.1 0 destination 10.3.1.1 0
ipsec policy GRE_IPSEC 1 isakmp
 security acl 3100
 ike-peer AR7
 proposal 1
interface Tunnel0
 ipsec policy GRE_IPSEC
# Configure routing over the tunnel
ospf 1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.3

system-view
# Configure SSL VPN
sslvpn enable
sslvpn policy SSL_POLICY
 gateway domain sslvpn.example.com
 certificate sslvpn-cert
# Configure the SSL VPN user
aaa
 local-user ssluser password cipher Huawei@123
 local-user ssluser service-type sslvpn
# Configure the SSL VPN resource pool
sslvpn resource-pool SSL_POOL
 ip-pool 10.40.50.0 255.255.255.0
 dns-server 8.8.8.8
 wins-server 10.30.30.254

system-view
# Configure OSPF route summarization
ospf 1
 area 0.0.0.0
  abr-summary 10.1.0.0 255.255.0.0 # ABR route summarization
  nssa summary 10.2.0.0 255.255.0.0 # NSSA summarization
# Configure BGP route aggregation
bgp 100
 aggregate 10.0.0.0 255.0.0.0 as-set # Aggregate route
 aggregate 172.16.0.0 255.240.0.0 summary-only # Advertise only the summary route
# Configure static summary routes
ip route-static 10.0.0.0 255.0.0.0 NULL0 # Blackhole route
ip route-static 172.16.0.0 255.240.0.0 NULL0

system-view
# Configure RIP route summarization
rip 1
 summary 10.1.0.0 255.255.0.0 # RIP v2 route summarization
# Configure ISIS route summarization
isis 1
 summary 10.2.0.0 255.255.0.0 level-1 # Level-1 summarization
 summary 10.3.0.0 255.255.0.0 level-2 # Level-2 summarization
# Configure supernet routes
ip ip-prefix SUPERNET index 10 permit 10.0.0.0 8 le 16
route-policy SUPERNET_POLICY permit node 10
 if-match ip-prefix SUPERNET
 apply cost 10

system-view
# Configure CIDR routes
ip route-static 10.0.0.0 255.224.0.0 10.1.3.6 # /11 supernet
ip route-static 172.16.0.0 255.240.0.0 10.1.3.6 # /12 supernet
# Configure route filtering
ip ip-prefix CIDR_FILTER index 10 permit 10.0.0.0 8 ge 12 le 16
filter-policy ip-prefix CIDR_FILTER export

system-view
# Configure LACP link aggregation
interface Eth-Trunk1
 mode lacp-static # LACP static mode
 load-balance src-dst-ip # Load balancing by source and destination IP
 max bandwidth 2000Mbps # Maximum bandwidth
 description Link-to-LSW2
# Add member ports
interface GigabitEthernet0/0/1
 eth-trunk 1
 lacp priority 1000 # LACP priority
interface GigabitEthernet0/0/2
 eth-trunk 1
 lacp priority 1000
# Configure the LACP system priority
lacp priority 1000

system-view
# Configure manual load balancing
interface Eth-Trunk1
 mode manual load-balance # Manual load-balancing mode
 load-balance src-dst-mac # Load balancing by MAC address
# Configure member ports
interface GigabitEthernet0/0/1
 eth-trunk 1
interface GigabitEthernet0/0/2
 eth-trunk 1
# Configure link aggregation monitoring
interface Eth-Trunk1
 # LACP timeout
 lacp timeout short

system-view
# Configure static link aggregation
interface Eth-Trunk2
 # Static mode
 mode static
 description Link-to-PCs
# Configure the port aggregation group
interface range GigabitEthernet0/0/1 to GigabitEthernet0/0/2
 # Port group
 port-group 1
 port link-type access
 port default vlan 20

system-view
# Configure basic AC parameters
wlan
 # AC mode
 ac-mode ac
 ac-name AC1
 ac-id 1
# Configure the AP group
ap-group name default
 # AP1 MAC
 ap-mac 0011-2233-4455
 # AP2 MAC
 ap-mac 0011-2233-4466
# Configure the WLAN service set
wlan service-set name SSID_OFFICE
 ssid Huawei-Office
 # WPA2-PSK security
 security-profile wpa2-psk
 pass-phrase Huawei@123
 # Bind VLAN 40
 vlan 40
# Configure the AP profile
ap-profile name AP_PROFILE
 radio-profile name RADIO_PROFILE
 # Channel 6
 channel 6
 # Power 20 dBm
 power 20
 # Beacon interval
 beacon-interval 100
# Apply the configuration
ap-group default
 ap-profile AP_PROFILE
 service-set SSID_OFFICE

# AP1 obtains its configuration from the AC automatically
# Once configuration is complete, the AP registers with the AC automatically
# No manual AP configuration is needed

# AP2 obtains its configuration from the AC automatically
# Configure the 5 GHz band
wlan ap-group default
 radio 5GHz profile RADIO_5G
 channel 36
 power 15

system-view
# Configure routing for the wireless network
interface GigabitEthernet0/0/1.40
 dot1q termination vid 40
 ip address 10.40.40.1 255.255.255.0
 description Wireless-Network
# Configure wireless user authentication
aaa
 local-user wireless password cipher Huawei@123
 local-user wireless service-type wlan
# Configure wireless QoS
qos wlan 10
 cir 1000 # Rate limit 1 Mbps
 cbs 2000

system-view
# Configure security zones
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
firewall zone dmz
 set priority 50
 add interface GigabitEthernet0/0/2
# Configure security policies
security-policy
 rule name Trust_to_Untrust
  source-zone trust
  destination-zone untrust
  action permit
  profile ips # Enable IPS
 rule name DMZ_to_Untrust
  source-zone dmz
  destination-zone untrust
  action permit
  profile av # Enable antivirus
 rule name Deny_All
  action deny
# Configure the NAT policy
nat-policy
 rule name Trust_NAT
  source-zone trust
  destination-zone untrust
  action source-nat address-group 202.100.10.10-202.100.10.20
# Configure the IPS policy
ips
 signature-set update # Update the signature database
 policy IPS_Policy
  signature-set high # High-risk signatures
  action block # Block action

system-view
# Configure the access control list
acl number 3000
 rule 5 permit tcp source 10.40.40.0 0.0.0.255 destination 10.30.30.100 0 destination-port eq 80
 rule 10 permit tcp source 10.40.40.0 0.0.0.255 destination 10.30.30.101 0 destination-port eq 443
 rule 15 deny ip source 10.40.40.0 0.0.0.255 destination 10.30.30.0 0.0.0.255
 rule 20 permit ip
# Configure port security
interface GigabitEthernet0/0/1
 port-security enable
 port-security max-mac-num 100
 port-security mac-address sticky
# Configure ARP protection
arp anti-attack gateway-duplicate enable
arp anti-attack check user-bind enable
arp anti-attack check src-mac enable

system-view
# Enable the SNMP agent
snmp-agent
# Configure SNMP community names
snmp-agent community read public # Read-only community name
snmp-agent community write private # Read-write community name
# Configure the SNMP version
snmp-agent sys-info version all # Support all versions
# Configure SNMP traps
snmp-agent target-host trap-hostname NMS address 10.30.30.200 # NMS address
 params securityname public v2c # v2c security parameters
 trap-enable standard # Enable standard traps
 trap-enable authentication # Enable authentication traps
# Configure the SNMP view
snmp-agent mib-view included iso # Include all MIBs
snmp-agent community read public mib-view iso

system-view
snmp-agent
snmp-agent community read public
snmp-agent community write private
# Configure the SNMP user
snmp-agent usm-user v3 huawei authentication-mode sha Huawei@123 privacy-mode aes128 Huawei@123
# Configure the SNMP group
snmp-agent group v3 huawei privacy read-view iso write-view iso
# Configure traps
snmp-agent target-host trap-hostname Switch-NMS address 10.30.30.200 params securityname huawei v3 privacy
 trap-enable linkdown # Link-down trap
 trap-enable linkup # Link-up trap

# Configure the network monitoring system
# (This is Linux server configuration, not Huawei device commands)
# Install the SNMP tools
yum install net-snmp net-snmp-utils
# Configure SNMP monitoring
snmpwalk -v2c -c public 10.10.10.1
snmpget -v2c -c public 10.10.10.1 1.3.6.1.2.1.1.1.0
# Configure trap reception
snmptrapd -c /etc/snmp/snmptrapd.conf -Lf /var/log/snmptrapd.log

# Ping tests
# Test VLAN 20 connectivity
ping 10.20.20.1
# Test server connectivity
ping 10.30.30.100
# Test external network connectivity
ping 8.8.8.8
# Traceroute tests
# Trace the route
tracert 10.30.30.100
# Trace the route to the external network
tracert 8.8.8.8

# View the routing table
# IPv4 routing table
display ip routing-table
# IPv6 routing table
display ipv6 routing-table
# View specific routes
# Routes for a specific network segment
display ip routing-table 10.20.20.0
# OSPF routes
display ip routing-table protocol ospf
# BGP routes
display ip routing-table protocol bgp

# OSPF status
# OSPF neighbor status
display ospf peer
# OSPF link-state database
display ospf lsdb
# BGP status
# BGP neighbor status
display bgp peer
# BGP routing table
display bgp routing-table
# MPLS status
# MPLS LSP status
display mpls lsp
# MPLS TE tunnel status
display mpls te tunnel

# Interface status
# Brief interface status
display interface brief
# Detailed interface information
display interface GigabitEthernet0/0/0
# VLAN status
# VLAN information
display vlan
# Port VLAN information
display port vlan

display vrrp # VRRP status
display vrrp brief # Brief VRRP status

display nat session # NAT sessions
display nat address-group # NAT address pool

display ike peer # IKE peer status
display ipsec policy # IPSec policy status
display ipsec sa # IPSec security association status

# Check routing
# Detailed routing information
display ip routing-table verbose
display fib
# Check ARP
# ARP table
display arp
display arp all # All ARP entries
# Check ICMP
# Send ten 1000-byte ping packets
ping -c 10 -s 1000 10.20.20.1

# Check MAC addresses
# MAC address table
display mac-address
# Dynamic MAC addresses
display mac-address dynamic
# Check port status
# Detailed port information
display interface GigabitEthernet0/0/0
# Port statistics
display interface statistics

# Check DNS
# DNS resolution test
nslookup www.example.com
# DNS server configuration
display dns server
# Check DHCP
# DHCP address pool
display ip pool
# DHCP server status
display dhcp server

# Check ACLs
# All ACLs
display acl all
# A specific ACL
display acl 3000
# Check the firewall
# Firewall session table
display firewall session table
# Security policies
display security-policy

display cpu-usage # CPU usage
display memory # Memory usage
display device

display interface GigabitEthernet0/0/0 # Interface traffic
display statistics interface # Interface statistics

display ospf interface # OSPF interface performance
display bgp routing-table statistics # BGP route statistics
display mpls lsp statistics # MPLS LSP statistics

# Save the current configuration
# Exit system view
quit
save # Save the configuration to the startup file
display current-configuration # Show the current configuration
# Back up to the TFTP server
tftp 10.30.30.200 put config.cfg backup.cfg

# Restore the configuration
tftp 10.30.30.200 get backup.cfg config.cfg
reboot # Restart the device

# Check the system time
# System time
display clock
# Set the time
clock datetime 20:30:00 2025-03-22
# Check logs
# Log buffer
display logbuffer
# Trap buffer
display trapbuffer

# Clear the ARP table
# Empty the ARP table
undo arp all
# Clear the MAC address table
# Empty the MAC address table
undo mac-address all
# Reset an interface
# Reset the interface counters
reset interface GigabitEthernet0/0/0

# Check device status
# Device status
display device
# Environment status
display environment
# Check link status
# Link aggregation status
display link
# STP status
display stp brief

# Restore factory settings
# Clear the saved configuration
reset saved-configuration
# Restart the device
reboot
# Emergency interface shutdown
# Shut down the interface
shutdown interface GigabitEthernet0/0/0

This document provides complete eNSP network lab configurations, covering all the main technologies a network engineer needs to master:
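Routing protocols: OSPF, RIP, ISIS, BGP
MPLS: MPLS LDP, MPLS TE, MPLS VPN
Switching: VLAN, STP, link aggregation, port security
Network services: DHCP, DNS, NAT, VRRP
Security: ACL, IPSec, firewall, port security
IPv6: IPv6 routing, IPv6 tunnels, IPv6 NAT
Wireless: AC+AP configuration, WLAN security
Network management: SNMP, logging, monitoring
QoS: traffic control, priority settings
High availability: VRRP, BFD, link backup
All configurations include detailed comments to make them easier to understand and study. Working through these lab configurations gives a thorough grounding in deploying and managing enterprise networks.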
# Router basic configuration template
system-view
sysname RouterX # Set the hostname
# Configure the loopback interface
interface Loopback0
 ip address X.X.X.X 255.255.255.255
 description Loopback-Interface
# Configure NTP
ntp-service unicast-server 10.30.30.254 # NTP server
clock timezone Beijing add 08:00:00 # Time zone setting
# Configure name resolution
dns resolve
dns server 10.30.30.254
dns server 8.8.8.8
# Enable the SSH service
stelnet server enable
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh

# Physical interface configuration template
interface GigabitEthernet0/0/X
 description Link-to-Device
 ip address X.X.X.X 255.255.255.252
 ospf cost X
 ospf authentication-mode md5 1 cipher Huawei@123
 mpls
 mpls ldp
# Sub-interface configuration template
interface GigabitEthernet0/0/X.Y
 dot1q termination vid Y
 ip address X.X.X.X 255.255.255.0
 arp broadcast enable

# Switch basic configuration template
system-view
sysname SwitchX
# Create VLANs
vlan batch 10 20 30 40 50
# Configure the management VLAN interface
interface Vlanif10
 ip address 10.10.10.X 255.255.255.0
 description Management-VLAN
# Configure the default gateway
ip route-static 0.0.0.0 0.0.0.0 10.10.10.254
# Enable the Telnet service
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher Huawei@123
 user privilege level 3

# Trunk port configuration template
interface GigabitEthernet0/0/X
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40 50
 description Trunk-Port
# Access port configuration template
interface GigabitEthernet0/0/X
 port link-type access
 port default vlan 20
 description Access-Port-VLAN20
 port-security enable
 port-security max-mac-num 2
# Eth-Trunk configuration template
interface Eth-TrunkX
 mode lacp-static
 load-balance src-dst-mac
 description Link-Aggregation

# OSPF basic configuration template
ospf 1 router-id X.X.X.X
 area 0.0.0.0
  network X.X.X.X 0.0.0.3
  network X.X.X.X 0.0.0.0
  authentication-mode md5 1 cipher Huawei@123
# OSPF interface configuration
interface GigabitEthernet0/0/X
 ospf enable 1
 ospf cost X
 ospf network-type broadcast
 ospf authentication-mode md5 1 cipher Huawei@123

# BGP basic configuration template
bgp XXX
 router-id X.X.X.X
 peer X.X.X.X as-number XXX
 peer X.X.X.X connect-interface Loopback0
 peer X.X.X.X description Peer-Description
 peer X.X.X.X password cipher Huawei@123
# BGP route policy
route-policy BGP_POLICY permit node 10
 if-match ip-prefix BGP_PREFIX
 apply local-preference 200
 apply community 100:1
peer X.X.X.X route-policy BGP_POLICY export

# RIP configuration template
rip 1
 version 2
 network X.X.X.X
 network X.X.X.X
 undo summary

# ISIS configuration template
isis 1
 is-level level-1-2
 network-entity 49.XXXX.XXXX.XXXX.XXXX.00
interface GigabitEthernet0/0/X
 isis enable 1
 isis circuit-type level-2
 isis cost X

# Basic ACL configuration template
acl number XXXX
 rule X permit ip source X.X.X.X X destination X.X.X.X X
 rule X deny ip source any destination any
# Advanced ACL configuration template
acl number XXXX
 rule X permit tcp source X.X.X.X X destination X.X.X.X X destination-port eq 80
 rule X permit udp source X.X.X.X X destination X.X.X.X X destination-port eq 53
 rule X deny ip source any destination any

# NAT address pool configuration
nat address-group 1 X.X.X.X X.X.X.X
# PAT configuration
interface GigabitEthernet0/0/X
 nat outbound XXXX address-group 1
# NAT server configuration
nat server protocol tcp global X.X.X.X 80 inside X.X.X.X 80

# IKE configuration template
ike proposal 1
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
 dh group14
 authentication-method pre-share
ike peer PEER_NAME
 pre-shared-key cipher Huawei@123
 remote-address X.X.X.X
 ike-proposal 1
# IPSec configuration template
ipsec proposal 1
 esp encryption-algorithm aes-256
 esp authentication-algorithm sha2-256
 transform esp
ipsec policy IPSEC_POLICY 1 isakmp
 security acl XXXX
 ike-peer PEER_NAME
 proposal 1

# AC basic configuration
wlan
 ac-mode ac
 ac-name ACX
 ac-id X
# AP group configuration
ap-group name default
 ap-mac XXXX-XXXX-XXXX
# WLAN service set configuration
wlan service-set name SSID_NAME
 ssid SSID-NAME
 security-profile wpa2-psk
 pass-phrase Huawei@123
 vlan XX
# AP profile
ap-profile name AP_PROFILE
 radio-profile name RADIO_PROFILE
 channel X
 power X
 beacon-interval X

# CAR configuration template
qos car CAR_NAME cir XXXX cbs XXXX ebs 0 green pass red discard
# Apply CAR to an interface
interface GigabitEthernet0/0/X
 qos car inbound CAR_NAME
 qos car outbound CAR_NAME

# Traffic classifier
traffic classifier CLASSIFIER_NAME
 if-match acl XXXX
# Traffic behavior
traffic behavior BEHAVIOR_NAME
 queue af bandwidth percent XX
 remark dscp XX
# Traffic policy
traffic policy POLICY_NAME
 classifier CLASSIFIER_NAME behavior BEHAVIOR_NAME
# Apply the traffic policy
interface GigabitEthernet0/0/X
 traffic-policy POLICY_NAME inbound

# SNMP basic configuration
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
# SNMP trap configuration
snmp-agent target-host trap-hostname NMS address X.X.X.X params securityname public v2c
 trap-enable standard
 trap-enable authentication

# Logging configuration
info-center source default channel 0 log level informational
info-center loghost X.X.X.X
info-center timestamp log boot
# System log configuration
info-center console channel 0
info-center monitor channel 0

# VRRP master configuration
interface VlanifXX
 ip address X.X.X.X 255.255.255.0
 vrrp vrid X virtual-ip X.X.X.X
 vrrp vrid X priority 120
 vrrp vrid X preempt-mode delay 300
 vrrp vrid X track interface GigabitEthernet0/0/X reduced XX
# VRRP backup configuration
interface VlanifXX
 ip address X.X.X.X 255.255.255.0
 vrrp vrid X virtual-ip X.X.X.X
 vrrp vrid X priority 100
 vrrp vrid X preempt-mode delay 300

# BFD session configuration
bfd
bfd X bind peer-ip X.X.X.X interface GigabitEthernet0/0/X
 discriminator local X
 discriminator remote X
 min-transmit-interval XXX
 min-receive-interval XXX
 detect-multiplier X
# BFD association with protocols
ospf 1
 bfd all-interfaces enable
 bfd min-transmit-interval XXX
 bfd min-receive-interval XXX
 bfd detect-multiplier X

# MPLS basic configuration
mpls lsr-id X.X.X.X
mpls
mpls ldp
# MPLS interface configuration
interface GigabitEthernet0/0/X
 mpls
 mpls ldp

# VPN instance configuration
ip vpn-instance VPN_NAME
 route-distinguisher XXXX:XX
 vpn-target XXXX:XX export-extcommunity
 vpn-target XXXX:XX import-extcommunity
# VPN interface configuration
interface GigabitEthernet0/0/X.X
 dot1q termination vid X
 ip binding vpn-instance VPN_NAME
 ip address X.X.X.X 255.255.255.0

# IPv6 basic configuration
ipv6
# IPv6 address configuration
interface GigabitEthernet0/0/X
 ipv6 enable
 ipv6 address XXXX::X 64
 ipv6 address auto link-local

# OSPFv3 configuration
ospfv3 1
 router-id X.X.X.X
 area 0.0.0.0
interface GigabitEthernet0/0/X
 ospfv3 1 area 0.0.0.0
interface Loopback0
 ospfv3 1 area 0.0.0.0

# Ping tests
# Send five 1000-byte ping packets
ping -c 5 -s 1000 X.X.X.X
# Verbose ping test
ping -v X.X.X.X
# Traceroute tests
# Trace the route
tracert X.X.X.X
# Verbose route trace
tracert -v X.X.X.X

# OSPF verification
display ospf peer
display ospf lsdb
display ospf routing
# BGP verification
display bgp peer
display bgp routing-table
display bgp routing-table statistics
# MPLS verification
display mpls lsp
display mpls te tunnel
display mpls ldp peer

# Routing checks
display ip routing-table
display fib
display arp all
# Interface checks
display interface brief
display interface GigabitEthernet0/0/X
display interface statistics

# MAC address checks
display mac-address
display mac-address dynamic
# VLAN checks
display vlan
display port vlan

# DHCP checks
display ip pool
display dhcp server
# DNS checks
display dns server
nslookup www.example.com

# CPU and memory monitoring
display cpu-usage
display memory
display device
# Log monitoring
display logbuffer
display trapbuffer

# Interface traffic monitoring
display interface GigabitEthernet0/0/X
display statistics interface
# Protocol traffic monitoring
display ospf interface
display bgp routing-table statistics

# Save the configuration
# Exit system view
quit
save
# Back up to the TFTP server
tftp X.X.X.X put config.cfg backup.cfg
# Compare configurations
compare configuration
display current-configuration
# Exit system view
quit
display saved-configuration

# Restore the configuration
tftp X.X.X.X get backup.cfg config.cfg
reboot
# Reset the configuration
# Exit system view
quit
reset saved-configuration
reboot

# Quick configuration script for core router AR1
system-view
sysname AR1
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
interface GigabitEthernet0/0/0
 ip address 10.1.1.1 255.255.255.252
interface GigabitEthernet0/0/1
 ip address 10.1.1.5 255.255.255.252
interface GigabitEthernet0/0/2
 ip address 10.1.1.9 255.255.255.252
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.3
  network 10.1.1.4 0.0.0.3
  network 10.1.1.8 0.0.0.3
  network 1.1.1.1 0.0.0.0
bgp 100
 router-id 1.1.1.1
 peer 2.2.2.2 as-number 100
# Exit system view
quit
save

# Quick configuration script for access switch LSW3
system-view
sysname LSW3
vlan batch 20 30
interface Vlanif20
 ip address 10.20.30.1 255.255.255.0
interface Vlanif30
 ip address 10.30.30.1 255.255.255.0
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 20
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 30
# Exit system view
quit
save

# Quick configuration script for firewall FW1
system-view
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
security-policy
 rule name Trust_to_Untrust
  source-zone trust
  destination-zone untrust
  action permit
nat-policy
 rule name Trust_NAT
  source-zone trust
  destination-zone untrust
  action source-nat address-group 202.100.10.10-202.100.10.20
# Exit system view
quit
save

Hostname configuration
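Loopback interface configuration
Physical interface IP address configuration
Routing protocol configuration (OSPF/BGP/RIP/ISIS)
MPLS configuration (if needed)
Security configuration (ACL/NAT/IPSec)
Monitoring configuration (SNMP/logging)
High availability configuration (VRRP/BFD)
Save the configuration

Hostname configuration
VLAN configuration
Port mode configuration (Access/Trunk)
STP configuration
Link aggregation configuration (if needed)
Port security configuration
VRRP configuration (if needed)
DHCP relay configuration (if needed)
Save the configuration

AC basic configuration
AP group configuration
WLAN service set configuration
Security configuration (WPA2-PSK)
VLAN binding configuration
AP profile
Save the configuration

Security zone configuration
Security policy configuration
NAT policy configuration
IPS/AV configuration (if needed)
Save the configuration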
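
The templates above repeat the same lab defaults: SNMP communities public/private with version all, a Telnet VTY using line-password authentication, and one secret shared by IKE, OSPF, BGP and the VTY. The following is an added example, not part of the original lab document: a small Python audit that flags those settings in a constructed config excerpt before a template is reused outside eNSP. The rule names and the audit function are hypothetical, and the reuse check assumes secrets appear as typed in a script rather than as saved ciphertext.

```python
import re
from collections import defaultdict

# Constructed excerpt assembled from the lab templates on this page.
SAMPLE_CONFIG = """\
sysname SwitchX
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
snmp-agent target-host trap-hostname NMS address 10.30.30.200 params securityname public v2c
ike peer AR6
 pre-shared-key cipher Huawei@123
ospf 1
 area 0.0.0.0
  authentication-mode md5 1 cipher Huawei@123
bgp 100
 peer 2.2.2.2 password cipher Huawei@123
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher Huawei@123
"""

# Hypothetical rule set: (rule id, pattern on the stripped line, reason).
LINE_RULES = [
    ("SNMP-DEFAULT-COMMUNITY",
     re.compile(r"^snmp-agent community (?:read|write) (?:public|private)\b"),
     "well-known community string"),
    ("SNMP-LEGACY-VERSION",
     re.compile(r"^snmp-agent sys-info version (?:all|v1|v2c)\b"),
     "SNMPv1/v2c carry the community string in cleartext"),
    ("SNMP-V2C-TRAP",
     re.compile(r"^snmp-agent target-host .*\bv2c\b"),
     "traps sent without authentication or encryption"),
    ("OSPF-MD5-AUTH",
     re.compile(r"^(?:ospf )?authentication-mode md5\b"),
     "MD5-based routing authentication"),
]
# Secrets as typed in a script; a saved configuration shows ciphertext instead.
SECRET_RE = re.compile(r"\b(?:cipher|pass-phrase)\s+(\S+)")


def audit(config_text):
    """Return sorted (line_no, rule_id, detail) findings for a VRP-style config."""
    findings = []
    secret_lines = defaultdict(list)
    section = ""
    for no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():
            section = line  # an unindented line opens a new configuration view
        for rule_id, pattern, why in LINE_RULES:
            if pattern.search(line):
                findings.append((no, rule_id, why))
        if section.startswith("user-interface vty") and line == "authentication-mode password":
            findings.append((no, "VTY-PASSWORD-AUTH", "shared line password, no per-user AAA"))
        for secret in SECRET_RE.findall(line):
            secret_lines[secret].append(no)
    for lines in secret_lines.values():
        if len(lines) > 1:  # report line numbers only, never the secret itself
            findings.append((lines[0], "SECRET-REUSE", f"same secret on lines {lines}"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, rule_id, detail in audit(SAMPLE_CONFIG):
        print(f"line {line_no:>2}: {rule_id}: {detail}")
```

The router template's VTY section (authentication-mode aaa with protocol inbound ssh) passes this check, while the switch template's Telnet section does not.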
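
# Check steps
# Check OSPF interface status
display ospf interface
# Check interface status
display ip interface brief
# Check connectivity
ping X.X.X.X
# Check the OSPF configuration
display current-configuration | include ospf
# Common solutions
1. Check that the interface IP addresses are in the same subnet
2. Check that the OSPF process IDs match
3. Check that the area IDs match
4. Check that the authentication configuration matches
5. Check that OSPF is enabled on the interface

# Check steps
# Check BGP neighbor status
display bgp peer
# Check TCP connection status
display tcp status
# Check connectivity
ping X.X.X.X
# Common solutions
1. Check that the AS number is configured correctly
2. Check that the router ID is unique
3. Check that TCP port 179 is reachable
4. Check the BGP authentication configuration
5. Check the route policy configuration

# Check steps
# Check the VLAN configuration
display vlan
# Check the port VLAN configuration
display port vlan
# Check the VLAN interface status
display interface VlanifX
# Common solutions
1. Check the VLAN interface IP address configuration
2. Check that the VLAN interface is enabled
3. Check the routing configuration
4. Check the ACL configuration
5. Check the port-to-VLAN binding

# Check steps
# Check the address pool
display ip pool
# Check the DHCP server
display dhcp server
# Check the DHCP relay
display dhcp relay
# Common solutions
1. Check the DHCP server configuration
2. Check that the address pool has addresses available
3. Check the DHCP relay configuration
4. Check network connectivity
5. Check the ACL configuration

# Scenario: enterprise network core layer configuration
# Devices: AR1-AR5 as core routers
# Technologies: OSPF + BGP + MPLS VPN + high availability
# Core router configuration template
system-view
sysname Core-Router
mpls lsr-id X.X.X.X
mpls
mpls ldp
ospf 1 router-id X.X.X.X
 area 0.0.0.0
  network X.X.X.X 0.0.0.3
  network X.X.X.X 0.0.0.0
bgp 100
 router-id X.X.X.X
 peer X.X.X.X as-number 100

# Scenario: data center network configuration
# Devices: LSW1-LSW3 as data center switches
# Technologies: VLAN + VRRP + link aggregation + port security
# Data center switch configuration template
system-view
sysname DataCenter-Switch
vlan batch 100 200 300
interface Eth-Trunk1
 mode lacp-static
 load-balance src-dst-ip
interface Vlanif100
 ip address 10.100.1.254 255.255.255.0
 vrrp vrid 1 virtual-ip 10.100.1.1
 vrrp vrid 1 priority 120

# Scenario: branch office network configuration
# Devices: AR11-AR15 as branch routers
# Technologies: IPSec VPN + NAT + DHCP + wireless
# Branch router configuration template
system-view
sysname Branch-Router
interface GigabitEthernet0/0/X
 ip address X.X.X.X 255.255.255.252
 nat outbound 2000
ipsec policy IPSEC_POLICY 1 isakmp
 security acl 3000
 ike-peer HQ
 proposal 1

Basic configuration: hostname, interface IP, VLAN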
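Static routing: basic route configuration
Switching: VLAN configuration, port modes
Basic security: ACL configuration, port security
Dynamic routing: OSPF and RIP configuration
Network services: DHCP, DNS, NAT
High availability: VRRP, link backup
QoS: basic traffic control
Advanced routing: BGP, ISIS, route policies
MPLS: MPLS VPN, traffic engineering
Security: IPSec, firewall
IPv6: dual stack, tunneling
Network design: large-scale network architecture design
Troubleshooting: handling complex network faults
Performance optimization: network performance tuning
Automation: automated network configuration

Basic networking concepts
Basic routing and switching configuration
Network security fundamentals
WLAN fundamentals
Advanced routing protocols
Network service configuration
Security technologies in depth
Network optimization
Network planning and design
Complex troubleshooting
Network automation
Latest technology trends

With these modular configuration commands and templates, you can quickly build a variety of network lab scenarios and make both configuration and study more efficient. Work through the technologies step by step along the learning path to eventually reach network expert level.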