Fundamentals of Network System Integration (Lab Hours): Lab 7
Corporate and Campus Network Design 1
Lab contents:
1. Switch and router link aggregation experiment
2. IPv6 basics experiment.
3. Based on the customer requirements analysis of the company network from the earlier labs, complete the network planning and technical design for those requirements and produce the company network system integration design (2000 computers), with headquarters and branch located in two different cities.
Lab report:
Must be completed independently; the report must include the simulator configuration files.
Use the Huawei simulator or the Cisco simulator.
Lab 1: Link aggregation
Topology diagram
STP information before configuration
[Huawei]dis stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 ROOT FORWARDING NONE
0 GigabitEthernet0/0/2 ALTE DISCARDING NONE
0 GigabitEthernet0/0/3 ALTE DISCARDING NONE
0 GigabitEthernet0/0/4 DESI LEARNING NONE
[Huawei]
Configuration
[Huawei]undo info-center enable
[Huawei]int Eth-Trunk 1
[Huawei-Eth-Trunk1]int g0/0/1
[Huawei-GigabitEthernet0/0/1]eth-trunk 1
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei-GigabitEthernet0/0/2]int g0/0/3
[Huawei-GigabitEthernet0/0/3]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei-GigabitEthernet0/0/3]
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int Eth-Trunk 1
[Huawei-Eth-Trunk1]int g0/0/1
[Huawei-GigabitEthernet0/0/1]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei-GigabitEthernet0/0/2]int g0/0/3
[Huawei-GigabitEthernet0/0/3]eth-trunk 1
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei-GigabitEthernet0/0/3]
Check the status:
[Huawei-GigabitEthernet0/0/3]dis stp b
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/4 DESI FORWARDING NONE
0 Eth-Trunk1 ROOT FORWARDING NONE
[Huawei-GigabitEthernet0/0/3]
Ping succeeds
PC1
PC2
No packets on interface g0/0/1.
Capturing on all three interfaces, only the last one carries traffic.
Configuration
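Why only one member link carried the ping traffic: an Eth-Trunk picks a member link per flow by hashing header fields, so every packet of the single PC1-to-PC2 flow lands on the same link. The following simplified model is added here and is not Huawei's actual hash algorithm; it shows that property, and that many distinct flows do spread across the three members.

```python
import collections
import hashlib

# The three member interfaces of Eth-Trunk 1 from the configuration above.
MEMBERS = ("GigabitEthernet0/0/1", "GigabitEthernet0/0/2", "GigabitEthernet0/0/3")


def select_member(src_mac: str, dst_mac: str, members=MEMBERS) -> str:
    """Per-flow selection: hash the (src, dst) tuple to a member index.
    Real switches use a vendor-specific hash over configurable fields; the
    property shown here is only that equal tuples always pick the same link."""
    digest = hashlib.sha256(f"{src_mac}|{dst_mac}".encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def distribute(frames, members=MEMBERS) -> collections.Counter:
    """Count how many of the given (src, dst) frames each member link carries."""
    counts = collections.Counter({m: 0 for m in members})
    for src, dst in frames:
        counts[select_member(src, dst, members)] += 1
    return counts


def links_in_use(counts) -> int:
    """Number of member links that carried at least one frame."""
    return sum(1 for n in counts.values() if n > 0)


# Constructed traffic (MAC addresses are made up): 100 frames of the single
# PC1 -> PC2 ping flow seen in the capture above ...
SINGLE_FLOW = [("54:89:98:00:00:01", "54:89:98:00:00:02")] * 100
# ... and 300 distinct station pairs, as a busy trunk would see.
MANY_FLOWS = [(f"54:89:98:{i >> 8:02x}:{i & 0xFF:02x}:01",
               f"54:89:98:{i >> 8:02x}:{i & 0xFF:02x}:02") for i in range(300)]

if __name__ == "__main__":
    print("one flow :", dict(distribute(SINGLE_FLOW)))
    print("300 flows:", dict(distribute(MANY_FLOWS)))
```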
[Huawei-GigabitEthernet0/0/3]dis current-configuration
#
sysname Huawei
#
undo info-center enable
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Eth-Trunk1
#
interface GigabitEthernet0/0/1
eth-trunk 1
#
interface GigabitEthernet0/0/2
eth-trunk 1
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
#
...
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
[Huawei-GigabitEthernet0/0/3]
Lab 2: IPv6 basics experiment
Background
IPv6 addresses can be written in three notations:
- Colon-separated hexadecimal notation
The format is X:X:X:X:X:X:X:X, where each X is a 16-bit piece of the address written in hexadecimal. For example:
ABCD:EF01:2345:6789:ABCD:EF01:2345:6789
In this notation the leading zeros of each X may be omitted, for example:
2001:0DB8:0000:0023:0008:0800:200C:417A → 2001:DB8:0:23:8:800:200C:417A
- Zero-compression notation
If an IPv6 address contains a long run of consecutive zero groups, that run can be compressed to ::. To keep the address unambiguous, :: may appear only once in an address. For example:
FF01:0:0:0:0:0:0:1101 → FF01::1101
0:0:0:0:0:0:0:1 → ::1
0:0:0:0:0:0:0:0 → ::
- Embedded IPv4 address notation
To support IPv4/IPv6 interworking, an IPv4 address can be embedded in an IPv6 address, which is then usually written as X:X:X:X:X:X:d.d.d.d: the first 96 bits use colon-separated hexadecimal and the last 32 bits use IPv4 dotted-decimal. For example:
::192.168.0.1
::FFFF:192.168.0.1
Note that zero compression still applies within the first 96 bits.
Some special addresses:
Note 1: ::1 is the local loopback address, comparable to IPv4 127.x.x.x
Note 2: :: is the equivalent of IPv4 0.0.0.0
Note 3: addresses beginning with FF are IPv6 multicast addresses, for example FF::5, comparable to IPv4 224.0.0.5
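The three notations above, implemented as a worked example (added here, not part of the original lab report): `expand` turns any of the three forms into eight 16-bit groups, and `compress` produces the short form by dropping leading zeros and replacing the longest run of zero groups with a single ::, optionally keeping the last 32 bits in dotted-decimal form; the standard-library `ipaddress` module is used only as a cross-check.

```python
import ipaddress


def expand(addr: str) -> list[int]:
    """Eight 16-bit groups of an address given in full, '::'-compressed, or
    embedded-IPv4 notation. Rejects a second '::' (uniqueness rule above)."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "." in addr:
        # Embedded IPv4 tail: convert d.d.d.d into two hexadecimal groups first.
        head, _, tail = addr.rpartition(":")
        octets = [int(o) for o in tail.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError("bad embedded IPv4 address")
        addr = f"{head}:{octets[0] << 8 | octets[1]:x}:{octets[2] << 8 | octets[3]:x}"
    if "::" in addr:
        left, right = addr.split("::")
        lgroups = [g for g in left.split(":") if g]
        rgroups = [g for g in right.split(":") if g]
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected eight 16-bit groups")
    values = [int(g, 16) for g in groups]
    if any(not 0 <= v <= 0xFFFF for v in values):
        raise ValueError("group out of range")
    return values


def compress(groups: list[int], ipv4_tail: bool = False) -> str:
    """Shortest textual form: leading zeros dropped, the longest run of at
    least two zero groups written as '::' (first run wins on a tie)."""
    hexgroups = [f"{g:x}" for g in groups]
    if ipv4_tail:
        # Render the final 32 bits as dotted decimal, e.g. ::ffff:192.168.0.1
        a, b = groups[6], groups[7]
        hexgroups = hexgroups[:6] + [f"{a >> 8}.{a & 0xFF}.{b >> 8}.{b & 0xFF}"]
    zero_groups = groups[:6] if ipv4_tail else groups
    best_start, best_len, run_start = -1, 0, None
    for i, v in enumerate(zero_groups + [-1]):  # the sentinel closes a final run
        if v == 0 and run_start is None:
            run_start = i
        elif v != 0 and run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len < 2:  # a lone zero group is written as '0', never as '::'
        return ":".join(hexgroups)
    left = ":".join(hexgroups[:best_start])
    right = ":".join(hexgroups[best_start + best_len:])
    return f"{left}::{right}"


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check expand() against the standard library's parser."""
    exploded = ipaddress.IPv6Address(addr).exploded  # always eight 4-digit groups
    return [int(g, 16) for g in exploded.split(":")] == expand(addr)


if __name__ == "__main__":
    for a in ("2001:0DB8:0000:0023:0008:0800:200C:417A", "FF01:0:0:0:0:0:0:1101",
              "0:0:0:0:0:0:0:1", "0:0:0:0:0:0:0:0"):
        print(a, "->", compress(expand(a)))
    print("::FFFF:192.168.0.1 ->", compress(expand("::FFFF:192.168.0.1"), ipv4_tail=True))
```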
Topology diagram
IPv6 allocation
Device | Interface | IPv6 address | Subnet prefix |
---|---|---|---|
PC1 | Eth0/1 | 2001:db8:acad:1::10/64 | 2001:db8:acad:1::/64 |
R1 | GE0/1 | 2001:db8:acad:1::1/64 | 2001:db8:acad:1::/64 |
R1 | GE0/2 | 2001:db8:acad:2::1/64 | 2001:db8:acad:2::/64 |
R2 | GE0/1 | 2001:db8:acad:2::2/64 | 2001:db8:acad:2::/64 |
R2 | GE0/2 | 2001:db8:acad:3::1/64 | 2001:db8:acad:3::/64 |
PC2 | Eth0/1 | 2001:db8:acad:3::10/64 | 2001:db8:acad:3::/64 |
The layout is as follows:
- PC1 and R1 are connected on the 2001:db8:acad:1::/64 subnet
- R1 and R2 are connected over the 2001:db8:acad:2::/64 subnet
- PC2 is connected to R2 on the 2001:db8:acad:3::/64 subnet
Route configuration:
R1:
[Huawei]ipv6 route-static 2001:db8:acad:3:: 64 2001:db8:acad:2::2
R2:
[Huawei]ipv6 route-static 2001:db8:acad:1:: 64 2001:db8:acad:2::1
Configuration
PC1:
PC2:
R1
<Huawei>SYS
Enter system view, return user view with Ctrl+Z.
[Huawei]undo inf
[Huawei]undo info-center en
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]ipv6
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ipv6 enable
[Huawei-GigabitEthernet0/0/0]ipv6 add 2001:db8:acad:1::1 64
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ipv6 enable
[Huawei-GigabitEthernet0/0/1]ipv6 address 2001:db8:acad:2::1 64
R2
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]ipv6
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ipv6 enable
[Huawei-GigabitEthernet0/0/0]ipv6 addr 2001:db8:acad:2::2 64
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ipv6 enable
[Huawei-GigabitEthernet0/0/1]ipv6 addr 2001:db8:acad:3::1 64
[Huawei-GigabitEthernet0/0/1]
Route configuration:
R1:
[Huawei]ipv6 route-static 2001:db8:acad:3:: 64 2001:db8:acad:2::2
Default route
ipv6 route-s :: 0 2001:db8:acad:2::2
R2:
[Huawei]ipv6 route-static 2001:db8:acad:1:: 64 2001:db8:acad:2::1
Default route
ipv6 route-s :: 0 2001:db8:acad:2::1
Test
Ping succeeds.
Packet capture
Configuration
R1
[Huawei]dis current-configuration
[V200R003C00]
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
ipv6
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address 2001:DB8:ACAD:1::1/64
#
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address 2001:DB8:ACAD:2::1/64
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ipv6 route-static :: 0 2001:DB8:ACAD:2::2
ipv6 route-static 2001:DB8:ACAD:3:: 64 2001:DB8:ACAD:2::2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[Huawei]
[Huawei]
R2
[Huawei]dis current-configuration
[V200R003C00]
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
ipv6
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address 2001:DB8:ACAD:2::2/64
#
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address 2001:DB8:ACAD:3::1/64
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ipv6 route-static :: 0 2001:DB8:ACAD:2::1
ipv6 route-static 2001:DB8:ACAD:1:: 64 2001:DB8:ACAD:2::1
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[Huawei]
3. Based on the customer requirements analysis of the company network from the earlier labs, complete the network planning and technical design for those requirements and produce the company network system integration design (2000 computers), with headquarters and branch located in two different cities.
Requirements analysis: Shandong University of Science and Technology
I. Customer requirements analysis
Shandong University of Science and Technology has the Qingdao campus (main campus), the Tai'an campus and the Jinan campus, and needs a campus network covering about 2000 computers. The main requirements are:
- High-speed, secure and stable interconnection between the three campuses; IPsec VPN or leased carrier lines may be used.
- The network must be divided into segments, such as a server segment, teaching segment, office segment and student dormitory segment, so that segments are isolated from one another yet can communicate.
- Within each campus, subnets must be further divided (teaching buildings, laboratories, machine rooms and so on) so that each segment has a clear role and boundary and is easy to manage.
- The network should scale well, making future upgrades and the connection of new buildings easy.
- Comprehensive security protection such as firewalls, intrusion detection and anti-virus should be provided to keep the campus network secure.
- The network must be easy to manage and maintain; a set of network management hardware and software should be deployed for centralized control, operations and troubleshooting across the whole network.
II. Network topology design
Based on the customer requirements, this design uses a three-tier tree topology.
- Core layer: two high-performance Layer 3 core switches in the Qingdao main campus machine room, with VRRP for redundancy, connecting the three campuses and the Internet exit.
- Aggregation layer: two Ethernet switches in each campus machine room as regional aggregation switches, uplinked redundantly to the core switches with bundled multi-links, aggregating the buildings of the campus.
- Access layer: two Ethernet switches per building as access switches, dual-homed to the aggregation layer with MSTP for link backup, connecting the terminals on each floor.
- Servers connect to the core switches through dual NICs in a cascaded manner for load balancing and high availability.
- The network management platform and security devices are deployed in the core machine room and connect directly to the core layer.
- Campuses are connected by IPsec VPN or leased lines, interconnected through the core switches.
III. IP address planning
Based on the information provided, this design applies a unified IP address plan to the campus network.
- 172.16.0.0/22 is allocated to the Qingdao main campus.
- 172.16.0.0/24 is used for servers.
- 172.16.1.0/24 is used for network management.
- 172.16.2.0/24 and 172.16.3.0/24 are used for offices and teaching.
- 172.30.0.0/16 is allocated to the Tai'an campus.
- 172.30.0.0/24 is used for network device interconnection.
- 172.30.132.0/24 is assigned to the 1C401 to 1C403 machine rooms.
- 172.30.128.0/24 is assigned to the 1B machine room.
- The other subnets within 172.30.0.0/16 are available for teaching buildings, office buildings, laboratories and so on.
- 172.29.0.0/16 is allocated to the Jinan campus, subnetted in the same way as Tai'an.
- 10.0.0.0/24 and 192.168.0.0/24 are device management segments and are not exposed externally.
IV. Equipment selection
- Core switches: Huawei CE12800 series high-end routing switches, configured with high-capacity power supplies, main control engines, line cards and copper ports, deployed as a hot-standby pair.
- Aggregation switches: Huawei S5720-56C-HI-48S series, with 48 10GE SFP+ ports and 4 40G QSFP+ uplinks.
- Access switches: Huawei S5720-28X-SI-24S-AC series, with 24 GE SFP ports and 4 10GE SFP+ uplinks.
- Servers and storage: Huawei FusionServer and OceanStor series; detailed configuration omitted.
- VPN gateway: Huawei USG6680 firewall as the IPsec VPN gateway.
- Internet behaviour management: Shanghai Hengyang iNBox ACG-5000E centrally managed Internet behaviour management appliance.
- Network management workstation: Sugon Tiankuo I620-G30 workstation running Windows Server, hosting the network management software.
V. Network security design
This design provides fairly comprehensive security protection:
- Deploy USG6680 next-generation firewalls providing IPS, IDS, AV, URL filtering and other security functions.
- The iNBox ACG-5000E identifies, filters and controls HTTP, HTTPS, SSH and other traffic across the whole network.
- Change the default settings on all network devices, configure AAA authentication with strong passwords, and allow management logins only from specific management IPs.
- Enable DHCP snooping, DAI, IP source guard and similar security features on the Layer 3 devices.
- Deploy the LanScope Net endpoint admission system to perform security checks and admission control on connecting terminals.
- Establish security management rules, assign responsible persons, and carry out regular network security assessments.
VI. Network management design
To manage the whole network centrally, this design provides a comprehensive network management system:
- Huawei eSight platform for centralized configuration, monitoring and maintenance of network devices, servers and storage.
- Zhuoxun unified operations management system, combining ticketing, CMDB, monitoring and other modules for automated network operations.
- Splunk for centralized log management, collecting and analysing the logs of core network devices and security devices.
- Huawei iMaster NCE intelligent analytics platform, using big data and AI for intelligent network analysis and fault diagnosis.
- NETCONF, YANG and similar management protocols and data modelling languages for programmable network automation.
- A central network management centre staffed by professional network administrators 7x24, responsible for daily inspection, change management and fault handling.
The plan still needs further discussion and refinement, including a feasibility study, investment budget and construction schedule. During implementation, close cooperation with the university's departments will be needed for survey, construction, training and acceptance. We look forward to working with the university to put this plan into practice and support its digital transformation and high-quality development.
VLAN allocation
The campus network design is further refined and detailed below, in particular the VLAN allocation, IP address planning and network topology. The revised detailed design follows:
I. VLAN planning and IP address allocation
To achieve security isolation and flexible management, this design divides the campus network extensively into VLANs, with each VLAN mapped to one IP subnet.
- Qingdao campus VLAN plan
VLAN ID | IP subnet | Mask | Description | Gateway |
---|---|---|---|---|
VLAN 10 | 172.16.0.0 | 255.255.255.0 | Server segment | 172.16.0.254 |
VLAN 20 | 172.16.1.0 | 255.255.255.0 | Network management segment | 172.16.1.254 |
VLAN 30 | 172.16.2.0 | 255.255.255.0 | Office segment 1 | 172.16.2.254 |
VLAN 40 | 172.16.3.0 | 255.255.255.0 | Office segment 2 | 172.16.3.254 |
VLAN 50 | 172.16.4.0 | 255.255.255.0 | Teaching segment 1 | 172.16.4.254 |
VLAN 60 | 172.16.5.0 | 255.255.255.0 | Teaching segment 2 | 172.16.5.254 |
VLAN 70 | 172.16.6.0 | 255.255.255.0 | Student dormitory segment 1 | 172.16.6.254 |
VLAN 80 | 172.16.7.0 | 255.255.255.0 | Student dormitory segment 2 | 172.16.7.254 |
VLAN 90 | 172.16.8.0 | 255.255.255.0 | Guest segment | 172.16.8.254 |
VLAN 100 | 172.16.9.0 | 255.255.255.0 | Printer segment | 172.16.9.254 |
VLAN 110 | 172.16.10.0 | 255.255.255.0 | IP phone segment | 172.16.10.254 |
VLAN 120 | 172.16.11.0 | 255.255.255.0 | Surveillance segment | 172.16.11.254 |
VLAN 130 | 172.16.12.0 | 255.255.255.0 | Wireless AP management segment | 172.16.12.254 |
VLAN 1000 | 10.0.0.0 | 255.255.255.0 | Device interconnect | - |
The Qingdao campus has 13 user VLANs plus 1 core VLAN, which satisfies the need to separate the business systems. All VLAN subnets are taken from 172.16.0.0/16 with mask 255.255.255.0. VLAN 1000 carries no IP address and is dedicated to interconnecting Layer 3 devices.
The server area, comprising the core business servers (academic affairs system, OA system, library, VOD, IPTV, DNS, DHCP, e-mail and so on), is placed in VLAN 10 on 172.16.0.0/24.
The network management platform (network management server, log server, accounting server) is placed in VLAN 20 on 172.16.1.0/24.
Office areas in the different teaching buildings are placed in VLAN 30 or 40 by location, on 172.16.2.0/24 and 172.16.3.0/24 respectively. The number of office VLANs can be adjusted later.
Laboratory areas in the different teaching buildings are placed in VLAN 50 or 60 according to teaching requirements, on 172.16.4.0/24 and 172.16.5.0/24 respectively. Teaching and office areas are isolated from each other by VLAN.
Student dormitory buildings are placed in VLAN 70 or 80, on 172.16.6.0/24 and 172.16.7.0/24 respectively. The number of dormitory VLANs can be adjusted.
The other supporting networks (guests, printing, voice, video surveillance, wireless management) each get a separate VLAN and do not interfere with one another.
Each VLAN has a Layer 3 SVI: VLANs are terminated on the core switches, which provide the Layer 3 gateway for communication between VLANs.
- Tai'an campus VLAN plan
VLAN ID | IP subnet | Mask | Description | Gateway |
---|---|---|---|---|
VLAN 10 | 172.30.0.0 | 255.255.255.0 | Device management segment | - |
VLAN 20 | 172.30.128.0 | 255.255.255.0 | 1B machine room | 172.30.128.254 |
VLAN 30 | 172.30.132.0 | 255.255.255.0 | 1C401 machine room | 172.30.132.254 |
VLAN 40 | 172.30.133.0 | 255.255.255.0 | 1C402 machine room | 172.30.133.254 |
VLAN 50 | 172.30.134.0 | 255.255.255.0 | 1C403 machine room | 172.30.134.254 |
VLAN 60 | 172.30.135.0 | 255.255.255.0 | Information Center office | 172.30.135.254 |
VLAN 70 | 172.30.136.0 | 255.255.255.0 | Main building offices | 172.30.136.254 |
VLAN 80 | 172.30.137.0 | 255.255.255.0 | Library | 172.30.137.254 |
VLAN 90 | 172.30.144.0 | 255.255.240.0 | Student dormitories 1-15 | 172.30.144.254 |
VLAN 100 | 172.30.160.0 | 255.255.240.0 | Student dormitories 16-30 | 172.30.160.254 |
VLAN 110 | 172.30.176.0 | 255.255.240.0 | Teaching buildings 1-3 | 172.30.176.254 |
VLAN 120 | 172.30.208.0 | 255.255.240.0 | Teaching buildings 4-6 | 172.30.208.254 |
VLAN 130 | 172.30.192.0 | 255.255.240.0 | Teaching laboratories | 172.30.192.254 |
The Tai'an campus VLANs are divided by building and business type; the core switch provides the gateway for each VLAN through Layer 3 SVIs. There are 13 VLANs, assigned 13 subnets of 172.30.0.0/16.
The 1B machine room is in VLAN 20, and the 1C401 to 1C403 machine rooms are in VLANs 30 to 50 respectively, with IP addresses assigned contiguously.
The office area is divided into three VLANs (Information Center, main building, library) that do not affect one another.
Student dormitories are divided into two VLANs, each with mask 255.255.240.0 (4094 usable addresses): buildings 1-15 and buildings 16-30.
The teaching area is divided into three VLANs by building number (buildings 1-3, buildings 4-6 and the laboratories), each independent of the others. Each VLAN uses mask 255.255.240.0 to guarantee enough IP addresses.
VLAN 10 is dedicated to network device management and carries no IP address.
- Jinan campus VLAN plan
The Jinan campus VLAN plan is similar to Tai'an's, with a teaching area, office area, laboratory area and student dormitory area, about 15 VLANs in total. Given the address demand, the Jinan campus should use 172.29.0.0/16, with each VLAN using mask 255.255.240.0, which amply covers the need for more than 4000 addresses. The key VLANs are:
VLAN ID | IP subnet | Mask | Description | Gateway |
---|---|---|---|---|
VLAN 10 | 172.29.0.0 | 255.255.255.0 | Device management segment | - |
VLAN 20 | 172.29.16.0 | 255.255.240.0 | Teaching area 1 | 172.29.16.254 |
VLAN 30 | 172.29.32.0 | 255.255.240.0 | Teaching area 2 | 172.29.32.254 |
VLAN 40 | 172.29.48.0 | 255.255.240.0 | Laboratory area | 172.29.48.254 |
VLAN 50 | 172.29.64.0 | 255.255.240.0 | Office area 1 | 172.29.64.254 |
VLAN 60 | 172.29.80.0 | 255.255.240.0 | Office area 2 | 172.29.80.254 |
VLAN 70 | 172.29.96.0 | 255.255.240.0 | Student dormitories 1-10 | 172.29.96.254 |
VLAN 80 | 172.29.112.0 | 255.255.240.0 | Student dormitories 11-20 | 172.29.112.254 |
II. Network topology design
Based on the VLAN plan, the following topology is proposed for the campus network:
Core layer design:
In the Qingdao main campus data centre, deploy two Huawei CloudEngine 12800 high-end core switches, model CE12816. Each core switch has 2 main control engines, 4 48-port 10GE line cards, 4 48-port GE line cards and 4 dual-port 100G QSFP28 line cards.
The two core switches use VRRP for gateway redundancy to avoid a single point of failure. Upstream, each uses 2 100G ports bundled with LACP for interconnection; downstream, each connects to the aggregation switches with LACP bundles for link redundancy and extra bandwidth.
The core layer runs OSPF, forming neighbours with the aggregation switches of the three campuses and exchanging routes with them.
The core switches use SVF stacking virtualization, so the two physical devices form one logical device with unified management and configuration.
Aggregation layer design:
In the Qingdao campus data centre, deploy Huawei S6720-54C aggregation switches, each with 48 10GE SFP+ optical ports and 6 40G QSFP+ optical ports.
Each aggregation switch uses 2 40G QSFP+ ports bundled with LACP to uplink to the core switches and 4 40G QSFP+ ports for cascaded interconnection.
Each aggregation switch serves 10 to 20 access switches on the Qingdao campus and can be scaled out as needed.
In the central machine rooms of the Tai'an and Jinan campuses, deploy 2 Huawei S6720-54C aggregation switches each, dual-uplinked at 10G or higher to the Qingdao core switches over IPsec VPN or leased lines, so that the three sites are interconnected.
Each remote aggregation switch then connects downstream to its campus access switches with 10GE LACP bundles.
Aggregation switches use stacking or VRRP for redundancy to avoid single points of failure, and run OSPF as regional aggregation nodes.
Access layer design:
On the Qingdao campus, deploy 2 to 4 S5720-28X-SI-24S-AC access switches per building according to the building's floor area and number of outlets.
Each access switch uplinks to the aggregation layer with 2 to 4 10GE SFP+ ports bundled with LACP, and connects office PCs, APs, IP phones, cameras and other terminals through 24 GE RJ45 ports, meeting gigabit access needs.
On the Tai'an and Jinan campuses, deploy 2 S5720-28X-SI-24S-AC building access switches in each teaching building, office building and dormitory, sized by the number of outlets.
The access switches in each building run MSTP to prevent loops and are dual-uplinked for redundancy.
Access switches enable IGMP Snooping and MLD Snooping, combined with multicast and VLANs, for multicast replication and isolation, improving multicast efficiency.
Wireless network design:
Alongside the wired plan, deploy Huawei AP6050DN wireless APs in the key areas (teaching buildings, office buildings, library) of the Qingdao and Tai'an campuses, on average one AP per 8 to 12 rooms.
In student dormitories and public activity areas, deploy ceiling-mounted AP2050DN-S APs, on average one AP per 3 to 4 rooms.
All wireless APs are PoE-powered from the PoE ports of the Layer 2 access switches. The wireless AP management VLAN is VLAN 130.
Detailed analysis
The network of Shandong University of Science and Technology is as follows:
It is divided into the Qingdao campus (main campus), the Tai'an campus and the Jinan campus.
192.168.0.0/24 serves as the server segment
172.16-31 serves as the client segment.
10.0.0. serves as the switch segment
In Tai'an the allocation is: 172.30.132.0/24 is assigned to the 1C401, 1C402 and 1C403 machine rooms, and 172.30.128.0/24 to the 1B machine room.
The traceroute from Tai'an to 192.168.111.7 (the HTTP reverse-proxy server) is as follows.
Route trace:
root@ovovoov:~# traceroute 192.168.111.7
traceroute to 192.168.111.7 (192.168.111.7), 30 hops max, 60 byte packets
1 10.31.0.1 (10.31.0.1) 0.305 ms 0.278 ms 0.263 ms (local router)
2 172.29.110.254 (172.29.110.254) 11.057 ms 11.105 ms 10.980 ms
3 172.29.231.2 (172.29.231.2) 6.611 ms 6.573 ms 6.556 ms
4 172.16.0.6 (172.16.0.6) 0.622 ms 0.769 ms 0.541 ms
5 * * *
6 * * *
7 172.16.0.113 (172.16.0.113) 12.178 ms 12.318 ms 12.547 ms
8 192.168.111.7 (192.168.111.7) 10.567 ms 10.584 ms 10.620 ms
Actual latency:
root@ovovoov:~# ping 192.168.111.7
PING 192.168.111.7 (192.168.111.7) 56(84) bytes of data.
64 bytes from 192.168.111.7: icmp_seq=1 ttl=57 time=10.7 ms
64 bytes from 192.168.111.7: icmp_seq=2 ttl=57 time=10.5 ms
64 bytes from 192.168.111.7: icmp_seq=3 ttl=57 time=10.5 ms
Qingdao and Tai'an may be linked in one of two ways:
- IPsec tunnel
- Direct fiber.
Actual route test (accessing the SDUST mirror site, with the address resolved by the internal DNS 192.168.100.8); that server is the reverse-proxy server.
Route trace via the education network exit:
For 2000 hosts, dividing into VLANs is enough; allocating from the 172.16-31 range is sufficient for the division and assignment.
The space available in 172.16/12 is:
- Network address: 172.16.0.0/12
- IP range: 172.16.0.0 to 172.31.255.255
- Usable IP range: 172.16.0.1 to 172.31.255.254
- Total addresses: $2^{20} = 1,048,576$
The address space is more than enough, and it can be subdivided repeatedly into /24s to distinguish rooms.
One feasible plan; the actual division must follow the customer's real requirements:
VLAN ID | Subnet | Mask | Hosts | Description |
---|---|---|---|---|
VLAN10 | 172.16.0.0/21 | 255.255.248.0 | 2046 | Teaching area 1 |
VLAN20 | 172.16.8.0/21 | 255.255.248.0 | 2046 | Teaching area 2 |
VLAN30 | 172.16.16.0/21 | 255.255.248.0 | 2046 | Office area 1 |
VLAN40 | 172.16.24.0/21 | 255.255.248.0 | 2046 | Office area 2 |
VLAN50 | 172.16.32.0/21 | 255.255.248.0 | 2046 | Laboratory area |
VLAN60 | 172.16.40.0/22 | 255.255.252.0 | 1022 | Machine room area |
VLAN70 | 172.16.44.0/22 | 255.255.252.0 | 1022 | Student dormitory area 1 |
VLAN80 | 172.16.48.0/22 | 255.255.252.0 | 1022 | Student dormitory area 2 |
VLAN90 | 172.16.52.0/22 | 255.255.252.0 | 1022 | Student dormitory area 3 |
VLAN100 | 172.16.56.0/24 | 255.255.255.0 | 254 | Server area |
VLAN110 | 172.16.57.0/24 | 255.255.255.0 | 254 | Network management area |
VLAN120 | 172.16.58.0/24 | 255.255.255.0 | 254 | Portal server area |
VLAN130 | 172.16.59.0/24 | 255.255.255.0 | 254 | Wireless controller management area |
Notes:
- Teaching and office areas have the most hosts, so each of those VLANs gets a /21 subnet with 2046 usable IPs, leaving ample room for growth.
- Student dormitory areas have slightly fewer hosts than the teaching and office areas and get /22 subnets with 1022 usable IPs, which meets the need.
- Machine room, server and network management areas have relatively fixed equipment and get /24 subnets with 254 usable IPs.
- The campus network has about 14336 usable IP addresses in total, far fewer than in the previous plan, but still enough for 2000 hosts with 30% headroom for growth.
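A check of the VLAN plan in the table above (added here, not part of the original report): it verifies that each row's dotted mask matches its prefix length, recomputes the usable host count, confirms that no two VLANs overlap and that every subnet lies inside 172.16.0.0/12, and maps a host address back to its VLAN.

```python
import ipaddress

# Rows copied from the plan above: (VLAN ID, subnet, dotted mask, hosts claimed, role).
VLAN_PLAN = [
    (10, "172.16.0.0/21", "255.255.248.0", 2046, "Teaching area 1"),
    (20, "172.16.8.0/21", "255.255.248.0", 2046, "Teaching area 2"),
    (30, "172.16.16.0/21", "255.255.248.0", 2046, "Office area 1"),
    (40, "172.16.24.0/21", "255.255.248.0", 2046, "Office area 2"),
    (50, "172.16.32.0/21", "255.255.248.0", 2046, "Laboratory area"),
    (60, "172.16.40.0/22", "255.255.252.0", 1022, "Machine room area"),
    (70, "172.16.44.0/22", "255.255.252.0", 1022, "Student dormitory area 1"),
    (80, "172.16.48.0/22", "255.255.252.0", 1022, "Student dormitory area 2"),
    (90, "172.16.52.0/22", "255.255.252.0", 1022, "Student dormitory area 3"),
    (100, "172.16.56.0/24", "255.255.255.0", 254, "Server area"),
    (110, "172.16.57.0/24", "255.255.255.0", 254, "Network management area"),
    (120, "172.16.58.0/24", "255.255.255.0", 254, "Portal server area"),
    (130, "172.16.59.0/24", "255.255.255.0", 254, "Wireless controller management area"),
]
PRIVATE_BLOCK = ipaddress.ip_network("172.16.0.0/12")


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """All addresses minus the network and broadcast addresses."""
    return net.num_addresses - 2


def check_plan(plan=VLAN_PLAN) -> dict:
    """Validate every row and return the totals plus any problems found."""
    problems, nets, total = [], [], 0
    for vid, cidr, mask, claimed, role in plan:
        net = ipaddress.ip_network(cidr, strict=True)  # raises if host bits are set
        if str(net.netmask) != mask:
            problems.append(f"VLAN {vid}: mask {mask} does not match {cidr}")
        if usable_hosts(net) != claimed:
            problems.append(f"VLAN {vid}: claims {claimed} hosts, has {usable_hosts(net)}")
        if not net.subnet_of(PRIVATE_BLOCK):
            problems.append(f"VLAN {vid}: {cidr} lies outside {PRIVATE_BLOCK}")
        for other_vid, other in nets:
            if net.overlaps(other):
                problems.append(f"VLAN {vid} overlaps VLAN {other_vid}")
        nets.append((vid, net))
        total += usable_hosts(net)
    return {"vlans": len(nets), "usable_total": total, "problems": problems}


def vlan_for(ip: str, plan=VLAN_PLAN):
    """VLAN ID whose subnet contains the host address, or None if unplanned."""
    addr = ipaddress.ip_address(ip)
    for vid, cidr, *_ in plan:
        if addr in ipaddress.ip_network(cidr):
            return vid
    return None


if __name__ == "__main__":
    print(check_plan())
    print("172.16.45.17 ->", vlan_for("172.16.45.17"))
```

Summing the table's own per-VLAN counts gives 15334 usable addresses, which differs from the approximate 14336 in the notes; the per-row masks, host counts and non-overlap all check out.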
A simple topology diagram follows:
The topology omits some of the public-network exit core switches, the GIWIFI routers and the like, and the education network exit is not shown.
Configuration:
Router configuration
AR5
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo inf
[Huawei]undo info-center en
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 10.1.1.1 24
[Huawei-GigabitEthernet0/0/1]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 10.30.30.1 24
[Huawei-GigabitEthernet0/0/1]ip addr 10.1.1.1 24
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip addr 10.30.30.1 24
[Huawei-GigabitEthernet0/0/0]rip
[Huawei-rip-1]version 2
[Huawei-rip-1]network 10.0.0.0
[Huawei-rip-1]
AR2:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip addr 10.1.1.2 24
[Huawei-GigabitEthernet0/0/0]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 10.2.2.2 24
[Huawei-GigabitEthernet0/0/1]int g0/0/2
[Huawei-GigabitEthernet0/0/2]ip addr 10.20.20.1 24
[Huawei-GigabitEthernet0/0/2]rip 1
[Huawei-rip-1]vers
[Huawei-rip-1]version 2
[Huawei-rip-1]netwo
[Huawei-rip-1]network 10.0.0.0
[Huawei-rip-1]
AR3
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]int g0/0/0
[Huawei-GigabitEthernet0/0/0]ip addr 10.2.2.3 24
[Huawei-GigabitEthernet0/0/0]
Jun 18 2024 18:27:37-08:00 Huawei %%01IFNET/4/LINK_STATE(l)[0]:The line protocol
IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[Huawei-GigabitEthernet0/0/0]undo in
[Huawei-GigabitEthernet0/0/0]undo inf
[Huawei-GigabitEthernet0/0/0]q
[Huawei]undo inf
[Huawei]undo info-center en
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]int g0/0/1
[Huawei-GigabitEthernet0/0/1]ip addr 10.10.10.1 24
[Huawei-GigabitEthernet0/0/1]rip 1
[Huawei-rip-1]vers
[Huawei-rip-1]version 2
[Huawei-rip-1]netw
[Huawei-rip-1]network 10.0.0.0
[Huawei-rip-1]
Tai'an: core switch VLAN interconnection
Core switch
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo inf
[Huawei]undo info-center en
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]vlan b 130 128 132 300 160 2110
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int vlanif 130
[Huawei-Vlanif130]ip addr 172.30.130.1
^
Error:Incomplete command found at '^' position.
[Huawei-Vlanif130]ip addr 172.30.130.1 24
[Huawei-Vlanif130]int vlanif 128
[Huawei-Vlanif128]ip addr 172.30.128.1
^
Error:Incomplete command found at '^' position.
[Huawei-Vlanif128]ip addr 172.30.128.1 24
[Huawei-Vlanif128]int vlanif 132
[Huawei-Vlanif132]ip addr 172.30.132.1 24
[Huawei-Vlanif132]int vlanif 300
[Huawei-Vlanif300]ip addr 172.20.20.1 24
[Huawei-Vlanif300]int g0/0/1
[Huawei-GigabitEthernet0/0/1]p l t
[Huawei-GigabitEthernet0/0/1]p l a v a
^
Error:Ambiguous command found at '^' position.
[Huawei-GigabitEthernet0/0/1]p t a v a
[Huawei-GigabitEthernet0/0/1]
LSW4
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo inf
[Huawei]undo info-center en
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]vlan b 130 128 132 300 160 2110
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int e0/0/3
[Huawei-Ethernet0/0/3]p l a
[Huawei-Ethernet0/0/3]p d v 132
[Huawei-Ethernet0/0/3]int e0/0/4
[Huawei-Ethernet0/0/4]p l a
[Huawei-Ethernet0/0/4]p d v 128
[Huawei-Ethernet0/0/4]int e0/0/5
[Huawei-Ethernet0/0/5]p l a
[Huawei-Ethernet0/0/5]p d v 128
[Huawei-Ethernet0/0/5]int e 0/0/2
[Huawei-Ethernet0/0/2]p l t
[Huawei-Ethernet0/0/2]p t a v a
[Huawei-Ethernet0/0/2]int e0/0/1
[Huawei-Ethernet0/0/1]p l t
[Huawei-Ethernet0/0/1]p t a v a
LSW5
[Huawei]undo in e
Info: Information center is disabled.
[Huawei]int e0/0/1
[Huawei-Ethernet0/0/1]p l t
[Huawei-Ethernet0/0/1]p t a v a
[Huawei-Ethernet0/0/1]vlan b 130 128 132 300 160 2110
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int e0/0/2
[Huawei-Ethernet0/0/2]p l a
[Huawei-Ethernet0/0/2]p d v 130
[Huawei-Ethernet0/0/2]
Test: the VLANs communicate normally
Jinan: core switch configuration
Core switch configuration:
[Huawei]undo in en
Info: Information center is disabled.
[Huawei]vlan b 130 128 132 300 160 2110
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]vlan b 130 128 132 300 160 2110 2111
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int vlanif 2110
[Huawei-Vlanif2110]ip addr 172.21.10.1 24
[Huawei-Vlanif2110]int vlanif 2111
[Huawei-Vlanif2111]ip addr 172.21.11.1 24
[Huawei-Vlanif2111]int g0/0/3
[Huawei-GigabitEthernet0/0/3]p l a
[Huawei-GigabitEthernet0/0/3]p d v 2111
[Huawei-GigabitEthernet0/0/3]int g0/0/2
[Huawei-GigabitEthernet0/0/2]p l a
[Huawei-GigabitEthernet0/0/2]p d v 2110
Ping succeeds
Qingdao: core switch
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo in en
Info: Information center is disabled.
[Huawei]vlan b 130 128 132 300 160 2110 2111
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]vlan b 130 128 132 300 160 2110 2111 170
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]
[Huawei]int g0/0/2
[Huawei-GigabitEthernet0/0/2]p l a
[Huawei-GigabitEthernet0/0/2]p d v 160
[Huawei-GigabitEthernet0/0/2]int g0/0/3
[Huawei-GigabitEthernet0/0/3]p l a
[Huawei-GigabitEthernet0/0/3]p d v 170
[Huawei-GigabitEthernet0/0/3]int vlanif 160
[Huawei-Vlanif160]ip addr 172.16.0.1 24
[Huawei-Vlanif160]int vlanif 170
[Huawei-Vlanif170]ip addr 172.17.0.1 24
[Huawei-Vlanif170]
Ping succeeds
IP configuration
Tai'an:
Core switch static route
[Huawei-GigabitEthernet0/0/2]int vlanif 300
[Huawei-Vlanif300]ip addr 10.200.200.2 24
[Huawei-Vlanif300]int g0/0/2
[Huawei-GigabitEthernet0/0/2]p l a
[Huawei-GigabitEthernet0/0/2]p d v 300
[Huawei]ip route-static 0.0.0.0 0 10.200.200.1
Router:
[Huawei]sysname art
[art]int g0/0/0
[art-GigabitEthernet0/0/0]int g0/0/1
[art-GigabitEthernet0/0/0]ip addr 10.200.200.1 24
[art-GigabitEthernet0/0/0]int g0/0/1
[art-GigabitEthernet0/0/1]ip addr 10.20.20.2 24
[arq]ip route-static 0.0.0.0 0.0.0.0 10.20.20.1
Qingdao
Core switch static route
[Huawei]vlan b 301
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int vlanif 301
[Huawei-Vlanif301]ip addr 10.100.100.2 24
[Huawei-Vlanif301]int g0/0/1
[Huawei-GigabitEthernet0/0/1]p l a
[Huawei-GigabitEthernet0/0/1]p d v 301
[Huawei-GigabitEthernet0/0/1]q
[Huawei]ip route-static 0.0.0.0 0 10.100.100.1
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname ar1
[ar1]sysname arq
[arq]undo info en
Info: Information center is disabled.
[arq]int g0/0/0
[arq-GigabitEthernet0/0/0]ip addr 10.10.10.2 24
[arq-GigabitEthernet0/0/0]int g0/0/1
[arq-GigabitEthernet0/0/1]ip addr 10.100.100.1 24
[arq]ip route-static 0.0.0.0 0.0.0.0 10.10.10.1
Jinan:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname arj
[arj]int g0/0/1
[arj-GigabitEthernet0/0/1]ip addr 10.30.30.2 24
[arj-GigabitEthernet0/0/1]q
[arj]undo info en
Info: Information center is disabled.
[arj]ip route-s
[arj]ip route-static 0.0.0.0 0.0.0.0 10.30.30.1
The public network and the Qingdao and Jinan sites can ping one another:
IPsec configuration
Tai'an
[art]acl 3000
[art-acl-adv-3000]rule permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255.255
[art-acl-adv-3000]rule 100 deny ip
[art-acl-adv-3000]ipsec proposal test
[art-ipsec-proposal-test]encapsulation-mode tunnel
[art-ipsec-proposal-test]transform esp
[art-ipsec-proposal-test]esp authentication-algorithm sha1
[art-ipsec-proposal-test]esp encryption-algorithm 3des
[art-ipsec-proposal-test]ike proposal 1
[art-ike-proposal-1]authentication-method pre-share
[art-ike-proposal-1]authentication-algorithm md5
[art-ike-proposal-1]dh group2
[art-ike-proposal-1]ike peer test v2
[art-ike-peer-test]pre-shared-key cipher gdeie
[art-ike-peer-test]remote-address 10.10.10.2
[art-ike-peer-test]ipsec policy RT-RQ-IPSecVPN 1 isakmp
[art-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]ike-peer test
[art-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]proposal test
[art-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]security acl 3000
[art-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]int g0/0/1
[art-GigabitEthernet0/0/1]ipsec policy RT-RQ-IPSecVPN
[art]ip route-static 172.30.0.0 255.255.0.0 10.200.200.2
Qingdao
<arq>sys
Enter system view, return user view with Ctrl+Z.
[arq]acl 3000
[arq-acl-adv-3000]rule permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255.255
[arq-acl-adv-3000]rule 100 deny ip
[arq-acl-adv-3000]ipsec proposal test
[arq-ipsec-proposal-test]encapsulation-mode tunnel
[arq-ipsec-proposal-test]transform esp
[arq-ipsec-proposal-test]esp authentication-algorithm sha1
[arq-ipsec-proposal-test]esp encryption-algorithm 3des
[arq-ipsec-proposal-test]ike proposal 1
[arq-ike-proposal-1]authentication-method pre-share
[arq-ike-proposal-1]authentication-algorithm md5
[arq-ike-proposal-1]dh group2
[arq-ike-proposal-1]ike peer test v2
[arq-ike-peer-test]pre-shared-key cipher gdeie
[arq-ike-peer-test]remote-address 10.20.20.2
[arq-ike-peer-test]ipsec policy RT-RQ-IPSecVPN 1 isakmp
[arq-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]ike-peer test
[arq-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]proposal test
[arq-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]security acl 3000
[arq-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]int g0/0/0
[arq-GigabitEthernet0/0/0]ipsec policy RT-RQ-IPSecVPN
[arq]ip route-static 172.16.0.0 255.255.0.0 10.100.100.2
[arq]ip route-static 172.17.0.0 255.255.0.0 10.100.100.2
Jinan
Jinan and Qingdao establish a second IPsec tunnel:
Core switch
[Huawei]vlan b 302
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]int vlanif 302
[Huawei-Vlanif302]ip addr 10.50.50.2 24
[Huawei-Vlanif302]p d a
Error: Domain does not exist.Please make sure whether the input is correct.
[Huawei-Vlanif302]int g0/0/1
[Huawei-GigabitEthernet0/0/1] p l a
[Huawei-GigabitEthernet0/0/1]p d v 302
[Huawei-GigabitEthernet0/0/1]q
[Huawei]ip route-static 0.0.0.0 0 10.50.50.1
[Huawei]ping 10.50.50.1
PING 10.50.50.1: 56 data bytes, press CTRL_C to break
Reply from 10.50.50.1: bytes=56 Sequence=1 ttl=255 time=30 ms
Reply from 10.50.50.1: bytes=56 Sequence=2 ttl=255 time=40 ms
Reply from 10.50.50.1: bytes=56 Sequence=3 ttl=255 time=40 ms
Reply from 10.50.50.1: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 10.50.50.1: bytes=56 Sequence=5 ttl=255 time=20 ms
--- 10.50.50.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/36/50 ms
[Huawei]
Jinan router
Multiple tunnels on a single IP are prone to problems; this step may have issues and can be skipped.
[arj]int g0/0/0
[arj-GigabitEthernet0/0/0]ip addr 10.50.50.1 24
[arj-GigabitEthernet0/0/0]acl 3000
[arj-acl-adv-3000]rule permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255.255
[arj-acl-adv-3000]rule 100 deny ip
[arj-acl-adv-3000]ipsec proposal test
[arj-ipsec-proposal-test]encapsulation-mode tunnel
[arj-ipsec-proposal-test]transform esp
[arj-ipsec-proposal-test]esp authentication-algorithm sha1
[arj-ipsec-proposal-test]esp encryption-algorithm 3des
[arj-ipsec-proposal-test]ike proposal 1
[arj-ike-proposal-1]authentication-method pre-share
[arj-ike-proposal-1]authentication-algorithm md5
[arj-ike-proposal-1]dh group2
[arj-ike-proposal-1]ike peer test v2
[arj-ike-peer-test]pre-shared-key cipher gdeie
[arj-ike-peer-test]remote-address 10.10.20.2
[arj-ike-peer-test]ipsec policy RT-RQ-IPSecVPN 1 isakmp
[arj-ipsec-policy-isakmp-RT-RQ-IPSecVPN-1]ipsec policy RJ-RQ-IPSecVPN 1 isakmp
[arj-ipsec-policy-isakmp-RJ-RQ-IPSecVPN-1]ike-peer test
[arj-ipsec-policy-isakmp-RJ-RQ-IPSecVPN-1]proposal test
[arj-ipsec-policy-isakmp-RJ-RQ-IPSecVPN-1]security acl 3000
[arj-ipsec-policy-isakmp-RJ-RQ-IPSecVPN-1]int g0/0/1
[arj-GigabitEthernet0/0/1]ipsec policy RJ-RQ-IPSecVPN
[arj-GigabitEthernet0/0/1]ip route-static 172.121.0.0 255.255.0.0 10.50.50.2
[arj]ip route-static 172.21.0.0 255.255.0.0 10.50.50.2
[arj]undo ip route-static 172.121.0.0 255.255.0.0 10.50.50.2
The router can ping the addresses behind the core switch:
Qingdao: second IPsec tunnel, to connect with Jinan
A second IP is needed; multiple tunnels on a single IP are prone to problems. This step may have issues and can be skipped.
[arq]acl 3001
[arq-acl-adv-3001]rule permit ip source 172.16.0.0 0.15.255.255 destination 172.21.0.0 0.0.255.255
[arq-acl-adv-3001]rule deny ip
[arq-acl-adv-3001]ipsec proposal rq-rj
[arq-ipsec-proposal-rq-rj]encapsulation-mode tunnel
[arq-ipsec-proposal-rq-rj]transform esp
[arq-ipsec-proposal-rq-rj]esp authentication-algorithm sha1
[arq-ipsec-proposal-rq-rj]esp encryption-algorithm 3des
[arq-ipsec-proposal-rq-rj]ike proposal 2
[arq-ike-proposal-2]authentication-method pre-share
[arq-ike-proposal-2]authentication-algorithm md5
[arq-ike-proposal-2]dh group2
[arq-ike-proposal-2]ike peer rq-rj v2
[arq-ike-peer-rq-rj]remote-address 10.30.30.2
[arq-ike-peer-rq-rj]ipsec policy RQ-RJ-IPsecVPN 1 isakmp
[arq-ipsec-policy-isakmp-RQ-RJ-IPsecVPN-1]ike-peer rq-rj
[arq-ipsec-policy-isakmp-RQ-RJ-IPsecVPN-1]proposal rq-rj
[arq-ipsec-policy-isakmp-RQ-RJ-IPsecVPN-1]security acl 3001
[arq-ipsec-policy-isakmp-RQ-RJ-IPsecVPN-1]int g0/0/2
[arq-GigabitEthernet0/0/2]ipsec policy RQ-RJ-IPsecVPN
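How the wildcard-mask ACLs above select the IPsec "interesting traffic", as an added example (not the lab's own code) covering ACL 3000 on art/arq/arj and ACL 3001 on arq: a wildcard of 0.15.255.255 on 172.16.0.0 is the whole 172.16.0.0/12 block, so ACL 3000 on arq also matches flows bound for 172.21.0.0/16, the range ACL 3001 selects for the Jinan tunnel; the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass


def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_to_prefixlen(wildcard: str) -> int:
    """0.15.255.255 -> 12: invert the wildcard and require a contiguous mask."""
    mask = ~to_int(wildcard) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard cannot be written as a prefix")
    return prefixlen


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0"             # 'rule deny ip' with no source/destination matches any
    src_wc: str = "255.255.255.255"  # wildcard bits set to 1 are ignored when matching
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        care_s = ~to_int(self.src_wc) & 0xFFFFFFFF
        care_d = ~to_int(self.dst_wc) & 0xFFFFFFFF
        return ((to_int(src_ip) & care_s) == (to_int(self.src) & care_s)
                and (to_int(dst_ip) & care_d) == (to_int(self.dst) & care_d))


def evaluate(acl, src_ip: str, dst_ip: str) -> str:
    """First matching rule wins. A flow that no rule permits is not selected
    for the tunnel: with an ACL-based policy it is forwarded without IPsec."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "deny"


# ACL 3000 (art, arq, arj) and ACL 3001 (arq), as configured on the page.
ACL_3000 = [Rule("permit", "172.16.0.0", "0.15.255.255", "172.16.0.0", "0.15.255.255"),
            Rule("deny")]
ACL_3001 = [Rule("permit", "172.16.0.0", "0.15.255.255", "172.21.0.0", "0.0.255.255"),
            Rule("deny")]


def selected_by_both(acl_a, acl_b, flows):
    """Flows that two policies on the same router would both claim."""
    return [f for f in flows if evaluate(acl_a, *f) == "permit" == evaluate(acl_b, *f)]


# Constructed sample flows: Qingdao core -> Tai'an, -> Jinan, -> a public address.
SAMPLE_FLOWS = [("172.16.0.10", "172.30.128.5"),
                ("172.16.0.10", "172.21.10.5"),
                ("172.16.0.10", "192.168.111.7")]

if __name__ == "__main__":
    print("0.15.255.255 is a /%d" % wildcard_to_prefixlen("0.15.255.255"))
    for src, dst in SAMPLE_FLOWS:
        print(src, "->", dst, "ACL3000:", evaluate(ACL_3000, src, dst),
              "ACL3001:", evaluate(ACL_3001, src, dst))
    print("claimed by both policies:", selected_by_both(ACL_3000, ACL_3001, SAMPLE_FLOWS))
```

The proposals above select 3DES, MD5 and DH group 2, all of which are deprecated for IKE/IPsec; a current deployment should use AES (preferably AES-GCM), SHA-2 and DH group 14 or stronger.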
Check the status:
The router can ping the 172 subnet
ARQ:
ART:
IPsec test: the Tai'an cloud center successfully pings the Qingdao 172.16.0.0/16 segment through IPsec. PING succeeds.
Public-network packet capture:
IPsec test 2: the Tai'an campus cloud center successfully pings the Qingdao 172.17.0.0/16 segment through IPsec.
Packet capture.
Full topology: configuration files
AR5
[Huawei]dis current-configuration
[V200R003C00]
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.30.30.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
rip 1
version 2
network 10.0.0.0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[Huawei]
[Huawei]
AR2
[Huawei]dis current-configuration
[V200R003C00]
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.2.2.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.20.20.1 255.255.255.0
#
interface NULL0
#
rip 1
version 2
network 10.0.0.0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[Huawei]
AR3
[Huawei]dis current-configuration
[V200R003C00]
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.2.2.3 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
rip 1
version 2
network 10.0.0.0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
[Huawei]
ARJ
<arj>dis current-configuration
[V200R003C00]
#
sysname arj
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255.255
rule 100 deny ip
#
ipsec proposal test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
dh group2
authentication-algorithm md5
#
ike peer test v2
pre-shared-key cipher %$%$u#%,6(dQAZ/e99XOocC@,.2n%$%$
remote-address 10.10.10.2
#
ipsec policy RJ-RQ-IPSecVPN 1 isakmp
security acl 3000
ike-peer test
proposal test
ipsec policy RT-RQ-IPSecVPN 1 isakmp
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.50.50.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.30.30.2 255.255.255.0
ipsec policy RJ-RQ-IPSecVPN
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.30.30.1
ip route-static 172.21.0.0 255.255.0.0 10.50.50.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<arj>
ART
<art>save
The current configuration will be written to the device.
Are you sure to continue? (y/n)[n]:y
It will take several minutes to save configuration file, please wait........
Configuration file had been saved successfully
Note: The configuration file will take effect after being activated
<art>
<art>
Please check whether system data has been changed, and save data in time
Configuration console time out, please press any key to log on
<art>dis cu
<art>dis current-configuration
[V200R003C00]
#
sysname art
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255.255
rule 100 deny ip
#
ipsec proposal test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
dh group2
authentication-algorithm md5
#
ike peer test v2
pre-shared-key cipher %$%$u#%,6(dQAZ/e99XOocC@,.2n%$%$
remote-address 10.10.10.2
#
ipsec policy RT-RQ-IPSecVPN 1 isakmp
security acl 3000
ike-peer test
proposal test
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.200.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.20.20.2 255.255.255.0
ipsec policy RT-RQ-IPSecVPN
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.20.20.1
ip route-static 172.30.0.0 255.255.0.0 10.200.200.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<art>
ARQ
<arq>dis current-configuration
[V200R003C00]
#
sysname arq
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255.255
rule 100 deny ip
acl number 3001
rule 5 permit ip source 172.16.0.0 0.15.255.255 destination 172.21.0.0 0.0.255.255
rule 10 deny ip
#
ipsec proposal test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec proposal rq-rj
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
dh group2
authentication-algorithm md5
#
ike proposal 2
dh group2
authentication-algorithm md5
#
ike peer rq-rj v2
remote-address 10.30.30.2
ike peer test v2
pre-shared-key cipher %$%$u#%,6(dQAZ/e99XOocC@,.2n%$%$
remote-address 10.20.20.2
#
ipsec policy RQ-RJ-IPsecVPN 1 isakmp
security acl 3001
ike-peer rq-rj
<arq>
<arq>
<arq>dis cu
<arq>dis current-configuration
[V200R003C00]
#
sysname arq
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
acl number 3000
rule 5 permit ip source 172.16.0.0 0.15.255.255 destination 172.16.0.0 0.15.255.255
rule 100 deny ip
acl number 3001
rule 5 permit ip source 172.16.0.0 0.15.255.255 destination 172.21.0.0 0.0.255.255
rule 10 deny ip
#
ipsec proposal test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec proposal rq-rj
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#
ike proposal 1
dh group2
authentication-algorithm md5
#
ike proposal 2
dh group2
authentication-algorithm md5
#
ike peer rq-rj v2
remote-address 10.30.30.2
ike peer test v2
pre-shared-key cipher %$%$u#%,6(dQAZ/e99XOocC@,.2n%$%$
remote-address 10.20.20.2
#
ipsec policy RQ-RJ-IPsecVPN 1 isakmp
security acl 3001
ike-peer rq-rj
proposal rq-rj
ipsec policy RT-RQ-IPSecVPN 1 isakmp
security acl 3000
ike-peer test
proposal test
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface GigabitEthernet0/0/0
ip address 10.10.10.2 255.255.255.0
ipsec policy RT-RQ-IPSecVPN
#
interface GigabitEthernet0/0/1
ip address 10.100.100.1 255.255.255.0
ipsec policy RQ-RJ-IPsecVPN
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.10.10.1
ip route-static 172.16.0.0 255.255.0.0 10.100.100.2
ip route-static 172.17.0.0 255.255.0.0 10.100.100.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
<arq>
LSW3
<Huawei>dis current-configuration
#
sysname Huawei
#
undo info-center enable
#
vlan batch 128 130 132 160 300 302 2110 to 2111
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif302
ip address 10.50.50.2 255.255.255.0
#
interface Vlanif2110
ip address 172.21.10.1 255.255.255.0
#
interface Vlanif2111
ip address 172.21.11.1 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 302
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2110
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 2111
#
...
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.50.50.1
#
user-interface con 0
user-interface vty 0 4
#
return
<Huawei>
LSW1
<Huawei>dis current-configuration
#
sysname Huawei
#
undo info-center enable
#
vlan batch 128 130 132 160 300 2110
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif128
ip address 172.30.128.1 255.255.255.0
#
interface Vlanif130
ip address 172.30.130.1 255.255.255.0
#
interface Vlanif132
ip address 172.30.132.1 255.255.255.0
#
interface Vlanif300
ip address 10.200.200.2 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 300
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
...
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.200.200.1
#
user-interface con 0
user-interface vty 0 4
#
return
<Huawei>
<Huawei>
LSW4
<Huawei>save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Info: Please input the file name ( *.cfg, *.zip ) [vrpcfg.zip]:
Now saving the current configuration to the slot 0.
Save the configuration successfully.
<Huawei>
<Huawei>dis cur
<Huawei>dis current-configuration
#
sysname Huawei
#
undo info-center enable
#
vlan batch 128 130 132 160 300 2110
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/3
port link-type access
port default vlan 132
#
interface Ethernet0/0/4
port link-type access
port default vlan 128
#
interface Ethernet0/0/5
port link-type access
port default vlan 128
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
...
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
<Huawei>
<Huawei>
LSW5
<Huawei> DIS CUR
#
sysname Huawei
#
undo info-center enable
#
vlan batch 128 130 132 160 300 2110
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface Ethernet0/0/2
port link-type access
port default vlan 130
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
...
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
<Huawei>
LSW2
<Huawei>dis current-configuration
#
sysname Huawei
#
undo info-center enable
#
vlan batch 128 130 132 160 170 300 to 301 2110 to 2111
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif160
ip address 172.16.0.1 255.255.255.0
#
interface Vlanif170
ip address 172.17.0.1 255.255.255.0
#
interface Vlanif301
ip address 10.100.100.2 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 301
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 160
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 170
#
interface GigabitEthernet0/0/4
#
...
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.100.100.1
#
user-interface con 0
user-interface vty 0 4
#
return
<Huawei>
<Huawei>
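The router and switch dumps above share the same IKE/IPsec proposals (MD5, DH group 2, 3DES), a `local-user admin password simple admin` entry, an `ike peer rq-rj` without a pre-shared key, and VTY lines with no authentication mode. The Python audit below is an added example, not part of the lab report or the eNSP devices: it parses a constructed excerpt of the ARQ and LSW2 configurations in the `display current-configuration` format shown above and lists those settings; the weak-algorithm set and the finding texts are the example's own choices.

```python
# Constructed excerpt of the ARQ and LSW2 dumps above, with VRP's one-space indent restored.
SAMPLE_CFG = """\
ipsec proposal test
 esp encryption-algorithm 3des
ike proposal 1
 dh group2
 authentication-algorithm md5
#
ike peer rq-rj v2
 remote-address 10.30.30.2
ike peer test v2
 pre-shared-key cipher %$%$u#%,6(dQAZ/e99XOocC@,.2n%$%$
#
aaa
 local-user admin password simple admin
user-interface vty 0 4
#
"""
WEAK = {"ike proposal": {"authentication-algorithm md5", "dh group1", "dh group2"},
        "ipsec proposal": {"esp encryption-algorithm 3des", "esp encryption-algorithm des",
                           "esp authentication-algorithm md5"}}

def parse_stanzas(text):
    """(header, [sub-commands]) per stanza: '#' closes a block, any unindented line opens one."""
    stanzas, header, body = [], None, []
    for line in text.splitlines():
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header:
            stanzas.append((header, body))
        header, body = (None if line.strip() in ("#", "") else line.strip()), []
    if header:
        stanzas.append((header, body))
    return stanzas

def audit(text):
    """One finding per weak or missing setting, prefixed with the stanza it came from."""
    findings = []
    for header, body in parse_stanzas(text):
        kind = header.rsplit(" ", 1)[0]  # "ike proposal 1" -> "ike proposal"
        findings += [f"{header}: weak {b}" for b in body if b in WEAK.get(kind, ())]
        has = lambda *prefixes: any(b.startswith(prefixes) for b in body)
        if header.startswith("ike peer") and not has("pre-shared-key", "certificate"):
            findings.append(f"{header}: no pre-shared-key or certificate configured")
        if header.startswith("user-interface vty") and not has("authentication-mode"):
            findings.append(f"{header}: no authentication-mode configured")
        findings += [f"{header}: {b.split(' password')[0]} uses a plaintext (simple) password"
                     for b in body if b.startswith("local-user") and " password simple " in b]
    return findings
```

Running `audit(SAMPLE_CFG)` yields six findings; the `ike peer test` stanza, which does carry a pre-shared key, produces none.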