Huawei AR1220 Router Configuration Parameters: A Real-World Example Explained (Part 1)
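1. Configuration parameters
[GZ]dis cu
[V200R001C00SPC200] // router software version; can be downloaded from the official website
#
sysname GZ // router name: GZ
ftp server enable // enable the FTP service so the configuration file can be copied out as a backup
#
voice
#
http server port 1025 // http
undo http server enable
#
drop illegal-mac alarm
#
l2tp aging 0
#
vlan batch 10 20 30 40 50 // VLAN IDs configured on this router
#
igmp global limit 256
#
multicast routing-enable // enable multicast
dhcp enable // enable the DHCP service globally, then enable DHCP separately on each VLAN
#
ip vpn-instance 1
 ipv4-family
#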
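acl number 2000
 rule 10 permit
#
acl number 2001 // Ethernet access rule list.
 rule 6 permit source 172.23.68.0 0.0.0.255 // allow this subnet to access the external network
 rule 7 permit source 172.23.69.0 0.0.0.255 // allow this subnet to access the external network
 rule 8 permit source 172.23.65.0 0.0.0.3 // allow the first three IPs of this subnet to access the external network
 rule 9 deny // do not allow other subnets to access the external network
#
acl number 3000 // this rule is not applied
 rule 40 permit ip source 172.23.65.0 0.0.0.255 destination 172.23.69.0 0.0.0.255
#
acl number 3001 // defines that hosts in the two subnets cannot access each other; students cannot access the 65 subnet.
 rule 5 deny ip source 172.23.65.0 0.0.0.255 destination 172.23.68.0 0.0.0.255
 rule 10 deny ip source 172.23.68.0 0.0.0.255 destination 172.23.65.0 0.0.0.255
#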
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
 local-user admin service-type telnet web http
 local-user dfwd password cipher rVE5U!@7QCO:\'2HX\']\l!!
 local-user dfwd privilege level 15
 local-user dfwd service-type telnet terminal web http
 local-user huawei password cipher RY,UP\'HCM\^+Q=AQ'MAF4<1!! // new user; dfwd password
 local-user huawei ftp-directory flash: // FTP path that this username's default configuration points to
 local-user huawei service-type ftp // this user accesses the router via FTP
#
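firewall zone trust // define the trust zone
 priority 15 // define the policy under the trust zone
#
firewall zone untrust // define the untrust zone
 priority 1 // define the policy under the untrust zone
#
firewall interzone trust untrust // configure the security interzone
 firewall enable // enable the firewall for this interzone
 packet-filter 3001 inbound // apply rule 3001 on ingress
 packet-filter 3001 outbound // apply rule 3001 on egress
 packet-filter default deny outbound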
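interface Vlanif10
 ip address 172.23.65.100 255.255.255.0 // define the VLAN's gateway address and subnet mask
 pim dm // feature that must be enabled for multicast
 igmp enable // feature that must be enabled for multicast
 zone trust // define this VLAN as a trust zone
#
interface Vlanif20
 ip address 172.23.1.1 255.255.255.240 // define the VLAN's gateway address and subnet mask
 pim dm // feature that must be enabled for multicast
 igmp enable // feature that must be enabled for multicast
 zone trust // define this VLAN as a trust zone
#
interface Vlanif30
 ip address 10.10.10.1 255.255.255.252 // define the VLAN's gateway address and subnet mask
 pim dm // feature that must be enabled for multicast
 igmp enable // feature that must be enabled for multicast
 zone trust // define this VLAN as a trust zone
#
interface Vlanif40
 ip address 172.23.68.100 255.255.255.0 // define the VLAN's gateway address and subnet mask
 pim dm // feature that must be enabled for multicast
 igmp enable // feature that must be enabled for multicast
 dhcp select interface // automatically assign IPs from the address range of this VLAN's gateway
 dhcp server excluded-ip-address 172.23.68.201 172.23.69.254 // IPs in this range are not assigned automatically
 dhcp server dns-list 61.139.2.69 // DNS address for this VLAN's IP address range
 zone untrust // define this VLAN as an untrust zone
#
interface Vlanif50
 ip address 172.23.69.100 255.255.255.0 // define the VLAN's gateway address and subnet mask
 pim dm // feature that must be enabled for multicast
 igmp enable // feature that must be enabled for multicast
 dhcp select interface // enable DHCP on this VLAN and select the interface as the defined gateway address
 dhcp server excluded-ip-address 172.23.69.201 172.23.69.252 // define the IP address range obtained manually
 dhcp server dns-list 61.139.2.69 // DNS for this VLAN's IP range
#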
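interface Ethernet0/0/0 // physical port 0
 port link-type access // define the port type
 port default vlan 10 // define the VLAN the port belongs to
#
interface Ethernet0/0/1 // physical port 1
 port link-type access // define the port type
 port default vlan 30 // define the VLAN the port belongs to
#
interface Ethernet0/0/2 // physical port 2
 port link-type access // define the port type
 port default vlan 20 // define the VLAN the port belongs to
 qos gts cir 6000 cbs 600000 // define the data buffering bandwidth range for this port
#
interface Ethernet0/0/3 // physical port 3
 port link-type access
 port default vlan 30
#
interface Ethernet0/0/4 // physical port 4
 port link-type access // define the port type
 port default vlan 40 // define the VLAN the port belongs to
#
interface Ethernet0/0/5 // physical port 5
 port link-type access // define the port type
 port default vlan 50 // define the VLAN the port belongs to
#
interface Ethernet0/0/6 // physical port 6
 port link-type access // define the port type
#
interface Ethernet0/0/7 // physical port 6
 port link-type access // define the port type
 port default vlan 10 // define the VLAN the port belongs to
#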
interface GigabitEthernet0/0/0 // Layer 3 port, not in any VLAN; provides port mapping.
 ip address 125.69.71.128 255.255.255.0 // define this port's gateway address and subnet mask
 nat server protocol tcp global current-interface 10001 inside 172.23.68.222 10001 // allow internal IP ports to be mapped to the external network
 nat server protocol tcp global current-interface 10002 inside 172.23.68.222 10002
 nat server protocol tcp global current-interface 10003 inside 172.23.68.222 10003
 nat server protocol tcp global current-interface 10004 inside 172.23.68.222 10004
 nat server protocol tcp global current-interface 10005 inside 172.23.68.222 10005
 nat server protocol tcp global current-interface 10006 inside 172.23.68.222 10006
 nat server protocol tcp global current-interface 10007 inside 172.23.68.222 10007
 nat server protocol tcp global current-interface 10008 inside 172.23.68.222 10008
 nat server protocol tcp global current-interface 10009 inside 172.23.68.222 10009
 nat server protocol tcp global current-interface 10010 inside 172.23.68.222 10010
 nat server protocol udp global current-interface 11001 inside 172.23.68.222 11001
 nat server protocol udp global current-interface 11002 inside 172.23.68.222 11002
 nat server protocol udp global current-interface 11003 inside 172.23.68.222 11003
 nat server protocol udp global current-interface 11004 inside 172.23.68.222 11004
 nat server protocol udp global current-interface 11005 inside 172.23.68.222 11005
 nat server protocol udp global current-interface 11006 inside 172.23.68.222 11006
 nat server protocol udp global current-interface 11007 inside 172.23.68.222 11007
 nat server protocol udp global current-interface 11008 inside 172.23.68.222 11008
 nat server protocol udp global current-interface 11009 inside 172.23.68.222 11009
 nat server protocol udp global current-interface 11010 inside 172.23.68.222 11010
 nat outbound 2001 // apply access rule number 2001 on this port
#
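interface GigabitEthernet0/0/1 // Layer 3 port, not in any VLAN; provides port mapping.
 ip address 10.10.10.6 255.255.255.252 // define this port's gateway address and subnet mask
 pim dm // feature that must be enabled for multicast
 igmp enable // feature that must be enabled for multicast
 undo negotiation auto // disable auto-negotiation on the port
 zone trust // define this port as a trust zone
#
interface Cellular0/0/0
 link-protocol ppp
#
interface Cellular0/0/1
 link-protocol ppp
#
interface NULL0
#
igmp
#
pim
 c-bsr GigabitEthernet0/0/0
 c-rp GigabitEthernet0/0/0 group-policy 2000
 c-rp GigabitEthernet0/0/1 group-policy 2000
#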
ip route-static 0.0.0.0 0.0.0.0 125.71.213.1 // added static route list, for access to the external network
ip route-static 10.1.187.0 255.255.255.0 10.10.10.2
ip route-static 10.102.0.0 255.255.0.0 172.23.1.2
ip route-static 172.23.66.0 255.255.255.0 10.10.10.2
ip route-static 172.23.67.0 255.255.255.0 10.10.10.5
ip route-static 192.168.14.0 255.255.255.0 172.23.1.2
ip route-static 192.168.18.0 255.255.255.0 172.23.1.2
ip route-static 192.168.20.0 255.255.255.0 172.23.1.2
#
super password level 3 cipher EO2\:%&(X$CLYaDZ]EJl!!
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
user-interface vty 16 20
#
port-group 1
 group-member Ethernet0/0/0
 group-member Ethernet0/0/1
 group-member Ethernet0/0/2
 group-member Ethernet0/0/3
 group-member Ethernet0/0/4
 group-member Ethernet0/0/5
 group-member Ethernet0/0/6
 group-member Ethernet0/0/7
#
port-group eth0/0/2
return
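
An added example, not part of the original document: a small Python model of how ACL 2001 (referenced by nat outbound) and ACL 3001 (referenced by packet-filter) in the listing above match traffic. It assumes the default Huawei "config" match order (ascending rule ID, first match wins) and reads the damaged octet "6&" as "68."; the function names are hypothetical.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask compare: bits set to 0 must match, bits set to 1 are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# Rules transcribed from the listing as (rule id, action, source, destination).
# None means "any". The damaged octet "6&" is read as "68." (assumption).
ACL_2001 = [
    (6, "permit", ("172.23.68.0", "0.0.0.255"), None),
    (7, "permit", ("172.23.69.0", "0.0.0.255"), None),
    (8, "permit", ("172.23.65.0", "0.0.0.3"), None),
    (9, "deny", None, None),
]
ACL_3001 = [
    (5, "deny", ("172.23.65.0", "0.0.0.255"), ("172.23.68.0", "0.0.0.255")),
    (10, "deny", ("172.23.68.0", "0.0.0.255"), ("172.23.65.0", "0.0.0.255")),
]

def evaluate(acl, src, dst="0.0.0.0"):
    """Return (rule id, action) of the first rule that matches, lowest id first.

    (None, "no-match") means no rule matched; what happens then depends on
    where the ACL is applied (packet-filter default action, NAT, and so on).
    """
    for rule_id, action, source, dest in sorted(acl, key=lambda r: r[0]):
        if source and not wildcard_match(src, *source):
            continue
        if dest and not wildcard_match(dst, *dest):
            continue
        return rule_id, action
    return None, "no-match"

def matched_in(network, base, wildcard):
    """List every address inside `network` that a (base, wildcard) pair matches."""
    return [str(ip) for ip in ipaddress.ip_network(network)
            if wildcard_match(str(ip), base, wildcard)]

if __name__ == "__main__":
    print(matched_in("172.23.65.0/24", "172.23.65.0", "0.0.0.3"))
    for src in ("172.23.65.3", "172.23.65.4", "172.23.68.50", "10.10.10.2"):
        print("ACL 2001", src, evaluate(ACL_2001, src))
    print("ACL 3001", evaluate(ACL_3001, "172.23.65.10", "172.23.68.20"))
    print("ACL 3001", evaluate(ACL_3001, "172.23.65.10", "172.23.69.20"))
```

Wildcard 0.0.0.3 in rule 8 covers four addresses (.0 to .3), so the three usable hosts are .1 to .3. Traffic from 172.23.65.x to 172.23.69.x matches neither rule in ACL 3001.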