
Huawei AR1220 Router Configuration Parameters Explained Through a Practical Example (Part 1)

1. Configuration parameters

[GZ]dis cu
[V200R001C00SPC200] // router software version; can be downloaded from the official website
#
 sysname GZ // router name: GZ
 ftp server enable // FTP service enabled so the configuration file can be copied out as a backup
#
voice
#
 http server port 1025 // http
 undo http server enable
#
 drop illegal-mac alarm
#
 l2tp aging 0
#
 vlan batch 10 20 30 40 50 // VLAN IDs configured on this router
#
 igmp global limit 256
#
 multicast routing-enable // enable multicast
#
 dhcp enable // enable the DHCP service globally, then enable DHCP separately on each VLAN
#
ip vpn-instance 1
 ipv4-family
#
acl number 2000
 rule 10 permit
#
acl number 2001 // Ethernet access rule list
 rule 6 permit source 172.23.68.0 0.0.0.255 // allow this segment to access the external network
 rule 7 permit source 172.23.69.0 0.0.0.255 // allow this segment to access the external network
 rule 8 permit source 172.23.65.0 0.0.0.3 // allow the first three IPs of this segment to access the external network
 rule 9 deny // do not allow other segments to access the external network
#
acl number 3000 // this rule is not applied
 rule 40 permit ip source 172.23.65.0 0.0.0.255 destination 172.23.69.0 0.0.0.255
#
acl number 3001 // hosts on the two segments cannot access each other; students cannot access the 65 segment
 rule 5 deny ip source 172.23.65.0 0.0.0.255 destination 172.23.68.0 0.0.0.255
 rule 10 deny ip source 172.23.68.0 0.0.0.255 destination 172.23.65.0 0.0.0.255
#
aaa // AAA view: defines the local login accounts and passwords
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
 local-user admin service-type telnet web http
 local-user dfwd password cipher 'VE5U!@7QCO;V2HX\']\,1!!
 local-user dfwd privilege level 15
 local-user dfwd service-type telnet terminal web http
 local-user huawei password cipher RY,UPVHCMV+Q=^Q`MAF4<1!! // create user huawei and set its password
 local-user huawei ftp-directory flash: // FTP path this user points to by default
 local-user huawei service-type ftp // this user accesses the router over FTP
#
firewall zone trust // define the trust zone
 priority 15 // priority setting for the trust zone
#
firewall zone untrust // define the untrust zone
 priority 1 // priority setting for the untrust zone
#
firewall interzone trust untrust // configure the security interzone
 firewall enable // enable the firewall for this interzone
 packet-filter 3001 inbound // apply rule 3001 inbound
 packet-filter 3001 outbound // apply rule 3001 outbound
 packet-filter default deny outbound
#
interface Vlanif10
 ip address 172.23.65.100 255.255.255.0 // gateway address and subnet mask of the VLAN
 pim dm // required for the multicast protocol
 igmp enable // required for the multicast protocol
 zone trust // this VLAN belongs to the trust zone
#
interface Vlanif20
 ip address 172.23.1.1 255.255.255.240 // gateway address and subnet mask of the VLAN
 pim dm // required for the multicast protocol
 igmp enable // required for the multicast protocol
 zone trust // this VLAN belongs to the trust zone
#
interface Vlanif30
 ip address 10.10.10.1 255.255.255.252 // gateway address and subnet mask of the VLAN
 pim dm // required for the multicast protocol
 igmp enable // required for the multicast protocol
 zone trust // this VLAN belongs to the trust zone
#
interface Vlanif40
 ip address 172.23.68.100 255.255.255.0 // gateway address and subnet mask of the VLAN
 pim dm // required for the multicast protocol
 igmp enable // required for the multicast protocol
 dhcp select interface // automatically assign IPs from the address range of this VLAN's gateway
 dhcp server excluded-ip-address 172.23.68.201 172.23.69.254 // this IP range is not assigned automatically
 dhcp server dns-list 61.139.2.69 // DNS address for this VLAN's IP range
 zone untrust // this VLAN belongs to the untrust zone
#
interface Vlanif50
 ip address 172.23.69.100 255.255.255.0 // gateway address and subnet mask of the VLAN
 pim dm // required for the multicast protocol
 igmp enable // required for the multicast protocol
 dhcp select interface // enable DHCP for this VLAN, using the configured gateway address as the interface
 dhcp server excluded-ip-address 172.23.69.201 172.23.69.252 // IP range reserved for manual assignment
 dhcp server dns-list 61.139.2.69 // DNS for this VLAN's IP range
#
interface Ethernet0/0/0 // physical port 0
 port link-type access // port type
 port default vlan 10 // VLAN this port belongs to
#
interface Ethernet0/0/1 // physical port 1
 port link-type access // port type
 port default vlan 30 // VLAN this port belongs to
#
interface Ethernet0/0/2 // physical port 2
 port link-type access // port type
 port default vlan 20 // VLAN this port belongs to
 qos gts cir 6000 cbs 600000 // traffic shaping: bandwidth and buffer limits for this port
#
interface Ethernet0/0/3 // physical port 3
 port link-type access
 port default vlan 30
#
interface Ethernet0/0/4 // physical port 4
 port link-type access // port type
 port default vlan 40 // VLAN this port belongs to
#
interface Ethernet0/0/5 // physical port 5
 port link-type access // port type
 port default vlan 50 // VLAN this port belongs to
#
interface Ethernet0/0/6 // physical port 6
 port link-type access // port type
#
interface Ethernet0/0/7 // physical port 7
 port link-type access // port type
 port default vlan 10 // VLAN this port belongs to
#
interface GigabitEthernet0/0/0 // Layer 3 port, not in any VLAN; provides the mapping function
 ip address 125.69.71.128 255.255.255.0 // gateway address and subnet mask of this port
 nat server protocol tcp global current-interface 10001 inside 172.23.68.222 10001 // map a port on the internal IP to the external network
 nat server protocol tcp global current-interface 10002 inside 172.23.68.222 10002
 nat server protocol tcp global current-interface 10003 inside 172.23.68.222 10003
 nat server protocol tcp global current-interface 10004 inside 172.23.68.222 10004
 nat server protocol tcp global current-interface 10005 inside 172.23.68.222 10005
 nat server protocol tcp global current-interface 10006 inside 172.23.68.222 10006
 nat server protocol tcp global current-interface 10007 inside 172.23.68.222 10007
 nat server protocol tcp global current-interface 10008 inside 172.23.68.222 10008
 nat server protocol tcp global current-interface 10009 inside 172.23.68.222 10009
 nat server protocol tcp global current-interface 10010 inside 172.23.68.222 10010
 nat server protocol udp global current-interface 11001 inside 172.23.68.222 11001
 nat server protocol udp global current-interface 11002 inside 172.23.68.222 11002
 nat server protocol udp global current-interface 11003 inside 172.23.68.222 11003
 nat server protocol udp global current-interface 11004 inside 172.23.68.222 11004
 nat server protocol udp global current-interface 11005 inside 172.23.68.222 11005
 nat server protocol udp global current-interface 11006 inside 172.23.68.222 11006
 nat server protocol udp global current-interface 11007 inside 172.23.68.222 11007
 nat server protocol udp global current-interface 11008 inside 172.23.68.222 11008
 nat server protocol udp global current-interface 11009 inside 172.23.68.222 11009
 nat server protocol udp global current-interface 11010 inside 172.23.68.222 11010
 nat outbound 2001 // apply access rule number 2001 on this port
#
interface GigabitEthernet0/0/1 // Layer 3 port, not in any VLAN; provides the mapping function
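To check which internal sources ACL 2001 (bound by nat outbound 2001) actually lets out, the following added example, which is not part of the original document, evaluates the four rules against sample source addresses. It assumes rules are tried in ascending rule-ID order and the first match wins; the function names are hypothetical.

```python
import ipaddress
import re

# ACL 2001 rules as they appear in the configuration above.
ACL_2001 = """
rule 6 permit source 172.23.68.0 0.0.0.255
rule 7 permit source 172.23.69.0 0.0.0.255
rule 8 permit source 172.23.65.0 0.0.0.3
rule 9 deny
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)(?:\s+source\s+(\S+)\s+(\S+))?$")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(text):
    """Return [(rule_id, action, base, wildcard)] sorted by rule ID."""
    rules = []
    for line in text.splitlines():
        line = line.split("//")[0].strip()  # drop the page's // comments
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        rid, action, base, wild = m.groups()
        # A rule with no "source" clause matches every address.
        rules.append((int(rid), action,
                      to_int(base) if base else 0,
                      to_int(wild) if wild else 0xFFFFFFFF))
    return sorted(rules)

def evaluate(rules, src):
    """First matching rule wins (assumed order); returns (action, rule_id)."""
    ip = to_int(src)
    for rid, action, base, wild in rules:
        # Wildcard bits set to 1 are ignored; the remaining bits must match.
        if ((ip ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action, rid
    return "no-match", None

def covered(base, wildcard):
    """Addresses matched by a wildcard whose 1-bits are the low-order bits."""
    start = to_int(base) & ~to_int(wildcard) & 0xFFFFFFFF
    return [str(ipaddress.IPv4Address(start + i))
            for i in range(to_int(wildcard) + 1)]
```

Rule 8's wildcard 0.0.0.3 covers 172.23.65.0 through 172.23.65.3, so in VLAN 10 only hosts .1 to .3 are permitted by ACL 2001; every other 172.23.65.x source falls through to rule 9.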
