pim dm //组播协议需开启的功能
igmp enable//组播协议需开启的功能
zone trust//定义VLAN是信任区域
#
interface Vlanif30
ip address 10.10.10.1 255.255.255.252 //定义vlan的网关地址和子网掩码
pim dm //组播协议需开启的功能
dhcp server excluded-ip-address 172.23.69.201 172.23.69.252 //定义手动获取的IP地址段
dhcp server dns-list 61.139.2.69 //定义该VLAN段IP的DNS
#
interface Ethernet0/0/0 //物理端端口0
nat server protocol tcp global current-interface 10003 inside 172.23.68.222 10003
nat server protocol tcp global current-interface 10004 inside 172.23.68.222 10004
nat server protocol udp global current-interface 11005 inside 172.23.68.222 11005
nat server protocol udp global current-interface 11006 inside 172.23.68.222 11006
#
aaa //默认视图窗口定义本地登录帐号和密码
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
zone untrust //定义该VLAN为不信任区域
#
interface Vlanif50
ip address 172.23.69.100 255.255.255.0 //定义vlan的网关地址和子网掩码
pim dm //组播协议需开启的功能
igmp enable //组播协议需开启的功能
dhcp select interface //开启本VLAN的DHCP功能并选择端口为定义的网关地址
#
interface Ethernet0/0/2 //物理端端口2
port link-type access //定义该端口类型
port default vlan 20 //定义端口所在VLAN
qos gts cir 6000 cbs 600000 //定义该端口数据缓存带宽范围
#
interface Ethernet0/0/3 //物理端端口3
local-user huawei password cipher RY,UPVHCMV+Q=^Q`MAF4<1!! //新建用户dfwd密码
local-user huawei ftp-directory flash: //该用户名默认配置指向的ftp路径
local-user huawei service-type ftp //该用户采用FTP访问
port link-type access //定义该端口类型
port default vlan 10 //定义端口所在VLAN
#
interface GigabitEthernet0/0/0 //三层口不在任何一个VLAN中，有映射功能。
ip address 125.69.71.128 255.255.255.0 //定义该端口的网关地址和子网掩码
nat server protocol tcp global current-interface 10001 inside 172.23.68.222 10001 //允许内网IP端口映射到外网
nat server protocol tcp global current-interface 10002 inside 172.23.68.222 10002
dhcp select interface //自动分配该VLAN网关所在的地址段IP
dhcp server excluded-ip-address 172.23.68.201 172.23.69.254 //定义该段IP不自动分配
dhcp server dns-list 61.139.2.69 //定义该VLAN所在IP地址段的DNS地址
华为
1.
[GZ]dis cu
[V200R001C00SPC200]//路由器软件版本，可从官方网站下载
#
sysname GZ //路由器名字GZ
ftp server enable //ftp服务开通以便拷贝出配置文件备份
#
voice
#
http server port 1025 //http
undo http server enable
nat server protocol tcp global current-interface 10005 inside 172.23.68.222 10005
nat server protocol tcp global current-interface 10006 inside 172.23.68.222 10006
#
firewall zone trust //定义信任区域
priority 15 //定义信任区域下的策略
#
firewall zone untrust //定义不信任区域
priority 1 //定义不信任区域下的策略
#
firewall interzone trust untrust //配置安全域间
#
ip vpn-instance 1
ipv4-family
#
acl number 2000
rule 10 permit
#
acl number 2001 //以太网访问规则列表。
rule 6 permit source 172.23.68.0 0.0.0.255 //允许此网段访问外网
rule 7 permit source 172.23.69.0 0.0.0.255 //允许此网段访问外网
firewall enable//该安全域间启用防火墙
packet-filter 3001 inbound //入口执行3001规则
packet-filter 3001 outbound //出口执行3001规则
packet-filter default deny outbound
#
interface Vlanif10
port link-type access
port default vlan 30
#
interface Ethernet0/0/4 //物理端端口4
port link-type access //定义该端口类型
port default vlan 40 //定义端口所在VLAN
#
interface Ethernet0/0/5 //物理端端口5
port link-type access //定义该端口类型
port default vlan 50 //定义端口所在VLAN
#
interface Ethernet0/0/6 //物理端端口6
port link-type access //定义该端口类型
#
interface Ethernet0/0/7 //物理端端口6
nat server protocol udp global current-interface 11001 inside 172.23.68.222 11001
nat server protocol udp global current-interface 11002 inside 172.23.68.222 11002
igmp enable //组播协议需开启的功能
zone trust //ace Vlanif40
ip address 172.23.68.100 255.255.255.0 //定义vlan的网关地址和子网掩码
pim dm //组播协议需开启的功能
igmp enable //组播协议需开启的功能
5
#
acl number 3001//定义两个网段主机互不访问，学生不能访问65网段。
rule 5 deny ip source 172.23.65.0 0.0.0.255 destination 172.23.68.0 0.0.0.255
rule 10 deny ip source 172.23.68.0 0.0.0.255 destination 172.23.65.0 0.0.0.255
port link-type access //定义该端口类型
port default vlan 10 //定义端口所在VLAN
#
interface Ethernet0/0/1 //物理端端口1
port link-type access //定义该端口类型
port default vlan 30 //定义端口所在VLAN
nat server protocol udp global current-interface 11003 inside 172.23.68.222 11003
nat server protocol udp global current-interface 11004 inside 172.23.68.222 11004