The following are some example Huawei configuration commands:
- Configure the hostname:
[HUAWEI] sysname ExampleRouter
- Configure an IP address and subnet mask:
[HUAWEI] interface GigabitEthernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip address 192.168.1.1 255.255.255.0
- Configure the default route:
[HUAWEI] ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
- Configure the DHCP server:
[HUAWEI] dhcp enable
[HUAWEI] interface GigabitEthernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp select interface
[HUAWEI-GigabitEthernet0/0/1] dhcp server excluded-ip-address low-end-ip high-end-ip
[HUAWEI-GigabitEthernet0/0/1] quit
- Configure a VLAN:
[HUAWEI] vlan batch 10
[HUAWEI] interface GigabitEthernet 1/0/24
[HUAWEI-GigabitEthernet1/0/24] port link-type access
[HUAWEI-GigabitEthernet1/0/24] port default vlan 10
- Configure NAT:
# Create NAT address group 1 (pool_191), which contains the public IP address range.
[HUAWEI] nat address-group 1 100.0.0.1 100.0.0.254
# Create an ACL rule that matches the internal address range to be translated to the public IP addresses in the pool.
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 192.168.10.0 0.0.0.255
[HUAWEI-acl-basic-2001] quit
# Apply outbound NAT (nat_191) on the GigabitEthernet interface, binding the ACL rule to the address group.
[HUAWEI] interface GigabitEthernet 1/0/0
[HUAWEI-GigabitEthernet1/0/0] nat outbound 2001 address-group 1
- Configure an ACL:
# Create an advanced ACL rule that denies ICMP requests from host 192.168.10.x (a basic ACL matches on source address only).
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule deny icmp source 192.168.10.x 0 destination any
[HUAWEI-acl-adv-3001] quit
# Apply the ACL to the interface.
[HUAWEI] interface GigabitEthernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] traffic-filter inbound acl 3001
- Configure VPN:
# Create an IPSec security policy and configure the encryption algorithm and pre-shared key.
[USG5505]interface IPSecPolicy 10
[USG5505-ipsec-policy-10]security-proposal esp
[USG5505-ipsec-policy-10-proposal-esp]encryption-algorithm aes128
[USG5505-ipsec-policy-10-proposal-esp]authentication-algorithm sha1
[USG5505-ipsec-policy-10-proposal-esp]quit
[USG5505]interface IPSecProposal 2
[USG5505-ipsec-proposal-2]pre-shared-key cipher %^%#IUoeB+Tg;Vz/>l)~y8ud,}o`<e3mF"@M,8rA$JkR9D}$=K_&<4O:?IjP%^%#
[USG5505-ipsec-proposal-2]quit
# Create an IPSec policy and associate the security policy with the remote VPN endpoint information.
[USG5505]interface IPSecPolicy 1
[USG5505-ipsec-policy-1] pre-shared-key cipher %^%#=lj$pNPTf!BVd^6wL0,/p<R+U{bHxWtQ@2|3)oi7E4S8qZ(>%KuM91ym-%^%#
[USG5505-ipsec-policy-1] security-proposal esp
[USG5505-ipsec-policy-1-proposal-esp] encryption-algorithm aes256
[USG5505-ipsec-policy-1-proposal-esp] authentication-algorithm sha512
[USG5505-ipsec-policy-1-proposal-esp] quit
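
An added example, not part of the original page: a small Python audit for configuration text in the prompt-and-command layout used above. It flags weak IPSec algorithms, pre-shared-key ciphertext left in a configuration that is about to be shared, and protocol matches placed in a basic ACL; the weak-algorithm sets and finding names are this example's own assumptions.

```python
import re

# Assumption: the weak-algorithm sets below are this example's review policy.
WEAK = {"encryption": {"des", "3des"}, "authentication": {"md5", "sha1"}}

PROMPT = re.compile(r"^\[([^\]]*)\]\s*(.*)$")          # [view] command
ALGO = re.compile(r"(encryption|authentication)-algorithm\s+(\S+)")
CIPHER_PSK = re.compile(r"pre-shared-key\s+cipher\s+%\^%#.+%\^%#")
PROTO_RULE = re.compile(r"^rule\s+(?:permit|deny)\s+(icmp|tcp|udp|gre|ip)\b")


def audit(config_text):
    """Return (line_number, finding, detail) tuples for one pasted session."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # comment, list label or blank line
        view, cmd = m.group(1), m.group(2).strip()
        algo = ALGO.search(cmd)
        if algo:
            kind, name = algo.group(1), algo.group(2).lower().replace("-", "")
            if name in WEAK[kind]:
                findings.append((n, "weak-" + kind, name))
        if CIPHER_PSK.search(cmd):
            # Ciphertext keys are still key material: redact before sharing.
            findings.append((n, "psk-in-config", "redact"))
        proto = PROTO_RULE.match(cmd)
        if proto and "acl-basic-" in view:
            # Basic ACLs (2000-2999) match on source address, not protocol.
            findings.append((n, "proto-in-basic-acl", proto.group(1)))
    return findings


# Constructed sample lines in the layout used on this page (the key is fake).
SAMPLE = """\
[HUAWEI-acl-basic-2001] rule deny icmp source 192.168.10.5 0 destination any
[USG5505-ipsec-policy-10-proposal-esp]encryption-algorithm aes128
[USG5505-ipsec-policy-10-proposal-esp]authentication-algorithm sha1
[USG5505-ipsec-proposal-2]pre-shared-key cipher %^%#CONSTRUCTED-NOT-A-KEY%^%#
[USG5505-ipsec-policy-1-proposal-esp] authentication-algorithm sha512
"""

if __name__ == "__main__":
    for line_no, finding, detail in audit(SAMPLE):
        print(f"line {line_no}: {finding} ({detail})")
```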