配置參數 [GZ] dis cu [V200R001C00SPC200] //路由器軟體版本，可從官方網站下載
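#
sysname GZ //device name GZ
ftp server enable //FTP server, used to copy the configuration file out as a backup (FTP carries credentials and files in cleartext; see user "huawei" below)
voice
http server port 1025 //HTTP management port; the service itself is disabled by the next line
undo http server enable
drop illegal-mac alarm
l2tp aging 0
vlan batch 10 20 30 40 50 //VLAN IDs defined on this router
igmp global limit 256
multicast routing-enable //enable multicast routing
dhcp enable //enable DHCP globally; the per-VLAN pools are enabled under each Vlanif
ip vpn-instance 1
 ipv4-family
acl number 2000
 rule 10 permit
acl number 2001 //basic ACL used as the source list for "nat outbound 2001" on GigabitEthernet0/0/0
 rule 6 permit source 172.23.68.0 0.0.0.255 //this subnet may reach the outside
 rule 7 permit source 172.23.69.0 0.0.0.255 //this subnet may reach the outside
 rule 8 permit source 172.23.65.0 0.0.0.3 //wildcard 0.0.0.3 matches 172.23.65.0-.3, i.e. the first three hosts .1-.3
 rule 9 deny //all other sources are denied
acl number 3000 //not applied anywhere in this configuration
 rule 40 permit ip source 172.23.65.0 0.0.0.255 destination 172.23.69.0 0.0.0.255
acl number 3001 //keep the two subnets apart: the student subnet 172.23.68.0/24 and 172.23.65.0/24 cannot reach each other
 rule 5 deny ip source 172.23.65.0 0.0.0.255 destination 172.23.68.0 0.0.0.255
 rule 10 deny ip source 172.23.68.0 0.0.0.255 destination 172.23.65.0 0.0.0.255
aaa //local login accounts and passwords
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher ]MQ;4\]B+4Z,YWX*NZ55OA!!
 local-user admin service-type telnet web http //Telnet and Web access (both send the password in cleartext)
 local-user dfwd password cipher 'VE5U!@7QCO;V2HX\\\']\\,1!!
 local-user dfwd privilege level 15 //highest privilege level
 local-user dfwd service-type telnet terminal web http
 local-user huawei password cipher RY,UPVHCMV+Q=^Q`MAF4<1!! //account used for the FTP backup
 local-user huawei ftp-directory flash: //FTP root for this user is the whole flash: (configuration and system files)
 local-user huawei service-type ftp //this user may only log in over FTP
firewall zone trust //trusted zone
 priority 15
firewall zone untrust //untrusted zone
 priority 1
firewall interzone trust untrust //policy between the trust and untrust zones
 firewall enable //enable the firewall on this interzone
 packet-filter 3001 inbound //apply ACL 3001 to inbound traffic
 packet-filter 3001 outbound //apply ACL 3001 to outbound traffic
 packet-filter default deny outbound //outbound traffic not matched by an ACL is dropped; no default action is set for inbound in this dump
interface Vlanif10
 ip address 172.23.65.100 255.255.255.0 //VLAN gateway address and mask
 pim dm //multicast: PIM dense mode
 igmp enable //multicast: IGMP
 zone trust //this VLAN belongs to the trust zone
interface Vlanif20
 ip address 172.23.1.1 255.255.255.240 //VLAN gateway address and mask
 igmp enable //multicast: IGMP
 zone trust //this VLAN belongs to the trust zone
interface Vlanif30
 ip address 10.10.10.1 255.255.255.252 //VLAN gateway address and mask; no zone is assigned in this dump
#
interface Vlanif40
 ip address 172.23.68.100 255.255.255.0 //VLAN gateway address and mask
 dhcp select interface //DHCP pool taken from this interface's subnet
 dhcp server excluded-ip-address 172.23.68.201 172.23.69.254 //addresses not handed out; NOTE(review): the end address lies in 172.23.69.0/24, outside this VLAN's subnet - verify the intended range
 dhcp server dns-list 61.139.2.69 //DNS server handed to DHCP clients in this VLAN
 zone untrust //this VLAN belongs to the untrust zone
interface Vlanif50
 ip address 172.23.69.100 255.255.255.0 //VLAN gateway address and mask; no zone is assigned in this dump
 dhcp select interface //DHCP pool taken from this interface's subnet
 dhcp server excluded-ip-address 172.23.69.201 172.23.69.252 //addresses reserved for manual assignment
 dhcp server dns-list 61.139.2.69 //DNS server handed to DHCP clients in this VLAN
interface Ethernet0/0/0 //physical port 0
 port link-type access //port type
 port default vlan 10 //VLAN of this port
interface Ethernet0/0/1 //physical port 1
 port default vlan 30 //VLAN of this port
interface Ethernet0/0/2 //physical port 2
 port link-type access //port type
 port default vlan 20 //VLAN of this port
 qos gts cir 6000 cbs 600000 //traffic shaping limits on this port
interface Ethernet0/0/3 //physical port 3
 port link-type access
 port default vlan 30
interface Ethernet0/0/4 //physical port 4
 port default vlan 40 //VLAN of this port
interface Ethernet0/0/5 //physical port 5
 port default vlan 50 //VLAN of this port
interface Ethernet0/0/6 //physical port 6, no port configuration
interface Ethernet0/0/7 //physical port 7, no port configuration
interface GigabitEthernet0/0/0 //Layer-3 interface, not in any VLAN; carries the NAT server mappings
 ip address 125.69.71.128 255.255.255.0 //public address and mask
 nat server protocol tcp global current-interface 10001 inside 172.23.68.222 10001 //TCP 10001-10010 and UDP 11001-11010 on this interface's address are forwarded to the internal host 172.23.68.222
 nat server protocol tcp global current-interface 10002 inside 172.23.68.222 10002
 nat server protocol tcp global current-interface 10003 inside 172.23.68.222 10003
 nat server protocol tcp global current-interface 10004 inside 172.23.68.222 10004
 nat server protocol tcp global current-interface 10005 inside 172.23.68.222 10005
 nat server protocol tcp global current-interface 10006 inside 172.23.68.222 10006
 nat server protocol tcp global current-interface 10007 inside 172.23.68.222 10007
 nat server protocol tcp global current-interface 10008 inside 172.23.68.222 10008
 nat server protocol tcp global current-interface 10009 inside 172.23.68.222 10009
 nat server protocol tcp global current-interface 10010 inside 172.23.68.222 10010
 nat server protocol udp global current-interface 11001 inside 172.23.68.222 11001
 nat server protocol udp global current-interface 11002 inside 172.23.68.222 11002
 nat server protocol udp global current-interface 11003 inside 172.23.68.222 11003
 nat server protocol udp global current-interface 11004 inside 172.23.68.222 11004
 nat server protocol udp global current-interface 11005 inside 172.23.68.222 11005
 nat server protocol udp global current-interface 11006 inside 172.23.68.222 11006
 nat server protocol udp global current-interface 11007 inside 172.23.68.222 11007
 nat server protocol udp global current-interface 11008 inside 172.23.68.222 11008
 nat server protocol udp global current-interface 11009 inside 172.23.68.222 11009
 nat server protocol udp global current-interface 11010 inside 172.23.68.222 11010
 nat outbound 2001 //source NAT on this interface for the subnets permitted by ACL 2001
interface GigabitEthernet0/0/1 //Layer-3 interface, not in any VLAN
 ip address 10.10.10.6 255.255.255.252 //interface address and mask
 undo negotiation auto //auto-negotiation disabled
 zone trust //this interface belongs to the trust zone
interface Cellular0/0/0
 link-protocol ppp
interface Cellular0/0/1
interface NULL0
igmp
pim
 c-bsr GigabitEthernet0/0/0
 c-rp GigabitEthernet0/0/0 group-policy 2000
 c-rp GigabitEthernet0/0/1 group-policy 2000
ip route-static 0.0.0.0 0.0.0.0 125.71.213.1 //default route to the outside; NOTE(review): the next hop is not in GigabitEthernet0/0/0's 125.69.71.0/24 subnet - verify
ip route-static 10.1.187.0 255.255.255.0 10.10.10.2
ip route-static 10.102.0.0 255.255.0.0 172.23.1.2
ip route-static 10.110.0.0 255.255.0.0 172.23.1.2
ip route-static 172.23.66.0 255.255.255.0 10.10.10.2
ip route-static 172.23.67.0 255.255.255.0 10.10.10.5
ip route-static 192.168.14.0 255.255.255.0 172.23.1.2
ip route-static 192.168.18.0 255.255.255.0 172.23.1.2
ip route-static 192.168.20.0 255.255.255.0 172.23.1.2
super password level 3 cipher EO2\:%&(X.$'CLYaDZ]EJ1!!
user-interface con 0 //no authentication-mode is shown for the console in this dump
user-interface vty 0 4
 authentication-mode aaa //Telnet logins on vty 0-4 are checked against the AAA local users above
user-interface vty 16 20 //no authentication-mode is shown for these lines in this dump
port-group 1
 group-member Ethernet0/0/0
 group-member Ethernet0/0/1
 group-member Ethernet0/0/2
 group-member Ethernet0/0/3
 group-member Ethernet0/0/4
 group-member Ethernet0/0/5
 group-member Ethernet0/0/6
 group-member Ethernet0/0/7
port-group eth0/0/2
return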
本文轉自 是阿傑啊 51CTO部落格,原文連結:http://blog.51cto.com/jschinamobile/1945260