Huawei AR 18-22-24 Router Configuration Example

Huawei AR 18-22-24 router configuration example for ADSL with a static IP address
Network requirements:
     All LAN machines are controlled by the AR18-22-24 and are split into two VLANs:
     VLAN1 (192.168.1.0, 255.255.255.0) and
     VLAN2 (192.168.2.0, 255.255.255.0).
     VLAN1 cannot reach the Internet and cannot access VLAN2;
     VLAN2 can reach the Internet and can access 192.168.1.2 in VLAN1.
Network environment:
     The static-IP ADSL address is 218.xxx.xxx.xxx
     The external link comes in from the ADSL modem directly to the WAN0 port of the AR18-22-24; all computers on the LAN are connected through the AR18-22-24.

The configuration example is:
acl number 2001
rule 0 permit source 192.168.2.0 0.0.0.255
rule 1 deny source any
#
acl number 2002
rule 0 deny source any
#
acl number 2003
rule 0 permit source 192.168.1.2 0
rule 1 deny source 192.168.1.0 0.0.0.255
#
firewall enable
#
interface Ethernet1/0
ip address 218.xxx.xxx.xxx 255.255.255.0
nat outbound 2001
#
interface Ethernet2/0
#
interface Ethernet3/0
promiscuous
ip address 192.168.10.1 255.255.255.0
#
interface ethernet3/0.1
vlan-type dot1q vid 1
ip address 192.168.1.1 255.255.255.0
firewall packet-filter 2002 outbound
#
interface ethernet3/0.2
vlan-type dot1q vid 2
ip address 192.168.2.1 255.255.255.0
firewall packet-filter 2003
#
interface Ethernet3/1
port link-type access
port access vlan 1
#
interface Ethernet3/2
port link-type access
port access vlan 1
#
interface Ethernet3/3
port link-type access
port access vlan 1
#
interface Ethernet3/4
port link-type access
port access vlan 1
#
interface Ethernet3/5
port link-type access
port access vlan 1
#
interface Ethernet3/6
port link-type access
port access vlan 1
#
interface Ethernet3/7
port link-type access
port access vlan 1
#
interface Ethernet3/8
port link-type access
port access vlan 1
#
interface Ethernet3/9
port link-type access
port access vlan 1
#
interface Ethernet3/10
port link-type access
port access vlan 1
#
interface Ethernet3/11
port link-type access
port access vlan 1
#
interface Ethernet3/12
port link-type access
port access vlan 1
#
interface Ethernet3/13
port link-type access
port access vlan 2
#
interface Ethernet3/14
port link-type access
port access vlan 2
#
interface Ethernet3/15
port link-type access
port access vlan 2
#
interface Ethernet3/16
port link-type access
port access vlan 2
#
interface Ethernet3/17
port link-type access
port access vlan 2
#
interface Ethernet3/18
port link-type access
port access vlan 2
#
interface Ethernet3/19
port link-type access
port access vlan 2
#
interface Ethernet3/20
port link-type access
port access vlan 2
#
interface Ethernet3/21
port link-type access
port access vlan 2
#
interface Ethernet3/22
port link-type access
port access vlan 2
#
interface Ethernet3/23
port link-type access
port access vlan 2
#
interface Ethernet3/24
port link-type access
port access vlan 2
#
interface NULL0
ip route-static 0.0.0.0 0.0.0.0 218.xxx.xxx.1 preference 60
#
user-interface con 0
#
return

2. Huawei AR 28-11 model; basically applicable to most Huawei routers, for reference by those who do not know how to configure them
Source: http://www.txwm.com/BBS417926.vhtml
《[Original] Basic Huawei router configuration, for those who need it》
Login authentication
Username:ztwindows (user)
Password:
sys (enter system view)
System View: return to User View with Ctrl+Z.
[quidway]dis curr (display the current system configuration)
#
sysname quidway (system name)
#
info-center loghost 192.168.0.232 (specify the info-center log host; this can be omitted)
#
firewall enable (enable the firewall function)
#
dns resolve (enable dynamic DNS resolution)
dns server 202.98.198.168 (specify the DNS server IP address)
dns-proxy enable (enable dynamic DNS resolution)
#
radius scheme system (RADIUS configuration: create a scheme or modify scheme attributes)
radius scheme test (scheme named test)
#
domain system
#
local-user ztwindows
password cipher L_'-D*ST]8Z)9JV9LS027A!!
service-type telnet terminal
level 3
Here comes the key part!
#
acl number 2000 (create a basic ACL numbered 2000)
rule 0 permit source 192.168.0.0 0.0.0.255 (you will understand what this means when you configure it)
rule 1 deny
#
acl number 3001 (port filtering for security)
rule 0 deny tcp source-port eq 3127
rule 1 deny tcp source-port eq 1025
rule 2 deny tcp source-port eq 5554
rule 3 deny tcp source-port eq 9996
rule 4 deny tcp source-port eq 1068
rule 5 deny tcp source-port eq 135
rule 6 deny udp source-port eq 135
rule 7 deny tcp source-port eq 137
rule 8 deny udp source-port eq netbios-ns
rule 9 deny tcp source-port eq 138
rule 10 deny udp source-port eq netbios-dgm
rule 11 deny tcp source-port eq 139
rule 12 deny udp source-port eq netbios-ssn
rule 13 deny tcp source-port eq 593
rule 14 deny tcp source-port eq 4444
rule 15 deny tcp source-port eq 5800
rule 16 deny tcp source-port eq 5900
rule 18 deny tcp source-port eq 8998
rule 19 deny tcp source-port eq 445
rule 20 deny udp source-port eq 445
rule 21 deny udp source-port eq 1434
rule 30 deny tcp destination-port eq 3127
rule 31 deny tcp destination-port eq 1025
rule 32 deny tcp destination-port eq 5554
rule 33 deny tcp destination-port eq 9996
rule 34 deny tcp destination-port eq 1068
rule 35 deny tcp destination-port eq 135
rule 36 deny udp destination-port eq 135
rule 37 deny tcp destination-port eq 137
rule 38 deny udp destination-port eq netbios-ns
rule 39 deny tcp destination-port eq 138
rule 40 deny udp destination-port eq netbios-dgm
rule 41 deny tcp destination-port eq 139
rule 42 deny udp destination-port eq netbios-ssn
rule 43 deny tcp destination-port eq 593
rule 44 deny tcp destination-port eq 4444
rule 45 deny tcp destination-port eq 5800
rule 46 deny tcp destination-port eq 5900
rule 48 deny tcp destination-port eq 8998
rule 49 deny tcp destination-port eq 445
rule 50 deny udp destination-port eq 445
rule 51 deny udp destination-port eq 1434
#
interface Aux0 (no need to explain this one; read it and you will see)
async mode flow
#
interface Ethernet0/0 (configure Ethernet port 0/0)
speed 100 (set the Ethernet speed to 100M)
description link_to_dianxin (Ethernet port description; mine means this port connects to China Telecom)
tcp mss 2048 (set the maximum TCP MSS to 2048)
ip address 220.172.*.* 255.255.255.192 (set this port's external IP address and subnet mask)
nat outbound 2000 (set NAT address translation using ACL 2000)
nat server protocol tcp global 220.172.*.* 15000 inside 192.168.0.232 15000 (these are the port mappings I made)
nat server protocol tcp global 220.172.*.* 15010 inside 192.168.0.232 15010
nat server protocol tcp global 220.172.*.* 15030 inside 192.168.0.232 15030
nat server protocol tcp global 220.172.*.* 15037 inside 192.168.0.232 15037
nat server protocol tcp global 220.172.*.* 15047 inside 192.168.0.232 15047
#
interface Ethernet0/1 (ports were explained above; this is port 0/1, and if you understood the above you should understand this too)
speed 100
description link_to_workgroup
tcp mss 1536
ip address 192.168.0.1 255.255.255.0
nat outbound 2000 (this can be left out on the internal port)
#
interface Serial0/0 (read the manual to see what this is for)
clock DTECLK1
link-protocol ppp
shutdown
ip address ppp-negotiate
#
interface Tunnel0
#
interface NULL0
#
time-range daily 08:30 to 18:30 daily
#
FTP server enable (turns on the FTP server; FTP needs no port mapping, just enable this and the next item)
#
ftp source-interface Ethernet0/1 (points the FTP connection interface at Ethernet 0/1)
#
undo arp check enable (enables ARP entry checking; you can add other parameters on your own to achieve this)
#
ip route-static 0.0.0.0 0.0.0.0 220.172.225.129 preference 60 (this adds the gateway of the external IP)
#
user-interface con 0
authentication-mode scheme
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return
[quidway]
OK, everyone should be able to understand it now. By the way, Chinese mode is supported; the command is lan chin. Huawei routers support abbreviations as long as the command does not conflict with another. To look up related commands or functions, type ? at the command line. To see the next keyword of a command,
for example how to switch to Chinese, type lan followed by a space and ?. To see the commands matching an abbreviation, type lan? with no space.

Reply:
You configured port filtering, so why did you not apply it to an interface?

firewall packet-filter 3001 inbound
firewall packet-filter 3001 outbound
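An added example (not code from the page or from either forum post) that evaluates the first example's basic ACLs with VRP wildcard-mask semantics, so the VLAN policy can be checked offline, and also flags ACLs that are defined but never bound to an interface, which is the reply's point about ACL 3001. It assumes the VRP default of permitting packets that match no rule (firewall default permit); the config excerpt is constructed from the page's own ACL lines.

```python
import ipaddress
import re
# Constructed VRP-style excerpt mirroring the page: ACLs 2001 and 2003 with their
# bindings from the first example, plus the second post's ACL 3001, never bound.
SAMPLE_CONFIG = """\
acl number 2001
 rule 0 permit source 192.168.2.0 0.0.0.255
 rule 1 deny source any
acl number 2003
 rule 0 permit source 192.168.1.2 0
 rule 1 deny source 192.168.1.0 0.0.0.255
acl number 3001
 rule 0 deny tcp source-port eq 3127
interface Ethernet1/0
 nat outbound 2001
interface ethernet3/0.2
 firewall packet-filter 2003
"""
RULE_RE = re.compile(r"rule \d+ (permit|deny) source (\S+)(?: (\S+))?$")

def parse_acls(text):
    """Map ACL number -> [(action, net, wildcard)]; wildcard 1-bits are don't-care."""
    acls, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("acl number "):
            current = int(line.split()[2])
            acls[current] = []
        elif current is not None and (m := RULE_RE.match(line)):
            action, src, wild = m.groups()
            if src == "any":
                net, wc = 0, 0xFFFFFFFF
            else:  # VRP prints a host wildcard as a bare "0"
                net = int(ipaddress.IPv4Address(src))
                wc = int(ipaddress.IPv4Address(wild)) if wild and "." in wild else 0
            acls[current].append((action, net, wc))
    return acls

def acl_permits(rules, src_ip):
    """First match wins; unmatched packets are permitted (assumed VRP default,
    firewall default permit), so 'deny source any' is needed for a strict list."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, net, wc in rules:
        if (ip | wc) == (net | wc):
            return action == "permit"
    return True

def unreferenced_acls(text):
    """ACL numbers defined but never bound by nat outbound / firewall packet-filter."""
    defined = set(re.findall(r"^acl number (\d+)", text, re.M))
    used = set(re.findall(r"(?:nat outbound|firewall packet-filter) (\d+)", text))
    return sorted(defined - used)
```

Running `unreferenced_acls(SAMPLE_CONFIG)` against a real `display current-configuration` dump is a quick way to catch filters that were written but never took effect.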

