Building a small-to-medium enterprise network in practice

Published 2023-03-22 21:13:55  Author: neutrinos

 

This is all basic material; most of it is annotated on the topology diagram. The full configuration of every device is in the appendix. The body only covers what the diagram does not show.

Technical components

Routing (static, policy-based)

    ENSP's policy-based routing does not apply to packets the device itself originates. At first I configured a PBR entry on FW-BJ, [s:192.168.100.0/24 d:10.0.0.0/24 --> 192.168.40.2]. Once FW-BJ and FW-TJ had the IPSec tunnel up and I pinged 10.0.0.1 from 192.168.100.2, the request came in through the VPN decryption fine, but the ping reply, which FW-BJ generates itself, ignored the PBR and went straight out the default route to 1.1.1.1. What FW-BJ.cfg in the appendix carries instead is a plain static route, ip route-static 192.168.100.0 255.255.255.0 GigabitEthernet1/0/5 192.168.40.2 preference 40, which is consulted for transit and locally generated traffic alike (40 is lower than the static default of 60, so it wins over any other static route to that prefix).
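The symptom above, replayed offline as an added example (this is not code from the original post or from Huawei): policy-based routing is consulted for transit packets only, while a packet the device generates itself, such as the ICMP echo reply from 10.0.0.1, goes straight to the routing table, where the best route is the longest prefix match with ties broken by the lowest preference. The connected networks and default route are those of FW-BJ.cfg and the preferences follow VRP defaults (0 connected, 60 static). The PBR entry is modelled as steering traffic towards 192.168.100.0/24 to the VPN box; that is an assumption about what the author's entry was meant to do, not a transcription of it.

```python
"""Added example (not from the original post): a toy route lookup that
replays why the echo reply left via the default route.  PBR applies to
transit packets only; locally originated packets use the routing table."""
from ipaddress import ip_address, ip_network

# FW-BJ routing table before the fix: (prefix, next hop, preference)
BASE_ROUTES = [
    ("192.168.20.0/24", "connected", 0),
    ("192.168.30.0/24", "connected", 0),
    ("192.168.10.0/24", "connected", 0),
    ("10.0.0.0/24", "connected", 0),
    ("192.168.40.0/24", "connected", 0),
    ("1.1.1.0/30", "connected", 0),
    ("0.0.0.0/0", "1.1.1.1", 60),
]
# the static route FW-BJ.cfg carries: preference 40 beats the static default of 60
STATIC_FIX = ("192.168.100.0/24", "192.168.40.2", 40)
# PBR entries: (source prefix, destination prefix, next hop); an assumption, see lead-in
PBR = [("0.0.0.0/0", "192.168.100.0/24", "192.168.40.2")]


def route_lookup(dst, routes):
    """Longest prefix match; on equal prefix length the lowest preference wins."""
    best_key, best_hop = None, None
    for prefix, nexthop, pref in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net:
            key = (-net.prefixlen, pref)
            if best_key is None or key < best_key:
                best_key, best_hop = key, nexthop
    return best_hop


def next_hop(src, dst, routes, pbr, locally_originated):
    """PBR is evaluated before the routing table, but only for transit traffic."""
    if not locally_originated:
        for s, d, nh in pbr:
            if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
                return nh
    return route_lookup(dst, routes)


if __name__ == "__main__":
    # a transit packet from the office PC towards Tianjin is steered by PBR
    print(next_hop("192.168.10.2", "192.168.100.2", BASE_ROUTES, PBR, False))
    # the echo reply FW-BJ generates skips PBR; with no specific route it takes the default
    print(next_hop("10.0.0.1", "192.168.100.2", BASE_ROUTES, PBR, True))
    # with the static route from FW-BJ.cfg the reply goes back to the VPN box
    print(next_hop("10.0.0.1", "192.168.100.2", BASE_ROUTES + [STATIC_FIX], PBR, True))
```

The three calls print 192.168.40.2, 1.1.1.1 and 192.168.40.2: the PBR entry only helps the forwarded direction, the static route fixes both.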

NAT (SNAT, DNAT)

    In ENSP the source NAT is applied first and only then is the packet matched against the IPSec interesting-traffic ACL. Site-to-site traffic therefore has to be exempted from SNAT, and because the NAT policy is first-match the exemption must sit above the catch-all rule: that is the "NOT SNAT FOR 192.168.100.0/24" no-nat rule ahead of the SNAT rule in FW-TJ.cfg. Without it easy-ip would rewrite the source to 2.2.2.2, the ACL 3000 match would fail and the packet would leave in the clear instead of through the tunnel. On the Beijing side, where the tunnel terminates on the VPN box behind FW-BJ, the two DNAT rules forward UDP 500 and 4500 arriving at 1.1.1.2 to 192.168.40.2 so that IKE and NAT-T reach it.

VPN (IPSec VPN, PPTP VPN)

    Site-to-site links use IPSec; for travelling staff, point-to-site, PPTP VPN is used. The PPTP VPN tutorial follows: the first link covers the server-side configuration, the second the Windows 10 client. One caveat before copying that choice: PPTP's MS-CHAPv2 authentication is broken (the handshake can be cracked offline and the MPPE session keys derived from it), so a PPTP tunnel on a hostile network should be considered neither authenticated nor confidential. L2TP over IPSec or IKEv2 terminated on the USG itself is the better road-warrior option; the firewall configs already contain an l2tp-group default-lns stanza and service-type ... l2tp ike in the default domain. For the IPSec side, make sure the two interesting-traffic ACLs mirror each other exactly: in the appendix FW-TJ's ACL 3000 uses the wildcard 0.255.255.255 for the destination (10.0.0.0/8) while the VPN box's ACL 3000 uses 0.0.0.255 (10.0.0.0/24), and mismatched proxy IDs are a classic cause of phase-2 failures.
Using PPTP VPN has a drawback: a Linux client that dials in cannot change the IP it is assigned, so several Linux clients connecting to the same PPTP server conflict with each other.
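An added example that serves both the NAT note and the IPSec part of this section (it is not code from the original post or from Huawei): it replays the order the post observed in ENSP, NAT policy first and the interesting-traffic ACL second, to show why the no-nat rule on FW-TJ must precede the generic SNAT rule, and it checks whether the two ACLs in the appendix are exact mirrors. Rule and ACL contents are copied from FW-TJ.cfg and VPN.cfg; the evaluation itself is a simplification of what the firewall does, and the wildcard-mask converter only handles contiguous wildcards.

```python
"""Added example (not from the original post): NAT-before-ACL ordering on
FW-TJ and a mirror check for the two IPsec interesting-traffic ACLs."""
from ipaddress import ip_address, ip_network


def wildcard_to_network(addr, wildcard):
    """Huawei ACLs use wildcard masks: 0 bits must match, 1 bits are don't-care."""
    wc = int(ip_address(wildcard))
    if wc & (wc + 1):                       # the 1 bits must be contiguous from the right
        raise ValueError("non-contiguous wildcard not supported")
    return ip_network((addr, 32 - wc.bit_length()), strict=False)


# nat-policy on FW-TJ in the order the appendix lists it (first match wins)
EGRESS_IP = "2.2.2.2"          # GE1/0/1, the address easy-ip translates to
FW_TJ_NAT_POLICY = [
    ("NOT SNAT FOR 192.168.100.0/24", "192.168.100.0/24", "10.0.0.0/24", "no-nat"),
    ("SNAT", "0.0.0.0/0", "0.0.0.0/0", "easy-ip"),
]
# acl 3000 on FW-TJ: "source 192.168.100.0 0.0.0.255 destination 10.0.0.0 0.255.255.255"
FW_TJ_ACL = [(wildcard_to_network("192.168.100.0", "0.0.0.255"),
              wildcard_to_network("10.0.0.0", "0.255.255.255"))]
# acl 3000 on the VPN box: "source 10.0.0.0 0.0.0.255 destination 192.168.100.0 0.0.0.255"
VPN_ACL = [(wildcard_to_network("10.0.0.0", "0.0.0.255"),
            wildcard_to_network("192.168.100.0", "0.0.0.255"))]


def apply_nat(src, dst, policy):
    """Walk the ordered NAT policy; return the post-NAT source and the rule that matched."""
    for name, s, d, action in policy:
        if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
            return (src if action == "no-nat" else EGRESS_IP), name
    return src, None


def matches_acl(src, dst, acl):
    return any(ip_address(src) in s and ip_address(dst) in d for s, d in acl)


def forwarding_decision(src, dst, policy, acl):
    """NAT first, then the interesting-traffic check: the order the post observed in ENSP."""
    nat_src, rule = apply_nat(src, dst, policy)
    return ("ipsec" if matches_acl(nat_src, dst, acl) else "plain"), nat_src, rule


def acls_mirror(acl_a, acl_b):
    """True when every (src, dst) pair on one side has an exact (dst, src) twin on the other."""
    return set(acl_a) == {(d, s) for s, d in acl_b}


if __name__ == "__main__":
    # with the no-nat rule in front: source kept, ACL hit, packet goes into the tunnel
    print(forwarding_decision("192.168.100.2", "10.0.0.1", FW_TJ_NAT_POLICY, FW_TJ_ACL))
    # with only the SNAT rule: source becomes 2.2.2.2, ACL miss, packet leaves in the clear
    print(forwarding_decision("192.168.100.2", "10.0.0.1", FW_TJ_NAT_POLICY[1:], FW_TJ_ACL))
    # the two ACLs from the appendix are not mirrors (/8 on one side, /24 on the other)
    print(acls_mirror(FW_TJ_ACL, VPN_ACL))
```

Running it on the appendix ACLs reports False for the mirror check; replacing FW-TJ's destination wildcard with 0.0.0.255 makes the pair mirror.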

Switching (VLAN (trunk, access), STP, stacking)

    A word on stacking. The lab uses a 24-port switch; in practice a single switch like that is often stretched thin. Stacking joins two switches into one logical switch. ENSP cannot simulate stacking, so I built it in HCL instead; see this link:
HCL IRF stacking lab https://blog.csdn.net/long_up/article/details/107471388

WLAN (AP, AC)

    The wireless coverage circle gets hidden behind the palette. At first it never showed up, I assumed I had misconfigured something and rebuilt the whole thing three times, hahaha. For the wireless part see this link:
eNSP wireless technology basics https://blog.csdn.net/weixin_51491005/article/details/119514373

IP-MAC binding

    What is meant here is DHCP reservations, for hosts that need a fixed address: servers and the front-end machines. On VRP a reservation is dhcp server static-bind ip-address <ip> mac-address <mac> under the interface that carries dhcp select interface. Note that the dynamic pool in FW-BJ.cfg is 192.168.30.100 to 192.168.30.200, which keeps .2 to .99 free for manually assigned addresses so the two cannot collide.
A side note on IP conflicts in the LAN. If everything used DHCP there would be none, but that is never the case: a rogue machine boots first and grabs an address, and the legitimate host loses connectivity. Keep the critical servers on a segment of their own, separate from the office area; the conflicts cluster in the wired office network, so when that area is large and busy, split it into more VLANs and smaller subnets to shrink the area you have to search when troubleshooting. Before assigning a static address, ping it first to confirm nobody is using it, and check the ARP cache afterwards (arp -a): a host with a local firewall can drop ICMP yet still own the address, but it will still have answered the ARP request. In networking, planning and management matter more than anything else.

DHCP

    When you enable the DHCP server in the ENSP GUI and save, you still have to drop to the CLI and enter dhcp select interface under the interface, otherwise the pool is not served. In the appendix this is on GigabitEthernet1/0/1 of FW-BJ together with the ip-range, gateway-list and dns-list lines.

DDNS

    Most ISPs hand out dynamic public addresses. A DDNS client picks up the address each time it changes and re-registers it under a fixed hostname, which is a cheap and convenient way of reaching services on the inside from the Internet. It only solves the naming half, though: the WAN interface still needs a real public address, each exposed port still needs a DNAT rule like the two UDP 500/4500 rules in FW-BJ.cfg, and whatever is forwarded is reachable by anyone who resolves the name, so it belongs behind an explicit security policy rather than default action permit.

FTP

    When the WAN bandwidth runs short, rate-limit at the gateway. If large files are moved around inside the LAN all the time, a local FTP server keeps that traffic on the switch instead of the uplink. Two caveats: FTP sends credentials and data in the clear, so prefer SFTP (or FTPS) where the clients allow it; and FTP opens a separate data connection on a negotiated port, which is what the firewall detect ftp line in the firewall configs is for, the ALG that reads the control channel and opens the data pinhole, so leave it on if FTP has to cross a zone boundary.

Supplementary notes

    Why a stateful firewall forwards quickly: the first packet of a flow is the only one that goes through the security-policy lookup. If it is permitted, the firewall creates a session entry keyed by the packet's 5-tuple (protocol, source and destination address, source and destination port) and stores it in a hash table. Every later packet of the same flow, including the replies, which match the reverse tuple, is found by that lookup and forwarded without another policy decision. The entry is aged out after an idle timeout, after which the next packet is treated as a first packet again.
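The mechanism above as a toy session table, added here as an example (not code from the original post or from any firewall product): the first packet of a flow is judged by the policy and creates a session keyed by its 5-tuple; every later packet, in either direction, is found by a dictionary lookup and skips the policy; sessions age out after an idle timeout. The security policy and the packets are constructed samples, and timestamps are passed in explicitly so the ageing can be checked offline.

```python
"""Added example (not from the original post): a minimal stateful firewall
session table.  Only the first packet of a flow hits the policy; the rest
are forwarded on a session-table hit."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The 5-tuple that the reply packets of this flow carry."""
        return FiveTuple(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Session:
    created: float
    last_seen: float
    packets: int = 1


class StatefulFirewall:
    def __init__(self, policy, idle_timeout=60.0):
        self.policy = policy            # ordered (src_net, dst_net, dport or None, action)
        self.idle_timeout = idle_timeout
        self.sessions = {}              # forward 5-tuple -> Session (a hash lookup)
        self.policy_lookups = 0         # counts slow-path decisions

    def _policy_decision(self, t):
        self.policy_lookups += 1
        for src_net, dst_net, dport, action in self.policy:
            if (ip_address(t.src) in ip_network(src_net)
                    and ip_address(t.dst) in ip_network(dst_net)
                    and dport in (None, t.dport)):
                return action
        return "deny"                   # implicit deny at the end of the policy

    def _expire(self, now):
        stale = [k for k, s in self.sessions.items() if now - s.last_seen > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def handle(self, t, now):
        """Return how the packet was handled: session hit, new session, or dropped."""
        self._expire(now)
        for key in (t, t.reverse()):    # fast path: forward or reply direction
            s = self.sessions.get(key)
            if s is not None:
                s.last_seen = now
                s.packets += 1
                return "permit(session)"
        if self._policy_decision(t) != "permit":
            return "deny"
        self.sessions[t] = Session(created=now, last_seen=now)
        return "permit(new-session)"


def demo():
    """Constructed sample: the office LAN may go anywhere, nothing else is permitted."""
    fw = StatefulFirewall([("192.168.10.0/24", "0.0.0.0/0", None, "permit")], idle_timeout=60)
    out = FiveTuple("tcp", "192.168.10.2", 40000, "1.1.1.1", 80)
    results = [
        fw.handle(out, 0.0),              # first packet: policy lookup, session created
        fw.handle(out.reverse(), 0.5),    # reply: session hit, no policy lookup
        fw.handle(out, 1.0),              # more data: session hit
        fw.handle(FiveTuple("tcp", "8.8.8.8", 1234, "192.168.10.2", 22), 2.0),  # unsolicited
        fw.handle(out.reverse(), 200.0),  # after the idle timeout the session is gone
    ]
    return results, fw.policy_lookups


if __name__ == "__main__":
    print(demo())
```

Of the five packets only the first, the unsolicited one and the late reply cost a policy lookup; the two in the middle are pure table hits, which is the whole speed-up.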

Common commands

# windows
# tracert
# nslookup
# show / clear the ARP cache
arp -a
arp -d *
# ipconfig
# flush the DNS resolver cache
ipconfig /flushdns
# release and re-acquire the address on every DHCP adapter
ipconfig /release
ipconfig /renew
# check whether a port is already in use
netstat -ano | findstr <port>
# show the routing table
route print
# add a persistent (-p) network route; the destination is the network address, not a host in it
route add 10.0.0.0 mask 255.255.255.0 192.168.1.1 -p
# add a persistent host route: Windows has no -host switch, use a /32 mask
route add 10.0.0.2 mask 255.255.255.255 192.168.1.1 -p
# delete a route
route delete 10.0.0.0 mask 255.255.255.0 192.168.1.1

# linux (net-tools form first, iproute2 equivalent below it)
# show the routing table
route -n
ip route
# add a static route; the -net argument must be the network address (10.20.30.0, not 10.20.30.40)
route add -net 10.20.30.0 netmask 255.255.255.0 gw 192.168.0.1
ip route add 10.20.30.0/24 via 192.168.0.1
# add a default route
route add default gw 192.168.0.1
ip route add default via 192.168.0.1
# add a host route
route add -host 10.20.30.40 gw 192.168.0.1
ip route add 10.20.30.40/32 via 192.168.0.1

# huawei switch/router (VRP accepts unambiguous abbreviations; full forms in the comments)
# show the running configuration / the configuration of the current view
# (display current-configuration / display this)
dis cu
dis th
# show the routing table
dis ip routing-table
# show every interface's IP (display ip interface brief)
dis ip int b
# show VLANs
dis vlan b
# set the port type, trunk as the example (port link-type trunk)
p l t
# set the VLANs allowed through the trunk (port trunk allow-pass vlan xx xx)
p t a v xx xx
# save: Ctrl+Z returns to the user view, then
save

Appendix

    These are the lab configurations exactly as saved from the simulator, and several settings in them are lab shortcuts, not a template: the security policy on all three firewalls is default action permit; every interface, including the Internet-facing GigabitEthernet1/0/6 (1.1.1.2) on FW-BJ and GigabitEthernet1/0/1 (2.2.2.2) on FW-TJ, is in zone trust while zone untrust has no members; service-manage permits http, telnet and snmp on those interfaces; SW.cfg carries local-user admin password simple admin; and AC.cfg leaves vty 0 4 with protocol inbound all and no authentication-mode. The pre-shared-key lines are reversibly encrypted (the device has to recover the key to run IKE), so a published configuration should be treated as a leaked secret and the keys rotated. VRP indents sub-commands by one space; that indentation was lost when the files were pasted here.

FW-BJ.cfg


!Software Version V500R005C10SPC300
!Last configuration was saved at 2023-03-21 10:17:14 UTC
#
sysname FW-BJ
#
l2tp domain suffix-separator @
#
ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
update schedule location-sdb weekly Sun 23:18
#
firewall defend action discard
#
banner enable
#
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
user-manage security version tlsv1.1 tlsv1.2
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
dhcp enable
#
undo ips log merge enable
#
decoding uri-cache disable
#
update schedule ips-sdb daily 22:40
update schedule av-sdb daily 22:40
update schedule sa-sdb daily 22:40
update schedule cnc daily 22:40
update schedule file-reputation daily 22:40
#
ip vpn-instance default
ipv4-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day  
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%5bIr:B4|[9sEFC&]CoG&<L1%u.[F;n"k'Tgazf.:GXpAL1(<@%@%
service-type web terminal
level 15

manager-user api-admin
password cipher @%@%9gL|,]3)i7UN:@+0{o@)zfYuW93fLW<#6I;<NASML~*RfYxz@%@%
level 15

manager-user admin
password cipher @%@%s2$z4ztu0~~g#&8^{d[X4%nefKeM<il4L$b5$8SQ*pz/%nh4@%@%
service-type web terminal
level 15

role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 192.168.20.1 255.255.255.0
alias GE0/METH
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/0
undo shutdown
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 192.168.30.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
dhcp select interface
dhcp server ip-range 192.168.30.100 192.168.30.200
dhcp server gateway-list 192.168.30.1
dhcp server dns-list 114.114.114.114
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.10.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/3
undo shutdown
ip address 10.0.0.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
ip address 192.168.40.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/6
undo shutdown
ip address 1.1.1.2 255.255.255.252
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/5
add interface GigabitEthernet1/0/6
#
firewall zone untrust
set priority 5
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/6 1.1.1.1
ip route-static 192.168.100.0 255.255.255.0 GigabitEthernet1/0/5 192.168.40.2 preference 40
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
mode proportion-of-weight
#
right-manager server-group
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
default action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
rule name "DNAT UDP 4500"
destination-address 1.1.1.2 mask 255.255.255.255
 service protocol udp source-port 0 to 65535 destination-port 4500
action destination-nat static address-to-address address 192.168.40.2
rule name "DNAT UDP 500"
destination-address 1.1.1.2 mask 255.255.255.255
 service protocol udp source-port 0 to 65535 destination-port 500
action destination-nat static address-to-address address 192.168.40.2
rule name SNAT
egress-interface GigabitEthernet1/0/6
action source-nat easy-ip
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return  

FW-TJ.cfg


!Software Version V500R005C10SPC300
!Last configuration was saved at 2023-03-20 03:08:31 UTC
#
sysname FW-TJ
#
l2tp domain suffix-separator @
#
ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
update schedule location-sdb weekly Sun 06:15
#
firewall defend action discard
#
banner enable
#
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
user-manage security version tlsv1.1 tlsv1.2
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
undo ips log merge enable
#
decoding uri-cache disable
#
update schedule ips-sdb daily 03:45
update schedule av-sdb daily 03:45
update schedule sa-sdb daily 03:45
update schedule cnc daily 03:45
update schedule file-reputation daily 03:45
#
ip vpn-instance default
ipv4-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day  
#
acl number 3000
rule 5 permit ip source 192.168.100.0 0.0.0.255 destination 10.0.0.0 0.255.255.255
#
ipsec proposal prop20311533248
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer ike20311533248
exchange-mode auto
pre-shared-key %^%#>mGX3/DEMS&za9Jnk*bRt,}z#/hGw3G%+&=`X5W.%^%#
ike-proposal 1
remote-id-type ip
remote-id 1.1.1.2
local-id 2.2.2.2
dpd type periodic
remote-address 1.1.1.2
#
ipsec policy ipsec203115330 1 isakmp
security acl 3000
ike-peer ike20311533248
proposal prop20311533248
tunnel local applied-interface
alias ipsec-tj
sa trigger-mode auto
sa duration traffic-based 10485760
sa duration time-based 3600
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%V5ix8UyTG44K4PG,2<=!HbIpg$ob2`4>h7sk-Y)R\R(%bIsH@%@%
service-type web terminal
level 15

manager-user api-admin
password cipher @%@%Sr|_@R.p/LMKFfN6p.Y8[bXVfYB/BA(0RKv6b+"KTbo*bXY[@%@%
level 15

manager-user admin
password cipher @%@%uV\t'gaj,+|v/x4=c@~J`[/lVnLSR95o7Y,*-/SHTp0Y[/o`@%@%
service-type web terminal
level 15

role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.20.13 255.255.255.0
alias GE0/METH
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/0
undo shutdown
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 2.2.2.2 255.255.255.252
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
ipsec policy ipsec203115330
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.100.1 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 2.2.2.1
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
mode proportion-of-weight
#
right-manager server-group
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
default action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
rule name "NOT SNAT FOR 192.168.100.0/24"
egress-interface GigabitEthernet1/0/1
source-address 192.168.100.0 mask 255.255.255.0
destination-address 10.0.0.0 mask 255.255.255.0
action no-nat
rule name SNAT
egress-interface GigabitEthernet1/0/1
action source-nat easy-ip
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return  

VPN.cfg


!Software Version V500R005C10SPC300
!Last configuration was saved at 2023-03-21 09:24:01 UTC
#
sysname VPN
#
l2tp domain suffix-separator @
#
ipsec sha2 compatible enable
#
undo telnet server enable
undo telnet ipv6 server enable
#
update schedule location-sdb weekly Sun 06:17
#
firewall defend action discard
#
banner enable
#
user-manage web-authentication security port 8887
undo privacy-statement english
undo privacy-statement chinese
page-setting
user-manage security version tlsv1.1 tlsv1.2
password-policy
level high
user-manage single-sign-on ad
user-manage single-sign-on tsm
user-manage single-sign-on radius
user-manage auto-sync online-user
#
web-manager security version tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable
#
firewall dataplane to manageplane application-apperceive default-action drop
#
undo ips log merge enable
#
decoding uri-cache disable
#
update schedule ips-sdb daily 22:40
update schedule av-sdb daily 22:40
update schedule sa-sdb daily 22:40
update schedule cnc daily 22:40
update schedule file-reputation daily 22:40
#
ip vpn-instance default
ipv4-family
#
time-range worktime
period-range 08:00:00 to 18:00:00 working-day  
#
acl number 3000
rule 5 permit ip source 10.0.0.0 0.0.0.255 destination 192.168.100.0 0.0.0.255
#
ipsec proposal prop21316393881
encapsulation-mode auto
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256
#
ike proposal default
encryption-algorithm aes-256 aes-192 aes-128
dh group14
authentication-algorithm sha2-512 sha2-384 sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
ike proposal 1
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
ike peer ike213163938816
exchange-mode auto
pre-shared-key %^%#%"=T17GK4LSHF(WP_,I0EaC^QoiS=4/)sJ>O6>2'%^%#
ike-proposal 1
remote-id-type ip
remote-id 2.2.2.2
local-id 1.1.1.2
dpd type periodic
remote-address 2.2.2.2
#
ipsec policy ipsec2131639384 1 isakmp
security acl 3000
ike-peer ike213163938816
proposal prop21316393881
tunnel local applied-interface
alias ipsec-bj
sa trigger-mode auto
sa duration traffic-based 10485760
sa duration time-based 3600
#
aaa
authentication-scheme default
authentication-scheme admin_local
authentication-scheme admin_radius_local
authentication-scheme admin_hwtacacs_local
authentication-scheme admin_ad_local
authentication-scheme admin_ldap_local
authentication-scheme admin_radius
authentication-scheme admin_hwtacacs
authentication-scheme admin_ad
authorization-scheme default
accounting-scheme default
domain default
service-type internetaccess ssl-vpn l2tp ike
internet-access mode password
reference user current-domain
manager-user audit-admin
password cipher @%@%8azD3YE\e,CQ6;ZW^{f:X'Ih-=\<8OxpM@0Y:3HF4Am@'IkX@%@%
service-type web terminal
level 15

manager-user api-admin
password cipher @%@%igXR#;oDGKmbC1DxfUL1Rq)>k}.]48\e`+/5G2Yj2PsPq)AR@%@%
level 15

manager-user admin
password cipher @%@%`>i59$y0";%C<kGmm6UMhVgg|~$RADLAjP{l>]Xd^Vo6Vgjh@%@%
service-type web terminal
level 15

role system-admin
role device-admin
role device-admin(monitor)
role audit-admin
bind manager-user audit-admin role audit-admin
bind manager-user admin role system-admin
#
l2tp-group default-lns
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.20.12 255.255.255.0
alias GE0/METH
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/0
undo shutdown
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 80.0.0.2 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 192.168.40.2 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
service-manage ssh permit
service-manage snmp permit
service-manage telnet permit
ipsec policy ipsec2131639384
#
interface GigabitEthernet1/0/3
undo shutdown
#
interface GigabitEthernet1/0/4
undo shutdown
#
interface GigabitEthernet1/0/5
undo shutdown
#
interface GigabitEthernet1/0/6
undo shutdown
#
interface Virtual-if0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
#
firewall zone dmz
set priority 50
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 192.168.40.1
#
undo ssh server compatible-ssh1x enable
ssh authentication-type default password
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256 sha1
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256 sha1
#
firewall detect ftp
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
mode proportion-of-weight
#
right-manager server-group
#
device-classification
device-group pc
device-group mobile-terminal
device-group undefined-group
#
user-manage server-sync tsm
#
security-policy
default action permit
#
auth-policy
#
traffic-policy
#
policy-based-route
#
nat-policy
#
quota-policy
#
pcp-policy
#
dns-transparent-policy
#
rightm-policy
#
return  

SW.cfg


#
sysname SW
#
vlan batch 10 20 30 40 50
#
stp disable
#
cluster enable
ntdp enable
ndp enable
#
undo nap slave enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
vlan 10
description guanli
vlan 20
description bangong
vlan 30
description server
vlan 40
description wuxian-yewu
vlan 50
description wuxian-guanli
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
local-user telnet password cipher A-+=WM`TG,)NZPO3JBXBHA!!
local-user telnet service-type telnet
#
interface Vlanif1
#
interface Vlanif10
ip address 192.168.20.254 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 40
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 40 50
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 50
port trunk allow-pass vlan 40 50
#
interface GigabitEthernet0/0/4
port link-type access
#
interface GigabitEthernet0/0/5
port link-type access
#
interface GigabitEthernet0/0/6
port link-type access
#
interface GigabitEthernet0/0/7
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/8
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/9
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/11
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/12
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/13
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/14
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/15
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/16
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/17
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/18
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/19
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/20
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/21
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/22
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/23
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/24
port link-type access
port default vlan 10
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.1
#
user-interface con 0
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
#
port-group bangong
group-member GigabitEthernet0/0/7
group-member GigabitEthernet0/0/8
group-member GigabitEthernet0/0/9
group-member GigabitEthernet0/0/10
group-member GigabitEthernet0/0/11
group-member GigabitEthernet0/0/12
#
port-group guanli
group-member GigabitEthernet0/0/19
group-member GigabitEthernet0/0/20
group-member GigabitEthernet0/0/21
group-member GigabitEthernet0/0/22
group-member GigabitEthernet0/0/23
group-member GigabitEthernet0/0/24
#
port-group server
group-member GigabitEthernet0/0/13
group-member GigabitEthernet0/0/14
group-member GigabitEthernet0/0/15
group-member GigabitEthernet0/0/16
group-member GigabitEthernet0/0/17
group-member GigabitEthernet0/0/18
#
return

AC.cfg


[V200R007C10SPC300]
#
sysname AC
#
set memory-usage threshold 0
#
ssl renegotiation-rate 1
#
vlan batch 10 40 50
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name macportal_authen_profile
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
pki realm default
rsa local-key-pair default
enrollment self-signed
#
ike proposal default
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme radius
radius-server default
domain default_admin
authentication-scheme default
local-user admin password irreversible-cipher $1a$.#W$6hAnhG$"jIhCdQ%gEBM$n,Hn|pY\"d(%$ayJ+'5}vIYY<<S$
local-user admin privilege level 15
local-user admin service-type http
#
interface Vlanif10
ip address 192.168.20.253 255.255.255.0
#
interface Vlanif40
ip address 192.168.30.254 255.255.255.0
#
interface Vlanif50
ip address 192.168.50.254 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 40 50
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
undo negotiation auto
duplex half
#
interface GigabitEthernet0/0/8
undo negotiation auto
duplex half
#
interface NULL0
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
ssh server secure-algorithms cipher aes256_ctr aes128_ctr
ssh server key-exchange dh_group14_sha1
ssh client secure-algorithms cipher aes256_ctr aes128_ctr
ssh client secure-algorithms hmac sha2_256
ssh client key-exchange dh_group14_sha1
#
ip route-static 0.0.0.0 0.0.0.0 192.168.20.1
#
capwap source interface vlanif50
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
protocol inbound all
user-interface vty 16 20
protocol inbound all
#
wlan
traffic-profile name default
security-profile name 1
security-profile name default
security-profile name default-wds
security-profile name default-mesh
ssid-profile name 1
ssid 1
ssid-profile name 2
ssid 2
ssid-profile name default
vap-profile name 1
service-vlan vlan-id 40
ssid-profile 1
security-profile 1
vap-profile name 2
service-vlan vlan-id 40
ssid-profile 2
security-profile 1
vap-profile name default
wds-profile name default
mesh-handover-profile name default
mesh-profile name default
regulatory-domain-profile name area
regulatory-domain-profile name default
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
wireless-access-specification
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
serial-profile name preset-enjoyor-toeap
ap-group name AP
regulatory-domain-profile area
ap-group name we
radio 0
  vap-profile 1 wlan 1
radio 1
  vap-profile 2 wlan 2
ap-group name default
ap-id 0 type-id 69 ap-mac 00e0-fcfe-65d0 ap-sn 210235448310896B403C
ap-group we
provision-ap
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return

Server.cfg


[V200R003C00]
#
sysname Server
#
board add 0/2 1GEC
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
stp disable
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface GigabitEthernet0/0/0
ip address 10.0.0.2 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 80.0.0.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.20.10 255.255.255.0
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.1
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

bangong-pc.cfg


[V200R003C00]
#
sysname bangong-pc
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load flash:/portalpage.zip
#
drop illegal-mac alarm
#
wlan ac-global carrier id other ac id 0
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface GigabitEthernet0/0/0
ip address 192.168.10.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.10.1
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
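An added example (not code from the original post or from Huawei) that turns the lab shortcuts visible in the configs above into a checklist: a small parser for VRP-style text (top-level command, sub-commands indented by one space, blocks separated by a lone #) and an audit that flags default action permit, cleartext management services on an interface, an empty untrust zone, VTYs without authentication-mode or with protocol inbound all, an SSH server still offering HMAC-SHA1, and plaintext passwords. SAMPLE_CONFIG is a constructed excerpt in the shape of FW-BJ.cfg and SW.cfg, not a verbatim copy; the check list is this editor's, not a vendor baseline.

```python
"""Added example (not from the original post): a checker for the lab-only
settings found in the appendix configs."""
import re

SAMPLE_CONFIG = """\
sysname FW-BJ
#
aaa
 local-user admin password simple admin
#
interface GigabitEthernet1/0/6
 undo shutdown
 ip address 1.1.1.2 255.255.255.252
 service-manage http permit
 service-manage telnet permit
 service-manage ssh permit
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/6
#
firewall zone untrust
 set priority 5
#
ssh server hmac sha2_256 sha1
#
user-interface vty 0 4
 protocol inbound all
#
security-policy
 default action permit
#
return
"""


def parse_blocks(text):
    """Split a VRP config into (top-level line, [indented sub-command lines]) pairs."""
    blocks, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None
            continue
        if raw[0].isspace():
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit_config(text):
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    findings, zones = [], {}
    for head, body in parse_blocks(text):
        if head == "security-policy" and "default action permit" in body:
            findings.append(("high", "security-policy default action is permit"))
        elif head.startswith("interface "):
            name = head.split(None, 1)[1]
            for svc in ("telnet", "http", "snmp"):   # cleartext management protocols
                if f"service-manage {svc} permit" in body:
                    findings.append(("medium", f"{name}: cleartext management service {svc} permitted"))
        elif head.startswith("firewall zone "):
            zones[head.split()[-1]] = [l.split()[-1] for l in body if l.startswith("add interface ")]
        elif head.startswith("user-interface vty") and body:   # empty block = defaults, not judged here
            if "protocol inbound all" in body:
                findings.append(("medium", f"{head}: telnet allowed (protocol inbound all)"))
            if not any(l.startswith("authentication-mode") for l in body):
                findings.append(("high", f"{head}: no authentication-mode configured"))
        elif head.startswith("ssh server hmac") and "sha1" in head.split():
            findings.append(("low", "SSH server offers HMAC-SHA1"))
        for line in [head, *body]:
            if re.search(r"\bpassword simple\b", line):
                findings.append(("high", f"plaintext password: {line}"))
    if "untrust" in zones and not zones["untrust"]:
        findings.append(("high", "zone untrust has no interfaces: every interface is trusted"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it on a file saved from the device with audit_config(open(path).read()); the copies pasted in this post lost their leading spaces, so re-indent them first or the block-level checks will not see the sub-commands.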

Closing remarks

Dynamic routing and label switching will probably stay out of reach for the rest of my life, so no more lab builds for me.

Network projects have to fit the site. Dropping a big-enterprise template onto everything regardless of scale is rarely appropriate; the aim is to meet the users' needs efficiently and deliver the required functions at the lowest cost.

If you want the topology diagram, leave an email address and I will send it privately. Start the devices one at a time, otherwise configuration can get lost. And in real work, don't forget to save after configuring, or everything you added disappears after a reboot, haha.

That's it, if my content is good for you, don't forget to subscribe to it! Bye!