华为srg2200配置1模板.doc

华为SRG2200路由器配置模板SRG2200作为华为新一代的业务路由器设备。其特点较之前用过的AR28-11等设备更为明显。全面支持了IPv4/IPv6双协议栈，提供了丰富的IPv4向IPv6过渡方案，包括双栈技术、隧道技术、地址转换技术（NAT-PT）等等。同时，其安全防护功能也大大加强。集成的状态检测防火墙功能在抵御各种网络攻击和DDoS攻击的同时，提供完备的网络地址转换（NAT）功能，还能对应用层攻击进行实时检测与防护；集成的反病毒AV（Anti-Virus）功能，采用Symantec强效病毒库，能够有效地保护网络抵御来自病毒、钓鱼、间谍软件、广告软件等的危险；集成的反垃圾邮件AS（Anti-Spam）功能，过滤垃圾邮件，阻止垃圾邮件和钓鱼攻击，支持外部反垃圾邮件联盟RBL邮件阻断扩展；集成的URL过滤和P2P/IM控制功能能更好的抵御对网络安全的威胁，减少对网络违规使用的行为，节约业务带宽，提高员工工作效率的同时也减少了访问违法内容所带来的法律风险。丰富的路由特性 SRG2200系列提供丰富的路由特性。IPv6作为下一代网络的基础协议以其鲜明的技术优势得到广泛的认可，SRG2200系列全面支持IPv4/IPv6双协议栈，提供了丰富的IPv4向IPv6过渡方案，包括双栈技术、隧道技术、地址转换技术（NAT-PT）等等。SRG2200系列支持通用的IPv4/1Pv6路由协议和IPv4组播路由协议，包括静态路由、RIPv2、RIPng、OSPFv2、OSPFv3、BGP-4、BGP-4+、IS-IS、IS-ISv6、PIM等等，同时支持MPLS、路由策略和路由迭代，从而使组网应用更加灵活。专业级安全防御 集成的状态检测防火墙功能在抵御各种网络攻击和DDoS攻击的同时，提供完备的网络地址转换（NAT）功能，还能对应用层攻击进行实时检测与防护； 集成的VPN（IPSec & SSL VPN）功能在高性能硬件加解密芯片保障下，加密性能在业界同类产品中处于领先位置，且支持DES、3DES、AES与RSA等多种加密算法，能够提供高强度加密传输的自由安全连接； 集成的入侵防御系统IPS能实时检测网络系统中的信息数据，并通过综合分析和比较，判断是否有入侵和可疑行为的发生，可采用多种方式实时告警，记录攻击行为，阻断攻击者的进攻，从而更好的防护网络外部和内部的攻击； 集成的反病毒AV（Anti-Virus）功能，采用Symantec强效病毒库，能够有效地保护网络抵御来自病毒、钓鱼、间谍软件、广告软件等的危险； 集成的反垃圾邮件AS（Anti-Spam）功能，过滤垃圾邮件，阻止垃圾邮件和钓鱼攻击，支持外部反垃圾邮件联盟RBL邮件阻断扩展； 集成的URL过滤和P2P/IM控制功能能更好的抵御对网络安全的威胁，减少对网络违规使用的行为，节约业务带宽，提高员工工作效率的同时也减少了访问违法内容所带来的法律风险。一 配置E1模块controller E1 1/0/0 channel-set 0 timeslot-list 1-31undo shut二 配置端口IP1 配置以太网子接口IPinterface GigabitEthernet0/0/0und shutinterface GigabitEthernet0/0/0.1 vlan-type dot1q 700 description description to_DEFAULT_VLAN ip address 10.6.215.54 255.255.255.248 ip relay address 10.6.200.1 ip relay address 10.6.200.9 dhcp select relayinterface GigabitEthernet0/0/0.2 vlan-type dot1q 751 description description to_BOSS_VPN ip address 10.6.158.190 255.255.255.240 ip relay address 10.6.200.1 ip relay address 10.6.200.9 dhcp select relayinterface GigabitEthernet0/0/0.5 vlan-type dot1q 810 description YYT_JK ip address 10.6.106.38 255.255.255.252interface GigabitEthernet0/0/0.6 vlan-type dot1q 820 description YYT_TYPT ip address 10.6.117.86 255.255.255.248 interface GigabitEthernet0/0/0.7 vlan-type dot1q 830 description YYT_PDJ ip address 10.6.252.86 255.255.255.248interface GigabitEthernet0/0/0.8 vlan-type dot1q 840 description YYT_ZZZD ip address 10.6.34.86 255.255.255.248interface LoopBack0 ip address 10.6.197.140 255.255.255.2553 配置广域网端口，启用OSPF协议。interface Serial1/0/0:0 link-protocol ppp description liqiaozhen-caishikou-2m ip address 10.4.244.142 255.255.255.252interface GigabitEthernet0/0/1.1 vlan-type dot1q 213 description to_wangjing_7613B ip address 10.4.236.142 255.255.255.252;其中每个营业厅都有一个DOT1Q封装时的VLAN号。营业厅之前不能混用。ospf 200 area 0.0.0.204 network 10.4.244.140 0.0.0.3 network 10.6.158.176 0.0.0.15 network 10.6.197.140 0.0.0.0 network 10.6.215.48 0.0.0.7 network 10.4.236.140 0.0.0.3 network 10.6.106.36 0.0.0.3 network 10.6.117.80 0.0.0.7 network 10.6.252.80 0.0.0.7 network 10.6.34.80 0.0.0.7 stub4 配置安全策略，实现营业厅各个网段（除广域网之外）两两不能互联。(1)将为各个接口设置安全策略等级，在设置防火墙策略时，priority值越高则安全级越高。优先级高的可以访问优先级低的区域，优先级低的不能访问优先级高的区域。firewall zone untrust set priority 5 add interface Serial1/0/0:0 add interface GigabitEthernet0/0/1.1 ； 默认untrust区域一般用于设置广域网端口。firewall zone name default set priority 90 add interface GigabitEthernet0/0/0.1 ；新增default区域匹配到对应端口firewall zone name boss set priority 80 add interface GigabitEthernet0/0/0.2 ；新增boss区域匹配到对应端口firewall zone name jk set priority 81 add interface GigabitEthernet0/0/0.5 ；新增 jk 区域匹配到对应端口firewall zone name typt set priority 82 add interface GigabitEthernet0/0/0.6 ；新增typt区域匹配到对应端口firewall zone name pdj set priority 83 add interface GigabitEthernet0/0/0.7 ；新增 pdj 区域匹配到对应端口firewall zone name zzzd set priority 84 add interface GigabitEthernet0/0/0.8 ；新增 zzzd 区域匹配到对应端口(2) 配置安全策略policy interzone default untrust outbound ；以下配置了default区域的策略 policy 1 action permit policy source 10.6.215.48 0.0.0.7 policy destination 10.4.41.1 0 policy destination 10.4.41.2 0 policy destination 10.4.41.5 0 policy destination 10.4.41.7 0 policy 2 action permit policy source 10.6.158.176 0.0.0.15 policy source 10.4.236.140 0.0.0.3 policy source 10.6.34.80 0.0.0.7 policy source 10.6.252.80 0.0.0.7 policy source 10.6.117.80 0.0.0.7 policy source 10.6.106.36 0.0.0.3 policy source 10.6.197.140 0 policy source 10.6.215.48 0.0.0.7 policy source 10.4.244.140 0.0.0.3 policy destination any policy 3 action permit policy source 10.6.215.54 0 policy destination 10.6.200.1 0 policy destination 10.6.200.9 0 policy 4 action deny policy source any policy destination any policy interzone boss untrust outbound ；以下配置了boss区域的策略 policy 1 action permit policy source 10.6.215.48 0.0.0.7 policy destination 10.4.41.1 0 policy destination 10.4.41.2 0 policy destination 10.4.41.5 0 policy destination 10.4.41.7 0 policy 2 action permit policy source 10.6.158.176 0.0.0.15 policy source 10.4.236.140 0.0.0.3 policy source 10.6.34.80 0.0.0.7 policy source 10.6.252.80 0.0.0.7 policy source 10.6.117.80 0.0.0.7 policy source 10.6.106.36 0.0.0.3 policy source 10.6.197.140 0 policy source 10.6.215.48 0.0.0.7 policy source 10.4.244.140 0.0.0.3 policy destination any policy 3 action permit policy source 10.6.215.54 0 policy destination 10.6.200.1 0 policy destination 10.6.200.9 0 policy 4 action deny policy source any policy destination anypolicy interzone jk untrust outbound ；以下配置了jk区域的策略 policy 1 action permit policy source 10.6.215.48 0.0.0.7 policy destination 10.4.41.1 0 policy destination 10.4.41.2 0 policy destination 10.4.41.5 0 policy destination 10.4.41.7 0 policy 2 action permit policy source 10.6.158.176 0.0.0.15 policy source 10.4.236.140 0.0.0.3 policy source 10.6.34.80 0.0.0.7 policy source 10.6.252.80 0.0.0.7 policy source 10.6.117.80 0.0.0.7 policy source 10.6.106.36 0.0.0.3 policy source 10.6.197.140 0 policy source 10.6.215.48 0.0.0.7 policy source 10.4.244.140 0.0.0.3 policy destination any policy 3 action permit policy source 10.6.215.54 0 policy destination 10.6.200.1 0 policy destination 10.6.200.9 0 policy 4 action deny policy source any policy destination anypolicy interzone typt untrust outbound ；以下配置了typt 区域的策略 policy 1 action permit policy source 10.6.215.48 0.0.0.7 policy destination 10.4.41.1 0 policy destination 10.4.41.2 0 policy destination 10.4.41.5 0 policy destination 10.4.41.7 0 policy 2 action permit policy source 10.6.158.176 0.0.0.15 policy source 10.4.236.140 0.0.0.3 policy source 10.6.34.80 0.0.0.7 policy source 10.6.252.80 0.0.0.7 policy source 10.6.117.80 0.0.0.7 policy source 10.6.106.36 0.0.0.3 policy source 10.6.197.140 0 policy source 10.6.215.48 0.0.0.7 policy source 10.4.244.140 0.0.0.3 policy destination any policy 3 action permit policy source 10.6.215.54 0 policy destination 10.6.200.1 0 policy destination 10.6.200.9 0 policy 4 action deny policy source any policy destination any policy interzone pdj untrust outbound ；以下配置了pdj区域的策略 policy 1 action permit policy source 10.6.215.48 0.0.0.7 policy destination 10.4.41.1 0 policy destination 10.4.41.2 0 policy destination 10.4.41.5 0 policy destination 10.4.41.7 0 policy 2 action permit policy source 10.6.158.176 0.0.0.15 policy source 10.4.236.140 0.0.0.3 policy source 10.6.34.80 0.0.0.7 policy source 10.6.252.80 0.0.0.7 policy source 10.6.117.80 0.0.0.7 policy source 10.6.106.36 0.0.0.3 policy source 10.6.197.140 0 policy source 10.6.215.48 0.0.0.7 policy source 10.4.244.140 0.0.0.3 policy destination any policy 3 action permit policy source 10.6.215.54 0 policy destination 10.6.200.1 0 policy destination 10.6.200.9 0 policy 4 action deny policy source any policy destination anypolicy interzone zzzd untrust outbound ；以下配置了zzzd区域的策略 policy 1 action permit policy source 10.6.215.48 0.0.0.7 policy destination 10.4.41.1 0 policy destination 10.4.41.2 0 policy destination 10.4.41.5 0 policy destination 10.4.41.7 0 policy 2 action permit policy source 10.6.158.176 0.0.0.15 policy source 10.4.236.140 0.0.0.3 policy source 10.6.34.80 0.0.0.7 policy source 10.6.252.80 0.0.0.7 policy source 10.6.117.80 0.0.0.7 policy source 10.6.106.36 0.0.0.3 policy source 10.6.197.140 0 policy source 10.6.215.48 0.0.0.7 policy source 10.4.244.140 0.0.0.3 policy destination any policy 3 action permit policy source 10.6.215.54 0 policy destination 10.6.200.1 0 policy destination 10.6.200.9 0 policy 4 action deny policy source any policy destination any(3) 在全局应用策略，使得营业厅各网段两两不能互联。 firewall packet-filter default deny interzone default boss direction inbound firewall packet-filter default deny interzone default boss direction outbound firewall packet-filter default deny interzone default jk direction inbound firewall packet-filter default deny interzone default jk direction outbound firewall packet-filter default deny interzone default typt direction inbound firewall packet-filter default deny interzone default typt direction outbound firewall packet-filter default deny interzone default pdj direction inbound firewall packet-filter default deny interzone default pdj direction outbound firewall packet-filter default deny interzone default zzzd direction inbound firewall packet-filter default deny interzone default zzzd direction outbound firewall packet-filter default deny interzone jk boss direction inbound firewall packet-filter default deny interzone jk boss direction outbound firewall packet-filter default deny interzone typt boss direction inbound firewall packet-filter default deny interzone typt boss direction outbound firewall packet-filter default deny interzone pdj boss direction inbound firewall packet-filter default deny interzone pdj boss direction outbound firewall packet-filter default deny interzone zzzd boss direction inbound firewall packet-filter default deny interzone zzzd boss direction outbound firewall packet-filter default deny interzone typt jk direction inbound firewall packet-filter default deny interzone typt jk direction outbound firewall packet-filter default deny interzone pdj jk direction inbound firewall packet-filter default deny interzone pdj jk direction outbound firewall packet-filter default deny interzone zzzd jk direction inbound firewall packet-filter default deny interzone zzzd jk direction outbound firewall packet-filter default deny interzone pdj typt direction inbound firewall packet-filter default deny interzone pdj typt