
府都医院网络配置备份

防火墙

#
# NOTE(review): partial capture of the USG2200 firewall configuration (public
# addresses masked with '***', no closing 'return'); a complete capture of the
# same device follows further down the page. In VRP configuration files lines
# beginning with '#' are section separators / comments, so these notes are inert.
sysname USG2200
#
l2tp domain suffix-separator @
#
ip df-unreachables enable
#
undo firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
# NOTE(review): the firewall resolves names through a public resolver (8.8.8.8);
# point this at an internal resolver if site policy requires it.
dns resolve
dns server 8.8.8.8
#
firewall statistic system enable
#
dns proxy enable
#
license-server domain lic.huawei.com
#
# NOTE(review): HTTPS management is enabled on 8443; no ACL restricting the
# sources or interfaces that may reach it appears in this backup — confirm on the
# device, since GE0/0/1 carries a public address.
web-manager enable
web-manager security enable port 8443
undo web-manager config-guide enable
#
user-manage web-authentication security port 8888
#
# acl 3000 selects the 'yibao' address set for the policy-based route below.
acl number 3000
rule 5 permit ip source address-set yibao
#
interface Cellular0/1/0
link-protocol ppp
#
# GE0/0/0: inside link towards the core switch (10.10.1.0/24), PBR 'yibao' applied.
interface GigabitEthernet0/0/0
ip address 10.10.1.2 255.255.255.0
ip policy-based-route yibao
#
# GE0/0/1: Internet-facing interface (added to zone untrust below), source NAT on.
interface GigabitEthernet0/0/1
ip address 117.172.236.*** 255.255.255.0
nat enable
detect ftp
#
# GE6/0/0: link towards the 'yibao' network (added to zone yibao below).
interface GigabitEthernet6/0/0
ip address 135.1.22.*** 255.255.255.0
#
interface NULL0
alias NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
detect ftp
detect rtsp
detect mms
detect mgcp
detect sip
detect pptp
detect sqlnet
detect h323
detect qq
detect msn
detect dns
detect ils
detect netbios
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
detect ftp
detect rtsp
detect mms
detect mgcp
detect sip
detect pptp
detect sqlnet
detect h323
detect qq
detect msn
detect dns
detect ils
detect netbios
add interface GigabitEthernet0/0/1
#
# zone dmz has no interface assigned in this backup.
firewall zone dmz
set priority 50
detect ftp
detect rtsp
detect mms
detect mgcp
detect sip
detect pptp
detect sqlnet
detect h323
detect qq
detect msn
detect dns
detect ils
detect netbios
#
firewall zone name yibao
set priority 90
detect ftp
detect rtsp
detect mms
detect mgcp
detect sip
detect pptp
detect sqlnet
detect h323
detect qq
detect msn
detect dns
detect ils
detect netbios
add interface GigabitEthernet6/0/0
#
# NOTE(review): the interzone sections below only carry ASPF 'detect' entries;
# no 'policy interzone' permit/deny rules are present in this backup, so the
# effective inter-zone filtering depends on the device default action — confirm.
firewall interzone local trust
detect ftp
detect mms
detect mgcp
detect pptp
detect sip
detect sqlnet
detect h323
detect rtsp
detect qq
detect msn
detect dns
detect ils
detect netbios
#
firewall interzone local untrust
detect ftp
detect mms
detect mgcp
detect pptp
detect sip
detect sqlnet
detect h323
detect rtsp
detect qq
detect msn
detect dns
detect ils
detect netbios
#
firewall interzone local dmz
detect ftp
detect mms
detect mgcp
detect pptp
detect sip
detect sqlnet
detect h323
detect rtsp
detect qq
detect msn
detect dns
detect ils
detect netbios
#
firewall interzone trust untrust
detect ftp
detect mms
detect mgcp
detect pptp
detect sip
detect sqlnet
detect h323
detect rtsp
detect qq
detect msn
detect dns
detect ils
detect netbios
#
firewall interzone trust dmz
detect ftp
detect mms
detect mgcp
detect pptp
detect sip
detect sqlnet
detect h323
detect rtsp
detect qq
detect msn
detect dns
detect ils
detect netbios
#
firewall interzone dmz untrust
detect ftp
detect mms
detect mgcp
detect pptp
detect sip
detect sqlnet
detect h323
detect rtsp
detect qq
detect msn
detect dns
detect ils
detect netbios
#
#
# NOTE(review): both local users are level 15. 'admin' is stored with
# 'password cipher' (reversible) while 'system' uses 'irreversible-cipher'; both
# credential strings are disclosed by publishing this backup and should be
# rotated. Both accounts permit telnet alongside ssh; telnet carries the login
# in cleartext.
aaa
password-policy mandatory enable
local-user admin password cipher %$%$N$Xf10LlyINDefL*[7^!TA8/%$%$
local-user admin service-type web terminal telnet ssh
local-user admin level 15
local-user system password irreversible-cipher %@%@4}YDX:nVQP[‘uOHz;t|O’^ULt8U}Hi{NWG,iGg.Jd7{;(d[V%@%@
local-user system service-type ftp web terminal telnet ssh
local-user system level 15
# NOTE(review): the 'system' account gets FTP access rooted at flash: — confirm
# that file-level access to device storage is actually required.
local-user system ftp-directory flash:
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
domain dot1x
#
#
nqa-jitter tag-version 1

#
# Default route via the Internet interface; 172.168/16 (LAN VLANs) via the core switch.
# NOTE(review): 172.168.0.0/16 lies outside the RFC 1918 172.16.0.0/12 block, so the
# LAN addressing overlaps public address space — confirm this is intended.
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 117.172.236.1
ip route-static 172.168.0.0 255.255.0.0 10.10.1.1
#
banner enable
#
user-interface con 0
# NOTE(review): tty 2 uses password authentication, but no 'set authentication
# password' for it is present in this backup — confirm a password is configured.
user-interface tty 2
authentication-mode password
modem both
# NOTE(review): vty 0-4 accept every inbound protocol (telnet and ssh) and no
# inbound ACL restricts their sources in this backup.
user-interface vty 0 4
authentication-mode aaa
protocol inbound all
#
# PBR 'yibao': traffic matching acl 3000 (the yibao address set) is sent to
# 135.1.22.1; node 1 has no match clause and sends the rest to 117.172.236.1.
policy-based-route yibao permit node 0
if-match acl 3000
apply ip-address next-hop 135.1.22.1
policy-based-route yibao permit node 1
apply ip-address next-hop 117.172.236.1
#
ip address-set yibao type group
address 0 range 172.168.6.1 172.168.8.254
address 1 range 172.168.5.1 172.168.5.254
#
sa
#
slb
#
cwmp
#
right-manager server-group
#

#
# NOTE(review): complete saved configuration of a Huawei USG2200 firewall (VRP).
# Lines beginning with '#' are section separators / comments in VRP
# configuration files, so the review notes below are inert if the file is replayed.
sysname USG2200
#
l2tp domain suffix-separator @
#
ip df-unreachables enable
#
undo firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
# NOTE(review): the firewall resolves names through a public resolver (8.8.8.8);
# point this at an internal resolver if site policy requires it.
dns resolve
dns server 8.8.8.8
#
firewall statistic system enable
#
# DNS proxy: the device answers client queries and forwards to the server above.
dns proxy enable
#
license-server domain lic.huawei.com
#
# NOTE(review): HTTPS management is enabled on 8443; no ACL restricting the
# sources or interfaces that may reach it appears in this backup — confirm on the
# device, since GE0/0/1 carries a public address.
web-manager enable
web-manager security enable port 8443
undo web-manager config-guide enable
#
user-manage web-authentication security port 8888
#
traffic-policy enable
#
# acl 3000 selects the 'yibao' address set for the policy-based route below.
acl number 3000
rule 5 permit ip source address-set yibao
#
# acl 3001 and 3002 are defined but not referenced anywhere in this backup.
acl number 3001
rule 5 permit ip source 192.168.120.34 0
#
acl number 3002
rule 5 permit ip source 192.168.120.0 0.0.0.255
#
interface Cellular0/1/0
link-protocol ppp
#
# GE0/0/0: inside link towards the core switch (10.10.1.0/24), PBR 'yibao' applied.
interface GigabitEthernet0/0/0
ip address 10.10.1.2 255.255.255.0
ip policy-based-route yibao
#
# GE0/0/1: Internet-facing interface (added to zone untrust below), source NAT on.
# NOTE(review): the public address is recorded unmasked in this backup.
interface GigabitEthernet0/0/1
ip address 117.172.236.148 255.255.255.0
nat enable
detect ftp
#
# GE6/0/0: link towards the 'yibao' network (added to zone yibao below).
interface GigabitEthernet6/0/0
ip address 135.1.22.181 255.255.255.0
#
interface NULL0
alias NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
detect ftp
detect rtsp
detect mms
detect mgcp
detect sip
detect pptp
detect sqlnet
detect h323
detect qq
detect msn
detect dns
detect ils
detect netbios
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
detect ftp
detect rtsp
detect mms
detect mgcp
detect sip
detect pptp
detect sqlnet
detect h323
detect qq
detect msn
detect dns
detect ils
detect netbios
add interface GigabitEthernet0/0/1
#
# zone dmz has no interface assigned in this backup.
firewall zone dmz
set priority 50
detect ftp
detect rtsp
detect mms
detect mgcp
detect sip
detect pptp
detect sqlnet
detect h323
detect qq
detect msn
detect dns
detect ils
detect netbios
#
firewall zone name yibao
set priority 90
detect ftp
detect rtsp
detect mms
detect mgcp
detect sip
detect pptp
detect sqlnet
detect h323
detect qq
detect msn
detect dns
detect ils
detect netbios
add interface GigabitEthernet6/0/0
#
# NOTE(review): the interzone sections below only carry ASPF 'detect' entries;
# no 'policy interzone' permit/deny rules are present in this backup, so the
# effective inter-zone filtering depends on the device default action — confirm.
firewall interzone local trust
detect ftp
detect mms
detect mgcp
detect pptp
detect sip
detect sqlnet
detect h323
detect rtsp
detect qq
detect msn
detect dns
detect ils
detect netbios
#
firewall interzone local untrust
detect ftp
detect mms
detect mgcp
detect pptp
detect sip
detect sqlnet
detect h323
detect rtsp
detect qq
detect msn
detect dns
detect ils
detect netbios
#
firewall interzone local dmz
detect ftp
detect mms
detect mgcp
detect pptp
detect sip
detect sqlnet
detect h323
detect rtsp
detect qq
detect msn
detect dns
detect ils
detect netbios
#
firewall interzone trust untrust
detect ftp
detect mms
detect mgcp
detect pptp
detect sip
detect sqlnet
detect h323
detect rtsp
detect qq
detect msn
detect dns
detect ils
detect netbios
#
firewall interzone trust dmz
detect ftp
detect mms
detect mgcp
detect pptp
detect sip
detect sqlnet
detect h323
detect rtsp
detect qq
detect msn
detect dns
detect ils
detect netbios
#
firewall interzone dmz untrust
detect ftp
detect mms
detect mgcp
detect pptp
detect sip
detect sqlnet
detect h323
detect rtsp
detect qq
detect msn
detect dns
detect ils
detect netbios
#
#
# NOTE(review): both local users are level 15. 'admin' is stored with
# 'password cipher' (reversible) while 'system' uses 'irreversible-cipher'; both
# credential strings are disclosed by publishing this backup and should be
# rotated. Both accounts permit telnet alongside ssh; telnet carries the login
# in cleartext.
aaa
password-policy mandatory enable
local-user admin password cipher %$%$N$Xf10LlyINDefL*[7^!TA8/%$%$
local-user admin service-type web terminal telnet ssh
local-user admin level 15
local-user system password irreversible-cipher %@%@n=B9T23]A@|yTqNf7>e@.90’R6u<MYtK,<C&cL)jv`P-t~61%@%@
local-user system service-type ftp web terminal telnet ssh
local-user system level 15
# NOTE(review): the 'system' account gets FTP access rooted at flash: — confirm
# that file-level access to device storage is actually required.
local-user system ftp-directory flash:
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
domain dot1x
#
#
nqa-jitter tag-version 1

#
# Static routes: default via the Internet interface; five /32 hosts in
# 10.163.x / 192.168.120.x via the yibao next hop 135.1.22.1 (the same hosts
# appear in the nat-policy at the end); 172.168/16 (LAN VLANs) via the core switch.
# NOTE(review): 172.168.0.0/16 lies outside the RFC 1918 172.16.0.0/12 block, so the
# LAN addressing overlaps public address space — confirm this is intended.
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 117.172.236.1
ip route-static 10.163.26.60 255.255.255.255 135.1.22.1
ip route-static 10.163.26.69 255.255.255.255 135.1.22.1
ip route-static 10.163.33.61 255.255.255.255 135.1.22.1
ip route-static 172.168.0.0 255.255.0.0 10.10.1.1
ip route-static 192.168.120.34 255.255.255.255 135.1.22.1
ip route-static 192.168.120.50 255.255.255.255 135.1.22.1
#
banner enable
#
user-interface con 0
# NOTE(review): tty 2 uses password authentication, but no 'set authentication
# password' for it is present in this backup — confirm a password is configured.
user-interface tty 2
authentication-mode password
modem both
# NOTE(review): vty 0-4 accept every inbound protocol (telnet and ssh) and no
# inbound ACL restricts their sources in this backup.
user-interface vty 0 4
authentication-mode aaa
protocol inbound all
#
# PBR 'yibao': traffic matching acl 3000 (the yibao address set) is sent to
# 135.1.22.1; node 1 has no match clause and sends the rest to 117.172.236.1.
policy-based-route yibao permit node 0
if-match acl 3000
apply ip-address next-hop 135.1.22.1
policy-based-route yibao permit node 1
apply ip-address next-hop 117.172.236.1
#
ip address-set yibao type group
address 0 range 172.168.6.1 172.168.8.254
address 1 range 172.168.5.1 172.168.5.254
#
sa
#
slb
#
cwmp
#
right-manager server-group
#
# Per-IP rate-limit classes ('下载' = download, '上传' = upload) used by the
# trust<->untrust traffic policies below for hosts 172.168.3.2-172.168.3.254.
car-class 下载 type per-ip
connection-number 2000
car max 6000 guaranteed 3000
car-class 上传 type per-ip
connection-number 1500
car max 3000 guaranteed 2000
#
traffic-policy interzone trust untrust inbound per-ip
policy 0
action car
policy destination range 172.168.3.2 172.168.3.254
policy car-type destination-ip
policy car-class 下载
traffic-policy interzone trust untrust outbound per-ip
policy 0
action car
policy source range 172.168.3.2 172.168.3.254
policy car-type source-ip
policy car-class 上传
#
# Source NAT (easy-ip on GE6/0/0) between zones trust and yibao for the five
# destination hosts listed — the same hosts that have /32 static routes above.
nat-policy interzone yibao trust inbound
policy 0
action source-nat
policy destination 192.168.120.34 mask 32
policy destination 192.168.120.50 mask 32
policy destination 10.163.26.69 mask 32
policy destination 10.163.33.61 mask 32
policy destination 10.163.26.60 mask 32
easy-ip GigabitEthernet6/0/0
#
return

核心三层交换机

#
# NOTE(review): saved configuration of the core layer-3 switch (sysname 'core',
# VRP). Lines beginning with '#' are section separators / comments, so the
# review notes below are inert if the file is replayed.
sysname core
#
# Only VLANs 2-6 and 10 exist on this switch (relevant to the trunk ports below).
vlan batch 2 to 6 10
#
stp instance 0 root primary
#
# HTTP and HTTPS management are disabled; the admin account below still lists
# 'http' as a service type, which has no effect while the servers stay off.
undo http server enable
undo http secure-server enable
#
dhcp enable
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
# NOTE(review): the admin credential is stored with 'password cipher'
# (reversible) and is disclosed by publishing this backup — rotate it. telnet
# is the only remote CLI service type granted (no ssh), so logins cross the
# network in cleartext.
local-user admin password cipher %@%@LP)=1G)99,gy={‘H]tmASQSK%@%@
local-user admin privilege level 15
local-user admin service-type telnet http
#
# Vlanif1: uplink to the firewall (10.10.1.2) on the default VLAN 1.
interface Vlanif1
ip address 10.10.1.1 255.255.255.0
#
# Vlanif2-6: user VLANs with interface-based DHCP; clients are handed an
# external resolver list (61.236.159.99, 8.8.8.8).
# NOTE(review): 172.168.0.0/16 lies outside the RFC 1918 172.16.0.0/12 block,
# so the LAN addressing overlaps public address space — confirm this is intended.
interface Vlanif2
ip address 172.168.3.1 255.255.255.0
dhcp select interface
dhcp server dns-list 61.236.159.99 8.8.8.8
#
interface Vlanif3
ip address 172.168.5.1 255.255.255.0
dhcp select interface
dhcp server dns-list 61.236.159.99 8.8.8.8
#
interface Vlanif4
ip address 172.168.6.1 255.255.255.0
dhcp select interface
dhcp server dns-list 61.236.159.99 8.8.8.8
#
interface Vlanif5
ip address 172.168.7.1 255.255.255.0
dhcp select interface
dhcp server dns-list 61.236.159.99 8.8.8.8
#
interface Vlanif6
ip address 172.168.8.1 255.255.255.0
dhcp select interface
dhcp server dns-list 61.236.159.99 8.8.8.8
#
# MEth0/0/1 (management port): no configuration.
interface MEth0/0/1
#
# NOTE(review): GE0/0/1-22 are all trunks allowing VLANs 2-4094 even though only
# VLANs 2-6 and 10 are defined. If any of these ports connect end hosts rather
# than other switches, consider access ports or pruning the allowed-VLAN list.
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/7
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/8
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/9
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/11
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/12
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/13
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/14
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/15
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/16
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/17
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/18
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/19
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/20
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/21
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/22
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
# GE0/0/23, GE0/0/24 and NULL0: no configuration (default access ports).
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
# Default route towards the firewall's inside address.
ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
#
# NOTE(review): the console password cipher string is disclosed by publishing
# this backup — rotate it. vty 16-20 carry no authentication-mode in this
# backup; confirm how those lines are protected.
user-interface con 0
authentication-mode password
set authentication password cipher %@%@0@7g,@&e^51\ZY@SIsi*,”j+9DSlSC”cMBTy@~#{T<%X”j.,%@%@
user-interface vty 0 4
authentication-mode aaa
user-interface vty 16 20
#
return

 

Author: 伍小虎

向各位朋友学习。鄙人从事：信息化系统（光缆熔接、虚拟化、网络安全等）；智能化系统（楼宇对讲系统、智能照明系统、综合布线系统、智能家居系统等）；安全技术防范系统（视频监控系统、防盗报警系统、门禁管理系统、停车场管理系统、访客访问系统等）。欢迎带项目咨询。
