Huawei AR201 Series Configuration

AR201-S basic configuration
I. Enable web management:
1. Configure the management IP address and gateway
interface Vlanif1
ip address 10.20.69.1 255.255.255.0
2. Upload the web management file web.zip over FTP
ftp server enable
aaa
local-user user1 password cipher user1
local-user user1 service-type ftp
local-user user1 ftp-directory flash:/
Upload web.zip from the PC:
ftp> binary   (upload in binary mode)
ftp> put web.zip
3. Enable web management and create a web management user
http server enable
http server load web.zip   (loads the web management file)
aaa
local-user user2 password cipher user2
local-user user2 service-type http
local-user user2 privilege level 3
II. Configure the DHCP service:
1. Enable DHCP globally
dhcp enable
#
ip pool lan
gateway-list 10.20.69.1
network 10.20.69.0 mask 255.255.255.0
excluded-ip-address 10.20.69.2 10.20.69.100
excluded-ip-address 10.20.69.200 10.20.69.254
dns-list 172.16.10.25 172.16.10.21
#
dns resolve
dns proxy enable
#
interface Vlanif1
dhcp select global
2. Enable DHCP on the interface only
interface Vlanif1
ip address 10.20.69.1 255.255.255.0
dhcp select interface
dhcp server dns-list 172.16.10.25 172.16.10.21
#
III. PPPoE client configuration:
1. Configure NAT translation:
acl number 3000
rule 10 deny ip source 10.20.69.0 0.0.0.255 destination 172.16.0.0 0.7.255.255
rule 20 deny ip source 10.20.69.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
rule 30 permit ip source 192.168.254.0 0.0.0.255
rule 40 permit ip source 10.20.69.0 0.0.0.255
2. Configure the physical interface that runs PPPoE
interface Ethernet0/0/8
pppoe-client dial-bundle-number 1 on-demand
undo shutdown
3. Configure PPPoE
dialer-rule
dialer-rule 1 ip permit
interface Dialer1
link-protocol ppp
ppp chap user 2100771@xmadsl
ppp chap password cipher xmgov123
ppp pap local-user 2100771@xmadsl password cipher xmgov123
tcp adjust-mss 1400
ip address ppp-negotiate
dialer user 2100771@xmadsl
dialer bundle 1
dialer queue-length 8
dialer timer idle 300
dialer-group 1
nat outbound 3000   (enables NAT)
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
4. Check the PPPoE status
display pppoe-client session summary
IV. Configure the IKE VPN
1. Configure the interesting traffic
acl number 3002
rule 10 permit ip source 10.20.69.0 0.0.0.255 destination 172.16.0.0 0.7.255.255
rule 20 permit ip source 10.20.69.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
2. On the router, configure the local ID and the IKE peer required for IKE negotiation.

ike peer jfgf v1
pre-shared-key simple XMgovVPNPS
ike-proposal 10
remote-address 28.5.6.29
In aggressive mode, when local-id-type is set to name, the side that initiates the negotiation also needs the remote-address x.x.x.x setting.

[ To display the configuration: display ike peer name jfgf verbose ]
3. Create the security proposal:
ipsec proposal xmjf
ike peer 10 v2   (this should not be needed, because ike peer jfgf v1 is already defined above)
ike proposal 10
authentication-algorithm md5
Running display ipsec proposal shows the configured information.
4. Configure the security policy
ipsec policy map 10 isakmp
security acl 3002
ike-peer jfgf
proposal xmjf
Running display ipsec policy shows the configured information.
5. Apply the security policy
interface Dialer1
ipsec policy map
display ipsec sa shows the configured information.
display ike sa shows the configured information.
V. Router management configuration:
clock timezone utc add 08:00:00
aaa
local-user xmjf password cipher xmjf
local-user xmjf privilege level 3
local-user xmjf service-type telnet ssh http
local-user admin password cipher admin
local-user admin service-type telnet http
user-interface con 0
authentication-mode password
set authentication password cipher admin
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
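
Before a configuration like the one above goes onto a production router, it is worth checking it for settings that weaken management access and the VPN. The following is an added example, not part of the original document and not a Huawei tool: a small Python audit that flags passwords identical to the user name, accounts allowed on unencrypted management protocols, a pre-shared key stored with the simple keyword, MD5 authentication and the FTP server. The rule names are hypothetical labels, and the sample input is built from lines on this page.

```python
import re

# Constructed sample: lines taken from the configuration on this page.
SAMPLE = """\
ftp server enable
aaa
 local-user user1 password cipher user1
 local-user user1 service-type ftp
 local-user admin password cipher admin
 local-user admin service-type telnet http
ike peer jfgf v1
 pre-shared-key simple XMgovVPNPS
ike proposal 10
 authentication-algorithm md5
user-interface vty 0 4
 authentication-mode aaa
"""

# Management protocols that send credentials unencrypted.
CLEARTEXT_SERVICES = {"ftp", "telnet", "http"}

# Rule names below are hypothetical labels chosen for this example.
def audit(config):
    """Return (line_no, rule, line) findings for a VRP-style configuration."""
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        # Local account whose password is identical to its user name.
        m = re.match(r"local-user (\S+) password (?:cipher|simple) (\S+)$", line)
        if m and m.group(1).lower() == m.group(2).lower():
            findings.append((no, "password-equals-username", line))
        # Account allowed to log in over an unencrypted protocol.
        m = re.match(r"local-user \S+ service-type (.+)$", line)
        if m and CLEARTEXT_SERVICES & set(m.group(1).split()):
            findings.append((no, "cleartext-management-service", line))
        # "simple" keeps the pre-shared key readable in the saved configuration.
        if re.match(r"pre-shared-key simple\b", line):
            findings.append((no, "psk-stored-in-cleartext", line))
        # MD5 is no longer considered a safe authentication algorithm.
        if re.match(r"authentication-algorithm md5\b", line):
            findings.append((no, "md5-authentication", line))
        if line == "ftp server enable":
            findings.append((no, "ftp-server-enabled", line))
    return findings

if __name__ == "__main__":
    for no, rule, line in audit(SAMPLE):
        print(f"line {no}: {rule}: {line}")
```

Run against a saved configuration, an empty result means none of these five patterns is present; it does not cover settings the page does not show.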
