Case topology:
#Primary router R_ShenZhen_1 configuration
<R_ShenZhen_1>display current-configuration
sysname R_ShenZhen_1
#ACL referenced by source NAT (nat outbound). Rule 5 excludes the IPsec interesting traffic, rule 10 translates everything else from 10.0.0.0/8. Order matters: on VRP the NAT outbound step runs before the IPsec policy on the outbound interface, so a site-to-site flow that got translated first would no longer match ACL 3010 and would be routed unencrypted toward the default route instead of entering the tunnel.
acl number 3000
rule 5 deny ip source 10.2.0.0 0.0.255.255 destination 10.4.0.0 0.0.255.255
rule 10 permit ip source 10.0.0.0 0.255.255.255
#IPsec interesting traffic: the same 10.2.0.0/16 -> 10.4.0.0/16 flow that ACL 3000 denies
acl number 3010
rule 10 permit ip source 10.2.0.0 0.0.255.255 destination 10.4.0.0 0.0.255.255
#Intended to match the traffic the published web server sends to external clients (TCP source port 80)
acl number 3200
rule 1 permit tcp source-port eq www
#Matches IP protocol 50 (ESP) only. IKE negotiation (UDP 500) and NAT-T encapsulated ESP (UDP 4500) are not matched by this rule.
acl number 3201
rule 1 permit 50
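The interplay between ACL 3000 and ACL 3010 is the one place in this router where rule order decides whether site-to-site traffic is encrypted or leaks out translated. The following is an added example, not part of the textbook configuration: a minimal evaluator for VRP advanced-ACL semantics (wildcard masks, rules tried in configured order, first match wins) that checks both ACLs against a set of constructed flows, and shows what happens if the deny rule is placed after the permit. The rule contents are the page's; the Python names and the sample flows are my own.

```python
"""Check that the NAT ACL and the IPsec interesting-traffic ACL agree on every flow.

Added example; the ACL contents are the page's 'acl number 3000' and 'acl number 3010',
everything else (function names, sample flows) is assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # VRP 'any': every address bit is a wildcard bit


@dataclass(frozen=True)
class Rule:
    action: str                 # 'permit' or 'deny'
    src: Tuple[str, str] = ANY  # (address, wildcard); wildcard 1-bits are ignored
    dst: Tuple[str, str] = ANY


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP/Cisco-style wildcard: a 0 bit in the wildcard means that bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def evaluate(acl: Sequence[Rule], src: str, dst: str) -> Optional[str]:
    """First matching rule wins. None means no rule matched; for a NAT or IPsec
    security ACL on VRP an unmatched flow is simply not translated / not encrypted."""
    for rule in acl:
        if wildcard_match(src, *rule.src) and wildcard_match(dst, *rule.dst):
            return rule.action
    return None


# acl number 3000 (referenced by 'nat outbound 3000'), rules in configured order
ACL_3000 = [
    Rule("deny", ("10.2.0.0", "0.0.255.255"), ("10.4.0.0", "0.0.255.255")),  # rule 5
    Rule("permit", ("10.0.0.0", "0.255.255.255")),                            # rule 10
]
# acl number 3010 (referenced by 'security acl 3010' in ipsec policy map1)
ACL_3010 = [Rule("permit", ("10.2.0.0", "0.0.255.255"), ("10.4.0.0", "0.0.255.255"))]
# Constructed misconfiguration: permit before deny, so the exclusion never fires.
WRONG_ORDER = list(reversed(ACL_3000))


def outbound_treatment(src: str, dst: str,
                       nat_acl: Sequence[Rule] = ACL_3000,
                       ipsec_acl: Sequence[Rule] = ACL_3010) -> str:
    """How a packet leaving GE1/0/0 is handled. NAT outbound runs before the IPsec
    policy, so a flow permitted by both is source-translated first and then no
    longer matches the interesting-traffic ACL: reported here as 'conflict'."""
    natted = evaluate(nat_acl, src, dst) == "permit"
    ipsec = evaluate(ipsec_acl, src, dst) == "permit"
    if natted and ipsec:
        return "conflict"
    if ipsec:
        return "ipsec"
    if natted:
        return "nat"
    return "plain"


def find_conflicts(nat_acl: Sequence[Rule], ipsec_acl: Sequence[Rule],
                   flows: Sequence[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Flows that would be translated and therefore miss the tunnel."""
    return [f for f in flows if outbound_treatment(f[0], f[1], nat_acl, ipsec_acl) == "conflict"]


SAMPLE_FLOWS = [  # constructed test flows
    ("10.2.1.10", "10.4.5.6"),      # site-to-site: must be encrypted, not translated
    ("10.2.1.10", "203.0.113.9"),   # Internet-bound: translated
    ("10.1.1.10", "10.4.5.6"),      # 10.1/16 is not interesting traffic: translated
    ("172.16.1.2", "203.0.113.9"),  # not in 10/8: neither ACL applies
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, outbound_treatment(*flow))
    print("conflicts with configured order:", find_conflicts(ACL_3000, ACL_3010, SAMPLE_FLOWS))
    print("conflicts with permit first:   ", find_conflicts(WRONG_ORDER, ACL_3010, SAMPLE_FLOWS))
```

Running it shows the configured order leaves no conflicting flow, while the reversed order reports 10.2.1.10 -> 10.4.5.6 as translated, which is exactly the "tunnel never comes up" symptom that follows from a forgotten deny rule.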
#-------------IPsec configuration: IKEv1 (ike peer RouterA v1) with a pre-shared key. The IKE proposal sets only the encryption algorithm and DH group; authentication-algorithm is left at the platform default, so set it explicitly (sha2-256, matching tran1) on versions that support it, and prefer IKEv2 where both ends allow it-------------
ipsec proposal tran1
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-128
ike proposal 5
encryption-algorithm aes-cbc-128
dh group5
ike peer RouterA v1
pre-shared-key cipher Huawei@123
ike-proposal 5
local-address 202.96.1.2
remote-address 61.1.1.2
ipsec policy map1 10 isakmp
security acl 3010
ike-peer RouterA
proposal tran1
tunnel local 202.96.1.2
route inject dynamic
#-------------QoS configuration. The stated intent is to give the published HTTP service at least 1 Mbps and IPsec at least 512 kbps on the WAN interface. Note that car is a policer: each class is capped at its cir with bursts of cbs/pbs bytes and red packets are discarded; it does not reserve bandwidth for the class. A real minimum-bandwidth guarantee needs a queueing action (e.g. queue af bandwidth in the traffic behavior on AR routers) rather than car. The cbs/pbs values are exactly 188 x cir and 313 x cir bytes, which is how VRP derives the defaults when they are omitted-------------
traffic classifier ipsecvpn operator or
if-match acl 3201
traffic classifier http operator or
if-match acl 3200
traffic behavior ipsecvpn
car cir 512 cbs 96256 pbs 160256 green pass yellow pass red discard
traffic behavior http
car cir 1000 cbs 188000 pbs 313000 green pass yellow pass red discard
traffic policy QOS
classifier http behavior http
classifier ipsecvpn behavior ipsecvpn
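To see why car cannot "guarantee" a rate, it helps to run the marker the behaviours above describe. The following is an added example, not part of the textbook configuration: a simulation of VRP `car cir cbs pbs` as the single-rate three-colour marker of RFC 2697 (committed bucket of cbs bytes fed at cir, overflow spilling into an excess bucket of pbs bytes; green and yellow pass, red is discarded). The cir/cbs/pbs values are the page's; the offered rates, packet size and function names are assumed for illustration.

```python
"""Simulate what 'car cir 512 cbs 96256 pbs 160256 green pass yellow pass red discard' does.

Added example; the traffic parameters are the page's, the offered traffic is constructed.
cir is in kbit/s and cbs/pbs in bytes, as on VRP.
"""


class SingleRateMarker:
    """RFC 2697 single-rate three-colour marker, colour-blind, as VRP 'car cir cbs pbs'."""

    def __init__(self, cir_kbps: int, cbs: int, pbs: int) -> None:
        self.rate = cir_kbps * 1000 / 8            # token rate in bytes per second
        self.cbs, self.pbs = cbs, pbs              # bucket sizes in bytes (VRP names)
        self.tc, self.te = float(cbs), float(pbs)  # both buckets start full
        self.last = 0.0                            # time of the last refill, seconds

    def _refill(self, now: float) -> None:
        self.tc += (now - self.last) * self.rate
        self.last = now
        if self.tc > self.cbs:                     # committed-bucket overflow spills into the excess bucket
            self.te = min(float(self.pbs), self.te + self.tc - self.cbs)
            self.tc = float(self.cbs)

    def mark(self, now: float, size: int) -> str:
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return "green"
        if size <= self.te:
            self.te -= size
            return "yellow"
        return "red"                               # 'red discard' in the traffic behaviours


def police(cir_kbps: int, cbs: int, pbs: int, offered_kbps: int,
           duration_s: float, pkt_bytes: int = 1500) -> dict:
    """Offer a constant-rate stream of pkt_bytes packets and count what each colour gets."""
    marker = SingleRateMarker(cir_kbps, cbs, pbs)
    interval = pkt_bytes * 8 / (offered_kbps * 1000)          # seconds between packets
    n_packets = int(duration_s * offered_kbps * 1000 / (pkt_bytes * 8))
    counts = {"green": 0, "yellow": 0, "red": 0}
    for i in range(n_packets):
        counts[marker.mark(i * interval, pkt_bytes)] += pkt_bytes
    delivered = counts["green"] + counts["yellow"]
    return {**counts,
            "offered_bytes": n_packets * pkt_bytes,
            "delivered_bytes": delivered,
            "delivered_kbps": delivered * 8 / duration_s / 1000}


def default_burst(cir_kbps: int):
    """VRP default burst sizes: cbs = 188 x cir and pbs = 313 x cir bytes (the page's values)."""
    return 188 * cir_kbps, 313 * cir_kbps


if __name__ == "__main__":
    # IPsec class offered 4x its CIR: the initial burst gets through, then ~3 of 4 packets are red.
    print(police(512, 96256, 160256, offered_kbps=2048, duration_s=2))
    print(police(512, 96256, 160256, offered_kbps=2048, duration_s=60))
    # Offered below CIR: everything is green, the policer is invisible.
    print(police(512, 96256, 160256, offered_kbps=400, duration_s=2))
```

Over a 60 s run the IPsec class offered 2 Mbit/s gets roughly 545 kbit/s through (cir plus the amortised initial burst), and the rest is dropped before encryption even happens. Nothing in this behaviour protects the class from other traffic; it only protects other traffic from the class.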
#-------------Router interface configuration; the internal links run OSPF with MD5 authentication-------------
interface GigabitEthernet0/0/0
ip address 10.1.51.2 255.255.255.0
ospf cost 2
ospf authentication-mode md5 1 cipher Huawei@123
interface GigabitEthernet0/0/1
ip address 10.1.52.2 255.255.255.0
ospf cost 2
ospf authentication-mode md5 1 cipher Huawei@123
interface GigabitEthernet0/0/2
ip address 172.16.1.1 255.255.255.252
#-------------WAN interface: DNAT (nat server) for the published web server, then SNAT (nat outbound 3000), the IPsec policy, and the QoS policy applied in the inbound direction. Because the policy is inbound, ACL 3200 (source-port www) here matches HTTP replies arriving from external web servers, not the DMZ server's own replies, which leave this interface outbound; to police the server's responses the policy would have to be applied outbound-------------
interface GigabitEthernet1/0/0
ip address 202.96.1.2 255.255.255.252
traffic-policy QOS inbound
ipsec policy map1
nat server protocol tcp global current-interface www inside 10.2.100.100 www
nat outbound 3000
interface GigabitEthernet2/0/0
ip address 10.1.55.1 255.255.255.252
ospf authentication-mode md5 1 cipher Huawei@123
#-------------BGP configuration. The points to watch are mutual redistribution at two points (both routers redistribute in both directions), routing-loop avoidance, avoiding suboptimal paths, and path selection-------------
bgp 65100
router-id 1.1.1.1
peer 10.1.55.2 as-number 65100
peer 172.16.1.2 as-number 65200
ipv4-family unicast
undo synchronization
#Lowers the preference of BGP routes matching ip-prefix 1 to 140. Routes that OSPF imports from BGP become OSPF ASE routes with preference 150, so without this a router that learns the same prefix via IBGP (default preference 255) and via OSPF would install the OSPF copy, a suboptimal path through the other node.
preference route-policy PRE
#Advertise the aggregate 10.1.0.0/16 (with AS_SET) and suppress the specific routes
aggregate 10.1.0.0 255.255.0.0 as-set detail-suppressed
#Mutual redistribution at two points: route-policy O2B drops OSPF routes carrying tag 300 (those the other node injected) and tags routes this node originates with 400; the other node does the reverse. Check the two nodes' policies side by side: every tag a node denies must be one the peer node actually applies, otherwise the filter is a no-op and a route can be redistributed back. display ospf lsdb ase shows the tag on each external LSA.
import-route ospf 1 route-policy O2B
peer 10.1.55.2 enable
peer 10.1.55.2 next-hop-local
peer 172.16.1.2 enable
#Set LOCAL_PREF 1000 on routes received from the EBGP neighbor that match ip-prefix 3 (10.3.3.0/24), so the IBGP peer prefers this node for them; node 20 of route-policy 3 has no match clause and permits everything else unchanged
peer 172.16.1.2 route-policy 3 import
#Set MED on routes exported to the EBGP neighbor: 10.1.0.0/16 gets MED 100 (prefer this node), 10.2.0.0/16 gets MED 200 (prefer the other node, which uses the reverse values). Route-policy MED has no final permit-all node, so anything not matching ip-prefix 101 or 102 is not advertised to the EBGP peer at all.
peer 172.16.1.2 route-policy MED export
#-------------OSPF configuration. As the primary egress router, this node advertises the default route into OSPF as a Type 1 external with cost 10; the backup router advertises it with a higher cost so that this node is preferred. For the mutual redistribution, route-policy B2O drops routes carrying tag 100 (redistributed by the other node) and tags this node's redistributed routes 200; the other node uses the opposite values-------------
ospf 1 router-id 1.1.1.1
default-route-advertise cost 10 type 1
import-route bgp route-policy B2O
area 0.0.0.0
authentication-mode md5 1 cipher Huawei@123
network 10.1.51.2 0.0.0.0
network 10.1.52.2 0.0.0.0
network 10.1.55.1 0.0.0.0
route-policy PRE permit node 10
if-match ip-prefix 1
apply preference 140
route-policy O2B deny node 10
if-match tag 300
route-policy O2B permit node 20
apply tag 400
route-policy B2O deny node 10
if-match tag 100
route-policy B2O permit node 20
apply tag 200
route-policy 3 permit node 10
if-match ip-prefix 3
apply local-preference 1000
route-policy 3 permit node 20
route-policy MED permit node 10
if-match ip-prefix 101
apply cost 100
route-policy MED permit node 20
if-match ip-prefix 102
apply cost 200
#-------------The first three prefix-list entries (lists 1 and 3) match routes received from the EBGP neighbor in AS 65200, which the preference and LOCAL_PREF policies act on; the last two (lists 101 and 102) are the local 10.1.0.0/16 and 10.2.0.0/16 that the MED policy advertises to it-------------
ip ip-prefix 1 index 10 permit 10.3.3.0 24
ip ip-prefix 1 index 20 permit 10.3.4.0 24
ip ip-prefix 3 index 10 permit 10.3.3.0 24
ip ip-prefix 101 index 10 permit 10.1.0.0 16
ip ip-prefix 102 index 10 permit 10.2.0.0 16
#-------------Two default routes: this node's WAN link is the primary exit and the other router is the backup. The primary default route is bound via track to the NQA ICMP test 'admin icmp'; when the probe fails the route is withdrawn and the backup (preference 100, via 10.1.55.2) takes over. Note that the probe targets the directly connected ISP next hop 202.96.1.1, so a failure further upstream is not detected; probing an address beyond the first hop catches more-------------
ip route-static 0.0.0.0 0.0.0.0 202.96.1.1 track nqa admin icmp
ip route-static 0.0.0.0 0.0.0.0 10.1.55.2 preference 100
nqa test-instance admin icmp
test-type icmp
destination-address ipv4 202.96.1.1
frequency 5
interval seconds 2
timeout 1
probe-count 2
start now
#Core switch S_ShenZhen_1 configuration
<S_ShenZhen_1>display current-configuration
sysname S_ShenZhen_1
ipv6
vlan batch 2 to 20 51 to 54 100 200
stp instance 1 priority 4096
stp instance 2 priority 8192
#All DHCP features (DHCP relay, DHCP snooping, etc.) require dhcp enable globally
dhcp enable
#MSTP is aligned with VRRP: this switch is root for instance 1 (priority 4096) and VRRP master (priority 120) for its VLANs 1, 2 and 100; the peer is root for instance 2 and master for VLANs 3, 4 and 200, so the forwarding path and the active gateway land on the same switch
stp region-configuration
region-name ShenZhen
instance 1 vlan 1 to 2 5 to 12 51 53 100
instance 2 vlan 3 to 4 13 to 20 52 54 200
active region-configuration
bfd
ospfv3 1
router-id 3.3.3.3
#Service gateway 1: VRRP master (priority 120), preemption delayed by 5 s
interface Vlanif1
ipv6 enable
ip address 10.1.1.1 255.255.255.0
ipv6 address 2001:AAAA:BBBB:1::1/64
ospfv3 1 area 0.0.0.0
vrrp vrid 1 virtual-ip 10.1.1.254
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 5
vrrp vrid 1 authentication-mode md5 Huawei
dhcp select relay
dhcp relay server-ip 10.2.1.2
#Service gateway 2: VRRP master (priority 120), preemption delayed by 5 s
interface Vlanif2
ipv6 enable
ip address 10.1.2.1 255.255.255.0
ipv6 address 2001:AAAA:BBBB:2::1/64
ospfv3 1 area 0.0.0.0
vrrp vrid 2 virtual-ip 10.1.2.254
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 5
vrrp vrid 2 authentication-mode md5 Huawei
dhcp select relay
dhcp relay server-ip 10.2.1.2
#Service gateway 3: VRRP backup (default priority 100). When the BFD session to the peer's real interface IP goes down, the priority is increased by 25 to 125, above the peer's 120 (assuming the peer mirrors the priority used here for VLANs 1 and 2), so this switch becomes master without waiting for the VRRP master-down timer
interface Vlanif3
ipv6 enable
ip address 10.1.3.1 255.255.255.0
ipv6 address 2001:AAAA:BBBB:3::1/64
ospfv3 1 area 0.0.0.0
vrrp vrid 3 virtual-ip 10.1.3.254
vrrp vrid 3 track bfd-session session-name vlan03 increased 25
vrrp vrid 3 authentication-mode md5 Huawei
dhcp select relay
dhcp relay server-ip 10.2.1.2
#Service gateway 4: VRRP backup, same BFD-driven priority increase as gateway 3. Note that vrid 1 is reused here; VRIDs are scoped per interface so it works, but vrid 4 would be consistent with the other gateways
interface Vlanif4
ipv6 enable
ip address 10.1.4.1 255.255.255.0
ipv6 address 2001:AAAA:BBBB:4::1/64
ospfv3 1 area 0.0.0.0
vrrp vrid 1 virtual-ip 10.1.4.254
vrrp vrid 1 track bfd-session session-name vlan04 increased 25
vrrp vrid 1 authentication-mode md5 Huawei
dhcp select relay
dhcp relay server-ip 10.2.1.2
#Routing interconnect VLAN to the two routers (primary and backup): no VRRP here, OSPF with MD5 authentication
interface Vlanif51
ip address 10.1.51.1 255.255.255.0
ospf authentication-mode md5 1 cipher Huawei@123
#Link to the S_DMZ_3 switch
interface Vlanif53
ipv6 enable
ip address 10.1.53.1 255.255.255.252
ipv6 address 2001:AAAA:BBBB:35::1/126
ospfv3 1 area 0.0.0.0
ospf authentication-mode md5 1 cipher Huawei@123
#Downstream VRRP gateway for the WLAN AP management subnet (master, priority 120)
interface Vlanif100
ip address 10.1.100.1 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.100.254
vrrp vrid 5 priority 120
vrrp vrid 5 authentication-mode md5 Huawei
#Downstream VRRP gateway for the WLAN service subnet (backup, default priority)
interface Vlanif200
ip address 10.1.200.1 255.255.255.0
vrrp vrid 6 virtual-ip 10.1.200.254
vrrp vrid 6 authentication-mode md5 Huawei
#Eth-Trunk to the peer core switch
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#To access switch S_ShenZhen_3
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#To access switch S_ShenZhen_4
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#To router R_ShenZhen_1 (OSPF, VLAN 51)
interface GigabitEthernet0/0/3
port link-type access
port default vlan 51
#To router R_ShenZhen_2 (OSPF, VLAN 51)
interface GigabitEthernet0/0/4
port link-type access
port default vlan 51
#To the wireless access controller
interface GigabitEthernet0/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#To the S_DMZ_3 switch
interface GigabitEthernet0/0/6
port link-type access
port default vlan 53
#Eth-Trunk1 member port to the peer core switch
interface GigabitEthernet0/0/23
eth-trunk 1
#Eth-Trunk1 member port to the peer core switch
interface GigabitEthernet0/0/24
eth-trunk 1
#BFD session paired with VRRP for fast failure detection of the peer's real IP on Vlanif3
bfd vlan03 bind peer-ip 10.1.3.2 source-ip 10.1.3.1 auto
commit
#BFD session paired with VRRP for fast failure detection of the peer's real IP on Vlanif4
bfd vlan04 bind peer-ip 10.1.4.2 source-ip 10.1.4.1 auto
commit
#OSPF on the core switch. The user-facing SVIs are silent interfaces: their subnets are still advertised, but no Hello packets are sent or accepted on them, so a host in those VLANs cannot form an adjacency or inject routes
ospf 1 router-id 3.3.3.3
silent-interface Vlanif3
silent-interface Vlanif4
silent-interface Vlanif1
silent-interface Vlanif2
silent-interface Vlanif100
silent-interface Vlanif200
area 0.0.0.0
authentication-mode md5 1 cipher Huawei@123
network 10.1.1.1 0.0.0.0
network 10.1.2.1 0.0.0.0
network 10.1.3.1 0.0.0.0
network 10.1.4.1 0.0.0.0
network 10.1.51.1 0.0.0.0
network 10.1.53.1 0.0.0.0
network 10.1.100.1 0.0.0.0
network 10.1.200.1 0.0.0.0
#Access switch S_ShenZhen_3 configuration
[S_ShenZhen_3]display current-configuration
sysname S_ShenZhen_3
vlan batch 2 to 20 51 to 52 100 200
#All DHCP features (DHCP relay, DHCP snooping, etc.) require dhcp enable globally
dhcp enable
#DHCP snooping is enabled only on the access layer; it is not needed elsewhere
dhcp snooping enable
#Same MSTP region as the core, to keep the spanning-tree environment simple
stp region-configuration
region-name ShenZhen
instance 1 vlan 1 to 2 5 to 12 51 100
instance 2 vlan 3 to 4 13 to 20 52 200
active region-configuration
#Enable DHCP snooping per VLAN
vlan 1
dhcp snooping enable
vlan 2
dhcp snooping enable
vlan 3
dhcp snooping enable
vlan 4
dhcp snooping enable
#Management IP address. It sits in VLAN 1, which is also the default PVID and is allowed on every trunk below; a dedicated management VLAN is preferable
interface Vlanif1
ip address 10.1.1.3 255.255.255.0
#Terminal-facing ports: port security, dynamic ARP inspection and IP source guard, the latter two checking against the DHCP snooping binding table, so they depend on DHCP snooping. Hosts with static addresses need a static binding (user-bind static ip-address ... mac-address ...) or their traffic is dropped
interface Ethernet0/0/1
port link-type access
port default vlan 2
stp edged-port enable
port-security enable
arp anti-attack check user-bind enable
ip source check user-bind enable
interface Ethernet0/0/2
port link-type access
port default vlan 3
stp edged-port enable
port-security enable
arp anti-attack check user-bind enable
ip source check user-bind enable
#Uplink to the PoE switch that serves the APs: VLAN 100 (AP management) untagged as the PVID, VLAN 200 (wireless service) tagged
interface Ethernet0/0/22
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 200
#GE0/0/1 and GE0/0/2 go to the core switches and are DHCP snooping trusted ports; DHCP server replies arriving on any other port are dropped
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
dhcp snooping enable
dhcp snooping trusted
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
dhcp snooping enable
dhcp snooping trusted
#Default route to the core switches' VRRP virtual address
ip route-static 0.0.0.0 0.0.0.0 10.1.1.254
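The access-layer pattern above (snooping per VLAN, trusted uplinks, DAI and IPSG on every terminal port) only holds if no port is missed, and a single untrusted uplink or a port without IPSG silently undoes it. The following is an added example, not from the textbook: a small audit that parses VRP `display current-configuration` output into stanzas and flags access ports in snooped VLANs that lack any of the four commands, and trunks that carry snooped VLANs without being trusted. The sample configuration is constructed from the S_ShenZhen_3 stanzas, with one deliberately incomplete port (Ethernet0/0/3) and one untrusted uplink (GigabitEthernet0/0/2) added so that findings appear; all function names are my own.

```python
"""Audit a VRP access-switch config for the DHCP snooping / DAI / IPSG pattern.

Added example. The sample config is constructed from the page's S_ShenZhen_3 stanzas
plus two deliberate mistakes; the parser and checks are illustrative, not a Huawei tool.
"""
import re
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (severity, where, message)

# Commands the page applies to every terminal-facing access port.
REQUIRED_ON_ACCESS = (
    "stp edged-port enable",
    "port-security enable",
    "arp anti-attack check user-bind enable",
    "ip source check user-bind enable",
)

SAMPLE_CONFIG = """\
#
dhcp enable
#
dhcp snooping enable
#
vlan 2
 dhcp snooping enable
#
vlan 3
 dhcp snooping enable
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 2
 stp edged-port enable
 port-security enable
 arp anti-attack check user-bind enable
 ip source check user-bind enable
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 3
 stp edged-port enable
 port-security enable
#
interface Ethernet0/0/22
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 200
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 dhcp snooping enable
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 dhcp snooping enable
#
"""


def parse_stanzas(config: str) -> Dict[str, List[str]]:
    """Split config output into stanzas: a header ('interface ...' or 'vlan N') up to
    the next '#' separator. Lines outside any stanza are collected under 'global'."""
    stanzas: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            current = "global"
        elif line.startswith("interface ") or re.fullmatch(r"vlan \d+", line):
            current = line
            stanzas[current] = []
        elif line:
            stanzas[current].append(line)
    return stanzas


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand a VRP VLAN list such as '2 to 4094' or '100 200'."""
    vlans: Set[int] = set()
    tokens = spec.split()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def trunk_vlans(body: List[str]) -> Set[int]:
    allowed: Set[int] = {1}  # VLAN 1 stays allowed on a VRP trunk unless explicitly removed
    for line in body:
        if line.startswith("port trunk allow-pass vlan "):
            allowed |= parse_vlan_list(line[len("port trunk allow-pass vlan "):])
    return allowed


def audit(config: str) -> List[Finding]:
    st = parse_stanzas(config)
    findings: List[Finding] = []
    if "dhcp snooping enable" not in st["global"]:
        findings.append(("error", "global", "dhcp snooping enable is missing"))
    snooped = {int(h.split()[1]) for h, body in st.items()
               if h.startswith("vlan ") and "dhcp snooping enable" in body}
    for header, body in st.items():
        if not header.startswith("interface "):
            continue
        ifname = header.split(" ", 1)[1]
        if "port link-type access" in body:
            pvid = next((int(l.split()[-1]) for l in body if l.startswith("port default vlan ")), 1)
            if pvid in snooped:  # only ports whose VLAN is snooped can rely on the binding table
                for cmd in REQUIRED_ON_ACCESS:
                    if cmd not in body:
                        findings.append(("error", ifname, f"missing '{cmd}'"))
        elif "port link-type trunk" in body:
            if trunk_vlans(body) & snooped and "dhcp snooping trusted" not in body:
                findings.append(("warn", ifname, "untrusted trunk carries snooped VLANs; "
                                 "right for a downstream trunk, wrong for an uplink to the DHCP server"))
    return findings


if __name__ == "__main__":
    for severity, where, message in audit(SAMPLE_CONFIG):
        print(f"{severity:5} {where:22} {message}")
```

Feed it the real `display current-configuration` output and treat every "error" as a port where an attacker can spoof an IP or poison ARP, and every "warn" on an uplink as a path through which a rogue DHCP server's offers reach clients.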
#Wireless access controller AC_ShenZhen_1 configuration
<AC_ShenZhen_1>display current-configuration
sysname AC_ShenZhen_1
vlan batch 2 to 20 51 to 54 100 200
stp enable
dhcp enable
stp region-configuration
region-name ShenZhen
instance 1 vlan 1 to 2 5 to 12 51 53 100
instance 2 vlan 3 to 4 13 to 20 52 54 200
active region-configuration
#Both the AP management addresses (VLAN 100) and the wireless client addresses (VLAN 200) are allocated by the AC's own DHCP server; the gateway is the core switches' VRRP virtual IP and DNS is the internal server 10.2.100.100
interface Vlanif100
ip address 10.1.100.3 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.1.100.254
dhcp server dns-list 10.2.100.100
interface Vlanif200
ip address 10.1.200.3 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.1.200.254
dhcp server dns-list 10.2.100.100
#GE0/0/1 and GE0/0/2 go to the core switches
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
ip route-static 0.0.0.0 0.0.0.0 10.1.100.254
#WLAN configuration. The SSID uses WPA/WPA2-PSK: one passphrase shared by every user, so anyone holding it who captures a client's 4-way handshake can decrypt that client's traffic. The cipher argument of the security command should be aes (TKIP is deprecated), and WPA2 with 802.1X (security wpa2 dot1x aes) is preferable where a RADIUS server is available
capwap source interface vlanif100
wlan
traffic-profile name default
security-profile name default
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase Huawei@123 aes
ssid-profile name wlan-net
ssid wlan-net
vap-profile name wlan-net
service-vlan vlan-id 200
ssid-profile wlan-net
security-profile wlan-net
ap-group name ap-group1
radio 0
vap-profile wlan-net wlan 1
radio 1
vap-profile wlan-net wlan 1
ap-id 0 type-id 56 ap-mac ac85-3d92-3340 ap-sn 210235448310DD5A8851
ap-name area_1
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 127
radio 1
channel 20mhz 149
eirp 127
ap-id 1 type-id 56 ap-mac ac85-3d92-1b60 ap-sn 2102354483107055E426
ap-name area_2
ap-group ap-group1
radio 0
channel 20mhz 11
eirp 127
radio 1
channel 20mhz 153
eirp 127
provision-ap
Case study taken from the final chapter of 《网络系统建设与运维(高级)》 (Network System Construction and Operations, Advanced), compiled by Huawei Technologies Co., Ltd.