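Simple H3C Switch Configuration Example (2016)
This article presents a simple configuration example for an H3C switch. The switch used here is an H126A, and only the most basic configuration needed to make it usable is applied.
During configuration, the display current-configura command shows the configuration currently in use.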
# Configure VLAN 1
System View:return to User View with Ctrl+Z.
[Sysname]vlan 1
[Sysname-vlan1]quit
[Sysname]management-vlan 1
[Sysname]interface Vlan-interface 1
[Sysname-Vlan-interface1]ip address 10.0.1.201 255.255.255.0
# Display information about VLAN interface 1.
# Create a VLAN (H3C does not support Cisco's VTP, so VLANs can only be added statically)
System View:return to User View with Ctrl+Z.
[H3C_TEST]vlan 99
[H3C_TEST-vlan99]name seicoffice
[H3C_TEST-vlan99]quit
# Assign the switch ports to the corresponding VLAN
[H3C_TEST]interface ethernet1/0/2 //enter port view
[H3C_TEST-Ethernet1/0/2]port link-type access //set the port type to access
[H3C_TEST-Ethernet1/0/2]port access vlan 99 //assign the current port to VLAN 99
[H3C_TEST]vlan 99
[H3C_TEST-vlan99]port ethernet1/0/1 to ethernet1/0/24 //assign Ethernet ports 1/0/1 through 1/0/24 to VLAN 99
[H3C_TEST-vlan99]quit
[H3C_TEST-GigabitEthernet1/2/1]port trunk permit vlan 1 99 // {ID|All} set the VLANs allowed through the trunk port
------------------------------------
# Configure a local user
System View:return to User View with Ctrl+Z.
[Sysname]local-user h3c
New local user added.
[Sysname-luser-h3c]service-type telnet level 3
[Sysname-luser-h3c]password simple h3c
# Configure the login banner
[H3C_TEST]header login %Welcome to login h3c!%
# Configure the user authentication mode for telnet (vty 0-4)
[H3C_TEST]user-interface vty 0 4
[H3C_TEST-ui-vty0-4]authentication-mode scheme
[H3C_TEST-ui-vty0-4]protocol inbound telnet
[H3C_TEST-ui-vty0-4]super authentication-mode super-password
[H3C_TEST-ui-vty0-4]quit
[H3C_TEST]super password level 3 simple h3c //password for raising privilege after login
# Configure the RADIUS policy
[H3C_TEST]radius scheme radius1
New Radius scheme
[H3C_TEST-radius-radius1]primary authentication 10.0.1.253 1645
[H3C_TEST-radius-radius1]primary accounting 10.0.1.253 1646
[H3C_TEST-radius-radius1]secondary authentication 127.0.0.1 1645
[H3C_TEST-radius-radius1]secondary accounting 127.0.0.1 1646
[H3C_TEST-radius-radius1]timer 5
[H3C_TEST-radius-radius1]key authentication h3c
[H3C_TEST-radius-radius1]key accounting h3c
[H3C_TEST-radius-radius1]server-type extended
[H3C_TEST-radius-radius1]user-name-format without-domain
# Configure the domain
[H3C_TEST]domain h3c
[H3C_TEST-isp-h3c]authentication radius-scheme radius1 local
[H3C_TEST-isp-h3c]scheme radius-scheme radius1 local
[H3C_TEST]domain default enable h3c
# Configure the key used for local authentication when remote authentication fails
[H3C_TEST]local-server nas-ip 127.0.0.1 key h3c
Telnet login with a password only, administrator privilege
[Router]user-interface vty 0 4
[Router-ui-vty0-4]user privilege level 3
[Router-ui-vty0-4]set authentication password simple abc
Telnet login with a password only, non-administrator privilege
[Router]super password level 3 simple super
[Router]user-interface vty 0 4
[Router-ui-vty0-4]user privilege level 1
[Router-ui-vty0-4]set authentication password simple abc
Telnet login with a user name and password configured on the router, administrator privilege
[Router]local-user admin password simple admin
[Router]local-user admin service-type telnet
[Router]local-user admin level 3
[Router]user-interface vty 0 4
[Router-ui-vty0-4]authentication-mode local
Telnet login with a user name and password configured on the router, non-administrator privilege
[Router]super password level 3 simple super
[Router]local-user manage password simple manage
[Router]local-user manage service-type telnet
[Router]local-user manage level 2
[Router]user-interface vty 0 4
[Router-ui-vty0-4]authentication-mode local
Set a password on the console port; administrator privilege after login
[Router]user-interface con 0
[Router-ui-console0]user privilege level 3
[Router-ui-console0]set authentication password simple abc
Set a password on the console port; non-administrator privilege after login
[Router]super password level 3 simple super
[Router]user-interface con 0
[Router-ui-console0]user privilege level 1
[Router-ui-console0]set authentication password simple abc
Set a user name and password on the console port; administrator privilege after login
[Router]local-user admin password simple admin
[Router]local-user admin service-type terminal
[Router]local-user admin level 3
[Router]user-interface con 0
[Router-ui-console0]authentication-mode local
Set a user name and password on the console port; non-administrator privilege after login
[Router]super password level 3 simple super
[Router]local-user manage password simple manage
[Router]local-user manage service-type terminal
[Router]local-user manage level 2
[Router]user-interface con 0
[Router-ui-console0]authentication-mode local
simple displays the password in plaintext; cipher displays it encrypted.
If no telnet login configuration is set on the router, users cannot log in to the router through telnet.
[Router-ui-vty0-4]acl 2000 inbound  An ACL rule can be used to allow only users who meet its conditions to log in to the router remotely.
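The simple/cipher note and the vty ACL line above lend themselves to a review pass over a saved configuration. The following Python script is an added example, not part of the original article or of any H3C tool: it flags passwords stored with simple, telnet-related settings, and vty lines that have no inbound ACL. The sample configuration, the user name ops and the issue labels are constructed for illustration.

```python
import re

# Constructed sample in the indented style of "display current-configuration";
# names and passwords mirror the page's examples, not a real device.
SAMPLE = """\
telnet server enable
super password level 3 simple super
local-user admin
 password simple admin
 service-type telnet
local-user ops
 password cipher CONSTRUCTED-CIPHERTEXT
 service-type terminal
user-interface con 0
 authentication-mode local
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound telnet
"""

PLAINTEXT = re.compile(r"\bpassword (level \d+ )?simple\b")
TELNET = re.compile(r"\b(telnet server enable|protocol inbound telnet|service-type telnet)\b")
VTY_ACL = re.compile(r"acl \d+ inbound\b")

def blocks(config):
    """Group the dump into (header, [indented child lines]) pairs."""
    out = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0].isspace() and out:
            out[-1][1].append(line)
        else:
            out.append((line, []))
    return out

def audit(config):
    """Return (section, offending line, issue) for each weak management setting."""
    findings = []
    for header, children in blocks(config):
        for text in [header, *children]:
            if text.startswith("undo "):      # a negated command is not a finding
                continue
            if PLAINTEXT.search(text):
                findings.append((header, text, "plaintext-password"))
            if TELNET.search(text):
                findings.append((header, text, "telnet"))
        if header.startswith("user-interface vty") and not any(VTY_ACL.match(c) for c in children):
            findings.append((header, header, "vty-without-acl"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```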
Router commands
~~~~~~~~~~
[Quidway]display version  Display version information
[Quidway]display current-configuration  Display the current configuration
[Quidway]display interfaces  Display interface information
[Quidway]display ip route  Display routing information
[Quidway]sysname aabbcc  Change the host name
[Quidway]super password 123456  Set the password
[Quidway]interface serial0  Enter the interface
[Quidway-serial0]ip address
[Quidway-serial0]undo shutdown  Activate the port
[Quidway]link-protocol hdlc  Bind the HDLC protocol
[Quidway]user-interface vty 0 4
[Quidway-ui-vty0-4]authentication-mode password
[Quidway-ui-vty0-4]set authentication password simple 222
[Quidway-ui-vty0-4]user privilege level 3
[Quidway-ui-vty0-4]quit
[Quidway]debugging hdlc all serial0  Display all information
[Quidway]debugging hdlc event serial0  Debug event information
[Quidway]debugging hdlc packet serial0  Display packet information
Static routing:
[Quidway]ip route-static
For example:
[Quidway]ip route-static 129.1.0.0 16 10.0.0.2
[Quidway]ip route-static 129.1.0.0 255.255.0.0 10.0.0.2
[Quidway]ip route-static 129.1.0.0 16 Serial 2
[Quidway]ip route-static 0.0.0.0 0.0.0.0 10.0.0.2
Dynamic routing:
[Quidway]rip
[Quidway]rip work
[Quidway]rip input
[Quidway]rip output
[Quidway-rip]network 1.0.0.0  (all may also be used)
[Quidway-rip]network 2.0.0.0
[Quidway-rip]peer ip-address
[Quidway-rip]summary
[Quidway]rip version 1
[Quidway]rip version 2 multicast
[Quidway-Ethernet0]rip split-horizon  Split horizon
[Quidway]router id A.B.C.D  Configure the router ID
[Quidway]ospf enable  Enable the OSPF protocol
[Quidway-ospf]import-route direct  Import direct routes
[Quidway-Serial0]ospf enable area
The standard access list command format is as follows:
acl
rule [normal|special] {permit|deny} [source source-addr source-wildcard|any]
Example:
[Quidway]acl 10
[Quidway-acl-10]rule normal permit source 10.0.0.0 0.0.0.255
[Quidway-acl-10]rule normal deny source any
Extended access control list configuration commands
Extended access list for the TCP/UDP protocols:
rule {normal|special} {permit|deny} {tcp|udp} source {
[operate]
Extended access list for the ICMP protocol:
rule {normal|special} {permit|deny} icmp source {
[icmp-code] [logging]
Meaning of the extended access control list operators
equal portnumber  equal to
greater-than portnumber  greater than
less-than portnumber  less than
not-equal portnumber  not equal to
range portnumber1 portnumber2  range
Extended access control list examples
[Quidway]acl 101
[Quidway-acl-101]rule deny source any destination any
[Quidway-acl-101]rule permit icmp source any destination any icmp-type echo
[Quidway-acl-101]rule permit icmp source any destination any icmp-type echo-reply
[Quidway]acl 102
[Quidway-acl-102]rule permit ip source 10.0.0.1 0.0.0.0 destination 202.0.0.1 0.0.0.0
[Quidway-acl-102]rule deny ip source any destination any
[Quidway]acl 103
[Quidway-acl-103]rule permit tcp source any destination 10.0.0.1 0.0.0.0 destination-port equal ftp
[Quidway-acl-103]rule permit tcp source any destination 10.0.0.2 0.0.0.0 destination-port equal www
[Quidway]firewall enable
[Quidway]firewall default permit|deny
[Quidway]int e0
[Quidway-Ethernet0]firewall packet-filter 101 inbound|outbound
Address translation configuration example
[Quidway]firewall enable
[Quidway]firewall default permit
[Quidway]acl 101
[Quidway-acl-101]rule deny ip source any destination any
[Quidway-acl-101]rule permit ip source 129.38.1.4 0 destination any
[Quidway-acl-101]rule permit ip source 129.38.1.1 0 destination any
[Quidway-acl-101]rule permit ip source 129.38.1.2 0 destination any
[Quidway-acl-101]rule permit ip source 129.38.1.3 0 destination any
[Quidway]acl 102
[Quidway-acl-102]rule permit tcp source 202.39.2.3 0 destination 202.38.160.1 0
[Quidway-acl-102]rule permit tcp source any destination 202.38.160.1 0 destination-port greater-than 1024
[Quidway-Ethernet0]firewall packet-filter 101 inbound
[Quidway-Serial0]firewall packet-filter 102 inbound
[Quidway]nat address-group 202.38.160.101 202.38.160.103 pool1
[Quidway]acl 1
[Quidway-acl-1]rule permit source 10.110.10.0 0.0.0.255
[Quidway-acl-1]rule deny source any
[Quidway-acl-1]int serial 0
[Quidway-Serial0]nat outbound 1 address-group pool1
[Quidway-Serial0]nat server global 202.38.160.101 inside 10.110.10.1 ftp tcp
[Quidway-Serial0]nat server global 202.38.160.102 inside 10.110.10.2 www tcp
[Quidway-Serial0]nat server global 202.38.160.102 8080 inside 10.110.10.3 www tcp
[Quidway-Serial0]nat server global 202.38.160.103 inside 10.110.10.4 smtp udp
PPP authentication:
Authenticator: pap|chap
[Quidway]local-user u2 password {simple|cipher} aaa
[Quidway]interface serial 0
[Quidway-serial0]ppp authentication-mode {pap|chap}
[Quidway-serial0]ppp chap user u1 //not needed when using PAP
PAP, authenticated side:
[Quidway]interface serial 0
[Quidway-serial0]ppp pap local-user u2 password {simple|cipher} aaa
CHAP, authenticated side:
[Quidway]interface serial 0
[Quidway-serial0]ppp chap user u1
[Quidway-serial0]local-user u2 password {simple|cipher} aaa
----------------------------------------------------
Annotated H3C router configuration
#
 version 5.20, Release 1719 //version information, displayed automatically
#
 sysname H3C //name the device H3C
#
 super password level 3 cipher 7WC1<3E`[Y)./a!1$H@GYA!! //set the super password
#
 domain default enable system
#
 telnet server enable
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system //everything above that is not annotated is default configuration and need not be studied
#
local-user admin //add a user named admin
 password cipher .]@USE=B,53Q=^Q`MAF4<1!! //set the password (ciphertext)
 authorization-attribute level 3 //set the user privilege to level 3 (the highest)
 service-type telnet //set the user's mode to telnet user
local-user share //the four lines from here down are the same as above
 password cipher [HM$GH8P1GSQ=^Q`MAF4<1!!
 authorization-attribute level 1
 service-type telnet
#
controller E1 0/0 //enter the E1 physical port (the 2 Mbit/s port)
 using e1 //set the port mode to E1 (after this, interface Serial0/0:0 appears below)
#
interface Aux0 //the three lines from here down are the default configuration of the main control board's AUX port
 async mode flow
 link-protocol ppp
#
interface Ethernet0/0 //enter interface E0/0 (Ethernet port)
 port link-mode route //configure this interface in route mode
#
interface Serial0/0:0 //enter port Serial0/0:0 (created by the using e1 command above; corresponds to the E1 port)
 link-protocol ppp //set the link protocol to PPP (the default)
 ip address 74.1.63.170 255.255.255.252 //configure the IP address of this interface
#
interface NULL0
#
interface Vlan-interface1 //VLAN address of the LAN ports (LAN port address)
 ip address 192.168.1.1 255.255.255.0
#
interface Ethernet0/1
 port link-mode bridge
#
interface Ethernet0/2
 port link-mode bridge
#
interface Ethernet0/3
 port link-mode bridge
#
interface Ethernet0/4
 port link-mode bridge
#
 ip route-static 74.1.8.0 255.255.255.0 74.1.63.169 //configure a static route
#
user-interface aux 0
user-interface vty 0 4 //enter the vty interface (remote login interface), channels 0-4
 authentication-mode scheme //set the login authentication type to scheme (user authentication)
 user privilege level 1 //set the login level used when the authentication mode is not scheme (has no effect here)
#
return