General template
sys
user-interface vty 0 4
authentication-mode password
set authentication password cipher sdsy/sdsy
user privilege level 15
qui
user-interface conso 0
authentication-mode password
set authentication password cipher sdsy/sdsy
qui
ip route-static 0.0.0.0 0.0.0.0 10.1.1.3
vlan 39
qui
int vlan 1
qui
undo int vlan 1
vlan 255
int vlan 255
ip add 10.1.1.202 24
int g0/0/8
port link-type trunk
port trunk allow-pass vlan all
qui
int range g0/0/1 to g0/0/7
port link-typ access
port defaul vlan 39
stp edged-port enable
loopback-detection enable
exit
errdisable recovery cause loopback-detection
errdisable recovery interval 60
dhcp-snooping enable
int range g0/0/8
dhcp-snooping trust
dhcp enable
AAA authentication
aaa
local-user meng password cipher meng privilege level 15
user-interface vty 0 4
authentication-mode aaa
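Port aggregation
Create the aggregation group with the following commands:
[S9303]interface Eth-Trunk1 // the aggregation group is named Eth-Trunk1
[S9303-Eth-Trunk1]description To-S9303-2 // description
[S9303-Eth-Trunk1]undo port hybrid vlan 1 // remove VLAN 1 pass-through
[S9303-Eth-Trunk1]port hybrid tagged vlan 100 to 200 // VLAN pass-through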
Enter each port and add it to the aggregation group with the following commands:
[S9303]interface GigabitEthernet1/1/16 // enter port G1/1/16
[S9303-GigabitEthernet1/1/16]description To-S7810-G7/0/31 // port description
[S9303-GigabitEthernet1/1/16]eth-trunk 1 // join aggregation group 1
[S9303]interface GigabitEthernet1/1/17 // enter port G1/1/17
[S9303-GigabitEthernet1/1/17]description To-S7810-G7/0/30 // port description
[S9303-GigabitEthernet1/1/17]eth-trunk 1 // join aggregation group 1
dhcp enable
#
dhcp snooping enable
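user-bind static ip-address 192.168.1.200 --- reserve a manually assigned address; a manually assigned address that is not reserved cannot be used
user-bind static ip-address 192.168.1.201 mac-address 4c1f-cc58-379e --- bind the reserved manually assigned address to its MAC address
#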
interface Vlanif1000
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server excluded-ip-address 192.168.1.200 192.168.1.254 --- address range reserved for manual assignment
expired day 0 hour 5
dhcp server forbidden-ip 192.168.2.201 192.168.2.253
display dhcp client
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 1000
ip source check user-bind enable
ip source check user-bind check-item ip-address mac-address
dhcp snooping enable
dhcp snooping check user-bind enable
expired day 0 hour 5
dhcp server forbidden-ip 192.168.2.201 192.168.2.253
display dhcp client
Port mirroring commands:
mirroring-group 2 local // create the group
int g0/0/1
mirroring-group 2 mirroring-port both // set the monitored port
int g0/0/2
mirroring-group 2 monitor-port // sniffer port
Backup and restore
tftp 1.1.1.1 put vrpcfg.cfg 22-hw-22.cfg // upload to the TFTP server (backup)
tftp 2.2.2.2 get 23-hw22.cfg vrpcfg.cfg // download from the TFTP server (restore)
Privilege level
sysname HuaWei_test
super password level 1 cipher 456123
DHCP IP-MAC binding
dhcp snooping bind-table static ip-address 192.168.6.254 mac-address 0000-1111-1234 interface Ethernet 0/0/2
(1) Bind IP 192.168.1.100 and MAC 0001-0002-0003 to interface GigabitEthernet 0/0/1:
user-bind static ip-address 192.168.1.100 mac-address 0001-0002-0003 interface GigabitEthernet 0/0/1 vlan 10
(2) Enable the check on the interface:
ip source check user-bind enable
That is all that is needed.
The detailed configuration procedure is as follows:
IP + MAC + port binding
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]vlan 10 // create VLAN 10 on the device
[Huawei-vlan10]quit
[Huawei]inter gi0/0/1 // enter the interface view
[Huawei-GigabitEthernet0/0/1]port link-type access // set the interface to access type: the type that connects directly to a PC or server
[Huawei-GigabitEthernet0/0/1]port default vlan 10 // assign the interface to VLAN 10
[Huawei-GigabitEthernet0/0/1]quit
[Huawei]user-bind static ip-address 192.168.1.100 mac-address 0001-0002-0003 interface GigabitEthernet 0/0/1 vlan 10
// In global mode, bind the IP address (192.168.1.100), the MAC address (0001-0002-0003), the specific interface (GigabitEthernet 0/0/1),
// and the VLAN the interface belongs to (10) together.
[Huawei]inter gi0/0/1
[Huawei-GigabitEthernet0/0/1]ip source check user-bind enable
// On this interface, check the source IP address of passing packets, i.e. enable the source address check.
Info: Add permit rule for dynamic snooping bind-table, please wait a minute!done.
[Huawei-GigabitEthernet0/0/1]di this // view the interface configuration:
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
ip source check user-bind enable
#
return
[Huawei-GigabitEthernet0/0/1]
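A check for the two steps above (the static binding, then `ip source check user-bind enable` on the port), as an added example that is not part of the original notes: it parses configuration text and reports static bindings whose port lacks the check or that carry no MAC or interface. The sample configuration is constructed, and the names `parse`, `audit`, `SAMPLE`, `ENFORCE` and `BIND` belong to this example only.

```python
import re

# Constructed sample in the style of a VRP configuration; not from a real device.
SAMPLE = """\
user-bind static ip-address 192.168.1.100 mac-address 0001-0002-0003 interface GigabitEthernet 0/0/1 vlan 10
user-bind static ip-address 192.168.1.101 mac-address 0001-0002-0004 interface GigabitEthernet 0/0/2 vlan 10
user-bind static ip-address 192.168.1.200
#
interface GigabitEthernet0/0/1
 port default vlan 10
 ip source check user-bind enable
#
interface GigabitEthernet0/0/2
 port default vlan 10
#
"""
ENFORCE = "ip source check user-bind enable"
BIND = re.compile(r"^user-bind static ip-address (\S+)(?: mac-address (\S+))?"
                  r"(?: interface ([A-Za-z-]+) ?([\d/]+))?(?: vlan (\d+))?$")

def parse(config):
    """Return (bindings, interfaces); interfaces maps port name -> its commands."""
    bindings, interfaces, current = [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = BIND.match(line)
        if m:
            ip, mac, if_type, if_num, vlan = m.groups()
            # Normalise "GigabitEthernet 0/0/1" to the stanza form "GigabitEthernet0/0/1".
            port = if_type + if_num if if_type else None
            bindings.append({"ip": ip, "mac": mac, "port": port, "vlan": vlan})
        elif line.startswith("interface "):
            current = line.split(None, 1)[1].replace(" ", "")
            interfaces[current] = []
        elif line == "#":
            current = None  # "#" closes the current interface stanza
        elif current:
            interfaces[current].append(line)
    return bindings, interfaces

def audit(config):
    """List static bindings that are incomplete or not checked on their port."""
    bindings, interfaces = parse(config)
    enforced = {name for name, cmds in interfaces.items() if ENFORCE in cmds}
    findings = []
    for b in bindings:
        if not (b["mac"] and b["port"]):
            findings.append(f"{b['ip']}: static binding carries no MAC or interface")
        elif b["port"] not in enforced:
            findings.append(f"{b['ip']}: {b['port']} lacks '{ENFORCE}'")
    return findings
```

Calling `audit(SAMPLE)` returns two findings: the binding for 192.168.1.101, whose port GigabitEthernet0/0/2 does not have the check enabled, and the IP-only binding for 192.168.1.200.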
View the ARP/DHCP/ICMP packet counts received by attack defense
display auto-defend attack-source detail
----------------------------------------------------
MAC Address XXXX-XXXX-XXXX-XXXX
Interface GigabitEthernet0/0/2
VLAN: Outer/Inner 0
ARP: 16
DHCP: 980592
ICMP: 982336
Total 1962944
----------------------------------------------------
----------------------------------------------------
MAC Address XXXX-e623-7bce
Interface GigabitEthernet0/0/2
VLAN: Outer/Inner 0
DHCP: 34416
ICMP: 12352
Total 46768
----------------------------------------------------
PPPoE settings
interface Dialer1
link-protocol ppp
ppp pap local-user 28#######1 password simple …………&……&9
ip address ppp-negotiate
dialer user 28#######1
dialer bundle 1
dialer-group 1
nat outbound 3001
#
interface Ethernet0/1
pppoe-client dial-bundle-number 1