1. Assign an IP address to the switch
Enter the IP address assigned to the switch as *.*.*.*, with mask 255.255.255.0 and type System.
Commands:
system-view
interface vlan-interface 1
undo ip address
ip address 172.28.1.33 255.255.255.0
2. Define VLAN 101 (name caiwu) and VLAN 102 (name diaodu): name and ports
Commands:
vlan 101
port e1/0/1 to e1/0/24
interface vlan-interface 101
ip address 192.168.1.1 255.255.255.0
vlan 102
port e1/0/25 to e1/0/47
interface vlan-interface 102
ip address 192.168.2.1 255.255.255.0
3. Define the VLAN interface addresses.
4. Add a route between the two VLANs.
Command: ip route-static 0.0.0.0 0.0.0.0 192.168.1.254
5. Add a default gateway for the switch.
Set Ethernet port Ethernet1/0/1 as a trunk port.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface ethernet 1/0/1
[H3C-Ethernet1/0/1] port link-type trunk
ip address 172.16.21.1 255.255.255.0
Configured this way, it probably means that the host addresses in VLAN 130 are 172.16.21.2 to 172.16.21.254, and 172.16.21.1 is the gateway for that network segment.
Add trunk port Ethernet1/0/1 to VLAN 2, VLAN 4, and VLAN 50 through VLAN 100.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface ethernet 1/0/1
[H3C-Ethernet1/0/1] port link-type trunk
[H3C-Ethernet1/0/1] port trunk permit vlan 2 4 50 to 100
Please wait...Done.
Command to remove the trunk setting from a port:
undo port link-type
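Remote login methods:
Configure a web user
[h3c] local-user admin (configure the user name admin; local user admin)
[h3c] service-type telnet level 3 (set the level to 3; service type telnet, level 3)
[h3c] password simple admin (set the password to admin; password in simple form)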
Configure a Telnet user
[h3c] user-interface vty 0 4 (enter the virtual terminal; user interfaces vty 0 to 4)
[h3c] authentication-mode scheme (authenticate with a local or remote user name; authentication mode scheme)
[h3c] user privilege level 3 (set the login user level to 3)
[h3c] local-user huawei (configure the user name huawei; local user huawei)
[h3c] service-type telnet level 3 (set the level to 3; service type telnet, level 3)
[h3c] password simple admin (set the password to admin; password in simple form)
The same commands without annotations:
user-interface vty 0 4
authentication-mode scheme
user privilege level 3
local-user huawei
service-type telnet level 3
password simple admin
Configuring a user name and password on a Huawei switch
2009-09-18 02:16
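(1) Telnet login to the switch with only a password.
Enter user interface view
[SwitchA]user-interface vty 0 4
Set the authentication mode to password authentication
[SwitchA-ui-vty0-4]authentication-mode password
Set the login password to the plaintext password "huawei"
[SwitchA-ui-vty0-4]set authentication password simple huawei
Set the login user level to the highest level, 3 (the default is level 1)
[SwitchA-ui-vty0-4]user privilege level 3/1
[switchA]super password simple ddddd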
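(2) Telnet login to the switch with a user name and password.
Enter user interface view
[SwitchA]user-interface vty 0 4
Configure local or remote user name and password authentication
[SwitchA-ui-vty0-4]authentication-mode scheme
Configure a local Telnet user with user name "huawei", password "huawei", and the highest privilege level, 3 (the default is level 1)
[SwitchA]local-user huawei
[SwitchA-user-huawei]password simple huawei
[SwitchA-user-huawei]service-type telnet level 3
(3) Login to the switch through the con port with only a password.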
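Enter user interface view
[Quidway]user-interface aux 0
Set the authentication mode to password authentication
[Quidway-ui-aux0] authentication-mode password
Set the login password to the plaintext password "huawei"
[Quidway-ui-aux0] set authentication password simple huawei
Set the login user level to the highest level, 3 (the default is level 1)
[Quidway-ui-aux0] user privilege level 3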
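(4) Login to the switch through the con port with a user name and password.
[Quidway]user-interface aux 0
Configure local or remote user name and password authentication
[Quidway-ui-aux0] authentication-mode scheme
Configure a local Telnet user with user name "huawei", password "huawei", and the highest privilege level, 3 (the default is level 1)
[SwitchA]local-user huawei
[SwitchA-user-huawei]password simple huawei
[SwitchA-user-huawei]service-type telnet level 3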
display arp int g6/1/4
Type: S-Static D-Dynamic
IP Address      MAC Address     VLAN ID  Port Name             Aging  Type
10.2.209.4      001d-0f80-68f1  200      GigabitEthernet6/1/4  N/A    S
192.168.0.7     0050-c21e-f941  900      GigabitEthernet6/1/4  14     D
192.168.0.6     0050-c21f-1a0b  900      GigabitEthernet6/1/4  14     D
192.168.0.8     0050-c21f-19fc  900      GigabitEthernet6/1/4  14     D
10.2.213.107    0025-1185-8bb8  700      GigabitEthernet6/1/4  19     D
10.2.209.251    0023-cd22-f263  210      GigabitEthernet6/1/4  11     D
10.2.209.123    001e-e576-9c9f  200      GigabitEthernet6/1/4  17     D
10.2.209.122    0015-e907-98c7  200      GigabitEthernet6/1/4  20     D
10.2.208.132    0023-893e-2b94  10       GigabitEthernet6/1/4
[DC-HX-S9508-WW-01]int g6/1/4
[DC-HX-S9508-WW-01-GigabitEthernet6/1/4]display this
#
interface GigabitEthernet6/1/4
 description connect to DC-JR-S3600-WW-0401_g1/1/3
[DC-JR-S3600-WW-0401]display mac-address vlan 200
MAC ADDR        VLAN ID  STATE    PORT INDEX            AGING TIME(s)
0000-5e00-0114  200      Learned  GigabitEthernet1/1/3  AGING
0015-587f-185c  200      Learned  GigabitEthernet1/1/3  AGING
0015-e907-98c7  200      Learned  Ethernet2/0/44        AGING
0016-177e-b336  200      Learned  GigabitEthernet1/1/3  AGING
0016-d332-81a9  200      Learned  GigabitEthernet1/1/3  AGING
0016-d336-b3ce  200      Learned  GigabitEthernet1/1/3  AGING
0019-21bd-99a3  200      Learned  GigabitEthernet1/1/3  AGING
001a-a039-fa46  200      Learned  GigabitEthernet1/1/3  AGING
001d-0934-4f2f  200      Learned  GigabitEthernet1/1/3  AGING
001d-0f80-68f1  200      Learned  Ethernet2/0/41        AGING
001d-7280-2303  200      Learned  GigabitEthernet1/1/3  AGING
001e-e576-9c9f  200      Learned  Ethernet2/0/43        AGING
0023-8938-c0e8  200      Learned  GigabitEthernet1/1/3  AGING
0023-8938-c178  200      Learned  GigabitEthernet1/1/3  AGING
0023-8948-c220  200      Learned  Ethernet1/0/6         AGING
0026-b981-d498  200      Learned  GigabitEthernet1/1/3  AGING
0027-1962-e5ab  200      Learned  GigabitEthernet1/1/3  AGING
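Added example, not part of the original notes: the two outputs above are the manual way to trace an IP address from the core switch's ARP table to the access port where its MAC address was learned. The Python sketch below does the same join on a subset of the rows shown; the function names and result strings are illustrative assumptions.

```python
import re

# Rows copied from the two command outputs above (a subset of each table).
ARP_CORE = """\
10.2.209.4    001d-0f80-68f1  200  GigabitEthernet6/1/4  N/A  S
10.2.209.123  001e-e576-9c9f  200  GigabitEthernet6/1/4  17   D
10.2.209.122  0015-e907-98c7  200  GigabitEthernet6/1/4  20   D
10.2.209.251  0023-cd22-f263  210  GigabitEthernet6/1/4  11   D
"""
MAC_ACCESS = """\
0000-5e00-0114  200  Learned  GigabitEthernet1/1/3  AGING
0015-e907-98c7  200  Learned  Ethernet2/0/44        AGING
001d-0f80-68f1  200  Learned  Ethernet2/0/41        AGING
001e-e576-9c9f  200  Learned  Ethernet2/0/43        AGING
"""
# Uplink toward the core, per the port description shown by "display this".
UPLINK = "GigabitEthernet1/1/3"
MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"

def parse_arp(text):
    """Return (ip, mac, vlan) tuples from 'display arp' rows."""
    pat = re.compile(rf"^(\d+(?:\.\d+){{3}})\s+({MAC})\s+(\d+)\s", re.M | re.I)
    return [(ip, mac.lower(), int(vlan)) for ip, mac, vlan in pat.findall(text)]

def parse_mac_table(text):
    """Return {(mac, vlan): port} from 'display mac-address' rows."""
    pat = re.compile(rf"^({MAC})\s+(\d+)\s+\S+\s+(\S+)", re.M | re.I)
    return {(m.lower(), int(v)): port for m, v, port in pat.findall(text)}

def locate_hosts(arp_text, mac_text, uplink):
    """Map each ARP entry to the access port where its MAC was learned."""
    table = parse_mac_table(mac_text)
    result = {}
    for ip, mac, vlan in parse_arp(arp_text):
        port = table.get((mac, vlan))
        if port is None:
            result[ip] = "not in MAC table"      # other VLAN, or aged out
        elif port == uplink:
            result[ip] = "behind uplink " + port  # learned via another switch
        else:
            result[ip] = port
    return result

if __name__ == "__main__":
    for ip, port in locate_hosts(ARP_CORE, MAC_ACCESS, UPLINK).items():
        print(ip, "->", port)
```

The 10.2.209.251 entry is in VLAN 210, so it is not found in a MAC table that was displayed for VLAN 200 only.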
Configuration example and steps: allow only Telnet users from 10.10.1.66 and 10.10.1.78 to access the switch:
# Define a basic access control list.
[Quidway]acl number 2008 match-order config
[Quidway-acl-basic-2008]rule 1 permit source 10.10.1.66 0
[Quidway-acl-basic-2008]rule 2 permit source 10.10.1.78 0
[Quidway-acl-basic-2008]quit
# Reference the access control list.
[Quidway]user-interface vty 0 4
[Quidway-user-interface-vty0-4]acl 2008 inbound
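Added example, not part of the original notes: a small Python audit that flags the login settings used in the sections above when they appear in a saved configuration: passwords stored in `simple` (plaintext) form, Telnet as the service type, shared-password login, and VTY lines with no inbound ACL. The sample configuration is constructed from commands on this page; its indented layout and the finding labels are assumptions.

```python
import re

# Constructed sample, assembled from commands shown on this page.
SAMPLE_CONFIG = """\
local-user huawei
 password simple huawei
 service-type telnet level 3
user-interface aux 0
 authentication-mode password
 set authentication password simple huawei
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
"""
# The same VTY section with the ACL from the example above applied.
RESTRICTED_VTY = """\
user-interface vty 0 4
 acl 2008 inbound
 authentication-mode scheme
"""

def sections(config):
    """Split a config into (header, [indented body commands]) sections."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "#":
            continue
        if line[0] != " ":
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out

def audit(config):
    """Return (section, finding) pairs; the secret itself is never echoed."""
    findings = []
    for header, body in sections(config):
        for cmd in body:
            if re.search(r"\bpassword simple\b", cmd):
                findings.append((header, "plaintext-password"))
            if re.match(r"service-type\b.*\btelnet\b", cmd):
                findings.append((header, "telnet-service"))
            if cmd == "authentication-mode password":
                findings.append((header, "shared-password-login"))
        is_vty = header.startswith("user-interface vty")
        if is_vty and not any(re.fullmatch(r"acl \d+ inbound", c) for c in body):
            findings.append((header, "vty-without-acl"))
    return findings

if __name__ == "__main__":
    for section, finding in audit(SAMPLE_CONFIG):
        print(f"{section}: {finding}")
```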
Restoring an H3C switch to factory settings
reset saved-configuration
The saved configuration will be erased.
Are you sure?[Y/N]y / prompts whether to erase the configuration file /
Configuration in the device is being cleared.
Please wait ......
Configuration in the device is cleared.
reboot
This command will reboot the system. Since the current configuration may have been changed, all changes may be lost if you continue. Continue? [Y/N] Y / prompts whether to reboot the device; pressing Y restarts it /
[Note]
1. You can type just reset sa; reset sa is the abbreviation of reset saved-configuration.
2. After erasing the configuration file, the device must be rebooted before it returns to factory settings.
Changing the switch's system time
clock datetime hh:mm:ss mm/dd/yy
11. Access control lists
Interface-based ACL: 1000-1999
Basic ACL: 2000-2999
acl number acl-num [match-order {config|auto}]
rule [rule-id] {permit|deny} [source sour-add sour-wildcard|any] [time-range time-name] [logging] [fragment] [vpn-instance vpn-instance-name]
Advanced ACL: 3000-3999
acl number acl-num [match-order {config|auto}]
rule [rule-id] {permit|deny} protocol [source sour-add sour-wildcard|any] [destination dest-add dest-wildcard|any] [source-port operator port1 [port2]] [dest-port operator port1 [port2]] [icmp-type {icmp-type icmp-code|icmp-message}] [precedence pre] [time-range time-name] [logging] [fragment] [vpn-instance vpn-instance-name]
MAC-address-based ACL: 4000-4999
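ACL (access control list) example
The company's enterprise network interconnects its departments through the ports of the Switch. The R&D department connects to the switch through GigabitEthernet1/1/1, and the payroll query server's address is 192.168.1.2. The requirement is to configure an ACL correctly so that the R&D department cannot access the payroll server from 8:00 to 18:00 on working days.
Configuration steps
(1) Define the time range
# Define a periodic time range from 8:00 to 18:00.
<H3C> system-view
[H3C] time-range test 8:00 to 18:00 working-day
(2) Define the ACL for access to the payroll server
# Enter ACL 3000 view.
[H3C] acl number 3000
# Define the rule for other departments' access to the payroll server.
[H3C-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 time-range test
[H3C-acl-adv-3000] quit
(3) Apply the ACL on the port
# Apply ACL 3000 on the port.
[H3C] interface gigabitethernet1/1/1
[H3C-GigabitEthernet1/1/1] packet-filter inbound ip-group 3000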
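Added example, not part of the original notes: a Python model of how rule 1 of ACL 3000 above is evaluated, showing the wildcard comparison (a wildcard of 0 means an exact host match) and the working-day time range. The timestamps are constructed, the function names are illustrative, and the inclusive start and exclusive end of the time range are assumptions; a packet that matches no rule is reported as "no-match" rather than assigned a default action.

```python
from datetime import datetime, time
from ipaddress import IPv4Address

def wildcard_match(addr, base, wildcard):
    """Wildcard mask: bits set to 1 are ignored, bits set to 0 must match."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

WORKING_DAY = {0, 1, 2, 3, 4}   # Monday to Friday (datetime.weekday values)

# time-range test 8:00 to 18:00 working-day
TIME_RANGES = {"test": (time(8, 0), time(18, 0), WORKING_DAY)}

def in_time_range(when, start, end, days):
    # Assumption: the start time is inclusive and the end time exclusive.
    return when.weekday() in days and start <= when.time() < end

# rule 1 deny ip destination 192.168.1.2 0 time-range test
# (the wildcard "0" on the command line is written out as 0.0.0.0 here)
ACL_3000 = [
    {"id": 1, "action": "deny", "dst": ("192.168.1.2", "0.0.0.0"),
     "time_range": "test"},
]

def evaluate(acl, dst_ip, when):
    """Return the action of the first active matching rule, else 'no-match'."""
    for rule in sorted(acl, key=lambda r: r["id"]):   # config order
        name = rule.get("time_range")
        if name and not in_time_range(when, *TIME_RANGES[name]):
            continue            # rule is inactive outside its time range
        base, wildcard = rule["dst"]
        if wildcard_match(dst_ip, base, wildcard):
            return rule["action"]
    return "no-match"

if __name__ == "__main__":
    # Constructed timestamps: a Wednesday morning and the following Saturday.
    for when in (datetime(2024, 1, 10, 9, 30), datetime(2024, 1, 13, 9, 30)):
        print(when, evaluate(ACL_3000, "192.168.1.2", when))
```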
IP-MAC binding methods:
[switch-Ethernet1/0/24]am user-bind mac-addr AAAA-AAAA-AAAA ip-addr 192.168.x.x
[switch-Ethernet1/0/24]arp static 192.168.1.1 AAAA-AAAA-AAAA 2
Remove the binding
[switchA]undo arp 192.168.1.1