H3C 3600及3100交换机配置方法.doc

进入管理模式system-view显示正在运行的配置信息H3C dis cur保存配置信息H3Cquitsave配置telnet 管理的用户和口令H3Clocal-user adminH3C-password simple password123H3C-service-type telnetH3C-level 3H3C-quitH3Cuser-interface vty 0 4H3C-authentication-mode scheme一、 H3C 3600交换机1、 划分VLAN，并对VLAN进行IP路由创建vlan 1H3Cvlan 1H3Cint vlan 1H3C-Vlan-interface1ip add 53 H3C-Vlan-interface1quitH3Cint e1/0/1H3C-Ethernet1/0/1port access vlan 1H3C-Ethernet1/0/1quitH3Cint e1/0/2H3C-Ethernet1/0/2port access vlan 1H3C-Ethernet1/0/2quit创建vlan 2H3Cvlan 2H3Cint vlan 2H3C-Vlan-interface1ip add 53 H3C-Vlan-interface1quitH3Cint e1/0/3H3C-Ethernet1/0/3port access vlan 2H3C-Ethernet1/0/3quitH3Cint e1/0/4H3C-Ethernet1/0/4port access vlan 2H3C-Ethernet1/0/4quitH3Cint g1/0/1H3C-G1/0/1port access vlan 2H3C-G1/0/1quit3100及3600交换机TRUNK口应用：两台交换机级联SwitchA与SwitchB用trunk互连，相同VLAN的PC之间可以互访，不同VLAN的PC之间禁止互访l 配置方法：# 进入GigabitEthernet 1/1 以太网端口视图。SWA interface GigabitEthernet 1/1# 配置端口GigabitEthernet 1/1为Trunk端口 并允许VLAN10、VLAN 20的报文通过。SWA-Gthernet1/0/1 port link-type trunkSWA-Gthernet1/0/1 port trunk permit vlan 10 20SWAint e10/1SWA-E1/0/1port acc vlan 10SWA-E1/0/2port acc vlan 20注：SWB交换机配置相同增加路由H3Cip route 54H3Cquitsave端口映像:H3Cmirroring-group 1 localH3Cmirroring-group 1 monitor-port GigabitEthernet 1/1/4H3Cmirroring-group 1 mirroring-port GigabitEthernet 1/1/1 both端口汇聚：system-viewH3Clink-aggregation group 1 mode manualH3Cinterface ethernet1/0/1H3C-Ethernet1/0/1 port link-aggregation group 1H3C-Ethernet1/0/1 interface ethernet1/0/2H3C-Ethernet1/0/2 port link-aggregation group 1H3C-Ethernet1/0/2 interface ethernet1/0/3H3C-Ethernet1/0/3 port link-aggregation group 12、 IPMAC端口绑定H3Cinterface Ethernet1/0/1H3C-Ethernet1/0/1am user-bind mac-addr 0001-0002-0003 ip-addr 3、 IPMAC绑定arp static ip-address mac-address vlan-id interface-typeinterface-number 4、 ACL访问控制列表公司企业网通过Switch的端口实现各部门之间的互连。研发部门由GigabitEthernet1/1/1接入交换机，工资查询服务器的地址为。要求正确配置ACL，禁止研发部门在工作日8:00至18:00访问工资服务器。配置步骤(1)定义时间段# 定义8:00至18:00的周期时间段。 system-viewH3C time-range test 8:00 to 18:00 working-day(2)定义到工资服务器的ACL# 进入ACL3000视图。H3C acl number 3000# 定义其它部门到工资服务器的访问规则。H3C-acl-adv-3000 rule 1 deny ip destination 0 time-range testH3C-acl-adv-3000 quit(3)在端口上应用ACL# 在端口上应用ACL 3000。H3C interface gigabitethernet1/1/1H3C-GigabitEthernet1/1/1 packet-filter inbound ip-group 3000二、 H3C 3100交换机1、广播抑制H3Cint e1/0/1H3Cbroadcast-suppression 5H3Cint e1/0/2H3Cbroadcast-suppression 52、配置web管理H3Cint vlan 1H3C-ip add 53 H3C-quitH3Cundo ip http shutdownH3Clocal-user adminH3C-password simple password123H3C-service-type telnetH3C-level 3H3C-quitH3Cuser-interface vty 0 4H3C-authentication-mode schemeH3C-quitH3Cquitsave华为（H3C）交换机常用配置命令S5000 交换机33用户名：admin删除设备配置reset saved-configuration重启reboot看当前配置文件display current-configuration 改设备名sysname保存配置save进入特权模式sysview华为只有2层模式 不像cisco enale之后还要conf t定义aclacl nubmere XXXX（3000以上）进入以后rule permit/deny IP/TCP/UDP等 source XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX(反向)destination XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX(反向) eq注意 华为默认没有deny any any 防火墙上端口加载ACLQuidway-Ethernet0/0firewall packet-filter 3000 inbound 防火墙上新增加用户 local-user XXX（用户名） password simple XXX（密码）local-user XXX service-type ppp删除某条命令undo（类似与cisco的no）静态路由ip route-static XXX.XXX.XXX.XXX 对vpdn用户设置acl的接口inte*ce Virtual-Template1查看路由表display ip routing-table设定telnet密码user-inte*ce vty 0 4 user privilege level 3set authentication password simple XXX启动/关闭启动 un shut关闭 shut动态nat设置acl number 3000rule 0 permit ip source XXX.XXX.XXX.XXXrule 1 permit ip source XXX.XXX.XXX.XXXrule 2 permit ip source XXX.XXX.XXX.XXXinte*ce Ethernet1/0description =To-Internet(WAN)=ip address XXX.XXX.XXX.XXX XXX.XXX.XXX.XXXnat outbound 3000ipsec policy policy1利用acl来做 符合acl的IP地址可以出去（注意 此处的ACL隐含了deny any any）不符合的IP地址不可以出去创建vlanshzb-crsw-s6506-1vlan 100华为vlan不支持name将port放入vlan创建了vlan后 进入vlan模式shzb-crsw-s6506-1-vlan100port GigabitEthernet 1/0/1 to GigabitEthernet 1/0/8表示从G1/0/1 到1/0/8放入VLAN 100创建trunkinte*ce GigabitEthernet1/0/1duplex full speed 1000* port link-type trunk* port trunk permit vlan allport link-aggregation group 1带*号的是创建trunk链路的语句vlan地址指定inte*ce Vlan-inte*ce2description serverip address XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX vrrp vrid 2 virtual-ip XXX.XXX.XXX.XXX vrrp vrid 2 priority 120vrrp vrid 2 preempt-mode timer delay 10其中vrrp语句指定vrrp 类似与hsrp使用vrrp要注意的是华为不支持pvst只能一台完全是主，一台完全是备份 在主vrrp设备上要指定stp instance 0 root primarystp TC-protection enablestp enable在从vrrp设备上要指定stp instance 0 root secondarystp TC-protection enablestp enable交换机下面绑acl首先进入接口模式，输入qos命令shzb-crsw-s6506-1-GigabitEthernet1/0/1qos在输入如下命令shzb-crsw-s6506-1-qoss-GigabitEthernet1/0/1packet-filter inbound ip-group 3000 华为交换机只能指定inbound方向启用ospfshzb-crsw-s6506-1ospf 100shzb-crsw-s6506-1-ospf-100area 0shzb-crsw-s6506-1-ospf-100-area-network XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX 配置ospf重发布shzb-crs