Huawei Switch Basic Configuration
1. Disable HTTP and HTTPS on a Huawei switch
undo http server enable
undo http secure-server enable
Note: when disabling, turn off HTTP first and then HTTPS; when enabling, turn on HTTPS first and then HTTP.
2. Change the password on a Huawei switch:
[CN-HBCR-OA-1-2F419-ASW30-aaa] local-user admin password irreversible-cipher uxin777888
Please enter old password:
3. SSH remote access configuration on a Huawei switch
rsa local-key-pair create # Generate the RSA key pair.
aaa
local-user admin password irreversible-cipher xinghen1216
local-user admin service-type ssh telnet
# Create the local user admin and set the user password and service type
stelnet server enable
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
protocol inbound ssh
4. NTP configuration on a Huawei switch
clock timezone BJ add 8 # Configure the time zone
ntp-service unicast-server 10.1.41.156 # Configure the time server
dis ntp-service status # Check NTP status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.1.41.156
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 31.18 ms
root dispersion: 1.13 ms
peer dispersion: 1.95 ms
reference time: 02:41:38.856 UTC Nov 2 2021(E52B23E2.DB3ECCC4)
synchronization state: clock set
dis ntp-service sessions # Check NTP sessions
clock source: 10.1.41.156
clock stratum: 3
clock status: configured, master, sane, valid
reference clock ID: 203.107.6.88
reach: 3
current poll: 64
now: 41
offset: -4.3416 ms
delay: 4.64 ms
disper: 1.01 ms
5. SNMP configuration on a Huawei switch
snmp-agent sys-info version all # Configure the SNMP versions
snmp-agent community read cipher uxinsnmp123 # Configure the SNMP read-only community name
snmp-agent trap enable # Enable the switch to send trap messages proactively
snmp-agent target-host trap address udp-domain 10.1.41.253 params securityname cipher uxinsnmp123 # Configure the alarm (trap) host
6. Administrator security configuration on a Huawei switch
1) Example requirements: password length of at least 12 characters, mixing digits, letters and special characters; password validity period of 90 days; lock the account after too many failed password attempts. Disconnect a login session that has had no activity for 10 minutes after a successful login; separate the three roles (system administrator, security administrator, audit administrator).
[CN-HBDHY-OA-1-1F312-DSW01]undo user-interface password complexity-check disable # Enable global password complexity checking; this rule is enabled by default
[CN-HBDHY-OA-1-1F312-DSW01]set password min-length 12 # Set the minimum password length to 12 characters
[CN-HBDHY-OA-1-1F312-DSW01]aaa
[CN-HBDHY-OA-1-1F312-DSW01-aaa]local-user admin idle-timeout 10 # Set the idle timeout of the local administrator admin to 10 minutes
[CN-HBDHY-OA-1-1F312-DSW01-aaa]user-password complexity-check # Enable password complexity checking for local accounts
[CN-HBDHY-OA-1-1F312-DSW01-aaa]local-aaa-user wrong-password retry-interval 5 retry-time 5 block-time 5 # Retry interval for local accounts is 5 minutes, at most 5 consecutive wrong passwords are allowed, and the local account is locked for 5 minutes
[CN-HBDHY-OA-1-1F312-DSW01-aaa]local-aaa-user password policy administrator # Enter the administrator password policy view
[CN-HBDHY-OA-1-1F312-DSW01-aaa-lupp-admin]password expire 90 # Set the password expiry time of the administrator password policy to 90 days
[CN-HBDHY-OA-1-1F312-DSW01-aaa-lupp-admin]password alert before-expire 30 # Set the administrator password policy to warn 30 days before expiry
[CN-HBDHY-OA-1-1F312-DSW01-aaa-lupp-admin]password history record number 5 # Set the administrator password policy to keep 5 historical passwords
2) Login source IP restriction
acl name sourlimit 2001
rule 11 permit source 10.1.13.100 0
rule 12 permit source 10.1.21.131 0
rule 15 permit source 10.1.41.170 0
rule 21 permit source 10.16.2.100 0
ssh server acl 2001
3) Separation of the three administrator roles
local-user admin password irreversible-cipher Abc123123# idle-timeout 10 0
local-user admin privilege level 15 # The system administrator is assigned the management level, i.e. full privileges
local-user admin service-type terminal ssh
local-user audit password irreversible-cipher Abc123123# idle-timeout 10 0
local-user audit privilege level 1 # The audit administrator is assigned the monitoring level, with only limited viewing privileges
local-user audit service-type terminal ssh
local-user security password irreversible-cipher Abc123123# idle-timeout 10 0
local-user security privilege level 2 # The security administrator is assigned the configuration level, with privileges to view and modify day-to-day configuration but not to use FTP, download files, run fault diagnostics, etc.
local-user security service-type terminal ssh
7. Syslog configuration on a Huawei switch
There are eight severity levels, 0-7; 0 is the highest (most severe) and 7 the lowest.
1) Save to the buffer
info-center logbuffer: enables sending log messages to the log buffer; this is enabled by default
2) Send to a syslog server
[CN-HBDHY-OA-1-1F312-DSW01]info-center loghost source Vlanif348
[CN-HBDHY-OA-1-1F312-DSW01]info-center loghost 10.1.33.10 facility local0
3) View the syslog configuration
[CN-HBDHY-OA-1-1F312-DSW01]dis info-center
Information Center:enabled
Log host:
the interface name of the source address:Vlanif348
10.1.33.10, channel number 2, channel name loghost,
language English , host facility local0
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 512,
current messages 512, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 97581
Trap buffer:
enabled,max buffer size 1024, current buffer size 256,
current messages 256, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 219323
logfile:
channel number : 9, channel name : channel9, language : English
Information timestamp setting:
log - date, trap - date, debug - date millisecond
Sent messages = 531626, Received messages = 531626
IO Reg messages = 0 IO Sent messages = 0
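The items in sections 1 to 7 (HTTP/HTTPS off, SSH-only management, password policy, lockout, source ACL, NTP, syslog and SNMP) are the kind of thing that drifts over time, so it is worth checking them mechanically against a configuration dump. The following Python script is an added example, not code from the original post; it scans text in the style of `display current-configuration` with line regexes. The sample configuration is constructed from the page's commands with placeholder secrets, and the check names, the `audit`/`failures` functions and the constant names are this example's own. It also flags two things the page's commands leave open: `service-type ssh telnet` grants the admin account Telnet, and `snmp-agent sys-info version all` enables SNMPv1/v2c (community-string only) alongside v3.

```python
"""Audit a Huawei VRP switch configuration dump against the hardening items in sections 1-7.

Added example (not from the original post). The sample configuration is constructed
from the commands on the page; the secrets are placeholders, not real ciphertext.
"""
import re
from typing import Callable, Dict, List

# Constructed sample: the page's commands as they appear in "display current-configuration".
SAMPLE_CONFIG = """\
 sysname ASW30
 undo http server enable
 undo http secure-server enable
 set password min-length 12
 clock timezone BJ add 8
 ntp-service unicast-server 10.1.41.156
 snmp-agent sys-info version all
 snmp-agent community read cipher %^%#PLACEHOLDER%^%#
 snmp-agent trap enable
 info-center loghost source Vlanif348
 info-center loghost 10.1.33.10 facility local0
acl name sourlimit 2001
 rule 11 permit source 10.1.13.100 0
aaa
 local-user admin password irreversible-cipher %^%#PLACEHOLDER%^%#
 local-user admin service-type ssh telnet
 local-user admin idle-timeout 10 0
 local-aaa-user wrong-password retry-interval 5 retry-time 5 block-time 5
 local-aaa-user password policy administrator
  password expire 90
stelnet server enable
ssh server acl 2001
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
"""

Check = Callable[[str], bool]


def _has(pattern: str) -> Check:
    """Pass when some line matches the pattern."""
    rx = re.compile(pattern, re.MULTILINE)
    return lambda cfg: rx.search(cfg) is not None


def _lacks(pattern: str) -> Check:
    """Pass when no line matches the pattern."""
    rx = re.compile(pattern, re.MULTILINE)
    return lambda cfg: rx.search(cfg) is None


def _numeric(pattern: str, ok: Callable[[int], bool]) -> Check:
    """Pass when the pattern matches and its captured number satisfies ok()."""
    rx = re.compile(pattern, re.MULTILINE)

    def check(cfg: str) -> bool:
        m = rx.search(cfg)
        return m is not None and ok(int(m.group(1)))
    return check


# Order matters: failures() reports in this order.
CHECKS: List[tuple] = [
    ("http server disabled", _has(r"^\s*undo http server enable\b")),
    ("https server disabled", _has(r"^\s*undo http secure-server enable\b")),
    ("stelnet server enabled", _has(r"^\s*stelnet server enable\b")),
    ("vty accepts ssh only", _has(r"^\s*protocol inbound ssh\b")),
    ("telnet server not enabled", _lacks(r"^\s*telnet server enable\b")),
    ("no local user granted telnet", _lacks(r"^\s*local-user \S+ service-type\b.*\btelnet\b")),
    ("password min-length >= 12", _numeric(r"^\s*set password min-length (\d+)", lambda n: n >= 12)),
    ("password expiry <= 90 days", _numeric(r"^\s*password expire (\d+)", lambda n: n <= 90)),
    ("failed-login lockout configured", _has(r"^\s*local-aaa-user wrong-password\b")),
    ("admin idle-timeout set", _has(r"^\s*local-user \S+ idle-timeout\b")),
    ("ssh restricted by source ACL", _has(r"^\s*ssh server acl \d+")),
    ("ntp server configured", _has(r"^\s*ntp-service unicast-server \S+")),
    ("syslog host configured", _has(r"^\s*info-center loghost \d+\.\d+\.\d+\.\d+")),
    # "version all" (or v1/v2c) keeps community-string SNMP reachable; only v3 authenticates.
    ("snmp v1/v2c disabled", _lacks(r"^\s*snmp-agent sys-info version\b.*\b(all|v1|v2c)\b")),
]


def audit(cfg: str) -> Dict[str, bool]:
    """Run every check; True means the item is compliant."""
    return {name: check(cfg) for name, check in CHECKS}


def failures(cfg: str) -> List[str]:
    """Names of the checks the configuration does not satisfy."""
    return [name for name, ok in audit(cfg).items() if not ok]


# The same sample with the two weak items corrected, to show a clean run.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("service-type ssh telnet", "service-type ssh")
                   .replace("sys-info version all", "sys-info version v3"))

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", failures(cfg) or "all checks pass")
```

Run it against a saved `display current-configuration` by reading the file into `failures()`; the line-level regexes are deliberately simple, so a device with several `user-interface vty` blocks or a non-default ACL number should be checked with the patterns adjusted to its own config.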
Huawei Switch VLAN and Trunk Configuration
Build the following network topology in eNSP
1. Configure the first switch, sw1
undo terminal monitor //suppress informational output on the terminal
system-view //enter the system view
[Huawei]sysname sw1 //rename the switch to sw1
[sw1]vlan batch 5 10 //create VLAN 5 and VLAN 10
[sw1]interface Ethernet 0/0/1 //enter port 1
[sw1-Ethernet0/0/1]port link-type access //set port 1 to access mode
[sw1-Ethernet0/0/1]port default vlan 5 //add port 1 to VLAN 5
[sw1-Ethernet0/0/1]interface ethernet 0/0/2 //enter port 2
[sw1-Ethernet0/0/2]port link-type access //set port 2 to access mode
[sw1-Ethernet0/0/2]port default vlan 10 //add port 2 to VLAN 10
[sw1-Ethernet0/0/2]interface ethernet 0/0/22 //enter port 22 on sw1
[sw1-Ethernet0/0/22]port link-type trunk //set port 22 on sw1 to trunk mode
[sw1-Ethernet0/0/22]port trunk allow-pass vlan 5 10 //allow VLAN 5 and VLAN 10 across the trunk link
2. Configure the second switch, sw2
undo terminal monitor //suppress informational output on the terminal
system-view //enter the system view
[Huawei]sysname sw2 //rename the switch to sw2
[sw2]vlan batch 5 10 //create VLAN 5 and VLAN 10
[sw2]interface Ethernet 0/0/3 //enter port 3
[sw2-Ethernet0/0/3]port link-type access //set port 3 to access mode
[sw2-Ethernet0/0/3]port default vlan 5 //add port 3 to VLAN 5
[sw2-Ethernet0/0/3]interface ethernet 0/0/4 //enter port 4
[sw2-Ethernet0/0/4]port link-type access //set port 4 to access mode
[sw2-Ethernet0/0/4]port default vlan 10 //add port 4 to VLAN 10
[sw2-Ethernet0/0/4]interface ethernet 0/0/22 //enter port 22 on sw2
[sw2-Ethernet0/0/22]port link-type trunk //set port 22 on sw2 to trunk mode
[sw2-Ethernet0/0/22]port trunk allow-pass vlan 5 10 //allow VLAN 5 and VLAN 10 across the trunk link
3. Connectivity test
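The two configurations above only work if both ends of the Ethernet0/0/22 link are trunks carrying the same VLANs and every VLAN a port uses was actually created with `vlan batch`; a mismatch silently drops frames for the missing VLAN. The Python script below is an added example, not code from the original post: it parses the sw1/sw2 commands in the form they take in `display current-configuration` (constructed here from the page) and cross-checks them. The function names (`parse_switch`, `check_switch`, `check_trunk_pair`) are this example's own. It goes slightly beyond the page in two ways: it expands `vlan batch`/`allow-pass` ranges written as `a to b`, and it flags `port trunk allow-pass vlan all`, which carries every VLAN, including ones that should never cross that link.

```python
"""Cross-check the VLAN/trunk configuration of two switches joined by a trunk link.

Added example (not from the original post). SW1/SW2 are the page's commands written
as they appear in "display current-configuration".
"""
from typing import Dict, List, Set

SW1 = """\
 sysname sw1
 vlan batch 5 10
interface Ethernet0/0/1
 port link-type access
 port default vlan 5
interface Ethernet0/0/2
 port link-type access
 port default vlan 10
interface Ethernet0/0/22
 port link-type trunk
 port trunk allow-pass vlan 5 10
"""

SW2 = """\
 sysname sw2
 vlan batch 5 10
interface Ethernet0/0/3
 port link-type access
 port default vlan 5
interface Ethernet0/0/4
 port link-type access
 port default vlan 10
interface Ethernet0/0/22
 port link-type trunk
 port trunk allow-pass vlan 5 10
"""


def _expand(tokens: List[str]) -> Set[int]:
    """Expand VLAN list arguments: ['5', '10', '20', 'to', '22'] -> {5, 10, 20, 21, 22}."""
    ids: Set[int] = set()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids


def parse_switch(cfg: str) -> Dict:
    """Return {'vlans': created VLAN ids, 'interfaces': {name: {'type', 'vlans', 'all'}}}."""
    result: Dict = {"vlans": set(), "interfaces": {}}
    current = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("vlan batch "):
            result["vlans"] |= _expand(line.split()[2:])
        elif line.startswith("interface "):
            current = line.split(maxsplit=1)[1]
            result["interfaces"][current] = {"type": None, "vlans": set(), "all": False}
        elif current is None:
            continue
        elif line.startswith("port link-type "):
            result["interfaces"][current]["type"] = line.split()[2]
        elif line.startswith("port default vlan "):
            result["interfaces"][current]["vlans"] = {int(line.split()[3])}
        elif line.startswith("port trunk allow-pass vlan "):
            args = line.split()[4:]
            if args == ["all"]:
                result["interfaces"][current]["all"] = True
            else:
                result["interfaces"][current]["vlans"] |= _expand(args)
    return result


def check_switch(cfg: str) -> List[str]:
    """Per-switch sanity: every port VLAN exists, and no trunk carries every VLAN."""
    sw = parse_switch(cfg)
    issues: List[str] = []
    for name, port in sw["interfaces"].items():
        if port["all"]:
            issues.append(f"{name}: trunk allows all VLANs; restrict allow-pass to the VLANs needed")
        for v in sorted(port["vlans"] - sw["vlans"]):
            issues.append(f"{name}: VLAN {v} is used but was never created")
    return issues


def check_trunk_pair(cfg_a: str, if_a: str, cfg_b: str, if_b: str) -> List[str]:
    """Both ends of the link must be trunks carrying the same VLAN set."""
    a = parse_switch(cfg_a)["interfaces"].get(if_a)
    b = parse_switch(cfg_b)["interfaces"].get(if_b)
    if not a or not b or a["type"] != "trunk" or b["type"] != "trunk":
        return [f"{if_a}/{if_b}: both ends must be configured as trunk"]
    issues: List[str] = []
    for v in sorted(a["vlans"] ^ b["vlans"]):  # VLANs allowed on one side only
        side = if_a if v in a["vlans"] else if_b
        issues.append(f"VLAN {v} is allowed only on {side}; its frames are dropped at the far end")
    return issues


if __name__ == "__main__":
    print(check_switch(SW1) + check_switch(SW2) or "each switch is consistent")
    print(check_trunk_pair(SW1, "Ethernet0/0/22", SW2, "Ethernet0/0/22") or "trunk ends match")
```

With the page's configuration both checks come back empty; dropping VLAN 10 from sw2's `allow-pass` list, or forgetting it in `vlan batch`, produces one finding naming the port and VLAN, which is exactly the condition a ping across VLAN 10 would fail on in step 3.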