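Huawei Switch Basic Configuration; Huawei Switch VLAN and Trunk Configuration

Date: 2022-07-20 14:45:57  Source: 三好在线


Huawei Switch Basic Configuration

1. Disabling HTTP and HTTPS on a Huawei switch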

undo http server enable

undo http secure-server enable

Note: when disabling, turn off HTTP first and then HTTPS; when enabling, turn on HTTPS first and then HTTP.

2. Changing the password on a Huawei switch:

[CN-HBCR-OA-1-2F419-ASW30-aaa] local-user admin password irreversible-cipher uxin777888

Please enter old password:

3. Configuring SSH remote access on a Huawei switch

rsa local-key-pair create # Generate the RSA key pair.

aaa

local-user admin password irreversible-cipher xinghen1216

local-user admin service-type ssh telnet

# Create the local user admin and set its password and service type

stelnet server enable

ssh user admin

ssh user admin authentication-type password

ssh user admin service-type stelnet

user-interface vty 0 4

authentication-mode aaa

user privilege level 15

protocol inbound ssh

4. Configuring NTP on a Huawei switch

clock timezone BJ add 8 # Set the time zone

ntp-service unicast-server 10.1.41.156 # Set the time server

dis ntp-service status # Show NTP status

clock status: synchronized

clock stratum: 4

reference clock ID: 10.1.41.156

nominal frequency: 100.0000 Hz

actual frequency: 100.0000 Hz

clock precision: 2^18

clock offset: 0.0000 ms

root delay: 31.18 ms

root dispersion: 1.13 ms

peer dispersion: 1.95 ms

reference time: 02:41:38.856 UTC Nov 2 2021(E52B23E2.DB3ECCC4)

synchronization state: clock set

dis ntp-service sessions # Show NTP sessions

clock source: 10.1.41.156

clock stratum: 3

clock status: configured, master, sane, valid

reference clock ID: 203.107.6.88

reach: 3

current poll: 64

now: 41

offset: -4.3416 ms

delay: 4.64 ms

disper: 1.01 ms

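5. Configuring SNMP on a Huawei switch

snmp-agent sys-info version all # Set the SNMP version

snmp-agent community read cipher uxinsnmp123 # Set the SNMP read-only community name

snmp-agent trap enable # Enable the switch to send trap messages on its own initiative

snmp-agent target-host trap address udp-domain 10.1.41.253 params securityname cipher uxinsnmp123 # Configure the host that receives traps (alarms)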

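6. Administrator security configuration on a Huawei switch

1) Example: passwords are at least 12 characters long and mix digits, letters and special characters; passwords are valid for 90 days; the account is locked after too many password attempts. After a successful login, the session is disconnected once 10 minutes pass without any activity; the three roles (system administrator, security administrator, audit administrator) are separated.

[CN-HBDHY-OA-1-1F312-DSW01]undo user-interface password complexity-check disable # Enable global password complexity checking; this rule is enabled by default

[CN-HBDHY-OA-1-1F312-DSW01]set password min-length 12 # Set the minimum password length to 12 characters

[CN-HBDHY-OA-1-1F312-DSW01]aaa

[CN-HBDHY-OA-1-1F312-DSW01-aaa]local-user admin idle-timeout 10 # Set the idle timeout of the local administrator admin to 10 minutes

[CN-HBDHY-OA-1-1F312-DSW01-aaa]user-password complexity-check # Enable password complexity checking for local accounts

[CN-HBDHY-OA-1-1F312-DSW01-aaa]local-aaa-user wrong-password retry-interval 5 retry-time 5 block-time 5 # Local accounts: retry interval of 5 minutes, at most 5 consecutive wrong passwords, lockout time of 5 minutes

[CN-HBDHY-OA-1-1F312-DSW01-aaa]local-aaa-user password policy administrator # Enter the administrator password policy view

[CN-HBDHY-OA-1-1F312-DSW01-aaa-lupp-admin]password expire 90 # Set the password expiry time in the administrator password policy to 90 days

[CN-HBDHY-OA-1-1F312-DSW01-aaa-lupp-admin]password alert before-expire 30 # In the administrator password policy, warn 30 days before the password expires

[CN-HBDHY-OA-1-1F312-DSW01-aaa-lupp-admin]password history record number 5 # In the administrator password policy, keep 5 historical passwords

2) Restricting login source IPs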

acl name sourlimit 2001

rule 11 permit source 10.1.13.100 0

rule 12 permit source 10.1.21.131 0

rule 15 permit source 10.1.41.170 0

rule 21 permit source 10.16.2.100 0

ssh server acl 2001

3) Separating the three administrator roles

local-user admin password irreversible-cipher Abc123123# idle-timeout 10 0

local-user admin privilege level 15 # The system administrator gets management-level privilege, i.e. all permissions

local-user admin service-type terminal ssh

local-user audit password irreversible-cipher Abc123123# idle-timeout 10 0

local-user audit privilege level 1 # The audit administrator gets monitoring-level privilege, with only partial view permissions

local-user audit service-type terminal ssh

local-user security password irreversible-cipher Abc123123# idle-timeout 10 0

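local-user security privilege level 2 # The security administrator gets configuration-level privilege: day-to-day viewing and modification of configuration, but no FTP, file download, fault diagnosis, etc.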

local-user security service-type terminal ssh
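
The following check is an added example, not part of the original article and not a Huawei tool: a small Python script that scans a saved configuration for deviations from the settings shown in sections 1, 3, 5 and 6. The sample configuration is constructed from commands on this page, the finding names are made up for illustration, and real display current-configuration output may word some lines differently.

```python
import re

# Constructed sample assembled from commands on this page; not real device output.
SAMPLE_CONFIG = """\
http server enable
snmp-agent sys-info version all
set password min-length 8
aaa
 local-user admin service-type ssh telnet
 local-aaa-user wrong-password retry-interval 5 retry-time 5 block-time 5
 local-aaa-user password policy administrator
  password expire 90
user-interface vty 0 4
 protocol inbound ssh
"""

def audit(config):
    """Return finding names (made up for this example) for baseline deviations."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    def has(pattern):
        return any(re.fullmatch(pattern, ln) for ln in lines)
    def number(pattern):
        hits = [int(m.group(1)) for ln in lines if (m := re.fullmatch(pattern, ln))]
        return hits[0] if hits else None

    if has(r"http (secure-)?server enable"):  # section 1 turns both off
        findings.append("web-management-enabled")
    if has(r"local-user \S+ service-type\b.*\btelnet\b.*"):  # telnet is cleartext
        findings.append("telnet-service-type")
    if has(r"snmp-agent sys-info version\b.*\b(all|v1|v2c)\b.*"):  # cleartext community
        findings.append("snmp-v1-v2c-enabled")
    if (number(r"set password min-length (\d+)") or 0) < 12:
        findings.append("password-min-length-below-12")
    expire = number(r"password expire (\d+)")
    if expire is None or not 1 <= expire <= 90:  # assumption: 0 means no expiry
        findings.append("password-expiry-not-within-90-days")
    if not has(r"local-aaa-user wrong-password .+"):
        findings.append("no-lockout-policy")
    if not has(r"ssh server acl \S+"):  # section 6, item 2
        findings.append("ssh-source-acl-missing")
    inbound = [ln for ln in lines if ln.startswith("protocol inbound ")]
    if not inbound or any(ln != "protocol inbound ssh" for ln in inbound):
        findings.append("vty-not-ssh-only")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
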

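7. Configuring syslog on a Huawei switch

There are eight levels, 0-7; 0 is the highest and 7 the lowest.

1) Saving to the buffer

info-center logbuffer: enables sending log information to the log buffer; this function is enabled by default

2) Saving to a syslog server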

[CN-HBDHY-OA-1-1F312-DSW01]info-center loghost source Vlanif348

[CN-HBDHY-OA-1-1F312-DSW01]info-center loghost 10.1.33.10 facility local0

3) Viewing the syslog configuration

[CN-HBDHY-OA-1-1F312-DSW01]dis info-center

Information Center:enabled

Log host:

the interface name of the source address:Vlanif348

10.1.33.10, channel number 2, channel name loghost,

language English , host facility local0

Console:

channel number : 0, channel name : console

Monitor:

channel number : 1, channel name : monitor

SNMP Agent:

channel number : 5, channel name : snmpagent

Log buffer:

enabled,max buffer size 1024, current buffer size 512,

current messages 512, channel number : 4, channel name : logbuffer

dropped messages 0, overwritten messages 97581

Trap buffer:

enabled,max buffer size 1024, current buffer size 256,

current messages 256, channel number:3, channel name:trapbuffer

dropped messages 0, overwritten messages 219323

logfile:

channel number : 9, channel name : channel9, language : English

Information timestamp setting:

log - date, trap - date, debug - date millisecond

Sent messages = 531626, Received messages = 531626

IO Reg messages = 0 IO Sent messages = 0

Huawei Switch VLAN and Trunk Configuration

Create the following network topology in eNSP

1. Configure the first switch, sw1

undo terminal monitor // Stop log messages from interrupting the terminal

system-view // Enter the system view

[Huawei]sysname sw1 // Rename the switch to sw1

[sw1]vlan batch 5 10 // Create vlan5 and vlan10

[sw1]interface Ethernet 0/0/1 // Enter port 1

[sw1-Ethernet0/0/1]port link-type access // Set port 1 to access mode

[sw1-Ethernet0/0/1]port default vlan 5 // Add port 1 to vlan5

[sw1-Ethernet0/0/1]interface ethernet 0/0/2 // Enter port 2

[sw1-Ethernet0/0/2]port link-type access // Set port 2 to access mode

[sw1-Ethernet0/0/2]port default vlan 10 // Add port 2 to vlan10

[sw1-Ethernet0/0/2]interface ethernet 0/0/22 // Enter port 22 of sw1

[sw1-Ethernet0/0/22]port link-type trunk // Set port 22 of sw1 to trunk mode

[sw1-Ethernet0/0/22]port trunk allow-pass vlan 5 10 // Allow vlan5 and vlan10 on the trunk link

2. Configure the second switch, sw2

undo terminal monitor // Stop log messages from interrupting the terminal

system-view // Enter the system view

[Huawei]sysname sw2 // Rename the switch to sw2

[sw2]vlan batch 5 10 // Create vlan5 and vlan10

[sw2]interface Ethernet 0/0/3 // Enter port 3

[sw2-Ethernet0/0/3]port link-type access // Set port 3 to access mode

[sw2-Ethernet0/0/3]port default vlan 5 // Add port 3 to vlan5

[sw2-Ethernet0/0/3]interface ethernet 0/0/4 // Enter port 4

[sw2-Ethernet0/0/4]port link-type access // Set port 4 to access mode

[sw2-Ethernet0/0/4]port default vlan 10 // Add port 4 to vlan10

[sw2-Ethernet0/0/4]interface ethernet 0/0/22 // Enter port 22 of sw2

[sw2-Ethernet0/0/22]port link-type trunk // Set port 22 of sw2 to trunk mode

[sw2-Ethernet0/0/22]port trunk allow-pass vlan 5 10 // Allow vlan5 and vlan10 on the trunk link

3. Test connectivity
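
Before pinging across the link, the two configurations can be compared offline. This is an added example, not part of the original article: a Python script that parses the commands from steps 1 and 2 (prompts and comments stripped, so the input is constructed) and reports which VLANs are created and allowed on both ends of the trunk, and which access ports would be cut off. It only handles space-separated VLAN lists and explicitly configured VLANs; the function names are chosen for illustration.

```python
import re

# Constructed input: the commands from steps 1 and 2, prompts and comments stripped.
SW1 = """\
vlan batch 5 10
interface Ethernet 0/0/1
port link-type access
port default vlan 5
interface Ethernet 0/0/2
port link-type access
port default vlan 10
interface Ethernet 0/0/22
port link-type trunk
port trunk allow-pass vlan 5 10
"""
# sw2 differs only in its access port numbers (3 and 4 instead of 1 and 2).
SW2 = SW1.replace("0/0/1\n", "0/0/3\n").replace("0/0/2\n", "0/0/4\n")

def parse(config):
    """Return (created VLANs, {port: [link_type, configured VLAN set]})."""
    created, ports, cur = set(), {}, None
    for ln in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan batch ([\d ]+)", ln):
            created |= {int(v) for v in m.group(1).split()}
        elif m := re.fullmatch(r"interface ethernet\s*(\S+)", ln, re.I):
            cur = m.group(1)
            ports[cur] = [None, set()]
        elif cur and (m := re.fullmatch(r"port link-type (\w+)", ln)):
            ports[cur][0] = m.group(1)
        elif cur and (m := re.fullmatch(r"port (?:default|trunk allow-pass) vlan ([\d ]+)", ln)):
            ports[cur][1] |= {int(v) for v in m.group(1).split()}
    return created, ports

def carried_vlans(cfg_a, cfg_b, trunk="0/0/22"):
    """VLANs that cross the link: created and explicitly allowed on both ends."""
    (made_a, ports_a), (made_b, ports_b) = parse(cfg_a), parse(cfg_b)
    return made_a & made_b & ports_a[trunk][1] & ports_b[trunk][1]

def stranded_access_ports(cfg_a, cfg_b, trunk="0/0/22"):
    """Access ports (per switch) whose VLAN does not make it across the trunk."""
    carried = carried_vlans(cfg_a, cfg_b, trunk)
    return [(name, port) for name, cfg in (("a", cfg_a), ("b", cfg_b))
            for port, (kind, vlans) in parse(cfg)[1].items()
            if kind == "access" and not vlans <= carried]

if __name__ == "__main__":
    print(sorted(carried_vlans(SW1, SW2)), stranded_access_ports(SW1, SW2))
```
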

