Huawei Switch Basic Configuration Commands
Restore factory settings----------------pay attention to the Y and N choices; do not enter the wrong one.
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file . Continue? [Y/N]:n
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y
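When a new switch is powered on for the first time, or after a factory reset, it requires you to set a new password.
The factory default username is admin and the password is [email protected]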
Login authentication
Username:admin
Password:
Warning: The default password poses security risks.
The password needs to be changed. Change now? [Y/N]: y
Please enter old password:
Please enter new password: ---------------------nothing is displayed while the password is typed
Please confirm new password:
The password has been changed successfully.
The first time you save the configuration, you are asked for a file name; just press Enter.
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Info: Please input the file name ( *.cfg, *.zip ) [vrpcfg.zip]:
May 28 2019 10:57:52 HUAWEI %%01CFM/4/SAVE(s)[1]:The user chose Y when deciding whether to save the configuration to the device.
flash:/vrpcfg.zip exists, overwrite?[Y/N]:y
May 28 2019 10:57:54 HUAWEI %%01CFM/4/OVERWRITE_FILE(s)[2]:When deciding whether to overwrite the configuration file vrpcfg.zip, the user chose Y.
Now saving the current configuration to the slot 0......
Save the configuration successfully.
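Set the date and time
Set the authentication mode for the console port; it can be set to none, password only, username and password, and so on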
[HUAWEI]user-interface console 0
[HUAWEI-ui-console0]authentication-mode ?
aaa AAA authentication, and this authentication mode is recommended
none Login without checking
password Authentication through the password of a user terminal interface
[HUAWEI-ui-console0]set authentication password
[HUAWEI-ui-console0]set authentication password cipher administrator
Enable the Telnet service, STP, and the HTTP service
[HUAWEI]telnet server enable-------------------enable the Telnet service
[HUAWEI]stp mode rstp-------------------set the STP mode to RSTP
[HUAWEI]stp enable-------------------enable STP
[HUAWEI]http server enable-------------------enable the HTTP service (enabled by default)
Configure VTY for Telnet login
[HUAWEI]user-interface maximum-vty 15-------------------maximum number of VTY interfaces: 15
authentication-mode password-------------authentication mode set to password only; aaa mode can also be used
user privilege level 15-------------------user privilege level 15 (very important)
set authentication password cipher $1a$IZ,o~LZ$Z.$GHlQ-zn9-Gn<*8(yp-@F#6wmH;M\%L#($\PXNa.:$---this is the password; it is entered in plaintext; set as needed
history-command max-size 256-------------------maximum command-line history size
idle-timeout 6 0-------------------user idle timeout: 6 minutes 0 seconds
screen-length 100-------------------screen length: 100 lines
protocol inbound telnet-------------------allow inbound Telnet (very important)
Create a user for web login
[HUAWEI]aaa
[HUAWEI-aaa]dis local-user
----------------------------------------------------------------------------
User-name State AuthMask AdminLevel
----------------------------------------------------------------------------
admin A MH 15
----------------------------------------------------------------------------
Total 1 user(s)
[HUAWEI-aaa]undo local-user admin
Error: Have user(s) online, can not be deleted.
[HUAWEI-aaa]quit
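Because the console port requires username and password login at first login, the local user admin cannot be deleted at that point. Instead, return to the <> view, save the configuration, log out of the switch, and log in again. Since we have already changed the console port's authentication mode to password only, we can enter aaa again and delete the user admin. After deleting it, recreate admin; its privilege level, service type and so on are then all under our own control.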
[HUAWEI]aaa
[HUAWEI-aaa]undo local-user admin
[HUAWEI-aaa]local-user admin password irreversible-cipher administrator idle-timeout 6 0------the part marked in red is the password; set as needed
Info: Add a new user.
[HUAWEI-aaa]local-user admin service-type http
[HUAWEI-aaa]local-user admin privilege level 15
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y
[HUAWEI-aaa]local-user admin ftp-directory flash:
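On switches running newer software versions, the Telnet service requires AAA authentication (username and password). In that case, create another user as described above, with service-type set to telnet.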
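Turn off the switch's automatic configuration-change alarm pop-ups
After you enter a configuration command, the device displays a message similar to the following: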
DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 1, the change loop count is 64, and the maximum number of records is 1.
This is a configuration-change alarm notification, not an error message. It can be suppressed with the following command:
[HUAWEI]info-center source DS channel console trap level warning state off
Create VLANs and add ports to them
[HUAWEI]vlan 2------------------create a single VLAN, 2
[HUAWEI-vlan2]quit------------------creating a VLAN enters its view, so quit
[HUAWEI]vlan batch 3 to 10------------------create VLANs 3-10 in a batch
Info: This operation may take a few seconds. Please wait for a moment...done.
[HUAWEI]------------------batch creation does not enter any VLAN view
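Because ports on Huawei switches are hybrid or auto type by factory default, they cannot be added to a VLAN right away; the port's link-type must be changed first. To change a single port: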
[HUAWEI]interface GigabitEthernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1]port link-type access
Info: This operation may take a few seconds. Please wait for a moment...done.
[HUAWEI-GigabitEthernet0/0/1]port default vlan 2
[HUAWEI-GigabitEthernet0/0/1]dis this
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
To change ports in a batch, first change the port type, then add them all to one VLAN, as follows:
[HUAWEI]port-group group-member g 0/0/2 to g 0/0/4
[HUAWEI-port-group]port link-type access
[HUAWEI-GigabitEthernet0/0/2]port link-type access
Info: This operation may take a few seconds. Please wait for a moment...done.
[HUAWEI-GigabitEthernet0/0/3]port link-type access
Info: This operation may take a few seconds. Please wait for a moment...done.
[HUAWEI-GigabitEthernet0/0/4]port link-type access
Info: This operation may take a few seconds. Please wait for a moment...done.
[HUAWEI-port-group]port default vlan 3
[HUAWEI-GigabitEthernet0/0/2]port default vlan 3
[HUAWEI-GigabitEthernet0/0/3]port default vlan 3
[HUAWEI-GigabitEthernet0/0/4]port default vlan 3
Alternatively, change the port link type in a batch first, then enter the VLAN view and add the ports, as follows:
[HUAWEI]port-group group-member g 0/0/5 to g 0/0/10
[HUAWEI-port-group]port link-type access
[HUAWEI-GigabitEthernet0/0/5]port link-type access
Info: This operation may take a few seconds. Please wait for a moment...done.
[HUAWEI-GigabitEthernet0/0/6]port link-type access
Info: This operation may take a few seconds. Please wait for a moment...done.
[HUAWEI-GigabitEthernet0/0/7]port link-type access
Info: This operation may take a few seconds. Please wait for a moment...done.
[HUAWEI-GigabitEthernet0/0/8]port link-type access
Info: This operation may take a few seconds. Please wait for a moment...done.
[HUAWEI-GigabitEthernet0/0/9]port link-type access
Info: This operation may take a few seconds. Please wait for a moment...done.
[HUAWEI-GigabitEthernet0/0/10]port link-type access
Info: This operation may take a few seconds. Please wait for a moment...done.
[HUAWEI-port-group]quit
[HUAWEI]vlan 4
[HUAWEI-vlan4]port g 0/0/5 to 0/0/6
Info: This operation may take a few seconds. Please wait for a moment...done.
[HUAWEI-vlan4]
After the changes, you can view the port-to-VLAN mapping:
[HUAWEI]display port vlan
Port Link Type PVID Trunk VLAN List
-------------------------------------------------------------------------------
GigabitEthernet0/0/1 access 2 -
GigabitEthernet0/0/2 access 3 -
GigabitEthernet0/0/3 access 3 -
GigabitEthernet0/0/4 access 3 -
GigabitEthernet0/0/5 access 4 -
GigabitEthernet0/0/6 access 4 -
GigabitEthernet0/0/7 access 1 -
GigabitEthernet0/0/8 access 1 -
GigabitEthernet0/0/9 access 1 -
GigabitEthernet0/0/10 access 1 -
GigabitEthernet0/0/11 auto 1 1-4094
GigabitEthernet0/0/12 auto 1 1-4094
Set a port to trunk type
[HUAWEI]interface GigabitEthernet 0/0/28
[HUAWEI-GigabitEthernet0/0/28]port link-type trunk
Info: This operation may take a few seconds. Please wait for a moment...done.
[HUAWEI-GigabitEthernet0/0/28]port trunk pvid vlan 10
[HUAWEI-GigabitEthernet0/0/28]port trunk allow-pass vlan 2 to 4000
Info: This operation may take a few seconds. Please wait a moment....done.
[HUAWEI-GigabitEthernet0/0/28]undo port trunk allow-pass vlan 1
Info: This operation may take a few seconds. Please wait a moment...done.
[HUAWEI-GigabitEthernet0/0/28]dis this
#
interface GigabitEthernet0/0/28
port link-type trunk
port trunk pvid vlan 10
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4000
#
return
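On the trunk ports that connect two switches, the PVID must be the same on both ends. In larger enterprise LANs, using VLAN 1 is not recommended, so the trunk port does not allow VLAN 1 to pass.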
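Two points from this page can be checked offline against a saved configuration: the CLI help's recommendation of aaa for user interfaces (with Telnet accepted on VTY), and the note that trunk ports should not carry VLAN 1. The following is an added example, not part of the original page; the sample configuration is constructed, the function names `stanzas` and `audit` are hypothetical, and it assumes a trunk allows VLAN 1 and uses PVID 1 unless configured otherwise.

```python
import re

# Constructed sample in the layout of `display current-configuration`;
# stanzas are separated by "#" lines. Not taken from a real device.
SAMPLE = """\
#
user-interface vty 0 14
 authentication-mode password
 user privilege level 15
 protocol inbound telnet
#
interface GigabitEthernet0/0/27
 port link-type trunk
 port trunk allow-pass vlan 2 to 4000
#
interface GigabitEthernet0/0/28
 port link-type trunk
 port trunk pvid vlan 10
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2 to 4000
#
"""

def stanzas(config):
    """Yield (header, [body lines]) for each '#'-separated stanza."""
    for block in re.split(r"(?m)^#[ \t]*$", config):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if lines:
            yield lines[0], lines[1:]

def audit(config):
    # Assumption: a trunk allows VLAN 1 and uses PVID 1 unless configured otherwise.
    findings = []
    for header, body in stanzas(config):
        if header.startswith("user-interface"):
            mode = next((l.split()[1] for l in body
                         if l.startswith("authentication-mode ")), None)
            if mode != "aaa":
                findings.append((header, f"authentication-mode is {mode}, not aaa"))
            if any(re.fullmatch(r"protocol inbound (telnet|all)", l) for l in body):
                findings.append((header, "Telnet (cleartext) login is accepted"))
        elif header.startswith("interface") and "port link-type trunk" in body:
            if "undo port trunk allow-pass vlan 1" not in body:
                findings.append((header, "VLAN 1 is still allowed on this trunk"))
            if not any(l.startswith("port trunk pvid vlan ") for l in body):
                findings.append((header, "no explicit PVID; default VLAN 1 applies"))
    return findings
```

On the constructed sample, `audit(SAMPLE)` reports the VTY stanza and GigabitEthernet0/0/27, and nothing for GigabitEthernet0/0/28, which matches the trunk configuration shown above.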
Configure link aggregation
[HUAWEI]interface Eth-Trunk 1
[HUAWEI-Eth-Trunk1]port link-type trunk
Info: This operation may take a few seconds. Please wait for a moment...done.
[HUAWEI-Eth-Trunk1]port trunk pvid vlan 10
[HUAWEI-Eth-Trunk1]port trunk allow-pass vlan 2 to 4000
Info: This operation may take a few seconds. Please wait a moment....done.
[HUAWEI-Eth-Trunk1]undo port trunk allow-pass vlan 1
Info: This operation may take a few seconds. Please wait a moment...done.
[HUAWEI-Eth-Trunk1]dis this
#
interface Eth-Trunk1
port link-type trunk
port trunk pvid vlan 10
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 2 to 4000
#
return
The commands above create an aggregated port and set its attributes.
[HUAWEI]interface GigabitEthernet 0/0/25
[HUAWEI-GigabitEthernet0/0/25]eth-trunk 1
Info: This operation may take a few seconds. Please wait a moment...done.
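The commands above add port G 0/0/25 to the aggregated port eth-trunk 1; no further configuration is needed. More ports can be added to the aggregated port.
Enable DHCP, configure an address pool, and apply it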
[HUAWEI]dhcp enable
ip pool 192.168.2.0----------------create an address pool named 192.168.2.0
gateway-list 192.168.2.254----------------set the gateway address
network 192.168.2.0 mask 255.255.255.0----------------set the network segment
excluded-ip-address 192.168.2.251 192.168.2.253----------------set the range of IP addresses excluded from allocation
lease day 0 hour 0 minute 30----------------set the lease duration
dns-list 114.114.114.114 8.8.8.8----------------set the DNS server addresses
[HUAWEI]interface Vlanif 2----------------enter vlanif 2
[HUAWEI-Vlanif2]ip address 192.168.2.254 24----------------assign an IP address to vlanif 2 (the gateway address of the address pool above)
[HUAWEI-Vlanif2]dhcp select global ----------------DHCP uses the global pool; the matching address pool is selected automatically
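Enable traffic control to restrict access between certain network segments (mainly to block access between the guest network and the office and finance networks)
[HUAWEI]acl number 3001-----------add an advanced ACL, which can match on both source and destination addresses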
Info: When the ACL that is referenced by SACL is modified, the SACL will be dynamically updated. During the update, these SACL will become invalid temporarily.
[HUAWEI-acl-adv-3001]rule 1000 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
[HUAWEI-acl-adv-3001]rule 1100 deny ip source 172.16.0.0 0.0.255.255 destination 175.40.0.0 0.0.255.255
[HUAWEI-acl-adv-3001]quit
Note the wildcard (inverse) masks on the source and destination addresses.
[HUAWEI]traffic-filter inbound acl 3001-----------apply the rules in ACL 3001 globally
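How the wildcard masks in ACL 3001 decide whether a packet matches, as an added example that is not part of the original page. It assumes rules are evaluated in ascending rule-ID order; the function names are hypothetical and the packet addresses used to exercise it are constructed.

```python
import ipaddress
import re

# Rules copied from ACL 3001 on this page.
ACL_3001 = """\
rule 1000 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
rule 1100 deny ip source 172.16.0.0 0.0.255.255 destination 175.40.0.0 0.0.255.255
"""

RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) ip source (\S+) (\S+) destination (\S+) (\S+)")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_from_mask(mask):
    """Invert a subnet mask: 255.255.0.0 -> 0.0.255.255."""
    return str(ipaddress.IPv4Address(to_int(mask) ^ 0xFFFFFFFF))

def matches(addr, base, wildcard):
    """Wildcard bit 0 = must equal the base address, bit 1 = ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append((int(m.group(1)),) + m.groups()[1:])
    return sorted(rules)  # assumption: evaluated in ascending rule-ID order

def evaluate(rules, src, dst):
    """Return (rule_id, action) of the first matching rule, or None."""
    for rule_id, action, s_base, s_wild, d_base, d_wild in rules:
        if matches(src, s_base, s_wild) and matches(dst, d_base, d_wild):
            return rule_id, action
    return None
```

Writing the subnet mask 255.255.0.0 where the wildcard 0.0.255.255 belongs makes the rule compare only the last two octets, so 172.16.5.9 no longer matches while an unrelated address such as 10.99.0.0 does.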