Huawei Switch Configuration Command Summary

Basic use of the VRP system

 

command-privilege level rearrange - requires user level 15; batch-promotes every command registered by default at level 2 or 3 to level 10 or 15 respectively.

undo command-privilege level rearrange - batch-restores the default levels.

◆command-privilege level level view view-name command-key - raises the specified command to the specified command level.

★command-privilege level 15 view shell reboot

◆super password [ level user-level ] [ cipher password ] - sets the password that protects the corresponding command level; by default the password is set for level 3.

◆super [ level ] - switches the user level; the default target level is 3. If a password was set with the command above, it must be entered.

◆? - online help

◆display this include-default - shows the configuration of the current view including default settings.

◆display current-configuration [ configuration [ configuration-type [ configuration-instance ] ] | interface [ interface-type [ interface-number ] ] ] [ feature feature-name [ filter filter-expression ] | filter filter-expression ] - shows the configuration currently in effect; the parameters and keywords narrow the output to the specified part.

◆display current-configuration [ all | inactive ] - shows all configuration, or only configuration that is present but not currently active.

◆terminal echo-mode { character | line } - sets the command-line echo mode to character mode or line mode.

Command-line output can be filtered with regular expressions in two ways:

Specify the filter in the command: append the keyword begin, exclude or include followed by the expression (for example display current-configuration | include ssh).

Specify the filter while output is being paged: at the More prompt, enter "/", "-" or "+" followed by the expression.

▲Directory management:

◆mkdir directory - creates the specified directory.

◆rmdir directory - deletes the specified directory.

◆pwd - shows the current working directory.

◆cd directory - changes directory.

◆dir - lists the specified file or directory.

▲File management:

◆more filename [ offset ] [ all ] - shows the contents of the specified file.

◆copy source-filename destination-filename - copies a file.

◆move source-filename destination-filename - moves a file.

◆rename old-name new-name - renames a file.

◆zip source-filename destination-filename - compresses the specified file.

◆unzip source-filename destination-filename - decompresses the specified file.

◆delete [ /unreserved ] filename - deletes a file; with /unreserved the file bypasses the recycle bin and cannot be recovered with undelete.

◆undelete filename - restores a file from the recycle bin.

◆reset recycle-bin [ filename ] - permanently deletes files in the recycle bin.

◆execute batch-filename - runs the specified batch file.

◆file prompt { alert | quiet } - sets the prompting mode for file operations; quiet suppresses the confirmation prompts for destructive operations, so leave it at alert on production devices.

◆format devicename - formats a storage device, e.g. format flash:

 

◆display version - shows the software version.

 

▲Managing VRP configuration files

set save-configuration [ interval interval | cpu-limit cpu-usage | delay delay-interval ] * - saves the configuration file automatically.

set save-configuration backup-to-server server server-ip transport-type { ftp | sftp } user user-name password password [ path folder ]

set save-configuration backup-to-server server server-ip transport-type tftp [ path folder ]

- saves the configuration file to a remote server automatically. Prefer sftp: ftp and tftp carry the configuration file, including any password strings it contains, in cleartext.

save [ all ] [ configuration ] - saves the configuration file manually.

 

▲Backing up the configuration file

◆Copy from the screen: run display current-configuration, copy all of the output into a text file and save it with the .cfg extension.

◆Copy the configuration file on the device: copy config.cfg backup.cfg

◆Back up via TFTP, with the switch acting as TFTP client:

tftp [ -a source-ip-address | -i interface-type interface-number ] tftp-server put source-filename [ destination-filename ]

◆Back up via FTP, with the switch acting as FTP server:

system-view

ftp server enable

aaa

local-user huawei password cipher huawei@123

local-user huawei ftp-directory flash:

local-user huawei service-type ftp

local-user huawei privilege level 15

Note that this example exposes the whole flash: file system over cleartext FTP to a level-15 account with a guessable password. In practice point ftp-directory at a subdirectory, give the account the lowest level that can transfer files, apply an ftp acl, and prefer SFTP (see the FTP server section further down).

 

▲Basic switch settings

clock timezone time-zone-name { add | minus } offset - sets the local time zone. For China the zone name is usually written as BJ.

★clock timezone BJ add 08:00:00

clock datetime HH:MM:SS YYYY-MM-DD - sets the current time and date.

 

▲Configuring the switch name and IP address

sysname host-name

interface interface-type interface-number - enters the interface view

★interface vlanif 2

ip address ip-address { mask | mask-length } [ sub ] - assigns an IP address to the interface.

 

▲Setting banner text

header login { information text | file file-name } - sets the banner shown before login.

header shell { information text | file file-name } - sets the banner shown after a successful login.

★header shell information &Banner text!&   The first character after information (here &) is the delimiter and the same character ends the text; alternatively use % ... % and enter the text interactively.

 

User interfaces

Console user interface: user interface number CON0

VTY user interfaces: VTY0 to VTY14

To view the absolute numbers: display user-interface

 

User authentication and privilege levels on user interfaces

Authentication modes of a user interface

Two modes: password authentication and AAA authentication

User-interface privilege level (applies with no authentication or password authentication); user privilege level (applies with AAA authentication, taken from the local-user or the AAA server)

 

Configuring the physical attributes of the console user interface

user-interface console interface-number

speed speed-value

flow-control { hardware | none | software }

parity { even | mark | none | odd | space }

stopbits { 1.5 | 1 | 2 }

databits { 5 | 6 | 7 | 8 }

 

Configuring the terminal attributes of the console user interface

user-interface console 0

idle-timeout minutes [ seconds ]

screen-length screen-length [ temporary ]

screen-width screen-width

history-command max-size size-value

 

Configuring the user privilege level of the console user interface

user-interface console 0

user privilege level level - takes effect only for users who log in with password authentication or no authentication; with AAA the level comes from the local-user account or the AAA server.

 

Configuring the authentication mode of the console user interface

user-interface console 0

authentication-mode { aaa | password | none }

set authentication password [ cipher password ]

aaa

local-user user-name { password cipher password | privilege level level } *

local-user user-name service-type terminal

 

Managing the console user interface

display users [ all ]

display user-interface console ui-number [ summary ]

display local-user

kill user-interface 0   or   kill user-interface console 0

 

Configuring and managing VTY user interfaces

Maximum number of VTY user interfaces

user-interface maximum-vty 10

 

Restricting VTY logins with an ACL

user-interface vty first-ui-number [ last-ui-number ]

acl acl-number { inbound | outbound }

 

Configuring the terminal attributes of VTY user interfaces

user-interface vty first-ui-number [ last-ui-number ]

shell

idle-timeout minutes [ seconds ]

screen-length screen-length [ temporary ]

screen-width screen-width

history-command max-size size-value

protocol inbound { all | ssh | telnet }

 

Configuring the authentication mode and user privilege level of VTY user interfaces

user-interface vty first-ui-number [ last-ui-number ]

authentication-mode { aaa | password | none }

set authentication password [ cipher password ]

aaa

local-user user-name { password cipher password | privilege level level } *

local-user user-name service-type { telnet | ssh }

 

Managing VTY user interfaces

display users [ all ]

display user-interface maximum-vty

display user-interface vty ui-number1 [ summary ]

display local-user

display vty mode

 

Configuring the Telnet server and its parameters

telnet server enable

telnet server port port-number

 

Configuring Telnet login to the switch

system-view

user-interface vty 0 7

shell

idle-timeout 20

screen-length 30

history-command max-size 20

authentication-mode aaa

user privilege level 15

quit

user-interface maximum-vty 8

acl 2001

rule permit source 10.1.1.1 0

quit

user-interface vty 0 7

acl 2001 inbound

aaa

local-user user1 password cipher 12345

local-user user1 service-type telnet

local-user user1 privilege level 3

quit

telnet server enable

telnet server port 1025

Two things to note about this example. Because the VTY lines use authentication-mode aaa, user1 logs in at level 3 (from the local-user account), not at the level 15 set with user privilege level, which only applies to password or no authentication. And Telnet carries the password and the whole session in cleartext; moving the service to port 1025 and using a password like 12345 does not change that, so use STelnet (SSH) as described next.

 

Configuring the STelnet server and its parameters

system-view

rsa local-key-pair create   or   dsa local-key-pair create

stelnet server enable

ssh server port port-number

ssh server rekey-interval interval

ssh server timeout seconds

ssh server authentication-retries times

ssh server compatible-ssh1x enable   (SSH 1.x is insecure; leave this disabled unless a legacy client forces it)

 

Configuring SSH users

ssh user user-name

ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | all }

ssh user user-name service-type { stelnet | all }

ssh user user-name authorization-cmd aaa

 

Configuring password, password-dsa or password-rsa authentication for SSH users

aaa

local-user user-name password cipher password

local-user user-name service-type ssh

local-user user-name privilege level level

 

Configuring dsa, rsa, password-dsa or password-rsa authentication for SSH users

system-view

rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]   or

dsa peer-public-key key-name encoding-type { der | openssh | pem }

public-key-code begin

(paste the client's public key here)

public-key-code end

peer-public-key end

ssh user user-name assign { rsa-key | dsa-key } key-name

 

Managing STelnet logins

display ssh user-information [ user-name ]

display ssh server status

display ssh server session
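A hardened management-plane configuration that replaces the Telnet login example above with STelnet, as an added example (not from the original page): the VTY lines accept SSH only, are fenced by a basic ACL, authenticate through AAA, and Telnet and SSH 1.x are switched off. The host name, addresses, ACL number, account name and password are assumptions; `#` lines are annotations, not commands.

```vrp
# Added example: SSH-only remote management. Names and addresses are assumed.
system-view
 sysname CORE-SW1

 # 1. Host key pair for the SSH server (answer the prompts; choose the
 #    largest key size the software version offers).
 rsa local-key-pair create

 # 2. Who may open a VTY session: only the management subnet, with an
 #    explicit deny so nothing depends on the default for unmatched sources.
 acl number 2001
  rule 5 permit source 10.1.1.0 0.0.0.255
  rule 10 deny
  quit

 # 3. VTY lines: SSH only, ACL on inbound logins, AAA accounts, short idle timeout.
 user-interface vty 0 4
  acl 2001 inbound
  authentication-mode aaa
  protocol inbound ssh
  idle-timeout 5 0
  history-command max-size 20
  quit

 # 4. Local account (replace the password; it appears in cleartext here only
 #    because this is an example). With authentication-mode aaa the user's
 #    level comes from here, not from "user privilege level" on the VTY.
 aaa
  local-user netadmin password cipher Str0ng-Passw0rd!
  local-user netadmin service-type ssh
  local-user netadmin privilege level 15
  quit

 # 5. SSH user bound to the local account: password authentication via AAA,
 #    STelnet only (no SFTP through this account).
 ssh user netadmin
 ssh user netadmin authentication-type password
 ssh user netadmin service-type stelnet

 # 6. Server parameters: enable STelnet, disable Telnet and SSH 1.x,
 #    limit password guessing, re-key the session hourly.
 stelnet server enable
 undo telnet server enable
 undo ssh server compatible-ssh1x enable
 ssh server authentication-retries 3
 ssh server timeout 60
 ssh server rekey-interval 1

 # 7. Verify, then save.
 display ssh server status
 display ssh user-information netadmin
 display user-interface vty 0
 return
save
```

Keep the console session open until an SSH login from the management subnet has been tested: once `protocol inbound ssh` and the ACL are active, a mistake in either locks every remote path out. For key-based logins, replace step 5 with `ssh user netadmin authentication-type rsa` and bind a peer public key with `ssh user netadmin assign rsa-key key-name` as shown in the section above.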

 

Using the FTP server and configuring its parameters

system-view

ftp server port port-number

ftp server enable

ftp server-source { -a source-ip-address | -i interface-type interface-number }

ftp timeout minutes

 

Configuring a local FTP user

system-view

aaa

local-user user-name password cipher password

local-user user-name privilege level level

local-user user-name service-type ftp

local-user user-name ftp-directory directory

 

Configuring FTP access control

system-view

acl [ number ] acl-number

rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name ] *

ftp acl acl-number
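The FTP backup example earlier on the page gives a level-15 account the whole flash: file system over cleartext FTP. This added example (not from the original page) restricts the FTP service with an ACL, a dedicated low-privilege account and a subdirectory, then shows the SFTP equivalent and the scheduled remote backup from the VRP configuration file section. Addresses, account names, passwords and the directory are assumptions; `#` lines are annotations.

```vrp
# Added example: restricted FTP, preferred SFTP, and scheduled off-box backup.
system-view
 # A dedicated directory, so the account never sees system images or the
 # startup configuration file itself.
 mkdir flash:/backup

 # Only the backup host may reach the file-transfer services.
 acl number 2002
  rule 5 permit source 10.1.1.10 0
  rule 10 deny
  quit

 aaa
  # Lowest level that can transfer files, FTP and SSH service types,
  # locked to the backup directory. Replace the password.
  local-user backup password cipher B4ckup-Passw0rd!
  local-user backup privilege level 3
  local-user backup service-type ftp ssh
  local-user backup ftp-directory flash:/backup
  quit

 # Cleartext FTP, if it must stay on: bind it to the management address,
 # apply the ACL, and time idle sessions out quickly.
 ftp server-source -a 10.0.99.2
 ftp acl 2002
 ftp timeout 5
 ftp server enable

 # Preferred: SFTP over the existing SSH server (requires the host key pair
 # created with "rsa local-key-pair create" in the STelnet section).
 sftp server enable
 ssh user backup
 ssh user backup authentication-type password
 ssh user backup service-type sftp
 ssh user backup sftp-directory flash:/backup

 # Once SFTP transfers work, switch cleartext FTP off again.
 undo ftp server enable

 # Push the saved configuration to a remote SFTP server every 60 minutes
 # (the set save-configuration commands from the configuration file section).
 # The credentials here are the remote server's account, not the local one.
 set save-configuration interval 60
 set save-configuration backup-to-server server 10.1.1.10 transport-type sftp user cfgbackup password Rem0te-Passw0rd! path /cfg-backups
 return
save
```

The ACL only gates the FTP listener; the SFTP path is protected by the VTY ACL and the SSH server settings, so both need to be in place. The remote backup password is stored in the configuration; keep `display current-configuration` output out of shared ticketing systems.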

 

 

Interface and Ethernet link configuration and management

 

Interface types:

Management interfaces: Console, MEth (e.g. MEth0/0/1)

Physical interfaces: Ethernet interfaces (electrical and optical)

Logical interfaces: Loopback, Null, VLANIF, Tunnel, Ethernet sub-interfaces, Eth-Trunk

 

Basic interface parameters

system-view

set flow-stat interval interval-time   (system view: global traffic-statistics interval)

interface interface-type interface-number

description description

set flow-stat interval interval-time   (interface view: overrides the global interval for this interface)

shutdown

undo shutdown

 

Interface management

display interface [ interface-type [ interface-number ] ]

display interface brief

display ip interface [ interface-type interface-number ]

display ip interface brief [ interface-type [ interface-number ] ]

display interface description [ interface-type [ interface-number ] ]

display counters [ inbound | outbound ] [ interface interface-type [ interface-number ] ]

display counters rate [ inbound | outbound ] [ interface interface-type [ interface-number ] ]

reset counters interface interface-type [ interface-number ]

reset counters if-mib interface interface-type [ interface-number ]

 

Ethernet interface attributes

Two kinds of Ethernet interface:

Layer 2 Ethernet interface: a physical interface working at the data link layer. It cannot carry an IP address; it switches received frames at Layer 2, joins VLANs as an access, hybrid, trunk or dot1q-tunnel port, and received packets can be routed at Layer 3 only through a VLANIF interface.

Layer 3 Ethernet sub-interface: a logical interface working at the network layer. It can carry an IP address, handles Layer 3 protocols, and encapsulates or terminates one or more VLANs, so VLAN-tagged packets are sent and received on the sub-interface.

 

Ethernet port groups

Configuring a permanent port group

port-group port-group-name

group-member { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-10>

display port-group [ all | port-group-name ]

Configuring a temporary port group

port-group group-member { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-10>

 

Basic Ethernet port attributes (interface view)

interface interface-type interface-number

port-group port-group-name

combo-port { auto | copper | fiber }

set port-work-mode { lan | wan }

port split

auto speed { 10 | 100 | 1000 }   (speeds offered during auto-negotiation)

undo negotiation auto

speed { 10 | 100 | 1000 }   (fixed speed; only after auto-negotiation is disabled)

flow-control   (static flow control)

negotiation auto

flow-control negotiation   (flow control agreed through auto-negotiation)

auto duplex { full | half }   (duplex modes offered during auto-negotiation)

undo negotiation auto

duplex { full | half }   (fixed duplex; only after auto-negotiation is disabled)

virtual-cable-test

mdi { across | auto | normal }

loopback-detect enable

energy-efficient-ethernet enable

jumboframe enable [ value ]

undo portswitch   (switches the port from Layer 2 to Layer 3 mode on models that support it)

 

Port isolation

Unidirectional port isolation

port-isolate mode { l2 | all }   (system view: isolate at Layer 2 only, or at Layer 2 and Layer 3)

interface interface-type interface-number

am isolate { interface-type interface-number } &<1-8>   (frames from this port are not sent to the listed ports; the reverse direction is unaffected)

am isolate interface-type interface-number [ to interface-number ]

 

Port isolation groups

port-isolate mode { l2 | all }

interface interface-type interface-number

port-isolate enable [ group group-id ]   (ports in the same group cannot reach each other; ports in different groups can)

display port-isolate group { group-id | all }

 

Ethernet sub-interfaces

Ethernet sub-interfaces are used for Layer 3 communication between VLANs and for interconnecting a LAN with a WAN.

Configuring an Ethernet sub-interface

interface interface-type interface-number.subinterface-number

ip address ip-address { mask | mask-length } [ sub ]

dot1q termination vid low-pe-vid [ to high-pe-vid ]

qinq termination pe-vid pe-vid ce-vid ce-vid1 [ to ce-vid2 ]

arp broadcast enable

 

display interface [ interface-type [ interface-number [ .subnumber ] ] ]

display dot1q information termination [ interface interface-type interface-number [ .subnumber ] ]

display qinq information termination [ interface interface-type interface-number [ .subnumber ] ]

 

Loopback interfaces

A loopback interface is a Layer 3 logical interface that stays up as long as the device does, which is why it is used as the source address for management protocols.

Configuring a loopback interface

interface loopback loopback-number

ip address ip-address { mask | mask-length } [ sub ]

ip verify source-address

 

The NULL interface

The NULL interface is created automatically by the system; there is exactly one, numbered 0. A route whose next hop is NULL0 silently discards traffic, which is the usual way to black-hole a prefix.

 

Ethernet link aggregation has two modes:

manual load-balancing Eth-Trunk links, and LACP (Link Aggregation Control Protocol) Eth-Trunk links.

In a stacking scenario an Eth-Trunk that spans member devices supports local-preference forwarding: traffic leaves on a member port of the device it entered on.

E-Trunk: Enhanced Trunk, an Eth-Trunk that spans two separate devices.

 

Manual load-balancing link aggregation

interface eth-trunk trunk-id

mode manual load-balance

trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-8>

quit

interface interface-type interface-number

eth-trunk trunk-id   (alternative: add the member from the member interface view)

interface eth-trunk trunk-id

least active-linknumber link-number

load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }

display eth-trunk [ trunk-id [ interface interface-type interface-number | verbose ] ]

display trunkmembership eth-trunk trunk-id

 

LACP link aggregation

interface eth-trunk trunk-id

mode lacp

trunkport interface-type { interface-number1 [ to interface-number2 ] } &<1-8>

quit

interface interface-type interface-number

eth-trunk trunk-id

interface eth-trunk trunk-id

least active-linknumber link-number

max active-linknumber link-number

load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dst-mac }

quit

lacp priority priority   (system view: LACP system priority; the lower value becomes the Actor that selects the active links)

interface interface-type interface-number

lacp priority priority   (interface view: port priority; decides which links are active when more links are up than max active-linknumber allows)

quit

interface eth-trunk trunk-id

lacp preempt enable

lacp preempt delay delay-time

lacp timeout { fast | slow }
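The LACP procedure above, carried through for a two-port uplink as an added example (not from the original page). The Eth-Trunk number, member ports and VLAN list are assumptions; the same block is configured on both ends of the link, and `#` lines are annotations.

```vrp
# Added example: two-port LACP Eth-Trunk toward the core.
system-view
 # A lower system priority makes this switch the Actor that chooses
 # which member links are active.
 lacp priority 100
 interface eth-trunk 1
  description TO-CORE
  mode lacp
  trunkport gigabitethernet 0/0/23 to 0/0/24
  # Stay up with one negotiated link, use both when both negotiate.
  least active-linknumber 1
  max active-linknumber 2
  load-balance src-dst-ip
  # Let a repaired higher-priority link take over again, after a 30 s delay
  # so a flapping link does not cause repeated reselection.
  lacp preempt enable
  lacp preempt delay 30
  # Fast timeout: a dead member is detected in seconds rather than
  # after three 30 s intervals.
  lacp timeout fast
  # VLAN configuration belongs on the Eth-Trunk, not on the member ports.
  port link-type trunk
  port trunk allow-pass vlan 10 20 99
  quit
 display eth-trunk 1
 display trunkmembership eth-trunk 1
```

Member ports must carry no Layer 2 or Layer 3 configuration of their own before `trunkport` adds them, and the peer must run LACP on the same ports; a manual load-balancing trunk on one end and LACP on the other forms no bundle.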

 

Eth-Trunk local-preference forwarding

In the Eth-Trunk interface view: local-preference enable

 

E-Trunk configuration

system-view

lacp e-trunk system-id mac-address

lacp e-trunk priority priority

e-trunk e-trunk-id

priority priority

peer-address peer-ip-address source-address source-ip-address

e-trunk track bfd-session session-name bfd-session-name

quit

interface eth-trunk trunk-id

e-trunk e-trunk-id [ remote-eth-trunk eth-trunk-id ]

quit

e-trunk e-trunk-id

e-trunk mode { auto | force-master | force-backup }

security-key { simple simple-key | cipher cipher-key }   (authenticates E-Trunk packets between the two devices; use cipher so the key is not stored in cleartext)

timer hello hello-times

timer hold-on-failure multiplier multiplier

timer revert delay delay-value

 

 

Eth-Trunk sub-interfaces

system-view

interface eth-trunk trunk-id.subnumber

ip address ip-address { mask | mask-length } [ sub ]

dot1q termination vid low-pe-vid [ to high-pe-vid ]

qinq termination pe-vid pe-vid ce-vid ce-vid1 [ to ce-vid2 ]

arp broadcast enable

 

iStack stacking configuration

system-view

stack port interface interface-type interface-number enable

stack port interface interface-type interface-number1 to interface-number2 enable

interface stack-port member-id/port-id

port member-group interface interface-type interface-number

quit

stack enable

stack slot slot-id renumber new-slot-id

stack slot slot-id priority priority

reboot

display switchover state

slave auto-update config

slave switchover enable

slave switchover

stack reserved-vlan vlan-id

stack timer mac-address switch-delay delay-time

stack led enable [ duration duration-value ]

 

iStack management

display stack

display stack peers

display stack configuration [ slot slot-id ]

display stack-port membership [ slot-id/port-id ]

display stack-port { global load-balance | load-balance [ slot-id/port-id ] }

display interface stack-port [ slot-id/port-id ]

reset counters stack-port [ slot-id/port-id ]

 

Multi-active detection (MAD) configuration

system-view

interface interface-type interface-number

mad detect mode direct   (direct mode: a dedicated link between the stack members)

 

interface eth-trunk trunk-id

mad detect mode relay   (relay mode: detection through an Eth-Trunk to a relay device)

interface eth-trunk trunk-id   (on the relay device)

mad relay

mad exclude interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-10>   (ports left up on the stack that MAD shuts down, e.g. the management port)

mad restore

 

CSS (Cluster Switch System)

CSS cluster configuration

system-view

set css id new-id [ chassis chassis-id ]

set css mode { lpu | css-card }

interface css-port port-id

port interface { interface-type interface-number1 [ to interface-type interface-number2 ] } &<1-10> enable

quit

set css priority priority [ chassis chassis-id ]

css master force [ chassis chassis-id ]

css enable

css standby port delay time

set css system-mac chassis chassis-id

quit

startup system-software system-file all

css fast upgrade

 

Basic VLAN configuration

VLAN: Virtual Local Area Network

Port-based VLAN assignment

system-view

vlan vlan-id   or   vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10>

quit

interface interface-type interface-number

port link-type { access | hybrid | trunk }

port default vlan vlan-id   (access port)

port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }   (trunk port; avoid all and list only the VLANs that must cross the link)

port trunk pvid vlan vlan-id   (trunk port: VLAN assigned to untagged frames)

port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

port hybrid pvid vlan vlan-id

 

MAC address-based VLAN assignment

system-view

vlan vlan-id

mac-vlan mac-address mac-address [ mac-address-mask | mac-address-mask-length ] [ priority priority ]

quit

interface interface-type interface-number

port link-type hybrid

port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

vlan precedence mac-vlan

mac-vlan enable

 

Subnet-based VLAN assignment

system-view

vlan vlan-id

ip-subnet-vlan [ ip-subnet-index ] ip ip-address { mask | mask-length } [ priority priority ]

quit

interface interface-type interface-number

port link-type hybrid

port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

vlan precedence ip-subnet-vlan

ip-subnet-vlan enable

MAC-based and subnet-based assignment key on values the attached host controls; a host that changes its MAC or IP address chooses its VLAN, so these modes organise traffic but do not enforce a security boundary.

 

Protocol-based VLAN assignment

system-view

vlan vlan-id

protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii | llc | raw | snap } | mode { ethernetii-etype etype-id1 | llc dsap dsap-id ssap ssap-id | snap-etype etype-id2 } }

quit

interface interface-type interface-number

port link-type hybrid

port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

protocol-vlan vlan vlan-id { all | protocol-index1 [ to protocol-index2 ] } [ priority priority ]

 

Policy-based VLAN assignment

system-view

vlan vlan-id

policy-vlan mac-address mac-address ip ip-address [ interface interface-type interface-number ] [ priority priority ]

quit

interface interface-type interface-number

port link-type hybrid

port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

 

Common VLAN management commands

display vlan

display mac-vlan { mac-address { all | mac-address } | vlan vlan-id }

display ip-subnet-vlan vlan { all | vlan-id1 [ to vlan-id2 ] }

display protocol-vlan vlan { all | vlan-id1 [ to vlan-id2 ] }

display protocol-vlan interface { all | interface-type interface-number }

display policy-vlan { all | vlan vlan-id }

reset vlan vlan-id statistics

 

GVRP configuration

GVRP: GARP VLAN Registration Protocol

GARP: Generic Attribute Registration Protocol

Enabling GVRP

system-view

gvrp

interface interface-type interface-number

port link-type trunk

port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

gvrp

Configuring the GVRP registration mode on a port

gvrp registration { fixed | forbidden | normal }   (normal lets the neighbour register VLANs on this switch dynamically; use fixed or forbidden on ports facing devices you do not control)

GARP timers

system-view

garp timer leaveall timer-value

interface interface-type interface-number

garp timer { hold | join | leave } timer-value

GVRP management

display gvrp status

display gvrp statistics [ interface { interface-type interface-number [ to interface-type interface-number ] } &<1-10> ]

display garp timer [ interface { interface-type interface-number [ to interface-type interface-number ] } &<1-10> ]

reset garp statistics [ interface { interface-type interface-number [ to interface-type interface-number ] } &<1-10> ]

 

Inter-VLAN communication

Via VLANIF interfaces

system-view

interface vlanif vlan-id

ip address ip-address { mask | mask-length } [ sub ]

damping time delay-time

mtu mtu

bandwidth bandwidth

 

Via sub-interfaces

system-view

interface { ethernet | gigabitethernet | xgigabitethernet | eth-trunk } interface-number.subinterface-number

ip address ip-address { mask | mask-length } [ sub ]

dot1q termination vid low-pe-vid [ to high-pe-vid ]

arp broadcast enable

 

Via VLAN Switch

VLAN Switch (switch-vlan):

system-view

vlan-switch vlan-switch-name interface interface-type1 interface-number1 vlan vlan-id [ inner-vlan vlan-id2 [ to vlan-id3 ] ] interface interface-type2 interface-number2 [ switch-vlan vlan-id4 ]

 

Management VLAN

system-view

vlan vlan-id

management-vlan

quit

interface vlanif vlan-id

ip address ip-address { mask | mask-length } [ sub ]
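A worked port-based VLAN layout, as an added example (not from the original page) that ties together the port-based VLAN commands, the port isolation section, the VLANIF inter-VLAN routing and the management VLAN: an access switch with isolated host ports, a trunk that carries only the listed VLANs with an unused native VLAN, and the core switch that holds the gateways. Host names, interface numbers, VLAN numbers and addresses are assumptions; `#` lines are annotations.

```vrp
# Added example: access switch with a locked-down uplink, and the core
# switch that routes between the VLANs. Names and addresses are assumed.

# ---- Access switch (Layer 2, managed through VLAN 99) ----
system-view
 sysname ACC-SW1
 vlan batch 10 20 99 999
 vlan 99
  description MGMT
  management-vlan
  quit
 vlan 999
  description NATIVE-UNUSED
  quit

 # Host ports: one access VLAN each, isolated from each other at Layer 2,
 # so a host reaches the gateway but not its neighbours on this switch.
 port-isolate mode l2
 interface gigabitethernet 0/0/1
  port link-type access
  port default vlan 10
  port-isolate enable group 1
  quit
 interface gigabitethernet 0/0/2
  port link-type access
  port default vlan 10
  port-isolate enable group 1
  quit

 # Uplink: explicit allow list (never "all"), VLAN 1 removed, and the
 # native VLAN moved to an unused VLAN so stray untagged frames go nowhere useful.
 interface gigabitethernet 0/0/24
  port link-type trunk
  port trunk pvid vlan 999
  port trunk allow-pass vlan 10 20 99
  undo port trunk allow-pass vlan 1
  quit

 # Management address in the management VLAN and a route to the core.
 interface vlanif 99
  ip address 10.0.99.11 24
  quit
 ip route-static 0.0.0.0 0 10.0.99.1

# ---- Core switch (Layer 3 gateways; inter-VLAN routing through VLANIF) ----
system-view
 sysname CORE-SW1
 vlan batch 10 20 99 999
 interface gigabitethernet 0/0/1
  description TO-ACC-SW1
  port link-type trunk
  port trunk pvid vlan 999
  port trunk allow-pass vlan 10 20 99
  undo port trunk allow-pass vlan 1
  quit
 interface vlanif 10
  ip address 10.0.10.1 24
  quit
 interface vlanif 20
  ip address 10.0.20.1 24
  quit
 interface vlanif 99
  ip address 10.0.99.1 24
  quit

 # Verify on either switch.
 display vlan
 display port vlan
 display port-isolate group all
 display ip interface brief
```

Port isolation only separates the ports of one switch; hosts in VLAN 10 on different access switches still reach each other through the core, and the inter-VLAN paths created by the VLANIF gateways need ACLs (see the ACL section) if VLAN 10 is not meant to reach VLAN 99.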

 

VLAN aggregation

Super-VLAN (VLAN Aggregation)

super-VLAN and sub-VLANs

Communication between sub-VLANs is provided by the ARP proxy function on the super-VLAN's VLANIF interface.

The sub-VLANs must be created and configured first, then the super-VLAN.

Configuring sub-VLANs

system-view

interface interface-type interface-number

port link-type access

quit

vlan vlan-id

port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

Configuring the super-VLAN

system-view

vlan vlan-id

aggregate-vlan

access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

quit

interface vlanif vlan-id

arp-proxy inter-sub-vlan-proxy enable

ip address ip-address { mask | mask-length } [ sub ]

 

MUX VLAN

Principal VLAN

Subordinate VLANs: the separate VLAN (isolated subordinate VLAN, its ports cannot reach each other) and group VLANs (interworking subordinate VLANs, ports in the same group can reach each other). Ports in any subordinate VLAN can reach the principal VLAN.

Configuring a MUX VLAN

Principal VLAN

system-view

vlan vlan-id

mux-vlan

Subordinate VLANs

system-view

vlan vlan-id   (create the subordinate VLAN)

quit

vlan vlan-id   (enter the principal VLAN view)

subordinate group { vlan-id1 [ to vlan-id2 ] } &<1-10>

subordinate separate vlan-id

Enabling MUX VLAN on a port

In the interface view:

port mux-vlan enable
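The MUX VLAN procedure above, carried through as an added example (not from the original page): servers in the group VLAN can talk to each other, guest ports in the separate VLAN reach only the uplink, and both reach the gateway through the principal VLAN. VLAN numbers and port numbers are assumptions; `#` lines are annotations.

```vrp
# Added example: MUX VLAN with one group VLAN and one separate VLAN.
system-view
 vlan batch 100 101 102
 vlan 100
  description PRINCIPAL
  mux-vlan
  subordinate group 101
  subordinate separate 102
  quit

 # Uplink to the gateway: principal VLAN.
 interface gigabitethernet 0/0/24
  port link-type access
  port default vlan 100
  port mux-vlan enable
  quit

 # Servers that must see each other: group VLAN.
 interface gigabitethernet 0/0/1
  port link-type access
  port default vlan 101
  port mux-vlan enable
  quit
 interface gigabitethernet 0/0/2
  port link-type access
  port default vlan 101
  port mux-vlan enable
  quit

 # Guest ports: separate VLAN, no Layer 2 path between them.
 interface gigabitethernet 0/0/3
  port link-type access
  port default vlan 102
  port mux-vlan enable
  quit
 interface gigabitethernet 0/0/4
  port link-type access
  port default vlan 102
  port mux-vlan enable
  quit

 display mux-vlan
```

All hosts share the principal VLAN's IP subnet, so the separation is Layer 2 only: if the gateway proxies ARP for that subnet, two separate-VLAN hosts can still exchange traffic through it. Check the gateway's ARP proxy settings alongside the MUX VLAN.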

 

 

QinQ encapsulation and termination

Basic QinQ and selective (flexible) QinQ

Basic QinQ

system-view

vlan vlan-id

quit

interface interface-type interface-number

port link-type dot1q-tunnel

port default vlan vlan-id

Configuring the TPID of the outer VLAN tag

In the interface view:

qinq protocol protocol-id

Adding two VLAN tags to untagged frames

system-view

vlan vlan-id

quit

interface interface-type interface-number

port link-type hybrid

port hybrid untagged vlan vlan-id

port vlan-stacking untagged stack-vlan vlan-id1 stack-inner-vlan vlan-id2

 

Selective QinQ based on VLAN ID

system-view

vlan vlan-id

quit

interface interface-type interface-number

port link-type hybrid

port hybrid untagged vlan vlan-id

qinq vlan-translation enable

port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] stack-vlan vlan-id3 [ remark-8021p 8021p-value ]

 

Selective QinQ based on 802.1p priority

system-view

interface interface-type interface-number

port link-type hybrid

port hybrid untagged vlan vlan-id

port vlan-stacking 8021p 8021p-value stack-vlan vlan-id

port vlan-stacking vlan vlan-id1 [ to vlan-id2 ] 8021p 8021p-value1 [ to 8021p-value2 ] stack-vlan vlan-id3 [ remark-8021p 8021p-value3 ]

 

Configuring 802.1p priority mapping on the outbound port

system-view

diffserv domain ds-domain-name

8021p-outbound service-class { green | yellow | red } map 8021p-value

quit

interface interface-type interface-number

port link-type { hybrid | trunk }

port hybrid tagged vlan vlan-id

trust upstream ds-domain-name

 

Selective QinQ based on a traffic policy

system-view

traffic classifier classifier-name

if-match vlan-id start-vlan-id [ to end-vlan-id ]

quit

traffic behavior behavior-name

nest top-most vlan-id vlan-id

quit

traffic policy policy-name

classifier classifier-name behavior behavior-name

quit

interface interface-type interface-number

port link-type hybrid

port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

traffic-policy policy-name inbound

 

QinQ mapping

Difference between QinQ and QinQ mapping: QinQ encapsulates a frame that was not a QinQ frame into one, i.e. it adds a VLAN tag, whereas QinQ mapping replaces an existing VLAN tag without changing the tag structure of the frame.

1-to-1 QinQ mapping: a frame carrying one tag has that tag mapped to the tag the user specifies.

In the corresponding sub-interface view:

qinq mapping vid vlan-id1 [ to vlan-id2 ] map-vlan vid vlan-id3

 

2-to-1 QinQ mapping: a frame carrying two tags has its outer tag replaced, based on both tags, with the tag the user specifies.

qinq mapping pe-vid vlan-id1 ce-vid vlan-id2 [ to vlan-id3 ] map-vlan vid vlan-id4

 

VLAN mapping

Note the difference from QinQ mapping.

Difference from VLAN Switch: VLAN Switch forwards frames without looking up the MAC address table; VLAN mapping does look up the MAC address table.

 

1-to-1 VLAN mapping: the single private-network VLAN tag is mapped to a single public-network VLAN tag.

VLAN-based 1-to-1 VLAN mapping

system-view

interface interface-type interface-number

qinq vlan-translation enable

port vlan-mapping vlan vlan-id1 [ to vlan-id2 ] map-vlan vlan-id3 [ remark-8021p 8021p-value ]

 

802.1p priority-based 1-to-1 VLAN mapping on the inbound port

system-view

interface interface-type interface-number

port vlan-mapping 8021p 8021p-value map-vlan vlan-id [ remark-8021p 8021p-value2 ]

port vlan-mapping vlan vlan-id1 [ to vlan-id2 ] 8021p 8021p-value1 [ to 8021p-value2 ] map-vlan vlan-id3 [ remark-8021p 8021p-value ]

 

Traffic-policy-based 1-to-1 VLAN mapping

system-view

traffic classifier classifier-name

if-match vlan-id start-vlan-id [ to end-vlan-id ]

quit

traffic behavior behavior-name

remark vlan-id vlan-id

quit

traffic policy policy-name

classifier classifier-name behavior behavior-name

quit

interface interface-type interface-number

port link-type hybrid

port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

traffic-policy policy-name { inbound | outbound }

 

For traffic-policy-based VLAN mapping and QinQ mapping, why must the port join the relevant VLANs as an untagged hybrid member? How can if-match match a VLAN if the frame carries no tag? (The tagged/untagged setting of a hybrid port only governs how frames leave the port. On ingress the port accepts a tagged frame for any VLAN it is a member of, and the tag is still present for if-match vlan-id to match; untagged membership is simply the minimal way to make the port a member of the original and the mapped VLAN.)

 

2-to-1 VLAN mapping: the outer tag of a double-tagged frame is replaced.

VLAN-based 2-to-1 VLAN mapping

system-view

interface interface-type interface-number

qinq vlan-translation enable

port vlan-mapping vlan vlan-id1 inner-vlan vlan-id2 [ to vlan-id3 ] map-vlan vlan-id4 [ remark-8021p 8021p-value ]

 

Traffic-policy-based 2-to-1 VLAN mapping

system-view

traffic classifier classifier-name operator and

if-match vlan-id vlan-id

if-match cvlan-id cvlan-id

quit

traffic behavior behavior-name

remark vlan-id vlan-id

quit

traffic policy policy-name

classifier classifier-name behavior behavior-name

quit

interface interface-type interface-number

port link-type hybrid

port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

traffic-policy policy-name { inbound | outbound }

 

2-to-2 VLAN mapping: both private-network VLAN tags are mapped to public-network VLAN tags.

VLAN-based 2-to-2 VLAN mapping

system-view

interface interface-type interface-number

qinq vlan-translation enable

port vlan-mapping vlan vlan-id1 inner-vlan vlan-id2 map-vlan vlan-id3 map-inner-vlan vlan-id4 [ remark-8021p 8021p-value ]

 

Traffic-policy-based 2-to-2 VLAN mapping

system-view

traffic classifier classifier-name operator and

if-match vlan-id vlan-id

if-match cvlan-id cvlan-id

quit

traffic behavior behavior-name

remark vlan-id vlan-id

remark cvlan-id cvlan-id

quit

traffic policy policy-name

classifier classifier-name behavior behavior-name

quit

interface interface-type interface-number

port link-type hybrid

port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

traffic-policy policy-name { inbound | outbound }

 

 

Spanning tree protocol configuration

 

STP: Spanning Tree Protocol

Concepts: root bridge, bridge ID, bridge priority, root port, designated port, port state, port ID, port priority

One root bridge, two metrics, three election items (root bridge, root port, designated port), four comparison rules (root bridge ID, root path cost, sender bridge ID, port ID) and five port states (disabled, blocking, listening, learning, forwarding).

 

RSTP: Rapid Spanning Tree Protocol

 

Basic STP/RSTP configuration

system-view

stp mode { stp | rstp }

stp root { primary | secondary }

stp priority priority

stp pathcost-standard { dot1d-1998 | dot1t | legacy }

interface interface-type interface-number

stp cost cost

stp port priority priority

quit

bpdu enable   or   bpdu bridge enable

stp enable

stp converge { fast | normal }

 

STP parameters

system-view

stp bridge-diameter diameter

stp timer-factor timer-factor

stp timer forward-delay forward-delay

stp timer hello hello-time

stp timer max-age max-age

interface eth-trunk trunk-id

max bandwidth-affected-linknumber link-number

display stp [ interface interface-type interface-number | slot slot-id ] [ brief ]

 

RSTP parameters

system-view

interface interface-type interface-number

stp point-to-point { auto | force-false | force-true }

stp transmit-limit packet-number

stp mcheck   (interface view or system view)

stp edged-port default

stp bpdu-filter default

interface interface-type interface-number

stp edged-port enable

stp bpdu-filter enable   (the port neither sends nor processes BPDUs; combined with edged-port this leaves a loop through that port undetected, so use it only where no switch can ever be attached)

 

RSTP protection functions

system-view

stp bpdu-protection   (an edge port that receives a BPDU is shut down into error-down state)

stp tc-protection

stp tc-protection threshold threshold   (caps how many topology-change notifications are processed per interval, so a TC flood cannot keep flushing the MAC table)

interface interface-type interface-number

stp root-protection   (designated ports: a superior BPDU is ignored and the port is blocked, so a device plugged in below cannot take over as root)

quit

interface interface-type interface-number

stp loop-protection   (root and alternate ports: if BPDUs stop arriving the port stays blocked instead of transitioning to forwarding; cannot be combined with root-protection on the same port)

 

MSTP: Multiple Spanning Tree Protocol

Basic MSTP configuration

system-view

stp mode mstp

stp region-configuration

region-name name

instance instance-id vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

vlan-mapping modulo modulo

revision-level level

active region-configuration

quit

stp [ instance instance-id ] root { primary | secondary }

stp [ instance instance-id ] priority priority

stp pathcost-standard { dot1d-1998 | dot1t | legacy }

interface interface-type interface-number

stp [ instance instance-id ] cost cost

stp [ instance instance-id ] port priority priority

quit

stp enable

stp converge { fast | normal }

 

MSTP multi-process configuration

system-view

stp process process-id

quit

interface interface-type interface-number

stp binding process process-id

stp binding process process-id1 [ to process-id2 ] link-share

quit

stp process process-id

stp [ instance instance-id ] root { primary | secondary }

stp [ instance instance-id ] priority priority

quit

stp pathcost-standard { dot1d-1998 | dot1t | legacy }

interface interface-type interface-number

stp binding process process-id

stp [ process process-id ] [ instance instance-id ] cost cost

stp [ process process-id ] [ instance instance-id ] port priority priority

quit

stp process process-id

stp tc-notify process 0

stp enable

quit

stp converge { fast | normal }

 

MSTP protection functions

system-view

stp process process-id

stp bpdu-protection

stp tc-protection

stp tc-protection threshold threshold

quit

interface interface-type interface-number

stp binding process process-id

stp root-protection

quit

interface interface-type interface-number

stp loop-protection

quit

stp process process-id

stp link-share-protection

 

Interoperability parameters for other vendors' devices

system-view

interface interface-type interface-number

stp no-agreement-check

stp compliance { auto | dot1s | legacy }

stp config-digest-snoop
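The RSTP protection features above, applied together on a distribution switch as an added example (not from the original page); the MSTP variant is the same set of commands issued inside the relevant `stp process` view. The switch is the secondary root (its peer is primary), so its uplink is a root port and loop-protection has something to protect. Interface numbers and the port-group name are assumptions; `#` lines are annotations.

```vrp
# Added example: RSTP with edge, root, loop and TC protection.
system-view
 stp mode rstp
 # Secondary root: the peer distribution switch is configured "stp root primary".
 stp root secondary

 # Error-down any edge port that receives a BPDU (a rogue switch or a loop on a host port).
 stp bpdu-protection
 # Rate-limit topology-change handling so a BPDU flood cannot keep flushing the MAC table.
 stp tc-protection
 stp tc-protection threshold 5
 # Bring a port shut by bpdu-protection back automatically after 5 minutes.
 error-down auto-recovery cause bpdu-protection interval 300

 # Host-facing ports: edge ports go straight to forwarding and are the
 # ports bpdu-protection watches.
 port-group HOSTS
  group-member gigabitethernet 0/0/1 to gigabitethernet 0/0/20
  stp edged-port enable
  quit

 # Downlinks to access switches: designated ports that must never accept a
 # superior BPDU, so a switch plugged in below cannot become root.
 interface gigabitethernet 0/0/21
  stp root-protection
  quit
 interface gigabitethernet 0/0/22
  stp root-protection
  quit

 # Uplink to the primary root: keep this root port blocked if BPDUs stop
 # arriving (one-way link failure) instead of letting it forward.
 # root-protection and loop-protection cannot be enabled on the same port.
 interface gigabitethernet 0/0/24
  stp loop-protection
  quit

 stp enable
 display stp brief
 display stp interface gigabitethernet 0/0/21
```

After a bpdu-protection event, `display stp brief` shows the port down and `display error-down recovery` lists the pending recovery; if the same port keeps tripping, something on it is sending BPDUs and the auto-recovery should be disabled for that port until it is found.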

 

ACL configuration

ACL: Access Control List

Basic ACL (numbers 2000-2999; matches on source IP address only)

system-view

time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2 ] }

acl [ number ] acl-number [ match-order { auto | config } ]

acl name acl-name { basic | acl-number } [ match-order { auto | config } ]

description text

step step

rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name ] *

rule rule-id description description

 

Advanced ACL (numbers 3000-3999; matches on source and destination address, protocol, ports and more)

acl [ number ] acl-number [ match-order { auto | config } ]

acl name acl-name { advance | acl-number } [ match-order { auto | config } ]

When the protocol is ICMP:

rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | fragment | logging | icmp-type { icmp-name | icmp-type icmp-code } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired ] *

When the protocol is TCP (filtering TCP packets):

rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | fragment | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired ] *

When the protocol is UDP (filtering UDP packets; UDP has no flags, so there is no tcp-flag option):

rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | fragment | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired ] *

When the protocol is GRE, IGMP, IP, IPINIP or OSPF:

rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | fragment | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired ] *

 

Layer 2 ACL (numbers 4000-4999)

acl [ number ] acl-number [ match-order { auto | config } ]

acl name acl-name { link | acl-number } [ match-order { auto | config } ]

rule [ rule-id ] { permit | deny } [ [ ether-ii | 802.3 | snap ] | l2-protocol type-value [ type-mask ] | destination-mac dest-mac-address [ dest-mac-mask ] | source-mac source-mac-address [ source-mac-mask ] | vlan-id vlan-id [ vlan-id-mask ] | 8021p 802.1p-value | cvlan-id cvlan-id [ cvlan-id-mask ] | cvlan-8021p 802.1p-value | double-tag ] * [ time-range time-name ]

User-defined ACL (numbers 5000-5999; matches an arbitrary byte pattern at an offset from the chosen header)

acl [ number ] acl-number [ match-order { auto | config } ]

acl name acl-name { user | acl-number } [ match-order { auto | config } ]

rule [ rule-id ] { deny | permit } [ [ l2-head | ipv4-head | ipv6-head | l4-head ] { rule-string rule-mask offset } &<1-8> ] [ time-range time-range ]

 

ACL-based simplified traffic policies

ACL-based packet filtering

Applying ACL-based packet filtering globally or on a VLAN (several syntax variants are listed; use the one your software version accepts, as shown by ?). Packets matching a permit rule are forwarded, packets matching a deny rule are dropped, and packets that match no rule at all are forwarded, so a deny-by-default policy needs an explicit final deny rule.

traffic-filter [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ]

traffic-filter [ vlan vlan-id ] inbound acl { bas-acl | adv-acl | user-acl } [ rule rule-id ]

traffic-filter [ vlan vlan-id ] inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

traffic-secure [ vlan vlan-id ] inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

traffic-secure [ vlan vlan-id ] inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-filter [ vlan vlan-id ] outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-filter [ vlan vlan-id ] { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

 

Applying ACL-based packet filtering on a port (interface view)

traffic-filter inbound acl { bas-acl | adv-acl } [ rule rule-id ]

traffic-filter inbound acl { bas-acl | adv-acl | user-acl } [ rule rule-id ]

traffic-filter inbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl | user-acl } [ rule rule-id ]

traffic-secure inbound acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ]

traffic-secure inbound acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-filter outbound acl { [ ipv6 ] { bas-acl | adv-acl | name acl-name } | l2-acl } [ rule rule-id ]

traffic-filter { inbound | outbound } acl { l2-acl | name acl-name } [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ]

traffic-filter { inbound | outbound } acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ]

 

ACL-based traffic policing configuration

Applying ACL-based traffic policing globally or in a VLAN

traffic-limit [ vlan vlan-id ] inbound acl { { [ ipv6 ] { bas-acl | adv-acl | name acl-name }} | l2-acl | user-acl } [rule rule-id ] cir cir-value [pir pir-value] [cbs cbs-value pbs pbs-value] [green {drop | pass [remark-8021p 8021p-value |remark-dscp dscp-value]}] [yellow  {drop | pass [remark-8021p 8021p-value |remark-dscp dscp-value]}] [red  {drop | pass [remark-8021p 8021p-value |remark-dscp dscp-value]}]

traffic-limit [ vlan vlan-id ] inbound acl  { l2-acl | name acl-name } [rule rule-id]  acl {bas-acl | adv-acl | name acl-name }  [ rule rule-id ]  cir cir-value [pir pir-value] [cbs cbs-value pbs pbs-value] [green {drop | pass [remark-8021p 8021p-value |remark-dscp dscp-value]}] [yellow  {drop | pass [remark-8021p 8021p-value |remark-dscp dscp-value]}] [red  {drop | pass [remark-8021p 8021p-value |remark-dscp dscp-value]}]

 

ACL-based traffic mirroring configuration

traffic-mirror [ vlan vlan-id ] inbound acl { { [ ipv6 ] { bas-acl | adv-acl | name acl-name }} | l2-acl | user-acl } [rule rule-id ] to observe-port o-index

 

ACL-based redirection configuration

traffic-redirect [ vlan vlan-id ] inbound acl { { [ ipv6 ] { bas-acl | adv-acl | name acl-name }} | l2-acl | user-acl } [rule rule-id ] { cpu | interface interface-type interface-number | ip-nexthop ip-nexthop | ipv6-nexthop ip-nexthop}

 

ACL-based re-marking configuration

traffic-remark [ vlan vlan-id ] inbound acl { { [ipv6] {bas-acl | adv-acl | name acl-name }} | l2-acl | user-acl} [rule rule-id] {dscp { dscp-name | dscp-value} | 8021p 8021p-value | destination-mac mac-address | ip-precedence ip-precedence-value | vlan-id vlan-id | local-precedence local-precedence-value}

 

ACL-based traffic statistics configuration

traffic-statistic [ vlan vlan-id ] inbound acl { { [ipv6] {bas-acl | adv-acl | name acl-name }} | l2-acl | user-acl} [rule rule-id] [by-bytes]

 

Reflexive ACL configuration

system-view

time-range time-name { start-time to end-time days | from time1 date1 [ to time2 date2] }

acl [number] acl-number [match-order {auto | config }]

acl name acl-name {advance | acl-number } [match-order {auto | config }]

When protocol is TCP:

rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | fragment | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | fin | psh | rst | syn | urg }* | time-range time-name | ttl-expired ]*

When protocol is UDP:

rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | fragment | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | fin | psh | rst | syn | urg }* | time-range time-name | ttl-expired ]*

quit

interface interface-type interface-number

traffic-reflect { inbound | outbound } acl {adv-acl-name | adv-acl-number} [timeout time-value ]

quit

traffic-reflect timeout time-value
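A complete reflexive ACL configuration, as an added example that is not part of the original page: hosts in an inside subnet may open TCP and UDP sessions outbound, and only the matching return traffic of those sessions is accepted inbound. ACL number 3001, the 192.168.10.0/24 subnet, the interface name and the 300-second timeout are assumed values.

```text
# Added example (not from the original page). Assumed values: ACL 3001,
# subnet 192.168.10.0/24, interface GigabitEthernet0/0/1, timeout 300 s.
system-view
acl number 3001 match-order config
 rule 5 permit tcp source 192.168.10.0 0.0.0.255 destination any
 rule 10 permit udp source 192.168.10.0 0.0.0.255 destination any
quit
interface GigabitEthernet0/0/1
 # Sessions initiated outbound that match ACL 3001 create temporary
 # reverse entries; unrelated inbound traffic gets no such entry.
 traffic-reflect outbound acl 3001 timeout 300
quit
```

The ACL is bound in the direction in which sessions are initiated; the reflected entries for the opposite direction expire after the timeout once the session goes idle, so the value should be long enough for legitimate long-lived sessions but short enough that stale entries do not linger.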

 

QoS basic technical principles

 

QoS: Quality of Service

 

QoS priority mapping configuration and management

Priority mapping is configured differently depending on the switch series.

S2700SI/2700EI/2710SI series priority mapping configuration

system-view

interface interface-type interface-number

trust 8021p

port priority priority-value

quit

qos local-precedence-queue-map local-precedence queue-index

display qos local-precedence-queue-map

 

S2700/3700/S5700SI/5700EI/5700LI/5700S-LI series priority mapping configuration and management

system-view

interface interface-type interface-number

trust { 8021p | dscp | ip-precedence }

port priority priority-value

quit

qos map-table { dscp-dot1p | dscp-dp | dscp-dscp }

input { input-value1 [ to input-value2 ] & <1-10>} output output-value

quit

qos map-table {ip-pre-dot1p | ip-pre-ip-pre}

input  input-value1  [ to input-value2 ]  output output-value

quit

qos local-precedence-queue-map local-precedence queue-index

display qos map-table [ dscp-dot1p | dscp-dp | dscp-dscp | ip-pre-dot1p | ip-pre-ip-pre ]

display qos local-precedence-queue-map

 

S5700HI/5710EI/6700/7700/9300/9300E/9700 series priority mapping configuration

system-view

interface interface-type interface-number

trust { 8021p {inner| outer} | dscp }

port priority priority-value

quit

diffserv domain {default | ds-domain-name }

8021p-inbound 8021p-value phb service-class [ green | yellow | red ]

8021p-outbound service-class {green | yellow | red } map 8021p-value

ip-dscp-inbound dscp-value phb service-class [green | yellow | red ]

ip-dscp-outbound service-class { green | yellow | red } map dscp-value

quit

interface interface-type interface-number

trust upstream { ds-domain-name | default | none }

undo qos phb marking enable

quit

display diffserv domain [ all | name ds-domain-name ]

display qos local-precedence-queue-map

 

Configuring traffic policing

Interface-based traffic policing configuration

S2700/3700/5700/6700: run in the corresponding interface view:

qos lr inbound cir cir-value [cbs cbs-value ]

S7700/9300/9300E/9700

qos car car-name {cir cir-value [cbs cbs-value [pbs pbs-value] | pir pir-value [cbs cbs-value pbs pbs-value]]}

In the traffic behavior view: car car-name share

In the interface view: qos car inbound car-name

In the VLAN view: storm suppression broadcast car-name [ share ]

               storm suppression multicast car-name [share]

               unicast-suppression car-name [share]

 

Traffic policing configuration on the management interface

qos lr pps packets

 

Flow-based traffic policing configuration: four steps

Define a traffic classifier, configure a traffic behavior, configure a traffic policy, apply the traffic policy.
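The four steps carried through end to end, as an added example that is not part of the original page: traffic from a guest subnet is matched by an ACL, policed to 2 Mbit/s in a behavior, bound in a policy, and applied on an access interface. ACL 3002, the 10.20.0.0/16 subnet, the names c_guest/b_guest/p_guest and the interface are assumed values, and the `traffic-policy ... inbound` apply command is assumed, since the page only says to apply the policy on the interface.

```text
# Added example (not from the original page). Assumed values: ACL 3002,
# subnet 10.20.0.0/16, classifier c_guest, behavior b_guest, policy
# p_guest, interface GigabitEthernet0/0/2.
system-view
acl number 3002
 rule 5 permit ip source 10.20.0.0 0.0.255.255
quit
# Step 1: traffic classifier that matches the ACL
traffic classifier c_guest
 if-match acl 3002
quit
# Step 2: traffic behavior that polices to 2048 kbit/s and counts hits
traffic behavior b_guest
 car cir 2048 green pass yellow pass red discard
 statistic enable
quit
# Step 3: traffic policy binding classifier to behavior
traffic policy p_guest
 classifier c_guest behavior b_guest
quit
# Step 4: apply the policy inbound on the access interface
# (apply command assumed; not listed on the page)
interface GigabitEthernet0/0/2
 traffic-policy p_guest inbound
quit
# Verify that packets are being matched and policed
display traffic policy statistics interface GigabitEthernet0/0/2 inbound
```

`statistic enable` in the behavior is what makes the `display traffic policy statistics` output meaningful; without it the counters stay empty and there is no way to confirm the policy is actually matching.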

Interface-based traffic shaping configuration

qos lr outbound cir cir-value [cbs cbs-value ]

qos lr cir cir-value [cbs cbs-value ] [ outbound ]

 

Interface-queue-based traffic shaping configuration

qos queue queue-index shaping cir cir-value cbs cbs-value

qos queue queue-index shaping cir cir-value  pir pir-value [ cbs cbs-value pbs pbs-value]

Configuring interface queue buffers

qos queue queue-index max-length packet-number 

qos queue queue-index length length-value 

qos queue max-length

 

Interface queue buffer configuration with tail drop

qos tail-drop-profile profile-name

qos queue queue-index max-length packet-number [ green max-length packet-number ]

qos queue queue-index green max-length packet-number non-green max-length packet-number

 

Traffic policing and traffic shaping management

display qos lr outbound interface interface-type interface-number

reset traffic policy statistics { global [slot slot-id ] | interface interface-type interface-number | vlan vlan-id } inbound

reset qos queue statistics [queue queue-index { inbound interface interface-type interface-number | outbound interface interface-type interface-number [ from interface { interface-type interface-number | all}]}]

display traffic policy statistics  { global [slot slot-id ] | interface interface-type interface-number | vlan vlan-id } {inbound | outbound } [ verbose {classifier-base | rule-base} [ class classifier-name ]]

display qos queue statistics [ queue queue-index { inbound interface interface-type interface-number } ]

display qos queue statistics [ queue queue-index { inbound interface interface-type interface-number | outbound interface interface-type interface-number [ from interface { interface-type interface-number | all } ] } ]

 

Congestion avoidance and congestion management configuration

Tail-drop congestion avoidance configuration

system-view

qos tail-drop-profile profile-name

qos queue queue-index max-buffer cell-number [ green max-buffer cell-number]

qos queue queue-index green max-buffer cell-number

qos queue queue-index green max-buffer cell-number non-green max-buffer cell-number

qos queue queue-index max-length packet-number [ green max-length packet-number ]

qos queue queue-index green max-length packet-number

qos queue queue-index green max-length packet-number non-green max-length packet-number

quit

interface interface-type interface-number

shutdown

qos tail-drop-profile profile-name

undo shutdown

 

WRED congestion avoidance configuration

system-view

int int-type int-number

shutdown

qos queue queue-index length length-value

undo shutdown

dei enable

quit

drop-profile drop-profile-name

color { green | non-tcp | red | yellow } low-limit low-limit-percentage high-limit high-limit-percentage discard-percentage discard-percentage

quit

qos queue queue-index wred drop-profile-name

int int-type int-number

qos wred drop-profile-name

qos queue queue-index wred drop-profile-name

 

Congestion management configuration

qos queue queue-index wrr weight weight

 

S2700/3700SI/3700EI switch congestion management configuration

system-view

int int-type int-number

qos { pq | wrr | drr }

qos queue queue-index wrr weight weight

qos queue queue-index drr weight weight

 

S5700 series congestion management configuration

system-view

qos schedule-profile profile-name

qos { pq | wrr | drr}

qos queue queue-index wrr weight weight

qos queue queue-index drr weight weight

int int-type int-number

qos schedule-profile profile-name

 

S7700/9300/9700 series congestion management configuration

system-view

int int-type int-number

qos queue queue-index wfq weight weight

qos { pq | wrr | drr}

qos { pq { start-queue-index [ to end-queue-index ] } &<1-8> | { wrr | drr } { start-queue-index [ to end-queue-index ] } &<1-8> }

qos queue queue-index wrr weight weight

qos queue queue-index drr weight weight

 

Complex traffic policy configuration and management

Matching rules that can be configured in a traffic classifier

if-match vlan-id start-vlan-id [to end-vlan-id ] [cvlan-id cvlan-id]

if-match cvlan-id start-vlan-id [to end-vlan-id ] [vlan-id vlan-id]

if-match 8021p {8021p-value} &<1-8>

if-match cvlan-8021p { 8021p-value } &<1-8>

if-match discard

if-match double-tag

if-match destination-mac mac-address [ mac-address-mask ]

if-match source-mac mac-address [ mac-address-mask ]

if-match l2-protocol {arp | ip | mpls | rarp | protocol-value }

if-match any

if-match dscp dscp-value &<1-8>

if-match ip-precedence ip-precedence &<1-8>

if-match protocol { ip | ipv6}

if-match tcp syn-flag { syn-flag-value | ack | fin | psh | rst | syn | urg}

if-match inbound-interface interface-type interface-number

if-match acl {acl-number | acl-name }

if-match ipv6 acl {acl-number | acl-name }

 

Traffic behavior configuration

system-view

traffic behavior behavior-name

permit | deny

remark 8021p [ 8021p-value | inner-8021p ]

remark dscp {dscp-name | dscp-value }

remark cvlan-id cvlan-id

remark local-precedence { local-precedence-name | local-precedence-value }

remark local-precedence { local-precedence-name | local-precedence-value } [green | yellow | red ]

remark ip-precedence ip-precedence

remark destination-mac mac-address

remark vlan-id vlan-id

redirect cpu

redirect ip-nexthop ip-address &<1-4> [ forced]

redirect ip-multihop { nexthop ip-address } &<2-4>

redirect interface interface-type interface-number

car [aggregation ] cir cir-value cbs cbs-value

car [aggregation ] cir cir-value [pir pir-value] [cbs cbs-value pbs pbs-value ][ green { discard | pass [remark-dscp dscp-value | remark-8021p 8021p-precedence ]}] [yellow { discard | pass [remark-dscp dscp-value | remark-8021p 8021p-precedence]}] [red {discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-precedence ]}]

car  cir cir-value [pir pir-value] [cbs cbs-value pbs pbs-value ] [green pass ] [yellow { discard | pass [remark-dscp dscp-value | remark-8021p 8021p-precedence]}] [red {discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-precedence ]}]

car [aggregation ]  cir cir-value [pir pir-value] [cbs cbs-value pbs pbs-value ] [green pass ] [yellow { discard | pass [remark-dscp dscp-value | remark-8021p 8021p-precedence]}] [red {discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-precedence ]}]

car  cir cir-value [pir pir-value] [cbs cbs-value pbs pbs-value ] [green {discard | pass [remark-dscp dscp-value | remark-8021p 8021p-precedence]} ] [yellow { discard | pass [remark-dscp dscp-value | remark-8021p 8021p-precedence]}] [red {discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-precedence ]}]

car  cir cir-value [pir pir-value] [cbs cbs-value pbs pbs-value ] [share ] [mode { color-blind | color-aware }]  [green {discard | pass [remark-dscp dscp-value | remark-8021p 8021p-precedence]} ] [yellow { discard | pass [remark-dscp dscp-value | remark-8021p 8021p-precedence]}] [red {discard | pass [ remark-dscp dscp-value | remark-8021p 8021p-precedence ]}]

mirroring to observe-port observe-port-index

statistic enable

mac-address learning disable

nest top-most vlan-id vlan-id

 

IP multicast configuration and management

 

IGMP basic function configuration

system-view

multicast routing-enable

int int-type int-number

igmp enable

quit

igmp

version {1 | 2 |3 }

int int-type int-number

igmp version {1 | 2 |3 }

igmp static-group group-address [ inc-step-mask { group-mask | group-mask-length } number group-number] [source source-address ]

igmp group-policy { acl-number | acl-name acl-name }  [ 1 |2 | 3 ]

 

Adjusting IGMP performance parameters

system-view

igmp

require-router-alert

send-router-alert

int int-type int-number

igmp require-router-alert

igmp send-router-alert

quit

igmp

timer query interval

robust-count robust-value

max-response-time interval

timer other-querier-present interval

lastmember-queryinterval interval

quit

int int-type int-number

igmp timer query interval

igmp robust-count robust-value

igmp max-response-time interval

igmp timer other-querier-present interval

igmp lastmember-queryinterval interval

quit

igmp

prompt-leave [ group-policy acl-number ]

quit

int int-type int-number

igmp prompt-leave [ group-policy acl-number ]

igmp on-demand

igmp query ip-source-policy { basic-acl-number | acl-name acl-name }

igmp ip-source-policy [basic-acl-number ]

 

SSM Mapping configuration

system-view

igmp ssm-mapping group-address { group-mask | group-mask-length } source-address

quit

int int-type int-number

igmp ssm-mapping enable

 

IGMP Limit configuration

system-view

igmp global limit number

int int-type int-number

igmp limit number [ except acl-number ]

 

PIM-DM basic function configuration

system-view

multicast routing-enable

int int-type int-number

pim dm

 

Adjusting multicast source control parameters

system-view

pim

source-lifetime interval

source-policy { acl-number | acl-name acl-name }

 

Adjusting neighbor control parameters

system-view

pim

timer hello interval

hello-option holdtime interval

quit

int int-type int-number

pim timer hello interval

pim hello-option holdtime interval

pim triggered-hello-delay interval

pim neighbor-policy basic-acl-number

pim require-genid

quit

pim

neighbor-check { receive | send }

 

Adjusting prune control parameters

system-view

pim

timer join-prune interval

holdtime join-prune interval

quit

int int-type int-number

pim timer join-prune interval

pim holdtime join-prune interval

quit

pim

join-prune max-packet-length packet-length

join-prune periodic-messages queue-size queue-size

join-prune triggered-message-cache disable

hello-option lan-delay interval

hello-option override-interval interval

quit

int int-type int-number

pim hello-option lan-delay interval

pim hello-option override-interval interval

 

Adjusting graft control parameters

pim timer graft-retry interval

Adjusting state refresh control parameters

system-view

int int-type int-number

undo pim state-refresh-capable

quit

pim

state-refresh-interval interval

state-refresh-rate-limit interval

state-refresh-ttl ttl-value

Adjusting assert control parameters

holdtime assert interval

pim holdtime assert interval

Configuring PIM Silent

pim silent

 

PIM-SM configuration for the ASM model

system-view

multicast routing-enable

int int-type int-number

pim sm

quit

pim

static-rp rp-address [ basic-acl-number ] [preferred ]

c-bsr interface-type interface-number [hash-length [ priority ]]

bsm semantic fragmentation

c-rp interface-type interface-number [ group-policy basic-acl-number | priority priority | holdtime hold-interval | advertisement-interval adv-interval ] *

quit

int int-type int-number

pim bsr-boundary

quit

pim

c-bsr admin-scope

quit

int int-type int-number

multicast boundary group-address { mask | mask-length }

quit

pim

c-bsr group group-address { mask | mask-length } [hash-length hash-length | priority priority ] *

c-bsr global [hash-length hash-length | priority priority ] *

spt-switch-threshold infinity

register-suppression-timeout interval

probe-interval interval

register-header-checksum

register-source interface-type interface-number

register-policy advanced-acl-number

c-rp priority priority

c-rp advertisement-interval interval

c-rp holdtime interval

crp-policy adv-acl-number

c-bsr priority priority

c-bsr hash-length hash-length

c-bsr holdtime interval

c-bsr interval interval

bsr-policy basic-acl-number

 

PIM-SM configuration for the SSM model

system-view

multicast routing-enable

int int-type int-number

pim sm

quit

pim

ssm-policy basic-acl-number

 

Downstream neighbor tracking configuration

system-view

pim

hello-option neighbor-tracking

quit

int int-type int-number

pim hello-option neighbor-tracking

 

Adjusting DR election control parameters

system-view

pim

hello-option dr-priority priority

quit

int int-type int-number

pim hello-option dr-priority priority

pim timer dr-switch-delay

 

Join message filtering policy configuration

pim join-policy { asm basic-acl-number | ssm adv-acl-number | adv-acl-number }

 

PIM BFD configuration

system-view

int int-type int-number

pim bfd enable

pim bfd { min-tx-interval tx-value | min-rx-interval rx-value | detect-multiplier multiplier-value }*

 

PIM GR (graceful restart) configuration

system-view

pim

graceful-restart

graceful-restart period period

 

IGMP Snooping basic function configuration

system-view

igmp-snooping enable

vlan vlan-id

l2-multicast forwarding-mode { ip | mac }

igmp-snooping enable

igmp-snooping version version

undo igmp-snooping router-learning

quit

int int-type int-number

igmp-snooping static-router-port vlan { vlan-id1 [ to vlan-id2 ]} &<1-10>

undo igmp-snooping learning vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> |all}

l2-multicast static-group [ source-address source-ip-address ] group-address group-ip-address vlan {vlan-id1 [ to vlan-id2]}&<1-10>

quit

vlan vlan-id

igmp-snooping querier enable

igmp-snooping query-interval query-interval

igmp-snooping robust-count robust-count

igmp-snooping max-response-time max-response-time

igmp-snooping lastmember-queryinterval lastmember-queryinterval

quit

igmp-snooping send-query source-address ip-address

vlan vlan-id

igmp-snooping report-suppress

igmp-snooping require-router-alert

igmp-snooping send-router-alert

igmp-snooping static-group suppress-dynamic-join

 

IGMP Snooping Proxy configuration

system-view

vlan vlan-id

igmp-snooping proxy

quit

int int-type int-number

igmp-snooping proxy-uplink-port vlan vlan-id

 

Configuring IGMP Snooping policies

igmp-snooping group-policy acl-number [ version version-number ] [ default-permit ]

 

Multicast data filtering on an interface

multicast-source-deny { vlan-id1 [ to vlan-id2 ] } & <1-10>

 

Discarding unknown multicast traffic

multicast drop-unknown

 

Dynamic member port aging time configuration

system-view

vlan vlan-id

igmp-snooping query-interval query-interval

igmp-snooping robust-count robust-count

igmp-snooping max-response-time max-response-time

igmp-snooping lastmember-queryinterval lastmember-queryinterval

 

Dynamic router port aging time configuration

igmp-snooping router-aging-time router-aging-time

 

Member port fast leave configuration

igmp-snooping prompt-leave [ group-policy acl-number [ default-permit ] ]

 

Sending Query messages on network topology change

system-view

igmp-snooping send-query enable

igmp-snooping send-query source-address ip-address

 

IGMP Snooping SSM Mapping configuration

system-view

vlan vlan-id

igmp-snooping version 3

igmp-snooping ssm-mapping enable

igmp-snooping ssm-mapping group-address { group-mask | mask-length } source-address

 

User-VLAN-based multicast VLAN (one-to-many) configuration

system-view

igmp-snooping enable

vlan vlan-id

igmp-snooping enable

quit

vlan vlan-id

igmp-snooping enable

multicast-vlan enable

multicast-vlan user-vlan { vlan-id1 [ to vlan-id2 ]}&<1-10>

quit

 

Interface-based multicast VLAN configuration

system-view

igmp-snooping enable

vlan vlan-id

igmp-snooping enable

quit

int int-type int-number

l2-multicast-bind vlan vlanid1 [ to vlanid2 ] mvlan mvlanid

quit

 

Port mirroring configuration

Local port mirroring configuration

system-view

observe-port observe-port-index interface interface-type interface-number

int int-type int-number

port-mirroring to observe-port observe-port-index { both | inbound | outbound }

 

Remote port mirroring configuration

system-view

observe-port observe-port-index interface interface-type interface-number vlan vlan-id

observe-port [observe-port-index ] interface interface-type interface-number destination-ip dest-ip-address source-ip source-ip-address [dscp dscp-value | vlan vlan-id ] *

int int-type int-number

port-mirroring to observe-port observe-port-index { both | inbound | outbound }

 

Local traffic mirroring configuration

system-view

observe-port observe-port-index interface interface-type interface-number

traffic classifier c1

 

traffic behavior behavior-name

mirroring to observe-port observe-port-index

quit

traffic policy policy-name

classifier classifier-name behavior behavior-name

Apply the policy on the interface.

 

Remote traffic mirroring configuration

system-view

observe-port observe-port-index interface interface-type interface-number vlan vlan-id

observe-port [observe-port-index ] interface interface-type interface-number destination-ip dest-ip-address source-ip source-ip-address [dscp dscp-value | vlan vlan-id ] *

traffic classifier c1

 

traffic behavior behavior-name

mirroring to observe-port observe-port-index

quit

traffic policy policy-name

classifier classifier-name behavior behavior-name

Apply the policy on the interface.

 

Local VLAN mirroring configuration

system-view

observe-port observe-port-index interface interface-type interface-number

vlan vlan-id

mirroring to observe-port observe-port-index inbound

 

Remote VLAN mirroring configuration

system-view

observe-port observe-port-index interface interface-type interface-number vlan vlan-id

vlan vlan-id

mirroring to observe-port observe-port-index inbound

 

Local MAC address mirroring configuration

system-view

observe-port observe-port-index interface interface-type interface-number

vlan vlan-id

mac-mirroring mac-address to observe-port observe-port-index inbound 

 

Remote MAC address mirroring configuration

system-view

observe-port observe-port-index interface interface-type interface-number vlan vlan-id

vlan vlan-id

mac-mirroring mac-address to observe-port observe-port-index inbound 

 

MAC-address-based security configuration and management

MAC address entry configuration

system-view

mac-address static mac-address interface-type interface-number vlan vlan-id

mac-address blackhole mac-address [vlan vlan-id | vsi vsi-name ]

mac-address aging-time aging-time

 

Disabling MAC address learning

system-view

int int-type int-number

mac-address learning disable [ action { discard | forward }]

vlan vlan-id

mac-address learning disable

 

Limiting the number of learned MAC addresses

system-view

int int-type int-number

mac-limit maximum max-num

mac-limit alarm { disable | enable }

vlan vlan-id

mac-limit maximum max-num

mac-limit alarm { disable | enable }

 

MAC address table management

display mac-address

display mac-address static

display mac-address dynamic

display mac-address blackhole

display mac-address aging-time

display mac-address summary

display mac-address total-number

display mac-limit

 

Secure dynamic MAC configuration

system-view

int int-type int-number

port-security enable

port-security max-mac-num max-number

port-security protect-action { protect | restrict | shutdown }

port-security aging-time time [ type { absolute | inactivity }]

 

Sticky MAC configuration

system-view

int int-type int-number

port-security enable

port-security mac-address sticky

port-security max-mac-num max-number

port-security protect-action { protect | restrict | shutdown }

port-security mac-address sticky mac-address vlan vlan-id
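The secure dynamic MAC and sticky MAC commands combined on one access port, as an added example that is not part of the original page: the port learns at most two MAC addresses, keeps them across reboots as sticky entries, and drops and logs frames from any further source address instead of shutting the port down. The interface, VLAN 10, the limit of 2 and the MAC address 00e0-fc12-3456 are assumed values.

```text
# Added example (not from the original page). Assumed values: interface
# GigabitEthernet0/0/3, VLAN 10, max-mac-num 2, MAC 00e0-fc12-3456.
system-view
interface GigabitEthernet0/0/3
 port-security enable
 # Convert learned addresses to sticky entries that survive a reboot
 port-security mac-address sticky
 # A printer plus the workstation behind it: two addresses at most
 port-security max-mac-num 2
 # restrict: drop violating frames and raise an alarm; protect would
 # drop silently, shutdown would error-down the port
 port-security protect-action restrict
 # Pin the known device explicitly rather than waiting for it to be learned
 port-security mac-address sticky 00e0-fc12-3456 vlan 10
quit
# Confirm the sticky entry is present in the MAC table
display mac-address
```

`restrict` is usually the right trade-off on user-facing ports: `protect` gives no signal that a violation happened, and `shutdown` lets anyone who plugs in a second device take the port offline for its legitimate user.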

 

MAC address anti-flapping configuration

system-view

int int-type int-number

mac-learning priority priority-id

quit

undo mac-learning priority priority-id allow-flapping

 

MAC address flapping detection configuration

system-view

vlan vlan-id

loop-detect eth-loop { [ block-mac ] block-time block-time retry-times retry-times | alarm-only }

return

display loop-detect eth-loop [ vlan vlan-id ]

mac-address flapping detection

mac-address flapping detection exclude vlan { vlan-id1 [ to vlan-id2]}&<1-10>

mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } security-level { high | middle | low }

mac-address flapping aging-time aging-time

int int-type int-number

mac-address flapping action { quit-vlan | error-down}

quit

display mac-address flapping

display mac-address flapping record [ begin yyyy/mm/dd hh:mm:ss]

 

MAC-spoofing-defend configuration

system-view

mac-spoofing-defend enable

int int-type int-number

mac-spoofing-defend enable

Discarding packets with an all-zero MAC address

system-view

drop illegal-mac enable

drop illegal-mac alarm

 

MAC-triggered ARP update configuration

system-view

mac-address update arp

 

Port bridge configuration

int int-type int-number

port bridge enable

 

ARP security configuration and management

Source-MAC-based ARP packet rate limiting

system-view

arp speed-limit source-mac maximum maximum

arp speed-limit source-mac mac-address maximum maximum

 

Source-IP-based ARP packet rate limiting

system-view

arp speed-limit source-ip maximum maximum

arp speed-limit source-ip ip-address maximum maximum

 

Global, VLAN-based or interface-based ARP packet rate limiting

system-view

int int-type int-number (or, for a VLAN: vlan vlan-id)

arp anti-attack rate-limit enable

arp anti-attack rate-limit packet-number [ interval-value ]

arp anti-attack rate-limit packet-number [interval-value | block timer timer ]*

arp anti-attack rate-limit alarm enable

arp anti-attack rate-limit alarm threshold threshold

 

ARP Miss message source suppression configuration

system-view

arp-miss speed-limit source-ip maximum maximum

arp-miss speed-limit source-ip ip-address [ mask mask ] maximum maximum [ none-block | block timer timer ]

 

Global, VLAN-based or interface-based ARP Miss message rate limiting

system-view

int int-type int-number (or, for a VLAN: vlan vlan-id)

arp-miss anti-attack rate-limit enable

arp-miss anti-attack rate-limit packet-number [ interval-value ]

arp-miss anti-attack rate-limit alarm enable

arp-miss anti-attack rate-limit alarm threshold threshold

 

Temporary ARP entry aging time configuration

system-view

int vlanif int-number

arp-fake expire-time expire-time

 

Strict ARP learning configuration

system-view

arp learning strict

int vlanif int-number

arp learning strict { force-enable | force-disable | trust }

 

Interface-based ARP entry limit configuration

system-view

int int-type int-number

arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum

quit

int vlanif int-number

arp-limit maximum maximum

quit

int int-type int-number [.subnumber ]

arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum

 

Gratuitous ARP packet discarding configuration

system-view

int vlanif int-number

arp anti-attack gratuitous-arp drop

 

ARP entry fixing configuration

system-view

int vlanif int-number

arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

 

Dynamic ARP inspection (DAI) configuration

system-view

int int-type int-number

arp anti-attack check user-bind enable

arp anti-attack check user-bind check-item { ip-address | mac-address | vlan }

arp anti-attack check user-bind check-item { ip-address | mac-address | interface }*

arp anti-attack check user-bind alarm enable

arp anti-attack check user-bind alarm threshold threshold
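Dynamic ARP inspection only works when there is a binding table to check against, which on these switches comes from DHCP snooping (the page lists `dhcp snooping enable` under "DHCP-triggered ARP learning"). The following is an added example that is not part of the original page; it combines DHCP snooping with user-bind checking, packet validity checking and ARP rate limiting on one access port. The interface names, VLAN 10, the alarm threshold 50 and the rate of 50 packets are assumed values, and the `dhcp snooping enable` in VLAN view and `dhcp snooping trusted` on the uplink are assumed commands that the page does not list.

```text
# Added example (not from the original page). Assumed values: VLAN 10,
# uplink GigabitEthernet0/0/24, access port GigabitEthernet0/0/5,
# alarm threshold 50, ARP rate limit 50 packets per interval.
system-view
# 1. Build the binding table: snoop DHCP so each client gets an
#    IP/MAC/VLAN/interface binding the ARP check can consult
dhcp snooping enable
vlan 10
 dhcp snooping enable
quit
interface GigabitEthernet0/0/24
 # Uplink toward the DHCP server: offers are only accepted from here
 dhcp snooping trusted
quit
# 2. Global ARP sanity checks: drop ARP packets whose sender MAC in the
#    ARP payload disagrees with the Ethernet source MAC
arp anti-attack packet-check sender-mac
# 3. Per-port DAI: ARP packets on the access port must match a binding
interface GigabitEthernet0/0/5
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
 arp anti-attack check user-bind alarm threshold 50
 # Cap ARP packets per interval so a flooding host cannot exhaust the CPU
 arp anti-attack rate-limit enable
 arp anti-attack rate-limit 50
quit
```

The order matters operationally: enabling the user-bind check before the snooping table has been populated (for example on a switch whose clients already hold leases) will drop legitimate ARP until those clients renew, so stage the change or wait for the binding table to fill.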

 

ARP gateway anti-collision configuration

arp anti-attack gateway-duplicate enable

 

Sending gratuitous ARP packets

system-view

int int-type int-number

arp gratuitous-arp send enable

arp gratuitous-arp send interval interval-time

 

MAC address consistency check in ARP packets

system-view

int int-type int-number

arp validate { source-mac | destination-mac }*

 

ARP packet validity check configuration

arp anti-attack packet-check { ip | dst-mac | sender-mac }*

 

DHCP-triggered ARP learning configuration

dhcp snooping enable

 

 

AAA configuration and management

Configure AAA schemes -> configure local users -> configure a service scheme -> configure the AAA scheme of a domain

AAA scheme configuration for local authentication and authorization

system-view

aaa

authentication-scheme authentication-scheme-name

authentication-mode local

authentication-super { hwtacacs | radius | super }* [none]

quit

domainname-parse-direction { left-to-right | right-to-left}

authorization-scheme authorization-scheme-name

authorization-mode local [none]

quit

authorization-modify mode { modify | overlay }

 

Local user configuration for local authentication and authorization

system-view

aaa

local-user user-name password cipher password

local-user user-name privilege level level

local-user user-name user-group user-group-name

local-user user-name idle-timeout minutes [seconds]

local-user user-name service-type { 8021x | bind | ftp | http| ppp | ssh | telnet | terminal | web | x25-pad }*

local-user user-name ftp-directory directory

local-user user-name state { active | block }

local-user user-name access-limit max-number

local-aaa-user wrong-password retry-interval retry-interval retry-time retry-time block-time block-time

quit

local-user change-password

 

Service scheme configuration for local authentication and authorization

system-view

aaa

service-scheme service-scheme-name

admin-user privilege level level

dhcp-server group group-name

ip-pool pool-name [ move-to new-position ]

dns ip-address [ secondary]

policy-route next-hop-ip-address [ vlan-id ]

 

Configuring the AAA scheme of a domain

Domain AAA configuration for local authentication and authorization

system-view

aaa

domain domain-name

authentication-scheme authentication-scheme-name

authorization-scheme authorization-scheme-name

user-group group-name

service-scheme service-scheme-name

state { active | block }

quit

domain-name-delimiter delimiter
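The local authentication and authorization chain (scheme, local user, domain) carried through for one administrative account, as an added example that is not part of the original page. The scheme names auth_local/author_local, the user name admin01, the idle timeout, retry and lock-out values are assumed; the password is a constructed placeholder to be replaced. `default_admin` is the switch's default administrative domain.

```text
# Added example (not from the original page). Assumed values: schemes
# auth_local / author_local, user admin01, idle-timeout 10 min,
# access-limit 2, lock-out after 3 wrong passwords within 5 min for 30 min.
system-view
aaa
 # Authentication and authorization both resolved from the local database
 authentication-scheme auth_local
  authentication-mode local
 quit
 authorization-scheme author_local
  authorization-mode local
 quit
 # Local administrative user; the password below is a placeholder
 local-user admin01 password cipher CHANGE-ME-placeholder
 local-user admin01 privilege level 15
 # Only SSH and console access, no telnet or ftp
 local-user admin01 service-type ssh terminal
 local-user admin01 idle-timeout 10
 local-user admin01 access-limit 2
 local-user admin01 state active
 # Brute-force protection: lock the account after repeated failures
 local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 30
 # Bind the schemes in the domain that admin logins resolve to
 domain default_admin
  authentication-scheme auth_local
  authorization-scheme author_local
  state active
 quit
quit
```

Restricting `service-type` to what the account actually needs is the least-privilege lever here: a user entry that also carries `telnet` or `ftp` is reachable over those protocols even if nobody intends it, so list only the services the operator will use.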

 

RADIUS authentication, authorization and accounting configuration

Configure AAA schemes -> configure a RADIUS server template -> configure a service scheme -> configure the AAA scheme of a domain

AAA scheme configuration for RADIUS authentication and accounting

system-view

aaa

authentication-scheme authentication-scheme-name

authentication-mode radius [none]

authentication-super { hwtacacs | radius | super }* [none ]

quit

domainname-parse-direction { left-to-right | right-to-left }

accounting-scheme accounting-scheme-name

accounting-mode radius

accounting start-fail { online | offline }

accounting realtime interval

accounting interim-fail [ max-times times ] { online | offline }

RADIUS server template configuration

system-view

radius-server authorization ip-address [ vpn-instance vpn-instance-name ] { server-group group-name | shared-key { cipher | simple } key-string } * [ ack-reserved-interval interval ]

radius-server template template-name

radius-server authentication ip-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address } ]*

radius-server authentication ip-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address } ]* secondary

radius-server accounting ip-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address } ]*

radius-server accounting ip-address port [ vpn-instance vpn-instance-name | source { loopback interface-number | ip-address ip-address } ]* secondary

radius-server shared-key [ cipher | simple ] key-string

radius-server user-name domain-include

radius-server traffic-unit { byte | kbyte | mbyte | gbyte }

radius-server { retransmit retry-times | timeout time-value }*

radius-server nas-port-format { new | old }

radius-server nas-port-id-format { new | old }

radius-attribute nas-ip ip-address

radius-server accounting-stop-packet resend [ resend-times ]

radius-server dead-time dead-time

return

test-aaa user-name user-password radius-template template-name [ chap | pap ]

 

HWTACACS authentication, authorization and accounting configuration

Configure AAA schemes -> configure an HWTACACS server template -> configure a service scheme -> configure the AAA scheme of a domain

HWTACACS AAA scheme configuration

system-view

aaa

authentication-scheme authentication-scheme-name

authentication-mode hwtacacs [none]

authentication-super { hwtacacs | radius | super }* [none ]

quit

domainname-parse-direction { left-to-right | right-to-left }

quit

aaa-authen-bypass enable time time-value

aaa

authorization-scheme authorization-scheme-name

authorization-mode { hwtacacs | local }* [none]

authorization-cmd privilege-level hwtacacs [ local ] [ none ]

quit

quit

aaa-author-bypass enable time time-value

aaa-author-cmd-bypass enable time time-value

aaa

accounting-scheme accounting-scheme-name

accounting-mode hwtacacs

accounting start-fail { online | offline }

accounting realtime interval

accounting interim-fail [ max-times times ] { online | offline }

 

HWTACACS server template configuration

system-view

hwtacacs enable

hwtacacs-server template template-name

hwtacacs-server authentication ip-address [port ] [ public-net | -instance -instance-name ]

hwtacacs-server authentication ip-address [ port ] [ public-net | -instance -instance-name] secondary

hwtacacs-server authorization ip-address [ port ] [ public-net | -instance -instance-name]

hwtacacs-server authorization ip-address [ port ] [ public-net | -instance -instance-name] secondary

hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ]

hwtacacs-server accounting ip-address [ port ] [ public-net | vpn-instance vpn-instance-name ] secondary

hwtacacs-server source-ip ip-address

hwtacacs-server shared-key [ cipher | simple ] key-string

hwtacacs-server user-name domain-include

hwtacacs-server traffic-unit { byte | kbyte | mbyte | gbyte }

hwtacacs-server timer response-timeout value

hwtacacs-server timer quiet value

quit

hwtacacs-server accounting-stop-packet resend { disable | enable number }

return

hwtacacs-user change-password hwtacacs-server template-name
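A complete HWTACACS deployment assembled from the commands above, added here as an example and not taken from the original page. The server addresses, source address, key, scheme and template names are assumed sample values; the final domain-view bindings are the "bind to the domain" step named in the procedure and are not listed in this section.

```text
# Added example (sample values, not the page's own configuration).
# Two TACACS+ servers, command authorization at level 15, and no "none"
# fallback, so a user who cannot be authenticated is refused rather than
# admitted when both servers are unreachable.
system-view
 hwtacacs enable
 hwtacacs-server template tac-admin
  hwtacacs-server authentication 10.1.1.10 49
  hwtacacs-server authentication 10.1.1.11 49 secondary
  hwtacacs-server authorization 10.1.1.10 49
  hwtacacs-server authorization 10.1.1.11 49 secondary
  hwtacacs-server accounting 10.1.1.10 49
  hwtacacs-server accounting 10.1.1.11 49 secondary
  hwtacacs-server source-ip 10.1.1.1
  hwtacacs-server shared-key cipher Sample-Key-123
  hwtacacs-server user-name domain-include
  hwtacacs-server timer response-timeout 5
  hwtacacs-server timer quiet 5
  quit
 hwtacacs-server accounting-stop-packet resend enable 3
 aaa
  authentication-scheme sch-tac-authen
   authentication-mode hwtacacs
   quit
  authorization-scheme sch-tac-author
   authorization-mode hwtacacs local
   authorization-cmd 15 hwtacacs local
   quit
  accounting-scheme sch-tac-acct
   accounting-mode hwtacacs
   accounting start-fail online
   accounting realtime 15
   quit
  # Domain-view binding (assumed domain name); these commands are from the
  # domain view and are not part of the list above.
  domain admin-domain
   authentication-scheme sch-tac-authen
   authorization-scheme sch-tac-author
   accounting-scheme sch-tac-acct
   hwtacacs-server tac-admin
   quit
  quit
```

Keeping "local" as the only fallback in the authorization scheme, and omitting "none" everywhere, means a server outage degrades to locally defined accounts instead of unauthenticated access; verify the result with the test-aaa command before closing the console session used to configure it.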

 

 

NAC configuration management

802.1x authentication configuration

Enabling 802.1x authentication

system-view

dot1x enable

dot1x enable interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

dot1x enable

 

Port authorization state configuration

system-view

dot1x port-control { auto | authorized-force | unauthorized-force } interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

dot1x port-control { auto | authorized-force | unauthorized-force }

 

Port access control method configuration

system-view

dot1x port-method { mac | port } interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

dot1x port-method { mac | port }

 

User authentication method configuration

system-view

dot1x authentication-method { chap | eap | pap }

 

MAC bypass authentication configuration

system-view

dot1x mac-bypass interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

dot1x mac-bypass mac-auth-first interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

dot1x mac-bypass

dot1x mac-bypass mac-auth-first

 

Configuring the maximum number of 802.1x users allowed on a port

system-view

dot1x max-user user-number interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

dot1x max-user user-number

 

Configuring 802.1x authentication timers

dot1x timer { client-timeout client-timeout-value | server-timeout server-timeout-value | tx-period tx-period-value }

 

Configuring the 802.1x quiet function

system-view

dot1x quiet-period

dot1x quiet-times fail-times

dot1x timer quiet-period quiet-period-value

 

Configuring reauthentication of 802.1x users

system-view

dot1x reauthenticate interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

dot1x reauthenticate

quit

dot1x timer reauthenticate-period reauthenticate-period

dot1x reauthenticate mac-address mac-address

 

802.1x online user handshake configuration

system-view

dot1x handshake

dot1x handshake packet-type { request-identity | srp-sha1-part2 }

dot1x retry max-retry-value

dot1x timer handshake-period handshake-period-value

 

Guest VLAN configuration

system-view

authentication guest-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

authentication guest-vlan vlan-id

 

Restrict VLAN configuration

system-view

authentication restrict-vlan vlan-id interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

authentication restrict-vlan vlan-id

 

Critical VLAN configuration

system-view

authentication critical-vlan vlan-id  interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

authentication critical eapol-success interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

authentication max-reauth-req times interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

authentication critical-vlan vlan-id

authentication critical eapol-success

authentication max-reauth-req times
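An access-port 802.1x configuration that combines the port-level commands from the sections above (enable, port-control, port-method, MAC bypass, user limit, guest/restrict/critical VLANs, reauthentication and the quiet function), added here as an example and not taken from the original page. The interface name, VLAN IDs and timer values are assumed sample values, and the VLANs are assumed to exist already.

```text
# Added example (sample values, not the page's own configuration).
# Global 802.1x settings: EAP relay, hourly reauthentication, and a quiet
# period so repeated failures from one supplicant are throttled.
system-view
 dot1x enable
 dot1x authentication-method eap
 dot1x timer reauthenticate-period 3600
 dot1x quiet-period
 dot1x quiet-times 3
 dot1x timer quiet-period 60
 dot1x timer client-timeout 30 server-timeout 30 tx-period 30
# Per-port settings. "auto" plus "mac" gives per-MAC authorization, so a
# hub or phone behind the port cannot piggyback on one authenticated host;
# "authorized-force" would disable authentication on the port entirely.
 interface GigabitEthernet0/0/1
  dot1x enable
  dot1x port-control auto
  dot1x port-method mac
  dot1x max-user 8
  dot1x mac-bypass
  dot1x reauthenticate
  authentication guest-vlan 100
  authentication restrict-vlan 200
  authentication critical-vlan 300
  authentication max-reauth-req 3
  quit
```

Guest VLAN 100 receives hosts with no supplicant, restrict VLAN 200 receives hosts that failed authentication, and critical VLAN 300 receives hosts only while the RADIUS servers are unreachable; each of these VLANs should carry only the limited access the design intends, since traffic in them is not authenticated.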

 

802.1x port open function configuration

system-view

authentication open interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

authentication open

 

Allowing DHCP packets to trigger 802.1x authentication

dot1x dhcp-trigger

 

Configuring unicast packets to trigger 802.1x authentication

system-view

dot1x unicast-trigger interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

dot1x unicast-trigger

 

Configuring 802.1x fast deployment

system-view

dot1x free-ip ip-address { mask-length | mask-address }

dot1x url url-string

 

User group configuration

system-view

user-group group-name

acl-id acl-number

user-vlan vlan-id

remark { 8021p 8021p-value | dscp dscp-value }*

quit

user-group group-name enable

 

MAC authentication configuration management

Enabling MAC authentication

system-view

mac-authen

mac-authen interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

mac-authen

 

Configuring the username format

mac-authen username { fixed username [ password cipher password ] | macaddress [ format {with-hyphen | without-hyphen}]}

 

Configuring the authentication domain for MAC users

system-view

mac-authen domain isp-name [ mac-address mac-address mask mask ]

int int-type int-number

mac-authen domain isp-name

 

Configuring the maximum number of MAC authentication users allowed on a port

system-view

mac-authen max-user user-number interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

mac-authen max-user user-number

 

Configuring MAC authentication timers

mac-authen timer { guest-vlan reauthenticate-period interval | offline-detect offline-detect-value | quiet-period quiet-value | server-timeout server-timeout-value }

 

Configuring reauthentication of MAC authentication users

system-view

mac-authen reauthenticate interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

mac-authen reauthenticate

quit

mac-authen timer reauthenticate-period reauthenticate-period

mac-authen reauthenticate mac-address mac-address

 

Portal authentication configuration management

Portal server parameter configuration

system-view

web-auth-server server-name

server-ip server-ip-address &<1-10>

url url-string

portal local-server ip ip-address

 

Enabling Portal authentication

system-view

interface vlanif vlan-id

web-auth-server server-name { direct | layer3 }

portal local-server https ssl-policy policy-name [port port-num ]

portal local-server enable interface { interface-type interface-number1 [ to interface-number2 ]} &<1-10>

int int-type int-number

portal local-server enable

 

Configuring parameters for information exchange with the Portal server

system-view

web-auth-server version v2 [v1]

web-auth-server listening-port port-number

web-auth-server reply-message

web-auth-server server-name

source-ip ip-address

port port-number [all ]

shared-key { cipher | simple }  key-string

 

Configuring access control parameters for Portal authentication users

system-view

portal free-rule rule-id { destination { any | ip { ip-address mask { mask-length | ip-mask } | any } } | source { any | interface interface-type interface-number | ip { ip-address mask { mask-length | ip-mask } | any } | vlan vlan-id }* }*

portal free-rule rule-id source ip ip-address mask { mask-length | ip-mask } [ mac mac-address ] [ interface interface-type interface-number ] destination user-group group-name

portal max-user user-number

interface vlanif vlan-id

portal auth-network network-address {mask-length | mask-address }

portal domain domain-name

portal local-server authentication-method { chap | pap }

 

Configuring the offline detection period for Portal authentication users

portal offline-detect time-length

 

Configuring Portal server detection and escape (survival when the server is down)

system-view

web-auth-server server-name

server-detect { interval interval-period | max-times times | critical-num critical-num | action { log | trap | permit-all }*}*

 

Configuring Portal authentication user information synchronization

system-view

web-auth-server server-name

user-sync [ interval interval-period | max-times times ]*

 

Configuring static users for Portal authentication

system-view

static-user start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ] [ domain-name domain-name | interface interface-type interface-number [ detect ] | mac-address mac-address | vlan vlan-id ]*

static-user username format-include { ip-address | mac-address | system-name }

static-user password cipher password

 
