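Contents
1. Routine system maintenance
2. Configuration file operations
3. Configuring FTP and TFTP
4. VLAN configuration
5. Basic STP configuration
6. Basic 802.1X configuration
7. Basic port isolation configuration
8. Configuring static binding entries
9. Static aggregation configuration
10. Configuring static and dynamic domain name resolution
11. Basic DHCP server configuration
12. Basic DHCP relay configuration
13. Viewing the device routing table
14. Inter-VLAN routing (router on a stick)
15. Static route configuration commands
16. Basic RIP configuration
17. RIPv2 configuration tasks
18. Basic OSPF configuration commands
19. Access control lists
20. Configuring basic ACLs
21. Configuring advanced ACLs
22. Network address translation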
--------------------------------------------------------------
1. Routine system maintenance
1.1 View the command history
display history-command
1.2 Configure the device name
[H3C]sysname ?
TEXT Host name (1 to 30 characters)
1.3 Configure the system time
<H3C>clock datetime ?
TIME Specify the time (HH:MM:SS)
1.4 Display the system time
<H3C>display clock
1.5 Configure welcome/prompt banners
[H3C]header ?
incoming Specify the banner of the terminal user-interface
legal Specify the legal banner
login Specify the login authentication banner
motd Specify the banner of today
shell Specify the session banner
1.6 View version information
<H3C>display version
1.7 View the current configuration
<H3C>display current-configuration
1.8 Display interface information
<H3C>display interface
1.9 Display interface IP status and configuration
<H3C>display ip interface brief
1.10 Display system operating statistics
<H3C>display diagnostic-information
1.11 Specify the application file to load at the next startup
<H3C>boot-loader file file-url
1.12 Display the application file to load at the next startup
<H3C>display boot-loader
1.13 Reboot the system
<H3C>reboot
1.14 Enable scheduled reboot and specify the exact reboot time
<H3C>schedule reboot at hh:mm [ date ]
1.15 Enable scheduled reboot and specify the delay before rebooting
<H3C>schedule reboot delay { hh:mm | mm }
1.16 Display the device's scheduled reboot time
<H3C>display schedule reboot
1.17 Configure Telnet
(1) Configure the IP address of the port connected to the network
[H3C-ethernet0/0]ip address ip-address { mask | mask-length }
(2) Enable the Telnet server function
[H3C]telnet server enable
(3) Enter VTY user interface view and set the authentication mode
[H3C]user-interface vty first-num2 [ last-num2 ]
[H3C-ui-vty0]authentication-mode { none | password | scheme }
(4) Set the login password and user level
[H3C-ui-vty0]set authentication password { cipher | simple } password
[H3C-ui-vty0]user privilege level level
(5) Create a user, configure the password, set the service type, and set the user level
[H3C]local-user username
[H3C-luser-xxx] password { cipher | simple } password
[H3C-luser-xxx] service-type telnet
[H3C-luser-xxx] level level
Telnet configuration example
<H3C>system-view
[H3C]telnet server enable
[H3C]interface ethernet0/0
[H3C-ethernet0/0]ip address 192.168.0.254 24
[H3C]user-interface vty 0
[H3C-ui-vty0]set authentication password cipher 123456
[H3C-ui-vty0]user privilege level 2
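The commands in 1.17 offer weaker and stronger options side by side (authentication-mode none, password simple), and the same choice recurs in sections 3, 6 and 17.3. The following Python audit is an added example, not part of the original page or of any H3C tool; it flags the weaker options in a saved configuration and reports the view each one sits in. The sample configuration is constructed, and its layout ('#' between sections, commands inside a view indented) is an assumption.

```python
import re

# Weaker options of commands listed on this page, with why each matters.
CHECKS = [
    (re.compile(r"^telnet server enable$"),
     "Telnet enabled: logins and sessions cross the network in cleartext"),
    (re.compile(r"^ftp server enable$"),
     "FTP enabled: credentials and files cross the network in cleartext"),
    (re.compile(r"^authentication-mode none$"),
     "user interface accepts logins without authentication"),
    (re.compile(r"\bpassword simple\b"),
     "password kept in plaintext in the configuration (simple, not cipher)"),
    (re.compile(r"^rip authentication-mode simple\b"),
     "RIPv2 simple authentication sends the password in cleartext"),
]

# Constructed sample, laid out the way this example assumes a saved
# configuration looks: '#' between sections, view commands indented.
SAMPLE_CONFIG = """\
#
 telnet server enable
#
local-user localuser
 password simple hello
#
interface Ethernet1/0
 rip authentication-mode simple hello
#
user-interface vty 0 4
 authentication-mode none
"""

def audit(config_text):
    """Return [(line_no, view, finding)] for each weak setting found."""
    findings, view = [], "system"
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        cmd = raw.strip()
        if cmd in ("", "#"):          # '#' (or a blank line) ends the view
            view = "system"
            continue
        if not raw[0].isspace():      # an unindented line opens a new view
            view = cmd
        for pattern, finding in CHECKS:
            if pattern.search(cmd):
                findings.append((line_no, view, finding))
    return findings

if __name__ == "__main__":
    for line_no, view, finding in audit(SAMPLE_CONFIG):
        print(f"line {line_no} [{view}]: {finding}")
```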
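2. Configuration file operations
2.1 Save the configuration
<H3C>save
2.2 Erase the configuration
<H3C>reset saved-configuration
2.3 Set the configuration file for the next startup
<H3C>startup saved-configuration filename
2.4 Back up/restore the next-startup configuration file
<H3C>backup startup-configuration to dest-addr [ filename ]
<H3C>restore startup-configuration from src-addr filename
2.5 View the saved configuration file
<H3C>display saved-configuration
2.6 View the system startup configuration files
<H3C>display startup
2.7 View the configuration currently in effect
<H3C>display current-configuration
2.8 View the configuration in effect in the current view
[H3C-ui-vty0]display this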
3. Configuring FTP and TFTP
3.1 Enable the FTP server function
[H3C]ftp server enable
3.2 Create a user
[H3C]local-user username
3.3 Set the service type and login password
[H3C-luser-xxx]service-type ftp
[H3C-luser-xxx]password { cipher | simple } password
3.4 FTP operation example
C:\>ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): h3c
331 Password required for h3c.
Password:
230 User logged in.
ftp> put config.cfg
200 Port command okay.
150 Opening ASCII mode data connection for config.cfg.
226 Transfer complete.
ftp: 发送 1329 字节,用时 0.00Seconds 1329000.00Kbytes/sec.
ftp>
3.5 Use the TFTP service on the device
tftp server-address { get | put | sget } source-filename [ destination-filename ] [ source { interface interface-type interface-number | ip source-ip-address } ]
When uploading or downloading, there may be several reachable routes to the TFTP server; the user can configure the source address of the client's TFTP packets.
When the device acts as a TFTP client, it can upload its own files to the TFTP server and download files from the TFTP server to the local device.
Downloads are of two kinds: normal download (get) and secure download (sget).
4. VLAN configuration
4.1 Create a VLAN and enter VLAN view
[Switch] vlan vlan-id
4.2 Add the specified ports to the current VLAN
[Switch-vlan10] port interface-list
4.3 Set the port link type to Trunk
[Switch-Ethernet1/0/1] port link-type trunk
4.4 Allow the specified VLANs through the current Trunk port
[Switch-Ethernet1/0/1] port trunk permit vlan { vlan-id-list | all }
4.5 Set the default VLAN of the Trunk port
[Switch-Ethernet1/0/1] port trunk pvid vlan vlan-id
4.6 Set the port link type to Hybrid
[Switch-Ethernet1/0/1] port link-type hybrid
4.7 Allow the specified VLANs through the current Hybrid port
[Switch-Ethernet1/0/1] port hybrid vlan vlan-id-list { tagged | untagged }
4.8 Set the default VLAN of the Hybrid port
[Switch-Ethernet1/0/1] port hybrid pvid vlan vlan-id
4.9 VLAN display and maintenance
<Switch>display vlan
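5. Basic STP configuration
5.1 Enable STP on the device
[Switch] stp enable
5.2 Disable STP on a port
[Switch-Ethernet1/0/1] stp disable
5.3 Configure the STP working mode
[Switch] stp mode { stp | rstp | mstp }
5.4 Optional STP configuration
Configure the priority of the current device
[Switch] stp [ instance instance-id ] priority priority
5.5 Configure a port as an edge port
[Switch-Ethernet1/0/1] stp edged-port enable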
6. Basic 802.1X configuration
6.1 Enable 802.1X globally
[Switch] dot1x
6.2 Enable 802.1X on ports
[Switch] dot1x interface interface-list
6.3 Add a local access user and set its parameters
[Switch] local-user user-name
[Switch-luser-localuser] service-type lan-access
[Switch-luser-localuser] password { cipher | simple } password
6.4 Typical 802.1X configuration example
[SWA]dot1x
[SWA]dot1x interface ethernet1/0/1
[SWA]local-user localuser
[SWA-luser-localuser]password simple hello
[SWA-luser-localuser]service-type lan-access
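7. Basic port isolation configuration
7.1 Add the specified port to the isolation group as an ordinary port of the group
[Switch-Ethernet1/0/1] port-isolate enable
7.2 Add the specified port to the isolation group as the uplink port of the group
[Switch-Ethernet1/0/2] port-isolate uplink-port
8. Configuring static binding entries
[Switch-Ethernet1/0/1] user-bind ip-address ip-address [ mac-address mac-address ]
9. Static aggregation configuration
9.1 Create an aggregate interface
[Switch] interface bridge-aggregation interface-number
9.2 Add an Ethernet port to the aggregation group
[Switch-Ethernet1/0/1] port link-aggregation group number
9.3 Link aggregation display and maintenance
<Switch>display link-aggregation summary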
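10. Configuring static and dynamic domain name resolution
10.1 Configure the DNS proxy
Enable the DNS proxy function
[Router] dns proxy enable
10.2 Specify a domain name server
[Router] dns server ip-address
10.3 Display the static domain name resolution table
[Router] display ip host
10.4 Display domain name server information
[Router] display dns server [ dynamic ]
10.5 Display the dynamic domain name cache
[Router] display dns dynamic-host
10.6 Display DNS proxy information
[Router] display dns proxy table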
11. Basic DHCP server configuration
11.1 Enable DHCP
[Router] dhcp enable
11.2 Create a DHCP address pool
[Router] dhcp server ip-pool pool-name
11.3 Configure the IP address range for dynamic allocation
[Router-dhcp-pool-0] network network-address [ mask-length | mask mask ]
11.4 Configure the gateway address assigned to DHCP clients
[Router-dhcp-pool-0] gateway-list ip-address
11.5 Configure the DNS server address assigned to DHCP clients
[Router-dhcp-pool-0] dns-list ip-address
11.6 Configure the IP addresses in the DHCP address pool that are excluded from automatic allocation
[Router] dhcp server forbidden-ip low-ip-address [ high-ip-address ]
11.7 Configure the lease duration of dynamically allocated IP addresses
[Router-dhcp-pool-0] expired { day day [ hour hour [ minute minute ] ] | unlimited }
11.8 Basic DHCP server configuration example
[Router] dhcp enable
[Router] dhcp server forbidden-ip 192.168.1.10
[Router] dhcp server forbidden-ip 192.168.1.254
[Router] dhcp server ip-pool 0
[Router-dhcp-pool-0] network 192.168.1.0 mask 255.255.255.0
[Router-dhcp-pool-0] gateway-list 192.168.1.254
[Router-dhcp-pool-0] dns-list 192.168.1.10
[Router-dhcp-pool-0] expired day 5
11.9 Display the available addresses in the DHCP address pool
[Router] display dhcp server free-ip
11.10 Display DHCP server statistics
[Router] display dhcp server statistics
11.11 Display the IP addresses in the DHCP address pool that are excluded from automatic allocation
[Router] display dhcp server forbidden-ip
12. Basic DHCP relay configuration
12.1 Enable DHCP
[Router] dhcp enable
12.2 Configure the IP address of a DHCP server in a DHCP server group
[Router] dhcp relay server-group group-id ip ip-address
12.3 Configure the interface to work in DHCP relay mode
[Router-Ethernet1/1] dhcp select relay
12.4 Associate the interface with a DHCP server group
[Router-Ethernet1/1] dhcp relay server-select group-id
12.5 DHCP relay configuration example
[Router] dhcp enable
[Router] dhcp relay server-group 1 ip 192.168.1.10
[Router] interface ethernet 1/1
[Router-Ethernet1/1] dhcp select relay
[Router-Ethernet1/1] dhcp relay server-select 1
12.6 Display the DHCP server group associated with an interface
[Router] display dhcp relay { all | interface interface-type interface-number }
12.7 Display the IP addresses of the servers in a DHCP server group
[Router] display dhcp relay server-group { group-id | all }
12.8 Display DHCP relay packet statistics
[Router] display dhcp relay statistics [ server-group { group-id | all } ]
13. Viewing the device routing table
13.1 View summary information of the IP routing table
[Router] display ip routing-table
13.2 View the routes that match a specified destination address
[Router] display ip routing-table ip-address [ mask-length | mask ]
13.3 View routing table statistics
[Router] display ip routing-table statistics
14. Inter-VLAN routing (router on a stick)
Implement inter-VLAN routing with 802.1Q and subinterfaces
[RTA-GigabitEthernet0/0]interface GigabitEthernet0/0.1
[RTA-GigabitEthernet0/0.1]ip address 10.1.1.1 255.255.255.0
[RTA-GigabitEthernet0/0.1]interface GigabitEthernet0/0.2
[RTA-GigabitEthernet0/0.2]vlan-type dot1q vid 2
[RTA-GigabitEthernet0/0.2]ip address 10.1.2.1 255.255.255.0
[RTA-GigabitEthernet0/0.2]interface GigabitEthernet0/0.3
[RTA-GigabitEthernet0/0.3]vlan-type dot1q vid 3
[RTA-GigabitEthernet0/0.3]ip address 10.1.3.1 255.255.255.0
15. Static route configuration commands
[Router]ip route-static dest-address { mask | mask-length } {gateway-address | interface-type interface-name } [ preference preference-value ]
Configuration notes:
interface-type interface-name may be specified only when the interface the next hop belongs to is a point-to-point interface; otherwise gateway-address must be specified.
A route whose destination IP address and mask are both 0.0.0.0 is the default route.
16. Basic RIP configuration
16.1 Create a RIP process and enter RIP view
[Router] rip [ process-id ]
16.2 Enable RIP on the interfaces of a specified network segment
[Router-rip-1] network network-address
16.3 Configure an interface to work in silent state
[Router-rip-1] silent-interface { all | interface-type interface-number }
16.4 Enable RIP split horizon
[Router-Ethernet1/0] rip split-horizon
16.5 Enable RIP poison reverse
[Router-Ethernet1/0] rip poison-reverse
17. RIPv2 configuration tasks
17.1 Specify the global RIP version
[Router-rip-1] version { 1 | 2 }
17.2 Disable RIPv2 automatic route summarization
[Router-rip-1] undo summary
17.3 Configure authentication of RIPv2 packets
[Router-Ethernet1/0] rip authentication-mode { md5 { rfc2082 key-string key-id | rfc2453 key-string } | simple password }
17.4 Display the current RIP running state and configuration
<Router> display rip
18. Basic OSPF configuration commands
18.1 Configure the Router ID
[Router]router id ip-address
18.2 Start an OSPF process
[Router]ospf [ process-id ]
18.3 Restart an OSPF process
<Router>reset ospf [ process-id ]
18.4 Configure an OSPF area
[Router-ospf-100]area area-id
18.5 Enable OSPF on the specified interfaces
[Router-ospf-1-area-0.0.0.0] network network-address wildcard-mask
18.6 Optional OSPF configuration commands
Configure the OSPF interface priority
[Router-Ethernet0/0] ospf dr-priority priority
18.7 Configure the OSPF interface cost
[Router-Ethernet0/0] ospf cost value
18.8 Display OSPF neighbor information
[H3C]display ospf peer
18.9 Display the OSPF link state database
<H3C>display ospf lsdb
18.10 Display OSPF routing information
<H3C>display ospf routing
18.11 Display OSPF summary information
[Router] display ospf brief
18.12 Display the interfaces on which OSPF is enabled
[Router] display ospf interface
18.13 Display OSPF error information
[Router] display ospf error
18.14 Display OSPF process information
[Router] display ospf INTEGER<1-16635>
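19. Access control lists
19.1 Enable the packet-filtering firewall function
The firewall function takes effect only after it is enabled on the router
[sysname] firewall enable
19.2 Set the firewall's default filtering action
The system's default filtering action is permit
[sysname] firewall default { permit | deny }
20. Configuring basic ACLs
20.1 Configure a basic ACL and specify the ACL number
The number of a basic IPv4 ACL ranges from 2000 to 2999
[sysname] acl number acl-number
20.2 Define rules
Specify the source IP address range to match
Specify whether the action is permit or deny
[sysname-acl-basic-2000] rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-name ]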
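How the source wildcard in 20.2 and the default action in 19.2 combine, as an added example that is not part of the original page: a Python evaluator for basic-ACL rules with explicit rule IDs. The sample ACL is constructed, and matching in ascending rule-ID order with fall-through to the firewall default is an assumption of this sketch.

```python
import ipaddress
import re

# Basic-ACL rule form from section 20.2, with an explicit rule-id:
#   rule rule-id { deny | permit } [ source { sour-addr sour-wildcard | any } ]
RULE_RE = re.compile(
    r"\brule\s+(\d+)\s+(permit|deny)(?:\s+source\s+(?:any|(\S+)\s+(\S+)))?\s*$")

# Constructed ACL: the deny rule needs the lower ID so that it carves the
# upper half of 10.0.0.0/24 out of the wider permit.
SAMPLE_ACL = [
    "[sysname-acl-basic-2000] rule 0 deny source 10.0.0.128 0.0.0.127",
    "[sysname-acl-basic-2000] rule 5 permit source 10.0.0.0 0.0.0.255",
]

def parse_basic_acl(lines):
    """Return [(rule_id, action, addr, wildcard)] sorted by rule ID.

    Assumption: rules are matched in ascending rule-ID order.
    """
    rules = []
    for line in lines:
        m = RULE_RE.search(line.strip())
        if not m:
            continue  # not a rule line, or an option this sketch skips
        if m.group(3) is None:  # 'source any' or no source clause
            addr, wild = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(m.group(3)))
            wild = int(ipaddress.IPv4Address(m.group(4)))
        rules.append((int(m.group(1)), m.group(2), addr, wild))
    return sorted(rules)

def evaluate(rules, src_ip, default="permit"):
    """Return (action, rule_id); rule_id is None when the default decided."""
    src = int(ipaddress.IPv4Address(src_ip))
    for rule_id, action, addr, wild in rules:
        # Wildcard bits set to 1 are "don't care"; bits set to 0 must match.
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action, rule_id
    return default, None  # no rule matched: the firewall default decides

if __name__ == "__main__":
    acl = parse_basic_acl(SAMPLE_ACL)
    for ip in ("10.0.0.200", "10.0.0.5", "192.168.1.1"):
        print(ip, evaluate(acl, ip), evaluate(acl, ip, default="deny"))
```

With the default left at permit, 192.168.1.1 passes although no rule names it; the same ACL under firewall default deny drops it.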
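21. Configuring advanced ACLs
21.1 Configure an advanced IPv4 ACL and specify the ACL number
The number of an advanced IPv4 ACL ranges from 3000 to 3999
[sysname] acl number acl-number
21.2 Define rules
Rules must be configured to match information such as the source IP address, destination IP address, protocol type carried over IP, and protocol port numbers
Specify whether the action is permit or deny
[sysname-acl-adv-3000] rule [ rule-id ] { deny | permit } protocol [ destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] established | fragment | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-name]
21.3 Configure Layer 2 ACLs
Configure a Layer 2 ACL and specify the ACL number
The number of a Layer 2 ACL ranges from 4000 to 4999
[sysname] acl number acl-number
21.4 Define rules
Rules must be configured to match Layer 2 information such as the source MAC address, destination MAC address, 802.1p priority, and Layer 2 protocol type
Specify whether the action is permit or deny
[sysname-acl-ethernetframe-4000] rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | lsap lsap-code lsap-wildcard | source-mac sour-addr source-mask | time-range time-name]
21.5 Apply the ACL to an interface; the configured ACL packet filtering takes effect only then
Specify whether the ACL is applied on the interface in the Outbound or the Inbound direction
[sysname-Serial2/0 ] firewall packet-filter { acl-number | name acl-name } { inbound | outbound }
21.6 ACL packet filtering display and debugging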
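22. Network address translation
22.1 Basic NAT configuration example
# Define a rule through an ACL that matches traffic whose source address belongs to the 10.0.0.0/24 network segment
[RTA]acl number 2000
[RTA-acl-basic-2000]rule 0 permit source 10.0.0.0 0.0.0.255
# Configure NAT address pool 1 for address translation, with addresses from 198.76.28.11 to 198.76.28.20
[RTA]nat address-group 1 198.76.28.11 198.76.28.20
# Enter interface view
[RTA]interface Ethernet0/1
# Associate address pool 1 with acl 2000 and apply NAT in the outbound direction of the interface
[RTA-Ethernet0/1]nat outbound 2000 address-group 1 no-pat
22.2 NAPT configuration example
# Define a rule through an ACL that matches traffic whose source address belongs to the 10.0.0.0/24 network segment
[RTA]acl number 2000
[RTA-acl-basic-2000]rule 0 permit source 10.0.0.0 0.0.0.255
# Configure NAT address pool 1, with only one address, 198.76.28.11, in the pool
[RTA]nat address-group 1 198.76.28.11 198.76.28.11
# Enter interface view
[RTA]interface Ethernet0/1
# Associate address pool 1 with acl 2000 and apply NAT in the outbound direction of the interface
[RTA-Ethernet0/1]nat outbound 2000 address-group 1
22.3 Easy IP configuration example
# Define a rule through an ACL that matches traffic whose source address belongs to the 10.0.0.0/24 network segment
[RTA]acl number 2000
[RTA-acl-basic-2000]rule 0 permit source 10.0.0.0 0.0.0.255
# Enter interface view
[RTA]interface Ethernet0/1
# Associate acl 2000 with the interface and apply NAT in the outbound direction
[RTA-Ethernet0/1]nat outbound 2000
22.4 NAT Server configuration example
# Enter interface view
[RTA]interface Ethernet0/1
# On the outgoing interface, bind the private server address and the public address with a one-to-one NAT mapping
[RTA-Ethernet0/1]nat server protocol tcp global 198.76.28.11 telnet inside 10.0.0.1 telnet
22.5 NAT information display and debugging
Display address translation information
display nat { address-group | aging-time | all | outbound | server | statistics | session | [ slot slot-number ] | [ source global global-addr | source inside inside-addr ] | [ destination ip-addr ] }
Debug the address translation process
debugging nat { alg | event | packet [ interface interface-type interface-number ] }
nat aging-time { tcp | udp | icmp} seconds
Clear address translation sessions
reset nat session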