day-网络通信-华为交换机、路由器、防火墙常用命令

交换机

交换机远程管理

int vlanif 1
ip add 192.168.1.150 255.255.255.0
q
user vty 0 4
set auth password cipher 123
user privilege level 3
q

telnet AAA认证

telnet server enable       \\开启远程管理服务（默认开启）
user-internface vty 0 4     \\进入虚拟终端接口并设置用户连接数
authentication-mode aaa      \\设置认证模式aaa
protocol inbound telnet
aaa                              \\启用aaa认证
local-user user1 password cipher user001   \\创建用户设置密码
local-user user1 service-type  telnet     \\设置允许的远程方式为telnet
local-user user1 privilege level 15     \\设置用户的权限级别


display current-configuration

修改交换机名字

sysname  sw0102

查看当前端口的配置

int e0/0/0
display this

查看配置

display current-configuration

down端口

int g0/0/0
shutdown

交换机mac地址表

display mac-address

交换机的本网桥地址

dis bridge  mac-address

交换机信息表

dis system-information

vlan

vlan  10

vlan batch 10 20

端口加入vlan

int e0/0/1
port link-type access
port default vlan 10

display port vlan       查看

创建trunk链路

int e0/0/1
port link-type trunk
port trunk allow-pass vlan all

port group e0/0/0 e0/0/2
port link-type trunk
port trunk allow-pass vlan all


prot trunk pvid vlan 100  修改trunk的pvid

int e0/0/1
undo port trunk allow-pass vlan 2-4094

mstp配置

stp mode mstp                  修改模式为mstp

stp	region-configuration 
region-name hcie              给区域创建名字 
instance 10 vlan 10
instance 20 vlan 20             创建实例20绑定vlan20
active region-configuration    激活配置区域

stp instance 10 priority 0    调整交换机为根交换机
stp instance 10 priority 0    调整交换机为根交换机
stp instance 10 priority 4096    调整交换机为次根交换机 0 4096 8172

dis curr config mst

查看命令

display stp brief

dis port vlan

dis ip int b

Eth-trunk静态

int Eth-Trunk 1                创建链路聚合接口1
mode manual load-balance        设置模式为静态负载均衡模式
trunkport g0/0/1                 添加接口成员
trunkport g0/0/2
port link-type trunk             配置eth-trunk的类型为trunk       
port trunk allow-pass vlan all   配置trunk链路允许所有vlan 

display  eth-trunk 1                  查看

Eth-trunk LACP模式

int eth-trunk 1
mode lacp-static
trunkport g0/0/1
trunkport g0/0/2
trunkport g0/0/3
port link trunk
port trunk allow vlan all

max active-linknumber 2       设置为2条链路
lacp preempt enable         开启抢占模式   两个交换机都要开启



lacp priority  100            修改设备的优先级 小的为主设备  默认32768


display  eth-trunk 1                  查看

display eth-trunk 1

设置交换机的最大活动链路为2   默认为8
int eth-trunk 1               进入eth-trunk 1      
max active-linknumber 2       设置为2条链路

sys
lacp priority  100            修改设备的优先级 小的为主设备  默认32768

int eth-trunk 1
lacp preempt enable         开启抢占模式   两个交换机都要开启

mux-vlan

vlan batch 100 200 300
vlan 100                         进入vlan100
mux-vlan                         将vlan100设置为主vlan
subordinate group 300            将vlan300设置为组vlan
subordinate separate 200         将vlan200设置为隔离vlan

int e0/0/1                       端口加入vlan
port link access
port default vlan 100
port mux-vlan enable              开启mux-vlan功能

display mux-vlan

端口隔离组

vlan 10
port group  e0/0/1 to e0/0/5
int e0/0/1
port-isolate group 1

三层交换机删除vlanif

undo int vlanif100

路由器

端口配置IP

int g0/0/0

ip add  192.168.10.254 24

远程登录

user-interface vty 0 4
authentication-mode password
Please configure the login password: password 

路由子接口 单臂路由

int g/0/0/0.10
dot1q termination vid 10
ip add 192.168.10.254 24
arp broadcast enable

int g/0/0/0.20
dot1q termination vid 20
ip add 192.168.20.254 24
arp broadcast enable

查看端口IP地址

display ip int brief

查看路由表

dsiplay ip routing-table

手动添加路由表

ip  route-static 目标网路 子网掩码 下一跳

ip  route-static 192.168.3.2 24  192.168.2.2

undo route-static 192.168.3.2 24 192.168.2.2             删除静态路由

子接口（单臂路由）

int g/0/0/0.10                进入子接口1-4096
dot1q termination vid 10      接口绑定vlan10
ip add 192.168.10.254 24
arp broadcast enable          开启arp广播

浮动路由配置

ip route-static 0.0.0.0 0 192.168.40.1 preference 70

VRRP 负载均衡 网关冗余

u t m
sys
int g0/0/0
ip add 192.168.1.252 24
q
int g0/0/0
vrrp vrid 1 virtual-ip 192.168.1.254
vrrp vrid 1 priority 200

display vrrp
display vrrp brief

VRRP路由追踪

u t m
sys
int g0/0/0
ip add 192.168.1.252 24
q
int g0/0/0
vrrp vrid 1 virtual-ip 192.168.1.254
vrrp vrid 1 priority 200
vrrp vrid 1 track int g0/0/1 reduced 110

VRRP明文认证

int g0/0/0
vrrp vrid 1 virtual-ip 192.168.1.254
vrrp vrid 1 priority 200
vrrp vrid 1 auth simple 1234       对方也要配置1234为密码
                                       抓包可以看到密码
vrrp vrid 1 authentivation-mode simple 1234         完整命令

display this           查看当前端口的配置

VRRP密文认证

int g0/0/0
vrrp vrid 1 virtual-ip 192.168.1.254
vrrp vrid 1 priority 200
vrrp vrid 1 auth md5 1234       对方也要配置1234为密码
                                       抓包可以看到密码
vrrp vrid 1 authentivation-mode md5 1234

查看配置

display current-configuration

BFD双向转发检测机制

静态

bfd               开启bfd的功能
q
bfd ac bind peer-ip 192.168.23.3
discriminator local 1
discriminator remote 3
commit
q

bfd               开启bfd的功能
q
bfd ca bind peer-ip 192.168.12.1
discriminator local 3
discriminator remote 1
commit
q

display bfd session all

vrrp vrid 6 track bfd-session 3 increased 110    与vrrp联动 3是本地或者远程的标识符

DHCP服务器全局模式

int g0/0/0 
ip add 192.168.1.254 24
q

dhcp enable  
ip pool it
network 192.168.1.0 mask 24
gateway-list 192.168.1.254
dns-list 8.8.8.8
lease day 3
excluded-ip-address 192.168.1.1 192.168.1.2

int g0/0/0
dhcp select global 

display ip pool name vlan10 used       已经使用的IP

DHCP中继

中继路由器  配置在网关上：  
dhcp enable 
int g0/0/0
dhcp select relay
dhcp relay server-ip 192.168.20.254   

基本ACL

acl 2000
rule 10 deny source 192.168.1.0 0.0.0.255

int g0/0/0/
traffic-filter outbound acl 2000

高级ACL

acl 3000
rule 10 permit tcp source 192.168.3.1 0 destination 192.168.3.1 0 destination-port eq 80
rule 20 permit ip source 192.168.3.1 0 destination 192.168.3.0 0.0.0.255 
rule 30 deny ip source 192.168.3.1 0 destination any
int g0/0/1
traffic-filter inbound acl 3000

仅能ping通server
acl 10 permit ICMP source 192.168.3.1 0 destination 192.168.3.1 0

acl 3000
undo rule 10    删除

NAT-PAT

nat address-group 5 200.1.1.5 200.1.1.9

nat address-group 4 200.1.1.5 200.1.1.5       只有一个地址

acl 2000
rule 5 permit source 192.168.1.0 0.0.0.255

int g0/0/1
nat outbound 2000 address-group 5

PAT-EasyIP

acl 2000
rule 5 permit source 192.168.1.0 0.0.0.255

int g0/0/1
nat outbound 2000          
直接使用出口的IP 200.1.1.1

内网服务器映射到外网

int g0/0/1
nat server protocol tcp global 200.1.1.8 80 inside 192.168.1.1 80

nat server protocol tcp global 200.1.1.8 21 inside 192.168.1.2 21

OSPF

u t m
sys
int g0/0/1
ip add 192.168.1.254 24
int g0/0/0
ip add 192.168.12.1 24
q
-----------默认---------------
ospf 
area 0
network 192.168.1.0 0.0.0.255
network 192.168.12.0 0.0.0.255
------------推荐-----------------
ospf 1 router-Id  1.1.1.1
area 0
network 192.168.1.0 0.0.0.255
network 192.168.12.0 0.0.0.255

display ospf peer brief
display ip routing-table protocol ospf
display ospf brief
display ospf lsdb

ospf宣告静态路由

ospf 1 
import-route static       5类

ospf宣告默认路由,缺省路由，默认路由

ospf 1 
default-route-advertise  5类

ospf路由汇总

ABR（区域边界路由 ）

R1----R2----R3----R4----R5----R6
      abr  R34area0    abs   asbr
 
R1: 
ospf 1 router-id 1.1.1.1
area 12
network 192.168.12.0 0.0.0.255
network 10.10.1.1 0.0.0.255
network 10.10.2.2 0.0.0.255
network 10.10.3.3 0.0.0.255

在ABR（区域边界路由器）
ospf 1
area 12 
abr-summary 10.10.0.0 16

ASBR（自动系统边界路由器）

R1----R2----R3----R4----R5----R6
      abr  R34area0    abs   asbr

R6:
int loop 1 
ip add 10.50.1.1 24
int loop 2 
ip add 10.50.2.1 24
int loop 3
ip add 10.50.3.1 24

ospf 1
import-route direct    以外部路由方式宣告进路由表里

ospf 1
asbr-summary 10.50.0.0 255.255.0.0

ospf认证

链路认证

明文认证
R2:
int g0/0/0
ospf auth simple hice

R3:
int g0/0/1
ospf auth simple hcie

int g0/0/0
ospf auth simple hcie

R4:
int g0/0/1
ospf auth simple hcie

密文认证
R4:
int g0/0/0
ospf auth md5 10 hcie

R5:
int g0/0/1
ospf auth md5 10 hcie

区域认证

ospf 1
area 0
auth md5 5 123456

链路认证的优先级大于区域认证

OSPF虚链路

R2：
ospf 1 
area 34
vlink-peer 5.5.5.5

R5:
ospf 1 
area 34
vlink-peer 2.2.2.2

OSPF Gre

R2 -------让隧道两端互相通信:
int loop 0
ip add 10.10.25.2 24
q
ospf 1 
area 34 
network 10.10.25.0 0.0.0.255
----------建立隧道接口 选工具（Gre） 指定源IP 指定目标IP---------------------
int Tunnel0/0/25
tunnel-protocol gre
source 10.10.25.2
destination 10.10.25.5
---------给隧道接口配置IP地址  将隧道接口的网段宣告进区域0----------------
int Tunnel0/0/15
ip add 192.168.12.2 24
q
ospf 1
area 0
network 192.168.12.0 0.0.0.255

R5:
int loop 0
ip add 10.10.25.5 24
q
ospf 1
area 34
network 10.10.25.0 0.0.0.255

int Tunnel0/0/25
tunnel-protocol gre
source 10.10.25.5  24
destination 10.10.25.2

int Tunnel10/0/15
ip add 192.168.25.5 24
q
ospf 1
area 0
network 192.168.25.0 0.0.0.255

OSPF多线程导入

R2：
u t m
sys
int g0/0/1
ip add 192.168.12.1 24
int g0/0/0
ip add 192.168.23.2 24
q
ospf 1 router-id 2.2.2.2
area 34 
net 192.168.23.0 0.0.0.255


R2:
ospf 3 router-id 2.2.2.2
area 12
network 192.168.12.0 0.0.0.255
q

ospf 1
import-route ospf 3

ospf 3
import-route ospf 1

OSPF路由表管理

修改开销：到网段的花费 距离
R2:
int g0/0/2
ospf cost 3

OSPF路由过滤之route-policy

只将R2上的一条静态宣告进路由
R2:
int g0/0/0
ip add 192.168.12.2 24
int g0/0/1
ip add 192.168.23.1 24
q
ip route-static 192.168.1.0 24 192.168.12.1
ip route-static 192.168.2.0 24 192.168.12.1

--------------------------------------------------
只引入192.168.2.0 不引入1.0 宣告时
ospf 1
import-route  static route-policy yunxu20
q
route-policy yunxu20 permit node 10 
if-match acl 2000
q

acl 2000
rule 10 permit 192.168.2.0 0.0.0.255

OSPF路由过滤之LSA过滤

R5
acl 2000
rule 10 deny source 192.168.12.0 0.0.0.255
rule 20 permit source any

ospf 1
area 78
filter 2000 import

AC-AP

第一步：规划vlan和IP地址，让AP能自动获取IP地址并告诉AP谁是AC 中继

第二步：AC上离线导入AC的mac地址，DHCP上配置规划好的无线地址池

第三步：AC配置AP上的地址、无线名称、密码等进行下发

---------------------SW1-----------------------------
sys 
vlan batch 200 210 10 20 30 40
port group g0/0/1 to g0/0/5
port link trunk
port trunk allow vlan all
q
int vlan200 
ip add 192.168.200.254 24
int vlan88
ip add 192.168.88.254 24
q

dhcp enable
int vlan200
dhcp select relay
dhcp relay server 192.168.88.1
int vlan210
ip add 192.168.210.254 24 
vlan batch 10 20 30 40
int vlan10
ip add 192.168.10.254 24
dhcp select relay
dhcp relay server-ip 192.168.88.1
q
int vlan20
ip add 192.168.20.254 24
dhcp select relay
dhcp relay server-ip 192.168.88.1
q
int vlan30
ip add 192.168.30.254 24
dhcp select relay
dhcp relay server-ip 192.168.88.1
q
int vlan40
ip add 192.168.40.254 24
dhcp select relay
dhcp relay server-ip 192.168.88.1
q

-------------------SW 3 4 5 6--------------------------------------
sys
vlan batch 200 210 88
int g0/0/1
port link trunk
port trunk allow vlan all
port trunk pvid  vlan 200
int g0/0/2
port link trunk
port trunk allow vlan all
---------------------SW 1-----------------------------------------------
sys
vlan batch 200 210 88
int g0/0/2
port link trunk
port trunk allow vlan all
int g0/0/3
port link acc
port def vlan 210
int g0/0/1
port link acc
port def vlan 88


-------------------DHCP------------------------------------------
DHCP：
dhcp enable
ip pool vlan200
network 192.168.200.0 mask 24
gate 192.168.200.254
exclude 192.168.200.251 192.168.200.253
option 43 sub-option 3 ascii 192.168.210.1 
q
int g0/0/0
ip add 192.168.88.1 24
dhcp select global
q
ip route-static 0.0.0.0 0 192.168.88.254
-----------------------------------------

ip pool vlan10
network 192.168.10.0 mask 24
gateway-list 192.168.10.254
dns 8.8.8.8
lease day 3
exclude 192.168.10.251 192.168.10.253
q
ip pool vlan20
network 192.168.20.0 mask 24
gateway-list 192.168.20.254
dns 8.8.8.8
lease day 3
exclude 192.168.20.251 192.168.20.253
q
ip pool vlan30
network 192.168.20.0 mask 24
gateway-list 192.168.30.254
dns 8.8.8.8
lease day 3
exclude 192.168.30.251 192.168.30.253
q
ip pool vlan40
network 192.168.40.0 mask 24
gateway-list 192.168.40.254
dns 8.8.8.8
lease day 3
exclude 192.168.40.251 192.168.40.253
q

AC：

sys
vlan 210
q
int g0/0/1
port link acc
port def vlan 210
int vlan210
ip add 192.168.210.1 24
q
ip route-static 0.0.0.0 0 192.168.210.254

剩下的步骤AC6605

capwap source int vlan210

wlan 
ap-id 1 ap-mac 00e0-fcbd-4350
ap-id 2 ap-mac 00e0-fc42-7c30
ap-id 3 ap-mac 00e0-fcb8-3b40
ap-id 4 ap-mac 00e0-fc0c-70d0

regulatory-domain-profile name zhongguo
   country-code CN
   q

ap-group name vlan10
regulator zhongguo
y
q
ap-group name vlan20
regulator zhongguo
y
q
ap-group name vlan30
regulator zhongguo
y
q
ap-group name vlan40
regulator zhongguo
y
q

ap-id 1
ap-name vlan10
ap-group vlan10
y
q
ap-id 2
ap-name vlan20
ap-group vlan20
y
q
ap-id 3
ap-name vlan30
ap-group vlan30
y
q
ap-id 4
ap-name vlan40
ap-group vlan40
y
q



wlan
ssid-profile name vlan10
  ssid vlan10
q
ssid-profile name vlan20
  ssid vlan20
q
ssid-profile name vlan30
  ssid vlan30
q
ssid-profile name vlan40
  ssid vlan40
q
security-profile name vlan1020
  security wpa2 psk pass-phrase a12345678 aes
q
security-profile name vlan3040
  security wpa2 psk pass-phrase a12345678 aes
q

vlan pool vlan10
vlan 10
vlan pool vlan20
vlan 20
vlan pool vlan30
vlan 30
vlan pool vlan40 
vlan 40

wlan
vap-profile name vlan10
 ssid-profile vlan10
 security-profile vlan1020
 service-vlan vlan-pool vlan10
q
vap-profile name vlan20
 ssid-profile vlan20
 security-profile vlan1020
 service-vlan vlan-pool vlan20
q
vap-profile name vlan30
 ssid-profile vlan30
 security-profile vlan3040
 service-vlan vlan-pool vlan30
q
vap-profile name vlan40
 ssid-profile vlan40
 security-profile vlan3040
 service-vlan vlan-pool vlan40
q

ap-group name vlan10
 vap-profile vlan10 wlan 1 radio 0
 vap-profile vlan10 wlan 1 radio 1
q
ap-group name vlan20
 vap-profile vlan20 wlan 1 radio 0
 vap-profile vlan20 wlan 1 radio 1
q
ap-group name vlan30
 vap-profile vlan30 wlan 1 radio 0
 vap-profile vlan30 wlan 1 radio 1
q
ap-group name vlan40
 vap-profile vlan40 wlan 1 radio 0
 vap-profile vlan40 wlan 1 radio 1

AP

dis ip int b

dis system-information

防火墙

默认密码

admin
Admin@123
y
Admin@123
123..com
123..com

使用网页管理

u t m
sys
int g0/0/0
ip add 192.168.10.230 24
service https permit
service ping permit
service enable
quit
web-manager timeout 1440
return
save
y