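Switch CLI language (Chinese/English): language-mode Chinese|English
Save the configuration: save
Erase the saved configuration: reset saved-configuration
Reboot: reboot
Show the saved configuration: display saved-configuration
Show the startup configuration: display startup
Show the version: display version
Show the current configuration: display current-configuration
Show the application loaded at next boot: display boot-loader
Show the system time: display clock
Set the system time: clock datetime
Show the IP routing table: display ip routing-table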
(1) Remote login (Telnet)
(Password-only access:)
[H3C]user-interface vty 0 4
[H3C-ui-vty0-4]authentication-mode password
[H3C-ui-vty0-4]set authentication password simple 123
[H3C-ui-vty0-4]user privilege level 3
[H3C-ui-vty0-4]quit
[H3C]int vlan 1
[H3C-Vlan-interface1]ip add 192.168.1.1 24
[H3C-Vlan-interface1]quit
(Username plus password access:)
[S5500]local-user yang
[S5500-luser-yang]password simple 123456
[S5500-luser-yang]service-type telnet
[S5500-luser-yang]authorization-attribute level 3
(2) Link aggregation (same configuration on both switches)
(Create the aggregation group)
[S55002]int Bridge-Aggregation 1
(Enter each port and add it to the aggregation group)
[S55002]int GigabitEthernet 1/0/9
[S55002-GigabitEthernet1/0/9]port link-aggregation group 1
[S55002]int GigabitEthernet 1/0/10
[S55002-GigabitEthernet1/0/10]port link-aggregation group 1
(View the aggregation)
[S55002]dis link-aggregation summary
(3) Duplex, speed, trunk
[S55002-GigabitEthernet1/0/5]duplex auto/full/half (three modes)
[S55002-GigabitEthernet1/0/5]speed 10/100/1000/auto (speed values)
[S55002-GigabitEthernet1/0/5]port link-type access/hybrid/trunk (three port types)
[S55002-GigabitEthernet1/0/5]port trunk permit vlan all (or 1 to 4094)
(4) VLAN configuration
[S55002]vlan 2 (create a VLAN, 1-4094)
[S55002]int vlan 2 (enter the VLAN)
[S55002-vlan2]port GigabitEthernet 1/0/1 to GigabitEthernet 1/0/4 (assign the ports to the VLAN)
(5) Configuring a port as a trunk
[H3C]int GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1]port link-type trunk
[H3C-GigabitEthernet1/0/1]port trunk permit vlan all
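(6) Spanning tree
[H3C]stp {enable|disable} (enable/disable spanning tree)
[H3C]stp mode {stp|rstp|mstp} (mode)
[H3C]stp priority 4096 (priority)
[H3C-GigabitEthernet1/0/5]stp edged-port enable (configure as an edge port)
[H3C-GigabitEthernet1/0/5]stp cost 200 (path cost)
(7) Directly connected routes
(Note: the PCs on both sides must have an IP address and gateway configured, and the links must be up, for traffic to pass)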
[H3C]int e0/0
[H3C-Ethernet0/0]ip add 192.168.1.1 24
[H3C]int e0/1
[H3C-Ethernet0/1]ip add 192.168.2.1 24
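[H3C-Ethernet0/*]undo shutdown (enabled by default)
(8) Router-on-a-stick (single-arm routing)
(Note: wait a while after configuring; each PC's gateway must match its dot1q VLAN)
(Router side:)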
[H3C]int e0/0.1
[H3C-Ethernet0/0.1]ip add 192.168.1.1 24
[H3C-Ethernet0/0.1]vlan-type dot1q vid 2
[H3C]int e0/0.2
[H3C-Ethernet0/0.2]ip add 192.168.1.1 24
[H3C-Ethernet0/0.2]vlan-type dot1q vid 3
(Switch side:)
[H3C]vlan 2
[H3C-vlan2]port GigabitEthernet 1/0/11
[H3C]vlan 3
[H3C-vlan3]port GigabitEthernet 1/0/1
[H3C]int GigabitEthernet 1/0/20
[H3C-GigabitEthernet1/0/20]port link-type trunk
[H3C-GigabitEthernet1/0/20]port trunk permit vlan all
(9) Static routing lab
(Note: two ports on the same router must not be configured in the same subnet)
1. Topology ({192.168.1.0}pc1--RTA-{192.168.3.0}-RTB--pc2{192.168.2.0})
[RTA-Ethernet0/0]ip add 192.168.2.254 24
[RTA-Ethernet0/0]quit
[RTA]int Ethernet 0/1
[RTA-Ethernet0/1]ip add 192.168.3.1 24
[RTA-Ethernet0/1]quit
[RTA]ip route-static 192.168.1.0 255.255.255.0 192.168.3.2
[RTB]int e0/0
[RTB-Ethernet0/0]ip add 192.168.1.254 24
[RTB-Ethernet0/0]quit
[RTB]int e0/1
[RTB-Ethernet0/1]ip add 192.168.3.2 24
[RTB-Ethernet0/1]quit
[RTB]ip route-static 192.168.2.0 255.255.255.0 192.168.3.1
2. Topology ({192.168.1.0}pc1-S5500-{10.10.10.0}-RTA--{192.168.3.0}--RTB--{10.10.20.0}--RTC--pc2{192.168.2.0})
(Assign IP addresses to the devices)
[RTA]int e0/0
[RTA-Ethernet0/0]ip add 10.10.10.2 24
[RTA-Ethernet0/0]quit
[RTA]int e0/1
[RTA-Ethernet0/1]ip add 192.168.3.1 24
[RTA-Ethernet0/1]quit
[RTA]ip route-static 0.0.0.0 0.0.0.0 192.168.3.2
[RTA]ip route-static 192.168.1.0 255.255.255.0 10.10.10.1
[RTB]ip route-static 192.168.1.0 255.255.255.0 192.168.3.1
[RTB]ip route-static 192.168.11.0 255.255.255.0 10.10.20.2
[RTC]ip route-static 0.0.0.0 0.0.0.0 10.10.20.1
[S5500B]ip route-static 0.0.0.0 0.0.0.0 10.10.10.2
(10) Dynamic routing lab
(RIP)
Topology: {192.168.0.0}PC--RTA--{192.168.1.0}--RTB--PC{192.168.11.0}
(Assign IP addresses to the routers)
[RTA]int e0/1
[RTA-Ethernet0/1]ip add 192.168.1.1 24
[RTA-Ethernet0/1]quit
[RTA]int e0/0
[RTA-Ethernet0/0]ip add 192.168.0.1 24
[RTA]rip
[RTA-rip-1]network 192.168.0.0
[RTA-rip-1]network 192.168.1.0
[RTA-rip-1]quit
[RTB]rip
[RTB-rip-1]network 192.168.1.0
[RTB-rip-1]network 192.168.11.0
[RTB-rip-1]quit
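Note: if the networks attached to the two routers are in different segments, enable RIP version 2; to add security, use the following on the interface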
[RTA-Ethernet0/1]rip authentication-mode md5 rfc2453 h3c
(OSPF)
[RTA]ospf 1
[RTA-ospf-1]area 0
[RTA-ospf-1-area-0.0.0.0]network 192.168.11.0
(11) ACL (packet filtering): access control lists
[RTA]firewall enable
[RTA]acl number 3000
(Deny traffic from the 172 network to the 192 network)
[RTA-acl-adv-3000] rule deny ip source 172.16.0.1 0 destination 192.168.0.0 0.0.1.255
[RTA]int e0/0
(Apply ACL 3000 to the interface in the inbound direction)
[RTA-Ethernet0/0]firewall packet-filter 3000 inbound
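An added example (not part of the original notes) that evaluates the wildcard masks in rule 3000 above, so the addresses the deny rule really covers can be checked before it is applied. The function names are illustrative; the trailing `0` in the source term is written out as the wildcard 0.0.0.0.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: bits set to 1 in the mask are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)

def matched_range(base, wildcard):
    """First and last address covered by a contiguous wildcard mask."""
    wc = _to_int(wildcard)
    low = _to_int(base) & ~wc & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(low)),
            str(ipaddress.IPv4Address(low | wc)))

def rule_3000_denies(src, dst):
    """rule deny ip source 172.16.0.1 0 destination 192.168.0.0 0.0.1.255"""
    return (wildcard_match(src, "172.16.0.1", "0.0.0.0")
            and wildcard_match(dst, "192.168.0.0", "0.0.1.255"))

if __name__ == "__main__":
    print("source covers     :", matched_range("172.16.0.1", "0.0.0.0"))
    print("destination covers:", matched_range("192.168.0.0", "0.0.1.255"))
    # Constructed test packets (source, destination).
    for src, dst in [("172.16.0.1", "192.168.1.77"),
                     ("172.16.0.2", "192.168.1.77"),
                     ("172.16.0.1", "192.168.2.1")]:
        verdict = "matches deny rule" if rule_3000_denies(src, dst) else "no match"
        print(f"{src} -> {dst}: {verdict}")
```

The source term matches the single host 172.16.0.1, not a whole 172 network, and the destination term spans 192.168.0.0 through 192.168.1.255.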
(12) NAT address translation
(Reserved private ranges: 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16)
Topology: {10.10.10.0/24}PC---{10.10.10.254}RTA{198.76.28.1/24}---Internet{198.76.29.4/24}
(Basic NAT)
[RTA]acl number 2000
[RTA-acl-basic-2000]rule 0 permit source 10.10.10.0 0.0.0.255 (permit traffic from the PC subnet)
[RTA-acl-basic-2000]quit
[RTA]nat address-group 1 198.76.28.11 198.76.28.20 (address pool; must not include addresses already in use)
[RTA]int e0/0
[RTA-Ethernet0/0]nat outbound 2000 address-group 1
(NAT Server)
On the interface, bind a one-to-one NAT mapping between the private address and the public address
[RTA]int e0/0
[RTA-Ethernet0/0]nat server protocol tcp global 198.76.28.11 telnet inside 10.0.0.1 telnet
(13) Port security (802.1X)
(Basic 802.1X configuration)
Topology: pc-----[e1/0/1]S5500
[S5500B]dot1x
/*802.1x is enabled globally*/
[S5500B]dot1x interface GigabitEthernet 1/0/1
/*802.1x is enabled on port GigabitEthernet1/0/1*/
[S5500B]local-user yang
[S5500B-luser-yang]password simple yang
[S5500B-luser-yang]service-type lan-access
(Note: command to view the MAC address table: [H3C] dis mac-address)
Topology: PCA[e1/0/2]--PCB[e1/0/3]--PCC[e1/0/4]------STA-----Server[e1/0/1]
(Port isolation) (Note: not successful)
[H3C-GigabitEthernet1/0/1]port-isolate enable (add to the isolation group as an ordinary port)
[H3C-GigabitEthernet1/0/1]port-isolate uplink-port (add to the isolation group as the uplink port)
(Port binding)
[H3C-GigabitEthernet1/0/1]user-bind ip-address 192.168.1.10 (bind an IP address to the port)
[H3C-GigabitEthernet1/0/1]user-bind mac-address 0001-6c63-f590 (bind a MAC address to the port)
[H3C-GigabitEthernet1/0/1]user-bind ip-address 192.168.1.20 mac-address 0001-6c63-f590 (bind an IP and MAC address pair to the port)
(14)
(20) PoE, in two parts: AC and switch (the AC part has only two ports)
(AC configuration)
<H3C>sys
[H3C]sysname AC
[AC]vlan 10
[AC-vlan10]quit
[AC]vlan 20
[AC-vlan20]quit
[AC]int vlan 10
[AC-Vlan-interface10]ip add 192.168.10.254 24
[AC-Vlan-interface10]quit
[AC]int vlan 20
[AC-Vlan-interface20]ip add 192.168.20.254 24
[AC-Vlan-interface20]quit
(Enable the DHCP service; configure the address pools and gateways)
[AC]dhcp enable
[AC]dhcp server ip-pool ap (create an address pool for the APs)
[AC-dhcp-pool-ap]network 192.168.10.0
[AC-dhcp-pool-ap]gateway-list 192.168.10.254 (AC gateway)
[AC-dhcp-pool-ap]quit
[AC]dhcp server ip-pool use (create an address pool for users)
[AC-dhcp-pool-use]network 192.168.20.0
[AC-dhcp-pool-use]gateway-list 192.168.20.254 (user gateway)
[AC-dhcp-pool-use]quit
[AC]dhcp server forbidden-ip 192.168.10.254 (address excluded from allocation because the gateway uses it)
[AC]dhcp server forbidden-ip 192.168.20.254
[AC]interface Bridge-Aggregation 1 (aggregation group; configure as trunk, permit all VLANs)
[AC-Bridge-Aggregation1]port link-type trunk
[AC-Bridge-Aggregation1]port trunk permit vlan all
<AC>oap connect slot 0 (switch over to the switch module)
(Switch configuration)
<H3C>sys
[H3C]vlan 10
[H3C-vlan10]port GigabitEthernet 1/0/1
[H3C-vlan10]quit
[H3C]int Bridge-Aggregation 1 (aggregation group; configure as trunk, permit VLAN 10 where the AC resides)
[H3C-Bridge-Aggregation1]port link-type trunk
[H3C-Bridge-Aggregation1]port trunk permit vlan 10
[H3C]int GigabitEthernet 1/0/1 (enter the port and enable PoE)
[H3C-GigabitEthernet1/0/1]poe enable
(AC configuration; press Ctrl+K to switch back to the AC)
<AC>sys
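[AC]int WLAN-ESS 20 (create the virtual interface)
[AC-WLAN-ESS20]port access vlan 20 (assign the virtual interface to VLAN 20)
[AC]wlan service-template 20 clear (create the service template)
[AC-wlan-st-20]ssid aaa (set the template's SSID to aaa)
[AC-wlan-st-20]bind WLAN-ESS 20 (bind the virtual interface to the template)
[AC-wlan-st-20]service-template enable (enable the service template)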
[AC-wlan-st-20]quit
[AC]wlan ap ap model WA2620i-AGN (AP model)
[AC-wlan-ap-ap]serial-id 219801A0CNC122000814 (AP barcode serial number)
[AC-wlan-ap-ap]radio 2 (select radio 2)
[AC-wlan-ap-ap-radio-2]radio enable (enable the radio)
[AC-wlan-ap-ap-radio-2]service-template 20 (apply the service template)
(Wireless display commands:)
<AC>dis dhcp server ip all
<AC>dis wlan ap all
(21) IPSec VPN (GRE) configuration
(GRE configuration)
<RT4>sys
[RT4] int Tunnel 0
[RT4-Tunnel0]ip add 20.1.1.1 24
[RT4-Tunnel0]source 203.1.1.2 (local egress address)
[RT4-Tunnel0]destination 202.1.1.1 (peer egress address)
[RT4-Tunnel0]quit
(Static route to the peer-side addresses)
[RT4]ip route-static 192.168.10.0 255.255.255.0 Tunnel 0
[RT4]ipsec proposal aaa
[RT4-ipsec-proposal-aaa]transform esp
[RT4-ipsec-proposal-aaa]esp authentication-algorithm md5
[RT4-ipsec-proposal-aaa]esp encryption-algorithm des
[RT4-ipsec-proposal-aaa]encapsulation-mode tunnel
[RT4-ipsec-proposal-aaa]quit
[RT4]ike peer bbb
[RT4-ike-peer-bbb]pre-shared-key simple 00
[RT4-ike-peer-bbb]remote-address 20.1.1.2 (peer tunnel address)
[RT4-ike-peer-bbb]quit
[RT4]acl number 3000
(ACL: permit traffic from the local PC addresses to the peer PC addresses)
[RT4-acl-adv-3000]rule 0 permit ip source 192.168.11.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[RT4-acl-adv-3000]quit
[RT4]ipsec policy ccc 10 isakmp
[RT4-ipsec-policy-isakmp-ccc-10]security acl 3000
[RT4-ipsec-policy-isakmp-ccc-10]proposal aaa
[RT4-ipsec-policy-isakmp-ccc-10]ike-peer bbb
[RT4-ipsec-policy-isakmp-ccc-10]quit
[RT4]int tunnel 0
[RT4-tunnel0]ipsec policy ccc
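An added example (not part of the original notes): a small audit pass that flags the weak settings used in the Telnet section (1) and the IPSec section (21) when they appear in a saved configuration. The rule list, finding text and function names are this example's own; it assumes a software release on which `simple` secrets stay readable in the configuration.

```python
import re

# Each pattern is a command that appears in the notes above; the finding
# text is this example's own wording.
RULES = [
    (r"\bauthentication-mode password\b",
     "VTY login uses one shared password, so sessions are not tied to a user"),
    (r"\bpassword simple\b",
     "password is configured as a plaintext (simple) secret"),
    (r"\bpre-shared-key simple\b",
     "IKE pre-shared key is configured as a plaintext (simple) secret"),
    (r"\bservice-type telnet\b",
     "Telnet carries credentials and session data unencrypted"),
    (r"\besp encryption-algorithm des\b",
     "single DES has a 56-bit key and is no longer considered secure"),
    (r"\besp authentication-algorithm md5\b",
     "HMAC-MD5 is a deprecated integrity algorithm"),
    (r"\bport trunk permit vlan all\b",
     "trunk carries every VLAN instead of only the ones needed"),
]

# Strips a leading prompt such as "[H3C-ui-vty0-4]" or "<AC>".
PROMPT = re.compile(r"^\s*[\[<][^\]>]+[\]>]\s*")

def audit(config):
    """Return (line_number, command, finding) for every weak setting found."""
    findings = []
    for number, raw in enumerate(config.splitlines(), 1):
        command = PROMPT.sub("", raw).strip()
        for pattern, finding in RULES:
            if re.search(pattern, command):
                findings.append((number, command, finding))
    return findings

# Constructed sample: command lines taken from the sections above.
SAMPLE = """\
[H3C]user-interface vty 0 4
[H3C-ui-vty0-4]authentication-mode password
[H3C-ui-vty0-4]set authentication password simple 123
[S5500-luser-yang]service-type telnet
[H3C-GigabitEthernet1/0/1]port trunk permit vlan all
[RT4-ipsec-proposal-aaa]esp authentication-algorithm md5
[RT4-ipsec-proposal-aaa]esp encryption-algorithm des
[RT4-ike-peer-bbb]pre-shared-key simple 00
[RT4-Tunnel0]ip add 20.1.1.1 24
"""

if __name__ == "__main__":
    for number, command, finding in audit(SAMPLE):
        print(f"line {number}: {command}\n    {finding}")
```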