Huawei Routing and Switching: Selected Configuration Commands
Configuration Commands
Layer 2 Commands
Configuring an access port
interface GigabitEthernet0/0/1
port link-type access                              # set the port type to access
port default vlan 2                                # change the PVID of the access port
display port vlan active GigabitEthernet 0/0/1     # check which VLANs the port sends tagged and which untagged
Configuring a trunk port
interface GigabitEthernet0/0/3
port link-type trunk                               # set the port type to trunk
port trunk pvid vlan 2                             # change the PVID of the trunk
undo port trunk allow-pass vlan 1                  # stop passing VLAN 1; by default a trunk passes VLAN 1 untagged, and an untagged native VLAN 1 on a trunk is what makes double-tagging VLAN hopping possible
port trunk allow-pass vlan 2 to 4094               # pass every VLAN except VLAN 1
display port vlan active GigabitEthernet 0/0/3     # check which VLANs the port sends tagged and which untagged (check the port just configured, 0/0/3)
Configuring a hybrid port
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid pvid vlan 2                            # change the hybrid PVID
port hybrid tagged vlan 10 20                      # pass VLANs 10 and 20 with the tag kept
port hybrid untagged vlan 30 40                    # pass VLANs 30 and 40 with the tag stripped
undo port hybrid vlan 1                            # stop passing VLAN 1
display port vlan active GigabitEthernet 0/0/3     # check which VLANs the port sends tagged and which untagged
How to configure a hybrid port so that it behaves exactly like an access port
interface GigabitEthernet0/0/3
port link-type access
port default vlan 20
The same result with a hybrid port:
interface GigabitEthernet0/0/3
port link-type hybrid
port hybrid pvid vlan 20
port hybrid untagged vlan 20
undo port hybrid vlan 1
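An added example, not part of the original notes: a Python audit that applies the rules above (remove VLAN 1 from trunk and hybrid ports, do not leave a non-access PVID at its default of 1) to a constructed configuration snippet in the text format of display current-configuration. It assumes the VRP defaults stated in the notes (VLAN 1 allowed untagged on trunk and hybrid ports, PVID 1). The interface configurations in SAMPLE_CONFIG are constructed for the example; the three that follow the notes (trunk with VLAN 1 removed, hybrid with VLAN 1 removed, plain access port) come back clean, the others are flagged.

```python
import re

# Constructed sample in the layout of `display current-configuration` (not from a real device).
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 2
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan all
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 2
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
 port link-type hybrid
 port hybrid pvid vlan 20
 port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/5
 port link-type hybrid
 port hybrid pvid vlan 20
 port hybrid untagged vlan 20
 undo port hybrid vlan 1
#
"""

def parse_interfaces(config):
    """Split a VRP configuration into {interface name: [command, ...]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            current = stripped.split(None, 1)[1]
            blocks[current] = []
        elif stripped == "#":
            current = None
        elif current is not None and stripped:
            blocks[current].append(stripped)
    return blocks

def expand_vlans(spec):
    """Expand a VLAN list such as '2 to 4094' or '10 20' into a set of VLAN IDs."""
    tokens, ids, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids

def port_state(commands):
    """Reduce one interface's commands to (link type, pvid, set of allowed VLANs)."""
    link_type, pvid, allowed = "access", 1, {1}   # VRP defaults: VLAN 1 passed untagged
    for cmd in commands:
        if re.match(r"port link-type (\w+)", cmd):
            link_type = cmd.split()[-1]
        elif re.match(r"port default vlan (\d+)", cmd):
            pvid = int(cmd.split()[-1]); allowed = {pvid}
        elif re.match(r"port (trunk|hybrid) pvid vlan (\d+)", cmd):
            pvid = int(cmd.split()[-1])
        elif cmd.startswith("port trunk allow-pass vlan "):
            spec = cmd[len("port trunk allow-pass vlan "):]
            allowed |= set(range(1, 4095)) if spec == "all" else expand_vlans(spec)
        elif cmd.startswith("undo port trunk allow-pass vlan "):
            allowed -= expand_vlans(cmd[len("undo port trunk allow-pass vlan "):])
        elif re.match(r"port hybrid (tagged|untagged) vlan ", cmd):
            allowed |= expand_vlans(cmd.split("vlan ", 1)[1])
        elif cmd.startswith("undo port hybrid vlan "):
            allowed -= expand_vlans(cmd[len("undo port hybrid vlan "):])
    return link_type, pvid, allowed

def audit(config):
    """Return {interface: [finding, ...]} for trunk/hybrid ports that still carry VLAN 1."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        link_type, pvid, allowed = port_state(cmds)
        if link_type == "access":
            continue
        problems = []
        if pvid == 1:
            problems.append("pvid is the default VLAN 1")
        if 1 in allowed:
            problems.append("VLAN 1 still allowed on %s port" % link_type)
        if len(allowed) >= 4094:
            problems.append("allow-pass vlan all: every VLAN reachable from this port")
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for port, problems in audit(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(problems))
```

Run it against the output of display current-configuration saved to a file; any port listed is one where a host can still inject or receive VLAN 1 traffic.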
Link aggregation
[SWA]interface Eth-Trunk 1
[SWA-Eth-Trunk1]mode lacp-static                          # aggregation mode: static LACP
[SWA-Eth-Trunk1]max active-linknumber 2                   # at most 2 active member links
[SWA-Eth-Trunk1]port link-type trunk
[SWA-Eth-Trunk1]port trunk allow-pass vlan all
[SWA-Eth-Trunk1]trunkport GigabitEthernet 0/0/4 to 0/0/6  # add the member ports to the Eth-Trunk
Viewing the MAC address table
[Huawei]display mac-address
Viewing the VLANs a port passes
[Huawei]display port vlan GigabitEthernet 0/0/3
Port                      Link Type    PVID  Trunk VLAN List
-------------------------------------------------------------------------------
GigabitEthernet0/0/3      hybrid       1     -
Viewing the ARP cache
<Huawei>display arp
Layer 3 Routing Commands
Viewing the routing table
[Huawei]display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 4        Routes : 4
Destination/Mask      Proto   Pre  Cost  Flags  NextHop      Interface
127.0.0.0/8           Direct  0    0     D      127.0.0.1    InLoopBack0
127.0.0.1/32          Direct  0    0     D      127.0.0.1    InLoopBack0
127.255.255.255/32    Direct  0    0     D      127.0.0.1    InLoopBack0
255.255.255.255/32    Direct  0    0     D      127.0.0.1    InLoopBack0
[R1]dis ip routing-table 192.168.2.100         # look up the route used for one address (a prefix also works): longest match wins
[R1]display ip routing-table protocol ospf     # show only the routes learned by one protocol
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : OSPF
         Destinations : 2        Routes : 2
OSPF routing table status : <Active>
         Destinations : 2        Routes : 2
Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface
3.3.3.3/32          OSPF    10   2     D      10.1.12.2    GigabitEthernet0/0/0
10.1.23.0/30        OSPF    10   2     D      10.1.12.2    GigabitEthernet0/0/0
OSPF routing table status : <Inactive>
         Destinations : 0        Routes : 0
Viewing interface IP addresses and masks
[Huawei]display ip interface brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 1
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 1
The number of interface that is DOWN in Protocol is 1
Interface           IP Address/Mask    Physical   Protocol
Ethernet0/0/8       unassigned         down       down
NULL0               unassigned         up         up(s)
# Physical: physical-layer state
# Protocol: protocol-layer (line protocol) state
A directly connected route appears in the routing table only when both states are up.
Static routes
[RTA] ip route-static 20.1.1.0 255.255.255.0 10.0.0.2   # specify the next hop
[RTC] ip route-static 10.0.0.0 255.255.255.0 S1/0/0     # specify the outgoing interface (suitable for point-to-point links such as serial)
Floating static route
[RTA] ip route-static 20.0.0.0 30 10.1.1.2
[RTA] ip route-static 20.0.0.0 30 10.1.2.2 preference 70   # a higher preference value (default 60) makes this the backup; it becomes active only when the primary route is withdrawn
Black-hole route
[Huawei]ip route-static 1.0.0.0 16 NULL0   # traffic to the aggregate is dropped; used to prevent routing loops when advertising a summary
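An added example, not from the original notes, covering the route lookup behind display ip routing-table 192.168.2.100 together with the floating and black-hole static routes above. The Python code parses a routing table written in the column layout of display ip routing-table and picks the route the way the router does: longest prefix first, then lowest preference, then lowest cost. The table is constructed for the example (the two OSPF entries repeat the output above; the default route, the two 20.0.0.0/30 static routes with preference 60 and 70, the directly connected 192.168.2.0/24 and the NULL0 route are invented to exercise each case). The lookup_without helper simulates the primary next hop disappearing so the floating route takes over.

```python
import ipaddress

# Constructed routing table in the column layout of `display ip routing-table`.
ROUTING_TABLE = """\
Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface
0.0.0.0/0           Static  60   0     RD     10.1.12.2    GigabitEthernet0/0/0
3.3.3.3/32          OSPF    10   2     D      10.1.12.2    GigabitEthernet0/0/0
10.1.23.0/30        OSPF    10   2     D      10.1.12.2    GigabitEthernet0/0/0
20.0.0.0/30         Static  60   0     RD     10.1.1.2     GigabitEthernet0/0/1
20.0.0.0/30         Static  70   0     RD     10.1.2.2     GigabitEthernet0/0/2
192.168.2.0/24      Direct  0    0     D      192.168.2.1  Vlanif10
1.0.0.0/16          Static  60   0     D      0.0.0.0      NULL0
"""

def parse_routing_table(text):
    """Turn the table text into a list of route dicts; the first line is the header."""
    routes = []
    for line in text.splitlines()[1:]:
        dest, proto, pre, cost, flags, nexthop, iface = line.split()
        routes.append({
            "prefix": ipaddress.ip_network(dest, strict=False),
            "proto": proto, "pre": int(pre), "cost": int(cost),
            "flags": flags, "nexthop": nexthop, "iface": iface,
        })
    return routes

def lookup(routes, address):
    """Longest prefix match; ties broken by lower preference, then lower cost.

    Returns the winning route dict, or None when nothing (not even a default) matches.
    """
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r["prefix"]]
    if not candidates:
        return None
    candidates.sort(key=lambda r: (-r["prefix"].prefixlen, r["pre"], r["cost"]))
    return candidates[0]

def lookup_without(routes, address, nexthop):
    """Simulate the link to `nexthop` failing: its routes leave the table, and the
    floating static route with the higher preference value becomes the active one."""
    remaining = [r for r in routes if r["nexthop"] != nexthop]
    return lookup(remaining, address)

if __name__ == "__main__":
    routes = parse_routing_table(ROUTING_TABLE)
    for ip in ("192.168.2.100", "3.3.3.3", "20.0.0.1", "1.0.5.5", "8.8.8.8"):
        r = lookup(routes, ip)
        print(ip, "->", r["prefix"], r["proto"], "pre", r["pre"], "via", r["nexthop"], r["iface"])
    r = lookup_without(routes, "20.0.0.1", "10.1.1.2")
    print("20.0.0.1 with 10.1.1.2 gone ->", r["nexthop"], "pre", r["pre"])
```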
OSPF
Configuration
[Router-conf]int g0/0/0
[Router-conf-g0/0/0]undo ospf enable   # stop running OSPF on this interface (it is no longer advertised and forms no adjacencies)
Viewing neighbor state
[R2-ospf-1]display ospf peer brief
Advertising a default route
[R2-ospf-1]default-route-advertise always   # without "always" the default route is advertised only while the router itself has an active default route (i.e. its next hop is reachable); with "always" it is advertised unconditionally
VRRP
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]display this
[V200R003C00]
#
interface GigabitEthernet0/0/0
ip address 192.168.1.253 255.255.255.0
vrrp vrid 1 virtual-ip 192.168.1.254                          # virtual IP address
vrrp vrid 1 priority 120                                      # priority (default 100)
vrrp vrid 1 preempt-mode timer delay 10                       # preempt delay 10 s
vrrp vrid 1 track interface GigabitEthernet0/0/1 reduced 30   # track the uplink interface: when it goes down the priority drops by 30 so the backup takes over automatically
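An added example, not from the original notes: a small Python model of the VRRP election for the configuration above. It shows why the numbers matter: R1 at priority 120 loses 30 when the tracked uplink fails and, at 90, drops below a backup at the default 100, so the backup becomes master; when the uplink returns R1 only takes the role back after its 10 s preempt delay. The model keeps the real rules (highest effective priority wins, higher interface IP breaks ties, a backup preempts only if preemption is enabled and its delay has passed) but ignores advertisement timers. The second router R2 and its address 192.168.1.252 are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class VrrpRouter:
    name: str
    ip: str                         # interface address, used as the election tiebreaker
    priority: int = 100             # VRP default priority
    preempt: bool = True            # VRP default: preemption on, delay 0 s
    preempt_delay: int = 0
    tracked: dict = field(default_factory=dict)        # interface -> 'reduced' value
    down_interfaces: set = field(default_factory=set)

    def effective_priority(self):
        """Each tracked interface that is down subtracts its reduced value."""
        return self.priority - sum(v for i, v in self.tracked.items()
                                   if i in self.down_interfaces)

def _election_key(router):
    return (router.effective_priority(), tuple(int(o) for o in router.ip.split(".")))

def elect_master(routers, current_master=None, elapsed=0):
    """Return the master after a round of advertisements.

    Highest effective priority wins, ties go to the higher interface IP. A backup only
    takes over from a live master if preemption is enabled on the backup and its preempt
    delay has elapsed; `elapsed` is the seconds since the backup first saw a weaker master.
    """
    best = max(routers, key=_election_key)
    if current_master is None or current_master not in routers:
        return best                          # no live master: plain election
    if best is current_master:
        return current_master
    if best.preempt and elapsed >= best.preempt_delay:
        return best
    return current_master

def r1_r2_scenario():
    """Uplink loss and recovery for the configuration above; returns the master at each step."""
    r1 = VrrpRouter("R1", "192.168.1.253", priority=120, preempt_delay=10,
                    tracked={"GigabitEthernet0/0/1": 30})
    r2 = VrrpRouter("R2", "192.168.1.252")   # second router; address constructed for the example
    steps = []
    master = elect_master([r1, r2]); steps.append(master.name)                       # R1: 120 > 100
    r1.down_interfaces.add("GigabitEthernet0/0/1")                                    # uplink fails: R1 is 120 - 30 = 90
    master = elect_master([r1, r2], master); steps.append(master.name)               # R2 takes over at once
    r1.down_interfaces.clear()                                                        # uplink returns: R1 back to 120
    master = elect_master([r1, r2], master, elapsed=5); steps.append(master.name)    # R2 still master (delay 10 s)
    master = elect_master([r1, r2], master, elapsed=10); steps.append(master.name)   # R1 preempts
    return steps

if __name__ == "__main__":
    print(" -> ".join(r1_r2_scenario()))
```

The reduced value has to be large enough to push the master below every backup; with reduced 10 the master would stay at 110 and keep forwarding into a dead uplink.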
Connectivity Check Commands
ping
ping 3.3.3.3                 # without a source address the router looks up the route and uses the address of the outgoing interface as the source
ping -a 1.1.1.1 2.2.2.2      # -a sets the source address; the destination follows
NAT (Network Address Translation)
Static NAT
Maps the private address of an internal host one-to-one to a public address.
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]nat static enable                                # enable static NAT on the interface
[AR1-GigabitEthernet0/0/1]nat static global 12.2.2.3 inside 192.168.1.1   # configure the mapping
Dynamic NAT
Translates the private addresses of internal hosts to addresses from a public address pool.
[AR1]nat address-group 1 12.2.2.3 12.2.2.5   # create the address pool
[AR1]acl 2000
[AR1-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255   # ACL selecting the hosts to translate
[AR1-acl-basic-2000]q
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1 no-pat
# no-pat means ports are NOT translated: each inside host takes one whole pool address (one-to-one dynamic NAT), so a three-address pool serves only three hosts at a time
NAPT (Network Address Port Translation)
Translates the port as well as the IP address, so one public address can serve many private addresses (1:N).
[AR1]nat address-group 1 12.2.2.3 12.2.2.5
[AR1]acl 2000
[AR1-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[AR1-acl-basic-2000]q
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000 address-group 1
Easy IP
A special form of NAPT with no address pool: the address of the outgoing interface is used as the public address.
[AR1]acl 2000
[AR1-acl-basic-2000]rule 5 permit source 192.168.1.0 0.0.0.255
[AR1-acl-basic-2000]q
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]nat outbound 2000
NAT Server
Publishes an internal server on a public address and port. Only the mapped port is reachable from outside, but NAT hides an address rather than enforcing access control, so inbound traffic should still be filtered with an ACL.
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]nat server protocol tcp global 12.2.2.3 www inside 192.168.1.1 www
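An added example, not from the original notes: a Python model of the four NAT forms above using the pool 12.2.2.3 to 12.2.2.5 from the configuration. It makes the no-pat difference concrete: dynamic NAT without port translation binds one pool address per inside host and refuses the fourth host, while NAPT (and Easy IP, which is NAPT with a single public address) keeps allocating ports on the same public address. The nat_server_inbound function shows that only the published port is reachable from outside. The inside host addresses 192.168.1.10 to 192.168.1.13 and the Easy IP interface address 12.2.2.1 are constructed for the example; real NAT tables also age out bindings, which this model only sketches with release().

```python
import itertools

class NatPool:
    """One `nat address-group`, used by `nat outbound <acl> address-group N no-pat`."""
    def __init__(self, addresses):
        self.free = list(addresses)
        self.bindings = {}            # inside IP -> public IP

    def translate_no_pat(self, inside_ip):
        """Dynamic NAT without port translation: one whole public address per inside host."""
        if inside_ip in self.bindings:
            return self.bindings[inside_ip]
        if not self.free:
            return None               # pool exhausted: this host gets no translation
        self.bindings[inside_ip] = self.free.pop(0)
        return self.bindings[inside_ip]

    def release(self, inside_ip):
        """A binding ages out: the public address goes back to the pool."""
        self.free.append(self.bindings.pop(inside_ip))

class Napt:
    """NAPT: `nat outbound <acl> address-group N` without no-pat, or Easy IP when the
    only public address is the outgoing interface's own."""
    def __init__(self, public_ips, first_port=1024, last_port=65535):
        # Every (public IP, port) pair is a translation slot; next() raises StopIteration
        # only after all ports on all pool addresses are in use.
        self.slots = itertools.product(list(public_ips), range(first_port, last_port + 1))
        self.table = {}               # (inside IP, inside port) -> (public IP, public port)

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.table:
            self.table[key] = next(self.slots)
        return self.table[key]

def static_nat(mapping, inside_ip):
    """`nat static global G inside I`: fixed one-to-one mapping, valid in both directions."""
    return mapping.get(inside_ip)

def nat_server_inbound(servers, global_ip, global_port):
    """`nat server protocol tcp global G port inside I port`: an inbound packet is forwarded
    only if its (public IP, port) is published; anything else has no inside target."""
    return servers.get((global_ip, global_port))

if __name__ == "__main__":
    hosts = ("192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13")
    pool = NatPool(["12.2.2.3", "12.2.2.4", "12.2.2.5"])
    for host in hosts:
        print("no-pat", host, "->", pool.translate_no_pat(host))
    napt = Napt(["12.2.2.3", "12.2.2.4", "12.2.2.5"])
    for host in hosts:
        print("napt  ", host, "->", napt.translate(host, 50000))
    easy = Napt(["12.2.2.1"])       # Easy IP: interface address is the only public IP
    print("easyip", hosts[0], "->", easy.translate(hosts[0], 40000))
    servers = {("12.2.2.3", 80): ("192.168.1.1", 80)}
    print("inbound 12.2.2.3:80 ->", nat_server_inbound(servers, "12.2.2.3", 80))
    print("inbound 12.2.2.3:22 ->", nat_server_inbound(servers, "12.2.2.3", 22))
```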
Device Login Configuration
Setting the console login password
[R1]user-interface console 0                                  # console port login
[R1-ui-console0]set authentication password cipher huawei     # cipher: the password is stored in the configuration in encrypted form, not as plaintext
If the password is forgotten, simply set a new one (this requires console access).
Setting the VTY login password
Without a password, remote login is refused by default.
[R1]user-interface vty 0 4                                    # the first five VTY lines
[R1-ui-vty0-4]set authentication password cipher huawei
[R1-ui-vty0-4]user privilege level 3                          # user level 3 (management); the default level 0 is the visit level (diagnostic commands only)
[R3-ui-vty0-4]idle-timeout 3 30                               # idle timeout 3 minutes 30 seconds (default 10 minutes)
Configuring Telnet login
<AR>system-view                                          // enter system view
[AR]sysname Huawei                                       // name the device Huawei
[Huawei]telnet server enable                             // enable the Telnet server
[Huawei]user-interface vty 0 4                           // VTY lines 0-4
[Huawei-ui-vty0-4]protocol inbound telnet                // accept Telnet on these lines
[Huawei-ui-vty0-4]authentication-mode aaa                // authenticate through AAA (username and password)
[Huawei-ui-vty0-4]quit
[Huawei]aaa
[Huawei-aaa]local-user admin123 password cipher admin123     // create the local user and password (placeholder; use a strong password)
[Huawei-aaa]local-user admin123 service-type telnet          // the user may log in via Telnet
[Huawei-aaa]local-user admin123 privilege level 15           // user level 15 (highest)
[Huawei-aaa]quit                                             // leave AAA view
Telnet carries the username, password and session in cleartext; on a production network use STelnet (SSH) instead.
Saving the Configuration
Viewing the saved configuration
<Huawei>display saved-configuration
Clearing the saved configuration
Combined with a reboot this restores the factory defaults.
<Huawei>reset saved-configuration
Viewing the candidate configuration (configured but not yet committed)
[*HUAWEI]dis configuration candidate   # only on VRP V8 and later (two-stage commit mode); the * in the prompt marks uncommitted changes
Spanning Tree Variants
Global settings
[LSW1]stp mode mstp                    # set the STP mode (stp, rstp or mstp)
[LSW1]stp root primary                 # make this switch the root bridge: priority becomes 0 and can no longer be changed with stp priority
[LSW1]stp root secondary               # make this switch the secondary root: priority becomes 4096 and can no longer be changed
[LSW1]stp priority 0                   # set the bridge priority manually (default 32768, in steps of 4096)
[LSW1]stp pathcost-standard dot1t      # path-cost calculation standard (IEEE 802.1t)
[LSW1-GigabitEthernet0/0/1]stp cost 2000   # set the path cost of an interface
[LSW1]stp enable                       # enable STP (enabled by default)
MSTP
MSTP configuration:
[Huawei]stp mode mstp                            // set the STP mode to MSTP
[Huawei]stp region-configuration                 // enter MST region configuration view
[Huawei-mst-region]region-name huawei            // name the MST region "huawei"
[Huawei-mst-region]instance 10 vlan 10           // map VLAN 10 to instance 10
[Huawei-mst-region]instance 20 vlan 20           // map VLAN 20 to instance 20
[Huawei-mst-region]active region-configuration   // activate the region configuration so it takes effect
[Huawei]stp instance 10 root primary             // make this switch the root bridge of instance 10 (the instance numbers must match those mapped in the region)
[Huawei]stp instance 20 root secondary           // make this switch the secondary root of instance 20
DHCP
Global address pool configuration
<Switch>system-view
[Switch]dhcp enable
[Switch]ip pool 1                                        // create the IP address pool in system view
[Switch-ip-pool-1]network 10.1.1.0 mask 255.255.255.128
[Switch-ip-pool-1]dns-list 10.1.1.1
[Switch-ip-pool-1]gateway-list 10.1.1.1
[Switch-ip-pool-1]excluded-ip-address 10.1.1.2           // reserved addresses that are never leased
[Switch-ip-pool-1]excluded-ip-address 10.1.1.4
[Switch-ip-pool-1]lease 10                               // lease time 10 days
[Switch-ip-pool-1]quit
Make clients on VLANIF 10 obtain addresses from global pool 1
[Switch]interface Vlanif 10
[Switch-Vlanif10]ip address 10.1.1.1 255.255.255.128     // the interface address must lie in the pool's subnet (10.1.1.0/25) and should match gateway-list; 10.1.1.254 would fall in 10.1.1.128/25 and the pool would never be used
[Switch-Vlanif10]dhcp select global                      // serve this interface from the global address pool
DHCP relay configuration
[SW1]dhcp enable
[SW1-Vlanif10]display this
#
interface Vlanif10
ip address 192.168.10.252 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.200.1   # address of the DHCP server the requests are relayed to
IPsec VPN
Static (manual-key) IPsec configuration
The configuration on the two routers is almost identical.
On the other router change:
the ACL; in addition the NAT ACL must exclude traffic from the tunnel's source subnet to its destination subnet (NAT runs before IPsec on the outbound interface, and translated packets no longer match the IPsec ACL)
the proposal name
the tunnel local and remote addresses
the inbound and outbound SPI numbers (swap them)
the IPsec policy name
# ACL rule (the traffic to protect)
[R1]acl 3000
[R1-acl-adv-3000]rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
# IPsec proposal
[R1]ipsec proposal cd                                         # proposal named cd
[R1-ipsec-proposal-cd]esp authentication-algorithm sha2-256   # integrity algorithm SHA2-256
[R1-ipsec-proposal-cd]esp encryption-algorithm aes-128        # encryption algorithm AES-128
# IPsec policy with manual keying
[R1]ipsec policy chengdu 10 manual                            # policy chengdu, sequence 10, manual keying
[R1-ipsec-policy-manual-chengdu-10]security acl 3000          # protect the traffic matched by ACL 3000
[R1-ipsec-policy-manual-chengdu-10]proposal cd                # use IPsec proposal cd
[R1-ipsec-policy-manual-chengdu-10]tunnel local 100.1.1.1     # local tunnel address 100.1.1.1
[R1-ipsec-policy-manual-chengdu-10]tunnel remote 200.1.1.1    # remote tunnel address 200.1.1.1
[R1-ipsec-policy-manual-chengdu-10]sa spi inbound esp 54321   # inbound SA SPI 54321; on the other router this value is the outbound SPI, so its inbound SPI is 12345
[R1-ipsec-policy-manual-chengdu-10]sa string-key inbound esp cipher summer    # inbound SA key (string form) summer
[R1-ipsec-policy-manual-chengdu-10]sa spi outbound esp 12345  # outbound SA SPI 12345; 54321 on the other router
[R1-ipsec-policy-manual-chengdu-10]sa string-key outbound esp cipher summer   # outbound SA key (string form) summer
With manual keying the keys never change and a string key like "summer" is guessable; keep it for labs and prefer IKE (below) with a strong pre-shared key or certificates.
# apply the IPsec policy on the interface
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ipsec policy chengdu
# check the IPsec state
[R1]display ipsec sa brief
Number of SAs:2
Src address     Dst address     SPI     VPN   Protocol   Algorithm
-------------------------------------------------------------------------------
200.1.1.1       100.1.1.1       54321   0     ESP        E:AES-128 A:SHA2_256_128
100.1.1.1       200.1.1.1       12345   0     ESP        E:AES-128 A:SHA2_256_128
# remove the IPsec policy
[R1]undo ipsec policy chengdu
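An added example, not from the original notes: a Python check that two manual-key IPsec policies are mirror images, which is the mistake the notes warn about (the peer must swap local/remote addresses and the inbound/outbound SPIs, and use the same proposal and keys per direction). R1_CONFIG repeats the policy above; R2_CONFIG is the peer written as the notes prescribe and is constructed for the example. It parses the plaintext commands as typed, so it assumes the key is visible as summer; on a real device display current-configuration shows the cipher text instead, and the key comparison would have to be done by hand. weak_settings lists what a reviewer would raise about the manual policy itself.

```python
import re

# R1 as configured above; R2 is the constructed peer (addresses and SPIs swapped).
R1_CONFIG = """\
ipsec proposal cd
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ipsec policy chengdu 10 manual
 security acl 3000
 proposal cd
 tunnel local 100.1.1.1
 tunnel remote 200.1.1.1
 sa spi inbound esp 54321
 sa string-key inbound esp cipher summer
 sa spi outbound esp 12345
 sa string-key outbound esp cipher summer
"""
R2_CONFIG = """\
ipsec proposal cd
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-128
ipsec policy chengdu 10 manual
 security acl 3000
 proposal cd
 tunnel local 200.1.1.1
 tunnel remote 100.1.1.1
 sa spi inbound esp 12345
 sa string-key inbound esp cipher summer
 sa spi outbound esp 54321
 sa string-key outbound esp cipher summer
"""

PATTERNS = {
    "auth": r"esp authentication-algorithm (\S+)",
    "enc": r"esp encryption-algorithm (\S+)",
    "local": r"tunnel local (\S+)",
    "remote": r"tunnel remote (\S+)",
    "spi_inbound": r"sa spi inbound esp (\d+)",
    "spi_outbound": r"sa spi outbound esp (\d+)",
    "key_inbound": r"sa string-key inbound esp cipher (\S+)",
    "key_outbound": r"sa string-key outbound esp cipher (\S+)",
}

def parse_manual_policy(text):
    """Pull the fields that must agree between the two ends out of a manual IPsec policy."""
    policy = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text)
        if m:
            policy[name] = m.group(1)
    return policy

def check_peers(a, b):
    """Return the list of reasons the two policies will not bring up matching SAs (empty = mirrored)."""
    errors = []
    for k in ("auth", "enc"):
        if a.get(k) != b.get(k):
            errors.append("%s mismatch: %s vs %s" % (k, a.get(k), b.get(k)))
    if a.get("local") != b.get("remote") or a.get("remote") != b.get("local"):
        errors.append("tunnel local/remote addresses are not mirrored")
    if a.get("spi_inbound") != b.get("spi_outbound"):
        errors.append("A inbound SPI %s must equal B outbound SPI %s" % (a.get("spi_inbound"), b.get("spi_outbound")))
    if a.get("spi_outbound") != b.get("spi_inbound"):
        errors.append("A outbound SPI %s must equal B inbound SPI %s" % (a.get("spi_outbound"), b.get("spi_inbound")))
    if a.get("key_inbound") != b.get("key_outbound") or a.get("key_outbound") != b.get("key_inbound"):
        errors.append("string-keys are not mirrored per direction")
    if a.get("spi_inbound") == a.get("spi_outbound"):
        errors.append("inbound and outbound SPI are identical on A")
    return errors

def weak_settings(policy):
    """Warnings about the policy on its own, independent of the peer."""
    warnings = ["manual keying: SAs never rekey until someone edits the configuration; prefer IKE"]
    if policy.get("enc") in ("des", "3des"):
        warnings.append("weak encryption algorithm " + policy["enc"])
    if policy.get("auth") in ("md5", "sha1"):
        warnings.append("weak integrity algorithm " + policy["auth"])
    if len(policy.get("key_inbound", "")) < 16:
        warnings.append("string-key is short and guessable")
    return warnings

if __name__ == "__main__":
    r1, r2 = parse_manual_policy(R1_CONFIG), parse_manual_policy(R2_CONFIG)
    print("mirror errors:", check_peers(r1, r2) or "none")
    print("warnings on R1:", weak_settings(r1))
```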
The NAT ACL is written like this:
[R1-acl-adv-3001]display this
[V200R003C00]
#
acl number 3001
rule 5 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
rule 10 permit ip
Rules are evaluated in ascending number order, so the deny must come before the permit: traffic the NAT ACL denies is forwarded untranslated and still matches IPsec ACL 3000, while everything else is translated.
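An added example, not from the original notes: a Python evaluator for VRP wildcard-mask ACL rules (a 0 bit in the wildcard must match, a 1 bit is ignored; the inverse of a subnet mask) applied to ACL 3000, ACL 3001 and basic ACL 2000 from the notes. It also models the outbound ordering that makes the deny rule necessary: NAT is applied before IPsec, so a NAT ACL that forgets the deny translates the site-to-site traffic first, the IPsec ACL no longer matches it, and it leaves the router in cleartext. NAT_ACL_NO_EXCLUDE and the translated address 12.2.2.3 used by outbound_decision are constructed for the example.

```python
import ipaddress

def wildcard_match(address, base, wildcard):
    """VRP wildcard mask: bits that are 0 in the wildcard must equal the base, 1 bits are don't-care."""
    a = int(ipaddress.ip_address(address))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

class Rule:
    def __init__(self, number, action, source=None, destination=None):
        self.number, self.action = number, action
        self.source = source            # (base, wildcard) or None = any source
        self.destination = destination  # (base, wildcard) or None = any destination (basic ACLs have none)

    def matches(self, src, dst):
        if self.source and not wildcard_match(src, *self.source):
            return False
        if self.destination and not wildcard_match(dst, *self.destination):
            return False
        return True

def evaluate(rules, src, dst):
    """First matching rule in ascending rule-number order; no match means the ACL says nothing,
    which for `nat outbound` means the packet is forwarded without translation."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src, dst):
            return rule.action, rule.number
    return "no-match", None

# The ACLs from the notes, plus a NAT ACL that forgot the deny rule (constructed).
IPSEC_ACL_3000 = [Rule(5, "permit", ("192.168.10.0", "0.0.0.255"), ("192.168.20.0", "0.0.0.255"))]
NAT_ACL_3001 = [Rule(5, "deny", ("192.168.10.0", "0.0.0.255"), ("192.168.20.0", "0.0.0.255")),
                Rule(10, "permit")]
NAT_ACL_NO_EXCLUDE = [Rule(10, "permit")]
NAT_ACL_2000 = [Rule(5, "permit", ("192.168.1.0", "0.0.0.255"))]   # basic ACL: source only

def outbound_decision(nat_acl, ipsec_acl, src, dst, nat_ip="12.2.2.3"):
    """On the outbound interface NAT runs before IPsec: a packet the NAT ACL permits leaves
    with a translated source, and the IPsec ACL is matched against that translated packet.
    Returns (source address on the wire, whether the packet is protected by IPsec)."""
    nat_action, _ = evaluate(nat_acl, src, dst)
    if nat_action == "permit":
        src = nat_ip
    protected = evaluate(ipsec_acl, src, dst)[0] == "permit"
    return src, protected

if __name__ == "__main__":
    for label, acl in (("acl 3001", NAT_ACL_3001), ("no deny rule", NAT_ACL_NO_EXCLUDE)):
        print(label, "site-to-site:", outbound_decision(acl, IPSEC_ACL_3000, "192.168.10.5", "192.168.20.9"))
        print(label, "to Internet :", outbound_decision(acl, IPSEC_ACL_3000, "192.168.10.5", "8.8.8.8"))
```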
Building the IPsec VPN tunnel dynamically with IKE
On the other router change:
the source and destination addresses
the IKE peer (its local and remote addresses)
# IKE proposal
[R1]ike proposal 10                                   # IKE proposal number 10
[R1-ike-proposal-10]authentication-algorithm sha1     # integrity algorithm SHA-1 (legacy; use sha2-256 where both ends support it)
[R1-ike-proposal-10]encryption-algorithm aes-cbc-128  # encryption algorithm AES-CBC-128
[R1-ike-proposal-10]dh group14                        # Diffie-Hellman group 14 (2048-bit MODP) for the key exchange
[R1-ike-proposal-10]q
# IKE peer
[R1]ike peer bj v1                                    # IKE peer bj, negotiated with IKEv1 (use IKEv2 when both sides support it)
[R1-ike-peer-bj]pre-shared-key cipher summer          # pre-shared key summer (lab value; use a long random key in production)
[R1-ike-peer-bj]ike-proposal 10                       # use IKE proposal 10
[R1-ike-peer-bj]local-address 100.1.1.1               # local address 100.1.1.1
[R1-ike-peer-bj]remote-address 200.1.1.1              # remote address 200.1.1.1
[R1-ike-peer-bj]q
# IPsec proposal
[R1]ipsec proposal cd                                         # IPsec proposal named cd
[R1-ipsec-proposal-cd]esp authentication-algorithm sha2-256   # integrity algorithm SHA2-256
[R1-ipsec-proposal-cd]esp encryption-algorithm aes-128        # encryption algorithm AES-128
# IPsec policy
[R1]ipsec policy chengdu 10 isakmp                            # policy chengdu, sequence 10; isakmp means the SAs are negotiated automatically by IKE
[R1-ipsec-policy-isakmp-chengdu-10]security acl 3000          # protect the traffic matched by ACL 3000
[R1-ipsec-policy-isakmp-chengdu-10]ike-peer bj                # IKE peer bj
[R1-ipsec-policy-isakmp-chengdu-10]proposal cd                # use IPsec proposal cd
# apply the policy on the interface
[R1]interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1]ipsec policy chengdu
WLAN Configuration
Tunnel forwarding mode
Configure the AC basics (VLANs, IP address, DHCP)
[AC6605]vlan batch 100 101 102                  # 100 is the management VLAN, 101 and 102 are service VLANs
[AC6605]interface GigabitEthernet 0/0/1
[AC6605-GigabitEthernet0/0/1]port link-type trunk
[AC6605-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[AC6605-GigabitEthernet0/0/1]q
[AC6605]interface Vlanif 100
[AC6605-Vlanif100]ip add 192.168.100.254 24
[AC6605-Vlanif100]q
[AC6605]dhcp enable
[AC6605]interface Vlanif 100
[AC6605-Vlanif100]dhcp select interface         # DHCP on this interface so the APs get their management addresses dynamically
Bringing the APs online on the AC
# create the regulatory domain profile and set the country code
[AC6605]wlan
[AC6605-wlan-view]regulatory-domain-profile name china          # regulatory domain profile named china
[AC6605-wlan-regulate-domain-china]country-code CN              # country code CN (China)
# create the AP group and bind the regulatory domain profile to it
[AC6605]wlan
[AC6605-wlan-view]ap-group name jiaoxue                          # AP group named jiaoxue
Info: This operation may take a few seconds. Please wait for a moment.done.
[AC6605-wlan-ap-group-jiaoxue]regulatory-domain-profile china   # bind regulatory domain profile china
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC6605-wlan-ap-group-jiaoxue]q
[AC6605-wlan-view]q
# set the CAPWAP tunnel source interface (or source address)
[AC6605]capwap source interface Vlanif 100       # the CAPWAP source address is the Vlanif 100 address
# AP admission authentication
[AC6605]wlan
[AC6605-wlan-view]ap auth-mode mac-auth          # APs are authenticated by MAC address
[AC6605-wlan-view]ap-id 1 ap-mac 00e0-fc51-1490  # MAC address of AP 1; read it on the AP with display int g 0/0/0
[AC6605-wlan-ap-1]ap-name JX001                  # name AP 1 JX001
[AC6605-wlan-ap-1]ap-group jiaoxue               # add the AP to group jiaoxue
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
# check that the AP is online
[AC6605]display ap all                           # AP status; nor (normal) means the AP is up
Info: This operation may take a few seconds. Please wait for a moment.done.
Total AP information:
nor : normal [1]
--------------------------------------------------------------------------------------------
ID   MAC              Name    Group     IP               Type       State   STA   Uptime
--------------------------------------------------------------------------------------------
1    00e0-fc51-1490   JX001   jiaoxue   192.168.100.29   AP6050DN   nor     0     33S
--------------------------------------------------------------------------------------------
# ID 1, name JX001, group jiaoxue, MAC 00e0-fc51-1490, IP address 192.168.100.29
Once the AP is online its name has already been changed to JX001 by the AC; nothing needs to be configured on the AP itself.
# configure the wireless service on the AC; it is pushed to the APs automatically
[AC6605]wlan
[AC6605-wlan-view]security-profile name sec_work   # security profile named sec_work
[AC6605-wlan-sec-prof-sec_work]security wpa-wpa2 psk pass-phrase a1234567 aes   // WPA/WPA2 with PSK (pre-shared key) authentication, passphrase a1234567, AES (CCMP) encryption; an 8-character passphrase like this is for labs only, because WPA2-PSK allows offline dictionary attacks on a captured handshake
# SSID profile
[AC6605]wlan
[AC6605-wlan-view]ssid-profile name profile_work          # SSID profile named profile_work
[AC6605-wlan-ssid-prof-profile_work]ssid work             # the SSID is work
# VAP profile: tunnel forwarding, user VLAN 101, bound to the security and SSID profiles
[AC6605]wlan
[AC6605-wlan-view]vap-profile name vap_work               # VAP profile named vap_work
[AC6605-wlan-vap-prof-vap_work]forward-mode tunnel        # forwarding mode: tunnel (user traffic is carried through the CAPWAP tunnel to the AC)
[AC6605-wlan-vap-prof-vap_work]service-vlan vlan-id 101   # service VLAN 101: every user associated with this VAP is placed in VLAN 101
[AC6605-wlan-vap-prof-vap_work]security-profile sec_work      # bind security profile sec_work
Info: This operation may take a few seconds, please wait.done.
[AC6605-wlan-vap-prof-vap_work]ssid-profile profile_work      # bind SSID profile profile_work
Info: This operation may take a few seconds, please wait.done.
# bind the VAP profile in the AP group
[AC6605]wlan
[AC6605-wlan-view]ap-group name jiaoxue
[AC6605-wlan-ap-group-jiaoxue]vap-profile vap_work wlan 1 radio 0   # apply the VAP profile to one radio of the AP group; radio 0 is usually 2.4 GHz and radio 1 is 5 GHz
Info: This operation may take a few seconds, please wait...done.
[AC6605-wlan-ap-group-jiaoxue]vap-profile vap_work wlan 1 radio 1
Info: This operation may take a few seconds, please wait...done.
