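Common Configuration Scripts for H3C Network Devices
This document collects frequently used H3C network device configurations as a quick reference.
Tools/Materials
H3C switch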
Basic switch initialization
1.
    sysname <switch name>
    super password level 3 cipher <password>
    loopback-detection enable
    user-interface aux 0
    idle-timeout 30 0
    user-interface vty 0 4
    idle-timeout 30 0
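NTP time synchronization
1.
    clock timezone GMT add 8
    ntp-service unicast-server <NTP server IP address>
    ntp-service source-interface LoopBack 0 (Layer 3 switches, when a Loopback interface exists)
2. NTP server reachable from the public Internet: 202.120.2.101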
SSH service configuration
1. Comware V3 Platform
    acl number 2000
    rule 1 permit source 192.168.0.1 0 //allow 192.168.0.1 to log in
    rule 50 deny
    rsa local-key-pair create
    user-interface vty 0 4
    acl 2000 inbound
    protocol inbound ssh
    ssh user admin authentication-type password //allow the admin user to log in over SSH
2. Comware V5 Platform
    acl number 2000
    rule 1 permit source 192.168.0.1 0 //allow 192.168.0.1 to log in
    rule 50 deny
    public-key local create rsa
    ssh server enable
    user-interface vty 0 4
    acl 2000 inbound
    protocol inbound ssh
    ssh user admin service-type all authentication-type password //allow the admin user to log in over SSH
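The check below is an added example, not part of the original document. It assumes a saved configuration in which sub-view commands are indented under their parent line, and reports any vty block that lacks the `acl ... inbound` and `protocol inbound ssh` lines used in the SSH snippets above. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in the style of the V5 SSH snippet, plus one
# deliberately unprotected block (vty 5 15) for the check to find.
SAMPLE = """\
acl number 2000
 rule 1 permit source 192.168.0.1 0
 rule 50 deny
ssh server enable
user-interface vty 0 4
 acl 2000 inbound
 protocol inbound ssh
user-interface vty 5 15
 idle-timeout 30 0
"""

def parse_blocks(text):
    """Group indented lines under the unindented command that opens the view."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue  # skip blank lines and '#' separators
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def audit_vty(text):
    """Return (vty block, finding) pairs for remote-login lines."""
    blocks = parse_blocks(text)
    findings = []
    for head, body in blocks.items():
        if not head.startswith("user-interface vty"):
            continue
        acl = next((m.group(1) for line in body
                    if (m := re.fullmatch(r"acl (\d+) inbound", line))), None)
        if acl is None:
            findings.append((head, "no inbound ACL"))
        elif f"acl number {acl}" not in blocks:
            findings.append((head, f"ACL {acl} is not defined"))
        if "protocol inbound ssh" not in body:
            findings.append((head, "protocol inbound is not restricted to ssh"))
    return findings

if __name__ == "__main__":
    for head, finding in audit_vty(SAMPLE):
        print(f"{head}: {finding}")
```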
AAA authentication configuration
1. Comware V3 Platform
    local-user admin
    password cipher *****
    service-type ssh telnet terminal
    level 3
    hwtacacs scheme acs
    primary authentication *****
    primary authorization *****
    primary accounting *****
    key authentication *****
    key authorization *****
    key accounting *****
    user-name-format without-domain
    domain acs
    scheme hwtacacs-scheme acs local
    domain default enable acs
    user-interface aux 0
    authentication-mode scheme command-authorization
    accounting commands scheme
    user-interface vty 0 4
    authentication-mode scheme command-authorization
    accounting commands scheme
2. Comware V5 Platform
    local-user huangly
    password cipher *****
    authorization-attribute level 3
    service-type ssh telnet terminal
    hwtacacs scheme acs
    key authentication *****
    key authorization *****
    key accounting *****
    domain acs
    authentication default hwtacacs-scheme acs local
    authorization default hwtacacs-scheme acs local
    accounting default hwtacacs-scheme acs local
    domain default enable acs
    user-interface aux 0 8
    authentication-mode scheme
    command authorization
    command accounting
    user-interface vty 0 4
    authentication-mode scheme
    command authorization
    command accounting
SNMP service configuration
1. SNMPv2
    snmp-agent
    snmp-agent community read *******
    snmp-agent sys-info version all
2. SNMPv3
    snmp-agent
    snmp-agent sys-info version v3
    snmp-agent group v3 ******* privacy
    snmp-agent usm-user v3 admin ******* authentication-mode md5 ******* privacy-mode des56 *******
Syslog service configuration
1.
    info-center logbuffer size 1024
    info-center loghost ********
    info-center loghost source LoopBack 0 (Layer 3 switches, when a Loopback interface exists)
Broadcast/multicast storm suppression
1. Ports connected to end devices
    interface Ethernet1/0/1
    broadcast-suppression bps 64
    multicast-suppression bps 64
2. Cascade/trunk ports
    interface GigabitEthernet1/0/1
    broadcast-suppression 5
    multicast-suppression 5
Port security
1.
    interface Ethernet1/0/1
    port link-type access
    port-security enable
    port-security timer disableport 30
    interface Ethernet1/0/1
    port-security max-mac-count 1
    port-security intrusion-mode blockmac
    port-security port-mode autolearn
Static ARP binding
1.
    arp static 192.168.10.47 0024-8117-4ce3
2. ARP rate limit on ports connected to end devices
    arp rate-limit rate 50 drop
3. ARP rate limit on cascade/trunk ports
    arp rate-limit rate 300 drop
Spanning tree
1. MST
    stp enable
    stp mode mstp
    stp bpdu-protection
    stp region-configuration
    region-name ***
    instance 1 vlan 53 to 60 127
    revision-level 1
    active region-configuration
    stp instance 0 root primary (applies to the primary root)
    stp instance 1 root primary (applies to the backup root)
    stp instance 0 root secondary (applies to the primary root)
    stp instance 1 root secondary (applies to the backup root)
2. Enable edge ports (same function as PortFast)
    interface Ethernet1/0/1
    stp edged-port enable
VRRP
1.
    interface Vlan-interface1
    ip address 192.168.0.254 255.255.255.0
    vrrp vrid 1 virtual-ip 192.168.0.254
    vrrp vrid 1 preempt-mode
    vrrp vrid 1 priority 110 (VRRP master)
    vrrp vrid 1 track interface GigabitEthernet1/0/28 reduced 20
Port-Channel (LACP)
1. Comware V3 Platform
    link-aggregation group 1 mode static
    link-aggregation group 1 description LACP_to_CL-MYL-S3100-2X-1
    int e1/0/21
    port link-type trunk
    port trunk permit vlan all
    lacp enable
    port link-aggregation group 1
    int e1/0/22
    port link-type trunk
    port trunk permit vlan all
    lacp enable
    port link-aggregation group 1
2. Comware V5 Platform
    link-aggregation load-sharing mode destination-ip source-ip
    interface Bridge-Aggregation1
    port link-type trunk
    port trunk permit vlan all
    interface GigabitEthernet1/0/22
    port link-type trunk
    port trunk permit vlan all
    port link-aggregation group 1
    interface GigabitEthernet1/0/24
    port link-type trunk
    port trunk permit vlan all
    port link-aggregation group 1
Combo port (fiber) selection
1.
    combo enable fiber