1. Routine system maintenance
1.1 View command history
display history-command
1.2 Configure the device name
[H3C]sysname ?
TEXT  Host name (1 to 30 characters)
1.3 Configure the system time
<H3C>clock datetime ?
TIME  Specify the time (HH:MM:SS)
1.4 Display the system time
<H3C>display clock
1.5 Configure welcome/prompt banners
[H3C]header ?
incoming  Specify the banner of the terminal user-interface
legal     Specify the legal banner
login     Specify the login authentication banner
motd      Specify the banner of today
shell     Specify the session banner
1.6 View version information
<H3C>display version
1.7 View the current configuration
<H3C>display current-configuration
1.8 Display interface information
<H3C>display interface
1.9 Display interface IP status and configuration
<H3C>display ip interface brief
1.10 Display system operating statistics
<H3C>display diagnostic-information
1.11 Specify the application file to load at the next startup
<H3C>boot-loader file file-url
1.12 Display the application file to load at the next startup
<H3C>display boot-loader
1.13 Reboot the system
<H3C>reboot
1.14 Enable scheduled reboot and specify the exact reboot time
<H3C>schedule reboot at hh:mm [ date ]
1.15 Enable scheduled reboot and specify the delay before reboot
<H3C>schedule reboot delay { hh:mm | mm }
1.16 Display the scheduled reboot time
<H3C>display schedule reboot
1.17 Configure Telnet
(1) Configure the IP address of the port connected to the network
[H3C-ethernet0/0]ip address ip-address { mask | mask-length }
(2) Enable the Telnet server function
[H3C]telnet server enable
(3) Enter VTY user-interface view and set the authentication mode
[H3C]user-interface vty first-num2 [ last-num2 ]
[H3C-ui-vty0]authentication-mode { none | password | scheme }
(4) Set the login password and user level
[H3C-ui-vty0]set authentication password { cipher | simple } password
[H3C-ui-vty0]user privilege level level
(5) Create a user, configure the password, set the service type, and set the user level
[H3C]local-user username
[H3C-luser-xxx] password { cipher | simple } password
[H3C-luser-xxx] service-type telnet
[H3C-luser-xxx] level level
Telnet configuration example
<H3C>system-view
[H3C]telnet server enable
[H3C]interface ethernet0/0
[H3C-ethernet0/0]ip address 192.168.0.254 24
[H3C]user-interface vty 0
[H3C-ui-vty0]set authentication password cipher 123456
[H3C-ui-vty0]user privilege level 2
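2. Configuration file operations
2.1 Save the configuration
<H3C>save
2.2 Erase the configuration
<H3C>reset saved-configuration
2.3 Set the configuration file for the next startup
<H3C>startup saved-configuration filename
2.4 Back up/restore the next-startup configuration file
<H3C>backup startup-configuration to dest-addr [ filename ]
<H3C>restore startup-configuration from src-addr filename
2.5 View the saved configuration file
<H3C>display saved-configuration
2.6 View the system startup configuration files
<H3C>display startup
2.7 View the configuration currently in effect
<H3C>display current-configuration
2.8 View the configuration in effect in the current view
[H3C-ui-vty0]display this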
3. Configuring FTP and TFTP
3.1 Enable the FTP server function
[H3C]ftp server enable
3.2 Create a user
[H3C]local-user username
3.3 Set the service type and login password
[H3C-luser-xxx]service-type ftp
[H3C-luser-xxx]password { cipher | simple } password
3.4 FTP operation example
C:\>ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)):h3c
331 Password required for h3c.
Password:
230 User logged in.
ftp> put config.cfg
200 Port command okay.
150 Opening ASCII mode data connection for config.cfg.
226 Transfer complete.
ftp: 发送 1329 字节,用时 0.00Seconds 1329000.00Kbytes/sec.
ftp>
3.5 Use the TFTP service on the device
tftp server-address { get | put | sget } source-filename [ destination-filename ] [ source { interface interface-type interface-number | ip source-ip-address } ]
When an upload or download is performed, there may be several reachable routes to the TFTP server; the user can configure the source address of the client's TFTP packets.
When the device acts as a TFTP client, it can upload its own files to the TFTP server and can also download files from the TFTP server to the local device.
There are two kinds of download: normal download and secure download.
4. VLAN configuration
4.1 Create a VLAN and enter VLAN view
[Switch] vlan vlan-id
4.2 Add the specified ports to the current VLAN
[Switch-vlan10] port interface-list
4.3 Set the port link type to Trunk
[Switch-Ethernet1/0/1] port link-type trunk
4.4 Allow the specified VLANs through the current Trunk port
[Switch-Ethernet1/0/1] port trunk permit vlan { vlan-id-list | all }
4.5 Set the default VLAN of the Trunk port
[Switch-Ethernet1/0/1] port trunk pvid vlan vlan-id
4.6 Set the port link type to Hybrid
[Switch-Ethernet1/0/1] port link-type hybrid
4.7 Allow the specified VLANs through the current Hybrid port
[Switch-Ethernet1/0/1] port hybrid vlan vlan-id-list { tagged | untagged }
4.8 Set the default VLAN of the Hybrid port
[Switch-Ethernet1/0/1] port hybrid pvid vlan vlan-id
4.9 VLAN display and maintenance
<Switch>display vlan
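5. Basic STP configuration
5.1 Enable STP on the device
[Switch] stp enable
5.2 Disable STP on a port
[Switch-Ethernet1/0/1] stp disable
5.3 Configure the STP working mode
[Switch] stp mode { stp | rstp | mstp }
5.4 Optional STP configuration
Configure the priority of the current device
[Switch] stp [ instance instance-id ] priority priority
5.5 Configure a port as an edge port
[Switch-Ethernet1/0/1] stp edged-port enable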
6. Basic 802.1X configuration
6.1 Enable 802.1X globally
[Switch] dot1x
6.2 Enable 802.1X on ports
[Switch] dot1x interface interface-list
6.3 Add a local access user and set the related parameters
[Switch] local-user user-name
[Switch-luser-localuser]service-type lan-access
[Switch-luser-localuser] password { cipher | simple } password
6.4 Typical 802.1X configuration example
[SWA]dot1x
[SWA]dot1x interface ethernet1/0/1
[SWA]local-user localuser
[SWA-luser-localuser]password simple hello
[SWA-luser-localuser]service-type lan-access
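An added example, not from the original page or from H3C: a small Python audit that scans a saved configuration for the cleartext-management and weak-authentication settings that sections 1.17, 3 and 6.4 show (telnet server enable, ftp server enable, authentication-mode none, password simple). The sample configuration, the finding codes and the function name audit are constructed for illustration, and the layout ("#" between blocks, one-space indentation under a view header) is an assumption about how the device prints display current-configuration.

```python
import re

# Constructed sample, laid out like `display current-configuration` output
# (assumption: "#" separates blocks, view headers are unindented).
SAMPLE = """\
#
 sysname H3C
#
 telnet server enable
#
 ftp server enable
#
local-user localuser
 password simple hello
 service-type lan-access
#
user-interface vty 0 4
 authentication-mode none
 user privilege level 2
#
"""

# (pattern, finding code, reason); the codes are names made up for this example.
CHECKS = [
    (re.compile(r"^telnet server enable$"), "telnet-enabled",
     "Telnet carries the login and the session in cleartext"),
    (re.compile(r"^ftp server enable$"), "ftp-enabled",
     "FTP carries the login and the transferred files in cleartext"),
    (re.compile(r"^authentication-mode none$"), "vty-no-auth",
     "VTY lines accept logins without any authentication"),
    (re.compile(r"^(set authentication )?password simple\s+\S+"), "plaintext-password",
     "password is stored readable in the configuration file"),
]

def audit(config_text):
    """Return (line number, view, finding code) for each risky command."""
    findings, view = [], "system"
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw.startswith("#"):
            view = "system"            # block separator: back to system view
            continue
        cmd = raw.strip()
        if not raw.startswith(" "):
            view = cmd                 # e.g. "user-interface vty 0 4"
        for pattern, code, _reason in CHECKS:
            if pattern.search(cmd):
                # Report the location only; never echo the password itself.
                findings.append((lineno, view, code))
    return findings

if __name__ == "__main__":
    reasons = {code: why for _, code, why in CHECKS}
    for lineno, view, code in audit(SAMPLE):
        print(f"line {lineno} [{view}] {code}: {reasons[code]}")
```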
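7. Basic port isolation configuration
7.1 Add the specified port to the isolation group as an ordinary port of the group
[Switch-Ethernet1/0/1]port-isolate enable
7.2 Add the specified port to the isolation group as the uplink port of the group
[Switch-Ethernet1/0/2]port-isolate uplink-port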
8. Configure a static binding entry
[Switch-Ethernet1/0/1] user-bind ip-address ip-address [ mac-address mac-address ]
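9. Static link aggregation configuration
9.1 Create an aggregate interface
[Switch] interface bridge-aggregation interface-number
9.2 Add an Ethernet port to the aggregation group
[Switch-Ethernet1/0/1] port link-aggregation group number
9.3 Link aggregation display and maintenance
<Switch>display link-aggregation summary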
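10. Configure static and dynamic domain name resolution
10.1 Configure the DNS proxy
Enable the DNS proxy function
[Router] dns proxy enable
10.2 Specify a domain name server
[Router] dns server ip-address
10.3 Display the static domain name resolution table
[Router] display ip host
10.4 Display domain name server information
[Router] display dns server [ dynamic ]
10.5 Display the dynamic domain name cache
[Router] display dns dynamic-host
10.6 Display DNS proxy information
[Router] display dns proxy table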
11. Basic DHCP server configuration
11.1 Enable DHCP
[Router] dhcp enable
11.2 Create a DHCP address pool
[Router] dhcp server ip-pool pool-name
11.3 Configure the range of dynamically assigned IP addresses
[Router-dhcp-pool-0] network network-address [ mask-length | mask mask ]
11.4 Configure the gateway address assigned to DHCP clients
[Router-dhcp-pool-0] gateway-list ip-address
11.5 Configure the DNS server address assigned to DHCP clients
[Router-dhcp-pool-0] dns-list ip-address
11.6 Configure the IP addresses in the DHCP address pool that are excluded from automatic assignment
[Router] dhcp server forbidden-ip low-ip-address [ high-ip-address ]
11.7 Configure the lease duration of dynamically assigned IP addresses
[Router-dhcp-pool-0] expired { day day [ hour hour [ minute minute ] ] | unlimited }
11.8 Basic DHCP server configuration example
[Router] dhcp enable
[Router] dhcp server forbidden-ip 192.168.1.10
[Router] dhcp server forbidden-ip 192.168.1.254
[Router] dhcp server ip-pool 0
[Router-dhcp-pool-0] network 192.168.1.0 mask 255.255.255.0
[Router-dhcp-pool-0] gateway-list 192.168.1.254
[Router-dhcp-pool-0] dns-list 192.168.1.10
[Router-dhcp-pool-0] expired day 5
11.9 Display the available addresses in the DHCP address pool
[Router] display dhcp server free-ip
11.10 Display DHCP server statistics
[Router] display dhcp server statistics
11.11 Display the IP addresses in the DHCP address pool that are excluded from automatic assignment
[Router] display dhcp server forbidden-ip
12. Basic DHCP relay configuration
12.1 Enable DHCP
[Router] dhcp enable
12.2 Configure the IP address of a DHCP server in the DHCP server group
[Router] dhcp relay server-group group-id ip ip-address
12.3 Configure the interface to work in DHCP relay mode
[Router-Ethernet1/1] dhcp select relay
12.4 Associate the interface with the DHCP server group
[Router-Ethernet1/1] dhcp relay server-select group-id
12.5 DHCP relay configuration example
[Router] dhcp enable
[Router] dhcp relay server-group 1 ip 192.168.1.10
[Router] interface ethernet1/1
[Router-Ethernet1/1] dhcp select relay
[Router-Ethernet1/1] dhcp relay server-select 1
12.6 Display the DHCP server group associated with an interface
[Router] display dhcp relay { all | interface interface-type interface-number }
12.7 Display the IP addresses of the servers in a DHCP server group
[Router] display dhcp relay server-group { group-id | all }
12.8 Display DHCP relay packet statistics
[Router] display dhcp relay statistics [ server-group { group-id | all } ]
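13. View the device routing table
13.1 View a summary of the IP routing table
[Router] display ip routing-table
13.2 View the routes matching a specified destination address
[Router] display ip routing-table ip-address [ mask-length | mask ]
13.3 View routing table statistics
[Router] display ip routing-table statistics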
14. Inter-VLAN routing (router on a stick)
Implement inter-VLAN routing with 802.1Q and sub-interfaces
[RTA-GigabitEthernet0/0]interface GigabitEthernet0/0.1
[RTA-GigabitEthernet0/0.1]ip address 10.1.1.1 255.255.255.0
[RTA-GigabitEthernet0/0.1]interface GigabitEthernet0/0.2
[RTA-GigabitEthernet0/0.2]vlan-type dot1q vid 2
[RTA-GigabitEthernet0/0.2]ip address 10.1.2.1 255.255.255.0
[RTA-GigabitEthernet0/0.2]interface GigabitEthernet0/0.3
[RTA-GigabitEthernet0/0.3]vlan-type dot1q vid 3
[RTA-GigabitEthernet0/0.3]ip address 10.1.3.1 255.255.255.0
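15. Static route configuration command
[Router]ip route-static dest-address { mask | mask-length } { gateway-address | interface-type interface-name } [ preference preference-value ]
Configuration notes:
interface-type interface-name may be specified only when the interface that the next hop belongs to is a point-to-point interface; otherwise gateway-address must be specified.
A route whose destination IP address and mask are both 0.0.0.0 is the default route.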
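16. Basic RIP configuration
16.1 Create a RIP process and enter RIP view
[Router] rip [ process-id ]
16.2 Enable RIP on the interfaces of the specified network segment
[Router-rip-1] network network-address
16.3 Configure an interface to work in the silent state
[Router-rip-1] silent-interface { all | interface-type interface-number }
16.4 Enable RIP split horizon
[Router-Ethernet1/0] rip split-horizon
16.5 Enable RIP poison reverse
[Router-Ethernet1/0] rip poison-reverse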
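17. RIPv2 configuration tasks
17.1 Specify the global RIP version
[Router-rip-1] version { 1 | 2 }
17.2 Disable RIPv2 automatic route summarization
[Router-rip-1] undo summary
17.3 Configure authentication of RIPv2 packets
[Router-Ethernet1/0] rip authentication-mode { md5 { rfc2082 key-string key-id | rfc2453 key-string } | simple password }
17.4 Display the current RIP running status and configuration
<Router> display rip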
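18. Basic OSPF configuration commands
18.1 Configure the Router ID
[Router]router id ip-address
18.2 Start an OSPF process
[Router]ospf [ process-id ]
18.3 Restart an OSPF process
<Router>reset ospf [ process-id ]
18.4 Configure an OSPF area
[Router-ospf-100]area area-id
18.5 Enable OSPF on the specified interfaces
[Router-ospf-1-area-0.0.0.0] network network-address wildcard-mask
18.6 Optional OSPF configuration commands: configure the OSPF interface priority
[Router-Ethernet0/0] ospf dr-priority priority
18.7 Configure the OSPF interface cost
[Router-Ethernet0/0] ospf cost value
18.8 Display OSPF neighbor information
[H3C]display ospf peer
18.9 Display the OSPF link-state database
<H3C>display ospf lsdb
18.10 Display OSPF routing information
<H3C>display ospf routing
18.11 Display OSPF summary information
[Router] display ospf brief
18.12 Display information about the interfaces on which OSPF is enabled
[Router] display ospf interface
18.13 Display OSPF error information
[Router] display ospf error
18.14 Display OSPF process information
[Router] display ospf INTEGER<1-16635>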
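19. Access control lists
19.1 Enable the packet-filter firewall function
The firewall function takes effect only after it is enabled on the router.
[sysname] firewall enable
19.2 Set the firewall's default filtering mode
The system's default filtering mode is permit.
[sysname] firewall default { permit | deny }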
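20. Configure a basic ACL
20.1 Configure a basic ACL and specify the ACL number
Basic IPv4 ACL numbers range from 2000 to 2999.
[sysname] acl number acl-number
20.2 Define rules
Specify the source IP address range to match
Specify whether the action is permit or deny
[sysname-acl-basic-2000] rule [ rule-id ] { deny | permit } [ fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-name ]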
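21. Configure an advanced ACL
21.1 Configure an advanced IPv4 ACL and specify the ACL number
Advanced IPv4 ACL numbers range from 3000 to 3999.
[sysname] acl number acl-number
21.2 Define rules
Rules need to be configured to match information such as the source IP address, destination IP address, protocol type carried over IP, and protocol port numbers
Specify whether the action is permit or deny
[sysname-acl-adv-3000] rule [ rule-id ] { deny | permit } protocol [ destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] established | fragment | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-name ]
21.3 Configure a Layer 2 ACL
Configure a Layer 2 ACL and specify the ACL number
Layer 2 ACL numbers range from 4000 to 4999.
[sysname] acl number acl-number
21.4 Define rules
Rules need to be configured to match Layer 2 information such as the source MAC address, destination MAC address, 802.1p priority, and Layer 2 protocol type
Specify whether the action is permit or deny
[sysname-acl-ethernetframe-4000] rule [ rule-id ] { deny | permit } [ cos vlan-pri | dest-mac dest-addr dest-mask | lsap lsap-code lsap-wildcard | source-mac sour-addr source-mask | time-range time-name ]
21.5 Apply the ACL to an interface; the configured ACL packet filter takes effect only then
Specify whether the direction of application on the interface is outbound or inbound
[sysname-Serial2/0] firewall packet-filter { acl-number | name acl-name } { inbound | outbound }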
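An added example, not from the original page or from H3C: a Python model of how a basic ACL rule's source wildcard selects addresses and what happens to a packet that no rule matches, using the default filtering mode from 19.2. The two-rule ACL, the function names parse_rule and evaluate, and the evaluation in ascending rule-id order are assumptions made for this illustration.

```python
import ipaddress
import re

# Matches the basic-ACL form "rule <id> {permit|deny} source {addr wildcard | any}".
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+source\s+(?:any|(\S+)\s+(\S+))\s*$")

# Constructed ACL for the demonstration (not from the page).
ACL_2000 = [
    "rule 0 permit source 10.0.0.0 0.0.0.255",
    "rule 5 deny source 10.0.0.0 0.0.255.255",
]

def parse_rule(line):
    """Return (rule_id, action, address, wildcard) with addresses as integers."""
    m = RULE_RE.search(line.strip())
    if m is None:
        raise ValueError(f"unsupported rule: {line!r}")
    rule_id, action, addr, wild = m.groups()
    if addr is None:                      # "source any": every bit is don't-care
        return int(rule_id), action, 0, 0xFFFFFFFF
    return (int(rule_id), action,
            int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild)))

def evaluate(rules, src_ip, default="permit"):
    """First matching rule wins; unmatched packets get the firewall default.

    Assumption: rules are checked in ascending rule-id order.
    """
    ip = int(ipaddress.IPv4Address(src_ip))
    for rule_id, action, addr, wild in sorted(rules):
        care = ~wild & 0xFFFFFFFF         # wildcard 1-bits are ignored
        if (ip & care) == (addr & care):
            return action, rule_id
    return default, None

if __name__ == "__main__":
    rules = [parse_rule(line) for line in ACL_2000]
    for src in ("10.0.0.7", "10.0.9.7", "198.76.28.11"):
        print(src, evaluate(rules, src), evaluate(rules, src, default="deny"))
```

With the default left at permit, the last address passes even though no rule names it; an ACL written as an allow-list only filters when it ends in an explicit deny or when firewall default deny is set.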
21.6 ACL packet filter display and debugging
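22. Network address translation
22.1 Basic NAT configuration example
# Define a rule through an ACL to match data whose source address belongs to the 10.0.0.0/24 network segment
[RTA]acl number 2000
[RTA-acl-basic-2000]rule 0 permit source 10.0.0.0 0.0.0.255
# Configure NAT address pool 1 for address translation; the addresses in the pool run from 198.76.28.11 to 198.76.28.20
[RTA]nat address-group 1 198.76.28.11 198.76.28.20
# Enter interface view
[RTA]interface Ethernet0/1
# Associate address pool 1 with ACL 2000 and apply NAT in the outbound direction of the interface
[RTA-Ethernet0/1]nat outbound 2000 address-group 1 no-pat
22.2 NAPT configuration example
# Define a rule through an ACL to match data whose source address belongs to the 10.0.0.0/24 network segment
[RTA]acl number 2000
[RTA-acl-basic-2000]rule 0 permit source 10.0.0.0 0.0.0.255
# Configure NAT address pool 1; only the single address 198.76.28.11 is placed in the pool
[RTA]nat address-group 1 198.76.28.11 198.76.28.11
# Enter interface view
[RTA]interface Ethernet0/1
# Associate address pool 1 with ACL 2000 and apply NAT in the outbound direction of the interface
[RTA-Ethernet0/1]nat outbound 2000 address-group 1
22.3 Easy IP configuration example
# Define a rule through an ACL to match data whose source address belongs to the 10.0.0.0/24 network segment
[RTA]acl number 2000
[RTA-acl-basic-2000]rule 0 permit source 10.0.0.0 0.0.0.255
# Enter interface view
[RTA]interface Ethernet0/1
# Associate ACL 2000 with the interface and apply NAT in the outbound direction
[RTA-Ethernet0/1]nat outbound 2000
22.4 NAT Server configuration example
# Enter interface view
[RTA]interface Ethernet0/1
# On the outbound interface, bind a one-to-one NAT mapping between the private-network server address and the public address
[RTA-Ethernet0/1]nat server protocol tcp global 198.76.28.11 telnet inside 10.0.0.1 telnet
22.5 NAT information display and debugging
Display address translation information
display nat { address-group | aging-time | all | outbound | server | statistics | session | [ slot slot-number ] | [ source global global-addr | source inside inside-addr ] | [ destination ip-addr ] }
Debug the address translation process
debugging nat { alg | event | packet [ interface interface-type interface-number ] }
nat aging-time { tcp | udp | icmp } seconds
Clear address translation sessions
reset nat session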