Digital China (神州数码) switch configuration commands
Remote shell management over Telnet
• Set the switch IP address
– Switch(config)#interface vlan 1
– Switch(config-If-Vlan1)#ip address 10.1.1.1 255.255.255.0
– Switch(config-If-Vlan1)#no shutdown
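• Configure the authorized Telnet user and password on the switch; if no authorized Telnet user is configured, no user can enter the switch's CLI configuration interface.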
– Switch(config)#telnet-user test password 0 test
Remote graphical management over HTTP
• Set the switch IP address
– Switch(config)#interface vlan 1
– Switch(config-If-Vlan1)#ip address 10.1.1.1 255.255.255.0
– Switch(config-If-Vlan1)#no shutdown
• Enable the HTTP server function on the switch
– Switch(config)#ip http server
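• Configure the authorized Web user and password on the switch; if no authorized Web user is configured, no user can enter the switch's Web configuration interface.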
– Switch(config)#web-user test password 0 test
SSH configuration
• Switch(Config)#ssh-user test password 0 test
• Switch(Config)#ssh-server enable
Basic VLAN configuration
• Create VLAN 100 and VLAN 200 and add ports to them;
– Switch(Config)#vlan 100
– Switch(Config-Vlan100)#switchport interface e0/0/1-5
– Switch(Config)#vlan 200
– Switch(Config-Vlan200)#switchport interface e0/0/6-10
• Configure port 0/0/24 as the cascade (inter-switch) port
– Switch(Config)#interface ethernet 0/0/24
– Switch(Config-ethernet0/0/24)#switchport mode trunk
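– Switch(Config-ethernet0/0/24)#switchport trunk allowed vlan 100;200
– /#By default a trunk port allows all VLANs to pass; the command above sets which VLANs' traffic may cross the trunk port, and traffic from VLANs that are not listed is blocked.
• View the configuration: show vlan
Inter-VLAN routing with a layer 3 switch
• Set IP addresses on the VLAN interfaces;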
– Switch(Config)#interface vlan 100
– Switch(Config-If-Vlan100)#ip address 192.168.1.1 255.255.255.0
– Switch(Config)#interface vlan 200
– Switch(Config-If-Vlan200)#ip address 192.168.2.1 255.255.255.0
Switch-1 configuration
• hostname Switch-1
• interface ethernet 0/0/1-2
– port-group 1 mode on
• vlan 100
– switchport interface ethernet 0/0/16-20
• vlan 200
– switchport interface ethernet 0/0/6-10
• vlan 300
– switchport interface ethernet 0/0/11-15
• interface port-channel 1
– switchport mode trunk
– switchport trunk allowed vlan 100;200;300
Switch-2 configuration
• hostname Switch-2
• interface ethernet 0/0/1-2
– port-group 2 mode on
• vlan 100
– switchport interface ethernet 0/0/16-20
• vlan 200
– switchport interface ethernet 0/0/6-10
• vlan 400
– switchport interface ethernet 0/0/11-15
• interface port-channel 2
– switchport mode trunk
– switchport trunk allowed vlan 100;200;400
Switch layer 2 configuration
• interface ethernet 0/0/1-2
– port-group 1 mode on
• interface ethernet 0/0/3-4
– port-group 2 mode on
• vlan 100
• vlan 200
• vlan 300
• vlan 400
• vlan 500
– switchport interface ethernet 0/0/11-15
• interface port-channel 1
– switchport mode trunk
– switchport trunk allowed vlan 100;200;300
• interface port-channel 2
– switchport mode trunk
– switchport trunk allowed vlan 100;200;400
Switch layer 3 configuration
• interface vlan 100
– ip address 192.168.10.1 255.255.255.0
• interface vlan 200
– ip address 192.168.20.1 255.255.255.0
• interface vlan 300
– ip address 192.168.30.1 255.255.255.0
• interface vlan 400
– ip address 192.168.40.1 255.255.255.0
• interface vlan 500
– ip address 192.168.50.1 255.255.255.0
Creating layer 3 interfaces on a layer 3 switch
To make a port a layer 3 port, add it to a VLAN and then set an IP address for that VLAN
Vlan 100
Int f0/4
Switchport access vlan 100
Int vlan 100
Ip address 11.1.1.1 255.255.255.0
No shutdown
DHCP configuration
Switch(Config)#Service dhcp (enable/disable the DHCP service)
Switch(Config)#ip dhcp pool A
Switch(dhcp-A-config)#network 10.16.1.0 24
Switch(dhcp-A-config)#lease 3 10 32
Switch(dhcp-A-config)#default-route 10.16.1.200 10.16.1.201
Switch(dhcp-A-config)#dns-server 10.16.1.202
Switch(dhcp-A-config)#exit
Switch(Config)#ip dhcp excluded-address 10.16.1.200 10.16.1.201
Layer 2 switch port security configuration
Set a static one-to-one mapping:
Mac-address-table static address 22-22-22-22-22-22 vlan 10 int f0/3
Set the secure port address:
Int f0/3
Switchport port-security
Switchport port-security mac-address 22-22-22-22-22-22
Digital China router configuration commands
Basic port configuration
• interface serial 1/0
– encapsulation hdlc
– ip address 192.168.10.1 255.255.255.252
– physical-layer speed 2048000
– !
PAP authentication configuration (two-way authentication)
• DCR-1 configuration:
• interface s0/1
– encapsulation ppp
– ip add 192.168.10.1 255.255.0.0
– ppp authentication pap
– ppp pap user routerA aaa
– physical-layer speed 2048000
• username routerB password bbb
• DCR-2 configuration:
• username routerA password aaa
• interface s0/1
– encapsulation ppp
– ip add 192.168.10.2 255.255.0.0
– ppp authentication pap
– ppp pap user routerB bbb
CHAP protocol configuration
• DCR-1 configuration:
• username digitalchina2 password legend
• interface Serial1/0
– encapsulation ppp
– ppp authentication chap
– ppp chap hostname digitalchina1
– PPP chap password legend
– ip address 192.168.10.1 255.255.255.252
– physical-layer speed 2048000
• DCR-2 configuration:
• username digitalchina1 password legend
• interface Serial1/0
– encapsulation ppp
– ppp authentication chap
– ppp chap hostname digitalchina2
– PPP chap password legend
– ip address 192.168.10.2 255.255.255.252
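What the two authentication modes above put on the serial link, as an added example that is not part of the original page: PAP (RFC 1334) carries the password itself, while CHAP (RFC 1994) returns MD5(identifier || secret || challenge). The secret `legend` and the PAP pair `routerA`/`aaa` come from the configurations above; the function names, identifier values and challenge bytes are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5 over identifier octet, shared secret, challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def authenticator_verify(identifier, secret, challenge, response):
    """The authenticator recomputes the value from its local 'username ... password' entry."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def pap_wire_payload(peer_id, password):
    """PAP Authenticate-Request data: length-prefixed peer id and cleartext password."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password

def demo(challenge=None):
    secret = b"legend"                        # shared secret from the CHAP config above
    challenge = challenge or os.urandom(16)   # constructed; fresh for every authentication
    resp = chap_response(1, secret, challenge)
    accepted = authenticator_verify(1, secret, challenge, resp)
    # A captured response is useless against a new identifier and challenge.
    replayed = authenticator_verify(2, secret, os.urandom(16), resp)
    # Secrets that differ between the two routers (even by case) fail authentication.
    mismatch = authenticator_verify(1, b"Legend", challenge, resp)
    pap = pap_wire_payload(b"routerA", b"aaa")
    # PAP exposes the password on the wire; CHAP never sends the secret.
    return accepted, replayed, mismatch, b"aaa" in pap, secret in challenge + resp

if __name__ == "__main__":
    print(demo())
```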
RIP protocol configuration
• DCR-1(config)#router rip
– DCR-1(router-rip)#network 192.200.10.4 255.255.255.252
– DCR-1(router-rip)#version 2
– DCR-1(router-rip)#redistribute connect
OSPF protocol configuration
• router ospf 1
– network 192.200.10.4 255.255.255.252 area 0
– redistribute connect
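NAT configuration
As shown in the figure above, the company has applied for one legitimate IP address, and the company's LAN users connect to the Internet through that single IP address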
• interface fastethernet 0/0
– ip address 192.168.1.1 255.255.255.0
– ip nat inside
• interface serial 1/0
– encapsulation ppp
– ip address 61.1.1.1 255.255.255.252
– ppp pap sent-username 169 169
– ip nat outside
• ip access-list standard test1
– permit any
• ip nat inside source list test1 interface serial 1/0
• ip route default serial 1/0
IPsec configuration
crypto ipsec transform-set test1 (define the transform set)
transform-type ah-md5-hmac esp-des
ip access-list extended ipsec (define the traffic to protect)
permit ip 3.3.3.0 255.255.255.0 2.2.2.0 255.255.255.0
set transform-set test1 (apply transform set test1)
match address ipsec (specify the IP traffic to protect)
Configure the SSH server so that the device can be managed remotely over SSH, using AAA local authentication.
SSH configuration
• Router (Config)#ssh-user test password 0 test
• Router (Config)#ssh-server enable
Configure local login authentication with AAA
Router (Config)#aaa authentication login default local
Router (Config)#line vty 0 4
Router (Config-line)#login auth default
Router (Config)#username test pass test (set the user name and password for local authentication)
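A review aid for the management and link settings listed so far (Telnet, HTTP server, `password 0`, PAP, the `ah-md5-hmac esp-des` transform, `permit any`), as an added example that is not part of the original page or the vendor's tooling. The rule list and function names are illustrative, and reading password type `0` as "stored unencrypted" is an assumption.

```python
import re

# Strips list bullets and CLI prompts such as "Switch(config)#" or "Router (Config)#".
PROMPT = re.compile(r"^\s*[•–]?\s*(?:[\w-]+\s?\([^)]*\)#)?\s*")
CRED = re.compile(r"\b(?:telnet-user|web-user|ssh-user|username)\s+(\S+)\s+"
                  r"pass(?:word)?\s+(?:([07])\s+)?(\S+)", re.I)
# (regex, finding) pairs for command forms that appear on this page.
RULES = [
    (r"\btelnet-user\b", "Telnet management: credentials cross the network in cleartext"),
    (r"\bip http server\b", "HTTP management: web login is not encrypted"),
    (r"\bppp authentication pap\b", "PAP: PPP password is sent in cleartext"),
    (r"\btransform-type\b.*\b(?:ah-md5-hmac|esp-des)\b", "IPsec transform relies on MD5/DES"),
    (r"^permit any$", "ACL entry matches every source address"),
]

def audit(config_text):
    """Return (line_no, command, finding) tuples for risky settings."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        cmd = PROMPT.sub("", raw, count=1).strip()
        for pattern, msg in RULES:
            if re.search(pattern, cmd, re.I):
                findings.append((n, cmd, msg))
        m = CRED.search(cmd)
        if m:
            user, ptype, secret = m.groups()
            if ptype == "0":  # assumption: type 0 means the password is stored unencrypted
                findings.append((n, cmd, "password type 0 (assumed plaintext in config)"))
            if user.lower() == secret.lower():
                findings.append((n, cmd, "password is identical to the user name"))
    return findings

# Constructed sample assembled from command lines shown on this page.
SAMPLE = """\
Switch(config)#telnet-user test password 0 test
Switch(config)#ip http server
Switch(Config)#ssh-server enable
– ppp authentication pap
– ppp authentication chap
transform-type ah-md5-hmac esp-des
– permit any
permit ip 3.3.3.0 255.255.255.0 2.2.2.0 255.255.255.0
Router (Config)#username test pass test
"""

if __name__ == "__main__":
    for line_no, cmd, finding in audit(SAMPLE):
        print(f"line {line_no}: {cmd!r}: {finding}")
```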
Access control configuration
Router (Config)#Time-range aaa
Router (Config)#Periodic weekdays 9 to 18
Access-list 100 permit tcp 192.168.11.0 0.0.0.255 any time-range aaa
Access-list 100 permit tcp 192.168.12.0 0.0.0.255 any time-range aaa
Access-list 100 permit tcp 192.168.13.0 0.0.0.255 any time-range aaa
Access-list 100 permit tcp 192.168.14.0 0.0.0.255 any
Int f0/0
Ip access-group 100 in
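How access-list 100 above treats a packet arriving on f0/0, as an added example that is not part of the original page. It assumes first-match evaluation with an implicit deny at the end of the list, and that the time-range `aaa` covers Monday to Friday from 09:00 up to (not including) 18:00; the function names and test addresses are constructed.

```python
import ipaddress
from datetime import datetime

# Entries of access-list 100 as listed above: (source, wildcard mask, time-range or None).
ACL_100 = [
    ("192.168.11.0", "0.0.0.255", "aaa"),
    ("192.168.12.0", "0.0.0.255", "aaa"),
    ("192.168.13.0", "0.0.0.255", "aaa"),
    ("192.168.14.0", "0.0.0.255", None),
]

def in_time_range_aaa(when):
    """Weekdays 9 to 18: Monday-Friday, end hour assumed exclusive."""
    return when.weekday() < 5 and 9 <= when.hour < 18

def wildcard_match(addr, base, wildcard):
    """Bits set in the wildcard mask are ignored; all other bits must equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(src, protocol, when):
    """First matching active entry wins; anything else hits the assumed implicit deny."""
    if protocol != "tcp":
        return "deny (implicit)"  # every entry is 'permit tcp', so UDP and ICMP never match
    for n, (base, wildcard, time_range) in enumerate(ACL_100, 1):
        if not wildcard_match(src, base, wildcard):
            continue
        if time_range == "aaa" and not in_time_range_aaa(when):
            continue  # entry is inactive outside its time-range
        return f"permit (entry {n})"
    return "deny (implicit)"

if __name__ == "__main__":
    tuesday_10 = datetime(2024, 3, 5, 10, 0)    # constructed test times
    saturday_23 = datetime(2024, 3, 9, 23, 0)
    for src, proto, when in [("192.168.11.25", "tcp", tuesday_10),
                             ("192.168.11.25", "tcp", saturday_23),
                             ("192.168.14.7", "tcp", saturday_23),
                             ("192.168.14.7", "udp", tuesday_10)]:
        print(src, proto, when.isoformat(), "->", evaluate(src, proto, when))
```

Because only TCP is permitted, UDP traffic such as DNS queries from these subnets falls through to the deny even during working hours.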