Notes on Huawei Datacom Device Commands
Summary of Network Configuration Commands
I. GRE VPN Configuration Commands
1. Create the GRE tunnel interface
interface Tunnel0/0/1
ip address 40.1.1.1 24
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
quit
2. Configure a static route pointing to the Tunnel interface
ip route-static 10.1.2.0 24 Tunnel 0/0/1
3. Configure Keepalive detection
interface Tunnel0/0/1
keepalive period 3 retry-times 3
II. IPsec VPN Configuration Commands
1. Configure an advanced ACL (define the interesting traffic)
acl number 3001
rule 1 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.2.0 0.0.0.255
2. Configure the IKE proposal
ike proposal 10
authentication-method pre-share
encryption-algorithm aes-cbc-256
authentication-algorithm sha1
dh group1
3. Configure the IKE peer
ike peer R2
version 1
exchange-mode main
remote-address 2.2.2.2
ike-proposal 10
pre-shared-key simple pass123
4. Configure the IPsec proposal
ipsec proposal R1
transform esp
encapsulation-mode tunnel
esp authentication-algorithm sha1
esp encryption-algorithm aes-256
5. Configure an IPsec policy in ISAKMP mode
ipsec policy R1 10 isakmp
security acl 3001
proposal R1
ike-peer R2
6. Apply the IPsec policy to an interface
interface GigabitEthernet0/0/0
ipsec policy R1
7. Configure an IPsec profile (used for GRE over IPsec)
ipsec profile pro1
proposal R1
ike-peer R2
8. Reference the IPsec profile on the interface
interface Tunnel0/0/1
ipsec profile pro1
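An added example, not part of the original notes: a small Python audit that walks a configuration in the flat form used above and reports the IKE/IPsec settings generally treated as weak today (DH group 1, SHA-1, IKEv1, a `simple` pre-shared key). The rule list and the `audit` function name are assumptions made for illustration; the sample is constructed from items 2 to 4 of this section.

```python
import re

# Constructed sample: the IKE/IPsec commands from items 2-4 of this section.
SAMPLE = """\
ike proposal 10
authentication-method pre-share
encryption-algorithm aes-cbc-256
authentication-algorithm sha1
dh group1
ike peer R2
version 1
exchange-mode main
remote-address 2.2.2.2
ike-proposal 10
pre-shared-key simple pass123
ipsec proposal R1
transform esp
encapsulation-mode tunnel
esp authentication-algorithm sha1
esp encryption-algorithm aes-256
"""

# Commands that open a view; tracked so a finding names its proposal or peer.
VIEW = re.compile(r"(ike proposal|ike peer|ipsec proposal|ipsec policy|ipsec profile|interface)\b")

# (view prefix, command pattern, finding) -- illustrative rule set, not a vendor list.
RULES = [
    ("ike proposal", r"dh group[125]$", "DH group below 2048-bit MODP"),
    ("ike proposal", r"authentication-algorithm (md5|sha1)$", "MD5/SHA-1 for IKE integrity"),
    ("ike peer", r"version 1$", "IKEv1 negotiation"),
    ("ike peer", r"pre-shared-key simple \S+", "pre-shared key in plaintext (simple) form"),
    ("ipsec proposal", r"esp authentication-algorithm (md5|sha1)$", "MD5/SHA-1 for ESP integrity"),
]

def audit(config):
    """Return (line_no, view, command, finding) for each weak setting found."""
    findings, view = [], ""
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if VIEW.match(line):
            view = line
            continue
        for prefix, pattern, finding in RULES:
            if view.startswith(prefix) and re.match(pattern, line):
                # Mask the key so the report never repeats the secret.
                shown = re.sub(r"(pre-shared-key \w+) \S+", r"\1 ******", line)
                findings.append((no, view, shown, finding))
    return findings

if __name__ == "__main__":
    for no, view, cmd, finding in audit(SAMPLE):
        print(f"line {no}: [{view}] {cmd} -> {finding}")
```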
III. BFD Configuration Commands
1. Enable BFD globally
bfd
2. Configure a BFD session (single-hop detection)
bfd 1 bind peer-ip 10.0.12.2 source-ip 10.0.12.1 auto
commit
3. Associate a static route with BFD
ip route-static 0.0.0.0 0.0.0.0 10.0.12.2 track bfd-session 1
ip route-static 0.0.0.0 0.0.0.0 10.0.13.2 preference 100
4. Associate OSPF with BFD
ospf 1
bfd all-interface enable
5. Associate VRRP with BFD
vrrp vrid 1 track bfd-session session-name 1 reduced 100
IV. VRRP Configuration Commands
1. Master/backup mode
interface GigabitEthernet0/0/1
ip address 10.0.0.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.0.10
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 1 track interface GigabitEthernet0/0/0 reduce 30
2. Backup device configuration
interface GigabitEthernet0/0/1
ip address 10.0.0.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.0.0.10
V. Eth-Trunk Configuration Commands
1. Create an Eth-Trunk interface (Layer 3 mode)
interface Eth-Trunk1
undo portswitch
ip address 192.168.1.254 255.255.255.0
2. Add member interfaces
interface GigabitEthernet0/0/0
eth-trunk 1
3. Configure manual load-balancing mode
interface Eth-Trunk1
mode manual load-balance
4. Configure LACP mode
interface Eth-Trunk1
mode lacp-static
max active-linknumber 2
lacp preempt enable
lacp preempt delay 10
5. Configure the system LACP priority
lacp priority 100
VI. Port Security Configuration Commands
1. Enable port security
interface GigabitEthernet0/0/1
port-security enable
2. Configure the maximum number of MAC addresses
port-security max-mac-num 2
3. Configure the protection action
port-security protect-action { protect | restrict | shutdown }
4. Configure a secure static MAC address
port-security mac-address 5489-98ac-71a9 vlan 1
5. Enable the Sticky MAC function
port-security mac-address sticky
6. Configure the aging time
port-security aging-time 10 type inactivity
VII. ACL Configuration Commands
1. Create a basic ACL
acl number 2000
rule 5 deny source 192.168.1.0 0.0.0.255
rule 10 permit source any
2. Create an advanced ACL
acl number 3000
rule 5 permit tcp source 192.168.1.0 0.0.0.255 destination any destination-port eq www
rule 10 deny ip source any destination any
3. Apply the ACL to an interface (traffic-filter)
interface GigabitEthernet0/0/1
traffic-filter inbound acl 2000
VIII. NAT Configuration Commands
1. Static NAT (interface view)
interface GigabitEthernet0/0/1
nat static global 122.1.2.1 inside 192.168.1.1
2. Static NAT (system view)
nat static global 122.1.2.1 inside 192.168.1.1
interface GigabitEthernet0/0/1
nat static enable
3. Dynamic NAT (No-PAT)
nat address-group 1 122.1.2.1 122.1.2.3
acl 2000
rule 5 permit source 192.168.1.0 0.0.0.255
interface GigabitEthernet0/0/1
nat outbound 2000 address-group 1 no-pat
4. NAPT
nat address-group 1 122.1.2.1 122.1.2.1
interface GigabitEthernet0/0/1
nat outbound 2000 address-group 1
5. Easy IP
interface GigabitEthernet0/0/1
nat outbound 2000
6. NAT Server
interface GigabitEthernet0/0/1
nat server protocol tcp global 122.1.2.1 www inside 192.168.1.10 8080
IX. Firewall Configuration Commands
1. Configure security zones
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
2. Configure a security policy
security-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 172.16.1.0 24
action permit
3. Configure a NAT policy (source NAT)
nat address-group group1
mode pat
section 0 1.1.1.10 1.1.1.15
route enable
nat-policy
rule name policy1
source-zone trust
destination-zone untrust
source-address 10.1.1.0 24
action source-nat address-group group1
4. Configure NAT Server
nat server policy_ftp protocol tcp global 1.1.1.10 ftp inside 10.2.0.8 ftp unr-route
5. Enable ASPF
firewall interzone trust dmz
detect ftp
6. View sessions
display firewall session table verbose
X. PPP Configuration Commands
1. Set the link-layer encapsulation to PPP
interface Serial1/0/0
link-protocol ppp
2. Configure PAP authentication (authenticator)
interface Serial1/0/0
ppp authentication-mode pap
aaa
local-user huawei password cipher huawei123
local-user huawei service-type ppp
3. Configure PAP authentication (authenticated peer)
interface Serial1/0/0
ppp pap local-user huawei password cipher huawei123
4. Configure CHAP authentication (authenticator)
interface Serial1/0/0
ppp authentication-mode chap
aaa
local-user huawei password cipher huawei123
local-user huawei service-type ppp
5. Configure CHAP authentication (authenticated peer)
interface Serial1/0/0
ppp chap user huawei
ppp chap password cipher huawei123
XI. PPPoE Configuration Commands
1. Client configuration
dialer-rule
dialer-rule 1 ip permit
interface Dialer1
dialer user enterprise
dialer-group 1
dialer bundle 1
ppp chap user huawei1
ppp chap password cipher huawei123
ip address ppp-negotiate
interface GigabitEthernet0/0/1
pppoe-client dial-bundle-number 1
ip route-static 0.0.0.0 0.0.0.0 dialer 1
2. Server configuration
ip pool pool1
network 192.168.1.0 mask 255.255.255.0
gateway-list 192.168.1.254
interface Virtual-Template1
ppp authentication-mode chap
ip address 192.168.1.254 255.255.255.0
remote address pool pool1
interface GigabitEthernet0/0/0
pppoe-server bind virtual-template 1
aaa
local-user huawei1 password cipher huawei123
local-user huawei1 service-type ppp
XII. IPv6 Configuration Commands
1. Enable IPv6 globally
ipv6
2. Enable IPv6 on an interface
interface GigabitEthernet0/0/0
ipv6 enable
3. Configure an IPv6 global unicast address
ipv6 address 2001::1 64
4. Configure a link-local address
ipv6 address fe80::1 link-local
5. Generate a link-local address automatically
ipv6 address auto link-local
6. DHCPv6 server configuration
dhcp enable
dhcpv6 pool pool1
address prefix 2002::/64
interface GigabitEthernet0/0/0
dhcpv6 server pool1
7. DHCPv6 client configuration
interface GigabitEthernet0/0/0
ipv6 address auto dhcp
8. Stateless address autoconfiguration
interface GigabitEthernet0/0/1
undo ipv6 nd ra halt
interface GigabitEthernet0/0/0
ipv6 address auto global
9. IPv6 static routes
ipv6 route-static 2001:: 64 2003::1
ipv6 route-static :: 0 2002::1
10. OSPFv3 configuration
ospfv3 1
router-id 1.1.1.1
interface GigabitEthernet0/0/0
ospfv3 1 area 0
XIII. WLAN Configuration Commands
1. Configure DHCP Option 43 (AP discovers the AC)
ip pool pool1
option 43 ip-address 10.23.100.1
2. Configure the CAPWAP source interface
capwap source interface vlanif100
3. Configure the AP authentication mode
wlan
ap auth-mode mac-auth
4. Import an AP offline
ap-id 0 ap-mac 60de-4476-e360
ap-name area_1
ap-group ap-group1
5. Create an AP group
ap-group name ap-group1
regulatory-domain-profile default
6. Create a regulatory domain profile
regulatory-domain-profile name default
country-code cn
7. Create a security profile
security-profile name wlan-net
security wpa-wpa2 psk pass-phrase a1234567 aes
8. Create an SSID profile
ssid-profile name wlan-net
ssid wlan-net
9. Create a VAP profile
vap-profile name wlan-net
forward-mode tunnel
service-vlan vlan-id 101
security-profile wlan-net
ssid-profile wlan-net
10. Bind the VAP profile to the AP group
ap-group name ap-group1
vap-profile wlan-net wlan 2 radio 0
vap-profile wlan-net wlan 2 radio 1
11. View AP status
display ap all
display vap ssid wlan-net
display station ssid wlan-net
XIV. DHCP Configuration Commands
1. Enable DHCP globally
dhcp enable
2. Create an address pool
ip pool vlan1
network 192.168.1.0 mask 24
gateway-list 192.168.1.254
dns-list 8.8.8.8
lease day 0 hour 8 minute 0
excluded-ip-address 192.168.1.1 192.168.1.10
static-bind ip-address 192.168.1.100 mac-address xxxx-xxxx-xxxx
3. Enable the global address pool on an interface
interface Vlanif1
dhcp select global
4. Configure DHCP relay
interface Vlanif1
dhcp select relay
dhcp relay server-ip 192.168.102.1
5. View address pool usage
display ip pool name vlan1 used
XV. General Campus Network Configuration
1. Configure VLANs
vlan batch 10 20 30
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
2. Configure a VLANIF interface
interface Vlanif10
ip address 192.168.1.254 24
3. Configure an interface description
interface GigabitEthernet0/0/1
description to Core-R1
4. Configure Telnet remote management
user-interface vty 0 4
authentication-mode aaa
aaa
local-user admin password cipher admin123
local-user admin service-type telnet
local-user admin privilege level 15
5. Configure a default route
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
XVI. Common Display Commands
1. View interface status
display interface Tunnel 0/0/1
2. View the routing table
display ip routing-table
display ipv6 routing-table
3. View IKE SAs
display ike sa
4. View IPsec SAs
display ipsec sa
5. View the MAC address table
display mac-address security
display mac-address sticky
6. View Eth-Trunk information
display interface Eth-Trunk 1
7. View BFD sessions
display bfd session all
8. View VRRP status
display vrrp
9. View PPPoE sessions
display pppoe-client session summary
10. View the DHCP Snooping binding table
display dhcp snooping user-bind all
Note: The commands above are compiled in Huawei device command-line format; adjust them as needed for your device model and software version.