H3C_S5500基本配置思路及实用命令

version 5.20, Release 1207sysname dunan-s5500 设备重命名super password level 3 simple abcd123456 设置串口连接密码 domain default enable system说明性文字telnet server enable telnet服务开启loopback-detection enable 环回口连接开启注释VLAN连接区域vlan 1description fileserver vlan 2description firewallvlan 10description erp+sql+other vlan 20description caiwu vlan 30description waimaovlan 40description bigofficevlan 50description jishubuvlan 60description erchejianvlan 70description huayivlan 80description zongcaivlan 90description webservlan 130description wlanradius scheme systemdomain system 说明性文字access-limit disablestate activeidle-cut disableself-service-url disable将ACL规则定义策略和行为这里和3600是不同的，分为三部traffic classifier c_vlan operator and if-match acl 3000traffic classifier a_vlan operator and if-match acl 3001traffic behavior d_vlanfilter denytraffic behavior b_vlanfilter denyqos policy p_vlanclassifier c_vlan behavior b_vlanqos policy t_vlanclassifier a_vlan behavior d_vlan设置web访问用户和密码并定义权限为最高local-user h3cpassword simple dafmservice-type telnetlevel 3建立高级访问控制列表并建立子规则acl number 3000rule 0 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.90.0 0.0.0.255 rule 1 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.90.0 0.0.0.255 rule 2 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 3 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 rule 4 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.40.0 0.0.0.255 rule 5 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.50.0 0.0.0.255 rule 6 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.60.0 0.0.0.255 rule 7 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.70.0 0.0.0.255 rule 8 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.80.0 0.0.0.255 rule 9 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.80.0 0.0.0.255 rule 10 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.70.0 0.0.0.255 rule 11 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.60.0 0.0.0.255 rule 12 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 13 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.40.0 0.0.0.255 rule 14 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 rule 15 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 16 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.130.0 0.0.0.255 rule 17 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 rule 18 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.40.0 0.0.0.255 rule 19 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.50.0 0.0.0.255 rule 20 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.60.0 0.0.0.255 rule 21 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.70.0 0.0.0.255 rule 22 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.90.0 0.0.0.255 rule 23 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.130.0 0.0.0.255 acl number 3001rule 0 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 rule 1 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 rule 2 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 3 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 rule 4 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.40.0 0.0.0.255 rule 5 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.60.0 0.0.0.255 rule 6 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.70.0 0.0.0.255 rule 7 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.80.0 0.0.0.255 rule 8 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.130.0 0.0.0.255 配置VLAN网关，实际为设置vlan 间路由interface NULL0interface Vlan-interface 1ip address 192.168.1.1 255.255.255.0interface Vlan-interface 2ip address 192.168.2.2 255.255.255.0interface Vlan-interface 10ip address 192.168.10.1 255.255.255.0interface Vlan-interface 20ip address 192.168.20.1 255.255.255.0interface Vlan-interface 30ip address 192.168.30.1 255.255.255.0interface Vlan-interface 40ip address 192.168.40.1 255.255.255.0interface Vlan-interface 50ip address 192.168.50.1 255.255.255.0interface Vlan-interface 60ip address 192.168.60.1 255.255.255.0interface Vlan-interface 70ip address 192.168.70.1 255.255.255.0interface Vlan-interface 80ip address 192.168.80.1 255.255.255.0interface Vlan-interface 90ip address 192.168.90.1 255.255.255.0interface Vlan-interface 30ip address 192.168.130.1 255.255.255.0将接口划入vlaninterface GigabitEthernet1/0/1port access vlan 10interface GigabitEthernet1/0/2port access vlan 10interface GigabitEthernet1/0/3port access vlan 10interface GigabitEthernet1/0/4port access vlan 90定义策略到接口qos apply policy t_vlan inboundinterface GigabitEthernet1/0/5 port access vlan 20 interface GigabitEthernet1/0/6 port access vlan 20 interface GigabitEthernet1/0/7 port access vlan 30 interface GigabitEthernet1/0/8 port access vlan 30 interface GigabitEthernet1/0/9 port access vlan 40 interface GigabitEthernet1/0/10 port access vlan 40 interface GigabitEthernet1/0/11 port access vlan 50 定义策略到接口qos apply policy p_vlan inboundinterface GigabitEthernet1/0/12 port access vlan 50定义策略到接口qos apply policy p_vlan inboundinterface GigabitEthernet1/0/13 port access vlan 60 interface GigabitEthernet1/0/14 port access vlan 60 interface GigabitEthernet1/0/15 port access vlan 70 interface GigabitEthernet1/0/16 port access vlan 70 interface GigabitEthernet1/0/17 port access vlan 80定义策略到接口qos apply policy p_vlan inboundinterface GigabitEthernet1/0/18 port access vlan 80定义策略到接口qos apply policy p_vlan inboundinterface GigabitEthernet1/0/19 port access vlan 130定义策略到接口qos apply policy p_vlan inboundinterface GigabitEthernet1/0/20 port access vlan 130定义策略到接口qos apply policy p_vlan inboundinterface GigabitEthernet1/0/21 duplex full flow-control interface GigabitEthernet1/0/22interface GigabitEthernet1/0/23 port access vlan 2 interface GigabitEthernet1/0/24 port access vlan 2 interface GigabitEthernet1/0/25 shutdowninterface GigabitEthernet1/0/26 shutdowninterface GigabitEthernet1/0/27 shutdowninterface GigabitEthernet1/0/28 shutdown配置到防火墙的默认路由ip route-static 0.0.0.0 0.0.0.0 192.168.2.1简单网络管理协议的描述snmp-agentsnmp-agent local-engineid 800063A20300E0FC123456 snmp-agent sys-info version v3load xml-configuration开启aux口和telnet访问的权限并设定串口访问密码user-interface aux 0authentication-mode passwordset authentication password simple abcd123456user-interface vty 0 4user privilege level 3set authentication password cipher ^BM!.M()1=%X)AG\U/NCA!!protocol inbound telnet华为路由器交换机配置命令：交换机命令[Quidway]dis curr；显示当前配置[Quidway]display interfaces；显示接口信息[Quidway]display vlanall；显示路由信息[Quidway]display version；显示版本信息[Quidway]super password；修改特权用户密码[Quidway]sysname；交换机命名[Quidway]interface ethernet0/1；进入接口视图[Quidway]interface vlanx；进入接口视图[Quidway-Vlan-interfacex]ip address 10.65.1.1 255.255.0.0；配置VLAN的IP地址[Quidway]ip route-static 0.0.0.0 0.0.0.0 10.65.1.2；静态路由＝网关[Quidway]rip；三层交换支持[Quidway]user-interface vty 0 4；进入虚拟终端[S3026-ui-vty0-4]authentication-mode password；设置口令模式[S3026-ui-vty0-4]set authentication-mode password simple222；设置口令[S3026-ui-vty0-4]user privilege level3；用户级别[Quidway]interface ethernet0/1；进入端口模式[Quidway]int e0/1；进入端口模式[Quidway-Ethernet0/1]duplex {half|full|auto}；配置端口工作状态[Quidway-Ethernet0/1]speed{10|100|auto}；配置端口工作速率[Quidway-Ethernet0/1]flow-control；配置端口流控[Quidway-Ethernet0/1]mdi{across|auto|normal}；配置端口平接扭接[Quidway-Ethernet0/1]portlink-type{trunk|access|hybrid}；设置端口工作模式[Quidway-Ethernet0/1]port access vlan3；当前端口加入到VLAN[Quidway-Ethernet0/2]port trunk permitvlan{ID|All}；设trunk允许的VLAN[Quidway-Ethernet0/3]port trunk pvid vlan3；设置trunk端口的PVID [Quidway-Ethernet0/1]undoshutdown；激活端口[Quidway-Ethernet0/1]shutdown；关闭端口[Quidway-Ethernet0/1]quit；返回 [Quidway]vlan3；创建VLAN[Quidway-vlan3]port ethernet0/1；在VLAN中增加端口[Quidway-vlan3]port e0/1；简写方式[Quidway-vlan3]port ethernet0/1 to ethernet0/4；在VLAN中增加端口[Quidway-vlan3]port e0/1 to e0/4；简写方式[Quidway]monitor-port；指定镜像端口[Quidway]port mirror；指定被镜像端口[Quidway]port mirror int_listobserving-portint_typeint_num；指定镜像和被镜像[Quidway]description string；指定VLAN描述字符[Quidway]description；删除VLAN描述字符[Quidway]display vlan[vlan_id]；查看VLAN设置[Quidway]stp{enable|disable}；设置生成树,默认关闭[Quidway]stp priority 4096；设置交换机的优先级[Quidway]stp root{primary|secondary}；设置为根或根的备份[Quidway-Ethernet0/1]stpcost200；设置交换机端口的花费[Quidway]link-aggregatione0/1toe0/4ingress|both;端口的聚合[Quidway]undolink-aggregatione0/1|all;始端口为通道号[SwitchA-vlanx]isolate-user-vlanenable；设置主vlan[SwitchA]isolate-user-vlansecondary；设置主vlan包括的子vlan[Quidway-Ethernet0/2]porthybridpvidvlan；设置vlan的pvid[Quidway-Ethernet0/2]porthybridpvid；删除vlan的pvid[Quidway-Ethernet0/2]porthybridvlanvlan_id_listuntagged；设置无标识的vlan 如果包的vlanid与PVId一致，则去掉vlan信息.默认PVID=1。

S5500系列交换机基本QINQ功能的配置一组网需求：1、Provider1、Provider2均为H3C S5500-SI系列设备，用作运营商网络接入设备，Customer1、Customer2为用户网络接入设备；2、Customer1能够发出VLAN10的报文，要求Customer1和Customer2之间可以互通VLAN10的报文。

二组网图：三配置步骤：Provider1的配置1．创建vlan 1000并将入端口加入<Sysname> system-view[Sysname] vlan 1000[Sysname] port GigabitEthernet 1/0/12．开启以太网端口的QinQ功能[Sysname] interface GigabitEthernet 1/0/1[Sysname-GigabitEthernet1/0/1] qinq enable3．配置G1/0/2口允许vlan 1000的报文通过[Sysname] interface GigabitEthernet 1/0/3[Sysname-GigabitEthernet1/0/3] port link-type trunk[Sysname-GigabitEthernet1/0/3] port trunk permit vlan 1000Provider2的配置Provider2的配置与Provider1完全相同配置完成后，Customer1和Customer2同属于VLAN10，且ip地址在同一网段的主机可以相互ping通。

四配置关键点：1．如果与provider1(或者provider2)相连的设备为其他厂商的设备，请确定该设备以太网协议类型值是否为0x8100，如果不是请在provider1(或者provider2)全局视图下应用qinq ethernet-type命令进行配置，例如该设备以太网协议类型值9100，则配置qinq ethernet-type 9100。

H3C S5500-SI 二层动态链路聚合典型配置一、组网需求：Device A与Device B通过各自的以太网端口GigabitEthernet1/0/1～GigabitEthernet1/0/3相互连接。

通过配置动态链路聚合，实现出负荷在各成员端口间的分担，并采用源MAC地址与目的MAC地址相结合的聚合负载分担模式。

二、组网图：三、配置步骤：1. 配置Device A#配置聚合负载分担模式为源MAC地址与目的MAC地址相结合的方式。

<DeviceA> system-view[DeviceA] link-aggregation load-sharing mode source-mac destination-mac# 创建二层聚合端口1，并配置成动态聚合模式。

[DeviceA] interface bridge-aggregation 1[DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic[DeviceA-Bridge-Aggregation1] quit#分别将端口GigabitEthernet1/0/1至GigabitEthernet1/0/3加入到聚合组1中。

[DeviceA] interface GigabitEthernet 1/0/1[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1[DeviceA-GigabitEthernet1/0/1] quit[DeviceA] interface GigabitEthernet 1/0/2[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1[DeviceA-GigabitEthernet1/0/2] quit[DeviceA] interface GigabitEthernet 1/0/3[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 12. 配置Device BDevice B的配置与Device A相似，配置过程略。

H3C S5500 V2 series基本配置之蔡仲巾千创作一、配置交换的web界面<h3c>sys(进入系统模式）[h3c]int vlan 1(进入虚接口VLAN 1）[h3c-int-vlan 1]undo ip address(清除原地址）[h3c-int-vlan 1]ip add 2.10.3.1 255.255.255.0(配置web界面ip地址）[h3c-int-vlan 1]quit（返回上一级）[h3c]ip http enable(启用web服务）[h3c]local-user admin(设置当地用户名、此处用户名admin）[h3c-admin]password simple admin(设置当地密码、此处密码admin）[h3c-admin]service-type telnet level 3(设置服务等级为3级）[h3c-admin]quit（返回上一级）[h3c]loal-user admin[h3c-admin]service-type terminal telnet http https(平安防护措施、认证方式）[h3c-admin]quit（返回上一级）注：以上配置完成后接入服务器用IE访问IP地址2.10.3.1访问二、交换机划分vlan<h3c>sys（进入系统模式）[h3c]vlan 2(划分vlan 2）[h3c-vlan 2]quit（返回上一级）[h3c]vlan 3(划分vlan 3）[h3c-vlan 3]quit（返回上一级）[h3c]vlan 2（进入vlan 2）[h3c-vlan 2]port g/0/1 to g1/0/12(对vlan 2进行端口划分-此处vlan 2划分到1-12端口）[h3c-vlan 2]quit（返回上一级）[h3c]vlan 3（进入vlan 3）[h3c-vlan 3]port g/0/13 to g1/0/24(对vlan 3进行端口划分-此处vlan3划分到13-24端口）注：以上配置是根据现场要求24口交换机划分两个vlan平分所有端口三、交换机VLAN IP 互通[h3c]int vlan 2[h3c-vlan-interface 2]ip add 192.168.2.1 255.255.255.0[h3c-vlan-interface 2]quit[h3c]int vlan 3[h3c-vlan-interface 3]ip add 192.168.3.1 255.255.255.0[h3c-vlan-interface 3]quit注：以上配置完成后能通过vlan 2 的端口与vlan 3 的端口互通。

H3C S5500基本配置思路及实用命令1.总体配置思路：1)添加VLAN1，并将相应端口添加到该VLAN。

(在VLAN状态下才可一次将多个端口加入相应VLAN,interface e 1/0/1 to e 1/0/24)2)添加VLAN2，并将其置为管理VLAN(在#状态下management-vlan 2)，才可设置其VLAN的IP地址。

3)添加静态路由。

4)配置端口TRUNK模式。

5)配置远程登录VTY认证。

6)配置本地用户。

2.进入特权模式System View<H3C> System ViewSystem View: return to User View with Ctrl+Z.[H3C]dis[H3C]display cur3.配置交换机主机名sysnamesysname H3C4.添加VLANvlan 1或在此状态下直接将相应端口加入该VLAN (否则只能一个口一个口的添加)Interface e 1/0/1 to e 1/0/245.配置管理VLAN-- management-vlanmanagement-vlan 26.给管理VLAN添加IP地址interface Vlan-interface1ip address 10.10.40.176 255.255.255.07.添加端口到VLAN：port access vlan 1interface GigabitEthernet1/0/2port access vlan 18.远程登录配置及3A认证模式user-interface vty 0 4authentication-mode scheme9.配置3A认证本地用户及属性local-user testpassword simple testpwdauthorization-attribute level 3service-type telnet可能的配置local-user testpassword simple testservice-type telnetlevel 310.将端口配置为Trunk口interface GigabitEthernet1/0/20port link-type trunkport trunk permit vlan all11.添加静态路由ip route-static 0.0.0.0 0.0.0.0 10.10.40.112.查看路由表display ip routing-table[H3C]display ip routing-tableRouting Tables: PublicDestinations : 7 Routes : 7Destination/Mask Proto Pre Cost NextHop Interface0.0.0.0/0 Static 60 0 10.10.40.1 Vlan210.10.40.0/24 Direct 0 0 10.10.40.180Vlan210.10.40.180/32 Direct 0 0 127.0.0.1 InLoop0127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0192.168.76.0/24 Direct 0 0 192.168.76.3Vlan76192.168.76.3/32 Direct 0 0 127.0.0.1 InLoop013.显示当前配置display current-configuration[H3C]display current-configuration14.查看端口及VLAN的up/down状态display brief interface[H3C]display brief interfaceThe brief information of interface(s) under route mode:Interface Link Protocol-link Protocol type Main IPNULL0 UP UP(spoofing) NULL --Vlan1 UP UP ETHERNET 192.168.76.3Vlan2 UP UP ETHERNET 10.10.40.180The brief information of interface(s) under bridge mode:Interface Link Speed Duplex Link-typePVIDGE1/0/1 UP 1G(a) full(a) access1GE1/0/2 DOWN auto auto access1GE1/0/3 DOWN auto auto access1GE1/0/9 DOWN auto auto access1GE1/0/10 DOWN auto auto access1display brief interface GigabitEthernet 1/0/1[H3C]display brief interface GigabitEthernet 1/0/1The brief information of interface(s) under bridge mode:Interface Link Speed Duplex Link-typePVIDGE1/0/1 UP 1G(a) full(a) access1display brief interface Vlan-interface 1[H3C]display brief interface Vlan-interface 1The brief information of interface(s) under route mode:Interface Link Protocol-link Protocol type Main IPVlan1 UP UP ETHERNET 192.168.76.315.查看MAC地址缓存表display mac-address[H3C]display mac-addressMAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)0000-e7a7-2374 1 Learned GigabitEthernet1/0/19 AGING0000-e8f1-6952 1 Learned GigabitEthernet1/0/19 AGING0001-6c41-9cee 1 Learned GigabitEthernet1/0/19 AGING000c-2919-0d6c 1 Learned GigabitEthernet1/0/19 AGING000c-2961-d8ea 1 Learned GigabitEthernet1/0/19 AGING16.查看某一端口的MAC地址缓存表display mac-address interface GigabitEthernet 1/0/1[H3C]display mac-address interface GigabitEthernet 1/0/1MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)0016-3642-e888 1 Learned GigabitEthernet1/0/1 AGING0016-eca2-d69d 1 Learned GigabitEthernet1/0/1 AGING001c-25d8-77b6 1 Learned GigabitEthernet1/0/1 AGING0024-1d6e-6fbe 1 Learned GigabitEthernet1/0/1 AGING17.查看ARP缓存表display arp[H3C]display arpType: S-Static D-DynamicIP Address MAC Address VLAN ID Interface Aging Type192.168.76.56 0016-eca2-d69d 1 GE1/0/1 20D192.168.76.131 0016-3642-e888 1 GE1/0/1 19D192.168.76.171 0024-1d6e-6fbe 1 GE1/0/1 13D10.10.40.1 0018-742d-4fc0 2 GE1/0/19 14D192.168.76.1 0018-742d-4fc0 1 GE1/0/19 10D18.Tftp备份配置1)查看配置文件名及所在文件夹-dir配置文件名可能为startup.cfg或config.cfg配置文件可能在flash:/或unit1>flash:/目录下<jyzx-px-zhongxin>dir flash:/Directory of flash:/0 -rw- 8221183 Aug 11 2010 16:27:52s5500tpsi-cmw520-r2202p11.bin1 -rw- 2365 Apr 26 2000 12:13:58 startup.cfg(配置文件名)31496 KB total (23460 KB free)<jyzx-bg-3-d>dirDirectory of unit1>flash:/1 -rw- 3146 Jan 01 2004 00:00:00 config.def2 (*) -rw- 3711222 Mar 25 2011 16:51:52s31si_e-cmw310-r2211p07.bin3 (*) -rw- 886025 Jan 01 2004 00:00:00h3c-http3.1.9-0019.web4 (*) -rw- 2834 Apr 03 2000 01:20:33 config.cfg(配置文件名)7239 KB total (2739 KB free)(*) -with main attribute (b) -with backup attribute(*b) -with both main and backup attribute<jyzx-bg-4-x>tftp 172.16.8.91 put unit1>flash:/config.cfg 10.10.40.185.txtFile will be transferred in binary mode.Sending file to remote tftp server. Please wait... |TFTP: 2979 bytes sent in 0 second(s).File uploaded successfully.<jyzx-bg-4-x>dirDirectory of unit1>flash:/1 -rw- 3146 Jan 01 2004 00:00:00 config.def2 (*) -rw- 3711222 Mar 25 2011 16:51:52 s31si_e-cmw310-r2211p07.bin3 (*) -rw- 886025 Jan 01 2004 00:00:00 h3c-http3.1.9-0019.web4 (*) -rw- 2979 Apr 02 2000 07:17:02 config.cfg7239 KB total (2739 KB free)(*) -with main attribute (b) -with backup attribute(*b) -with both main and backup attribute2)配置可以使用tftp的ACLacl number 2000rule permit source 172.16.8.91 0[jyzx-px-zhongxin]acl number 2000[jyzx-px-zhongxin-acl-basic-2000]rule permit source 172.16.8.91 ?0 Wildcard bits : 0.0.0.0 ( a host )X.X.X.X Wildcard of source[jyzx-px-zhongxin-acl-basic-2000]rule permit source 172.16.8.91 03)配置tftp服务器- tftp-server acl 2000tftp-server acl 2000[jyzx-px-zhongxin]tftp-server acl 2000The ACL number does not exist or contains no rule. Continue? [Y/N]:y(如果还没有配置ACL,则会有此提示)[jyzx-px-zhongxin]tftp client source ip 172.16.8.914)备份配置文件到tftp软件所在目录下(在用户视图下,即“>”状态下)tftp 172.16.8.91 put flash:/startup.cfg (无目标文件名则表示与源文件名同名)tftp 172.16.8.91 put flash:/startup.cfg startup.txt(将配置文件保存为txt文件)<jyzx-px-zhongxin>tftp 172.16.8.91 put flash:/startup.cfgFile will be transferred in binary modeSending file to remote TFTP server. Please wait... \TFTP: 2365 bytes sent in 0 second(s).File uploaded successfully.<jyzx-px-zhongxin>tftp 172.16.8.91 put flash:/startup.cfg 10.10.40.177.txtFile will be transferred in binary modeSending file to remote TFTP server. Please wait... \TFTP: 2365 bytes sent in 0 second(s).File uploaded successfully.5)小结过程在特权状态下配置ACL和Tftp-server信息acl number 2000rule permit source 172.16.8.91 0quittftp-server acl 2000save在用户视图下备份配置tftp 172.16.8.91 put flash:/startup.cfg 10.10.40.177.txt19.关闭实时信息- undo info-center enable[jyzx-bg-4-x]undo info-center enable% Information center is disabled20.问题1：无法用system-view命令进入特权模式原因：因为local-user中用户认证属性设置不对，level 3必须设置。

H3C S5500 V2 series基本配置一、配置交换的web界面<h3c>sys(进入系统模式）[h3c]int vlan 1(进入虚接口VLAN 1）[h3c-int-vlan 1]undo ip address(清除原地址）[h3c-int-vlan 1]ip add 2.10.3.1 255.255.255.0(配置web界面ip地址）[h3c-int-vlan 1]quit（返回上一级）[h3c]ip http enable(启用web服务）[h3c]local-user admin(设置本地用户名、此处用户名admin）[h3c-admin]password simple admin(设置本地密码、此处密码admin）[h3c-admin]service-type telnet level 3(设置服务等级为3级）[h3c-admin]quit（返回上一级）[h3c]loal-user admin[h3c-admin]service-type terminal telnet http https(安全防护措施、认证方式）[h3c-admin]quit（返回上一级）注：以上配置完成后接入服务器用IE访问IP地址2.10.3.1访问二、交换机划分vlan<h3c>sys（进入系统模式）[h3c]vlan 2(划分vlan 2）[h3c-vlan 2]quit（返回上一级）[h3c]vlan 3(划分vlan 3）[h3c-vlan 3]quit（返回上一级）[h3c]vlan 2（进入vlan 2）[h3c-vlan 2]port g/0/1 to g1/0/12(对vlan 2进行端口划分-此处vlan 2划分到1-12端口）[h3c-vlan 2]quit（返回上一级）[h3c]vlan 3（进入vlan 3）[h3c-vlan 3]port g/0/13 to g1/0/24(对vlan 3进行端口划分-此处vlan3划分到13-24端口）注：以上配置是根据现场要求24口交换机划分两个vlan平分所有端口三、交换机VLAN IP 互通[h3c]int vlan 2[h3c-vlan-interface 2]ip add 192.168.2.1 255.255.255.0[h3c-vlan-interface 2]quit[h3c]int vlan 3[h3c-vlan-interface 3]ip add 192.168.3.1 255.255.255.0[h3c-vlan-interface 3]quit注：以上配置完成后能通过vlan 2 的端口与vlan 3 的端口互通。

version 5.20, Release 1207#sysname dunan-s5500 设备重命名#super password level 3 simple abcd123456 设置串口连接密码#domain default enable system 说明性文字#telnet server enable telnet服务开启#loopback-detection enable 环回口连接开启#vlan 1description fileserver 注释VLAN连接区域#vlan 2description firewall#vlan 10description erp+sql+other#vlan 20description caiwu#vlan 30description waimao#vlan 40description bigoffice#vlan 50description jishubu#vlan 60description erchejian#vlan 70description huayi#vlan 80description zongcai#vlan 90description webser#vlan 130description wlan#radius scheme system#domain system 说明性文字access-limit disablestate activeidle-cut disableself-service-url disable#traffic classifier c_vlan operator and 将ACL规则定义策略和行为这里和3600是不同的，分为三部if-match acl 3000traffic classifier a_vlan operator andif-match acl 3001#traffic behavior d_vlanfilter denytraffic behavior b_vlanfilter deny#qos policy p_vlanclassifier c_vlan behavior b_vlanqos policy t_vlanclassifier a_vlan behavior d_vlan#local-user h3c 设置web访问用户和密码并定义权限为最高password simple dafmservice-type telnetlevel 3#acl number 3000rule 0 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.90.0 0.0.0.255rule 1 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.90.0 0.0.0.255rule 2 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.20.0 0.0.0.255rule 3 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.30.0 0.0.0.255rule 4 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.40.0 0.0.0.255rule 5 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.50.0 0.0.0.255rule 6 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.60.0 0.0.0.255 rule 7 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.70.0 0.0.0.255 rule 8 deny tcp source 192.168.130.0 0.0.0.255 destination 192.168.80.0 0.0.0.255 rule 9 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.80.0 0.0.0.255 rule 10 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.70.0 0.0.0.255 rule 11 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.60.0 0.0.0.255 rule 12 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 13 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.40.0 0.0.0.255 rule 14 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 rule 15 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 16 deny tcp source 192.168.50.0 0.0.0.255 destination 192.168.130.0 0.0.0.255 rule 17 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 rule 18 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.40.0 0.0.0.255 rule 19 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.50.0 0.0.0.255 rule 20 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.60.0 0.0.0.255 rule 21 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.70.0 0.0.0.255 rule 22 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.90.0 0.0.0.255 rule 23 deny tcp source 192.168.80.0 0.0.0.255 destination 192.168.130.0 0.0.0.255 acl number 3001rule 0 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 rule 1 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.10.0 0.0.0.255 rule 2 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 rule 3 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.30.0 0.0.0.255 rule 4 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.40.0 0.0.0.255 rule 5 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.60.0 0.0.0.255 rule 6 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.70.0 0.0.0.255 rule 7 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.80.0 0.0.0.255 rule 8 deny tcp source 192.168.90.0 0.0.0.255 destination 192.168.130.0 0.0.0.255 建立高级访问控制列表并建立子规则#interface NULL0#interface Vlan-interface1ip address 192.168.1.1 255.255.255.0#interface Vlan-interface2ip address 192.168.2.2 255.255.255.0#interface Vlan-interface10ip address 192.168.10.1 255.255.255.0#interface Vlan-interface20ip address 192.168.20.1 255.255.255.0#interface Vlan-interface30ip address 192.168.30.1 255.255.255.0#interface Vlan-interface40ip address 192.168.40.1 255.255.255.0#interface Vlan-interface50ip address 192.168.50.1 255.255.255.0#interface Vlan-interface60ip address 192.168.60.1 255.255.255.0#interface Vlan-interface70ip address 192.168.70.1 255.255.255.0#interface Vlan-interface80ip address 192.168.80.1 255.255.255.0#interface Vlan-interface90ip address 192.168.90.1 255.255.255.0#interface Vlan-interface130ip address 192.168.130.1 255.255.255.0 配置VLAN网关，实际为设置vlan间路由#interface GigabitEthernet1/0/1port access vlan 10 将接口划入vlan#interface GigabitEthernet1/0/2port access vlan 10#interface GigabitEthernet1/0/3port access vlan 10#interface GigabitEthernet1/0/4port access vlan 90qos apply policy t_vlan inbound 定义策略到接口#interface GigabitEthernet1/0/5port access vlan 20#interface GigabitEthernet1/0/6port access vlan 20#port access vlan 30#interface GigabitEthernet1/0/8port access vlan 30#interface GigabitEthernet1/0/9port access vlan 40#interface GigabitEthernet1/0/10port access vlan 40#interface GigabitEthernet1/0/11port access vlan 50qos apply policy p_vlan inbound 定义策略到接口#interface GigabitEthernet1/0/12port access vlan 50qos apply policy p_vlan inbound定义策略到接口#interface GigabitEthernet1/0/13port access vlan 60#interface GigabitEthernet1/0/14port access vlan 60#interface GigabitEthernet1/0/15port access vlan 70#interface GigabitEthernet1/0/16port access vlan 70#interface GigabitEthernet1/0/17port access vlan 80qos apply policy p_vlan inbound定义策略到接口#interface GigabitEthernet1/0/18port access vlan 80qos apply policy p_vlan inbound 定义策略到接口#interface GigabitEthernet1/0/19port access vlan 130qos apply policy p_vlan inbound 定义策略到接口#port access vlan 130qos apply policy p_vlan inbound 定义策略到接口#interface GigabitEthernet1/0/21duplex fullflow-control#interface GigabitEthernet1/0/22#interface GigabitEthernet1/0/23port access vlan 2#interface GigabitEthernet1/0/24port access vlan 2#interface GigabitEthernet1/0/25shutdown#interface GigabitEthernet1/0/26shutdown#interface GigabitEthernet1/0/27shutdown#interface GigabitEthernet1/0/28shutdown#ip route-static 0.0.0.0 0.0.0.0 192.168.2.1 配置到防火墙的默认路由#snmp-agentsnmp-agent local-engineid 800063A20300E0FC123456snmp-agent sys-info version v3 简单网络管理协议的描述#load xml-configuration#user-interface aux 0 开启aux口和telnet访问的权限并设定串口访问密码authentication-mode passwordset authentication password simple abcd123456user-interface vty 0 4user privilege level 3set authentication password cipher ^BM!.#M()1=%X)AG\U/NCA!! protocol inbound telnet#。

H3C三层交换机S5500初始配置+网络访问策略H3C三层交换机S5500初始配置+网络访问策略作者：饮马闪客发布于：2014-7-31 22:00 Thursday 分类：网络相关以下为H3C交换机系列S5500型号的初始配置首先连接交换机的CONSOLE口，使用超级终端进入交换机操作的指令界面:配置VLAN1地址：<HG-S5500> sysSystem View: return to User View with Ctrl+Z.[HG-S5500] interface Vlan-interface 1[HG-S5500-Vlan-interface1] ip address 192.168.254.1 24开启web和telnet服务：[HG-S5500] ip http enable[HG-S5500] telnet server enable建立管理用户：[HG-S5500] local-user admin设置密码：[HG-S5500-luser-admin] password cipher admin110为该用户开启web服务：[HG-S5500-luser-admin] service-type web为该用户开启telnet服务：[HG-S5500-luser-admin] service-type telnet将该用户设置为管理员级别：[HG-S5500-luser-admin] authorization-attribute level 3telnet访问（vty）配置：[HG-S5500] user-interface vty 0 4配置本地或远端用户名口令认证方式[HG-S5500-ui-vty0-4] authentication-mode scheme配置静态路由连接外网：[HG-S5500] ip route-static 0.0.0.0 0.0.0.0 192.168.254.2 (注:静态路由地址为外网进来的接口地址)建立网段访问策略，以vlan31为例，首先建立vlan31:[HG-S5500]vlan 31配置vlan31的ip地址：[HG-S5500] interface Vlan-interface 31[HG-S5500-Vlan-interface31] ip address 192.168.31.1 24编写31网段的访问规则如能访问34、35网段，不能访问其他网段：给其能访问的规则名为 acl number 3100:[HG-S5500] acl number 3100[HG-S5500-acl-adv-3100] rule permit ip source 192.168.31.1 0.0.0.255 destination 192.168.34.0 0.0.0.255[HG-S5500-acl-adv-3100] rule permit ip source 192.168.31.1 0.0.0.255 destination 192.168.35.0 0.0.0.255限制其访问其他网段名为 acl number 3600:[HG-S5500] acl number 3600[HG-S5500-acl-adv-3600] rule permit ip source 192.168.31.1 0.0.0.255 destination 192.168.0.0 0.0.255.255首先注意一点交换机S5500不支持packet_filter，因此只能通过Qos实现vlan策略，以上诉vlan31为例接着定义类h3100: [HG-S5500] traffic classifier h3100[HG-S5500-classifier-h3100] if-match acl 3100定义类h3600：[HG-S5500] traffic classifier h3600[HG-S5500-classifier-h3600] if-match acl 3600创建流hb3100为允许访问，hb3600为不允许访问：[HG-S5500] traffic behavior hb3100[HG-S5500-behavior-hb3100] filter permit[HG-S5500] traffic behavior hb3600[HG-S5500-behavior-hb3600] filter deny创建Qos policy:[HG-S5500] qos policy hvlan31绑定：[HG-S5500-qospolicy-hvlan31] classifier h3100 behavior hb3100[HG-S5500-qospolicy-hvlan31] classifier h3600 behavior hb3600绑定Qos策略：[HG-S5500] qos vlan-policy hvlan31 vlan 31 inbound初始化操作：<HG-S5500> reset saved-configuration选择确认初始化Y：<HG-S5500> Y重启即可生效：<HG-S5500> reboot保存配置：[HG-S5500] saveThe current configuration will be written to the device. Are you sure? [Y/N]: yPlease input the file name(*.cfg)[flash:/20130115.cfg](To leave the existing filename unchanged, press the enter key): 20140408.cfg备注：编写其他vlan策略，请仿照红字处vlan31开始根据步骤编写即可。

H3C S5500基本配置思路及实用命令1.总体配置思路：1)添加VLAN1，并将相应端口添加到该VLAN。

(在VLAN状态下才可一次将多个端口加入相应VLAN,interfacee1/0/1toe1/0/24)2)添加VLAN2，并将其置为管理VLAN(在#状态下management-vlan 2)，才可设置其VLAN的IP地址。

3)添加静态路由。

4)配置端口TRUNK模式。

5)配置远程登录VTY认证。

6)配置本地用户。

2.进入特权模式System View<H3C> System ViewSystem View:return to User View with Ctrl+Z.[H3C]dis[H3C]display cur3.配置交换机主机名sysnamesysname H3C4.添加VLANvlan 1或在此状态下直接将相应端口加入该VLAN (否则只能一个口的添加)Interface e 1/0/1 to e 1/0/245.配置管理VLAN-- management-vlanmanagement-vlan 26.给管理VLAN添加IP地址interface Vlan-interface1 ip address10."10."40."176255."255."255."07.添加端口到VLAN：port access vlan 1port access vlan 18.远程登录配置及3A认证模式user-interface vty 0 4authentication-mode scheme9.配置3A认证本地用户及属性local-user testpassword simple testpwdauthorization-attribute level 3可能的配置local-user testpassword simple test level 310."将端口配置为Trunk口port link-type trunkport trunk permit vlan all 11."添加静态路由ip route-static0."0.0."00."0.0."010."10."40."112."查看路由表display ip routing-table[H3C]display ip routing-tableRouting Tables:PublicDestinations :7 Routes :7Destination/Mask Proto Pre Cost NextHop Interface0.0."0.0/0 Static 60 010."10."40."1 Vlan210."10."40."0/24 Direct 0 010."10."40."180 Vlan210."40."180/32 Direct 0 0 127."0.0."1 InLoop0127."0.0."0/8 Direct 0 0 127."0.0."1 InLoop0127."0.0."1/32 Direct 0 0 127."0.0."1 InLoop019168."76."0/24 Direct 0 0192."168."76."3 Vlan76192."168."76."3/32 Direct 0 0127."0.0."1 InLoop013."显示当前配置display current-configuration[H3C]display current-configuration14."查看端口及VLAN的up/down状态display brief interface[H3C]display brief interfaceThe brief information of interface(s) under route mode:Interface Link Protocol-link Protocol type Main IPNULL0 UP UP(spoofing) NULL --Vlan1 UP UP ETHERNET192."168."76."3Vlan2 UP UP ETHERNET10."10."40."180The brief information of interface(s) under bridge mode:Interface Link Speed Duplex Link-type PVIDGE1/0/1 UP 1G(a) full(a) access 1GE1/0/2 DOWN auto auto access 1GE1/0/3 DOWN auto auto access 1The brief information of interface(s) under bridge mode:Interface Link Speed Duplex Link-type PVIDGE1/0/1 UP 1G(a) full(a) access 1display brief interface Vlan-interface 1[H3C]display brief interface Vlan-interface 1The brief information of interface(s) under route mode:Interface Link Protocol-link Protocol type Main IPVlan1 UP UP ETHERNET192."168."76."315."查看MAC地址缓存表display mac-address[H3C]display mac-address16."查看某一端口的MAC地址缓存表17."查看ARP缓存表display arp[H3C]display arpType:S-Static D-DynamicIP Address MAC Address VLAN ID Interface Aging Type192."168."76."56 0016-eca2-d69d 1 GE1/0/1 20 D192."168."76."131 0016-3642-e888 1 GE1/0/1 19 D192."168."76."171 0024-1d6e-6fbe 1 GE1/0/1 13 D10."10."40."1 0018-742d-4fc0 2 GE1/0/19 14 D192."168."76."1 0018-742d-4fc0 1 GE1/0/19 10 D18."Tftp备份配置1)查看配置文件名及所在文件夹-dir配置文件名可能为startup.cfg或config.cfg配置文件可能在flash:/或unit1>flash:/目录下<jyzx-px-zhongxin>dir flash:/Directory of flash:/0 -rw- Aug 11 2010 16:27:52 s5500tpsi-cmw520-r2202p11."bin1 -rw- 2365 Apr 26 2000 12:13:58startup.cfg(配置文件名)31496 KB total (23460 KB free)<jyzx-bg-3-d>dirDirectory of unit1>flash:/1 -rw- 3146 Jan 01 2004 00:00:00 config.def2 (*) -rw- Mar 25 2011 16:51:52 s31si_e-cmw310-r2211p07."bin3 (*) -rw- 886025 Jan 01 2004 00:00:00 h3c-http3."1.9-0019."web4 (*) -rw- 2834 Apr 03 2000 01:20:33config.cfg(配置文件名)7239 KB total (2739 KB free)(*) -with main attribute (b) -with backup attribute(*b) -with both main and backup attribute<jyzx-bg-4-x>tftp172."16."8.91 put unit1>flash:/config.cfg10."10."40."185."txtFile will be transferred in binary mode.Sending file to remote tftp server. Please wait... |TFTP:2979 bytes sent in 0 second(s).File uploaded successfully.<jyzx-bg-4-x>dirDirectory ofunit1>flash:/1 -rw- 3146 Jan 01 2004 00:00:00 config.def2 (*) -rw- Mar 25 2011 16:51:52 s31si_e-cmw310-r2211p07."bin3 (*) -rw- 886025 Jan 01 2004 00:00:00 h3c-http3."1.9-0019."web4 (*) -rw- 2979 Apr 02 2000 07:17:02config.cfg7239 KB total (2739 KB free)(*) -with main attribute (b) -with backup attribute(*b) -with both main and backup attribute2)配置可以使用tftp的ACLacl number 2000rule permit source172."16."8.91 0[jyzx-px-zhongxin]acl number 2000[jyzx-px-zhongxin-acl-basic-2000]rule permit source172."18.91 ?0 Wildcard bits :0."0.0."0 ( a host )X.X.X.X Wildcard of source[jyzx-px-zhongxin-acl-basic-2000]rule permit source172."16."8.91 03)配置tftp服务器- tftp-server acl 2000tftp-server acl 2000[jyzx-px-zhongxin]tftp-server acl 2000The ACL number does not exist or contains no rule. Continue? [Y/N]:y(如果还没有配置ACL,则会有此提示)[jyzx-px-zhongxin]tftp client source ip172."16."8.914)备份配置文件到tftp软件所在目录下(在用户视图下,即“>”状态下)172."16."8.91 put flash:/startup.cfg (无目标文件名则表示与源文件名同名)tftp172."16."8.91 put flash:/startup.cfg startup.txt(将配置文件保存为txt文件)<jyzx-px-zhongxin>tftp 172."16."8.91 put flash:/startup.cfgFile will be transferred in binary modeSending file to remote TFTP server. Please wait... \TFTP:2365 bytes sent in 0 second(s).File uploaded successfully.<jyzx-px-zhongxin>tftp172."16."8.91 put flash:/startup.cfg10."10."40."177."txtFile will be transferred in binary modeSending file to remote TFTP server. Please wait... \ TFTP:2365 bytes sent in 0 second(s).File uploaded successfully.5)小结过程在特权状态下配置ACL和Tftp-server信息acl number 2000rule permit source172."16."8.91 0quittftp-server acl 2000save在用户视图下备份配置tftp172."16."8.91 put flash:/startup.cfg10."10."40."177."txt19."关闭实时信息-undo info-center enable[jyzx-bg-4-x]undo info-center enable% Information center is disabled20."21."问题1：无法用system-view命令进入特权模式问题2：无法配置VLAN的IP地址原因：因为local-user中用户认证属性设置不对，level 3必须设置。

Knowledge by LauH3C S5500-EI 典型配置事例1、文档目的通过此典型配置的事例，可以为以后的H3C交换机配置作为一个参考2、说明2.1、属于个人理解，所以不一定全面正确，只做参考2.1、叠堆设置在文档最后部分2.2、环境说明5台cisco 3750接入层交换机，通过堆叠方式，形成统一管理。

现把接入层5台cisco 3750交换机更换成H3C 5500 交换机，增强业务能力。

配置均需要与原有配置相同，以及需要满足用户提出的设置要求。

3、配置部分3.1、基本配置sysname H3C5500 #设置交换机名字super password level 3 cipher admin #设置用户转换等级时需要的密码telnet server enable #开启telnet服务ip route-static 0.0.0.0 0.0.0.0 Vlan-interface1 10.16.5.9 #配置vlan1默认静态路由mac-address timer aging 360 #配置mac地址老化时间（360s）3.2、vty端口设置user-interface vty 0 4 #进入vty接口authentication-mode scheme#Vty口的登录权限，命令的授权和审计均使用AAA服务器command authorizationcommand accountingset authentication password cipher .#本地认证的密文密码idle-timeout 15 0#设置回话空闲超时3.3、本地用户配置local-user admin#创建本地用户password cipher -I<D3GV1;!QSV;PNMV*FI1!!#设置本地用户密文密码authorization-attribute level 3#授权级别为3service-type telnet#服务类型为telnet3.4、NTP配置ntp-service unicast-server 192.168.5.30#配置NTP服务器地址clock timezone 1 add 08:00:00#时区设置，+8小时info-center source default channel 1 trap level informational #把channel 1 的所有警告类信息等级设置为information，其余类别的等级默认info-center source default channel 3 log state on#开启channel 3所有事件的log功能info-center loghost 10.16.35.1 channel 1#调用channel 1的信息，传输到log主机中info-center synchronous#开启配置信息防打断功能3.6、接口配置（环路检测，端口安全，广播组播数据限制）port-security enable#全局开启端口安全（要使端口安全生效，必须全局和端口都开启）port-security trap intrusion#trap端口安全的检测动作loopback-detection enable#全局开启环路检测（要使端口环路检测生效，必须全局和端口都开启）loopback-detection interval-time 5#设置环路检测的时间间隔为5s（默认30s）interface GigabitEthernet1/0/1port link-mode bridge #使端口工作在2层loopback-detection enable #开启端口环路检测loopback-detection action shutdown #设置检测到环路的行为为关闭该端口stp edged-port enable #开启边缘端口特性port-security max-mac-count 1#设置端口最大学习mac地址数量为1个port-security port-mode autolearn#设置端口自动学习mac地址port-security intrusion-mode disableport-temporarily#设置端口违反安全规则的行为为关闭端口20sbroadcast-suppression 1#允许端口传输广播数据的百分比为1%multicast-suppression 20#允许端口传输组播数据的百分比为20%snmp-agentsnmp-agent community read netinfo#配置读权限的团体名snmp-agent log all#开启snmp操作的log功能snmp-agent sys-info version all#开启snmp所有版本支持（这里是v2c，v2，v1的配置，v3的有不同)snmp-agent target-host trap address udp-domain 10.16.35.1 params securityname netinfo#配置snmp服务器和发送trap报文使用的团体名为netinfosnmp-agent trap enable default-route#配置snmp trap默认路由，如不配置，则默认trap所有信息3.8、AAA配置集合hwtacacs scheme h3c#配置hwtacacs认证名称primary authentication 10.16.8.119#分别配置认证，授权，审计的主/备服务器secondary authentication 10.16.8.118primary authorization 10.16.8.119secondary authorization 10.16.8.118primary accounting 10.16.8.119secondary accounting 10.16.8.118key authentication cisco#分别配置与认证服务器进行认证，授权，审计之间通讯的密钥key authorization ciscokey accounting ciscouser-name-format without-domain#传输用户名称到认证服务器时去除域名domain #建域,cnauthentication login hwtacacs-scheme h3c local#引用HWTACACS的h3c认证方案，如服务器无响应则使用本地验证authorization login hwtacacs-scheme h3c localccounting login hwtacacs-scheme h3c localauthentication super hwtacacs-scheme h3c#用户级别的转换授权引用HWTACACS的h3c认证方案authorization command hwtacacs-scheme h3c none#用户命令的授权使用HWTACACS的h3c的授权方案，服务器如无响应则不需要授权accounting command hwtacacs-scheme h3c#命令的审计引用HWTACACS的h3c的审计方案access-limit disable#关闭接入用户数量的限制state active#激活该域idle-cut disable#关闭空闲超时4、部分配置详细解析及理论4.1、信息中心理论解析：4.1.1、信息中心的信息分类和等级：由于H3C采用信息中心的概念管理交换机上的信息，所以H3C交换机的log，trap，debug 信息必须通过信息设置。

1：配制系统名Sysname + 名字2：进入接口interface GigabitEthernet1/0/23：配置接口IP地址作用：给接口一个网络上唯一的区分符Interface vlan 1Ip address 168.10.2.1 255.255.255.04：查看交换机信息显示版本------display version显示当前配置信息---------display current显示NVRAM的配置-------display saved-config显示接口信息---------display interface显示路由信息-------display ip routing-table显示启动引导文件------display boot-loader显示系统时间-------------------display clock修改系统时间-------------------clock datetime 10:20:25 月/日/年查看设备版本及运行时间-------------------display version查看vlan接口相关信息----------------------------display ip interface vlan-interface 20 5：VLAN配制创建VLAN---------vlan 10(1-4094)删除VLAN--------undo vlan 10(1-4094)在VLAN中增加端口------port Ethernet 1/0/1在VLAN中删除端口--------undo port Ethernet 1/0/1将端口加入VLAN----------port access vlan 10(1-4094)将端口脱离VLAN-----------undo port access vlan 10(1-4094)显示VLAN信息---------------display vlan 10（1-4094）6：Tunk配制定义端口属性为Trunk--------port link-type trunk删除端口Trunk属性-----------undo port link-type定义端口可以传输的VLAN--------port trunk permit vlan 10在VLAN中删除端口---------------undo port trunk permit vlan 107：Link Aggregation作用：将几条物理链路聚合在一起，当作一条逻辑链路来使用，分为静态聚合和动态聚合。

目录1 RRPP配置命令..................................................................................................................................1-11.1 RRPP配置命令..................................................................................................................................1-11.1.1 control-vlan.............................................................................................................................1-11.1.2 display rrpp brief.....................................................................................................................1-11.1.3 display rrpp ring-group...........................................................................................................1-31.1.4 display rrpp statistics..............................................................................................................1-41.1.5 display rrpp verbose...............................................................................................................1-71.1.6 domain ring.............................................................................................................................1-91.1.7 protected-vlan.......................................................................................................................1-101.1.8 reset rrpp statistics...............................................................................................................1-111.1.9 ring........................................................................................................................................1-121.1.10 ring enable..........................................................................................................................1-141.1.11 rrpp domain........................................................................................................................1-151.1.12 rrpp enable.........................................................................................................................1-151.1.13 rrpp ring-group....................................................................................................................1-161.1.14 timer....................................................................................................................................1-171 RRPP配置命令1.1 RRPP配置命令1.1.1 control-vlan【命令】control-vlan vlan-idundo control-vlan【视图】RRPP域视图【缺省级别】2：系统级【参数】vlan-id：控制VLAN的ID，取值范围为2～4093。

写过华为S8508的策略路由，这次碰到一台H3C S5500，在配置上和华为交换机有些不同。

大致配置如下：拓扑图：网络情况如下：用户1网络：172.16.1.0/24用户2网络： 192.168.1.0/24至出口1网络：172.16.100.0/24至出口2网络：192.168.100.0/24实现功能：用户1通过互联网出口1，用户2通过互联网出口2。

功能实现：在三层交换台机上配置默认路由，将数据包丢向192.168.100.253，再利用策略路由，凡是用户2网络IP192.168.1.0/24的地址都丢向172.16.100.253。

配置步骤：说明：这里接口的配置等操作就不在写了。

1、首先建立默认路由，将所有的数据包都丢往出口2的下一节点192.168.100.253[H3C5500] ip route-static 0.0.0.0 0.0.0.0 192.168.100.2532、配置流分类1，对象为172.16.1.0/24的数据[H3C5500]acl number 3001[H3C5500-acl-adv-3001] rule 0 permit ip source 172.16.1.0 0.0.0.255 [H3C5500] quit[H3C5500] traffic classifier 1[H3C5500-classifier-1] if-match acl 3001[H3C5500-classifier-1] quit3、配置刚才定义的流分类的行为，定义如果匹配就下一跳至出口1即172.16.100.253[H3C5500] traffic behavior 1[H3C5500-behavior-1] redirect next-hop 172.16.100.253[H3C5500-behavior-1] quit4、将刚才设置的应用至QOS策略中，定义policy 1[H3C5500] qos policy 1[H3C5500-qospolicy-1] classifier 1 behavior 1[H3C5500-qospolicy-1] quit5、在接口上应用定义的QOS策略policy 1[H3C5500] interface GigabitEthernet 1/0/15[H3C5500-GigabitEthernet1/0/15] qos apply policy 1 inbound[H3C5500-GigabitEthernet1/0/15] quit至此，配置已完成。

H3C_S5500-EI_IRF及以太口堆叠的典型配置H3C S5500-EI IRF堆叠的典型配置一、组网需求：配置两台S5500-EI交换机进行链型堆叠，并分别配置成员编号为1、2线缆连接方式如图所示二、组网图：三、配置步骤：(1) 两台设备不连堆叠线缆，分别上电，分别配置# 在Switch 1上的配置。

#[Switch-01]dis versionH3C Comware Platform SoftwareComware Software, Version 5.20, Release 2202 ------查看版本#[Switch-01]irf member 1 renumber 1Warning: Renumbering the switch number may result in configuration change or loss. Continue?(Y/N)y#[Switch-01]irf member 1 irf-port 1 port 1#[Switch-01]irf member 1 irf-port 1 port 2# 在Switch 1上的配置。

#[Switch-01]dis versionH3C Comware Platform SoftwareComware Software, Version 5.20, Release 2202 ------查看版本#[Switch-01]irf member 1 renumber 1Warning: Renumbering the switch number may result in configuration change or loss. Continue?(Y/N)y#[Switch-01]irf member 1 irf-port 2 port 3#[Switch-01]irf member 1 irf-port 2 port 4(2) 关闭三台设备电源，将三台设备按照组网图连接堆叠电缆，然后全部上电，堆叠形成。

目录1 Track配置 ............................................................................................................................................ 1-11.1 Track简介 ......................................................................................................................................... 1-11.1.1 Track模块与监测模块联动 ..................................................................................................... 1-11.1.2 Track模块与应用模块联动 ..................................................................................................... 1-11.2 Track配置任务简介........................................................................................................................... 1-11.3 配置Track与监测模块联动.............................................................................................................. 1-21.3.1 配置Track与NQA联动 ........................................................................................................ 1-21.3.2 配置Track与BFD联动......................................................................................................... 1-21.4 配置Track与应用模块联动.............................................................................................................. 1-21.4.1 配置Track与VRRP联动...................................................................................................... 1-21.4.2 配置Track与静态路由联动 ................................................................................................... 1-31.5 Track显示和维护 .............................................................................................................................. 1-41.6 Track典型配置举例........................................................................................................................... 1-41.6.1 VRRP、Track与NQA联动配置举例..................................................................................... 1-41.6.2 静态路由、Track与NQA联动配置举例................................................................................ 1-81 Track配置1.1 Track简介图1-1联动功能实现示意图Track的用途是实现联动功能。

H3C S5500-EI NQA经典配置网络拓扑如下5500 交换机verH3C Comware Platform SoftwareComware Software, Version 5.20, Release 2202Copyright (c) 2004-2009 Hangzhou H3C Tech. Co., Ltd. All rights reserved.H3C S5500-52C-EI uptime is 0 week, 2 days, 17 hours, 44 minutesH3C S5500-52C-EI with 1 Processor256M bytes SDRAM32768K bytes Flash MemoryHardware Version is REV.CCPLD Version is 002Bootrom Version is 509[SubSlot 0] 48GE+4SFP Hardware Version is REV.C1、交换机上一个客户端vlan，vlan网关配置在5500交换机上。

(也可以是多个客户端网段)2、交换机通往上游3条等价链路，配置了三条默认路由指向外网路由器，三条默认路由优先级和cost值相同。

ip route-static 0.0.0.0 0.0.0.0 172.16.1.9 track 1ip route-static 0.0.0.0 0.0.0.0 172.16.1.13 track 2正常情况下，三条链路均有流量，实现了等价负载均衡。

上游路由器回指了三条到192.168.1.0 的路由，三条路由优先级和cost值相同。

没配置NQA时如果任意1条或2条默认路由下一跳失效了（链路断了），但查看路由表三条等价默认路由依然存在，这时系统认为默认路由仍然可用，依旧进行3条链路的等价负载均衡，这时候就会有包仍然送到失效的下一跳上，部分客户端网络就会中断了，而且不会自行恢复，除非你自行删除失效的默认路由。

目录1 RRPP配置 ........................................................................................................................................... 1-11.1 RRPP简介 ........................................................................................................................................ 1-11.1.1 RRPP产生背景 ...................................................................................................................... 1-11.1.2 RRPP基本概念 ...................................................................................................................... 1-11.1.3 RRPP协议报文 ...................................................................................................................... 1-31.1.4 RRPP定时器.......................................................................................................................... 1-41.1.5 RRPP运行机制 ...................................................................................................................... 1-41.1.6 RRPP典型组网 ...................................................................................................................... 1-51.1.7 协议规范 ................................................................................................................................ 1-81.2 RRPP配置任务简介.......................................................................................................................... 1-81.3 创建RRPP域................................................................................................................................... 1-91.4 配置控制VLAN................................................................................................................................. 1-91.5 配置保护VLAN............................................................................................................................... 1-101.6 配置RRPP环................................................................................................................................. 1-101.6.1 配置RRPP端口................................................................................................................... 1-111.6.2 配置RRPP节点................................................................................................................... 1-111.7 激活RRPP域................................................................................................................................. 1-131.8 配置RRPP定时器.......................................................................................................................... 1-131.9 配置RRPP环组 ............................................................................................................................. 1-141.10 RRPP显示和维护 ......................................................................................................................... 1-141.11 RRPP典型配置举例...................................................................................................................... 1-151.11.1 单环配置举例 ..................................................................................................................... 1-151.11.2 相交环配置举例.................................................................................................................. 1-171.11.3 相交环负载分担配置举例................................................................................................... 1-211.12 常见配置错误举例......................................................................................................................... 1-301 RRPP配置1.1 RRPP简介RRPP（Rapid Ring Protection Protocol，快速环网保护协议）是一个专门应用于以太网环的链路层协议。