华为S5700 交换机 操作手册

华为S5700交换机操作手册MEth 0/0/1 属于管理口system-view[Quidway]interface MEth 0/0/1[Quidway]ip adddress 192.168.5.2 255.255.255.0 #设置管理ip配置连接密码打开web操作sysaaalocal-user huawei password cipher adminlocal-user huawei level15local-user huawei ftp-directory flash;local-user hawed service-type telnet terminal httpCONSOLE:通过密码：[Quidway]user-interface con 0[Quidway-ui-console0]authentication-mode password[Quidway-ui-console0]set authentication password simple h3c[Quidway-ui-console0]user privilege level 3------------->可以不配置，默认级别是3通过用户名和密码：[Quidway]local-user quidway[Quidway-luser-quidway]password simple h3c[Quidway-luser-quidway]service-type terminal level 3[Quidway]user-interface con 0[Quidway-ui-console0]authentication-mode schemeTELNET:通过密码：[Quidway]user-interface vty 0 4[Quidway-ui-vty0-4]authentication-mode password [Quidway-ui-vty0-4]set authentication password simple h3c [Quidway-ui-vty0-4]user privilege level 3通过用户名和密码：[Quidway]user-interface vty 0 4[Quidway-ui-vty0-4]authentication-mode password [Quidway-ui-vty0-4]set authentication password simple h3c [Quidway]local-user quidway[Quidway-luser-quidway]password simple h3c [Quidway-luser-quidway]service-type telnet level 3默认是VRP1.74和1.44是没有缺省用户名和密码的。

SW1配置如下：<Huawei><Huawei>sy<Huawei>system-view （进入全局模式）Enter system view, return user view with Ctrl+Z.[Huawei]sy[Huawei]sysname SW1 ( 设备命名）[SW1][SW1]d[SW1]dhcp en[SW1]dhcp enable （使用DHCP功能）Info: The operation may take a few seconds. Please wait for a moment.done.[SW1][SW1]ip pool 10 （创建全局地址池，同时进入全局地址池视图）Info:It's successful to create an IP address pool.[SW1-ip-pool-10]netw[SW1-ip-pool-10]network 192.168.10.0 m[SW1-ip-pool-10]network 192.168.10.0 mask 24（配置全局地址池可动态分配的IP地址范围）[SW1-ip-pool-10][SW1-ip-pool-10]dns-list 8.8.8.8 （配置DNS ）[SW1-ip-pool-10][SW1-ip-pool-10]gateway-list 192.168.10.1 （配置网关）[SW1-ip-pool-10]ex[SW1-ip-pool-10]excluded-ip-address 192.168.10.201 192.168.10.254 （保留不被分配的地址）[SW1-ip-pool-10][SW1-ip-pool-10]lease d[SW1-ip-pool-10]lease day 7 （IP租约期限）[SW1-ip-pool-10][SW1-ip-pool-10]dis this （查询当前模式的配置）#ip pool 10gateway-list 192.168.10.1 （网关）network 192.168.10.0 mask 255.255.255.0 （IP地址范围）excluded-ip-address 192.168.10.201 192.168.10.254 （保留IP地址范围）lease day 7 hour 0 minute 0 （IP租约周期）dns-list 8.8.8.8#return[SW1-ip-pool-10][SW1-ip-pool-10][SW1-ip-pool-10]quit (退出）[SW1][SW1][SW1][SW1]ip pool 20Info:It's successful to create an IP address pool.[SW1-ip-pool-20][SW1-ip-pool-20][SW1-ip-pool-20]netw[SW1-ip-pool-20]network 192.168.20.0 m[SW1-ip-pool-20]network 192.168.20.0 mask 24[SW1-ip-pool-20][SW1-ip-pool-20][SW1-ip-pool-20]d[SW1-ip-pool-20]dns-list 8.8.8.8[SW1-ip-pool-20][SW1-ip-pool-20]g[SW1-ip-pool-20]gateway-list 192.168.20.1[SW1-ip-pool-20][SW1-ip-pool-20][SW1-ip-pool-20]ex[SW1-ip-pool-20]excluded-ip-address 192.168.20.201 192.168.20.254 [SW1-ip-pool-20][SW1-ip-pool-20][SW1-ip-pool-20]l[SW1-ip-pool-20]lease d[SW1-ip-pool-20]lease day 7[SW1-ip-pool-20][SW1-ip-pool-20][SW1-ip-pool-20][SW1-ip-pool-20][SW1-ip-pool-20]dis this#ip pool 20gateway-list 192.168.20.1network 192.168.20.0 mask 255.255.255.0excluded-ip-address 192.168.20.201 192.168.20.254lease day 7 hour 0 minute 0dns-list 8.8.8.8#return[SW1-ip-pool-20][SW1-ip-pool-20][SW1-ip-pool-20]q[SW1][SW1][SW1]v[SW1]vlan b[SW1]vlan batch 10 20 （批量创建vlan）Info: This operation may take a few seconds. Please wait for a moment...done. [SW1][SW1][SW1]int[SW1]interface g[SW1]interface GigabitEthernet 0/0/1 （进入port 1)[SW1-GigabitEthernet0/0/1]por[SW1-GigabitEthernet0/0/1]port l[SW1-GigabitEthernet0/0/1]port link-t[SW1-GigabitEthernet0/0/1]port link-type a[SW1-GigabitEthernet0/0/1]port link-type access (配置port 1 类型）[SW1-GigabitEthernet0/0/1][SW1-GigabitEthernet0/0/1][SW1-GigabitEthernet0/0/1]port[SW1-GigabitEthernet0/0/1]port def[SW1-GigabitEthernet0/0/1]port default v[SW1-GigabitEthernet0/0/1]port default vlan 10 （配置port 1 vlan) [SW1-GigabitEthernet0/0/1][SW1-GigabitEthernet0/0/1]quit (退出）[SW1][SW1]int[SW1]interface g[SW1]interface GigabitEthernet 0/0/2[SW1-GigabitEthernet0/0/2][SW1-GigabitEthernet0/0/2][SW1-GigabitEthernet0/0/2][SW1-GigabitEthernet0/0/2]por[SW1-GigabitEthernet0/0/2]port l[SW1-GigabitEthernet0/0/2]port link-t[SW1-GigabitEthernet0/0/2]port link-type a[SW1-GigabitEthernet0/0/2]port link-type access[SW1-GigabitEthernet0/0/2][SW1-GigabitEthernet0/0/2]por[SW1-GigabitEthernet0/0/2]port def[SW1-GigabitEthernet0/0/2]port default v[SW1-GigabitEthernet0/0/2]port default vlan 20[SW1-GigabitEthernet0/0/2][SW1-GigabitEthernet0/0/2]quit[SW1][SW1][SW1][SW1]int[SW1]interface v （配置VLANIF10接口下的客户端从全局地址池中获取IP地址）[SW1]interface Vlanif 10 （创建vlanif 10)[SW1-Vlanif10][SW1-Vlanif10][SW1-Vlanif10]ip add[SW1-Vlanif10]ip address 192.168.10.1 24 (配置IP地址）[SW1-Vlanif10][SW1-Vlanif10]dhcp sel[SW1-Vlanif10]dhcp select g[SW1-Vlanif10]dhcp select global （在vlanif 10模式下调用全局地址池）[SW1-Vlanif10][SW1-Vlanif10][SW1-Vlanif10]dis[SW1-Vlanif10]display this （查询当前配置参数）#interface Vlanif10ip address 192.168.10.1 255.255.255.0dhcp select global#return[SW1-Vlanif10][SW1-Vlanif10][SW1-Vlanif10]quit[SW1][SW1][SW1]int[SW1]interface v[SW1]interface Vlanif 20[SW1-Vlanif20][SW1-Vlanif20][SW1-Vlanif20]ip add[SW1-Vlanif20]ip address 192.168.20.1 24 [SW1-Vlanif20][SW1-Vlanif20]dhcp[SW1-Vlanif20]dhcp sel[SW1-Vlanif20]dhcp select g[SW1-Vlanif20]dhcp select global[SW1-Vlanif20][SW1-Vlanif20]dis this#interface Vlanif20ip address 192.168.20.1 255.255.255.0dhcp select global#return[SW1-Vlanif20][SW1-Vlanif20][SW1-Vlanif20]quit[SW1][SW1]dis[SW1]display ip pool （查看IP地址池配置情况）-----------------------------------------------------------------------Pool-name : 10Pool-No : 0Position : Local Status : UnlockedGateway-0 : 192.168.10.1Mask : 255.255.255.0VPN instance : -------------------------------------------------------------------------Pool-name : 20Pool-No : 1Position : Local Status : Unlocked Gateway-0 : 192.168.20.1Mask : 255.255.255.0VPN instance : --IP address StatisticTotal :506Used :0 Idle :398Expired :0 Conflict :0 Disable :108 [SW1][SW1][SW1]quit<SW1><SW1><SW1>save （保存配置，写入设备）The current configuration will be written to the device.Are you sure to continue?[Y/N]yNow saving the current configuration to the slot 0.Mar 18 2017 13:30:47-08:00 SW1 %%01CFM/4/SAVE(l)[63]:The user chose Y when deciding whether to save the configuration to the device.Save the configuration successfully.<SW1>PC情况如下。

一．准备网口转串口线（母头），串口（公头）转USB线，光转电模块，PC机，IPOP软件IPO 4.1.EXE二．连接将交换机consle口与电脑连接好之后，打开IPOP软件后，点击终端工具使用COM口进行连接操作，在管理里查看COM端口，三．配置1.配置交换机Telne验证方式为AAA认证<s5700>sys[s5700] user-interface vty 0 4[s5700-ui-vty0-4] authentication-mode aaa[s5700-ui-vty0-4] quit2.配置Telnet登录用户参数，用户名、密码、用户级别。

配置用户名为admin，密码也为xinwei@123，用户级别为15级（最高级别）[s5700] aaa[s5700-aaa] local-user admin password cipher xinwei@123[s5700-aaa] local-user admin privilege level 15[s5700-aaa] local-user admin service-type telnet[s5700-aaa]q<s3700>save3．添加VLAN[s5700] vlan 2[s5700-vlan2] quit4.设定端口模式并将端口与vlan做映射[s5700]interface Ethernet0/0/1Access模式[s5700- GigabitEthernet0/0/1 ]port link-type access[s5700- GigabitEthernet0/0/1] port default vlan 2[s5700- GigabitEthernet0/0/1] description To_xiuyingTrunk模式[s5700- GigabitEthernet0/0/1] port link-type trunk[s5700- GigabitEthernet0/0/1] port trunk allow-pass vlan 2[s5700- GigabitEthernet0/0/1] description To_xiuying[s5700-GigabitEthernet0/0/1]quit5．给VLAN添加IP[s5700]interface vlanif 2[s5700-Vlanif2]ip address 192.168.0.253[s5700-Vlanif2] description To_xiuying 可根据具体情况进行说明6．查看交换机配置[s5700]dis cu7．Telnet连接通过光转电模块用网线将PC与配置好的VLAN端口连接，电脑IP配成与VLAN网关同网段下。

华为S5700交换机的基础配置命令# 设置设备的名称为GSH-FZ-Frontsystem-view[Quidway] sysname GSH-FZ-Front?# 设置查看设备的时区,时间clock timezone BJ add 8clock datetime 18:20:30 2011-06-08display clock#telnet远程登录system-view[Quidway] aaa[Quidway-aaa] local-user testadmin password cipher p@ssw0rd privilege level 15 [Quidway-aaa] quit[Quidway]user-interface vty 0 4[Quidway-vty0-4]authentication-mode aaa#添加VLANsystem-view[Quidway] vlan 128[Quidway-vlan128] quit#设定端口模式system-view[Quidway] int gigabitethernet 0/0/1[Quidway-GigabitEthernet0/0/1] port link-type access#将端口加入Vlansystem-view[Quidway] vlan 131[Quidway-vlan131] port gigabitethernet 0/0/21 to 0/0/22 [Quidway-Vlan131] quit#设置Trunksystem-view[Quidway] interface GigabitEthernet 0/0/23[Quidway-GigabitEthernet0/0/23] port link-type trunk [Quidway-GigabitEthernet0/0/23] port trunk allow-pass vlan 128 131 #设置VLAN IP(管理IP)system-view[Quidway] interface vlanif 131[Quidway-Vlanif131] ip address 192.168.0.253 255.255.255.0 [Quidway-Vlanif131] shutdown[Quidway-Vlanif131] undo shutdown#设置默认路由system-view[Quidway] ip route-static 0.0.0.0 0.0.0.0 192.168.0.254#设定NTPsystem-view[Quidway] ntp-service unicast-peer 192.168.0.254# 关闭WEB Server,dhcpsystem-view[Quidway] undo http server enable[Quidway] undo dhcp enable#保存配置save#相关查看命令[Quidway] display version 显示VRP版本号[Quidway] display current-configuration 显示系统运行配置信息[Quidway] display saved-configuration 显示保存的配置信息[Quidway] display interfaces brief 显示接口配置信息。

绑定客户端IP+MAC+端口[Huawei]user-bind static ip-address 192.168.2.2 mac-address 5489-9852-137A interface GigabitEthernet 0/0/2[Huawei]user-bind static mac-address 6489-98CF-1525 interface g0/0/1系统视图下am user-bind mac-addr mac地址ip-addr ip地址interface 接口类型接口序号以太网端口视图下interface 接口类型接口序号am user-bind mac-addr mac地址ip-addr ip地址华为s5700 ip地址+mac地址+端口绑定问：将单位的交换机绑定ip地址，mac地址和端口，实现某台ip为172.16.3.113，mac地址为000B-2F37-FE4F只能通过GigabitEthernet0/0/2这个端口来上网或查看局域网内的共享文件。

答：一般用am user-bind做。

am user-bind ip-address 172.16.3.113 mac-address 000B-2F37-FE4F interface GigabitEthernet0/0/2首先要有思想准备，工作量巨大。

答：用完后可以到所在VLAN或者端口执行：ip source check user-bind enable一、1、系统视图下am user-bind mac-addr mac地址 ip-addr ip地址 interface 接口类型接口序号2、以太网端口视图下interface 接口类型接口序号am user-bind mac-addr mac地址 ip-addr ip地址二、端口绑定2.1 端口绑定命令2.1.1 am user-bind interface【命令】am user-bind mac-addr mac-address ip-addr ip-address interfaceinterface-type interface-numberundo am user-bind mac-addr mac-address ip-addr ip-address interfaceinterface-type interface-number【视图】系统视图【参数】mac-address：绑定的MAC 地址值。

1.现场情况说明：我这边是一台misgate服务器，下面有五台基于opc通讯的DCS服务器，现场需要做两个配置策略 1 misgate服务器可以和下面五台服务器相互访问 2 下面五台服务器相互之间不能访问图11 misgate服务器可以和下面五台服务器相互访问1 首先你要有根console线，你要有根console线，console线（重要的事说三遍）2 你要有个超级终端，有个超级终端，超级终端（重要的事说三遍,本文档附带超级终端）3 console线连接console口和电脑，打开超级终端，点击新建连接，正确设置波特率、地址位（三层交换机自带设置文档）4 配置VLAN间通过VLANIF接口通信示例（下面的代码是为交换机口分配ip，这个ip也是服务器的默认网关，但是请注意，按着当前步骤配置过后，六个服务器之间实际上是可以相互ping通的，也就是说，这个步骤只是实现了所有网段之间的互联，没有做下面五台服务器之间的隔离，不信的话可以拿两台电脑上试试，按照图一设置参数，然后相互ping）组网需求企业的不同用户拥有相同的业务，且位于不同的网段。

现在相同业务的用户所属的VLAN不相同，需要实现不同VLAN中的用户相互通信。

如图1所示，User1和User2中拥有相同的业务，但是属于不同的VLAN且位于不同的网段。

现需要实现User1和User2互通。

图1 配置VLAN间通过VLANIF接口通信组网图配置思路采用如下的思路配置VLAN间通过VLANIF接口通信：1.创建VLAN，确定用户所属的VLAN。

2.配置接口加入VLAN，允许用户所属的VLAN通过当前接口。

3.创建VLANIF接口并配置IP地址，实现三层互通。

说明：为了成功实现VLAN间互通，VLAN内主机的缺省网关必须是对应VLANIF接口的IP地址。

操作步骤1.配置Switch# 创建VLAN<HUAWEI> system-view[HUAWEI] sysname Switch[Switch] vlan batch 10 30# 配置接口加入VLAN[Switch] interface gigabitethernet0/0/1[Switch-GigabitEthernet0/0/1] port link-type access[Switch-GigabitEthernet0/0/1] port default vlan 10[Switch-GigabitEthernet0/0/1] quit[Switch] interface gigabitethernet 0/0/3[Switch-GigabitEthernet0/0/2] port link-type access[Switch-GigabitEthernet0/0/2] port default vlan 30[Switch-GigabitEthernet0/0/2] quit# 配置VLANIF接口的IP地址[Switch] interface vlanif 10[Switch-Vlanif10] ip address 129.0.0.1 24[Switch-Vlanif10] quit[Switch] interface vlanif 30[Switch-Vlanif20] ip address 129.0.4.1 24[Switch-Vlanif20] quit2.检查配置结果在VLAN10中的主机上配置IP地址为129.0.0.22/24，缺省网关为VLANIF10接口的IP地址129.0.0.1/24。

华为S5700交换机初始化和配置TELNET远程登录方法：1,交换机开启Telnet服务<Huawei>system-view #进入系统视图[Huawei]telnet server ？ #查看有enable还是disable选项，选择对应的开启方式。

[Huawei]telnet server enable #enable选项开启Telnet服务（普通系列一般为这个）[Huawei]undo telnet server disable #disable选项开启Telnet服务（CE高端系列一般为这个）2，配置VTY用户界面的最大个数（同时可以登录的最大数）[Huawei]user-interface maximum-vty 15 #默认是5，这个可以不设置3，配置VTY用户界面的终端属性[Huawei]user-interface vty 0 14 #上面是15所有这里是0 14 如果选择默认这里是0 4 [Huawei-ui-vty0-14]protocol inbound telnet #配置vty支持telnet协议4，配置VTY用户界面的用户验证方式[Huawei-ui-vty0-14]authentication-mode aaa #配置用户终端的身份验证模式为aaa认证为aaa认证[Huawei-ui-vty0-14]quit #退出vty配置界面5，配置登录验证方式[Huawei]aaa #进入aaa配置模式[Huawei-aaa]local-user admin1234 password ? #查看可以选择的密码选择[Huawei-aaa]local-user admin1234 password simple Huawei1234 #密码选项simple 账号admin1234 密码Huawei1234 (普通系列一般为这个)[Huawei-aaa]local-user admin1234 password irreversible-cipher Huawei12#$ #密码选项irreversible-cipher 账号admin1234 密码Huawei12#$ (CE高端系列一般为这个)[Huawei-aaa]local-user admin1234 service-type telnet #配置接入服务类型，如果还需要SSH 登录请加上[Huawei-aaa]local-user admin1234 privilege level 3 #配置账号的级别，默认3级是超级管理员的权限[Huawei-aaa]quit #退出<Huawei>telnet 127.0.0.1 #测试telnet配置是否OK<Huawei>save #保存配置===================================================================华为S5700交换机初始化和配置SSH和TELNET远程登录方法：AAA是指：authentication（认证）、authorization（授权）、accounting（计费）的简称，是网络安全的一种管理机制；Authentication是本地认证/授权，authorization和accounting是由远处radius（远程拨号认证系统）服务或hwtacacs（华为终端访问控制系统）服务器完成认证/授权；AAA是基于用户进行认证、授权、计费的，而NAC方案是基于接入设备接口进行认证的,在实际应用中，可以使用AAA的一种或两种服务。

设置AAA本地验证。

1.执行命令system-view，进入系统视图。

2.执行命令user-interface console interface-number，进入Console用户界面视图。

3.执行命令authentication-mode aaa，设置用户验证方式为AAA验证。

（这是给console口设需要用户验证才能登录，如果没其他人能接触交换机的话也可以不设）4.执行命令quit，退出Console用户界面视图。

5.执行命令aaa，进入AAA视图。

6.执行命令local-user user-name password { simple | cipher } password，配置本地用户名和密码。

clock timezone BJ add 8startup saved-configuration configuration-file指定下次启动用的配置文件使用display current-configuration命令查看当前配置文件。

使用display saved-configuration [ last ]命令配置交换机下次启动时加载的配置文件的内容。

使用display startup命令查看设备启动时使用的文件信息执行命令undo telnet server enable关闭Telnet服务器undo telnet ipv6 server enableundo http server enableundo http secure-server enablessh server timeout seconds，设置SSH认证超时时间。

缺省情况下，SSH连接认证超时时间为60秒。

stelnet server enable#aaa#local-user root password simple 123456#local-user root privilege level 3#local-user root service-type ssh执行命令user-interface [ vty ] first-ui-number [ last-ui-number ]，进入VTY用户界面视图。

'、交换机FTP 配置1、 创建 VLAN 10< huawei213>systeml-view[huawei213]vlan 102、 将端口划入刚才新建的 VLAN 10中（注意划入的端口模式需为ACCESS 才可划入；与 hybrid,trunk 模式的划入方法不同）[huawei213-vla n10]port GigabitEthernet 0/0/2 to 0/0/10[huawei213-vla n10]quit3、 设置VLAN 10的IP 地址 [huawei213]i nteface Vla nif 10[huawei213-Vla nif10]ip address 172.16.10.1 255.255.255.0 [huawei213- Vla nif10]quit4、 添加FTP 登录用户[huawei213]aaa[huawei213-aaa]local-user user password cipher password （用户名 user 密码（密文方式） password ）[huawei213-aaa]local-user user privilege level 3[huawei213-aaa]local-user user service-type ftp[huawei213-aaa]local-user user ftp-directory flash:/[huawei213-aaa]quit5、 开启交换机FTP 服务[huawei213]ftp server en able6、 属于VLAN 10的电脑FTP 做测试（打开 CMD ）C:\Docume nts and Setti ngs\Admi nistrator>ftp 172.16.10.1Conn ected to 172.16.10.1 220 FTP service ready.User （172.16.10.1:（none ））: user331 Password required for user. Password:230 User logged in.ftp>这就说明登录成功了 ~ 1、交换机 WEB 配置注：要开启 WEB 服务，需要先上传 WEB 管理文件S5700SI-V100R005.002.web.zip （设置用户权限） （设置这个用户用于 FTP 登录） （设置这个用户登录到的 FTP 目录）FTP上传文件到交换机S5700SI-V100R005.002.web.zip（划分VLAN 设置IP等省略…）先将S5700SI-V100R005.002.web.zip 文件放到目录C:\Docume nts and Setti ngs\Admi nistrator>ftp 172.16.10.1Conn ected to 172.16.10.1220 FTP service ready.User （172.16.10.1:（ non e））: user331 Password required for user.Password:230 User logged in.ftp>ftp> hashHash mark printing On ftp: （2048 bytes/hash mark）.ftp> put S5700SI-V100R005.002.web.zipftp>quit2、开启HTTP服务< huawei213>systeml-view[huawei213][huawei213] http server load flash:/s5700si-v100r005.002.web.zip （指向刚才上传WEB管理文件）[huawei213]http server en able3、设置WEB用户（注：也可以把以存的用户设置为WEB登录方式）[huawei213]aaa[huawei213-aaa]local-user webuser password cipher password （用户名webuser 密码（密文方式）password）[huawei213-aaa]local-user webuser service-type http （设置这个用户用于WEB 登录）[huawei213-aaa]quit4、客户端电脑做WEB登录测试打开浏览器输入http://172.16.10.1/用尸簣录HUAWCI用户名.密码：验证码Language:厂记住我的密码登奈重置疔讥斫右「甲戈提十百限公司2000-2010-保留一切权利’输入配置的用户名webuser及密码password及验证码后确认登录CPKHQT 軒 w 占 m 卓 Iff KRb 3<Ki <Tt ： i{l#Siit 鼻4浙 S57»-41TP-SI *C 辰SStEdUa mma AC 1HM20V 诸帝劉闾 M*r4WifW HU*WCi Quldway S57Q0-48TP-SI-AC … _. ^ …■ . ■- tzw. /Xu ■ nwir «*V9 acn 04S OK 大功告成! ■■ ** IA 杠方玉 RID 叶切 Mymwi Ttow^ 21QZ1M353 T«20«O» 址心1“ 7110-04^-0*02 * Bfim 5 TO 和 WRdMCt 1 B^ir 專 mfg tH QnfvgHI at 出用 2蛊 3Q1& ； V€:R 4。

'、交换机FTP 配置1、 创建 VLAN 10< huawei213>systeml-view[huawei213]vlan 102、 将端口划入刚才新建的 VLAN 10中（注意划入的端口模式需为ACCESS 才可划入；与 hybrid,trunk 模式的划入方法不同）[huawei213-vla n10]port GigabitEthernet 0/0/2 to 0/0/10[huawei213-vla n10]quit3、 设置VLAN 10的IP 地址 [huawei213]i nteface Vla nif 10[huawei213-Vla nif10]ip address 172.16.10.1 255.255.255.0 [huawei213- Vla nif10]quit4、 添加FTP 登录用户[huawei213]aaa[huawei213-aaa]local-user user password cipher password （用户名 user 密码（密文方式） password ）[huawei213-aaa]local-user user privilege level 3[huawei213-aaa]local-user user service-type ftp[huawei213-aaa]local-user user ftp-directory flash:/[huawei213-aaa]quit5、 开启交换机FTP 服务[huawei213]ftp server en able6、 属于VLAN 10的电脑FTP 做测试（打开 CMD ）C:\Docume nts and Setti ngs\Admi nistrator>ftp 172.16.10.1Conn ected to 172.16.10.1 220 FTP service ready.User （172.16.10.1:（none ））: user331 Password required for user. Password:230 User logged in.ftp>这就说明登录成功了 ~ 1、交换机 WEB 配置注：要开启 WEB 服务，需要先上传 WEB 管理文件S5700SI-V100R005.002.web.zip （设置用户权限） （设置这个用户用于 FTP 登录） （设置这个用户登录到的 FTP 目录）FTP上传文件到交换机S5700SI-V100R005.002.web.zip（划分VLAN 设置IP等省略…）先将S5700SI-V100R005.002.web.zip 文件放到目录C:\Docume nts and Setti ngs\Admi nistrator>ftp 172.16.10.1Conn ected to 172.16.10.1220 FTP service ready.User （172.16.10.1:（ non e））: user331 Password required for user.Password:230 User logged in.ftp>ftp> hashHash mark printing On ftp: （2048 bytes/hash mark）.ftp> put S5700SI-V100R005.002.web.zipftp>quit2、开启HTTP服务< huawei213>systeml-view[huawei213][huawei213] http server load flash:/s5700si-v100r005.002.web.zip （指向刚才上传WEB管理文件）[huawei213]http server en able3、设置WEB用户（注：也可以把以存的用户设置为WEB登录方式）[huawei213]aaa[huawei213-aaa]local-user webuser password cipher password （用户名webuser 密码（密文方式）password）[huawei213-aaa]local-user webuser service-type http （设置这个用户用于WEB 登录）[huawei213-aaa]quit4、客户端电脑做WEB登录测试打开浏览器输入http://172.16.10.1/用尸簣录HUAWCI用户名.密码：验证码Language:厂记住我的密码登奈重置疔讥斫右「甲戈提十百限公司2000-2010-保留一切权利’输入配置的用户名webuser及密码password及验证码后确认登录CPKHQT 軒 w 占 m 卓 Iff KRb 3<Ki <Tt ： i{l#Siit 鼻4浙 S57»-41TP-SI *C 辰SStEdUa mma AC 1HM20V 诸帝劉闾 M*r4WifW HU*WCi Quldway S57Q0-48TP-SI-AC … _. ^ …■ . ■- tzw. /Xu ■ nwir «*V9 acn 04S OK 大功告成! ■■ ** IA 杠方玉 RID 叶切 Mymwi Ttow^ 21QZ1M353 T«20«O» 址心1“ 7110-04^-0*02 * Bfim 5 TO 和 WRdMCt 1 B^ir 專 mfg tH QnfvgHI at 出用 2蛊 3Q1& ； V€:R 4。

华为S5700交换机初始化和配置TELNET远程登录方法：1,交换机开启Telnet服务<Huawei>system-view #进入系统视图[Huawei]telnet server ？#查看有enable还是disable选项，选择对应的开启方式。

[Huawei]telnet server enable #enable选项开启Telnet服务（普通系列一般为这个）[Huawei]undo telnet server disable #disable选项开启Telnet服务（CE高端系列一般为这个）2，配置VTY用户界面的最大个数（同时可以登录的最大数）[Huawei]user-interface maximum-vty 15 #默认是5，这个可以不设置3，配置VTY用户界面的终端属性[Huawei]user-interface vty 0 14 #上面是15所有这里是0 14 如果选择默认这里是0 4[Huawei-ui-vty0-14]protocol inbound telnet #配置vty支持telnet协议4，配置VTY用户界面的用户验证方式[Huawei-ui-vty0-14]authentication-mode aaa #配置用户终端的身份验证模式为aaa认证为aaa认证[Huawei-ui-vty0-14]quit #退出vty配置界面5，配置登录验证方式[Huawei]aaa #进入aaa配置模式[Huawei-aaa]local-user admin1234 password ? #查看可以选择的密码选择[Huawei-aaa]local-user admin1234 password simple Huawei1234 #密码选项simple 账号admin1234 密码Huawei1234 (普通系列一般为这个)[Huawei-aaa]local-user admin1234 password irreversible-cipher Huawei12#$ #密码选项irreversible-cipher 账号admin1234 密码Huawei12#$ (CE高端系列一般为这个)[Huawei-aaa]local-user admin1234 service-type telnet #配置接入服务类型，如果还需要SSH登录请加上[Huawei-aaa]local-user admin1234 privilege level 3 #配置账号的级别，默认3级是超级管理员的权限[Huawei-aaa]quit #退出<Huawei>telnet 127.0.0.1 #测试telnet配置是否OK<Huawei>save #保存配置===================================================================华为S5700交换机初始化和配置SSH和TELNET远程登录方法：AAA是指：authentication（认证）、authorization（授权）、accounting（计费）的简称，是网络安全的一种管理机制；Authentication是本地认证/授权，authorization和accounting是由远处radius（远程拨号认证系统）服务或hwtacacs（华为终端访问控制系统）服务器完成认证/授权；AAA是基于用户进行认证、授权、计费的，而NAC方案是基于接入设备接口进行认证的,在实际应用中，可以使用AAA的一种或两种服务。

华为S5700W-L系列交换机快速配置S5700W-L系列交换机快速配置发布日期2020-05-15目录1 小型园区组网场景 (1)1.1 数据规划 (2)1.2 快速配置小型园区 (3)1.2.1 登录设备 (3)1.2.2 配置管理IP和Telnet (4)1.2.3 配置接口与VLAN (5)1.2.4 配置DHCP (7)1.2.5 配置核心交换机路由 (8)1.2.6 配置出口路由器 (9)1.2.7 配置DHCP Snooping和IPSG (9)1.2.8 业务验证 (10)1.2.9 保存配置 (10)2 中小园区组网场景 (11)2.1 数据规划 (12)2.2 快速配置中小园区 (13)2.2.1 登录设备 (13)2.2.2 配置管理IP和Telnet (14)2.2.3 配置网络互连互通 (15)2.2.4 配置DHCP (18)2.2.5 配置OSPF (21)2.2.6 配置可靠性和负载分担 (21)2.2.7 配置链路聚合 (22)2.2.8 配置限速 (23)2.2.9 配置映射内网服务器和公网多出口 (24)2.2.10 业务验证和保存配置 (27)3 常见问题 (28)3.1 如何清除配置？如何清空配置？如何恢复出厂配置？ (28)3.2 如何一键清除接口配置？ (28)3.3 如何重置Console密码？ (29)3.4 如何重置Telnet密码？ (29)3.5 如何配置地址池中不参与自动分配的IP地址？ (29)3.6 如何配置租期？ (29)3.7 如何为客户端分配固定的IP地址？ (30)1小型园区组网场景说明本文配置步骤以图中所示的接入交换机ACC1，核心交换机CORE 和出口路由器Router为例。

●接入交换机与核心交换机通过Eth-Trunk组网保证可靠性。

●每个部门业务划分到一个VLAN中，部门间的业务在CORE上通过VLANIF三层互通。

●核心交换机作为DHCP Server，为园区用户分配IP地址。

BrochureProduct OverviewBuilding on next-generation, high-performance hardware and the Huawei Versatile Routing Platform (VRP), the S5700-LI supports Advanced Hibernation Management (AHM), intelligent stack (iStack), flexible Ethernet networking, and diversified security control. It provides customers with a green, easy-to-manage, easy-to-expand, and cost-effective gigabit to the desktop solution. In addition, Huawei customizes specialized models to meet customer requirements to suit special scenarios.● Huawei S5700-LI-BAT series battery LAN switches (S5700-LI-BAT for short) are the industry's first switch series to support batteries and provide visualized battery status management. The S5700-LI-BAT can ensure uninterrupted services inenvironments facing frequent mains power failures at the access layer. Access switches are usually distributed; therefore, it is costly and space-consuming to deploy high-performance Uninterruptible Power Supplies (UPSs) for the access switches.Huawei battery LAN switches solve this problem. The use of batteries ensures stable operation of the access layer in the event of mains power failures.● CSFP switches support downlink CSFP ports, and each downlink CSFP port provides 2 Gbit/s bandwidth bidirectionally. CSFP switches apply to scenarios where users increase continuously and demand higher bandwidth, and scenarios where deploying fibers is costly and difficult and construction timeframes are long. The switches with front power sockets can be installed in the 300 mm deep cabinet.Models and AppearancesModels and AppearancesDescriptionS5700-28P-LI-BAT●24x10/100/1000Base-T Ethernet ports, 4xGE SFP ports ● AC power supply●One battery slot for an external lead-acid battery used in the event of a mains power failure or a 150 W AC or DC power module used as the redundant power source ● Forwarding performance: 42 Mpps ● Switching Capacity: 256 GbpsS5700-28P-LI-24S-BAT●28 xGE SFP ports, 4 xCombo 10/100/1000Base-T Ethernet ports ● AC power supply●One battery slot for an external lead-acid battery used in the event of a mains power failure or a 150 W AC or DC power module used as the redundant power source ● Forwarding performance: 42 Mpps ●Switching Capacity: 256 GbpsS5700-52X-LI-48CS-AC ●48 xGE CSFP ports or 24 x GE SFP ports, 4 xCombo 10/100/1000Base-T Ethernetports, 4 x 10GE SFP+ ports●AC power supply, front power sockets, front access●Forwarding performance: 132 Mpps●Switching Capacity: 256 GbpsFeatures and HighlightsInnovative Energy Saving Design●The S5700-LI series smart energy-saving switches reduce power consumption without degrading system performance or user experience. The S5700-LI series uses innovative energy-saving technologies including energy efficient Ethernet (EEE), port power detection, dynamic CPU frequency adjustment, and device sleep mode. These technologies help reduce power consumption by adjusting power depending on the Up/Down states of links, presence/absence of optical modules, shutdown and undo shutdown operations on ports, and peak and off-peak hours. The S5700-LI series is the industry's first switch series that supports device sleep mode, and provides three energy saving modes to adapt to different usage scenarios: standard, basic, and deep modes.Flexible Ethernet Networking●In addition to traditional Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP), the S5700-LI supports Huawei-developed Smart Ethernet Protection (SEP) technology and the latest Ethernet Ring Protection Switching (ERPS) standard. SEP is a ring protection protocol specific to the Ethernet link layer, and applies to various ring network topologies, such as open ring topology, closed ring topology, and cascading ring topology. This protocol is reliable, easy to maintain, and implements fast protection switching within 50 ms. ERPS is defined in ITU-T G.8032. It implements millisecond-level protection switching based on traditional Ethernet MAC and bridging functions.●The S5700-LI supports SmartLink, which implements backup of uplinks. One S5700-LI switch can connect to multiple aggregation switches through multiple links, significantly improving reliability of access devices.●The S5700-LI supports Ethernet OAM (IEEE 802.3ah/802.1ag) to fast-detect link faults.Diversified Security Control●The S5700-LI supports 802.1x authentication, MAC address authentication, and combined authentication on a per port basis, as well as Portal authentication on a per VLANIF interface basis, and implements dynamic policy delivery (VLAN, QoS, and ACL) to users.●The S5700-LI provides a series of mechanisms to defend against DoS attacks and user-targeted attacks. DoS attacks are targeted at switches and include SYN flood, Land, Smurf, and ICMP flood attacks. User-targeted attacks include bogus DHCP server attacks, IP/MAC address spoofing, DHCP request flood, and changing of the DHCP CHADDR value.●The S5700-LI collects and maintains information about access users, such as IP addresses, MAC addresses, IP address leases, VLAN IDs, and interface numbers in a DHCP snooping binding table. In this way, IP addresses and access interfaces of DHCP users can be tracked. You can specify DHCP snooping trusted and untrusted ports to ensure that users connect only to the authorized DHCP server.●The S5700-LI supports strict ARP learning. This feature prevents ARP spoofing attackers from exhausting ARP entries so that users can connect to the Internet normally.Easy Operation and Maintenance●The S5700-LI supports Huawei Easy Operation, a solution that provides zero-touch deployment, replacement of faulty devices without additional configuration, USB-based deployment, batch configuration, and batch remote upgrade. The Easy Operation solution facilitates device deployment, upgrade, service provisioning, and other management and maintenance operations, and also greatly reduces costs of operation and maintenance. The S5700-LI can be managed and maintained using Simple Network Management Protocol (SNMP) V1, V2, and V3, Command Line Interface (CLI), web-based network management system, or Secure Shell (SSH) V2.0. Additionally, it supports remote network monitoring (RMON), multiple log hosts, port traffic statistics collection, and network quality analysis that helps with network consolidation and reconstruction.●EasyDeploy: The Commander collects information about the topology of the client connecting to the Commander and saves client startup information based on the topology. The client can be replaced without configuration. Configuration and scripts can be delivered to the client in batches. In addition, the configuration delivery result can be queried.●The Commander can collect and display power consumption on the entire network.●The S5700-LI can use the GARP VLAN Registration Protocol (GVRP) to implement dynamic distribution, registration, and propagation of VLAN attributes. GVRP reduces manual configuration workload and ensures correct configuration. Additionally, the S5700-LI supports MUX VLAN, which involves a principal VLAN and multiple subordinate VLANs. Subordinate VLANs are classified into group VLANs and separate VLANs. Ports in the principal VLAN can communicate with ports in subordinate VLANs. Ports in a subordinate group VLAN can communicate with each other, whereas ports in a subordinate separate VLAN can communicate only with ports in the principal VLAN. The S5700-LI also supports VLAN Central Management Protocol (VCMP) and VLAN-Based Spanning Tree (VBST) protocol.iStack●The S5700-LI supports intelligent stack (iStack). This technology combines multiple switches into a logical switch. Member switches in a stack implement redundancy backup to improve device reliability and use inter-device link aggregation to improve link reliability. iStack provides high network scalability. You can increase ports, bandwidth, and processing capacity of a stack by simply adding member switches to the stack. iStack also simplifies device configuration and management. After a stack is set up, multiple physical switches are virtualized into one logical device. You can log in to any member switch in the stack to manage all the member switches in the stack.Excellent Network Traffic Analysis●The S5700-LI supports the sFlow function. It uses a method defined in the sFlow standard to sample traffic passing through it and sends sampled traffic to the collector in real time. The collected traffic statistics are used to generate statistical reports, helping enterprises maintain their networks.CSFP Providing High-density Access and Increased Bandwidth●CSFP switches support downlink CSFP ports. Each downlink CSFP port equipped with a CSFP GE optical module and one pair of fibers can provide 2 Gbit/s bandwidth bidirectionally, which is two times the bandwidth of standard SFP optical modules. The 24 downlink CSFP ports can provide 48 Gbit/s bandwidth bidirectionally, implementing high-density access (equal to access of 48 standard SFP ports) and saving the cost of deploying fibers and adding optical modules.Easy O&M with Front Panel●The models with front power sockets can be installed in a 300 mm deep cabinet, and can be maintained through the front panel. This simplifies operation and maintenance. The cabinets can be placed against the wall or back to back, and is well-suited for shallow cabinets and limited equipment room space.Product SpecificationsFixed ports ●S5700-28P-LI-BAT: 24 10/100/1000Base-TEthernet ports, 4 GE SFP ports●S5700-28P-LI-24S-BAT: 28 GE SFP ports,4 Combo 10/100/1000Base-T Ethernetports 48 GE CSFP ports or 24 GE SFP ports, 4 Combo 10/100/1000Base-T Ethernet ports, 4 10GE SFP+ portsMAC address table 16K MAC address entriesMAC address learning and agingStatic, dynamic, and blackhole MAC address entriesPacket filtering based on source MAC addressesInterface-based MAC learning limitingVLAN features 4K VLANsGuest VLAN and voice VLANGVRPMUX VLANVLAN assignment based on MAC addresses, protocols, IP subnets, policies, and interfaces1:1 and N:1 VLAN mappingJumbo frame 10KReliability RRPP ring topology and RRPP multi-instanceSmart Link tree topology and Smart Link multi-instance, providing millisecond-level protectionswitchoverSEPERPS (G.8032)STP (IEEE 802.1d), RSTP (IEEE 802.1w), and MSTP (IEEE 802.1s)BPDU protection, root protection, and loop protectionBPDU tunnelIP routing Static route, RIP, RIPngIPv6 features Neighbor Discovery (ND)Path MTU (PMTU)IPv6 ping, IPv6 tracert, and IPv6 TelnetACLs based on the source IPv6 address, destination IPv6 address, Layer 4 ports, and protocol typeMLDv1/v2 snoopingMulticast IGMPv1/v2/v3 snooping and IGMP fast leaveMulticast forwarding in a VLAN and multicast replication between VLANsMulticast load balancing among member ports of a trunkControllable multicastInterface-based multicast traffic statisticsQoS/ACL Rate limiting on packets sent and received by an interfacePacket redirectionInterface-based traffic policing and two-rate and three-color CAREight queues on each interfaceWRR, DRR, SP, WRR+SP, and DRR+SP queue scheduling algorithmsRe-marking of the 802.1p priority and DSCP priorityPacket filtering at Layer 2 to Layer 4, filtering out invalid frames based on the source MAC address,destination MAC address, source IP address, destination IP address, TCP/UDP port number, protocoltype, and VLAN IDRate limiting in each queue and traffic shaping on interfacesSecurity Hierarchical user management and password protectionDoS attack defense, ARP attack defense, and ICMP attack defenseBinding of the IP address, MAC address, interface number, and VLAN IDPort isolation, port security, and sticky MACMFFBlackhole MAC address entriesLimit on the number of learned MAC addressesIEEE 802.1x authentication and limit on the number of users on an interfaceAAA authentication, RADIUS authentication, HWTACACS authentication, and NACSSH V2.0Hypertext Transfer Protocol Secure (HTTPS)CPU defenseBlacklist and whitelistAccess Security DHCP relay, DHCP server, DHCP snooping, and DHCP securityLightning protection Service interface: 6 kV Service interface: 2 kVSuper Virtual Fabric (SVF) Working as an SVF client that is plug-and-play with zero configuration Automatically loading the system software package and patches of clients One-click and automatic delivery of service configurationsSupports independent running clientManagement and maintenance iStack (excluding battery LAN switches)Virtual Cable Test (VCT)Remote configuration and maintenance using Telnet SNMPv1/v2c/v3RMONeSight and web-based NMSHTTPSLLDP/LLDP-MEDSystem logs and multi-level alarms802.3az EEEDying Gasp (excluding battery LAN switches)Interoperability Supports VBST (Compatible with PVST/PVST+/RPVST)Supports LNP (Similar to DTP)Supports VCMP (Similar to VTP)Operating environment ●Long-term operating temperature: 0°C to45°C●Relative humidity: 5% to 95% (non-condensing)●Long-term operating temperature: 0°C to 45°C●Relative humidity: 5% to 95% (non-condensing)Input voltage AC:●Rated voltage range: 100 V to 240 V AC,50/60 Hz●Maximum voltage range: 90 V to 264 V AC,47/63 HzDC:●Rated voltage range: –48 V to –60 V, DC●Maximum voltage range: –36 V to –72 V,DC AC:●Rated voltage range: 100 V to 240 V AC, 50/60Hz●Maximum voltage range: 90 V to 264 V AC,47/63 HzDC:●Rated voltage range: –48 V to –60 V, DC●Maximum voltage range: –36 V to –72 V, DCPower socketpositionRear power sockets Front power sockets Battery One slot for lead-acid battery charger module NADimensions (W x D442 mm x 310 mm x 43.6 mm 442 mm x 220 mm x 43.6 mmx H)<79.9 WPower consumption ●S5700-28P-LI-BAT: <23 W●S5700-28P-LI-24S-BAT: <34.1 WNetworking and ApplicationsThe S5700-LI provides 1000M desktop access functions for a high performance network, such as voice VLAN, NAC and so on.The S5700-LI-BAT uses a battery as the backup power supply. When a mains power failure occurs, the battery begins powering the switch. When the mains power supply recovers, the switch automatically charges the battery. The use of batteries ensures high reliability at the access layer in the case of frequent mains power failures.Ordering Information98010509 S5700-28P-LI-BAT (24x10/100/1000Base-T Ethernet ports, 4xGE SFP ports, 1 battery slot, AC power supply)98010511 S5700-28P-LI-24S-BAT (28xGE SFP ports, 4xCombo 10/100/1000Base-T Ethernet ports, 1 battery slot,AC power supply)02357823 S5700-52X-LI-48CS-AC (48xGE CSFP ports or 24xGE SFP ports, 4xCombo 10/100/1000Base-T Ethernet ports, 4x10GE SFP+ ports, AC power supply, front power sockets, front access)02310TEE 100/1000BASE-BIDI CSFP single-fiber bidirectional optical module-CSFP-GE/FE-single-mode optical module (Tx1490/Rx1310 nm, 10 km, LC)02353857 RPS1800 Redundant Power System98010517 PBB-12AHA (12AH lead-acid battery charger module)02310JFA 150 W AC power module (optional for battery LAN switches, used as the redundancy for the internal power module)02310JFD 150 W DC power module (optional for battery LAN switches, used as the redundancy for the internal power module)More InformationFor more information about Huawei Campus Switches, visit or contact us in the following ways:●Global service hotline: /en/service-hotline●Logging in to the Huawei Enterprise technical support website: /enterprise/●Sending an email to the customer service mailbox: ********************Copyright © Huawei Technologies Co., Ltd. 2018. All rights reserved.No part of this document may be reproduced or transmitted in any form or by any means without prior writtenconsent of Huawei Technologies Co., Ltd.Trademarks and Permissionsand other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respective holders.NoticeThe purchased products, services and features are stipulated by the contract made between Huawei and thecustomer. All or part of the products, services and features described in this document may not be within thepurchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, andrecommendations in this document are provided "AS IS" without warranties, guarantees or representations ofany kind, either express or implied.The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.Huawei Technologies Co., Ltd.Address:Huawei Industrial Base Bantian,Longgang Shenzhen 518129 People'sRepublic of ChinaWebsite:。

华为S5700交换机初始化和配置TELNET远程登录方法：1,交换机开启Telnet服务<Huawei>system-view #进入系统视图[Huawei]telnet server #查看有enable还是disable选项，选择对应的开启方式。

[Huawei]telnet server enable #enable选项开启Telnet服务（普通系列一般为这个）[Huawei]undo telnet server disable #disable选项开启Telnet服务（CE高端系列一般为这个）2，配置VTY用户界面的最大个数（同时可以登录的最大数）[Huawei]user-interface maximum-vty 15 #默认是5，这个可以不设置3，配置VTY用户界面的终端属性[Huawei]user-interface vty 0 14 #上面是15所有这里是0 14 如果选择默认这里是0 4[Huawei-ui-vty0-14]protocol inbound telnet #配置vty支持telnet协议4，配置VTY用户界面的用户验证方式[Huawei-ui-vty0-14]authentication-mode aaa #配置用户终端的身份验证模式为aaa认证为aaa认证[Huawei-ui-vty0-14]quit #退出vty配置界面5，配置登录验证方式[Huawei]aaa #进入aaa配置模式[Huawei-aaa]local-user admin1234 password #查看可以选择的密码选择[Huawei-aaa]local-user admin1234 password simple Huawei1234 #密码选项simple 账号admin1234 密码Huawei1234 (普通系列一般为这个)[Huawei-aaa]local-user admin1234 password irreversible-cipher Huawei12#$ #密码选项irreversible-cipher 账号admin1234 密码Huawei12#$ (CE高端系列一般为这个)[Huawei-aaa]local-user admin1234 service-type telnet #配置接入服务类型，如果还需要SSH登录请加上[Huawei-aaa]local-user admin1234 privilege level 3 #配置账号的级别，默认3级是超级管理员的权限[Huawei-aaa]quit #退出<Huawei>telnet #测试telnet配置是否OK<Huawei>save #保存配置===================================================================华为S5700交换机初始化和配置SSH和TELNET远程登录方法：AAA是指：authentication（认证）、authorization（授权）、accounting（计费）的简称，是网络安全的一种管理机制；Authentication是本地认证/授权，authorization和accounting是由远处radius（远程拨号认证系统）服务或hwtacacs（华为终端访问控制系统）服务器完成认证/授权；AAA是基于用户进行认证、授权、计费的，而NAC方案是基于接入设备接口进行认证的,在实际应用中，可以使用AAA的一种或两种服务。

绑定客户端IP+MAC+端口[Huawei]user-bind static ip-address 192.168.2.2 mac-address 5489-9852-137A interface GigabitEthernet 0/0/2[Huawei]user-bind static mac-address 6489-98CF-1525 interface g0/0/1系统视图下am user-bind mac-addr mac地址ip-addr ip地址interface 接口类型接口序号以太网端口视图下interface 接口类型接口序号am user-bind mac-addr mac地址ip-addr ip地址华为s5700 ip地址+mac地址+端口绑定问：将单位的交换机绑定ip地址，mac地址和端口，实现某台ip为172.16.3.113，mac地址为000B-2F37-FE4F只能通过GigabitEthernet0/0/2这个端口来上网或查看局域网内的共享文件。

答：一般用am user-bind做。

am user-bind ip-address 172.16.3.113 mac-address 000B-2F37-FE4F interface GigabitEthernet0/0/2首先要有思想准备，工作量巨大。

答：用完后可以到所在VLAN或者端口执行：ip source check user-bind enable一、1、系统视图下am user-bind mac-addr mac地址 ip-addr ip地址 interface 接口类型接口序号2、以太网端口视图下interface 接口类型接口序号am user-bind mac-addr mac地址 ip-addr ip地址二、端口绑定2.1 端口绑定命令2.1.1 am user-bind interface【命令】am user-bind mac-addr mac-address ip-addr ip-address interfaceinterface-type interface-numberundo am user-bind mac-addr mac-address ip-addr ip-address interfaceinterface-type interface-number【视图】系统视图【参数】mac-address：绑定的MAC 地址值。

进入接口视图操作步骤1.执行命令system-view，进入系统视图。

2.执行命令interface interface-type interface-number，进入指定接口的接口视图。

3.执行命令description description，配置接口描述。

4.执行命令shutdown，关闭接口。

5.执行命令undo shutdown，启动接口。

检查配置结果基本参数配置完后，可以使用相关的display命令显示配置结果。

操作步骤1.执行命令display interface [ interface-type [ interface-number ] ]，查看接口当前运行状态和统计信息。

2.执行命令display interface description，查看接口的描述信息。

3.执行命令display ip interface [ interface-type interface-number ]，查看接口IP的主要配置信息。

4.执行命令display ip interface brief [ interface-type interface-number ] ，查看接口IP的简要状态信息。

配置Loopback接口IPv4相关项Loopback接口可以配置IPv4地址，可以用于绑定VPN实例、对源IPv4地址进行校验。

操作步骤1.执行命令system-view，进入系统视图。

2.执行命令interface loopback interface-number，创建Loopback接口。

interface-number取值范围为0～1023，最多可创建1024个Loopback接口。

3.执行命令ip address ip-address { mask | mask-length } [ sub ]，配置Loopback接口的IPv4地址。

4.（可选）执行命令ip verify source-address，配置Loopback接口对源IPv4地址校验。

Huawei S5700-EI Series SwitchesProduct BrochureThe S5700-EI series gigabit enterprise switches (S5700-EI) are next-generation energy-saving switchesdeveloped by Huawei to meet the demand for high-bandwidth access and Ethernet multi-servicemaintain, reducing workloads for network planning, construction, and maintenance. The S5700-EI usesS5700-EI Series Gigabit Enterprise Switches Product OverviewProduct Appearance•Switching capacity: 416Gbps2-2Huawei Enterprise Sx700 Series Switch Product•Switching capacity: 416GbpsProduct Features and highlightsPowerful support for services•The S5700-EI supports IGMP v1/v2/v3 snooping, IGMP filter, IGMP fast leave, and IGMP proxy. It supportsline-speed replication of multicast packets between VLANs, multicast load balancing among member interfaces of a trunk, and controllable multicast, meeting requirements for IPTV services and othermulticast services.•The S5700-EI provides the Multi-VPN-Instance CE (MCE) function to isolate users in different VPNs on a device, ensuring data security and reducing costs.•The S5710-EI supports multiple MPLS & VPN features, including Label Distribution Protocol (LDP) or Resource Reservation Protocol for Traffic Engineering (RSVP-TE), MPLS TE, VLL, VPLS, and MPLS L3VPN. Comprehensive reliability mechanisms•Besides STP, RSTP, and MSTP, the S5700-EI supports enhanced Ethernet reliability technologies such asSmart Link and RRPP (Rapid Ring Protection Protocol), which implement millisecond-level protection switchover and ensure network reliability. It also provides Smart Link multi-instance and RRPP multi-instance to implement load balancing among links, optimizing bandwidth usage.Huawei Enterprise Sx700 Series Switch Product2-3•The S5700-EI supports enhanced trunk (E-Trunk) that enables a CE to be dual-homed to two PEs (S5700s).E-Trunk greatly enhances link reliability between devices and implements link aggregation betweendevices. This improves reliability of access devices.•The S5700-EI supports the Smart Ethernet Protection (SEP) protocol, a ring network protocol applied tothe link layer on an Ethernet network. SEP can be used on open ring networks and can be deployed onupper-layer aggregation devices to provide fast switchover, ensuring non-stop transmission of services.SEP features simplicity, high reliability, fast switchover, easy maintenance, and flexible topology, facilitatingnetwork planning and management.•The S5700-EI supports Ethernet Ring Protection Switching (ERPS), also referred to as G.8032. As the latestring network protocol, ERPS was developed based on traditional Ethernet MAC and bridging functionsand uses mature Ethernet OAM function and a Ring Automatic Protection Switching (R-APS) mechanismto implement millisecond-level protection switching. ERPS supports various services and allows flexiblenetworking, helping customers build a network with lower OPEX and CAPEX.•The S5700-EI supports redundant power supplies, and can use an AC power supply and a DC powersimultaneously. Users can choose a single power supply or use two power supplies to ensure devicereliability.•The S5700-EI supports VRRP, and can set up VRRP groups with other Layer 3 switches. VRRP providesredundant routes to ensure stable and reliable communication. Multiple equal-cost routes to an uplinkdevice can be configured on the S5700-EI to provide route redundancy. When an active route isunreachable, traffic is switched to a backup route.•The S5700-EI supports Bidirectional Forwarding Detection (BFD) and provides millisecond-level detectionfor protocols such as OSPF, IS-IS, VRRP, and PIM to improve network reliability. The S5700-EI complies withIEEE 802.3ah and 802.1ag. IEEE 802.3ah defines the mechanism for detecting faults on direct links overthe Ethernet in the first mile, and 802.1ag defines the mechanism for end-to-end service fault detection.The S5700-EI supports Y.1731. Besides fast end-to-end service fault detection, the S5700-EI can use theperformance measurement tools defined in Y.1731 to monitor network performance, providing accuratedata about network quality.Well-designed QoS policies and security mechanisms•The S5700-EI implements complex traffic classification based on packet information such as the 5-tuple,IP precedence, ToS, DSCP, IP protocol type, ICMP type, TCP/UDP port number, VLAN ID, Ethernet protocoltype. ACLs can be applied to inbound or outbound direction on an interface. The S5700-EI supportsa flow-based two-rate three-color CAR. Each port supports eight priority queues and multiple queuescheduling algorithms such as WRR, DRR, SP, WRR+SP, and DRR+SP. All of these ensure the quality ofvoice, video, and data services.Huawei Enterprise Sx700 Series Switch Product•The S5700-EI provides multiple security measures to defend against Denial of Service (DoS) attacks,and attacks against networks or users. DoS attack types include SYN Flood attacks, Land attacks, Smurf attacks, and ICMP Flood attacks. Attacks to networks refer to STP BPDU/root attacks. Attacks to users include bogus DHCP server attacks, man-in-the-middle attacks, IP/MAC spoofing attacks, DHCP requestflood attacks. DoS attacks that change the CHADDR field in DHCP packets are also attacks against users.•The S5700-EI supports DHCP snooping, which discards invalid packets that do not match any binding entries, such as ARP spoofing packets and IP spoofing packets. This prevents man-in-the-middle attacksto campus networks that hackers initiate by using ARP packets. The interface connected to a DHCP server can be configured as a trusted interface to protect the system against bogus DHCP server attacks.•The S5700-EI supports strict ARP learning, which prevents ARP spoofing attacks that will exhaust ARP entries. It also provides IP source check to prevent DoS attacks caused by MAC address spoofing, IP address spoofing, and MAC/IP spoofing.•The S5700-EI supports 802.1x authentication, MAC address authentication, and combined authentication on a per port basis, as well as Portal authentication on a per VLANIF interface basis. The S5700-EI also supports NAC. The S5700-EI authenticates users based on statically or dynamically bound user information such as the user name, IP address, MAC address, VLAN ID, access interface, and flag indicating whether antivirus software is installed. VLANs, QoS policies, and ACLs can be applied to users dynamically.•The S5700-EI can limit the number of MAC addresses learned on an interface to prevent attackers from exhausting MAC address entries by using bogus source MAC addresses. This function minimizes packetflooding that occurs when MAC addresses of users cannot be found in the MAC address table.Fine-grained traffic management•The S5710-EI supports NetStream. The NetStream module supports V5, V8, and V9 packet formats and provides various traffic analysis functions, such as real-time traffic sampling, dynamic report generation, traffic attribute analysis, and traffic exception report. The Netstream module enables administrators to monitor network status in real time and provides applications and analysis functions including potential fault detection, effective fault rectification, fast problem handling, and security monitoring, to help customers optimize network structure and adjust resource deployment.•The S5700-EI supports the Sampled Flow (sFlow) function, which uses a sampling mechanism to obtain statistics about traffic forwarded on a network and sends the statistics to the Collector in real time. The Collector analyzes traffic statistics to help customers manage network traffic efficiently. The S5700-EI integrates the sFlow Agent module and uses hardware for traffic monitoring. Unlike traffic monitoring through port mirroring, sFlow does not degrade network performance during traffic monitoring.Easy deployment and maintenance free•The S5700-EI supports automatic configuration, plug-and-play, and batch remote upgrade. These capabilities simplify device management and maintenance and reduce maintenance costs. The S5700-EI supports SNMP v1/v2c/v3 and provides flexible methods for managing devices. Users can manageHuawei Enterprise Sx700 Series Switch Productthe S5700-EI using the CLI and Web NMS. The NQA function helps users with network planning andupgrading. In addition, the S5700-EI supports NTP, SSH v2, HWTACACS+, RMON, log hosts, and port-based traffic statistics.•EasyDeploy: The Commander collects information about the topology of the client connecting to theCommander and saves client startup information based on the topology. The client can be replacedwithout configuration. Configuration and scripts can be delivered to the client in batches. In addition, theconfiguration delivery result can be queried. The Commander can collect and display power consumptionon the entire network.•The S5700-EI supports the GARP VLAN Registration Protocol (GVRP), which dynamically distributes,registers, and propagates VLAN attributes to reduce manual configuration workloads of networkadministrators and to ensure correct VLAN configuration. In a complex network topology, GVRP simplifiesVLAN configuration and reduces network communication faults caused by incorrect VLAN configuration.•The S5700-EI supports MUX VLAN. MUX VLAN isolates Layer 2 traffic between interfaces in a VLAN.Interfaces in a subordinate separate VLAN can communicate with ports in the principal VLAN but cannotcommunicate with each other. MUX VLAN is usually used on an enterprise intranet to isolate userinterfaces from each other but allow them to communicate with server interfaces. This function preventscommunication between network devices connected to certain interfaces or interface groups but allowsthe devices to communicate with the default gateway.PoE function•The S5700-EI PWR can use PoE power supplies with different power levels to provide -48V DC power forPowered Devices (PDs) such as IP phones, WLAN APs, and Bluetooth APs. In its role as Power SourcingEquipment (PSE), the S5700-EI PWR complies with IEEE 802.3af and 802.3at (PoE+) and can work with PDsthat are incompatible with 802.3af or 802.3at. Each port provides a maximum of 30 W power, complyingwith IEEE 802.3at. The PoE+ function increases the maximum power of each port and implements intelligentpower management for high-power consumption applications. This facilitates the use of PDs. PoE portscan work in power-saving mode. The S5700-EI PWR provides improved PoE solutions. Users can configurewhether and when a PoE port supplies power.High scalability•The S5700-EI supports intelligent stacking (iStack). Multiple S5700-EI switches can be connected withstack cables to set up a stack, which functions as a virtual switch. A stack consists of a master switch,a backup switch, and several slave switches. The backup switch takes over services when the masterswitch fails, reducing service interruption time. Stacks support intelligent upgrade so that users do notneed to change the software version of a switch when adding it to a stack. The iStack function allowsusers to connect multiple switches with stack cables to expand system capacity. These switches can bemanaged using a single IP address, which greatly reduces the costs of system expansion, operation, andmaintenance. Compared with traditional networking technologies, iStack has advantages in scalability,reliability, and system architecture.Huawei Enterprise Sx700 Series Switch ProductVarious IPv6 features•The S5700-EI supports IPv4/IPv6 dual stack and can migrate from an IPv4 network to an IPv6 network.S5700-EI hardware supports IPv4/IPv6 dual stack, IPv6 over IPv4 tunnels (including manual tunnels, 6to4tunnels, and ISATAP tunnels), and Layer 3 line-speed forwarding. The S5700-EI can be deployed on IPv4networks, IPv6 networks, or networks that run both IPv4 and IPv6. This makes networking flexible andenables easy migration from IPv4 to IPv6.Product Specifications2-7Huawei Enterprise Sx700 Series Switch ProductHuawei Enterprise Sx700 Series Switch Product*:The S5700 switches of the EI series are collectively called S5700-EI. S5710-EI is a sub-series switches of S5700-EI .2-9Huawei Enterprise Sx700 Series Switch ProductOn Large-sized Enterprise NetworksThe S5700-EI can function as an access device on a large-sized enterprise network or an aggregation device on a small-sized or medium-sized campus network. It supports link aggregation and dual-homing to improve network reliability.In Data CentersThe S5700-EI can be used in a data center. It connects to gigabit servers and aggregates traffic from the servers to uplink devices through trunk links. If multiple servers are available, an S5700-EI stack can be used to facilitate network maintenance and improve network reliability.InternetWANApplicationsHuawei Enterprise Sx700 Series Switch ProductFor more information, visit or contact your local Huawei sales office.S5710-28C-EI(24xEthernet 10/100/1000 ports,4 of which are dual-purpose 10/100/1000 or SFP ,4x10 GigSFP+, without power module)S5710-28C-PWR-EI-AC(24xEthernet 10/100/1000 PoE+ ports,4 of which are dual-purpose 10/100/1000 orSFP ,4x10 Gig SFP+, with 580W AC power)S5710-52C-EI(48xEthernet 10/100/1000 ports,4x10 Gig SFP+, with 2 interface slots, without powermodule)S5710-52C-PWR-EI(48xEthernet 10/100/1000 PoE+ ports, 4x10 Gig SFP+, with 2 interface slots, withoutpower module)8xGig SFP interface card(used in S5710-EI series)8xEthernet 10/100/1000 ports interface card(used in S5710-EI series)4xGig SFP interface card(including 4xGig SFP optical interface, extend channel card)(used in S5700-EI series)2x10GE SFP+ interface card(used in S5710-EI series)2x10GE SFP+ interface card(used in S5700-SI and S5700-EI series)4x10GE SFP+ optical interface card(including 4x10GE SFP+ interface, extend channel card)(used in S5700-SIand S5700-EI series)Ethernet Stack Interface Card(Including stack card,100cm stack cable)Ethernet Stack Interface Card(Including stack card,300cm stack cable)150W AC Power Module150W DC Power Module500W AC PoE Power Module580W AC PoE Power Module 1150W AC PoE Power Module Product List2-11Huawei Enterprise Sx700 Series Switch ProductCopyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.Trademark Notice, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd.Other trademarks, product, service and company names mentioned are the property of their respective owners.General DisclaimerThe information in this document may contain predictive statements including,without limitation, statements regarding the future financial and operating results,future product portfolio, new technology, etc. There are a number of factors thatcould cause actual results and developments to differ materially from thoseexpressed or implied in the predictive statements. Therefore, such information isprovided for reference purpose only and constitutes neither an offer nor anacceptance. Huawei may change the information at any time without notice.。

S5700W-L系列交换机快速配置发布日期2020-05-15目录1 小型园区组网场景 (1)1.1 数据规划 (2)1.2 快速配置小型园区 (3)1.2.1 登录设备 (3)1.2.2 配置管理IP和Telnet (4)1.2.3 配置接口与VLAN (5)1.2.4 配置DHCP (7)1.2.5 配置核心交换机路由 (8)1.2.6 配置出口路由器 (9)1.2.7 配置DHCP Snooping和IPSG (9)1.2.8 业务验证 (10)1.2.9 保存配置 (10)2 中小园区组网场景 (11)2.1 数据规划 (12)2.2 快速配置中小园区 (13)2.2.1 登录设备 (13)2.2.2 配置管理IP和Telnet (14)2.2.3 配置网络互连互通 (15)2.2.4 配置DHCP (18)2.2.5 配置OSPF (21)2.2.6 配置可靠性和负载分担 (21)2.2.7 配置链路聚合 (22)2.2.8 配置限速 (23)2.2.9 配置映射内网服务器和公网多出口 (24)2.2.10 业务验证和保存配置 (27)3 常见问题 (28)3.1 如何清除配置？如何清空配置？如何恢复出厂配置？ (28)3.2 如何一键清除接口配置？ (28)3.3 如何重置Console密码？ (29)3.4 如何重置Telnet密码？ (29)3.5 如何配置地址池中不参与自动分配的IP地址？ (29)3.6 如何配置租期？ (29)3.7 如何为客户端分配固定的IP地址？ (30)1小型园区组网场景说明本文配置步骤以图中所示的接入交换机ACC1，核心交换机CORE和出口路由器Router为例。

●接入交换机与核心交换机通过Eth-Trunk组网保证可靠性。

●每个部门业务划分到一个VLAN中，部门间的业务在CORE上通过VLANIF三层互通。

●核心交换机作为DHCP Server，为园区用户分配IP地址。