H3C/Huawei network equipment general command set

Initialization:

dis clock //View clock settings
[H3C]clock protocol none //Disable the clock protocol. It is enabled by default and gets the system time from the default MDC
clock datetime hh:mm:ss year/month/day //Set the time
[H3C]clock timezone beijing add 8 //Set the time zone to Beijing, offset by 8 hours from UTC

Frequently used daily operation and maintenance commands:

save //Save
reboot //Restart
shutdown -h now //Shutdown
[H3C]mac-address blackhole HHH vlan 1 //Add blackhole MAC to VLAN1
[H3C]mac-address static HHH interface Ethernet 0/1 vlan 1 //Add a static MAC for port 1 in VLAN1
[H3C]mac-address timer aging 500 //Set the aging time of the MAC address table to 500s
[H3C]display mac-address
[H3C]display arp
[H3C]mac-address port-binding HHH interface Ethernet 0/1 vlan 1 //Configure port binding
[H3C]display mac-address port-binding
[H3C]display saved-configuration
[H3C]display current-configuration
[H3C]restore default //Restore the switch factory default configuration; a restart is required for it to take effect
[H3C]display version
[H3C]display device
[H3C]sysname bigheap
[H3C]info-center enable //Enable system log function, enabled by default
[H3C]info-center loghost ip 192.168.0.3 //Output information to the specified log host (UNIX or Linux only, not Windows). The logging function must be enabled first. It is turned off by default
[H3C]info-center loghost level 8 //Set the system log level to 8, the default is 5. Level description: 1. emergencies, 2. alerts, 3. critical, 4. errors, 5. warnings, 6. notifications, 7. informational, 8. debugging
terminal debugging //Enable display of debugging information on the console, disabled by default
terminal logging //Enable display of log information on the console, enabled by default
terminal trapping //Enable display of alarm information on the console, enabled by default
[H3C]display info-center //Display the configuration of the system log and the information recorded in the buffer
[H3C]display logbuffer //Display the specified number of log entries most recently recorded in the log buffer
[H3C]display trapbuffer //Display the specified number of entries most recently recorded in the alarm buffer
reset logbuffer //Clear the information in the log buffer
reset trapbuffer //Clear the information in the alarm buffer

1. User configuration

system-view
[H3C]super password H3C //Set user level password
[H3C]undo super password //Delete user level password
[H3C]localuser bigheap 123456 1 //Web network management user settings; 1 (default) is a management-level user. The default is admin, admin
[H3C]undo localuser bigheap //Delete Web network management user
[H3C]user-interface aux 0 //Only supports 0
[H3C-Aux]idle-timeout 2 50 //Set the timeout to 2 minutes and 50 seconds. 0 means no timeout; the default is 5 minutes
[H3C-Aux]undo idle-timeout //Restore the default value
[H3C]user-interface vty 0 //Only supports 0 and 1
[H3C-vty]idle-timeout 2 50 //Set the timeout to 2 minutes and 50 seconds. 0 means no timeout; the default is 5 minutes
[H3C-vty]undo idle-timeout //Restore the default value
[H3C-vty]set authentication password 123456 //Set the telnet password; this must be set
[H3C-vty]undo set authentication password //Cancel password

2. View analysis

[H3C]display users //Display users
[H3C]display user-interface //User interface status
[H3C]display ip //Display information related to the management VLAN interface IP
[H3C]display interface vlan-interface20 //View the interface information of the management VLAN
debugging ip //Enable IP debugging
undo debugging ip //Disable IP debugging
[H3C]display vlan all //Display detailed information of all VLANs

3. VLAN configuration

[H3C]vlan 2 //Create VLAN2
[H3C]undo vlan all //Delete all VLANs except the default VLAN. The default VLAN cannot be deleted
[H3C-vlan2]port Ethernet 0/4 to Ethernet 0/7 //Add ports 4 to 7 to VLAN2. This command can only be used to add access ports and cannot be used to add trunk or hybrid ports
[H3C-vlan2]port-isolate enable //Enable the port isolation feature in the VLAN, so that Layer 2 forwarding is not possible. This function is not enabled by default
[H3C-Ethernet0/4]port-isolate uplink-port vlan 2 //Set port 4 as the isolation uplink port of VLAN2, which is used to forward Layer 2 data. Only one uplink port can be configured. If it is a trunk, it is recommended to allow all VLANs to pass. Isolation cannot be configured together with aggregation
//S1550E supports port-based VLAN, which is achieved by creating different user-groups
//A port can belong to multiple user-groups, but ports that do not belong to the same user-group cannot communicate with each other
[H3C]user-group 20 //Create user-group 20; only user-group 1 exists by default
[H3C-UserGroup20]port Ethernet 0/4 to Ethernet 0/7 //Add ports 4 to 7 to VLAN20. Initially they all belong to user-group 1
[H3C]display user-group 20 //Display information about user-group 20

4. IP configuration

[H3C]vlan 20 //Create vlan
[H3C]management-vlan 20 //Set the management VLAN
[H3C]interface vlan-interface20 //Enter management VLAN 20
[H3C]undo interface vlan-interface20 //Delete the management VLAN interface
[H3C-Vlan-interface20]ip address 192.168.1.2 255.255.255.0 //Configure the static IP address of the management VLAN interface (the default is 192.168.0.234)
[H3C-Vlan-interface20]undo ip address //Delete the IP address
[H3C-Vlan-interface20]ip gateway 192.168.1.1 //Specify the default gateway (no gateway address by default)
[H3C-Vlan-interface20]undo ip gateway //Delete the gateway
[H3C-Vlan-interface20]shutdown //Close the interface
[H3C-Vlan-interface20]undo shutdown //Open the interface

5. DHCP client configuration

[H3C-Vlan-interface20]ip address dhcp-alloc //The management VLAN interface obtains the IP address through DHCP
[H3C-Vlan-interface20]undo ip address dhcp-alloc //Cancel
[H3C]display dhcp //Display DHCP client information
debugging dhcp-alloc //Enable DHCP debugging function
undo debugging dhcp-alloc

6. Port configuration

[H3C]interface Ethernet0/3
[H3C-Ethernet0/3]shutdown //Shut down
[H3C-Ethernet0/3]speed 100 //Speed, can be 10, 100, 1000 and auto (default)
[H3C-Ethernet0/3]duplex full //Duplex, can be half, full and auto (default). Optical port and aggregation cannot be configured
[H3C-Ethernet0/3]flow-control //Enable flow control, the default is off
[H3C-Ethernet0/3]broadcast-suppression 20 //Set the broadcast suppression percentage to 20%, which can be 5, 10, 20, 100, and the default is 100. Multicast and unknown unicast are also affected by this
[H3C-Ethernet0/3]loopback internal //Internal loopback test
[H3C-Ethernet0/3]loopback external //External loopback test. A loopback plug must be inserted, and the port must be in full-duplex or auto-negotiation mode
[H3C-Ethernet0/3]port link-type trunk //Set the link type to trunk; it can be access (default) or trunk
[H3C-Ethernet0/3]port trunk pvid vlan 20 //Set 20 as the default VLAN of the trunk, and the default is 1 (the PVID at both ends of the trunk line must be consistent)
[H3C-Ethernet0/3]port access vlan 20 //Add the current access port to the specified VLAN
[H3C-Ethernet0/3]port trunk permit vlan all //Allow all VLANs to pass through the current trunk port. This command can be used multiple times
[H3C-Ethernet0/3]mdi auto //Set the Ethernet port to detect the cable type automatically; normal (default) is a straight-through cable, and across is a crossover cable
[H3C]link-aggregation Ethernet 0/1 to Ethernet 0/4 //Add ports 1-4 to the aggregation group; port 1 is the main port, and both ends need to be configured at the same time
//Ports configured with port mirroring or port isolation cannot be aggregated
[H3C]undo link-aggregation Ethernet 0/1 //Delete the aggregation group
[H3C]link-aggregation mode egress //Configure the port aggregation mode to load balancing based on the destination MAC address
//The options are ingress, egress and both; the default is both
[H3C]monitor-port Ethernet 0/2 //Set this port as the monitor port. The monitor port must be set first, and when deleting, the mirrored ports must be deleted first
//The two cannot be on the same port, and the port cannot be in an aggregation group. When a new monitor port is set, the new one replaces the old one, and the mirrored ports remain unchanged
[H3C]mirroring-port Ethernet 0/3 to Ethernet 0/4 both //Set ports 3 and 4 as mirrored ports
//both monitors received and sent messages at the same time, inbound monitors only received messages, and outbound monitors only sent messages
[H3C]display mirror
[H3C]display interface Ethernet 0/3
reset counters //Clear statistics of all ports
[H3C]display link-aggregation Ethernet 0/3 //Display port aggregation information
[H3C-Ethernet0/3]virtual-cable-test //Diagnose the circuit status of the port

7. Cluster configuration:

S2100 can only be added to the cluster as a member switch. After joining, the system name is changed to the format "cluster name_member number.original system name". Plug-and-play is realized through two functions: cluster management protocol MAC multicast address negotiation and management VLAN negotiation
[H3C]cluster enable //Enable the cluster function, enabled by default
[H3C]cluster //Enter the cluster view
[H3C-cluster]administrator-address HHH name switch //HHH is the MAC of the command switch; join the cluster named switch
[switch_1.H3C-cluster]undo administrator-address //Exit the cluster
[H3C]display cluster //Display cluster information
[H3C]management-vlan 2 //Cluster messages can only be forwarded in the management VLAN, and members of the same cluster must be in the same management VLAN. The management VLAN must be specified before establishing the cluster
debugging cluster

8. QoS configuration:

QoS configuration steps: Set the priority of the port, set the priority mode of the switch trust message, queue scheduling, port speed limit
[H3C-Ethernet0/3]priority 7 //Set the port priority to 7, the default is 0
[H3C]priority-trust cos //Set the priority mode of switch trust packets to cos (802.1p priority, default value), or set it to dscp mode (dscp priority mode)
[H3C]queue-scheduler hq-wrr 2 4 6 8 //Set the queue scheduling algorithm to HQ-WRR (default is WRR), and the weights are 2, 4, 6, 8
[H3C-Ethernet0/3]line-rate inbound 29 //Limit the port inbound rate to 2Mbps. For values 1-28, the rate is rate*8*1024/125, that is, 64, 128, 192 ... 1.792M; for 29-127, the rate is (rate-27)*1024, that is, 2M, 3M, 4M ... 100M; Gigabit ports can take further values: for 128-240, the rate is (rate-115)*8*1024, that is, 104M, 112M, 120M ... 1000M
[H3C]display queue-scheduler //Display queue scheduling mode and parameters
[H3C]display priority-trust //Show priority trust mode

9. Network protocol configuration:

NDP is the Neighbor Discovery Protocol. On the S1550E, NDP can only be enabled or disabled and cannot be configured. The default effective retention time is 180s, and the interval for sending NDP messages is 60s
[H3C]ndp enable //Enabled by default
[H3C-Ethernet0/3]ndp enable //Enabled by default
[H3C]display ndp //Display NDP configuration information
[H3C]display ndp interface Ethernet 0/1 //Display neighbor information discovered by NDP on the specified port
debugging ndp interface Ethernet 0/1
HABP, the Huawei Authentication Bypass Protocol, solves the following problem: when 802.1x and HGMPv1/v2 are configured on the switch at the same time, HGMP messages are filtered on ports that have not been authorized and authenticated, so the management device cannot manage the connected switches. After the switch starts HABP, it will ignore 802.1x authentication.
HABP includes a server and a client. The server sends requests regularly, and the client responds and forwards them downward. The server is generally started on the management device, and the client is started on the connected device. 1550E only supports the client.
[H3C]habp enable //Enable the HABP feature. It is enabled by default. After startup, it defaults to client mode
debugging habp //Enable HABP debugging function
NTDP is the Neighbor Topology Discovery Protocol, a protocol used to collect network topology information. It works together with the NDP protocol and is used for cluster management. The configuration on the S1550E mainly consists of turning the function on and off and turning debugging on and off
[H3C]ntdp enable //Enabled by default
[H3C-Ethernet0/3]ntdp enable //Enabled by default
debugging ntdp

10. SNMP configuration:

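S1550E supports SNMPv1 and SNMPv2c. The main configuration includes: setting the community name, setting system information, setting the address of the Trap target host, allowing or prohibiting the sending of Traps, and disabling the running of the SNMP Agent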

[H3C]snmp-agent community read bigheap //Set the bigheap community and provide read-only access
[H3C]snmp-agent max-size 1600 //Set the maximum size of SNMP message packets that the Agent can accept/send to 1600 bytes, default 1500
[H3C]snmp-agent sys-info contact #27345 location Diqiu version v2c //Set system information, the version is v2c. By default the contact information is "R&D Hangzhou, H3C Technologies co.,Ltd.", the location is "Hangzhou China", and the version is v2c
[H3C]undo snmp-agent //Disable the running of the SNMP Agent. If any SNMP command is configured afterwards, the SNMP Agent will be restarted
[H3C]display snmp-agent community read
[H3C]display snmp-agent sys-info contact
[H3C]display snmp-agent sys-info location
[H3C]display snmp-agent sys-info version
debugging snmp-agent packet|process

11. IGMP Snooping configuration:

IGMP Snooping is a multicast constraint mechanism that runs on Layer 2 switches and is used to manage and control multicast groups. It is mainly responsible for establishing and maintaining the Layer 2 MAC address table, and at the same time forwarding multicast packets issued by the router based on the established multicast address table. If IGMP Snooping is not running, multicast messages will be broadcast in the Layer 2 network.
IGMP Snooping configuration includes: starting and stopping IGMP Snooping, configuring the router port aging time, configuring the maximum response query time, configuring the multicast group member port aging time, configuring fast leave on a port, and the debugging function
[H3C]igmp-snooping //Enable IGMP Snooping function, the default is off
[H3C]igmp-snooping router-aging-time 500 //Configure the router port aging time to 500s, the default is 105s
[H3C]igmp-snooping max-response-time 15 //Configure the maximum response query time to 15s, the default is 10s
[H3C]igmp-snooping host-aging-time 300 //Configure the multicast group member port aging time to 300s, the default is 260s
[H3C-Ethernet0/3]igmp-snooping fast-leave //Configure fast leave. If a leave message is received, the port will be deleted immediately without querying
[H3C]display igmp-snooping configuration //Display configuration information
[H3C]display igmp-snooping statistics //Display packet statistics
[H3C]display igmp-snooping group vlan 2 //Display information about the IP multicast group and MAC multicast group in VLAN2
reset igmp-snooping statistics //Clear statistical information
debugging igmp-snooping

12. System debugging:

debugging all //Turn on all debugging switches; this command is the protocol debugging switch
terminal debugging //Terminal debugging switch; turns on display of debugging information, off by default
debugging drv //Mainly displays the actual content of the message, off by default
[H3C]display debugging //Display debug switch status

13. 802.1x configuration:

[H3C-Ethernet0/3]dot1x //Enable the 802.1x feature. It can also be used in system view, where it enables 802.1x globally
//You can also use the interface parameter to enable the 802.1x feature of the specified port. It is turned off by default. To enable 802.1x, it must be enabled both globally and on the port
[H3C-Ethernet0/3]dot1x port-control unauthorized-force //Set the working mode to forced unauthorized mode
//The usage mode is the same as the dot1x command. The default is auto, that is, access is allowed only after passing authentication; authorized-force is a forced authorization mode that allows users to access
[H3C-Ethernet0/3]dot1x port-method portbased //Set the access control method to port-based
//The usage mode is the same as the dot1x command. The default is macbased, that is, based on MAC address
[H3C-Ethernet0/3]dot1x max-user 10 //Set the maximum number of port access users to 10. The usage mode is the same as the dot1x command. The default is 128 and the value range is 1-128
[H3C]dot1x authentication-method eap //Set the 802.1x user authentication method to EAP, that is, EAP relay: EAP messages are sent directly to the server, and the server needs to support it
[H3C-Ethernet0/3]dot1x re-authenticate //Enable the 802.1x re-authentication function so that the switch re-authenticates periodically at a set time interval
//The usage mode is the same as the dot1x command. By default, this feature is turned off on all ports
[H3C]dot1x timer handshake-period 20 reauth-period 7200 quiet-period 30 tx-period 20 supp-timeout 20 server-timeout 200 //Set the timers for 802.1x authentication
//handshake-period: after successful authentication, the system sends handshake request messages at this interval (equivalent to the keepalive message sending interval), 1-1024s, the default is 15s.
//reauth-period is the re-authentication timeout timer, 1-86400s, the default is 3600s.
//quiet-period is the quiet timer: after a user fails authentication, the Authenticator stays quiet for this period before processing authentication again, 10-120s, the default is 60s.
//tx-period is the transmission timeout timer. If the Supplicant fails to send the authentication response message successfully, the authentication request will be resent, 10-120s, the default is 30s.
//supp-timeout is the authentication timeout timer. If the Supplicant fails to respond successfully, the authentication request will be resent, 10-120s, the default is 30s.
//server-timeout is the timeout timer for the server failing to respond successfully, 100-300s, default 100s.
reset dot1x statistics //Clear 802.1x statistics
[H3C]display dot1x statistics //Display 802.1x configuration, operation status and statistical information
debugging dot1x //Enable debugging information for 802.1x related modules

14. RADIUS configuration:

[H3C]radius scheme system //Enter the system scheme, whose values are default values. 1550E only supports the default scheme
[H3C-radius-system]primary authentication 10.110.1.1 1812 //Set the RADIUS server address and UDP port number
//By default, the server IP address in the system scheme is empty, and the UDP port number is 1812
[H3C-radius-system]key authentication 123 //Set the RADIUS encryption shared key to 123; there is no shared key by default
[H3C-radius-system]timer 10 //Set the RADIUS server response timeout timer, 1-10s, the default is 5s
[H3C-radius-system]retry 10 //Set the maximum number of response retries of the RADIUS server to 10, 1-20 times, the default is 5 times
[H3C]display radius //Display radius scheme information
debugging radius packet //Turn on radius packet debugging switch
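
An added example, not part of the original page: a small Python audit that reads a saved configuration written in this page's command syntax and flags settings that sections 1, 10 and 13 and the log host notes describe as weakening access control or logging. The sample configuration, its indented layout and the finding codes are constructed assumptions, not device output.

```python
import re

# Constructed sample in this page's command syntax; the layout (view header
# unindented, its commands indented) is an assumption, not captured output.
SAMPLE_CONFIG = """\
sysname bigheap
info-center enable
snmp-agent community read bigheap
interface Ethernet0/3
 dot1x
 dot1x port-control authorized-force
interface Ethernet0/4
 dot1x
user-interface aux 0
 idle-timeout 0
user-interface vty 0
 idle-timeout 2 50
"""

def parse_views(text):
    """Group indented commands under the unindented line that opens their view."""
    views = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0].isspace() and views:
            views[-1][1].append(line)
        else:
            views.append((line, []))
    return views

def audit(text):
    """Return a list of (view, finding_code) tuples."""
    views = parse_views(text)
    top = [head for head, _ in views]
    found = []
    if not any(h.startswith("info-center loghost") for h in top):
        found.append(("global", "NO_LOGHOST"))        # logs stay in the local buffer only
    if any(h.startswith("snmp-agent community") for h in top):
        found.append(("global", "SNMP_COMMUNITY"))    # v1/v2c: community is the only credential
    for head, body in views:
        if head.startswith("user-interface"):
            if any(re.fullmatch(r"idle-timeout 0( 0)?", c) for c in body):
                found.append((head, "NO_IDLE_TIMEOUT"))   # 0 means no timeout
            if "vty" in head and not any(
                    c.startswith("set authentication password") for c in body):
                found.append((head, "NO_VTY_PASSWORD"))   # telnet password must be set
        elif head.startswith("interface"):
            if "dot1x port-control authorized-force" in body:
                found.append((head, "FORCED_AUTHORIZED"))  # port authorized without 802.1x
            if "dot1x" in body and "dot1x" not in top:
                found.append((head, "DOT1X_NOT_GLOBAL"))   # needs global and port enable
    return found

if __name__ == "__main__":
    for view, code in audit(SAMPLE_CONFIG):
        print(f"{view}: {code}")
```
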

Origin blog.csdn.net/wailaizhu/article/details/121140614