Huawei switch settings memo
1. Some boards have combo ports. Run the command combo {copper | fiber} to switch an Ethernet combo port between its optical port and its electrical port. For example, the G24C board has eight electrical ports and 24 optical ports. The first eight optical ports and the electrical ports are multiplexed (combo ports), so you must use the combo command to set them.

2. (Optional) Switch an interface between Layer 2 and Layer 3 mode.
Step 1. Run the system-view command to enter the system view.
Step 2. Run the interface interface-type interface-number command to enter the interface view.
Step 3. Run the portswitch command to configure the interface to work in Layer 2 mode.
Step 4. Run the undo portswitch command to configure the interface to work in Layer 3 mode.
By default, an Ethernet interface works in Layer 2 mode. When an interface is switched from Layer 3 mode to Layer 2 mode, its Layer 3 functions and identity are disabled and it uses the system MAC address.

3. Check the configuration result.
Run the command display interface [interface-type [interface-number]] [| {begin | exclude | include} regular-expression] to view the description, duplex mode, and rate of the Ethernet interface.

4. Configure the Ethernet interface loopback test.
Step 1. Run the system-view command to enter the system view.
Step 2. Run the interface interface-type interface-number command to enter the interface view.
Step 3. Run the loopback internal command to configure the loopback test on the Ethernet interface.
By default, the loopback test function is disabled on Ethernet interfaces.

5. Configure the minimum interval between shutting down and restarting an interface.
Step 1. Run the system-view command to enter the system view.
Step 2. Run the shutdown interval interval-value command to set the minimum interval between interface shutdown and startup.
By default, the minimum interval between interface shutdown and startup is 15 seconds.

6. Configure a port group.
Step 1. Run the system-view command to enter the system view.
Step 2. Run the port-group port-group-name command to enter the port group view.
Step 3. Run the command group-member interface-list to add Ethernet ports to the specified port group.

7. (Optional) Configure the maximum frame length allowed on an interface.
Step 1. Run the system-view command to enter the system view.
Step 2. Run the interface interface-type interface-number command to enter the Ethernet interface view.
Step 3. Run the jumbo enable [value] command to set the maximum frame length allowed through the Ethernet interface.
By default, the system allows frames with a maximum length of 9216 bytes to pass through an Ethernet port.

8. (Optional) Enable flow control.
Step 1. Run the system-view command to enter the system view.
Step 2. Run the interface interface-type interface-number command to enter the interface view.
Step 3. Run the flow-control command to enable flow control on the Ethernet interface.
By default, flow control is disabled on Ethernet interfaces. Flow control must also be enabled on the peer device's interface.

9. (Optional) Enable flow control auto-negotiation.
Step 1. Run the system-view command to enter the system view.
Step 2. Run the interface gigabitethernet interface-number command to enter the GE interface view.
Step 3. Run the flow-control negotiation command to enable flow control auto-negotiation on the Gigabit Ethernet interface.
By default, flow control auto-negotiation is disabled on Ethernet interfaces. The peer device's interface must also be configured for flow control auto-negotiation for the negotiation to succeed.

10. (Optional) Enable port isolation.
Step 1. Run the system-view command to enter the system view.
Step 2. Run the port-isolate mode {l2 | all} command to configure the port isolation mode. (This command can be omitted when only two ports are isolated.)
Step 3. Run the interface interface-type interface-number command to enter the Ethernet interface view.
Step 4. Run the port-isolate enable command to enable port isolation.
After port isolation is enabled, ports that have it enabled are isolated from each other. A port with port isolation enabled can still communicate with ports on which it is not enabled.

11. (Optional) Configure the IP address of an Ethernet sub-interface.
Step 1. Run the system-view command to enter the system view.
Step 2. Run the command interface interface-type interface-number.subinterface-number to create the Ethernet sub-interface and enter its view.
Step 3. Run the command ip address ip-address {mask | mask-length} [sub] to configure the IP address of the Ethernet sub-interface.
Currently, only E-series boards support sub-interface configuration.

12. Check the configuration result.
- Run the command display port-group [all | port-group-name] to view the configured port groups.
- Run the command display interface [interface-type [interface-number]] [| {begin | exclude | include} regular-expression] to view the auto-negotiation function of the interface.

13. Create a single VLAN.
Step 1. Run the system-view command to enter the system view.
Step 2. Run the command vlan vlan-id to create a VLAN and enter the VLAN view.
Step 3. (Optional) Run the description command to configure the VLAN description.
A VLAN description makes VLANs easier to manage and remember. By default, the description shows the VLAN number. For example, VLAN 15 is described as "VLAN 0015".

14. Create multiple VLANs.
Step 1. Run the system-view command to enter the system view.
Step 2. Run the command vlan batch {vlan-id1 [to vlan-id2]} &<1-10> to create VLANs in a batch.

15. Configure the VLAN traffic statistics function.
Step 1. Run the system-view command to enter the system view.
Step 2. Run the command vlan vlan-id to enter the VLAN view.
Step 3. Run the statistic enable command to enable the traffic statistics function on the VLAN.
By default, the VLAN traffic statistics function is disabled.

16. Check the VLAN configuration result.
Run the command display vlan to view the created VLANs.

    <Quidway> display vlan
    The total number of vlans is: 5
    vlan id Type Status MAC Learning Broadcast/Multicast/Unicast Property
    1 common enable forward default
    10 common enable forward default
    20 common enable forward default
    30 common enable forward forward forward default
    100 common enable forward default

Run the command display vlan vlan-id verbose to check whether the VLAN description is correctly configured.

    <Quidway> display vlan 10 verbose
    VLAN ID: 10
    VLAN Type: Common
    Description: VLAN 0010
    Status: Enable
    Broadcast: Enable
    MAC learning: Enable
    Statistics: Disable
    Property: default
    physical status: Down
    ----------------
    Untagged Port: gigabitEthernet1/0/42
    ----------------
    Tagged Port: GigabitEthernet1/0/41 GigabitEthernet1/0/42
    ----------------
    Interface Physical
    GigabitEthernet1/0/42 DOWN
    GigabitEthernet1/0 OWN
    GigabitEthernet1/0/41

Run the command display vlan vlan-id statistics to view the VLAN traffic statistics.

    <Quidway> display vlan 20 statistics
    Board: 3 VLAN: 20
    Bytes Item Packets Bytes Packets
    Inbound 0 0 0
    Outbound 0 0

17. Trunk (VLAN pass-through)

    port link-type trunk
    port trunk allow-pass vlan all

Eth-Trunk (Ethernet link aggregation)

    #
    interface Eth-Trunk1
     port link-type trunk
     port trunk allow-pass vlan 100 to 200
    #
    interface GigabitEthernet0/0/3
     eth-trunk 1
    #
    interface GigabitEthernet0/0/4
     eth-trunk 1

How S2300/3300/5300 series switches prevent users from privately setting static IP addresses

To prevent users from privately configuring static IP addresses, only traffic from users with an IP address + MAC address binding, or from users whose address was obtained from a valid DHCP server, is allowed through the interface. Other user traffic cannot pass. Although the S2300/3300/5300 series switches do not have the am user-bind command of H3C switches, the DHCP Snooping function can also bind IP + MAC + port to prevent users from setting static IP addresses.
For example, suppose that only the static IP address 1.1.1.2 with MAC address 001c-2309-9aa7 is to be allowed on port Ethernet0/0/1, and all other static IP addresses must not be able to access the Internet. The configuration is as follows:

Configure the DHCP Snooping function of the device

    # Enable the global DHCP Snooping function.
    [Quidway] dhcp snooping enable
    # Configure the VLAN to which the user-side interface belongs.
    [Quidway] vlan 100
    [Quidway-vlan100] quit
    [Quidway] interface ethernet 0/0/1
    [Quidway-Ethernet0/0/1] port default vlan 100
    [Quidway-Ethernet0/0/1] quit
    # Enable the DHCP Snooping function in the VLAN.
    [Quidway] vlan 100
    [Quidway-vlan100] dhcp snooping enable

Configure packet checking on the user-side interface

    [Quidway] interface ethernet 0/0/1
    [Quidway-Ethernet0/0/1] dhcp snooping check arp enable
    [Quidway-Ethernet0/0/1] dhcp snooping check ip enable
    [Quidway-Ethernet0/0/1] quit

Configure the static binding table entry

    [Quidway] vlan 100
    [Quidway-vlan100] dhcp snooping bind-table static ip-address 1.1.1.2 mac-address 001c-2309-9aa7 interface ethernet 0/0/1

Implementing IP + port binding (2012-02-16 16:25:09)

The switch can bind an IP address to a port by combining a traffic policy with DHCP Snooping; that is, the port is bound to a specific source IP address (only packets whose source IP address is in the binding table are allowed through), and the MAC address is not bound. For example, configure port Ethernet0/0/8 so that only packets with the source IP address 192.168.130.50 in the binding table can pass through; other IP packets are discarded.
    # Enable DHCP Snooping globally
    [Quidway] dhcp snooping enable
    # Define an advanced ACL that matches IP address 192.168.130.50
    [Quidway] acl 3000
    [Quidway-acl-adv-3000] rule 5 permit ip source 192.168.130.50 0
    [Quidway-acl-adv-3000] rule 10 deny ip source any
    [Quidway-acl-adv-3000] rule 15 deny ip destination any
    # Create a traffic classifier that matches the ACL
    [Quidway] traffic classifier c1
    [Quidway-classifier-c1] if-match acl 3000
    # Create a traffic behavior and a traffic policy
    [Quidway] traffic behavior b1
    [Quidway-behavior-b1] permit
    [Quidway] traffic policy p1
    [Quidway-trafficpolicy-p1] classifier c1 behavior b1
    # Apply the traffic policy on the port so that only packets with the source IP address 192.168.130.50 in the binding table can pass

The configuration in V100R002C00 is as follows:

    [Quidway] interface Ethernet 0/0/8
    [Quidway-Ethernet0/0/8] port default vlan 4094
    [Quidway-Ethernet0/0/8] dhcp snooping check user-bind enable
    [Quidway-Ethernet0/0/8] traffic-policy p1 inbound

In V100R003C00 and later versions, the configuration is as follows:

    [Quidway] interface Ethernet 0/0/8
    [Quidway-Ethernet0/0/8] port default vlan 4094
    [Quidway-Ethernet0/0/8] ip source check user-bind enable
    [Quidway-Ethernet0/0/8] traffic-policy p1 inbound

How to implement IP + MAC + port binding through configuration

The S-switch implements IP + MAC + port binding through the static binding table of DHCP Snooping. The configuration idea is to first configure a static binding table entry under the VLAN, where the IP address and MAC address of the entry are the IP address and MAC address of the PC. Then, enable the IP and ARP packet check functions on the S-switch interface connected to the PC. When DHCP is used to assign IP addresses to users and those users must be restricted to dynamic addresses only, so that they cannot connect to the network if they change to a static IP address, DHCP Snooping is also what is used.
For example, bind the IP address 10.1.1.1 and the MAC address 0002-0002-0002 to the interface Ethernet0/0/1.

The configuration in V100R002 is as follows:

    [HUAWEI] dhcp enable
    [HUAWEI] dhcp snooping enable
    [HUAWEI] vlan 100
    [HUAWEI-vlan100] quit
    [HUAWEI] interface Ethernet 0/0/1
    [HUAWEI-Ethernet0/0/1] port default vlan 100
    [HUAWEI-Ethernet0/0/1] dhcp snooping check user-bind enable
    [HUAWEI-Ethernet0/0/1] quit
    [HUAWEI] vlan 100
    [HUAWEI-vlan100] dhcp snooping enable
    [HUAWEI-vlan100] user-bind static ip-address 10.1.1.1 mac-address 0002-0002-0002 interface Ethernet0/0/1

In V100R003 and later versions, the configuration is as follows:

    [HUAWEI] dhcp enable
    [HUAWEI] dhcp snooping enable
    [HUAWEI] vlan 100
    [HUAWEI-vlan100] quit
    [HUAWEI] interface Ethernet 0/0/1
    [HUAWEI-Ethernet0/0/1] port default vlan 100
    [HUAWEI-Ethernet0/0/1] ip source check user-bind enable
    [HUAWEI-Ethernet0/0/1] quit
    [HUAWEI] vlan 100
    [HUAWEI-vlan100] dhcp snooping enable
    [HUAWEI-vlan100] quit
    [HUAWEI] user-bind static ip-address 10.1.1.1 mac-address 0002-0002-0002 interface Ethernet0/0/1

How to implement MAC + port binding through configuration

The switch implements MAC + port binding by combining a traffic policy with DHCP Snooping; that is, the port is bound to a specific MAC address (only packets with a specific MAC address in the binding table can pass through the port), and the IP address is not bound. For example, configure port Ethernet0/0/1 so that only packets whose source MAC address is in the binding table are allowed to pass through; other packets are discarded.
    # Enable DHCP Snooping globally
    [Quidway] dhcp snooping enable
    # Create an ACL that only allows packets with MAC address 0-02-02
    [Quidway] acl 4000
    [Quidway-acl-L2-4000] rule permit source-mac 0-02-02 ffff-ffff
    [Quidway-acl-L2-4000] rule deny
    # Create a traffic classifier that matches ACL 4000
    [Quidway] traffic classifier c1
    [Quidway-classifier-c1] if-match acl 4000
    # Create a traffic behavior and a traffic policy
    [Quidway] traffic behavior b1
    [Quidway-behavior-b1] permit
    [Quidway] traffic policy p1
    [Quidway-trafficpolicy-p1] classifier c1 behavior b1
    # Apply the traffic policy on the port so that only packets that are in the binding table and have the source MAC address 0-02-02 can pass

The configuration in V001C00R002 is as follows:

    [Quidway] interface Ethernet 0/0/1
    [Quidway-Ethernet0/0/1] port default vlan 4094
    [Quidway-Ethernet0/0/1] dhcp snooping check user-bind enable
    [Quidway-Ethernet0/0/1] traffic-policy p1 inbound

In V001C00R003 and later versions, the configuration is as follows:

    [Quidway] interface Ethernet 0/0/1
    [Quidway-Ethernet0/0/1] port default vlan 4094
    [Quidway-Ethernet0/0/1] ip source check user-bind enable
    [Quidway-Ethernet0/0/1] traffic-policy p1 inbound
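
The binding sections in this memo always pair a static binding entry with a check command on the user-side interface. As an added example (not part of the original memo), the Python script below audits a saved configuration for static bindings whose interface has no check command, and for checked ports that have no static entry. The sample configuration is constructed, and only the interface-view check commands that appear in this memo are recognized.

```python
import re

# Constructed sample in "#"-separated saved-config layout; commands are from this memo, values are made up.
SAMPLE_CONFIG = """\
#
vlan 100
 dhcp snooping enable
#
interface Ethernet0/0/1
 port default vlan 100
 ip source check user-bind enable
#
interface Ethernet0/0/2
 port default vlan 100
#
interface Ethernet0/0/3
 port default vlan 100
 dhcp snooping check ip enable
#
user-bind static ip-address 10.1.1.1 mac-address 0002-0002-0002 interface Ethernet0/0/1
user-bind static ip-address 10.1.1.2 mac-address 0002-0002-0003 interface Ethernet0/0/2
"""

# Interface-view commands from this memo that enable checking against the binding table.
CHECK_CMDS = ("ip source check user-bind enable",
              "dhcp snooping check user-bind enable",
              "dhcp snooping check ip enable")
# Both static-binding spellings that appear in this memo.
BIND_RE = re.compile(r"(?:user-bind static|dhcp snooping bind-table static)\s+"
                     r"ip-address\s+(\S+)\s+mac-address\s+(\S+)\s+interface\s+(.+)", re.I)

def norm_if(name):
    """Treat 'ethernet 0/0/1' and 'Ethernet0/0/1' as the same port."""
    return re.sub(r"\s+", "", name).lower()

def audit(config):
    """Return (bindings on ports without a check, checked ports without a static binding)."""
    checked, bindings, current = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = norm_if(line[len("interface "):])
        elif raw and not raw[0].isspace():
            current = None  # "#" or another top-level command leaves the interface view
        if current and line.lower() in CHECK_CMDS:
            checked.add(current)
        match = BIND_RE.search(line)
        if match:
            bindings.append((match.group(1), match.group(2), norm_if(match.group(3))))
    unenforced = [b for b in bindings if b[2] not in checked]
    dhcp_only = sorted(checked - {b[2] for b in bindings})
    return unenforced, dhcp_only

print(audit(SAMPLE_CONFIG))
```

A binding reported in the first list exists in the table but is not being checked on its port; a port in the second list is checked but relies on DHCP-learned entries only.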