Notes on Huawei switching and routing configuration

Source: Internet
Author: User

<Quidway> language-mode ?
  chinese  Chinese environment
  english  English environment
<Quidway> system-view
[Quidway] sysname ?
  TEXT  Host name (1 to 30 characters)

Operation                                     Command
Display history commands                      display history-command (shows the commands you have typed)

# Go to the system view.
<Quidway> system-view

Operation                                     Command
Return to the upper-level command view        quit
Return from any non-user view to user view    return
Display the system clock                      display clock
Display current-configuration
Display the running configuration of the current view
Display terminal users                        display users [all]
Display the system version                    display version [slot-id]

Lock user interface
3.2.2 Set the S-switch device time
Perform the following operations in the user view.
Operation                       Command
Set the UTC standard time       clock datetime time
Set daylight saving time        clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset
Set the time zone               clock timezone
Switch language mode
Perform the following operations in the user view.
Operation                       Command
Switch to Chinese mode          language-mode chinese
Switch to English mode          language-mode english

Switch user level
Operation                       Command
Switch user level               super [level]

[Tswitch] sysname switch for test
[Switch for test] super password level 15 simple 111
user-interface vty 0 4
authentication-mode password
set authentication password simple 111
user privilege level 15
quit
Configure Console user interface properties
Configure the display properties of the user interface
Background information
To configure the display properties of the user interface, follow these steps:
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the user-interface {0 | console 0} command to enter the user interface view.
Step 3 Run the screen-length command to configure the number of lines on the terminal screen.
Step 4 Run the history-command max-size command to configure the size of the history command buffer.

Configure logon parameters on the user interface
Background information
To configure the logon parameters on the user interface, follow these steps:
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the user-interface {0 | console 0} command to enter the user interface view.
Step 3 Run the idle-timeout minutes [seconds] command to configure the idle timeout after which a logged-in user is disconnected.
By default, the timeout for a logged-in user is 10 minutes, after which the terminal line is disconnected automatically. The idle-timeout 0 0 command disables the timeout, so the connection is never disconnected and an unattended session stays logged in.
Configure password authentication for logon users
Background information
Note: When the password authentication method is configured, you must also set the authentication password. Otherwise, you cannot log on.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the user-interface {0 | console 0} command to enter the user interface view.
Step 3 Run the authentication-mode password command to use the password authentication method.
Step 4. Execute the command

To configure AAA local authentication for logon users, perform the following steps:
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the user-interface {0 | console 0} command to enter the user interface view.
Step 3 Run the authentication-mode aaa command to set the authentication mode to AAA.
Step 4 Run the quit command to return to the system view.
Step 5 Run the aaa command to enter the AAA view.
Step 6 Run the local-user user-name password {simple | cipher} password command to configure the local user name and password.
Step 7 Run the local-user user-name service-type {ftp | ppp | ssh | telnet | terminal} * command to configure the service type of the local user. This step is optional.
Step 8 Run the local-user user-name level command to configure the user's logon level.
Step 9 Run the authentication-scheme scheme-name command to create the authentication scheme and enter the authentication scheme view.
Step 10 Run the authentication-mode local command to set the AAA authentication mode to local.
In
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin level 15
local-user admin ftp-directory flash:
local-user admin service-type telnet
 
Change password in AAA mode
sys
aaa
local-user admin password simple 999
# Run the local-user user-name password {simple | cipher} password command to create a local user account.
local-user admin service-type terminal
# Run the local-user user-name service-type {ftp | ppp | ssh | telnet | terminal} * command to configure the service type of the local user.
local-user admin level 15
# Run the local-user user-name level command to configure the priority of the local user.
local-user admin state active
# Run the local-user user-name state {active | block} command to configure the local user status.

Configure logon authentication mode
user-interface con 0
user-interface vty 0 4
authentication-mode aaa
# Set the authentication mode to aaa
user-interface con 0
user-interface vty 0 4
user privilege level 3
set authentication password simple
 
5.3.2 Enable FTP service
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the ftp server enable command to enable the FTP service.

Step 4 Run the idle-timeout minutes [seconds] command to configure the idle timeout after which a user is disconnected.
By default, the timeout for a logged-in user is 10 minutes, after which the terminal line is disconnected automatically. The idle-timeout 0 0 command disables the timeout, so the connection is never disconnected.
idle-timeout 0 0
TFTP configuration backup
<Tswitch> tftp 10.24.29.30 put vrpcfg.zip vrpcfg.cfg.zip
Transfer file in binary mode.
Now begin to copy file to remote tftp server, please wait for a while... |
TFTP: 856 bytes sent in 1 second.
File uploaded successfully.
<Tswitch> tftp 10.24.29.30 put S5300EI-V100R003C00SPC301.cc S5300EI-V100R003C00SPC301.cc
Transfer file in binary mode.
Now begin to copy file to remote tftp server, please wait for a while... |
TFTP: 9348204 bytes sent in 84 seconds.
File uploaded successfully.
 

Configure basic SNMP Agent functions
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the snmp-agent command to start the SNMP Agent service.
Step 3 Run the snmp-agent sys-info version {{v1 | v2c | v3} * | all} command to configure the SNMP protocol version.
Step 4 Run the snmp-agent local-engineid command to configure the engine ID of the local SNMP entity.
Step 5 (Optional) Run the snmp-agent sys-info contact command to configure the administrator's contact information.
Step 6 (Optional) Run the snmp-agent sys-info location command to configure the S-switch location.

snmp-agent
snmp-agent community read sgdupc110
snmp-agent sys-info version v1 v3
snmp-agent usm-user v3 admin sgdu
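
The login, AAA, FTP and SNMP snippets above store secrets with the simple keyword, allow Telnet, disable the idle timeout and enable SNMPv1. The following added example (not part of the original notes and not Huawei code) scans a saved configuration for exactly those settings and masks the secrets in its report. The sample configuration is constructed from commands shown in these notes; admin_level=3 is an assumption of the example.

```python
import re

# Line rules: (id, pattern, reason). Patterns follow the command forms
# that appear in the notes above.
LINE_RULES = [
    ("cleartext-password",
     re.compile(r"\bpassword\s+(?:level\s+\d+\s+)?simple\s+\S+", re.I),
     "secret is readable in the saved configuration; use 'cipher'"),
    ("telnet-service",
     re.compile(r"^local-user\s+\S+\s+service-type\b.*\btelnet\b", re.I),
     "account may log in over unencrypted Telnet"),
    ("snmp-cleartext",
     re.compile(r"^snmp-agent\s+sys-info\s+version\b.*\b(v1|v2c|all)\b", re.I),
     "SNMPv1/v2c send the community string in clear text"),
    ("no-idle-timeout", re.compile(r"^idle-timeout\s+0\s+0$", re.I),
     "sessions on this user interface never time out"),
    ("ftp-server", re.compile(r"^ftp\s+server\s+enable$", re.I),
     "FTP sends credentials and files unencrypted"),
]
REASONS = {rid: why for rid, _pat, why in LINE_RULES}
REASONS["shared-password-admin"] = "one shared VTY password grants a high level"
SECRET = re.compile(
    r"(\bpassword\s+(?:level\s+\d+\s+)?(?:simple|cipher)\s+)\S+", re.I)
SECTION = re.compile(r"(user-interface|aaa|interface|vlan)\b", re.I)


def audit(config_text, admin_level=3):
    """Return findings as (line_no, section, rule_id, redacted_line).

    admin_level is an assumption of this example: the lowest privilege
    level treated as administrative for the shared-password check.
    """
    findings = []
    section, sec_line, pw_mode, level = "global", 0, False, None

    def close_section():
        # Section-level check: a VTY with password-only authentication
        # and a high privilege level.
        if (section.startswith("user-interface vty") and pw_mode
                and level is not None and level >= admin_level):
            findings.append((sec_line, section, "shared-password-admin", section))

    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "#" or SECTION.match(line):
            close_section()
            section = "global" if line == "#" else line.lower()
            sec_line, pw_mode, level = no, False, None
            continue
        if line.lower() == "authentication-mode password":
            pw_mode = True
        m = re.match(r"user privilege level (\d+)$", line, re.I)
        if m:
            level = int(m.group(1))
        for rule_id, pattern, _why in LINE_RULES:
            if pattern.search(line):
                # Mask the secret so the report can be shared.
                findings.append((no, section, rule_id, SECRET.sub(r"\1****", line)))
    close_section()
    return findings


# Constructed sample, assembled from the commands shown in these notes.
SAMPLE = """#\nsysname Tswitch\nsuper password level 15 simple 111
ftp server enable\n#\naaa\n local-user admin password simple admin
 local-user admin level 15\n local-user admin service-type telnet\n#
snmp-agent\nsnmp-agent community read sgdupc110
snmp-agent sys-info version v1 v3\n#\nuser-interface vty 0 4
 authentication-mode password\n set authentication password simple 111
 user privilege level 15\n idle-timeout 0 0\n#\nreturn\n"""

if __name__ == "__main__":
    for no, section, rule_id, text in audit(SAMPLE):
        print(f"line {no:>2} [{section}] {rule_id}: {text} ({REASONS[rule_id]})")
```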

#
1.2.5 Configure MIB view information
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the snmp-agent mib-view {excluded | included} view-name oid-tree command to configure MIB view information.

Check configuration results
Background information
After completing the preceding configuration, run the following commands to check the configuration result.
Operation                                      Command
Display SNMP message statistics                display snmp-agent statistics
Display the engine ID of the current device    display snmp-agent {local-engineid | remoteengineid}
snmp-agent
snmp-agent local-engineid 000007DB7F0000010000037C
snmp-agent community read sgdupc110
snmp-agent sys-info version v1 v3
snmp-agent usm-user v3 admin sgdupc110
3.2.2 Configure the IP spoofing attack prevention function
Background information
Perform the following configuration on the S-switch that requires IP spoofing protection.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the vlan vlan-id command to create a VLAN and enter the VLAN view.
Step 3 Run the quit command to return to the system view.
Step 4 Run the firewall enable command to enable the attack prevention function.
Step 5 Run the interface vlanif vlan-id command to enter the VLANIF interface view.
Step 6 Run the firewall defend enable command to enable attack prevention on the interface.
Step 7 Run the quit command to return to the system view.
Step 8 Run the firewall defend ip-spoofing enable command to enable IP spoofing attack prevention.
By default, the IP spoofing protection function is disabled.
Quidway S5300 series Ethernet Switches
Configuration Guide-security 3 attack prevention Configuration

An S-switch with IP spoofing protection enabled records the attack information when it is hit by an IP spoofing attack and outputs it through logs. The log shows the IP addresses recorded by the system in the last 30 seconds, the attack start time, the attack end time, the total number of attack packets, and other information. Up to 12 different IP addresses can be displayed.
If "..." is displayed, there are more than 12 attack sources.
---- End
3.2.3 Check configuration results
After completing the preceding configuration, run the following command to check the configuration result.
Operation Command
display firewall defend flag
Use the display firewall defend flag command to view the attack prevention information configured on the S-switch device. "ipspoofing" in the output indicates that the IP spoofing attack prevention function is enabled.
Configure the Land attack prevention function
A Land attack sends packets whose source and destination host and port are the same to a target machine. Vulnerable machines usually crash as a result.
Background information
Perform the following configuration on the S-switch that requires Land attack prevention.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the vlan vlan-id command to create a VLAN and enter the VLAN view.
Step 3 Run the quit command to return to the system view.
Step 4 Run the firewall enable command to enable the attack prevention function.
Step 5 Run the interface vlanif vlan-id command to enter the VLANIF interface view.
Step 6 Run the firewall defend enable command to enable attack prevention on the interface.
Step 7 Run the quit command to return to the system view.
Step 8 Run the firewall defend land enable command to enable the Land attack prevention function.
By default, the Land attack prevention function is disabled.
---- End
3.3.3 Check configuration results
After completing the preceding configuration, run the following command to check the configuration result.
Operation Command
display firewall defend flag
Use the display firewall defend flag command to view the attack prevention information configured on the S-switch device. "Land" in the output indicates that the Land attack prevention function is enabled.
<Quidway> display firewall defend flag

 
Configure the Smurf attack prevention function
Background information
Perform the following configuration on the S-switch that requires Smurf attack prevention.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the vlan vlan-id command to create a VLAN and enter the VLAN view.
Step 3 Run the quit command to return to the system view.
Step 4 Run the firewall enable command to enable the attack prevention function.
Step 5 Run the interface vlanif vlan-id command to enter the VLANIF interface view.
Step 6 Run the firewall defend enable command to enable attack prevention on the interface.
Step 7 Run the quit command to return to the system view.
Step 8 Run the firewall defend smurf enable command to enable the Smurf attack prevention function.
By default, the Smurf attack prevention function is disabled.
Check configuration results
After completing the preceding configuration, run the following command to check the configuration result.
Operation Command
display firewall defend flag
Use the display firewall defend flag command to view the attack prevention information configured on the S-switch device. "Smurf" in the output indicates that the Smurf attack prevention function is enabled.
<Quidway> display firewall defend flag
 
Configure the SYN Flood attack prevention function
Background information
Perform the following configuration on the S-switch that requires SYN Flood attack prevention.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the vlan vlan-id command to create a VLAN and enter the VLAN view.
Step 3 Run the quit command to return to the system view.
Step 4 Run the firewall enable command to enable the attack prevention function.
Step 5 Run the firewall defend syn-flood enable command to enable SYN Flood attack prevention globally.
By default, the SYN Flood attack prevention function is disabled.
Step 6 Run the interface vlanif vlan-id command to enter the VLANIF interface view.
Step 7 Run the firewall defend enable command to enable attack prevention on the interface.
Step 8 Run the quit command to return to the system view.
Step 9 (Optional) Run the firewall defend syn-flood ip-address [max-rate-number] command to set the IP address and parameters for the SYN Flood attack prevention function.
---- End
3.5.3 Check configuration results
After completing the preceding configuration, run the following command to check the configuration result.
Operation Command
display firewall defend flag
Use the display firewall defend flag command to view the attack prevention information configured on the S-switch device. "Syn-flood" in the output indicates that the SYN Flood prevention function is enabled.
<Quidway> display firewall defend flag
The attack defend flag is:
 
Configure the ICMP Flood attack prevention function
Background information
Perform the following configuration on the S-switch that requires ICMP Flood attack prevention.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the vlan vlan-id command to create a VLAN and enter the VLAN view.
Step 3 Run the quit command to return to the system view.
Step 4 Run the firewall enable command to enable the attack prevention function.
Step 5 Run the interface vlanif vlan-id command to enter the VLANIF interface view.
Step 6 Run the firewall defend enable command to enable attack prevention on the interface.
Step 7 Run the quit command to return to the system view.
Step 8 Run the firewall defend icmp-flood enable command to enable the global switch of the ICMP Flood attack prevention function.
By default, the ICMP Flood attack prevention function is disabled.
Step 9 (Optional) Run the firewall defend icmp-flood ip-address [max-rate-number] command to enable ICMP Flood attack prevention for the specified IP address.
---- End
3.6.3 Check configuration results
After completing the preceding configuration, run the following command to check the configuration result.
Operation Command
display firewall defend flag
Use the display firewall defend flag command to view the attack prevention information configured on the S-switch device. "Icmp-flood" in the output indicates that the ICMP Flood attack prevention function is enabled.
<Quidway> display firewall defend flag

Configure the Ping of Death attack prevention function
Background information
Perform the following configuration on the S-switch that requires Ping of Death attack prevention.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the vlan vlan-id command to create a VLAN and enter the VLAN view.
Step 3 Run the quit command to return to the system view.
Step 4 Run the firewall enable command to enable the attack prevention function.
Step 5 Run the interface vlanif vlan-id command to enter the VLANIF interface view.
Step 6 Run the firewall defend enable command to enable attack prevention on the interface.
Step 7 Run the quit command to return to the system view.
Step 8 Run the firewall defend ping-of-death enable command to enable the Ping of Death attack prevention function.
By default, the Ping of Death attack prevention function is disabled.
---- End
3.7.3 Check configuration results
After completing the preceding configuration, run the following command to check the configuration result.
Operation Command
display firewall defend flag
Use the display firewall defend flag command to view the attack prevention information configured on the S-switch device.
 

Configure TearDrop attack prevention
Background information
Perform the following configuration on the S-switch that requires TearDrop attack prevention.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the vlan vlan-id command to create a VLAN and enter the VLAN view.
Step 3 Run the quit command to return to the system view.
Step 4 Run the firewall enable command to enable the attack prevention function.
Step 5 Run the interface vlanif vlan-id command to enter the VLANIF interface view.
Step 6 Run the firewall defend enable command to enable attack prevention on the interface.
Step 7 Run the quit command to return to the system view.
Step 8 Run the firewall defend teardrop enable command to enable TearDrop attack prevention.
By default, the TearDrop attack prevention function is disabled.
---- End
3.8.3 Check configuration results
After completing the preceding configuration, run the following command to check the configuration result.
Operation Command
display firewall defend flag
Use the display firewall defend flag command to view the attack prevention information configured on the S-switch device. "Teardrop" in the output indicates that the TearDrop attack prevention function is enabled.
<Quidway> display firewall defend flag
The attack defend flag is:
Teardrop
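
Every attack prevention procedure above depends on three settings: firewall enable in the system view, firewall defend enable on each VLANIF interface, and one firewall defend <type> enable command per attack type. The following added example (not part of the original notes and not Huawei code) checks a saved configuration for all three and reports what is missing. It assumes the saved file stores these commands as typed, indents sub-commands under their section header and separates sections with "#"; the sample configuration and its addresses are constructed.

```python
import re

# Attack types whose "firewall defend <type> enable" commands appear in
# the procedures above.
DEFENCES = ("ip-spoofing", "land", "smurf", "syn-flood", "icmp-flood",
            "ping-of-death", "teardrop")


def parse(config_text):
    """Return (system-view command set, {vlanif id: command set}).

    Assumed layout: sub-commands are indented under their header line
    and "#" separates sections.
    """
    global_cmds, vlanifs, current = set(), {}, None
    for raw in config_text.splitlines():
        line = " ".join(raw.lower().split())
        if not line or line == "#":
            current = None
        elif raw[0].isspace():
            # Sub-command: only those under a VLANIF header are kept.
            if current is not None:
                vlanifs[current].add(line)
        else:
            m = re.fullmatch(r"interface vlanif ?(\d+)", line)
            current = int(m.group(1)) if m else None
            if m:
                vlanifs[current] = set()
            else:
                global_cmds.add(line)
    return global_cmds, vlanifs


def check_attack_prevention(config_text, required=DEFENCES):
    """Report which of the three settings the procedures rely on are missing."""
    global_cmds, vlanifs = parse(config_text)
    return {
        # Master switch in the system view.
        "global_switch": "firewall enable" in global_cmds,
        # One command per attack type, also in the system view.
        "missing_types": [d for d in required
                          if f"firewall defend {d} enable" not in global_cmds],
        # Per-interface switch, needed on every VLANIF to be protected.
        "unprotected_vlanifs": sorted(
            vid for vid, cmds in vlanifs.items()
            if "firewall defend enable" not in cmds),
    }


# Constructed sample: three attack types enabled, Vlanif20 left without
# the interface switch.
SAMPLE = """\
#
firewall enable
firewall defend land enable
firewall defend smurf enable
firewall defend teardrop enable
#
interface Vlanif10
 ip address 192.0.2.1 255.255.255.0
 firewall defend enable
#
interface Vlanif20
 ip address 198.51.100.1 255.255.255.0
#
return
"""

if __name__ == "__main__":
    for key, value in check_attack_prevention(SAMPLE).items():
        print(f"{key}: {value}")
```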

Enable the global DHCP Snooping function
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the dhcp snooping enable command to enable the global DHCP Snooping function.
By default, DHCP Snooping is disabled.
Enable local DHCP Snooping
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the vlan vlan-id command to enter the VLAN view.
Step 3 Run the dhcp snooping enable command to enable the DHCP Snooping function in the VLAN.
By default, DHCP Snooping is disabled.
Configure the trusted interface
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the vlan vlan-id command to enter the VLAN view. This VLAN should be the VLAN of the network-side interface (that is, the interface connected to the DHCP server).
Step 3 Run the dhcp snooping trusted interface-type interface-number command to set the "VLAN + interface" that faces the DHCP server to the trusted state.

Run the display dhcp snooping global command to confirm that the global DHCP Snooping function is enabled.
<Quidway> display dhcp snooping global
dhcp snooping enable
Run the display this command in the corresponding VLAN view to view the trusted interface information.
<Quidway> system-view
[Quidway] vlan 10
[Quidway-vlan10] display this
#
vlan 10
dhcp snooping enable
dhcp snooping trusted interface GigabitEthernet0/0/2
#
return
 
This section describes how to use display commands to view the running status of the S-switch device.
1.2.1 View device information
Run the display device [unit-id] command to view device information.
1.2.2 View version information
Run the display version [unit-id] command to view the version information.
1.2.3 View electronic tags
The displayed information includes: board model, bar code, BOM code, English description, production date, supplier name, release line number, CLEI code, and sales BOM code.
Perform the following configuration on the S-switch.
Procedure
Step 1 Run the display elabel [unit-id] command to view the electronic tag.
1.2.4 View temperature
Run the display environment [unit-id] command to view the device temperature.
1.2.5 View CPU usage
Run the display cpu-usage command to view the CPU usage statistics.
1.2.6 View memory usage
Run the display memory-usage [unit-id] command to view the memory usage statistics.
In practice, use this command in any view to view the memory usage statistics of the S-switch device.
---- End
1.2.7 View alarm information
Run the display alarm urgent [unit-id | time interval] command to view the alarm messages generated while the device is running.
In practice, use this command in any view to view the alarm information for each event on the S-switch device.
1.2.8 View interface status information
View the status of a specified interface
Perform the following configuration on the S-switch.
1. Run the display interface interface-type interface-number command to view the status information of the specified interface.
The interface status information includes the current operating status of the interface, the basic configuration of the interface, and statistics on sent and received packets.
View the status information of the current interface view
Perform the following configuration on the S-switch.
1. Run the system-view command to enter the system view.
2. Run the interface interface-type interface-number command to enter the interface view.
3. Run the display this interface command to view the status information of the current interface.


Author: "Kang Jianhua"
