1. Local MAC address authentication configuration
local-user 54-ee-75-45-2c-75
password simple 54-ee-75-45-2c-75
service-type lan-access
#
mac-authentication
mac-authentication domain mac-auth
mac-authentication user-name-format mac-address with-hyphen
mac-authentication interface e1/0/1 to e1/0/24
#
domain mac-auth
authentication lan-access local
2. View MAC address authentication results
dis mac-authentication
3. Configure the RADIUS scheme
radius scheme 2000
primary authentication 10.1.1.1 1812
primary accounting 10.1.1.2 1813
key authentication abc key accounting abc
user-name-format without-domain
quit
# Configure the AAA scheme for the ISP domain.
domain 2000
authentication default radius-scheme 2000
authorization default radius-scheme 2000
accounting default radius-scheme 2000
quit
# Enable MAC address authentication globally.
mac-authentication
# Enable MAC address authentication on port GigabitEthernet1/1.
mac-authentication interface gigabitethernet 1/1
# Configure the ISP domain used by MAC authentication users.
mac-authentication domain 2000
# Configure the MAC authentication timers.
mac-authentication timer offline-detect 180
mac-authentication timer quiet 180
# Configure MAC authentication to use a fixed username format.
mac-authentication user-name-format fixed account aaa password simple 123456
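The MAC-auth and RADIUS snippets above store the local-user password and the RADIUS keys with `simple` (clear text), and the MAC-auth local user's password is the MAC address itself, so the credential is derivable from the frame's source address. The following audit script is an added example, not part of the original notes: it scans Comware-style configuration text for these patterns. The sample configuration inside it is constructed from the snippets on this page and is not a real device configuration.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the MAC-auth, RADIUS and console snippets
# in these notes; it is not a real device configuration.
SAMPLE_CONFIG = """\
local-user 54-ee-75-45-2c-75
 password simple 54-ee-75-45-2c-75
 service-type lan-access
radius scheme 2000
 key authentication abc key accounting abc
radius scheme cams
 key authentication simple 123456
radius scheme hardened
 key authentication cipher $c$3$EXAMPLE-CIPHERTEXT-PLACEHOLDER
user-interface aux 0
 authentication-mode password
 set authentication password cipher OAadmin@147
user-interface vty 0 4
 authentication-mode scheme
"""

# key authentication|accounting [simple|cipher] <secret>; a line may carry two keys
KEY_RE = re.compile(r"key (authentication|accounting)(?: (simple|cipher))? (\S+)")

def audit(config: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for weak credential handling."""
    findings = []
    current_user = None
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if line.startswith("local-user "):
            current_user = line.split()[1]
        # 'password simple' keeps the local-user credential in clear text
        m = re.match(r"password simple (\S+)$", line)
        if m:
            findings.append((lineno, "plaintext local-user password"))
            if current_user and m.group(1).lower() == current_user.lower():
                findings.append((lineno, "password equals username"))
        # RADIUS shared secrets: anything other than 'cipher' was typed in clear text
        for km in KEY_RE.finditer(line):
            if km.group(2) != "cipher":
                findings.append((lineno, f"plaintext RADIUS {km.group(1)} key"))
        # a single shared line password instead of per-user AAA ('scheme')
        if line == "authentication-mode password":
            findings.append((lineno, "user-interface uses shared password, not AAA scheme"))
    return findings

if __name__ == "__main__":
    for ln, finding in audit(SAMPLE_CONFIG):
        print(f"line {ln}: {finding}")
```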
4. Configure the dial-up connection
#
interface Dialer1
nat outbound
nat outbound 2000 port-preserved
link-protocol ppp
ppp chap user 075501240843@163.gd
ppp chap password cipher $c$3$eosexm0TFqWeanw1HfXUH2VU3OTzspcAAu0o
ppp pap local-user 075501240843@163.gd password cipher $c$3$8pX3TjqxE3spDotqd1G/WxK6FpOHrpjlGPnI
ppp ipcp dns request
ip address ppp-negotiate
dialer user 075501240843@163.gd
dialer-group 1
dialer bundle 1
#
interface GigabitEthernet0/1
port link-mode route
description ADSL
pppoe-client dial-bundle-number 1
5. DHCP pool configuration and IP binding
#
dhcp server ip-pool vlan2
network 10.86.57.0 mask 255.255.255.0
network ip range 10.86.57.20 10.86.57.199 (address range 2.2.2.10 2.2.2.250 )
gateway-list 10.86.57.253
expired day 0 hour 2 // set the lease time
dns-list 10.111.113.9
static-bind ip-address 2.2.2.100 mask 255.255.255.0 hardware-address sdsd-sd23-sdsa // bind the IP address to a MAC
#
dhcp server ip-pool wuhongming
static-bind ip-address 10.86.56.156 mask 255.255.255.0
static-bind mac-address c89c-dc53-4cd7
#
dhcp server ip-pool xingzhengzhuren
static-bind ip-address 10.86.56.113 mask 255.255.255.0
static-bind mac-address 3c97-0ea9-3c42
interface Vlan-interface5
ip address 2.2.2.1 255.255.255.0
ip address 3.3.3.1 255.255.255.0 sub
dhcp server apply ip-pool vlan3
5. IRF stacking
irf member 2 renumber 1
6. Create a subinterface
interface GigabitEthernet0/0.105
description TO-PBC
ip address 9.75.210.105 255.255.255.252
vlan-type dot1q vid 105
7. Route redistribution
ospf 1
import-route direct cost 20 route-policy direct_ospf
import-route static cost 20 route-policy static_ospf
#
route-policy direct_ospf permit node 10
if-match acl 3003
route-policy static_ospf permit node 10
if-match acl 3002
8. Configure the time zone
clock timezone Beijing add 08:00:00
9. Enable TTL-expired and unreachable ICMP messages
ip ttl-expires enable
ip unreachables enable
10. Loop detection
loopback-detection // used to check whether loop detection is enabled
When DHCP snooping is enabled on a switch, it listens to DHCP packets and can extract and record the IP address and MAC address information carried in received DHCP Request or DHCP ACK packets. In addition, DHCP snooping allows a physical port to be configured as trusted or untrusted: a trusted port receives and forwards DHCP Offer packets normally, while an untrusted port discards any DHCP Offer packets it receives. In this way the switch blocks rogue DHCP servers and ensures that clients obtain IP addresses from the legitimate DHCP server.
STP protection
stp bpdu-protection
stp enable
Clear interface packet counters
reset counters interface g2/0/5
View interface optical transmit and receive power
display transceiver diagnosis interface GigabitEthernet 0/0/3
display session table source-ip 10.118.187.16 count
Static route redistribution
route-policy import-rt permit node 1
if-match tag 100
ospf 100
import-route static route-policy import-rt matrice20 type2
area 0.0.0.0
network 10.111.126.152 0.0.0.3
network 10.111.126.164 0.0.0.3
NAT
interface GigabitEthernet0/2
port link-mode route
description IPsec_vpn-uc
nat outbound 3021 address-group 5
nat outbound 3006 address-group 2
nat outbound 3004 address-group 1
nat server protocol any global 172.16.100.3 inside 10.111.168.33
nat server protocol any global 172.16.100.4 inside 10.111.168.34
nat server protocol any global 172.16.100.5 inside 10.111.168.35
nat server protocol any global 172.16.100.6 inside 10.111.168.36
nat server protocol any global 84.238.4.109 inside 172.16.40.253
nat address-group 1
address 3.3.3.3 3.3.3.3
acl basic 2000
rule 0 permit source 1.1.1.1 0
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 2.2.2.254 255.255.255.0
nat outbound 2000 address-group 1
#
interface GigabitEthernet0/1
port link-mode route
combo enable copper
ip address 1.1.1.254 255.255.255.0
nat server protocol icmp global 4.4.4.4 inside 2.2.2.2
Configure GRE VPN
interface Tunnel1 mode gre
ip address 192.168.1.1 255.255.255.0
source 30.30.30.2
destination 10.1.1.1
Configure NQA + Track
nqa entry admin test
type icmp-echo
destination ip 218.17.224.7 // firewall public-side gateway
frequency 100
next-hop 10.52.195.251
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
nqa schedule admin test start-time now lifetime forever
track 1 nqa entry admin test reaction 1
ip route-static 0.0.0.0 0.0.0.0 10.55.216.251 track 1
ip route-static 0.0.0.0 0.0.0.0 10.55.216.254 preference 80
BFD echo + Track
bfd echo-source-ip 1.1.1.2
bfd multi-hop authentication-mode md5 1 cipher $c$3$t/NeEDbhbYOYLxn4sxRG2hEMfI1YDp/xVXsykw==
track 1 bfd echo interface GigabitEthernet0/0 remote ip 1.1.1.1 local ip 1.1.1.2
BFD control packet mode
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 8.8.8.2 255.255.255.0
bfd min-transmit-interval 450
bfd min-receive-interval 450
bfd detect-multiplier 3
bfd authentication-mode md5 1 cipher $c$3$y2iImYFlcS39hiH0KP2DP44uLTe3/0rHWn8=
bfd detect-interface source-ip 5.5.5.2
ip route-static 200.2.2.0 24 8.8.8.1
Configure policy-based routing
acl number 3009 name proute // traffic matching 3009 uses the routing table
rule 2 permit ip destination 10.0.0.0 0.255.255.255
acl number 3010 name wanproute // all other traffic follows the policy
rule 5 permit ip source 10.97.2.188 0
rule 6 permit ip source 10.97.2.185 0
rule 7 permit ip source 10.97.2.186 0
rule 8 permit ip source 10.97.2.187 0
rule 9 permit ip source 10.97.2.100 0
policy-based-route liansoft permit node 5
if-match acl 3009
policy-based-route liansoft permit node 10
if-match acl 3010
apply ip-address next-hop 10.97.0.251
Apply on the interface
interface Vlan-interface2
description "IT"
ip address 10.97.2.253 255.255.255.0
dhcp select relay
dhcp relay server-select 3
ip policy-based-route liansoft
acl number 3009 name proute // traffic matching 3009 uses the routing table
rule 2 permit ip destination 10.0.0.0 0.255.255.255
acl number 3010 name wanproute // all other traffic follows the policy
rule 5 permit ip source 10.43.10.178 0
policy-based-route liansoft permit node 5
if-match acl 3009
policy-based-route liansoft permit node 10
if-match acl 3010
apply ip-address next-hop 10.43.20.251
Apply on the interface:
interface Vlan-interface 10
ip policy-based-route liansoft
acl number 3009 name internal
rule 2 permit ip source 10.0.123.0 0.0.0.255 destination 10.0.0.0 0.255.255.255
acl number 3010 name internet
rule 5 permit ip source 10.0.123.0 0.0.0.255
policy-based-route wangkang permit node 1
if-match acl 3009
policy-based-route wangkang permit node 2
if-match acl 3010
apply ip-address next-hop 10.0.7.200
interface Vlan-interface123
ip address 10.0.123.1 255.255.255.0
dhcp select relay
dhcp relay server-select 3
ip policy-based-route wangkang
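In the policies above, the first node matches internal destinations but carries no `apply` clause, so that traffic is permitted through to normal routing, while the second node sends the listed hosts to a fixed next hop. The following Python model is an added example, not part of the original notes: it evaluates a permit-only policy with Comware-style wildcard masks and reports which path a given source/destination pair takes. The `Rule`/`Node` classes, the `ROUTING_TABLE` sentinel and the sample packets are constructed here; the policy data is taken from the `liansoft` policy on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ROUTING_TABLE = "routing-table"   # sentinel: forward by the normal routing table

def _ip_int(s: str) -> int:
    # Comware abbreviates an all-zero wildcard as a bare '0'
    return int(ipaddress.IPv4Address("0.0.0.0" if s == "0" else s))

def _wild_match(addr: str, rule_addr: Optional[str], wildcard: str) -> bool:
    """ACL wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    if rule_addr is None:               # rule places no constraint on this field
        return True
    a, r, w = _ip_int(addr), _ip_int(rule_addr), _ip_int(wildcard)
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (r & keep)

@dataclass
class Rule:                             # one 'rule N permit ip ...' line
    source: Optional[str] = None
    source_wild: str = "0"
    destination: Optional[str] = None
    dest_wild: str = "0"

@dataclass
class Node:                             # one 'policy-based-route ... permit node N'
    acl: List[Rule]
    next_hop: Optional[str] = None      # None = permit node with no apply clause

def pbr_next_hop(nodes: List[Node], src: str, dst: str) -> str:
    """First node whose ACL permits the packet decides; no match = routing table."""
    for node in nodes:
        if any(_wild_match(src, r.source, r.source_wild)
               and _wild_match(dst, r.destination, r.dest_wild) for r in node.acl):
            return node.next_hop or ROUTING_TABLE
    return ROUTING_TABLE

# The 'liansoft' policy from the notes: node 5 (ACL 3009) keeps internal traffic on
# the routing table, node 10 (ACL 3010) sends the listed IT hosts to 10.97.0.251.
LIANSOFT = [
    Node(acl=[Rule(destination="10.0.0.0", dest_wild="0.255.255.255")]),
    Node(acl=[Rule(source=s) for s in
              ("10.97.2.188", "10.97.2.185", "10.97.2.186", "10.97.2.187", "10.97.2.100")],
         next_hop="10.97.0.251"),
]

if __name__ == "__main__":
    for src, dst in (("10.97.2.188", "10.1.1.1"), ("10.97.2.188", "8.8.8.8"),
                     ("10.97.2.50", "8.8.8.8")):
        print(f"{src} -> {dst}: {pbr_next_hop(LIANSOFT, src, dst)}")
```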
ACL filtering
acl number 3100 name AP-ACL
rule 1 deny ip source 10.118.120.189 0 destination 10.0.217.251 0
interface Vlan-interface120
description ARUBA-AP-MGT
ip address 10.118.120.1 255.255.255.0
dhcp select relay
dhcp relay server-select 1
packet-filter 3100 inbound
Enable the TFTP ALG (automatic protocol recognition)
alg tftp
Mapping between link speed and port path cost values
Change fan airflow direction
fan prefer-direction slot 1 port-to-power
Version 5
V5 NPS
Apply to all aggregation and access layer switches (except the two core switches)
Radius
radius scheme cams
primary authentication 10.116.219.43
key authentication simple 123456
nas-ip 10.118.0.158
server-type extended
user-name-format without-domain
quit
domain sf
authentication default radius-scheme cams local
authorization default radius-scheme cams local
accounting default none
quit
domain default enable sf
NPS domain
radius scheme nps
server-type extended
primary authentication 10.118.88.32 key 123456
primary accounting 10.118.88.32 key 123456
user-name-format without-domain
nas-ip 10.118.0.13
domain nps
authentication default radius-scheme nps local
authorization default radius-scheme nps local
accounting default none
authentication lan-access radius-scheme nps local
authorization lan-access radius-scheme nps local
accounting lan-access radius-scheme nps local
SSH remote access
public-key local create rsa
Enter: 1024
ssh server enable
MAC authentication
mac-authentication
mac-authentication domain nps
NTP
ntp-service unicast-server 10.116.48.104
Port configuration
interface GigabitEthernet1/0/16
mac-authentication
Console
user-interface aux 0
authentication-mode password
set authentication password cipher OAadmin@147
idle-timeout 5 0
quit
Access layer idle time
The idle time is 60; applies only to the access layer
user-interface vty 0 4
authentication-mode scheme
protocol inbound all
idle-timeout 60 0
Aggregation layer idle time
user-interface vty 0 4
authentication-mode scheme
idle-timeout 15 0
Version 3
V3 NPS
Apply to all aggregation and access layer switches (except the two core switches)
Radius
radius scheme cams
primary authentication 10.116.219.43
key authentication simple 123456
nas-ip 10.118.0.158
server-type extended
user-name-format without-domain
quit
domain sf
authentication default radius-scheme cams local
accounting none
quit
domain default enable sf
NPS domain
radius scheme nps
server-type extended
primary authentication 10.118.88.32
primary accounting 10.118.88.32
key authentication 123456
key accounting 123456
user-name-format without-domain
nas-ip 10.118.0.130
domain nps
scheme radius-scheme nps local
quit
SSH remote access
public-key local create rsa
Enter: 1024
ssh authentication-type default all
MAC authentication
mac-authentication
mac-authentication domain nps
mac-authentication user-name-format mac-address without-hyphen lowercase
NTP
ntp-service unicast-server 10.116.48.104
Port configuration
int e1/0/*
mac-authentication interface Ethernet 1/0/31
Console
user-interface aux 0
authentication-mode password
set authentication password cipher OAadmin@147
idle-timeout 5 0
quit
Access layer idle time
The idle time is 60; applies only to the access layer
user-interface vty 0 4
authentication-mode scheme
protocol inbound all
idle-timeout 60 0
Aggregation layer idle time
user-interface vty 0 4
authentication-mode scheme
idle-timeout 15 0
Source: CSDN
Author: luyajun0730
Link: https://blog.csdn.net/lu07ya/article/details/78700831