Articles in category: Network Technology

1. Disable unused services

undo dhcp enable
undo http server enable            # H3C Comware form: undo ip http enable
undo http secure-server enable     # H3C Comware form: undo ip https enable
undo ndp enable
undo ftp server enable             # "undo ftp server port" only resets the port number, it does not stop the FTP server
undo tftp client-source            # only clears the configured TFTP client source address; the switch has no TFTP server to disable

2. Set login banners

header login information % %      # shown before authentication: put the warning text between the % delimiters and leave out model, owner and location details
header shell information % %      # shown after a successful login

3. No default route
Remove the default route and configure specific routes instead, so the switch only forwards to destinations that were deliberately configured

undo ip route-static 0.0.0.0 0.0.0.0 *
ip route-static X.X.0.0 255.255.0.0 **      # ** = next hop
ip route-static X.0.0.0 255.0.0.0 **

4. Create an SSH user, create a source-restricted login ACL, apply the ACL that restricts the user under the interface, and secure the console port

aaa
local-user * password cipher **                 # * = username, ** = password (placeholders, as in the rest of this list)
local-user * privilege level 15
local-user * service-type terminal ssh

ssh server enable  or  stelnet server enable    # H3C or Huawei form respectively
ssh user * authentication-type password
rsa local-key-pair create                       # host key the SSH server needs before clients can log in; choose at least 2048 bits when prompted (H3C: public-key local create rsa)

acl number 3500
rule 5 permit ip source ** 0                    # ** = management host; wildcard 0 means exactly this host
rule 20 deny ip                                 # explicit final deny: any source not listed above is dropped

ssh server acl 3500                             # apply the ACL to the SSH server, or under the user interface as below

user-interface vty 0 15                         # Huawei S-series accepts at most vty 0 14 (after user-interface maximum-vty 15); use your platform's range
undo set authentication password
authentication-mode aaa
user privilege level 3                          # with authentication-mode aaa the local-user privilege level (15 above) takes precedence over this value
idle-timeout 5 0
protocol inbound ssh
acl 3500 inbound

user-interface aux 0
authentication-mode aaa
idle-timeout 5 0

Once the account exists, log in over SSH with it and, from that session:
undo telnet server enable   # disable Telnet
aaa
undo local-user admin       # remove the original account
undo ssh user admin         # remove the original SSH user
Keep the current session open and confirm that a second SSH login with the new user succeeds before removing admin; otherwise a mistake in the new account locks you out and only the console remains.
5. Logging:

display logbuffer           # confirm that log entries are present (the checklist only verifies the local buffer; forward to a syslog server if the site requires central logging)

6. Clock
ntp-service unicast-server ** source-interface Vlanif 10/20      # ** = NTP server; source the requests from the management VLAN interface
undo ntp-service server disable      # note: this re-enables the NTP server function; if the switch should only be an NTP client, use ntp-service server disable instead
clock timezone beijing add 08:00:00
7. Service access-control list

acl number 3000      (the rule details follow the site's refined access-control list; they differ from one substation to another)

Once the service ACL exists, apply it to the substation switch's service interfaces (it must not be applied on the switch's uplink interconnect port)

Example:

interface GigabitEthernet1/0/1
packet-filter 3000 inbound

8. Shut down idle ports

Example:

interface GigabitEthernet1/0/1
shutdown

When hardening is complete, save the configuration: save

1. Disable unused services

undo dhcp enable
undo http server enable            # H3C Comware form: undo ip http enable
undo http secure-server enable     # H3C Comware form: undo ip https enable
undo ndp enable
undo ftp server enable             # "undo ftp server port" only resets the port number, it does not stop the FTP server
undo tftp client-source            # only clears the configured TFTP client source address; the switch has no TFTP server to disable

2. Set login banners

header login information % %      # shown before authentication: put the warning text between the % delimiters and leave out model, owner and location details
header shell information % %      # shown after a successful login

3. Create an SSH user, create a source-restricted login ACL, and apply it under the user interfaces and the console port

aaa
local-user * password cipher **                 # * = username, ** = password (placeholders, as in the rest of this list)
local-user * privilege level 15
local-user * service-type terminal ssh

ssh server enable  or  stelnet server enable    # H3C or Huawei form respectively
ssh user * authentication-type password
rsa local-key-pair create                       # host key the SSH server needs before clients can log in (H3C: public-key local create rsa)

acl number 3500
rule 0 permit ip source ** **                   # ** ** = network address and wildcard mask of a management subnet; the wildcard is mandatory
rule 5 permit ip source ** 0                    # ** = management host; wildcard 0 means exactly this host
rule 10 permit ip source ** 0
rule 20 deny ip                                 # explicit final deny: any source not listed above is dropped

user-interface vty 0 15                         # Huawei S-series accepts at most vty 0 14 (after user-interface maximum-vty 15); use your platform's range
undo set authentication password
authentication-mode aaa
user privilege level 3                          # with authentication-mode aaa the local-user privilege level (15 above) takes precedence over this value
idle-timeout 5 0
protocol inbound ssh
acl 3500 inbound

user-interface aux 0
authentication-mode aaa
idle-timeout 5 0

Once the account exists, log in over SSH with it and, from that session:
undo telnet server enable   # disable Telnet
aaa
undo local-user admin       # remove the original account
undo ssh user admin         # remove the original SSH user
Keep the current session open and confirm that a second SSH login with the new user succeeds before removing admin; otherwise a mistake in the new account locks you out and only the console remains.
4. Clock configuration
clock timezone beijing add 08:00:00
5. Logging

display logbuffer           # confirm that log entries are present

6. Network-management (SNMP) parameters
snmp-agent trap source LoopBack0      // the trap source interface's IP address must be routable to and from the trap host
snmp-agent trap enable
7. Shut down idle ports
Example:
interface GigabitEthernet1/0/1
shutdown

When hardening is complete, save the configuration: save
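Both hardening checklists above are quicker and safer to verify against the saved configuration than by reading it by eye. The following Python script is an added example, not code from the original posts: it parses `display current-configuration` output in the `#`-separated Huawei VRP / H3C Comware layout and reports which checklist items a device still violates, using the command spellings the checklists use (Telnet/HTTP/DHCP/FTP still enabled, missing banners, a default route, user interfaces without AAA or an idle timeout, a VTY that is not SSH-only or has no source ACL, a login ACL that permits whole networks or has no final deny, a leftover `admin` account, no NTP server or time zone, and physical ports with no configuration that are not shut down). The sample configuration, the `ops` user, and the finding codes are constructed for the example.

```python
import re

# Constructed sample of `display current-configuration` output (NOT captured from a real
# device); it deliberately breaks several checklist items so that the checks below fire.
SAMPLE_CONFIG = """\
#
 telnet server enable
#
header login information "Authorized access only"
#
aaa
 local-user admin password cipher %^%#XXXX%^%#
 local-user ops password cipher %^%#XXXX%^%#
#
acl number 3500
 rule 5 permit ip source 33.1.1.10 0
 rule 10 permit ip source 33.1.0.0 0.0.255.255
 rule 20 deny ip
#
stelnet server enable
#
interface GigabitEthernet1/0/2
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
 acl 3500 inbound
#
ip route-static 0.0.0.0 0.0.0.0 33.1.0.1
#
return
"""


def parse_blocks(text):
    """Split on '#' lines into (header, [sub-commands]): first line of a block, then the rest."""
    blocks = []
    for chunk in re.split(r"^#[ \t]*$", text, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines and lines != ["return"]:
            blocks.append((lines[0], lines[1:]))
    return blocks


def check_login_acl(blocks, acl):
    """The login ACL must exist, permit only explicit hosts, and end with an explicit deny."""
    rules = next((b for h, b in blocks if re.match(rf"acl (number|advanced) {acl}$", h)), None)
    if rules is None:
        return [f"acl-{acl}-missing"]
    out = [] if rules and re.match(r"rule \d+ deny", rules[-1]) else [f"acl-{acl}-no-final-deny"]
    for r in rules:
        m = re.match(r"rule \d+ permit ip(?: source (\S+)(?: (\S+))?)?$", r)
        if m and m.group(1) in (None, "any"):
            out.append(f"acl-{acl}-permit-any")
        elif m and m.group(2) not in ("0", "0.0.0.0"):  # wildcard wider than a single host
            out.append(f"acl-{acl}-non-host-permit:{m.group(1)}")
    return out


def audit(text):
    """Return a finding code for every checklist item the config violates ([] = compliant)."""
    blocks = parse_blocks(text)
    cmds = [h for h, _ in blocks] + [c for _, body in blocks for c in body]

    def has(pattern):
        return any(re.match(pattern, c) for c in cmds)
    # 1. services the checklist turns off (Comware prints 'ip http enable' / 'ip https enable')
    findings = [code for code, pat in (("telnet-enabled", r"telnet server enable"),
                ("http-enabled", r"(http server enable|ip http enable)"),
                ("https-enabled", r"(http secure-server enable|ip https enable)"),
                ("dhcp-enabled", r"dhcp enable"), ("ftp-enabled", r"ftp server enable")) if has(pat)]
    # 2. banners, 4. SSH server, 6. NTP source and time zone: all must be present
    # (some VRP versions show 'clock timezone' only in 'display clock', not in the config)
    findings += [code for code, pat in (("no-login-banner", r"header login"),
                 ("no-shell-banner", r"header shell"), ("ssh-server-disabled", r"(stelnet|ssh) server enable"),
                 ("no-ntp-server", r"ntp-service unicast-server"), ("no-timezone", r"clock timezone"))
                 if not has(pat)]
    # 3. no default route; the factory 'admin' account must be gone once the new user works
    if has(r"ip route-static 0\.0\.0\.0 (0|0\.0\.0\.0) "):
        findings.append("default-route-present")
    if has(r"local-user admin "):
        findings.append("default-admin-present")
    # 4. every line uses AAA with an idle timeout; VTY is SSH-only behind a source ACL
    for header, body in blocks:
        if not header.startswith("user-interface") or "maximum-vty" in header:
            continue
        line = header.split()[1]  # vty / aux / con
        if "authentication-mode aaa" not in body:
            findings.append(f"{line}-no-aaa")
        if not any(c.startswith("idle-timeout") for c in body):
            findings.append(f"{line}-no-idle-timeout")
        if line == "vty":
            if "protocol inbound ssh" not in body:
                findings.append("vty-not-ssh-only")
            acl = next((c.split()[1] for c in body if re.match(r"acl \d+ inbound", c)), None)
            findings += check_login_acl(blocks, acl) if acl else ["vty-no-acl"]
    # 8. physical ports with no configuration at all are unused and must be shut down
    findings += [f"idle-port-not-shutdown:{h.split()[1]}" for h, body in blocks
                 if re.match(r"interface (XGigabit|Gigabit|)Ethernet\S+$", h) and not body]
    return findings
```

Run `audit(open("switch.cfg").read())` against a saved configuration; an empty list means every item is satisfied. The idle-port rule is a heuristic: any physical interface block with no sub-commands is reported, so a port that is in service with purely default settings also shows up and needs a human decision.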

  1. Connect a PC to the switch console port, reboot the device, and press Ctrl+B immediately when the prompt "Press Ctrl+B to enter BootLoad menu" appears.
  2. Enter the BootROM default password: • newer versions: admin@huawei.com • older versions: Admin@huawei.com
  3. In the menu choose 6. Clear password for console user and confirm the reset.
  4. Then choose 1. Boot with default mode to start the device.
  5. After start-up the console port logs in without a password and the system forces you to set a new one (8 to 16 characters).
  6. After logging in, run save to keep the configuration.
Anyone with physical access to the console who can reboot the switch can do the same, so change the BootROM password from the default and control physical access; note that the reboot also interrupts service.

Router configuration:
sysname D-XX-XX-XXX-R1 (device name of this site)

ip vpn-instance vpn-nrt
route-distinguisher 655XX:2
vpn-target 655XX:200 import-extcommunity
vpn-target 655XX:200 export-extcommunity

ip vpn-instance vpn-rt
route-distinguisher 655XX:1
vpn-target 655XX:100 import-extcommunity
vpn-target 655XX:100 export-extcommunity

router id 33.2.X.X (local loopback address)

ospf 1 router-id 33.2.x.x (local loopback address)
area 0.0.0.X
network 33.2.x.x 0.0.0.0 (local loopback address)
network 33.3.X.X 0.0.0.0 (local interconnect address)

mpls lsr-id 33.2.x.x (local loopback address)

traffic classifier nrt operator and
if-match any

traffic classifier rt operator and
if-match any

traffic classifier vpn-nrt3 operator and
if-match mpls-exp 3

traffic classifier vpn-rt4 operator and
if-match mpls-exp 4

traffic behavior nrt
remark ip-precedence 3

traffic behavior rt
remark ip-precedence 4

traffic behavior vpn-nrt3
queue af bandwidth pct 30

traffic behavior vpn-rt4
queue af bandwidth pct 60

qos policy e1
classifier vpn-rt4 behavior vpn-rt4
classifier vpn-nrt3 behavior vpn-nrt3

qos policy nrt
classifier nrt behavior nrt

qos policy rt
classifier rt behavior rt

mpls ldp

interface Serial1/0
description XXX1-XXB1-2M
ip address 33.3.X.X 255.255.255.252 (local interconnect address)
ospf cost 500
mpls enable
mpls ldp enable
qos apply policy e1 outbound

interface LoopBack0
ip address 33.2.x.x 255.255.255.255 (local loopback address)

interface GigabitEthernet0/0.10
description vpn_rt
ip binding vpn-instance vpn-rt
ip address 33.x.x.126 255.255.255.128 (service address of this site)
qos apply policy rt inbound
vlan-type dot1q vid 10

interface GigabitEthernet7/0.20
description vpn_nrt
ip binding vpn-instance vpn-nrt
ip address 33.x.x.254 255.255.255.128 (service address of this site)
qos apply policy nrt inbound
vlan-type dot1q vid 20

bgp 655XX
router-id 33.2.x.x (local loopback address)
peer 33.2.x.x as-number 655XX (uplink neighbor ID)
peer 33.2.x.x connect-interface LoopBack0 (uplink neighbor ID)
#
address-family ipv4 unicast
peer 33.2.x.x enable (uplink neighbor ID)
#
address-family vpnv4
peer 33.2.x.x enable (uplink neighbor ID)
#
ip vpn-instance vpn-nrt
#
address-family ipv4 unicast
import-route direct
#
ip vpn-instance vpn-rt
#
address-family ipv4 unicast
import-route direct

snmp-agent
snmp-agent local-engineid 800063A203002389422001
snmp-agent community read XXX
snmp-agent community write XXX-p
snmp-agent sys-info version v2c v3 (v2c communities travel in cleartext and provide no authentication; bind them to the NMS address with an ACL, or allow v3 only)
snmp-agent target-host trap address udp-domain 33.254.XX.1 params securityname XXX-p v2c (this sends the write community in every trap packet; use the read-only community or v3 for traps)
snmp-agent target-host trap address udp-domain 33.254.XX.1 params securityname XXX

ntp-service source LoopBack0
ntp-service unicast-server 33.2.x.x (uplink neighbor ID)
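The router template marks each VPN's traffic on the way in (policy rt sets IP precedence 4, policy nrt sets precedence 3) and then, on the 2 Mbit/s serial core link, queues by MPLS EXP (class vpn-rt4 gets 60% AF bandwidth, vpn-nrt3 gets 30%). That chain only holds if the EXP value pushed with the label equals the precedence set at ingress, which is the Comware default, and if every name in the chain resolves. The Python below is an added example, not part of the original page: it checks a trimmed, constructed copy of the template for undefined classifiers, behaviors and policies, for precedence values marked inbound that have no matching mpls-exp class outbound, and for AF reservations on the core link exceeding 100%. The sample deliberately changes the rt behavior to mark precedence 5 so that one break is found; the section keywords and finding texts are the example's own.

```python
import re

# Trimmed, constructed variant of the PE router template above (NOT the original config):
# the ingress behavior 'rt' is deliberately changed to mark precedence 5, so its traffic
# would land in the default queue on the core link instead of the 60% AF class.
SAMPLE_ROUTER_CONFIG = """\
traffic classifier nrt operator and
 if-match any
traffic classifier rt operator and
 if-match any
traffic classifier vpn-nrt3 operator and
 if-match mpls-exp 3
traffic classifier vpn-rt4 operator and
 if-match mpls-exp 4
traffic behavior nrt
 remark ip-precedence 3
traffic behavior rt
 remark ip-precedence 5
traffic behavior vpn-nrt3
 queue af bandwidth pct 30
traffic behavior vpn-rt4
 queue af bandwidth pct 60
qos policy e1
 classifier vpn-rt4 behavior vpn-rt4
 classifier vpn-nrt3 behavior vpn-nrt3
qos policy nrt
 classifier nrt behavior nrt
qos policy rt
 classifier rt behavior rt
interface Serial1/0
 qos apply policy e1 outbound
interface GigabitEthernet0/0.10
 qos apply policy rt inbound
interface GigabitEthernet0/0.20
 qos apply policy nrt inbound
"""

SECTION_KEYWORDS = ("traffic classifier", "traffic behavior", "qos policy", "interface")


def parse_sections(text):
    """Group the flat CLI text into {(kind, name): [sub-commands]}; a line starting with one
    of SECTION_KEYWORDS opens a section and owns every line up to the next such line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        kind = next((kw for kw in SECTION_KEYWORDS if line.startswith(kw + " ")), None)
        if kind:
            current = (kind, line[len(kind) + 1:].split()[0])
            sections[current] = []
        elif line and current:
            sections[current].append(line)
    return sections


def policy_pairs(sections, policies):
    """Yield (classifier commands, behavior commands) for every pair in the given policies."""
    for pol in policies:
        for cmd in sections.get(("qos policy", pol), []):
            m = re.match(r"classifier (\S+) behavior (\S+)", cmd)
            if m:
                yield (sections.get(("traffic classifier", m.group(1)), []),
                       sections.get(("traffic behavior", m.group(2)), []))


def values(cmds, pattern):
    """Integers captured by the first group of `pattern` across a list of commands."""
    return {int(m.group(1)) for m in map(lambda c: re.match(pattern, c), cmds) if m}


def check_template(text):
    """Return human-readable findings for the QoS chain of a PE template ([] = consistent)."""
    s = parse_sections(text)

    def defined(kind):
        return {name for k, name in s if k == kind}
    findings, ingress, egress = [], [], []
    for (kind, name), body in s.items():
        for cmd in body:
            # 1. every classifier/behavior pair in a policy must refer to defined objects
            m = re.match(r"classifier (\S+) behavior (\S+)", cmd) if kind == "qos policy" else None
            if m and m.group(1) not in defined("traffic classifier"):
                findings.append(f"policy {name}: undefined classifier {m.group(1)}")
            if m and m.group(2) not in defined("traffic behavior"):
                findings.append(f"policy {name}: undefined behavior {m.group(2)}")
            # 2. interfaces may only apply defined policies; remember the direction of each
            a = re.match(r"qos apply policy (\S+) (inbound|outbound)", cmd) if kind == "interface" else None
            if a and a.group(1) not in defined("qos policy"):
                findings.append(f"{name}: undefined policy {a.group(1)}")
            elif a:
                (ingress if a.group(2) == "inbound" else egress).append(a.group(1))
    # 3. each precedence marked at ingress needs an EXP class (hence a queue) at egress; this
    #    relies on the Comware default of copying IP precedence into EXP when the label is pushed
    marked = set().union(*(values(b, r"remark ip-precedence (\d)") for _, b in policy_pairs(s, ingress)))
    matched = set().union(*(values(c, r"if-match mpls-exp (\d)") for c, _ in policy_pairs(s, egress)))
    findings += [f"precedence {p} marked at ingress has no mpls-exp {p} class at egress"
                 for p in sorted(marked - matched)]
    # 4. AF reservations on the core link must leave room for the default queue
    pct = sum(sum(values(b, r"queue af bandwidth pct (\d+)")) for _, b in policy_pairs(s, egress))
    if pct > 100:
        findings.append(f"egress AF bandwidth adds up to {pct}% (> 100%)")
    return findings
```

Paste the real template (with the placeholders filled in) into `check_template` before pushing it to a site router; on the device itself, `display qos policy interface Serial1/0` shows whether packets are actually being counted in the vpn-rt4 and vpn-nrt3 classes, which is the runtime confirmation of the same chain.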

Real-time switch

sysname D-XX-XX-XXB-S1

interface Vlan-interface10
ip address 33.XX.0.125 255.255.255.128

interface Ethernet0/3
port access vlan 10

interface Ethernet0/4
port access vlan 10

interface Ethernet0/24
port link-type trunk
port trunk permit vlan all (interconnect port to the router; only VLAN 10 is needed here, so "port trunk permit vlan 10" is the tighter choice)

ip route-static 0.0.0.0 0.0.0.0 33.XX.0.126 preference 60

Non-real-time switch

sysname D-XX-XX-XXB-S2

interface Vlan-interface20
ip address 33.XX.0.253 255.255.255.128

interface Ethernet0/3
port access vlan 20

interface Ethernet0/4
port access vlan 20

interface Ethernet0/24
port link-type trunk
port trunk permit vlan all (interconnect port to the router; only VLAN 20 is needed here, so "port trunk permit vlan 20" is the tighter choice)

ip route-static 0.0.0.0 0.0.0.0 33.XX.0.254 preference 60