【正文】 查看 LOG 的配置show log configuration顯示交換機(jī)日志的設(shè)置2 數(shù)據(jù)配置 IP 路由配置 靜態(tài)路由 增加路由：其中 是網(wǎng)關(guān)地址，metric 值設(shè)為 200 configure iproute add /20 200 增加默認(rèn)路由： configure iproute add default 200 刪除路由： configure iproute delete /20 200 察看靜態(tài)路由： sh iproute permanent Ori Destination Gateway Mtr Flags VLAN Duration*s Sum toshast 57d:16h:24m:55s OSPF 路由創(chuàng)建 router idconfigure ospf routerid Ip 端口啟動(dòng) ospfconfigure ospf add vlan xxxx area configure ospf vlan xxxx cost xx把靜態(tài)路由分發(fā)進(jìn) ospf 的域中enable ospf export static cost 10 type asetype1 tag 0把直連端口分發(fā)進(jìn) ospf 的域中enable ospf export direct cost 10 type asetype1 tag 0察看 ospf 鄰居show ospf neighbourshow ospf interface配置實(shí)例： Interface Configurationconfigure ospf add vlan vxcdc area configure ospf vlan vxcdc cost 3configure ospf add vlan vdcslz area configure ospf add vlan vdckl area configure ospf add vlan vdcgr area configure ospf add vlan lp0 area configure ospf add vlan Default area OSPF Router Configurationconfigure ospf routerid enable ospf originatedefault cost 10 type asetype1 tag 0enable ospf export static cost 10 type asetype1 tag 0enable ospf export direct cost 10 type asetype1 tag 0 察看結(jié)果：6808:12 sh ospf neiNeighbor ID Pri State Up/Dead Time Address Interface 1 FULL/BDR 40:17:01:01/00:02 vxcdc 1 FULL/DR 57:16:50:09/00:00 vdcslz 1 FULL/DR 57:16:50:10/00:07 vdckl 1 FULL/DR 57:16:50:10/00:02 vdcgr BGP 路由 BGP Router Configuration1．配置 AS 號(hào)configure bgp ASnumber 649782．配置 router id,一般選用 loopback0 的地址configure bgp routerid 3．激活匯聚功能enable bgp alwaysparemedenable bgp aggregation4．加入 ip 端口configure bgp add work 5．建立 BGP 鄰居create bgp neighbor remoteASnumber 65010察看狀態(tài)：6808:16 sh bgp nei Peer AS Weight State InMsgs OutMsgs(InQ) Up/DownEe 65010 1 ESTABLISHED 158406 158169(0 ) 54:22:02:43Id 64978 1 Peer: (c) send munities, (d) disabled, (e) enabled, (E) external peer (I) internal peer, (m) EBGP multihop, (r) route reflector clientBGP Peer Statistics Total Peers : 2 EBGP Peers : 1 IBGP Peers : 1 RR Client : 0 EBGP Multihop : 0 Enabled : 1 Disabled : 1 安全的配置 防 DOS 配置全局激活 enable cpudosprotect配置 DOS 攻擊的告警值config cpudosprotect noticethreshold 1000配置 DOS 攻擊的最高值，此時(shí)將產(chǎn)生動(dòng)態(tài) ACL 列表來(lái)保護(hù)交換機(jī)config cpudosprotect alertthreshold 1100打開(kāi)基于源和目的地址的過(guò)濾config cpudosprotect filtertypeallowed destination source察看狀態(tài)BD6808 sh cpudosprotect Denialofservice protection to CPU is ENABLEDNotice level: 1000 new packets/second (level for logging)Alert level: 1100 new packets/second (level for ACL creation)Filter types: destination +protocol source+protocolACL timeout: 300 secondsACL rule precedence: 10Messages are OFFTrusted Ports: noneACL not active 注：當(dāng)有攻擊時(shí)，將可以看到 ACL 的自動(dòng)產(chǎn)生 病毒 ACL 對(duì)非法流量做過(guò)濾是每臺(tái)交換機(jī)最起碼要做的配置，主要是過(guò)濾“蠕蟲(chóng)”“沖擊波”等病毒，必要時(shí)關(guān)閉ping 的流量（ICMP）創(chuàng)建 基于 IP 的 ACLcreate accesslist bog001dde ip destination 2022enable accesslist bog001dde counter創(chuàng)建 基于 TCP 的 ACLcreate accesslist tcp256sde tcp destination any ipport any source any ipport 256 deny ports any precedence 1031enable accesslist tcp256sde counter創(chuàng)建 基于 UDP 的 ACLcreate accesslist udp123dde udp destination any ipport 123 source any ipport any deny ports any precedence 1051enable accesslist udp123dde counter創(chuàng)建 基于 UDP 的 ACL,比如關(guān)閉 ping 流量create accesslist denyicmp icmp destination any source any type any code any deny ports any precedence 10察看 accesslist 運(yùn)行狀態(tài)：6808:24 sh accesslistRule Dest/mask:L4DP Src/mask:L4SP Flags Hits VGSJpe /16:0 /16:0 IPX 11550187288 icmpEcho /0 :0 /0 :2048 MPX 0 tongxung /32:0 /0 :0 IDN 0 denyip2 /32:0 /0 :0 IDX 1019 icmpRepl /0 :0 /0 :0 MPX 0 icmpTrac /0 :0 /0 :2816 MPX 0 icmpNeed /0 :0 /0 :772 MPX 0 udp1434 /0 :1434 /0 :0 UDX 177820 安全訪(fǎng)問(wèn)設(shè)置1. 建議關(guān)閉交換機(jī)的 WEB Access 訪(fǎng)問(wèn)端口 disable web2. 建議對(duì) tel 做源地址訪(fǎng)問(wèn)限制 EPI_center SNMP 設(shè)置處于網(wǎng)管的需要，需要激活 SNMP Accessenable snmp access配置只讀 munityconfigure snmp add munity readonly ****配制讀寫(xiě) munity configure snmp add munity readwrite ********察看狀態(tài)：* dongcheng6808:27 sh manaCLI idle timeouts: enabled 30 minCLI Paging: enabledCLI configuration logging: enabledTel access: enabled tcp port: 23Web access: disabled tcp port: 80SSH Access: key invalid, disabled tcp port: 22UDP Echo Server: enabled udp port: 7SNMP Access: enabledSNMP Read Only Communities: fcgmshlc/utn```Total Read Only Communities: 1SNMP Read Write Communities: fcgmshlc/bdbxlh fcgmshlc/usezhw`Total Read Write Communities: 2SNMP dot1dTpFdbTable: disabledRMON polling: enabledSNMP Traps: enabled QOSExtreme 交換機(jī)支持 8 個(gè)級(jí)別的 QOS,它與以太網(wǎng)的 對(duì)應(yīng)關(guān)系如下；配置命令為：configure dot1p type dot1p_priority qosprofile qosprofile 端口配置命令 配置端口速度config port speed 10/100/1000 配置端口狀態(tài)config port duplex VLAN 的配置 創(chuàng)建 VLANcreat VLAN xxx(VLAN 名字) 增加或刪除 VLAN 的端口config VLAN xxx add port [untage|tage]config vlan xxx dele port [portnumber] 設(shè)置 VLAN 的 IP 地址config VLAN xxx ip address 設(shè)置 LOOPBACKenable loopbackmode vl