
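Huawei NE40E & NE80E Commissioning Specification

Many datacom engineers commission a new device by lifting the script from an old one and editing it as needed. Here is the good news: the complete NE40E & NE80E commissioning specification, all in one place.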
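Tools/Materials
1

A clear head and a laptop that does not blue-screen or act up

2

Remember to bow to the Huawei equipment before you start; after all, a misbehaving device can drive you to despair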

Method/Steps
1

1. Configure the device name (set according to the actual plan):

    sysname xx-xxx-xx

2. Configure the device loopback addresses (set according to the plan):

    interface LoopBack0
     description For-Chinanet
     ip address xx.xx.xx.xx 32
    interface LoopBack1
     description For-Mplsvpn
     ip address xx.xx.xx.xx

3. SSH remote access: configure the user name and password:

    acl number 2000
     rule 25 permit source xx
     rule 26 permit source xx
     rule 30 permit source xx
     rule 35 permit source xx
     rule 40 permit source xx
     rule 45 permit source xx
     rule 50 permit source xx
     rule 200 deny

   * Generate the local key pair on the server side. (1024) Note: change the length to 1024.

    rsa local-key-pair create

   * Enable the SSH service:

    stelnet server enable

   Create SSH users named huawei800 and fjnms, with password as the authentication type.

    ssh user huawei800
    ssh user huawei800 authentication-type password
    ssh user huawei800 service-type stelnet
    aaa
     local-user huawei800 password cipher huawei,800
     local-user huawei800 service-type ssh
     local-user huawei800 level 3
    user-interface vty 0 4
     acl 2000 inbound
     authentication-mode aaa
     protocol inbound ssh

4. NTP clock synchronization:

    acl number 2001
     rule 0 permit source xx
     rule 1 permit source xx
     rule 10 deny
    ntp-service source-interface LoopBack0
    ntp-service access peer 2001
    ntp-service unicast-server xx
    ntp-service unicast-server xx

5. SYSLOG destination servers:

    info-center loghost source LoopBack0
    info-center loghost xx
    info-center loghost xx

6. SNMP network management:

    snmp-agent
    snmp-agent community write xx acl 2000
    snmp-agent community read xx acl 2000
    snmp-agent sys-info version all
    snmp-agent target-host trap address udp-domain xx params securityname lydx v2c
    snmp-agent target-host trap address udp-domain xx params securityname lydx v2c
    snmp-agent trap enable standard

7. Configure the uplink port interface addresses (normally 4 uplink trunks need to be opened; follow the plan for the details):

    interface GigabitEthernet1/0/0
     mtu 1600
     description TO xx GE3/3/3
     undo shutdown
     ip address xx
    interface GigabitEthernet2/0/0
     mtu 1600
     description TOxx GE17/0/3
     undo shutdown
     ip address xx
    interface GigabitEthernet1/0/1
     description toxx  GE2/0/8
     undo shutdown
     ip address xx
    interface GigabitEthernet1/0/2
     description to xx GE4/1/19
     undo shutdown

8. Enable OSPF (note: you must contact the data team at the network operations center to cooperate on activation):

    router id xx
    ospf 1 router-id xx
     area 0.0.0.0
      network xx

   Configure the filter policy globally. The ip-prefix permits the local IPTV UNR routes, and the filter-policy line applies it:

    ip ip-prefix iptv_permit index 10 permit xx 26
    ospf 2
     filter-policy ip-prefix iptv_permit export unr
     import-route unr type 1
     area 0.0.0.0
      network 10.200.0.92 0.0.0.3

9. Configure the ITV user domain ly_iptv. Set the authentication, authorization and accounting modes to none. Note that the dhcp relay address is the interface address of the next hop:

    aaa
     authentication-scheme ly_iptv
      authentication-mode none
     authorization-scheme ly_iptv
      authorization-mode none
     accounting-scheme ly_iptv
      accounting-mode none
     domain ly_iptv
      authentication-scheme ly_iptv
      authorization-scheme ly_iptv
      accounting-scheme ly_iptv
    dhcp relay address xx gateway xx 255.255.255.192

10. Configure the virus protection specification:

    acl number 3000
     rule 15 permit tcp destination-port eq 4444
     rule 20 permit udp destination-port eq 8998
     rule 25 permit tcp destination-port range 135 139
     rule 30 permit udp destination-port range 135 netbios-ssn
     rule 35 permit tcp destination-port eq 445
     rule 40 permit udp destination-port eq 445
     rule 45 permit tcp destination-port eq 539
     rule 50 permit udp destination-port eq 539
     rule 55 permit tcp destination-port eq 593
     rule 60 permit udp destination-port eq 593
     rule 65 permit udp destination-port range 995 999
     rule 70 permit udp destination-port eq 1433
     rule 75 permit udp destination-port eq 1434
     rule 80 permit tcp source-port eq 3127
     rule 85 permit tcp source-port eq 3176
     rule 90 permit tcp source-port eq 2745
     rule 95 permit tcp source-port eq 6667
     rule 100 permit tcp source-port eq 8866
     rule 105 permit tcp source-port eq 31337
     rule 110 permit tcp source-port eq 5554
     rule 115 permit tcp source-port eq 2556
     rule 120 permit tcp destination-port range 9995 9996

   Configure the virus protection policy globally:

    traffic classifier anti_virus
     if-match acl 3000
    traffic behavior anti_virus
     deny
    traffic policy anti_virus
     classifier anti_virus behavior anti_virus

   Apply it on the uplink interfaces:

    int g 1/0/0
     traffic-policy anti_virus inbound
     ospf cost 80
    int g 2/0/0
     traffic-policy anti_virus inbound
     ospf cost 80

11. Control engine protection:

    cpu-defend policy 4
     attack-source-trace enable
     attack-source-trace sample-rate 1000
     attack-source-trace packet-length 200
     udp-packet-defend enable
     abnormal-packet-defend enable

   Deploy it in the service board slots:

    [NE40E] slot 1
    [NE40E-slot-1] cpu-defend-policy 4
    [NE40E-slot-1] quit
    slot 2
    cpu-defend-policy 4
    quit

12. BGP configuration:

    bgp 64727
     group MPLSVPN-RR internal
     peer MPLSVPN-RR connect-interface LoopBack1
     peer MPLSVPN-RR password cipher

2

Some other commonly used commands for viewing information are listed below.

Device-side information collection:

    disp cur
    disp health/cpu
    disp mem
    disp device
    disp bgp peer
    disp ospf peer
    disp isis peer
    disp ver    (on 8090 products, also run check version)
    disp ip int bri
    disp mpls ldp session
    disp mpls lsp
    disp ip rou sta
    disp fib sta
    disp ospf lsdb
    disp isis lsdb
    disp ip rou
    disp fib
    disp bgp rout
    disp ip rou 0.0.0.0
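
A check for the management-plane settings from steps 3 and 6 of the template (stelnet enabled, VTY limited to SSH with AAA and an inbound ACL that ends in a deny rule, SNMP communities bound to an ACL), run over a saved configuration. This is an added example, not part of the original page or of any Huawei tool; the function names, the 192.0.2.10 address and the community string EXAMPLE are assumptions, and the sample configuration is constructed.

```python
import re

# Constructed sample; 192.0.2.10 and the community EXAMPLE are placeholders.
SAMPLE = """\
acl number 2000
 rule 25 permit source 192.0.2.10 0
 rule 200 deny
stelnet server enable
snmp-agent community write EXAMPLE acl 2000
snmp-agent community read EXAMPLE
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 protocol inbound all
"""

def sections(cfg):
    """Group indented lines under the unindented line that opens each view."""
    out, head = {}, None
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            head = line.strip().lower()
            out.setdefault(head, [])
        elif head is not None:
            out[head].append(line.strip().lower())
    return out

def audit(cfg):
    """List where cfg departs from the template's management-plane settings."""
    sec, findings = sections(cfg), []
    if "stelnet server enable" not in sec:
        findings.append("stelnet server is not enabled")
    for head, body in sec.items():
        if head.startswith("snmp-agent community ") and not re.search(r" acl \d+$", head):
            findings.append(f"snmp community without acl: {head.split()[2]}")
        if not head.startswith("user-interface vty"):
            continue
        if "protocol inbound ssh" not in body:
            findings.append(f"{head}: inbound protocol is not restricted to ssh")
        if "authentication-mode aaa" not in body:
            findings.append(f"{head}: authentication-mode is not aaa")
        acl = next((m.group(1) for m in (re.match(r"acl (\d+) inbound$", l) for l in body) if m), None)
        if acl is None:
            findings.append(f"{head}: no inbound acl")
        elif not (sec.get(f"acl number {acl}") or [""])[-1].endswith(" deny"):
            findings.append(f"acl {acl}: last rule is not a deny")
    return findings
```

Findings name the SNMP access type (read or write) rather than the community string, so the output can be shared without exposing the string.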

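Notes
1

If a link turns out to be down or the device behaves strangely during commissioning, call Huawei 800

2

If the commissioning laptop acts up and blue-screens during commissioning, whatever you do, do not smash the computer, or you will regret it!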
