Contents
1 Network device standardized configuration
1.1 Switch configuration
1 Network device standardized configuration

Purpose:
1. Standardize network device configuration;
2. Improve the security of network device management;
3. Improve supervision of network devices, record the relevant log information clearly, and make network problems easier to trace.

1.1 Switch configuration

Network device configuration template:
--------------------- Basic services and spanning tree (no change needed) ----------------------
ip domain-name xinaogroup.com
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
clock timezone BJT 8
!
no ip http server
no ip http secure-server
no ip source-route
no ip domain-lookup
errdisable recovery cause bpduguard
errdisable recovery cause link-flap
errdisable recovery cause loop
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
---------------------- Logging configuration (no change needed) -----------------------------
logging trap notifications
logging 10.37.4.102
logging console critical
logging buffered 32768 notifications
------------------ VTP, SNMP, login banner and access control (no change needed) ----------------
access-list 99 permit 10.37.4.102
access-list 199 remark /*********************************************
access-list 199 remark Remote Access authorized servers
access-list 199 remark *********************************************/
access-list 199 permit tcp 10.0.0.0 0.255.255.255 any log
access-list 199 deny tcp any any range 0 65535 log
access-list 199 deny ip any any log
line vty 0 15
access-class 199 in
transport input telnet
exit
snmp-server community EnnNWmo$ RO 99
snmp-server trap link ietf
snmp-server enable traps config
snmp-server enable traps cpu threshold
snmp-server enable traps errdisable
snmp-server enable traps syslog
snmp-server ifindex persist
snmp-server host 10.37.4.102 xinaoranqi
banner motd ^
*************************************************************************
This is a private property facility to be accessed and used for ENN
internal systems. Unauthorized Access Prohibited!
*************************************************************************
^
!
------------------- NTP configuration (no change needed) ---------------------------------
ntp authentication-key 123 md5 1qazxsw2
ntp authenticate
ntp trusted-key 123
ntp server 10.37.254.250 prefer
ntp server 10.37.254.249
------------------ AAA authentication (passwords must be changed; everything else stays) --------------
username admin privilege 15 secret EnwLFacsW#10
aaa new-model
radius-server host 10.37.8.103 auth-port 1812 acct-port 1813 key 1qazxsw2
radius-server host 10.37.8.101 auth-port 1812 acct-port 1813 key 1qazxsw2
aaa group server radius OP_AAA
server 10.37.8.101 auth-port 1812 acct-port 1813
server 10.37.8.103 auth-port 1812 acct-port 1813
exit
!
aaa authentication login default group OP_AAA local
aaa authorization exec default group OP_AAA local
aaa authorization network default group OP_AAA local
aaa authorization console
aaa authentication login console group OP_AAA local
aaa authorization exec console group OP_AAA local
!
line con 0
exec-timeout 5 0
authorization exec console
logging synchronous
login authentication console
transport output all
exit
------------------ Interface configuration (trunk ports) -----------------------------------------
interface Gx/x
description connect to LFGDC02_AS07_Po10
no ip redirects                          /Layer 3 interface settings/
no ip unreachables                       /Layer 3 interface settings/
no ip proxy-arp                          /Layer 3 interface settings/
switchport trunk encapsulation dot1q     /Confirm the trunk encapsulation is 802.1Q/
switchport mode trunk                    /Set this port as a trunk/
logging event trunk-status               /Log trunk state changes/
logging event link-status                /Log port link state changes/
------------------ Interface configuration (access ports) ---------------------------------------
interface Gx/x
description connect to LFGDC02_AS07_F0/10
no ip redirects                          /Layer 3 interface settings/
no ip unreachables                       /Layer 3 interface settings/
no ip proxy-arp                          /Layer 3 interface settings/
switchport mode access                   /Set this port to access mode/
switchport access vlan 10                /Assign this port to VLAN 10/
logging event link-status                /Log link state changes/
Note:
Interface settings depend on the actual use of each port; apply the commands according to the annotations above.
------------------ Device name and management source-interface settings (must be changed) ------------------
hostname CNCHBLF1-BWAS01
snmp-server trap-source vlan 10
snmp-server location CNCHBLF1-BWAS01
snmp-server contact LFMAN
logging source-interface vlan 10
ip radius source-interface vlan 10
ntp source vlan 10
Note:
Device names must follow the naming standard; the source interface for logging and SNMP should be the device management interface; the SNMP location and
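The template above is meant to be typed in by hand, so the check a practitioner wants next is a way to confirm that a switch's running-config still matches it. The following Python script is an added example, not part of the original standard and not a vendor tool: it parses `show running-config` output into top-level lines and indented sections, checks a subset of the template's required statements, verifies that every VTY line carries an inbound access-class that refers to a defined access-list, and reports each deviation. The required-statement lists, the sample config and its placeholder hostname, addresses, community string and key are all constructed here. The telnet finding is this editor's caveat rather than a rule of the template: `transport input telnet` leaves management sessions in clear text, so the script flags it.

```python
# Added example (not the standard's own code): audit a Cisco IOS running-config against the baseline above.
import re

# Global statements the baseline requires verbatim (a subset of its "no change needed" lines).
REQUIRED_GLOBAL = ["service password-encryption", "no ip http server", "aaa new-model", "ntp authenticate"]
# Statements whose arguments vary per site: check the shape, not the value.
REQUIRED_PATTERNS = {
    "syslog host": re.compile(r"^logging (host )?\d+(\.\d+){3}$"),
    "read-only SNMP community bound to an ACL": re.compile(r"^snmp-server community \S+ RO \d+$"),
    "NTP authentication key": re.compile(r"^ntp authentication-key \d+ md5 \S+"),
}
# Per-port statements, mirroring the baseline's trunk and access blocks.
L3_OFF = ["no ip redirects", "no ip unreachables", "no ip proxy-arp"]
TRUNK = ["switchport mode trunk", "logging event trunk-status", "logging event link-status"]
ACCESS = ["switchport mode access", "logging event link-status"]

def parse_ios(config):
    """Return (top-level lines, {section header: indented body lines}); '!' closes a section."""
    top, sections, current, banner_delim = [], {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if banner_delim is not None:  # inside a banner body: skip until the delimiter reappears
            banner_delim = None if banner_delim in line else banner_delim
            continue
        if not line or line == "!":
            current = None
            continue
        if raw[0].isspace():  # indented: belongs to the open section
            if current is not None:
                sections[current].append(line)
            continue
        top.append(line)
        current = line
        sections[current] = []
        m = re.match(r"^banner \S+ (\S)", line)
        if m and line.count(m.group(1)) < 2:  # delimiter not closed on the same line
            banner_delim = m.group(1)
    return top, sections

def audit_interface(header, body):
    present = set(body)
    mode = next((m for m in ("trunk", "access") if f"switchport mode {m}" in present), None)
    if mode is None:
        return [f"{header}: switchport mode is neither trunk nor access"]
    required = (TRUNK if mode == "trunk" else ACCESS) + L3_OFF
    return [f"{header}: missing '{s}'" for s in required if s not in present]

def audit_vty(header, body, top):
    findings = []
    acl = next((ln.split()[1] for ln in body if ln.startswith("access-class ") and ln.endswith(" in")), None)
    if acl is None:
        findings.append(f"{header}: no inbound access-class")
    elif not any(ln.startswith(f"access-list {acl} ") for ln in top):
        findings.append(f"{header}: access-class {acl} references an undefined access-list")
    # Telnet carries credentials in clear text; flagged here even though the baseline permits it.
    if any(ln.startswith("transport input") and "telnet" in ln.split() for ln in body):
        findings.append(f"{header}: transport input allows telnet (cleartext management session)")
    return findings

def audit(config):
    """Return human-readable findings; an empty list means the config matches the baseline."""
    top, sections = parse_ios(config)
    present = set(top)
    findings = [f"global: missing '{s}'" for s in REQUIRED_GLOBAL if s not in present]
    for name, pat in REQUIRED_PATTERNS.items():
        if not any(pat.match(ln) for ln in top):
            findings.append(f"global: missing {name}")
    for header, body in sections.items():
        if header.startswith("line vty"):
            findings.extend(audit_vty(header, body, top))
        elif header.startswith("interface ") and not header.startswith("interface Vlan"):
            findings.extend(audit_interface(header, body))
    return findings
# Constructed sample running-config (placeholder hostname, addresses and keys) with three deliberate
# deviations: no 'ntp authenticate', an access port without link-status logging, a VTY line allowing telnet.
SAMPLE_CONFIG = """\
hostname EXAMPLE-AS01
service password-encryption
no ip http server
aaa new-model
banner motd ^
Authorized use only.
^
logging 192.0.2.10
access-list 199 permit tcp 192.0.2.0 0.0.0.255 any log
access-list 199 deny ip any any log
snmp-server community PLACEHOLDER RO 99
ntp authentication-key 1 md5 PLACEHOLDER
!
interface GigabitEthernet1/0/2
 switchport mode access
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
line vty 0 15
 access-class 199 in
 transport input telnet
"""
```

Feed it the saved output of `show running-config` (`audit(open("switch.cfg").read())`) and extend `REQUIRED_GLOBAL` to the full template once the site-specific values are fixed; because the global check compares whole lines, a statement that IOS rewrites in the running-config (for example abbreviated keywords expanded) must be listed in the form the device prints.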