中兴三层交换机开局指南
开通3928或者3952以及32系列三层交换机时。一般用户要给一个上联地址。并且给三层交换机分一个网段 现举例如下:
局方提供上联地址为: 219.150.247.0 /30 (可用地址为219.150.247.1 219.150.247.2)
分配给三层交换机的网段为:
222.88.33.0/23 (半个C 共126个可用地址。) 上层会将这半个C路由指向3928
zxr10#conf t
zxr10(config)#vlan 3000 //创建VLAN 3000 注意:互联vlan要与对端设备vlan号一致
zxr10(config-vlan)#name to-HW8016
zxr10(config-vlan)#switchport pvid fei_1/1
///把端口增加到vlan中。只适应于access
将端口加入vlan还有一种方法:(推荐用)
zxr10(config)#interface fei_1/1 /////进入1口
zxr10(config-if)#switchport mode ? ////改变为trunk或者access
access Switchport in access mode
hybrid Switchport in hybrid mode
trunk Switchport in trunk mode
zxr10(config-if)#switchport mode access
zxr10(config-if)#switchport access vlan 3000 ////// 加入vlan3000,
如果打tag加入则:
zxr10(config-if)#switchport mode trunk
zxr10(config-if)#switchport trunk vlan 3000
zxr10(config-vlan)#exit
zxr10(config)#interface vlan 3000 //进入vlan给这个vlan配置地址(即网关)
zxr10(config-if)#ip address 219.150.247.1 255.255.255.252
zxr10(config-if)#exit
zxr10(config)#username zxr10 password zxr10 //配置登录用户名密码,不配则不能远程登录
zxr10(config)#enable secret zxr10 //enable密码。一般都是zxr10
配置成功后。
zxr10(config)#ip route 0.0.0.0 0.0.0.0 219.150.247.1
zxr10(config)#exit
zxr10#ping 219.150.247.1
应该能通。3928通显示为5个感叹号。如果光路通。也应可以ping通219.150.247.133
zxr10#conf t
修改提示符
Zxr10(config)#hostname zhongxinju
最后保存即可。配置上述信息便可远程进行配置。
地址分配原则(一般情况):
A) 如果条件允许建议MSAG最好设置为30位掩码地址,保证每一台MSAG自己的网段内没有其他主机。便于语音质量。
B) 39系列或者32系列下挂网吧时,也建议使用每个网吧一个30位地址。
C) 如果地址非常紧张。可以采用8个或16个地址一个网段(即29或28位掩码多个可用地址)接多台设备,这些设备属于同一个vlan。建议使用PVLAN将多个端口进行隔离。――具体参考用户手册
附录:一台3928配置举例:
qipeizhongxin#show run
Building configuration...
Current configuration:
!
version V4.6.02B
!
enable secret 5 Cb8+B/Pm1P3PFV2DeUkCbQ==
!
nvram mng-ip-address 10.40.88.177 255.255.0.0
!
nvram boot-username target
!
nvram boot-password target
!
nvram boot-server 10.40.88.170
!
nvram default-gateway 10.40.88.170
!
nvram imgfile-location local
!
hostname qipeizhongxin
!
username admin password nydx#@
!
user-authentication-type local
!
snmp-server contact +86-25-52870000
snmp-server location No.68 Zijinghua Rd. Yuhuatai District, Nanjing, China
snmp-server packetSize 1400
snmp-server engine-id 830900020300010289d64401
snmp-server view DefaultView system included
snmp-server view AllView internet included
!
logging on
logging buffer 200
logging mode fullcycle
logging console notifications
logging level notifications
!
line console idle-timeout 120
line console absolute-timeout 1440
line telnet idle-timeout 120
line telnet absolute-timeout 1440
!
banner incoming @
********************************************************************
Welcome to ZXR10 Fast and Intelligent 3928 Switch of ZTE Corporation
********************************************************************
@
!
!
vlan 1
!
vlan 302
name lailaiwangwang
!
vlan 303
name qijianwangba
!
vlan 307
name fengyunwangba
!
vlan 308
name yangguangcaixian
!
vlan 309
name tianxiwangba
!
vlan 310
name chunziwangba
!
vlan 311
name xiangdongwangba
!
vlan 312
name xinsenwangcheng
!
vlan 313
name jingyingwangba
!
vlan 314
name qianshouwangba
!
vlan 315
name yixinwangba
!
vlan 317
name xinjiwangba
!
vlan 1000
!
Vlan 1001
!
Vlan 1002
!
!
virus-scan set disable
!
interface vlan 302 //网吧属于vlan 302地址为30位掩码。
ip address 222.88.226.109 255.255.255.252 255.255.255.255
!
interface vlan 303 //一般MSAG也最好设置为30位掩码地址。便于语音质量
ip address 222.88.226.53 255.255.255.252 255.255.255.255
!
interface vlan 307
ip address 222.88.226.113 255.255.255.252 255.255.255.255
!
interface vlan 308
ip address 222.88.226.117 255.255.255.252 255.255.255.255
!
interface vlan 309
ip address 222.88.233.161 255.255.255.252 255.255.255.255
!
interface vlan 310
ip address 222.88.233.97 255.255.255.252 255.255.255.255
!
interface vlan 311
ip address 222.88.233.193 255.255.255.252 255.255.255.255
!
interface vlan 312
ip address 219.150.241.189 255.255.255.252 255.255.255.255
!
interface vlan 313
ip address 222.88.242.145 255.255.255.248 255.255.255.255
!
interface vlan 314
ip address 219.150.241.17 255.255.255.248 255.255.255.255
!
interface vlan 315
ip address 222.88.233.133 255.255.255.252 255.255.255.255
!
interface vlan 317
ip address 222.88.233.153 255.255.255.252 255.255.255.255
!
interface vlan 1000
ip address 219.150.241.182 255.255.255.248 255.255.255.255
!
interface fei_1/1
negotiation auto //关闭自协商。执行speed 100 duf full后为强制100兆全双工
ip access-group 101 in //应用ACL.前提是ACL已经被创建。
switchport access vlan 1 //加入vlan1 ,默认端口都属于vlan1
switchport qinq normal //qinq配置。一般不会用到。感兴趣可以看看资料。Qinq可以使交换机支持4096*4096个VLAN
!
interface fei_1/2
negotiation auto
ip access-group 101 in
switchport access vlan 302
switchport qinq normal
!
interface fei_1/3
negotiation auto
ip access-group 101 in
switchport access vlan 303
switchport qinq normal
!
interface fei_1/4
negotiation auto
ip access-group 101 in
switchport access vlan 1
switchport qinq normal
!
interface fei_1/5
negotiation auto
ip access-group 101 in
switchport access vlan 1
switchport qinq normal
!
interface fei_1/6
negotiation auto
ip access-group 101 in
switchport access vlan 1
switchport qinq normal
!
interface fei_1/7
negotiation auto
ip access-group 101 in
switchport access vlan 307
switchport qinq normal
!
interface fei_1/8
negotiation auto
ip access-group 101 in
switchport access vlan 308
switchport qinq normal
!
interface fei_1/9
negotiation auto
ip access-group 101 in
switchport access vlan 309
switchport qinq normal
!
interface fei_1/10
negotiation auto
ip access-group 101 in
switchport access vlan 310
switchport qinq normal
!
interface fei_1/11
negotiation auto
ip access-group 101 in
switchport access vlan 311
switchport qinq normal
!
interface fei_1/12
negotiation auto
ip access-group 101 in
switchport access vlan 312
switchport qinq normal
!
interface fei_1/13
negotiation auto
ip access-group 101 in
switchport access vlan 313
switchport qinq normal
!
interface fei_1/14
negotiation auto
ip access-group 101 in
switchport access vlan 314
switchport qinq normal
!
interface fei_1/15
negotiation auto
ip access-group 101 in
switchport access vlan 315
switchport qinq normal
!
interface fei_1/16
negotiation auto
ip access-group 101 in
switchport mode trunk ///端口打TAG
switchport trunk vlan 1000 ///属于多个vlan
switchport trunk vlan 1001
switchport trunk vlan 1002
switchport qinq normal
!
interface fei_1/17
negotiation auto
ip access-group 101 in
switchport access vlan 317
switchport qinq normal
!
interface fei_1/18
negotiation auto
ip access-group 101 in
switchport access vlan 1
switchport qinq normal
!
interface fei_1/19
negotiation auto
switchport access vlan 314
switchport qinq normal
!
interface fei_1/20
negotiation auto
switchport access vlan 1
switchport qinq normal
!
interface fei_1/21
negotiation auto
switchport access vlan 1
switchport qinq normal
!
interface fei_1/22
negotiation auto
switchport access vlan 1
switchport qinq normal
!
interface fei_1/23
negotiation auto
switchport access vlan 1
switchport qinq normal
!
interface fei_1/24
negotiation auto
ip access-group 101 in
switchport access vlan 1000
switchport qinq normal
!
ip route 0.0.0.0 0.0.0.0 219.150.241.177 //静态默认路由。
!
!
acl extend number 101 //定义一个访问控制列表。防止一般病毒。
rule 1 deny tcp any any eq 135 //注意最后一条允许any any一定要存在。
rule 2 deny tcp any any eq 139 //否则不能上网
rule 3 deny tcp any any eq 136
rule 4 deny tcp any any eq 137
rule 5 deny tcp any any eq 445
rule 6 deny tcp any any eq 5554
rule 7 deny tcp any any eq 9996
rule 8 deny tcp any any eq 1433
rule 9 deny tcp any any eq 1434
rule 10 deny udp any any eq 1433
rule 11 deny udp any any eq 1434
rule 12 deny udp any any eq 135
rule 13 deny udp any any eq 139
rule 14 deny udp any any eq 136
rule 15 deny udp any any eq 137
rule 16 deny udp any any eq 445
rule 18 deny udp any any eq 5554
rule 17 deny udp any any eq 9996
rule 19 permit ip any any
!
!
!
protocol-packet-protect enable //默认配置
!
no ip igmp snooping //新开通时建议关闭组播。
!
nas
!
!
end
qipeizhongxin#
注意几点:
1、 配置用户名密码
2、 设置时钟---对分析故障有作用
3、 关闭组播、STP
4、 设置hostname。
5、 养成习惯,每个接口或者vlan都要加描述
6、 养成习惯,一般上联设备地址小于下挂设备地址
|