
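NE40E Initial Deployment

Many datacom engineers start a new deployment by pulling the script off an old device and editing it as needed. Now here is a treat: the complete NE40E & NE80E initial-deployment standard, provided in full below.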

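Tools/Materials
A clear head and a laptop that does not blue-screen or act up
Remember to bow to the Huawei device before you start; after all, a device acting up can drive you to despair
Method/Steps
1. Configure the device name:
sysname LY-XL-SZ-NE40e-A-1.MAN * set according to the actual plan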

2. Configure the device loopback addresses:
interface LoopBack0
description For-Chinanet
ip address 218.6.33.241 32 * set according to the plan

interface LoopBack1
description For-Mplsvpn
ip address 218.6.33.243 32 * set according to the plan

3. SSH remote access, usernames and passwords:
acl number 2000
rule 25 permit source 61.154.52.25 0
rule 26 permit source 61.154.52.26 0
rule 30 permit source 172.31.0.3 0
rule 35 permit source 172.31.0.8 0
rule 40 permit source 172.31.0.9 0
rule 45 permit source 202.101.113.40 0
rule 50 permit source 61.131.121.66 0
rule 55 permit source 61.131.121.67 0
rule 60 permit source 61.131.121.68 0
rule 65 permit source 61.131.121.69 0
rule 70 permit source 61.131.121.75 0
rule 75 permit source 61.131.121.79 0
rule 80 permit source 61.131.121.86 0
rule 85 permit source 61.131.121.88 0
rule 90 permit source 61.131.121.93 0
rule 95 permit source 172.31.0.45 0
rule 200 deny

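* Generate the local key pair on the server side
rsa local-key-pair create * (1024) note: change the key length, 1024
* Enable the SSH service
stelnet server enable
Create SSH users named huawei800 and fjnms, with authentication type password.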
ssh user huawei800
ssh user huawei800 authentication-type password
ssh user huawei800 service-type stelnet

ssh user fjnms
ssh user fjnms authentication-type password
ssh user fjnms service-type stelnet

aaa
local-user huawei800 password cipher huawei,800
local-user huawei800 service-type ssh
local-user huawei800 level 3

local-user fjnms password cipher ly@nms313
local-user fjnms service-type ssh
local-user fjnms level 3

user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
protocol inbound ssh

4. NTP clock synchronization
acl number 2001
rule 0 permit source 218.6.33.7 0
rule 1 permit source 218.6.33.8 0
rule 10 deny

ntp-service source-interface LoopBack0
ntp-service access peer 2001
ntp-service unicast-server 218.6.33.7
ntp-service unicast-server 218.6.33.8

5. Syslog destination server configuration
info-center loghost source LoopBack0
info-center loghost 61.154.52.25
info-center loghost 61.154.52.26

6. SNMP network management configuration
snmp-agent
snmp-agent community write 319,lynms acl 2000
snmp-agent community read lynms,319 acl 2000
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 61.154.52.25 params securityname lydx v2c
snmp-agent target-host trap address udp-domain 61.154.52.26 params securityname lydx v2c
snmp-agent trap enable standard
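
An added example, not part of the original script or of any Huawei tool: a short Python check of the management-plane settings from steps 3 and 6 (VTY lines bound to an ACL and limited to SSH, SNMP communities bound to an ACL, SNMP versions enabled). The sample text is constructed, the community strings are placeholders, and the function name `audit` and the blank-line stanza convention are assumptions.

```python
import re

# Constructed excerpt in the flat, blank-line-separated style of steps 3 and 6;
# the community strings are placeholders, not the values from the page.
SAMPLE = """\
acl number 2000
rule 25 permit source 61.154.52.25 0
rule 200 deny

user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
protocol inbound ssh

snmp-agent community write EXAMPLE-RW acl 2000
snmp-agent community read EXAMPLE-RO
snmp-agent sys-info version all
"""

def audit(config):
    """Return findings about VTY and SNMP access control in a VRP-style config."""
    stanzas = [[l.strip().lower() for l in s.splitlines() if l.strip()]
               for s in re.split(r"\n\s*\n", config)]
    lines = [l for s in stanzas for l in s]
    acls = {l.split()[2] for l in lines if l.startswith("acl number ")}
    findings = []
    for s in stanzas:
        if not s or not s[0].startswith("user-interface vty"):
            continue
        bound = [l.split()[1] for l in s if re.fullmatch(r"acl \d+ inbound", l)]
        if not bound:
            findings.append("vty: no inbound acl")
        findings += [f"vty: acl {a} is not defined" for a in bound if a not in acls]
        if "protocol inbound ssh" not in s:
            findings.append("vty: not restricted to ssh")
        if "authentication-mode aaa" not in s:
            findings.append("vty: authentication-mode is not aaa")
    for l in lines:
        m = re.fullmatch(r"snmp-agent community (read|write) \S+(?: acl (\d+))?", l)
        if m and m.group(2) is None:
            findings.append(f"snmp: {m.group(1)} community has no acl")
        elif m and m.group(2) not in acls:
            findings.append(f"snmp: {m.group(1)} community uses undefined acl {m.group(2)}")
        if re.fullmatch(r"snmp-agent sys-info version (all|v1|v2c)", l):
            findings.append("snmp: v1/v2c enabled, community strings travel in cleartext")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The read community in the sample was deliberately left without an ACL so that the check has something to report; the configuration in step 6 binds both communities to ACL 2000.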

7. Configure the uplink port interface addresses (normally 4 uplink trunks need to be brought up; follow the plan for specifics)

interface GigabitEthernet1/0/0
mtu 1600
description TO LY-XL-ZHDL-T640-C-1.MAN GE3/3/3
undo shutdown
ip address 218.6.32.53 255.255.255.252

interface GigabitEthernet2/0/0
mtu 1600
description TO LY-XL-LC-NE5000e-C-1.MAN GE17/0/3
undo shutdown
ip address 218.6.32.49 255.255.255.252

interface GigabitEthernet1/0/1
description to LY-XL-ZHDL-NE80E-A-1.IDC GE2/0/8
undo shutdown
ip address 10.200.0.94 255.255.255.252

interface GigabitEthernet1/0/2
description to LY-XL-ZHDL-S8505-A-3.IDC GE4/1/19
undo shutdown

8. Enable OSPF (note: you must contact the data team at the network operations center to cooperate on activation)

router id 218.6.33.241

ospf 1 router-id 218.6.33.241
area 0.0.0.0
network 218.6.32.52 0.0.0.3
network 218.6.32.48 0.0.0.3
network 218.6.33.241 0.0.0.0
network 218.6.33.243 0.0.0.0

Configure the filter policy globally:
ip ip-prefix iptv_permit index 10 permit 117.31.174.128 26 * permit the local IPTV UNR routes

ospf 2
filter-policy ip-prefix iptv_permit export unr * reference the policy
import-route unr type 1
area 0.0.0.0
network 10.200.0.92 0.0.0.3

9. Configure the ITV user domain ly_iptv

ITV user domain configuration: set the authentication, authorization and accounting modes to none:
aaa
authentication-scheme ly_iptv
authentication-mode none

authorization-scheme ly_iptv
authorization-mode none

accounting-scheme ly_iptv
accounting-mode none

domain ly_iptv
authentication-scheme ly_iptv
authorization-scheme ly_iptv
accounting-scheme ly_iptv
dhcp relay address 10.200.0.93 gateway 117.31.174.129 255.255.255.192 * note: the DHCP relay address is the interface address of the next hop

10. Virus protection standard

acl number 3000
rule 15 permit tcp destination-port eq 4444
rule 20 permit udp destination-port eq 8998
rule 25 permit tcp destination-port range 135 139
rule 30 permit udp destination-port range 135 netbios-ssn
rule 35 permit tcp destination-port eq 445
rule 40 permit udp destination-port eq 445
rule 45 permit tcp destination-port eq 539
rule 50 permit udp destination-port eq 539
rule 55 permit tcp destination-port eq 593
rule 60 permit udp destination-port eq 593
rule 65 permit udp destination-port range 995 999
rule 70 permit udp destination-port eq 1433
rule 75 permit udp destination-port eq 1434
rule 80 permit tcp source-port eq 3127
rule 85 permit tcp source-port eq 3176
rule 90 permit tcp source-port eq 2745
rule 95 permit tcp source-port eq 6667
rule 100 permit tcp source-port eq 8866
rule 105 permit tcp source-port eq 31337
rule 110 permit tcp source-port eq 5554
rule 115 permit tcp source-port eq 2556
rule 120 permit tcp destination-port range 9995 9996

Configure the virus protection policy globally:
traffic classifier anti_virus
if-match acl 3000
traffic behavior anti_virus
deny
traffic policy anti_virus
classifier anti_virus behavior anti_virus
Apply on the uplink interfaces:
int g 1/0/0
traffic-policy anti_virus inbound
ospf cost 80
int g 2/0/0
traffic-policy anti_virus inbound
ospf cost 80
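
An added example, not part of the original script: a Python model of how the anti_virus policy treats a packet, parsing a subset of the ACL 3000 rule lines above. In the classifier an ACL `permit` means "belongs to the class" and the `deny` behavior then drops the packet, so rules that match only on source port also drop unrelated flows that happen to use that source port. The names `parse`, `verdict` and `PORT_NAMES` are assumptions of this example.

```python
import re

# Rules copied from ACL 3000 above (a subset, to keep the example short).
ACL_3000 = """\
rule 15 permit tcp destination-port eq 4444
rule 25 permit tcp destination-port range 135 139
rule 30 permit udp destination-port range 135 netbios-ssn
rule 35 permit tcp destination-port eq 445
rule 75 permit udp destination-port eq 1434
rule 95 permit tcp source-port eq 6667
rule 110 permit tcp source-port eq 5554
"""

PORT_NAMES = {"netbios-ssn": 139}  # only the port keyword that appears on the page
RULE_RE = re.compile(
    r"rule (\d+) permit (tcp|udp) (source|destination)-port "
    r"(?:eq (\S+)|range (\S+) (\S+))")

def port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse(acl_text):
    """Turn rule lines into (rule_id, proto, field, low, high), ordered by rule id."""
    rules = []
    for line in acl_text.splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        rid, proto, field, eq, lo, hi = m.groups()
        low, high = (port(eq),) * 2 if eq else (port(lo), port(hi))
        rules.append((int(rid), proto, field, low, high))
    return sorted(rules)

def verdict(rules, proto, sport, dport):
    """Return ('drop', rule_id) for the first matching rule, else ('forward', None)."""
    for rid, rproto, field, low, high in rules:
        value = sport if field == "source" else dport
        if proto == rproto and low <= value <= high:
            return ("drop", rid)  # ACL permit = classified; behavior deny = dropped
    return ("forward", None)

if __name__ == "__main__":
    rules = parse(ACL_3000)
    print(verdict(rules, "udp", 40000, 1434))  # destination-port rule
    print(verdict(rules, "tcp", 5554, 80))     # source-port rule hits an unrelated flow
    print(verdict(rules, "tcp", 51000, 443))   # no rule matches
```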

11. Control engine protection
cpu-defend policy 4
attack-source-trace enable
attack-source-trace sample-rate 1000
attack-source-trace packet-length 200
udp-packet-defend enable
abnormal-packet-defend enable
Deploy in the service board slots:
slot 1
cpu-defend-policy 4
quit
slot 2
cpu-defend-policy 4
quit
12. BGP configuration
bgp 64727
group MPLSVPN-RR internal
peer MPLSVPN-RR connect-interface LoopBack1
peer MPLSVPN-RR password cipher
peer 218.6.33.9 as-number 64727
peer 218.6.33.9 group MPLSVPN-RR
peer 218.6.33.9 description LY-LC-NE5000E-C.MAN
peer 218.6.33.10 as-number 64727
peer 218.6.33.10 group MPLSVPN-RR
peer 218.6.33.10 description LY-ZHDL-T640-C.MAN
#
ipv4-family unicast
undo synchronization
undo peer MPLSVPN-RR enable
undo peer 218.6.33.9 enable
undo peer 218.6.33.10 enable
#
ipv4-family vpnv4
policy vpn-target
peer MPLSVPN-RR enable
peer 218.6.33.9 enable
peer 218.6.33.9 group MPLSVPN-RR
peer 218.6.33.10 enable
peer 218.6.33.10 group MPLSVPN-RR

13. MPLS configuration
Configure the filter policy globally:
ip ip-prefix MPLSVPN-LDP index 10 permit 218.6.33.0 24 greater-equal 24 less-equal 32

mpls lsr-id 218.6.33.243
mpls
lsp-trigger ip-prefix MPLSVPN-LDP
#
mpls ldp
Enable MPLS and LDP on the interfaces:
interface GigabitEthernet1/0/0
mpls
mpls ldp

interface GigabitEthernet2/0/0
mpls
mpls ldp

14. Global basic QoS configuration

Configure the network-side trust mapping globally, i.e. the bidirectional QoS class mapping (mandatory).
diffserv domain ds-net
ip-dscp-inbound 0 phb be green
ip-dscp-inbound 8 phb af1 green
ip-dscp-inbound 16 phb af2 green
ip-dscp-inbound 24 phb af3 green
ip-dscp-inbound 32 phb ef green
ip-dscp-inbound 40 phb af4 green
ip-dscp-inbound 48 phb cs6 green
ip-dscp-inbound 56 phb cs7 green

mpls-exp-inbound 0 phb be green
mpls-exp-inbound 1 phb af1 green
mpls-exp-inbound 2 phb af2 green
mpls-exp-inbound 3 phb af3 green
mpls-exp-inbound 4 phb ef green
mpls-exp-inbound 5 phb af4 green
mpls-exp-inbound 7 phb cs7 green
mpls-exp-inbound 6 phb cs6 green

ip-dscp-outbound be green map 0
ip-dscp-outbound af1 red map 8
ip-dscp-outbound af1 yellow map 16
ip-dscp-outbound af1 green map 24
ip-dscp-outbound cs6 green map 48
ip-dscp-outbound af4 yellow map 40
ip-dscp-outbound af4 green map 56
ip-dscp-outbound ef green map 32

mpls-exp-outbound be green map 0
mpls-exp-outbound af1 red map 1
mpls-exp-outbound af1 yellow map 2
mpls-exp-outbound af1 green map 3
mpls-exp-outbound ef green map 4
mpls-exp-outbound af4 yellow map 5
mpls-exp-outbound af4 green map 7
mpls-exp-outbound cs6 green map 6

Define the WRED profiles globally.
port-wred pwCritical
color green low-limit 2 high-limit 2 discard-percentage 100
port-wred pwGoldSilverCopper
color green low-limit 10 high-limit 30 discard-percentage 10
color yellow low-limit 10 high-limit 30 discard-percentage 20
color red low-limit 10 high-limit 30 discard-percentage 30
port-wred pwDiamondPlatinum
color green low-limit 6 high-limit 8 discard-percentage 100
color yellow low-limit 6 high-limit 8 discard-percentage 100
port-wred pwNC
color green low-limit 95 high-limit 100 discard-percentage 10
port-wred pwBE
color green low-limit 80 high-limit 100 discard-percentage 10

(Apply on the interfaces facing the T640 / NE5000e)
interface GigabitEthernet1/0/0
trust upstream ds-net
port-queue be wfq weight 45 port-wred pwBE outbound
port-queue af1 wfq weight 28 port-wred pwGoldSilverCopper outbound
port-queue af4 wfq weight 22 port-wred pwDiamondPlatinum outbound
port-queue ef pq shaping shaping-percentage 10 port-wred pwCritical outbound
port-queue cs6 wfq weight 5 port-wred pwNC outbound

interface GigabitEthernet2/0/0
trust upstream ds-net
port-queue be wfq weight 45 port-wred pwBE outbound
port-queue af1 wfq weight 28 port-wred pwGoldSilverCopper outbound
port-queue af4 wfq weight 22 port-wred pwDiamondPlatinum outbound
port-queue ef pq shaping shaping-percentage 10 port-wred pwCritical outbound
port-queue cs6 wfq weight 5 port-wred pwNC outbound


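[The above covers only the trusted-QoS deployment and congestion-avoidance mechanism on the uplink ports for initial deployment; for downlink interface policies and user policies, see the NE80e QoS deployment script!]
Some other commonly used commands for viewing information:
Device side
Information collection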
disp cur
disp health/cpu
disp mem
disp device
disp bgp peer
disp ospf peer
disp isis peer
disp ver (for 8090 products, also run check version)
disp ip int bri
disp mpls ldp session
disp mpls lsp
disp ip rou sta
disp fib sta
disp ospf lsdb
disp isis lsdb
disp ip rou
disp fib
disp bgp rout
disp ip rou 0.0.0.0
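Notes
If a link is down or the device behaves strangely during commissioning, call the Huawei 800 hotline
If the commissioning laptop acts up and blue-screens during commissioning, whatever you do, do not smash the computer, or you will regret it bitterly!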
