NE40E命令解释

  • 格式:wps
  • 大小:57.00 KB
  • 文档页数:10

sysname XX-SR-1.MAN.NE40E#super password level 3 cipher abcd123$ //本地super帐号,Telnet/SSH密码字符串不能过于简单,一般应由字母、数字及特殊字符等组成,且不能低于8位#fan speed auto#snmp-agent trap type entity-trap //开启SNMP TRAP#diffserv domain defaultdiffserv domain 5p3dbasdiffserv domain 5p3d#mpls lsr-id 222.217.170.30 //设置MPLS router-id为Loopback0mpls //全局使能mpls#mpls ldp //全局使能mpls ldp#//组播IGMP全局配置igmp-snooping enable#统一认证TACACS+配置hwtacacs-server template 3a-tacacs //配置tacacs服务器模板hwtacacs-server authentication 202.103.194.99 //配置认证服务器hwtacacs-server authorization 202.103.194.99 //配置授权服务器hwtacacs-server accounting 202.103.194.99 //配置计费服务器hwtacacs-server shared-key Nocteam //配置服务器密钥undo hwtacacs-server user-name domain-included //配置上送账号不带后缀域名#MPLS VPN配置ip vpn-instance GXGL-ITMS-MGMT //VPN实例配置route-distinguisher 4809:2000002 //RD值配置vpn-target 4809:200000200 export-extcommunity //EXPORT RT值配置vpn-target 4809:200000200 import-extcommunity //IMPORT RT值配置ip vpn-instance GXGL-WLAN-AP-MGMTroute-distinguisher 4809:2000012vpn-target 4809:200001200 export-extcommunityvpn-target 4809:200001200 import-extcommunity#//访问列表,用于TELNET及SNMP的ACL,只允许授权网段(分公司网管地址、NOC网管地址段202.103.194.99-101、中转机202.103.208.162)对设备VTY远程访问、SNMP访问acl number 2010rule 0 permit source 202.103.194.99 0rule 5 permit source 202.103.194.101 0rule 10 permit source 202.103.225.64 0.0.0.31 rule 25 permit source 220.173.63.200 0.0.0.7 rule 55 permit source 202.103.207.128 0.0.0.15 //防病毒木马访问列表acl number 3000description ANTI-VIRUSrule 1 deny tcp destination-port eq 135rule 2 deny tcp destination-port eq 137rule 3 deny tcp destination-port eq 138rule 4 deny tcp destination-port eq 139rule 5 deny tcp destination-port eq 445rule 6 deny tcp destination-port eq 5554rule 7 deny tcp destination-port eq 901rule 8 deny tcp destination-port eq 2745rule 9 deny tcp destination-port eq 3127rule 10 deny tcp destination-port eq 3128rule 11 deny tcp destination-port eq 6129rule 12 deny tcp destination-port eq 6667rule 13 deny tcp destination-port eq 4444rule 14 deny tcp destination-port eq 1025rule 15 deny tcp destination-port eq 593rule 16 deny udp destination-port eq 135rule 17 deny udp destination-port eq netbios-ns rule 18 deny udp destination-port eq netbios-dgm rule 19 deny udp destination-port eq netbios-ssn rule 20 deny udp destination-port eq 445rule 21 deny udp destination-port eq 9995rule 22 deny udp destination-port eq 9996rule 23 deny udp destination-port eq 1434rule 50 permit tcp destination 202.103.226.142 0 rule 100 deny tcp destination-port eq www#保护设备CPU的访问列表acl number 3100rule 5 permit tcp destination-port eq echorule 10 permit tcp destination-port eq CHARgen rule 15 permit udp destination-port eq 19rule 20 permit tcp destination-port eq finger#保护设备CPU的策略cpu-defend policy 4 //创建cpu保护策略blacklist acl 3100 //关联acl 3100#//流分类配置//QOS流分类traffic classifier tcAnyif-match anytraffic classifier urpf operator or //创建名称为urpf的流分类if-match any //流分类可以通过acl指定特定地址端口或者配置为any。

traffic classifier tcAntiVirus operator orif-match acl 3000#//流动作配置//QOS流动作traffic behavior tbDefaultremark ip-precedence 0traffic behavior tbCriticalremark ip-precedence 4traffic behavior tbHigh //创建流动作名称为tbHighremark ip-precedence 5 //定义流动作为报文打上ip优先级为5,常用的流动作有permit,deny。

traffic behavior permittraffic behavior denydeny//URPF流动作traffic behavior URPFip urpf strict allow-default //定义流动作为urpf的严格模式#//流策略配置traffic policy tpDefaultshare-modeclassifier tcAny behavior tbDefaulttraffic policy tpCriticalshare-modeclassifier tcAny behavior tbCriticaltraffic policy tpHighshare-modeclassifier tcAny behavior tbHightraffic policy Anti-Virusshare-modeclassifier Anti-Virus behavior permittraffic policy URPF //URFP策略,只在二层端口上应用,三层端口直接配置命令即可。

share-mode //此配置为自动生成,如果不是限速可以不用关注,主用是一个策略在多个端口下发限速策略是否采取共享带宽模式。

classifier URPF behavior URPF //将流分类URPF和流动作URPF关联起来#dot1x-template 1#//AAA配置aaalocal-user admin password cipher abcd123$ //创建本地telnet帐号local-user admin service-type telnet //设置账号属性为telnetlocal-user admin level 1 //设置账号权限为level 1authentication-scheme default0authentication-scheme default1authentication-scheme defaultauthentication-mode local radius //配置认证策略为先本地认证后radius认证。

#authorization-scheme default#accounting-scheme default0accounting-scheme default1#domain default0domain default1domain default_admin##multicastbandwidth############################################################################### ##########################################配置ISIS路由协议,ISIS 协议不承载用户路由,仅为BGP 协议提供底层IGP 可达。