H3C - MSR810

Last updated: 2020-02-13

 


Hardware information

 

display version

H3C Comware Software, Version 7.1.064, Release 0707P16
Copyright (c) 2004-2019 New H3C Technologies Co., Ltd. All rights reserved.
H3C MSR810 uptime is 4 weeks, 0 days, 20 hours, 10 minutes
Last reboot reason : Power on
Boot image: flash:/msr810-cmw710-boot-r0707p16.bin
Boot image version: 7.1.064P88, Release 0707P16
  Compiled Jun 12 2019 15:00:00

...

CPU ID: 0xa
1G bytes DDR3 SDRAM Memory
256M bytes Flash Memory
PCB               Version:  2.0
CPLD              Version:  0.0
Basic    BootWare Version:  1.61
Extended BootWare Version:  1.61
[SLOT  0]CON                       (Hardware)2.0,   (Driver)1.0,   (CPLD)0.0
[SLOT  0]GE0/0                     (Hardware)2.0,   (Driver)1.0,   (CPLD)0.0
[SLOT  0]4GSW                      (Hardware)2.0,   (Driver)1.0,   (CPLD)0.0
[SLOT  0]SFP0/5                    (Hardware)2.0,   (Driver)1.0,   (CPLD)0.0
[SLOT  0]CELLULAR0/0               (Hardware)2.0,   (Driver)1.0,   (CPLD)0.0
[SLOT  0]WLAN-Radio0/0             (Hardware)2.0,   (Driver)1.0,   (CPLD)0.0
[SLOT  1]CELLULAR1/0               (Hardware)1.0,   (Driver)1.0,   (CPLD)0.0

 

 


hotkey

 

ctrl+z           # return to User mode

 


Console

 

<Router>screen-length disable

system-view

exit, end, quit

save force

 


Dump Setting

 

# ALL Setting

display current-configuration

# Partial settings

display current-configuration interface Vlan-interface1

#
interface Vlan-interface1
 ip address 172.16.0.1 255.255.252.0
 packet-filter 3000 inbound
 dhcp server apply ip-pool 1
#
return

display current-configuration configuration acl-ipv4-adv

#
acl advanced 3000
 rule 0 deny ip destination 192.168.12.0 0.0.0.255
#
return

display current-configuration configuration acl-ipv4-basic

 


Interface

 

info.

display interface brief

display interface GigabitEthernet0/4

set ip

interface GigabitEthernet 0/0

ip address dhcp-alloc

ip address 192.168.13.1 255.255.255.0

duplex & speed

interface GigabitEthernet 0/4

duplex full
speed 1000

vlan

 

 

display vlan

 Total VLANs: 2
 The VLANs include:
 1(default), 12

display vlan brief

display vlan 12

VLAN ID: 12
 VLAN type: Static
 Route interface: Configured
 IPv4 address: 192.168.12.1
 IPv4 subnet mask: 255.255.255.0
 Description: Oasis Staff
 Name: VLAN 0012
 Tagged ports:   None
 Untagged ports:
    GigabitEthernet0/4

display interface Vlan-interface 12

Setting

# Create a VLAN

vlan vlan-id

# Assign ports to the VLAN

# By default, all ports belong to VLAN 1.

vlan vlan-id

port interface-list

 


DHCP

 

# Create a DHCP pool

dhcp server ip-pool 4

address range 192.168.13.101 192.168.13.200
network 192.168.13.0 mask 255.255.255.0
gateway-list 192.168.13.1
dns-list 192.168.13.1
quit

# View pools

display dhcp server pool

# Pool bind NIC

interface interface-type interface-number

dhcp server apply ip-pool pool-name

# Enable DHCP Service

# By default, DHCP is disabled.

dhcp enable

# Enabling the DHCP server on an interface

# By default, the DHCP server is enabled on the interface.

interface interface-type interface-number

dhcp select server

# Check IP Usage

display dhcp server ip-in-use

 


NAT

 

Internet access via WAN

[H3C]interface GigabitEthernet 0/0
[H3C-GigabitEthernet0/0]nat outbound
[H3C-GigabitEthernet0/0]quit

Port Forward

interface GigabitEthernet0/0
 port link-mode route
 description Single_Line1
 ip address dhcp-alloc
 packet-filter name WebTelnet2 inbound
 nat outbound
 nat server protocol tcp global current-interface 8443 inside 192.168.2.225 443

 


ddns

 

View Setting

display ddns policy

Modify Setting

# DDNS Login

ddns policy WAN0(GE0/0)      # WAN0(GE0/0) is an arbitrary name
url http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
method http-get
username xx
password xx

# Wan NIC

interface GigabitEthernet0/0
ddns apply policy WAN0(GE0/0) fqdn my.domain

 


ACL

 

ACL types

  • Basic ACLs  2000 to 2999
  • Advanced ACLs  3000 to 3999
  • Layer 2 ACLs  4000 to 4999

When a packet matches a rule, the device stops the match process and performs the action defined in the rule.

A rule with a lower ID is matched before a rule with a higher ID.

---

acl basic { acl-number | name acl-name } [ match-order { auto | config } ]  

description text

rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source
{ object-group address-group-name | source-address source-wildcard |
any } | time-range time-range-name | vpn-instance vpn-instance-name ] *

rule rule-id comment text

Basic ACLs match packets based only on source IP addresses.

---

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0

display acl 3000

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] packet-filter 3000 outbound

[Device-GigabitEthernet1/0/1] quit

Remark

wildcard: more 0s means a narrower IPv4 address range

Checking

[Router]display current-configuration interface Vlan-interface 13
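
The matching behaviour described in this section (lower rule ID first, stop at the first match, wildcard 0-bits must match), as an added example that is not part of the original notes or H3C code. The rule 5 line is constructed to show a shadowed rule; the auto-numbering step of 5 and the default action of permit for unmatched packets are assumptions about the packet filter, so pass default="deny" to model the other case.

```python
import ipaddress

# Rules as they appear on this page, plus one constructed rule to show shadowing.
ACL_3000 = ["rule 0 deny ip destination 192.168.12.0 0.0.0.255"]
SHADOWED = ACL_3000 + ["rule 5 permit ip destination 192.168.12.10 0"]  # constructed

def _ip(text):
    # A bare "0" wildcard is shorthand for 0.0.0.0 (match this host only).
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))

def wildcard_match(addr, base, wildcard):
    """Compare only the bits whose wildcard bit is 0 (0 = must match)."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def parse_acl(lines, step=5):
    """Parse 'rule [id] {permit|deny} ip [source A W] [destination A W]' lines."""
    rules = []
    for line in lines:
        tok = line.split()[1:]                      # drop the leading "rule"
        if tok[0].isdigit():
            rule_id = int(tok.pop(0))
        else:   # assumed auto-numbering: next multiple of the step, starting at 0
            rule_id = (max(r["id"] for r in rules) // step + 1) * step if rules else 0
        rule = {"id": rule_id, "action": tok[0], "source": None, "destination": None}
        i = 2                                       # skip action and protocol "ip"
        while i < len(tok):
            if tok[i + 1] == "any":
                i += 2
            else:
                rule[tok[i]] = (tok[i + 1], tok[i + 2])
                i += 3
        rules.append(rule)
    return sorted(rules, key=lambda r: r["id"])     # lower rule ID is matched first

def evaluate(rules, src, dst, default="permit"):
    """Return (action, rule_id) for the first matching rule, else (default, None)."""
    for r in rules:
        fields = (("source", src), ("destination", dst))
        if all(r[k] is None or wildcard_match(v, *r[k]) for k, v in fields):
            return r["action"], r["id"]
    return default, None                            # default action is an assumption

if __name__ == "__main__":
    for dst in ("192.168.12.10", "192.168.13.7"):
        print(dst, evaluate(parse_acl(SHADOWED), "172.16.0.50", dst))
```

Because rule 0 already covers 192.168.12.0/24, the narrower permit in rule 5 never takes effect; a more specific exception has to carry a lower rule ID than the broad rule.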


security-zone

 

 

System-defined security zones

zones: Local, Trust, DMZ, Management, and Untrust

The system creates these security zones automatically when one of the following events occurs:

  • The first command for creating a security zone is executed.
  • The first command related to creating an interzone policy is executed.

Default Rule

Packets between an interface that is in a security zone and an interface that is not in any security zone

=> Discard

Packets between two interfaces that are in the same security zone

=> Discard by default (to permit instead: security-zone intra-zone default permit)

Interzone policy

=> Discard by default

Packets between two interfaces that are not in any security zone

=> Forward

Packets originated from or destined for the device itself

=> Discard by default

Setting

1) Create ACLs

acl basic name AllowAll
 rule 0 permit

acl basic name DenyAll
 rule 0 deny

2) Creating a security zone & Add NIC to Zone

# Creating Zone

security-zone name zone-name

# Add NIC to Zone

import interface layer3-interface-type layer3-interface-number
import interface layer2-interface-type layer2-interface-number vlan vlan-list

3) Interzone policy

zone-pair security source A_zone destination B_zone
 packet-filter name AllowAll

any           Any security zone

Checking

display security-zone [ name zone-name ]

display zone-pair security
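
The default rules above applied to transit traffic between interfaces, as an added example that is not part of the original notes or H3C code. It lists which flows stop being forwarded once only some interfaces are imported into zones. The zone assignment and zone pair are constructed, the lookup order for "any" zone pairs is an assumption, and traffic to or from the device itself and stateful handling of return traffic are not modelled.

```python
from itertools import permutations

IFACES = ["GigabitEthernet0/0", "Vlan-interface12", "Vlan-interface13"]
ACLS = {"AllowAll": "permit", "DenyAll": "deny"}        # the two ACLs from step 1
# Constructed assignment: Vlan-interface13 was left out of every zone.
ZONES = {"Trust": {"Vlan-interface12"}, "Untrust": {"GigabitEthernet0/0"}}
ZONE_PAIRS = {("Trust", "Untrust"): "AllowAll"}         # source zone -> destination zone

def zone_of(iface, zones):
    """Zone an interface was imported into, or None when it is in no zone."""
    return next((z for z, members in zones.items() if iface in members), None)

def verdict(src_if, dst_if, zones, zone_pairs, acls, intra_zone_permit=False):
    """Default handling of one direction of transit traffic, per the rules above."""
    src, dst = zone_of(src_if, zones), zone_of(dst_if, zones)
    if src is None and dst is None:
        return "forward"                    # neither interface is in a zone
    if src is None or dst is None:
        return "discard"                    # zoned interface <-> unzoned interface
    if src == dst:
        return "forward" if intra_zone_permit else "discard"
    # Interzone: exact zone pair first, then pairs using "any" (order assumed).
    for key in ((src, dst), (src, "any"), ("any", dst), ("any", "any")):
        if key in zone_pairs:
            return "forward" if acls[zone_pairs[key]] == "permit" else "discard"
    return "discard"                        # no interzone policy

def broken_flows(ifaces, zones, zone_pairs, acls):
    """Directed interface pairs that forwarded with no zones but are discarded now."""
    return sorted((s, d) for s, d in permutations(ifaces, 2)
                  if verdict(s, d, zones, zone_pairs, acls) == "discard")

if __name__ == "__main__":
    for src, dst in broken_flows(IFACES, ZONES, ZONE_PAIRS, ACLS):
        print(f"discard: {src} -> {dst}")
```

With this constructed layout only Vlan-interface12 to GigabitEthernet0/0 is forwarded; every flow involving the unzoned Vlan-interface13 is dropped, which is the usual surprise after importing only some interfaces.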

 


Qos

 

Limit Traffic

qos car { inbound | outbound } { any | acl [ ipv6 ] acl-number | carl carl-index } \
cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ]
[ green action | red action | yellow action ] *

undo qos car ...

 * You can configure multiple qos car commands on an interface to define multiple CAR policies.

Setting

  • cir: 8~10000000 (Unit: kbps)
  • cbs:  1000 to 1000000000 (Unit: kbps)
    (When CBS is smaller than (100/16)CIR, this may affect network traffic bursts)
    (The default CBS is the traffic transmitted at the rate of the CIR for 500 milliseconds)
  • ebs: excess-burst-size (0 to 1000000000. The default is 0 bytes)

Action

  • green action: conform to the CIR. Default: pass
  • red action: conform to neither CIR nor PIR. Default: discard
  • yellow action: conform to the PIR but not to the CIR. Default: pass

• discard: Drops the packet.
• pass: Permits the packet to pass through.

e.g.

<Sysname> system-view
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] qos car outbound any cir 30000

undo

undo qos car inbound any
undo qos car outbound any

 


Wlan

 

Wifi Client info

display wlan wmm client ?

  all          All clients or radios
  ap           Specify an AP by its name
  mac-address  Specify a client by its MAC address

<AC>display wlan wmm client mac-address x-x-x

 MAC address : 000d-f073-7410        SSID : test
 QoS mode : WMM
 APSD information :
  Max SP Length : N/A
  L: Legacy     T: Trigger      D: Delivery
  AC            AC-BK   AC-BE   AC-VI   AC-VO
  Assoc state   L       L       L       L
 Statistic information :
  Uplink packets   : 0           Downlink packets   : 0
  Uplink bytes     : 0           Downlink bytes     : 0
  Downgrade packets    : 0           Discarded packets        : 0
  Downgrade bytes      : 0           Discarded bytes          : 0

Remark

reset wlan wmm client all

display mac-address

MAC Address      VLAN ID    State            Port/NickName            Aging
????-????-????   1          Client           WLAN-BSS1/0/9482         N

display wlan client

Total number of clients: 102

MAC address    User name            AP name               R IP address      VLAN
000d-f073-7410 N/A                  ap27                  3 172.16.3.193    1

display wlan client status

Total number of clients: 100

MAC address     Access time  RSSI  Rx/Tx rate      Discard  AP name     RID
000d-f073-7410  N/A          N/A   65/1Mbps        0.00%    ap27          3

AP

display wlan ap all

Total number of APs: 40
Total number of connected APs: 38
Total number of connected manual APs: 38
Total number of connected auto APs: 0
Total number of connected common APs: 38
Total number of connected WTUs: 0
Total number of inside APs: 0
Maximum supported APs: 256
Remaining APs: 218
Total AP licenses: 40
Remaining AP licenses: 2
Sync AP licenses: 0

                                 AP information
 State : I = Idle,      J  = Join,       JA = JoinAck,    IL = ImageLoad
         C = Config,    DC = DataCheck,  R  = Run,   M = Master,  B = Backup

AP name                        APID  State Model           Serial ID
ap1                            1     R/M   WA5530          ???????????????????

display wlan ap all address

AP name                          IP address          MAC address
ap1                              172.16.1.45         ????-????-????

display wlan ap connection record all

AP name                         IP address      State     Time
ap21                           172.16.1.41     Run       02-12 13:31:07

Limit Speed

Setting: client-rate-limit

wlan service-template 3
 ssid test
 vlan 13
 akm mode psk
 preshared-key pass-phrase cipher ?????
 cipher-suite tkip
 security-ie rsn
 security-ie wpa
 client-rate-limit enable
 client-rate-limit inbound mode dynamic cir 10000
 client-rate-limit outbound mode dynamic cir 10000
 service-template enable

Notes

  • inbound = client to AP

Checking

display wlan service-template

Total number of service templates: 3
Service template name           SSID                Status
1                               OASIS               Enabled
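
The service template above enables cipher-suite tkip and security-ie wpa, and the DDNS policy earlier on the page sends its update to an http:// URL. The following added example (not part of the original notes or any H3C tool) scans a display current-configuration dump for those settings and lists inbound port forwards for review. The sample dump is constructed from snippets on this page, and the check list is illustrative, not exhaustive.

```python
import re

# Constructed dump assembled from the snippets on this page (secrets omitted).
SAMPLE = """\
#
wlan service-template 3
 akm mode psk
 cipher-suite tkip
 security-ie rsn
 security-ie wpa
 service-template enable
#
interface GigabitEthernet0/0
 nat outbound
 nat server protocol tcp global current-interface 8443 inside 192.168.2.225 443
#
ddns policy WAN0(GE0/0)
 url http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
#
return
"""

# (section header pattern, line pattern, finding)
CHECKS = [
    (r"wlan service-template ", r"cipher-suite tkip$", "TKIP is deprecated; use ccmp"),
    (r"wlan service-template ", r"security-ie wpa$", "WPA IE advertised; keep rsn only"),
    (r"ddns policy ", r"url http://", "DDNS update goes over plain HTTP"),
    (r"interface ", r"nat server ", "inbound port forward; confirm exposure is intended"),
]

def sections(config):
    """Yield (header, [sub-lines]) for each block of a configuration dump."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue                      # '#' lines only separate blocks
        if raw[0] != " ":                 # a column-0 line opens a new block
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
        else:
            body.append(raw.strip())
    if header is not None:
        yield header, body

def audit(config):
    """Return (section header, offending line, finding) for every check that hits."""
    return [(h, line, msg) for h, body in sections(config) for line in body
            for hpat, lpat, msg in CHECKS if re.match(hpat, h) and re.match(lpat, line)]
```

Calling audit(SAMPLE) returns four findings: two for the service template, one for the port forward on GigabitEthernet0/0 and one for the DDNS policy.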

 


Tools

 

ping

  • -a             Specify the source IP address
  • -i             Specify an outgoing interface

e.g.

ping -a 192.168.12.1 -i Vlan-interface 13 192.168.13.2