# 进入系统视图
system-view
Enter system view, return user view with return command.

# 配置设备名称
[HUAWEI] sysname fgedu-core-sw01
[fgedu-core-sw01]

# 配置管理IP地址
[fgedu-core-sw01] interface meth 0/0/0
[fgedu-core-sw01-MEth0/0/0] ip address 192.168.1.1 255.255.255.0
[fgedu-core-sw01-MEth0/0/0] quit

# 配置默认网关
[fgedu-core-sw01] ip route-static 0.0.0.0 0.0.0.0 192.168.1.254

# 查看接口状态
[fgedu-core-sw01] display interface brief
PHY: Physical
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
(b): BFD down
(d): Dampening Suppressed
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
GE1/0/1 up up 0.01% 0.02% 0 0
GE1/0/2 up up 0.02% 0.03% 0 0
GE1/0/3 down down 0% 0% 0 0
GE1/0/4 up up 0.01% 0.01% 0 0
XGE3/0/1 up up 0.05% 0.08% 0 0
XGE3/0/2 up up 0.04% 0.06% 0 0

# 配置端口描述
[fgedu-core-sw01] interface ge 1/0/1
[fgedu-core-sw01-GE1/0/1] description To-fgedu-server01
[fgedu-core-sw01-GE1/0/1] quit

# 配置端口速率和双工模式
[fgedu-core-sw01] interface ge 1/0/2
[fgedu-core-sw01-GE1/0/2] speed 1000
[fgedu-core-sw01-GE1/0/2] duplex full
[fgedu-core-sw01-GE1/0/2] quit

# 配置端口聚合
[fgedu-core-sw01] interface eth-trunk 1
[fgedu-core-sw01-Eth-Trunk1] description To-fgedu-core-sw02
[fgedu-core-sw01-Eth-Trunk1] port link-type trunk
[fgedu-core-sw01-Eth-Trunk1] port trunk allow-pass vlan all
[fgedu-core-sw01-Eth-Trunk1] mode lacp-static
[fgedu-core-sw01-Eth-Trunk1] quit

# 添加成员端口
[fgedu-core-sw01] interface ge 1/0/23
[fgedu-core-sw01-GE1/0/23] eth-trunk 1
[fgedu-core-sw01-GE1/0/23] quit
[fgedu-core-sw01] interface ge 1/0/24
[fgedu-core-sw01-GE1/0/24] eth-trunk 1
[fgedu-core-sw01-GE1/0/24] quit

# 查看聚合端口状态
[fgedu-core-sw01] display eth-trunk 1
Eth-Trunk1’s state information is:
WorkingMode: STATIC
Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1
Max Bandwidth-affected-linknumber: 8
Operate status: up
Number Of Up Port In Trunk: 2
——————————————————————————–
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GE1/0/23 Selected 1GE 32768 26 305 10111100 1
GE1/0/24 Selected 1GE 32768 27 305 10111100 1

# 配置生成树协议
[fgedu-core-sw01] stp mode rstp
[fgedu-core-sw01] stp root primary
[fgedu-core-sw01] stp priority 0
[fgedu-core-sw01] stp enable

# 查看生成树状态
[fgedu-core-sw01] display stp brief
MSTID Port Role STP State Protection
0 GE1/0/1 DESI FORWARDING NONE
0 GE1/0/2 DESI FORWARDING NONE
0 Eth-Trunk1 ROOT FORWARDING NONE

# 配置路由器接口
system-view
[HUAWEI] sysname fgedu-router01
[fgedu-router01]

# 配置WAN接口
[fgedu-router01] interface ge 0/0/0
[fgedu-router01-GE0/0/0] description To-ISP-WAN
[fgedu-router01-GE0/0/0] ip address 203.0.113.10 255.255.255.252
[fgedu-router01-GE0/0/0] quit

# 配置LAN接口
[fgedu-router01] interface ge 0/0/1
[fgedu-router01-GE0/0/1] description To-LAN-Core
[fgedu-router01-GE0/0/1] ip address 192.168.1.254 255.255.255.0
[fgedu-router01-GE0/0/1] quit

# 配置子接口（单臂路由）
[fgedu-router01] interface ge 0/0/1.10
[fgedu-router01-GE0/0/1.10] dot1q termination vid 10
[fgedu-router01-GE0/0/1.10] ip address 192.168.10.1 255.255.255.0
[fgedu-router01-GE0/0/1.10] arp broadcast enable
[fgedu-router01-GE0/0/1.10] quit

[fgedu-router01] interface ge 0/0/1.20
[fgedu-router01-GE0/0/1.20] dot1q termination vid 20
[fgedu-router01-GE0/0/1.20] ip address 192.168.20.1 255.255.255.0
[fgedu-router01-GE0/0/1.20] arp broadcast enable
[fgedu-router01-GE0/0/1.20] quit

# 查看接口状态
[fgedu-router01] display ip interface brief
Interface IP Address/Mask Physical Protocol
GE0/0/0 203.0.113.10/30 up up
GE0/0/1 192.168.1.254/24 up up
GE0/0/1.10 192.168.10.1/24 up up
GE0/0/1.20 192.168.20.1/24 up up

# 创建VLAN
[fgedu-core-sw01] vlan batch 10 20 30 100 200
[fgedu-core-sw01] vlan 10
[fgedu-core-sw01-vlan10] description Management-VLAN
[fgedu-core-sw01-vlan10] quit
[fgedu-core-sw01] vlan 20
[fgedu-core-sw01-vlan20] description Server-VLAN
[fgedu-core-sw01-vlan20] quit
[fgedu-core-sw01] vlan 30
[fgedu-core-sw01-vlan30] description User-VLAN
[fgedu-core-sw01-vlan30] quit

# 配置VLAN接口（SVI）
[fgedu-core-sw01] interface vlanif 10
[fgedu-core-sw01-Vlanif10] description Management-Gateway
[fgedu-core-sw01-Vlanif10] ip address 192.168.10.1 255.255.255.0
[fgedu-core-sw01-Vlanif10] quit
[fgedu-core-sw01] interface vlanif 20
[fgedu-core-sw01-Vlanif20] description Server-Gateway
[fgedu-core-sw01-Vlanif20] ip address 192.168.20.1 255.255.255.0
[fgedu-core-sw01-Vlanif20] quit
[fgedu-core-sw01] interface vlanif 30
[fgedu-core-sw01-Vlanif30] description User-Gateway
[fgedu-core-sw01-Vlanif30] ip address 192.168.30.1 255.255.255.0
[fgedu-core-sw01-Vlanif30] quit

# 配置Access端口
[fgedu-core-sw01] interface ge 1/0/5
[fgedu-core-sw01-GE1/0/5] port link-type access
[fgedu-core-sw01-GE1/0/5] port default vlan 20
[fgedu-core-sw01-GE1/0/5] quit

# 配置Trunk端口
[fgedu-core-sw01] interface ge 1/0/25
[fgedu-core-sw01-GE1/0/25] port link-type trunk
[fgedu-core-sw01-GE1/0/25] port trunk allow-pass vlan 10 20 30
[fgedu-core-sw01-GE1/0/25] quit

# 查看VLAN配置
[fgedu-core-sw01] display vlan
The total number of vlans is : 5
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: Protocol-transparent-vlan; *: Management-vlan;
——————————————————————————–
VID Type Ports
——————————————————————————–
1 common UT:GE1/0/1(U) GE1/0/2(U) GE1/0/3(D) GE1/0/4(U)
10 common TG:GE1/0/25(U) Eth-Trunk1(U)
20 common UT:GE1/0/5(U) TG:GE1/0/25(U) Eth-Trunk1(U)
30 common TG:GE1/0/25(U) Eth-Trunk1(U)
100 common TG:Eth-Trunk1(U)

# 配置静态路由
[fgedu-router01] ip route-static 192.168.0.0 255.255.0.0 192.168.1.1
[fgedu-router01] ip route-static 10.0.0.0 255.0.0.0 192.168.1.1
[fgedu-router01] ip route-static 0.0.0.0 0.0.0.0 203.0.113.9

# 查看路由表
[fgedu-router01] display ip routing-table
Route Flags: R – relay, D – download to fib
——————————————————————————
Routing Tables: Public
Destinations : 15 Routes : 15
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 203.0.113.9 GE0/0/0
10.0.0.0/8 Static 60 0 RD 192.168.1.1 GE0/0/1
192.168.0.0/16 Static 60 0 RD 192.168.1.1 GE0/0/1
192.168.1.0/24 Direct 0 0 D 192.168.1.254 GE0/0/1
192.168.1.254/32 Direct 0 0 D 127.0.0.1 GE0/0/1
203.0.113.8/30 Direct 0 0 D 203.0.113.10 GE0/0/0
203.0.113.10/32 Direct 0 0 D 127.0.0.1 GE0/0/0

# 配置OSPF动态路由
[fgedu-core-sw01] ospf 1 router-id 192.168.1.1
[fgedu-core-sw01-ospf-1] area 0
[fgedu-core-sw01-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[fgedu-core-sw01-ospf-1-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[fgedu-core-sw01-ospf-1-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[fgedu-core-sw01-ospf-1-area-0.0.0.0] network 192.168.30.0 0.0.0.255
[fgedu-core-sw01-ospf-1-area-0.0.0.0] quit
[fgedu-core-sw01-ospf-1] quit

# 查看OSPF邻居
[fgedu-core-sw01] display ospf peer brief
OSPF Process 1 with Router ID 192.168.1.1
Peer Brief Information
——————————————————————————–
Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
192.168.1.2 192.168.1.2 1 38 Full Eth-Trunk1
192.168.1.3 192.168.1.3 1 35 Full GE1/0/25

# 查看OSPF路由
[fgedu-core-sw01] display ospf routing
OSPF Process 1 with Router ID 192.168.1.1
Routing Tables
Routing for Network
Destination Cost Type NextHop AdvRouter Area
192.168.1.0/24 1 Transit 192.168.1.1 192.168.1.1 0.0.0.0
192.168.10.0/24 1 Stub 192.168.10.1 192.168.1.1 0.0.0.0
192.168.20.0/24 1 Stub 192.168.20.1 192.168.1.1 0.0.0.0
192.168.40.0/24 2 Stub 192.168.1.2 192.168.1.2 0.0.0.0
Total Nets: 4
Intra Area: 4 Inter Area: 0 ASE: 0 NSSA: 0

# 创建基本ACL
[fgedu-core-sw01] acl number 2000
[fgedu-core-sw01-acl-basic-2000] rule 5 permit source 192.168.10.0 0.0.0.255
[fgedu-core-sw01-acl-basic-2000] rule 10 permit source 192.168.20.0 0.0.0.255
[fgedu-core-sw01-acl-basic-2000] rule 15 deny source any
[fgedu-core-sw01-acl-basic-2000] quit

# 创建高级ACL
[fgedu-core-sw01] acl number 3000
[fgedu-core-sw01-acl-adv-3000] rule 5 permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.20.100 0 destination-port eq 80
[fgedu-core-sw01-acl-adv-3000] rule 10 permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.20.100 0 destination-port eq 443
[fgedu-core-sw01-acl-adv-3000] rule 15 permit icmp source any destination any icmp-type echo
[fgedu-core-sw01-acl-adv-3000] rule 20 deny ip source any destination any
[fgedu-core-sw01-acl-adv-3000] quit

# 应用ACL到接口
[fgedu-core-sw01] interface vlanif 30
[fgedu-core-sw01-Vlanif30] traffic-filter inbound acl 3000
[fgedu-core-sw01-Vlanif30] quit

# 查看ACL配置
[fgedu-core-sw01] display acl 3000
Advanced ACL 3000, 4 rules
Acl’s step is 5
rule 5 permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.20.100 0 destination-port eq www
rule 10 permit tcp source 192.168.30.0 0.0.0.255 destination 192.168.20.100 0 destination-port eq https
rule 15 permit icmp source 0.0.0.0 255.255.255.255 destination 0.0.0.0 255.255.255.255 icmp-type echo
rule 20 deny ip source 0.0.0.0 255.255.255.255 destination 0.0.0.0 255.255.255.255

# 配置NAT
[fgedu-router01] acl number 2001
[fgedu-router01-acl-basic-2001] rule 5 permit source 192.168.0.0 0.0.255.255
[fgedu-router01-acl-basic-2001] quit
[fgedu-router01] nat address-group 1 203.0.113.10 203.0.113.10
[fgedu-router01] interface ge 0/0/0
[fgedu-router01-GE0/0/0] nat outbound 2001 address-group 1
[fgedu-router01-GE0/0/0] quit

# 查看NAT会话
[fgedu-router01] display nat session all
NAT Session Table:
Protocol: TCP
Source: 192.168.10.100:52341 -> 203.0.113.10:52341
Destination: 8.8.8.8:80
State: ESTABLISHED
TTL: 00:01:00

# 配置流分类
[fgedu-core-sw01] acl number 3001
[fgedu-core-sw01-acl-adv-3001] rule 5 permit tcp destination-port eq 80
[fgedu-core-sw01-acl-adv-3001] quit
[fgedu-core-sw01] traffic classifier http-traffic
[fgedu-core-sw01-classifier-http-traffic] if-match acl 3001
[fgedu-core-sw01-classifier-http-traffic] quit

# 配置流行为
[fgedu-core-sw01] traffic behavior http-behavior
[fgedu-core-sw01-behavior-http-behavior] remark dscp af21
[fgedu-core-sw01-behavior-http-behavior] car cir 10000 pir 20000 cbs 1875000 pbs 3750000 green pass yellow pass red discard
[fgedu-core-sw01-behavior-http-behavior] quit

# 配置流策略
[fgedu-core-sw01] traffic policy http-policy
[fgedu-core-sw01-trafficpolicy-http-policy] classifier http-traffic behavior http-behavior
[fgedu-core-sw01-trafficpolicy-http-policy] quit

# 应用流策略
[fgedu-core-sw01] interface ge 1/0/1
[fgedu-core-sw01-GE1/0/1] traffic-policy http-policy inbound
[fgedu-core-sw01-GE1/0/1] quit

# 配置端口限速
[fgedu-core-sw01] interface ge 1/0/10
[fgedu-core-sw01-GE1/0/10] qos lr inbound cir 10000 cbs 1875000
[fgedu-core-sw01-GE1/0/10] qos lr outbound cir 10000 cbs 1875000
[fgedu-core-sw01-GE1/0/10] quit

# 查看QoS统计
[fgedu-core-sw01] display qos policy statistics interface ge 1/0/1 inbound
Interface: GE1/0/1
Direction: Inbound
Policy: http-policy
Classifier: http-traffic
Behavior: http-behavior
Packets: 1234567
Bytes: 1234567890
Rate: 5.5 Mbps

# 配置SNMP
[fgedu-core-sw01] snmp-agent
[fgedu-core-sw01] snmp-agent sys-info version v3
[fgedu-core-sw01] snmp-agent group v3 fgedu-group privacy read-view ViewDefault
[fgedu-core-sw01] snmp-agent usm-user v3 fgedu-monitor fgedu-group authentication-mode sha Fgedu@Auth123 privacy-mode aes128 Fgedu@Priv123
[fgedu-core-sw01] snmp-agent trap enable
[fgedu-core-sw01] snmp-agent target-host trap-hostname fgedu-nms address 192.168.1.100 params securityname fgedu-monitor v3 privacy

# 配置NetStream
[fgedu-core-sw01] ip netstream timeout active 60
[fgedu-core-sw01] ip netstream timeout inactive 15
[fgedu-core-sw01] ip netstream export source 192.168.1.1
[fgedu-core-sw01] ip netstream export host 192.168.1.100 9996
[fgedu-core-sw01] interface ge 1/0/1
[fgedu-core-sw01-GE1/0/1] ip netstream inbound
[fgedu-core-sw01-GE1/0/1] ip netstream outbound
[fgedu-core-sw01-GE1/0/1] quit

# 配置端口镜像
[fgedu-core-sw01] observe-port 1 interface ge 1/0/24
[fgedu-core-sw01] interface ge 1/0/1
[fgedu-core-sw01-GE1/0/1] port-mirroring to observe-port 1 both
[fgedu-core-sw01-GE1/0/1] quit

# 配置LLDP
[fgedu-core-sw01] lldp enable
[fgedu-core-sw01] interface ge 1/0/1
[fgedu-core-sw01-GE1/0/1] lldp enable
[fgedu-core-sw01-GE1/0/1] quit

# 查看LLDP邻居
[fgedu-core-sw01] display lldp neighbor brief
Local Interface Neighbor Device Neighbor Interface Exptime
GE1/0/1 fgedu-server01 eth0 100
GE1/0/2 fgedu-server02 eth0 98
GE1/0/25 fgedu-core-sw02 GE1/0/25 105

# 配置AAA认证
[fgedu-core-sw01] aaa
[fgedu-core-sw01-aaa] local-user fgedu_admin password irreversible-cipher Fgedu@Admin123
[fgedu-core-sw01-aaa] local-user fgedu_admin service-type ssh telnet terminal
[fgedu-core-sw01-aaa] local-user fgedu_admin level 15
[fgedu-core-sw01-aaa] quit

# 配置SSH
[fgedu-core-sw01] stelnet server enable
[fgedu-core-sw01] ssh user fgedu_admin
[fgedu-core-sw01] ssh user fgedu_admin authentication-type password
[fgedu-core-sw01] ssh user fgedu_admin service-type stelnet
[fgedu-core-sw01] rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
Input the bits in the modulus[default = 2048]:2048
Generating keys…
…………..++++++++
…………..++++++++

# 配置端口安全
[fgedu-core-sw01] interface ge 1/0/5
[fgedu-core-sw01-GE1/0/5] port-security enable
[fgedu-core-sw01-GE1/0/5] port-security max-mac-num 1
[fgedu-core-sw01-GE1/0/5] port-security protect-action shutdown
[fgedu-core-sw01-GE1/0/5] quit

# 配置DHCP Snooping
[fgedu-core-sw01] dhcp enable
[fgedu-core-sw01] dhcp snooping enable
[fgedu-core-sw01] interface ge 1/0/25
[fgedu-core-sw01-GE1/0/25] dhcp snooping trusted
[fgedu-core-sw01-GE1/0/25] quit
[fgedu-core-sw01] interface ge 1/0/5
[fgedu-core-sw01-GE1/0/5] dhcp snooping check dhcp-chaddr enable
[fgedu-core-sw01-GE1/0/5] quit

# 配置ARP防护
[fgedu-core-sw01] arp anti-attack check user-bind enable
[fgedu-core-sw01] arp anti-attack gateway-duplicate enable
[fgedu-core-sw01] interface vlanif 20
[fgedu-core-sw01-Vlanif20] arp-limit maximum 1000
[fgedu-core-sw01-Vlanif20] quit

# 查看安全日志
[fgedu-core-sw01] display logbuffer | include Security
2026-04-03 10:00:00 fgedu-core-sw01 %%01SECURITY/4/PORTSEC_ACTION(l): Port GE1/0/5 was shutdown due to MAC address violation.
2026-04-03 10:05:00 fgedu-core-sw01 %%01SECURITY/4/DHCP_SNOOPING(l): DHCP snooping check failed on interface GE1/0/10.

# 保存当前配置
save
The current configuration will be written to the device.
Are you sure to continue? [Y/N]y
Now saving the current configuration to the slot 1.
Save the configuration successfully.

# 备份配置到TFTP服务器
backup configuration tftp 192.168.1.100 fgedu-core-sw01-backup-20260403.cfg
Info: Uploading the configuration file to the TFTP server. Please wait…
Info: Uploaded the configuration file to the TFTP server successfully.

# 备份配置到FTP服务器
backup configuration ftp 192.168.1.100 fgedu-core-sw01-backup-20260403.cfg username fgedu password Fgedu@FTP123
Info: Uploading the configuration file to the FTP server. Please wait…
Info: Uploaded the configuration file to the FTP server successfully.

# 恢复配置
restore configuration tftp 192.168.1.100 fgedu-core-sw01-backup-20260403.cfg
Info: Downloading the configuration file from the TFTP server. Please wait…
Info: Downloaded the configuration file from the TFTP server successfully.
The current configuration may be changed after the restoration.
Are you sure to continue? [Y/N]y
Configuration restoration succeeded.

# 查看配置文件
display startup
MainBoard:
Configured startup system software: flash:/CE12800_V200R019C10SPC800.cc
Startup system software: flash:/CE12800_V200R019C10SPC800.cc
Next startup system software: flash:/CE12800_V200R019C10SPC800.cc

Configured startup configuration file: flash:/fgedu-core-sw01.cfg
Startup configuration file: flash:/fgedu-core-sw01.cfg
Next startup configuration file: flash:/fgedu-core-sw01.cfg

# 设置下次启动配置文件
startup saved-configuration fgedu-core-sw01-new.cfg
This operation will take several minutes, please wait…
Info: Succeeded in setting the file for booting system.

# 定期自动备份脚本
# cat > /opt/scripts/network-backup.sh << 'EOF' #!/bin/bash DATE=$(date +%Y%m%d) BACKUP_DIR="/backup/network-config" DEVICES=("192.168.1.1" "192.168.1.2" "192.168.1.3") for device in "${DEVICES[@]}"; do echo "Backing up $device..." ssh fgedu_admin@$device "display current-configuration" > $BACKUP_DIR/${device}-${DATE}.cfg
done

# 保留最近30天的备份
find $BACKUP_DIR -name “*.cfg” -mtime +30 -delete
EOF

# chmod +x /opt/scripts/network-backup.sh