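1. Network Device Overview
Network device configuration management is the core of network operations work and covers the configuration and maintenance of switches, routers, firewalls and similar devices.
Enterprise network architecture:
┌─────────────────────────────────────────────────────────────────────┐
│                             Core layer                              │
│                        Core switches/routers                        │
└──────────────────────────────────┬──────────────────────────────────┘
                                   │
           ┌───────────────────────┼───────────────────────┐
           │                       │                       │
           v                       v                       v
┌─────────────────────┐ ┌─────────────────────┐ ┌─────────────────────┐
│ Distribution layer  │ │ Distribution layer  │ │ Distribution layer  │
│ Distribution switch │ │ Distribution switch │ │ Distribution switch │
└─────────────────────┘ └─────────────────────┘ └─────────────────────┘
           │                       │                       │
           v                       v                       v
┌─────────────────────┐ ┌─────────────────────┐ ┌─────────────────────┐
│    Access layer     │ │    Access layer     │ │    Access layer     │
│    Access switch    │ │    Access switch    │ │    Access switch    │
└─────────────────────┘ └─────────────────────┘ └─────────────────────┘
# Device types
Switch - Layer 2/Layer 3 switching, VLAN segmentation
Router - route forwarding, NAT, VPN
Firewall - security policy, access control
Load balancer (LB) - traffic distribution, health checks
# Log in to the network device
# SSH login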
$ ssh admin@192.168.1.1
admin@192.168.1.1's password:
FGedu-Switch>
# View device information
FGedu-Switch> show version
Cisco IOS Software, Version 15.2(4)E
Copyright (c) 1986-2026 by Cisco Systems, Inc.
Compiled Wed 01-Apr-26 10:00 by prod_rel_team
ROM: Bootstrap program is C2960X boot loader
BOOTLDR: C2960X Boot Loader (C2960X-HBOOT-M) Version 15.2(4r)E
FGedu-Switch uptime is 30 weeks, 2 days, 10 hours, 0 minutes
System returned to ROM by power-on
System image file is "flash:c2960x-universalk9-mz.152-4.E.bin"
Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 56    WS-C2960X-48FPD-L  15.2(4)E              C2960X-UNIVERSALK9-M
# View the current configuration
FGedu-Switch> show running-config
Building configuration...
Current configuration : 4567 bytes
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FGedu-Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$xxxx$xxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
2. Switch Configuration
Switch configuration covers basic settings, port configuration, VLANs and so on.
FGedu-Switch> enable
FGedu-Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
# Configure the hostname
FGedu-Switch(config)# hostname FGedu-Core-SW01
FGedu-Core-SW01(config)#
# Configure the management IP
FGedu-Core-SW01(config)# interface vlan 1
FGedu-Core-SW01(config-if)# ip address 192.168.1.1 255.255.255.0
FGedu-Core-SW01(config-if)# no shutdown
FGedu-Core-SW01(config-if)# exit
# Configure the default gateway
FGedu-Core-SW01(config)# ip default-gateway 192.168.1.254
# Configure SSH login
FGedu-Core-SW01(config)# ip domain-name fgedu.net.cn
FGedu-Core-SW01(config)# crypto key generate rsa
The name for the keys will be: FGedu-Core-SW01.fgedu.net.cn
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)
FGedu-Core-SW01(config)# ip ssh version 2
FGedu-Core-SW01(config)# line vty 0 4
FGedu-Core-SW01(config-line)# transport input ssh
FGedu-Core-SW01(config-line)# login local
FGedu-Core-SW01(config-line)# exit
# Configure a user
FGedu-Core-SW01(config)# username admin privilege 15 secret Fgedu@Switch123
# Configure the console password
FGedu-Core-SW01(config)# line console 0
FGedu-Core-SW01(config-line)# password Fgedu@Console123
FGedu-Core-SW01(config-line)# login
FGedu-Core-SW01(config-line)# exit
# Configure a port
FGedu-Core-SW01(config)# interface gigabitethernet 1/0/1
FGedu-Core-SW01(config-if)# description Connect to FGedu-Server01
FGedu-Core-SW01(config-if)# switchport mode access
FGedu-Core-SW01(config-if)# switchport access vlan 10
FGedu-Core-SW01(config-if)# spanning-tree portfast
FGedu-Core-SW01(config-if)# no shutdown
FGedu-Core-SW01(config-if)# exit
# Configure a trunk port
FGedu-Core-SW01(config)# interface gigabitethernet 1/0/24
FGedu-Core-SW01(config-if)# description Trunk to FGedu-Core-SW02
FGedu-Core-SW01(config-if)# switchport mode trunk
FGedu-Core-SW01(config-if)# switchport trunk allowed vlan 10,20,30,40
FGedu-Core-SW01(config-if)# no shutdown
FGedu-Core-SW01(config-if)# exit
# Configure port aggregation
FGedu-Core-SW01(config)# interface port-channel 1
FGedu-Core-SW01(config-if)# description Link Aggregation to Server
FGedu-Core-SW01(config-if)# switchport mode access
FGedu-Core-SW01(config-if)# switchport access vlan 10
FGedu-Core-SW01(config-if)# exit
FGedu-Core-SW01(config)# interface range gigabitethernet 1/0/23-24
FGedu-Core-SW01(config-if-range)# channel-group 1 mode active
FGedu-Core-SW01(config-if-range)# exit
# Save the configuration
FGedu-Core-SW01# write memory
Building configuration...
[OK]
3. Router Configuration
Router configuration provides network interconnection and route forwarding.
FGedu-Router# configure terminal
FGedu-Router(config)# interface gigabitethernet 0/0
FGedu-Router(config-if)# description WAN Interface
FGedu-Router(config-if)# ip address 203.0.113.2 255.255.255.252
FGedu-Router(config-if)# ip nat outside
FGedu-Router(config-if)# no shutdown
FGedu-Router(config-if)# exit
FGedu-Router(config)# interface gigabitethernet 0/1
FGedu-Router(config-if)# description LAN Interface
FGedu-Router(config-if)# ip address 192.168.1.254 255.255.255.0
FGedu-Router(config-if)# ip nat inside
FGedu-Router(config-if)# no shutdown
FGedu-Router(config-if)# exit
# Configure a static route
FGedu-Router(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1
# Configure OSPF routing
FGedu-Router(config)# router ospf 1
FGedu-Router(config-router)# router-id 1.1.1.1
FGedu-Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
FGedu-Router(config-router)# network 192.168.2.0 0.0.0.255 area 0
FGedu-Router(config-router)# exit
# Configure BGP routing
FGedu-Router(config)# router bgp 65001
FGedu-Router(config-router)# bgp router-id 1.1.1.1
FGedu-Router(config-router)# neighbor 203.0.113.1 remote-as 65002
FGedu-Router(config-router)# network 192.168.0.0 mask 255.255.0.0
FGedu-Router(config-router)# exit
# View the routing table
FGedu-Router# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
Gateway of last resort is 203.0.113.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 203.0.113.1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/1
L 192.168.1.254/32 is directly connected, GigabitEthernet0/1
203.0.113.0/24 is variably subnetted, 2 subnets, 2 masks
C 203.0.113.0/30 is directly connected, GigabitEthernet0/0
L 203.0.113.2/32 is directly connected, GigabitEthernet0/0
# View interface status
FGedu-Router# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 203.0.113.2 YES manual up up
GigabitEthernet0/1 192.168.1.254 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down down
4. VLAN Configuration
VLANs provide network segmentation and isolation.
FGedu-Core-SW01# configure terminal
FGedu-Core-SW01(config)# vlan 10
FGedu-Core-SW01(config-vlan)# name IT-Department
FGedu-Core-SW01(config-vlan)# exit
FGedu-Core-SW01(config)# vlan 20
FGedu-Core-SW01(config-vlan)# name HR-Department
FGedu-Core-SW01(config-vlan)# exit
FGedu-Core-SW01(config)# vlan 30
FGedu-Core-SW01(config-vlan)# name Finance-Department
FGedu-Core-SW01(config-vlan)# exit
FGedu-Core-SW01(config)# vlan 100
FGedu-Core-SW01(config-vlan)# name Server-Farm
FGedu-Core-SW01(config-vlan)# exit
# Configure VLAN interfaces (SVI)
FGedu-Core-SW01(config)# interface vlan 10
FGedu-Core-SW01(config-if)# ip address 192.168.10.1 255.255.255.0
FGedu-Core-SW01(config-if)# no shutdown
FGedu-Core-SW01(config-if)# exit
FGedu-Core-SW01(config)# interface vlan 20
FGedu-Core-SW01(config-if)# ip address 192.168.20.1 255.255.255.0
FGedu-Core-SW01(config-if)# no shutdown
FGedu-Core-SW01(config-if)# exit
FGedu-Core-SW01(config)# interface vlan 30
FGedu-Core-SW01(config-if)# ip address 192.168.30.1 255.255.255.0
FGedu-Core-SW01(config-if)# no shutdown
FGedu-Core-SW01(config-if)# exit
FGedu-Core-SW01(config)# interface vlan 100
FGedu-Core-SW01(config-if)# ip address 192.168.100.1 255.255.255.0
FGedu-Core-SW01(config-if)# no shutdown
FGedu-Core-SW01(config-if)# exit
# Configure VTP
FGedu-Core-SW01(config)# vtp domain FGedu
FGedu-Core-SW01(config)# vtp mode server
FGedu-Core-SW01(config)# vtp password Fgedu@VTP123
# View VLANs
FGedu-Core-SW01# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/2, Gi1/0/3, Gi1/0/4
                                                Gi1/0/5, Gi1/0/6, Gi1/0/7
10   IT-Department                    active    Gi1/0/1
20   HR-Department                    active
30   Finance-Department               active
100  Server-Farm                      active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
# Configure inter-VLAN routing
FGedu-Core-SW01(config)# ip routing
# Configure DHCP relay
FGedu-Core-SW01(config)# interface vlan 10
FGedu-Core-SW01(config-if)# ip helper-address 192.168.100.10
FGedu-Core-SW01(config-if)# exit
5. ACL Configuration
ACLs implement access control and security policy.
FGedu-Core-SW01(config)# access-list 10 permit 192.168.10.0 0.0.0.255
FGedu-Core-SW01(config)# access-list 10 permit 192.168.20.0 0.0.0.255
FGedu-Core-SW01(config)# access-list 10 deny any
# Create an extended ACL
FGedu-Core-SW01(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq 80
FGedu-Core-SW01(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq 443
FGedu-Core-SW01(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq 22
FGedu-Core-SW01(config)# access-list 100 deny ip any any log
# Create a named ACL
FGedu-Core-SW01(config)# ip access-list extended FGedu-ACL
FGedu-Core-SW01(config-ext-nacl)# permit tcp any host 192.168.100.10 eq 80
FGedu-Core-SW01(config-ext-nacl)# permit tcp any host 192.168.100.10 eq 443
FGedu-Core-SW01(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 host 192.168.100.11 eq 3306
FGedu-Core-SW01(config-ext-nacl)# deny ip any any log
FGedu-Core-SW01(config-ext-nacl)# exit
# Apply the ACL to an interface
FGedu-Core-SW01(config)# interface vlan 10
FGedu-Core-SW01(config-if)# ip access-group 100 in
FGedu-Core-SW01(config-if)# exit
# Apply the ACL to the VTY lines
FGedu-Core-SW01(config)# line vty 0 4
FGedu-Core-SW01(config-line)# access-class 10 in
FGedu-Core-SW01(config-line)# exit
# View ACLs
FGedu-Core-SW01# show access-lists
Standard IP access list 10
10 permit 192.168.10.0, wildcard bits 0.0.0.255
20 permit 192.168.20.0, wildcard bits 0.0.0.255
30 deny any
Extended IP access list 100
10 permit tcp 192.168.10.0 0.0.0.255 any eq www
20 permit tcp 192.168.10.0 0.0.0.255 any eq 443
30 permit tcp 192.168.10.0 0.0.0.255 any eq 22
40 deny ip any any log
# View where the ACL is applied
FGedu-Core-SW01# show ip interface vlan 10 | include access list
Inbound access list is 100.
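Added example (not part of the original tutorial): a small Python model of first-match evaluation with wildcard masks, run over extended ACL 100 exactly as configured in this section. The packets in SAMPLES are constructed, and the parser covers only the syntax used on this page (any, host, address plus wildcard, eq with a numeric port).

```python
import ipaddress

# Extended ACL 100 as configured above and applied inbound on interface vlan 10.
ACL_100 = """\
permit tcp 192.168.10.0 0.0.0.255 any eq 80
permit tcp 192.168.10.0 0.0.0.255 any eq 443
permit tcp 192.168.10.0 0.0.0.255 any eq 22
deny ip any any log
"""

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse the extended-ACL subset used on this page into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _take_addr(tokens), _take_addr(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        rules.append({"action": action, "proto": proto, "src": src,
                      "dst": dst, "port": port})
    return rules

def _addr_match(addr, spec):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base address."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, entry index): first match wins, implicit deny if nothing matches."""
    for index, rule in enumerate(rules, start=1):
        if rule["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(src, rule["src"]) and _addr_match(dst, rule["dst"])):
            continue
        if rule["port"] is not None and rule["port"] != dport:
            continue
        return rule["action"], index
    return "deny", None

# Constructed sample packets entering VLAN 10: (protocol, source, destination, dst port).
SAMPLES = [
    ("tcp", "192.168.10.25", "203.0.113.80", 443),     # HTTPS from the IT subnet
    ("tcp", "192.168.10.25", "192.168.100.11", 3306),  # MySQL to the server farm
    ("udp", "192.168.10.25", "192.168.100.10", 53),    # DNS query
    ("udp", "0.0.0.0", "255.255.255.255", 67),         # DHCP discover from a client
    ("tcp", "192.168.20.5", "203.0.113.80", 80),       # source outside 192.168.10.0/24
]

if __name__ == "__main__":
    rules = parse_acl(ACL_100)
    for packet in SAMPLES:
        print(packet, "->", evaluate(rules, *packet))
```

In this model UDP traffic from VLAN 10, including DNS queries and the DHCP requests that the ip helper-address from section 4 is meant to relay, falls through to the final deny entry. An inbound ACL written this way needs explicit permit entries for such traffic ahead of the deny.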
6. NAT Configuration
NAT provides address translation and Internet access.
FGedu-Router(config)# ip nat inside source static 192.168.100.10 203.0.113.10
# Configure dynamic NAT
FGedu-Router(config)# ip nat pool FGedu-Pool 203.0.113.20 203.0.113.30 netmask 255.255.255.0
FGedu-Router(config)# access-list 1 permit 192.168.0.0 0.0.255.255
FGedu-Router(config)# ip nat inside source list 1 pool FGedu-Pool
# Configure PAT (port address translation)
FGedu-Router(config)# access-list 1 permit 192.168.0.0 0.0.255.255
FGedu-Router(config)# ip nat inside source list 1 interface gigabitethernet 0/0 overload
# Configure port forwarding
FGedu-Router(config)# ip nat inside source static tcp 192.168.100.10 80 203.0.113.2 80
FGedu-Router(config)# ip nat inside source static tcp 192.168.100.10 443 203.0.113.2 443
FGedu-Router(config)# ip nat inside source static tcp 192.168.100.11 22 203.0.113.2 2222
# View NAT translations
FGedu-Router# show ip nat translations
Pro  Inside global      Inside local        Outside local      Outside global
tcp  203.0.113.2:80     192.168.100.10:80   ---                ---
tcp  203.0.113.2:443    192.168.100.10:443  ---                ---
tcp  203.0.113.2:2222   192.168.100.11:22   ---                ---
icmp 203.0.113.2:1234   192.168.1.100:1234  203.0.113.1:1234   203.0.113.1:1234
# View NAT statistics
FGedu-Router# show ip nat statistics
Total active translations: 45 (2 static, 43 dynamic; 45 extended)
Outside interfaces:
GigabitEthernet0/0
Inside interfaces:
GigabitEthernet0/1
Hits: 12345 Misses: 123
Expired translations: 456
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface GigabitEthernet0/0 refcount 43
7. VPN Configuration
VPN provides secure remote access and site-to-site connectivity.
FGedu-Router(config)# crypto ikev2 proposal FGedu-PROPOSAL
FGedu-Router(config-ikev2-proposal)# encryption aes-cbc-256
FGedu-Router(config-ikev2-proposal)# integrity sha256
FGedu-Router(config-ikev2-proposal)# group 14
FGedu-Router(config-ikev2-proposal)# exit
FGedu-Router(config)# crypto ikev2 policy FGedu-POLICY
FGedu-Router(config-ikev2-policy)# proposal FGedu-PROPOSAL
FGedu-Router(config-ikev2-policy)# exit
FGedu-Router(config)# crypto ikev2 keyring FGedu-KEYRING
FGedu-Router(config-ikev2-keyring)# peer BRANCH
FGedu-Router(config-ikev2-keyring-peer)# address 198.51.100.1
FGedu-Router(config-ikev2-keyring-peer)# pre-shared-key Fgedu@VPN123
FGedu-Router(config-ikev2-keyring-peer)# exit
FGedu-Router(config)# crypto ikev2 profile FGedu-PROFILE
FGedu-Router(config-ikev2-profile)# match identity remote address 198.51.100.1 255.255.255.255
FGedu-Router(config-ikev2-profile)# authentication remote pre-share
FGedu-Router(config-ikev2-profile)# authentication local pre-share
FGedu-Router(config-ikev2-profile)# keyring local FGedu-KEYRING
FGedu-Router(config-ikev2-profile)# exit
FGedu-Router(config)# crypto ipsec transform-set FGedu-TS esp-aes 256 esp-sha256-hmac
FGedu-Router(cfg-crypto-trans)# mode tunnel
FGedu-Router(cfg-crypto-trans)# exit
FGedu-Router(config)# crypto ipsec profile FGedu-IPSEC
FGedu-Router(ipsec-profile)# set transform-set FGedu-TS
FGedu-Router(ipsec-profile)# set ikev2-profile FGedu-PROFILE
FGedu-Router(ipsec-profile)# exit
# Configure the GRE tunnel
FGedu-Router(config)# interface tunnel 0
FGedu-Router(config-if)# ip address 10.0.0.1 255.255.255.252
FGedu-Router(config-if)# tunnel source gigabitethernet 0/0
FGedu-Router(config-if)# tunnel destination 198.51.100.1
FGedu-Router(config-if)# tunnel protection ipsec profile FGedu-IPSEC
FGedu-Router(config-if)# exit
# View VPN status
FGedu-Router# show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 203.0.113.2/500 198.51.100.1/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/3600 sec
FGedu-Router# show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 203.0.113.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 198.51.100.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 12345, #pkts encrypt: 12345, #pkts digest: 12345
#pkts decaps: 12345, #pkts decrypt: 12345, #pkts verify: 12345
8. QoS Configuration
QoS provides traffic prioritization and service-quality guarantees.
FGedu-Core-SW01(config)# class-map match-any VOICE-TRAFFIC
FGedu-Core-SW01(config-cmap)# match ip dscp ef
FGedu-Core-SW01(config-cmap)# exit
FGedu-Core-SW01(config)# class-map match-any VIDEO-TRAFFIC
FGedu-Core-SW01(config-cmap)# match ip dscp af41
FGedu-Core-SW01(config-cmap)# exit
FGedu-Core-SW01(config)# class-map match-any BUSINESS-TRAFFIC
FGedu-Core-SW01(config-cmap)# match ip dscp af21
FGedu-Core-SW01(config-cmap)# exit
# Configure the policy map
FGedu-Core-SW01(config)# policy-map FGedu-QOS-POLICY
FGedu-Core-SW01(config-pmap)# class VOICE-TRAFFIC
FGedu-Core-SW01(config-pmap-c)# priority percent 20
FGedu-Core-SW01(config-pmap-c)# exit
FGedu-Core-SW01(config-pmap)# class VIDEO-TRAFFIC
FGedu-Core-SW01(config-pmap-c)# bandwidth percent 30
FGedu-Core-SW01(config-pmap-c)# exit
FGedu-Core-SW01(config-pmap)# class BUSINESS-TRAFFIC
FGedu-Core-SW01(config-pmap-c)# bandwidth percent 30
FGedu-Core-SW01(config-pmap-c)# exit
FGedu-Core-SW01(config-pmap)# class class-default
FGedu-Core-SW01(config-pmap-c)# fair-queue
FGedu-Core-SW01(config-pmap-c)# exit
FGedu-Core-SW01(config-pmap)# exit
# Apply the QoS policy
FGedu-Core-SW01(config)# interface gigabitethernet 1/0/1
FGedu-Core-SW01(config-if)# service-policy output FGedu-QOS-POLICY
FGedu-Core-SW01(config-if)# exit
# Configure traffic rate limiting
FGedu-Core-SW01(config)# policy-map RATE-LIMIT
FGedu-Core-SW01(config-pmap)# class class-default
FGedu-Core-SW01(config-pmap-c)# police 10000000 1000000 conform-action transmit exceed-action drop
FGedu-Core-SW01(config-pmap-c)# exit
FGedu-Core-SW01(config-pmap)# exit
# View the QoS policy
FGedu-Core-SW01# show policy-map interface gigabitethernet 1/0/1
GigabitEthernet1/0/1
Service-policy output: FGedu-QOS-POLICY
Class-map: VOICE-TRAFFIC (match-any)
12345 packets, 1234567 bytes
5 minute offered rate 1000 bps, drop rate 0 bps
Match: ip dscp ef (46)
12345 packets, 1234567 bytes
5 minute rate 1000 bps
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 20 (%)
Bandwidth 200000 (kbps) Burst 5000000 (Bytes)
(pkts matched/bytes matched) 12345/1234567
(total drops/no-buffer drops) 0/0
Class-map: VIDEO-TRAFFIC (match-any)
54321 packets, 54321098 bytes
5 minute offered rate 5000 bps, drop rate 0 bps
9. Configuration Backup
Configuration backups keep device configurations safe.
FGedu-Core-SW01# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
# Back up the configuration to a TFTP server
FGedu-Core-SW01# copy running-config tftp:
Address or name of remote host []? 192.168.1.100
Destination filename [fgedu-core-sw01-config]? FGedu-Core-SW01-config-20260403.txt
!!
1234 bytes copied in 1.234 secs (1000 bytes/sec)
# Back up the configuration to an SCP server
FGedu-Core-SW01# copy running-config scp:
Address or name of remote host []? 192.168.1.100
Destination username [admin]? backup
Destination filename [FGedu-Core-SW01-config]? FGedu-Core-SW01-config-20260403.txt
Password: ********
!
1234 bytes copied in 2.345 secs (526 bytes/sec)
# Configure automatic backups
FGedu-Core-SW01(config)# archive
FGedu-Core-SW01(config-archive)# path scp://backup:Fgedu@Backup123@192.168.1.100/backup/FGedu-Core-SW01
FGedu-Core-SW01(config-archive)# write-memory
FGedu-Core-SW01(config-archive)# time-period 1440
FGedu-Core-SW01(config-archive)# exit
# View the backup history
FGedu-Core-SW01# show archive
The maximum archive configurations supported is 10.
There are currently 5 archive configurations saved.
Archive # Name
1 scp://backup@192.168.1.100/backup/FGedu-Core-SW01-1
2 scp://backup@192.168.1.100/backup/FGedu-Core-SW01-2
3 scp://backup@192.168.1.100/backup/FGedu-Core-SW01-3
4 scp://backup@192.168.1.100/backup/FGedu-Core-SW01-4
5 scp://backup@192.168.1.100/backup/FGedu-Core-SW01-5 <- Most Recent
# Restore a configuration
FGedu-Core-SW01# configure replace scp://backup@192.168.1.100/backup/FGedu-Core-SW01-5
# Roll back the configuration
FGedu-Core-SW01# configure revert now
# Automated backup with Python
# cat > /opt/scripts/network_backup.py << 'EOF'
#!/usr/bin/env python3
import datetime
import os

import paramiko

# Credentials are inline as in this tutorial; keep this file readable by its owner only.
devices = [
    {'host': '192.168.1.1', 'username': 'admin', 'password': 'Fgedu@Switch123', 'name': 'FGedu-Core-SW01'},
    {'host': '192.168.1.2', 'username': 'admin', 'password': 'Fgedu@Switch123', 'name': 'FGedu-Core-SW02'},
    {'host': '192.168.1.254', 'username': 'admin', 'password': 'Fgedu@Router123', 'name': 'FGedu-Router'},
]
backup_dir = '/backup/network_configs'
# Backups contain password hashes and community strings, so restrict the directory.
os.makedirs(backup_dir, mode=0o700, exist_ok=True)
date = datetime.datetime.now().strftime('%Y%m%d')
for device in devices:
    ssh = paramiko.SSHClient()
    # Verify each device's host key against known_hosts instead of trusting unknown keys;
    # the device keys must be added to known_hosts before the first run.
    ssh.load_system_host_keys()
    ssh.set_missing_host_key_policy(paramiko.RejectPolicy())
    try:
        ssh.connect(device['host'], username=device['username'], password=device['password'],
                    look_for_keys=False, allow_agent=False, timeout=10)
        stdin, stdout, stderr = ssh.exec_command('show running-config')
        config = stdout.read().decode()
        filename = f"{backup_dir}/{device['name']}-{date}.txt"
        with open(filename, 'w') as f:
            f.write(config)
        print(f"备份完成: {device['name']}")
    except Exception as e:
        print(f"备份失败: {device['name']} - {str(e)}")
    finally:
        # Close the session whether the backup succeeded or failed.
        ssh.close()
EOF
# chmod +x /opt/scripts/network_backup.py
10. Network Monitoring
Network monitoring gives real-time visibility into device status.
FGedu-Core-SW01(config)# snmp-server community Fgedu@SNMP123 RO
FGedu-Core-SW01(config)# snmp-server community Fgedu@SNMPAdmin RW
FGedu-Core-SW01(config)# snmp-server location FGedu-IDC-Room-A
FGedu-Core-SW01(config)# snmp-server contact network@fgedu.net.cn
FGedu-Core-SW01(config)# snmp-server enable traps
FGedu-Core-SW01(config)# snmp-server host 192.168.1.100 Fgedu@SNMP123
# Configure Syslog
FGedu-Core-SW01(config)# logging on
FGedu-Core-SW01(config)# logging host 192.168.1.100
FGedu-Core-SW01(config)# logging trap informational
FGedu-Core-SW01(config)# logging source-interface vlan 1
FGedu-Core-SW01(config)# logging facility local7
# Configure NetFlow
FGedu-Core-SW01(config)# flow record FGedu-FLOW
FGedu-Core-SW01(config-flow-record)# match ipv4 source address
FGedu-Core-SW01(config-flow-record)# match ipv4 destination address
FGedu-Core-SW01(config-flow-record)# match transport source-port
FGedu-Core-SW01(config-flow-record)# match transport destination-port
FGedu-Core-SW01(config-flow-record)# collect bytes
FGedu-Core-SW01(config-flow-record)# collect packets
FGedu-Core-SW01(config-flow-record)# exit
FGedu-Core-SW01(config)# flow exporter FGedu-EXPORTER
FGedu-Core-SW01(config-flow-exporter)# destination 192.168.1.100
FGedu-Core-SW01(config-flow-exporter)# source vlan 1
FGedu-Core-SW01(config-flow-exporter)# transport udp 2055
FGedu-Core-SW01(config-flow-exporter)# exit
FGedu-Core-SW01(config)# flow monitor FGedu-MONITOR
FGedu-Core-SW01(config-flow-monitor)# record FGedu-FLOW
FGedu-Core-SW01(config-flow-monitor)# exporter FGedu-EXPORTER
FGedu-Core-SW01(config-flow-monitor)# exit
# Apply NetFlow to an interface
FGedu-Core-SW01(config)# interface gigabitethernet 1/0/1
FGedu-Core-SW01(config-if)# ip flow monitor FGedu-MONITOR input
FGedu-Core-SW01(config-if)# ip flow monitor FGedu-MONITOR output
FGedu-Core-SW01(config-if)# exit
# View interface statistics
FGedu-Core-SW01# show interface counters
Port InOctets InUcastPkts InMcastPkts InBcastPkts
Gi1/0/1 1234567890 123456 1234 123
Gi1/0/2 987654321 98765 987 98
Port OutOctets OutUcastPkts OutMcastPkts OutBcastPkts
Gi1/0/1 2345678901 234567 2345 234
Gi1/0/2 1876543210 187654 1876 187
# View CPU utilization
FGedu-Core-SW01# show processes cpu sorted
CPU utilization for five seconds: 5%/1%; one minute: 4%; five minutes: 3%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
1 0 1 0 0.00% 0.00% 0.00% 0 Chunk Manager
2 0 1 0 0.00% 0.00% 0.00% 0 Load Meter
3 1234 123456 10 0.00% 0.00% 0.00% 0 Spanning Tree
4 5678 234567 24 1.00% 1.00% 1.00% 0 IP Input
# View memory usage
FGedu-Core-SW01# show memory statistics
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 12345678 1234567 11111111 10000000 10000000
I/O 1234567 123456 1111111 1000000 1000000
# Network health check script
# cat > /opt/scripts/network_health_check.sh << 'EOF'
#!/bin/bash
echo "网络设备健康检查"
echo "=========================================="
DEVICES="192.168.1.1 192.168.1.2 192.168.1.254"
for device in $DEVICES; do
    echo ""
    echo "设备: $device"
    echo "----------------------------------------"
    # Check reachability
    ping -c 1 "$device" > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        echo "状态: 在线"
    else
        echo "状态: 离线"
        continue
    fi
    # Query the device over SNMP
    # sysName
    NAME=$(snmpget -v2c -c Fgedu@SNMP123 "$device" 1.3.6.1.2.1.1.5.0 2>/dev/null | awk -F\" '{print $2}')
    echo "名称: $NAME"
    # sysUpTime
    UPTIME=$(snmpget -v2c -c Fgedu@SNMP123 "$device" 1.3.6.1.2.1.1.3.0 2>/dev/null | awk '{print $NF}')
    echo "运行时间: $UPTIME"
    # CPU utilization
    CPU=$(snmpget -v2c -c Fgedu@SNMP123 "$device" 1.3.6.1.4.1.9.2.1.56.0 2>/dev/null | awk '{print $NF}')
    echo "CPU使用率: ${CPU}%"
done
echo ""
echo "=========================================="
EOF
# chmod +x /opt/scripts/network_health_check.sh
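Added example (not part of the original tutorial): a Python check that reads a backed-up configuration, such as the files written by the backup script in section 9, and reports settings from sections 2, 9 and 10 that weaken the device. SAMPLE_CONFIG is constructed from the commands on this page; the "line vty 5 15" block and the type 7 placeholder value are assumptions.

```python
import re

# Constructed sample: settings from this page as they would appear in a backed-up
# running-config. "line vty 5 15" is an assumption: VTY lines the page never configures.
SAMPLE_CONFIG = """\
enable secret 5 $1$xxxx$xxxxxxxxxxxxxxxxxxxx
username admin privilege 15 secret 5 $1$xxxx$xxxxxxxxxxxxxxxxxxxx
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
snmp-server community Fgedu@SNMP123 RO
snmp-server community Fgedu@SNMPAdmin RW
archive
 path scp://backup:Fgedu@Backup123@192.168.1.100/backup/FGedu-Core-SW01
 write-memory
line con 0
 password 7 0000000000
 login
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
line vty 5 15
 login
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def parse_blocks(text):
    """Group an IOS config into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit(text):
    """Return (severity, message) findings; messages never echo secrets from the config."""
    found = []
    for head, body in parse_blocks(text):
        if re.match(r"snmp-server community \S+ RW\b", head):
            found.append(("high", "SNMP v1/v2c read-write community allows remote config changes"))
        elif head.startswith("snmp-server community "):
            found.append(("medium", "SNMP v1/v2c community string crosses the network in cleartext"))
        elif re.search(r"\bsecret 5 ", head):
            found.append(("medium", f"{' '.join(head.split()[:2])}: type 5 (MD5-based) secret hash"))
        elif head.lower() == "interface vlan1" and any(l.startswith("ip address") for l in body):
            found.append(("low", "management address sits on VLAN 1, the default VLAN"))
        elif head == "archive" and any(re.match(r"path \w+://[^/:\s]+:\S+@", l) for l in body):
            found.append(("high", "archive path embeds the SCP password in the configuration"))
        elif head.startswith("line con") and any(l.startswith("password ") for l in body):
            found.append(("medium", f"{head}: shared line password instead of per-user login local"))
        elif head.startswith("line vty"):
            if "transport input ssh" not in body:
                found.append(("high", f"{head}: sessions not restricted to SSH"))
            if not any(l.startswith("access-class ") for l in body):
                found.append(("medium", f"{head}: no access-class limiting source addresses"))
    return sorted(found, key=lambda f: SEVERITY_ORDER[f[0]])

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

The transport input ssh and access-class 10 in settings from sections 2 and 5 apply only to line vty 0 4, so any further VTY lines a device has are reported separately.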
This article was compiled and published by 风哥教程 and is for study and testing use only. Cite the source when reposting: http://www.fgedu.net.cn/10327.html
