⭐Introduction to the author: I am a sophomore majoring in network engineering, continue to learn Java, and strive to output high-quality articles
⭐Author's homepage: @追梦幽穹
Table of contents
1 Introduction
局域网(Local Area Network,简称LAN)是一种连接在有限地理范围内的设备和计算机网络,通常用于家庭、办公室或小型组织中。It allows multiple computers, servers, printers and other network devices to connect to share resources and information. It is very important for the effective management and maintenance of these networks, and understanding some commonly used LAN building commands will become a powerful tool for you to manage small LANs.
Why is a Small LAN so useful for a home or small office network?
- A small local area network can easily and quickly share files and resources, such as shared folders, printers, etc. This means you can share files between different computers in your home, or easily print files in the office, increasing your productivity.
- Small LANs provide better network security. You can set access control and security policies to ensure only authorized devices can access network resources. Additionally, by using firewalls and security settings, you can better protect your network from potential cyber attacks and threats.
However, to effectively manage and maintain a small LAN, you need to master some commonly used commands. These commands can help you configure network settings, diagnose network problems, view connection status, and perform other important tasks. The purpose of this article is to introduce you to some commonly used small LAN building commands to help you better understand and manage your LAN.
在接下来的部分中,我们将逐一介绍这些常用命令,并提供使用示例和实际应用案例,帮助你更好地理解它们的功能和用法。Whether you're a home network user or a small office administrator, mastering these commands will make it easier for you to manage and maintain your small LAN.
2. Common commands (ENSP)
conventional
| introduce | Order |
|---|---|
| Telnet | telnet IP |
| create key pair | rsa local-key-pair create |
| open ssh | stelnet server enable |
| create interface group 1 | port-group 1 |
| Add equally configured interfaces to an interface group | group-member e0/0/1 to e0/0/7 |
| Configure the interfaces in the interface group to access mode | port link-type access |
| Set the interface PVID in the interface group to VLAN 10 | port default vlan 10 |
| Set the PVID of the interface to 50, and the untagged traffic received by this port will be tagged with VLAN 50 | port hybrid pvid vlan 50 |
| Set the interface to allow VLAN 50 traffic communication, and remove the tag when sending | port hybrid untagged vlan 50 |
| Set the interface to allow VLAN 10,20,30,40 traffic communication. When the traffic of the above VLAN is sent through this interface, it is tagged |
port hybrid tagged vlan 10 20 30 40 |
| See each port mode, PVID | display port vlan |
| View individual VLANs | display vlan |
给端口分配vlan |
port default vlan 15` |
VTY
| introduce | Order |
|---|---|
| Enter VTY user view (line 0-4) | user-interface vty 0 4 |
| Configure the access type as Telnet (default is Telnet) | protocol inbound telnet |
| Configure the authentication method as password (the default is password authentication) | authentication-mode password |
| The configured password is Huawei1, and the plain text of the password is displayed in the configuration file. If you need ciphertext, replace the simple keyword in the command with cipher |
set authentication password simple Huawe1 |
| Configure the authority of VTY users as level 15 (level 0 by default) | user privilege level 15 |
配置超时时间 |
idle-timeout minutes seconds |
配置超时时间为30分40秒idle-timeout 30 40: (the default is 10 minutes, the first parameter of this command is minutes, the second parameter is seconds, if there is only one parameter, the system considers it to be setting minutes, if both parameters are entered as 0, then for never timeout)
Console
| introduce | Order |
|---|---|
| Enter Console | User Interface View user-interface console 0 |
| Set the Console user interface to require password authentication | authentication-mode password |
| The configuration password is Huawei123, and the plain text of the password is displayed in the configuration file. If you need ciphertext, replace the simple keyword in the command with cipher |
set authentication password simple Huawei123 |
port security
| introduce | Order |
|---|---|
| Enable port security | port-security enable |
| Set the maximum number of secure MAC addresses to 3 | port-security max-mac-num 3 |
| Enable sticky MAC function | port-security mac-address sticky |
| Statically bind the MAC address to the port | port-security mac-address sticky mac address port number |
one-arm routing
| introduce | Order |
|---|---|
| Create a virtual subinterface | interface GigabitEthernet 0/0/0.10 |
| Encapsulate for VLAN 10, and assume the gateway of VLAN 10 at the same time | dot1q termination vid 10 |
| Open arp broadcast | arp broadcast enable |
DHCP
| introduce | Order |
|---|---|
| Enable DHCP | dhcp enable |
| Create a DHCP address pool | ip pool vlan20 |
| gateway address | gateway-list IP |
| specified network | network network mask subnet mask |
| Configure reserved addresses | excluded-ip-address 10.0.1.117 10.0.1.126 |
| Configure the lease period | lease day 7 hour 0 minute 0 |
| configure dns server | dns-list IP |
| Configure relay mode | dhcp select relay |
NAT
When the entire intranet is on the public network, the IP address is converted from the 11th available IP address to the 20th available IP address of 51.51.51.0/24.
| introduce | Order |
|---|---|
| Convert source IP1 to IP2 | nat static global IP2 inside IP1 |
| capture traffic | acl 2000 rule permit source network segment wildcard mask |
| Define address pool | nat address-group 1 51.51.51.10 51.51.51.15 |
| Convert the ip captured in acl 2000 to the ip of the address pool | nat outbound 2000 address-group 1 |
ACL
基础ACL
| introduce | Order |
|---|---|
| Configure a firewall policy rule | rule deny source 10.20.20.0 0.0.0.255 |
| 配置一个流量过滤器 | traffic-filter outbound acl 2002 |
高级ACL
| 介绍 | 命令 |
|---|---|
| 允许 IP1 ping IP2 | acl 3000 rule permit icmp source IP1 通配符掩码 destination IP2 通配符掩码 |
| 拒绝 IP1 与 IP2 之间所有通信 | rule deny ip source IP1 通配符掩码 destination IP2 通配符掩码 |
| 允许 10.10.10.0/24访问172.16.33.11服务器http流量 | rule permit tcp source 10.10.10.0 0.0.0.255 destination 172.16.33.11 0 destination-port eq 80 |
| 拒绝 10.10.10.0/24访问172.16.33.11文件服务器(ftp流量) | rule deny tcp source 10.10.10.0 0.0.0.255 destination 172.16.33.11 0 destination-port range 20 21 |
| 防止外网对公司的UDP 445攻击 | rule deny udp source any destination any destination-port eq 445 |
GVRP
| 介绍 | 命令 |
|---|---|
| 全局配置模式开启gvrp | gvrp |
| 接口配置gvrp | int eth0/0/0 gvrp |
| 查看vlan信息 | display vlan |
STP
| 介绍 | 命令 |
|---|---|
| 修改STP模式为STP | stp mode stp |
| 修改STP模式为STP(STP优先级必须为4096的倍数,默认为32768。) | stp priority 4096 |
| 将接入层交换机LSW3和LSW4上所有未用端口配置为access模式,并设置为边缘接口。 | stp edged-port enable |