Commonly used configuration for a complete Huawei network architecture
Core switch: prevent root bridge hijacking
stp root primary //sets the bridge priority to 0; a rogue switch with priority 0 and a lower bridge MAC still wins, so pair this with root protection on the downlink (designated) ports
Aggregation switch: common configuration
mac-address flapping detection
interface range GigabitEthernet 0/0/1 to GigabitEthernet 0/0/20 //configure on every downlink port facing an access switch
mac-address flapping action error-down //a port that goes error-down for MAC flapping stays down until it is recovered manually unless an auto-recovery cause is configured for it
Access switch: common global configuration (enable automatic recovery of error-down interfaces to Up)
error-down auto-recovery cause port-security interval 30
error-down auto-recovery cause bpdu-protection interval 30
Access switch: common global configuration
stp bpdu-protection //an edge port that receives a BPDU is shut down (error-down)
dhcp enable
dhcp snooping enable
Access switch: common per-port configuration
interface range GigabitEthernet 0/0/1 to GigabitEthernet 0/0/20
dhcp snooping enable //untrusted port: blocks rogue DHCP servers such as a privately connected home router
port-security enable //mitigates DHCP starvation (flooding the pool from forged MACs)
port-security max-mac-num 2 //allow 2 learned MAC addresses; the default is 1
arp anti-attack check user-bind enable //DAI: drop ARP packets that do not match the binding table
ip source check user-bind enable //IPSG: blocks IP spoofing and users changing their IP by hand
stp edged-port enable //edge port
port-security protect-action error-down //shut the port on a violation
Note: the ARP and IP source checks are validated against the DHCP snooping binding table, so a host with a static IP on one of these ports needs a static user-bind entry or its traffic is dropped.
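To verify that every edge port actually carries the hardening above, the following is an added example (not Huawei tooling and not part of the original notes) that parses the text of `display current-configuration` and reports what each edge port is missing. It assumes the usual VRP layout (system-view commands at column 0, interface-view commands indented one space, views separated by `#`), assumes edge ports are GigabitEthernet0/0/1 to 0/0/20 as in the notes, and runs against a constructed sample config in which one port is fully hardened and one is not.

```python
"""Compliance check for the access-switch hardening above.

Added example (not Huawei tooling): parses `display current-configuration` text and
reports, per edge port, which required protections are missing or misconfigured.
"""
import re

# Global commands the notes require on every access switch.
REQUIRED_GLOBAL = [
    "stp bpdu-protection",
    "dhcp enable",
    "dhcp snooping enable",
    "error-down auto-recovery cause port-security interval",
    "error-down auto-recovery cause bpdu-protection interval",
]

# Per-port commands, matched by prefix so parameters (counts, actions) may vary.
REQUIRED_PORT = [
    "dhcp snooping enable",
    "port-security enable",
    "port-security max-mac-num",
    "arp anti-attack check user-bind enable",
    "ip source check user-bind enable",
    "stp edged-port enable",
    "port-security protect-action",
]

MAX_MACS = 2  # the notes allow two learned MACs per edge port

# Assumption: edge ports are GigabitEthernet0/0/1-20, as in the notes.
EDGE_PORT = re.compile(r"GigabitEthernet0/0/([1-9]|1\d|20)$")


def parse_vrp(text):
    """Split VRP config text into global commands and per-interface command lists."""
    global_cmds, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            current = None            # '#' closes the open view
            continue
        cmd = line.strip()
        if line[0] != " ":            # column 0: system view
            m = re.match(r"interface\s+(\S+)", cmd)
            if m:
                current = m.group(1)
                ifaces.setdefault(current, [])
            else:
                current = None
                global_cmds.append(cmd)
        elif current is not None:     # indented: belongs to the open interface
            ifaces[current].append(cmd)
    return global_cmds, ifaces


def audit(text):
    """Return {scope: [problems]}; an empty dict means the config is compliant."""
    global_cmds, ifaces = parse_vrp(text)
    findings = {}
    missing = [c for c in REQUIRED_GLOBAL if not any(g.startswith(c) for g in global_cmds)]
    if missing:
        findings["global"] = missing
    for name, cmds in ifaces.items():
        if not EDGE_PORT.match(name):
            continue
        problems = [c for c in REQUIRED_PORT if not any(x.startswith(c) for x in cmds)]
        for x in cmds:                # a generous MAC limit defeats the starvation defence
            m = re.match(r"port-security max-mac-num (\d+)", x)
            if m and int(m.group(1)) > MAX_MACS:
                problems.append(f"port-security max-mac-num {m.group(1)} exceeds {MAX_MACS}")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample: G0/0/1 is hardened as in the notes, G0/0/2 is not, G0/0/24 is an uplink.
SAMPLE_CONFIG = """\
#
sysname ACC-SW1
#
dhcp enable
#
dhcp snooping enable
#
stp bpdu-protection
#
error-down auto-recovery cause bpdu-protection interval 30
error-down auto-recovery cause port-security interval 30
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 31
 stp edged-port enable
 dhcp snooping enable
 port-security enable
 port-security max-mac-num 2
 port-security protect-action error-down
 arp anti-attack check user-bind enable
 ip source check user-bind enable
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 31
 stp edged-port enable
 port-security enable
 port-security max-mac-num 50
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 31 to 35
#
return
"""

if __name__ == "__main__":
    for scope, items in audit(SAMPLE_CONFIG).items():
        print(scope, "->", "; ".join(items))
```

Feed it the saved output of `display current-configuration`; only the edge ports are judged, so trunks and uplinks are left alone, and a port with `port-security max-mac-num` set far above the expected two is flagged even though the command is present.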
802.1x admission (the aggregation switch is the authentication enforcement and control point)
Configuration on the aggregation switch:
vlan pool finance
vlan 31 to 35
assignment hash
vlan pool hr
vlan 41 to 45
assignment hash
radius-server template Employee
radius-server authentication 10.1.60.2 1812
radius-server accounting 10.1.60.2 1813
radius-server shared-key cipher Huawei@123
radius-server authentication 10.1.60.2 shared-key cipher Huawei@123
aaa
authentication-scheme Employee
authentication-mode radius
aaa
accounting-scheme Employee
accounting-mode radius
aaa
domain Employee
authentication-scheme Employee
accounting-scheme Employee
radius-server Employee
dot1x-access-profile name Employee //802.1x authentication; EAP relay is the default mode
mac-access-profile name Employee //MAC authentication
authentication-profile name Employee
dot1x-access-profile Employee
mac-access-profile Employee
access-domain employee force
authentication dot1x-mac-bypass
interface Eth-Trunk 2 //downlink to an access switch; the profile is applied here
mode lacp
trunkport GigabitEthernet 0/0/21 1/0/21
port link-type hybrid
y //confirm the link-type change
port hybrid tagged vlan 31 to 35 41 to 45 100
authentication-profile Employee
interface Eth-Trunk 3 //downlink to an access switch; the profile is applied here
mode lacp
trunkport GigabitEthernet 0/0/22 1/0/22
port link-type hybrid
y //confirm the link-type change
port hybrid tagged vlan 31 to 35 41 to 45 100
authentication-profile Employee
interface Eth-Trunk 1 //uplink, Layer 3 interconnect to the core
mode lacp
trunkport GigabitEthernet 0/0/23 0/0/24 1/0/23 1/0/24
port link-type trunk
port trunk allow-pass vlan 100 209
Configuration on the access switch (EAPOL frames are tunneled through it so that the aggregation switch sees them):
vlan 100
interface GigabitEthernet 0/0/22
port link-type access
port default vlan 100
l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002 //system view: rewrite the EAPOL destination MAC so the access switch forwards the frames instead of consuming them
interface range GigabitEthernet 0/0/1 to GigabitEthernet 0/0/20
l2protocol-tunnel user-defined-protocol dot1x enable
interface Eth-Trunk 1
port link-type trunk
port trunk allow-pass vlan 100
l2protocol-tunnel user-defined-protocol dot1x enable
Note: because enforcement happens one hop upstream, the access switch forwards frames from an unauthenticated host as usual; two hosts on the same access switch and VLAN can reach each other before either has authenticated, so the per-port hardening above still matters.
MAC authentication
radius-server template Employee
radius-server authentication 10.1.60.2 1812
radius-server accounting 10.1.60.2 1813
radius-server shared-key cipher Huawei@123
radius-server authentication 10.1.60.2 shared-key cipher Huawei@123
aaa
authentication-scheme Employee
authentication-mode radius
aaa
accounting-scheme Employee
accounting-mode radius
aaa
domain Employee
authentication-scheme Employee
accounting-scheme Employee
radius-server Employee
Create the MAC authentication profile:
mac-access-profile name hcie
authentication-profile name hcie
mac-access-profile hcie
access-domain Employee force
interface GigabitEthernet 0/0/1
authentication-profile hcie
APs come online on the management VLAN without authentication (other authentication exemptions work the same way)
aaa //exempt the AP management addresses from authentication
authentication-scheme ap_noauthen
authentication-mode none
aaa //exempt the AP management addresses from authentication
domain ap_noauthen
authentication-scheme ap_noauthen
domain ap_noauthen mac-authen force mac-address 580d-6144-d771 mask ffff-ffff-ffff //first AP management MAC, forced into the no-authentication domain
domain ap_noauthen mac-authen force mac-address 580d-6144-d666 mask ffff-ffff-ffff //second AP management MAC, forced into the no-authentication domain
802.1x admission (802.1x authentication only)
radius-server template Employee
radius-server shared-key cipher Huawei@123
radius-server authentication 192.168.23.82 1812 source ip-address 192.168.23.5
radius-server accounting 192.168.23.82 1813 source ip-address 192.168.23.5
radius-attribute nas-ip 192.168.23.5
radius-server authorization 192.168.23.82 shared-key cipher Huawei@123
radius-server source ip-address 192.168.23.5
radius-server authorization server-source all-interface
free-rule-template name hcie
free-rule 1 destination 172.33.33.5 mask 32 //reachable before authentication
aaa
authentication-scheme Employee
authentication-mode radius
accounting-scheme Employee
accounting-mode radius
domain employee
authentication-scheme Employee
accounting-scheme Employee
radius-server Employee
dot1x-access-profile name Employee
authentication-profile name Employee
dot1x-access-profile Employee
access-domain employee force
free-rule-template hcie
interface GigabitEthernet 0/0/3
authentication-profile Employee
test-aaa hr Huawei@123 radius-template Employee //checks whether RADIUS authentication succeeds for user hr
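What `test-aaa` puts on the wire is a PAP Access-Request, and the only thing protecting the password in it is the shared key. The following added example (not Huawei code and not from the original notes) builds that exchange end to end per RFC 2865: the NAS hides the password with MD5(secret + Request Authenticator), a minimal server unhides and checks it, and the NAS verifies the Response Authenticator of the Access-Accept or Access-Reject. User `hr`, password and shared key `Huawei@123` and NAS IP 192.168.23.5 are the notes' values; the packet identifier (7), the fixed Request Authenticator and the server's user database are assumptions made so the run is reproducible (a real NAS draws a fresh random authenticator per request).

```python
"""RADIUS PAP exchange (RFC 2865) as generated by test-aaa. Added example, not Huawei code."""
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SECRET = b"Huawei@123"          # radius-server shared-key from the notes
REQ_AUTH = bytes(range(16))     # assumption: fixed Request Authenticator for reproducibility


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: anyone holding the secret and a capture recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, req_auth, attrs_bytes, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()


def build_access_request(user, password, secret, nas_ip, ident, req_auth):
    """The NAS side of `test-aaa user password radius-template ...` (PAP)."""
    attrs = [
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_handle(packet, secret, users):
    """Minimal RADIUS server: unhide the password and answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs[USER_NAME].decode(errors="replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    reply = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, req_auth, b"", secret), [])


def client_verify(reply, req_auth, secret):
    """NAS side: trust the reply only if its authenticator matches our secret and Request Authenticator."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, req_auth, reply[20:length], secret)
    return code if reply[4:20] == expected else None


def run_exchange(user="hr", password="Huawei@123", nas_secret=SECRET, server_secret=SECRET):
    """Returns ACCESS_ACCEPT, ACCESS_REJECT, or None when the reply fails verification."""
    request = build_access_request(user, password, nas_secret, "192.168.23.5", 7, REQ_AUTH)
    reply = server_handle(request, server_secret, {"hr": b"Huawei@123"})  # constructed user database
    return client_verify(reply, REQ_AUTH, nas_secret)


if __name__ == "__main__":
    print("correct password:", run_exchange())
    print("wrong password:", run_exchange(password="wrong"))
    print("secret mismatch:", run_exchange(server_secret=b"Other@456"))
```

Two things follow from this for the configs above. First, a mismatched `radius-server shared-key` does not produce a clean error: the server unhides garbage and rejects, and the NAS then discards the reply because the Response Authenticator does not verify, which is why `test-aaa` is the right first check after changing the key. Second, `cipher Huawei@123` only protects the key in the saved config; anyone who learns the key and captures the UDP/1812 traffic can run `reveal_password`, so the key should be long, unique per NAS, and the management path between switch and server should be a trusted network.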
Portal authentication on the AC (wireless controller)
url-template name hcie
url https://192.168.23.82:19008/portal
url-parameter device-ip ac-ip redirect-url redirect-url ssid ssid user-ipaddress uaddress user-mac umac
url-parameter set device-ip 192.168.23.25
web-auth-server hcie
server-ip 192.168.23.82
shared-key cipher Huawei@123
url-template hcie
source-ip 192.168.23.25
port 50100 //the NCE side shows 2000, which is unrelated: that is the port NCE uses to reach the switch, this is the port the switch uses to reach NCE
portal-access-profile name hcie
web-auth-server hcie direct
free-rule-template name free_rule
free-rule 1 destination 192.168.23.82 mask 32 //portal server reachable before authentication
free-rule 2 destination 192.168.23.25 mask 32 //AC reachable before authentication
radius-server template hcie
radius-server shared-key cipher Huawei@123
radius-server authentication 192.168.23.82 1812 source ip-address 192.168.23.25
radius-server accounting 192.168.23.82 1813 source ip-address 192.168.23.25
radius-attribute nas-ip 192.168.23.25
radius-server authorization 192.168.23.82 shared-key cipher Huawei@123
radius-server source ip-address 192.168.23.25
radius-server authorization server-source all-interface
aaa
authentication-scheme hcie
authentication-mode radius
aaa
accounting-scheme hcie
accounting-mode radius
web-auth-server server-source all-interface
security-profile name hcie
security wpa-wpa2 psk pass-phrase HCIE@security00X aes
ssid-profile name hcie
ssid HQ-user
authentication-profile name hcie
portal-access-profile hcie
authentication-scheme hcie
accounting-scheme hcie
radius-server hcie
free-rule-template free_rule
vap-profile name hcie
forward-mode tunnel
ssid-profile hcie
security-profile hcie
service-vlan vlan-id 51
authentication-profile hcie
ap-group name default
vap-profile hcie wlan 1 radio all
ap-id 0
ap-name hcie
ap-group default