关于华为二层交换机集群管理配置规范及说明

1、关于华为二层交换机集群管理配置规范及说明一、组网说明：榆社县局S3552G交换机下挂榆社水利小区 3号楼S2016C 3号楼S2016C 交换机下挂水利小区2号楼S2403H 3号楼S2016C交换机下挂水利小区1号楼 S2024C。二、组网图：YS_XianJu_S3552GYS_ShuiLi_3#Lou_S2016CYS_ShuiLi_1#Lou_S2024CYS_ShuiLi_2#Lou_S2403H三、配置步骤1 、配置管理设备（由汇聚层人员来配置）（1）启动设备上的NDP和端口日的NDP协议：YS_XianJu_S3552G ndp enable#配置NDP信息的有效保留时间为200

2、秒YS_XianJu_S3552G ndp timer aging 200#配置NDP报文发送的时间间隔为70秒YS_XianJu_S3552G ndp timer hello 70（2）启动设备上的 NTDP和端口上的NTDPYS_XianJu_S3552G ntdp enable#配置拓扑收集范围为 7 跳YS_XianJu_S3552G ntdp hop 7 #配置被收集设备转发拓扑收集请求的延迟时间为150msYS_XianJu_S3552G ntdp timer hop-delay 15015ms#配置被收集设备的端口转发拓扑收集请求的延迟时间为 YS_XianJu_S3552G n

3、tdp timer port-delay 15 #配置定时拓扑收集的时间间隔为 3 分钟 YS_XianJu_S3552G ntdp timer 3(3) 配置管理 vlan#创建管理 vlan YS_XianJu_S3552Gvlan 4051#将管理 vlan4051 作为管理 vlan YS_XianJu_S3552Gmanagement-vlan 4051 #进入以太网端口description to_ys_shuili_dishui2_caizhen_xiaoquport link-type trunkundo port trunk permit vlan 1port trunk p

4、ermit vlan 45 to 51 3527 4051( 4)启动集群功能YS_XianJu_S3552G cluster enable#进入集群视图YS_XianJu_S3552G clusterYS_XianJu_S3552G -cluster#配置集群内部使用的IP地址池起始地址为10.0.1.1有254个地址YS_XianJu_S3552G -cluster ip-pool 10.0.1.1 255.255.255.0（5）配置集群名字建立集群YS_XianJu_S3552G -cluster build YSYDYSYD_0.YS_XianJu_S3552G -cluster（6

5、）将下挂的两个交换机加入到集群中YSYD_0.YS_XianJu_S3552G -cluster add-member 1 mac-address 00e0-fc01- 0011YSYD_0.YS_XianJu_S3552G -cluster add-member 2 mac-address 00e0-fc01- 0013YSYD_0.YS_XianJu_S3552G -cluster add-member 3 mac-address 00e0-fc01- 0011#配置成员设备信息的保留时间为 100秒YSYD_0.YS_XianJu_S3552G -cluster holdtime 100

6、#配置握手报文定时发送的时间间隔为10秒YSYD_0.YS_XianJu_S3552G -cluster timer 102、配置成员设备（由接入层维护人员来配置）以xx水利小区3号楼S2016C为例：#启动设备上的NDP和端口上的NDPYS_ShuiLi_3#Lou_S2016C ndp enable#启动设备上的NTDP和端口上的NTDPYS_ShuiLi_3#Lou_S2016C ntdp enable#创建vlan 4051创建管理vian,根汇聚层交换机管理vlan来确定。YS_ShuiLi_3#Lou_S2016C vlan 4051#将 vlan4051 作为管理 vlanYS_

7、ShuiLi_3#Lou_S2016C management-vlan 4051#进入以太网端口透传管理vlan 4051将二层交换机上联口透传管理 vlan#启 动集群功能YS_ShuiLi_3#Lou_S2016C cluster enable四、数据配置举例如下：1、xx局S3552G配置如下：dis cu# sysname YS_XianJu_S3552G #superpassword level 3 cipher A#:+/G*8P,:)&CZHH(&1!#ntdp hop 7ntdp timer port-delay 15ntdp timer hop-delay 150ntdp t

8、imer 3#radius scheme systemserver-type huaweiprimary authentication 127.0.0.1 1645primary accounting 127.0.0.1 1646user-name-format without-domaindomain systemradius-scheme systemaccess-limit disable state active vlan-assignment-mode integer idle-cut disable self-service-url disable messenger time d

9、isabledomain default enable system # local-server nas-ip 127.0.0.1 key huawei local-user sxhuaweipassword cipher (W_UELR9laNK;9B9.)Q!ndp timer aging 200#management-vlan 4051#acl number 3998rule 0 deny ip destination 10.0.1.0 0.0.0.255rule 1 permit ip source 10.0.1.0 0.0.0.255acl number 3999rule 0 de

10、ny ip source 10.0.1.0 0.0.0.255rule 1 permit ip destination 10.0.1.0 0.0.0.255#vlan 1#vlan 27#vlan 28#vlan29#vlan 30#vlan 31#vlan 32#vlan 33#vlan 34#vlan 35#vlan 36#vlan 37#vlan 38#vlan39#vlan 40#vlan 41#vlan 42#vlan 43#vlan 44#vlan 45#vlan 46#vlan 47#vlan 48#vlan49#vlan 50#vlan 51#vlan 52#vlan 53#v

11、lan 1672description to_ys_taichanggaosu(yulin)#vlan 1711#vlan 2101#vlan 2103#vlan 2104#vlan 2105multicast-vlan enable #vlan 3524#vlan 3526#vlan 3527#vlan 3528#vlan3529#vlan 3530#vlan 3532#vlan 3534#vlan 35#vlan 3536#vlan 3537#vlan 4051#interface Vlan-interface4051ip address 221.131.31.130 255.255.25

12、5.240#shutdown #description to_ys_taichanggaosu(yulin) broadcast-suppression 5port access vlan 1672# description to_ys_donghuixiaoxue broadcast-suppression 5port access vlan 3526# description to_ys_tudijushe broadcast-suppression 5port access vlan 3528# description to_ys_nonghangsushe broadcast-supp

13、ression 5port access vlan 3529# description to_ys_dishuiyixiaoqu broadcast-suppression 5port access vlan 3530# description to_ys_lianjiazhuang broadcast-suppression 5port access vlan 1711# description to_ys_dongshengyingyeting port link-type trunkundo port trunk permit vlan 1port trunk permit vlan 2

14、103 to 2105 3532# description _xianweidanxiaowenhuazhanbroadcast-suppression 5port access vlan 3534# description to_ys_youzhenxiaoqu broadcast-suppression 5port access vlan 35# description to_ys_jiaokejuwenhuazhanbroadcast-suppression 5 port access vlan 3536# description to_ys_jishengfuyouyuan broad

15、cast-suppression 5port access vlan 3537# description to_ys_xiangzhenjuxiaoquport link-type trunkundo port trunk permit vlan 1port trunk permit vlan 31 to 33# description to_ys_mingzhenjuxiaoqu port link-type trunkundo port trunk permit vlan 1port trunk permit vlan 34 to 35# description to_ys_renhang

16、xiaoqu port link-type trunkundo port trunk permit vlan 1port trunk permit vlan 36# description to_ys_huagongxiaoquport link-type trunkundo port trunk permit vlan 1port trunk permit vlan 27 to 30# description to_ys_gongan,liangshijuxiaoqu port link-type trunkundo port trunk permit vlan 1port trunk pe

17、rmit vlan 37 to 40# description to_ys_gongan,yizhongxuexiaoqu port link-type trunkundo port trunk permit vlan 1port trunk permit vlan 41 to 44# description to_ys_shuili_dishui2_caizhen_xiaoquport link-type trunkundo port trunk permit vlan 1port trunk permit vlan 45 to 51 3527 4051# description to_ys

18、_guoshuixiaoquport link-type trunkundo port trunk permit vlan 1port trunk permit vlan 52 to 53# description to_ys_yingchunyingyetingport link-type trunkundo port trunk permit vlan 1port trunk permit vlan 2101 3524# shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown

19、 # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown # shutdown# duplex fullspeed 1000port link-type trunkundo port trunk permit vlan 1port trunk permit v

20、lan 27 to 531672 1711 to 3526 to 3530 to 3537 4051# shutdown # shutdown # shutdown #interface NULL0#clusterip-pool 10.0.1.1 255.255.255.0build YSYDholdtime 100#YSYD_0.YS_XianJu_S3552G -cluster add-member 1 mac-address 00e0-fc01-0011YSYD_0.YS_XianJu_S3552G -cluster add-member 2 mac-address 00e0-fc01-

21、0013YSYD_0.YS_XianJu_S3552G -cluster add-member 3 mac-address 00e0-fc01-0011#ip route-static 0.0.0.0 0.0.0.0 221.131.31.129 preference 60# snmp-agentsnmp-agent local-engineid 8007DB000FE215Dsnmp-agent sys-info location BeiJing Chinasnmp-agent sys-info version allsnmp-agent target-host trap address u

22、dp-domain 211.142.42.68params securityname jzydsnmp-agent target-host trap address udp-domain 211.142.42.69params securityname jzydsnmp-agent trap enable standardsnmp-agent trap enable configurationsnmp-agent trap enable vrrpsnmp-agent trap enable bgpsnmp-agent trap source Vlan-interface4051#ntp-ser

23、vice unicast-server 211.138.98.2ntp-service unicast-server 211.138.98.1#user-interface aux 0authentication-mode schemeuser-interface vty 0 4authentication-mode scheme #Return2、榆社水利小区3号楼S2016C配置如下：dis cu# sysname YS_ShuiLi_3#Lou_S2016C 对交换机进行命名 #super password level 3 cipher 八#:+/G*8P,:）&CZHH（&1!#inf

24、o-center loghost 10.0.1.1#management-vlan 4051 修改集群 管理vlan （根据汇聚层交换机管理 vlan确定）#que-scheduler wrr 1 2 4 8#vlan 1#vlan 45port-isolate enable小区交换机端口隔离配置 #vlan46#vlan 47#vlan 48#vlan 49#vlan 50#vlan 51#vlan 3527#vlan 4051增加交换机集群 管理 vlan 号（根据汇聚层交换机管理 vlan 确定） #interface Vlan-interface4051#description to_

25、 （描述该交换机的上联交换机及端口）port link-type trunkundo port trunk permit vlan 1port trunk permit vlan 45 to 51 （上联口透传集群管理 vlan 号） port-isolate uplink-port vlan 45（上联口配置本交换机端口隔离 vlan） #description 对交换机联端口进行描述port link-type trunkundo port trunk permit vlan 1（透传集群管理 VLAN）（透传集群管理 VLAN）port trunk permit vlan 464051

26、description 对交换机联端口进行描述port link-type trunkundo port trunk permit vlan 1port trunk permit vlan 474051broadcast-suppression 5 （对 ACCESS 口进行广播抑制） port access vian 45#broadcast-suppression 5port access vian 45#broadcast-suppression 5port access vian 45#broadcast-suppression 5port access vian 45#broadca

27、st-suppression 5port access vian 45#broadcast-suppression 5port access vian 45#broadcast-suppression 5port access vian 45#broadcast-suppression 5port access vian 45#broadcast-suppression 5port access vian 45#broadcast-suppression 5port access vian 45#broadcast-suppression 5port access vian 45#broadc

28、ast-suppression 5port access vian 45#broadcast-suppression 5port access vian 45#interface NULL0# snmp-agentsnmp-agent iocai-engineid 8007DB000FE237E4CB6877snmp-agent sys-info iocation BeiJing Chinasnmp-agent sys-info version aiisnmp-agent target-host trap address udp-domain 10.0.1.1params securityna

29、me ciustersnmp-agent trap enabie standardsnmp-agent trap enabie configurationsnmp-agent trap source Vlan-interface4051#user-interface aux 0 authentication-mode passwordset authe nticati on password cipher NC55QKv二/QQMAF4v1!#Retur n3、榆社水利1号楼S2024C交换机配置如下：dis cu# sysname YS_ShuiLi_1#Lou_S2024C 对交换机进行命

30、名 #super password level 3 cipher A#:+/G*8P,:）&CZHH（&1!#info-center loghost 10.0.1.1#management-vlan 4051修改集群 管理vlan （根据汇聚层交换机管理 vlan确定）#que-scheduler wrr 1 2 4 8#vlan 1#vlan 47port-isolate enable小区交换机端口隔离配置 #vlan 4051增加交换机集群管理 vlan 号（根据汇聚层交换机管理 vlan 确定） #interface Vlan-interface4051#description to_

31、（描述该交换机的上联交换机及端口）port link-type trunkundo port trunk permit vlan 1port trunk permit vlan 474051 （上联口透传集群管理 vlan 号） port-isolate uplink-port vlan 47（上联口配置本交换机端口隔离 vlan） #broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#br

32、oadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppressio n 5ACCESS 口进行广播抑制）（对por

33、t access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5po

34、rt access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#broadcast-suppression 5port access vlan 47#interface NULL0#clustera

35、dministrator-address 000f-e22e-0f80 name huawei # snmp-agent snmp-agent local-engineid 8007DB00E0FC2D944E6877snmp-agent sys-info contact HuaWei BeiJing Chinasnmp-agent sys-info location BeiJing Chinasnmp-agent sys-info version allsnmp-agent target-host trap address udp-domain 10.10.0.1params securit

36、yname clustersnmp-agent trap enable standard #user-interface aux 0authentication-mode passwordset authe nticati on password cipher NC55QKv二/QQMAF4v1!#Retur n4、水利小区2号S2403H配置如下：dis cu # sysname YS_ShuiLi_2#Lou_S2403H 对交换机进行命名 #radius scheme systemserver-type huaweiprimary authentication 127.0.0.1 164

37、5primary accounting 127.0.0.1 1646user-name-format without-domaindomain systemradius-scheme systemaccess-limit disablestate activeidle-cut disableself-service-url disablemessenger time disabledomain default enable system # local-server nas-ip 127.0.0.1 key huawei #info- center loghost 10.10.0.1#mana

38、gement-vlan 4051修改集群管理 vian （根据汇聚层 交换机管理 vlan 确定） #vlan 1#vlan 46port-isolate enable小区交换机端口隔离配置 #vlan 4051增加交换机集群管理vlan号（根据汇聚层交换机管理vlan确定）#in terface Via n-i nterface4051#descriptio n to_ （描述该交换机的上联交换机及 端口） port link-type trunkundo port trunk permit vlan 1port trunk permit vlan 464051 （上联口透传集群管理 vla

39、n 号） port-isolate uplink-port vlan 46（上联口配置本交换机端口隔离 vlan） #broadcast-suppression 5 （对 ACCESS 口进行广播抑制） port access vian 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadc

40、ast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broad

41、cast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broa

42、dcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#broadcast-suppression 5port access vlan 46#interface NULL0#cluster administrator-address 000f-e22e-0f80 name YSYD # snmp-agent snmp-

43、agent local-engineid 8007DB00E0FC2D944E6877snmp-agent sys-info contact HuaWei BeiJing Chinasnmp-agent sys-info location BeiJing Chinasnmp-agent sys-info version allsnmp-agent target-host trap address udp-domain 10.10.0.1params securityname clustersnmp-agent trap enable standard #user-interface aux 0

44、user-interface vty 0 4#Return五、二层交换机管理说明：由于本次二层交换机集群管理的时间紧迫性，为了以后更好的维护，配置 一定要规范，具体规范内容在配置举例中说明，并用红色字体标明，有什么不 对的地方及时提出。1、交换机命名一定要规范，要不在集群网管上不能区分是哪个小区哪个楼 的交换机，不便于网管查看和管理。2、交换机TRUNK端口不要进行广播抑制配置，如有要去掉。3、如有交换机是老版本的如 S2403H的，如果不支持 management-vlan命 令的要进行BOOTROM和APP软件升级或者更换交换机。4、将小区交换机的拓朴结构一定要搞清楚，尤其是上联端口及光猫、网 线、尾纤一定要粘贴标签，为以后更好的维护提供便利。5、对一些不需要认证的在核心机房 R2811路由器上下挂的小区交换机也要 进行集群管理。6、对交换机的端口一定要隔离，这样可以对病毒等的传播进行抑制。7、对access端口增加广播抑制配置，即 broadcast 5的配置。8、对一些小区不是华为交换机的一定要更换成华为交换机并对其进行数据 配置及集群管理。9、 将二层交换机集群管理信息表小区交换机M