Configuring a D-Link DES-3200 switch

As an example I will take a D-Link DES-3200-18 C1 switch with firmware 4.36.B012. The commands are the same for switches with a different number of ports; they may differ slightly only between firmware versions and hardware revisions.

Configuring temperature change notifications:

 config temperature threshold high 79
 config temperature threshold low 11
 config temperature trap state disable
 config temperature log state enable

Creating an administrator account (replace the placeholder with the desired user name):

 create account admin <name>
 config admin local_enable

Enabling password encryption:

 enable password encryption

Serial port parameters:

 config serial_port baud_rate 115200 auto_logout never

Enabling access via the web interface:

 enable web 80

Enabling paged output mode:

 enable clipaging

Setting the terminal window width:

 config terminal width 80

Setting the number of terminal lines displayed:

 config terminal_line default

Disabling logging of entered commands:

 disable command logging

Enabling the password recovery feature:

 enable password_recovery

Enabling broadcast traffic limiting on all ports:

 config traffic control 1 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 2 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 3 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 4 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 5 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 6 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 7 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 8 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 9 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 10 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 11 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 12 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 13 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 14 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 15 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 16 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 17 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control 18 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
 config traffic control auto_recover_time 0
 config traffic trap none
 config traffic control log state enable

Enabling loop detection on all ports except the uplink port 17:

 enable loopdetect
 config loopdetect recover_timer 1200 interval 10 mode port-based
 config loopdetect log state enable
 config loopdetect ports 1 state enable
 config loopdetect ports 2 state enable
 config loopdetect ports 3 state enable
 config loopdetect ports 4 state enable
 config loopdetect ports 5 state enable
 config loopdetect ports 6 state enable
 config loopdetect ports 7 state enable
 config loopdetect ports 8 state enable
 config loopdetect ports 9 state enable
 config loopdetect ports 10 state enable
 config loopdetect ports 11 state enable
 config loopdetect ports 12 state enable
 config loopdetect ports 13 state enable
 config loopdetect ports 14 state enable
 config loopdetect ports 15 state enable
 config loopdetect ports 16 state enable
 config loopdetect ports 17 state disable
 config loopdetect ports 18 state enable
 config loopdetect trap none

Disabling port mirroring:

 disable mirror

Log settings:

 config log_save_timing on_demand
 disable syslog
 config system_severity trap information
 config system_severity log information

Configuring traffic segmentation, so that traffic cannot pass between user ports:

 config traffic_segmentation 1-16,18 forward_list 17
 config traffic_segmentation 17 forward_list all

Blocking jumbo frames and configuring the ports:

 disable jumbo_frame
 config ports 1-16 speed auto flow_control disable learning enable state enable mdix auto
 config ports 17 medium_type copper speed auto flow_control disable learning enable state enable mdix auto
 config ports 17 medium_type fiber speed auto flow_control disable learning enable state enable
 config ports 18 speed auto flow_control disable learning enable state enable

Allowing switch management only from the specified IP addresses:

 create trusted_host network 192.168.1.1/24 snmp telnet ssh http https ping
 create trusted_host network 172.16.100.100/32 snmp telnet ssh http https ping

Configuring SNMP traps:

 disable snmp traps
 disable snmp authenticate_traps
 disable snmp linkchange_traps
 config snmp linkchange_traps ports 1-18 disable
 config snmp coldstart_traps enable
 config snmp warmstart_traps enable
 config rmon trap rising_alarm enable
 config rmon trap falling_alarm enable

Enabling SNMP and an example SNMP configuration (replace the placeholder with your own community name):

 enable snmp
 config snmp system_contact [email protected]
 delete snmp community public
 delete snmp community private
 delete snmp user initial
 delete snmp group initial
 create snmp group public v1 read_view CommunityView notify_view CommunityView
 create snmp group public v2c read_view CommunityView notify_view CommunityView
 create snmp community public view CommunityView read_only
 create snmp group <community> v1 read_view CommunityView write_view CommunityView notify_view CommunityView
 create snmp group <community> v2c read_view CommunityView write_view CommunityView notify_view CommunityView
 create snmp community <community> view CommunityView read_write
 disable community_encryption

Disabling the IGMP multicast VLAN:

 disable igmp_snooping multicast_vlan
 config igmp_snooping multicast_vlan forward_unmatched disable

Disabling automatic PVID assignment to ports; we will configure them manually:

 disable pvid auto_assign

Removing all ports from the default VLAN:

 config vlan default delete 1-18
 config vlan default advertisement enable

Creating a separate VLAN for switch management:

 create vlan core tag 50
 config vlan core add tagged 17 advertisement disable

Creating a VLAN for users:

 create vlan local_smart tag 51
 config vlan local_smart add tagged 17
 config vlan local_smart add untagged 1-16,18 advertisement disable

Disabling Q-in-Q (encapsulation of VLAN tags inside second-level VLAN tags):

 disable qinq

Disabling automatic VLAN configuration (GVRP) and assigning the client VLAN PVID to all ports:

 disable gvrp
 config port_vlan 1-18 gvrp_state disable ingress_checking enable acceptable_frame admit_all pvid 51

Configuring and disabling port security:

 config port_security system max_learning_addr no_limit
 disable port_security trap_log
 config port_security ports 1-18 admin_state disable max_learning_addr 32 lock_address_mode deleteonreset

Disabling client authentication (802.1X) on the ports, plus some default settings:

 disable 802.1x
 config 802.1x auth_mode port_based
 config 802.1x auth_protocol radius_eap
 config 802.1x fwd_pdu system disable
 config 802.1x max_users no_limit
 config 802.1x authorization attributes radius enable
 config 802.1x capability ports 1-18 none
 config 802.1x auth_parameter ports 1-18 direction both port_control auto quiet_period 60 tx_period 30 supp_timeout 30 server_timeout 30 max_req 2 reauth_period 3600 enable_reauth disable
 config 802.1x auth_parameter ports 1-18 max_users 16

MAC address table aging time (seconds):

 config fdb aging_time 300
 config block tx ports 1-18 unicast disable

Configuring IP-MAC address binding on the ports:

 config address_binding dhcp_snoop max_entry ports 1 limit no_limit
 config address_binding dhcp_snoop max_entry ports 2 limit no_limit
 config address_binding dhcp_snoop max_entry ports 3 limit no_limit
 config address_binding dhcp_snoop max_entry ports 4 limit no_limit
 config address_binding dhcp_snoop max_entry ports 5 limit no_limit
 config address_binding dhcp_snoop max_entry ports 6 limit no_limit
 config address_binding dhcp_snoop max_entry ports 7 limit no_limit
 config address_binding dhcp_snoop max_entry ports 8 limit no_limit
 config address_binding dhcp_snoop max_entry ports 9 limit no_limit
 config address_binding dhcp_snoop max_entry ports 10 limit no_limit
 config address_binding dhcp_snoop max_entry ports 11 limit no_limit
 config address_binding dhcp_snoop max_entry ports 12 limit no_limit
 config address_binding dhcp_snoop max_entry ports 13 limit no_limit
 config address_binding dhcp_snoop max_entry ports 14 limit no_limit
 config address_binding dhcp_snoop max_entry ports 15 limit no_limit
 config address_binding dhcp_snoop max_entry ports 16 limit no_limit
 config address_binding dhcp_snoop max_entry ports 17 limit no_limit
 config address_binding dhcp_snoop max_entry ports 18 limit no_limit
 config address_binding ip_mac ports 1-18 protocol ipv4
 config address_binding ip_mac ports 1-18 allow_zeroip enable
 disable address_binding dhcp_snoop
 disable address_binding trap_log
 enable address_binding roaming
 disable address_binding dhcp_snoop ipv6
 disable address_binding nd_snoop
 config address_binding dhcp_snoop max_entry ports 1-18 limit no_limit ipv6
 config address_binding nd_snoop ports 1-18 max_entry no_limit

Enabling NetBIOS filtering on the ports, i.e. blocking access to shared drives:

 config filter netbios 1-18 state enable
 config filter extensive_netbios 1-18 state enable

Configuring filtering of malicious DoS packets:

 config dos_prevention dos_type land_attack action drop state enable
 config dos_prevention dos_type blat_attack action drop state enable
 config dos_prevention dos_type tcp_null_scan action drop state enable
 config dos_prevention dos_type tcp_xmasscan action drop state enable
 config dos_prevention dos_type tcp_synfin action drop state enable
 config dos_prevention dos_type tcp_syn_srcport_less_1024 action drop state enable
 config dos_prevention dos_type ping_death_attack action drop state enable
 config dos_prevention dos_type tcp_tiny_frag_attack action drop state enable
 config dos_prevention trap disable
 config dos_prevention log disable

Blocking DHCP servers on all ports except the uplink:

 config filter dhcp_server ports all state disable
 config filter dhcp_server ports 1-16,18 state enable
 config filter dhcp_server illegal_server_log_suppress_duration 30min
 config filter dhcp_server trap_log enable

BPDU flood protection:

 enable bpdu_protection
 config bpdu_protection recovery_timer 300
 config bpdu_protection trap none
 config bpdu_protection log attack_detected
 config bpdu_protection ports 1-16,18 state enable
 config bpdu_protection ports 1-18 mode drop

Enabling the Safeguard Engine function:

 config safeguard_engine state enable utilization rising 98 falling 90 trap_log enable mode fuzzy

Disabling switch management over SSH:

 disable ssh

Enabling telnet access:

 enable telnet 23

Disabling e-mail notifications over SMTP:

 disable smtp

Configuring SNTP time parameters:

 enable sntp
 config time_zone operator + hour 2 min 0
 config sntp primary 192.168.1.1 secondary 0.0.0.0 poll-interval 40000
 config dst disable

Default link aggregation parameters:

 config link_aggregation algorithm mac_source
 config lacp_port 1-18 mode passive

Assigning an IP address to the switch:

 config ipif System ipaddress 192.168.1.100/24
 config ipif System vlan core
 config ipif System dhcp_option12 state disable
 disable autoconfig
 config autoconfig timeout 50

Disabling ERPS protocol support:

 disable erps
 config erps log disable
 config erps trap disable

Disabling CFM:

 disable cfm

Disabling LLDP:

 disable lldp
 config lldp message_tx_interval 30
 config lldp tx_delay 2
 config lldp message_tx_hold_multiplier 4
 config lldp reinit_delay 2
 config lldp notification_interval 5
 config lldp ports 1-18 notification disable
 config lldp ports 1-18 admin_status tx_and_rx

Disabling MAC-based access control and some default parameters:

 disable mac_based_access_control
 config mac_based_access_control authorization attributes radius enable local enable
 config mac_based_access_control ports 1-18 state disable
 config mac_based_access_control ports 1 max_users 128
 config mac_based_access_control ports 1 aging_time 1440
 config mac_based_access_control ports 1 block_time 300
 config mac_based_access_control ports 2 max_users 128
 config mac_based_access_control ports 2 aging_time 1440
 config mac_based_access_control ports 2 block_time 300
 config mac_based_access_control ports 3 max_users 128
 config mac_based_access_control ports 3 aging_time 1440
 config mac_based_access_control ports 3 block_time 300
 config mac_based_access_control ports 4 max_users 128
 config mac_based_access_control ports 4 aging_time 1440
 config mac_based_access_control ports 4 block_time 300
 config mac_based_access_control ports 5 max_users 128
 config mac_based_access_control ports 5 aging_time 1440
 config mac_based_access_control ports 5 block_time 300
 config mac_based_access_control ports 6 max_users 128
 config mac_based_access_control ports 6 aging_time 1440
 config mac_based_access_control ports 6 block_time 300
 config mac_based_access_control ports 7 max_users 128
 config mac_based_access_control ports 7 aging_time 1440
 config mac_based_access_control ports 7 block_time 300
 config mac_based_access_control ports 8 max_users 128
 config mac_based_access_control ports 8 aging_time 1440
 config mac_based_access_control ports 8 block_time 300
 config mac_based_access_control ports 9 max_users 128
 config mac_based_access_control ports 9 aging_time 1440
 config mac_based_access_control ports 9 block_time 300
 config mac_based_access_control ports 10 max_users 128
 config mac_based_access_control ports 10 aging_time 1440
 config mac_based_access_control ports 10 block_time 300
 config mac_based_access_control ports 11 max_users 128
 config mac_based_access_control ports 11 aging_time 1440
 config mac_based_access_control ports 11 block_time 300
 config mac_based_access_control ports 12 max_users 128
 config mac_based_access_control ports 12 aging_time 1440
 config mac_based_access_control ports 12 block_time 300
 config mac_based_access_control ports 13 max_users 128
 config mac_based_access_control ports 13 aging_time 1440
 config mac_based_access_control ports 13 block_time 300
 config mac_based_access_control ports 14 max_users 128
 config mac_based_access_control ports 14 aging_time 1440
 config mac_based_access_control ports 14 block_time 300
 config mac_based_access_control ports 15 max_users 128
 config mac_based_access_control ports 15 aging_time 1440
 config mac_based_access_control ports 15 block_time 300
 config mac_based_access_control ports 16 max_users 128
 config mac_based_access_control ports 16 aging_time 1440
 config mac_based_access_control ports 16 block_time 300
 config mac_based_access_control ports 17 max_users 128
 config mac_based_access_control ports 17 aging_time 1440
 config mac_based_access_control ports 17 block_time 300
 config mac_based_access_control ports 18 max_users 128
 config mac_based_access_control ports 18 aging_time 1440
 config mac_based_access_control ports 18 block_time 300
 config mac_based_access_control ports 1-18 mode host_based
 config mac_based_access_control method local
 config mac_based_access_control password default
 config mac_based_access_control max_users no_limit
 config mac_based_access_control trap state enable
 config mac_based_access_control log state enable

Disabling multicast traffic control (IGMP/MLD snooping) and some default parameters:

 disable igmp_snooping
 config igmp_snooping data_driven_learning max_learned_entry 128
 config igmp_snooping vlan_name default fast_leave disable report_suppression enable state disable
 config igmp_snooping querier vlan_name default query_interval 125 max_response_time 10 robustness_variable 2 last_member_query_interval 1 state disable version 3
 config igmp_snooping data_driven_learning vlan_name default expiry_time 260 state enable aged_out disable
 config igmp_snooping vlan_name core fast_leave disable report_suppression enable state disable
 config igmp_snooping querier vlan_name core query_interval 125 max_response_time 10 robustness_variable 2 last_member_query_interval 1 state disable version 3
 config igmp_snooping data_driven_learning vlan_name core expiry_time 260 state enable aged_out disable
 config igmp_snooping vlan_name local_smart fast_leave disable report_suppression enable state disable
 config igmp_snooping querier vlan_name local_smart query_interval 125 max_response_time 10 robustness_variable 2 last_member_query_interval 1 state disable version 3
 config igmp_snooping data_driven_learning vlan_name local_smart expiry_time 260 state enable aged_out disable
 config cpu_filter l3_control_pkt 1-18 all state disable
 disable mld_snooping
 config mld_snooping data_driven_learning max_learned_entry 128
 config mld_snooping vlan_name default fast_done disable report_suppression enable state disable
 config mld_snooping querier vlan_name default query_interval 125 max_response_time 10 robustness_variable 2 last_listener_query_interval 1 state disable version 2
 config mld_snooping data_driven_learning vlan_name default expiry_time 260 state enable aged_out disable
 config mld_snooping vlan_name core fast_done disable report_suppression enable state disable
 config mld_snooping querier vlan_name core query_interval 125 max_response_time 10 robustness_variable 2 last_listener_query_interval 1 state disable version 2
 config mld_snooping data_driven_learning vlan_name core expiry_time 260 state enable aged_out disable
 config mld_snooping vlan_name local_smart fast_done disable report_suppression enable state disable
 config mld_snooping querier vlan_name local_smart query_interval 125 max_response_time 10 robustness_variable 2 last_listener_query_interval 1 state disable version 2
 config mld_snooping data_driven_learning vlan_name local_smart expiry_time 260 state enable aged_out disable

Disabling the extended authentication system:

 config authen_login default method local
 config authen_enable default method local_enable
 config accounting default method none
 config authen application console login default
 config authen application console enable default
 config authen application telnet login default
 config authen application telnet enable default
 config authen application ssh login default
 config authen application ssh enable default
 config authen application http login default
 config authen application http enable default
 config authen parameter response_timeout 30
 config authen parameter attempt 3
 disable authen_policy
 config accounting service network state disable
 config accounting service shell state disable
 config accounting service system state disable
 config accounting service command administrator none
 config accounting service command operator none
 config accounting service command power_user none
 config accounting service command user none
 disable authen_policy_encryption

Disabling DHCP request relaying and some default parameters:

 disable dhcp_local_relay
 config dhcp_local_relay option_82 remote_id default
 config dhcp_local_relay option_82 circuit_id default
 config dhcp_local_relay option_82 ports 1-18 policy keep
 disable dhcp_relay
 config dhcp_relay hops 4 time 0
 config dhcp_relay option_82 state disable
 config dhcp_relay option_82 check disable
 config dhcp_relay option_82 policy replace
 config dhcp_relay option_82 remote_id default
 config dhcp_relay option_82 circuit_id default
 config dhcp_relay option_60 state disable
 config dhcp_relay option_61 state disable
 config dhcp_relay option_60 default mode drop
 config dhcp_relay option_61 default drop
 config dhcp_relay ports 1-18 state enable

ARP parameters:

 config arp_aging time 20
 config gratuitous_arp send ipif_status_up enable
 config gratuitous_arp send dup_ip_detected enable
 config gratuitous_arp learning enable

Disabling IGMP authentication on the ports via RADIUS:

 config igmp access_authentication ports 1-18 state disable

Adding the default gateway:

 create iproute default 192.168.1.1 1 primary

Saving the configuration:

 save all
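As an added example (not part of the original post), a small Python audit script that parses a DES-3200 CLI configuration dump like the one above and checks the hardening settings it relies on: password encryption, trusted hosts, the default SNMP communities, per-port DHCP server filtering, BPDU protection and loop detection, and whether telnet rather than SSH is the management channel. The sample config and the port roles (1-16 and 18 as access ports, 17 as uplink) are constructed from this page.

```python
import re

# Constructed sample: a subset of this page's commands, with port 18 deliberately
# left out of bpdu_protection so the audit has something to report.
SAMPLE_CONFIG = """\
 enable password encryption
 create trusted_host network 192.168.1.1/24 snmp telnet ssh http https ping
 delete snmp community public
 delete snmp community private
 create snmp community public view CommunityView read_only
 config filter dhcp_server ports all state disable
 config filter dhcp_server ports 1-16,18 state enable
 config bpdu_protection ports 1-16 state enable
 config loopdetect ports 1-16,18 state enable
 config loopdetect ports 17 state disable
 disable ssh
 enable telnet 23
"""

def port_set(spec, max_port=18):
    """Expand a D-Link port list such as '1-16,18' (or 'all') into a set of ints."""
    if spec == "all":
        return set(range(1, max_port + 1))
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def enabled_ports(lines, feature, max_port=18):
    """Replay 'config <feature> ports <list> state enable|disable' in order, so a
    'ports all state disable' line is overridden by later per-port enables."""
    pat = re.compile(rf"^config {feature} ports (\S+) state (enable|disable)$")
    state = set()
    for ln in lines:
        m = pat.match(ln)
        if m:
            ports = port_set(m.group(1), max_port)
            state = (state | ports) if m.group(2) == "enable" else (state - ports)
    return state

def audit(config_text, access_ports, max_port=18):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    if "enable password encryption" not in lines:
        findings.append("password encryption is not enabled")
    if not any(ln.startswith("create trusted_host ") for ln in lines):
        findings.append("no trusted_host entries: management reachable from any IP")
    for name in ("public", "private"):
        if f"delete snmp community {name}" not in lines:
            findings.append(f"default SNMP community '{name}' was not deleted")
        if any(ln.startswith(f"create snmp community {name} ") and ln.endswith("read_write")
               for ln in lines):
            findings.append(f"default SNMP community '{name}' re-created read_write")
    for feature, label in (("filter dhcp_server", "DHCP server filter"),
                           ("bpdu_protection", "BPDU protection"),
                           ("loopdetect", "loop detection")):
        missing = sorted(access_ports - enabled_ports(lines, feature, max_port))
        if missing:
            findings.append(f"{label} not enabled on access ports {missing}")
    if any(ln.startswith("enable telnet") for ln in lines):
        findings.append("telnet (cleartext management) is enabled")
    if "disable ssh" in lines:
        findings.append("ssh management is disabled")
    return findings
```

Run `audit(open("config.txt").read(), set(range(1, 17)) | {18})` against a `show config current_config` dump to check a live switch against the same list.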

Source: http://ixnfo.com/nastroyka-kommutatora-d-link-des-3200.html
