| 中兴三层交换机开局指南   开通3928或者3952以及32系列三层交换机时。一般用户要给一个上联地址。并且给三层交换机分一个网段   现举例如下:
 局方提供上联地址为:  219.150.247.0 /30    (可用地址为219.150.247.1 219.150.247.2)
 分配给三层交换机的网段为:
 222.88.33.0/23   (半个C 共126个可用地址。) 上层会将这半个C路由指向3928
 zxr10#conf t
 zxr10(config)#vlan 3000            //创建VLAN 3000 注意:互联vlan要与对端设备vlan号一致
 zxr10(config-vlan)#name to-HW8016
 zxr10(config-vlan)#switchport pvid fei_1/1
 ///把端口增加到vlan中。只适应于access
 将端口加入vlan还有一种方法:(推荐用)
 zxr10(config)#interface fei_1/1        /////进入1口
 zxr10(config-if)#switchport mode ?    ////改变为trunk或者access
 access  Switchport in access mode
 hybrid  Switchport in hybrid mode
 trunk   Switchport in trunk mode
 zxr10(config-if)#switchport mode access
 zxr10(config-if)#switchport access vlan 3000    ////// 加入vlan3000,
 如果打tag加入则:
 zxr10(config-if)#switchport mode trunk
 zxr10(config-if)#switchport trunk vlan 3000
 zxr10(config-vlan)#exit
 zxr10(config)#interface vlan 3000            //进入vlan给这个vlan配置地址(即网关)
 zxr10(config-if)#ip address 219.150.247.1 255.255.255.252
 zxr10(config-if)#exit
 zxr10(config)#username zxr10 password zxr10  //配置登录用户名密码,不配则不能远程登录
 zxr10(config)#enable secret zxr10            //enable密码。一般都是zxr10
 配置成功后。
 zxr10(config)#ip route 0.0.0.0 0.0.0.0 219.150.247.1
 zxr10(config)#exit
 zxr10#ping 219.150.247.1
 应该能通。3928通显示为5个感叹号。如果光路通。也应可以ping通219.150.247.133
 zxr10#conf t
 修改提示符
 Zxr10(config)#hostname zhongxinju
 最后保存即可。配置上述信息便可远程进行配置。
 地址分配原则(一般情况):
 A)     如果条件允许建议MSAG最好设置为30位掩码地址,保证每一台MSAG自己的网段内没有其他主机。便于语音质量。
 B)      39系列或者32系列下挂网吧时,也建议使用每个网吧一个30位地址。
 C)     如果地址非常紧张。可以采用8个或16个地址一个网段(即29或28位掩码多个可用地址)接多台设备,这些设备属于同一个vlan。建议使用PVLAN将多个端口进行隔离。――具体参考用户手册
 附录:一台3928配置举例:
 qipeizhongxin#show run
 Building configuration...
 Current configuration:
 !
 version V4.6.02B
 !
 enable secret 5 Cb8+B/Pm1P3PFV2DeUkCbQ==
 !
 nvram mng-ip-address 10.40.88.177 255.255.0.0
 !
 nvram boot-username target
 !
 nvram boot-password target
 !
 nvram boot-server 10.40.88.170
 !
 nvram default-gateway 10.40.88.170
 !
 nvram imgfile-location local
 !
 hostname qipeizhongxin
 !
 username admin password nydx#@
 !
 user-authentication-type local
 !
 snmp-server contact +86-25-52870000
 snmp-server location No.68 Zijinghua Rd. Yuhuatai District, Nanjing, China
 snmp-server packetSize 1400
 snmp-server engine-id 830900020300010289d64401
 snmp-server view DefaultView system included
 snmp-server view AllView internet included
 !
 logging on
 logging buffer 200
 logging mode fullcycle
 logging console notifications
 logging level notifications
 !
 line console idle-timeout 120
 line console absolute-timeout 1440
 line telnet idle-timeout 120
 line telnet absolute-timeout 1440
 !
 banner incoming @
 ********************************************************************
 Welcome to ZXR10 Fast and Intelligent 3928 Switch of ZTE Corporation
 ********************************************************************
 @
 !
 !
 vlan 1
 !
 vlan 302
 name lailaiwangwang
 !
 vlan 303
 name qijianwangba
 !
 vlan 307
 name fengyunwangba
 !
 vlan 308
 name yangguangcaixian
 !
 vlan 309
 name tianxiwangba
 !
 vlan 310
 name chunziwangba
 !
 vlan 311
 name xiangdongwangba
 !
 vlan 312
 name xinsenwangcheng
 !
 vlan 313
 name jingyingwangba
 !
 vlan 314
 name qianshouwangba
 !
 vlan 315
 name yixinwangba
 !
 vlan 317
 name xinjiwangba
 !
 vlan 1000
 !
 Vlan 1001
 !
 Vlan 1002
 !
 !
 virus-scan set disable
 !
 interface vlan 302               //网吧属于vlan 302地址为30位掩码。
 ip address  222.88.226.109 255.255.255.252 255.255.255.255
 !
 interface vlan 303               //一般MSAG也最好设置为30位掩码地址。便于语音质量
 ip address  222.88.226.53 255.255.255.252 255.255.255.255
 !
 interface vlan 307
 ip address  222.88.226.113 255.255.255.252 255.255.255.255
 !
 interface vlan 308
 ip address  222.88.226.117 255.255.255.252 255.255.255.255
 !
 interface vlan 309
 ip address  222.88.233.161 255.255.255.252 255.255.255.255
 !
 interface vlan 310
 ip address  222.88.233.97 255.255.255.252 255.255.255.255
 !
 interface vlan 311
 ip address  222.88.233.193 255.255.255.252 255.255.255.255
 !
 interface vlan 312
 ip address  219.150.241.189 255.255.255.252 255.255.255.255
 !
 interface vlan 313
 ip address  222.88.242.145 255.255.255.248 255.255.255.255
 !
 interface vlan 314
 ip address  219.150.241.17 255.255.255.248 255.255.255.255
 !
 interface vlan 315
 ip address  222.88.233.133 255.255.255.252 255.255.255.255
 !
 interface vlan 317
 ip address  222.88.233.153 255.255.255.252 255.255.255.255
 !
 interface vlan 1000
 ip address  219.150.241.182 255.255.255.248 255.255.255.255
 !
 interface fei_1/1
 negotiation auto              //关闭自协商。执行speed 100 duf full后为强制100兆全双工
 ip access-group 101 in        //应用ACL.前提是ACL已经被创建。
 switchport access vlan 1      //加入vlan1 ,默认端口都属于vlan1
 switchport qinq normal        //qinq配置。一般不会用到。感兴趣可以看看资料。Qinq可以使交换机支持4096*4096个VLAN
 !
 interface fei_1/2
 negotiation auto
 ip access-group 101 in
 switchport access vlan 302
 switchport qinq normal
 !
 interface fei_1/3
 negotiation auto
 ip access-group 101 in
 switchport access vlan 303
 switchport qinq normal
 !
 interface fei_1/4
 negotiation auto
 ip access-group 101 in
 switchport access vlan 1
 switchport qinq normal
 !
 interface fei_1/5
 negotiation auto
 ip access-group 101 in
 switchport access vlan 1
 switchport qinq normal
 !
 interface fei_1/6
 negotiation auto
 ip access-group 101 in
 switchport access vlan 1
 switchport qinq normal
 !
 interface fei_1/7
 negotiation auto
 ip access-group 101 in
 switchport access vlan 307
 switchport qinq normal
 !
 interface fei_1/8
 negotiation auto
 ip access-group 101 in
 switchport access vlan 308
 switchport qinq normal
 !
 interface fei_1/9
 negotiation auto
 ip access-group 101 in
 switchport access vlan 309
 switchport qinq normal
 !
 interface fei_1/10
 negotiation auto
 ip access-group 101 in
 switchport access vlan 310
 switchport qinq normal
 !
 interface fei_1/11
 negotiation auto
 ip access-group 101 in
 switchport access vlan 311
 switchport qinq normal
 !
 interface fei_1/12
 negotiation auto
 ip access-group 101 in
 switchport access vlan 312
 switchport qinq normal
 !
 interface fei_1/13
 negotiation auto
 ip access-group 101 in
 switchport access vlan 313
 switchport qinq normal
 !
 interface fei_1/14
 negotiation auto
 ip access-group 101 in
 switchport access vlan 314
 switchport qinq normal
 !
 interface fei_1/15
 negotiation auto
 ip access-group 101 in
 switchport access vlan 315
 switchport qinq normal
 !
 interface fei_1/16
 negotiation auto
 ip access-group 101 in
 switchport mode trunk                     ///端口打TAG
 switchport trunk vlan 1000                 ///属于多个vlan
 switchport trunk vlan 1001
 switchport trunk vlan 1002
 switchport qinq normal
 !
 interface fei_1/17
 negotiation auto
 ip access-group 101 in
 switchport access vlan 317
 switchport qinq normal
 !
 interface fei_1/18
 negotiation auto
 ip access-group 101 in
 switchport access vlan 1
 switchport qinq normal
 !
 interface fei_1/19
 negotiation auto
 switchport access vlan 314
 switchport qinq normal
 !
 interface fei_1/20
 negotiation auto
 switchport access vlan 1
 switchport qinq normal
 !
 interface fei_1/21
 negotiation auto
 switchport access vlan 1
 switchport qinq normal
 !
 interface fei_1/22
 negotiation auto
 switchport access vlan 1
 switchport qinq normal
 !
 interface fei_1/23
 negotiation auto
 switchport access vlan 1
 switchport qinq normal
 !
 interface fei_1/24
 negotiation auto
 ip access-group 101 in
 switchport access vlan 1000
 switchport qinq normal
 !
 ip route 0.0.0.0 0.0.0.0 219.150.241.177         //静态默认路由。
 !
 !
 acl extend number 101                            //定义一个访问控制列表。防止一般病毒。
 rule 1 deny tcp any  any eq 135                //注意最后一条允许any any一定要存在。
 rule 2 deny tcp any  any eq 139                //否则不能上网
 rule 3 deny tcp any  any eq 136
 rule 4 deny tcp any  any eq 137
 rule 5 deny tcp any  any eq 445
 rule 6 deny tcp any  any eq 5554
 rule 7 deny tcp any  any eq 9996
 rule 8 deny tcp any  any eq 1433
 rule 9 deny tcp any  any eq 1434
 rule 10 deny udp any  any eq 1433
 rule 11 deny udp any  any eq 1434
 rule 12 deny udp any  any eq 135
 rule 13 deny udp any  any eq 139
 rule 14 deny udp any  any eq 136
 rule 15 deny udp any  any eq 137
 rule 16 deny udp any  any eq 445
 rule 18 deny udp any  any eq 5554
 rule 17 deny udp any  any eq 9996
 rule 19 permit ip any  any
 !
 !
 !
 protocol-packet-protect enable          //默认配置
 !
 no ip igmp snooping                     //新开通时建议关闭组播。
 !
 nas
 !
 !
 end
 qipeizhongxin#
 注意几点:
 1、   配置用户名密码
 2、   设置时钟---对分析故障有作用
 3、   关闭组播、STP
 4、   设置hostname。
 5、   养成习惯,每个接口或者vlan都要加描述
 6、   养成习惯,一般上联设备地址小于下挂设备地址
   |