As the example I will use a D-Link DES-3200-18 C1 switch with firmware 4.36.B012. The commands are the same for switches with a different number of ports; they may differ slightly only between firmware versions and hardware revisions.
Configuring temperature change notifications:
config temperature threshold high 79
config temperature threshold low 11
config temperature trap state disable
config temperature log state enable
Creating an administrator account (имя is the account name; the switch then prompts for a password):
create account admin имя
config admin local_enable
Enabling password encryption:
enable password encryption
Serial port parameters:
config serial_port baud_rate 115200 auto_logout never
Enabling access via the web interface:
enable web 80
Enabling paged output in the CLI:
enable clipaging
Setting the terminal width:
config terminal width 80
Setting the number of terminal lines displayed:
config terminal_line default
Disabling logging of entered commands:
disable command logging
Enabling password recovery:
enable password_recovery
Enabling broadcast traffic limiting (storm control) on all ports:
config traffic control 1 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 2 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 3 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 4 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 5 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 6 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 7 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 8 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 9 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 10 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 11 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 12 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 13 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 14 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 15 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 16 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 17 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 18 broadcast enable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control auto_recover_time 0
config traffic trap none
config traffic control log state enable
Enabling loop detection on all ports except the uplink port 17:
enable loopdetect
config loopdetect recover_timer 1200 interval 10 mode port-based
config loopdetect log state enable
config loopdetect ports 1 state enable
config loopdetect ports 2 state enable
config loopdetect ports 3 state enable
config loopdetect ports 4 state enable
config loopdetect ports 5 state enable
config loopdetect ports 6 state enable
config loopdetect ports 7 state enable
config loopdetect ports 8 state enable
config loopdetect ports 9 state enable
config loopdetect ports 10 state enable
config loopdetect ports 11 state enable
config loopdetect ports 12 state enable
config loopdetect ports 13 state enable
config loopdetect ports 14 state enable
config loopdetect ports 15 state enable
config loopdetect ports 16 state enable
config loopdetect ports 17 state disable
config loopdetect ports 18 state enable
config loopdetect trap none
Disabling port mirroring:
disable mirror
Log settings:
config log_save_timing on_demand
disable syslog
config system_severity trap information
config system_severity log information
Configuring traffic segmentation so that traffic cannot pass between client ports (only to and from the uplink):
config traffic_segmentation 1-16,18 forward_list 17
config traffic_segmentation 17 forward_list all
Prohibiting jumbo frames and configuring the ports:
disable jumbo_frame
config ports 1-16 speed auto flow_control disable learning enable state enable mdix auto
config ports 17 medium_type copper speed auto flow_control disable learning enable state enable mdix auto
config ports 17 medium_type fiber speed auto flow_control disable learning enable state enable
config ports 18 speed auto flow_control disable learning enable state enable
Allowing management of the switch only from the specified IP addresses:
create trusted_host network 192.168.1.1/24 snmp telnet ssh http https ping
create trusted_host network 172.16.100.100/32 snmp telnet ssh http https ping
Configuring SNMP traps:
disable snmp traps
disable snmp authenticate_traps
disable snmp linkchange_traps
config snmp linkchange_traps ports 1-18 disable
config snmp coldstart_traps enable
config snmp warmstart_traps enable
config rmon trap rising_alarm enable
config rmon trap falling_alarm enable
Enabling SNMP and an example SNMP configuration (комьюнити stands for your own community string):
enable snmp
config snmp system_contact [email protected]
delete snmp community public
delete snmp community private
delete snmp user initial
delete snmp group initial
create snmp group public v1 read_view CommunityView notify_view CommunityView
create snmp group public v2c read_view CommunityView notify_view CommunityView
create snmp community public view CommunityView read_only
create snmp group комьюнити v1 read_view CommunityView write_view CommunityView notify_view CommunityView
create snmp group комьюнити v2c read_view CommunityView write_view CommunityView notify_view CommunityView
create snmp community комьюнити view CommunityView read_write
disable community_encryption
Disabling the IGMP multicast VLAN:
disable igmp_snooping multicast_vlan
config igmp_snooping multicast_vlan forward_unmatched disable
Disabling automatic PVID assignment on ports; PVIDs will be configured manually:
disable pvid auto_assign
Clearing the default VLAN (removing all ports from it):
config vlan default delete 1-18
config vlan default advertisement enable
Creating a separate VLAN for switch management:
create vlan core tag 50
config vlan core add tagged 17 advertisement disable
Creating a VLAN for users:
create vlan local_smart tag 51
config vlan local_smart add tagged 17
config vlan local_smart add untagged 1-16,18 advertisement disable
Disabling QinQ (encapsulation of VLAN tags inside a second-level VLAN tag):
disable qinq
Disabling automatic VLAN configuration (GVRP) and assigning the client VLAN as the PVID on all ports:
disable gvrp
config port_vlan 1-18 gvrp_state disable ingress_checking enable acceptable_frame admit_all pvid 51
Configuring and disabling port security:
config port_security system max_learning_addr no_limit
disable port_security trap_log
config port_security ports 1-18 admin_state disable max_learning_addr 32 lock_address_mode deleteonreset
Disabling client authentication (802.1X) on the ports, plus a few default settings:
disable 802.1x
config 802.1x auth_mode port_based
config 802.1x auth_protocol radius_eap
config 802.1x fwd_pdu system disable
config 802.1x max_users no_limit
config 802.1x authorization attributes radius enable
config 802.1x capability ports 1-18 none
config 802.1x auth_parameter ports 1-18 direction both port_control auto quiet_period 60 tx_period 30 supp_timeout 30 server_timeout 30 max_req 2 reauth_period 3600 enable_reauth disable
config 802.1x auth_parameter ports 1-18 max_users 16
MAC address aging time (seconds) in the forwarding table:
config fdb aging_time 300
config block tx ports 1-18 unicast disable
Configuring IP-MAC-port binding on the ports:
config address_binding dhcp_snoop max_entry ports 1 limit no_limit
config address_binding dhcp_snoop max_entry ports 2 limit no_limit
config address_binding dhcp_snoop max_entry ports 3 limit no_limit
config address_binding dhcp_snoop max_entry ports 4 limit no_limit
config address_binding dhcp_snoop max_entry ports 5 limit no_limit
config address_binding dhcp_snoop max_entry ports 6 limit no_limit
config address_binding dhcp_snoop max_entry ports 7 limit no_limit
config address_binding dhcp_snoop max_entry ports 8 limit no_limit
config address_binding dhcp_snoop max_entry ports 9 limit no_limit
config address_binding dhcp_snoop max_entry ports 10 limit no_limit
config address_binding dhcp_snoop max_entry ports 11 limit no_limit
config address_binding dhcp_snoop max_entry ports 12 limit no_limit
config address_binding dhcp_snoop max_entry ports 13 limit no_limit
config address_binding dhcp_snoop max_entry ports 14 limit no_limit
config address_binding dhcp_snoop max_entry ports 15 limit no_limit
config address_binding dhcp_snoop max_entry ports 16 limit no_limit
config address_binding dhcp_snoop max_entry ports 17 limit no_limit
config address_binding dhcp_snoop max_entry ports 18 limit no_limit
config address_binding ip_mac ports 1-18 protocol ipv4
config address_binding ip_mac ports 1-18 allow_zeroip enable
disable address_binding dhcp_snoop
disable address_binding trap_log
enable address_binding roaming
disable address_binding dhcp_snoop ipv6
disable address_binding nd_snoop
config address_binding dhcp_snoop max_entry ports 1-18 limit no_limit ipv6
config address_binding nd_snoop ports 1-18 max_entry no_limit
Enabling NetBIOS filtering on the ports, in effect blocking access to shared drives:
config filter netbios 1-18 state enable
config filter extensive_netbios 1-18 state enable
Configuring filtering of malicious DoS packets:
config dos_prevention dos_type land_attack action drop state enable
config dos_prevention dos_type blat_attack action drop state enable
config dos_prevention dos_type tcp_null_scan action drop state enable
config dos_prevention dos_type tcp_xmasscan action drop state enable
config dos_prevention dos_type tcp_synfin action drop state enable
config dos_prevention dos_type tcp_syn_srcport_less_1024 action drop state enable
config dos_prevention dos_type ping_death_attack action drop state enable
config dos_prevention dos_type tcp_tiny_frag_attack action drop state enable
config dos_prevention trap disable
config dos_prevention log disable
Blocking DHCP servers on all ports except the uplink:
config filter dhcp_server ports all state disable
config filter dhcp_server ports 1-16,18 state enable
config filter dhcp_server illegal_server_log_suppress_duration 30min
config filter dhcp_server trap_log enable
BPDU flood protection:
enable bpdu_protection
config bpdu_protection recovery_timer 300
config bpdu_protection trap none
config bpdu_protection log attack_detected
config bpdu_protection ports 1-16,18 state enable
config bpdu_protection ports 1-18 mode drop
Enabling the Safeguard Engine:
config safeguard_engine state enable utilization rising 98 falling 90 trap_log enable mode fuzzy
Disabling switch management over SSH:
disable ssh
Enabling telnet access:
enable telnet 23
Disabling e-mail notifications over SMTP:
disable smtp
Configuring SNTP time settings:
enable sntp
config time_zone operator + hour 2 min 0
config sntp primary 192.168.1.1 secondary 0.0.0.0 poll-interval 40000
config dst disable
Default link aggregation parameters:
config link_aggregation algorithm mac_source
config lacp_port 1-18 mode passive
Assigning an IP address to the switch (in the management VLAN):
config ipif System ipaddress 192.168.1.100/24
config ipif System vlan core
config ipif System dhcp_option12 state disable
disable autoconfig
config autoconfig timeout 50
Disabling ERPS protocol support:
disable erps
config erps log disable
config erps trap disable
Disabling CFM:
disable cfm
Disabling LLDP:
disable lldp
config lldp message_tx_interval 30
config lldp tx_delay 2
config lldp message_tx_hold_multiplier 4
config lldp reinit_delay 2
config lldp notification_interval 5
config lldp ports 1-18 notification disable
config lldp ports 1-18 admin_status tx_and_rx
Disabling MAC-based access control, with a few default parameters:
disable mac_based_access_control
config mac_based_access_control authorization attributes radius enable local enable
config mac_based_access_control ports 1-18 state disable
config mac_based_access_control ports 1 max_users 128
config mac_based_access_control ports 1 aging_time 1440
config mac_based_access_control ports 1 block_time 300
config mac_based_access_control ports 2 max_users 128
config mac_based_access_control ports 2 aging_time 1440
config mac_based_access_control ports 2 block_time 300
config mac_based_access_control ports 3 max_users 128
config mac_based_access_control ports 3 aging_time 1440
config mac_based_access_control ports 3 block_time 300
config mac_based_access_control ports 4 max_users 128
config mac_based_access_control ports 4 aging_time 1440
config mac_based_access_control ports 4 block_time 300
config mac_based_access_control ports 5 max_users 128
config mac_based_access_control ports 5 aging_time 1440
config mac_based_access_control ports 5 block_time 300
config mac_based_access_control ports 6 max_users 128
config mac_based_access_control ports 6 aging_time 1440
config mac_based_access_control ports 6 block_time 300
config mac_based_access_control ports 7 max_users 128
config mac_based_access_control ports 7 aging_time 1440
config mac_based_access_control ports 7 block_time 300
config mac_based_access_control ports 8 max_users 128
config mac_based_access_control ports 8 aging_time 1440
config mac_based_access_control ports 8 block_time 300
config mac_based_access_control ports 9 max_users 128
config mac_based_access_control ports 9 aging_time 1440
config mac_based_access_control ports 9 block_time 300
config mac_based_access_control ports 10 max_users 128
config mac_based_access_control ports 10 aging_time 1440
config mac_based_access_control ports 10 block_time 300
config mac_based_access_control ports 11 max_users 128
config mac_based_access_control ports 11 aging_time 1440
config mac_based_access_control ports 11 block_time 300
config mac_based_access_control ports 12 max_users 128
config mac_based_access_control ports 12 aging_time 1440
config mac_based_access_control ports 12 block_time 300
config mac_based_access_control ports 13 max_users 128
config mac_based_access_control ports 13 aging_time 1440
config mac_based_access_control ports 13 block_time 300
config mac_based_access_control ports 14 max_users 128
config mac_based_access_control ports 14 aging_time 1440
config mac_based_access_control ports 14 block_time 300
config mac_based_access_control ports 15 max_users 128
config mac_based_access_control ports 15 aging_time 1440
config mac_based_access_control ports 15 block_time 300
config mac_based_access_control ports 16 max_users 128
config mac_based_access_control ports 16 aging_time 1440
config mac_based_access_control ports 16 block_time 300
config mac_based_access_control ports 17 max_users 128
config mac_based_access_control ports 17 aging_time 1440
config mac_based_access_control ports 17 block_time 300
config mac_based_access_control ports 18 max_users 128
config mac_based_access_control ports 18 aging_time 1440
config mac_based_access_control ports 18 block_time 300
config mac_based_access_control ports 1-18 mode host_based
config mac_based_access_control method local
config mac_based_access_control password default
config mac_based_access_control max_users no_limit
config mac_based_access_control trap state enable
config mac_based_access_control log state enable
Disabling multicast traffic management (IGMP and MLD snooping), with a few default parameters:
disable igmp_snooping
config igmp_snooping data_driven_learning max_learned_entry 128
config igmp_snooping vlan_name default fast_leave disable report_suppression enable state disable
config igmp_snooping querier vlan_name default query_interval 125 max_response_time 10 robustness_variable 2 last_member_query_interval 1 state disable version 3
config igmp_snooping data_driven_learning vlan_name default expiry_time 260 state enable aged_out disable
config igmp_snooping vlan_name core fast_leave disable report_suppression enable state disable
config igmp_snooping querier vlan_name core query_interval 125 max_response_time 10 robustness_variable 2 last_member_query_interval 1 state disable version 3
config igmp_snooping data_driven_learning vlan_name core expiry_time 260 state enable aged_out disable
config igmp_snooping vlan_name local_smart fast_leave disable report_suppression enable state disable
config igmp_snooping querier vlan_name local_smart query_interval 125 max_response_time 10 robustness_variable 2 last_member_query_interval 1 state disable version 3
config igmp_snooping data_driven_learning vlan_name local_smart expiry_time 260 state enable aged_out disable
config cpu_filter l3_control_pkt 1-18 all state disable
disable mld_snooping
config mld_snooping data_driven_learning max_learned_entry 128
config mld_snooping vlan_name default fast_done disable report_suppression enable state disable
config mld_snooping querier vlan_name default query_interval 125 max_response_time 10 robustness_variable 2 last_listener_query_interval 1 state disable version 2
config mld_snooping data_driven_learning vlan_name default expiry_time 260 state enable aged_out disable
config mld_snooping vlan_name core fast_done disable report_suppression enable state disable
config mld_snooping querier vlan_name core query_interval 125 max_response_time 10 robustness_variable 2 last_listener_query_interval 1 state disable version 2
config mld_snooping data_driven_learning vlan_name core expiry_time 260 state enable aged_out disable
config mld_snooping vlan_name local_smart fast_done disable report_suppression enable state disable
config mld_snooping querier vlan_name local_smart query_interval 125 max_response_time 10 robustness_variable 2 last_listener_query_interval 1 state disable version 2
config mld_snooping data_driven_learning vlan_name local_smart expiry_time 260 state enable aged_out disable
Disabling the extended authentication system (AAA), keeping local authentication only:
config authen_login default method local
config authen_enable default method local_enable
config accounting default method none
config authen application console login default
config authen application console enable default
config authen application telnet login default
config authen application telnet enable default
config authen application ssh login default
config authen application ssh enable default
config authen application http login default
config authen application http enable default
config authen parameter response_timeout 30
config authen parameter attempt 3
disable authen_policy
config accounting service network state disable
config accounting service shell state disable
config accounting service system state disable
config accounting service command administrator none
config accounting service command operator none
config accounting service command power_user none
config accounting service command user none
disable authen_policy_encryption
Disabling DHCP relay, with a few default parameters:
disable dhcp_local_relay
config dhcp_local_relay option_82 remote_id default
config dhcp_local_relay option_82 circuit_id default
config dhcp_local_relay option_82 ports 1-18 policy keep
disable dhcp_relay
config dhcp_relay hops 4 time 0
config dhcp_relay option_82 state disable
config dhcp_relay option_82 check disable
config dhcp_relay option_82 policy replace
config dhcp_relay option_82 remote_id default
config dhcp_relay option_82 circuit_id default
config dhcp_relay option_60 state disable
config dhcp_relay option_61 state disable
config dhcp_relay option_60 default mode drop
config dhcp_relay option_61 default drop
config dhcp_relay ports 1-18 state enable
ARP parameters:
config arp_aging time 20
config gratuitous_arp send ipif_status_up enable
config gratuitous_arp send dup_ip_detected enable
config gratuitous_arp learning enable
Disabling IGMP access authentication via RADIUS on the ports:
config igmp access_authentication ports 1-18 state disable
Adding a default gateway:
create iproute default 192.168.1.1 1 primary
Saving the configuration:
save all
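An added audit script (example code of my own, not from the original post or from D-Link) that scans a DES-3200 command listing like the one above and reports the management-plane settings a reviewer would want to re-check: telnet versus SSH, password recovery, command logging, SNMP community handling and trusted-host scope. The sample input is constructed from the commands on this page, and the finding names are my own.

```python
import re

# Constructed sample (not a real device dump): management-plane commands taken
# from the walkthrough above, one command per line as the CLI accepts them.
SAMPLE_CONFIG = """
enable password encryption
disable command logging
enable password_recovery
create trusted_host network 192.168.1.1/24 snmp telnet ssh http https ping
create trusted_host network 172.16.100.100/32 snmp telnet ssh http https ping
enable snmp
delete snmp community public
delete snmp community private
create snmp community public view CommunityView read_only
create snmp community комьюнити view CommunityView read_write
disable community_encryption
enable web 80
disable ssh
enable telnet 23
"""


def _has(cmds, prefix):
    # True if any command in the listing starts with the given text.
    return any(c.startswith(prefix) for c in cmds)


def audit(config_text):
    """Return a list of (finding_id, message) for weak management settings."""
    cmds = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    out = []
    if _has(cmds, "enable telnet"):
        out.append(("telnet-enabled", "CLI management over cleartext telnet"))
    if _has(cmds, "disable ssh"):
        out.append(("ssh-disabled", "SSH disabled; only telnet/web remain for remote CLI"))
    if _has(cmds, "enable web "):
        out.append(("web-http", "web UI served over plain HTTP"))
    if _has(cmds, "enable password_recovery"):
        out.append(("password-recovery", "console password recovery enabled"))
    if _has(cmds, "disable command logging"):
        out.append(("no-command-log", "no audit trail of configuration changes"))
    if not _has(cmds, "enable password encryption"):
        out.append(("plaintext-passwords", "passwords stored unencrypted in config"))
    if _has(cmds, "disable community_encryption"):
        out.append(("community-encryption-off", "SNMP community strings kept in cleartext"))
    # Community strings only exist for SNMP v1/v2c, so any read_write community
    # is a write path protected by nothing more than a shared secret on the wire.
    for c in cmds:
        m = re.match(r"create snmp community (\S+) view \S+ (read_only|read_write)$", c)
        if m is None:
            continue
        name, access = m.groups()
        if name in ("public", "private"):
            out.append(("default-community", f"well-known community '{name}' recreated ({access})"))
        if access == "read_write":
            out.append(("rw-community", f"community '{name}' grants write access over SNMP v1/v2c"))
    # trusted_host entries: absent means management is reachable from anywhere;
    # a prefix shorter than /24 admits a wide source range.
    hosts = [re.match(r"create trusted_host network (\S+)/(\d+)", c) for c in cmds]
    hosts = [m for m in hosts if m]
    if not hosts:
        out.append(("no-trusted-host", "management reachable from any source address"))
    for m in hosts:
        if int(m.group(2)) < 24:
            out.append(("broad-trusted-host", f"{m.group(1)}/{m.group(2)} admits a wide source range"))
    return out


def audit_ids(config_text):
    # Finding ids only, convenient for tests and CI gates.
    return [fid for fid, _ in audit(config_text)]
```

Running `audit(SAMPLE_CONFIG)` on the page's own choices reports telnet enabled, SSH disabled, HTTP-only web, password recovery, command logging off, community encryption off, the recreated `public` community and the read_write community.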
Source: http://ixnfo.com/nastroyka-kommutatora-d-link-des-3200.html