华为交换机:
#Huawei switch (VRP) hardening baseline. Lines starting with '#' are comments;
#every other line is a configuration command and is reproduced unchanged.
#Lines marked NOTE(review) are reviewer observations or assumptions to confirm
#against the target platform/version, not facts taken from this file.
#Name the switch
sysname Hexin_backup
#Send logs to the log server, sourced from the management VLAN interface
info-center loghost source Vlanif4000
info-center loghost 10.0.0.247
#Configure DNS so the NTP server hostnames below can be resolved
dns resolve
dns server 223.5.5.5
dns server 223.6.6.6
#Create the dedicated security-device management VLAN, the server VLAN and the
#business VLANs
vlan batch 4000 to 4003
#Root role and TC protection
#NOTE(review): only the secondary-root role and TC-protection are set here;
#root protection is a per-interface setting and does not appear in this file.
stp instance 0 root secondary
stp tc-protection threshold 10
#LLDP may be enabled; the command below DISABLES it globally — confirm which is
#intended (LLDP leaks topology to neighbours, but is useful for troubleshooting)
undo lldp enable
#Disable high-risk services: HTTP and HTTPS
#NOTE(review): the original note also lists telnet, but no command disabling
#the telnet server appears in this file — verify telnet is off on the device.
undo http server enable
undo http secure-server enable
#Set the time zone (UTC+8)
clock timezone BJ add 08:00:00
#Basic ACLs: 2000 permits only the bastion host to manage the device;
#2002 permits only the NMS host (used as the SNMPv3 group ACL further down).
#Both end with an explicit deny-all rule.
acl number 2000
description Baoleiji_to_Hexin
rule 5 permit source 10.0.0.248 0
rule 10 deny
acl number 2002
rule 5 permit source 172.16.8.135 0
rule 10 deny
#VLAN descriptions: 4000 management, 4001 business, 4002 servers, 4003 interconnect
vlan 4000
description MGMT
vlan 4001
description YeWu
vlan 4002
description Server
vlan 4003
description HuLian
#AAA — this section is mandatory
aaa
authentication-scheme default
authentication-mode local
authentication-scheme radius
authentication-mode radius
authorization-scheme default
authorization-mode local
accounting-scheme default
accounting-mode none
local-aaa-user password policy administrator
#Domain "default" (access users) authenticates via RADIUS; domain
#"default_admin" (administrators) authenticates locally.
#NOTE(review): the radius-server template "default" is referenced, but no
#RADIUS server address or shared key appears in this file — confirm it is
#defined elsewhere, otherwise RADIUS-domain logins cannot succeed.
domain default
authentication-scheme radius
accounting-scheme default
radius-server default
domain default_admin
authentication-scheme default
accounting-scheme default
#Lock an account for 10 minutes after 3 wrong passwords within 5 minutes,
#and enforce enhanced password complexity
local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 10
user-password complexity-check enhance
#Local accounts: administrator (level 15), security administrator (level 1),
#auditor (level 0); all restricted to the SSH service type.
#NOTE(review): the user names and passwords look like placeholders
#("suijimima" = "random password") — replace them before deployment. Every
#secret in this file (user, SNMPv3, VRRP and console passwords) is written in
#plain text, so the file itself must be handled as sensitive.
undo local-user guanliyuansuiji1
local-user guanliyuansuiji1 password suijimima@123.A
local-user guanliyuansuiji1 privilege level 15
local-user guanliyuansuiji1 service-type ssh
local-user anquanguanliyuan1 password suijimima@123.B
local-user anquanguanliyuan1 privilege level 1
local-user anquanguanliyuan1 service-type ssh
local-user anquanshenjiyuan1 password suijimima@123.C
local-user anquanshenjiyuan1 privilege level 0
local-user anquanshenjiyuan1 service-type ssh
#NTP: IPv6 server disabled, requests sourced from the management VLAN,
#two public upstream servers (resolved via the DNS servers above)
ntp-service ipv6 server disable
ntp-service source-interface Vlanif4000
ntp-service unicast-server ntp1.aliyun.com
ntp-service unicast-server ntp2.aliyun.com
#Management VLAN interface and gateway; VRRP or stacking can provide HA
#NOTE(review): VRRP uses simple (clear-text) authentication, which protects
#only against accidental misconfiguration, not against a spoofed VRRP peer on
#the management VLAN; md5 authentication is the stronger option if supported.
interface Vlanif4000
ip address 10.0.0.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.0.0.1
vrrp vrid 2 preempt-mode timer delay 5
vrrp vrid 2 authentication-mode simple suijimima@123D
#Link aggregation groups for uplink/downlink
#NOTE(review): the trunk to the core allows VLANs 2-4094, far more than the
#four VLANs created here — confirm whether the allowed list can be limited to
#the VLANs actually carried.
interface Eth-Trunk1
description Connect_to_CoreSwitch
port link-type trunk
port trunk allow-pass vlan 2 to 4094
interface Eth-Trunk2
description Connect_to_Firewall
port link-type access
port default vlan 4001
#Shut down the unused management port
interface Ethernet0/0/0
shutdown
#Port facing the security devices: access port in the management VLAN,
#configured as an STP edge port
interface GigabitEthernet3/0/0
description MGMT
port link-type access
port default vlan 4000
stp edged-port enable
#Static IP/MAC bindings for the servers
#NOTE(review): 172.160.1.0 is outside the private 172.16.0.0/12 range and is
#not the server VLAN subnet shown anywhere else in this file — confirm these
#addresses are not a typo (e.g. for 172.16.1.x).
arp static 172.160.1.10 e861-1f65-bd00
arp static 172.160.1.8 e861-1f65-8b01
arp static 172.160.1.7 e861-1a39-f731
arp static 172.160.1.9 e861-1f65-baa9
arp static 172.160.1.6 e861-1a39-f4b4
#A floating static route is recommended as an escape path
#NOTE(review): only one default route with no preference value is shown, so
#as written this is the primary default route rather than a floating one.
ip route-static 0.0.0.0 0.0.0.0 10.255.255.2
#SNMPv3 for the NMS: auth (SHA) + privacy (AES-128), group access limited by
#ACL 2002 to the NMS host
#NOTE(review): the group has write access to the whole iso subtree; if the NMS
#only polls, a read-only view would be least privilege.
#NOTE(review): every other management service is sourced from Vlanif4000, but
#SNMP is bound to Vlanif1, which is not configured in this file — confirm this
#is intended.
snmp-agent
snmp-agent local-engineid 8000DDED033CC7868D8CE0
snmp-agent sys-info version v3
snmp-agent group v3 group001 privacy read-view isoview write-view isoview notify-view isoview acl 2002
snmp-agent mib-view included isoview iso
snmp-agent usm-user v3 user001
snmp-agent usm-user v3 user001 group group001
snmp-agent usm-user v3 user001 authentication-mode sha suijimima@123E
snmp-agent usm-user v3 user001 privacy-mode aes128 cipher suijimima@123R
undo snmp-agent protocol source-status all-interface
snmp-agent protocol source-interface Vlanif1
undo snmp-agent protocol source-status ipv6 all-interface
#SSH server, SSH users and the cipher/MAC/key-exchange allow-lists
#(CTR ciphers, SHA-2 HMAC, DH groups 14 and above, 2048-bit minimum DH,
#RSA-SHA2 host keys; weak legacy algorithms are thereby excluded)
#NOTE(review): all three SSH users use password authentication only;
#public-key authentication would remove the password as the single factor.
#NOTE(review): "ssh client first-time enable" makes the switch, when acting as
#an SSH client, accept an unknown server host key on the first connection,
#i.e. it skips server authentication that one time — consider disabling it
#and pre-loading peer public keys if the switch initiates SSH sessions.
stelnet server enable
ssh user guanliyuansuiji1
ssh user guanliyuansuiji1 authentication-type password
ssh user guanliyuansuiji1 service-type stelnet
ssh user anquanguanliyuan1
ssh user anquanguanliyuan1 authentication-type password
ssh user anquanguanliyuan1 service-type stelnet
ssh user anquanshenjiyuan1
ssh user anquanshenjiyuan1 authentication-type password
ssh user anquanshenjiyuan1 service-type stelnet
ssh client first-time enable
ssh server-source -i Vlanif4000
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256
ssh server key-exchange dh_group16_sha512 dh_group15_sha512 dh_group14_sha256 dh_group_exchange_sha256
ssh client cipher aes256_ctr aes128_ctr
ssh client hmac sha2_256
ssh client key-exchange dh_group16_sha512 dh_group15_sha512 dh_group14_sha256 dh_group_exchange_sha256
ssh server dh-exchange min-len 2048
ssh server publickey rsa_sha2_512 rsa_sha2_256
#Login banners shown before and after login
header shell information " Warning:Your operation will be recorded!!! "
header login information " Warning:only authorize login is allowed!!! "
#Commands granted to privilege level 1
#NOTE(review): "display current-configuration" and "display saved-configuration"
#reveal the full configuration, including stored credential ciphers and the
#SNMPv3 user settings, to the level-1 account — confirm that role needs them;
#"display diagnostic-information" likewise includes the configuration.
command-privilege level 1 view shell display logbuffer
command-privilege level 1 view shell display memory-usage
command-privilege level 1 view shell display saved-configuration
command-privilege level 1 view shell display patch-information
command-privilege level 1 view shell display device
command-privilege level 1 view shell display current-configuration
command-privilege level 1 view shell display diagnostic-information
#Login methods and out-of-band (console) login protection
#NOTE(review): the console uses one shared password instead of AAA, so
#console sessions are not tied to a named account in the logs.
#NOTE(review): idle-timeout is 30 minutes on both console and VTY; common
#hardening baselines use a shorter value.
user-interface con 0
authentication-mode password
set authentication password suijimima@123T
idle-timeout 30 0
#VTY: only ACL 2000 (bastion host) may connect, authentication via AAA
#NOTE(review): under AAA the local-user privilege level normally takes
#precedence, so "user privilege level 15" is the fallback level for sessions
#without a per-user level; 15 is the maximum — confirm a lower fallback is
#not preferable.
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
user privilege level 15
idle-timeout 30 0