文章目录
一、华为交换机配置
1️⃣开启Telnet
# 创建管理用户<Huawei> system-view[Huawei] aaa[Huawei-aaa] local-user admin password cipher Huawei@123[Huawei-aaa] local-user admin privilege level 15[Huawei-aaa] local-user admin service-type telnet# 配置VTY线路[Huawei] user-interface vty 0 4[Huawei-ui-vty0-4] authentication-mode aaa[Huawei-ui-vty0-4] protocol inbound telnet
2️⃣开启SSH
# 生成密钥对[Huawei] dsa local-key-pair create
[Huawei] rsa local-key-pair create # 创建管理用户 <Huawei> system-view [Huawei] aaa [Huawei-aaa] local-user admin password cipher Huawei@123 [Huawei-aaa] local-user admin privilege level 15 [Huawei-aaa] local-user admin service-type ssh
# 配置SSH服务[Huawei] stelnet serverenable[Huawei] ssh user admin authentication-type password[Huawei] ssh user admin service-type stelnet# VTY线路启用SSH
[Huawei] user-interface vty 0 4 [Huawei-ui-vty0-4] authentication-mode aaa
[Huawei-ui-vty0-4] protocol inbound ssh
二、华三交换机(H3C)配置
1️⃣开启Telnet
# 创建用户并授权<H3C> system-view[H3C] local-user admin class manage[H3C-luser-manage-admin] password simple H3C@123[H3C-luser-manage-admin] service-type telnet[H3C-luser-manage-admin] authorization-attribute user-role network-admin# VTY配置[H3C] line vty 0 63[H3C-line-vty0-63] authentication-mode scheme[H3C-line-vty0-63] protocol inbound telnet
2️⃣开启SSH
# 生成密钥[H3C] public-keylocalcreate rsa
[H3C] public-keylocalcreate dsa # 创建用户并授权 <H3C> system-view [H3C] local-user admin class manage [H3C-luser-manage-admin] password simple H3C@123 [H3C-luser-manage-admin] service-type telnet [H3C-luser-manage-admin] authorization-attribute user-role network-admin
# 启用SSH服务 [H3C] ssh serverenable[H3C] ssh user admin service-type stelnet authentication-type password
[H3C] line vty 0 63[H3C-line-vty0-63] authentication-mode scheme[H3C-line-vty0-63] protocol inbound ssh
三、思科交换机(Cisco)配置
1️⃣开启Telnet
# 配置本地用户Switch>enableSwitch# configure terminalSwitch(config)# username admin privilege 15 secret Cisco@123# VTY线路配置Switch(config)# line vty 0 15Switch(config-line)# login localSwitch(config-line)# transport input telnet
2️⃣开启SSH
# 生成域名密钥Switch(config)# ip domain-name cisco.comSwitch(config)# crypto key generate rsa modulus 2048# 配置SSH参数Switch(config)# ip ssh version 2Switch(config)# ip ssh authentication-retries 3Switch(config)# line vty 0 15Switch(config-line)# transport input ssh
四、中兴交换机(ZTE)配置
1️⃣开启Telnet
# 全局配置ZXR10>enableZXR10# configure terminalZXR10(config)# aaa new-modelZXR10(config)# username admin password ZTE@123 privilege 15# VTY配置ZXR10(config)# line vty 0 4ZXR10(config-line)# login authentication defaultZXR10(config-line)# transport input telnet
2️⃣开启SSH
# 生成密钥ZXR10(config)# crypto key generate rsaZXR10(config)# ip ssh server# 配置用户访问ZXR10(config)# username admin sshkey "ssh-rsa AAAAB3NzaC1yc..."ZXR10(config-line)# transport input ssh
五、锐捷交换机(Ruijie)配置
1️⃣开启Telnet
# 创建用户Ruijie>enableRuijie# configure terminalRuijie(config)# username admin privilege 15 password Ruijie@123# 启用服务Ruijie(config)# enable service telnet-server# VTY配置Ruijie(config)# line vty 0 4Ruijie(config-line)# login localRuijie(config-line)# transport input telnet
2️⃣开启SSH
# 生成密钥Ruijie(config)# crypto key generate rsaRuijie(config)# ip ssh version 2# 配置SSH参数Ruijie(config)# username admin sshkey "ssh-rsa AAAAB3NzaC1yc..."Ruijie(config-line)# transport input ssh
六、安全加固建议
#️⃣禁用telnet(优先用SSH):
# 华为/华三[Huawei-ui-vty0-4] protocol inbound ssh# 思科Switch(config-line)# transport input ssh
#️⃣限制访问源IP:
# 华为ACL示例[Huawei] acl 2000[Huawei-acl-basic-2000] rule permitsource10.1.1.0 0.0.0.255[Huawei-ui-vty0-4] acl 2000 inbound
#️⃣设置登陆超时:
# 思科配置Switch(config-line)# exec-timeout 5 0 # 5分钟无操作自动断开
💡运维提示:
⏩测试连通性:telnet ip 23或ssh admin@ip
⏩查看SSH状态:
🔍华为:display ssh server status
🔍思科:show ip ssh
⏩升级固件:部分旧设备需要升级IOS支持SSHv2END
发表回复