dell N1500 安全配置

http://www.dell.com/Support/Article/us/en/19/HOW10832

Setting a management IP address

A reachable IP address is needed to manage the switch when not using a serial connection. IP addresses must be configured on VLAN interfaces. To set an IP address input the following commands. This example assigns 192.168.0.254 to VLAN 1.

console>enable
console#configure
console(config)#interface vlan 1
console(config-if)#ip address 192.168.0.254 /24

It is recommended to make a separate VLAN for management of all your network devices when possible. This separates management traffic from data traffic, which increases performance and can have side effect of increased security.

If managing the switch from a separate network, the switch will need a default gateway just like a workstation so management protocols such as telnet, or TFTP, can find other networks. The following command configures a default gateway.

console(config)#ip default-gateway 192.168.0.1

Setting user accounts and enable password

To manage the switch without serial, you will need a username, and password. Telnet and SSH will require an enable password. Use the following commands to set a user account and enable password. This example uses the username Dell with a password of P@ $$w0rd. The enable password example is ENP@$$ w0rd.

console>enable
console#configure
console(config)#username Dell password P@$$w0rd encrypted privilege 15
console(config)#enable password ENP@$$w0rd

Choosing Telnet, SSH, HTTP, or HTTPS for management

The default protocols are Telnet and HTTP. Telnet and SSH provide command line based management through a tool such as Putty or Terraterm. HTTP and HTTPS provide a GUI based management through a web browser such as Internet Explorer or Chrome. It is possible to run all four, or none of the protocols. If all are disabled, the only management on the switch is Serial.

For security, it is recommended to turn off enable SSH and HTTPS, and disable Telnet and HTTP. Telnet and HTTP transfer packets over plain text, meaning if a person is capturing packets, he can read all the commands, and username and password of the switch while managing it. SSH and HTTPS encrypts the packets with strengthens security.

To enable SSH and HTTPS input the following commands.

console(config)#crypto key generate dsa
console(config)#crypto key generate rsa
console(config)#ip ssh server
console(config)#crypto certificate 1 generate
console(config-crypto-cert)#key-generate
console(config-crypto-cert)#exit
console(config)#ip http secure-server

console(config)#ip telnet server disable
console(config)#no ip http server

Saving configuration

When satisfied with the configuration, you must save it. Without saving configuration, if the switch reboots it will lose all configuration not saved.

console#wr
This operation may take a few minutes.
Management interfaces will not be available during this time.
Are you sure you want to save? (y/n) y

组播抑制

interface vlan 10
ip address 10.180.1.8 255.255.255.0
exit

interface vlan 20
ip igmp snooping vlan 20
ip igmp snooping querier vlan 20
exit

interface vlan 30
exit

interface range gi1/0/1-24
switchport access vlan 10
exit

interface range gi1/0/25-40
switchport access vlan 20
exit

interface range gi1/0/41-48
switchport access vlan 30
exit