When bringing up devices for a new project, the worst part is standing on site checking the docs with one hand and typing commands with the other, rushed and prone to missing a setting. This article gives you a day-one configuration template that works across five vendors: the commands are laid out side by side, so when a new device arrives you follow along and change the IPs. Huawei, H3C, ZTE, Ruijie and Maipu are all covered.
Template approach: what has to be configured on day one?
Whichever vendor it is, the standard bring-up flow for a new switch is essentially the same:
1. Basic system settings (hostname, time, management IP)
2. VLAN plan (create VLANs, assign ports)
3. Link aggregation (more bandwidth, higher availability)
4. Port security (MAC limits, loop protection)
5. Remote management (Telnet/SSH)
6. Verify and save
Follow this order and nothing gets skipped.
1. Huawei (VRP)
Basic system settings
# Set the time zone and clock first (both are user-view commands on VRP)
<Huawei> clock timezone BJ add 08:00:00
<Huawei> clock datetime 11:05:00 2026-04-24
# Time zone is UTC+8; fill in the actual date
# Enter system view and set the device name
<Huawei> system-view
[Huawei] sysname SW-Core-01
# Name devices "project-location-number" so they are easy to identify on site
# Create the management VLAN and its interface IP (used for remote management)
[Huawei] vlan 100
[Huawei-vlan100] quit
[Huawei] interface Vlanif100
[Huawei-Vlanif100] ip address 192.168.100.10 24
[Huawei-Vlanif100] quit
# Keep the management VLAN on its own; do not mix it into a business VLAN
Create business VLANs
# Create the business VLANs in one batch
[Huawei] vlan batch 10 20 30 40
# Several at once, space-separated; no need to type them one by one
# Enter the interface, make it an access port and put it in VLAN 10
[Huawei] interface GigabitEthernet0/0/1
[Huawei-GigabitEthernet0/0/1] port link-type access
[Huawei-GigabitEthernet0/0/1] port default vlan 10
[Huawei-GigabitEthernet0/0/1] quit
# Enter the interface, make it a trunk and allow several VLANs through
[Huawei] interface GigabitEthernet0/0/24
[Huawei-GigabitEthernet0/0/24] port link-type trunk
[Huawei-GigabitEthernet0/0/24] port trunk allow-pass vlan 10 20 30 40 100
[Huawei-GigabitEthernet0/0/24] port trunk pvid vlan 100
# The PVID is the native VLAN; configure it if the trunk must carry untagged traffic, and make sure that VLAN is also in the allow-pass list
[Huawei-GigabitEthernet0/0/24] quit
Link aggregation
# Create the aggregation port in manual mode (no LACP)
[Huawei] interface Eth-Trunk 1
[Huawei-Eth-Trunk1] trunkport GigabitEthernet 0/0/22 to 0/0/23
# Ports 22 and 23 join the group and are bundled into one logical link
[Huawei-Eth-Trunk1] port link-type trunk
[Huawei-Eth-Trunk1] port trunk allow-pass vlan all
[Huawei-Eth-Trunk1] quit
Port security
# Enter the interface, enable port security and cap the number of MAC addresses
[Huawei] interface GigabitEthernet0/0/2
[Huawei-GigabitEthernet0/0/2] port link-type access
[Huawei-GigabitEthernet0/0/2] port default vlan 10
[Huawei-GigabitEthernet0/0/2] port-security enable
[Huawei-GigabitEthernet0/0/2] port-security max-mac-num 3
[Huawei-GigabitEthernet0/0/2] port-security protect-action restrict
# At most 3 MAC addresses; beyond that, frames from unknown MACs are dropped and an alarm is raised (the other protect-action values are protect and shutdown)
[Huawei-GigabitEthernet0/0/2] quit
# Loop protection: enable loop detection
[Huawei] loopback-detect enable
[Huawei] interface GigabitEthernet0/0/3
[Huawei-GigabitEthernet0/0/3] loopback-detect enable
[Huawei-GigabitEthernet0/0/3] loopback-detect action shutdown
# Shut the port down automatically when a loop is detected
[Huawei-GigabitEthernet0/0/3] quit
Remote management (SSH)
# Generate the key pair and enable the SSH server
[Huawei] rsa local-key-pair create
[Huawei] stelnet server enable
# Create the administrator account
[Huawei] aaa
[Huawei-aaa] local-user admin password irreversible-cipher Admin@123
[Huawei-aaa] local-user admin privilege level 15
[Huawei-aaa] local-user admin service-type ssh
[Huawei-aaa] quit
# Basic ACL: only the management subnet may log in (create it before binding it to the VTY lines)
[Huawei] acl 2000
[Huawei-acl-basic-2000] rule 5 permit source 192.168.100.0 0.0.0.255
[Huawei-acl-basic-2000] rule 100 deny source any
[Huawei-acl-basic-2000] quit
# Bind the VTY lines to SSH
[Huawei] user-interface vty 0 4
[Huawei-ui-vty0-4] acl 2000 inbound
[Huawei-ui-vty0-4] authentication-mode aaa
[Huawei-ui-vty0-4] protocol inbound ssh
[Huawei-ui-vty0-4] quit
Verify and save
[Huawei] display vlan           # VLAN configuration
[Huawei] display port vlan      # port VLAN membership
[Huawei] display eth-trunk 1    # link-aggregation status
[Huawei] display mac-address    # MAC address table
[Huawei] save                   # save the configuration; do not skip this!
2. H3C (Comware)
Basic system settings
<H3C> system-view
[H3C] sysname SW-Core-01
# Same naming as on Huawei so the team manages devices consistently
# Set the time zone and NTP
[H3C] clock timezone BJ add 08:00:00
[H3C] clock protocol ntp
[H3C] ntp-service enable
[H3C] ntp-service unicast-server 192.168.100.1
# If the site has an NTP server, point the switch at it
# Create the management VLAN and its interface IP
[H3C] vlan 100
[H3C-vlan100] quit
[H3C] interface Vlan-interface100
[H3C-Vlan-interface100] ip address 192.168.100.10 24
[H3C-Vlan-interface100] quit
Create business VLANs
[H3C] vlan 10
[H3C-vlan10] quit
[H3C] vlan 20
[H3C-vlan20] quit
[H3C] vlan 30
[H3C-vlan30] quit
[H3C] vlan 40
[H3C-vlan40] quit
# H3C has no batch command here; create the VLANs one at a time
# Access port
[H3C] interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1] port link-type access
[H3C-GigabitEthernet1/0/1] port access vlan 10
[H3C-GigabitEthernet1/0/1] quit
# Trunk port
[H3C] interface GigabitEthernet 1/0/24
[H3C-GigabitEthernet1/0/24] port link-type trunk
[H3C-GigabitEthernet1/0/24] port trunk permit vlan 10 20 30 40 100
[H3C-GigabitEthernet1/0/24] quit
Link aggregation
[H3C] interface Bridge-Aggregation 1
[H3C-Bridge-Aggregation1] port link-type trunk
[H3C-Bridge-Aggregation1] port trunk permit vlan all
[H3C-Bridge-Aggregation1] quit
[H3C] interface GigabitEthernet 1/0/22
[H3C-GigabitEthernet1/0/22] port link-type trunk
[H3C-GigabitEthernet1/0/22] port trunk permit vlan all
[H3C-GigabitEthernet1/0/22] port link-aggregation group 1
[H3C-GigabitEthernet1/0/22] quit
[H3C] interface GigabitEthernet 1/0/23
[H3C-GigabitEthernet1/0/23] port link-type trunk
[H3C-GigabitEthernet1/0/23] port trunk permit vlan all
[H3C-GigabitEthernet1/0/23] port link-aggregation group 1
[H3C-GigabitEthernet1/0/23] quit
# Member ports must carry the same link-type and VLAN settings as the aggregate interface, otherwise Comware refuses to add them
Port security
[H3C] port-security enable
# On Comware, port security is switched on globally first, then tuned per port
[H3C] interface GigabitEthernet 1/0/2
[H3C-GigabitEthernet1/0/2] port link-type access
[H3C-GigabitEthernet1/0/2] port access vlan 10
[H3C-GigabitEthernet1/0/2] port-security max-mac-count 3
[H3C-GigabitEthernet1/0/2] port-security port-mode autolearn
[H3C-GigabitEthernet1/0/2] port-security intrusion-mode blockmac
# On Comware the violation action is called intrusion-mode, not protect-action as on Huawei; blockmac drops frames from the offending MAC (the alternatives are disableport and disableport-temporarily)
[H3C-GigabitEthernet1/0/2] quit
# Loop protection
[H3C] loopback-detection enable
[H3C] interface GigabitEthernet 1/0/3
[H3C-GigabitEthernet1/0/3] loopback-detection enable
[H3C-GigabitEthernet1/0/3] loopback-detection action shutdown
[H3C-GigabitEthernet1/0/3] quit
Remote management
[H3C] public-key local create rsa
[H3C] ssh server enable
[H3C] local-user admin class manage
[H3C-luser-manage-admin] password simple Admin@123
[H3C-luser-manage-admin] authorization-attribute user-role network-admin
[H3C-luser-manage-admin] service-type ssh
[H3C-luser-manage-admin] quit
# Basic ACL: only the management subnet may log in
[H3C] acl basic 2000
[H3C-acl-ipv4-basic-2000] rule 5 permit source 192.168.100.0 0.0.0.255
[H3C-acl-ipv4-basic-2000] rule 100 deny
[H3C-acl-ipv4-basic-2000] quit
[H3C] line vty 0 4
[H3C-line-vty0-4] authentication-mode scheme
[H3C-line-vty0-4] acl ipv4 2000 inbound
[H3C-line-vty0-4] protocol inbound ssh
[H3C-line-vty0-4] quit
Verify and save
[H3C] display vlan               # VLANs
[H3C] display interface brief    # interface status
[H3C] display link-aggregation   # aggregation groups
[H3C] save
3. ZTE (ZXROS)
Basic system settings
Router>enable
Router# configure terminal
Router(config)# hostname SW-Core-01
# On ZTE, hostname is typed directly in global configuration mode
# Management VLAN and IP
Router(config)# vlan 100
Router(config-vlan)# exit
Router(config)# interface vlan 100
Router(config-if)# ip address 192.168.100.10 255.255.255.0
Router(config-if)# exit
# ZTE takes a dotted-decimal mask rather than a CIDR prefix length
Create business VLANs
Router(config)# vlan 10
Router(config-vlan)# exit
Router(config)# vlan 20
Router(config-vlan)# exit
# Access port
Router(config)# interface gigabitEthernet 0/1
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 10
Router(config-if)# exit
# ZTE's port-mode commands match Cisco's: switchport mode access
# Trunk port
Router(config)# interface gigabitEthernet 0/24
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allow-pass vlan 10 20 30 40 100
Router(config-if)# exit
Link aggregation
Router(config)# interface port-aggregator 1
Router(config-if)# switchport mode trunk
Router(config-if)# switchport trunk allow-pass vlan all
Router(config-if)# exit
Router(config)# interface gigabitEthernet 0/22
Router(config-if)# port-aggregation group 1
Router(config-if)# exit
Router(config)# interface gigabitEthernet 0/23
Router(config-if)# port-aggregation group 1
Router(config-if)# exit
Port security
Router(config)# interface gigabitEthernet 0/2
Router(config-if)# switchport mode access
Router(config-if)# switchport access vlan 10
Router(config-if)# switchport port-security
Router(config-if)# switchport port-security max-mac-count 3
Router(config-if)# switchport port-security violation protect
# ZTE's violation actions: protect, restrict and shutdown
Router(config-if)# exit
Remote management
Router(config)# crypto key generate rsa modulus 2048
Router(config)# ip ssh server enable
Router(config)# ip ssh version 2
Router(config)# username admin privilege 15 password Admin@123
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# access-class LOGIN-ACL in
Router(config-line)# transport input ssh
Router(config-line)# exit
Router(config)# ip access-list standard LOGIN-ACL
Router(config-std-nacl)# permit 192.168.100.0 0.0.0.255
Router(config-std-nacl)# deny any
Router(config-std-nacl)# exit
Verify and save
Router# show vlan                    # VLANs
Router# show interface switchport    # port modes
Router# show port-aggregation        # aggregation
Router# show running-config          # full configuration
Router# copy running-config startup-config
# This is how ZTE saves; there is no save command
4. Ruijie (RGOS)
Basic system settings
Ruijie>enable
Ruijie# configure terminal
Ruijie(config)# hostname SW-Core-01
# Management VLAN and IP
Ruijie(config)# vlan 100
Ruijie(config-vlan)# exit
Ruijie(config)# interface vlan 100
Ruijie(config-if)# ip address 192.168.100.10 255.255.255.0
Ruijie(config-if)# exit
Create business VLANs
Ruijie(config)# vlan 10
Ruijie(config-vlan)# exit
Ruijie(config)# vlan 20
Ruijie(config-vlan)# exit
# Access port
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# switchport mode access
Ruijie(config-if)# switchport access vlan 10
Ruijie(config-if)# exit
# Trunk port
Ruijie(config)# interface gigabitEthernet 0/24
Ruijie(config-if)# switchport mode trunk
Ruijie(config-if)# switchport trunk allowed vlan add 10,20,30,40,100
Ruijie(config-if)# exit
# Ruijie's VLAN list syntax differs slightly: add appends to the allowed list
Link aggregation
Ruijie(config)# interface aggregatePort 1
Ruijie(config-if)# switchport mode trunk
Ruijie(config-if)# switchport trunk allowed vlan add all
Ruijie(config-if)# exit
Ruijie(config)# interface gigabitEthernet 0/22
Ruijie(config-if)# port-group 1
# Ruijie adds a port to an aggregation group with port-group
Ruijie(config-if)# exit
Ruijie(config)# interface gigabitEthernet 0/23
Ruijie(config-if)# port-group 1
Ruijie(config-if)# exit
Port security
Ruijie(config)# interface gigabitEthernet 0/2
Ruijie(config-if)# switchport mode access
Ruijie(config-if)# switchport access vlan 10
Ruijie(config-if)# switchport port-security
Ruijie(config-if)# switchport port-security max-mac-count 3
Ruijie(config-if)# switchport port-security violation restrict
# Ruijie's violation actions: protect, restrict and shutdown
Ruijie(config-if)# exit
# Loop protection (Ruijie-specific commands)
Ruijie(config)# loopback-detection global
Ruijie(config)# interface gigabitEthernet 0/3
Ruijie(config-if)# loopback-detection control shutdown
Ruijie(config-if)# exit
Remote management
Ruijie(config)# crypto key generate rsa
Ruijie(config)# ip ssh server enable
Ruijie(config)# ip ssh version 2
Ruijie(config)# username admin privilege 15 password Admin@123
Ruijie(config)# line vty 0 4
Ruijie(config-line)# login local
Ruijie(config-line)# access-class LOGIN-ACL in
Ruijie(config-line)# transport input ssh
Ruijie(config-line)# exit
Ruijie(config)# ip access-list standard LOGIN-ACL
Ruijie(config-std-nacl)# permit 192.168.100.0 0.0.0.255
Ruijie(config-std-nacl)# exit
Verify and save
Ruijie# show vlan                    # VLANs
Ruijie# show interface switchport    # port modes
Ruijie# show aggregatePort           # aggregation ports
Ruijie# show port-security           # port security
Ruijie# write
# Ruijie saves with write, which is used far more often than the copy form
5. Maipu (MyPower)
Basic system settings
maipu>enable
maipu# configure terminal
maipu(config)# hostname SW-Core-01
# Management VLAN and IP
maipu(config)# vlan 100
maipu(config-vlan)# exit
maipu(config)# interface vlan 100
maipu(config-if)# ip address 192.168.100.10 255.255.255.0
maipu(config-if)# exit
# Maipu's configuration is very close to Cisco/Ruijie; the same habits carry over
Create business VLANs
maipu(config)# vlan 10
maipu(config-vlan)# exit
maipu(config)# vlan 20
maipu(config-vlan)# exit
# Access port
maipu(config)# interface gigabitEthernet 0/1
maipu(config-if)# switchport mode access
maipu(config-if)# switchport access vlan 10
maipu(config-if)# exit
# Trunk port
maipu(config)# interface gigabitEthernet 0/24
maipu(config-if)# switchport mode trunk
maipu(config-if)# switchport trunk allowed vlan 10 20 30 40 100
maipu(config-if)# exit
Link aggregation
maipu(config)# interface aggregatePort 1
maipu(config-if)# switchport mode trunk
maipu(config-if)# switchport trunk allowed vlan all
maipu(config-if)# exit
maipu(config)# interface gigabitEthernet 0/22
maipu(config-if)# port-group 1
maipu(config-if)# exit
maipu(config)# interface gigabitEthernet 0/23
maipu(config-if)# port-group 1
maipu(config-if)# exit
Port security
maipu(config)# interface gigabitEthernet 0/2
maipu(config-if)# switchport mode access
maipu(config-if)# switchport access vlan 10
maipu(config-if)# switchport port-security
maipu(config-if)# switchport port-security max-mac-count 3
maipu(config-if)# switchport port-security violation restrict
maipu(config-if)# exit
Remote management
maipu(config)# crypto key generate rsa modulus 2048
maipu(config)# ip ssh server enable
maipu(config)# ip ssh version 2
maipu(config)# username admin privilege 15 password Admin@123
maipu(config)# line vty 0 4
maipu(config-line)# login local
maipu(config-line)# access-class LOGIN-ACL in
maipu(config-line)# transport input ssh
maipu(config-line)# exit
maipu(config)# ip access-list standard LOGIN-ACL
maipu(config-std-nacl)# permit 192.168.100.0 0.0.0.255
maipu(config-std-nacl)# exit
Verify and save
maipu# show vlan                    # VLANs
maipu# show interface switchport    # port modes
maipu# show aggregatePort           # aggregation
maipu# write                        # save the configuration
Five-vendor day-one command cheat sheet
Step | Huawei | H3C | ZTE | Ruijie | Maipu
---- | ------ | --- | --- | ------ | -----
Enter config mode | system-view | system-view | configure terminal | configure terminal | configure terminal
Hostname | sysname | sysname | hostname | hostname | hostname
Create VLAN | vlan batch | vlan | vlan | vlan | vlan
Access port | port link-type access; port default vlan | port link-type access; port access vlan | switchport mode access; switchport access vlan | switchport mode access; switchport access vlan | switchport mode access; switchport access vlan
Trunk port | port link-type trunk; port trunk allow-pass vlan | port link-type trunk; port trunk permit vlan | switchport mode trunk; switchport trunk allow-pass vlan | switchport mode trunk; switchport trunk allowed vlan add | switchport mode trunk; switchport trunk allowed vlan
Link aggregation | interface Eth-Trunk; trunkport | interface Bridge-Aggregation; port link-aggregation group | interface port-aggregator; port-aggregation group | interface aggregatePort; port-group | interface aggregatePort; port-group
Port security | port-security enable | port-security enable | switchport port-security | switchport port-security | switchport port-security
Enable SSH | stelnet server enable | ssh server enable | ip ssh server enable | ip ssh server enable | ip ssh server enable
Save | save | save | copy running-config startup-config | write | write
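As an added example (not part of the original post), the cheat sheet above can be turned into a small generator: one parameter set in, the day-one commands for each of the five vendors out, with only the IPs and VLAN numbers changed per site. The parameter names, the `render_*` functions, the uplink port numbers and the `CHANGE-ME` password placeholder are this script's own assumptions, not anything from the vendors. It covers hostname, management VLAN and IP, business VLANs, the trunk uplink, the local admin account, the SSH-only VTY lines with their login ACL, and save. It also handles the three address notations the template switches between: prefix length on Huawei and H3C, dotted-decimal mask on the three Cisco-style vendors, and wildcard mask in every login ACL.

```python
import ipaddress

# Constructed site parameters for this example (the same values as the page's template).
SITE = {"hostname": "SW-Core-01", "mgmt_vlan": 100, "vlans": [10, 20, 30, 40],
        "mgmt_ip": "192.168.100.10/24",      # management interface address, CIDR form
        "mgmt_subnet": "192.168.100.0/24",   # only this subnet may reach the VTY lines
        "admin_password": "CHANGE-ME"}       # placeholder, set per site


def wildcard(net):
    """'192.168.100.0/24' -> '192.168.100.0 0.0.0.255', the ACL form all five vendors use."""
    n = ipaddress.ip_network(net, strict=False)
    return f"{n.network_address} {n.hostmask}"


def all_vlans(p, sep=" "):
    # Business VLANs plus the management VLAN, so the uplink carries management traffic too.
    return sep.join(str(v) for v in p["vlans"] + [p["mgmt_vlan"]])


def render_huawei(p):
    ip = ipaddress.ip_interface(p["mgmt_ip"])
    return [
        "system-view", f"sysname {p['hostname']}",
        f"vlan batch {all_vlans(p)}",                               # VRP creates VLANs in one batch
        f"interface Vlanif{p['mgmt_vlan']}",
        f" ip address {ip.ip} {ip.network.prefixlen}", " quit",     # VRP takes a prefix length
        "interface GigabitEthernet0/0/24", " port link-type trunk",
        f" port trunk allow-pass vlan {all_vlans(p)}",
        f" port trunk pvid vlan {p['mgmt_vlan']}", " quit",
        "acl 2000", f" rule 5 permit source {wildcard(p['mgmt_subnet'])}",
        " rule 100 deny source any", " quit",                        # ACL exists before the VTY binds it
        "aaa", f" local-user admin password irreversible-cipher {p['admin_password']}",
        " local-user admin privilege level 15", " local-user admin service-type ssh", " quit",
        "rsa local-key-pair create", "stelnet server enable",
        "user-interface vty 0 4", " acl 2000 inbound", " authentication-mode aaa",
        " protocol inbound ssh", " quit",
        "save",
    ]


def render_h3c(p):
    ip = ipaddress.ip_interface(p["mgmt_ip"])
    lines = ["system-view", f"sysname {p['hostname']}"]
    for v in p["vlans"] + [p["mgmt_vlan"]]:                         # Comware: one vlan command each
        lines += [f"vlan {v}", " quit"]
    lines += [
        f"interface Vlan-interface{p['mgmt_vlan']}",
        f" ip address {ip.ip} {ip.network.prefixlen}", " quit",
        "interface GigabitEthernet 1/0/24", " port link-type trunk",
        f" port trunk permit vlan {all_vlans(p)}", " quit",
        "acl basic 2000", f" rule 5 permit source {wildcard(p['mgmt_subnet'])}",
        " rule 100 deny", " quit",
        "local-user admin class manage", f" password simple {p['admin_password']}",
        " authorization-attribute user-role network-admin", " service-type ssh", " quit",
        "public-key local create rsa", "ssh server enable",
        "line vty 0 4", " authentication-mode scheme", " acl ipv4 2000 inbound",
        " protocol inbound ssh", " quit",
        "save",
    ]
    return lines


# The three Cisco-style vendors differ only in a few keywords and the save command.
CISCO_STYLE = {
    "zte":    {"trunk": "switchport trunk allow-pass vlan {v}", "sep": " ", "save": "copy running-config startup-config"},
    "ruijie": {"trunk": "switchport trunk allowed vlan add {v}", "sep": ",", "save": "write"},
    "maipu":  {"trunk": "switchport trunk allowed vlan {v}",     "sep": " ", "save": "write"},
}


def render_cisco_style(vendor, p):
    d = CISCO_STYLE[vendor]
    ip = ipaddress.ip_interface(p["mgmt_ip"])
    lines = ["configure terminal", f"hostname {p['hostname']}"]
    for v in p["vlans"] + [p["mgmt_vlan"]]:
        lines += [f"vlan {v}", " exit"]
    lines += [
        f"interface vlan {p['mgmt_vlan']}",
        f" ip address {ip.ip} {ip.network.netmask}", " exit",       # dotted-decimal mask here
        "interface gigabitEthernet 0/24", " switchport mode trunk",
        " " + d["trunk"].format(v=all_vlans(p, d["sep"])), " exit",
        "ip access-list standard LOGIN-ACL",
        f" permit {wildcard(p['mgmt_subnet'])}", " deny any", " exit",
        f"username admin privilege 15 password {p['admin_password']}",
        "crypto key generate rsa modulus 2048", "ip ssh server enable", "ip ssh version 2",
        "line vty 0 4", " login local", " access-class LOGIN-ACL in",
        " transport input ssh", " exit",
        "exit", d["save"],                                           # save from privileged mode
    ]
    return lines


def render(vendor, p=SITE):
    # Day-one command list for one of the five vendors.
    if vendor == "huawei":
        return render_huawei(p)
    if vendor == "h3c":
        return render_h3c(p)
    return render_cisco_style(vendor, p)


if __name__ == "__main__":
    for vendor in ("huawei", "h3c", "zte", "ruijie", "maipu"):
        print(f"===== {vendor} =====")
        print("\n".join(render(vendor)))
```

Link aggregation, port security and loop detection are left out on purpose: port numbers and keywords for those vary per chassis, so they are better copied from the vendor sections above. The point of the script is that the security-relevant parts (SSH only, login ACL scoped to the management subnet, no Telnet) come out identical on every vendor without anyone retyping them on site.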
A few points that are easy to miss
Do not forget the management IP as the very first step
Device renamed, clock set, but no management IP: I have seen more than once someone on site crawling around with a console cable trying to find the device.
Do not skip the PVID on trunk ports
If the peer sends untagged frames and the trunk has no PVID, they are not received. This bites especially when connecting third-party equipment.
Port security does not recover on its own
A port closed by protect-action shutdown stays down; it needs a manual undo shutdown, so be prepared for that on site.
Maipu, Ruijie and ZTE commands are essentially the same
All three are Cisco-style with identical configuration logic, so learn one and the other two carry over directly.
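The points above are exactly the kind of thing worth checking mechanically before leaving site. As an added example (not part of the original post), here is a small audit of a saved Huawei VRP configuration against that checklist: management IP present, every trunk has a PVID, ports with protect-action shutdown are listed so the team knows they will not recover by themselves, and the VTY lines have an inbound ACL and accept SSH only. The sample configuration is constructed for this example and deliberately contains the misses; the VRP block layout (`#` separators, indented body lines) is the only format assumed, so the other four vendors would need their own small parser.

```python
# Constructed Huawei VRP running-config excerpt for this example: it deliberately has a
# trunk without a PVID, a shutdown-style port-security action, and a VTY that still
# accepts every protocol and has no inbound ACL.
SAMPLE_CONFIG = """\
#
 sysname SW-Core-01
#
vlan batch 10 20 30 40 100
#
interface Vlanif100
 ip address 192.168.100.10 255.255.255.0
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 port-security enable
 port-security max-mac-num 3
 port-security protect-action shutdown
#
interface GigabitEthernet0/0/24
 port link-type trunk
 port trunk allow-pass vlan 10 20 30 40
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
return
"""


def parse_blocks(text):
    """Split a VRP config into {block header: [stripped body lines]}; '#' lines separate blocks."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", ""):
            current = None
            continue
        if current is None:
            current = line
            blocks.setdefault(current, [])
        else:
            blocks[current].append(line)
    return blocks


def audit(text, mgmt_vlan=100):
    """Return one finding per missed checklist item; an empty list means the config is clean."""
    blocks = parse_blocks(text)
    findings = []
    # 1. Management IP: without it the switch is reachable only over the console cable.
    mgmt = blocks.get(f"interface Vlanif{mgmt_vlan}", [])
    if not any(ln.startswith("ip address ") for ln in mgmt):
        findings.append(f"Vlanif{mgmt_vlan}: no management IP, the switch is unreachable remotely")
    for header, body in blocks.items():
        if not header.startswith("interface "):
            continue
        port = header.split(" ", 1)[1]
        # 2. Trunk without PVID: untagged frames from the peer are dropped.
        if "port link-type trunk" in body and not any(ln.startswith("port trunk pvid vlan ") for ln in body):
            findings.append(f"{port}: trunk without PVID, untagged frames from the peer will be dropped")
        # 3. Shutdown action: the port stays down until someone runs undo shutdown.
        if "port-security protect-action shutdown" in body:
            findings.append(f"{port}: protect-action shutdown, the port stays down until a manual undo shutdown")
    for header, body in blocks.items():
        if not header.startswith("user-interface vty"):
            continue
        # 4. VTY hardening: login ACL bound inbound, and SSH as the only inbound protocol.
        if not any(ln.startswith("acl ") and ln.endswith(" inbound") for ln in body):
            findings.append(f"{header}: no inbound ACL, any source can reach the login prompt")
        if "protocol inbound ssh" not in body:
            findings.append(f"{header}: protocol inbound is not limited to ssh")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("MISSED:", finding)
```

Run it against the text of `display current-configuration` saved from the device; four findings come back for the sample, and once the PVID, the ACL binding and `protocol inbound ssh` are added the list is empty.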
Finally
Day-one bring-up is not hard once you have a template. Keep this configuration handy; next time you arrive at a new project, open the template, change the IPs, change the VLANs, bring up the aggregation, and you are done in twenty minutes.
The rest of the time goes to on-site debugging and troubleshooting. Not a bad deal.
If you found these notes useful, a like and a bookmark make them easy to find again or to share with someone who needs them. Every bit of support keeps me sharing. Thanks for reading!
夜雨聆风