华三交换机NTP配置

1.H3C交换机修改密码：

[FC-RX_6F-SW-06]local-user admin class manage
[FC-RX_6F-SW-06-luser-manage-admin]password simple K**TYEKmL#d8 

2.H3C交换机SSH远程登录配置

public-key local create rsa  # 生成RSA密钥对。
public-key local create dsa  # 生成DSA密钥对。
ssh server enable  # 使能SSH服务器功能。 

[H3C] user-interface vty 0 4
[H3C-ui-vty0-4] authentication-mode scheme  # 设置用户接口上的认证模式为AAA认证。
[H3C-ui-vty0-4] protocol inbound ssh  # 设置用户接口上支持SSH协议。

[H3C] local-user client001 class manage
New local user addedd
[H3C-luser-manage-client001] password simple aabbcc
[H3C-luser-manage-client001] service-type ssh
[H3C-luser-manage-client001] authorization-attribute user-role level-15
[H3C-luser-manage-client001] authorization-attribute user-role network-operator  # 创建本地用户client001，并设置用户密码、服务类型和用户角色。

3.H3C交换机DNS配置

dns source-interface Vlan-interface348
 dns domain cdg.local
 dns server 10.1.41.101 

4.H3C交换机NTP配置

clock protocol ntp
ntp-service enable
ntp-service unicast-server ntp.service.cdg.local
clock timezone beijing add 8

5.H3C交换机snmp配置

snmp-agent
snmp-agent community read cdgsnmp666
snmp-agent sys-info version v2c v3

6.H3C交换机配置密码复杂度

1）举例：口令长度不低于12位，为数字、字母、特殊字符混合组合；密码有效期限为90天；输入密码次数过多后锁定。用户成功登录后10分钟内无任何操作，则断开该登录连接 。

[CN-HBDHY-OA-5-1F407-DSW01]password-control enable  #开启密码策略
[CN-HBDHY-OA-5-1F407-DSW01]password-control length 12  #配置密码长度最短为12位
[CN-HBDHY-OA-5-1F407-DSW01]password-control composition type-number 3 type-length 1  #密码复杂度为包含3种类型
[CN-HBDHY-OA-5-1F407-DSW01]password-control login-attempt 5 exceed lock-time 5  #配置本地帐号连续输入错误密码的限制次数为5次，本地帐号锁定时间为5分钟
[CN-HBDHY-OA-5-1F407-DSW01]password-control aging 90  #配置密码失效时间为90天，默认即90天
[CN-HBDHY-OA-5-1F407-DSW01]password-control alert-before-expire 30  #配置密码过期前30天提醒
[CN-HBDHY-OA-5-1F407-DSW01]password-control history 5  #配置历史密码记录为5条
[CN-HBDHY-OA-5-1F407-DSW01]password-control login idle-time 0  #配置用户帐号的闲置时间为无限制
[CN-HBDHY-OA-5-1F407-DSW01]line vty 0 4
[CN-HBDHY-OA-5-1F407-DSW01-line-vty0-4]idle-timeout 10  #配置远程登录的闲置超时时间为为10分钟，默认为10分钟

2）登录源IP限制

[CN-HBDHY-OA-5-1F407-DSW01]acl number 2001 name sourlimit
[CN-HBDHY-OA-5-1F407-DSW01-acl-basic-2001-sourlimit]rule 11 permit source 10.1.13.100 0
[CN-HBDHY-OA-5-1F407-DSW01-acl-basic-2001-sourlimit]rule 12 permit source 10.1.21.131 0
[CN-HBDHY-OA-5-1F407-DSW01-acl-basic-2001-sourlimit] rule 15 permit source 10.1.41.170 0
[CN-HBDHY-OA-5-1F407-DSW01-acl-basic-2001-sourlimit] rule 21 permit source 10.16.2.100 0

[CN-HBDHY-OA-5-1F407-DSW01]ssh server acl 2001

3）管理员三权分开

local-user admin class manage
 service-type ssh terminal
 authorization-attribute user-role level-15  #系统管理员分配管理级权限，即有全部权限
 authorization-attribute user-role network-operator

local-user audit class manage
 service-type ssh terminal
 authorization-attribute user-role level-1  #审计管理员分配监控级权限，只有部门查看权限
 undo authorization-attribute user-role network-operator
 password simple Abc123123#

local-user security class manage
 service-type ssh terminal
 authorization-attribute user-role level-2  #安全管理员分配配置级权限，有日常配置查看和修改的权限，不能进行FTP、文件下载、故障诊断等
 undo authorization-attribute user-role network-operator
 password simple Abc123123#

7.H3C交换机syslog配置

0-7共八个级别，0最高，7最低

1）保存到buffer

info-center logbuffer：开启Log信息向Log缓冲区的发送功能，此功能默认开启

2）保存到syslog服务器

[CN-HBDHY-OA-1-1F312-DSW01]info-center loghost source Vlanif348
[CN-HBDHY-OA-1-1F312-DSW01]info-center loghost 10.1.33.10 facility local0 

3）查看syslog配置

[CN-HBDHY-6-F202-Office-ACC02]dis info-center
Information Center: Enabled
Console: Enabled
Monitor: Enabled
Log host: Enabled
    Source address interface: Vlan-interface348
    10.1.33.10,
    port number: 514, DSCP value:0, host facility: local0
Log buffer: Enabled
    Max buffer size 1024, current buffer size 512
    Current messages 512, dropped messages 0, overwritten messages 1677
Log file: Enabled
Security log file: Disabled
Information timestamp format:
    Log host: Date
    Other output destination: Date