Suitable for the whole Huawei AR2200/AR3200/AR6200/AR6300 series on VRP5/VRP8, this is a standard internet-edge configuration for a small or medium-sized enterprise. It covers system initialization, secure local and remote operations, internal and external interfaces, ACL permits, NAT internet access, static routing, security hardening, anti-attack settings and saving the configuration; it has no redundant commands, no bugs, and meets the basic MLPS (等保) baseline.
1. System initialization
```
<Huawei> system-view                          # enter system view
[Huawei] sysname HW-Edge-Router               # set the hostname so operators can identify the device
[HW-Edge-Router] undo info-center enable      # stop log messages flooding the CLI while configuring (note: this disables the whole information center, including syslog and the log buffer; `undo terminal monitor` in user view silences the screen without losing logs)
[HW-Edge-Router] clock timezone BJ add 8      # time zone UTC+8 (Beijing)
[HW-Edge-Router] ntp server 114.114.114.114   # public NTP server, keeps the device clock in sync
```
2. Local console hardening
```
[HW-Edge-Router] user-interface console 0                                    # enter the local console user interface
[HW-Edge-Router-ui-console0] authentication-mode password                    # enable password authentication
[HW-Edge-Router-ui-console0] set password irreversible-cipher Console@2026   # set the admin password, stored as an irreversible hash
[HW-Edge-Router-ui-console0] idle-timeout 3                                  # log out after 3 idle minutes so a console session is never left open
[HW-Edge-Router-ui-console0] quit                                            # leave the user-interface view
```
3. AAA user + full SSH remote-access configuration (core remote management)
```
[HW-Edge-Router] aaa                                                            # local users are defined in the AAA view
[HW-Edge-Router-aaa] local-user admin password irreversible-cipher Admin@2026  # create the administrator account
[HW-Edge-Router-aaa] local-user admin privilege level 15                       # highest command privilege
[HW-Edge-Router-aaa] local-user admin service-type ssh terminal                # allow SSH and local terminal login
[HW-Edge-Router-aaa] quit
[HW-Edge-Router] ssh server enable                                              # enable the encrypted SSH service globally
[HW-Edge-Router] ssh server port 2222                                           # move SSH off port 22 to avoid the bulk scanning and brute-force aimed at it
[HW-Edge-Router] ssh server encryption-algorithm aes-256                        # AES-256 session encryption
[HW-Edge-Router] ssh server hmac-algorithm sha2-256                             # SHA-256 HMAC, protects the session against in-transit tampering
[HW-Edge-Router] user-interface vty 0 15                                        # all remote VTY lines
[HW-Edge-Router-ui-vty0-15] authentication-mode aaa                             # authenticate against the AAA accounts
[HW-Edge-Router-ui-vty0-15] protocol inbound ssh                                # SSH only; plaintext Telnet is refused entirely
[HW-Edge-Router-ui-vty0-15] idle-timeout 5                                      # drop remote sessions after 5 idle minutes
[HW-Edge-Router-ui-vty0-15] quit
# Management whitelist: only the designated O&M workstation may log in remotely
[HW-Edge-Router] acl number 3000
[HW-Edge-Router-acl-adv-3000] rule permit tcp source 192.168.1.10 0 destination-port eq 2222
[HW-Edge-Router-acl-adv-3000] rule deny tcp any destination-port eq 2222
[HW-Edge-Router-acl-adv-3000] quit
[HW-Edge-Router] user-interface vty 0 15
[HW-Edge-Router-ui-vty0-15] acl 3000 inbound                                    # bind the whitelist in the inbound direction
[HW-Edge-Router-ui-vty0-15] quit
```
4. Internal and external interface IP configuration
```
# WAN interface (uplink to the ISP broadband / leased line)
[HW-Edge-Router] interface GigabitEthernet 0/0/0
[HW-Edge-Router-GigabitEthernet0/0/0] description WAN_Operator                        # label the WAN link
[HW-Edge-Router-GigabitEthernet0/0/0] ip address 220.xx.xx.xx 255.255.255.248         # public IP assigned by the ISP
[HW-Edge-Router-GigabitEthernet0/0/0] undo shutdown                                   # bring the interface up
[HW-Edge-Router-GigabitEthernet0/0/0] quit
# LAN interface (downlink to the core switch)
[HW-Edge-Router] interface GigabitEthernet 0/0/1
[HW-Edge-Router-GigabitEthernet0/0/1] description LAN_CoreSwitch                      # label the LAN link
[HW-Edge-Router-GigabitEthernet0/0/1] ip address 192.168.1.1 255.255.255.0            # default gateway for the LAN
[HW-Edge-Router-GigabitEthernet0/0/1] undo shutdown                                   # bring the interface up
[HW-Edge-Router-GigabitEthernet0/0/1] quit
```
5. ACL access-control policy (permit LAN internet access)
```
[HW-Edge-Router] acl number 2000                                              # basic ACL that matches internet-bound traffic
[HW-Edge-Router-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255      # permit the main office subnet
[HW-Edge-Router-acl-basic-2000] rule deny source any                          # deny every other subnet, blocking unauthorised hosts
[HW-Edge-Router-acl-basic-2000] quit
```
6. Source NAT (internet access for the whole LAN)
```
[HW-Edge-Router] interface GigabitEthernet 0/0/0
[HW-Edge-Router-GigabitEthernet0/0/0] nat outbound 2000     # translate the subnets matched by ACL 2000 to the public IP
[HW-Edge-Router-GigabitEthernet0/0/0] quit
```
7. Port mapping (optional: publishing an internal server)
```
[HW-Edge-Router] interface GigabitEthernet 0/0/0
[HW-Edge-Router-GigabitEthernet0/0/0] nat server protocol tcp global 220.xx.xx.xx 443 inside 192.168.1.200 443   # HTTPS mapping
[HW-Edge-Router-GigabitEthernet0/0/0] nat server protocol tcp global 220.xx.xx.xx 80 inside 192.168.1.200 80     # HTTP mapping
[HW-Edge-Router-GigabitEthernet0/0/0] quit
```
8. Routing (default internet route + return route)
```
[HW-Edge-Router] ip route-static 0.0.0.0 0.0.0.0 220.xx.xx.1                  # default route: everything else goes to the ISP gateway
[HW-Edge-Router] ip route-static 192.168.2.0 255.255.255.0 192.168.1.254      # return route to the branch subnet behind the core switch
```
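The basic ACL in section 5 and the return route in section 8 work together: the static route for 192.168.2.0/24 gets reply traffic back to the branch, but whether a branch host is translated by `nat outbound 2000` depends only on whether ACL 2000 permits its source address. The Python below is an added example for this page, not the original author's code or Huawei tooling: it parses the page's ACL 2000 lines, applies Huawei wildcard-mask matching in rule order, and reports which sources would be translated. With the rules as written on the page, 192.168.1.0/24 is permitted and 192.168.2.0/24 falls to the `rule deny source any`, so branch hosts need their own permit rule before `nat outbound 2000` will translate them. The ACL text is copied from the page; `no-match` is the script's own label for a packet that no rule matched.

```python
import ipaddress
import re

# Copied from section 5 of this page, prompts included, so the parser sees real VRP lines.
ACL_CONFIG = """\
[HW-Edge-Router] acl number 2000
[HW-Edge-Router-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[HW-Edge-Router-acl-basic-2000] rule deny source any
[HW-Edge-Router-acl-basic-2000] quit
"""

RULE_RE = re.compile(r"rule\s+(permit|deny)\s+source\s+(\S+)(?:\s+(\S+))?")


def parse_basic_acl(config_text):
    """Extract (action, address, wildcard) tuples in configuration order; 'any' has no wildcard."""
    rules = []
    for line in config_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3)))
    return rules


def wildcard_match(ip, address, wildcard):
    """Huawei wildcard semantics: a 0 bit in the wildcard means that address bit must match,
    a 1 bit is 'don't care'. 0.0.0.255 therefore covers a /24; a bare '0' (or no wildcard)
    means a single host, as in 'source 192.168.1.10 0'."""
    wc = 0 if wildcard in (None, "0") else int(ipaddress.IPv4Address(wildcard))
    care = (~wc) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(address)) & care)


def acl_action(rules, src_ip):
    """First matching rule wins, as on the router. Returns 'permit', 'deny' or 'no-match'."""
    for action, address, wildcard in rules:
        if address == "any" or wildcard_match(src_ip, address, wildcard):
            return action
    return "no-match"


ACL_2000 = parse_basic_acl(ACL_CONFIG)


def nat_translated(src_ip):
    """'nat outbound 2000' only translates packets whose source ACL 2000 permits."""
    return acl_action(ACL_2000, src_ip) == "permit"


if __name__ == "__main__":
    # Main office host, branch host (section 8's 192.168.2.0/24), and an unknown subnet.
    for host in ("192.168.1.50", "192.168.2.50", "10.0.0.5"):
        print(f"{host:<14} acl={acl_action(ACL_2000, host):<8} NATed={nat_translated(host)}")
```

Running the script prints one line per constructed source address; only 192.168.1.50 reports `NATed=True`.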
9. Security hardening & anti-attack settings (required for MLPS)
```
[HW-Edge-Router] firewall enable                                 # enable the device firewall
[HW-Edge-Router] firewall default deny                           # deny all unsolicited inbound traffic from the WAN by default (safety net)
# Disable high-risk, unused services to shrink the attack surface
[HW-Edge-Router] undo telnet server enable                       # plaintext Telnet
[HW-Edge-Router] undo ftp server enable                          # unencrypted FTP
[HW-Edge-Router] undo http server enable                         # web management UI
[HW-Edge-Router] undo snmp agent enable                          # SNMP, prevents information disclosure
# Anti-attack policy
[HW-Edge-Router] tcp syn-cookie enable                           # SYN-flood protection
[HW-Edge-Router] icmp rate-limit total 50                        # rate-limit ICMP against ping floods from the WAN
[HW-Edge-Router] arp anti-attack valid-check enable              # ARP validity check against ARP spoofing on the LAN
```
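The hardening list in section 9 together with the VTY settings from section 3 amounts to a baseline that can be checked mechanically before a device is signed off. The Python below is an added example for this page, not Huawei's tooling or the original author's code: it parses `display current-configuration` output in the `#`-separated block layout VRP prints and checks the items above (management services disabled, SSH-only VTY with AAA, an inbound ACL bound, an idle timeout, a non-default SSH port) plus one item the page does not list, that the information center is still enabled. The sample configuration is a constructed excerpt of this page's commands as a saved configuration shows them (`idle-timeout 5 0` is the minutes-and-seconds form VRP stores); it keeps `undo info-center enable` from section 1 so the checker has one finding to report, because that command turns off device logging, not just the terminal echo.

```python
import re

# Constructed sample: this page's commands as a saved configuration prints them,
# in VRP's '#'-separated block layout (system-view commands indented, view headers at column 0).
SAMPLE_CONFIG = """\
#
 sysname HW-Edge-Router
#
 undo info-center enable
#
 ssh server port 2222
 undo telnet server enable
 undo ftp server enable
 undo http server enable
 undo snmp agent enable
#
user-interface con 0
 authentication-mode password
 idle-timeout 3 0
#
user-interface vty 0 15
 acl 3000 inbound
 authentication-mode aaa
 protocol inbound ssh
 idle-timeout 5 0
#
return
"""


def parse_blocks(config_text):
    """Split the configuration on '#' separator lines.
    Returns (global_cmds, views): global_cmds is a list of system-view commands,
    views maps a view header such as 'user-interface vty 0 15' to its sub-commands."""
    global_cmds, views = [], {}
    for chunk in config_text.split("\n#"):
        lines = [l for l in chunk.split("\n") if l.strip() and l.strip() != "#"]
        if not lines:
            continue
        if lines[0].startswith(" "):          # indented first line: system-view commands
            global_cmds.extend(l.strip() for l in lines)
        else:                                  # header at column 0: a configuration view
            views[lines[0].strip()] = [l.strip() for l in lines[1:]]
    return global_cmds, views


def vty_commands(views):
    """All commands configured under any 'user-interface vty ...' block."""
    return [c for h, cmds in views.items() if h.startswith("user-interface vty") for c in cmds]


def idle_timeout_minutes(cmds):
    """'idle-timeout M [S]' -> M; None when absent (VRP then applies its default of 10 minutes)."""
    for c in cmds:
        m = re.match(r"idle-timeout (\d+)", c)
        if m:
            return int(m.group(1))
    return None


def audit(config_text):
    """Evaluate the hardening items from this page; True means the check passed."""
    global_cmds, views = parse_blocks(config_text)
    g = set(global_cmds)
    vty = vty_commands(views)
    vty_idle = idle_timeout_minutes(vty)
    return {
        "telnet_disabled": "undo telnet server enable" in g,
        "ftp_disabled": "undo ftp server enable" in g,
        "http_disabled": "undo http server enable" in g,
        "snmp_disabled": "undo snmp agent enable" in g,
        "vty_ssh_only": "protocol inbound ssh" in vty,
        "vty_aaa_auth": "authentication-mode aaa" in vty,
        "vty_acl_bound": any(re.match(r"acl \d+ inbound$", c) for c in vty),
        "vty_idle_timeout_le_5min": vty_idle is not None and vty_idle <= 5,
        "ssh_nondefault_port": any(re.match(r"ssh server port (?!22$)\d+$", c) for c in global_cmds),
        # 'undo info-center enable' silences the CLI but also stops syslog and log-buffer output
        "logging_enabled": "undo info-center enable" not in g,
    }


def failed(config_text):
    """Names of the checks that did not pass, sorted for stable reporting."""
    return sorted(name for name, ok in audit(config_text).items() if not ok)


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_CONFIG).items():
        print(("PASS" if ok else "FAIL"), name)
```

Run it against the output of `display current-configuration` captured from a real device; on the constructed sample every check passes except `logging_enabled`, which is the point of keeping that line in the sample.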
10. Go-live checks & saving the configuration (mandatory)
```
[HW-Edge-Router] display current-configuration   # review the full configuration for errors
[HW-Edge-Router] display ip routing-table        # confirm the routes are active
[HW-Edge-Router] display nat session all         # confirm NAT translations are being created
[HW-Edge-Router] display ssh server status       # confirm the SSH server is running
[HW-Edge-Router] save                            # write the configuration to flash so it survives a power cycle
Y                                                # answer the confirmation prompt
```