文章目录

• • 写在前面
  • DHCP
  • • 案例
    • 拓扑
    • 具体配置过程
    • 检验
  • ACL
  • • 案例
    • 拓扑
    • 具体配置过程
    • 验证
  • 结语
  • 参考资料

写在前面

还有几天就软考了，考个证混混分。

DHCP

案例

目的： 对交换机配置DHCP，实现PC自动获取IP地址。

设备概述： 设置两个vlan，分别为vlan10 和 vlan 20。然后将两个PC分别划分到两个vlan里。设置两个交换机S5700，分别为辅助交换机（acsw）和核心交换机（coresw）。

拓扑

具体配置过程

acsw：

<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname acsw
[acsw]vlan batch 10 20
[acsw]int g0/0/1 // 有些地方命令直接简写执行了，勿喷
[acsw-GigabitEthernet0/0/1]port link-type access // 配置acsw与PC1连接方式为access
[acsw-GigabitEthernet0/0/1]port default vlan 10 // 默认vlan为vlan 10
[acsw-GigabitEthernet0/0/1]quit
[acsw]int g0/0/2
[acsw-GigabitEthernet0/0/2]port link-type access
[acsw-GigabitEthernet0/0/2]port default vlan 20
[acsw-GigabitEthernet0/0/2]quit
[acsw]int g0/0/3
[acsw-GigabitEthernet0/0/3]port link-type trunk 
[acsw-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20
[acsw-GigabitEthernet0/0/3]q

PC1：

PC2：

coresw：

<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname coresw
[coresw]vlan batch 10 20
[coresw]int g0/0/1
[coresw-GigabitEthernet0/0/1]port link-type trunk
[coresw-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
[coresw-GigabitEthernet0/0/1]q
[coresw]dhcp enable
[coresw]ip pool vlan10
[coresw-ip-pool-vlan20]? // 这里看一下都有那些选项可以配置
ip-pool view commands:
  configuration        Configuration interlock
  display              Display current system information
  dns-list             Configure DNS servers
  domain-name          Configure domain name 
  excluded-ip-address  Mark disable IP addresses 
  gateway-list         Configure the gateway
  lease                Configure the lease of the IP pool
  lock                 Lock the IP pool
  mtrace               Trace route to multicast source
  nbns-list            Configure the windows's netbios name servers 
  netbios-type         Netbios node type
  network              Add a network
  next-server          The address of the server to use in the next step of the
                       client's bootstrap process.
  option               Configure the DHCP options
  option121            DHCP option 121 
  option184            DHCP option 184
  ping                 Send echo messages
  quit                 Exit from current command view
  reset                Reset operation
  return               Exit to user view
  screen-width         Set screen width
  set                  Set
  stack                Stack 
  static-bind          Static bind
  test-aaa             Accounts test
  trace                Trace route (switch) to host on Data Link Layer
  tracert              Trace route to host
  undo                 Cancel current configuration
  vpn-instance         Config VPN instance

[coresw-ip-pool-vlan10]network 192.168.10.0 mask 24
[coresw-ip-pool-vlan10]gateway-list 192.168.10.254 // 设置vlan10的网关
[coresw-ip-pool-vlan10]excluded-ip-address 192.168.10.150 192.168.10.200 // 设置不用于分配的IP范围
[coresw-ip-pool-vlan10]lease day 3 // 也可以同时设置 hour、minute
[coresw-ip-pool-vlan10]dns-list 8.8.8.8 // 由于用不到DNS，就随便配了
[coresw-ip-pool-vlan10]q
[coresw]interface vlanif 10
[coresw-Vlanif10]ip address 192.168.10.254 24
[coresw-Vlanif10]q
[coresw]int Vlanif 20
[coresw-Vlanif20]ip address 192.168.20.254 24
[coresw-Vlanif20]q
[coresw]ip pool vlan20
[coresw-ip-pool-vlan20]network 192.168.20.0 mask 24
[coresw-ip-pool-vlan20]gateway-list 192.168.20.254
[coresw-ip-pool-vlan20]dns-list 8.8.8.8
[coresw-ip-pool-vlan20]excluded-ip-address 192.168.20.150 192.168.20.200 
[coresw-ip-pool-vlan20]lease day 3
[coresw-ip-pool-vlan20]q
[coresw]int vlanif 10
[coresw-Vlanif10]dhcp select global // 选择全局地址池
[coresw-Vlanif10]q
[coresw]int vlanif 20
[coresw-Vlanif20]dhcp select global
[coresw-Vlanif20]q

检验

在PC1终端中输入ipconfig，可以看到华为DHCP默认将最大的可分配IP分配给当前主机：192.168.10.253

PC2同理：

ACL

案例

要求：

设备概述：

设置两台PC，分别属于不同子网，要求PC1所在子网不得访问服务器，PC2所在子网可以访问服务器。同时外界网络无法访问服务器。设置一台服务器。设置两台路由器AR2220。其中AR2220端口不够的可以自行添加：

拓扑

具体配置过程

PC1：

PC2：

Server1：

AR1：

<Huawei>system-view
[Huawei]sysname AR1
[AR1]undo info-center enable
[AR1]display acl all // 查看所有acl规则
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 192.168.2.254 24
[AR1-GigabitEthernet0/0/0]q
[AR1]int g0/0/1
[AR1-GigabitEthernet0/0/1]ip address 192.168.3.254 24
[AR1-GigabitEthernet0/0/1]q
[AR1]int g4/0/0
[AR1-GigabitEthernet4/0/0]ip address 10.10.10.1 24
[AR1-GigabitEthernet4/0/0]q
[AR1]acl 3000 // 2000-2999为基础acl配置，3000-3999为高级acl配置	
[AR1-acl-adv-3000]rule 10 deny ip source 192.168.2.0 0.0.0.255 destination 192.1
68.4.4 0 // 不允许子网192.168.2.0/24访问金融服务器
[AR1-acl-adv-3000]rule 20 permit ip source 192.168.3.0 0.0.0.255 destination 192
.168.4.4 0 // 允许子网192.168.3.0/24访问金融服务器
[AR1-acl-adv-3000]rule 30 deny ip source any destination 192.168.4.4 0 // 在前面的规则都不匹配时，不允许任何源ip访问服务器
[AR1-acl-adv-3000]q
[AR1]int g0/0/2
[AR1-GigabitEthernet0/0/2]ip address 192.168.4.254 24
[AR1-GigabitEthernet0/0/2]traffic-filter outbound acl 3000
[AR1-GigabitEthernet0/0/2]q
[AR1]display acl all // 可以验证acl规则是否配置成功
 Total quantity of nonempty ACL number is 1 

Advanced ACL 3000, 3 rules
Acl's step is 5
 rule 10 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.4.4 0 (4 match
es)
 rule 20 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.4.4 0 (5 mat
ches)
 rule 30 deny ip destination 192.168.4.4 0 

[AR1]

AR2：

<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname AR2
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip address 10.10.10.2 24
[AR2-GigabitEthernet0/0/0]q

验证

PC1：

PC2：

AR2：

结语

网工的配置还挺好玩的

参考资料

B站BV号：BV1uK4y1d7JW