在lsw 上操作,
change status to down
Jul 31 2025 16:32:52-08:00 Huawei %%01PHY/1/PHY(l)[1]: GigabitEthernet0/0/2:
change status to up
<Huawei>
<Huawei>
<Huawei>
<Huawei>
<Huawei>sy 进入系统视图
Jul 31 2025 16:33:11-08:00 Huawei %%01PHY/1/PHY(l)[2]: GigabitEthernet0/0/3:
change status to up
[Huawei]undo info-center enable 关闭系统信息显示(看个人习惯关不关)
Info: Information center is disabled.
[Huawei]sy SW1 修改名字
[SW1]vlanb
[SW1]vlan b
[SW1]vlan batch 10 20 划分vlan
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1]dis v
[SW1]dis vl
[SW1]dis vlan 查看vlan 信息,
The total number of vlans is : 3
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
1 common UT:GE0/0/1(U) GE0/0/2(U) GE0/0/3(U) GE0/0/4(D)
GE0/0/5(D) GE0/0/6(D) GE0/0/7(D) GE0/0/8(D)
GE0/0/9(D) GE0/0/10(D) GE0/0/11(D) GE0/0/12(D)
GE0/0/13(D) GE0/0/14(D) GE0/0/15(D) GE0/0/16(D)
GE0/0/17(D) GE0/0/18(D) GE0/0/19(D) GE0/0/20(D)
GE0/0/21(D) GE0/0/22(D) GE0/0/23(D) GE0/0/24(D)
10 common
20 common
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
1 enable default enable disable VLAN 0001
10 enable default enable disable VLAN 0010
20 enable default enable disable VLAN 0020
[SW1]int g0/0/
[SW1]int g0/0/1 p
[SW1]int g0/0/1 po 下面就是进入接口,添加进vlan
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]po
[SW1-GigabitEthernet0/0/1]port l
[SW1-GigabitEthernet0/0/1]port link-t
[SW1-GigabitEthernet0/0/1]port link-type a
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port de
[SW1-GigabitEthernet0/0/1]port default v
[SW1-GigabitEthernet0/0/1]port default vlan 10
[SW1-GigabitEthernet0/0/1]int g0/0/2 进入接口2 设置access口,划分vlan
[SW1-GigabitEthernet0/0/2]p l a
[SW1-GigabitEthernet0/0/2]p d v 20
[SW1-GigabitEthernet0/0/2]dis vlan
The total number of vlans is : 3
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports
--------------------------------------------------------------------------------
1 common UT:GE0/0/3(U) GE0/0/4(D) GE0/0/5(D) GE0/0/6(D)
GE0/0/7(D) GE0/0/8(D) GE0/0/9(D) GE0/0/10(D)
GE0/0/11(D) GE0/0/12(D) GE0/0/13(D) GE0/0/14(D)
GE0/0/15(D) GE0/0/16(D) GE0/0/17(D) GE0/0/18(D)
GE0/0/19(D) GE0/0/20(D) GE0/0/21(D) GE0/0/22(D)
GE0/0/23(D) GE0/0/24(D)
10 common UT:GE0/0/1(U)
20 common UT:GE0/0/2(U)
VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
1 enable default enable disable VLAN 0001
10 enable default enable disable VLAN 0010
20 enable default enable disable VLAN 0020
[SW1-GigabitEthernet0/0/2]int g0/0/3
[SW1-GigabitEthernet0/0/3]po
[SW1-GigabitEthernet0/0/3]port link-type ? 接口3是需要设置成trunk
access Access port
dot1q-tunnel QinQ port
hybrid Hybrid port
trunk Trunk port
[SW1-GigabitEthernet0/0/3]port link-type t
[SW1-GigabitEthernet0/0/3]port link-type trunk
[SW1-GigabitEthernet0/0/3]po
[SW1-GigabitEthernet0/0/3]port t
[SW1-GigabitEthernet0/0/3]port trunk ?
allow-pass Allowed vlan
pvid Specify current port's PVID VLAN characteristics
[SW1-GigabitEthernet0/0/3]port trunk a
[SW1-GigabitEthernet0/0/3]port trunk allow-pass ?
vlan Virtual LAN
[SW1-GigabitEthernet0/0/3]port trunk allow-pass v 设置允许通过的接口,
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20
[SW1-GigabitEthernet0/0/3]
sw1 设置完毕,
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]un in
[Huawei]un info-center en
[Huawei]un info-center enable
Info: Information center is disabled.
[Huawei]sy AR1
[AR1]in g0/0/1
[AR1]int g0/0/1.10
[AR1-GigabitEthernet0/0/1.10]do
[AR1-GigabitEthernet0/0/1.10]dot1q t 进入子接口后是需要终结掉vid是10的
[AR1-GigabitEthernet0/0/1.10]dot1q termination vi
[AR1-GigabitEthernet0/0/1.10]dot1q termination vid 10
[AR1-GigabitEthernet0/0/1.10]ip add
[AR1-GigabitEthernet0/0/1.10]ip address 192.168.10.254 24 设置ip
[AR1-GigabitEthernet0/0/1.10]arp broadcast en
[AR1-GigabitEthernet0/0/1.10]arp broadcast enable 开启arp 广播,
[AR1-GigabitEthernet0/0/1.10]q
[AR1]in
[AR1]int g0/0/1.20
[AR1-GigabitEthernet0/0/1.20]do
[AR1-GigabitEthernet0/0/1.20]dot1q ?
termination Termination
[AR1-GigabitEthernet0/0/1.20]dot1q t
[AR1-GigabitEthernet0/0/1.20]dot1q termination ?
vid Configure PE VLAN ID
[AR1-GigabitEthernet0/0/1.20]dot1q termination vi
[AR1-GigabitEthernet0/0/1.20]dot1q termination vid 20
AR1-GigabitEthernet0/0/1.20]ip add
[AR1-GigabitEthernet0/0/1.20]ip address 192.168.20.254 24
[AR1-GigabitEthernet0/0/1.20]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip add
[AR1-GigabitEthernet0/0/0]ip address 10.1.1.254 24
[AR1-GigabitEthernet0/0/0]
[AR1-GigabitEthernet0/0/1.20]dot1q termination vid 20
[AR1-GigabitEthernet0/0/1.20]ar
[AR1-GigabitEthernet0/0/1.20]arp b
[AR1-GigabitEthernet0/0/1.20]arp broadcast en
[AR1-GigabitEthernet0/0/1.20]arp broadcast enable 下面是设置acl
[AR1]acl
[AR1]acl ?
INTEGER<2000-2999> Basic access-list(add to current using rules)
INTEGER<3000-3999> Advanced access-list(add to current using rules)
INTEGER<4000-4999> Specify a L2 acl group
ipv6 ACL IPv6
name Specify a named ACL
number Specify a numbered ACL
介绍acl的用法
INTEGER<2000-2999>:基础访问控制列表(可添加规则)
INTEGER<3000-3999>:高级访问控制列表(可添加规则)
INTEGER<4000-4999>:第二层 ACL 组
ipv6:IPv6 的访问控制列表
name:命名的访问控制列表
number:编号的访问控制列表
AR1-acl-basic-2000]rule ? 允许,还是拒绝,
INTEGER<0-4294967294> ID of ACL rule
deny Specify matched packet deny
permit Specify matched packet permit
[AR1-acl-basic-2000]rule 5 d
[AR1-acl-basic-2000]rule 5 deny ?
fragment Check fragment packet
none-first-fragment Check the subsequence fragment packet
source Specify source address
time-range Specify a special time
vpn-instance Specify a VPN-Instance
<cr> Please press ENTER to execute command
[AR1-acl-basic-2000] 表示当前处于编号为 2000 的基本 ACL 配置视图(基本 ACL 编号范围 2000-2999)
rule 命令用于配置 ACL 规则,后面可跟:
整数 ID(0-4294967294):标识规则序号
deny/permit:指定规则是拒绝还是允许匹配的数据包
示例中输入 rule 5 deny 表示创建 ID 为 5 的拒绝规则,系统随后显示可附加的参数选项:
fragment:匹配分片数据包
source:指定源 IP 地址(基本 ACL 的核心配置项)
time-range:关联时间范围
其他选项用于特殊场景配置
这种配置模式用于通过 ACL 对网络流量进行过滤控制,通过规则序号确定匹配优先级(序号越小优先级越高)。
[AR1]ac 这里就是需要设置acl 了,
[AR1]acl
[AR1]acl ?
INTEGER<2000-2999> Basic access-list(add to current using rules)
INTEGER<3000-3999> Advanced access-list(add to current using rules)
INTEGER<4000-4999> Specify a L2 acl group
ipv6 ACL IPv6
name Specify a named ACL
number Specify a numbered ACL
[AR1]acl 200
[AR1]acl 2000
[AR1-acl-basic-2000]r
[AR1-acl-basic-2000]ru
[AR1-acl-basic-2000]rule ?
INTEGER<0-4294967294> ID of ACL rule
deny Specify matched packet deny
permit Specify matched packet permit
[AR1-acl-basic-2000]rule 5 d
[AR1-acl-basic-2000]rule 5 deny ?
fragment Check fragment packet
none-first-fragment Check the subsequence fragment packet
source Specify source address
time-range Specify a special time
vpn-instance Specify a VPN-Instance
<cr> Please press ENTER to execute command
[AR1-acl-basic-2000]rule 5 deny sou
[AR1-acl-basic-2000]rule 5 deny source ? 后面是拒绝所有,还是拒绝来着那个网段,
IP_ADDR<X.X.X.X> Address of source
any Any source
[AR1-acl-basic-2000]rule 5 deny source 192.168.10.0 ?
IP_ADDR<X.X.X.X> Wildcard of source
0 Wildcard bits : 0.0.0.0 ( a host )
[AR1-acl-basic-2000]rule 5 deny source 192.168.10.0 0.0.0.255 :定义规则 5,拒绝所有来自 192.168.10.0/24 网段的数据包(0.0.0.255 是通配符,匹配整个网段)。
[AR1-acl-basic-2000]q
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]t
[AR1-GigabitEthernet0/0/0]tr
[AR1-GigabitEthernet0/0/0]traffic-filter ?
inbound Apply ACL to the inbound direction of the interface
outbound Apply ACL to the outbound direction of the interface
[AR1-GigabitEthernet0/0/0]traffic-filter ou
[AR1-GigabitEthernet0/0/0]traffic-filter outbound ?
acl Specify ACL to match
ipv6 Specify IPv6
[AR1-GigabitEthernet0/0/0]traffic-filter outbound ac
[AR1-GigabitEthernet0/0/0]traffic-filter outbound acl 2000
[AR1-GigabitEthernet0/0/0]下面是pc 1 pc 2,server 的ip设置,
