The VLAN Isolation Handbook (Part 1)
Categories of VLAN isolation
I. Port isolation
Port isolation lab
Lab requirements:
PC1 and PC2 are in VLAN 10 and must not be able to reach each other, but PC3 must be able to reach both PC1 and PC2.
Configuration:
1. Assign the three PC-facing ports to VLAN 10
[Huawei]vlan 10
[Huawei-vlan10]q
[Huawei]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 10
[Huawei-GigabitEthernet0/0/1]int gi0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 10
[Huawei-GigabitEthernet0/0/2]int gi 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 10
[Huawei-GigabitEthernet0/0/3]q
After this, PC1 and PC2 can reach each other.
Packet capture on gi0/0/2
2. Enable port isolation
[Huawei]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]port-isolate enable
[Huawei-GigabitEthernet0/0/1]
[Huawei-GigabitEthernet0/0/1]int gi 0/0/2
[Huawei-GigabitEthernet0/0/2]port-isolate enable
[Huawei-GigabitEthernet0/0/2]
gi0/0/1 and gi0/0/2 are added to the port isolation group, while gi0/0/3 is not. Only ports inside the isolation group cannot reach each other; a port outside the group can still reach ports inside it, so PC3 can communicate with PC1 and PC2.
II. MUX VLAN
MUX VLAN applies only to Layer 2 networks. For users in the same subnet it provides communication between some VLANs, isolation between other VLANs, and isolation of users within a VLAN.
Lab requirements:
PC1, PC2, PC3 and PC4 can all reach PC5
PC1 and PC2 can reach each other; PC3 and PC4 cannot
Configuration:
1. Configure the port VLANs (this does not have to be done in this order; this step is not required, and configuring it produces an error)
[Huawei]vlan batch 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]un in en
Info: Information center is disabled.
[Huawei]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 10
[Huawei-GigabitEthernet0/0/1]int gi 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 10
[Huawei-GigabitEthernet0/0/2]int gi 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 20
[Huawei-GigabitEthernet0/0/3]int gi 0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 20
[Huawei-GigabitEthernet0/0/4]int gi 0/0/5
[Huawei-GigabitEthernet0/0/5]port link-type access
[Huawei-GigabitEthernet0/0/5]port default vlan 30
Because there is no Layer 3 device and no inter-VLAN routing, VLAN 10, VLAN 20 and VLAN 30 cannot reach one another.
2. Configure the MUX VLAN
[Huawei]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]vlan 30
[Huawei-vlan30]mux-vlan //Designate VLAN 30 as the Principal VLAN
[Huawei-vlan30]subordinate group 10 //Designate VLAN 10 as a Group VLAN
[Huawei-vlan30]subordinate separate 20 //Designate VLAN 20 as a Separate VLAN
[Huawei-vlan30]q
[Huawei]int gi 0/0/5
[Huawei-GigabitEthernet0/0/5]port link-type access
[Huawei-GigabitEthernet0/0/5]port default vlan 30
[Huawei-GigabitEthernet0/0/5]port mux-vlan enable vlan 30
^
Error:Too many parameters found at '^' position.
//VLAN 30 here refers to the VLAN the port joins; V200R003C00 and earlier versions do not require the VLAN to be specified, so the command is port mux-vlan enable
[Huawei-GigabitEthernet0/0/5]port mux-vlan enable
[Huawei-GigabitEthernet0/0/5]q
[Huawei]dis version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.110 (S5700 V200R001C00)
Copyright (c) 2000-2011 HUAWEI TECH CO., LTD
Quidway S5700-28C-HI Routing Switch uptime is 0 week, 0 day, 0 hour, 4 minutes
[Huawei-GigabitEthernet0/0/5]int gi 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 10
[Huawei-GigabitEthernet0/0/1]port mux-vlan enable
[Huawei-GigabitEthernet0/0/1]int gi 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type access
[Huawei-GigabitEthernet0/0/2]port default vlan 10
[Huawei-GigabitEthernet0/0/2]port mux-vlan enable
[Huawei-GigabitEthernet0/0/2]int gi 0/0/3
[Huawei-GigabitEthernet0/0/3]port link-type access
[Huawei-GigabitEthernet0/0/3]port default vlan 20
[Huawei-GigabitEthernet0/0/3]port mux-vlan enable
[Huawei-GigabitEthernet0/0/3]int gi 0/0/4
[Huawei-GigabitEthernet0/0/4]port link-type access
[Huawei-GigabitEthernet0/0/4]port default vlan 20
[Huawei-GigabitEthernet0/0/4]port mux-vlan enable
[Huawei-GigabitEthernet0/0/4]
As the figure below shows: PC1 and PC5 can reach each other, PC1 and PC2 can reach each other, and PC1 and PC3 cannot.
PC3 and PC5 can reach each other; PC3 and PC4 cannot.
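The reachability rules behind both labs (port isolation in section I and MUX VLAN in section II), modelled as an added Python example; this is not Huawei code or the page's own configuration. The port labels PC1 to PC5, the VLAN numbers and the expected results are constructed to mirror the two labs above, so the model can be used to check an isolation design before it is applied to a switch.

```python
"""Reachability model for port isolation and MUX VLAN (added example, not Huawei code).
Ports are labelled by the PC attached to them; all values are constructed to mirror the labs."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class MuxVlan:
    principal: int                                   # "mux-vlan" under the principal VLAN
    group: Set[int] = field(default_factory=set)     # "subordinate group": members talk to each other
    separate: Set[int] = field(default_factory=set)  # "subordinate separate": members are isolated


@dataclass
class Switch:
    port_vlan: Dict[str, int]                         # port -> "port default vlan"
    isolated: Set[str] = field(default_factory=set)   # ports with "port-isolate enable" (one group)
    mux: Optional[MuxVlan] = None
    mux_ports: Set[str] = field(default_factory=set)  # ports with "port mux-vlan enable"

    def reachable(self, a: str, b: str) -> bool:
        va, vb = self.port_vlan[a], self.port_vlan[b]
        # Port isolation: two members of the group never see each other at L2; a member
        # and a non-member follow the normal VLAN rules below.
        if a in self.isolated and b in self.isolated:
            return False
        m = self.mux
        if m is not None and a in self.mux_ports and b in self.mux_ports:
            mux_vlans = {m.principal} | m.group | m.separate
            if va in mux_vlans and vb in mux_vlans:
                if m.principal in (va, vb):
                    return True                       # principal VLAN reaches every subordinate VLAN
                return va == vb and va in m.group     # only group members talk among themselves
        return va == vb  # plain L2 switching, no inter-VLAN routing: same VLAN only


def reachability(sw: Switch, pairs) -> Dict[Tuple[str, str], bool]:
    return {pair: sw.reachable(*pair) for pair in pairs}


def port_isolation_lab() -> Dict[Tuple[str, str], bool]:
    # Step 1 puts all three ports in VLAN 10; step 2 isolates gi0/0/1 (PC1) and gi0/0/2 (PC2)
    sw = Switch(port_vlan={"PC1": 10, "PC2": 10, "PC3": 10}, isolated={"PC1", "PC2"})
    return reachability(sw, [("PC1", "PC2"), ("PC1", "PC3"), ("PC2", "PC3")])


def mux_vlan_lab(with_mux: bool = True) -> Dict[Tuple[str, str], bool]:
    # VLAN 30 is the principal, VLAN 10 the group VLAN, VLAN 20 the separate VLAN
    ports = {"PC1": 10, "PC2": 10, "PC3": 20, "PC4": 20, "PC5": 30}
    mux = MuxVlan(principal=30, group={10}, separate={20}) if with_mux else None
    sw = Switch(port_vlan=ports, mux=mux, mux_ports=set(ports))
    return reachability(sw, [("PC1", "PC5"), ("PC3", "PC5"), ("PC1", "PC2"),
                             ("PC3", "PC4"), ("PC1", "PC3")])
```

Calling `mux_vlan_lab(with_mux=False)` reproduces the state after step 1 of the MUX VLAN lab, where the three VLANs cannot reach one another.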