VLAN分四个网段,要求:所有网段能访问1;2、3、4不能相互访问;3、4网段内部不能相互访问? H3C S系列交换机不同网段之间的VLAN互访问题
\u601d\u79d1\u4e09\u5c42\u4ea4\u6362\u673a\u914d\u7f6e\uff1a 24\u53e3\u4e09\u5c42\u4ea4\u6362\u673a\u5212\u5206\u4e0d\u901a\u7684\u7f51\u6bb5 \u90e8\u95e8\u4e4b\u95f4\u5904\u4e8e\u4e00\u4e2a\u5c40\u57df\u7f51 \u4f46\u4e0d\u80fd\u4e92\u76f8\u901a\u4fe1 \u600e\u4e48\u914d\u7f6e\uff1f
\u914d\u7f6e\u5982\u4e0b\uff0c\u4f60\u53ea\u8981\u590d\u5236\u8fc7\u53bb\u5c31\u884c\u4e86\u3002
Switch#show runBuilding configuration...
Current configuration : 1912 bytes!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
interface FastEthernet0/1 switchport access vlan 100
!
interface FastEthernet0/2
switchport access vlan 100
!
interface FastEthernet0/3
switchport access vlan 100
!
interface FastEthernet0/4
switchport access vlan 100
!
interface FastEthernet0/5
switchport access vlan 100
!
interface FastEthernet0/6
switchport access vlan 100
!
interface FastEthernet0/7
switchport access vlan 100
!
interface FastEthernet0/8
switchport access vlan 100
!
interface FastEthernet0/9
switchport access vlan 100
!
interface FastEthernet0/10
switchport access vlan 100
!
interface FastEthernet0/11
switchport access vlan 101
!
interface FastEthernet0/12
switchport access vlan 101
!
interface FastEthernet0/13
switchport access vlan 101
!
interface FastEthernet0/14
switchport access vlan 100
!
interface FastEthernet0/15
switchport access vlan 102
!
interface FastEthernet0/16
switchport access vlan 102
!
interface FastEthernet0/17
switchport access vlan 102
!
interface FastEthernet0/18
switchport access vlan 102
!
interface FastEthernet0/19
switchport access vlan 103
!
interface FastEthernet0/20
switchport access vlan 103
!
interface FastEthernet0/21
switchport access vlan 103
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan101
ip address 192.168.1.1 255.255.255.0
!
interface Vlan102
ip address 192.168.2.1 255.255.255.0
!
interface Vlan103
ip address 192.168.3.1 255.255.255.0
!
router rip
!
ip classless
!
line con 0
line vty 0 4
login
!
!
!
end
Switch#
\u90e8\u95e8\u4e4b\u95f4\u4e0d\u80fd\u76f8\u4e92\u901a\u4fe1\u7684\u95ee\u9898\uff0c\u4f60\u81ea\u5df1\u5904\u7406\u4e00\u4e0b\uff0c\u65b9\u6cd5\u662fACL
\u7528\u6cd5\u5982\u4e0b\u3002
\u6807\u51c6ACL
\u547d\u4ee4\uff1aaccess-list {1-99} {permit/deny} source-ip source-wildcard [log]
\u4f8b\uff1aaccess-list 1 penmit 192.168.2.0 0.0.0.255 \u5141\u8bb8192.168.2.0\u7f51\u6bb5\u7684\u8bbf\u95ee
access-list 1 deny 192.168.1.0 0.0.0.255 \u62d2\u7edd192.168.1.0\u7f51\u6bb5\u7684\u8bbf\u95ee
\u8bf4\u660e\uff1awildcard\u4e3a\u53cd\u63a9\u7801\uff0chost\u8868\u793a\u7279\u5b9a\u4e3b\u673a\u7b49\u540c\u4e8e192.168.2.3 0.0.0.0\uff1bany\u8868\u793a\u6240\u6709\u7684\u6e90\u6216\u76ee\u6807\u7b49\u540c\u4e8e0.0.0.0 255.255.255.255 \uff1blog\u8868\u793a\u6709\u5339\u914d\u65f6\u751f\u6210\u65e5\u5fd7\u4fe1\u606f\uff1b\u6807\u51c6ACL\u4e00\u822c\u7528\u5728\u79bb\u76ee\u7684\u6700\u8fd1\u7684\u5730\u65b9
\u6269\u5c55ACL
\u547d\u4ee4\uff1aaccess-list {100-199} {permit/deny} protocol source-ip source-wildcard [operator port] destination-ip destination-wildcard [operator port] [established][log]
\u4f8b\uff1aaccess-list 101 permit tcp 192.168.2.0 0.0.0.255 gt 1023 host 192.168.1.2 eq 80
\u5141\u8bb8192.168.2.0\u7f51\u6bb5\u7684\u4e3b\u673a\u8bbf\u95ee\u4e3b\u673a192.168.1.2\u7684web\u670d\u52a1
access-list 101 permit udp 192.168.2.0 0.0.0.255 gt 1023 any eq 53
\u5141\u8bb8192.168.2.0\u7f51\u6bb5\u7684\u4e3b\u673a\u8bbf\u95ee\u5916\u7f51\u4ee5\u505adns\u67e5\u8be2
\u8bf4\u660e\uff1agt 1023\u8868\u793a\u6240\u6709\u5927\u4e8e1023\u7684\u7aef\u53e3\uff0c\u8fd9\u662f\u56e0\u4e3a\u4e00\u822c\u8bbf\u95eeweb\u3001ftp\u7b49\u670d\u52a1\u5668\u65f6\u5ba2\u6237\u7aef\u7684\u4e3b\u673a\u662f\u4f7f\u7528\u4e00\u4e2a1023\u4ee5\u4e0a\u7684\u968f\u673a\u7aef\u53e3\uff1bestablished \u8868\u793a\u5141\u8bb8\u4e00\u4e2a\u5df2\u7ecf\u5efa\u7acb\u7684\u8fde\u63a5\u7684\u6d41\u91cf\uff0c\u4e5f\u5c31\u662f\u6570\u636e\u5305\u7684ACK\u4f4d\u5df2\u8bbe\u7f6e\u7684\u5305\u3002
\u5047\u8bbeS3600 1.2.3\u63a5\u53e3\u5206\u522b\u63a5S3100\u76841\u53e3\uff0c2.3\u53e3\u63a5\u7535\u8111,\u90fd\u91c7\u7528C\u7c7b\u5730\u5740
S3600\uff1a
VLAN 10
ip address 192.168.1.0 255.255.255.0
VLAN 20
ip address 172.1.1.0 255.255.255.0
VLAN 30
ip address 10.1.1.0 255.255.255.0
interface f0/1
port link-type trunk
port trunk permit vlan all
interface f0/2
port link-type trunk
port trunk permit vlan all
interface f0/3
port link-type trunk
port trunk permit vlan all
S3100-1:
interface f0/1
port link-type trunk
port trunk permit vlan all
interface f0/2
port access vlan 10
interface f0/3
port access vlan 10
S3100-2:
interface f0/1
port link-type trunk
port trunk permit vlan all
interface f0/2
port access vlan 20
interface f0/3
port access vlan 20
S3100-3:
interface f0/1
port link-type trunk
port trunk permit vlan all
interface f0/2
port access vlan 30
interface f0/3
port access vlan 30
\u73b0\u5728\u6240\u6709\u7684\u673a\u5668\u662f\u4e92\u901a\u7684\uff0c\u4f60\u53ea\u9700\u8981\u5728vlan10.20.30\u52a0\u4e0a\u8bbf\u95ee\u8bbf\u95ee\u63a7\u5236\u5217\u8868\u5c31\u884c\u4e86\uff0c\u6bd4\u5982\u670d\u52a1\u5668\u653e\u5728S3600\u4e0a\uff0c\u5c5e\u4e8eVLAN 40\uff0c\u5c31\u884c\u4e86\uff0c\u5c31\u53ef\u4ee5\u8bbf\u95ee\u3002
有两个方法可以实现:
mux vlan隔离机制:将1设置为主vlan,将2设置为互通型从vlan,将3、4设置为隔离型从vlan。
通过三层交换机+acl+端口隔离可以实现。
推荐第一种方法。
绛旓細mux vlan闅旂鏈哄埗锛氬皢1璁剧疆涓轰富vlan锛灏2璁剧疆涓轰簰閫氬瀷浠巚lan锛屽皢3銆4璁剧疆涓洪殧绂诲瀷浠巚lan銆傞氳繃涓夊眰浜ゆ崲鏈+acl+绔彛闅旂鍙互瀹炵幇銆傛帹鑽愮涓绉嶆柟娉曘
绛旓細鍙兘鍛婅瘔浣 瀛愮綉鎺╃爜鐩稿悓鐨勬儏鍐典笅 缃戠粶鏍囩ず甯冧竴鑷 灏变笉鏄悓缃戞 Vlan鏈韩灏辨槸涓嶅悓缃戞
绛旓細璧风爜瑕192.168.1.0锛192.168.2.0锛192.168.3.0锛192.168.4.0鍔犺捣鏉ユ墠鑳借揪鍒拌繖涓暟瀛锛佹樉鐒剁敤涓涓綉娈垫槸瀹炵幇涓嶄簡鐨勶紒濡傛灉鍋忚瀹炵幇鍦ㄤ竴涓綉娈甸噷闈㈠疄鐜板涓獀lan锛屼篃鍙互浣跨敤鍒掑垎瀛愮綉鎺╃爜鐨勬柟娉曪紝铏氭嫙鐨勬妸缃戞鍒嗗紑銆
绛旓細姣斿1鍒4鍙风鍙e垎鍒负涓涓VLAN 1-4鍙锋瘡涓涓涓氦鎹㈡満 H3C 鍏朵粬浠绘剰涓涓鍙f帴鍒拌矾鐢卞氨濂 浣嗘槸浣犵殑璺敱鍙兘鍏佽涓涓猇LAN涓婄綉 鑷充簬璺敱涓婄綉 灏辨槸涓涓棶棰樹簡 鍥犱负浣4涓猇LAN 鐢ㄤ簡4涓笉鍚岀綉娈 瑕佹兂鎵鏈閮戒笂缃 杩欒矊浼兼湁浜涢夯鐑 闄ら潪浣犵殑璺敱鏀寔4涓綉娈 ...
绛旓細浣犻偅璺敱鍣ㄦ湁4涓lan鍙g殑璇濓紝瀹屽叏鍙互鐢ㄤ笉鍚岀殑鎺ュ彛灏嗕笉鍚岀殑缃戞鍒嗗紑锛涜嫢鏄綘鎯宠冭檻鍦板煙鏂归潰鍥犵礌璇濓紝鍙娇鐢VLAN鏂瑰紡锛岄変竴鎺ュ彛锛屼娇鐢ㄥ崟鑷傝矾鐢憋紱鍐嶈咃紝浣犺繕鍙互鍍忔ゼ涓婅繖浣嶅悓瀛﹂偅鑸紝灏嗕綘鎵璇寸殑涓嶅悓缃戞姹囨绘垚涓涓綉娈銆傛垜瑕佽涓涓嬪氨鏄崟鑷傝矾鐢辨槸涓绉嶇壒鍒傚悎2灞備氦鎹㈣澶囩殑璺敱鎵嬫.鍥犱负2灞傝澶囨病鏈...
绛旓細娌″お鏄庣櫧浣犵殑鎰忔濄傚湪浜ゆ崲鏈轰笂閰嶇疆鍩轰簬鍏ㄥ眬鍦板潃姹犵殑DHCP鏈嶅姟銆
绛旓細鍒欙細 2^n(2鐨刵娆″箓)-2>=4 寰楋細鏈灏忔鏁存暟n涓3 鍗筹細浣庡叓浣嶅瓙缃戞帺鐮佷负锛11100000锛2锛2鏄笅鏍囷級=锛224锛10锛10鏄笅鏍囷級鎵浠ワ細瀛愮綉鎺╃爜涓255.255.255.224 鍥犱负缃戠粶鍙蜂笉鑳戒负锛111锛2锛岋紙000锛2 涓旓紝涓绘満鍙蜂笉鑳戒负锛11111锛2锛岋紙00000锛2 鎵浠ュ湴鍧浣庡叓浣嶄簩杩涘埗鑼冨洿涓猴細00000001--11111110 ...
绛旓細缁勫缓鏄熷瀷缃戝晩銆傘傘傛妸鎵鏈IP璁剧疆濂 192.168.1.1 255.255.255.0 GW192.168.1.2 192.168.2.0 255.255.255.0 GW192.168.2.2 192.168.3.1 255.255.255.0 GW192.168.3.2 192.168.4.1 255.255.255.0 GW192.168.4.2 鐒跺悗閰嶇疆浜ゆ崲鏈 ip routing router ospf 1 network ...
绛旓細3銆侀厤缃VLAN 2鐨凞HCP鏈嶅姟鍣ㄣ傞〉闈㈠悜瀵硷細鎺ュ彛绠$悊鈫扗HCP璁剧疆鈫扗HCP璁剧疆 4銆侀厤缃浉搴旀ā鏉匡紝SSID妗ユ帴鍒癡LAN 2銆傞〉闈㈠悜瀵硷細AP绠$悊鈫掑湪绾緼P绠$悊鈫掑湪绾緼P鍒楄〃 5銆佺粰AP缁戝畾瀵瑰簲鐨勬ā鏉裤傞〉闈㈠悜瀵硷細AP绠$悊鈫掑湪绾緼P绠$悊鈫掑湪绾緼P鍒楄〃 6銆侀獙璇侀厤缃紝Host閫氳繃DHCP鑾峰彇鍒192.168.1.X/24缃戞鐨処P鍦板潃锛屽彲浠ラ氳繃172.17...
绛旓細鍚屼竴涓vlan ,鑲畾鏄悓涓涓箍鎾煙銆傚箍鎾煙 鏄簩灞傜殑姒傚康锛屽拰ip鍦板潃娌″叧绯汇
