Preface
Today we look at MUX VLAN, a VLAN isolation technique on Huawei switches that can, in some situations, replace ACL-based traffic filtering for controlling which devices may talk to each other. It works entirely at Layer 2 on the access switch: hosts keep their existing addressing, and no per-flow ACL entries have to be written or maintained.
Contents
- Preface
- 1. Network topology
- 2. Configure the principal and subordinate VLANs
- 3. Enable the function on the interfaces
- 4. Tests
- 4.1. PC1 and PC2 must be isolated
- 4.2. PC3 and PC4 must be able to communicate
- 5. Extension: port isolation
- Afterword
- Change log
1. Network topology
The scenario is similar to the one Huawei gives in its own documentation: visitors come to the company and use some of its PCs. For security, a visitor should only be able to reach the company server, and visitors must not be able to reach each other, so that one compromised visitor machine cannot be used to attack another. Internal staff can reach each other as well as the server. In the lab used below, the guest PCs PC1 (192.168.1.1) and PC2 (192.168.1.2) hang off GigabitEthernet 0/0/1 and 0/0/2 of SW1, the staff PCs PC3 (192.168.1.3) and PC4 (192.168.1.4) off 0/0/3 and 0/0/4, and the server (192.168.1.5) off 0/0/5; all hosts sit in the same IP subnet, so the isolation has to be enforced at Layer 2.
The configuration has two steps: first define the principal and subordinate VLANs, then enable MUX VLAN on each switch interface. MUX VLAN expresses the policy through VLAN roles rather than per-flow ACLs: ports in the principal VLAN (the server) can talk to every subordinate VLAN, ports in a group VLAN can additionally talk to each other, and ports in a separate VLAN can talk only to the principal VLAN, not even to other ports in the same separate VLAN.
2. Configure the principal and subordinate VLANs
<Huawei>system-view
[Huawei]sysname SW1
[SW1]undo info-center enable
Info: Information center is disabled.
[SW1]vlan batch 100 200 300
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1]vlan 100
[SW1-vlan100]mux-vlan
[SW1-vlan100]subordinate separate 200
[SW1-vlan100]subordinate group 300
[SW1-vlan100]q
The subordinate VLANs are defined from inside the principal VLAN view, so enter vlan 100 first and then declare VLAN 200 as the separate VLAN (guests) and VLAN 300 as the group VLAN (staff). The earlier undo info-center enable only silences console log messages so they do not interrupt typing; it has no bearing on the MUX VLAN itself.
3. Enable the function on the interfaces
Each access port is put into its VLAN with port default vlan and then port mux-vlan enable is entered; the command has to be present on every port that takes part in the MUX VLAN, including GigabitEthernet 0/0/4 and the server port, otherwise that port keeps ordinary VLAN forwarding behaviour.
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 200
[SW1-GigabitEthernet0/0/1]port mux-vlan enable
[SW1-GigabitEthernet0/0/1]q
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/2]port default vlan 200
[SW1-GigabitEthernet0/0/2]port mux-vlan enable
[SW1-GigabitEthernet0/0/2]q
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 300
[SW1-GigabitEthernet0/0/3]port mux-vlan enable
[SW1-GigabitEthernet0/0/3]q
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port link-type access
[SW1-GigabitEthernet0/0/4]port default vlan 300
[SW1-GigabitEthernet0/0/4]port mux-vlan enable
[SW1-GigabitEthernet0/0/4]q
[SW1]interface GigabitEthernet 0/0/5
[SW1-GigabitEthernet0/0/5]port link-type access
[SW1-GigabitEthernet0/0/5]port default vlan 100
[SW1-GigabitEthernet0/0/5]port mux-vlan enable
4. Tests
4.1. PC1 and PC2 must be isolated
PC1 (192.168.1.1) and PC2 (192.168.1.2) are both in separate VLAN 200, so they must not reach each other even though they share a VLAN and a subnet, while PC1 must still reach the server (192.168.1.5) in principal VLAN 100. From PC1:
PC>ping 192.168.1.2

Ping 192.168.1.2: 32 data bytes, Press Ctrl_C to break
From 192.168.1.1: Destination host unreachable
From 192.168.1.1: Destination host unreachable
From 192.168.1.1: Destination host unreachable
From 192.168.1.1: Destination host unreachable
From 192.168.1.1: Destination host unreachable

--- 192.168.1.2 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

PC>ping 192.168.1.5

Ping 192.168.1.5: 32 data bytes, Press Ctrl_C to break
From 192.168.1.5: bytes=32 seq=1 ttl=255 time=32 ms
From 192.168.1.5: bytes=32 seq=2 ttl=255 time=32 ms
From 192.168.1.5: bytes=32 seq=3 ttl=255 time=16 ms
From 192.168.1.5: bytes=32 seq=4 ttl=255 time=32 ms
From 192.168.1.5: bytes=32 seq=5 ttl=255 time=32 ms

--- 192.168.1.5 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
round-trip min/avg/max = 16/28/32 ms
The failures are reported by PC1's own address (192.168.1.1) as Destination host unreachable, i.e. PC1 never gets an ARP reply for 192.168.1.2: the switch does not forward frames between two ports of the same separate VLAN, so the isolation holds at Layer 2 rather than being a filtered IP path. The ping to the server in the principal VLAN succeeds.
4.2. PC3 and PC4 must be able to communicate
PC3 (192.168.1.3) and PC4 (192.168.1.4) are in group VLAN 300, so they must reach each other as well as the server. From PC3:
PC>ping 192.168.1.4

Ping 192.168.1.4: 32 data bytes, Press Ctrl_C to break
From 192.168.1.4: bytes=32 seq=1 ttl=128 time=47 ms
From 192.168.1.4: bytes=32 seq=2 ttl=128 time=47 ms
From 192.168.1.4: bytes=32 seq=3 ttl=128 time=62 ms
From 192.168.1.4: bytes=32 seq=4 ttl=128 time=63 ms
From 192.168.1.4: bytes=32 seq=5 ttl=128 time=46 ms

--- 192.168.1.4 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
round-trip min/avg/max = 46/53/63 ms

PC>ping 192.168.1.5

Ping 192.168.1.5: 32 data bytes, Press Ctrl_C to break
From 192.168.1.5: bytes=32 seq=1 ttl=255 time=31 ms
From 192.168.1.5: bytes=32 seq=2 ttl=255 time=16 ms
From 192.168.1.5: bytes=32 seq=3 ttl=255 time=31 ms
From 192.168.1.5: bytes=32 seq=4 ttl=255 time=31 ms
From 192.168.1.5: bytes=32 seq=5 ttl=255 time=32 ms

--- 192.168.1.5 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
round-trip min/avg/max = 16/28/32 ms
5. Extension: port isolation
If we do not use MUX VLAN and only want to keep individual ports from talking to each other, for example port 1 and port 2, we can use port isolation (Port Isolation). Ports placed in the same isolation group cannot exchange frames regardless of the VLAN they belong to. Note that on Huawei switches the default port-isolate mode isolates only at Layer 2, so two isolated hosts that share a Layer 3 gateway could still reach each other through that gateway unless the mode is changed or the gateway filters the traffic; in this lab there is no gateway, so the Layer 2 isolation is sufficient.
Suppose we now want to isolate PC3 from PC4; we type:
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port-isolate enable group 1
[SW1-GigabitEthernet0/0/3]q
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]port-isolate enable group 1
Now the two ports are isolated and PC3 can no longer ping PC4:
PC>ping 192.168.1.4

Ping 192.168.1.4: 32 data bytes, Press Ctrl_C to break
From 192.168.1.3: Destination host unreachable
From 192.168.1.3: Destination host unreachable
From 192.168.1.3: Destination host unreachable
From 192.168.1.3: Destination host unreachable
From 192.168.1.3: Destination host unreachable

--- 192.168.1.4 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss
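To check the intended isolation for every host pair at once instead of one ping at a time, here is an added Python model of the forwarding rules used in sections 2 to 5 (example code written for this page, not code from the article or from Huawei). It assumes the port-to-host mapping reconstructed from the ping tests above (PC1 192.168.1.1 on GE0/0/1 and PC2 192.168.1.2 on GE0/0/2 in VLAN 200; PC3 192.168.1.3 and PC4 192.168.1.4 on GE0/0/3 and GE0/0/4 in VLAN 300; the server 192.168.1.5 on GE0/0/5 in VLAN 100), that port mux-vlan enable is present on all five ports, and that port isolation is evaluated before the MUX VLAN rules and always wins. The names MuxVlan, Port, can_forward, reachability, violations and reconfigure are this example's own.

```python
"""Layer-2 reachability model for Huawei MUX VLAN and port isolation.

Added example, not code from the original article or from Huawei: it
encodes the forwarding rules behind the article's ping tests so the
intended isolation can be checked as a matrix instead of PC by PC.
Port-to-host mapping reconstructed from the article (constructed data):
  GE0/0/1 PC1 192.168.1.1, GE0/0/2 PC2 192.168.1.2 -> VLAN 200 (separate)
  GE0/0/3 PC3 192.168.1.3, GE0/0/4 PC4 192.168.1.4 -> VLAN 300 (group)
  GE0/0/5 server 192.168.1.5                       -> VLAN 100 (principal)
"""
from dataclasses import dataclass, replace
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class MuxVlan:
    """One `mux-vlan` definition: the principal VLAN and its subordinates."""
    principal: int
    separate: FrozenSet[int]  # `subordinate separate ...`
    group: FrozenSet[int]     # `subordinate group ...`

    def role(self, vlan: int) -> Optional[str]:
        if vlan == self.principal:
            return "principal"
        if vlan in self.separate:
            return "separate"
        if vlan in self.group:
            return "group"
        return None  # ordinary VLAN, outside this MUX VLAN


@dataclass(frozen=True)
class Port:
    """An access port as configured on SW1."""
    name: str
    host: str
    vlan: int                            # `port default vlan N`
    mux_enabled: bool = False            # `port mux-vlan enable`
    isolate_group: Optional[int] = None  # `port-isolate enable group N`


def can_forward(a: Port, b: Port, mux: MuxVlan) -> bool:
    """Can a frame entering port a be delivered out of port b? (Layer 2 only.)

    Model assumptions: port isolation is checked first and always wins;
    MUX VLAN rules apply when both ports have `port mux-vlan enable`
    (the article enables it on every port it tests); otherwise the
    switch falls back to ordinary same-VLAN forwarding.
    """
    if a.isolate_group is not None and a.isolate_group == b.isolate_group:
        return False
    ra, rb = mux.role(a.vlan), mux.role(b.vlan)
    if a.mux_enabled and b.mux_enabled and ra and rb:
        if "principal" in (ra, rb):
            return True               # the principal VLAN talks to everyone
        if ra == rb == "group":
            return a.vlan == b.vlan   # group ports talk within their own group VLAN
        return False                  # separate<->separate and separate<->group are blocked
    return a.vlan == b.vlan


def reachability(ports: Iterable[Port], mux: MuxVlan) -> Dict[Tuple[str, str], bool]:
    """Symmetric reachability matrix keyed by (host, host) pairs in port order."""
    return {(a.host, b.host): can_forward(a, b, mux) for a, b in combinations(ports, 2)}


def violations(matrix: Dict[Tuple[str, str], bool],
               policy: Dict[Tuple[str, str], bool]) -> List[Tuple[str, str]]:
    """Host pairs whose modelled reachability contradicts the policy."""
    return sorted(pair for pair, want in policy.items() if matrix[pair] != want)


def reconfigure(ports: Iterable[Port], names: Iterable[str], **changes) -> List[Port]:
    """Copy of `ports` with the named ports changed, e.g. isolate_group=1 (section 5)."""
    names = set(names)
    return [replace(p, **changes) if p.name in names else p for p in ports]


SW1_MUX = MuxVlan(principal=100, separate=frozenset({200}), group=frozenset({300}))

SW1_PORTS = [
    Port("GE0/0/1", "PC1", 200, mux_enabled=True),
    Port("GE0/0/2", "PC2", 200, mux_enabled=True),
    Port("GE0/0/3", "PC3", 300, mux_enabled=True),
    Port("GE0/0/4", "PC4", 300, mux_enabled=True),  # needs `port mux-vlan enable` on the switch too
    Port("GE0/0/5", "server", 100, mux_enabled=True),
]

# The article's policy: guests reach only the server; staff reach each other and the server.
POLICY = {
    ("PC1", "PC2"): False, ("PC1", "server"): True, ("PC2", "server"): True,
    ("PC3", "PC4"): True, ("PC3", "server"): True, ("PC4", "server"): True,
    ("PC1", "PC3"): False, ("PC2", "PC4"): False,
}

if __name__ == "__main__":
    matrix = reachability(SW1_PORTS, SW1_MUX)
    for (x, y), ok in sorted(matrix.items()):
        print(f"{x:6} <-> {y:6}: {'reachable' if ok else 'isolated'}")
    print("policy violations:", violations(matrix, POLICY))
    after = reachability(reconfigure(SW1_PORTS, {"GE0/0/3", "GE0/0/4"}, isolate_group=1), SW1_MUX)
    print("PC3 <-> PC4 after port-isolate group 1:", after[("PC3", "PC4")])
```

Running it prints the reachability of every host pair and an empty violation list for the MUX VLAN configuration of sections 2 and 3; after reconfigure(..., isolate_group=1) on GE0/0/3 and GE0/0/4 the PC3/PC4 pair flips to isolated, matching the port-isolation test in section 5. The same check also shows why port mux-vlan enable must not be forgotten on a staff port: with mux_enabled=False on GE0/0/4, the model falls back to plain VLAN forwarding and PC4 loses its path to the server.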
Afterword
If there are any errors or omissions in this article, please point them out in the comments so we can all learn together.
Change log
Date | Change |
---|---|
17 May 2025 | First draft completed |