VLAN技術(shù)原理與配置-文檔資料

1、Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. VLAN技術(shù)原理與配置Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page1前 言 虛擬局域網(wǎng)（VLAN）技術(shù)為以太網(wǎng)引入了靈活的控制手段，被廣泛應(yīng)用。 本文旨在介紹VLAN及相關(guān)技術(shù)的基本原理和實現(xiàn)。Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page2培訓(xùn)目標(biāo) 學(xué)完本課程后，您應(yīng)該能：l

2、了解VLAN的基本原理及基本配置l了解VLAN相關(guān)技術(shù)的基本原理及配置Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page3目 錄lVLAN的基本原理lVLAN相關(guān)技術(shù)的基本原理及配置Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page4目 錄lVLAN的基本原理的基本原理1.1 VLAN起源1.2 VLAN數(shù)據(jù)幀結(jié)構(gòu)1.3 VLAN劃分方式1.4 VLAN接口方式Copyright 2012 Huawei Techno

3、logies Co., Ltd. All rights reserved. Page5用戶：我不想收到C的廣播報文管理員：B不能訪問ACBA以太網(wǎng)缺少轉(zhuǎn)發(fā)控制手段VLAN的產(chǎn)生原因Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page6VLAN技術(shù)的目標(biāo)組1組2Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page7通過標(biāo)簽管理實現(xiàn)VLAN5Permit VLAN 1 onlySWASWB組 1組 2ABCopyright

4、2012 Huawei Technologies Co., Ltd. All rights reserved. Page8VLAN標(biāo)簽介紹DASATYPEDATAFCSSAFCSDATATYPETAGDAUntagged frameTagged framePRIVLAN ID（12b）CFI0 x8100TPIDTCI6B6B2B64-1500B4B6B6B2B64-1500B4B4B2B2BCopyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page9如何生成VLAN標(biāo)簽主機主機A主機主機B主機主機C主機主機DP

5、ort 1Port 2 Port 7Port 10端口PVIDPort15Port210Port75Port1010Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page10VLAN劃分方式 根據(jù)端口劃分: 基于端口的VLAN 根據(jù)MAC劃分: 基于MAC的VLAN 根據(jù)IP進(jìn)行劃分: 基于IP子網(wǎng)的VLAN 根據(jù)協(xié)議劃分: 基于協(xié)議的VLAN 根據(jù)幾種劃分依據(jù)組合進(jìn)行劃分: 基于策略的VLANCopyright 2012 Huawei Technologies Co., Ltd. All rights re

6、served. Page11基于端口劃分VLANVLAN信息表信息表Port 4Port 2Port 1VLAN 10VLAN 20VLAN 30Port1Port 2Port 3Port4Port 3主機主機C主機主機A主機主機B主機主機DCopyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page12基于MAC劃分VLANVLAN信息表信息表VLAN 10VLAN 20VLAN 30主機A MAC主機B MAC主機C MAC主機D MACPort 4Port 2Port 1Port 3主機主機C主機主機A主機主

7、機B主機主機DVlan10mac-vlan mac-address 0011-0011-0011Int e/0/0mac-vlan enable Port hy unt vlan 10Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page13基于IP網(wǎng)段劃分VLANVLAN信息表信息表Port 4Port 2Port 1VLAN 10VLAN 20VLAN 301.1.1.*1.1.2.*1.1.3.*Port 3主機主機CIP: 1.1.1.2主機主機AIP:1.1.1.1主機主機BIP: 1.1.2.1主

8、機主機DIP:1.1.3.1Vlan 10ip-subnet-vlan ip 12.12.12.0 24Int e/0/0ip-subnet-vlan enCopyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page14VLAN信息表信息表VLAN 10VLAN 20VLAN 30IP 協(xié)議號.IPX 協(xié)議號.運行運行IPX協(xié)議協(xié)議運行運行IP協(xié)議協(xié)議運行運行IPX協(xié)議協(xié)議運行運行IP協(xié)議協(xié)議基于協(xié)議劃分VLANPort 4Port 2Port 1Port 3Vlan 10protocol-vlan ipv4Int

9、 e/0/0protocol-vlan vlan 10 allCopyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page15基于策略劃分VLANVLAN信息表信息表VLAN 10VLAN 20VLAN 30IP 1 + MAC1IP2+MAC2+Port2IP3+MAC3+Port3 IP4 +MAC4+Port4 IP 3, MAC 3IP1,MAC1IP2,MAC2 IP 4, MAC 4Port 4Port 2Port 1Port 3Vlan 10policy-vlan mac-address 0011-0

10、011-0011 ip 1.1.1.1 int Ethernet 0/0/1Int e/0/0/1常規(guī)配置就可以 不用額外配置Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page16VLAN接口類型 Access 端口 Trunk 端口 Hybrid端口Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page17Access端口VLAN屬性Quidway-2-GigabitEthernet2/0/2display this#

11、interface GigabitEthernet2/0/2 port link-type access port default vlan 2#return端口默認(rèn)VLAN為2,Untagged幀添加VLAN 2后再轉(zhuǎn)發(fā)Access端口，一般用于連接主機Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page18配置Access端口屬性Port-0/1:VLAN-3Port-0/2:VLAN-5Switch-Ethernet0/1port link-type accessSwitch-Ethernet0/2p

12、ort link-type access配置端口類型Switchvlan 3Switchvlan 5創(chuàng)建VLANSwitch-Ethernet0/1port default vlan 3Switch-Ethernet0/2port default vlan 5設(shè)置端口PVIDSWACopyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page19Trunk端口VLAN屬性Quidway-GigabitEthernet2/0/3display this#interface GigabitEthernet2/0/3 po

13、rt link-type trunk port trunk pvid vlan 3 port trunk allow-pass vlan 5 100 undo negotiation auto speed 100#return端口為trunk類型允許多個VLAN通過為untagged報文加上默認(rèn)VLANCopyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page20配置Trunk端口屬性Switchvlan 3創(chuàng)建VLANSwitch-Ethernet0/3port link-type trunk配置端口類型Swi

14、tch-Ethernet0/3port trunk pvid vlan 3配置Trunk-Link端口PVIDSwitch-Ethernet0/3port trunk allow-pass vlan 5配置Trunk-Link所允許通過的VLANPort-0/3Port-0/3SWASWBCopyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page21Hybird端口VLAN屬性Quidway-GigabitEthernet2/0/6display this#interface GigabitEthernet2/0

15、/6 port hybrid pvid vlan 5 port hybrid tagged vlan 100 101 port hybrid untagged vlan 10 to 12#return端口默認(rèn)模式為Hybrid對untagged報文加VLAN標(biāo)簽指接口在發(fā)送幀時不將幀中的標(biāo)簽移除移除標(biāo)簽后轉(zhuǎn)發(fā)Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page22配置Hybrid端口Quidway-Ethernet1/0/1port link-type hybridQuidway-Ethernet1/0/1

16、port hybrid pvid vlan 2Quidway-Ethernet1/0/1port hybrid untagged vlan 2Quidway-Ethernet1/0/24port link-type hybridQuidway-Ethernet1/0/24port hybrid pvid vlan 3Quidway-Ethernet1/0/24port hybrid untagged vlan 3Quidway-Ethernet2/0/0port link-type hybridQuidway-Ethernet2/0/0port hybrid pvid vlan 99Quidw

17、ay-Ethernet2/0/0port hybrid untagged vlan 2 to 3Port-2/0/0Port-1/0/1Port-1/0/24Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page23目 錄 VLAN的基本原理 VLAN相關(guān)技術(shù)的基本原理及配置相關(guān)技術(shù)的基本原理及配置Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page242. VLAN相關(guān)技術(shù)的基本原理及配置相關(guān)技術(shù)的基本原理及配置2.1

18、Mux VLAN 基本原理及配置2.2 Super VLAN原理2.3 ARP Proxy2.4 VLAN mapping2.5 端口隔離目 錄Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page25Mux VLAN基本原理 MUX VLAN 提供了一種在VLAN 的端口間進(jìn)行二層流量隔離的機制。部門 AVLAN 2部門 AVLAN 2部門B VLAN 3部門 BVLAN 3ServerCopyright 2012 Huawei Technologies Co., Ltd. All rights reser

19、ved. Page26Mux VLAN 配置Quidwayvlan batch 2 3 10/創(chuàng)建VLANQuidwayvlan 10Quidway-vlan10mux-vlan/配置主VLANQuidway-vlan10subordinate group 3/配置MUX VLAN中的互通型從VLANQuidway-vlan10subordinate separate 2/配置MUX VLAN中的隔離型從VLANQuidwayinterface gigabitethernet1/0/1Quidway-GigabitEthernet1/0/1port mux-vlan enableQuidway

20、-GigabitEthernet1/0/2port mux-vlan enableQuidway-GigabitEthernet1/0/3port mux-vlan enableQuidway-GigabitEthernet1/0/4port mux-vlan enable/使能端口下的MUX-VLAN功能部門 AVLAN 2部門 AVLAN 2部門B VLAN 3部門 BVLAN 3GE1/0/1 GE1/0/2GE1/0/3GE1/0/4Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page27Super

21、 VLAN原理Super VLAN 10Vlanif10:10.1.1.1/24 VLAN聚合，只在super-VLAN 接口上配置IP 地址，而不必為每個sub-VLAN 分配IP 地址。所有sub-VLAN 共用IP 網(wǎng)段，解決了IP 地址資源浪費的問題。10.1.1.2/24網(wǎng)關(guān):10.1.1.1/24Sub-vlan: VLAN 310.1.1.2/2410.1.1.2/2410.1.1.3/24網(wǎng)關(guān):10.1.1.1/24Sub-van: VLAN 2Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. P

22、age28ARP Proxy概述 ARP（Address Resolution Protocol）用于將一個IP地址映射到正確的MAC地址。 一個物理網(wǎng)絡(luò)的子網(wǎng)（Subnet）中的源主機向另一個物理網(wǎng)絡(luò)的子網(wǎng)中的目的主機發(fā)ARP request，和源主機直連的網(wǎng)關(guān)用自己接口的MAC地址代替目的主機回ARP reply，這個過程稱為ARP 代理。默認(rèn)默認(rèn)ARP不能跨跳，在路由上不能跨跳，在路由上 如果如果ARP request的目的地址的目的地址不是路由器接收接口，路由器不回應(yīng)，會造成無法通信。不是路由器接收接口，路由器不回應(yīng)，會造成無法通信。Copyright 2012 Huawei Tech

23、nologies Co., Ltd. All rights reserved. Page29ARP Proxy基本原理 當(dāng)主機上沒有配置缺省網(wǎng)關(guān)地址,它可以發(fā)送一個ARP請求,請求目的主機的MAC地址。使能ARP Proxy功能的交換機收到這樣的請求后，會使用自己的MAC地址作為該ARP請求的回應(yīng)，使得處于不同物理網(wǎng)絡(luò)但網(wǎng)絡(luò)號相同的主機之間可以正常的相互通信。 思科默認(rèn)開啟思科默認(rèn)開啟 ARP Proxy ，華為默認(rèn)關(guān)閉，華為默認(rèn)關(guān)閉 ARP Proxy需要進(jìn)入接口手工開啟需要進(jìn)入接口手工開啟 ARP Proxy int g0/0/0 arp-proxy enable#Dis arp 可查可查

24、ARP表表Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page30ARP Proxy方式ARP Proxy方式方式解決的問題解決的問題路由式ARP Proxy 解決同一網(wǎng)段不同物理網(wǎng)絡(luò)上計算機的互通問題。VLAN 內(nèi)ARP Proxy 解決相同VLAN 內(nèi)，且VLAN 配置用戶隔離后的網(wǎng)絡(luò)上計算機互通問題。VLAN 間ARP Proxy 解決不同VLAN 之間對應(yīng)計算機的三層互通問題。Copyright 2012 Huawei Technologies Co., Ltd. All rights reserv

25、ed. Page31路由式ARP ProxyHost BARP proxyVlanif 20De0-fc39-80aa172.16.2.2/160De0-fc39-80ab172.16.2.1/240De0-fc39-80bb172.16.4.4/160De0-fc39-80bb172.16.4.1/24Host ASWASWBVlanif 3ARP proxyCopyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page32VLAN內(nèi)ARP ProxyGE1/0/0VLANIF10(ARP Proxy)172.16

26、.2.10/24DSLAMSWAVLAN 10HOSTAHOSTB172.16.2.20/24172.16.2.30/24在端口隔離時，需要使用。在端口隔離時，需要使用。隔離隔離vlan 不能使用不能使用interface Vlanif10 ip address 1.1.1.1 255.255.255.0 arp-proxy inner-sub-vlan-proxy enableInner 內(nèi)部內(nèi)部Inter 外部外部interface Ethernet0/0/2 port link-type access port default vlan 10 port-isolate enable gr

27、oup 1#Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page33VLAN間ARP ProxyGE1/0/0VLANIF30(ARP Proxy )172.16.2.10/24DSLAMSWAVLAN 20VLAN 10HOSTBVLANIF 20172.16.2.30/24HOSTAVLANIF 10172.16.2.20/24interface Vlanif10 ip address 1.1.1.1 255.255.255.0 arp-proxy inter-sub-vlan-proxy enable

28、用于super VLAN使vlan間可通信Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page34VLAN Mapping概述 VLAN Mapping 也叫做VLAN translation，可以實現(xiàn)在用戶VLAN ID（私有VLAN）和運營商VLAN ID(業(yè)務(wù)VLAN,也可以說是公有VLAN)之間相互轉(zhuǎn)換的一個功能。Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page35VLAN Mapping原理Internet

29、VLAN Mapping from 100 to 10VLAN Mapping from 10 to 100VLAN 10VLAN 100VLAN 100VLAN 10VLAN 10GE1/0/1Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page36VLAN Mapping的配置Quidway interface gigabitethernet 2/0/1 Quidway-GigabitEthernet2/0/1port link-type trunk/配置接口的類型配置接口的類型Quidway-Giga

30、bitEthernet2/0/1port trunk allow-pass vlan 100/配置接口允許通過的配置接口允許通過的VLAN，為，為mapping后的后的VLANQuidway-GigabitEthernet2/0/1qinq vlan-translation enable /使能接口使能接口VLAN轉(zhuǎn)換功能轉(zhuǎn)換功能Quidway-GigabitEthernet2/0/1port vlan-mapping vlan 1 to 20 map-vlan 100/配置接口配置接口2/0/1上上VLAN 120的報文的報文mapping成成VLAN100Copyright 2012 Hu

31、awei Technologies Co., Ltd. All rights reserved. Page37端口隔離GE3/0/1GE3/0/2GE3/0/3GE5/0/0端口隔離是交換機端口之間的一種訪問控制安全控制機制。Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page38端口隔離配置Quidway port-isolate mode all /配置端口隔離模式Quidway interface gigabitethernet2/0/1Quidway-GigabitEthernet2/0/1port-isolate enable/在端口GE2/0/1使能端口隔離功能Quidway-Gig