h3cs5130-ei系列以太網(wǎng)交換機典型配置舉例vlan

1簡介12配置前提 13基于端口的VLAN典型配置舉例13.1組網(wǎng)需求 13.2使用版本 13.3配置步驟 13.4驗證配置 23.5配置文件 24動態(tài)MACVLAN34.1組網(wǎng)需求 34.2使用版本 44.3配置注意事項 44.4配置步驟 54.4.1DeviceA4.4.2DeviceB4.4.3配置RADIUS 4.4.44.4.4HostA94.4.5HostB4.4.6HostC的配置4.5驗證配置4.6配置文件5SuperVLAN5.1組網(wǎng)需求5.2使用版本5.3配置注意事項5.4配置步驟5.4.1DeviceA5.4.2DeviceB5.5驗證配置5.6配置文件6PrivateVLAN典型配置舉例6.1組網(wǎng)需求6.2配置思路6.3使用版本6.4配置注意事項6.5配置步驟6.5.1DeviceB6.5.2DeviceA6.6驗證配置6.7配置文件7相關(guān)資料本文檔中的配置均是在環(huán)境下進行的配置和驗證，配置前設(shè)備的所有參數(shù)均采用出廠時的缺本文檔假設(shè)您已了解VLAN特性基于端口的VLAN典型配置1stA和st屬于部門A，但是通過不同的設(shè)備接入公司網(wǎng)絡(luò)；stB和st屬于部門B，也通過不同的設(shè)備接入公司網(wǎng)絡(luò)。為了通信的安全性，以及避免廣播報文泛濫，公司網(wǎng)絡(luò)中使用VLA技術(shù)來部門間的二層流量。其中部門A使用VLAN100，部門B使用VLAN200。現(xiàn)要求同一VLAN內(nèi)的主機能夠HostAHostC能夠互通，HostBHostD能夠互本舉例是在S5130EI_E-CMW710-R3106版本上進行配置和驗證的[DeviceA]vlan[DeviceA-vlan100]portgigabitethernet1/0/1[DeviceA-vlan100]quit[DeviceA]vlan[DeviceA-vlan200]portgigabitethernet1/0/2[DeviceA-vlan200]quitDeviceAVLAN100VLAN200的報文能發(fā)送給DeviceB[DeviceA]interfacegigabitethernet[DeviceA-GigabitEthernet1/0/3]porttrunkpermitvlan100一個網(wǎng)段，比如192.168.200.0/24。HostA和HostC能夠互相通，但是均不能通HostB。HostB和HostD能夠互相通，但是均不能通HostA。DeviceAVLAN100VLAN200的配置信息，VLAN100的報文僅允許通過接口[DeviceA-GigabitEthernet1/0/3]displayvlan100VLANID:100VLANtype:Routeinterface:NotconfiguredDescription:VLAN0100Name:VLANTagged Untagged [DeviceA-GigabitEthernet1/0/3]displayvlan200VLANID:200VLANtype:Routeinterface:NotconfiguredDescription:VLAN0200Name:VLANTagged Untagged DeviceB上的配置與DeviceA上的配置相同，此處僅以DeviceA的配置文件#vlan100vlan200interfaceGigabitEthernet1/0/1portaccessvlan100#interfaceGigabitEthernet1/0/2portaccessvlan200#interfaceGigabitEthernet1/0/3portlink-typetrunkporttrunkpermitvlan1100200售部屬于VLAN2，技術(shù)支持部屬于VLAN3，研發(fā)部屬于VLAN4。終端用戶通過802.1X認證后接入網(wǎng)網(wǎng)絡(luò)，但接入后只能劃分到自己部門所在的VLAN。圖2MACVLANRADIUSVLAN技術(shù)支持VLANVLAN

Device

IPVLAN-int2:192.168.2.1/24VLAN-int3:192.168.3.1/24VLAN-int4:192.168.4.1/24MeetingVLAN

Device

VLANHostIP:192.168Gateway:192.168

VLANHostIP:Gateway:

HostIP:本舉例是在S5130EI_E-CMW710-R3106版本上進行配置和驗證的iNode5.2(E0406)MACVLAN功能主要用于在用戶的接入設(shè)備的下行端口上進行配置，因此不需要且不能和聚SuperVLAN不能作為MACVLAN表項中的VLAN#RADIUSmacvlanIP10.0.1.15，密鑰均為expert（該參數(shù)需要和iMC服務(wù)器上的配置保持一致，認證時不需要攜帶。<DeviceA>system-view[DeviceA]radiusschememacvlanNewRADIUSscheme.[DeviceA-radius-macvlan]pri uthentication10.0.1.15[DeviceA-radius-macvlan]pri ccounting10.0.1.15[DeviceA-radius-macvlan]keyauthenticationsimpleexpert[DeviceA-radius-macvlan]keyaccountingsimpleexpert[DeviceA-radius-macvlan]user-name-formatwithout-[DeviceA-radius-macvlan]quit [DeviceA-isp-system]authenticationlan-accessradius-schememacvlan[DeviceA-isp-system]authorizationlan-accessradius-schememacvlan[DeviceA-isp-system]accountinglan-accessradius-schememacvlan[DeviceA-isp-system]quit[DeviceA]interfacerangegigabitethernet1/0/2togigabitethernet1/0/4[DeviceA-if-range]dot1x#MACVLAN功能[DeviceA-if-range]portlink-typehybrid[DeviceA-if-range]mac-vlanenable[DeviceA-if-range]quit[DeviceA]vlan100[DeviceA-vlan100]quitGigabitEthernet1/0/5TrunkVLAN2、VLAN3、VLAN4VLAN100[DeviceA]interfacegigabitethernet[DeviceA-GigabitEthernet1/0/5]porttrunkpermitvlan2to4100[DeviceA-GigabitEthernet1/0/5]quit[DeviceA]interfacevlan-interface[DeviceA-Vlan-interface100]ipaddress10.0.1.5624[DeviceA-Vlan-interface100]quit#全局使能802.1X功能[DeviceA]<DeviceB>system-view[DeviceB]vlan2to4#創(chuàng)建VLAN100。[DeviceB]vlan100[DeviceB-vlan100]quit#[DeviceB]vlan[DeviceB-vlan100]portgigabitethernet1/0/1[DeviceB-vlan100]quit[DeviceB]vlan[DeviceB-vlan2]portgigabitethernet1/0/2[DeviceB-vlan2]vlan3[DeviceB-vlan3]portgigabitethernet1/0/3[DeviceB-vlan3]vlan4[DeviceB-vlan4]portgigabitethernet1/0/4[DeviceB-vlan4]quit#[DeviceB]interfacevlan-interface[DeviceB-Vlan-interface2]ipaddress192.168.2.124[DeviceB-Vlan-interface2]interfacevlan-interface3[DeviceB-Vlan-interface3]ipaddress192.168.3.124[DeviceB-Vlan-interface3]interfacevlan-interface4[DeviceB-Vlan-interface4]ipaddress192.168.4.124[DeviceB-Vlan-interface4]quit[DeviceB]interfacegigabitethernet[DeviceB-GigabitEthernet1/0/5]porttrunkpermitvlan2to4100[DeviceB-GigabitEthernet1/0/5]quit配置RADIUS接入設(shè)備DeviceA，將DeviceA增加到“已選擇的設(shè)備”區(qū)域。圖3圖4VLAN4VLANVLAN4。配置服務(wù)名為serverA，缺省接入規(guī)則選擇VLAN2”，其他參數(shù)使用缺省值即可圖5serverC，缺省接入規(guī)則選擇“下發(fā)VLAN4件號碼可以輸入用戶的，方便iMC管理員聯(lián)系用戶，如下圖所示。圖6服務(wù)serverA，其他參數(shù)使用缺省值，單擊<確定>按鈕，接入用戶增加成功。圖7聯(lián)服務(wù)serverC。HostAPCIP192.168.2.2255.255.255.0IP192.168.2.1/24圖8iNode圖11802.1X用戶名、配置示意#圖12802.1X#圖13HostBPCIP192.168.3.2255.255.255.0IP192.168.3.1/24名為userb，為bbb。配置過程與配置HostA類似，具體步驟略。PCIP192.168.4.2255.255.255.0IP192.168.4.1/24名為userc，為ccc。配置過程與配置HostA類似，具體步驟略。在HostA上使用802.1X連接，用戶名usera，aaa，上線成功；在HostB上使用802.1Xccc，上線成功。MACVLANHostAVLAN2、HostBVLAN3、HostCVLAN4GigabitEthernet1/0/2HostAVLAN2TagGigabitEthernet1/0/3HostB的報文時，會給它添加VLAN3Tag；當(dāng)GigabitEthernet1/0/4HostC的報文時，會給它添加VLAN4Tag。[DeviceA]displaymac-vlThefollowingMACVLANentriesState:S-Static,D–MAC VLAN 20D30D40D#vlan1ipaddress10.0.1.56255.255.255.0radiusscheme uthentication ccountingkeyauthenticationcipher$c$3$XwInB0VNLWc77yS07KunkmBbfdiFoou3sw==keyaccountingcipher$c$3$mBUM9K5MWY4dOwH9NG+W2sVjbxiB9iEQcA==user-name-formatwithout-#authenticationlan-accessradius-schememacvlanauthorizationlan-accessradius-schememacvlanaccountinglan-accessradius-schememacvlan#interfaceGigabitEthernet1/0/2portlink-typehybridporthybridvlan1untaggedmac-vlanenable#interfaceGigabitEthernet1/0/3portlink-typehybridporthybridvlan1untaggedmac-vlanenableinterfaceGigabitEthernet1/0/4portlink-typehybridporthybridvlan1untaggedmac-vlanenableinterfaceGigabitEthernet1/0/5portlink-typetrunkporttrunkpermitvlan1to4Device#vlan2to4vlan100ipaddress192.168.2.1255.255.255.0ipaddress192.168.3.1255.255.255.0ipaddress192.168.4.1255.255.255.0interfaceGigabitEthernet1/0/1portaccessvlan100#interfaceGigabitEthernet1/0/2portaccessvlan2#interfaceGigabitEthernet1/0/3portaccessvlan3#interfaceGigabitEthernet1/0/4portaccessvlan4#interfaceGigabitEthernet1/0/5portlink-typetrunkporttrunkpermitvlan1to410014VLAN2DeviceAGigabitEthernet1/0/1接入網(wǎng)絡(luò)，VLAN3中的用戶通過使用192.168.1.1作為網(wǎng)關(guān)地址。VLAN2、VLAN3、VLAN20中的終端用戶二層，三層互通圖14本舉例是在S5130EI_E-CMW710-R3106版本上進行配置和驗證的配置為SuperVLAN。<DeviceA>system-view[DeviceA]vlan10[DeviceA-vlan10]supervlan[DeviceA-vlan10]quit[DeviceA]vlan[DeviceA-vlan2]portgigabitethernet1/0/1[DeviceA-vlan2]quit[DeviceA]vlan[DeviceA-vlan3]portgigabitethernet1/0/2[DeviceA-vlan3]quitSuperVLAN10SubVLAN2SubVLAN3[DeviceA]vlan[DeviceA-vlan10]subvlan23[DeviceA-vlan10]quit[DeviceA]interfacevlan-interface[DeviceA-Vlan-interface10]ipaddress192.168.1.124[DeviceA-Vlan-interface10]local-proxy-arpenable[DeviceA-Vlan-interface10]quit[DeviceA]vlan20[DeviceA-vlan20]quit[DeviceA]interfacegigabitethernet[DeviceA-GigabitEthernet1/0/3]undoporttrunkpermitvlan1[DeviceA-GigabitEthernet1/0/3]porttrunkpermitvlan20[DeviceA]interfaceVlan-interface[DeviceA-Vlan-interface20]ipaddress192.168.2.124[DeviceA-Vlan-interface20]quit#創(chuàng)建VLAN20。[DeviceB]vlan20[DeviceB-vlan20quit[DeviceB]interfacegigabitethernet[DeviceB-GigabitEthernet1/0/1]undoporttrunkpermitvlan1[DeviceB-GigabitEthernet1/0/1]porttrunkpermitvlan20#將端口GigabitEthernet1/0/2加入VLAN20[DeviceB]vlan[DeviceB-vlan20]portgigabitethernet1/0/2[DeviceB-vlan20]quit查看SuperVLAN[DeviceA]displaysupervlanSuperVLANID:10SubVLANID:23VLANID:VLANType:ItisaSuperRouteInterface:IPAddress:SubnetMask:Description:VLANName:VLAN Ports:noneUntaggedPorts:VLANID:VLANType:ItisaSubRouteInterface:IPAddress:SubnetMask:Description:VLANName:VLAN Ports:noneUntaggedPorts:VLANID:VLANType:ItisaSubRouteInterface:IPAddress:SubnetMask:Description:VLANName:VLAN Ports:noneUntaggedPorts:HostA和HostB可以互相通。查看HostA的ARP表，表中HostB的IP地址對應(yīng)的MACVlan-interface10MAC地址。查看HostBARP表，表中HostAIP地址對應(yīng)的MAC地址也是Vlan-interface10MAC地址。HostA和HostC可以互相通。查看HostA的ARP表，表中沒有HostC的ARP表項。HostCARP表，表中也沒有HostAARP表項。說VLAN2VLAN20二層隔離，三層互通。HostB和HostC互相的情況同理。Device#vlan2vlan3vlan10subvlan23#vlan20ipaddress192.168.1.1local-proxy-arpenableipaddress192.168.2.1255.255.255.0interfaceGigabitEthernet1/0/1portaccessvlan2#interfaceGigabitEthernet1/0/2portaccessvlan3#interfaceGigabitEthernet1/0/3portlink-typetrunkundoporttrunkpermitvlan1porttrunkpermitvlan20#Device#vlan20interfaceGigabitEthernet1/0/1portlink-typetrunkundoporttrunkpermitvlan1porttrunkpermitvlan20#interfaceGigabitEthernet1/0/2portaccessvlan20#15匯聚層設(shè)備DeviceA為接入設(shè)備DeviceB分配VLAN10，網(wǎng)關(guān)接口VLAN-interface10可以和所有用戶互通，以便用戶可以通過DeviceA來外部網(wǎng)絡(luò)。DeviceB連接的所有用戶均處于同一網(wǎng)段10.0.0.0/24。HostA和B屬于銷售部，HostC和D屬于財務(wù)部。為保證安全，需要使不同部門之間二層隔DeviceB在PrimaryVLAN10下為配置不同的SecondaryVLAN使部門間二層圖15PrivateVLAN本舉例是在S5130EI_E-CMW710-R3106版本上進行配置和驗證的系統(tǒng)缺省VLAN（VLAN1）不支持PrivateVLAN相關(guān)配<DeviceB>system-view[DeviceB]vlan10[DeviceB-vlan10]private-vlanprimary[DeviceB-vlan10]quit[DeviceB]vlan201to#建立PrimaryVLAN10和SecondaryVLAN201、202的關(guān)系[DeviceB]vlan[DeviceB-vlan10]private-vlansecondary201to202[DeviceB-vlan10]quit[DeviceB]interfacegigabitethernet[DeviceB-GigabitEthernet1/0/1]portprivate-vlan10promiscuous[DeviceB-GigabitEthernet1/0/1]quit#將下行端口GigabitEthernet1/0/2GigabitEthernet1/0/3添加到VLAN201GigabitEthernet1/0/4GigabitEthernet1/0/5添加到VLAN202，并配置它們工作在host模式。[DeviceB]interfacerangegigabitethernet1/0/2togigabitethernet1/0/3[DeviceB-if-range]portaccessvlan201[DeviceB-if-range]portprivate-vlanhost[DeviceB-if-range]quit[DeviceB]interfacerangegigabitethernet1/0/4togigabitethernet1/0/5[DeviceB-if-range]portaccessvlan202[DeviceB-if-range]portprivate-vlanhost[DeviceB-if-range]quit#VLAN10。將接口GigabitEthernet1/0/1加入VLAN10<DeviceA>system-view[DeviceA]vlan10[DeviceA]quit[DeviceA]interfacegigabitethernet1/0/1[DeviceA-GigabitEthernet1/0/1]portaccessvlan10[DeviceA-GigabitEthernet1/0/1]quit#[DeviceA]interfacevlan-interface[DeviceA-Vlan-interface10]ipaddress10.0.0.124[DeviceA-Vlan-interface10]quit[DeviceA]displayType:S- M-MultiportI-IPMACDDDD[DeviceB]displayprivate-vlanPrimaryVLANID:10SecondaryVLANID:201-202VLANID:10VLANtype:PrivateVLANtype:PrimaryRouteinterface:NotconfiguredDescription:VLAN0010Name:VLANTagged Untagged VLANID:201VLANtype:PrivateVLANtype:SecondaryRouteinterface:NotconfiguredDescription:VLAN0201Name:VLANTagged Untagged VLANID:202VLANtype:PrivateVLANtype:Secon