nimersis posted on 2022-12-22 18:00:23

Two slightly more advanced Layer 2 IOU labs

Link: https://pan.xunlei.com/s/VNJtFqjBu-gN8YRlq7NsXuyxA1
Extraction code: bb7t

Notes I took at the time:
●Two VLANs are configured on the same switch. Hosts in the 10.10.2.X network (VLAN 20) must not be able to reach the server 10.10.1.100; hosts 10.10.1.4 and 10.10.1.8 (VLAN 10), although in the same subnet as the server, must not be able to reach it either. This lab was tested on a real 4510R switch in 2016, but the emulator at the time did not support the relevant commands; in August 2019 I found a version that supports the VLAN access-map command, and the test succeeded.
conf t
logging console alerts
no enable secret
ip routing
line con 0
no password
logging sync
exec-time 0 0
exit
no service tcp-small-servers
no service udp-small-servers
no ip finger
no service finger
no ip http server
no ip source-route
no ip classless
no ip domain-lookup
no ip bootp server
no boot network
no service config
no snmp-server community public RO
no snmp-server community admin RW
no snmp-server enable traps
no snmp-server system-shutdown
no snmp-server trap-source
no snmp-server
username admin privilege 15 password qweasd
line vty 0 4
no password
login local
exec-time 0 0
exit
vlan 10
exit
vlan 20
exit
int Vlan 10
ip add 10.10.1.254 255.255.255.0
no shut
exit
int Vlan 20
ip add 10.10.2.254 255.255.255.0
no shut
exit
int e0/0
des =10.10.2.8 Vlan20=
sw mode acc
sw acc vlan 20
duplex full
no shut
exit
int e0/1
des =10.10.1.4 vlan10=
sw mode acc
sw acc vlan 10
no shut
exit
int e0/2
des =10.10.1.8 Vlan10=
sw mode acc
sw acc vlan 10
duplex full
no shut
exit
int e0/3
des =10.10.1.100 Server=
sw mode acc
sw acc vlan 10
duplex full
no shut
exit
ip access-list extended test
permit ip host 10.10.1.4 host 10.10.1.100
permit ip host 10.10.1.8 host 10.10.1.100
permit ip 10.10.2.0 0.0.0.255 host 10.10.1.100
exit
vlan access-map AABB 10
match ip address test
action drop
exit
vlan access-map AABB 20
action forward
exit
vlan filter AABB vlan-list 10
vlan filter AABB vlan-list 20
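As an added example (not part of the original post), the following Python models how the VACL above evaluates a flow: a permit entry in ACL test only means "matched", the access-map sequence decides drop or forward, and a flow that matches no sequence is dropped. The ACL, access-map and filter names come from the post; the evaluator itself is a hypothetical model, not IOS code.

```python
import ipaddress


def net(spec):
    """Parse 'host A.B.C.D' or 'A.B.C.D wildcard' as written in an IOS extended ACL
    (ipaddress accepts a wildcard such as 0.0.0.255 as a hostmask)."""
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(parts[0] + "/" + parts[1], strict=False)


# ACL "test" from the post. A "permit" line only *matches* traffic;
# the access-map entry that references the ACL decides what happens to it.
ACL_TEST = [
    ("permit", net("host 10.10.1.4"), net("host 10.10.1.100")),
    ("permit", net("host 10.10.1.8"), net("host 10.10.1.100")),
    ("permit", net("10.10.2.0 0.0.0.255"), net("host 10.10.1.100")),
]

# vlan access-map AABB: sequences are evaluated in order; an entry with no
# match clause (sequence 20) matches everything that reaches it.
ACCESS_MAP_AABB = [
    (10, ACL_TEST, "drop"),
    (20, None, "forward"),
]

# vlan filter AABB vlan-list 10 / vlan filter AABB vlan-list 20
VLAN_FILTER = {10: ACCESS_MAP_AABB, 20: ACCESS_MAP_AABB}


def acl_matches(acl, src, dst):
    """First-match ACL lookup: a permit entry matches the flow; a deny entry
    (or the implicit deny at the end) means 'not matched' for VACL purposes."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False


def vacl_verdict(vlan, src_ip, dst_ip):
    """Return 'drop' or 'forward' for a flow entering the given VLAN."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    access_map = VLAN_FILTER.get(vlan)
    if access_map is None:
        return "forward"  # no vlan filter on this VLAN
    for _seq, acl, action in access_map:
        if acl is None or acl_matches(acl, src, dst):
            return action
    return "drop"  # no sequence matched: implicit drop at the end of the map
```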

●To undo, copy and paste:
no vlan filter AABB vlan-list 10
no vlan filter AABB vlan-list 20
no vlan access-map AABB 10
no vlan access-map AABB 20
no ip access-list extended test
====================
●PVLAN
    The main purpose is to isolate hosts within the same VLAN from each other. In a traditional VLAN environment, hosts in the same VLAN can communicate with each other; to keep that communication relatively secure, hosts within the same VLAN need to be isolated, and PVLAN technology can be used for this. From the user's point of view there are second-level VLANs 201 and 202, but from the carrier's point of view they are all inside the first-level VLAN 100. The primary VLAN can communicate with its associated isolated VLAN and community VLAN. Isolated VLANs and community VLANs are both secondary VLANs; the difference between them is that hosts in the same isolated VLAN cannot communicate with each other, while hosts in the same community VLAN can, but both can communicate with the associated primary VLAN.
    In the private VLAN concept there are three kinds of switch ports: isolated ports, community ports and promiscuous ports. They correspond to the different VLAN types: isolated ports belong to an isolated PVLAN and community ports to a community PVLAN, while the primary VLAN represents the private VLAN as a whole; the two preceding VLAN types must be bound to it, and it also contains the promiscuous ports.

●PVLAN lab
All hosts can reach the R2 server
R3 and R4 cannot reach each other
R5 and R6 can reach each other
conf t
logging console alerts
no enable secret
line con 0
no password
logging sync
exec-time 0 0
exit
hostname SW-1
vtp mode transparent
Vlan 10
name GeLi-Vlan
private-Vlan isolated
exit
Vlan 20
private-Vlan community
name TuanTi-Vlan
exit
Vlan 800
name Zhu-Vlan
private-Vlan primary
private-Vlan association 10,20
exit
int Vlan800
private-Vlan mapping 10,20
no shut
ip add 1.1.10.254 255.255.255.0
exit
int e0/0
des =R3-GeLi-1.1.10.3=
duplex full
sw private-Vlan host-association 800 10
sw mode private-Vlan host
no shut
exit
int e0/1
des =R4-GeLi-1.1.10.4=
duplex full
sw private-Vlan host-association 800 10
sw mode private-Vlan host
no shut
exit
int e0/2
des =R5-TuanTi-1.1.10.5=
duplex full
sw private-Vlan host-association 800 20
sw mode private-Vlan host
no shut
exit
int e0/3
des =R6-TuanTi-1.1.10.6=
duplex full
sw private-Vlan host-association 800 20
sw mode private-Vlan host
no shut
exit
int e1/0
duplex full
des =R2-FuWuQi-1.1.10.2=
sw private-Vlan mapping 800 10,20
sw mode private-Vlan promiscuous
no shut
exit

●Test results
    Hosts in isolated VLAN 10 cannot communicate with each other but can communicate with the server port; community VLAN 20 cannot communicate with the isolated VLAN, can communicate with users in its own VLAN, and can also communicate with the server port.


路人切 posted on 2024-5-4 19:57:57

6666666