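This article covers the configuration needed for communication between multiple VLANs on an H3C Layer 3 switch.

1. Lab environment

vlan2: 192.168.20.1 255.255.255.0 server-network; DHCP not enabled, IP addresses configured manually, allowed to access other VLANs

vlan3: 192.168.30.1 255.255.255.0 office-network; DHCP enabled, no connectivity with other VLANs, can access the print server and file server in vlan2

vlan4: 192.168.40.1 255.255.255.0 guest-network; DHCP enabled, no connectivity with other VLANs, can access the print server in vlan2

vlan5: 192.168.50.1 255.255.255.0 product-network; DHCP enabled, no connectivity with other VLANs, can access the file server and the website server in vlan2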


2. Create the VLANs

[H3C]vlan 2 to 5    //create vlan2 through vlan5
[H3C]int vlan 2
[H3C-Vlan-interface2]description server-network
[H3C-Vlan-interface2]ip address 192.168.20.1 255.255.255.0
[H3C-Vlan-interface2]int vlan 3
[H3C-Vlan-interface3]description office-network
[H3C-Vlan-interface3]ip address 192.168.30.1 255.255.255.0
[H3C-Vlan-interface3]int vlan 4
[H3C-Vlan-interface4]description guest-network
[H3C-Vlan-interface4]ip address 192.168.40.1 255.255.255.0
[H3C-Vlan-interface4]int vlan 5
[H3C-Vlan-interface5]description product-network
[H3C-Vlan-interface5]ip address 192.168.50.1 255.255.255.0
[H3C-Vlan-interface5]quit

3. Configure the DHCP service

[H3C]dhcp server ip-pool vlan3
[H3C-dhcp-pool-vlan3]network 192.168.30.0 24
[H3C-dhcp-pool-vlan3]gateway-list 192.168.30.1
[H3C-dhcp-pool-vlan3]dns-list 192.168.30.1
[H3C-dhcp-pool-vlan3]expired day 7
[H3C-dhcp-pool-vlan3]dhcp server ip-pool vlan4
[H3C-dhcp-pool-vlan4]network 192.168.40.0 24
[H3C-dhcp-pool-vlan4]gateway-list 192.168.40.1
[H3C-dhcp-pool-vlan4]dns-list 192.168.40.1
[H3C-dhcp-pool-vlan4]expired day 1
[H3C-dhcp-pool-vlan4]dhcp server ip-pool vlan5
[H3C-dhcp-pool-vlan5]network 192.168.50.0 24
[H3C-dhcp-pool-vlan5]gateway-list 192.168.50.1
[H3C-dhcp-pool-vlan5]dns-list 192.168.50.1
[H3C-dhcp-pool-vlan5]expired day 30
[H3C-dhcp-pool-vlan5]quit
[H3C]dhcp server forbidden-ip 192.168.30.1
[H3C]dhcp server forbidden-ip 192.168.40.1
[H3C]dhcp server forbidden-ip 192.168.50.1
[H3C]dhcp server enable
[H3C]int vlan 3
[H3C-Vlan-interface3]dhcp select server
[H3C-Vlan-interface3]int vlan 4
[H3C-Vlan-interface4]dhcp select server
[H3C-Vlan-interface4]int vlan 5
[H3C-Vlan-interface5]dhcp select server
[H3C-Vlan-interface5]quit

4. Configure the inter-VLAN access policy

[H3C]acl number 3002 name vlan2      //policy for vlan2
[H3C-acl-ipv4-adv-3002]rule 10 permit tcp source 192.168.20.10 0 source-port eq 443 destination 192.168.50.0 0.0.0.255      //permit traffic from 192.168.20.10:443 to vlan5
[H3C-acl-ipv4-adv-3002]rule 20 permit ip source 192.168.20.20 0 destination 192.168.30.0 0.0.0.255      //permit 192.168.20.20 to reach vlan3
[H3C-acl-ipv4-adv-3002]rule 21 permit ip source 192.168.20.20 0 destination 192.168.40.0 0.0.0.255      //permit 192.168.20.20 to reach vlan4
[H3C-acl-ipv4-adv-3002]rule 30 permit ip source 192.168.20.30 0 destination 192.168.30.0 0.0.0.255      //permit 192.168.20.30 to reach vlan3
[H3C-acl-ipv4-adv-3002]rule 31 permit ip source 192.168.20.30 0 destination 192.168.40.0 0.0.0.255      //permit 192.168.20.30 to reach vlan4
[H3C-acl-ipv4-adv-3002]rule 99 deny ip      //deny everything else (blocks other access to vlan2)
[H3C-acl-ipv4-adv-3002]int vlan 2      //enter the vlan2 interface view
[H3C-Vlan-interface2]packet-filter 3002 inbound      //apply ACL 3002 to vlan2, inbound
[H3C-Vlan-interface2]quit
[H3C]acl number 3003 name vlan3      //policy for vlan3
[H3C-acl-ipv4-adv-3003]rule 10 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255      //permit vlan3 to reach the vlan2 subnet
[H3C-acl-ipv4-adv-3003]rule 99 deny ip      //deny everything else (blocks other access to vlan3)
[H3C-acl-ipv4-adv-3003]int vlan 3      //enter the vlan3 interface view
[H3C-Vlan-interface3]packet-filter 3003 inbound      //apply ACL 3003 to vlan3, inbound
[H3C-Vlan-interface3]quit
[H3C]acl number 3004 name vlan4     //policy for vlan4
[H3C-acl-ipv4-adv-3004]rule 10 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255      //permit vlan4 to reach the vlan2 subnet
[H3C-acl-ipv4-adv-3004]rule 99 deny ip      //deny everything else (blocks other access to vlan4)
[H3C-acl-ipv4-adv-3004]int vlan 4      //enter the vlan4 interface view
[H3C-Vlan-interface4]packet-filter 3004 inbound      //apply ACL 3004 to vlan4, inbound
[H3C-Vlan-interface4]quit
[H3C]acl number 3005 name vlan5     //policy for vlan5
[H3C-acl-ipv4-adv-3005]rule 10 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.20.0 0.0.0.255      //permit vlan5 to reach the vlan2 subnet
[H3C-acl-ipv4-adv-3005]rule 99 deny ip      //deny everything else (blocks other access to vlan5)
[H3C-acl-ipv4-adv-3005]int vlan 5      //enter the vlan5 interface view
[H3C-Vlan-interface5]packet-filter 3005 inbound      //apply ACL 3005 to vlan5, inbound
[H3C-Vlan-interface5]quit
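
These ACLs are stateless, so a connection only works when the request passes the client VLAN's inbound ACL and the reply passes ACL 3002 on vlan2. The Python script below is an added example, not part of the original article or of any H3C tool: it replays the rule lines from this section with first-match evaluation so the result can be compared against the access matrix in section 1. The client addresses, service ports and the ephemeral port 50000 are constructed values.

```python
import ipaddress
import re

# Rule lines copied from this page's ACLs; ACL 300N is applied inbound on Vlan-interface N.
ACLS = {
    2: ["rule 10 permit tcp source 192.168.20.10 0 source-port eq 443 destination 192.168.50.0 0.0.0.255",
        "rule 20 permit ip source 192.168.20.20 0 destination 192.168.30.0 0.0.0.255",
        "rule 21 permit ip source 192.168.20.20 0 destination 192.168.40.0 0.0.0.255",
        "rule 30 permit ip source 192.168.20.30 0 destination 192.168.30.0 0.0.0.255",
        "rule 31 permit ip source 192.168.20.30 0 destination 192.168.40.0 0.0.0.255",
        "rule 99 deny ip"],
    3: ["rule 10 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255", "rule 99 deny ip"],
    4: ["rule 10 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255", "rule 99 deny ip"],
    5: ["rule 10 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.20.0 0.0.0.255", "rule 99 deny ip"],
}
RULE = re.compile(
    r"rule (\d+) (permit|deny) (\w+)(?: source (\S+) (\S+))?"
    r"(?: source-port eq (\d+))?(?: destination (\S+) (\S+))?")

def ip_match(addr, base, wild):
    """Wildcard match: bits set in the wildcard are ignored; "0" means an exact host."""
    if base is None:  # the rule has no source/destination clause
        return True
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, "0.0.0.0" if wild == "0" else wild))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def decide(vlan, proto, src, sport, dst):
    """Return (action, rule number) of the first rule matching a packet that enters from `vlan`."""
    for line in ACLS[vlan]:
        num, action, rproto, sb, sw, rsport, db, dw = RULE.match(line).groups()
        if rproto not in ("ip", proto) or (rsport and int(rsport) != sport):
            continue
        if ip_match(src, sb, sw) and ip_match(dst, db, dw):
            return action, int(num)
    return None  # not reached with these ACLs: rule 99 matches every IP packet

def round_trip(client_vlan, client, server, dport, proto="tcp"):
    """True only if the request passes the client VLAN's ACL and the reply passes ACL 3002."""
    request = decide(client_vlan, proto, client, 50000, server)  # 50000: constructed ephemeral port
    reply = decide(2, proto, server, dport, client)              # reply's source port is the service port
    return request[0] == "permit" and reply[0] == "permit"

if __name__ == "__main__":
    # Constructed clients and ports; the server addresses are the ones named in ACL 3002.
    flows = [(5, "192.168.50.23", "192.168.20.10", 443), (5, "192.168.50.23", "192.168.20.10", 80),
             (3, "192.168.30.23", "192.168.20.20", 9100), (4, "192.168.40.23", "192.168.20.30", 445),
             (5, "192.168.50.23", "192.168.20.30", 445)]
    for vlan, client, server, port in flows:
        print(f"vlan{vlan} {client} -> {server}:{port}", "works" if round_trip(vlan, client, server, port) else "blocked")
```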