This article covers the configuration needed for communication between multiple VLANs on an H3C Layer 3 switch.

1. Lab environment

vlan2: 192.168.20.1 255.255.255.0, server-network. DHCP disabled, addresses assigned manually; may reach the other VLANs.
vlan3: 192.168.30.1 255.255.255.0, office-network. DHCP enabled; isolated from the other VLANs except for the print server and file server in vlan2.
vlan4: 192.168.40.1 255.255.255.0, guest-network. DHCP enabled; isolated from the other VLANs except for the print server in vlan2.
vlan5: 192.168.50.1 255.255.255.0, product-network. DHCP enabled; isolated from the other VLANs except for the file server and web server in vlan2.

2. Create the VLANs
[H3C]vlan 2 to 5 // create VLANs 2 through 5
[H3C]int vlan 2
[H3C-Vlan-interface2]description server-network
[H3C-Vlan-interface2]ip address 192.168.20.1 255.255.255.0
[H3C-Vlan-interface2]int vlan 3
[H3C-Vlan-interface3]description office-network
[H3C-Vlan-interface3]ip address 192.168.30.1 255.255.255.0
[H3C-Vlan-interface3]int vlan 4
[H3C-Vlan-interface4]description guest-network
[H3C-Vlan-interface4]ip address 192.168.40.1 255.255.255.0
[H3C-Vlan-interface4]int vlan 5
[H3C-Vlan-interface5]description product-network
[H3C-Vlan-interface5]ip address 192.168.50.1 255.255.255.0
[H3C-Vlan-interface5]quit
3. Configure the DHCP service

[H3C]dhcp server ip-pool vlan3
[H3C-dhcp-pool-vlan3]network 192.168.30.0 24
[H3C-dhcp-pool-vlan3]gateway-list 192.168.30.1
[H3C-dhcp-pool-vlan3]dns-list 192.168.30.1
[H3C-dhcp-pool-vlan3]expired day 7 // 7-day lease
[H3C-dhcp-pool-vlan3]dhcp server ip-pool vlan4
[H3C-dhcp-pool-vlan4]network 192.168.40.0 24
[H3C-dhcp-pool-vlan4]gateway-list 192.168.40.1
[H3C-dhcp-pool-vlan4]dns-list 192.168.40.1
[H3C-dhcp-pool-vlan4]expired day 1 // 1-day lease for guests
[H3C-dhcp-pool-vlan4]dhcp server ip-pool vlan5
[H3C-dhcp-pool-vlan5]network 192.168.50.0 24
[H3C-dhcp-pool-vlan5]gateway-list 192.168.50.1
[H3C-dhcp-pool-vlan5]dns-list 192.168.50.1
[H3C-dhcp-pool-vlan5]expired day 30 // 30-day lease
[H3C-dhcp-pool-vlan5]quit
[H3C]dhcp server forbidden-ip 192.168.30.1 // keep the gateway addresses out of the pools
[H3C]dhcp server forbidden-ip 192.168.40.1
[H3C]dhcp server forbidden-ip 192.168.50.1
[H3C]dhcp server enable
[H3C]int vlan 3
[H3C-Vlan-interface3]dhcp select server // serve DHCP on this VLAN interface
[H3C-Vlan-interface3]int vlan 4
[H3C-Vlan-interface4]dhcp select server
[H3C-Vlan-interface4]int vlan 5
[H3C-Vlan-interface5]dhcp select server
[H3C-Vlan-interface5]quit
4. Configure the inter-VLAN policy

Note on direction: packet-filter ... inbound on a VLAN interface filters packets that enter the switch from hosts in that VLAN. The ACL on Vlan-interface 2 therefore governs what the servers may send (including their replies), and the final deny in each ACL blocks everything else that VLAN sends, not what is sent to it.

[H3C]acl number 3002 name vlan2 // policy for traffic sent by VLAN 2 hosts
[H3C-acl-ipv4-adv-3002]rule 10 permit tcp source 192.168.20.10 0 source-port eq 443 destination 192.168.50.0 0.0.0.255 // allow replies from 192.168.20.10 TCP port 443 to reach VLAN 5
[H3C-acl-ipv4-adv-3002]rule 20 permit ip source 192.168.20.20 0 destination 192.168.30.0 0.0.0.255 // allow 192.168.20.20 to send to VLAN 3
[H3C-acl-ipv4-adv-3002]rule 21 permit ip source 192.168.20.20 0 destination 192.168.40.0 0.0.0.255 // allow 192.168.20.20 to send to VLAN 4
[H3C-acl-ipv4-adv-3002]rule 30 permit ip source 192.168.20.30 0 destination 192.168.30.0 0.0.0.255 // allow 192.168.20.30 to send to VLAN 3
[H3C-acl-ipv4-adv-3002]rule 31 permit ip source 192.168.20.30 0 destination 192.168.40.0 0.0.0.255 // allow 192.168.20.30 to send to VLAN 4
[H3C-acl-ipv4-adv-3002]rule 99 deny ip // deny everything else sent by VLAN 2
[H3C-acl-ipv4-adv-3002]int vlan 2 // enter Vlan-interface 2
[H3C-Vlan-interface2]packet-filter 3002 inbound // apply ACL 3002 to packets arriving from VLAN 2
[H3C-Vlan-interface2]quit
[H3C]acl number 3003 name vlan3 // policy for traffic sent by VLAN 3 hosts
[H3C-acl-ipv4-adv-3003]rule 10 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 // allow VLAN 3 to reach the VLAN 2 subnet
[H3C-acl-ipv4-adv-3003]rule 99 deny ip // deny everything else sent by VLAN 3
[H3C-acl-ipv4-adv-3003]int vlan 3 // enter Vlan-interface 3
[H3C-Vlan-interface3]packet-filter 3003 inbound // apply ACL 3003 to packets arriving from VLAN 3
[H3C-Vlan-interface3]quit
[H3C]acl number 3004 name vlan4 // policy for traffic sent by VLAN 4 hosts
[H3C-acl-ipv4-adv-3004]rule 10 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 // allow VLAN 4 to reach the VLAN 2 subnet
[H3C-acl-ipv4-adv-3004]rule 99 deny ip // deny everything else sent by VLAN 4
[H3C-acl-ipv4-adv-3004]int vlan 4 // enter Vlan-interface 4
[H3C-Vlan-interface4]packet-filter 3004 inbound // apply ACL 3004 to packets arriving from VLAN 4
[H3C-Vlan-interface4]quit
[H3C]acl number 3005 name vlan5 // policy for traffic sent by VLAN 5 hosts
[H3C-acl-ipv4-adv-3005]rule 10 permit ip source 192.168.50.0 0.0.0.255 destination 192.168.20.0 0.0.0.255 // allow VLAN 5 to reach the VLAN 2 subnet
[H3C-acl-ipv4-adv-3005]rule 99 deny ip // deny everything else sent by VLAN 5
[H3C-acl-ipv4-adv-3005]int vlan 5 // enter Vlan-interface 5
[H3C-Vlan-interface5]packet-filter 3005 inbound // apply ACL 3005 to packets arriving from VLAN 5
[H3C-Vlan-interface5]quit
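Because these ACLs are stateless, a TCP session only works if the client's packets pass the ACL on the client's VLAN interface and the server's replies separately pass the ACL on Vlan-interface 2. The following Python model is an added example, not code from the original post: it transcribes the four ACLs above and evaluates both directions of a client/server exchange. Which of 192.168.20.20 and 192.168.20.30 is the print server and which is the file server is not stated on the page, so the client hosts and service ports used in the checks are assumed.

```python
import ipaddress

def _to_int(x: str) -> int:
    # H3C accepts a bare "0" as shorthand for the host wildcard 0.0.0.0
    return int(ipaddress.IPv4Address("0.0.0.0" if x == "0" else x))

def _wc_match(addr: str, net: str, wildcard: str) -> bool:
    """Wildcard-mask match: bits set to 1 in the wildcard are 'don't care'."""
    return (_to_int(addr) | _to_int(wildcard)) == (_to_int(net) | _to_int(wildcard))

ANY = ("0.0.0.0", "255.255.255.255")
# Rules transcribed from the page's ACLs, in rule-number order:
# (action, protocol, src, src_wildcard, src_port, dst, dst_wildcard); "ip" = any protocol, None = any port.
RULES = {
    3002: [("permit", "tcp", "192.168.20.10", "0", 443, "192.168.50.0", "0.0.0.255"),
           ("permit", "ip", "192.168.20.20", "0", None, "192.168.30.0", "0.0.0.255"),
           ("permit", "ip", "192.168.20.20", "0", None, "192.168.40.0", "0.0.0.255"),
           ("permit", "ip", "192.168.20.30", "0", None, "192.168.30.0", "0.0.0.255"),
           ("permit", "ip", "192.168.20.30", "0", None, "192.168.40.0", "0.0.0.255"),
           ("deny", "ip", *ANY, None, *ANY)],
    3003: [("permit", "ip", "192.168.30.0", "0.0.0.255", None, "192.168.20.0", "0.0.0.255"),
           ("deny", "ip", *ANY, None, *ANY)],
    3004: [("permit", "ip", "192.168.40.0", "0.0.0.255", None, "192.168.20.0", "0.0.0.255"),
           ("deny", "ip", *ANY, None, *ANY)],
    3005: [("permit", "ip", "192.168.50.0", "0.0.0.255", None, "192.168.20.0", "0.0.0.255"),
           ("deny", "ip", *ANY, None, *ANY)],
}
# "packet-filter <acl> inbound" on Vlan-interface N filters packets arriving from hosts in VLAN N,
# so the ACL a packet meets is selected by the /24 its source address belongs to.
ACL_BY_SUBNET = {"192.168.20.0": 3002, "192.168.30.0": 3003, "192.168.40.0": 3004, "192.168.50.0": 3005}

def acl_permits(acl: int, proto: str, src: str, sport: int, dst: str) -> bool:
    """First matching rule decides; an unmatched packet is denied (rule 99 on the page makes that explicit)."""
    for action, rproto, rsrc, rsrc_wc, rsport, rdst, rdst_wc in RULES[acl]:
        if rproto not in ("ip", proto) or (rsport is not None and rsport != sport):
            continue
        if _wc_match(src, rsrc, rsrc_wc) and _wc_match(dst, rdst, rdst_wc):
            return action == "permit"
    return False

def inbound_acl(addr: str) -> int:
    net = ipaddress.ip_network(f"{addr}/24", strict=False).network_address
    return ACL_BY_SUBNET[str(net)]

def tcp_session_works(client: str, server: str, dport: int, client_port: int = 50000) -> bool:
    """Stateless filtering: the client's SYN and the server's reply each need their own permit."""
    forward = acl_permits(inbound_acl(client), "tcp", client, client_port, server)
    back = acl_permits(inbound_acl(server), "tcp", server, dport, client)
    return forward and back
```

Running the model shows that VLAN 5 hosts only get replies from 192.168.20.10 on TCP 443, so whichever of the other two servers holds the file share is unreachable from vlan5, while VLAN 4 hosts receive replies from both 192.168.20.20 and 192.168.20.30.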
There are currently 2 comments

neza 2023-08-18 14:27 #1
Very nice, but your comments seem to be written the wrong way round.

星之宇 2023-08-18 14:29
Yep, they're reversed.