Configuring Layer 3 isolation between VLANs on Huawei devices using traffic policies
Author: Internet
1. Configure the VLANs and add each interface to its VLAN, so that the PCs and the server are isolated at Layer 2
[LSW2]vlan 10
[LSW2-GigabitEthernet0/0/2]port link-type access
[LSW2-GigabitEthernet0/0/2]port default vlan 10
[LSW2-GigabitEthernet0/0/1]port link-type trunk
[LSW2-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[LSW3]vlan 20
[LSW3-GigabitEthernet0/0/2]port link-type access
[LSW3-GigabitEthernet0/0/2]port default vlan 20
[LSW3-GigabitEthernet0/0/3]port link-type access
[LSW3-GigabitEthernet0/0/3]port default vlan 20
[LSW3-GigabitEthernet0/0/1]port link-type trunk
[LSW3-GigabitEthernet0/0/1]port trunk allow-pass vlan 20
[LSW4]vlan 30
[LSW4-GigabitEthernet0/0/2]port link-type access
[LSW4-GigabitEthernet0/0/2]port default vlan 30
[LSW4-GigabitEthernet0/0/1]port link-type trunk
[LSW4-GigabitEthernet0/0/1]port trunk allow-pass vlan 30
[LSW1]vlan batch 10 20 30 100
[LSW1-GigabitEthernet0/0/2]port link-type trunk
[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 10
[LSW1-GigabitEthernet0/0/3]port link-type trunk
[LSW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 20
[LSW1-GigabitEthernet0/0/4]port link-type trunk
[LSW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 30
[LSW1-GigabitEthernet0/0/1]port link-type trunk
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100
[LSW1-GigabitEthernet0/0/1]port trunk pvid vlan 100
2. Configure the VLANIF interfaces and their IP addresses, so that the PCs and the server can communicate at Layer 3
[LSW1]int Vlanif 10
[LSW1-Vlanif10]ip add 10.1.1.1 24
[LSW1-Vlanif10]int Vlanif 20
[LSW1-Vlanif20]ip add 10.1.2.1 24
[LSW1-Vlanif20]int Vlanif 30
[LSW1-Vlanif30]ip add 10.1.3.1 24
[LSW1-Vlanif30]int Vlanif 100
[LSW1-Vlanif100]ip add 10.1.100.1 24
3. Configure the uplink routing, so that the PCs and the server can all reach the Internet through LSW1
[LSW1]ospf 1
[LSW1-ospf-1]area 0
[LSW1-ospf-1-area-0.0.0.0]network 10.1.1.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.2.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.3.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.0]network 10.1.100.0 0.0.0.255
4. Configure AR1
[AR1-GigabitEthernet0/0/0]ip add 10.1.100.2 24
[AR1]ospf 1
[AR1-ospf-1]area 0
[AR1-ospf-1-area-0.0.0.0]network 10.1.100.0 0.0.0.255
5. Configure the PCs and the server
6. Configure and apply the traffic policies to control access between the PCs and the server
(1) Define each flow with an ACL
[LSW1]acl 3000 //deny access to PC2, PC3 and the server
[LSW1-acl-adv-3000]rule deny ip destination 10.1.2.0 0.0.0.255
[LSW1-acl-adv-3000]rule deny ip destination 10.1.3.0 0.0.0.255
[LSW1]acl 3001 //allow PC2 to access all resources on the server; other PCs may only access port 21 on the server
[LSW1-acl-adv-3001]rule permit ip source 10.1.2.2 0 destination 10.1.3.0 0.0.0.255
[LSW1-acl-adv-3001]rule permit tcp destination 10.1.3.2 0 destination-port eq 21
[LSW1-acl-adv-3001]rule deny ip destination 10.1.3.0 0.0.0.255
(2) Configure traffic classifiers to distinguish the flows
[LSW1]traffic classifier c1
[LSW1-classifier-c1]if-match acl 3000
[LSW1-classifier-c1]traffic classifier c2
[LSW1-classifier-c2]if-match acl 3001
(3) Configure a traffic behavior whose action is permit
[LSW1]traffic behavior b1
[LSW1-behavior-b1]permit
(4) Configure the traffic policies, binding each classifier to the behavior
[LSW1]traffic policy p1
[LSW1-trafficpolicy-p1]classifier c1 behavior b1
[LSW1]traffic policy p2
[LSW1-trafficpolicy-p2]classifier c2 behavior b1
(5) Apply the traffic policies to enforce access control between the PCs and the server
[LSW1]vlan 10
[LSW1-vlan10]traffic-policy p1 inbound
[LSW1]vlan 20
[LSW1-vlan20]traffic-policy p2 inbound
7. Verify the configuration
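Added example, not from the original post: a Python model of LSW1's first-match ACL evaluation for acl 3000 and acl 3001 above, used to check the intended access matrix before the policies go live. It assumes the host addresses PC1 10.1.1.2 and PC3 10.1.2.3 (only PC2 10.1.2.2 and the server 10.1.3.2 appear on the page) and the VRP semantics stated in the comment, which should be confirmed against the device's documentation.

```python
from ipaddress import IPv4Address

def wc_match(addr, net, wildcard):
    """VRP wildcard mask: a 1 bit in the wildcard means 'ignore this bit'."""
    if net is None:  # rule places no constraint on this address
        return True
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

# Rules as (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port),
# transcribed from the page's acl 3000 and acl 3001. "0" on the page is the
# host wildcard 0.0.0.0; "ip" matches every protocol; None means "any".
ACL_3000 = [
    ("deny", "ip", None, None, "10.1.2.0", "0.0.0.255", None),
    ("deny", "ip", None, None, "10.1.3.0", "0.0.0.255", None),
]
ACL_3001 = [
    ("permit", "ip", "10.1.2.2", "0.0.0.0", "10.1.3.0", "0.0.0.255", None),
    ("permit", "tcp", None, None, "10.1.3.2", "0.0.0.0", 21),
    ("deny", "ip", None, None, "10.1.3.0", "0.0.0.255", None),
]
# p1 (c1 -> acl 3000) is applied inbound on VLAN 10, p2 (c2 -> acl 3001)
# inbound on VLAN 20; VLAN 30 and VLAN 100 carry no policy.
POLICY_BY_VLAN = {10: ACL_3000, 20: ACL_3001}

def acl_lookup(rules, proto, src, dst, dport=None):
    """First match wins, in configuration order (VRP's default rule order)."""
    for action, r_proto, s_net, s_wc, d_net, d_wc, r_port in rules:
        if r_proto != "ip" and r_proto != proto:
            continue
        if not (wc_match(src, s_net, s_wc) and wc_match(dst, d_net, d_wc)):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "unmatched"

def forwarded(vlan, proto, src, dst, dport=None):
    """True if LSW1 forwards a packet arriving from `vlan`. Assumed VRP semantics:
    a matching 'deny' rule discards the packet even though behavior b1 is 'permit';
    a packet matching no rule is not classified, so it is forwarded normally."""
    rules = POLICY_BY_VLAN.get(vlan)
    if rules is None:
        return True
    return acl_lookup(rules, proto, src, dst, dport) != "deny"

if __name__ == "__main__":  # constructed probes: PC1 10.1.1.2, PC3 10.1.2.3
    print("PC3 -> server:80", forwarded(20, "tcp", "10.1.2.3", "10.1.3.2", 80))
    print("PC3 -> PC1 ping ", forwarded(20, "icmp", "10.1.2.3", "10.1.1.2"))
```

The second probe shows a property of these stateless ACLs worth knowing: packets from VLAN 20 towards VLAN 10 are forwarded, and only the replies from VLAN 10 are dropped by acl 3000, so the isolation of PC1 depends on the reverse direction being filtered.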
Source: https://blog.csdn.net/Tony_long7483/article/details/122271773