[sw01]vlan batch 10 20 30
Create VLANs 10, 20 and 30
[sw01]dis vlan
Display VLAN information
[sw01]vlan 10
Enter the VLAN 10 view
[sw01-vlan10]mux-vlan
Set it as a MUX VLAN: VLAN 10 becomes the principal VLAN
[sw01-vlan10]subordinate separate 20
Configure VLAN 20 as a separate (isolated) subordinate VLAN
[sw01-vlan10]subordinate group 30
Configure VLAN 30 as a group (interconnected) subordinate VLAN
[sw01-vlan10]description LINK-TO-XXX
Add a description
[sw01-vlan10]dis this
Display the current view's configuration to check the description
#
vlan 10
description LINK-TO-XXX
mux-vlan
subordinate separate 20
subordinate group 30
Next, configure the interfaces.
[sw01]int GigabitEthernet 0/0/1
Enter interface GE0/0/1
[sw01-GigabitEthernet0/0/1]port link-type access
[sw01-GigabitEthernet0/0/1]port default vlan 20
Set it to VLAN 20
[sw01-GigabitEthernet0/0/1]q
[sw01]int g 0/0/2
[sw01-GigabitEthernet0/0/2]port link-type access
[sw01-GigabitEthernet0/0/2]port default vlan 20
[sw01-GigabitEthernet0/0/2]q
[sw01]int g 0/0/1
[sw01-GigabitEthernet0/0/1]port mux-vlan enable
[sw01]int g 0/0/2
[sw01-GigabitEthernet0/0/2]port mux-vlan enable
[sw01-GigabitEthernet0/0/2]dis this
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
port mux-vlan enable
[sw01]int g 0/0/3
[sw01-GigabitEthernet0/0/3]port link-type access
[sw01-GigabitEthernet0/0/3]port default vlan 30
[sw01-GigabitEthernet0/0/3]port mux-vlan enable
[sw01]int g 0/0/4
[sw01-GigabitEthernet0/0/4]port link-type access
[sw01-GigabitEthernet0/0/4]port default vlan 30
[sw01-GigabitEthernet0/0/4]port mux-vlan enable
[sw01]int g 0/0/5
[sw01-GigabitEthernet0/0/5]port link-type access
[sw01-GigabitEthernet0/0/5]port default vlan 10
[sw01-GigabitEthernet0/0/5]dis this
[sw01-GigabitEthernet0/0/5]port mux-vlan enable
PC1 cannot ping PC2.
PC3 cannot ping PC1 or PC2.
PC1 and PC2 can both ping PC5.
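The three ping results above follow directly from the MUX VLAN roles. The script below is an added example (not Huawei code and not part of the original notes) that models those rules: the principal VLAN reaches every subordinate VLAN, members of a group subordinate VLAN reach each other, and members of a separate subordinate VLAN reach only the principal VLAN. VLAN roles and port assignments are taken from the configuration above; the PC-to-port mapping and the fallback for ports without `port mux-vlan enable` are assumptions.

```python
"""Simplified MUX VLAN reachability model (added example, not Huawei code)."""
from dataclasses import dataclass
from typing import Dict

PRINCIPAL, SEPARATE, GROUP = "principal", "separate", "group"

# VLAN roles from 'vlan 10 / mux-vlan / subordinate separate 20 / subordinate group 30'
VLAN_ROLES: Dict[int, str] = {10: PRINCIPAL, 20: SEPARATE, 30: GROUP}


@dataclass(frozen=True)
class Port:
    name: str
    vlan: int           # 'port default vlan N'
    mux_enabled: bool   # 'port mux-vlan enable' present on the interface


# Access-port VLANs follow the interface config above; PC-to-port mapping is assumed
PORTS: Dict[str, Port] = {
    "pc1": Port("GE0/0/1", 20, True),
    "pc2": Port("GE0/0/2", 20, True),
    "pc3": Port("GE0/0/3", 30, True),
    "pc4": Port("GE0/0/4", 30, True),
    "pc5": Port("GE0/0/5", 10, True),
}


def can_reach(a: Port, b: Port, roles: Dict[int, str] = VLAN_ROLES) -> bool:
    """Return True if a Layer 2 frame from port a may be delivered to port b."""
    ra, rb = roles.get(a.vlan), roles.get(b.vlan)
    if not (a.mux_enabled and b.mux_enabled) or ra is None or rb is None:
        # Assumption: without MUX VLAN on both ports, ordinary same-VLAN rules apply
        return a.vlan == b.vlan
    if PRINCIPAL in (ra, rb):
        return True           # principal VLAN talks to every subordinate VLAN
    if a.vlan != b.vlan:
        return False          # two different subordinate VLANs never talk
    return ra == GROUP        # group: members interconnect; separate: members isolated


def ping_matrix(ports: Dict[str, Port] = PORTS) -> Dict[tuple, bool]:
    """Expected ping outcome for every ordered PC pair."""
    return {(x, y): can_reach(ports[x], ports[y])
            for x in ports for y in ports if x != y}


if __name__ == "__main__":
    for (x, y), ok in sorted(ping_matrix().items()):
        print(f"{x} -> {y}: {'ok' if ok else 'blocked'}")
```

Running the script prints the full matrix; the three observations in the notes (PC1/PC2 blocked, PC3 blocked from PC1 and PC2, everyone reaching PC5) come out of the same three rules, and PC3/PC4 are additionally shown to reach each other because VLAN 30 is a group VLAN.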
Port isolation application scenarios:
Router-on-a-stick uses a trunk link.
Layer 3 to Layer 3 uses an access link.
<Huawei>sy
[Huawei]sysname R1
[R1]dis ip int bri
Display the interface summary
[R2]interface GigabitEthernet 0/0/0.10
[R2-GigabitEthernet0/0/0.10]vlan-type dot1q 10
[R2-GigabitEthernet0/0/0.10]ip address 192.168.1.1 24
[R2]int GigabitEthernet 0/0/0.2
[R2-GigabitEthernet0/0/0.2]ip address 192.168.2.1 24
[R2-GigabitEthernet0/0/0.2]dis this
Display the current IP address
interface GigabitEthernet0/0/0.2
ip address 192.168.2.1 255.255.255.0
[R2-GigabitEthernet0/0/0.2]vlan-type dot1q 20
[R2-GigabitEthernet0/0/0.2]dis this
Display the current interface's configuration
interface GigabitEthernet0/0/0.2
vlan-type dot1q 20
ip address 192.168.2.1 255.255.255.0
[R2]dis ip int bri
Display the interface summary
Next, configure the switch:
<Huawei>sy
[Huawei]sys
[Huawei]sysname sw01
[sw01]int GigabitEthernet 0/0/2
<sw01>undo terminal monitor
Turn off terminal monitoring (screen output)
[sw01]vlan batch 10 20
[sw01]int g 0/0/2
[sw01-GigabitEthernet0/0/2]port link-type trunk
[sw01-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20
Allow VLANs 10 and 20 to pass through the trunk
[sw01]interface g 0/0/3
[sw01-GigabitEthernet0/0/3]port link-type access
[sw01-GigabitEthernet0/0/3]port default vlan 10
[sw01-GigabitEthernet0/0/3]int g 0/0/4
[sw01-GigabitEthernet0/0/4]port link-type access
[sw01-GigabitEthernet0/0/4]port default vlan 20
[sw01-GigabitEthernet0/0/4]dis this
Display the interface configuration:
#
interface GigabitEthernet0/0/4
port link-type access
port default vlan 20
<Huawei>sys
[Huawei]sysname sw02
[sw02]dis ip int bri
[sw02]vlan batch 10 20
[sw02]interface GigabitEthernet 0/0/2
[sw02-GigabitEthernet0/0/2]port link-type trunk
[sw02-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20
<sw02>undo terminal monitor
Turn off terminal monitoring (screen output)
<sw02>dis ip int bri
Display the interface summary
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 2
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 1
The number of interface that is DOWN in Protocol is 2
Interface IP Address/Mask Physical Protocol
MEth0/0/1 unassigned down down
NULL0 unassigned up up(s)
Vlanif1 unassigned up down
[sw02]int g 0/0/3
[sw02-GigabitEthernet0/0/3]port link-type trunk
[sw02-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20
[sw02]int g 0/0/4
[sw02-GigabitEthernet0/0/4]port link-type access
[sw02-GigabitEthernet0/0/4]port default vlan 10
[sw02-GigabitEthernet0/0/4]int g 0/0/1
[sw02-GigabitEthernet0/0/1]port link-type access
[sw02-GigabitEthernet0/0/1]port default vlan 20
[sw02-GigabitEthernet0/0/1]dis this
Display the configuration
interface GigabitEthernet0/0/1
port link-type access
port default vlan 20
Next, configure the rightmost switch.
[Huawei]sys
[Huawei]sysname sw03
[sw03]vlan batch 10 20
[sw03-GigabitEthernet0/0/3]
[sw03-GigabitEthernet0/0/3]port link-type trunk
[sw03-GigabitEthernet0/0/3]port trunk allow-pass vlan 10 20
[sw03]int g 0/0/1
[sw03-GigabitEthernet0/0/1]port link-type access
[sw03-GigabitEthernet0/0/1]port default vlan 20
Ping test
[sw01]int g 0/0/3
[sw01-GigabitEthernet0/0/3]port-isolate enable
Enable port isolation
[sw02]int g 0/0/4
[sw02-GigabitEthernet0/0/4]port-isolate enable
PC>ping 192.168.1.3
[sw01]int g 0/0/1
[sw01-GigabitEthernet0/0/1]port link-type trunk
[sw01-GigabitEthernet0/0/1]port trunk allow-pass vlan 10 20
Now the ping succeeds.
Currently all traffic passes through the router, so we need to
[R2]int g 0/0/0.10
[R2-GigabitEthernet0/0/0.10]shut
Add another PC.
[sw01-GigabitEthernet0/0/1]int g 0/0/05
[sw01-GigabitEthernet0/0/5]port link-type access
[sw01-GigabitEthernet0/0/5]port-isolate enable
Ping 1.4 from 1.2: this achieves port isolation between ports on the same switch.
This isolation blocks packets between the networks.
The ports are connected on the same switch.
[sw01]display interface GigabitEthernet 0/0/1
Port isolation application scenarios
Port isolation basic concepts
An isolation group is only effective on the local switch; its main purpose is to prevent broadcasts.
(Ports in the same isolation group cannot communicate; ports in different isolation groups can.)
<R2>sys
[R2]int g 0/0/0.10
[R2-GigabitEthernet0/0/0.10]undo shut
For APs in a wireless network, every AP must be port-isolated.
<sw01>sys
[sw01]int g0/0/3
[sw01-GigabitEthernet0/0/3]undo port-isolate enable
Now the ping no longer works.
[sw01]dis port-isolate group all
The ports in isolate group 1:
GigabitEthernet0/0/3 GigabitEthernet0/0/5
Display which ports have joined the isolation group
Ports on different switches can only be isolated through a Layer 3 switch.
Port isolation isolates at Layer 2.
Port security
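The two rules stated above (isolation is local to one switch; ports in the same group are blocked, ports in different groups or no group are not) can be checked against the `dis port-isolate group all` output. The script below is an added example (not part of the original notes, not Huawei code): it parses that output format and answers whether two ports may exchange Layer 2 frames. The sample output is constructed in the same format as the notes' output, with an extra group 2 added to show the cross-group case.

```python
"""Port-isolation group parser and Layer 2 reachability check (added example)."""
import re
from typing import Dict, Optional, Set

# Constructed sample in the format of 'dis port-isolate group all' above
SAMPLE_OUTPUT = """\
The ports in isolate group 1:
    GigabitEthernet0/0/3    GigabitEthernet0/0/5
The ports in isolate group 2:
    GigabitEthernet0/0/7
"""

GROUP_RE = re.compile(r"The ports in isolate group (\d+):")


def parse_isolate_groups(text: str) -> Dict[int, Set[str]]:
    """Return {group id: {port names}} from 'dis port-isolate group all' output."""
    groups: Dict[int, Set[str]] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            current = int(m.group(1))
            groups[current] = set()
            continue
        if current is not None and line.strip():
            groups[current].update(line.split())   # member ports, whitespace separated
    return groups


def group_of(port: str, groups: Dict[int, Set[str]]) -> Optional[int]:
    for gid, members in groups.items():
        if port in members:
            return gid
    return None


def l2_allowed(switch_a: str, port_a: str, switch_b: str, port_b: str,
               groups_by_switch: Dict[str, Dict[int, Set[str]]]) -> bool:
    """Port isolation is local: only two ports of the same switch in the same group are blocked."""
    if switch_a != switch_b:
        return True     # isolation groups never apply across switches
    groups = groups_by_switch[switch_a]
    ga, gb = group_of(port_a, groups), group_of(port_b, groups)
    return ga is None or gb is None or ga != gb


if __name__ == "__main__":
    by_switch = {"sw01": parse_isolate_groups(SAMPLE_OUTPUT)}
    print(l2_allowed("sw01", "GigabitEthernet0/0/3", "sw01", "GigabitEthernet0/0/5", by_switch))
```

Ports GE0/0/3 and GE0/0/5 are in group 1 and are therefore blocked, matching the notes; GE0/0/3 and GE0/0/7 (different groups) or GE0/0/3 and an unlisted port are allowed, and any pair on two different switches is always allowed, which is why the notes say cross-switch isolation needs a Layer 3 device instead.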
<sw01>sys
[sw01]int g 0/0/3
[sw01-GigabitEthernet0/0/3]
[sw01-GigabitEthernet0/0/3]port-security enable
Enable port security
<sw01>undo terminal monitor
<sw01>sys
[sw01]int g 0/0/3
[sw01-GigabitEthernet0/0/3]port-security mac-address sticky
[sw01-GigabitEthernet0/0/3]port-security max-mac-num 1
Set the maximum number of MAC addresses allowed on the port to one
[sw01-GigabitEthernet0/0/3]dis this
Display the configuration
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
port-isolate enable group 1
Look up PC6's MAC address
[sw01-GigabitEthernet0/0/3]port-security mac-address sticky 5489-98DE-79F6 vlan 10
Bind this MAC address to VLAN 10
[sw01]dis current-configuration interface g 0/0/3
Display the configuration commands of interface 3
Next, swap the positions of PC8 and PC6, still using interface 3.
[sw01]int g 0/0/3
Capture packets on GE0/0/1 (the uplink above).
Capturing on port 3 shows the packets are dropped directly.
[sw01]dis mac-address sticky
Display the sticky MAC entries
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------
5489-98de-79f6 10 - - GE0/0/3 sticky -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1
The check is by MAC address: frames from a MAC that does not match are rejected.
Wired access is one-to-one; wireless access is one-to-many.
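The drop seen when PC8 is moved onto interface 3 is the port-security limit at work: with `port-security max-mac-num 1` and the sticky entry for PC6 already bound, a frame from any other source MAC on that port is discarded. The script below is an added example (not part of the original notes, not Huawei code) that parses a `dis mac-address sticky` table in the format shown above and simulates the admission decision, including sticky learning on a fresh port. The table text is constructed to match the notes' output (PC6's MAC 5489-98DE-79F6 comes from the notes); the MAC `0000-0000-0001` standing in for PC8 is a constructed placeholder, and the simplified learning logic is an assumption.

```python
"""Sticky MAC table parser and port-security admission model (added example)."""
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample mirroring the 'dis mac-address sticky' output in the notes
STICKY_TABLE = """\
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID
               VSI/SI                                              MAC-Tunnel
-------------------------------------------------------------------------------
5489-98de-79f6 10          -      -      GE0/0/3         sticky    -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1
"""

# mac  vlan  pevlan  cevlan  port  type  (Huawei xxxx-xxxx-xxxx MAC notation)
ROW_RE = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)", re.I)

Entry = Tuple[str, int]   # (mac, vlan)


def parse_sticky(text: str) -> Dict[str, Set[Entry]]:
    """Return {port: {(mac, vlan), ...}} for rows whose Type is 'sticky'."""
    entries: Dict[str, Set[Entry]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group(4).lower() == "sticky":
            entries.setdefault(m.group(3), set()).add((m.group(1).lower(), int(m.group(2))))
    return entries


def declared_total(text: str) -> Optional[int]:
    """The count the switch itself reports, useful to confirm nothing was mis-parsed."""
    m = re.search(r"Total matching items on slot \d+ displayed = (\d+)", text)
    return int(m.group(1)) if m else None


class SecuredPort:
    """Access port with 'port-security enable', 'mac-address sticky' and 'max-mac-num'."""

    def __init__(self, name: str, vlan: int, max_mac_num: int = 1,
                 sticky: Optional[Set[Entry]] = None) -> None:
        self.name, self.vlan, self.max_mac_num = name, vlan, max_mac_num
        self.sticky: Set[Entry] = set(sticky or ())   # bound or previously learned MACs

    def admit(self, src_mac: str) -> bool:
        """Decide whether a frame with this source MAC is forwarded on the port."""
        key = (src_mac.lower(), self.vlan)
        if key in self.sticky:
            return True                                 # known sticky MAC
        if len(self.sticky) < self.max_mac_num:
            self.sticky.add(key)                        # sticky learning of a new MAC
            return True
        return False                                    # limit reached: frame is discarded


if __name__ == "__main__":
    table = parse_sticky(STICKY_TABLE)
    port3 = SecuredPort("GE0/0/3", 10, max_mac_num=1, sticky=table["GE0/0/3"])
    print("PC6:", port3.admit("5489-98DE-79F6"))   # bound MAC, forwarded
    print("PC8:", port3.admit("0000-0000-0001"))   # placeholder MAC, discarded
```

The parser is case-insensitive because the switch prints the MAC in lower case while the configured value was typed in upper case; comparing the parsed count with the `Total matching items` line catches a table that was truncated or changed format before any admission decision is made from it.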