09-VLAN典型配置举例

Copyright © 2014杭州华三通信技术有限公司 版权所有，保留一切权利。

非经本公司书面许可，任何单位和个人不得擅自摘抄、复制本文档内容的部分或全部，并不得以任何形式传播。本文档中的信息可能变动，恕不另行通知。

目 录

1 简介 ······················································································································································ 1 2 配置前提 ··············································································································································· 1 3 基于端口的VLAN典型配置举例············································································································· 1 

3.1 组网需求 ··············································································································································· 1 3.2 使用版本 ··············································································································································· 1 3.3 配置步骤 ··············································································································································· 1 3.4 验证配置 ··············································································································································· 2 3.5 配置文件 ··············································································································································· 2 

4 Private VLAN典型配置举例 ·················································································································· 3 

4.1 组网需求 ··············································································································································· 3 4.2 配置思路 ··············································································································································· 4 4.3 使用版本 ··············································································································································· 4 4.4 配置注意事项 ········································································································································ 4 4.5 配置步骤 ··············································································································································· 4 

4.5.1 Device B的配置 ························································································································· 4 4.5.2 Device A的配置 ························································································································· 5 4.6 验证配置 ··············································································································································· 5 4.7 配置文件 ··············································································································································· 6 

5 相关资料 ··············································································································································· 7 

i

1 简介

本文档介绍基于端口的VLAN和Private VLAN的典型应用场景和配置举例。

2 配置前提

本文档中的配置均是在实验室环境下进行的配置和验证，配置前设备的所有参数均采用出厂时的缺省配置。如果您已经对设备进行了配置，为了保证配置效果，请确认现有配置和以下举例中的配置不冲突。

本文档假设您已了解VLAN特性。

3 基于端口的VLAN典型配置举例

3.1 组网需求

如图1所示，Host A和Host C属于部门A，但是通过不同的设备接入公司网络；Host B和Host D属于部门B，也通过不同的设备接入公司网络。为了通信的安全性，以及避免广播报文泛滥，公司网络中使用VLAN技术来隔离部门间的二层流量。其中部门A使用VLAN 100，部门B使用VLAN 200。 现要求同一VLAN内的主机能够互通，即Host A和Host C能够互通，Host B和Host D能够互通。 图1 基于端口的VLAN组网图

3.2 使用版本

本举例是在S6300-CMW710-R2310版本上进行配置和验证的。

3.3 配置步骤

(1) 配置Device A

# 创建VLAN 100，并将Ten-GigabitEthernet1/0/1加入VLAN 100。

[DeviceA] vlan 100

[DeviceA-vlan100] port ten-gigabitethernet 1/0/1 [DeviceA-vlan100] quit

# 创建VLAN 200，并将Ten-GigabitEthernet1/0/2加入VLAN 200。

[DeviceA] vlan 200

1

[DeviceA-vlan200] port ten-gigabitethernet 1/0/2 [DeviceA-vlan200] quit

# 为了使Device A上VLAN 100和VLAN 200的报文能发送给Device B，将Ten-GigabitEthernet1/0/3的链路类型配置为Trunk，并允许VLAN 100和VLAN 200的报文通过。

[DeviceA] interface ten-gigabitethernet 1/0/3

[DeviceA-Ten-GigabitEthernet1/0/3] port link-type trunk

[DeviceA-Ten-GigabitEthernet1/0/3] port trunk permit vlan 100 200

(2) Device B上的配置与Device A上的配置相同，不再赘述。

(3) 将Host A和Host C配置在一个网段，例如192.168.100.0/24；将Host B和Host D配置在

一个网段，比如192.168.200.0/24。

3.4 验证配置

(1) Host A和Host C能够互相ping通，但是均不能ping通Host B。Host B和Host D能够互相

ping通，但是均不能ping通Host A。 (2) 通过查看显示信息验证配置是否成功。

# 查看Device A上VLAN 100和VLAN 200的配置信息，VLAN 100的报文仅允许通过接口XGE1/0/3和XGE1/0/1，VLAN 200的报文仅允许通过接口XGE1/0/3和XGE1/0/2。

[DeviceA-Ten-GigabitEthernet1/0/3] display vlan 100 VLAN ID: 100 VLAN type: Static

Route interface: Not configured Description: VLAN 0100 Name: VLAN 0100 Tagged ports:

Ten-GigabitEthernet1/0/3 Untagged ports:

Ten-GigabitEthernet1/0/1

[DeviceA-Ten-GigabitEthernet1/0/3] display vlan 200 VLAN ID: 200 VLAN type: Static

Route interface: Not configured Description: VLAN 0200 Name: VLAN 0200 Tagged ports:

Ten-GigabitEthernet1/0/3 Untagged ports:

Ten-GigabitEthernet1/0/2

3.5 配置文件

Device B上的配置与Device A上的配置相同，此处仅以Device A的配置文件举例

#

vlan 100 #

vlan 200

2

#

interface Ten-GigabitEthernet1/0/1 port access vlan 100 #

interface Ten-GigabitEthernet1/0/2 port access vlan 200 #

interface Ten-GigabitEthernet1/0/3 port link-type trunk

port trunk permit vlan 1 100 200 #

4 Private VLAN典型配置举例

4.1 组网需求

如图2所示： •

汇聚层设备Device A为接入设备Device B分配了VLAN 10，网关接口VLAN-interface10可以和所有用户互通，以便用户可以通过Device A来访问外部网络。Device B连接的所有用户均处于同一网段10.0.0.0/24。

Host A和B属于销售部，Host C和D属于财务部。为保证安全，需要使不同部门之间二层隔离，同部门的用户之间则可以互通。

•

现由于Device A不能为Device B分配更多VLAN，要求通过Private VLAN功能实现： • •

Device A只需识别VLAN 10。

Device B在Primary VLAN 10下为各部门配置不同的Secondary VLAN，使部门间二层隔离。

图2 Private VLAN典型配置举例组网图

XGE1/0/2XGE1/0/3/5/0E14XG/0/E1XG

3

4.2 配置思路

Private VLAN功能只需要在接入设备Device B上配置。

4.3 使用版本

本举例是在S6300-CMW710-R2310版本上进行配置和验证的。

4.4 配置注意事项

系统缺省VLAN（VLAN 1）不支持Private VLAN相关配置。

4.5 配置步骤

4.5.1 Device B的配置

# 配置VLAN 10为Primary VLAN。

system-view [DeviceB] vlan 10

[DeviceB-vlan10] private-vlan primary [DeviceB-vlan10] quit

# 创建Secondary VLAN 201、202。

[DeviceB] vlan 201 to 202

# 建立Primary VLAN 10和Secondary VLAN 201、202的映射关系。

[DeviceB] vlan 10

[DeviceB-vlan10] private-vlan secondary 201 to 202 [DeviceB-vlan10] quit

# 配置上行端口Ten-GigabitEthernet1/0/1在VLAN 10中工作在promiscuous模式。

[DeviceB] interface ten-gigabitethernet 1/0/1

[DeviceB-Ten-GigabitEthernet1/0/1] port private-vlan 10 promiscuous [DeviceB-Ten-GigabitEthernet1/0/1] quit

# 将下行端口Ten-GigabitEthernet1/0/2、Ten-GigabitEthernet1/0/3添加到VLAN 201，Ten-GigabitEthernet1/0/4、Ten-GigabitEthernet1/0/5添加到VLAN 202，并配置它们工作在host模式。

[DeviceB] interface range ten-gigabitethernet 1/0/2 to ten-gigabitethernet 1/0/3 [DeviceB-if-range] port access vlan 201 [DeviceB-if-range] port private-vlan host [DeviceB-if-range] quit

[DeviceB] interface range ten-gigabitethernet 1/0/4 to ten-gigabitethernet 1/0/5 [DeviceB-if-range] port access vlan 202 [DeviceB-if-range] port private-vlan host [DeviceB-if-range] quit

4

4.5.2 Device A的配置

# 创建VLAN 10。将接口Ten-GigabitEthernet1/0/1加入VLAN 10。

system-view [DeviceA] vlan 10 [DeviceA] quit

[DeviceA] interface ten-gigabitethernet 1/0/1

[DeviceA-Ten-GigabitEthernet1/0/1] port access vlan 10 [DeviceA-Ten-GigabitEthernet1/0/1] quit

# 配置网关接口VLAN-interface10。

[DeviceA] interface vlan-interface 10

[DeviceA-Vlan-interface10] ip address 10.0.0.1 24 [DeviceA-Vlan-interface10] quit

4.6 验证配置

# Device A可以ping通任意用户。查看ARP表，可以看到所有用户均属于VLAN 10。

[DeviceA] display arp

Type: S-Static D-Dynamic O-Openflow M-Multiport I-Invalid

IP address MAC address VLAN Interface Aging Type 10.0.0.2 d485-a1-7e4a 10 XGE1/0/1 19 D 10.0.0.3 7446-a0aa-7774 10 XGE1/0/1 19 D 10.0.0.4 6805-ca05-39ae 10 XGE1/0/1 20 D 10.0.0.5 6805-ca05-414e 10 XGE1/0/1 20 D

# 显示Device B上的Private VLAN配置情况。

[DeviceB] display private-vlan Primary VLAN ID: 10

Secondary VLAN ID: 201-202 VLAN ID: 10 VLAN type: Static

Private VLAN type: Primary Route interface: Not configured Description: VLAN 0010 Name: VLAN 0010 Tagged ports: None Untagged ports:

Ten-GigabitEthernet1/0/1 Ten-GigabitEthernet1/0/2 Ten-GigabitEthernet1/0/3 Ten-GigabitEthernet1/0/4 Ten-GigabitEthernet1/0/5 VLAN ID: 201 VLAN type: Static

Private VLAN type: Secondary Route interface: Not configured Description: VLAN 0201 Name: VLAN 0201 Tagged ports: None Untagged ports:

5

Ten-GigabitEthernet1/0/1 Ten-GigabitEthernet1/0/2 Ten-GigabitEthernet1/0/3 VLAN ID: 202 VLAN type: Static

Private VLAN type: Secondary Route interface: Not configured Description: VLAN 0202 Name: VLAN 0202 Tagged ports: None Untagged ports:

Ten-GigabitEthernet1/0/1 Ten-GigabitEthernet1/0/4 Ten-GigabitEthernet1/0/5

可以看到，工作在promiscuous模式的端口Ten-GigabitEthernet1/0/1和工作在host模式的端口Ten-GigabitEthernet1/0/2～Ten-GigabitEthernet1/0/5均以Untagged方式允许VLAN报文通过。 # Host A、B之间可以互相ping通，Host C、D之间可以互相ping通。Host A、B与Host C、D之间均不能ping通。

4.7 配置文件

•

# vlan 1 # vlan 10

private-vlan primary

private-vlan secondary 201 to 202 #

vlan 201 to 202 #

interface Ten-GigabitEthernet1/0/1 port link-type hybrid undo port hybrid vlan 1

port hybrid vlan 10 201 to 202 untagged port hybrid pvid vlan 10

port private-vlan 10 promiscuous #

interface Ten-GigabitEthernet1/0/2 port link-type hybrid undo port hybrid vlan 1

port hybrid vlan 10 201 untagged port hybrid pvid vlan 201 port private-vlan host #

interface Ten-GigabitEthernet1/0/3 port link-type hybrid undo port hybrid vlan 1

port hybrid vlan 10 201 untagged

Device B

6

port hybrid pvid vlan 201 port private-vlan host #

interface Ten-GigabitEthernet1/0/4 port link-type hybrid undo port hybrid vlan 1

port hybrid vlan 10 202 untagged port hybrid pvid vlan 202 port private-vlan host #

interface Ten-GigabitEthernet1/0/5 port link-type hybrid undo port hybrid vlan 1

port hybrid vlan 10 202 untagged port hybrid pvid vlan 202 port private-vlan host #

•

#

Device A

vlan 1 # vlan 10 #

interface Vlan-interface10

ip address 10.0.0.1 255.255.255.0 #

interface Ten-GigabitEthernet1/0/1 port access vlan 10 #

5 相关资料

• •

H3C S6300系列以太网交换机 二层技术-以太网交换配置指导-Release 2310 H3C S6300系列以太网交换机 二层技术-以太网交换命令参考-Release 2310

7