
How to use private VLAN technology to isolate communication within a VLAN

Document number: 2106
Last updated: 2016-07-21

This document is based on the ST3528Fv2 version.
 
Environment description
    The internal network has one ST3528F. All networked devices belong to vlan1, and port isolation is required.
 
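Requirements analysis
    The layer-3 switch is not divided into VLANs internally. The five internal servers are connected to ports 18-22, finance department staff to ports 1-8, and other staff to ports 9-17. Everyone on the internal network must be able to access the servers. Finance department staff and other staff must not be able to reach each other, while hosts within the finance department, and hosts within the other-staff group, must still be able to reach one another.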
 
Configuration steps:
    1. Enable CPU control mode for MAC address learning
ST3528F(config)#mac-address-learning cpu-control
 
    2. Create a VLAN and set it as the primary VLAN
ST3528F(config)#vlan 100
ST3528F(config-vlan100)#private-vlan primary
Note:This will remove all the access ports from vlan 100
ST3528F(config-vlan100)#exit
 
    3. Configure the community VLANs, for example VLAN 10 and VLAN 20
ST3528F(config)#vlan 10
ST3528F(config-vlan10)#private-vlan community
Note:This will remove all the access ports from vlan 10
ST3528F(config-vlan10)#exit
ST3528F(config)#vlan 20
ST3528F(config-vlan20)#private-vlan community
Note:This will remove all the access ports from vlan 20
ST3528F(config-vlan20)#exit
 
    4. Configure the VLAN association: associate community VLANs 10 and 20 with VLAN 100 so that they become internal sub-VLANs of VLAN 100
ST3528F(config)#vlan 100
ST3528F(config-vlan100)#private-vlan association 10;20
Set vlan 100 associated vlan successfully
ST3528F(config-vlan100)#exit
 
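    5. Configure an IP address on the VLAN 100 interface; otherwise the switch cannot be logged in to once the public ports have joined the VLAN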
ST3528F(config)#int vlan 100
ST3528F(config-if-vlan100)#ip add 192.168.100.1 255.255.255.0
ST3528F(config-if-vlan100)#exit
 
    6. Add the ports to the corresponding VLANs: ports 1-8 to VLAN 10, ports 9-17 to VLAN 20, and ports 18-22 to VLAN 100
ST3528F(config)#interface ethernet 1/0/1-8
ST3528F(config-if-port-range)#switchport access vlan 10
Set the port Ethernet1/0/1 access vlan 10 successfully
Set the port Ethernet1/0/2 access vlan 10 successfully
Set the port Ethernet1/0/3 access vlan 10 successfully
Set the port Ethernet1/0/4 access vlan 10 successfully
Set the port Ethernet1/0/5 access vlan 10 successfully
Set the port Ethernet1/0/6 access vlan 10 successfully
Set the port Ethernet1/0/7 access vlan 10 successfully
Set the port Ethernet1/0/8 access vlan 10 successfully
ST3528F(config-if-port-range)#exit
ST3528F(config)#int ethernet 1/0/9-17
ST3528F(config-if-port-range)#switchport access vlan 20
Set the port Ethernet1/0/9 access vlan 20 successfully
Set the port Ethernet1/0/10 access vlan 20 successfully
Set the port Ethernet1/0/11 access vlan 20 successfully
Set the port Ethernet1/0/12 access vlan 20 successfully
Set the port Ethernet1/0/13 access vlan 20 successfully
Set the port Ethernet1/0/14 access vlan 20 successfully
Set the port Ethernet1/0/15 access vlan 20 successfully
Set the port Ethernet1/0/16 access vlan 20 successfully
Set the port Ethernet1/0/17 access vlan 20 successfully
ST3528F(config-if-port-range)#exit
ST3528F(config)#int ethernet 1/0/18-22
ST3528F(config-if-port-range)#switchport access vlan 100
Set the port Ethernet1/0/18 access vlan 100 successfully
Set the port Ethernet1/0/19 access vlan 100 successfully
Set the port Ethernet1/0/20 access vlan 100 successfully
Set the port Ethernet1/0/21 access vlan 100 successfully
Set the port Ethernet1/0/22 access vlan 100 successfully
ST3528F(config-if-port-range)#
 
    7. Save the configuration
ST3528F#wr
Confirm to overwrite current startup-config configuration [Y/N]:y
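
The Python sketch below is an added example, not part of the original article or any vendor tooling: it parses the commands from steps 2-6 and checks the resulting port-to-port reachability against the requirement stated above. The forwarding model (same VLAN, or primary VLAN to one of its associated VLANs) and the names `parse`, `can_talk` and `audit` are assumptions made for this example.

```python
import re
# Constructed input: the commands from steps 2-6 above with prompts and output removed.
CONFIG = """\
vlan 100
private-vlan primary
vlan 10
private-vlan community
vlan 20
private-vlan community
vlan 100
private-vlan association 10;20
interface ethernet 1/0/1-8
switchport access vlan 10
interface ethernet 1/0/9-17
switchport access vlan 20
interface ethernet 1/0/18-22
switchport access vlan 100
"""

def parse(config):
    """Return (role per VLAN, primary -> associated VLANs, access VLAN per port)."""
    roles, assoc, port_vlan, vlan, ports = {}, {}, {}, None, []
    for line in config.splitlines():
        line = line.split("#", 1)[-1].strip()  # drop a CLI prompt if one was pasted
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m[1])
        elif m := re.fullmatch(r"private-vlan (primary|community)", line):
            roles[vlan] = m[1]
        elif m := re.fullmatch(r"private-vlan association ([\d;]+)", line):
            assoc[vlan] = {int(v) for v in m[1].split(";")}
        elif m := re.fullmatch(r"int(?:erface)? ethernet 1/0/(\d+)-(\d+)", line):
            ports = range(int(m[1]), int(m[2]) + 1)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            port_vlan.update({p: int(m[1]) for p in ports})
    return roles, assoc, port_vlan

def can_talk(a, b, roles, assoc, port_vlan):
    """Assumed model: same VLAN, or primary VLAN <-> one of its associated VLANs."""
    va, vb = port_vlan.get(a, 1), port_vlan.get(b, 1)  # unassigned ports stay in vlan 1
    return va == vb or any(roles.get(p) == "primary" and s in assoc.get(p, ())
                           for p, s in ((va, vb), (vb, va)))

def audit(config):
    """Return port pairs that violate the requirement stated in the article."""
    model = parse(config)
    finance, others, servers = range(1, 9), range(9, 18), range(18, 23)
    bad = [(f, o) for f in finance for o in others if can_talk(f, o, *model)]
    return bad + [(u, s) for u in (*finance, *others) for s in servers
                  if not can_talk(u, s, *model)]
```

An empty list from `audit` means the planned commands satisfy the requirement under the assumed model; a missing association or a port range placed in the wrong community VLAN shows up as the offending port pairs.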
 
 
 
 
 

  
