Port Isolation: MUX VLAN
Background
MUX VLAN (Multiplex VLAN) provides a mechanism for controlling access to network resources through VLANs.
For example, in an enterprise network both employees and customers can access the enterprise servers. The enterprise wants its employees to be able to communicate with each other, while customers are isolated from one another and cannot reach each other.
Letting every user reach the enterprise servers can be done by configuring inter-VLAN communication. But if the enterprise is large and has many users, a separate VLAN has to be allocated to every user who must not reach the others. This not only consumes a large number of VLAN IDs but also increases the administrator's configuration and maintenance workload.
The Layer 2 traffic isolation mechanism provided by MUX VLAN lets employees communicate with each other while keeping customers isolated from one another.
Basic Concepts
A MUX VLAN consists of a Principal VLAN and Subordinate VLANs; Subordinate VLANs are further divided into Separate VLANs and Group VLANs.
How It Works
With the MUX VLAN feature, an enterprise can connect its servers to Principal ports, its customers to Separate ports, and its employees to Group ports. The result is that both customers and employees can access the enterprise servers, employees can communicate with each other, customers cannot communicate with each other, and customers and employees cannot reach each other.
On an aggregation-layer device, a VLANIF interface can be created for the Principal VLAN, and its IP address can serve as the gateway address for hosts or servers. As shown in Figure 2, configuring MUX VLAN on the aggregation switch Switch1 flexibly isolates or interconnects access traffic.
Lab Topology
| Command | Description |
|---|---|
| `[SW] vlan batch 2 3 10` | Create the VLANs |
| `[SW] vlan 10` | Enter the VLAN view |
| `[SW-vlan 10] mux-vlan` | Configure the principal VLAN |
| `[SW-vlan 10] subordinate group 2` | Configure the group (interconnected) subordinate VLAN |
| `[SW-vlan 10] subordinate separate 3` | Configure the separate (isolated) subordinate VLAN |
| `[SW-GigabitEthernet0/0/1] port mux-vlan enable` | Enable the MUX VLAN function on the port |

Configure SW1:
```
sys
sys SW1
vlan batch 2 3 10
int g0/0/1
p l a
p d v 10
int g0/0/2
p l a
p d v 2
int g0/0/3
p l a
p d v 2
int g0/0/4
p l a
p d v 3
int g0/0/5
p l a
p d v 3
[SW1]vlan 10
[SW1-vlan10]mux-vlan // configure VLAN 10 as the principal VLAN
[SW1-vlan10]subordinate ?
  group     Vlan Group
  separate  Separate vlan
[SW1-vlan10]subordinate group 2 // configure VLAN 2 as the group (interconnected) subordinate VLAN
[SW1-vlan10]subordinate separate 3 // configure VLAN 3 as the separate (isolated) subordinate VLAN
[SW1-vlan10]dis thi
#
vlan 10
 mux-vlan
 subordinate separate 3
 subordinate group 2
#
return
[SW1-vlan10]display mux-vlan // query the configuration
Principal  Subordinate  Type       Interface
-----------------------------------------------------------------------------
10         -            principal
10         3            separate
10         2            group
-----------------------------------------------------------------------------
[SW1-vlan10]quit

# Run the `port mux-vlan enable` command on every port that joins these VLANs.
[SW1-GigabitEthernet0/0/1]port mux-vlan enable
[SW1-GigabitEthernet0/0/1]dis thi
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 port mux-vlan enable
#
return
[SW1-GigabitEthernet0/0/1]int g0/0/2
[SW1-GigabitEthernet0/0/2]dis thi
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 2
 port mux-vlan enable
#
return
[SW1-GigabitEthernet0/0/2]quit
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]dis thi
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 2
 port mux-vlan enable
#
return
[SW1-GigabitEthernet0/0/3]
[SW1]interface GigabitEthernet 0/0/4
[SW1-GigabitEthernet0/0/4]dis thi
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 3
 port mux-vlan enable
#
return
[SW1-GigabitEthernet0/0/4]quit
[SW1-GigabitEthernet0/0/5]dis thi
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 3
 port mux-vlan enable
#
return
[SW1-GigabitEthernet0/0/5]
[SW1]display mux-vlan
Principal  Subordinate  Type       Interface
-----------------------------------------------------------------------------
10         -            principal
10         3            separate   GigabitEthernet0/0/4 GigabitEthernet0/0/5
10         2            group      GigabitEthernet0/0/2 GigabitEthernet0/0/3
-----------------------------------------------------------------------------
[SW1]
```
Test results:
Employees in VLAN 2 can communicate with each other and can access the server.
Customers in VLAN 3 cannot communicate with each other but can access the server.
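As an added check (not part of the original lab notes), the script below parses a `display mux-vlan` table laid out like the one above and derives the expected Layer 2 reachability between access ports from the principal / group / separate roles, so the observed test results can be compared against the intended policy. The table is a constructed sample that mirrors SW1's port assignments.

```python
"""Added example: derive the MUX VLAN isolation policy from `display mux-vlan`
output and compute which access ports are allowed to forward to each other."""
from itertools import combinations

# Constructed sample, laid out like the page's `display mux-vlan` output.
DISPLAY_MUX_VLAN = """\
Principal  Subordinate  Type       Interface
-----------------------------------------------------------------------------
10         -            principal  GigabitEthernet0/0/1
10         3            separate   GigabitEthernet0/0/4 GigabitEthernet0/0/5
10         2            group      GigabitEthernet0/0/2 GigabitEthernet0/0/3
-----------------------------------------------------------------------------"""


def parse_mux_vlan(output):
    """Return {interface: (role, vlan_id)} from a `display mux-vlan` dump."""
    roles = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("principal", "separate", "group"):
            continue  # header, separator or unrelated line
        principal, subordinate, role = fields[0], fields[1], fields[2]
        vlan = int(principal) if role == "principal" else int(subordinate)
        for intf in fields[3:]:
            roles[intf] = (role, vlan)
    return roles


def can_forward(roles, a, b):
    """MUX VLAN rule set: the principal VLAN talks to everyone, ports in the
    same group VLAN talk to each other, every other pair is isolated."""
    role_a, vlan_a = roles[a]
    role_b, vlan_b = roles[b]
    if "principal" in (role_a, role_b):
        return True
    return role_a == role_b == "group" and vlan_a == vlan_b


def reachability(roles):
    """Map each unordered port pair to whether Layer 2 forwarding is allowed."""
    return {frozenset(p): can_forward(roles, *p)
            for p in combinations(sorted(roles), 2)}


if __name__ == "__main__":
    table = reachability(parse_mux_vlan(DISPLAY_MUX_VLAN))
    for pair, ok in sorted(table.items(), key=lambda kv: sorted(kv[0])):
        print(" <-> ".join(sorted(pair)), "allowed" if ok else "blocked")
```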
Port Optimization: Super-VLAN and Sub-VLAN
Background
A Super-VLAN consists of multiple Sub-VLANs. Physical interfaces cannot be added to a Super-VLAN, but a VLANIF interface can be created for it and assigned an IP address.
The Sub-VLANs must be configured before the Super-VLAN is configured.
Lab Topology
Configure AR1:
```
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]
[Huawei]sys R1
[R1]
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]
[R1-GigabitEthernet0/0/0]ip add 12.0.0.1 24
Aug 10 2020 17:13:13-08:00 R1 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP on the interface GigabitEthernet0/0/0 has entered the UP state.
[R1-GigabitEthernet0/0/0]
[R1-GigabitEthernet0/0/0]int lo 1
[R1-LoopBack1]
[R1-LoopBack1]ip add 1.1.1.1 32
[R1-LoopBack1]dis thi
[V200R003C00]
#
interface LoopBack1
 ip address 1.1.1.1 255.255.255.255
#
return
[R1-LoopBack1]
[R1]ip route-s 0.0.0.0 0 12.0.0.2 // add a default route
```
Configure SW1:
```
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys SW1
[SW1]vlan batch 2 3 10 12 // create the VLANs: VLAN 12 carries normal traffic to R1, VLAN 10 is the Super-VLAN, VLANs 2 and 3 are the Sub-VLANs
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1]int g0/0/3
[SW1-GigabitEthernet0/0/3]p l a
[SW1-GigabitEthernet0/0/3]p d v 12
[SW1-GigabitEthernet0/0/3]int vlanif 12
[SW1-Vlanif12]ip add 12.0.0.2 24
[SW1-Vlanif12]
[SW1-Vlanif12]ip route-s 1.1.1.1 32 12.0.0.1 // configure a static route
Aug 10 2020 17:14:05-08:00 SW1 %%01IFNET/4/IF_STATE(l)[0]:Interface Vlanif12 has turned into UP state.
Aug 10 2020 17:14:05-08:00 SW1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP on the interface Vlanif12 has entered the UP state.
[SW1]
[SW1]vlan 10
[SW1-vlan10]a
[SW1-vlan10]aggregate-vlan ?
  <cr>
[SW1-vlan10]aggregate-vlan // set VLAN 10 as the Super-VLAN
[SW1-vlan10]access-vlan ?
  INTEGER<1-4094>
[SW1-vlan10]access-vlan 2 // add Sub-VLANs 2 and 3
[SW1-vlan10]access-vlan 3
[SW1-vlan10]dis thi
#
vlan 10
 aggregate-vlan
 access-vlan 2 to 3
#
return
[SW1-vlan10]
[SW1-vlan10]display sub-vlan // query the Sub-VLANs
VLAN ID   Super-vlan
--------------------------------------------------------------------------------
2         10
3         10
[SW1-vlan10]dis
[SW1-vlan10]display sup
[SW1-vlan10]display super-vlan // query the Super-VLAN
VLAN ID   Sub-vlan
--------------------------------------------------------------------------------
10        2-3
[SW1-vlan10]
[SW1]interface Vlanif 10 // configure the IP address of VLAN 10
[SW1-Vlanif10]dis thi
#
interface Vlanif10
 ip address 192.168.0.254 255.255.255.0
#
return
[SW1-Vlanif10]
```
Test results
At this point, PC1 and PC2 cannot communicate with each other.
***To fix this, inter-Sub-VLAN proxy ARP must be enabled.***
Configure SW1:
```
[SW1]interface Vlanif 10
[SW1-Vlanif10]arp-proxy ?
  enable                Enable proxy ARP(Address Resolve Protocol)
  inner-sub-vlan-proxy  Proxy ARP within a VLAN
  inter-sub-vlan-proxy  Proxy ARP between VLANs
[SW1-Vlanif10]arp-proxy inter-sub-vlan-proxy ?
  enable  Enable proxy ARP(Address Resolve Protocol)
[SW1-Vlanif10]arp-proxy inter-sub-vlan-proxy enable // enable proxy ARP between Sub-VLANs
[SW1-Vlanif10]
```
Test results
Now PCs in different Sub-VLANs can also communicate with each other.
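As an added illustration (not part of the original lab notes) of why PC1 and PC2 fail to communicate until `arp-proxy inter-sub-vlan-proxy enable` is set, the model below answers ARP requests the way the Super-VLAN's VLANIF would: a broadcast ARP stays inside the sender's Sub-VLAN, so only the VLANIF can answer for a host in another Sub-VLAN. The gateway address is the one configured on Vlanif10 above; the host addresses and all MAC addresses are constructed.

```python
"""Added example: ARP resolution inside a Super-VLAN with and without
inter-Sub-VLAN proxy ARP on the VLANIF."""
import ipaddress

GATEWAY_IP = ipaddress.ip_address("192.168.0.254")   # Vlanif10 on the page
GATEWAY_NET = ipaddress.ip_network("192.168.0.0/24")
GATEWAY_MAC = "00:00:5e:00:01:0a"                    # constructed

# Constructed hosts: PC1 in Sub-VLAN 2, PC2 in Sub-VLAN 3, one shared subnet.
HOSTS = {
    ipaddress.ip_address("192.168.0.1"): ("02:00:00:00:00:01", 2),
    ipaddress.ip_address("192.168.0.2"): ("02:00:00:00:00:02", 3),
}


def arp_reply(sender_sub_vlan, target_ip, inter_sub_vlan_proxy):
    """Return the MAC that an ARP request from `sender_sub_vlan` for
    `target_ip` resolves to, or None when nothing answers.

    The ARP broadcast is confined to the sender's Sub-VLAN, so a host in a
    different Sub-VLAN never hears it. Only the VLANIF, which spans every
    Sub-VLAN, can answer on that host's behalf, and it does so only when
    inter-Sub-VLAN proxy ARP is enabled."""
    target_ip = ipaddress.ip_address(target_ip)
    if target_ip == GATEWAY_IP:
        return GATEWAY_MAC
    if target_ip not in GATEWAY_NET or target_ip not in HOSTS:
        return None
    mac, sub_vlan = HOSTS[target_ip]
    if sub_vlan == sender_sub_vlan:
        return mac                  # ordinary ARP within the same Sub-VLAN
    if inter_sub_vlan_proxy:
        return GATEWAY_MAC          # switch proxies, then forwards the frame
    return None                     # isolated: the failing test on the page


def pc1_can_reach_pc2(inter_sub_vlan_proxy):
    """PC1 (Sub-VLAN 2) resolving PC2's address (Sub-VLAN 3)."""
    return arp_reply(2, "192.168.0.2", inter_sub_vlan_proxy) is not None


if __name__ == "__main__":
    for enabled in (False, True):
        state = "enabled" if enabled else "disabled"
        print(f"proxy ARP {state}: PC1 -> PC2 reachable = {pc1_can_reach_pc2(enabled)}")
```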