S5700上三层Vlan间隔离的例子

转自：https://forum.huawei.com/enterprise/zh/forum.php?mod=viewthread&tid=247591

公司最近的无线覆盖做好了,但让人无语的是无线AP和内部网络混在一起了,他们把poe交换机接到了S3700下面了,并且无线是自动获取的vlan 1的地址(我们自己都舍不得用那地址),只好在s5700上给无线单独划分个vlan 20,然后把vlan20和局域网中的其它vlan进行隔离,以免访问到内网的用户数据.思路理好了,然后就上网查资料吧,大部分都是关于做接口隔离的我这不能用,vlan隔离的很少,还是h3c的,还好最后终于是实现了,拓扑图如下:

先按图配置好各客户端,AR1是个AR220,简单配置的能上网就可以了.配置如下:

#
acl number 2000  
 rule 5 permit source 192.168.0.0 0.0.255.255 
#
interface GigabitEthernet0/0/0
 ip address 192.168.3.5 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0 
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.3.1
ip route-static 192.168.0.0 255.255.0.0 1.1.1.2
#

---

S3700的配置如下:

#
sysname Huawei
#
undo info-center enable
#
vlan batch 10 20 100
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa 
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default 
 domain default_admin 
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif100
 ip address 1.1.1.3 255.255.255.0 
#
interface MEth0/0/1
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20 100
#
interface Ethernet0/0/2
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface Ethernet0/0/3
 port hybrid pvid vlan 20
 port hybrid untagged vlan 20
#

#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
#

 

---

接下来就开始关键的了,配置S5700,先做基础配置

[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]vlan batch 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]interface vlanif 10 
[Huawei-Vlanif10]ip address 192.168.10.1 24
[Huawei-Vlanif10]q
[Huawei]interface vlanif 20
[Huawei-Vlanif20]ip address 192.168.20.1 24
[Huawei-Vlanif20]q
[Huawei]interface vlanif 30
[Huawei-Vlanif30]ip address 192.168.30.1 24
[Huawei-Vlanif30]q
[Huawei]vlan 100
[Huawei-vlan100]q
[Huawei-vlan100]quit 
[Huawei]interface vlanif 100
[Huawei-Vlanif100]ip address 1.1.1.2 24
[Huawei-Vlanif100]q
[Huawei]interface giga 0/0/3
[Huawei-GigabitEthernet0/0/3]port hybrid untagged vlan 30
[Huawei-GigabitEthernet0/0/3]port hybrid pvid vlan 30
[Huawei-GigabitEthernet0/0/3]q
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 100
[Huawei-GigabitEthernet0/0/2]q
[Huawei]interface giga 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access 
[Huawei-GigabitEthernet0/0/1]port default vlan 100
[Huawei-GigabitEthernet0/0/1]q
[Huawei]ip route-static 0.0.0.0 0.0.0.0 1.1.1.1

经过配置后三个电脑都可以相互访问了,接下来做vlan间的隔离.

[Huawei]acl number 3001
[Huawei-acl-adv-3001]rule 0 deny ip source 192.168.20.0 0.0.0.255 des 192.168.10.0  0.0.0.255
[Huawei-acl-adv-3001]q
[Huawei]traffic classifier 1
[Huawei-classifier-1]if-match acl 3001
[Huawei-classifier-1]q
[Huawei]traffic behavior 2
[Huawei-behavior-2]deny
[Huawei-behavior-2]q
[Huawei]traffic policy 3
[Huawei-trafficpolicy-3]classifier 1 behavior 2
[Huawei-trafficpolicy-3]q

[Huawei]vlan 20
[Huawei-vlan20]traffic-policy 3 inbound
[Huawei-vlan20]q

 

先把vlan20和vlan10进行了隔离,这时在PC2上ping PC1会发现无法ping通,ping PC3则没有任何问题,ping 192.168.3.5也没有问题,然后接着隔离Vlan 30,也可以在前面时一起做了

[Huawei]acl number 3001
[Huawei-acl-adv-3001]dis this
#
acl number 3001
 rule 0 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
return
[Huawei-acl-adv-3001]rule 1 deny ip source 192.168.20.0 0.0.0.255 des 192.168.30.0 0.0.0.255
[Huawei-acl-adv-3001]dis this
#
acl number 3001
 rule 0 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 1 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
#

好了,到此就把vlan 20给隔离了,它无法访问vlan10和vlan30了,但可以访问外网,vlan10 20 30 三个都可以访问外网.