H3C交换机VLAN配置实例.doc

交换机VLAN基础配置实例一 功能需求及组网说明：配置环境参数：PCA和PCB分别连接到S5600的端口G1/0/2和G1/0/3。产品版本信息：S5600系列交换机采用任何版本皆可。组网要求：PCA和PCB都属于VLAN2。二 数据配置步骤：1创建VLAN；2将相应端口加入VLAN。三 配置命令参考：S5600相关配置：方法一：1将交换机改名为S5600Quidwaysysname S56003创建（进入）VLAN2S5600vlan 24将端口G1/0/2和G1/0/3加入VLAN2S5600-vlan2port GigabitEthernet 1/0/2 to GigabitEthernet 1/0/3方法二：1将交换机改名为S5600Quidwaysysname S56002创建（进入）VLAN2S5600vlan 23退出到系统视图S5600-vlan3quit4进入端口GigabitEthernet1/0/2S5600interface GigabitEthernet 1/0/25将GigabitEthernet1/0/2的PVID更改为2Quidway-GigabitEthernet1/0/2port access vlan 26进入端口GigabitEthernet1/0/3Quidway-GigabitEthernet1/0/2interface GigabitEthernet 1/0/37将GigabitEthernet1/0/3的PVID更改为2Quidway-GigabitEthernet1/0/3port access vlan 2四补充说明：1缺省情况下，交换机有一个默认的VLAN，即VLAN 1，所有端口都默认属于该VLAN。2在系统视图下，可以利用命令undo vlan-number以删除相应VLAN，但交换机的默认VLAN 1不能被删除。3当端口模式为trunk/hybrid的时候，只能在该端口下使用port trunk/hybrid vlan-number命令将端口加入VLAN。4. 本案例适用于Quidway系列交换机任何版本。如果是不同台的交换机上相同id的vlan要相互通信，那么可以通过共享的trunk端口就可以实现，如果是同一台上不同id的vlan/不同台不同id的vlan它们之间要相互通信，需要通过第三方的路由来实现；vlan的划分有两个需要注意的地方：一是划分了几个不同的vlan组，都有不同的vlanid号；分配到vlan组里面的交换机端口也有portid.比如端口1，2，3，4划分到vlan10，5，6，7，8划分到vlan20，我可以把1，3，4的端口的portid设置为10，而把2端口的portid设置为20；把5，6，7端口的portid设置为20，而把8端口的portid设置为10.这样的话，vlan10中的1，3，4端口能够和vlan20中8端口相互通信；而vlan10中的2端口能够和vlan20中的5，6，7端口相互通信；虽然vlanid不同，但是portid相同，就能通信，同样vlanid相同，portid不同的端口之间却不能相互访问，比如vlan10中的2端口就不能和1，3，4端口通信。H3C S5600配置实例：需求：某公司局域网要划分为4个网段，0网段可以访问其他网段，其他网段之间不可以互访，但可以访问0网段。dis cu# sysname H3C#radius scheme system#domain system#acl number 3000 rule 0 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255 /1.0网段不允许访问2.0 3.0 100.0/ rule 1 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.3.0 0.0.0.255 rule 2 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.100.0 0.0.0.255 rule 3 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.3.0 0.0.0.255 /2.0网段不允许访问1.0 3.0 100.0/ rule 4 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 rule 5 deny ip source 192.168.2.0 0.0.0.255 destination 192.168.100.0 0.0.0.255 rule 6 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.100.0 0.0.0.255 /3.0网段不允许访问2.0 1.0 100.0/ rule 7 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 rule 8 deny ip source 192.168.3.0 0.0.0.255 destination 192.168.2.0 0.0.0.255rule 9 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.1.1 0 /只能访问各自的网关/ rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.2.1 0 rule 11 permit ip source 192.168.3.0 0.0.0.255 destination 192.168.3.1 0 rule 12 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.0.0 0.0.255.255 /0.0可以访问所有网段/#vlan 1#vlan 10#vlan 11#vlan 12#vlan 13#interface Vlan-interface10 ip address 192.168.0.254 255.255.255.0#interface Vlan-interface11 ip address 192.168.1.1 255.255.255.0#interface Vlan-interface12 ip address 192.168.2.1 255.255.255.0#interface Vlan-interface13 ip address 192.168.3.1 255.255.255.0#interface Aux1/0/0#interface GigabitEthernet1/0/1 port access vlan 10#interface GigabitEthernet1/0/2 port access vlan 10#interface GigabitEthernet1/0/17 /应用到VLAN中的所有端口 packet-filter inbound ip-group 3000/ port access vlan 11 packet-filter inbound ip-group 3000 rule 0 packet-filter inbound ip-group 3000 rule 1 packet-filter inbound ip-group 3000 rule 2 packet-filter inbound ip-group 3000 rule 3 packet-filter inbound ip-group 3000 rule 4 packet-filter inbound ip-group 3000 rule 5 packet-filter inbound ip-group 3000 rule 6 packet-filter inbound ip-group 3000 rule 7 packet-filter inbound ip-group 3000 rule 8 packet-filter inbound ip-group 3000 rule 9 packet-filter inbound ip-group 3000 rule 10 packet-filter inbound ip-group 3000 rule 11 packet-filter inbound ip-group 3000 rule 12 #interface GigabitEthernet1/0/21 port access vlan 12 packet-filter inbound ip-group 3000 rule 0 packet-filter inbound ip-group 3000 rule 1 packet-filter inbound ip-group 3000 rule 2 packet-filter inbound ip-group 3000 rule 3 packet-filter inbound ip-group 3000 rule 4 packet-filter inbound ip-group 3000 rule 5 packet-filter inbound ip-group 3000 rule 6 packet-filter inbound ip-group 3000 rule 7 packet-filter inbound ip-group 3000 rule 8 packet-filter inbound ip-group 3000 rule 9 packet-filter inbound ip-group 3000 rule 10 packet-filter inbound ip-group 3000 rule 11 packet-filter inbound ip-group 3000 rule 12 #interface GigabitEthernet1/0/22 port access vlan 12 packet-filter inbound ip-group 3000 rule 0 packet-filter inbound ip-group 3000 rule 1 packet-filter inbound ip-group 3000 rule 2 packet-filter inbound ip-group 3000 rule 3 packet-filter inbound ip-group 3000 rule 4 packet-filter inbound ip-group 3000 rule 5 packet-filter inbound ip-group 3000 rule 6 packet-filter inbound ip-group 3000 rule 7 packet-filter inbound ip-group 3000 rule 8 packet-filter inbound ip-group 3000 rule 9 packet-filter inbound ip-group 3000 rule 10 packet-filter inbound ip-group 3000 rule 11 packet-filter inbound ip-group 3000 rule 12 #interface GigabitEthernet1/0/23 port access vlan 13 packet-filter inbound ip-group 3000 rule 0 packet-filter inbound ip-group 3000 rule 1 packet-filter inbound ip-group 3000 rule 2 packet-filter inbound ip-group 3000 rule 3 packet-filter inbound ip-group 3000 rule 4 packet-filter inbound ip-group 3000 rule 5 packet-filter inbound ip-group 3000 rule 6 packet-filter inbound ip-group 3000 rule 7 packet-filter inbound ip-group 3000 rule 8 packet-fil