Reposted from: https://forum.huawei.com/enterprise/zh/forum.php?mod=viewthread&tid=247591
The company's wireless coverage was recently finished, but what's frustrating is that the wireless APs ended up mixed in with the internal network: they connected the PoE switch under the S3700, and the wireless clients were automatically getting addresses from vlan 1 (addresses we ourselves are reluctant to use). So the only option was to carve out a separate vlan 20 for wireless on the S5700 and then isolate vlan 20 from the other VLANs on the LAN, so that wireless users cannot reach internal user data. With the approach worked out, I went online to look for material; most of it was about port isolation, which I can't use here, and very little covered VLAN isolation, and what there was concerned H3C. Fortunately it was achieved in the end. The topology is as follows:
First configure each client according to the diagram. AR1 is an AR220; a simple configuration that gets it online is enough. Its configuration is as follows:
#
acl number 2000
rule 5 permit source 192.168.0.0 0.0.255.255
#
interface GigabitEthernet0/0/0
ip address 192.168.3.5 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.3.1
ip route-static 192.168.0.0 255.255.0.0 1.1.1.2
#
The S3700 configuration is as follows:
#
sysname Huawei
#
undo info-center enable
#
vlan batch 10 20 100
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif100
ip address 1.1.1.3 255.255.255.0
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 100
#
interface Ethernet0/0/2
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Ethernet0/0/3
port hybrid pvid vlan 20
port hybrid untagged vlan 20
#
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
#
Now comes the key part: configuring the S5700. First the basic configuration:
[Huawei]undo info-center enable
Info: Information center is disabled.
[Huawei]vlan batch 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.
[Huawei]interface vlanif 10
[Huawei-Vlanif10]ip address 192.168.10.1 24
[Huawei-Vlanif10]q
[Huawei]interface vlanif 20
[Huawei-Vlanif20]ip address 192.168.20.1 24
[Huawei-Vlanif20]q
[Huawei]interface vlanif 30
[Huawei-Vlanif30]ip address 192.168.30.1 24
[Huawei-Vlanif30]q
[Huawei]vlan 100
[Huawei-vlan100]q
[Huawei]interface vlanif 100
[Huawei-Vlanif100]ip address 1.1.1.2 24
[Huawei-Vlanif100]q
[Huawei]interface giga 0/0/3
[Huawei-GigabitEthernet0/0/3]port hybrid untagged vlan 30
[Huawei-GigabitEthernet0/0/3]port hybrid pvid vlan 30
[Huawei-GigabitEthernet0/0/3]q
[Huawei]interface giga 0/0/2
[Huawei-GigabitEthernet0/0/2]port link-type trunk
[Huawei-GigabitEthernet0/0/2]port trunk allow-pass vlan 10 20 100
[Huawei-GigabitEthernet0/0/2]q
[Huawei]interface giga 0/0/1
[Huawei-GigabitEthernet0/0/1]port link-type access
[Huawei-GigabitEthernet0/0/1]port default vlan 100
[Huawei-GigabitEthernet0/0/1]q
[Huawei]ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
After this configuration all three PCs can reach each other; next comes the inter-VLAN isolation.
[Huawei]acl number 3001
[Huawei-acl-adv-3001]rule 0 deny ip source 192.168.20.0 0.0.0.255 des 192.168.10.0 0.0.0.255
[Huawei-acl-adv-3001]q
[Huawei]traffic classifier 1
[Huawei-classifier-1]if-match acl 3001
[Huawei-classifier-1]q
[Huawei]traffic behavior 2
[Huawei-behavior-2]deny
[Huawei-behavior-2]q
[Huawei]traffic policy 3
[Huawei-trafficpolicy-3]classifier 1 behavior 2
[Huawei-trafficpolicy-3]q
[Huawei]vlan 20
[Huawei-vlan20]traffic-policy 3 inbound
[Huawei-vlan20]q
First vlan 20 was isolated from vlan 10. At this point pinging PC1 from PC2 fails, while pinging PC3 and pinging 192.168.3.5 both work fine. Next, isolate Vlan 30 as well (this could also have been done together with the previous step):
[Huawei]acl number 3001
[Huawei-acl-adv-3001]dis this
#
acl number 3001
rule 0 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
#
return
[Huawei-acl-adv-3001]rule 1 deny ip source 192.168.20.0 0.0.0.255 des 192.168.30.0 0.0.0.255
[Huawei-acl-adv-3001]dis this
#
acl number 3001
rule 0 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
rule 1 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
#
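As an added offline check (not part of the original post), the script below parses ACL 3001 exactly as `dis this` prints it, applies VRP wildcard-mask matching, and evaluates the pings from the post plus the reverse direction (vlan 10 to vlan 20), which a policy bound only to vlan 20 inbound never inspects. The host addresses and the VLAN-to-subnet mapping are assumptions taken from the Vlanif addresses configured above, and the model treats the traffic policy as dropping only matched traffic.

```python
import ipaddress
import re

# Constructed sample: ACL 3001 as the S5700's "dis this" prints it in the post.
ACL_3001 = """\
acl number 3001
 rule 0 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule 1 deny ip source 192.168.20.0 0.0.0.255 destination 192.168.30.0 0.0.0.255
"""
# Assumed: traffic policy 3 is bound vlan 20 inbound; subnets follow the Vlanif addresses.
POLICY_VLAN = 20
VLAN_SUBNETS = {10: "192.168.10.0/24", 20: "192.168.20.0/24", 30: "192.168.30.0/24"}

# Accepts both the typed abbreviation "des" and the stored keyword "destination".
RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+ip\s+source\s+(\S+)\s+(\S+)"
                     r"\s+des\w*\s+(\S+)\s+(\S+)")

def parse_acl(text):
    """Parse advanced-ACL rules into (id, action, src, src_wild, dst, dst_wild)."""
    matches = (RULE_RE.search(line) for line in text.splitlines())
    return [(int(m.group(1)),) + m.groups()[1:] for m in matches if m]

def wildcard_match(addr, net, wildcard):
    """VRP wildcard semantics: a 0 bit must match, a 1 bit is a don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def ingress_vlan(src):
    """VLAN a packet enters the switch on, inferred from its source address."""
    for vid, subnet in VLAN_SUBNETS.items():
        if ipaddress.IPv4Address(src) in ipaddress.IPv4Network(subnet):
            return vid
    return None

def verdict(rules, src, dst):
    """Fate of a src->dst packet under the vlan 20 inbound policy. First matching
    rule wins; unmatched packets pass, and packets entering on other VLANs are
    never seen by this policy (the filter is stateless and one-directional)."""
    if ingress_vlan(src) != POLICY_VLAN:
        return "unfiltered"
    for _rid, action, snet, swild, dnet, dwild in sorted(rules):
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action
    return "permit"

def check_flows(acl_text, flows):
    """Evaluate (src, dst) pairs, e.g. the post's pings from PC2 to PC1, PC3, AR1."""
    rules = parse_acl(acl_text)
    return {(s, d): verdict(rules, s, d) for s, d in flows}
```

Run `check_flows(ACL_3001, [("192.168.20.10", "192.168.10.10"), ("192.168.10.10", "192.168.20.10")])` to see that only the wireless-sourced direction is denied; replies from vlan 20 are what actually break sessions started from the inside.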