IPCPU——网络之路 » 端口隔离 http://www.ipcpu.com Fri, 10 Feb 2012 15:05:04 +0000 en hourly 1 http://wordpress.org/?v=3.1.2 Cisco PVLAN的配置 http://www.ipcpu.com/2010/05/cisco-pvlan/ http://www.ipcpu.com/2010/05/cisco-pvlan/#comments Sun, 09 May 2010 10:05:38 +0000 admin http://www.ipcpu.com/?p=532 PVLAN即私有VLAN(Private VLAN),PVLAN采用两层VLAN隔离技术,只有上层VLAN全局可见,下层VLAN相互隔离。

每个pVLAN 包含2种VLAN :主VLAN(primary VLAN)和辅助VLAN(Secondary VLAN)。辅助VLAN(Secondary VLAN)包含两种类型:隔离VLAN(isolated VLAN)和团体VLAN(community VLAN)。
pVLAN中的两种接口类型:处在pVLAN中的交换机物理端口,有两种接口类型。
①混杂端口(Promiscuous Port)
②主机端口(Host Port)

Catalyst3560, 45,    65系列支持

 配置pVLAN的实例:
      SwitchA(config)#vlan 100
      SwitchA(config-vlan)#private-vlan primary                           
      !设置主VLAN 100
              
      SwitchA(config)#vlan 200
      SwitchA(config-vlan)#private-vlan community 
     !设置团体VLAN 200                                    

      SwitchA(config)#vlan 300
      SwitchA(config-vlan)#private-vlan isolated 
     !设置隔离VLAN 300                                         

      SwitchA(config)#vlan 100
      SwitchA(config-vlan)#private-vlan association 200,300  
      !将辅助VLAN关联到主VLAN                       

     
      SwitchA(config)#interface vlan 100
      SwitchA(config-if)#private-vlan mapping add 200,300                 
      !将辅助VLAN映射到主VLAN接口,允许pVLAN入口流量的三层交换     
     
      SwitchA(config)# interface fastethernet 0/2
      SwitchA(config-if)#switchport mode private-vlan host
      SwitchA(config-if)#switchport private-vlan host-association 100 200
      !2号口划入团体VLAN 200

      SwitchA(config)# interface fastethernet 0/3
      SwitchA(config-if)#switchport mode private-vlan host
      SwitchA(config-if)#switchport private-vlan host-association 100 300
      !3号口划入隔离VLAN 300

      SwitchA(config)# interface fastethernet 0/1
      SwitchA(config-if)#switchport mode private-vlan promiscuous
      SwitchA(config-if)#switchport private-vlan mapping 100 add 200-300
      !1号口杂合模式

CatOS的配置
      set vlan 100 pvlan-type primary
      set vlan 200 pvlan-type community     
      set vlan 300 pvlan-type isolated     
      set pvlan 100 200 5/1
      set pvlan 100 300 5/2
      set pvlan mapping 100,200 15/1
      set pvlan mapping 100,300 15/1    //指定混杂模式的接口

参考资料:
http://hi.baidu.com/n6630/blog/item/c6e6974cb3d362fdd62afc64.html
http://yixuelian.blog.51cto.com/133058/56824
http://hi.baidu.com/coghost/blog/item/4f4dfb22e3bdd5a24723e83e.html
http://baike.baidu.com/view/1065646.htm
关于端口隔离

Switch(config)# interface gigabitethernet1/0/2
Switch(config-if)# switchport protected

Catalyst 29 35系列支持
网关 及共享口 不敲protected 即可通信

]]> http://www.ipcpu.com/2010/05/cisco-pvlan/feed/ 0