Boway: Cloud Architecture Wins in Cloud Computing

Private VLAN

Posted on 2008-8-4 13:10:31


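The main purpose of a PVLAN (Private VLAN) is to isolate hosts from one another within the same VLAN. In a traditional VLAN environment, hosts in the same VLAN can communicate with each other; when hosts in the same VLAN must be isolated from one another for the sake of relative communication security, PVLAN can be used.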

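In the Private VLAN model, switch ports are of three types: isolated port, community port, and promiscuous port. They correspond to different VLAN types: an isolated port belongs to an isolated PVLAN and a community port belongs to a community PVLAN, while the primary VLAN represents the Private VLAN as a whole; the first two kinds of VLAN must be bound to it, and it also contains the promiscuous ports. In an isolated PVLAN, isolated ports can communicate only with promiscuous ports and cannot exchange traffic with each other; in a community PVLAN, community ports can communicate with promiscuous ports and can also exchange traffic with each other. A promiscuous port connects to a router or Layer 3 switch interface, and traffic it receives can be sent to isolated ports and community ports.

PVLAN is very effective for securing data communication in access networks. A user only needs connectivity to its own default gateway; a single PVLAN provides connections with Layer 2 data-communication security without requiring multiple VLANs and IP subnets. All users attach to the PVLAN, so every user has connectivity to the default gateway but no access to the other users within the PVLAN. The PVLAN feature ensures that ports in the same VLAN cannot communicate with each other, while the traffic can still cross trunk ports. As a result, even users in the same VLAN are not affected by each other's broadcasts.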

How to configure PVLAN?

This example shows how to configure VLAN 20 as a primary VLAN, VLAN 501 as an isolated VLAN, and VLANs 502 and 503 as community VLANs, to associate them in a private VLAN, and to verify the configuration:

Switch# configure terminal
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 501
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 502
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 503
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# exit
Switch(config)# vlan 20
! Associate the secondary VLANs with the primary VLAN
Switch(config-vlan)# private-vlan association 501-503
Switch(config-vlan)# end
Switch# show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
20      501       isolated         
20      502       community         
20      503       community         
20      504       non-operational


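Comprehensive example:
A Cisco 3560 switch on which several VLANs were created, using PVLAN, to contain broadcast storms. Ports 1-28 belong to secondary VLAN 501, whose ports can communicate with each other; ports 29-38 belong to VLAN 502, whose ports are isolated from each other; ports 39-46 are the shared uplink ports of primary VLAN 50.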
hostname Switch
!
enable password cisco
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 50
private-vlan primary
private-vlan association 501-502
!
vlan 501
private-vlan community
!
vlan 502
private-vlan isolated
!
!
interface FastEthernet0/1
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/2
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/3
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/4
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/5
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/6
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/7
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/8
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/9
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/10
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/11
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/12
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/13
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/14
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/15
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/16
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/17
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/18
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/19
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/20
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/21
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/22
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/23
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/24
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/25
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/26
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/27
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/28
switchport private-vlan host-association 50 501
switchport mode private-vlan host
!
interface FastEthernet0/29
switchport private-vlan host-association 50 502
switchport mode private-vlan host
!
interface FastEthernet0/30
switchport private-vlan host-association 50 502
switchport mode private-vlan host
!
interface FastEthernet0/31
switchport private-vlan host-association 50 502
switchport mode private-vlan host
!
interface FastEthernet0/32
switchport private-vlan host-association 50 502
switchport mode private-vlan host
!
interface FastEthernet0/33
switchport private-vlan host-association 50 502
switchport mode private-vlan host
!
interface FastEthernet0/34
switchport private-vlan host-association 50 502
switchport mode private-vlan host
!
interface FastEthernet0/35
switchport private-vlan host-association 50 502
switchport mode private-vlan host
!
interface FastEthernet0/36
switchport private-vlan host-association 50 502
switchport mode private-vlan host
!
interface FastEthernet0/37
switchport private-vlan host-association 50 502
switchport mode private-vlan host
!
interface FastEthernet0/38
switchport private-vlan host-association 50 502
switchport mode private-vlan host
!
interface FastEthernet0/39
switchport private-vlan mapping 50 501-502
switchport mode private-vlan promiscuous
!
interface FastEthernet0/40
switchport private-vlan mapping 50 501-502
switchport mode private-vlan promiscuous
!
interface FastEthernet0/41
switchport private-vlan mapping 50 501-502
switchport mode private-vlan promiscuous
!
interface FastEthernet0/42
switchport private-vlan mapping 50 501-502
switchport mode private-vlan promiscuous
!
interface FastEthernet0/43
switchport private-vlan mapping 50 501-502
switchport mode private-vlan promiscuous
!
interface FastEthernet0/44
switchport private-vlan mapping 50 501-502
switchport mode private-vlan promiscuous
!
interface FastEthernet0/45
switchport private-vlan mapping 50 501-502
switchport mode private-vlan promiscuous
!
interface FastEthernet0/46
switchport private-vlan mapping 50 501-502
switchport mode private-vlan promiscuous
!
interface FastEthernet0/47
!
interface FastEthernet0/48
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface Vlan1
no ip address
!
interface Vlan50
ip address 10.180.16.254 255.255.255.0
!
ip classless
ip http server
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end
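
The port rules described above can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the original post or of any Cisco tool; the names `parse`, `can_talk` and `unenforced` and the sample text are constructed here, and it assumes that a port without a `switchport mode private-vlan` line is not operating as a private-VLAN port.

```python
import re

HOST = "switchport private-vlan host-association 50 {}\nswitchport mode private-vlan host\n!\n"
# Constructed sample in the style of the configuration above; Fa0/31 lacks its mode line.
SAMPLE = (
    "vlan 50\nprivate-vlan primary\nprivate-vlan association 501-502\n!\n"
    "vlan 501\nprivate-vlan community\n!\nvlan 502\nprivate-vlan isolated\n!\n"
    + "".join(f"interface FastEthernet0/{n}\n" + HOST.format(v)
              for n, v in [(1, 501), (2, 501), (29, 502), (30, 502)])
    + "interface FastEthernet0/31\nswitchport private-vlan host-association 50 502\n!\n"
    "interface FastEthernet0/39\nswitchport private-vlan mapping 50 501-502\nswitchport mode private-vlan promiscuous\n!\n")

def expand(spec):  # "501-502,510" -> {501, 502, 510}
    spans = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in spans for v in range(int(lo), int(hi or lo) + 1)}

def parse(config):
    """Return ({vlan: type}, {port: {"mode", "primary", "secondary"}})."""
    vlan_type, ports, kind, name = {}, {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"(vlan|interface) (\S+)", line):
            kind, name = m.groups()
            if kind == "interface":
                ports[name] = {"mode": None, "primary": None, "secondary": set()}
        elif kind == "vlan" and (m := re.fullmatch(r"private-vlan (primary|isolated|community)", line)):
            vlan_type[int(name)] = m[1]
        elif kind == "interface" and (m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line)):
            ports[name]["mode"] = m[1]
        elif kind == "interface" and (m := re.fullmatch(
                r"switchport private-vlan (?:host-association|mapping) (\d+) (\S+)", line)):
            ports[name].update(primary=int(m[1]), secondary=expand(m[2]))
    return vlan_type, ports

def can_talk(a, b, vlan_type, ports):
    """Layer-2 reachability between two ports; None if either is not an active PVLAN port."""
    pa, pb = ports[a], ports[b]
    if not all(p["mode"] and p["primary"] for p in (pa, pb)):
        return None
    same = pa["primary"] == pb["primary"]
    if "promiscuous" in (pa["mode"], pb["mode"]):
        # a host port reaches a promiscuous port only if its secondary VLAN is mapped there
        return same and all(p["mode"] == "promiscuous" or p["secondary"] <= q["secondary"]
                            for p, q in ((pa, pb), (pb, pa)))
    # host to host: allowed only inside one community VLAN
    return same and pa["secondary"] == pb["secondary"] and all(
        vlan_type.get(v) == "community" for v in pa["secondary"])

def unenforced(ports):  # ports with a PVLAN association or mapping but no mode line
    return sorted(n for n, p in ports.items() if p["primary"] and not p["mode"])
```

Ports returned by `unenforced` are the ones to review first, since the isolation rules are not being applied to them.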