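[H3C] VLAN Technology Overview and Configuration
Contents
- VLAN Frame Encapsulation
- Basic VLAN Configuration
- Port-Based VLAN Configuration
- MAC-Based VLAN Configuration
- IP Subnet/Protocol-Based VLAN Configuration
- VLAN Group Configuration
- VLAN Traffic Statistics
- Typical Configuration Examples
VLAN (Virtual Local Area Network) technology divides one physical LAN into multiple logical LANs: hosts in different VLANs cannot communicate directly, broadcast frames are confined to their own VLAN, and hosts in the same workgroup can sit in different physical locations.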
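1. VLAN Frame Encapsulation
IEEE 802.1Q specifies that a VLAN tag contains four fields:
| Field | Description | Length (bits) |
|---|---|---|
| TPID | Tag Protocol Identifier, value 0x8100 | 16 |
| Priority | 802.1p priority | 3 |
| CFI | Canonical Format Indicator (0/1) | 1 |
| VLAN ID | VLAN number (1-4094) | 12 |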
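The field layout in the table, as an added Python example that is not part of the original article: it packs the four fields into a frame and parses them back, flagging VLAN IDs outside 1-4094. The function names and the sample frame are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # TPID value from the table above

def build_tagged_frame(dst, src, priority, cfi, vid, ethertype, payload=b""):
    """Assemble an Ethernet frame with one 802.1Q tag after the source MAC."""
    if not (0 <= priority <= 7 and cfi in (0, 1) and 0 <= vid <= 0xFFF):
        raise ValueError("field does not fit its bit width")
    tci = (priority << 13) | (cfi << 12) | vid  # 3 + 1 + 12 bits
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_vlan_tag(frame):
    """Return the tag fields as a dict, or None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return {
        "priority": tci >> 13,
        "cfi": (tci >> 12) & 1,
        "vlan_id": vid,
        "vid_in_range": 1 <= vid <= 4094,  # 0 and 4095 are outside the usable range
        "ethertype": ethertype,
    }

# Constructed sample: broadcast ARP frame from one of the article's example MACs in VLAN 100.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("000d88f84e71")
SAMPLE_FRAME = build_tagged_frame(DST, SRC, priority=5, cfi=0, vid=100, ethertype=0x0806)
```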
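2. Basic VLAN Configuration
Creating a VLAN and configuring its basic attributes
# Enter system view
<H3C>system-view
# Create VLANs (in bulk or singly)
[H3C]vlan 100
[H3C]vlan 200 300 # bulk creation
# Enter VLAN view
[H3C]vlan 100
# Configure the VLAN name and description
[H3C-vlan100]name Department-A # default is VLAN 0100
[H3C-vlan100]description VLAN for Marketing Department
# Exit VLAN view
[H3C-vlan100]quit
Notes:
- VLAN 1 is the system default VLAN and cannot be manually created or deleted
- Dynamically learned VLANs cannot be deleted directly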
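VLAN interface configuration
# Create the VLAN interface for the VLAN and configure its IP address
[H3C]interface vlan-interface 100
[H3C-Vlan-interface100]ip address 192.168.100.1 255.255.255.0
# Configure the description of the VLAN interface
[H3C-Vlan-interface100]description Gateway for VLAN 100 # default is the interface name of the VLAN interface
# Configure the MTU of the VLAN interface
[H3C-Vlan-interface100]mtu 1500 # default is 1500 bytes
# Configure the MAC address of the VLAN interface (optional)
[H3C-Vlan-interface100]mac-address 0001-0001-0001
# Restore the default configuration of the VLAN interface
[H3C-Vlan-interface100]default
# Bring up the interface (undo a manual shutdown of the VLAN interface)
[H3C-Vlan-interface100]undo shutdown
Points to note:
- The corresponding VLAN must exist before the VLAN interface is created
- mtu is the maximum length of an IP packet that the interface can handle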
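3. Port-Based VLAN Configuration
Port link types
| Type | Characteristics | Use case |
|---|---|---|
| Access | Can send frames of only one VLAN, without a tag | Connecting end devices |
| Trunk | Sends frames of multiple VLANs; the default VLAN is sent without a tag | Links between devices |
| Hybrid | Each VLAN can be flexibly configured as tagged or untagged | Special scenarios |
Access port configuration
By default, the system adds all ports to VLAN 1.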
# Configure in VLAN view
[H3C]vlan 100
[H3C-vlan100]port gigabitethernet 1/0/1 to gigabitethernet 1/0/5
# Configure in interface view
[H3C]interface gigabitethernet 1/0/1
# Set the port link type to Access (this is the default)
[H3C-gigabitethernet 1/0/1]port link-type access
# Assign the Access port to the specified VLAN
[H3C-gigabitethernet 1/0/1]port access vlan 100
Trunk port configuration
A Trunk port can carry multiple VLANs and can only be configured in interface view.
[H3C]interface gigabitethernet 1/0/24
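# Set the port link type to Trunk
[H3C-gigabitethernet 1/0/24]port link-type trunk
# Permit the specified VLANs on this Trunk port (by default only VLAN 1 is permitted)
[H3C-gigabitethernet 1/0/24]port trunk permit vlan 100 200 300
# (Optional) Configure the default VLAN of the Trunk port (default is 1)
[H3C-gigabitethernet 1/0/24]port trunk pvid vlan 1
Hybrid port configuration
A Hybrid port can carry multiple VLANs and can only be configured in interface view.
By default, a Hybrid port permits only frames of the VLAN the port belonged to when its link type was Access, and sends them untagged.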
[H3C]interface gigabitethernet 1/0/10
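# Set the port link type to Hybrid
[H3C-gigabitethernet 1/0/10]port link-type hybrid
# Permit the specified VLANs on this Hybrid port
[H3C-gigabitethernet 1/0/10]port hybrid vlan 100 200 tagged
[H3C-gigabitethernet 1/0/10]port hybrid vlan 300 untagged
# (Optional) Configure the default VLAN of the Hybrid port
[H3C-gigabitethernet 1/0/10]port hybrid pvid vlan 300
- After configuring a port's default VLAN, you must use the port trunk/hybrid permit vlan command to permit frames of the default VLAN; only then can the interface forward frames of the port's default VLAN
- A Trunk port and a Hybrid port cannot be switched directly to each other; the port must first be configured as an Access port and then as a Hybrid/Trunk port.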
4. MAC-Based VLAN Configuration
MAC-based VLAN takes effect only on Hybrid ports.
Manually configuring static MAC VLAN
# Configure MAC-to-VLAN mappings
[H3C]mac-vlan mac-address 000d-88f8-4e71 vlan 100
[H3C]mac-vlan mac-address 0014-222c-aa69 vlan 200
# Port configuration
[H3C]interface gigabitethernet 1/0/1
[H3C-gigabitethernet 1/0/1]port link-type hybrid
# Permit the MAC-based VLANs on this Hybrid port
[H3C-gigabitethernet 1/0/1]port hybrid vlan 100 200 untagged
# Enable MAC VLAN
[H3C-gigabitethernet 1/0/1]mac-vlan enable
Dynamically triggering a port to join a static MAC VLAN
# Configure the MAC-VLAN entry
[H3C]mac-vlan mac-address 000d-88f8-4e71 vlan 100
# Port configuration
[H3C]interface gigabitethernet 1/0/1
[H3C-gigabitethernet 1/0/1]port link-type hybrid
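# Enable MAC VLAN
[H3C-gigabitethernet 1/0/1]mac-vlan enable
# Enable dynamic triggering for MAC VLAN
[H3C-gigabitethernet 1/0/1]mac-vlan trigger enable
# (Optional) Make the interface match VLANs by MAC address first
[H3C-gigabitethernet 1/0/1]vlan precedence mac-vlan
# (Optional) Forbid forwarding in the PVID for frames whose source MAC address does not exactly match a MAC VLAN entry (allowed by default)
[H3C-gigabitethernet 1/0/1]port pvid forbidden
Configuring dynamic MAC VLAN
# Port configuration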
[H3C]interface gigabitethernet 1/0/1
[H3C-gigabitethernet 1/0/1]port link-type hybrid
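# Permit the MAC-based VLANs on this Hybrid port
[H3C-gigabitethernet 1/0/1]port hybrid vlan 100 200 untagged
# Enable MAC VLAN
[H3C-gigabitethernet 1/0/1]mac-vlan enable
# (Optional) Configure the VLAN matching precedence of the interface
[H3C-gigabitethernet 1/0/1]vlan precedence mac-vlan
/* Configure access authentication (choose at least one of the two) */
# Option 1: configure 802.1X authentication (enable it globally, then on the port)
[H3C]dot1x
[H3C]interface gigabitethernet 1/0/1
[H3C-GigabitEthernet1/0/1]dot1x
[H3C-GigabitEthernet1/0/1]dot1x port-method macbased
[H3C-GigabitEthernet1/0/1] quit
# Option 2: configure MAC authentication (enable it globally, then on the port)
[H3C] mac-authentication
[H3C]interface gigabitethernet 1/0/1
[H3C-GigabitEthernet1/0/1] mac-authentication
[H3C-GigabitEthernet1/0/1] mac-authentication domain system
[H3C-GigabitEthernet1/0/1] quit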
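5. IP Subnet/Protocol-Based VLAN Configuration
Takes effect only on Hybrid ports and applies only to untagged frames.
IP subnet
# Enter VLAN view
[H3C]vlan 100
# Associate the VLAN with the specified IP subnet or IP address
[H3C-vlan100]ip-subnet-vlan ip 192.168.100.0 255.255.255.0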
[H3C-vlan100]quit
# Port configuration
[H3C]interface gigabitethernet 1/0/1
[H3C-gigabitethernet 1/0/1]port link-type hybrid
# Permit the subnet VLAN on this port
[H3C-gigabitethernet 1/0/1]port hybrid vlan 100 tagged
# Associate the port with the subnet VLAN
[H3C-gigabitethernet 1/0/1]port hybrid ip-subnet-vlan vlan 100
Protocol
# Enter VLAN view
[H3C]vlan 100
# Associate the VLAN with protocol templates
[H3C-vlan100]protocol-vlan 1 ipv4
[H3C-vlan100]protocol-vlan 2 mode ethernetii etype 0806 # ARP
[H3C-vlan100]quit
# Port configuration
[H3C]interface gigabitethernet 1/0/1
[H3C-gigabitethernet 1/0/1]port link-type hybrid
# Permit the protocol VLAN on this port
[H3C-gigabitethernet 1/0/1]port hybrid vlan 100 untagged
# Associate the port with the protocol VLAN
[H3C-gigabitethernet 1/0/1]port hybrid protocol-vlan vlan 100 1 to 2
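A configuration check for the constraints stated in sections 3 to 5 (MAC, IP subnet and protocol VLANs take effect only on Hybrid ports; a port's default VLAN must also be permitted on that port), written as an added Python example that is not part of the original article. The sample configuration is constructed, and the assumed defaults (link type Access, VLAN 1 permitted) are the ones the article gives.

```python
import re

# Constructed sample in the style of a Comware running configuration (not from the article).
SAMPLE = """\
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 100 200 untagged
 mac-vlan enable
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan 100 to 110
 port trunk pvid vlan 300
 mac-vlan enable
#
interface GigabitEthernet1/0/3
 port hybrid ip-subnet-vlan vlan 100
"""
HYBRID_ONLY = ("mac-vlan enable", "port hybrid ip-subnet-vlan", "port hybrid protocol-vlan")
PERMIT = re.compile(r"port (?:trunk permit vlan (.+)|hybrid vlan (.+) (?:un)?tagged)$")

def vlan_ids(text):
    """Expand '100 to 110 200' (or 'all') into a set of VLAN IDs."""
    if text.strip() == "all":
        return set(range(1, 4095))
    ids = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", text):
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def lint(config):
    """Return (interface, message) findings for the constraints stated in the article."""
    findings = []
    for blk in re.finditer(r"^interface (\S+)\n((?:[ \t]+\S.*\n?)*)", config, re.M):
        name, body = blk[1], [l.strip() for l in blk[2].splitlines()]
        link, pvid, permitted = "access", None, {1}  # defaults as given in the article
        for l in body:
            if m := re.match(r"port link-type (\w+)$", l):
                link = m[1]
            elif m := PERMIT.match(l):
                permitted |= vlan_ids(m[1] or m[2])
            elif m := re.match(r"port (?:trunk|hybrid) pvid vlan (\d+)$", l):
                pvid = int(m[1])
        for l in body:
            if link != "hybrid" and l.startswith(HYBRID_ONLY):
                findings.append((name, f"'{l}' takes effect only on a Hybrid port"))
        if pvid is not None and pvid not in permitted:
            findings.append((name, f"PVID {pvid} is not permitted on the port"))
    return findings
```

Calling `lint(SAMPLE)` reports the Trunk port with `mac-vlan enable`, its unpermitted PVID 300, and the subnet VLAN association on a port that was never set to Hybrid.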
6. VLAN Group Configuration
# Create a VLAN group
[H3C]vlan-group Dept-Group
# Add VLAN members to the VLAN group
[H3C-vlan-group-Dept-Group]vlan-list 100 to 110 200 to 210
7. VLAN Traffic Statistics
# Enable VLAN traffic statistics
[H3C]vlan 100
[H3C-vlan100]statistics enable
# Display the statistics
[H3C-vlan100]display vlan 100 statistics
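8. Typical Configuration Examples
Port-based VLAN configuration

Requirement: Host A and Host C can ping each other, but neither can ping Host B or Host D. Host B and Host D can ping each other, but neither can ping Host A or Host C.
/* Device A configuration */
# Create VLAN 100 and add GigabitEthernet1/0/1 to VLAN 100.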
<DeviceA> system-view
[DeviceA]vlan 100
[DeviceA-vlan100]port gigabitethernet 1/0/1
[DeviceA-vlan100]quit
# Create VLAN 200 and add GigabitEthernet1/0/2 to VLAN 200.
[DeviceA]vlan 200
[DeviceA-vlan200]port gigabitethernet 1/0/2
[DeviceA-vlan200]quit
# Set the link type of GE1/0/3 to Trunk and permit frames of VLAN 100 and VLAN 200
[DeviceA]interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3]port link-type trunk
[DeviceA-GigabitEthernet1/0/3]port trunk permit vlan 100 200
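/*
Device B is configured similarly to Device A.
Put Host A and Host C in one subnet, for example 192.168.100.0/24; put Host B and Host D in another subnet, for example 192.168.200.0/24.
*/
# Display the configuration of VLAN 100 and VLAN 200 on Device A to verify that the configuration has taken effect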
[DeviceA-GigabitEthernet1/0/3] display vlan 100
↓
VLAN ID: 100
VLAN type: Static
Route interface: Not configured
Description: VLAN 0100
Name: VLAN 0100
Tagged ports:
GigabitEthernet1/0/3(U)
Untagged ports:
GigabitEthernet1/0/1(U)
[DeviceA-GigabitEthernet1/0/3] display vlan 200
↓
VLAN ID: 200
VLAN type: Static
Route interface: Not configured
Description: VLAN 0200
Name: VLAN 0200
Tagged ports:
GigabitEthernet1/0/3(U)
Untagged ports:
GigabitEthernet1/0/2(U)
MAC-based VLAN configuration example

/* Device A configuration (Device C is configured the same way) */
# Create the VLANs
<DeviceA> system-view
[DeviceA]vlan 100
[DeviceA-vlan100] quit
[DeviceA]vlan 200
[DeviceA-vlan200] quit
# MAC-to-VLAN mappings
[DeviceA]mac-vlan mac-address 000d-88f8-4e71 vlan 100 # Laptop1
[DeviceA]mac-vlan mac-address 0014-222c-aa69 vlan 200 # Laptop2
# Access-side port configuration
[DeviceA]interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1]port link-type hybrid
# Remove the VLAN tag when sending frames of VLAN 100 and VLAN 200
[DeviceA-GigabitEthernet1/0/1]port hybrid vlan 100 200 untagged
# Enable MAC VLAN
[DeviceA-GigabitEthernet1/0/1]mac-vlan enable
[DeviceA-GigabitEthernet1/0/1]quit
# Uplink port configuration (terminals access Server1 and Server2)
[DeviceA]interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2]port link-type trunk
[DeviceA-GigabitEthernet1/0/2]port trunk permit vlan 100 200
[DeviceA-GigabitEthernet1/0/2] quit
/* Device B configuration */
# Create the VLANs
[DeviceB] vlan 100
# Add GE1/0/3 to VLAN 100
[DeviceB-vlan100] port gigabitethernet 1/0/3
[DeviceB-vlan100] quit
[DeviceB] vlan 200
# Add GE1/0/4 to VLAN 200.
[DeviceB-vlan200] port gigabitethernet 1/0/4
[DeviceB-vlan200] quit
# Configure the ports as Trunk ports and permit frames of VLAN 100 and VLAN 200.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[DeviceB-GigabitEthernet1/0/2] quit
9. Display and Maintenance Commands
# Display VLAN information
[H3C]display vlan
[H3C]display vlan brief
# Display MAC VLAN information
[H3C]display mac-vlan all
[H3C]display mac-vlan interface
# Display subnet VLAN information
[H3C]display ip-subnet-vlan vlan all
[H3C]display ip-subnet-vlan interface gigabitethernet 1/0/1
# Display protocol VLAN information
[H3C]display protocol-vlan vlan all
[H3C]display protocol-vlan interface gigabitethernet 1/0/1
# Clear statistics
<H3C>reset vlan 100 statistics