VLAN Isolation Handbook (Part 2)

Part 1 covered port isolation (port-isolate) and Layer 2 isolation with MUX VLAN.

In practice, though, there is almost always a Layer 3 switch doing inter-VLAN routing, and in that case VLAN isolation has to be enforced with a traffic policy on that switch.

Once VLANs are routed at Layer 3, stopping some users from reaching each other, or allowing only one-way access, requires inter-VLAN Layer 3 isolation. This is normally built from an advanced ACL, a traffic classifier that matches it, a traffic behavior, and a traffic policy that binds the two and is applied to the VLAN.

Network requirements:

1. VLAN 10 (guests, 10.1.1.0/24), VLAN 20 (staff, 10.1.2.0/24) and VLAN 30 (server zone, 10.1.3.0/24) can all reach the Internet.

2. Guests can only reach the Internet; they must not communicate with users in any other VLAN.

3. Employee A (10.1.2.2) can reach every resource in the server zone; the other employees are denied the server zone entirely (that is what ACL 3001 below enforces).

Configuration

Step 1: connectivity configuration

1. L2SW-1:

[Huawei]sysname L2SW-1
[L2SW-1]vlan 10
[L2SW-1-vlan10]q
[L2SW-1]int gi 0/0/1                                       // uplink to L3SW
[L2SW-1-GigabitEthernet0/0/1]port link-type trunk
[L2SW-1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[L2SW-1-GigabitEthernet0/0/1]q
[L2SW-1]int gi 0/0/2                                       // guest PC port
[L2SW-1-GigabitEthernet0/0/2]port link-type access
[L2SW-1-GigabitEthernet0/0/2]port default vlan 10
[L2SW-1-GigabitEthernet0/0/2]q

L2SW-2 and L2SW-3 are configured the same way with VLAN 20 and VLAN 30 respectively, so they are omitted.

2. Layer 3 switch configuration:

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname L3SW
[L3SW]un in en                                             // undo info-center enable: silence console log messages
Info: Information center is disabled.
[L3SW]vlan batch 10 20 30                                  // guest, staff and server VLANs
Info: This operation may take a few seconds. Please wait for a moment...done.
[L3SW]int gi 0/0/2                                         // downlink to L2SW-1 (VLAN 10)
[L3SW-GigabitEthernet0/0/2]port link-type trunk
[L3SW-GigabitEthernet0/0/2]port trunk allow-pass vlan 10
[L3SW-GigabitEthernet0/0/2]int gi 0/0/3                    // downlink to L2SW-2 (VLAN 20)
[L3SW-GigabitEthernet0/0/3]port link-type trunk
[L3SW-GigabitEthernet0/0/3]port trunk allow-pass vlan 20
[L3SW-GigabitEthernet0/0/3]int gi 0/0/4                    // downlink to L2SW-3 (VLAN 30)
[L3SW-GigabitEthernet0/0/4]port link-type trunk
[L3SW-GigabitEthernet0/0/4]port trunk allow-pass vlan 30
[L3SW-GigabitEthernet0/0/4]int gi 0/0/1                    // uplink to the Internet router
[L3SW-GigabitEthernet0/0/1]port link-type access
[L3SW-GigabitEthernet0/0/1]q
[L3SW]vlan 300                                             // transit VLAN towards the Internet router
[L3SW-vlan300]int gi 0/0/1
[L3SW-GigabitEthernet0/0/1]port default vlan 300
[L3SW-GigabitEthernet0/0/1]int vlanif 300
[L3SW-Vlanif300]ip addr 192.168.200.2 24
[L3SW-Vlanif300]int vlanif 10                              // gateways of the three user VLANs
[L3SW-Vlanif10]ip addr 10.1.1.1 24
[L3SW-Vlanif10]int vlanif 20
[L3SW-Vlanif20]ip addr 10.1.2.1 24
[L3SW-Vlanif20]int vlanif 30
[L3SW-Vlanif30]ip addr 10.1.3.1 24
[L3SW-Vlanif30]q
[L3SW]ospf 1 router-id 2.2.2.2                             // advertise all four subnets to the Internet router
[L3SW-ospf-1]area 0
[L3SW-ospf-1-area-0.0.0.0]network 10.1.1.1 0.0.0.0
[L3SW-ospf-1-area-0.0.0.0]network 10.1.2.1 0.0.0.0
[L3SW-ospf-1-area-0.0.0.0]network 10.1.3.1 0.0.0.0
[L3SW-ospf-1-area-0.0.0.0]network 192.168.200.2 0.0.0.0
[L3SW-ospf-1-area-0.0.0.0]q

3. Internet router configuration

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]un in en                                           // undo info-center enable: silence console log messages
Info: Information center is disabled.
[Huawei]sysname Internet
[Internet]int gi 0/0/0                                     // link to L3SW (VLAN 300 side)
[Internet-GigabitEthernet0/0/0]ip addr 192.168.200.1 24
[Internet-GigabitEthernet0/0/0]int lo0                     // loopback standing in for "the Internet"
[Internet-LoopBack0]ip addr 114.114.114.114 32
[Internet-LoopBack0]q
[Internet]ospf 1 router-id 1.1.1.1
[Internet-ospf-1]area 0
[Internet-ospf-1-area-0.0.0.0]network 192.168.200.1 0.0.0.0
[Internet-ospf-1-area-0.0.0.0]network 114.114.114.114 0.0.0.0   // so the user VLANs learn a route to 114.114.114.114
[Internet-ospf-1-area-0.0.0.0]q
[Internet-ospf-1]q
[Internet]dis ospf peer

     OSPF Process 1 with Router ID 1.1.1.1
         Neighbors 

 Area 0.0.0.0 interface 192.168.200.1(GigabitEthernet0/0/0)'s neighbors
 Router ID: 2.2.2.2          Address: 192.168.200.2   
   State: Full  Mode:Nbr is  Master  Priority: 1
   DR: 192.168.200.2  BDR: 192.168.200.1  MTU: 0    
   Dead timer due in 38  sec 
   Retrans timer interval: 5 
   Neighbor is up for 00:00:15     
   Authentication Sequence: [ 0 ] 

Connectivity test:

With only the connectivity configuration in place, the OSPF adjacency above is Full and a guest PC can reach every PC on the LAN as well as 114.114.114.114. That unrestricted reachability is what Step 2 cuts down.

Step 2: traffic policy configuration

[L3SW]acl 3000                                                            // advanced ACL for the guest VLAN
[L3SW-acl-adv-3000]rule deny ip destination 10.1.2.0 0.0.0.255           // guests may not reach the staff zone
[L3SW-acl-adv-3000]rule deny ip destination 10.1.3.0 0.0.0.255           // guests may not reach the server zone
[L3SW-acl-adv-3000]q
[L3SW]acl 3001                                                            // advanced ACL for the staff VLAN
[L3SW-acl-adv-3001]rule permit ip source 10.1.2.2 0 destination 10.1.3.0 0.0.0.255   // employee A (10.1.2.2) may reach the server zone
[L3SW-acl-adv-3001]rule deny ip destination 10.1.3.0 0.0.0.255                       // every other employee may not
[L3SW-acl-adv-3001]q
[L3SW]traffic classifier c_custom
[L3SW-classifier-c_custom]if-match acl 3000                               // classifier c_custom matches ACL 3000
[L3SW-classifier-c_custom]q
[L3SW]traffic classifier c_staff
[L3SW-classifier-c_staff]if-match acl 3001                                // classifier c_staff matches ACL 3001
[L3SW-classifier-c_staff]q
[L3SW]traffic behavior b1
[L3SW-behavior-b1]permit                                                  // behavior b1: permit (deny rules in the ACL still drop, see below)
[L3SW-behavior-b1]q
[L3SW]traffic policy p_custom
[L3SW-trafficpolicy-p_custom]classifier c_custom behavior b1              // policy p_custom binds classifier c_custom to behavior b1
[L3SW-trafficpolicy-p_custom]q
[L3SW]traffic policy p_staff
[L3SW-trafficpolicy-p_staff]classifier c_staff behavior b1                // policy p_staff binds classifier c_staff to behavior b1
[L3SW-trafficpolicy-p_staff]q
[L3SW]vlan 10
[L3SW-vlan10]traffic-policy p_custom inbound                              // apply p_custom to traffic entering from VLAN 10
[L3SW-vlan10]q
[L3SW]vlan 20
[L3SW-vlan20]traffic-policy p_staff inbound                               // apply p_staff to traffic entering from VLAN 20
[L3SW-vlan20]q

A few points that decide whether this works as intended:

The original post typed the destinations as 10.1.2.1 0.0.0.255 and 10.1.3.1 0.0.0.255. With a 0.0.0.255 wildcard the last octet is ignored, so those match the same /24 networks; the network address is used above because it reads as what it matches.

On Huawei S series switches a packet that hits a deny rule in the ACL referenced by a classifier is discarded regardless of whether the bound behavior is permit or deny; a packet that hits a permit rule is forwarded when the behavior is permit; and a packet that hits no rule at all is simply not classified, so the policy does nothing and it is routed normally. That last case is why no explicit permit for the Internet is needed: traffic to 114.114.114.114 matches nothing in either ACL.

Rules are matched in configuration order (the default match-order config, with rule IDs assigned 5, 10, ...), so in ACL 3001 the permit for 10.1.2.2 must be entered before the deny for 10.1.3.0/24; in the opposite order employee A would be blocked too.

The policy is a stateless packet filter and is applied only inbound on VLAN 10 and VLAN 20. Employee A's sessions to the servers succeed because nothing filters the replies entering from VLAN 30. For the same reason a server, or any employee, can still send packets into the guest VLAN: only the replies from guests are dropped at VLAN 10 ingress, so TCP sessions fail but one-way traffic still arrives. If the server zone must not be allowed to initiate towards guests either, a matching deny has to be applied inbound on VLAN 30 as well.

Testing the objectives:
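To check the policy logic without the lab, here is an added example in Python (not from the original post, and not Huawei code). It models the two advanced ACLs exactly as entered above, including VRP's wildcard masks, configuration-order first match, and the rule that a deny hit inside a classifier drops the packet even though behavior b1 is permit, then evaluates the three requirements as a matrix. The host addresses 10.1.1.2, 10.1.2.3 and 10.1.3.10 are assumed for illustration; only 10.1.2.2 and 114.114.114.114 appear in the configuration.

```python
"""Offline model of the L3SW traffic policy configured above (added example).

Hosts other than 10.1.2.2 and 114.114.114.114 are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Match = Tuple[str, str]  # (base address, wildcard mask) as typed in the ACL


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei ACL wildcard: a 1 bit means 'don't care', so '10.1.2.1 0.0.0.255'
    and '10.1.2.0 0.0.0.255' both mean 10.1.2.0/24."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass(frozen=True)
class Rule:
    action: str                  # 'permit' or 'deny'
    src: Optional[Match] = None  # None == any source
    dst: Optional[Match] = None  # None == any destination

    def hits(self, src_ip: str, dst_ip: str) -> bool:
        return ((self.src is None or wildcard_match(src_ip, *self.src)) and
                (self.dst is None or wildcard_match(dst_ip, *self.dst)))


def acl_lookup(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[str]:
    """First hit in configuration order (VRP default 'match-order config').
    None means no rule hit, so the classifier does not match at all."""
    for rule in rules:
        if rule.hits(src_ip, dst_ip):
            return rule.action
    return None


# acl 3000 -> classifier c_custom -> policy p_custom, applied inbound on VLAN 10
ACL_3000 = [
    Rule("deny", dst=("10.1.2.0", "0.0.0.255")),   # guests -> staff zone
    Rule("deny", dst=("10.1.3.0", "0.0.0.255")),   # guests -> server zone
]
# acl 3001 -> classifier c_staff -> policy p_staff, applied inbound on VLAN 20
ACL_3001 = [
    Rule("permit", src=("10.1.2.2", "0.0.0.0"), dst=("10.1.3.0", "0.0.0.255")),
    Rule("deny", dst=("10.1.3.0", "0.0.0.255")),   # every other employee
]
POLICY_BY_VLAN: Dict[int, List[Rule]] = {10: ACL_3000, 20: ACL_3001}  # VLAN 30: none

SUBNET_TO_VLAN = {
    ipaddress.ip_network("10.1.1.0/24"): 10,
    ipaddress.ip_network("10.1.2.0/24"): 20,
    ipaddress.ip_network("10.1.3.0/24"): 30,
}


def ingress_vlan(ip: str) -> Optional[int]:
    """VLAN a packet from this source enters L3SW on; None for the Internet side."""
    addr = ipaddress.ip_address(ip)
    for net, vlan in SUBNET_TO_VLAN.items():
        if addr in net:
            return vlan
    return None


def forwarded(src_ip: str, dst_ip: str) -> bool:
    """True if L3SW forwards a packet src -> dst with the policies applied.
    VRP semantics: an ACL deny hit inside a classifier discards the packet
    whatever the behavior says; a permit hit with behavior permit forwards;
    no hit means the policy is silent and the packet is routed normally."""
    rules = POLICY_BY_VLAN.get(ingress_vlan(src_ip))
    if rules is None:
        return True
    return acl_lookup(rules, src_ip, dst_ip) != "deny"


def session_possible(client: str, server: str) -> bool:
    """A stateless filter has no connection tracking: a TCP session (or even
    a ping reply) needs both directions to be forwarded."""
    return forwarded(client, server) and forwarded(server, client)


def requirement_matrix() -> Dict[str, bool]:
    """The page's three requirements plus the cases the policy leaves open."""
    guest, emp_a, emp_b = "10.1.1.2", "10.1.2.2", "10.1.2.3"   # assumed hosts
    srv, inet = "10.1.3.10", "114.114.114.114"
    return {
        "guest->internet": session_possible(guest, inet),       # req 1
        "staff->internet": session_possible(emp_b, inet),       # req 1
        "guest->staff": session_possible(guest, emp_a),         # req 2
        "guest->server": session_possible(guest, srv),          # req 2
        "employeeA->server": session_possible(emp_a, srv),      # req 3
        "other staff->server": session_possible(emp_b, srv),    # req 3
        # not covered by the requirements: VLAN 30 carries no policy, so a
        # server can push packets into the guest VLAN; only replies are dropped
        "server->guest one-way": forwarded(srv, guest),
        "server->guest session": session_possible(srv, guest),
    }


if __name__ == "__main__":
    for case, ok in requirement_matrix().items():
        print(f"{case:24s} {'allowed' if ok else 'blocked'}")
```

Running it prints one line per case. Besides confirming the three requirements, the last two rows show the gap a stateless filter leaves: a server can still send packets into the guest VLAN, and only the guest's replies are dropped at VLAN 10 ingress.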


Reposted from blog.csdn.net/WannaHaha/article/details/107670522