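Preface
In real enterprise deployments, we first create separate VLANs to isolate users from one another, and then use Layer 3 switching to connect the networks between the VLANs.
The purpose is as follows:
- Isolation: what gets isolated is the broadcast domain, which means faults are contained
- Connectivity: what gets connected is normal communication
For example, on a campus network you cannot attack a teacher's computer with an ARP attack, because ARP traffic stays inside your own VLAN's broadcast domain.
But when you send a file to the teacher in the normal way, the file still goes through.
Topology diagram
Configuration
## Check the IP addresses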
display ip interface brief
## The S2 switch is configured as follows
vlan 10
vlan 20
vlan 30
[S2]interface Vlanif20
[S2]ip addr 192.168.10.254 255.255.255.0
### Set the switch interface to trunk mode and allow packets from all VLANs to pass
int g0/0/x
port link-type trunk
port trunk allow-pass vlan all
S1 switch configuration
## S1 switch
[S1-GigabitEthernet0/0/3]display current-configuration
Aug 5 2023 21:07:16-08:00 S1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 13, the change loop count is 0, and the maximum number of records is 4095.
#
sysname S1
#
vlan batch 10 20
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
S2 switch configuration
[S2]display current-configuration
#
sysname S2
#
vlan batch 10 20
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 192.168.1.254 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.254 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
Verification
192.168.1.3 can ping 192.168.2.6 successfully.
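Two settings in the configurations shown above are wider than this two-VLAN design needs: the `password simple` admin account served over HTTP, and trunks that permit every VLAN rather than only VLAN 10 and 20. The following added example (not part of the original post; the function names `audit` and `expand_vlans` and the embedded excerpt are assumptions made for illustration) flags those lines in a displayed configuration.

```python
import re

# Added example, not from the page: SAMPLE_CONFIG is a constructed excerpt of the S1 config above.
SAMPLE_CONFIG = """\
sysname S1
vlan batch 10 20
aaa
 local-user admin password simple admin
 local-user admin service-type http
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
"""

def expand_vlans(spec):
    """Expand 'all', '10 20' or '2 to 4094' into a set of VLAN IDs."""
    tokens = spec.split()
    if tokens == ["all"]:
        return set(range(1, 4095))
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def audit(config):
    """Return (context, finding) pairs for settings wider than the design needs."""
    findings, defined, iface = [], set(), "global"
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("vlan batch "):
            defined |= expand_vlans(line[len("vlan batch "):])
        elif line.startswith("interface "):
            iface = line.split()[1]
        elif re.match(r"local-user \S+ password simple ", line):
            findings.append(("aaa", "plaintext local-user password"))
        elif re.match(r"local-user \S+ service-type .*\bhttp\b", line):
            findings.append(("aaa", "management over unencrypted HTTP"))
        elif line.startswith("port trunk allow-pass vlan "):
            extra = expand_vlans(line[len("port trunk allow-pass vlan "):]) - defined
            if extra:
                findings.append((iface, f"trunk permits {len(extra)} VLANs not in 'vlan batch'"))
    return findings
```

A trunk limited to `port trunk allow-pass vlan 10 20` produces no trunk finding, since both VLANs appear in `vlan batch`.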