前言

在实际的企业应用中，我们会先建立不同的vlan把用户先隔开来。然后再通过三次交换机技术打通vlan直接的网络。

这样的目的如下：

• 隔离： 隔离是广播域，也就是隔离的是故障
• 连通： 连通的是正常的通信

比如校园网，你通过arp攻击是无法攻击老师的电脑的。

但是你正常发文件给老师又是可以正常发送文件的。

拓扑图

配置

## 检测ip地址
display  ip interface brief


## S2的交换机配置如下
vlan 10
vlan 20
vlan 30
[S2]interface Vlanif20
[S2]ip addr 192.168.10.254 255.255.255.0

### 交换机的接口配置成Trunk模式，并且准许所有vlan的报文通过
int g0/0/x
port link-type trunk
port trunk allow-pass vlan all

S1交换机配置

## S1 交换机
S1-GigabitEthernet0/0/3]display current-configuration
Aug  5 2023 21:07:16-08:00 S1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.
191.3.1 configurations have been changed. The current change number is 13, the c
hange loop count is 0, and the maximum number of records is 4095.
#
sysname S1
#
vlan batch 10 20
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5

S2交换机配置

[S2]display current-configuration 
#
sysname S2
#
vlan batch 10 20
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
 ip address 192.168.1.254 255.255.255.0
#
interface Vlanif20
 ip address 192.168.2.254 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#

检验

##
192.168.1.3 能正常ping通192.168.2.6