CISCO三层交换机VLAN配置说明。

实验目标：(1) 第一步实现划分4个vlan，将相应port置入到vlan号中(2) 第二步实现4个vlan间可以相互ping(3) 第三步实现sales,tech,manage不可以相互通讯，但允许和server通讯实现过程：第一步划分vlan如下：Switch#vlan dataSwitch(vlan)#vlan 10 name salesVLAN 10 added:Name: salesSwitch(vlan)#vlan 20 name techVLAN 20 added:Name: techSwitch(vlan)#vlan 30 name manageVLAN 30 added:Name: manageSwitch(vlan)#vlan 40 name serverVLAN 40 added:Name: serverSwitch(vlan)#Switch(config)#int range fa 0/0 - 3Switch(config-if-range)#switchport access vlan 10 Switch(config-if-range)#exitSwitch(config)#int range fa 0/4 - 6Switch(config-if-range)#switchport access vlan 20 Switch(config-if-range)#exitSwitch(config)#int range fa 0/7 - 8Switch(config-if-range)#switchport access vlan 30 Switch(config-if-range)#exitSwitch(config)#int fa 0/9Switch(config-if)#switSwitch(config-if)#switchport acceSwitch(config-if)#switchport access vlan 40 Switch(config-if)#exit查看Switch#sh vlan-switchVLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Fa0/10, Fa0/11, Fa0/12, Fa0/13 Fa0/14, Fa0/1510 sales active Fa0/1, Fa0/2, Fa0/320 tech active Fa0/4, Fa0/5, Fa0/630 manage active Fa0/7, Fa0/840 server active Fa0/91002 fddi-default active第二步实现4个vlan内的服务器互相pingSwitch(config)#int fa 0/0Switch(config-if)#switchport mode trunkRouter(config-if)#exitRouter(config)#int fa 0/0Router(config-if)#no shutRouter(config-if)#no ip addressRouter(config-if)#exitRouter(config)#int fa0/0.1Router(config-subif)#encapsulation dot1Q 10Router(config-subif)#ip addreRouter(config-subif)#ip address 192.168.33.1 255.255.255.0 Router(config-subif)#exitRouter(config)#int fa0/0.2Router(config-subif)#encapsulation dot1Q 20 Router(config-subif)#ip address 192.168.34.1 255.255.255.0 Router(config-subif)#exitRouter(config)#int fa0/0.3Router(config-subif)#encapsulation dot1Q 30 Router(config-subif)#ip address 192.168.35.1 255.255.255.0 Router(config-subif)#exitRouter(config)#int fa0/0.4Router(config-subif)#encapsulation dot1Q 40 Router(config-subif)#ip address 192.168.36.1 255.255.255.0Router(config-subif)#查看路由器：interface FastEthernet0/0no ip addressduplex autospeed auto!interface FastEthernet0/0.1 encapsulation dot1Q 10ip address 192.168.33.1 255.255.255.0 !interface FastEthernet0/0.2 encapsulation dot1Q 20ip address 192.168.34.1 255.255.255.0 !interface FastEthernet0/0.3 encapsulation dot1Q 30ip address 192.168.35.1 255.255.255.0!interface FastEthernet0/0.4encapsulation dot1Q 40ip address 192.168.36.1 255.255.255.0!测试：VPCS 1 >shNAME IP/CIDR GATEWAY LPORT RPORT PC1 192.168.33.2/24 192.168.33.1 10001 21001PC2 0.0.0.0/0 0.0.0.0 10002 21002PC3 0.0.0.0/0 0.0.0.0 10003 21003PC4 192.168.34.2/24 192.168.34.1 10004 21004PC5 0.0.0.0/0 0.0.0.0 10005 21005PC6 0.0.0.0/0 0.0.0.0 10006 21006PC7 192.168.35.2/24 192.168.35.1 10007 21007PC8 0.0.0.0/0 0.0.0.0 10008 21008PC9 192.168.36.2/24 192.168.36.1 10009 21009 VPCS 1 >ping 192.168.34.2192.168.34.2 icmp_seq=1 timeout192.168.34.2 icmp_seq=2 time=45.000 ms192.168.34.2 icmp_seq=3 time=47.000 ms192.168.34.2 icmp_seq=4 time=43.000 ms192.168.34.2 icmp_seq=5 time=8.000 msVPCS 1 >ping 192.168.35.2192.168.35.2 icmp_seq=1 time=43.000 ms192.168.35.2 icmp_seq=2 time=14.000 ms192.168.35.2 icmp_seq=3 time=8.000 ms192.168.35.2 icmp_seq=4 time=10.000 ms192.168.35.2 icmp_seq=5 time=12.000 msVPCS 1 >ping 192.168.36.2192.168.36.2 icmp_seq=1 timeout192.168.36.2 icmp_seq=2 time=47.000 ms192.168.36.2 icmp_seq=3 time=6.000 ms192.168.36.2 icmp_seq=4 time=10.000 ms192.168.36.2 icmp_seq=5 time=43.000 msOK,这一步也成功了。

第三步，实现我们的限制功能了Router(config)# access-list 111 deny ip 192.168.33.0 0.0.0.255 192.168.34.0 0.0.0.255Router(config)# access-list 111 deny ip 192.168.33.0 0.0.0.255 192.168.35.0 0.0.0.255Router(config)# access-list 111 permit ip any anyRouter(config)#Router(config)# access-list 112 deny ip 192.168.34.0 0.0.0.255 192.168.33.0 0.0.0.255Router(config)# access-list 112 deny ip 192.168.34.0 0.0.0.255 192.168.35.0 0.0.0.255Router(config)# access-list 112 permit ip any anyRouter(config)#Router(config)# access-list 113 deny ip 192.168.35.0 0.0.0.255 192.168.33.0 0.0.0.255Router(config)# access-list 113 deny ip 192.168.35.0 0.0.0.255 192.168.34.0 0.0.0.255Router(config)# access-list 113 permit ip any anyRouter(config)#int fa 0/0.1Router(config-subif)#ip access-group 111 inRouter(config-subif)#exitRouter(config)#int fa 0/0.2Router(config-subif)#ip access-group 112 inRouter(config-subif)#exitRouter(config)#int fa 0/0.3Router(config-subif)#ip acceRouter(config-subif)#ip access-group 113 inRouter(config-subif)#exit查看：Router(config)#do sh ip access-listExtended IP access list 11110 deny ip 192.168.33.0 0.0.0.255 192.168.34.0 0.0.0.255 20 deny ip 192.168.33.0 0.0.0.255 192.168.35.0 0.0.0.255 30 permit ip any anyExtended IP access list 11210 deny ip 192.168.34.0 0.0.0.255 192.168.33.0 0.0.0.255 20 deny ip 192.168.34.0 0.0.0.255 192.168.35.0 0.0.0.255 30 permit ip any anyExtended IP access list 11310 deny ip 192.168.35.0 0.0.0.255 192.168.33.0 0.0.0.255 20 deny ip 192.168.35.0 0.0.0.255 192.168.34.0 0.0.0.255 30 permit ip any anyRouter(config)#do sh run……interface FastEthernet0/0.1encapsulation dot1Q 10ip address 192.168.33.1 255.255.255.0ip access-group 111 in!interface FastEthernet0/0.2encapsulation dot1Q 20ip address 192.168.34.1 255.255.255.0ip access-group 112 in!interface FastEthernet0/0.3 encapsulation dot1Q 30ip address 192.168.35.1 255.255.255.0 ip access-group 113 in!interface FastEthernet0/0.4 encapsulation dot1Q 40ip address 192.168.36.1 255.255.255.0 !……测试:VPCS 1 >ping 192.168.34.2192.168.34.2 icmp_seq=1 timeout 192.168.34.2 icmp_seq=2 timeout 192.168.34.2 icmp_seq=3 timeout 192.168.34.2 icmp_seq=4 timeout192.168.34.2 icmp_seq=5 timeoutVPCS 1 >ping 192.168.35.2192.168.35.2 icmp_seq=1 timeout192.168.35.2 icmp_seq=2 timeout192.168.35.2 icmp_seq=3 timeout192.168.35.2 icmp_seq=4 timeout192.168.35.2 icmp_seq=5 timeoutVPCS 1 >ping 192.168.36.2192.168.36.2 icmp_seq=1 time=14.000 ms 192.168.36.2 icmp_seq=2 time=39.000 ms 192.168.36.2 icmp_seq=3 time=10.000 ms 192.168.36.2 icmp_seq=4 time=14.000 ms 192.168.36.2 icmp_seq=5 time=6.000 ms 换另一台测试VPCS 1 >4VPCS 4 >ping 192.168.33.2192.168.33.2 icmp_seq=1 timeout192.168.33.2 icmp_seq=2 timeout192.168.33.2 icmp_seq=3 timeout192.168.33.2 icmp_seq=4 timeout192.168.33.2 icmp_seq=5 timeoutVPCS 4 >ping 192.168.35.2192.168.35.2 icmp_seq=1 timeout192.168.35.2 icmp_seq=2 timeout192.168.35.2 icmp_seq=3 timeout192.168.35.2 icmp_seq=4 timeout192.168.35.2 icmp_seq=5 timeoutVPCS 4 >ping 192.168.36.2192.168.36.2 icmp_seq=1 time=17.000 ms192.168.36.2 icmp_seq=2 time=47.000 ms192.168.36.2 icmp_seq=3 time=39.000 ms192.168.36.2 icmp_seq=4 time=40.000 ms192.168.36.2 icmp_seq=5 time=47.000 ms好了，三步已经全部做完了，都已经实现了我所期望的。