VLAN partitioning on a Huawei S3700 switch


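Could the experts advise how to configure this? One Huawei S3700 switch is to be divided into 5 VLANs, and the 5 VLANs are arranged in 4 tiers. VLANs may only communicate tier by tier, that is, vlan1 cannot communicate with vlan3, 4 or 5; only adjacent tiers can communicate. The bottom-tier vlan4 and vlan5 also cannot communicate with each other. In addition, different VLANs may use the same network segment, for example vlan3 and vlan4 are both on the 3 segment.
Please advise, experts.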

Reference answer A:

I. VLAN configuration on the core switch

(1) Enable VLAN routing
Switch1#config t
Switch1(config)#ip routing

(2) Create three VLANs
Switch1#
Switch1#vlan database
Switch1(vlan)#vlan 2
Switch1(vlan)#vlan 3
Switch1(vlan)#vlan 10
Switch1(vlan)#exit

(3) Assign IP addresses to the VLANs
Switch1#config t
Switch1(config)#interface vlan 2
Switch1(config-if)#ip address 192.168.2.1 255.255.255.0
Switch1(config-if)#no shutdown
Switch1#config t
Switch1(config)#interface vlan 3
Switch1(config-if)#ip address 192.168.3.1 255.255.255.0
Switch1(config-if)#no shutdown
Switch1#config t
Switch1(config)#interface vlan 10
Switch1(config-if)#ip address 192.168.10.1 255.255.255.0
Switch1(config-if)#no shutdown

(4) Configure VTP
Switch1#
Switch1#config t
Switch1(config)#vtp domain china_mobile
Switch1(config)#vtp mode server
Switch1(config)#end

(5) Configure the trunk
Switch1#
Switch1#config t
Switch1(config)#interface gigabitethernet0/1
Switch1(config-if)#switchport trunk encapsulation isl
Switch1(config-if)#switchport mode trunk
Switch1(config-if)#end

(6) Assign an IP address to the core switch interface that leads to the router
Switch1#
Switch1#config t
Switch1(config)#interface fastethernet0/1
Switch1(config-if)#no switchport
Switch1(config-if)#ip address 200.1.1.1 255.255.255.0
Switch1(config-if)#no shutdown

(7) Configure a default route on the core switch
Switch1#
Switch1#config t
Switch1(config)#ip route 0.0.0.0 0.0.0.0 200.1.1.2

(8) Assign VLAN numbers to the interfaces
Switch1#
Switch1#config t
Switch1(config)#interface fastethernet0/2
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport access vlan 2
Switch1(config-if)#spanning-tree portfast
… …
Switch1#
Switch1#config t
Switch1(config)#interface fastethernet0/13
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport access vlan 3
Switch1(config-if)#spanning-tree portfast
(the others are the same)

(9) Configure an access control list (ACL) to stop clients in the VLAN 3 subnet from accessing the server
Switch1#
Switch1#config t
Switch1(config)#access-list 1 deny 192.168.3.0 0.0.0.255
Switch1(config)#access-list 1 permit any
Switch1(config)#interface fastethernet0/13 (this interface connects to the server)
Switch1(config-if)#ip access-group 1 out

(10) Check the configuration above
Switch1#show vlan
Switch1#show ip route
Switch1#show interface gigabitethernet0/1 switchport
Switch1#show run

Switch1#show vtp status

(11) Save the configuration
Switch1#copy running-config startup-config

II. VLAN configuration on the access-layer switch Switch2

(1) Configure the trunks
Switch2#
Switch2#config t
Switch2(config)#interface gigabitethernet0/1
Switch2(config-if)#switchport trunk encapsulation isl
Switch2(config-if)#switchport mode trunk
Switch2(config-if)#end

Switch2#
Switch2#config t
Switch2(config)#interface gigabitethernet0/2
Switch2(config-if)#switchport trunk encapsulation isl
Switch2(config-if)#switchport mode trunk
Switch2(config-if)#end

(2) Configure VTP
Switch2#
Switch2#config t
Switch2(config)#vtp mode client
Switch2(config)#vtp domain china_mobile
Switch2(config)#end

(3) Assign VLAN numbers to the interfaces
Switch2#
Switch2#config t
Switch2(config)#interface fastethernet0/1
Switch2(config-if)#switchport mode access
Switch2(config-if)#switchport access vlan 2
Switch2(config-if)#spanning-tree portfast
… …
(the other ports are configured the same way)
(4) Save the configuration
Switch2#copy running-config startup-config
(the other switches are the same)

Reference answer B:
interface Ethernet0/0/1
port link-type access
port default vlan 2

The commands are different.

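Assigning VLANs by MAC address

Our company has about 100 computers that need to be divided into 4 VLANs. I want to assign the VLANs by MAC address. So as not to affect network speed, I would like to ask which switch (layer 3) to use, Huawei or 网建, at a price of around 10,000 to 15,000. Ideally, please also explain in detail how to assign VLANs by MAC address. Thanks!

Huawei is the better choice. An S3552P-EA will do.
Assigning VLANs by MAC address
This method assigns VLANs according to each host's MAC address, that is, for each host's MAC address you configure which group it belongs to. The biggest advantage of this method is that when a user's physical location changes, i.e. the user moves from one switch to another, the VLAN does not have to be reconfigured, so this MAC-based method can be regarded as a user-based VLAN. The drawback is that at initialization every user must be configured; with several hundred or even thousands of users, the configuration is very tiring. In particular, whenever a user's MAC address changes, it has to be reconfigured. The management cost of MAC-based VLAN assignment is relatively high.

Reference answer A: Huawei is the better choice. The advantage of assigning VLANs by MAC address is that, because a MAC address is unique, moving a computer does not affect the VLAN it belongs to. The drawback is that it is tedious, because every computer has to be configured. The method is to create four VLANs, A, B, C and D, and then, for each computer, add its MAC address to the VLAN it belongs to (connect the computer to the switch's console port, enter the switch's user view in HyperTerminal, and the command should be address+mac+vlan to add the MAC address to the VLAN; the command may differ between switches, so use /? to check). For a company with 100 computers, I would still recommend dividing them into subnets and then placing the subnets into VLANs; the workload will be much smaller.

Reference answer B: For dynamic VLAN assignment, you need to know in advance which VLAN a given MAC address belongs to. For stability and performance reasons, a VMPS server needs to be installed, and a configuration file holding information such as the MAC-to-VLAN mapping is stored on that server (see the relevant documentation for the exact format). The switch does not store this content, which improves performance and also lets multiple switches use the same configuration policy. How does the switch obtain this configuration file? It uses the TFTP protocol: at startup the switch fetches the configuration information from the server over TFTP, then uses the relevant content and, according to the predefined settings, dynamically decides from the MAC address which VLAN a given port belongs to. (This answer was accepted by the asker and other users.)

Reference answer C: This method assigns VLANs according to each host's MAC address, that is, for each host's MAC address you configure which group it belongs to. The mechanism is that every network card corresponds to a unique MAC address, and the VLAN switch tracks the MAC addresses that belong to each VLAN. This kind of VLAN lets network users automatically keep their VLAN membership when they move from one physical location to another.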

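From this mechanism it can be seen that the biggest advantage of this method is that when a user's physical location changes, i.e. the user moves from one switch to another, the VLAN does not have to be reconfigured, because it is based on the user rather than on the switch port. The drawback is that at initialization every user must be configured; with several hundred or even thousands of users, the configuration is very tiring, so this method is usually suitable for small LANs. This method also reduces the switch's efficiency, because each switch port may have members of many VLAN groups and stores many users' MAC addresses, which makes lookups rather difficult. In addition, laptop users may change their network cards often, so the VLAN has to be reconfigured often.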

Reference: http://www.itjj.net/tech/cisco/net/vLan/20070612/167817.html

Reference answer D: Read this carefully; it can be understood.
To use VMPS, you first must create a VMPS database and store it on a TFTP server. The VMPS parser is line based. Start each entry in the file on a new line. The example at the end of this section corresponds to the information described below.

The VMPS database can have up to five sections:

Section 1, Global settings, lists the settings for the VMPS domain name, security mode, fallback VLAN, and the policy for VMPS and VTP domain name mismatches.

Begin the configuration file with the word "VMPS," to prevent other types of configuration files from incorrectly being read by the VMPS server.

Define the VMPS domain. The VMPS domain should correspond to the VTP domain name configured on the switch.

Define the security mode. VMPS can operate in open or secure mode. If you set it to open mode, VMPS returns an access denied response for an unauthorized MAC address and returns the fallback VLAN for a MAC address not listed in the VMPS database. In secure mode, VMPS shuts down the port for a MAC address that is unauthorized or that is not listed in the VMPS database.

(Optional) Define a fallback VLAN. The fallback VLAN is assigned if the MAC address of the connected host is not defined in the database.

In the example at the end of this section, the VMPS domain name is WBU, the VMPS mode is set to open, the fallback VLAN is set to the VLAN default, and if the VTP domain name does match the VMPS domain name, then VMPS sends an access denied response message.

Section 2, MAC addresses, lists MAC addresses and authorized VLAN names for each MAC address.

Enter the MAC address of each host and the VLAN name to which each should belong.

Use the --NONE-- keyword as the VLAN name to deny the specified host network connectivity.

You can enter up to 21,051 MAC addresses in a VMPS database file for the Catalyst 2948G switch.

In the example at the end of this section, MAC addresses are listed in the MAC table. Notice that the MAC address fedc.ba98.7654 is set to --NONE--. This setting explicitly denies this MAC address from accessing the network.

Section 3, Port groups, lists groups of ports on various switches in your network that you want grouped together. You use these port groups when defining VLAN port policies.

Define a port group name for each port group; then list all ports you want included in the port group.

A port is identified by the IP address of the switch and the module/port number of the port in the form mod_num/port_num. Ranges are not allowed for the port numbers.

Use the all-ports keyword to specify all the ports in the specified switch.

The example at the end of this section has two port groups:

WiringCloset1 consists of the two ports: port 3/2 on the VMPS client 198.92.30.32 and port 2/8 on the VMPS client 172.20.26.141

Executive Row consists of three ports: port 1/2 and 1/3 on the VMPS client 198.4.254.222, and all ports on the VMPS client 198.4.254.223

Section 4, VLAN groups, lists groups of VLANs you want to associate together. You use these VLAN groups when defining VLAN port policies.

Define the VLAN group name; then list each VLAN name you want to include in the VLAN group.

You can enter a maximum of 256 VLANS in a VMPS database file for the Catalyst 2948G switch.

The example at the end of this section has the VLAN group Engineering, which consists of the VLANs hardware and software.

Section 5, VLAN port policies, lists the VLAN port policies, which use the port groups and VLAN groups to further restrict access to the network.

You can configure a restricted access using MAC addresses and the port groups or VLAN groups.

The example at the end of this section has three VLAN port policies specified.

In the first VLAN port policy, the VLAN hardware or software is restricted to port 3/2 on the VMPS client 198.92.30.32 and port 2/8 on the VMPS client 172.20.23.141.

In the second VLAN port policy, the devices specified in VLAN Green can connect only to port 4/8 on the VMPS client 198.92.30.32.

In the third VLAN port policy, the devices specified in VLAN Purple can connect to only port 1/2 on the VMPS client 198.4.254.22 and the ports specified in the port group Executive Row.

The following example shows a sample VMPS database configuration file.

!Section 1: GLOBAL SETTINGS
!VMPS File Format, version 1.1
! Always begin the configuration file with
! the word "VMPS"
!
!vmps domain
! The VMPS domain must be defined.
!vmps mode open | secure
! The default mode is open.
!vmps fallback
!vmps no-domain-req allow | deny
!
! The default value is allow.
vmps domain WBU
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
!Section 2: MAC ADDRESSES
!MAC Addresses
vmps-mac-addrs
!
! address vlan-name
!
address 0012.2233.4455 vlan-name hardware
address 0000.6509.a080 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address 1223.5678.9abc vlan-name ExecStaff
address fedc.ba98.7654 vlan-name --NONE--
address fedc.ba23.1245 vlan-name Purple
!
!Section 3: PORT GROUPS
!Port Groups
!vmps-port-group
! device port | all-ports
!
vmps-port-group WiringCloset1
device 198.92.30.32 port 3/2
device 172.20.26.141 port 2/8
vmps-port-group "Executive Row"
device 198.4.254.222 port 1/2
device 198.4.254.222 port 1/3
device 198.4.254.223 all-ports
!
!Section 4: VLAN GROUPS
!VLAN groups
!
!vmps-vlan-group
! vlan-name
!
vmps-vlan-group Engineering
vlan-name hardware
vlan-name software
!
!Section 5: VLAN PORT POLICIES
!VLAN port Policies
!
!vmps-port-policies vlan-name | vlan-group
! port-group | device port
!
vmps-port-policies vlan-group Engineering
port-group WiringCloset1
vmps-port-policies vlan-name Green
device 198.92.30.32 port 4/8
vmps-port-policies vlan-name Purple
device 198.4.254.22 port 1/2
port-group "Executive Row"

On the switch, it seems you need to do: VMPS SERVER ip primary
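
Added example (not part of the answers above or of the vendor documentation they quote): a small Python parser for the line-based VMPS database format shown in answer D, with a lookup that applies the open and secure mode behaviour the text describes. The names `parse` and `lookup`, the result strings `denied` and `shutdown`, treating several policies for one VLAN as a union, and refusing an unlisted MAC when no fallback VLAN is set are assumptions of this example.

```python
import shlex
# Constructed input: a shortened copy of the sample database quoted on the page.
SAMPLE = """\
vmps mode open
vmps fallback default
address 0012.2233.4455 vlan-name hardware
address aabb.ccdd.eeff vlan-name Green
address fedc.ba98.7654 vlan-name --NONE--
vmps-port-group WiringCloset1
device 198.92.30.32 port 3/2
vmps-vlan-group Engineering
vlan-name hardware
vmps-port-policies vlan-group Engineering
port-group WiringCloset1
vmps-port-policies vlan-name Green
device 198.92.30.32 port 4/8
"""

def parse(text):
    db = {"mode": "open", "fallback": None, "macs": {}, "policies": []}
    cur = None  # list that the following member lines append to
    for line in text.splitlines():
        t = [] if line.lstrip().startswith("!") else shlex.split(line)
        key = t[0] if t else ""
        if key == "vmps":  # global setting: domain, mode, fallback, ...
            db[t[1]] = t[2]
        elif key == "address":
            db["macs"][t[1].lower()] = t[3]
        elif key in ("vmps-port-group", "vmps-vlan-group"):
            cur = db.setdefault(key, {}).setdefault(t[1], [])
        elif key == "vmps-port-policies":  # applies to one VLAN or a VLAN group
            vlans = db["vmps-vlan-group"][t[2]] if t[1] == "vlan-group" else [t[2]]
            db["policies"].append((vlans, cur := []))
        elif key == "device":  # "*" stands for the all-ports keyword
            cur.append((t[1], t[3] if t[2] == "port" else "*"))
        elif key == "vlan-name":
            cur.append(t[1])
        elif key == "port-group":  # undefined group raises KeyError (fail closed)
            cur.extend(db["vmps-port-group"][t[1]])
    return db

def lookup(db, mac, switch, port):
    refuse = "denied" if db["mode"] == "open" else "shutdown"
    vlan = db["macs"].get(mac.lower())
    if vlan is None:  # unlisted MAC: fallback VLAN in open mode only
        return db["fallback"] or refuse if db["mode"] == "open" else refuse
    hits = [ports for vlans, ports in db["policies"] if vlan in vlans]
    ok = any((switch, port) in p or (switch, "*") in p for p in hits)
    return vlan if vlan != "--NONE--" and (ok or not hits) else refuse
```

Comparing `lookup` results for the same file with `vmps mode open` and `vmps mode secure` shows which hosts land in the fallback VLAN and which cause the port to be shut down.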
