Wednesday, April 3, 2013

Implementing port isolation protection and private VLANs on Cisco switches

Network security requirements keep getting stricter, and sometimes the hosts on one LAN should not be able to reach each other at all. This post explains how to meet that need on Cisco switches.
There are two ways to do this on Cisco low-end switches:
1. Port protection (switchport protected).
2. Private VLANs (PVLAN).
The main steps are as follows:
On a Cisco 3550 or 2950 the configuration is relatively simple. Enter interface configuration mode:
Switch(config)#interface range f0/1 - 24   ### operate on f0/1 through f0/24 at once; pick the ports you actually need
Switch(config-if-range)#switchport protected   ### enable port protection
That is all. Port protection is now enabled on each of the selected interfaces: protected ports cannot exchange traffic with each other, but they still forward to unprotected ports such as the uplink.
The 4500 series does not support port protection, so the same result is achieved with a PVLAN.
The main steps are as follows:
First, create the two secondary VLANs:
Switch(config)#vlan 101
Switch(config-vlan)#private-vlan community
### create VLAN 101 and make it a community VLAN
Switch(config)#vlan 102
Switch(config-vlan)#private-vlan isolated
### create VLAN 102 and make it an isolated VLAN
Switch(config)#vlan 200
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 101
Switch(config-vlan)#private-vlan association add 102
### create VLAN 200 as the primary VLAN, and associate VLAN 101 and VLAN 102 with it as its secondary VLANs
Switch(config)#interface vlan 200
Switch(config-if)#private-vlan mapping 101,102
### enter the VLAN 200 SVI (where its IP address is configured) and map the secondary VLANs 101 and 102 to it, so that they are routed and can reach the gateway
Switch(config)#interface f3/1
Switch(config-if)#switchport private-vlan host-association 200 102
Switch(config-if)#switchport private-vlan mapping 200 102
Switch(config-if)#switchport mode private-vlan host
### enter interface configuration mode and make the interface a PVLAN host port; the primary VLAN is 200 and the secondary VLAN must be the isolated VLAN 102, not the community VLAN, otherwise ports in the same community can still reach each other
At this point the configuration is complete. In testing, the ports cannot communicate with each other, but each one can still reach the gateway.
Note: the configuration examples on the Cisco website did not seem to work this way for me: they enabled the isolation, but the ports could not communicate with the VLAN gateway, and following the Cisco website configuration the private VLAN did not come up. If more than one VLAN has to be converted to a PVLAN, a corresponding secondary VLAN must be added for each of them; one VLAN can serve as a secondary VLAN in only one private VLAN.
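As an added example (not part of the original post), the following Python script audits a saved running-config for the PVLAN mistakes discussed above: a host port whose secondary VLAN is not associated with its primary, a host port placed in the community VLAN (whose members can still reach each other), and a secondary VLAN missing from the SVI mapping, which leaves that port without gateway reachability. The config text is a constructed sample modelled on the VLAN numbers used in this post.

```python
import re

# Constructed sample running-config fragment modelled on the post's example
# (VLAN 200 primary, 101 community, 102 isolated); not from a real device.
SAMPLE_CONFIG = """\
vlan 101
 private-vlan community
vlan 102
 private-vlan isolated
vlan 200
 private-vlan primary
 private-vlan association 101,102
interface Vlan200
 private-vlan mapping 101,102
interface FastEthernet3/1
 switchport private-vlan host-association 200 102
interface FastEthernet3/2
 switchport private-vlan host-association 200 101
interface FastEthernet3/3
 switchport private-vlan host-association 200 103
"""

def audit_pvlan(config):
    """Return findings for host ports that are not isolated the way the post intends."""
    vtype, assoc, mapping, hosts, ctx = {}, {}, {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"vlan (\d+)$", line):
            ctx = int(m.group(1))                      # inside a "vlan N" block
        elif m := re.match(r"interface (\S+)$", line):
            ctx = m.group(1)                           # physical port or SVI such as Vlan200
        elif m := re.match(r" private-vlan (primary|isolated|community)$", line):
            vtype[ctx] = m.group(1)
        elif m := re.match(r" private-vlan association (?:add )?([\d,]+)", line):
            assoc.setdefault(ctx, set()).update(int(v) for v in m.group(1).split(","))
        elif m := re.match(r" private-vlan mapping ([\d,]+)", line):
            mapping[ctx] = {int(v) for v in m.group(1).split(",")}   # SVI -> secondaries
        elif m := re.match(r" switchport private-vlan host-association (\d+) (\d+)", line):
            hosts[ctx] = (int(m.group(1)), int(m.group(2)))     # port -> (primary, secondary)
    findings = []
    for port, (pri, sec) in sorted(hosts.items()):
        if vtype.get(pri) != "primary" or sec not in assoc.get(pri, set()):
            findings.append(f"{port}: VLAN {sec} is not a secondary of primary {pri}")
        elif vtype.get(sec) == "community":
            findings.append(f"{port}: community VLAN {sec} still lets ports in it reach each other")
        if sec not in mapping.get(f"Vlan{pri}", set()):
            findings.append(f"{port}: SVI Vlan{pri} does not map {sec}, so no gateway reachability")
    return findings

print("\n".join(audit_pvlan(SAMPLE_CONFIG)))
```

Feed it the output of `show running-config` from the 4500 to check every PVLAN host port at once; an empty result means every host port is in an isolated secondary VLAN that is associated with its primary and mapped on the gateway SVI.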
