如何实现VLAN之间的隔离

如何实现VLAN之间的隔离

问题描述

在核心交换机上划分了多个VLAN，需要实现不同VLAN之间的隔离，即禁止VLAN间的相互访问。具体场景是：核心交换机上划分了VLAN 10和VLAN 20，其中PC1属于VLAN 10，PC2属于VLAN 20，要求VLAN 10和VLAN 20之间不能互相访问。

组网图

配置步骤

1. 接口配置及VLAN划分

<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] vlan 10
[H3C] quit
[H3C] vlan 20
[H3C] quit
[H3C] int g1/0/10
[H3C-GigabitEthernet1/0/10] port access vlan 10
[H3C-GigabitEthernet1/0/10] quit
[H3C] int vlan 10
[H3C-Vlan-interface10] ip add 192.168.10.1 24
[H3C-Vlan-interface10] quit
[H3C] int g1/0/20
[H3C-GigabitEthernet1/0/20] port access vlan 20
[H3C-GigabitEthernet1/0/20] quit
[H3C] int vlan 20
[H3C-Vlan-interface20] ip add 192.168.20.1 24
[H3C-Vlan-interface20] quit

2. 创建包过滤策略

[H3C] acl advanced 3000
[H3C-acl-ipv4-adv-3000] rule 0 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[H3C-acl-ipv4-adv-3000] rule 5 permit ip
[H3C-acl-ipv4-adv-3000] quit
[H3C] int vlan 10
[H3C-Vlan-interface10] packet-filter 3000 inbound
[H3C-Vlan-interface10] quit
[H3C] save force

3. 验证配置

• 接交换机10口的电脑地址为192.168.10.2
• 接交换机20口的电脑地址为192.168.20.2

通过上述配置，可以实现VLAN 10和VLAN 20之间的隔离，确保两个VLAN内的设备无法互相访问。