Background
Outsourced employees have no fixed desks and often work from several different locations. To keep management simple, they should only ever be assigned an address from the outsourcing VLAN segment, no matter where they plug in.
Lab environment
Huawei eNSP platform
Technique
This uses the MAC-VLAN feature: the MAC address of each outsourced employee's computer is bound to the outsourcing VLAN, so wherever that employee connects, the access switch assigns the outsourcing VLAN segment based on the computer's MAC address.
Network topology
Device configuration
Core switch
#
vlan batch 10 20 30
#
ip pool vlan10
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
dns-list 8.8.8.8
#
ip pool vlan20
gateway-list 192.168.20.1
network 192.168.20.0 mask 255.255.255.0
dns-list 8.8.8.8
#
ip pool vlan30
gateway-list 192.168.30.1
network 192.168.30.0 mask 255.255.255.0
dns-list 8.8.8.8
#
interface Vlanif10
ip address 192.168.10.1 255.255.255.0
dhcp select global
#
interface Vlanif20
ip address 192.168.20.1 255.255.255.0
dhcp select global
#
interface Vlanif30
ip address 192.168.30.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
Access switch 1
#
vlan batch 10 20 30
#
vlan 30
mac-vlan mac-address 5489-9870-62b2 priority 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 10
port hybrid untagged vlan 10 30
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 10
port hybrid untagged vlan 10 30
mac-vlan enable
#
Access switch 2
#
vlan batch 10 20 30
#
vlan 30
mac-vlan mac-address 5489-984c-3431 priority 0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
port hybrid pvid vlan 20
port hybrid untagged vlan 20 30
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 20
port hybrid untagged vlan 20 30
mac-vlan enable
#
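The two access-switch configurations above can be read as a small classification rule: an untagged frame entering a hybrid port goes to the port's PVID unless the port has mac-vlan enable and the source MAC has a MAC-VLAN entry. The model below is an added example (not from the original post or from Huawei) that applies that rule to the lab's VLAN numbers and MAC addresses; the port names, the staff MAC 5489-aaaa-0001 and the rule that a matched VLAN the port does not carry untagged is dropped are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class HybridPort:
    name: str
    pvid: int              # port hybrid pvid vlan N
    untagged: set          # port hybrid untagged vlan ...
    mac_vlan: bool = False  # "mac-vlan enable" configured on this port

# MAC-VLAN entries from the two access switches above (vlan 30 / mac-vlan mac-address ...)
MAC_VLAN_TABLE = {"5489-9870-62b2": 30, "5489-984c-3431": 30}

def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aabb-ccdd-eeff; return Huawei xxxx-xxxx-xxxx."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))

def classify_untagged_frame(port: HybridPort, src_mac: str, table=MAC_VLAN_TABLE) -> Optional[int]:
    """VLAN assigned to an untagged frame from src_mac entering `port`.

    Only a port with 'mac-vlan enable' consults the MAC-VLAN table; every other
    untagged frame lands in the PVID. A matched VLAN that the port does not
    carry untagged is treated as dropped (None) - an assumption of this model.
    """
    if port.mac_vlan:
        vlan = table.get(normalize_mac(src_mac))
        if vlan is not None:
            return vlan if vlan in port.untagged else None
    return port.pvid

def audit_port(port: HybridPort, table=MAC_VLAN_TABLE) -> list:
    """Flag ports where a MAC-VLAN entry exists but could never be applied."""
    problems = []
    if port.mac_vlan:
        for vlan in sorted(set(table.values())):
            if vlan not in port.untagged:
                problems.append(f"{port.name}: mac-vlan enable but vlan {vlan} is not untagged on the port")
    return problems

if __name__ == "__main__":
    # Constructed port mirroring GE0/0/3 of access switch 1; staff MAC 5489-aaaa-0001 is made up.
    g3 = HybridPort("GE0/0/3", 10, {10, 30}, mac_vlan=True)
    print(classify_untagged_frame(g3, "5489-9870-62b2"))  # 30: outsourced laptop
    print(classify_untagged_frame(g3, "5489-aaaa-0001"))  # 10: staff PC behind the same dumb switch
```

Running `audit_port` over each access port is a quick way to catch a port that has mac-vlan enable but omits VLAN 30 from its untagged list, which is the configuration mistake that silently breaks this design.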
Results
Employee 2: VLAN 10
Outsourced employee 1: VLAN 30
Management 2: VLAN 20
Outsourced employee 2: VLAN 30
Summary
Wherever an outsourced employee works, they can only obtain an address from the outsourcing VLAN 30 segment. Even with an unmanaged (dumb) switch connected downstream, company employees still obtain their own business segment, and the outsourced employee's address assignment is unaffected.
This simplifies management: device configuration does not need to be changed frequently, and it makes security policy easier to define. It suits employees and departments that change desks often.