Private VLAN Technology
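     If a service provider assigns one VLAN to each customer, the number of customers it can support is limited, because a single device supports at most 4096 VLANs. On a layer-3 device, each VLAN is also assigned a subnet or a range of addresses, which wastes IP addresses. One solution is Private VLAN technology.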
     A private VLAN divides the layer-2 broadcast domain of a VLAN into multiple subdomains. Each subdomain consists of a private VLAN pair: a primary VLAN and a secondary VLAN.
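     A private VLAN domain can contain multiple private VLAN pairs, each representing one subdomain. All private VLAN pairs in a private VLAN domain share the same primary VLAN. Each subdomain has a different secondary VLAN ID.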
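     A private VLAN domain has only one primary VLAN. Secondary VLANs provide layer-2 isolation within the same private VLAN domain. There are two types of secondary VLAN:
  Isolated VLAN: ports in the same isolated VLAN cannot communicate with each other at layer 2. A private VLAN domain has only one isolated VLAN.
  Community VLAN: ports in the same community VLAN can communicate with each other at layer 2, but cannot communicate at layer 2 with ports in other community VLANs. A private VLAN domain can have multiple community VLANs.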
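Promiscuous port: a port in the primary VLAN. It can communicate with any port, including the isolated ports and community ports of the secondary VLANs in the same private VLAN domain.
Isolated port: a port in the isolated VLAN. It can communicate only with promiscuous ports.
Community port: a port in a community VLAN. Community ports in the same community VLAN can communicate with each other and with promiscuous ports. They cannot communicate with community ports in other community VLANs or with isolated ports in the isolated VLAN.
In a private VLAN, only the primary VLAN can have an SVI interface; secondary VLANs cannot have an SVI.
Ports in a private VLAN can be SPAN source ports, but cannot be mirroring destination ports.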

Configuration example:

!
version RGNOS 10.2.00(2), Release(29287)(Tue Dec 25 20:39:14 CST 2007 -ngcf49)
co-operate enable
!
!
!
vlan 1
!
vlan 2
 name MZD
 private-vlan community
!
vlan 3
 name youpan
 private-vlan community
!
vlan 4
 name wz
 private-vlan community
!
vlan 11
 name Master
 private-vlan primary
 private-vlan association add 2-4
!
vlan 100
 name to_router
!
!
no service password-encryption
!
!
!
!
!
!
!
!
!
!
!
!
!
enable secret 5 $1$masn$yCpAxvzF40tssyF1
!
!
!
!
interface GigabitEthernet 0/1
 port-group 1
!
interface GigabitEthernet 0/2
 port-group 1
!
interface GigabitEthernet 0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 11 4
!
interface GigabitEthernet 0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 11 4
!
interface GigabitEthernet 0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 11 4
!
interface GigabitEthernet 0/6
 switchport mode private-vlan host
 switchport private-vlan host-association 11 4
!
interface GigabitEthernet 0/7
 switchport mode private-vlan host
 switchport private-vlan host-association 11 4
!
interface GigabitEthernet 0/8
 switchport mode private-vlan host
 switchport private-vlan host-association 11 2
!
interface GigabitEthernet 0/9
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 11 add 2-4
!
interface GigabitEthernet 0/10
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 11 add 2-4
!
interface GigabitEthernet 0/11
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 11 add 2-4
!
interface GigabitEthernet 0/12
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 11 add 2-4
!
interface GigabitEthernet 0/13
 switchport mode private-vlan host
 switchport private-vlan host-association 11 2
!
interface GigabitEthernet 0/14
 switchport mode private-vlan host
 switchport private-vlan host-association 11 2
!
interface GigabitEthernet 0/15
 switchport mode private-vlan host
 switchport private-vlan host-association 11 2
!
interface GigabitEthernet 0/16
 switchport mode private-vlan host
 switchport private-vlan host-association 11 2
!
interface GigabitEthernet 0/17
 switchport mode private-vlan host
 switchport private-vlan host-association 11 3
!
interface GigabitEthernet 0/18
 switchport mode private-vlan host
 switchport private-vlan host-association 11 3
!
interface GigabitEthernet 0/19
 switchport mode private-vlan host
 switchport private-vlan host-association 11 3
!
interface GigabitEthernet 0/20
 switchport mode private-vlan host
 switchport private-vlan host-association 11 3
!
interface GigabitEthernet 0/21
 switchport mode private-vlan host
 switchport private-vlan host-association 11 3
!
interface GigabitEthernet 0/22
 switchport mode private-vlan host
 switchport private-vlan host-association 11 3
!
interface GigabitEthernet 0/23
 switchport mode private-vlan host
 switchport private-vlan host-association 11 3
!
interface GigabitEthernet 0/24
 switchport access vlan 100
!
interface AggregatePort 1
 switchport mode private-vlan host
 switchport private-vlan host-association 11 2
!
interface VLAN 1
!
interface VLAN 11
 ip address 192.168.0.254 255.255.255.0
 private-vlan mapping add 2-4
!
interface VLAN 100
 ip address 192.168.100.1 255.255.255.0
!
!
!
!
!
!
ip route 0.0.0.0 0.0.0.0 192.168.100.2
!
!
line con 0
line vty 0 4
 login
 password infotech
!
!
!
!
!
end
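
The port rules described above (promiscuous, isolated, community) can be checked mechanically against a configuration. The following Python is an added example, not from the original page or the vendor: it parses private-VLAN lines in the syntax shown above and answers whether two ports can communicate at layer 2. The function names `parse` and `can_talk`, VLAN 5, the `private-vlan isolated` keyword and the `2-3,5` list form in the constructed sample are assumptions.

```python
import re

# Added example with hypothetical helper names. SAMPLE is constructed and abridged
# (mode lines omitted); VLAN 5 and "private-vlan isolated" are assumptions.
SAMPLE = """\
vlan 2
 private-vlan community
vlan 3
 private-vlan community
vlan 5
 private-vlan isolated
vlan 11
 private-vlan primary
interface GigabitEthernet 0/8
 switchport private-vlan host-association 11 2
interface GigabitEthernet 0/13
 switchport private-vlan host-association 11 2
interface GigabitEthernet 0/17
 switchport private-vlan host-association 11 3
interface GigabitEthernet 0/1
 switchport private-vlan host-association 11 5
interface GigabitEthernet 0/2
 switchport private-vlan host-association 11 5
interface GigabitEthernet 0/9
 switchport private-vlan mapping 11 add 2-3,5
"""

def parse(cfg):
    """Return ({vlan_id: type}, {port: (role, primary, secondary)})."""
    vlans, ports, cur = {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"(?:vlan|interface) (.+)", line):
            cur = m[1]  # current "vlan N" or "interface X" block
        elif m := re.match(r" private-vlan (primary|community|isolated)", line):
            vlans[int(cur)] = m[1]
        elif m := re.match(r" switchport private-vlan host-association (\d+) (\d+)", line):
            ports[cur] = ("host", int(m[1]), int(m[2]))
        elif m := re.match(r" switchport private-vlan mapping (\d+)", line):
            ports[cur] = ("promiscuous", int(m[1]), None)
    return vlans, ports

def can_talk(vlans, ports, a, b):
    """Layer-2 reachability between ports a and b under the rules above."""
    (ra, pa, sa), (rb, pb, sb) = ports[a], ports[b]
    if pa != pb:
        return False  # different private VLAN domains
    if "promiscuous" in (ra, rb):
        return True   # a promiscuous port reaches every port in its domain
    return sa == sb and vlans.get(sa) == "community"  # isolated ports never peer
```

Calling `parse` on a saved running configuration and then `can_talk` on each pair of host ports gives the intended isolation matrix, which can be compared with what is observed on the wire.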