Requirements
1. Outside computers must not be able to access the internal network without authorization.
2. An internal user who moves to a different location at will must not be able to access the internal network.
The lab topology is as follows:
Procedure
The detailed configuration of LSW1 is as follows:
//Change the device name
[Huawei]sysname LSW1
//Enable the DHCP function
[LSW1]dhcp enable
//Create VLAN 10 for the internal network
[LSW1]vlan 10
[LSW1-vlan10]quit
//Configure the VLANIF interface address
[LSW1]inter vlan 10
[LSW1-Vlanif10]ip add 192.168.10.254 24
[LSW1-Vlanif10]dhcp select global //use the global address pool
[LSW1-Vlanif10]quit
//Configure the DHCP address pool
[LSW1]ip pool vlan10
[LSW1-ip-pool-vlan10]gateway-list 192.168.10.254
[LSW1-ip-pool-vlan10]network 192.168.10.0 mask 24
[LSW1-ip-pool-vlan10]excluded-ip-address 192.168.10.1 192.168.10.100
[LSW1-ip-pool-vlan10]excluded-ip-address 192.168.10.200 192.168.10.253
[LSW1-ip-pool-vlan10]lease day 0 hour 8
[LSW1-ip-pool-vlan10]dns-list 61.139.2.69
[LSW1-ip-pool-vlan10]quit
//Configure the user-facing port
[LSW1]inter e0/0/1
[LSW1-Ethernet0/0/1]port link-type access
[LSW1-Ethernet0/0/1]port default vlan 10
[LSW1-Ethernet0/0/1]port-security enable //enable port security
[LSW1-Ethernet0/0/1]port-security mac-address sticky //enable sticky secure MAC learning
[LSW1-Ethernet0/0/1]port-security max-mac-num 1 //limit the number of secure MAC addresses to 1
[LSW1-Ethernet0/0/1]port-security protect-action restrict //drop frames from other, non-secure MAC addresses and raise an alarm
//Configure the inter-switch ports
[LSW1-Ethernet0/0/1]inter g0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type trunk
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[LSW1-GigabitEthernet0/0/1]undo port trunk allow-pass vlan 1
[LSW1-GigabitEthernet0/0/1]inter g0/0/2
[LSW1-GigabitEthernet0/0/2]port link-type trunk
[LSW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 10
[LSW1-GigabitEthernet0/0/2]undo port trunk allow-pass vlan 1
The LSW2 configuration is as follows:
#
sysname LSW2
#
vlan batch 10
#
interface Ethernet0/0/1
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
#
The LSW3 configuration is as follows:
#
sysname LSW3
#
vlan batch 10
#
interface Ethernet0/0/1
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
#
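The policy above depends on every user-facing access port carrying the same four port-security commands, and the LSW2/LSW3 listings show how easy it is for some of them (max-mac-num, protect-action) to be left implicit. The following script, an added example that is not part of the original lab write-up, parses the `display current-configuration` layout shown for LSW2/LSW3 (blocks separated by `#`, an `interface <name>` line followed by its commands) and reports every access port that does not state all four commands explicitly, so that nothing is left to device defaults. The sample configuration embedded in it is constructed for the example (it adds a non-compliant Ethernet0/0/2 to an LSW2-style config), and the function names `parse_interfaces` and `audit_port_security` are this example's own.

```python
"""Audit a Huawei VRP-style switch configuration for port security on access ports.

Added example, not code from the original page. It assumes the
display-current-configuration layout shown on the page: blocks separated by
'#', an 'interface <name>' line followed by indented commands.
"""
import re
from dataclasses import dataclass, field

# Constructed sample (not a real device dump): one compliant access port,
# one access port with no port-security at all, and a trunk uplink.
SAMPLE_CONFIG = """\
#
sysname LSW2
#
vlan batch 10
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
 port-security max-mac-num 1
 port-security protect-action restrict
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10
#
"""


@dataclass
class Interface:
    name: str
    commands: list = field(default_factory=list)


def parse_interfaces(config_text):
    """Return a dict name -> Interface for every 'interface' block in the config."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None  # a '#' line terminates the current block
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = Interface(m.group(1))
            interfaces[current.name] = current
        elif current is not None:
            current.commands.append(line)
    return interfaces


# The four commands the page applies to a user-facing access port.
REQUIRED = (
    "port-security enable",
    "port-security mac-address sticky",
    "port-security max-mac-num 1",
    "port-security protect-action restrict",
)


def audit_port_security(config_text):
    """Return {port_name: [missing commands]} for every access port not fully configured.

    A setting that is absent is reported as missing rather than assumed to be
    covered by a device default, so the audit result does not depend on the
    platform's defaults.
    """
    findings = {}
    for name, intf in parse_interfaces(config_text).items():
        if "port link-type access" not in intf.commands:
            continue  # trunk/uplink ports are outside this check
        missing = [cmd for cmd in REQUIRED if cmd not in intf.commands]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for port, missing in audit_port_security(SAMPLE_CONFIG).items():
        print(f"{port}: missing {', '.join(missing)}")
```

Run against the page's own LSW2 or LSW3 listing, the audit flags Ethernet0/0/1 for the missing `max-mac-num 1` and `protect-action restrict` lines; whether relying on the defaults for those two is acceptable is a policy decision, but the script makes the reliance visible.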
The test results are as follows:
Internal users obtain IP addresses normally and can reach each other.
When the external user is connected to internal user 1's port, it cannot obtain an IP address and the switch generates a warning message.
When internal user 2 is connected to internal user 1's port, it likewise cannot obtain an IP address and the switch generates a warning message.
If internal user 2 is authorized to connect to LSW3, it is enough to disable and then re-enable sticky MAC on LSW3's interface Ethernet0/0/1; disabling it clears the sticky MAC address the port learned earlier, so the re-enabled port can learn the new user's MAC address as its secure MAC.
The configuration is as follows:
[LSW3]inter e0/0/1
[LSW3-Ethernet0/0/1]undo port-security mac-address sticky
[LSW3-Ethernet0/0/1]port-security mac-address sticky
The user then obtains an IP address correctly and communicates normally with internal user 3.