VLAN isolation
1. Scenarios and implementations

scenario | implementation
---|---
Users connected to the same device belong to the same VLAN, and mutual access between certain users must be prohibited | Port isolation
Many users are connected to the device with mixed requirements: some VLANs must communicate with each other, some VLANs must be isolated from one another, and some VLANs must be isolated internally | MUX VLAN
VLANs already communicate at Layer 3, and mutual access between some users must be disabled, or only one-way access allowed | Traffic policy (MQC)
2. Port isolation
Isolation of ports in the same VLAN

If some users in the same VLAN must not communicate with each other, configure port isolation: add the ports to an isolation group, and Layer 2 forwarding between members of that group is blocked. Two caveats: the default mode (port-isolate mode l2) blocks Layer 2 only, so isolated hosts in the same subnet can still reach each other through a gateway that performs proxy ARP for them; and an isolation group is local to one switch, so it does not separate hosts that sit on different switches.
1. Configuration cases
scenario
PC1, PC2 and PC3 are all in VLAN 1. PC1 and PC2 must not be able to access each other, but PC3 must be able to access both PC1 and PC2.
Port Isolation Configuration
```
interface GigabitEthernet0/0/1
 port link-type access
 port-isolate enable group 1
interface GigabitEthernet0/0/2
 port link-type access
 port-isolate enable group 1
```

Only the PC1 and PC2 ports join isolation group 1; the PC3 port stays outside the group and therefore keeps normal forwarding to both.
Validation:

- PC1 pings PC2 and PC3: PC2 is unreachable, PC3 is reachable.
- PC2 pings PC1 and PC3: PC1 is unreachable, PC3 is reachable.
- PC3 pings PC1 and PC2: both are reachable.
3. MUX VLAN (Multiplex VLAN)

Inter-VLAN communication, inter-VLAN isolation and intra-VLAN isolation

- A mechanism for controlling access to network resources through VLANs.
- Users on the same network segment communicate with, or are isolated from, each other purely at Layer 2: they keep one subnet and one gateway.
- Devices on the same network segment are assigned to different VLANs. A MUX VLAN has one principal VLAN and two kinds of subordinate VLAN: ports in a group VLAN can reach the principal VLAN and each other; ports in a separate VLAN can reach only the principal VLAN, not each other and not any other subordinate VLAN.
- That is, inter-VLAN communication, inter-VLAN isolation and intra-VLAN isolation are implemented at the same time.
- Like port isolation, this is Layer 2 isolation only; a Layer 3 gateway in the principal VLAN can still forward between isolated hosts unless a traffic policy (section 4) blocks it.
- Cisco equivalent: Private VLAN (PVLAN).
1. Configuration cases
scenario
- All users can access the Server.
- PC1 and PC2 can communicate with each other, but not with PC3 or PC4.
- PC3 and PC4 are isolated from each other and from PC1 and PC2.
Basic configuration: PC1, PC2, PC3, PC4 and Server are each attached to an access port of the same switch (Server on GigabitEthernet0/0/1, PC1 to PC4 on 0/0/2 to 0/0/5). MUX VLAN configuration:

```
vlan batch 2 3 4                 // create the VLANs
vlan 2
 mux-vlan                        // VLAN 2 is the principal VLAN
 subordinate separate 4          // VLAN 4 is the separate subordinate VLAN
 subordinate group 3             // VLAN 3 is the group subordinate VLAN
interface GigabitEthernet0/0/1   // Server
 port link-type access
 port default vlan 2
 port mux-vlan enable            // MUX VLAN takes effect on a port only after this
interface GigabitEthernet0/0/2   // PC1
 port link-type access
 port default vlan 3
 port mux-vlan enable
interface GigabitEthernet0/0/3   // PC2
 port link-type access
 port default vlan 3
 port mux-vlan enable
interface GigabitEthernet0/0/4   // PC3
 port link-type access
 port default vlan 4
 port mux-vlan enable
interface GigabitEthernet0/0/5   // PC4
 port link-type access
 port default vlan 4
 port mux-vlan enable
```

Validation: expected ping results are that every PC reaches the Server, PC1 and PC2 reach each other, and PC3 and PC4 reach neither each other nor PC1 or PC2.
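The expected ping matrices of both lab cases (the port isolation case in section 2 and the MUX VLAN case above) follow from a handful of forwarding rules. The following model is an added example, not code from the original page: it encodes those rules so that the intended reachability can be written down and checked before the configuration is pushed, and the resulting set of "must not ping" pairs becomes the post-deployment test list. Host names and VLAN numbers are the page's lab scenarios; the `Port` and `MuxVlan` classes and the function names are this example's own.

```python
"""Layer-2 reachability model for port isolation and MUX VLAN.

Added example (not code from the original page).  The host names and VLAN
numbers come from the page's two lab scenarios; the classes and functions
are this example's own names.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Port:
    name: str                            # host attached to the access port
    vlan: int                            # port default vlan N
    isolate_group: Optional[int] = None  # port-isolate enable group N (None = not isolated)


@dataclass
class MuxVlan:
    principal: int                                   # vlan N / mux-vlan
    group: Set[int] = field(default_factory=set)     # subordinate group VLANs
    separate: Set[int] = field(default_factory=set)  # subordinate separate VLANs

    def members(self) -> Set[int]:
        return {self.principal} | self.group | self.separate


def l2_reachable(a: Port, b: Port, mux: Optional[MuxVlan] = None) -> bool:
    """Can a frame from port a be forwarded to port b by this switch?

    Port isolation: ports in the same isolation group never exchange frames,
    even in the same VLAN.  MUX VLAN: the principal VLAN reaches every
    subordinate VLAN; ports in the same group VLAN reach each other; ports in
    a separate VLAN reach only the principal VLAN.  Outside a MUX VLAN,
    forwarding is plain same-VLAN switching.
    """
    if a.isolate_group is not None and a.isolate_group == b.isolate_group:
        return False
    if mux is None or a.vlan not in mux.members() or b.vlan not in mux.members():
        return a.vlan == b.vlan
    if mux.principal in (a.vlan, b.vlan):
        return True
    return a.vlan == b.vlan and a.vlan in mux.group


def reachability(ports: Iterable[Port],
                 mux: Optional[MuxVlan] = None) -> Dict[Tuple[str, str], bool]:
    """Expected ping matrix: (source host, destination host) -> reachable."""
    ports = list(ports)
    return {(a.name, b.name): l2_reachable(a, b, mux)
            for a in ports for b in ports if a is not b}


def unreachable_pairs(ports: Iterable[Port],
                      mux: Optional[MuxVlan] = None) -> Set[Tuple[str, str]]:
    """The pairs that must NOT ping: the list to verify after deployment."""
    return {pair for pair, ok in reachability(ports, mux).items() if not ok}


# Port isolation case: PC1 and PC2 in isolation group 1, PC3 not isolated.
ISOLATION_PORTS = [Port("PC1", 1, 1), Port("PC2", 1, 1), Port("PC3", 1)]

# MUX VLAN case: VLAN 2 principal (Server), VLAN 3 group (PC1, PC2),
# VLAN 4 separate (PC3, PC4).
MUX = MuxVlan(principal=2, group={3}, separate={4})
MUX_PORTS = [Port("Server", 2), Port("PC1", 3), Port("PC2", 3),
             Port("PC3", 4), Port("PC4", 4)]


if __name__ == "__main__":
    for label, ports, mux in (("port isolation", ISOLATION_PORTS, None),
                              ("MUX VLAN", MUX_PORTS, MUX)):
        print(label)
        for (src, dst), ok in sorted(reachability(ports, mux).items()):
            print(f"  {src:6} -> {dst:6}: {'reachable' if ok else 'isolated'}")
```

The model deliberately stops at Layer 2: a pair reported as isolated can still be bridged by a gateway doing proxy ARP, which is exactly the gap the traffic policy of section 4 closes.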
4. MQC traffic policy

Once different VLANs can communicate with each other, isolate some VLANs or users again.

MQC: Modular QoS Command-line interface

- A powerful and general configuration method.
- Packets that share a set of characteristics are classified into one class, and every packet of that class receives the same treatment.
- The main advantage of the modular approach is that it saves configuration effort and supports batch modification: change a behavior once and every policy that binds it follows.
1. Three elements of MQC
Traffic classification, traffic behavior, and traffic policy
Term | Note
---|---
Traffic classifier | Defines a set of matching rules (for example `if-match acl`) used to classify packets
Traffic behavior | Defines the actions applied to a class of packets, such as packet filtering (permit/deny), traffic policing, re-marking, rate limiting and traffic statistics
Traffic policy | Binds a traffic classifier to a traffic behavior; the behavior's actions are applied to the packets the classifier matches
2. Apply traffic policies to vlans
- Layer 2 isolation within a VLAN: users in one VLAN can be isolated in any combination (one-way or two-way isolation between any pair of users).
- Layer 3 isolation between VLANs: some users are forbidden to communicate with each other, or only one-way access is allowed.
3. MQC configuration process
- Configure traffic classification: classify packets according to certain rules; this is the basis for differentiated treatment.
- Configure a traffic behavior: specify the traffic-control or resource-allocation actions for packets that match a classification rule.
- Configure a traffic policy: bind a traffic classifier to a traffic behavior to form a complete policy.
- Apply the traffic policy: policies can be applied globally, to interfaces, or to VLANs.
4. Configuration cases
scenario
- Visitors can only access the Internet and cannot communicate with users on any other VLAN.
- Employee A can access all resources in the server area, but other employees can access only port 21 of server A (FTP service).
Basic configuration. Topology: Visitor A is in VLAN 10 behind SW1, Employee A and Employee B are in VLAN 20 behind SW2, Server A is in VLAN 30 behind SW3, and SW4 is the Layer 3 core switch with VLANIF interfaces for VLANs 10, 20, 30 and 100 (VLAN 100, 10.1.100.0/24, is presumably the uplink segment toward the Internet). The abbreviated commands of the original are expanded below.

SW1

```
system-view
sysname SW1
vlan batch 10 20 30 100
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan all     // uplink to SW4
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10               // Visitor A
```

`port trunk allow-pass vlan all` also carries VLAN 1 and every VLAN created later; on a production trunk, prune to the VLANs the link actually needs.
SW2
```
system-view
sysname SW2
vlan batch 10 20 30 100
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan all     // uplink to SW4
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20               // Employee A
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20               // Employee B
```
SW3
```
system-view
sysname SW3
vlan batch 10 20 30 100
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan all     // uplink to SW4
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 30               // Server A
```
SW4
```
system-view
sysname SW4
vlan batch 10 20 30 100
interface Vlanif10
 ip address 10.1.1.254 24           // gateway of the visitor VLAN
interface Vlanif20
 ip address 10.1.2.254 24           // gateway of the employee VLAN
interface Vlanif30
 ip address 10.1.3.254 24           // gateway of the server VLAN
interface Vlanif100
 ip address 10.1.100.254 24
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan all
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan all
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan all
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan all
```
MQC traffic policy configuration

The page does not say on which switch the policy lives; SW4 is the natural place, since that is where traffic is routed between VLANs. Rule 10 of ACL 3001 is printed on the page as `permit tcp source 10.1.3.2 0 destination-port eq ftp`; applied inbound on VLAN 20 that rule never matches (the source there is always an employee address in 10.1.2.0/24), so Employee B would fall through to rule 15 and be denied. Server A (10.1.3.2) has to be the destination, which is what the block below uses.

```
acl number 3000
 rule 5 deny ip destination 10.1.2.0 0.0.0.255     // visitors may not reach the employee VLAN
 rule 10 deny ip destination 10.1.3.0 0.0.0.255    // visitors may not reach the server VLAN
acl number 3001
 rule 5 permit ip source 10.1.2.2 0 destination 10.1.3.0 0.0.0.255   // Employee A: all server resources
 rule 10 permit tcp destination 10.1.3.2 0 destination-port eq ftp  // other employees: port 21 of Server A only
 rule 15 deny ip destination 10.1.3.0 0.0.0.255                      // everything else toward the server VLAN
traffic classifier libai operator and
 if-match acl 3000                  // classifier libai matches ACL 3000
traffic classifier huawei operator and
 if-match acl 3001                  // classifier huawei matches ACL 3001
traffic behavior b1
 permit                             // action: permit
traffic policy admin
 classifier libai behavior b1       // bind libai to b1
traffic policy root
 classifier huawei behavior b1      // bind huawei to b1
vlan 10
 traffic-policy admin inbound       // apply policy admin to the visitor VLAN
vlan 20
 traffic-policy root inbound        // apply policy root to the employee VLAN
```

Two points that make a `permit` behavior work as a filter on Huawei S-series switches: a packet that matches a deny rule of the ACL is discarded regardless of the bound behavior, and a packet that matches no rule at all is not classified and is forwarded normally. That is why ACL 3000 needs no permit rule for Internet-bound traffic, and why ACL 3001 must end with an explicit deny.
validation
Expected results:

- Visitors can only access the Internet and cannot communicate with users in any other VLAN (in this configuration that means VLANs 20 and 30; traffic toward VLAN 100 is untouched).
- Employee A can access all resources (HTTP, FTP) in the server area.
- Employee B can access only port 21 of Server A (the FTP control channel). Note that an FTP transfer also needs a data connection on a separate, negotiated port, so with only port 21 permitted the login succeeds but directory listings and file transfers fail unless the passive-mode port range is also permitted or the device tracks FTP state.
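The expected results above can be checked without a lab by evaluating the ACLs the way the switch does. The following is an added example, not code from the original page: a small evaluator for the subset of ACL syntax the page uses (advanced ACL, first match in rule-number order, wildcard masks, `destination-port eq`) combined with the traffic-policy semantics of Huawei S-series switches (a deny match is dropped even though the bound behavior is `permit`; no match is forwarded). Employee A (10.1.2.2) and Server A (10.1.3.2) are the page's addresses; the Visitor (10.1.1.2), Employee B (10.1.2.3) and Internet (10.1.100.1) addresses are constructed for the check, and the class and function names are this example's own. It also carries the page's rule 10 exactly as printed, to show that the source-based form cuts Employee B off.

```python
"""ACL / traffic-policy checker for the inter-VLAN isolation case.

Added example (not code from the original page).  Visitor 10.1.1.2,
Employee B 10.1.2.3 and Internet 10.1.100.1 are constructed addresses;
Employee A 10.1.2.2 and Server A 10.1.3.2 are the page's.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # rule has no source/destination clause


def _addr(text: str) -> int:
    # Huawei prints a host wildcard as a bare "0" (e.g. "source 10.1.2.2 0").
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: bits set to 1 in the wildcard are ignored."""
    care = ~_addr(wildcard) & 0xFFFFFFFF
    return (_addr(addr) ^ _addr(base)) & care == 0


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                        # "permit" or "deny"
    protocol: str = "ip"               # "ip" matches every protocol
    source: Tuple[str, str] = ANY      # (address, wildcard)
    destination: Tuple[str, str] = ANY
    dport: Optional[int] = None        # destination-port eq N

    def matches(self, f: Flow) -> bool:
        return (self.protocol in ("ip", f.proto)
                and wildcard_match(f.src, *self.source)
                and wildcard_match(f.dst, *self.destination)
                and (self.dport is None or self.dport == f.dport))


def acl_action(rules: List[Rule], f: Flow) -> Optional[str]:
    """Action of the first matching rule in rule-number order, or None."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(f):
            return r.action
    return None


def verdict(f: Flow, vlan: int, policy: Dict[int, List[Rule]]) -> str:
    """Fate of a packet entering `vlan` under an inbound traffic policy whose
    classifier is `if-match acl` and whose behavior is `permit`: a deny match
    is dropped, a permit match or no match is forwarded."""
    rules = policy.get(vlan)
    if rules is None:
        return "forward"               # no policy bound to this VLAN
    return "drop" if acl_action(rules, f) == "deny" else "forward"


# acl number 3000 (applied inbound on the visitor VLAN 10)
ACL_3000 = [Rule(5, "deny", destination=("10.1.2.0", "0.0.0.255")),
            Rule(10, "deny", destination=("10.1.3.0", "0.0.0.255"))]
# acl number 3001 (applied inbound on the employee VLAN 20), rule 10 on the destination
ACL_3001 = [Rule(5, "permit", source=("10.1.2.2", "0"), destination=("10.1.3.0", "0.0.0.255")),
            Rule(10, "permit", "tcp", destination=("10.1.3.2", "0"), dport=21),
            Rule(15, "deny", destination=("10.1.3.0", "0.0.0.255"))]
# rule 10 exactly as printed on the page (matches on *source* 10.1.3.2)
ACL_3001_AS_PRINTED = [ACL_3001[0],
                       Rule(10, "permit", "tcp", source=("10.1.3.2", "0"), dport=21),
                       ACL_3001[2]]

POLICY = {10: ACL_3000, 20: ACL_3001}   # vlan 10 -> policy admin, vlan 20 -> policy root

VISITOR, EMPLOYEE_A, EMPLOYEE_B = "10.1.1.2", "10.1.2.2", "10.1.2.3"   # first and last are constructed
SERVER_A, INTERNET = "10.1.3.2", "10.1.100.1"                          # INTERNET is constructed


def check_scenario(policy: Dict[int, List[Rule]] = POLICY) -> Dict[str, str]:
    """Verdicts for the flows the page's expected results talk about."""
    return {
        "visitor->employee":      verdict(Flow(VISITOR, EMPLOYEE_A, dport=445), 10, policy),
        "visitor->server":        verdict(Flow(VISITOR, SERVER_A, dport=80), 10, policy),
        "visitor->internet":      verdict(Flow(VISITOR, INTERNET, dport=443), 10, policy),
        "employeeA->server http": verdict(Flow(EMPLOYEE_A, SERVER_A, dport=80), 20, policy),
        "employeeB->server ftp":  verdict(Flow(EMPLOYEE_B, SERVER_A, dport=21), 20, policy),
        "employeeB->server http": verdict(Flow(EMPLOYEE_B, SERVER_A, dport=80), 20, policy),
    }


if __name__ == "__main__":
    for name, fate in check_scenario().items():
        print(f"{name:24} {fate}")
    print("as printed, employeeB->server ftp:",
          check_scenario({10: ACL_3000, 20: ACL_3001_AS_PRINTED})["employeeB->server ftp"])
```

Run it before and after editing an ACL: any flow whose verdict changes is a flow to re-test on the real switch with `display traffic policy statistics` or a ping from the affected host.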