分别使用路由器、防火墙和三层交换机实现VLAN间的通信

VLAN间通信

实施环境：最新华为模拟器eNSP

1、要求：

现有一台路由器、三台交换机和四台PC机，PC1、PC3在VLAN 10中，PC2、PC4在VLAN 20中，要求能够实现不同VLAN间的通信。

2、网络拓扑图

3、设备配置

（1）路由器R1的配置

<Huawei>system-view

Enter system view, return user view with Ctrl+Z.

[Huawei]sysname R1

[R1]int eth0/0/0.1

[R1-Ethernet0/0/0.1]ip add

[R1-Ethernet0/0/0.1]ip address 1

//给VLAN打标签

[R1-Ethernet0/0/0.1]vlan-type dot1q 10

[R1-Ethernet0/0/0.1]quit

[R1]int eth0/0/0.2

//配置IP地址

[R1-Ethernet0/0/0.2]ip address 192.168.20.1 24

//给VLAN打标签

[R1-Ethernet0/0/0.2]vlan-type dot1q 20

（2）交换机SW1的配置

<Huawei>system-view

Enter system view, return user view with Ctrl+Z.

[Huawei]sys

[Huawei]sysname SW1

//创建VLAN

[SW1]vlan10

[SW1-vlan10]vlan 20

[SW1]int eth0/0/1

//把eth0/0/1设为trunk

[SW1-Ethernet0/0/1]port link-type trunk

//trunk下允许所有VLAN通过

[SW1-Ethernet0/0/1]port trunk allow-pass vlan all

[SW1]int eth0/0/2

//把eth0/0/2设为trunk

[SW1-Ethernet0/0/2]port link-type trunk

//trunk下允许所有VLAN通过

[SW1-Ethernet0/0/2]port trunk allow-pass vlan all

[SW1-Ethernet0/0/1]int eth0/0/3

//把eth0/0/3设为trunk

[SW1-Ethernet0/0/3]port link-type trunk

//trunk下允许所有VLAN通过

[SW1-Ethernet0/0/3]port trunk allow-pass vlan all

（3）交换机SW2的配置

<Huawei>system-view

Enter system view, return user view with Ctrl+Z.

[Huawei]sys

[Huawei]sysname SW2

[SW2]vlan 10

[SW2-vlan10]vlan 20

[SW2-vlan20]quit

[SW2]int eth0/0/1

//把eth0/0/1设为trunk类型

[SW2-Ethernet0/0/1]port link-type trunk

//在trunk下允许所有VLAN通过

[SW2-Ethernet0/0/1]port trunk allow-pass vlan all

[SW2-Ethernet0/0/1]int eth0/0/2

//把eth0/0/2设为access类型

[SW2-Ethernet0/0/2]port link-type access

[SW2]vlan 10

[SW2-vlan10]por

//把eth0/0/2加入VLAN 10

[SW2-vlan10]port eth0/0/2

[SW2]int eth0/0/3

//把eth0/0/3设为access类型

[SW2-Ethernet0/0/3]port link-type ac

[SW2-Ethernet0/0/3]port link-type access

[SW2]vlan 20

[SW2-vlan20]port

//把eth0/0/3加入VLAN 20

[SW2-vlan20]port eth0/0/3

（4）交换机SW3的配置

<Huawei>system-view

Enter system view, return user view with Ctrl+Z.

[Huawei]sy

//修改名称

[Huawei]sysname SW3

//创建VLAN

[SW3]vlan 10

[SW3-vlan10]vlan 20

[SW3-vlan20]quit

[SW3]int eth0/0/1

[SW3-Ethernet0/0/1]port link-type tr

[SW3-Ethernet0/0/1]port link-type trunk

[SW3-Ethernet0/0/1]port trunk allow-pass vlan all

[SW3-Ethernet0/0/1]quit

[SW3]int eth0/0/2

[SW3-Ethernet0/0/2]port link-type ac

[SW3-Ethernet0/0/2]port link-type access

[SW3-Ethernet0/0/2]quit

[SW3]vlan 10

[SW3-vlan10]port

[SW3-vlan10]port eth0/0/2

[SW3-vlan10]quit

[SW3]int eth0/0/3

[SW3-Ethernet0/0/3]port link-type access

[SW3]vlan 20

[SW3-vlan20]port eth0/0/3

（5）PC1的配置

（6）PC2的配置

（7）PC3的配置

（8）PC4的配置

4、测试验证

（1）PC1 ping PC3

（2）PC1 ping PC4

从上面可以看出相同VLAN和不同VLAN间都已经相互了通信

思考：

如果把路由器换成三层交换机或者防火墙该怎么实现？

1、把路由器换成三层交换机，具体操作如下：

如果把路由器换成三层交换机，则其他交换机和PC机的配置都不变，只需配置三层交换机，三层交换机的配置如下：

<Huawei>sys

<Huawei>system-view

Enter system view, return user view with Ctrl+Z.

[Huawei]sys

[Huawei]sysname S1

//创建VLAN

[S1]vlan 10

[S1-vlan10]vlan 20

[S1]int GigabitEthernet0/0/1

//把GigabitEthernet0/0/1设为trunk

[S1-GigabitEthernet0/0/1]port link-type tr

[S1-GigabitEthernet0/0/1]port link-type trunk

//在trunk下允许所有VLAN通过

[S1-GigabitEthernet0/0/1]port trunk allow-pass vlan all

//在VLAN 10配置IP地址

[S1]int Vlanif 10

[S1-Vlanif10]ip add

[S1-Vlanif10]ip address 192.168.10.1 24

//在VLAN 20配置IP地址

[S1-Vlanif10]quit

[S1]int Vlanif 20

[S1-Vlanif20]ip address 192.168.20.1 24

这样就配置好了可以测试一下PC4分别ping PC1和PC2，如下所示：

2、把路由器换成防火墙，具体操作如下：

如果把路由器换成防火墙，则其他交换机和PC机的配置都不变，只需配置防火墙，防火墙的配置如下：

<SRG>system-view

20:39:34  2014/04/26

Enter system view, return user view with Ctrl+Z.

[SRG]sys

[SRG]sysname firewall

[firewall]int GigabitEthernet0/0/0.1

20:41:01  2014/04/26

[firewall-GigabitEthernet0/0/0.1] ip add

[firewall-GigabitEthernet0/0/0.1] ip address 192.168.10.1 24

[firewall-GigabitEthernet0/0/0.1]vlan-type dot1q 10

[firewall]int GigabitEthernet0/0.2

[firewall-GigabitEthernet0/0/0.2]ip ad

[firewall-GigabitEthernet0/0/0.2]ip address 192.168.20.1 24

[firewall-GigabitEthernet0/0/0.2]vlan-type do

[firewall-GigabitEthernet0/0/0.2]vlan-type dot1q 20

[firewall]firewall zone trust

[firewall-zone-trust]add interface g

[firewall-zone-trust]add interface GigabitEthernet0/0/0.1

20:45:43  2014/04/26

[firewall-zone-trust]add interface GigabitEthernet0/0/0.2

此时已经配置完成，可以进行测试一下用PC3 ping PC1和PC2结果如下图所示：