分别使用路由器、防火墙和三层交换机实现VLAN间的通信

VLAN间通信

实施环境：最新华为模拟器eNSP1、要求：现有一台路由器、三台交换机和四台PC机，PC1、PC3在VLAN 10中，PC2、PC4在VLAN 20中，要求能够实现不同VLAN间的通信。2、网络拓扑图

3、设备配置（1）路由器R1的配置<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname R1
[R1]int eth0/0/0.1
[R1-Ethernet0/0/0.1]ip add
[R1-Ethernet0/0/0.1]ip address 1//给VLAN打标签[R1-Ethernet0/0/0.1]vlan-type dot1q 10[R1-Ethernet0/0/0.1]quit
[R1]int eth0/0/0.2//配置IP地址[R1-Ethernet0/0/0.2]ip address 192.168.20.1 24//给VLAN打标签[R1-Ethernet0/0/0.2]vlan-type dot1q 20（2）交换机SW1的配置<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sys
[Huawei]sysname SW1
//创建VLAN
[SW1]vlan10[SW1-vlan10]vlan 20[SW1]int eth0/0/1//把eth0/0/1设为trunk[SW1-Ethernet0/0/1]port link-type trunk //trunk下允许所有VLAN通过[SW1-Ethernet0/0/1]port trunk allow-pass vlan all[SW1]int eth0/0/2//把eth0/0/2设为trunk[SW1-Ethernet0/0/2]port link-type trunk//trunk下允许所有VLAN通过[SW1-Ethernet0/0/2]port trunk allow-pass vlan all[SW1-Ethernet0/0/1]int eth0/0/3//把eth0/0/3设为trunk[SW1-Ethernet0/0/3]port link-type trunk//trunk下允许所有VLAN通过[SW1-Ethernet0/0/3]port trunk allow-pass vlan all（3）交换机SW2的配置<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sys
[Huawei]sysname SW2
[SW2]vlan 10[SW2-vlan10]vlan 20[SW2-vlan20]quit
[SW2]int eth0/0/1//把eth0/0/1设为trunk类型[SW2-Ethernet0/0/1]port link-type trunk//在trunk下允许所有VLAN通过[SW2-Ethernet0/0/1]port trunk allow-pass vlan all[SW2-Ethernet0/0/1]int eth0/0/2//把eth0/0/2设为access类型[SW2-Ethernet0/0/2]port link-type access[SW2]vlan 10
[SW2-vlan10]por
//把eth0/0/2加入VLAN 10[SW2-vlan10]port eth0/0/2[SW2]int eth0/0/3
//把eth0/0/3设为access类型[SW2-Ethernet0/0/3]port link-type ac
[SW2-Ethernet0/0/3]port link-type access[SW2]vlan 20
[SW2-vlan20]port
//把eth0/0/3加入VLAN 20[SW2-vlan20]port eth0/0/3（4）交换机SW3的配置<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sy
//修改名称
[Huawei]sysname SW3//创建VLAN[SW3]vlan 10[SW3-vlan10]vlan 20[SW3-vlan20]quit
[SW3]int eth0/0/1[SW3-Ethernet0/0/1]port link-type tr
[SW3-Ethernet0/0/1]port link-type trunk[SW3-Ethernet0/0/1]port trunk allow-pass vlan all[SW3-Ethernet0/0/1]quit
[SW3]int eth0/0/2
[SW3-Ethernet0/0/2]port link-type ac
[SW3-Ethernet0/0/2]port link-type access [SW3-Ethernet0/0/2]quit
[SW3]vlan 10
[SW3-vlan10]port
[SW3-vlan10]port eth0/0/2[SW3-vlan10]quit
[SW3]int eth0/0/3
[SW3-Ethernet0/0/3]port link-type access[SW3]vlan 20
[SW3-vlan20]port eth0/0/3（5）PC1的配置

（6）PC2的配置

（7）PC3的配置

（8）PC4的配置

4、测试验证（1）PC1 ping PC3

（2）PC1 ping PC4

从上面可以看出相同VLAN和不同VLAN间都已经相互了通信思考：如果把路由器换成三层交换机或者防火墙该怎么实现？1、把路由器换成三层交换机，具体操作如下：如果把路由器换成三层交换机，则其他交换机和PC机的配置都不变，只需配置三层交换机，三层交换机的配置如下：<Huawei>sys
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sys
[Huawei]sysname S1//创建VLAN[S1]vlan 10
[S1-vlan10]vlan 20[S1]int GigabitEthernet0/0/1
//把GigabitEthernet0/0/1设为trunk
[S1-GigabitEthernet0/0/1]port link-type tr
[S1-GigabitEthernet0/0/1]port link-type trunk //在trunk下允许所有VLAN通过[S1-GigabitEthernet0/0/1]port trunk allow-pass vlan all//在VLAN 10配置IP地址[S1]int Vlanif 10[S1-Vlanif10]ip add
[S1-Vlanif10]ip address 192.168.10.1 24//在VLAN 20配置IP地址[S1-Vlanif10]quit
[S1]int Vlanif 20[S1-Vlanif20]ip address 192.168.20.1 24这样就配置好了可以测试一下PC4分别ping PC1和PC2，如下所示：

2、把路由器换成防火墙，具体操作如下：如果把路由器换成防火墙，则其他交换机和PC机的配置都不变，只需配置防火墙，防火墙的配置如下：<SRG>system-view 20:39:34 2014/04/26Enter system view, return user view with Ctrl+Z.[SRG]sys[SRG]sysname firewall[firewall]int GigabitEthernet0/0/0.120:41:01 2014/04/26[firewall-GigabitEthernet0/0/0.1] ip add[firewall-GigabitEthernet0/0/0.1] ip address 192.168.10.1 24[firewall-GigabitEthernet0/0/0.1]vlan-type dot1q 10[firewall]int GigabitEthernet0/0.2[firewall-GigabitEthernet0/0/0.2]ip ad[firewall-GigabitEthernet0/0/0.2]ip address 192.168.20.1 24[firewall-GigabitEthernet0/0/0.2]vlan-type do[firewall-GigabitEthernet0/0/0.2]vlan-type dot1q 20[firewall]firewall zone trust[firewall-zone-trust]add interface g[firewall-zone-trust]add interface GigabitEthernet0/0/0.120:45:43 2014/04/26[firewall-zone-trust]add interface GigabitEthernet0/0/0.2此时已经配置完成，可以进行测试一下用PC3 ping PC1和PC2结果如下图所示：