Welcome to our Online Store!

Interface configuration,how to interface configuration 2

2018-02-24 09:44:22

Zhang Fei said to military information security camp Zhuge issued the decree of God, can not help but to head. To remind Jiang Wei, Zhuge remembered that God left second tips. Two people open kit, looked into it and saw the brocade book: against the armed forces, information security, first, only isolated.

Zhang Fei stared at the tiger eye eye, face: "vivi brother, Prime Minister of the kit hidden what mystery, you made?"

Jiang Wei smiled: "I do not worry, and the road to listen to me slowly. The next picture is the large distribution map of our army.

1.jpg

Feifei, you see, military camp, camp and camp soldiers of our army major y belong to a VLAN and is located in the same network. By default, three big businesses can access each other. Now, let's ask prime minister does not change in our army network planning and VLAN planning case: 1) military camp and camp soldiers can not access each other; 2) the military camp can access the camp, but the camp can not access the military camp, camp and camp and the soldiers always can visit each other.

So, how do you do it?

This requires us to port this big move. This trick a powerful, will be able to complete the prime minister and the prime minister must boast military orders, you are a good boy love learning, willing to move the brain, ha ha ha ha!"

After Jiang Wei teased Zhang Fei, he was happy to laugh.

Zhang Fei pretended to sulk: "vivi brother, don't let it go, you tell me how to configure port isolation!"

"Well, in short. When it comes to port isolation, the concept of port isolation group is introduced. The port of switch can be added to a specific port isolation group. The ports of the isolation port of the same port are isolated from each other, and ports between different port isolation groups are not isolated. Therefore, the prime minister to complete orders for the configuration idea is actually very simple. As shown below, the ports GE0/0/1 and GE0/0/2 will be added to the same port isolation group on the switch. GE0/0/3 will not join the port isolation group or join another port isolation group to OK.

2.jpg

The configuration steps are as follows:

<Huawei> system-view

[Huawei] sysname Switch

[Switch] interface gigabitEthernet 0/0/1

[Switch-GigabitEthernet0/0/1] port link-type access

[Switch-GigabitEthernet0/0/1] port default vlan 10

[Switch-GigabitEthernet0/0/1] port-isolate enable group 5   //Port GE0/0/1 is added to port isolation group 5

[Switch-GigabitEthernet0/0/1] quit

[Switch] interface gigabitEthernet 0/0/2

[Switch-GigabitEthernet0/0/2] port link-type access

[Switch-GigabitEthernet0/0/2] port default vlan 10

[Switch-GigabitEthernet0/0/2] port-isolate enable group 5   //Port GE0/0/2 is added to port isolation group 5

[Switch-GigabitEthernet0/0/2] quit

[Switch] interface gigabitEthernet 0/0/3

[Switch-GigabitEthernet0/0/3] port link-type access

[Switch-GigabitEthernet0/0/3] port default vlan 10         //Port GE0/0/3 is added to port isolation group 5

[Switch-GigabitEthernet0/0/3] quit

When the configuration is completed, port GE0/0/1 and GE0/0/2 join the same port isolation group, and port GE0/0/3 does not join any port isolation group. In this way, military soldiers and Camp Camp can not visit each other, but the military camp and the camp, camp and the camp soldiers still can visit each other."

Jianghu tip: how to view the configuration information of the port isolation group?

Port-isolate group command: display {group-id all} | command can view port configuration information isolation group.

Zhang Fei smell speech exultation, but his heart is still holding a small bundle of Vivian: "brother, the prime minister also we can access the implementation of Military Camp Camp, but the camp can not access the military camp. Can this problem be solved by port isolation, too? "

Jiang Wei smiled, calmly said: "since the port isolation is a trick, of course, not only the port isolation group kill myself, it's also an arsenal of kill -- one-way isolation, just to solve your question."

Zhang Fei, a little disbelieving, said doubtfully, "the God is one way of isolation." Is it amazing? "

Jiang Wei laughed and said: "one-way isolation, as the name suggests, only in a single direction of information isolation. A chestnut can be configured on the interface A and isolated from the interface B. The message sent from the interface A cannot reach the interface B, but the message sent from the interface B can reach the interface A. The problem with you for it, to achieve access to the Military Camp Camp, but the camp can not access the military camp, you can use a one-way isolation function. As shown below, in the configuration of single port GE0/0/3 isolation function, and specify the port isolation is GE0/0/1, so GE0/0/3, a message can not reach GE0/0/1, and the message from GE0/0/1 to GE0/0/3, so as to realize the military camp can access the camp, but the camp can not access the military camp.

4.jpg

The configuration steps are as follows:

[Switch] interface GigabitEthernet 0/0/3

[Switch-GigabitEthernet0/0/3] am isolate gigabitethernet 0/0/1   // configuring port isolation on GE0/0/3 and specifying the isolated port is GE0/0/1

[Switch-GigabitEthernet0/0/3] quit

Configuration one-way isolation, look, it is so simple! "

According to Zhang Fei Zhuge and kit, easily configured on the switch port isolation function, after verification, the military camp and soldiers can not really camp visit each other, and the camp cannot access the military camp.

Second days, Zhang Fei happily waiting for praise, Zhuge and Zhuge unexpectedly, God told Zhang Fei: "Feifei, port GE0/0/1 and port GE0/0/2 is now two isolation, although ARP cannot pass through what come over, but through the Proxy ARP function VLAN, military camp and camp soldiers can still use their own gateway the realization of the three layer visits, which is called the two layer three layer isolation but not isolated."

Zhang Fei, a little depressed: "prime minister, two layer three layer isolation tube which can realize the information isolation, as long as the isolation is not it? I can't see the difference between two layers of isolation and three layers of isolation now.

Zhuge and unhurried shaking feather fan: "Facts speak louder than words. Let's do a little experiment, and you understand it completely.

The experiment process is as follows:

Step 1 as shown below, the military camp host PC1 and host PC2 soldiers in the camp, in the PC1 and PC2 join the same port isolation conditions, using PC1 and PC2 Ping each other each other, the two can not Ping each other, that port isolation function play a role.

5.jpg

In the process of PC1 Ping PC2, the packets passing through the GE0/0/1 and GE0/0/2 are captured on the switch.

L GE0/0/1 capture information is shown in figure:

5.jpg

Capture information display, PC1 sends the ARP request message (green box surrounded by ARP message Protocol), did not receive a response message from PC2 ARP.

L GE0/0/2 capture information is shown in figure:

6.jpg

Capture information display, PC2 has not received from the PC1 ARP request message.

Conclusion GE0/0/1 and GE0/0/2 capture information that PC1 sends the ARP request message to the PC2 through the switch can not pass, so that between the PC1 and the PC2 ARP was unable to complete the learning process between the two will not be able to achieve mutual visits.

The gateway configured on step 2 PC1 and PC2 is the IP address of VLANIF10: 10.10.10.250/24, we make the Proxy ARP function within VLAN on VLANIF10. The following steps are as follows:

[Switch] interface vlanif 10

[Switch-Vlanif10] IP address 10.10.10.250 24

[Switch-Vlanif10] arp-proxy inner-sub-vlan-proxy enable / / in VLANIF10 enable the Proxy ARP function in VLAN

[Switch-Vlanif10] quit

Then PC1 and PC2 are used to Ping each other, and the results can be connected to each other, which indicates that the port isolation function fails. What's the matter? Let us capture analysis.

L GE0/0/1 capture information is shown in figure:

7.jpg

First, the PC1 sends the ARP request message to find the MAC address of the PC2 (such as the yellow line label).

Second, VLANIF10 acts as an ARP agent to send ARP response messages instead of PC2, such as blue line tagging. Note: 4c1f-cc6b-263c is the MAC address of VLANIF10).

Then, after PC1 receives the ARP reply message from VLANIF10, the MAC address of the PC2 in the ARP table item is modified to the MAC address of the VLANIF10, as shown in the following figure.

8.jpg

Finally, the Ping Request PC1 message is sent to the PC2 (such as green label). The following is the message of Ping Request message. The destination of Ping Request message is MAC address of VLANIF10, which is MAC address of VLANIF10. It is clear that Ping Request message will first send to VLANIF10.

9.jpg

Jianghu tip: how to look at the MAC address of VLANIF10?

The display ARP all command on the switch can look at the ARP table item of the VLANIF10, and the ARP table entry contains the MAC address of the VLANIF10. As shown in the following figure.

1.jpg

The GE0/0/2 capture information is shown in figure:

2.jpg

First, the VLANIF10 sends the ARP request message to find the MAC address of the PC2 (such as the yellow line label).

Second, VLANIF10 receives the ARP reply message from the PC2 and gets the MAC address of the PC2 (such as the blue line label).

Finally, forwarding VLANIF10 will receive from the PC1 ARP Request message to PC2 (as shown by the green line).

Conclusion GE0/0/1 and GE0/0/2 capture information can be seen, Ping PC1 will send the Request message sent to the VLANIF10 for layer three forwarding, rather than layer two forwarding. The Ping Reply message that PC2 responds to PC1 also forwards three layers, and this post will no longer be described.

"Wow," Zhang Fei said, "PC1 and PC2 can communicate through three layers. Then, the prime minister, how to realize PC1 and PC2 two or three layer isolation?"

Zhuge smile: "very simple, only need to execute the port-isolate mode all command under the system view to achieve the two or three layer isolation. Let's try again.

The experimental steps are as follows:

Step 1 executes the port-isolate mode all command under the system view while retaining the configuration of the Proxy ARP function within the VLAN under the interface VLANIF10.

[Switch] port-isolate mode all / / port isolation mode for two layer three layer isolation

Step 2 Ping each other with PC1 and PC2, and the result can not be Ping through each other.

To analyze why PC1 and PC2 capture each other to pass Ping.

L GE0/0/1 capture information is shown in figure:

1.jpg

Capture information display, PC1 sends the ARP request message, receive message from the VLANIF10 interface of ARP response. PC1 sends Ping Request messages to VLANIF10 for three layers of forwarding.

L GE0/0/2 capture information is shown in figure:

1.jpg

Capture information display, VLANIF10 did not send the ARP request message for PC2 MAC address, did not put forward ARP Request PC1 message to be sent to PC2.

Conclusion VLANIF10 does not forward the ARP Request message from PC1, so that the three layer of mutual visits can not be achieved between PC1 and PC2.

Feifei you see, just add a little configuration, port isolation function and the return of the king!"

Zhang Fei believes nodded, exclaimed: "it is not really the prime minister! But the prime minister, now you see we configured so many port isolation command on the switch, we do not need the port isolation function if the day after, a command to delete these trouble ah!"

Zhuge and Zhang Fei praised: "who said, more brave than wise? The idea is very brainy. In fact, under the system view, executing clear configuration port-isolate command can remove all port isolation configurations on one device, including port isolation group, port one-way isolation and isolated mode related configuration. However, because the number of Feifei, execute clear command configuration port-isolate one click Remove more, may affect other business, when in use must be careful oh!"

Zhang Fei laughed and said: "the prime minister, you can rest assured that you don't know what I say is? Haha! "

Zhuge God smiled and said: "Feifei progress more and more. But recently our army has purchased a number of HUAWEI switches, this batch of switch type, transmission capacity are different, and these switches distributed in each camp, the switch and before buying directly connected. Now we want to parameter consistency between connected switch interface, so as to ensure the normal transmission of data, how can we fly configuration, you made it?" Are all at sea Zhang Fei puzzled, I do not know what time Jiang Wei came from behind, patted Zhang Fei on the shoulder: "Feifei, you forgot the prime minister and third tips?"

Zhang Fei laughed, "fast take third tips."

For his funeral, please listen to the next time

Address: Room110,No.389 Jinwan Road,Shanghai,China

Email: daisy.dai@ccitel.com
service time: 7x24 hour

CCIT ICT PRODUCTS