Contents
- Private VLAN overview
- Private VLAN configuration restrictions
- Private VLAN configuration steps
- Port operating modes explained and configured
- Private VLAN configuration examples
- Verification commands
1. Private VLAN overview
A Private VLAN is a Layer 2 VLAN structure that uses two kinds of VLAN, Primary and Secondary, to isolate users from one another while saving VLAN resources. Layer 2 traffic is isolated between Secondary VLANs; several Secondary VLANs can be mapped to one Primary VLAN, and the upstream device only needs to know the corresponding Primary VLAN.
2. Private VLAN configuration restrictions
- Multicast is not supported
- Cannot be combined with the VXLAN IP gateway feature
- The VLAN interfaces of the Primary VLAN and its Secondary VLANs must use the same MAC address
- The system default VLAN (VLAN 1) cannot be configured as a Private VLAN
- After configuration, verify that the VLAN membership of each port is correct
3. Private VLAN configuration steps
For the uplink/downlink port configuration, see section 4, Port operating modes explained and configured.
Configure the VLANs
# Enter system view
<H3C> system-view
# Create the VLAN and enter VLAN view
[H3C] vlan 10
# Set the VLAN type to Primary VLAN
[H3C-vlan10] private-vlan primary
[H3C-vlan10] quit
# Create the Secondary VLANs
[H3C] vlan 2 to 3
Establish the mapping
# Enter Primary VLAN view
[H3C] vlan 10
# Map the Secondary VLANs to the Primary VLAN
[H3C-vlan10] private-vlan secondary 2 to 3
[H3C-vlan10] quit
Configure Layer 3 connectivity between Secondary VLANs (optional)
/* Layer 2 connectivity between ports in the same Secondary VLAN */
# Enter Secondary VLAN view
<H3C> system-view
[H3C] vlan 2
# Configure it as a Community VLAN (ports in a community VLAN can communicate with each other by default)
[H3C-vlan2] private-vlan community
# Remove isolation (if isolation was configured earlier)
[H3C-vlan2] undo private-vlan isolated
[H3C-vlan2] quit
# Repeat for the other Secondary VLANs
/* Layer 3 connectivity between Secondary VLANs */
# Create the Primary VLAN interface
[H3C] interface vlan-interface 10
# Assign an IP address (IPv6 works too)
[H3C-Vlan-interface10] ip address 192.168.1.1 255.255.255.0
# Enable local proxy ARP (provides Layer 3 connectivity between Secondary VLANs)
[H3C-Vlan-interface10] local-proxy-arp enable
# For IPv6 the equivalent is -> local-proxy-nd enable
[H3C-Vlan-interface10] quit
4. Port operating modes explained and configured
Promiscuous mode - uplink
Connects to the upstream device and can communicate with all Secondary VLANs
# Enter the uplink port view
[H3C] interface gigabitethernet 1/0/5
# Configure the port to work in promiscuous mode in the specified VLAN
[H3C-GigabitEthernet1/0/5] port private-vlan 10 promiscuous
[H3C-GigabitEthernet1/0/5] quit
Trunk Promiscuous mode - uplink
Used when the uplink port must carry multiple Primary VLANs; VLAN-tagged frames are allowed through
# Enter the uplink port view
[H3C] interface gigabitethernet 1/0/24
# Configure the port to work in Trunk Promiscuous mode in the specified VLANs
[H3C-GigabitEthernet1/0/24] port private-vlan 10 20 trunk promiscuous
[H3C-GigabitEthernet1/0/24] quit
Host mode - downlink
Connects to end users; can communicate only with the Primary VLAN and its own Secondary VLAN
# Enter the downlink port view
[H3C] interface gigabitethernet 1/0/2
# Configure the port link type (choose one of the three)
[H3C-GigabitEthernet1/0/2] port link-type { access | trunk | hybrid }
# Add the port to the specified VLAN(s)
# Access port:
[H3C-GigabitEthernet1/0/2] port access vlan 2
# Trunk port:
[H3C-GigabitEthernet1/0/2] port trunk permit vlan 2 3
# Hybrid port:
[H3C-GigabitEthernet1/0/2] port hybrid vlan 2 3 untagged
# Configure the port to work in host mode
[H3C-GigabitEthernet1/0/2] port private-vlan host
[H3C-GigabitEthernet1/0/2] quit
Trunk Secondary mode
Used when the downlink port must carry multiple Secondary VLANs; the specified Secondary VLANs are allowed through tagged
# Enter the downlink port view
[H3C] interface gigabitethernet 1/0/10
# Configure the port link type
[H3C-GigabitEthernet1/0/10] port link-type trunk
# Add the port to the specified VLANs
[H3C-GigabitEthernet1/0/10] port private-vlan 2 3 trunk secondary
[H3C-GigabitEthernet1/0/10] quit
5. Private VLAN configuration examples
Promiscuous mode
Requirements: on Device B, configure Primary VLAN 5 mapped to Secondary VLANs 2 and 3; uplink port GigabitEthernet1/0/5 works in promiscuous mode; each downlink port joins its Secondary VLAN and works in host mode.
/* Device B configuration */ (Device C is configured similarly)
<DeviceB> system-view
# Configure VLAN 5 as the Primary VLAN
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan primary
[DeviceB-vlan5] quit
# Create the Secondary VLANs
[DeviceB] vlan 2 to 3
# Establish the mapping
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan secondary 2 to 3
[DeviceB-vlan5] quit
# Configure the uplink port
[DeviceB] interface gigabitethernet 1/0/5
# Work in promiscuous mode
[DeviceB-GigabitEthernet1/0/5] port private-vlan 5 promiscuous
[DeviceB-GigabitEthernet1/0/5] quit
# Configure the downlink ports
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port access vlan 2
# Work in host mode
[DeviceB-GigabitEthernet1/0/2] port private-vlan host
[DeviceB-GigabitEthernet1/0/2] quit
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port access vlan 3
[DeviceB-GigabitEthernet1/0/3] port private-vlan host
[DeviceB-GigabitEthernet1/0/3] quit
Trunk Promiscuous mode
Requirements: Device B has multiple Primary VLANs (VLAN 5 and VLAN 10), and the uplink port must let these Primary VLANs pass tagged. From Device A's point of view, the downstream Device B has only VLAN 5 and VLAN 10.
/* Device B configuration */
# Configure the Primary VLANs
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan primary
[DeviceB-vlan5] quit
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan primary
[DeviceB-vlan10] quit
# Create the Secondary VLANs
[DeviceB] vlan 2 to 3 6 8
# Establish the mappings
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan secondary 2 to 3
[DeviceB-vlan5] quit
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan secondary 6 8
[DeviceB-vlan10] quit
# Configure the uplink port in Trunk Promiscuous mode
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port private-vlan 5 10 trunk promiscuous
[DeviceB-GigabitEthernet1/0/1] quit
# Configure the downlink ports in host mode
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port access vlan 2
[DeviceB-GigabitEthernet1/0/2] port private-vlan host
[DeviceB-GigabitEthernet1/0/2] quit
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port access vlan 3
[DeviceB-GigabitEthernet1/0/3] port private-vlan host
[DeviceB-GigabitEthernet1/0/3] quit
[DeviceB] interface gigabitethernet 1/0/4
[DeviceB-GigabitEthernet1/0/4] port access vlan 6
[DeviceB-GigabitEthernet1/0/4] port private-vlan host
[DeviceB-GigabitEthernet1/0/4] quit
[DeviceB] interface gigabitethernet 1/0/5
[DeviceB-GigabitEthernet1/0/5] port access vlan 8
[DeviceB-GigabitEthernet1/0/5] port private-vlan host
[DeviceB-GigabitEthernet1/0/5] quit
/* Device A configuration */
# Create the VLANs
[DeviceA] vlan 5 10
# Configure the port as a hybrid port
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
# Allow VLAN 5 and VLAN 10 to pass tagged
[DeviceA-GigabitEthernet1/0/1] port hybrid vlan 5 10 tagged
[DeviceA-GigabitEthernet1/0/1] quit
Layer 3 connectivity between Secondary VLANs example
Requirements: Secondary VLANs are isolated at Layer 2 but reachable at Layer 3, with routing provided through the Primary VLAN interface.
/* Device A configuration */
# Configure the Primary VLANs
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] quit
[DeviceA] vlan 20
[DeviceA-vlan20] private-vlan primary
[DeviceA-vlan20] quit
# Create the Secondary VLANs
[DeviceA] vlan 11 to 12
[DeviceA] vlan 21 to 22
# Map Secondary VLANs 11 and 12 to Primary VLAN 10
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan secondary 11 12
[DeviceA-vlan10] quit
# Map Secondary VLANs 21 and 22 to Primary VLAN 20
[DeviceA] vlan 20
[DeviceA-vlan20] private-vlan secondary 21 22
[DeviceA-vlan20] quit
# Configure uplink port GE1/0/5 to work in trunk promiscuous mode in VLANs 10 and 20
[DeviceA] interface gigabitethernet 1/0/5
[DeviceA-GigabitEthernet1/0/5] port private-vlan 10 20 trunk promiscuous
[DeviceA-GigabitEthernet1/0/5] quit
# Add downlink port GE1/0/1 to VLAN 22 and make it work in host mode
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port access vlan 22
[DeviceA-GigabitEthernet1/0/1] port private-vlan host
[DeviceA-GigabitEthernet1/0/1] quit
# Add downlink port GE1/0/3 to VLAN 12 and make it work in host mode
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port access vlan 12
[DeviceA-GigabitEthernet1/0/3] port private-vlan host
[DeviceA-GigabitEthernet1/0/3] quit
# Configure downlink port GE1/0/2 to work in trunk secondary mode in VLANs 11 and 21
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port private-vlan 11 21 trunk secondary
[DeviceA-GigabitEthernet1/0/2] quit
6. Verification commands
# Display the Private VLAN configuration
display private-vlan
# Display VLAN information
display vlan
# Display interface status
display interface brief
# Display the MAC address table
display mac-address
Taking the promiscuous-mode example:
[DeviceB] display private-vlan
Primary VLAN ID: 5
Secondary VLAN ID: 2-3
VLAN ID: 5
VLAN type: Static
Private VLAN type: Primary
Route interface: Not configured
Description: VLAN 0005
Name: VLAN 0005
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/3
GigabitEthernet1/0/5
VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/5
VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0003
Name: VLAN 0003
Tagged Ports: None
Untagged Ports:
GigabitEthernet1/0/3
GigabitEthernet1/0/5
As the output shows, port GE1/0/5 in promiscuous mode and ports GE1/0/2 and GE1/0/3 in host mode all allow VLAN traffic through untagged, and each host port is a member of the Primary VLAN plus exactly one Secondary VLAN.
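The membership check that restriction 5 in section 2 asks for can be automated against this output. The following is an added example and not part of the original page or of H3C's software: it parses the display private-vlan output above (embedded as a constructed sample) and flags any port whose membership contradicts its role, for instance a host port that appears in two Secondary VLANs or a promiscuous port missing from one.

```python
import re
# Constructed sample (unused fields trimmed): Device B's "display private-vlan" output from the promiscuous example.
SAMPLE_OUTPUT = """\
VLAN ID: 5
Private VLAN type: Primary
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/3
GigabitEthernet1/0/5
VLAN ID: 2
Private VLAN type: Secondary
Untagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/5
VLAN ID: 3
Private VLAN type: Secondary
Untagged Ports:
GigabitEthernet1/0/3
GigabitEthernet1/0/5
"""

def parse_private_vlan(text):
    """Map each VLAN ID to its Private VLAN type and member ports (tagged or untagged)."""
    vlans, cur, in_ports = {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("VLAN ID:"):
            cur = vlans.setdefault(int(line.split(":")[1]), {"type": None, "ports": set()})
            in_ports = False
        elif line.startswith("Private VLAN type:") and cur:
            cur["type"] = line.split(":")[1].strip()
        elif re.match(r"(?i)(un)?tagged ports:", line):
            in_ports = not line.lower().endswith("none")   # "...: None" has no port lines
        elif in_ports and cur and re.match(r"\S+\d+/\d+/\d+$", line):
            cur["ports"].add(line)
    return vlans

def check_membership(vlans, promiscuous_port):
    """Return descriptions of ports whose membership contradicts their intended role."""
    roles = {t: {v for v, d in vlans.items() if d["type"] == t} for t in ("Primary", "Secondary")}
    problems = []
    for port in sorted(set().union(*(d["ports"] for d in vlans.values()))):
        in_sec = {v for v in roles["Secondary"] if port in vlans[v]["ports"]}
        in_pri = {v for v in roles["Primary"] if port in vlans[v]["ports"]}
        if port == promiscuous_port:
            if in_sec != roles["Secondary"] or not in_pri:   # must reach every Secondary VLAN
                problems.append(f"{port}: promiscuous port missing from {sorted(roles['Secondary'] - in_sec)}")
        elif len(in_sec) != 1 or not in_pri:                 # a host port sits in exactly one
            problems.append(f"{port}: host port in Secondary VLANs {sorted(in_sec)}")
    return problems
```

Run it with `check_membership(parse_private_vlan(SAMPLE_OUTPUT), "GigabitEthernet1/0/5")`; an empty list means the membership matches the design in section 5.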