vivion27 posted on 2018-7-28 12:33:36

Juniper EX2200: a few common VLAN configurations (creation, ACL filtering, inter-VLAN traffic isolation)

  1. Creating a VLAN really takes only 2 steps and 2 commands:
  ① If the gateway is to live on the EX2200, a virtual Layer 3 interface (SVI) is needed, so we first create an SVI to act as the gateway for the VLAN we are about to create.
  ② When creating the VLAN, bind the SVI to the VLAN.
  Network devices generally have the concept of sub-interfaces; on Junos, a unit is the VLAN's sub-interface.
  // Create virtual interface unit 2 with address 192.168.2.1/24
  root# set interfaces vlan unit 2 family inet address 192.168.2.1/24
  // Create the VLAN and bind it to the SVI (note the space between l3-interface and vlan.2)
  root# set vlans vlan_name vlan-id 2 l3-interface vlan.2
  // Remember to also add the VLAN to the allowed list on the trunk port
  root# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 2
  2. Creating a filtering ACL also takes 2 steps:
  ① Create the filter rule; it can include a port. The exact parameters can be listed by typing ? at the command line.
  ② Apply the created ACL to the VLAN's input or output.
  Create the ACL
  // Match the traffic
  set firewall family ethernet-switching filter acl_name term rule_name1 from destination-address X.X.X.X/X
  // Define the action
  set firewall family ethernet-switching filter acl_name term rule_name1 then discard
  // Permit all other traffic. This line is important, because the generated ACL implicitly ends with a discard-any rule.
  // It must be a separate term: a single term cannot carry both discard and accept.
  set firewall family ethernet-switching filter acl_name term rule_name2 then accept
  Apply it to the corresponding VLAN
  set vlans vlan_name filter input acl_name
  ----------------------------------------------------------------------------------
  set interfaces vlan unit 2 family inet address 192.168.2.1/24
  set vlans vlan_name vlan-id 2 l3-interface vlan.2
  set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 2
  set firewall family ethernet-switching filter acl_name term rule_name1 from destination-address X.X.X.X/X
  set firewall family ethernet-switching filter acl_name term rule_name1 then discard
  set firewall family ethernet-switching filter acl_name term rule_name2 then accept
  set vlans vlan_name filter input acl_name
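The post's title promises inter-VLAN traffic isolation, which is just the two steps above applied to two VLANs at once. The following is an added example, not part of the original post: it builds two VLANs with their RVI gateways on the EX2200, a trunk carrying both, and an ethernet-switching filter on each VLAN that discards traffic destined for the other VLAN, counts it, and explicitly accepts everything else. The VLAN names (vlan_users, vlan_servers), the 192.168.2.0/24 and 192.168.3.0/24 subnets, the counter names and the port assignments (ge-0/0/0 trunk, ge-0/0/1 and ge-0/0/2 access) are assumptions chosen for the illustration; lines starting with "#" are annotations to drop before pasting into configure mode.

```junos
# Added example, not from the original post. Assumed values: vlan_users (VLAN 2,
# 192.168.2.0/24), vlan_servers (VLAN 3, 192.168.3.0/24), trunk on ge-0/0/0,
# access ports ge-0/0/1 and ge-0/0/2. Legacy (non-ELS) EX2200 syntax.

# Step 1: one RVI (SVI) per VLAN, then each VLAN bound to its RVI
set interfaces vlan unit 2 family inet address 192.168.2.1/24
set interfaces vlan unit 3 family inet address 192.168.3.1/24
set vlans vlan_users vlan-id 2 l3-interface vlan.2
set vlans vlan_servers vlan-id 3 l3-interface vlan.3

# Trunk carrying both VLANs, plus one access port in each VLAN
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members [ vlan_users vlan_servers ]
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan_users
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan_servers

# Step 2: filter for VLAN 2. The first term counts and drops anything destined
# for VLAN 3; the second term is the explicit "accept the rest" that overrides
# the implicit discard-all at the end of every filter.
set firewall family ethernet-switching filter block_to_servers term deny_servers from destination-address 192.168.3.0/24
set firewall family ethernet-switching filter block_to_servers term deny_servers then count dropped_to_servers
set firewall family ethernet-switching filter block_to_servers term deny_servers then discard
set firewall family ethernet-switching filter block_to_servers term allow_rest then accept

# Mirror filter for VLAN 3 so the isolation holds in both directions
set firewall family ethernet-switching filter block_to_users term deny_users from destination-address 192.168.2.0/24
set firewall family ethernet-switching filter block_to_users term deny_users then count dropped_to_users
set firewall family ethernet-switching filter block_to_users then discard
set firewall family ethernet-switching filter block_to_users term allow_rest then accept

# Apply each filter on the ingress side of its own VLAN
set vlans vlan_users filter input block_to_servers
set vlans vlan_servers filter input block_to_users
```

After `commit`, `show firewall filter block_to_servers` shows the dropped_to_servers counter; it climbing while a VLAN 2 host tries to reach 192.168.3.0/24 confirms the filter is matching, which is a simpler check than testing from hosts. The allow_rest term is what keeps the gateway and the rest of the network reachable: leaving it out turns the filter into a drop-everything rule for that VLAN, which is the pitfall the post warns about.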