Juniper EX2200几个常用vlan配置（创建，acl过滤，vlan间流量隔离）

435421

1、创建VLAN其实只要分为2步，只需要2条命令：
    ①如果需要把网关放在EX2200里，就是需要创建一个虚拟的三层接口SVI，所以我们可以先创建一个SVI作为即将创建的VLAN网关。
    ②创建VLAN的同时，把虚拟接口SVI与vlan匹配起来。
网络设备中接口一般都会有子接口的概念，unit就是vlan的子接口

//创建一个虚拟接口unit2，地址为192.168.2.1/24
root# set interfaces vlan unit 2 family inet address 192.168.2.1/24


//创建VLAN匹配SVI
root# set vlans vlan_name vlan-id 2 l3-interfacevlan.2

//記得還要在trunk口加入允許通過的VLAN

root# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 2


2、创建过滤的ACL也是分2步：
    ①创建过滤规则，可以带port口，今天参数可以在命令行按？查看

    ②把创建的ACL放在vlan的input或者output


创建ACL
//匹配流量
set firewall family ethernet-switching filter acl_name term rule_name1 from destination-address X.X.X.X/X
//定义行为
set firewall family ethernet-switching filter acl_name term rule_name1 then discard
//放行其他流量，这条很重要，因为生成的ACL里面会自动带有一条any discard的规则。
set firewall family ethernet-switching filter acl_name term rule_name1 then accept

放到有对应的vlan
set vlans vlan_name filter input acl_name

----------------------------------------------------------------------------------
set interfaces vlan unit 2 family inet address 192.168.2.1/24
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 2
set firewall family ethernet-switching filter acl_name term rule_name1 from destination-address X.X.X.X/X
set firewall family ethernet-switching filter acl_name term rule_name1 then discard
set firewall family ethernet-switching filter acl_name term rule_name1 then accept
set vlans vlan_name filter input acl_name