The two devices are directly connected.
Configuration on the Huawei side:
[HUAWEI] interface GigabitEthernet1/0/0
[HUAWEI-GigabitEthernet1/0/0] ospfv3 authentication-mode hmac-sha256 key-id 1 plain 123
On our side the authentication is configured with a keychain. The key-id numbers on both ends must be identical, otherwise the neighbor relationship cannot be established; once the numbers were made consistent on site, the neighbor relationship with the Huawei device came up successfully.
The lab test between two SR88-X routers is as follows:
RTA:
#
ospfv3 1
router-id 2.2.2.1
#
keychain test mode absolute
key 1
key-string plain 123
authentication-algorithm hmac-sha-256
send-lifetime utc 08:00:00 2020/05/13 duration infinite
accept-lifetime utc 08:00:00 2020/05/13 duration infinite
#
interface GigabitEthernet5/1/5
ip address 2.2.2.1 255.255.255.0
ospfv3 1 area 0.0.0.0
ospfv3 authentication-mode keychain test
ipv6 address 2001::2/62
#
RTB:
#
ospfv3 1
router-id 2.2.2.9
#
keychain abc mode absolute
key 1
key-string plain 123
authentication-algorithm hmac-sha-256
send-lifetime utc 08:00:00 2020/05/13 duration infinite
accept-lifetime utc 08:00:00 2020/05/13 duration infinite
#
interface GigabitEthernet5/1/5
ip address 2.2.2.9 255.255.255.0
ospfv3 1 area 0.0.0.0
ospfv3 authentication-mode keychain abc
ipv6 address 2001::1/64
#
[88-X-UP]dis ospfv3 peer
OSPFv3 Process 1 with Router ID 2.2.2.1
Area: 0.0.0.0
-------------------------------------------------------------------------
Router ID Pri State Dead-Time InstID Interface
2.2.2.9 1 Full/DR 00:00:33 0 GE5/1/5
Once OSPFv3 authentication is configured, OSPFv3 routers carry an authentication field in the packets they send while establishing neighbor relationships, and verify it on received packets; only packets that pass verification are accepted, otherwise the packet is discarded and the neighbor relationship cannot be established normally.
Configuration note: the key id numbers on both ends must be the same.
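The key-id rule above can be checked offline before touching the routers. The following is an added example, not part of the original case or of any vendor tool: it parses Comware-style keychain text (the RTA/RTB sections above, embedded as a constructed sample; keychain names, lifetimes and the `one_way` helper are this example's own) and reports why a receiver would reject what its peer signs.

```python
from datetime import datetime

# Constructed sample: the RTA keychain from the lab test above. RTB carries the
# same key under a different keychain name; only the key-id must match.
RTA_CFG = """
keychain test mode absolute
 key 1
  key-string plain 123
  authentication-algorithm hmac-sha-256
  send-lifetime utc 08:00:00 2020/05/13 duration infinite
  accept-lifetime utc 08:00:00 2020/05/13 duration infinite
"""
RTB_CFG = RTA_CFG.replace("keychain test", "keychain abc")

def parse_keychains(cfg):
    """{keychain: {key_id: {secret, algo, send, accept}}}; only 'duration infinite' lifetimes are modelled."""
    chains, chain, key = {}, None, None
    for line in cfg.splitlines():
        t = line.split() or [""]            # blank lines match no branch below
        if t[0] == "keychain":
            chain = chains.setdefault(t[1], {})
        elif t[0] == "key" and chain is not None:
            key = chain.setdefault(int(t[1]), {})
        elif key is None:
            continue
        elif t[0] == "key-string":
            key["secret"] = t[-1]           # 'plain 123' -> '123'
        elif t[0] == "authentication-algorithm":
            key["algo"] = t[1]
        elif t[0] in ("send-lifetime", "accept-lifetime"):
            # 'utc HH:MM:SS YYYY/MM/DD duration infinite' -> start time of the lifetime
            key[t[0].split("-")[0]] = datetime.strptime(f"{t[2]} {t[3]}", "%H:%M:%S %Y/%m/%d")
    return chains

def one_way(sender, receiver, now):
    """Reasons the receiver would reject packets the sender signs at time `now`; [] = accepted."""
    problems = []
    for kid, ks in sender.items():
        if ks["send"] > now:
            continue                        # key not yet active for sending
        kr = receiver.get(kid)
        if kr is None:
            problems.append(f"key-id {kid} has no counterpart on the receiver")
        elif kr["accept"] > now:
            problems.append(f"key-id {kid} is outside the receiver's accept-lifetime")
        elif (ks["algo"], ks["secret"]) != (kr["algo"], kr["secret"]):
            problems.append(f"key-id {kid}: algorithm or key-string differs")
    return problems
```

Run `one_way` in both directions; an adjacency forms only when both lists are empty, and the keychain name itself (test vs abc) never matters.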
As shown in Figure 1:
· Site 1 and Site 2 are two departments of a company; their traffic is carried on VLAN 2 and VLAN 3 respectively, and both connect to Device A.
· Device A connects to the external network through port GigabitEthernet1/0/1.
· The company wants both departments to communicate with the external network through Device A, while the Layer 2 traffic inside each department stays isolated.
· Before a port can be added to an isolation group on the device, that isolation group must already have been created.
· A port can belong to at most one isolation group.
# Create VLAN 2 and VLAN 3 on Device A, configure the link type of port GigabitEthernet1/0/1 as trunk and allow packets of VLAN 2 and VLAN 3 to pass. Add ports GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to VLAN 2; add ports GigabitEthernet1/0/4 and GigabitEthernet1/0/5 to VLAN 3.
<DeviceA> system-view
[DeviceA] vlan 2
[DeviceA-vlan2] port gigabitethernet 1/0/2
[DeviceA-vlan2] port gigabitethernet 1/0/3
[DeviceA-vlan2] quit
[DeviceA] vlan 3
[DeviceA-vlan3] port gigabitethernet 1/0/4
[DeviceA-vlan3] port gigabitethernet 1/0/5
[DeviceA-vlan3] quit
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type trunk
[DeviceA-GigabitEthernet1/0/1] port trunk permit vlan 2 3
[DeviceA-GigabitEthernet1/0/1] quit
# Create isolation group 1 and isolation group 2.
[DeviceA] port-isolate group 1
[DeviceA] port-isolate group 2
# Add ports GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to isolation group 1; add GigabitEthernet1/0/4 and GigabitEthernet1/0/5 to isolation group 2.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port-isolate enable group 1
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port-isolate enable group 1
[DeviceA-GigabitEthernet1/0/3] quit
[DeviceA] interface gigabitethernet 1/0/4
[DeviceA-GigabitEthernet1/0/4] port-isolate enable group 2
[DeviceA-GigabitEthernet1/0/4] quit
[DeviceA] interface gigabitethernet 1/0/5
[DeviceA-GigabitEthernet1/0/5] port-isolate enable group 2
[DeviceA-GigabitEthernet1/0/5] quit
# Display information about all isolation groups.
[DeviceA] display port-isolate group
Port isolation group information:
Group ID: 1
Group members:
GigabitEthernet1/0/2
GigabitEthernet1/0/3
Group ID: 2
Group members:
GigabitEthernet1/0/4
GigabitEthernet1/0/5
The output above shows:
· Ports GigabitEthernet1/0/2 and GigabitEthernet1/0/3 on Device A have joined isolation group 1 and are therefore isolated at Layer 2; the attached Host A and Host B cannot ping each other.
· Ports GigabitEthernet1/0/4 and GigabitEthernet1/0/5 on Device A have joined isolation group 2 and are therefore isolated at Layer 2; the attached Host C and Host D cannot ping each other.
The configuration file of some switches also shows the port link-mode bridge command; refer to the actual device output.
#
port-isolate group 1
port-isolate group 2
#
vlan 2 to 3
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 to 3
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 2
port-isolate enable group 1
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 2
port-isolate enable group 1
#
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 3
port-isolate enable group 2
#
interface GigabitEthernet1/0/5
port link-mode bridge
port access vlan 3
port-isolate enable group 2
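The two rules from the scenario (create the group before assigning ports; one group per port) and the expected reachability can be verified against the running config offline. This is an added example, not part of the original case or of the switch software: it parses a constructed, cut-down copy of the Device A configuration above (GE1/0/4 and GE1/0/5 omitted to stay short) and the helper names `vlan_set`, `parse_ports` and `l2_reachable` are this example's own.

```python
import re
# Constructed sample, cut down from the Device A running config above (GE1/0/4, GE1/0/5 omitted).
DEVICE_A = """
port-isolate group 1
port-isolate group 2
interface GigabitEthernet1/0/1
 port trunk permit vlan 1 to 3
interface GigabitEthernet1/0/2
 port access vlan 2
 port-isolate enable group 1
interface GigabitEthernet1/0/3
 port access vlan 2
 port-isolate enable group 1
"""

def vlan_set(tokens):
    """Expand a Comware VLAN list such as ['1', 'to', '3', '5'] into {1, 2, 3, 5}."""
    out = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", " ".join(tokens)):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_ports(cfg):
    """Return ({port: {'vlans': set, 'group': int|None}}, [violations of the two rules above])."""
    groups, ports, errors = set(), {}, []
    cur = {"name": "<global>", "vlans": set(), "group": None}   # sink for lines outside any interface
    for line in cfg.splitlines():
        t = line.split() or [""]                  # blank lines match no branch
        if t[:2] == ["port-isolate", "group"]:
            groups.add(int(t[2]))
        elif t[0] == "interface":                 # access port in VLAN 1 until told otherwise
            cur = ports.setdefault(t[1], {"name": t[1], "vlans": {1}, "group": None})
        elif t[:2] == ["port", "access"]:
            cur["vlans"] = {int(t[3])}
        elif t[:4] == ["port", "trunk", "permit", "vlan"]:
            cur["vlans"] = vlan_set(t[4:])
        elif t[:3] == ["port-isolate", "enable", "group"]:
            g = int(t[3])
            if g not in groups:
                errors.append(f"{cur['name']}: group {g} used before it was created")
            elif cur["group"] is not None:
                errors.append(f"{cur['name']}: already in group {cur['group']}")
            cur["group"] = g
    return ports, errors

def l2_reachable(ports, a, b):
    """True when a Layer 2 frame entering port a can be forwarded out port b (common VLAN, not same group)."""
    pa, pb = ports[a], ports[b]
    return bool(pa["vlans"] & pb["vlans"]) and (pa["group"] is None or pa["group"] != pb["group"])
```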