Reference: Case 11, best practice for the native VLAN / PVID on a trunk (printed book 《網絡工程師思科華爲華三實戰案例紅寶書》, the Cisco/Huawei/H3C network engineer practical case red book, p. 142)
If the native VLANs at the two ends of a trunk link differ, then, because the native VLAN behaves like the VLAN of an access interface, untagged frames get delivered into the wrong VLAN at the far end; this is known as a VLAN hopping attack.
Solutions:
- Proactive solution: make the native VLAN also carry a tag on the trunk; the Huawei and H3C trunk configuration does not offer this option.
- Passive solution: use a VLAN that carries no production traffic as the native VLAN on the trunk, so that the production VLANs are not affected.
Case 12
Implement promiscuous mode on LSW1 and LSW2 so that PC1 and PC2 can both communicate with the router, but PC1 and PC2 cannot communicate with each other. AR1, PC1 and PC2 are in the same subnet.
Configure the IP addresses; at this point PC1 can reach PC2, Server1 and AR1.
PC1>ping 10.1.10.2
Ping 10.1.10.2: 32 data bytes, Press Ctrl_C to break
From 10.1.10.2: bytes=32 seq=1 ttl=128 time=31 ms
From 10.1.10.2: bytes=32 seq=2 ttl=128 time=47 ms
From 10.1.10.2: bytes=32 seq=3 ttl=128 time=47 ms
From 10.1.10.2: bytes=32 seq=4 ttl=128 time=31 ms
From 10.1.10.2: bytes=32 seq=5 ttl=128 time=47 ms
--- 10.1.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/40/47 ms
PC1>ping 10.1.10.3
Ping 10.1.10.3: 32 data bytes, Press Ctrl_C to break
PC1>ping 10.1.10.11
Ping 10.1.10.11: 32 data bytes, Press Ctrl_C to break
Configure the interconnecting ports between LSW1 and LSW3 as hybrid
[SW1]vlan batch 8 9 10 11 99
Info: This operation may take a few seconds. Please wait for a moment...done.
[SW1]in g0/0/3
[SW1-GigabitEthernet0/0/3]port hybrid ?
pvid Specify current port's PVID VLAN characteristics
tagged Tagged
untagged Untagged
vlan Virtual LAN
[SW1-GigabitEthernet0/0/3]port hybrid pvid vlan 99
[SW1-GigabitEthernet0/0/3]
Feb 20 2020 14:52:04-08:00 SW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 10, the change loop count is 0, and the maximum number of records is 4095.
[SW1-GigabitEthernet0/0/3]port hybrid tagged vlan all
Feb 20 2020 14:52:54-08:00 SW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 11, the change loop count is 0, and the maximum number of records is 409
[SW1-GigabitEthernet0/0/3]display this
#
interface GigabitEthernet0/0/3
port hybrid pvid vlan 99
port hybrid tagged vlan 1 to 4094
#
return
[SW1-GigabitEthernet0/0/3]
[SW1-GigabitEthernet0/0/3]display port vlan active
T=TAG U=UNTAG
-------------------------------------------------------------------------------
Port Link Type PVID VLAN List
-------------------------------------------------------------------------------
GE0/0/1 access 1 U: 1
GE0/0/2 hybrid 1 U: 1
GE0/0/3 hybrid 99 T: 1 8 to 12 99
Configure g0/0/3 on LSW3 the same way.
Configure the interfaces that connect to the end hosts as hybrid
[SW1-GigabitEthernet0/0/1]port link-type hybrid
[SW1-GigabitEthernet0/0/1]port hybrid pvid vlan 11
[SW1-GigabitEthernet0/0/1]port hybrid untagged vlan 8 9 11
[SW1-GigabitEthernet0/0/1]display port vlan active
T=TAG U=UNTAG
-------------------------------------------------------------------------------
Port Link Type PVID VLAN List
-------------------------------------------------------------------------------
GE0/0/1 hybrid 11 U: 1 8 to 9 11
GE0/0/2 hybrid 1 U: 1
GE0/0/3 hybrid 99 T: 1 8 to 12 99
[SW3-GigabitEthernet0/0/10]port hybrid pvid vlan 8
[SW3-GigabitEthernet0/0/10]port hybrid untagged vlan 8 11
[SW3-GigabitEthernet0/0/11]port hybrid pvid vlan 9
[SW3-GigabitEthernet0/0/11]port hybrid untagged vlan 9 11
[SW3-GigabitEthernet0/0/11]display port vlan active
T=TAG U=UNTAG
-------------------------------------------------------------------------------
Port Link Type PVID VLAN List
-------------------------------------------------------------------------------
GE0/0/1 hybrid 1 U: 1
GE0/0/2 hybrid 1 U: 1
GE0/0/3 hybrid 99 T: 1 8 to 11 99
GE0/0/4 hybrid 1 U: 1
GE0/0/5 hybrid 1 U: 1
GE0/0/6 hybrid 1 U: 1
GE0/0/7 hybrid 1 U: 1
GE0/0/8 hybrid 1 U: 1
GE0/0/9 hybrid 1 U: 1
GE0/0/10 hybrid 1 U: 1 8 11
GE0/0/11 hybrid 1 U: 1 9 11
Test whether PC1 can ping R1 and PC2
PC1>ping 10.1.10.11
Ping 10.1.10.11: 32 data bytes, Press Ctrl_C to break
From 10.1.10.11: bytes=32 seq=1 ttl=255 time=94 ms
From 10.1.10.11: bytes=32 seq=2 ttl=255 time=78 ms
From 10.1.10.11: bytes=32 seq=3 ttl=255 time=94 ms
From 10.1.10.11: bytes=32 seq=4 ttl=255 time=78 ms
From 10.1.10.11: bytes=32 seq=5 ttl=255 time=94 ms
--- 10.1.10.11 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 78/87/94 ms
PC1>ping 10.1.10.2
Ping 10.1.10.2: 32 data bytes, Press Ctrl_C to break
From 10.1.10.1: Destination host unreachable
From 10.1.10.1: Destination host unreachable
From 10.1.10.1: Destination host unreachable
From 10.1.10.1: Destination host unreachable
From 10.1.10.1: Destination host unreachable
--- 10.1.10.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
PC>
[SW1-port-group-hybrid]display port vlan active
T=TAG U=UNTAG
-------------------------------------------------------------------------------
Port Link Type PVID VLAN List
-------------------------------------------------------------------------------
GE0/0/1 hybrid 1 U: 1
GE0/0/2 hybrid 1 U: 1
GE0/0/3 hybrid 99 T: 1 8 to 12 99
[SW3-GigabitEthernet0/0/11]port hybrid untagged vlan 8 9 11
[SW3-GigabitEthernet0/0/10]port hybrid untagged vlan 8 9 11
PC>ping 10.1.10.2
Ping 10.1.10.2: 32 data bytes, Press Ctrl_C to break
From 10.1.10.2: bytes=32 seq=1 ttl=128 time=46 ms
From 10.1.10.2: bytes=32 seq=2 ttl=128 time=32 ms
From 10.1.10.2: bytes=32 seq=3 ttl=128 time=31 ms
From 10.1.10.2: bytes=32 seq=4 ttl=128 time=31 ms
From 10.1.10.2: bytes=32 seq=5 ttl=128 time=31 ms
--- 10.1.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/34/46 ms
PC>
[SW3-GigabitEthernet0/0/10]display port vlan active
T=TAG U=UNTAG
-------------------------------------------------------------------------------
Port Link Type PVID VLAN List
-------------------------------------------------------------------------------
GE0/0/1 hybrid 1 U: 1
GE0/0/2 hybrid 1 U: 1
GE0/0/3 hybrid 99 T: 1 8 to 11 99
GE0/0/4 hybrid 1 U: 1
GE0/0/5 hybrid 1 U: 1
GE0/0/6 hybrid 1 U: 1
GE0/0/7 hybrid 1 U: 1
GE0/0/8 hybrid 1 U: 1
GE0/0/9 hybrid 1 U: 1
GE0/0/10 hybrid 1 U: 1 8 to 9 11
GE0/0/11 hybrid 11 U: 1 8 to 9 11
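The following is an added example, not code from the book or from the lab transcript above: a small model of how a hybrid port classifies an untagged frame by its PVID and forwards it only out of ports that carry that VLAN. It reproduces the case 12 result (PC1 reaches AR1 through the trunk but not PC2, and isolation is lost once both PC ports are untagged for VLANs 8, 9 and 11, as in the last two commands on SW3), and the case 11 native-VLAN mismatch (a VLAN 8 frame is re-classified into VLAN 9 on the far switch when the native VLANs differ and are sent untagged). The port names, VLAN numbers and addresses come from the page; MAC learning and the VLAN 1 special cases are deliberately left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    """One switch port: its PVID and the VLANs it sends out untagged or tagged."""
    pvid: int
    untagged: frozenset
    tagged: frozenset = frozenset()

    def carries(self, vlan):
        return vlan in self.untagged or vlan in self.tagged

def classify(port, tag):
    """Untagged frames join the PVID; tagged frames must match a carried VLAN."""
    if tag is None:
        return port.pvid
    return tag if port.carries(tag) else None

def deliver(path):
    """Push one untagged host frame along path = [in, out, in, out, ...]; return
    the VLAN it leaves the last port in, or None if dropped. Tagged egress keeps
    the VLAN on the next link; untagged egress lets the next switch re-classify."""
    tag = vlan = None
    for ingress, egress in zip(path[0::2], path[1::2]):
        vlan = classify(ingress, tag)
        if vlan is None or not egress.carries(vlan):
            return None
        tag = vlan if vlan in egress.tagged else None
    return vlan

def can_talk(path):
    """Untagged hosts need both directions (ARP request and reply) to get through."""
    return deliver(path) is not None and deliver(path[::-1]) is not None

TRUNK = Port(99, frozenset(), frozenset(range(1, 4095)))  # pvid 99, tagged vlan all
SW1_G1 = Port(11, frozenset({1, 8, 9, 11}))               # AR1, 10.1.10.11
SW3_G10 = Port(8, frozenset({1, 8, 11}))                  # PC1, 10.1.10.1
SW3_G11 = Port(9, frozenset({1, 9, 11}))                  # PC2, 10.1.10.2
LOOSE = frozenset({1, 8, 9, 11})  # both PC ports after "port hybrid untagged vlan 8 9 11"

def case12(loose=False):
    """Returns (PC1<->AR1 reachable, PC1<->PC2 reachable)."""
    g10, g11 = (Port(8, LOOSE), Port(9, LOOSE)) if loose else (SW3_G10, SW3_G11)
    return can_talk([g10, TRUNK, TRUNK, SW1_G1]), can_talk([g10, g11])

def case11(native_a, native_b, service=frozenset({8, 9})):
    """VLAN a VLAN-8 host's frame lands in at the far VLAN-9 port (native VLANs untagged)."""
    a = Port(native_a, frozenset({native_a}), service - {native_a})
    b = Port(native_b, frozenset({native_b}), service - {native_b})
    return deliver([Port(8, frozenset({8})), a, b, Port(9, frozenset({9}))])
```

`case11(99, 99)` models the passive fix from case 11 (an unused VLAN as native on both ends) and returns None, i.e. the VLAN 8 frame is dropped at the VLAN 9 port instead of hopping.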