一、What is a MUX VLAN

A MUX VLAN (Multiplex VLAN) is a clever "grouping master": it lets you implement fine-grained access control with the fewest possible VLAN resources. Think of it as a "permission classifier": one principal VLAN encloses the shared resources (servers, for example), and subordinate VLANs decide who may talk to whom and who must be isolated, so that in the end:

  • Those who should communicate (e.g. colleagues exchanging files) communicate freely

  • Those who should be cut off (e.g. outsourced staff or visitors talking to each other) are cut off completely

  • Public resources (e.g. printers or the cloud drive) are shared by everyone

Overview of VLAN types (port type, communication rules, binding requirement and how it is implemented):

Principal VLAN (principal port)

  • Communication: can communicate with all subordinate VLANs (separate and group ports); by default carries the core resources (servers/gateway)

  • Implementation: configured as the default broadcast domain; enabling broadcast storm suppression is recommended

Separate subordinate VLAN (separate port)

  • Communication: may communicate only with the principal port; cannot interact with other separate or group ports (blocking access between members of a separate group requires port isolation to be enabled manually)

  • Binding requirement: must be bound to one principal VLAN

  • Implementation: port isolation enabled; MAC address table entries are restricted to point only at the principal port

Group subordinate VLAN (group port)

  • Communication: members of the same group can communicate with each other and can reach the principal port; communication across groups is forbidden

  • Binding requirement: must be bound to one principal VLAN

  • Implementation: standard forwarding within the group; cross-group traffic is blocked by the VLAN mapping policy

二、Case background

A mid-sized company moving into a new office building was overwhelmed by its network requirements:

  • R&D department: 30 people who frequently exchange code and test packages (full connectivity within the department)

  • Outsourcing team: 50 people who may only push code to Git and must not access each other (to prevent code leakage)

  • Whole company: 200+ people sharing a cloud drive (a public resource open to all)

Following the traditional approach:

  • A separate VLAN for every outsourced worker → 50 VLAN IDs used up at once

  • One VLAN for the R&D department → an intra-department connectivity policy to configure

  • 80 ACL rules on the core switch → to control the outsourcing team's access

The end result:

  • VLAN IDs over quota (the company's total allocation is only 300, and outsourcing alone takes 1/6 of it)

  • One ACL misconfiguration let outsourced workers reach each other's Git repositories → code leakage risk

  • Every new hire meant manually editing the switch → ops working until the early hours

三、How to apply it

Principal VLAN (VLAN 10):

  • Holds only the cloud drive and the Git server (a zone dedicated to public resources)

  • Everyone (R&D and outsourcing) can reach it

Group subordinate VLAN (VLAN 101):

  • Binds all R&D department devices

  • Data flows freely within the department, like an internal chat group

Separate subordinate VLAN (VLAN 103):

  • All outsourced workers' devices are forced into this VLAN

  • Each person sits in their own "cell" and can only talk to the Git server in the principal VLAN

Actual effect:

  • VLAN IDs drop from 51 to 3 (freeing 48 IDs immediately)

  • Switch configuration shrinks from 300+ lines to 15 (all ACL rules deleted)

四、Configuration steps

4.1 Topology

(Topology diagram: stmuxvlan1-dvcqrhbx.png)

4.2 Core configuration

  • Create VLANs 10, 101 and 103 and configure the VLANIF interface for VLAN 10; its IP address is the gateway for R&D, outsourcing and the servers.

[Core]vlan batch 10 101 103
[Core]interface Vlanif 10
[Core-Vlanif10]ip address 192.168.1.254 24
[Core-Vlanif10]quit
  • Configure the MUX VLAN: VLAN 101 as the group VLAN and VLAN 103 as the separate VLAN.

[Core]vlan 10
[Core-vlan10]mux-vlan
[Core-vlan10]subordinate separate 103
[Core-vlan10]subordinate group 101
[Core-vlan10]quit
  • Add the interfaces to their VLANs and enable the MUX VLAN function on them.

[Core]interface GE 1/0/1
[Core-GE1/0/1]port link-type trunk
[Core-GE1/0/1]port trunk allow-pass vlan 101
[Core-GE1/0/1]port mux-vlan enable vlan 101
[Core-GE1/0/1]quit
[Core]interface GE 1/0/2
[Core-GE1/0/2]port link-type trunk
[Core-GE1/0/2]port trunk allow-pass vlan 101
[Core-GE1/0/2]port mux-vlan enable vlan 101
[Core-GE1/0/2]quit
[Core]interface GE 1/0/3
[Core-GE1/0/3]port link-type trunk
[Core-GE1/0/3]port trunk allow-pass vlan 103
[Core-GE1/0/3]port mux-vlan enable vlan 103
[Core-GE1/0/3]quit
[Core]interface GE 1/0/4
[Core-GE1/0/4]port link-type access
[Core-GE1/0/4]port default vlan 10
[Core-GE1/0/4]port mux-vlan enable vlan 10
[Core-GE1/0/4]quit
[Core]interface GE 1/0/5
[Core-GE1/0/5]port link-type trunk
[Core-GE1/0/5]port trunk allow-pass vlan 103
[Core-GE1/0/5]port mux-vlan enable vlan 103
[Core-GE1/0/5]quit

JRswitch1 configuration

[JRswitch1]interface GE 1/0/1
[JRswitch1-GE1/0/1]port link-type trunk
[JRswitch1-GE1/0/1]undo port trunk allow-pass vlan 1
[JRswitch1-GE1/0/1]port trunk allow-pass vlan 101
[JRswitch1-GE1/0/1]quit
[JRswitch1]interface GE 1/0/2
[JRswitch1-GE1/0/2]port link-type access
[JRswitch1-GE1/0/2]port default vlan 101
[JRswitch1-GE1/0/2]quit
[JRswitch1]interface GE 1/0/3
[JRswitch1-GE1/0/3]port link-type access
[JRswitch1-GE1/0/3]port default vlan 101
[JRswitch1-GE1/0/3]quit

JRswitch2 configuration

[JRswitch2]interface GE 1/0/1
[JRswitch2-GE1/0/1]port link-type trunk
[JRswitch2-GE1/0/1]undo port trunk allow-pass vlan 1
[JRswitch2-GE1/0/1]port trunk allow-pass vlan 101
[JRswitch2-GE1/0/1]quit
[JRswitch2]interface GE 1/0/2
[JRswitch2-GE1/0/2]port link-type access
[JRswitch2-GE1/0/2]port default vlan 101
[JRswitch2-GE1/0/2]quit

JRswitch3 configuration

[JRswitch3]interface GE 1/0/1
[JRswitch3-GE1/0/1]port link-type trunk
[JRswitch3-GE1/0/1]undo port trunk allow-pass vlan 1
[JRswitch3-GE1/0/1]port trunk allow-pass vlan 103
[JRswitch3-GE1/0/1]quit
[JRswitch3]interface GE 1/0/2
[JRswitch3-GE1/0/2]port link-type access
[JRswitch3-GE1/0/2]port default vlan 103
[JRswitch3-GE1/0/2]quit

JRswitch4 configuration

[JRswitch4]interface GE 1/0/1
[JRswitch4-GE1/0/1]port link-type trunk
[JRswitch4-GE1/0/1]undo port trunk allow-pass vlan 1
[JRswitch4-GE1/0/1]port trunk allow-pass vlan 103
[JRswitch4-GE1/0/1]quit
[JRswitch4]interface GE 1/0/2
[JRswitch4-GE1/0/2]port link-type access
[JRswitch4-GE1/0/2]port default vlan 103
[JRswitch4-GE1/0/2]quit

4.3 Verification

R&D zone PCs PC1/PC2/PC3 can all reach each other

PC1> ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=10.2 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=7.09 ms
64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=10.7 ms
64 bytes from 192.168.1.2: icmp_seq=4 ttl=64 time=11.3 ms
--- 192.168.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 7.087/9.813/11.269/1.616 ms

PC1> ping 192.168.1.3
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
64 bytes from 192.168.1.3: icmp_seq=9 ttl=64 time=59.4 ms
64 bytes from 192.168.1.3: icmp_seq=10 ttl=64 time=18.2 ms
64 bytes from 192.168.1.3: icmp_seq=11 ttl=64 time=30.3 ms
64 bytes from 192.168.1.3: icmp_seq=12 ttl=64 time=22.4 ms
--- 192.168.1.3 ping statistics ---
12 packets transmitted, 4 received, 66.6667% packet loss, time 11233ms
rtt min/avg/max/mdev = 18.171/32.576/59.419/16.096 ms

R&D zone PCs PC1/PC2/PC3 cannot reach outsourcing zone PCs PC5/PC6

PC1> ping 192.168.1.4
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
From 192.168.1.1 icmp_seq=5 Destination Host Unreachable
From 192.168.1.1 icmp_seq=6 Destination Host Unreachable
--- 192.168.1.4 ping statistics ---
7 packets transmitted, 0 received, +6 errors, 100% packet loss, time 6154ms
pipe 4

PC1> ping 192.168.1.5
PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
From 192.168.1.1 icmp_seq=5 Destination Host Unreachable
From 192.168.1.1 icmp_seq=6 Destination Host Unreachable
--- 192.168.1.5 ping statistics ---
7 packets transmitted, 0 received, +6 errors, 100% packet loss, time 6145ms
pipe 3

Outsourcing zone PCs PC5/PC6 cannot reach each other

PC5> ping 192.168.1.5
PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
From 192.168.1.4 icmp_seq=1 Destination Host Unreachable
From 192.168.1.4 icmp_seq=2 Destination Host Unreachable
From 192.168.1.4 icmp_seq=3 Destination Host Unreachable
From 192.168.1.4 icmp_seq=4 Destination Host Unreachable
From 192.168.1.4 icmp_seq=5 Destination Host Unreachable
From 192.168.1.4 icmp_seq=6 Destination Host Unreachable
From 192.168.1.4 icmp_seq=7 Destination Host Unreachable
--- 192.168.1.5 ping statistics ---
7 packets transmitted, 0 received, +7 errors, 100% packet loss, time 6149ms
pipe 4

Both the R&D zone and the outsourcing zone can reach the server

PC4> ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=38.1 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=20.8 ms
64 bytes from 192.168.1.10: icmp_seq=3 ttl=64 time=12.5 ms
64 bytes from 192.168.1.10: icmp_seq=4 ttl=64 time=13.3 ms
64 bytes from 192.168.1.10: icmp_seq=5 ttl=64 time=18.6 ms
--- 192.168.1.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 12.471/20.654/38.074/9.257 ms

PC1> ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=38.1 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=20.8 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=12.5 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=13.3 ms
64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=18.6 ms
--- 192.168.1.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4016ms
rtt min/avg/max/mdev = 12.471/20.654/38.074/9.287 ms
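As an added illustration that is not part of the original article, the following Python model parses the MUX VLAN lines from the Core configuration in section 4.2 and reproduces the reachability that the ping tests above demonstrate. The host-to-VLAN placement is taken from the verification section; the parser understands only the command forms shown on this page.

```python
import re

# Constructed from the article's Core configuration (section 4.2); only the
# lines the model needs are kept.
CORE_CONFIG = """\
[Core]vlan 10
[Core-vlan10]mux-vlan
[Core-vlan10]subordinate separate 103
[Core-vlan10]subordinate group 101
[Core]interface GE 1/0/1
[Core-GE1/0/1]port mux-vlan enable vlan 101
[Core]interface GE 1/0/4
[Core-GE1/0/4]port mux-vlan enable vlan 10
"""
# Host-to-VLAN placement from the article's verification (section 4.3).
HOSTS = {"PC1": 101, "PC2": 101, "PC3": 101, "PC5": 103, "PC6": 103, "Server": 10}


def parse_mux_config(text):
    """Collect principal/subordinate VLANs and per-port 'port mux-vlan enable' bindings."""
    mux = {"principal": None, "separate": set(), "group": set(), "port_vlan": {}}
    vlan = port = None
    for line in text.splitlines():
        cmd = line.split("]", 1)[-1].strip()  # strip the "[Core-...]" prompt
        if m := re.fullmatch(r"vlan (\d+)", cmd):
            vlan = int(m.group(1))
        elif cmd == "mux-vlan":               # the VLAN being edited is principal
            mux["principal"] = vlan
        elif m := re.fullmatch(r"subordinate (separate|group) (\d+)", cmd):
            mux[m.group(1)].add(int(m.group(2)))
        elif m := re.fullmatch(r"interface (.+)", cmd):
            port = m.group(1).strip()
        elif m := re.fullmatch(r"port mux-vlan enable vlan (\d+)", cmd):
            mux["port_vlan"][port] = int(m.group(1))
    return mux


def can_talk(vlan_a, vlan_b, mux):
    """MUX VLAN rule: principal reaches all; group reaches its own group;
    separate reaches only the principal (not even other separate ports)."""
    if mux["principal"] in (vlan_a, vlan_b):
        return True
    return vlan_a == vlan_b and vlan_a in mux["group"]


def reachability(hosts, mux):
    """Pairwise who-can-reach-whom matrix under the parsed policy."""
    return {(a, b): can_talk(hosts[a], hosts[b], mux)
            for a in hosts for b in hosts if a != b}
```

Running `reachability(HOSTS, parse_mux_config(CORE_CONFIG))` yields the same matrix the pings show: PC1/PC2/PC3 reach each other and the server, PC5/PC6 reach only the server.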

五、MUX VLAN caveats

Each caveat below lists what it applies to and the recommended handling.

VLAN reuse conflicts

  • The principal VLAN cannot be used in a Super-VLAN/Sub-VLAN architecture (applies to: principal VLAN). Recommendation: allocate it an independent VLAN ID at planning time.

  • Subordinate VLANs (group or separate) cannot have a VLANIF interface (applies to: group VLAN, separate VLAN). Recommendation: Layer 3 communication goes through the principal VLAN gateway.

Interface feature conflicts

  • MUX VLAN cannot be enabled on the same interface together with port security, MAC authentication or 802.1X (applies to: all MUX VLAN interfaces). Recommendation: keep the MUX VLAN function as the priority.

  • An interface with MUX VLAN enabled cannot be configured with VLAN mapping or VLAN stacking (applies to: all MUX VLAN interfaces). Recommendation: check the existing configuration and remove the conflicting functions.

Address and traffic control

  • Static MAC address entries must not point to a MUX VLAN (applies to: all MUX VLANs). Recommendation: clean up conflicting static MAC entries.

  • Disabling MAC learning or limiting the number of learned addresses breaks the function (applies to: all MUX VLAN interfaces). Recommendation: keep the default MAC learning mode.

DHCP compatibility

  • If the DHCP server sits on the subordinate VLAN side, clients on the principal VLAN side cannot obtain an IP address (applies to: principal VLAN, subordinate VLANs). Recommendation: always deploy the server on the principal VLAN side.