1、建立VLAN其實隻要分為2步,隻需要2條指令:
①如果需要把網關放在EX2200裡,就是需要建立一個虛拟的三層接口SVI,是以我們可以先建立一個SVI作為即将建立的VLAN網關。
②建立VLAN的同時,把虛拟接口SVI與vlan比對起來。
網絡裝置中接口一般都會有子接口的概念,unit就是vlan的子接口
//建立一個虛拟接口unit2,位址為192.168.2.1/24
root# set interfaces vlan unit 2 family inet address 192.168.2.1/24
//建立VLAN比對SVI
root# set vlans vlan_name vlan-id 2 l3-interfacevlan.2
//記得還要在trunk口加入允許通過的VLAN
root# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 2
2、建立過濾的ACL也是分2步:
①建立過濾規則,可以帶port口,今天參數可以在指令行按?檢視
②把建立的ACL放在vlan的input或者output
建立ACL
//比對流量
set firewall family ethernet-switching filter acl_name term rule_name1 from destination-address X.X.X.X/X
//定義行為
set firewall family ethernet-switching filter acl_name term rule_name1 then discard
//放行其他流量,這條很重要,因為生成的ACL裡面會自動帶有一條any discard的規則。
set firewall family ethernet-switching filter acl_name term rule_name1 then accept
放到有對應的vlan
set vlans vlan_name filter input acl_name
----------------------------------------------------------------------------------
set interfaces vlan unit 2 family inet address 192.168.2.1/24
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 2
set firewall family ethernet-switching filter acl_name term rule_name1 from destination-address X.X.X.X/X
set firewall family ethernet-switching filter acl_name term rule_name1 then discard
![eNSP三層交換機配置-01[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)