华为eNSP on CrashMemo | IT运维经验站https://crashmemo.com/tags/%E5%8D%8E%E4%B8%BAensp/Recent content in 华为eNSP on CrashMemo | IT运维经验站Hugo -- gohugo.iozhWed, 24 Jun 2026 00:00:00 +0000网络修炼笔记:交换机基础与 VLAN 隔离https://crashmemo.com/p/switch-basics-vlan-isolation/Wed, 24 Jun 2026 00:00:00 +0000https://crashmemo.com/p/switch-basics-vlan-isolation/<h2 id="实验环境准备">实验环境准备 </h2><ul> <li><strong>模拟器</strong>:华为 eNSP</li> <li><strong>模拟器设备</strong>:S5700 交换机(SW1)*1,PC *4</li> <li><strong>拓扑规划</strong>: <ul> <li>VLAN 10(研发部):PC1 (GE0/0/1, 192.168.1.1/24), PC2 (GE0/0/2, 192.168.1.2/24)</li> <li>VLAN 20(市场部):PC3 (GE0/0/3, 192.168.1.3/24), PC4 (GE0/0/4, 192.168.1.4/24)</li> </ul> </li> </ul> <p><img alt="eNSP 实验拓扑图" class="gallery-image" data-flex-basis="499px" data-flex-grow="208" height="559" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_00-49-49.webp" srcset="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_00-49-49_hu_413f674fa76dd55a.webp 800w, https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_00-49-49.webp 1164w" width="1164"></p> <hr> <h2 id="实验一同-vlan-内部通信与-mac-地址表学习">实验一:同 VLAN 内部通信与 MAC 地址表学习 </h2><h3 id="操作步骤">操作步骤 </h3><ol> <li>配置交换机 SW1,创建 VLAN 10,并将 GE0/0/1 和 GE0/0/2 类型设为 Access,划入 VLAN 10。</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">&lt;huawei&gt;sy // 进入系统视图 </span></span><span class="line"><span class="cl">[huawei]sysname sw1 // 修改设备名称为 sw1 </span></span><span class="line"><span class="cl">[sw1]vlan 10 // 创建 VLAN 10 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">// 配置 1 号接口并划入 VLAN 10 </span></span><span class="line"><span class="cl">[sw1]int g0/0/1 </span></span><span class="line"><span class="cl">[sw1-GigabitEthernet0/0/1]port link-type access </span></span><span class="line"><span class="cl">[sw1-GigabitEthernet0/0/1]port default vlan 10 </span></span><span class="line"><span class="cl">[sw1-GigabitEthernet0/0/1]q </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">// 配置 2 号接口并划入 VLAN 10 </span></span><span class="line"><span class="cl">[sw1]int g0/0/2 </span></span><span class="line"><span class="cl">[sw1-GigabitEthernet0/0/2]port link-type access </span></span><span class="line"><span class="cl">[sw1-GigabitEthernet0/0/2]port default vlan 10 </span></span><span class="line"><span class="cl">[sw1-GigabitEthernet0/0/2]q </span></span></code></pre></td></tr></table> </div> </div><p><img alt="交换机 VLAN 10 配置截图" class="gallery-image" data-flex-basis="731px" data-flex-grow="304" height="421" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-02-48.webp" srcset="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-02-48_hu_2c58958a5ded3195.webp 800w, https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-02-48.webp 1284w" width="1284"></p> <ol start="2"> <li>从 PC1 命令行发起测试:<code>ping 192.168.1.2</code></li> </ol> <p><img alt="PC1 ping PC2 结果" class="gallery-image" data-flex-basis="552px" data-flex-grow="230" height="679" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_00-47-48.webp" srcset="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_00-47-48_hu_c01ccafe338a1e05.webp 800w, https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_00-47-48.webp 1562w" width="1562"></p> <ol start="3"> <li>在交换机上查看 MAC 地址表:<code>display mac-address</code></li> </ol> <p><img alt="交换机 MAC 地址表" class="gallery-image" data-flex-basis="836px" data-flex-grow="348" height="368" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_00-54-54.webp" srcset="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_00-54-54_hu_aafe5c9153e7c44a.webp 800w, https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_00-54-54.webp 1283w" width="1283"></p> <h3 id="实验现象与结果">实验现象与结果 </h3><ul> <li><strong>PING 结果</strong>:双向互通成功。</li> <li><strong>交换机查表结果</strong>: 在 SW1 上成功看到动态学习到的 MAC 地址项,MAC 地址、VLAN ID(10)以及对应的物理接口(GE0/0/1 和 GE0/0/2)一一对应。同时这也印证了 <a class="link" href="https://crashmemo.com/p/arp-protocol-lan-communication/" >ARP 协议在局域网中的工作方式</a>:交换机在数据封装层面依赖 ARP 获取目标 MAC 地址来完成帧的转发。</li> </ul> <hr> <h2 id="实验二跨-vlan-隔离效果与边界抓包分析">实验二:跨 VLAN 隔离效果与边界抓包分析 </h2><h3 id="操作步骤-1">操作步骤 </h3><ol> <li>配置交换机 SW1,创建 VLAN 20,并将 GE0/0/3 和 GE0/0/4 划入 VLAN 20。</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">[sw1]vlan 20 // 创建 VLAN 20 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">// 配置 3 号接口并划入 VLAN 20 </span></span><span class="line"><span class="cl">[sw1]int g0/0/3 </span></span><span class="line"><span class="cl">[sw1-GigabitEthernet0/0/3]port link-type access </span></span><span class="line"><span class="cl">[sw1-GigabitEthernet0/0/3]port default vlan 20 </span></span><span class="line"><span class="cl">[sw1-GigabitEthernet0/0/3]q </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">// 配置 4 号接口并划入 VLAN 20 </span></span><span class="line"><span class="cl">[sw1]int g0/0/4 </span></span><span class="line"><span class="cl">[sw1-GigabitEthernet0/0/4]port link-type access </span></span><span class="line"><span class="cl">[sw1-GigabitEthernet0/0/4]port default vlan 20 </span></span><span class="line"><span class="cl">[sw1-GigabitEthernet0/0/4]q </span></span></code></pre></td></tr></table> </div> </div><p><img alt="交换机 VLAN 20 配置截图" class="gallery-image" data-flex-basis="957px" data-flex-grow="398" height="322" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-04-57.webp" srcset="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-04-57_hu_a209c92bf06f63ec.webp 800w, https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-04-57.webp 1284w" width="1284"></p> <ol start="2"> <li>开启三个位置的 Wireshark 抓包:PC1 本地网卡、交换机 GE0/0/1(入网口)、交换机 GE0/0/3(对端出网口)。</li> </ol> <p><img alt="Wireshark 抓包位置示意图" class="gallery-image" data-flex-basis="470px" data-flex-grow="196" height="616" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-42-52.webp" srcset="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-42-52_hu_9426adde1e91abb7.webp 800w, https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-42-52.webp 1208w" width="1208"></p> <ol start="3"> <li>从 PC1 发起跨网段/跨部门测试:<code>ping 192.168.1.3</code>。</li> </ol> <p><img alt="PC1 ping PC3 超时" class="gallery-image" data-flex-basis="646px" data-flex-grow="269" height="580" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-45-15.webp" srcset="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-45-15_hu_afb9da616940d343.webp 800w, https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-45-15.webp 1562w" width="1562"></p> <h3 id="边界抓包对比分析">边界抓包对比分析 </h3><ul> <li><strong>PC1 本地网卡 / GE0/0/1 入接口</strong>:捕获到 PC1 发出的 ARP 广播包(<code>Who has 192.168.1.3? Tell 192.168.1.1</code>)。说明终端封装正常,数据已送达交换机。</li> </ul> <p><img alt="PC1 网卡 ARP 广播抓包" class="gallery-image" data-flex-basis="2899px" data-flex-grow="1208" height="161" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-49-14.webp" srcset="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-49-14_hu_5878fea60a60eec7.webp 800w, https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-49-14_hu_aa67aed75d227d3f.webp 1600w, https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-49-14.webp 1945w" width="1945"></p> <p><img alt="交换机 GE0/0/1 入接口抓包" class="gallery-image" data-flex-basis="2947px" data-flex-grow="1228" height="157" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-52-03.webp" srcset="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-52-03_hu_f0d9e07bad7eed16.webp 800w, https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-52-03_hu_174942fcbf65350c.webp 1600w, https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-52-03.webp 1928w" width="1928"></p> <ul> <li><strong>GE0/0/3 出接口(PC3 直连线)</strong>:<strong>未接收到任何 ARP 广播或 ICMP 报文</strong>。</li> </ul> <p><img alt="交换机 GE0/0/3 出接口抓包" class="gallery-image" data-flex-basis="1070px" data-flex-grow="446" height="528" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-53-41.webp" srcset="https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-53-41_hu_93b610dd78799762.webp 800w, https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-53-41_hu_b05dfb682f6e4ca9.webp 1600w, https://crashmemo.com/p/switch-basics-vlan-isolation/PixPin_2026-06-25_11-53-41.webp 2356w" width="2356"></p> <h3 id="阻断原理分析">阻断原理分析 </h3><p>数据包带有 VLAN 10 标签在交换机内部流转。当交换机尝试泛洪广播时,发现 GE0/0/3 属于 VLAN 20,VLAN 标签不匹配。交换机在内部强制阻断了该报文的转发,导致广播包无法跨越 VLAN 边界。更多关于 ARP 广播在二层网络中的行为分析,可参考 <a class="link" href="https://crashmemo.com/p/arp-protocol-lan-communication/" >ARP 协议与局域网通信原理</a>。</p> <hr> <h2 id="结论">结论 </h2><ol> <li><strong>VLAN 隔离广播域</strong>:VLAN 的本质是在交换机内部打上标签,限制广播包的泛洪范围。不同 VLAN 在二层(数据链路层)天然隔离。</li> <li><strong>Access 接口行为</strong>:入方向打标签,出方向剥标签。它严格限制了只有相同 VLAN 的数据才能从该接口流出。</li> </ol>