内容发布更新时间 : 2024/6/26 19:05:25星期一 下面是文章的全部内容请认真阅读。
100M 100M
1
百思学网络,领先科技 -54- HTTP://WWW.BESTXUE.CN
Fa0/19, Fa0/20, Fa0/21, Fa0/22 Fa0/23, Fa0/24, Gi0/1, Gi0/2 2 VLAN0002 active 3 VLAN0003 active 4 VLAN0004 active 配置 SW2: 创建 VLAN2-4 SW3(config)#vlan 2-4 查看 VLAN: SW3#show vlan VLAN Name Status Ports ---- -------------------------------- ---------
------------------------------- 1 default active Fa0/3, Fa0/4, Fa0/5, Fa0/6 Fa0/7, Fa0/8, Fa0/9, Fa0/10 Fa0/11, Fa0/12, Fa0/13, Fa0/14 Fa0/15, Fa0/16, Fa0/17, Fa0/18 Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24 2 VLAN0002 active 3 VLAN0003 active 4 VLAN0004 active 二、实现实验要求 2: 要求 2.确保核心交换机 SW1 为 VLAN1-4 的根网桥,当 SW1 出现故障时 SW2 成为 VLAN1-4 的根网桥. 配置 SW1: (确保核心交换机 SW1 为 VLAN1-4 的根网桥)
SW1(config)#spanning-tree vlan 1-4 root primary 或 SW1(config)#spanning-tree vlan 1-4 priority 24576 (root primary= priority 24576) 配置 SW2: (当 SW1 出现故障时 SW2 成为 VLAN1-4 的根网桥) SW2(config)#spanning-tree vlan 1-4 root secondary 或 SW2(config)#spanning-tree vlan 1-4 priority 28672 (root secondary= priority 28672) 三、实现实验要求 3: 要求 3:确保交换机 SW3 的 VLAN1,VLAN2 到核心网络(SW1,SW2)的流量走线路 1 SW3#show spanning-tree vlan 1 VLAN0001 Spanning tree enabled protocol ieee Root ID Priority 24577 Address 000d.bcb4.c500 Cost 19 Port 1 (FastEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 28673 (priority 28672 sys-id-ext 1) Address 0013.1a9a.2b80 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p Fa0/2 Altn BLK 19 128.2百思学网络,领先科技 -55- HTTP://WWW.BESTXUE.CN
P2p SW3#show spanning-tree vlan 2 VLAN0002 Spanning tree enabled protocol ieee Root ID
Priority 24578 Address 000d.bcb4.c500 Cost 19 Port 1 (FastEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32770 (priority 32768 sys-id-ext 2) Address
0013.1a9a.2b80 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/1 Root FWD 19 128.1 P2p Fa0/2 Altn BLK 19 128.2 P2p 通过在 SW3 上查看 VLAN1 ,VALN2 的生成树状态,发现相对于 VLAN1,VLAN2 来说 F0/1 为转发状态,F0/2 为 blocking 状态,可以确定 VLAN1 和 VLAN2 到达核心网络的流量通过 F0/1 走线路 1, 已符合本实 验的要求,不需要做配置。 四、实现实验要求 4: 要求 4:确保交换机 SW3 的 VLAN3,VLAN4 到核心网络(SW1,SW2)的流量走线路 2 配置 SW3: SW3(config)#int f0/1 SW3(config-if)#spanning-tree vlan 3-4 cost 39 配置后,确认交换机 SW3 的 VLAN3,VLAN4 到核心网络(SW1,SW2)的流量是否走线路 2: SW3#show spanning-tree vlan 3 VLAN0003 Spanning tree enabled protocol ieee Root ID Priority 24579 Address 000d.bcb4.c500 Cost 38 Port 2 (FastEthernet0/2) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32771 (priority 32768 sys-id-ext 3) Address 0013.1a9a.2b80 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/1 Altn BLK 39 128.1 P2p Fa0/2 Root FWD 19 128.2 P2p SW3#show spanning-tree vlan 4 VLAN0004 Spanning tree enabled protocol ieee Root ID Priority 24580 Address 000d.bcb4.c500 Cost 38 Port 2
(FastEthernet0/2) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32772 (priority 32768 sys-id-ext 4) Address 0013.1a9a.2b80 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/1 Altn BLK 39 128.1 P2p 百思学网络,领先科技 -56- HTTP://WWW.BESTXUE.CN
Fa0/2 Root FWD 19 128.2 P2p 结果:通过在 SW3 上查看 VLAN3 ,VALN4 的生成树状态,发现相对于 VLAN3,VLAN4 来说 F0/2 为转 发状态,F0/1 为 blocking 状态,可以确定 VLAN3 和
VLAN4 到达核心网络的流量通过 F0/2 走线路 2, 符合本 实验的要求. 附:根网桥和备份根网桥和非根网桥 SW3 的确认信息: 根网桥确认信息: SW1#show spanning-tree vlan 1 VLAN0001 Spanning tree enabled protocol ieee Root ID Priority 24577 Address 000d.bcb4.c500 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 24577 (priority 24576 sys-id-ext 1) Address 000d.bcb4.c500 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p Fa0/2 Desg FWD 19 128.2 P2p
SW1#show spanning-tree vlan 2 VLAN0002 Spanning tree enabled protocol ieee Root ID Priority 24578 Address 000d.bcb4.c500 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 24578 (priority 24576 sys-id-ext 2) Address 000d.bcb4.c500 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p Fa0/2 Desg FWD 19 128.2 P2p
SW1#show spanning-tree vlan 3 VLAN0003 Spanning tree enabled protocol ieee Root ID Priority 24579 Address 000d.bcb4.c500 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 24579 (priority 24576 sys-id-ext 3) Address 000d.bcb4.c500 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/1 Desg FWD 19 128.1 P2p Fa0/2 Desg FWD 19 128.2 P2p
百思学网络,领先科技 -57- HTTP://WWW.BESTXUE.CN
SW1#show spanning-tree vlan 4 VLAN0004 Spanning tree enabled protocol ieee Root ID Priority 24580 Address 000d.bcb4.c500 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 24580 (priority 24576 sys-id-ext 4) Address 000d.bcb4.c500 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/1 Desg FWD 19 128.1 P2p Fa0/2 Desg FWD 19 128.2 P2p
备份根网桥的确认信息: SW2#show spanning-tree vlan 1 VLAN0001 Spanning tree enabled protocol ieee Root ID Priority 24577 Address 000d.bcb4.c500 Cost 19 Port 1 (FastEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 28673 (priority 28672 sys-id-ext 1) Address 0011.92e4.2780 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p Fa0/2 Desg FWD 19 128.2 P2p
SW2#show spanning-tree vlan 2 VLAN0002 Spanning tree enabled protocol ieee Root ID Priority 24578 Address 000d.bcb4.c500 Cost 19 Port 1 (FastEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 28674
(priority 28672 sys-id-ext 2) Address 0011.92e4.2780 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p Fa0/2 Desg FWD 19 128.2 P2p
SW2#show spanning-tree vlan 3 VLAN0003 Spanning tree enabled protocol ieee Root ID Priority 24579
百思学网络,领先科技 -58- HTTP://WWW.BESTXUE.CN
Address 000d.bcb4.c500 Cost 19 Port 1 (FastEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 28675 (priority 28672 sys-id-ext 3) Address 0011.92e4.2780 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/1 Root FWD 19 128.1 P2p Fa0/2 Desg FWD 19 128.2 P2p
SW2#show spanning-tree vlan 4 VLAN0004 Spanning tree enabled protocol ieee Root ID Priority 24580 Address 000d.bcb4.c500 Cost 19 Port 1 (FastEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 28676 (priority 28672 sys-id-ext 4) Address 0011.92e4.2780 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p Fa0/2 Desg FWD 19 128.2 P2p
SW2#
非根网桥 SW3 的确认信息: SW3#show spanning-tree vlan 1 VLAN0001 Spanning tree enabled protocol ieee Root ID Priority 24577 Address 000d.bcb4.c500 Cost 19 Port 1 (FastEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 28673 (priority 28672 sys-id-ext 1) Address 0013.1a9a.2b80 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/1 Root FWD 19 128.1 P2p Fa0/2 Altn BLK 19 128.2 P2p SW3#show spanning-tree vlan 2 VLAN0002 Spanning tree enabled protocol ieee Root ID Priority 24578 Address 000d.bcb4.c500
百思学网络,领先科技 -59- HTTP://WWW.BESTXUE.CN
Cost 19 Port 1 (FastEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32770 (priority 32768 sys-id-ext 2) Address 0013.1a9a.2b80 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/1 Root FWD 19 128.1 P2p Fa0/2 Altn BLK 19 128.2 P2p SW3#show spanning-tree vlan 3 VLAN0003 Spanning tree enabled protocol ieee Root ID
Priority 24579 Address 000d.bcb4.c500 Cost 38 Port 2 (FastEthernet0/2) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32771 (priority 32768 sys-id-ext 3) Address
0013.1a9a.2b80 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/1 Altn BLK 39 128.1 P2p Fa0/2 Root FWD 19 128.2 P2p SW3#show spanning-tree vlan 4
VLAN0004 Spanning tree enabled protocol ieee Root ID Priority 24580 Address 000d.bcb4.c500 Cost 38 Port 2 (FastEthernet0/2) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32772 (priority 32768 sys-id-ext 4) Address 0013.1a9a.2b80 Hello Time 2 sec Max Age 20
sec Forward Delay 15 sec Aging Time 300 Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Fa0/1 Altn BLK 39 128.1 P2p Fa0/2 Root FWD 19 128.2 P2p
百思学网络,领先科技 -60- HTTP://WWW.BESTXUE.CN
实验14. 配置交换机的端口安全(1) 实验拓扑:
实验需求: F0/1 的已划分到 VLAN2 ,配置 F0/1 的端口安 全,使得 端 口 F0/1 只允 许 PC1 的 MAC 地址 (aaaa.aaaa.aaa1)进入,如果接收到违规的包(也就是进入 F0/1 非 MAC:aaaa.aaaa.aaa1 的数据包)接口 会 shutdown. 实验步骤: 第一步: 创建 VLAN2,把 F0/1 加入 VLAN2 SW2950(config)#vlan 2 SW2950(config-vlan)#exit SW2950(config)#int f0/1 SW2950(config-if)#switchport mode access SW2950(config-if)#switchport access vlan 2 第二步: 设置 F0/1 的端口安全: SW2950(config)#int f0/1 SW2950(config-if)#switchport port-security --------注:启用端口安全 SW2950(config-if)#switchport port-security maximum 1 --------注:允许进入 F0/1 的 MAC 地址的最大数 目,为 1,这是默认值。 SW2950(config-if)#switchport port-security mac-address aaaa.aaaa.aaa1 --------注:设置所允许的具体 MAC 地址 SW2950(config-if)#switchport port-security violation shutdown ---------注:当接收到不是允许的 MAC 时 的动作为 shutdown, 这是默认设置查看以上配置 SW2950#show run int f0/1 Building configuration... Current configuration : 163 bytes !
百思学网络,领先科技 -61- HTTP://WWW.BESTXUE.CN
interface FastEthernet0/1 switchport access vlan 2 switchport mode access switchport port-security switchport port-security mac-address aaaa.aaaa.aaa1 end SW1#show port-security
------注: 通过查看配置发现上面我们配 置了 4 条端口安全命令,但只看 到两条,因为有其中两条是只要 启用了端口安全,就默认设置了,不会显示,可以show port-security 看到 Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count)
--------------------------------------------------------------------------- Fa0/10 1 1 0 Shutdown
--------------------------------------------------------------------------- Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024 端口安全的另外两个动作参数:(protect 和 restrict) SW1(config-if)#switchport port-security violation ? protect Security violation protect mode --------注: Protect 意思是当 F0/1 接收到 不是所允许的 MAC 地址时动 作为做保护,不会关闭接口, 但数据包被拒绝通过,接口的 状态是好的,不给管理员任何 提示,不产生告警。
restrict Security violation restrict mode -------注: shutdown Security violation shutdown mode -------注: shutdown 意思是接收到不是所允许的 MAC 地址时动作关闭 接口,并产生告警,被 shutdown 的接口要 shutdown 再 no shutdown,接口状态才会再次 up restrict 意思是当 F0/1 接收到不是所允 许的 MAC 地址时动 作为做限制,不会关闭接口, 但数据包被拒绝通过,接口的 状态是好的,但会给管理员提 示信息,产生告警。 百思学网络,领先科技 -62- HTTP://WWW.BESTXUE.CN
实验15. 配置交换机的端口安全(2) 实验拓扑:
实验拓扑描述:SW2950 的 F0/4 下接了一个非网管的交换机。 实验需求: F0/4 的已划分到 VLAN4,配置 F0/4 的端口安全,使得端口 F0/4 最多允许 10 个 MAC 进入,如果接 收到违规的包(也就是进入 F0/4 接口的 MAC 地址超过 10 个,则丢弃违规的数据包,并且产生告警。 实验步骤: 第一步: 创建 VLAN4,把 F0/4 加入 VLAN4 SW2950(config)#vlan 4 SW2950(config)#int f0/4 SW2950(config-if)#switchport mode access SW2950(config-if)#switchport
access vlan 4 -----------注:把端 F0/4 加入到 VLAN4 SW2950(config-if)#switchport port-security SW2950(config-if)#switchport port-security maximum 10 SW2950(config-if)#switchport
port-security mac-address sticky SW2950(config-if)#switchport port-security violation restrict -----------注:启用端口安全,进入接口最大的 MAC 地址数,sticky 命令作用是会记 录前 10 个合法的 MAC 地址,超过则 被丢弃。Restrict 的作为违规的数据包 不可以通过,会产生告警。 通过 show run 查看以上所做的配置:
非网管交换机
百思学网络,领先科技 -63- HTTP://WWW.BESTXUE.CN
SW2950#sho run int f0/4 interface FastEthernet0/4 switchport access vlan 4 switchport mode access switchport port-security switchport port-security maximum 10 switchport port-security violation restrict switchport port-security mac-address sticky 查看端口安全参数: SW2#show port-security Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count) --------------------------------------------------------------------------- Fa0/4 10 0 0 Restrict
--------------------------------------------------------------------------- Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024 百思学网络,领先科技 -64- HTTP://WWW.BESTXUE.CN
实验16. 用路由器实现 VLAN 之间的访问 实验拓扑:
实验要求: 1. 在 SW1 上划分 VLAN2,VLAN3,把 F0/2 加入 VLAN2,F0/3 加入 VLAN3,端口 F0/1 设置为 802.1Q 的 Trunk. 2. 配置 R1,使得 VLAN2 和 VLAN3 的主机之间可以互相访问. 配置步骤: 配置 SW1: SW1(config)#vlan 2-3 --------------------------------------------注:创建 VLAN2,VLAN3 SW1(config)#int f0/2 SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 2 ------------------------注:把端口 F0/2 加入 VLAN2
SW1(config)#int f0/3 SW1(config-if)#switchport mode access SW1(config-if)#switchport access vlan 3 ------------------------注:把端口 F0/3 加入 VLAN3 SW1(config)#int f0/1
SW1(config-if)#switchport mode trunk ---------------------------注:把端口 F0/1 设置为 trunk 端口 配置 R1: R1(config)#inte0/0 R1(config-if)#no shutdown ---------------------------注:启用物理接口 E0/0 R1(config-if)#exit R1(config)#int e0/0.2 R1(config-subif)#encapsulation dot1Q 2
R1(config-subif)#ip address 10.1.2.254 255.255.255.0 ----------注:创建并进入 E0/0.2 子接口,封装 802.1Q (dot1Q),2 为 VLAN_ID ,并配置 IP 地址 R1(config-subif)#end R1#conf t R1(config)#int e0/0.3 R1(config-subif)#encapsulation dot1Q 3 R1(config-subif)#ip add 10.1.3.254 255.255.255.0 ---------------注:创建并进入 E0/0.3 子接口,封装 802.1Q (dot1Q),3 为 VLAN_ID ,并配置 IP 地址 查看 E0/0.2 的子接口: R1#sho run int e0/0.2
VLAN2 网段:10.1.2.0/24 VLAN3 网段:10.1.3.0/24
PC2:10.1.3.1/24 GW:10.1.3.254 PC1:10.1.2.1/24 GW:10.1.2.254
R1为2600的路由器 SW1为2950交换机
百思学网络,领先科技 -65- HTTP://WWW.BESTXUE.CN
interface Ethernet0/0.2 encapsulation dot1Q 2 ip address 10.1.2.254 255.255.255.0 end 查看 E0/0.3 的子接口: R1#sho run int e0/0.3 Building configuration... Current configuration : 91 bytes ! interface Ethernet0/0.3 encapsulation dot1Q 3 ip address 10.1.3.254 255.255.255.0 end
检查 R1 的接口状态:包括物理接口和子接口: R1#show ip int brief Interface IP-Address OK? Method Status Protocol Ethernet0/0 unassigned YES unset up up Ethernet0/0.2 10.1.2.254 YES manual up up Ethernet0/0.3 10.1.3.254 YES manual up up Serial0/0 unassigned YES unset
administratively down down Serial0/1 unassigned YES unset administratively down down 检查 SW1 F0/1 的 trunk 状态: SW1#show int f0/1 switchport Name: Fa0/1 Switchport: Enabled Administrative Mode: trunk Operational Mode: trunk --------------------------注〆802.1Q trunk Administrative Trunking Encapsulation: dot1q Operational Trunking Encapsulation: dot1q
----------------------注〆802.1Q trunk Negotiation of Trunking: On Access Mode VLAN: 1 (default) Trunking Native Mode VLAN: 1 (default) Voice VLAN: none Administrative private-vlan