Knowledge points used in this lab:
Enabling port security
Port security MAC address configuration
Port security maximum MAC address count configuration
Port security violation action configuration
Task
VLAN and inter-VLAN routing configuration;
Port security configuration: in the left network only PC0 may connect to C1; in the right network two end users may connect to C1;
Steps
As shown in the figure, the local network is built as a two-tier structure with one core switch and two access switches. Assign VLANs and their members on S1 and S2 as required in the figure.
Record table:
Device | Interface | IP address/mask | Gateway address | Notes
---|---|---|---|---
C1 | vlan 1 | 10.35.1.254/24 | |
C1 | vlan 2 | 10.35.2.254/24 | |
S1 | Fa0/1 | | | vlan 1
S1 | Fa0/2 | | | vlan 2
S1 | Fa0/3 | | | mac: 0001.96ce.1e03
S2 | Fa0/1 | | | vlan 1
S2 | Fa0/2 | | | vlan 2
S2 | Fa0/3 | | | mac: 00e0.b086.8803
PC0 | | 10.35.1.1/24 | 10.35.1.254/24 | mac: 0060.7020.93BB
PC1 | | 10.35.2.1/24 | 10.35.2.254/24 | mac: 0090.2150.050B
PC2 | | 10.35.1.2/24 | 10.35.1.254/24 | mac: 0004.9A58.D178
PC3 | | 10.35.2.2/24 | 10.35.2.254/24 | mac: 0002.17B3.896B
Configure inter-VLAN routing
Configure S1, S2 and C1 so that the PCs can ping each other and every PC can ssh to C1.
S1: trunk interface
```
S1(config)# vlan 2    # create vlan 2
```
S2: trunk interface
```
S2(config)# vlan 2    # create vlan 2
```
C1: SSH
Hostname C1, domain name wtctx, username and password both txXX, unencrypted enable password tx18XX (XX is the last two digits of your student ID)
```
C1(config)# hostname C1    # set the hostname to C1
```
C1: trunk interfaces
```
C1(config)# interface range fastEthernet 0/1-2    # enter ports 0/1 and 0/2
```
C1: enable routing
```
C1(config)# ip routing    # enable routing
```
C1: set the gateway address of each VLAN
The address is the highest host address of that subnet (note that a VLAN interface is shut down by default and must be brought up manually)
```
C1(config)# vlan 2    # create vlan 2
```
Record results
Set the gateway address on each PC; when done, ping PC1 and PC2 from PC0 and record the results.
Port security configuration.
C1: enable port security on fa0/1
It is recommended to shut the port down while configuring; shutting the port down clears the MAC address table
```
C1(config)# interface fastEthernet 0/1    # enter interface Fa0/1
```
C1: disable DTP on secure port fa0/1
```
C1(config-if)# switchport nonegotiate    # disable DTP
```
C1: maximum number of addresses allowed on secure port fa0/1
```
C1(config-if)# switchport port-security maximum 3    # set the maximum number of addresses
```
C1: specify the addresses allowed to connect on secure port fa0/1
```
C1(config-if)# switchport port-security mac-address 0060.7020.93BB
```
C1: specify the violation action for secure port fa0/1
protect is recommended; think about why
```
C1(config-if)# switchport port-security violation protect
```
C1: enable port security on fa0/2
It is recommended to shut the port down while configuring; shutting the port down clears the MAC address table
```
C1(config-if)# no shutdown    # bring port Fa0/1 back up
```
C1: disable DTP on secure port fa0/2
```
C1(config-if)# switchport nonegotiate    # disable DTP
```
C1: maximum number of addresses allowed on secure port fa0/2
Think about what value is reasonable to set, and on what basis
```
C1(config-if)# switchport port-security maximum 5    # set the maximum number of addresses
```
C1: use sticky address learning on secure port fa0/2
```
C1(config-if)# switchport port-security mac-address sticky
```
C1: specify the violation action for secure port fa0/2
protect is recommended; think about why
```
C1(config-if)# switchport port-security violation protect
```
Record results
When done, ping PC1 and PC2 from PC0, record the results, and think about the reason
Analysis: although full network connectivity has been achieved, PC1 has not been configured as an allowed address and the protection mode is set to protect, so from the switch's point of view PC1's traffic is a violation; the port drops PC1's data, and therefore PC0's data cannot be delivered to PC1.
Reflection
Analysis: at this point the MAC address table shows a total of 5 MAC address entries from Fa0/2. They are: when learning addresses on Fa0/1 the switch first learns the address of the directly connected interface (i.e. port Fa0/3 of switch S1), the MAC addresses of the vlan1 and vlan2 interfaces, and the MAC addresses of PC2 and PC3.
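An added example to reason about the two recorded results above; it is not part of the lab sheet or of Packet Tracer. It is a small Python model of how a secure port applies its maximum, static/sticky entries and violation action, replayed with the MAC addresses from the record table; the vlan1/vlan2 SVI addresses of S1 and S2 and the arrival order are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """One Cisco-style secure access port (model constructed for this example)."""
    name: str
    maximum: int                 # switchport port-security maximum N
    violation: str = "protect"   # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)  # static + sticky/dynamic entries
    violations: int = 0          # SecurityViolation counter of 'show port-security'
    err_disabled: bool = False

    def add_static(self, mac):
        """switchport port-security mac-address <mac>: a static entry also counts toward the maximum."""
        self.secure_macs.add(mac.lower())

    def ingress(self, src_mac):
        """Return True if a frame with this source MAC is forwarded by the port."""
        mac = src_mac.lower()
        if self.err_disabled:
            return False                      # shutdown mode already took the port down
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)         # free slot: learn it (sticky keeps it in the config)
            return True
        # table full and source unknown: a security violation
        if self.violation != "protect":
            self.violations += 1              # restrict/shutdown count and log it
        if self.violation == "shutdown":
            self.err_disabled = True          # port goes err-disabled
        return False                          # protect: drop silently, no counter, no log

def lab_scenario():
    """Replay the lab: Fa0/1 max 3 with PC0 static, Fa0/2 max 5 with sticky learning."""
    fa01 = SecurePort("Fa0/1", maximum=3)
    fa01.add_static("0060.7020.93BB")                      # PC0, from the record table
    seen_on_fa01 = ["0001.96ce.1e03",                      # S1 Fa0/3, the directly connected port
                    "0001.96ce.1e01", "0001.96ce.1e02",    # S1 vlan1/vlan2 SVIs (constructed values)
                    "0090.2150.050B"]                      # PC1 arrives once the port is full
    fa01_fwd = {m: fa01.ingress(m) for m in seen_on_fa01}
    fa02 = SecurePort("Fa0/2", maximum=5)                  # sticky: learned entries persist
    seen_on_fa02 = ["00e0.b086.8803",                      # S2 Fa0/3, the directly connected port
                    "00e0.b086.8801", "00e0.b086.8802",    # S2 vlan1/vlan2 SVIs (constructed values)
                    "0004.9A58.D178", "0002.17B3.896B"]    # PC2 and PC3 both fit
    fa02_fwd = {m: fa02.ingress(m) for m in seen_on_fa02}
    return fa01, fa01_fwd, fa02, fa02_fwd
```

In protect mode the drop of PC1 leaves the violation counter at zero, so the only evidence of the problem is the failed ping; a restrict-mode port would drop the same frames but also count and log them.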