STP
实验拓扑
实验需求
- 开启所有设备,等待STP收敛后观察STP状态
- 使SW4成为根网桥
- 使闭塞端口出现在SW2上
- 把SW1上连接的PC的端口配置为边缘端口
实验步骤:
1.开启stp #交换机默认运行mstp
SW1
[sw1]stp mode stp #手动修改模式为stp
sw2
[sw2]stp mode stp
sw3
[sw3]stp mode stp
sw4
[sw4]stp mode stp
sw1
[sw1]dis int GigabitEthernet 1/0/4 #查看接口
GigabitEthernet1/0/4
Current state: DOWN
Line protocol state: DOWN
IP packet frame type: Ethernet II, hardware address: 409e-e6a0-0100 #本机的mac地址
Description: GigabitEthernet1/0/4 Interface
Bandwidth: 1000000 kbps
##查看完所有mac(优先级都是默认的),可以看到sw4<sw3<sw2<sw1##所以 可以得知sw1为根,到时候sw4上会有一个蔽塞端口(AP)
观察STP状态
sw1
[sw1]dis stp
-------[CIST Global Info][Mode STP]-------
Bridge ID :32768.409e-e6a0-0100
Bridge times: Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
Root ID/ERPC :32768.409e-e6a0-0100, 0#可以看出根为自己
RegRoot ID/IRPC :32768.409e-e6a0-0100, 0
RootPort ID :0.0
BPDU-Protection : Disabled
Bridge Config-
Digest-Snooping : Disabled
TC or TCN received :4
Time since last TC :0 days 0h:14m:13s
sw4
[sw4]dis stp
-------[CIST Global Info][Mode STP]-------
Bridge ID :32768.409f-0322-0400
Bridge times: Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
Root ID/ERPC :32768.409e-e6a0-0100, 40#根为sw1
RegRoot ID/IRPC :32768.409f-0322-0400, 0
RootPort ID :128.2
BPDU-Protection : Disabled
Bridge Config-
Digest-Snooping : Disabled
TC or TCN received :20
Time since last TC :0 days 0h:15m:13s
##再看交换机端口状态
sw1
[sw1]dis stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE #两个端口都为DP,因为他们里根端口最近0 GigabitEthernet1/0/3 DESI FORWARDING NONE
sw2
[sw2]dis stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE #1/0/1为DP0 GigabitEthernet1/0/2 ROOT FORWARDING NONE #1/0/2为RP
sw3
[sw3]dis stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
0 GigabitEthernet1/0/2 ROOT FORWARDING NONE
sw4
[sw4]dis stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE #1/0/2为闭塞端口
2.使sw4位根网桥
[sw4]stp priority 4096#设置stp优先级[sw4]dis stp
-------[CIST Global Info][Mode STP]-------
Bridge ID :4096.409f-0322-0400
Bridge times: Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
Root ID/ERPC :4096.409f-0322-0400, 0#根网桥马上就是自己了
RegRoot ID/IRPC :4096.409f-0322-0400, 0
RootPort ID :0.0
BPDU-Protection : Disabled
Bridge Config-
Digest-Snooping : Disabled
TC or TCN received :20
Time since last TC :0 days 0h:21m:10s
3.让闭塞端口在sw2上
#先查看闭塞端口在哪[sw1]dis stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 ALTE DISCARDING NONE #可以看到AP在sw1上0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
[sw2-GigabitEthernet1/0/1]stp cost 99999#进入接口,设置stp接口开销[sw2-GigabitEthernet1/0/1]quit
[sw2]dis stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 ALTE DISCARDING NONE #AP到sw2上去了0 GigabitEthernet1/0/2 ROOT FORWARDING NONE
4.把与终端相连的接口都设置为边缘端口
[sw1-GigabitEthernet1/0/2]stp edged-port #进入接口,设置边缘端口
Edge port should only be connected to terminal. It will cause temporary loops if port GigabitEthernet1/0/2 is connected to bridges. Please use it carefully.
[sw1-GigabitEthernet1/0/2]int g1/0/4
[sw1-GigabitEthernet1/0/4]stp edged-port
总结:stp应用于计算机网络中树形拓扑结构]建立,主要作用是防止网桥网络中的冗余链路形成环路工作。
交换机安全端口
实验拓扑
实验需求
- 按照图示配置IP地址
- 在SW1所有连接PC的接口上配置开启802.1X验证,使接入的终端需要进行身份验证
- 创建一个用户身份验证的用户。用户名为
zhoudaye
,密码为123456
- 创建一个端口隔离组,实现三台PC无法互相访问
实验步骤
1.配置ip地址
pc1:192.168.1.1
pc2:192.168.1.2
pc3:192.168.1.3
2.开启dot1x.802.1x
sw1
[sw1]dot1x #全局开启认证[sw1]int g1/0/1
[sw1-GigabitEthernet1/0/1]dot1x #接口里开启认证[sw1-GigabitEthernet1/0/1]int g1/0/2
[sw1-GigabitEthernet1/0/2]dot1x #每个接口都要开启[sw1-GigabitEthernet1/0/2]int g1/0/3
[sw1-GigabitEthernet1/0/3]dot1x
3.创建用户
[sw1]local-user zhoudaye class ?
manage Device management user
network Network access user
[sw1]local-user zhoudaye class network #这里用户类型必须设置为network,且service-type也必须设置为lan-access,否则无法使用802.1x认证
New local user added.
[sw1-luser-network-zhoudaye]password simple 123456[sw1-luser-network-zhoudaye]service-type lan
[sw1-luser-network-zhoudaye]service-type ?
advpn ADVPN service
ike IKE service
ipoe IPOE service
lan-access LAN access service
portal Portal service
ppp PPP service
sslvpn SSL VPN service[sw1-luser-network-zhoudaye]service-type lan-access
4.创建交换机端口隔离组、
##分析:端口隔离组用于同vlan内部的端口隔离,属于同一个隔离组的接口无法互相访问,不同隔离组的接口才可以互相访问,所以需要把SW1的三个接口都加入到同一个隔离组##[sw1]port-isolate group 1#在sw1上创建一个编号1的组[sw1]int g1/0/1
[sw1-GigabitEthernet1/0/1]port-isolate ?
enable Add a port to the port isolation group
[sw1-GigabitEthernet1/0/1]port-isolate enable group ?
INTEGER<1-8> Port isolation group ID
[sw1-GigabitEthernet1/0/1]port-isolate enable group 1[sw1-GigabitEthernet1/0/1]int g1/0/2
[sw1-GigabitEthernet1/0/2]port-isolate enable group 1[sw1-GigabitEthernet1/0/2]int g1/0/3
[sw1-GigabitEthernet1/0/3]port-isolate enable group 1
端口链路聚合
实验拓扑
实验步骤
- 按照图示配置PC3和PC4的IP地址
- 在SW1和SW2的两条直连链路上配置链路聚合,实现链路冗余,并可以增加传输带宽
- SW1和SW2之间的直连链路要配置为Trunk类型,允许所有vlan通过
- 中断SW1和SW2之间的一条直连链路,测试PC3和PC4是否仍然能够继续访问
1.配置ip
pc3:192.168.1.1
pc4:192.168.1.2
2.创建链路聚合
sw1
[sw1]interface Bridge-Aggregation 1#创建一个链路聚合组[sw1-Bridge-Aggregation1]int g1/0/2 #进入接口加入聚合组[sw1-GigabitEthernet1/0/2]port link-aggregation group 1[sw1-GigabitEthernet1/0/2]int g1/0/3
[sw1-GigabitEthernet1/0/3]port link-aggregation group 1[sw1-GigabitEthernet1/0/3]quit
sw2
[sw2]int g1/0/1
[sw2-GigabitEthernet1/0/1]port link-aggregation group 1[sw2-GigabitEthernet1/0/1]int g1/0/2
[sw2-GigabitEthernet1/0/2]port link-aggregation group 1[sw2-GigabitEthernet1/0/2]quit
sw1 #查看链路聚合组[sw1]dis link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port: A -- Auto
Port Status: S -- Selected, U -- Unselected, I -- Individual
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
GE1/0/2 S 327681
GE1/0/3 S 327681
sw2
[sw2]dis link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port: A -- Auto
Port Status: S -- Selected, U -- Unselected, I -- Individual
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
GE1/0/1 S 327681
GE1/0/2 S 327681
3.sw1与sw2直连配置trunk
sw1
[sw1]int Bridge-Aggregation 1#进入链路聚合组[sw1-Bridge-Aggregation1]port link-type trunk #设置trunk口
Configuring GigabitEthernet1/0/2 done.
Configuring GigabitEthernet1/0/3 done.
[sw1-Bridge-Aggregation1]port trunk
[sw1-Bridge-Aggregation1]port trunk permit vlan all #允许vlan通过
Configuring GigabitEthernet1/0/2 done.
Configuring GigabitEthernet1/0/3 done.
[sw1-Bridge-Aggregation1]##SW2上命令与SW1上完全一致
sw2
[sw2]int Bridge-Aggregation 1[sw2-Bridge-Aggregation1]port link-type trunk
Configuring GigabitEthernet1/0/1 done.
Configuring GigabitEthernet1/0/2 done.
[sw2-Bridge-Aggregation1]port trunk permit vlan all
Configuring GigabitEthernet1/0/1 done.
Configuring GigabitEthernet1/0/2 done.
[sw2-Bridge-Aggregation1]
实验效果
当链路断掉时
[sw1]int g1/0/2
[sw1-GigabitEthernet1/0/2]shutdown
还是可以通讯
Configuring GigabitEthernet1/0/2 done.
[sw2-Bridge-Aggregation1]port trunk permit vlan all
Configuring GigabitEthernet1/0/1 done.
Configuring GigabitEthernet1/0/2 done.
[sw2-Bridge-Aggregation1]
---
实验效果
[外链图片转存中...(img-pGyvJU0P-1658582068948)]
当链路断掉时
~~~shell
[sw1]int g1/0/2
[sw1-GigabitEthernet1/0/2]shutdown
还是可以通讯
[外链图片转存中…(img-ZlGvDjHp-1658582068949)]
总结:端口链路聚合可以实现链路负载平衡。避免链路出现拥塞现象。
版权归原作者 讨厌学习 所有, 如有侵权,请联系我们删除。