

H3C: STP, link aggregation and port security

STP

Lab topology

(topology diagram omitted)


Lab requirements

  1. Power on all devices, wait for STP to converge and observe the STP state
  2. Make SW4 the root bridge
  3. Make the blocked port appear on SW2
  4. Configure the ports on SW1 that connect to PCs as edge ports

Lab steps:

1. Enable STP           #the switches run MSTP by default
SW1
[sw1]stp mode stp   #manually change the mode to STP

sw2
[sw2]stp mode stp

sw3
[sw3]stp mode stp

sw4
[sw4]stp mode stp

sw1
[sw1]dis int GigabitEthernet 1/0/4                 #view the interface
GigabitEthernet1/0/4
Current state: DOWN
Line protocol state: DOWN
IP packet frame type: Ethernet II, hardware address: 409e-e6a0-0100             #this switch's own MAC address
Description: GigabitEthernet1/0/4 Interface
Bandwidth: 1000000 kbps

##After checking the MAC address of every switch (all priorities are still the default), the ranking is sw4<sw3<sw2<sw1, ##so sw1 is the root bridge, and sw4 will end up with a blocked port (AP).

Observe the STP state
sw1
[sw1]dis stp
-------[CIST Global Info][Mode STP]-------
 Bridge ID           :32768.409e-e6a0-0100
 Bridge times: Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
 Root ID/ERPC        :32768.409e-e6a0-0100, 0      #the root is this switch itself
 RegRoot ID/IRPC     :32768.409e-e6a0-0100, 0
 RootPort ID         :0.0
 BPDU-Protection     : Disabled
 Bridge Config-
 Digest-Snooping     : Disabled
 TC or TCN received  :4
 Time since last TC  :0 days 0h:14m:13s

sw4
[sw4]dis stp
-------[CIST Global Info][Mode STP]-------
 Bridge ID           :32768.409f-0322-0400
 Bridge times: Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
 Root ID/ERPC        :32768.409e-e6a0-0100, 40      #the root is sw1
 RegRoot ID/IRPC     :32768.409f-0322-0400, 0
 RootPort ID         :128.2
 BPDU-Protection     : Disabled
 Bridge Config-
 Digest-Snooping     : Disabled
 TC or TCN received  :20
 Time since last TC  :0 days 0h:15m:13s


##Now look at the port states on each switch
sw1
[sw1]dis stp brief
 MST ID   Port                                Role  STP State   Protection
 0        GigabitEthernet1/0/1                DESI  FORWARDING  NONE       #both ports are DP, because they are closest to the root
 0        GigabitEthernet1/0/3                DESI  FORWARDING  NONE

sw2
[sw2]dis stp brief
 MST ID   Port                                Role  STP State   Protection
 0        GigabitEthernet1/0/1                DESI  FORWARDING  NONE       #1/0/1 is the DP
 0        GigabitEthernet1/0/2                ROOT  FORWARDING  NONE       #1/0/2 is the RP

sw3
[sw3]dis stp brief
 MST ID   Port                                Role  STP State   Protection
 0        GigabitEthernet1/0/1                DESI  FORWARDING  NONE
 0        GigabitEthernet1/0/2                ROOT  FORWARDING  NONE

sw4
[sw4]dis stp brief
 MST ID   Port                                Role  STP State   Protection
 0        GigabitEthernet1/0/1                ROOT  FORWARDING  NONE
 0        GigabitEthernet1/0/2                ALTE  DISCARDING  NONE            #1/0/2 is the blocked port

2. Make sw4 the root bridge
[sw4]stp priority 4096      #set the STP bridge priority
[sw4]dis stp
-------[CIST Global Info][Mode STP]-------
 Bridge ID           :4096.409f-0322-0400
 Bridge times: Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
 Root ID/ERPC        :4096.409f-0322-0400, 0      #the root bridge is now sw4 itself
 RegRoot ID/IRPC     :4096.409f-0322-0400, 0
 RootPort ID         :0.0
 BPDU-Protection     : Disabled
 Bridge Config-
 Digest-Snooping     : Disabled
 TC or TCN received  :20
 Time since last TC  :0 days 0h:21m:10s

3. Put the blocked port on sw2
#first check where the blocked port currently is
[sw1]dis stp brief
 MST ID   Port                                Role  STP State   Protection
 0        GigabitEthernet1/0/1                ALTE  DISCARDING  NONE           #the AP is currently on sw1
 0        GigabitEthernet1/0/3                ROOT  FORWARDING  NONE

[sw2]int g1/0/1
[sw2-GigabitEthernet1/0/1]stp cost 99999      #enter the interface and set the STP port path cost
[sw2-GigabitEthernet1/0/1]quit
[sw2]dis stp brief
 MST ID   Port                                Role  STP State   Protection
 0        GigabitEthernet1/0/1                ALTE  DISCARDING  NONE           #the AP has moved to sw2
 0        GigabitEthernet1/0/2                ROOT  FORWARDING  NONE

4. Configure every interface that connects to a terminal as an edge port
[sw1]int g1/0/2
[sw1-GigabitEthernet1/0/2]stp edged-port              #enter the interface and set it as an edge port
Edge port should only be connected to terminal. It will cause temporary loops if port GigabitEthernet1/0/2 is connected to bridges. Please use it carefully.
[sw1-GigabitEthernet1/0/2]int g1/0/4
[sw1-GigabitEthernet1/0/4]stp edged-port

Summary: STP is used to build a tree topology in a computer network; its main job is to prevent the redundant links in a bridged network from forming loops.
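The rules the three STP steps above rely on (lowest bridge ID wins the root election, root path cost accumulates on the port that receives the BPDU, equal-cost ties are broken by the sender's bridge ID, and the losing end of a segment becomes the alternate port) can be checked with a small model. The following Python is an added example, not code from the original post. The cabling between the four switches is an assumption reconstructed from the port roles shown above, and the MAC addresses of sw2 and sw3 are constructed; sw1 and sw4 use the MACs printed in the lab output. Running it reproduces the root bridge and port roles observed in each of the three steps.

```python
# Added example (not from the original post): STP root election and port-role
# computation for the four-switch ring in this lab.  Cabling is assumed; the
# MACs of sw2/sw3 are constructed, sw1/sw4 use the MACs from the lab output.
import heapq

DEFAULT_PRIORITY = 32768
GE_COST = 20   # per-hop cost implied by the lab (sw4 shows ERPC 40 two hops from sw1)


def bridge_id(priority, mac):
    """A bridge ID compares as (priority, MAC); the lowest value wins."""
    return (priority, int(mac.replace("-", ""), 16))


def port_index(port):
    """'GE1/0/3' -> 3; last tie-breaker when choosing a root port."""
    return int(port.rsplit("/", 1)[1])


def compute_stp(bridges, links, port_costs=None):
    """Return (root_name, roles).

    bridges:    {name: (priority, "xxxx-xxxx-xxxx")}
    links:      [((bridge, port), (bridge, port)), ...]   one entry per cable
    port_costs: {(bridge, port): cost} overrides of GE_COST ('stp cost')
    roles:      {(bridge, port): "ROOT" | "DESI" | "ALTE"}
    """
    port_costs = port_costs or {}
    bid = {name: bridge_id(*b) for name, b in bridges.items()}
    root = min(bid, key=bid.get)          # lowest bridge ID becomes the root

    peer = {}                             # local (bridge, port) -> remote (bridge, port)
    for a, b in links:
        peer[a], peer[b] = b, a
    ports_of = {name: [] for name in bridges}
    for bridge, port in peer:
        ports_of[bridge].append(port)

    def cost(bridge, port):
        return port_costs.get((bridge, port), GE_COST)

    # Root path cost (RPC): a bridge adds the cost of the port on which it
    # *receives* the BPDU, so the weight of the edge into bridge v is v's own
    # port cost.  Dijkstra from the root gives every bridge's best RPC.
    rpc = {name: float("inf") for name in bridges}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > rpc[u]:
            continue
        for p in ports_of[u]:
            v, vp = peer[(u, p)]
            if d + cost(v, vp) < rpc[v]:
                rpc[v] = d + cost(v, vp)
                heapq.heappush(heap, (rpc[v], v))

    roles = {}

    def root_port_key(name, p):
        nb, nport = peer[(name, p)]
        # lowest (RPC via this port, sender bridge ID, sender port ID) wins
        return (rpc[nb] + cost(name, p), bid[nb], port_index(nport))

    for name in bridges:
        if name == root:
            continue
        best = min(ports_of[name], key=lambda p: root_port_key(name, p))
        roles[(name, best)] = "ROOT"
    # Designated port: on each segment the end with the lower (RPC, bridge ID)
    # wins; the losing end, unless it is that bridge's root port, is ALTE.
    for a, b in links:
        desi, other = sorted((a, b), key=lambda end: (rpc[end[0]], bid[end[0]]))
        roles[desi] = "DESI"
        roles.setdefault(other, "ALTE")
    return root, roles


# Lab topology.  The cabling is an assumption consistent with the roles shown.
LAB_BRIDGES = {
    "sw1": (DEFAULT_PRIORITY, "409e-e6a0-0100"),   # MAC from the lab output
    "sw2": (DEFAULT_PRIORITY, "409e-e6a0-0200"),   # constructed
    "sw3": (DEFAULT_PRIORITY, "409e-e6a0-0300"),   # constructed
    "sw4": (DEFAULT_PRIORITY, "409f-0322-0400"),   # MAC from the lab output
}
LAB_LINKS = [
    (("sw1", "GE1/0/1"), ("sw3", "GE1/0/2")),
    (("sw1", "GE1/0/3"), ("sw2", "GE1/0/2")),
    (("sw2", "GE1/0/1"), ("sw4", "GE1/0/1")),
    (("sw3", "GE1/0/1"), ("sw4", "GE1/0/2")),
]


def step1_default():
    """Step 1: every switch at the default priority."""
    return compute_stp(LAB_BRIDGES, LAB_LINKS)


def step2_sw4_root():
    """Step 2: 'stp priority 4096' on sw4."""
    bridges = dict(LAB_BRIDGES)
    bridges["sw4"] = (4096, LAB_BRIDGES["sw4"][1])
    return compute_stp(bridges, LAB_LINKS)


def step3_cost_on_sw2():
    """Step 3: additionally 'stp cost 99999' on sw2 GE1/0/1."""
    bridges = dict(LAB_BRIDGES)
    bridges["sw4"] = (4096, LAB_BRIDGES["sw4"][1])
    return compute_stp(bridges, LAB_LINKS, {("sw2", "GE1/0/1"): 99999})


if __name__ == "__main__":
    for label, fn in (("step 1", step1_default), ("step 2", step2_sw4_root),
                      ("step 3", step3_cost_on_sw2)):
        root, roles = fn()
        print(f"{label}: root={root}")
        for (bridge, port), role in sorted(roles.items()):
            print(f"  {bridge} {port:<8} {role}")
```

Running the file prints the roles for each step; in every step exactly one port of the ring is ALTE, which is what STP must produce for a single redundant link. The 99999 cost in step 3 only changes what sw2 computes through GE1/0/1, because a bridge adds the cost of the port the BPDU arrives on, not any cost configured on the far end.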

Switch port security

Lab topology

(topology diagram omitted)


Lab requirements

  1. Configure the IP addresses as shown in the diagram
  2. Enable 802.1X authentication on every SW1 interface that connects to a PC, so that terminals must authenticate before they get access
  3. Create a user for authentication: username zhoudaye, password 123456
  4. Create a port isolation group so that the three PCs cannot reach each other

Lab steps

1. Configure IP addresses
pc1:192.168.1.1
pc2:192.168.1.2
pc3:192.168.1.3
2. Enable 802.1X (dot1x)
sw1
[sw1]dot1x      #enable authentication globally
[sw1]int g1/0/1
[sw1-GigabitEthernet1/0/1]dot1x           #enable authentication on the interface
[sw1-GigabitEthernet1/0/1]int g1/0/2
[sw1-GigabitEthernet1/0/2]dot1x           #every interface has to be enabled
[sw1-GigabitEthernet1/0/2]int g1/0/3
[sw1-GigabitEthernet1/0/3]dot1x
3. Create the user
[sw1]local-user zhoudaye class ?
  manage   Device management user
  network  Network access user

[sw1]local-user zhoudaye class network       #the user class must be network and the service-type must be lan-access, otherwise the account cannot be used for 802.1X authentication
New local user added.
[sw1-luser-network-zhoudaye]password simple 123456
[sw1-luser-network-zhoudaye]service-type lan
[sw1-luser-network-zhoudaye]service-type ?
  advpn       ADVPN service
  ike         IKE service
  ipoe        IPOE service
  lan-access  LAN access service
  portal      Portal service
  ppp         PPP service
  sslvpn      SSL VPN service
[sw1-luser-network-zhoudaye]service-type lan-access
4. Create a port isolation group on the switch
##Analysis: a port isolation group isolates ports within the same VLAN. Interfaces in the same isolation group cannot reach each other; only interfaces in different isolation groups can. So all three SW1 interfaces have to be added to the same isolation group.##
[sw1]port-isolate group 1      #create a group numbered 1 on sw1
[sw1]int g1/0/1
[sw1-GigabitEthernet1/0/1]port-isolate ?
  enable  Add a port to the port isolation group

[sw1-GigabitEthernet1/0/1]port-isolate enable group ?
  INTEGER<1-8>  Port isolation group ID

[sw1-GigabitEthernet1/0/1]port-isolate enable group 1
[sw1-GigabitEthernet1/0/1]int g1/0/2
[sw1-GigabitEthernet1/0/2]port-isolate enable group 1
[sw1-GigabitEthernet1/0/2]int g1/0/3
[sw1-GigabitEthernet1/0/3]port-isolate enable group 1


Port link aggregation

Lab topology

(topology diagram omitted)


Lab steps

  1. Configure the IP addresses of PC3 and PC4 as shown in the diagram
  2. Configure link aggregation on the two direct links between SW1 and SW2, providing link redundancy and extra bandwidth
  3. Configure the direct links between SW1 and SW2 as trunk ports that permit all VLANs
  4. Break one of the direct links between SW1 and SW2 and test whether PC3 and PC4 can still reach each other

1. Configure IP addresses
pc3:192.168.1.1
pc4:192.168.1.2
2. Create the link aggregation
sw1
[sw1]interface Bridge-Aggregation 1      #create a link aggregation group
[sw1-Bridge-Aggregation1]int g1/0/2                     #enter the interface and add it to the aggregation group
[sw1-GigabitEthernet1/0/2]port link-aggregation group 1
[sw1-GigabitEthernet1/0/2]int g1/0/3
[sw1-GigabitEthernet1/0/3]port link-aggregation group 1
[sw1-GigabitEthernet1/0/3]quit

sw2
[sw2]int g1/0/1
[sw2-GigabitEthernet1/0/1]port link-aggregation group 1
[sw2-GigabitEthernet1/0/1]int g1/0/2
[sw2-GigabitEthernet1/0/2]port link-aggregation group 1
[sw2-GigabitEthernet1/0/2]quit

sw1
[sw1]dis link-aggregation verbose      #view the link aggregation group
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing 
Port: A -- Auto
Port Status: S -- Selected, U -- Unselected, I -- Individual 
Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation, 
        D -- Synchronization, E -- Collecting, F -- Distributing,  
        G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
  Port             Status  Priority Oper-Key
--------------------------------------------------------------------------------
  GE1/0/2          S       32768    1
  GE1/0/3          S       32768    1


sw2
[sw2]dis link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing 
Port: A -- Auto
Port Status: S -- Selected, U -- Unselected, I -- Individual 
Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation, 
        D -- Synchronization, E -- Collecting, F -- Distributing,  
        G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
  Port             Status  Priority Oper-Key
--------------------------------------------------------------------------------
  GE1/0/1          S       32768    1
  GE1/0/2          S       32768    1
3. Configure the sw1-sw2 direct links as trunk
sw1
[sw1]int Bridge-Aggregation 1      #enter the link aggregation group
[sw1-Bridge-Aggregation1]port link-type trunk       #set the port type to trunk
Configuring GigabitEthernet1/0/2 done.
Configuring GigabitEthernet1/0/3 done.
[sw1-Bridge-Aggregation1]port trunk
[sw1-Bridge-Aggregation1]port trunk permit vlan all      #permit all VLANs
Configuring GigabitEthernet1/0/2 done.
Configuring GigabitEthernet1/0/3 done.
[sw1-Bridge-Aggregation1]      ##the commands on SW2 are exactly the same as on SW1
sw2
[sw2]int Bridge-Aggregation 1
[sw2-Bridge-Aggregation1]port link-type trunk
Configuring GigabitEthernet1/0/1 done.
Configuring GigabitEthernet1/0/2 done.
[sw2-Bridge-Aggregation1]port trunk permit vlan all
Configuring GigabitEthernet1/0/1 done.
Configuring GigabitEthernet1/0/2 done.
[sw2-Bridge-Aggregation1]

Lab result

(ping screenshot omitted)

When one link goes down

[sw1]int g1/0/2
[sw1-GigabitEthernet1/0/2]shutdown

communication still works

(ping screenshot omitted)
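The failover test above works because the aggregation keeps forwarding over whichever member ports are still selected, and the bandwidth claim in the requirements holds because an aggregate's capacity is the sum of its selected members. The following Python is an added example, not code from the original post or from H3C; it models a static Bridge-Aggregation with two member ports, spreads frames across them by a constructed XOR-of-last-octet hash (the real Comware load-sharing algorithm is not shown on this page), and then shuts down GE1/0/2 as the lab does. The PC MAC addresses and the extra hosts are constructed sample data.

```python
# Added example (not from the original post): how a static aggregation group
# distributes flows over its selected members and fails over when a member
# is shut down.  The hash below is a constructed stand-in, not Comware's.
from dataclasses import dataclass, field


@dataclass
class BridgeAggregation:
    name: str
    members: list                       # member port names in configuration order
    port_bandwidth_kbps: int = 1_000_000
    down: set = field(default_factory=set)   # members that are 'shutdown'

    def selected(self):
        """Selected ports: members that are up, in configuration order."""
        return [p for p in self.members if p not in self.down]

    def bandwidth_kbps(self):
        """Aggregate bandwidth is the sum of the selected members."""
        return len(self.selected()) * self.port_bandwidth_kbps

    def shutdown(self, port):
        self.down.add(port)

    def undo_shutdown(self, port):
        self.down.discard(port)

    def select_port(self, src_mac, dst_mac):
        """Pick the member that carries frames of this src/dst flow.

        Hash key: XOR of the last octets of the two MACs (constructed),
        reduced modulo the number of selected ports.  One flow therefore
        always stays on one member (no reordering) while different flows
        spread across members.  Returns None when no member is selected,
        i.e. when the whole aggregation is down.
        """
        ports = self.selected()
        if not ports:
            return None
        key = int(src_mac[-2:], 16) ^ int(dst_mac[-2:], 16)
        return ports[key % len(ports)]


def distribute(agg, flows):
    """Map each (src, dst) flow to the member port that carries it."""
    return {flow: agg.select_port(*flow) for flow in flows}


# Constructed sample flows: PC3/PC4 stand for the lab hosts, the other two
# MACs are made-up hosts on the same VLAN to show the spread across members.
PC3, PC4 = "0000-5e00-5303", "0000-5e00-5304"
FLOWS = [
    (PC3, PC4), (PC4, PC3),                       # the lab's ping, both directions
    ("0000-5e00-5301", PC4), ("0000-5e00-5302", PC4),
]


def failover_demo():
    """Reproduce the lab: both links up, then 'shutdown' on sw1 GE1/0/2."""
    agg = BridgeAggregation("Bridge-Aggregation1", ["GE1/0/2", "GE1/0/3"])
    before = distribute(agg, FLOWS)
    agg.shutdown("GE1/0/2")
    after = distribute(agg, FLOWS)
    return before, after, agg.bandwidth_kbps()


if __name__ == "__main__":
    before, after, bw = failover_demo()
    print("both members up:", before)
    print("GE1/0/2 shut down:", after)
    print("remaining bandwidth (kbps):", bw)
```

With both members up the PC3/PC4 flow maps to GE1/0/3 in both directions and one of the extra flows lands on GE1/0/2; after the shutdown every flow is carried by GE1/0/3 alone, so the ping keeps working but the aggregate drops from 2 Gbit/s to 1 Gbit/s, which is the redundancy/bandwidth trade the requirements describe.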


Summary: port link aggregation provides link load balancing and avoids congestion on a single link.


This article is reposted from: https://blog.csdn.net/weixin_58659466/article/details/125952864
Copyright belongs to the original author 讨厌学习; in case of infringement, please contact us for removal.
