
Switch Experiments: Port Security, Switch Port Isolation and Cross-Switch VLANs (switch port security experiment)

Switch port security experiment

Computer Networks Lab Report

Experiment 6: Port Security

  1. Topology
  2. Steps
  3. Detailed procedure and screenshots

Experiment 7: Switch Port Isolation

  1. Topology
  2. Steps
  3. Procedure
  4. Result screenshots

Switch 2 lab report

  1. Topology
  2. Steps
  3. Result screenshots

Experiment 8: Cross-Switch VLAN

  1. Topology
  2. Steps
  3. Result screenshots

Experiment 6: Port Security

1. Topology:

2. Steps:

Switch# configure terminal                        // Enter global configuration mode.

Switch(config)# interface FastEthernet 0/3            // Enter interface configuration mode.

Switch(config-if)# switchport mode access          // Set the interface to access mode; this step can be skipped if the interface is already in access mode.

Switch(config-if)# switchport port-security           // Enable port security on this interface.

Switch(config-if)# switchport port-security maximum 3   // Set the maximum number of secure addresses on the interface to 3 (range 1-128).

Switch(config-if)# switchport port-security violation protect   // Set the violation handling mode to protect.

Switch(config-if)# end

Switch#show port-security                      // Display statistics for all secure ports, including the maximum number of secure addresses, the current number of secure addresses and the violation handling mode.

Use the interface configuration command switchport port-security mac-address mac-address [ip-address ip-address] to configure all of a port's secure addresses manually.

In interface configuration mode, use no switchport port-security to disable port security on an interface, no switchport port-security maximum to restore the default maximum number of addresses, and no switchport port-security violation to restore the default violation handling mode.

If a port is configured as a secure port and its number of secure addresses has reached the allowed maximum, a security violation occurs when the port receives a frame whose source address is not one of the port's secure addresses. The following modes can be set for handling a violation:

  1. protect: once the secure address table is full, the secure port drops any frame whose source address is not one of the port's secure addresses.
  2. restrict: when a violation occurs, a Trap notification is sent to the administrator.
  3. shutdown: when a violation occurs, the port is shut down and a Trap notification is sent.

For stronger security, a MAC address can be bound to an IP address as the secure address. A MAC address can also be specified on its own without binding an IP address.
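To make the three violation modes concrete, the following Python model of a secure port is added here; it is not code from the lab or from Cisco IOS. It assumes a simplified port: a table of secure addresses bounded by the configured maximum, unknown source addresses learned into that table while there is room, and a full-table violation handled as protect (silent drop, counter untouched), restrict (drop, counter and notification) or shutdown (drop, counter, notification and port disabled). The first three MAC addresses in the scenario are the ones from the transcript below, the fourth is constructed, and the notification text is a constructed line modelled on the IOS syslog format.

```python
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    """Simplified model of one switch port with port security enabled."""
    name: str
    maximum: int = 1                    # IOS default is 1; the lab sets 3
    violation: str = PROTECT            # IOS default is shutdown; the lab sets protect
    secure_macs: dict = field(default_factory=dict)   # mac -> "static" | "dynamic"
    violations: int = 0                 # the SecurityViolation (Count) column
    err_disabled: bool = False          # set by the shutdown mode
    log: list = field(default_factory=list)

    @staticmethod
    def normalize(mac: str) -> str:
        # IOS echoes addresses in lower case, as the transcript shows
        return mac.lower()

    def add_static(self, mac: str) -> bool:
        """switchport port-security mac-address <mac>: a manually configured secure address."""
        mac = self.normalize(mac)
        if mac in self.secure_macs:
            self.log.append(f"Found duplicate mac-address {mac}.")
            return False
        if len(self.secure_macs) >= self.maximum:
            self.log.append(f"Total secure mac-addresses on interface {self.name} "
                            "has reached maximum limit.")
            return False
        self.secure_macs[mac] = "static"
        return True

    def ingress(self, src_mac: str) -> bool:
        """Handle a frame arriving with source src_mac; True if it is forwarded."""
        if self.err_disabled:
            return False                # a shut-down port forwards nothing
        mac = self.normalize(src_mac)
        if mac in self.secure_macs:
            return True                 # known secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs[mac] = "dynamic"   # room left: learn it as a secure address
            return True
        # Table full and the source is unknown: this is a security violation.
        if self.violation == PROTECT:
            return False                # silently dropped, counter untouched
        self.violations += 1
        # constructed notification, modelled on the IOS syslog format (not an exact message)
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: violation on {self.name} "
                        f"caused by MAC {mac}")
        if self.violation == SHUTDOWN:
            self.err_disabled = True    # port goes err-disabled
        return False

    def status(self) -> tuple:
        """One row of 'show port-security'."""
        return (self.name, self.maximum, len(self.secure_macs),
                self.violations, self.violation.capitalize())


def lab_scenario() -> dict:
    """Replays the lab: Fa0/3 with maximum 3 and protect, four hosts behind it."""
    port = SecurePort("FastEthernet0/3", maximum=3, violation=PROTECT)
    hosts = {                           # first three from the transcript, PC4 constructed
        "PC1": "0002.4A72.E492", "PC2": "00D0.D387.21D3",
        "PC3": "00D0.BA12.52C3", "PC4": "0001.42AB.7C01",
    }
    forwarded = {pc: port.ingress(mac) for pc, mac in hosts.items()}
    forwarded["status"] = port.status()
    return forwarded
```

In protect mode the fourth host is dropped without any trace in the SecurityViolation column, which is exactly why the lab's show port-security output stays at 0 even though PC3 cannot communicate; restrict is the mode that leaves a counter and a notification for the operator to detect the event.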

3. Detailed procedure and screenshots:

Switch>enable

Global configuration

Switch#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Interface configuration

Switch(config)#interface Fastether 0/3

Set the interface to access mode

Switch(config-if)#switchport mode access

Enable port security on the interface (secure addresses)

Switch(config-if)#switchport port-security

Set the maximum number of secure addresses

Switch(config-if)#switchport port-security maximum 3

Set the violation handling mode

Switch(config-if)#switchport port-security violation protect

Switch(config-if)#end

Switch#

%SYS-5-CONFIG_I: Configured from console by console

Display statistics for all secure ports, including the maximum number of secure addresses, the current number of secure addresses and the violation handling mode.

show port-security

Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action

               (Count)       (Count)        (Count)

--------------------------------------------------------------------

        Fa0/3        3          1                 0          Protect

----------------------------------------------------------------------

After the pings have gone through:

Switch#show port-security

Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action

               (Count)       (Count)        (Count)

--------------------------------------------------------------------

        Fa0/3        3          3                 0          Protect

----------------------------------------------------------------------

At this point PC0 can communicate with PC1 and PC2, but not with PC3.

Disable port security on the interface:

Switch#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#interface fastethernet 0/3

Switch(config-if)#no switchport port-security

Switch(config-if)#end

Switch#

%SYS-5-CONFIG_I: Configured from console by console

Display statistics for all secure ports (port security is now disabled, so nothing is listed)

show port-security

Now PC0 can communicate with PC1, PC2 and PC3.

Configure the secure port with specific MAC addresses, so that those addresses can communicate with each other while other hosts behind the secure port can no longer communicate once the secure address limit is reached.

Switch#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#interface fastethernet 0/3

Switch(config-if)#switch port-security

Switch(config-if)#switchport port-security maximum 3

Switch(config-if)#switchport port-security violation protect

Switch(config-if)#switchport port-security mac-address 0002.4A72.E492

Found duplicate mac-address 0002.4a72.e492.

Switch(config-if)#switchport port-security mac-address 00D0.D387.21D3

Found duplicate mac-address 00d0.d387.21d3.

Switch(config-if)#switchport port-security mac-address 00D0.BA12.52C3

Total secure mac-addresses on interface FastEthernet0/3 has reached maximum limit.

Switch(config-if)#end

Switch#

%SYS-5-CONFIG_I: Configured from console by console

show port-security

Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action

               (Count)       (Count)        (Count)

--------------------------------------------------------------------

        Fa0/3        3          2                 0          Protect

----------------------------------------------------------------------

Switch#

At this point PC0 can communicate with PC1 and PC2, but not with PC3.

Experiment 7: Switch Port Isolation

1. Topology:

2. Steps:

Create the VLANs:

Switch# configure terminal

Switch(config)# vlan 10 ! Create VLAN 10

Switch(config-vlan)# name test10 ! Name VLAN 10 "test10"

Switch(config)# vlan 20 ! Create VLAN 20

Switch(config-vlan)# name test20 ! Name VLAN 20 "test20"

Verification:

Switch# show vlan ! Display the configured VLAN information

Assign the interfaces to the VLANs:

Switch# configure terminal

Switch(config)# interface fastethernet0/5

Switch(config-if)# switchport access vlan 10 ! Add interface fastethernet 0/5 to VLAN 10

Switch(config)# interface fastethernet0/15

Switch(config-if)# switchport access vlan 20 ! Add interface fastethernet 0/15 to VLAN 20

3. Procedure:

Create PC1 and PC2 and configure their IP addresses. Connected to the same switch they can ping each other (all ports are still in the default VLAN 1 at this point):

Switch>enable

Switch#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Enter global configuration, create the VLANs and set their names:

Switch(config)#vlan 10

Switch(config-vlan)#name test10

Switch(config-vlan)#vlan 20

Switch(config-vlan)#name test20

Switch(config-vlan)#end

Switch#

%SYS-5-CONFIG_I: Configured from console by console

The VLANs just created can be checked with the show vlan command:

show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
10   test10                           active
20   test20                           active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Switch#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Connect the interfaces to the VLANs:

Switch(config)#interface fastethernet0/1

Switch(config-if)#switchport access vlan 10

Switch(config-if)#interface fastethernet0/2

Switch(config-if)#switchport access vlan 20

Switch(config-if)#end

Switch#

%SYS-5-CONFIG_I: Configured from console by console

Check the VLAN interface information again (the VLANs just created are now attached to their interfaces):

show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   test10                           active    Fa0/1
20   test20                           active    Fa0/2
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

After this configuration PC1 is attached to VLAN 10 and PC2 to VLAN 20, and a ping between PC1 and PC2 now fails:

Switch#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Enter interface configuration and detach the port from VLAN 10:

Switch(config)#interface fastethernet0/1

Switch(config-if)#no switch access vlan 10

Switch(config-if)#exit

Enter global configuration and delete VLAN 10:

Switch(config)#no vlan 10

Checking the ping between PC1 and PC2 again, it still fails (PC1 is back in the default VLAN 1, while PC2 is still attached to VLAN 20):

Switch(config)#end

Switch#

%SYS-5-CONFIG_I: Configured from console by console

configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Enter interface configuration, detach PC2's port from VLAN 20 and delete VLAN 20:

Switch(config)#interface fastethernet 0/2

Switch(config-if)#no switch access vlan 20

Switch(config-if)#exit

Switch(config)#no vlan 20

Switch(config)#end

Now neither PC1 nor PC2 is attached to a user-created VLAN; both are back in the default VLAN 1, so they can ping each other again:

4. Result screenshots:

See the procedure above.

Switch 2 lab report

1. Topology:

2. Steps:

Building on Experiment 7:

Switch#

%SYS-5-CONFIG_I: Configured from console by console

 

%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to up

 

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up

 

%LINK-5-CHANGED: Interface FastEthernet0/4, changed state to up

 

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up

configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

(Error message: "% Access VLAN does not exist. Creating vlan 20". Cause: VLAN 10 and VLAN 20 had not been created yet, so the switch created them when the ports were assigned:)

Switch(config)#interface fastethernet 0/5

Switch(config-if)#switchport access vlan 10

% Access VLAN does not exist. Creating vlan 10

Switch(config-if)#interface fastethernet 0/15

Switch(config-if)#switchport access vlan 20

% Access VLAN does not exist. Creating vlan 20

Switch(config-if)#exit

Create VLAN 10 and VLAN 20 (they were deleted in Experiment 7):

Switch(config)#vlan 10

Switch(config-vlan)#name test10

Switch(config-vlan)#exit

Switch(config)#vlan 20

Switch(config-vlan)#name test20

Switch(config-vlan)#exit

Connect the interfaces to the VLANs (PC1 and PC2 to VLAN 10, PC3 and PC4 to VLAN 20):

Switch(config)#interface fastether 0/1

Switch(config-if)#switchport access vlan 10

Switch(config-if)#exit

Switch(config)#interface fastethernet 0/2

Switch(config-if)#switchport access vlan 10

Switch(config-if)#exit

Switch(config)#interface fastethernet 0/3

Switch(config-if)#switchport access vlan 20

Switch(config-if)#interface fastethernet 0/4

Switch(config-if)#switchport access vlan 20

Switch(config-if)#exit

Switch(config)#

View the VLANs and test the result:

Switch#

%SYS-5-CONFIG_I: Configured from console by console

show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   test10                           active    Fa0/1, Fa0/2, Fa0/5
20   test20                           active    Fa0/3, Fa0/4, Fa0/15
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Switch#

3. Result screenshots:

PC0 can ping PC1 and PC2 can ping PC3, but PC0 cannot reach PC2 or PC3, and PC1 cannot reach PC2 or PC3.

Experiment 8: Cross-Switch VLAN

1. Topology:

2. Steps:

Switch0 (A):

On switch SwitchA, create VLAN 10 and assign port 0/5 to VLAN 10.

Switch>enable

Switch#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#vlan 10

Switch(config-vlan)#name sales

Switch(config-vlan)#exit

Switch(config)#interface fastethernet 0/5

Switch(config-if)#switchport access vlan 10

Switch(config-if)#end

Switch#

%SYS-5-CONFIG_I: Configured from console by console

show vlan id 10

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   sales                            active    Fa0/5

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
10   enet  100010     1500  -      -      -        -    -        0      0

On switch SwitchA, create VLAN 20 and assign port 0/15 to VLAN 20.

Switch#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#vlan 20

Switch(config-vlan)#name technical

Switch(config-vlan)#exit

Switch(config)#interface fastethernet 0/15

Switch(config-if)#switchport access vlan 20

Switch(config-if)#exit

Switch(config)#exit

Switch#

%SYS-5-CONFIG_I: Configured from console by console

show vlan id 20

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
20   technical                        active    Fa0/15

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
20   enet  100020     1500  -      -      -        -    -        0      0

Configure the port that connects SwitchA to SwitchB as a tagged-VLAN (trunk) port.

(By default a switch's trunk port carries all VLANs.)

Switch#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#interface fastethernet 0/24

Switch(config-if)#switchport mode trunk

 

Switch(config-if)#

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down

 

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up

exit

Switch(config)#end

Switch#

%SYS-5-CONFIG_I: Configured from console by console

show interfaces fastethernet 0/24 switchport

Name: Fa0/24

Switchport: Enabled

Administrative Mode: trunk

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none

Trunking VLANs Enabled: All

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none

Switch#
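The switchport output above is also what an operator checks a trunk against after configuring it. The following Python is an added example, not code from the lab or from Cisco: it parses the "show interfaces fastethernet 0/24 switchport" text shown above into key/value pairs and flags three settings that a trunk in production usually should not keep, namely DTP negotiation still on, the native VLAN left at the default 1, and every VLAN allowed across the link. The suggested remediation commands (switchport nonegotiate, switchport trunk native vlan, switchport trunk allowed vlan) are standard IOS interface commands; the native VLAN number in the suggestion is a placeholder, and the allowed-VLAN list uses the two VLANs of this lab.

```python
# Sample output copied from the lab transcript above (only the lines the
# checks use are reproduced here).
SAMPLE = """\
Name: Fa0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
"""


def parse_switchport(text: str) -> dict:
    """Turn the 'Key: value' lines into a dict; a line without a colon becomes a flag."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        info[key.strip()] = value.strip() if sep else True
    return info


def audit_trunk(info: dict) -> list:
    """Findings for a trunk port, each as (code, explanation, suggested command)."""
    findings = []
    if info.get("Operational Mode") != "trunk":
        return findings                     # the checks below only apply to trunks
    if info.get("Negotiation of Trunking") == "On":
        findings.append(("DTP_ON",
                         "DTP negotiation is still on for a manually configured trunk",
                         "switchport nonegotiate"))
    native = info.get("Trunking Native Mode VLAN", "").split()
    if native and native[0] == "1":
        findings.append(("NATIVE_VLAN_1",
                         "native VLAN is the default VLAN 1, which untagged traffic also uses",
                         "switchport trunk native vlan <unused-vlan>"))   # placeholder id
    if info.get("Trunking VLANs Enabled", "").lower() == "all":
        findings.append(("ALLOWED_ALL",
                         "the trunk carries every VLAN instead of only the ones needed",
                         "switchport trunk allowed vlan 10,20"))
    return findings


def audit_text(text: str) -> list:
    """Convenience wrapper: codes of all findings for one switchport output."""
    return [code for code, _, _ in audit_trunk(parse_switchport(text))]
```

Run against the output above, the audit reports all three findings for Fa0/24 on both switches, which is expected for a lab but is the list to work through before the same configuration is used outside of it.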

Switch1 (B):

Switch>enable

Switch#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#vlan 10

Switch(config-vlan)#name sales

Switch(config-vlan)#exit

Switch(config)#interface fastethernet 0/5

Switch(config-if)#switchport access vlan 10

Switch(config-if)#end

Switch#

%SYS-5-CONFIG_I: Configured from console by console

show vlan id 10

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   sales                            active    Fa0/5

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
10   enet  100010     1500  -      -      -        -    -        0      0

Configure the port that connects SwitchB to SwitchA as a tagged-VLAN (trunk) port.

Switch#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#interface fastethernet 0/24

Switch(config-if)#switchport mode trunk

Switch(config-if)#end

Switch#

%SYS-5-CONFIG_I: Configured from console by console

show interfaces fastethernet 0/24 switchport

Name: Fa0/24

Switchport: Enabled

Administrative Mode: trunk

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none

Trunking VLANs Enabled: All

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none

Switch#

With switch0 (A) and switch1 (B) configured, PC0 and PC2 can communicate (they are in the same VLAN), while PC1 and PC2 cannot.
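The reachability results of Experiment 7 (port isolation on one switch) and Experiment 8 (the same VLAN carried across two switches over a trunk) follow from one forwarding rule, which the following Python model demonstrates. It is an added example, not code from the lab or from Cisco, and it assumes simplified switches: an access port places a frame in its access VLAN, a trunk port carries every VLAN (the default noted in the steps above), a frame is delivered only to access ports in the same VLAN, and MAC learning and native-VLAN handling are not modelled, so reachability is computed by flooding within the VLAN. Switch names, port names and PC placements follow the lab; the cable between the two Fa0/24 ports is assumed from the topology.

```python
DEFAULT_VLAN = 1   # every port starts in VLAN 1, as the 'show vlan' output shows


class Switch:
    """Constructed model of a switch: access ports, trunk ports, no MAC learning."""

    def __init__(self, name, ports):
        self.name = name
        # port -> {"mode": "access" | "trunk", "vlan": access VLAN (None for trunks)}
        self.ports = {p: {"mode": "access", "vlan": DEFAULT_VLAN} for p in ports}
        self.vlans = {DEFAULT_VLAN}
        self.links = {}    # port -> (neighbour Switch, neighbour port)

    def create_vlan(self, vid):
        """vlan <id>"""
        self.vlans.add(vid)

    def access_vlan(self, port, vid):
        """switchport access vlan <id> (IOS creates a missing VLAN, as the transcript shows)."""
        self.vlans.add(vid)
        self.ports[port] = {"mode": "access", "vlan": vid}

    def no_access_vlan(self, port):
        """no switchport access vlan: the port returns to VLAN 1."""
        self.ports[port] = {"mode": "access", "vlan": DEFAULT_VLAN}

    def no_vlan(self, vid):
        """no vlan <id>: a port still assigned to the deleted VLAN forwards nothing."""
        self.vlans.discard(vid)

    def trunk(self, port):
        """switchport mode trunk: carries every VLAN."""
        self.ports[port] = {"mode": "trunk", "vlan": None}

    def flood(self, vid, in_port, visited):
        """Set of (switch, port) access ports that receive a VLAN-vid frame entering in_port."""
        out = set()
        if vid not in self.vlans:
            return out
        for port, cfg in self.ports.items():
            if port == in_port:
                continue
            if cfg["mode"] == "access" and cfg["vlan"] == vid:
                out.add((self.name, port))
            elif cfg["mode"] == "trunk" and port in self.links:
                nb, nb_port = self.links[port]
                # Simplified: the tagged frame is only accepted by a trunk on the far side.
                if nb.ports[nb_port]["mode"] == "trunk" and (nb.name, nb_port) not in visited:
                    visited.add((nb.name, nb_port))
                    out |= nb.flood(vid, nb_port, visited)
        return out


def link(a, pa, b, pb):
    """Cable between a:pa and b:pb."""
    a.links[pa] = (b, pb)
    b.links[pb] = (a, pa)


def reachable(sw, port):
    """Access ports (hosts) that a host on sw:port can reach at layer 2."""
    return sw.flood(sw.ports[port]["vlan"], port, {(sw.name, port)})


def experiment7():
    """Experiment 7 replayed: PC1 on Fa0/1, PC2 on Fa0/2; True where the ping succeeds."""
    sw = Switch("Switch", ["Fa0/1", "Fa0/2"])
    pc2 = ("Switch", "Fa0/2")
    result = [pc2 in reachable(sw, "Fa0/1")]            # both still in VLAN 1
    sw.create_vlan(10); sw.create_vlan(20)
    sw.access_vlan("Fa0/1", 10); sw.access_vlan("Fa0/2", 20)
    result.append(pc2 in reachable(sw, "Fa0/1"))        # VLAN 10 against VLAN 20
    sw.no_access_vlan("Fa0/1"); sw.no_vlan(10)
    result.append(pc2 in reachable(sw, "Fa0/1"))        # PC1 back in VLAN 1, PC2 still in 20
    sw.no_access_vlan("Fa0/2"); sw.no_vlan(20)
    result.append(pc2 in reachable(sw, "Fa0/1"))        # both back in VLAN 1
    return result


def experiment8():
    """Experiment 8 replayed: PC0 on A:Fa0/5 (VLAN 10), PC1 on A:Fa0/15 (VLAN 20),
    PC2 on B:Fa0/5 (VLAN 10); the Fa0/24 ports of A and B are cabled together."""
    a = Switch("SwitchA", ["Fa0/5", "Fa0/15", "Fa0/24"])
    b = Switch("SwitchB", ["Fa0/5", "Fa0/24"])
    a.access_vlan("Fa0/5", 10); a.access_vlan("Fa0/15", 20); b.access_vlan("Fa0/5", 10)
    link(a, "Fa0/24", b, "Fa0/24")
    before = reachable(a, "Fa0/5")        # Fa0/24 is still an access port in VLAN 1
    a.trunk("Fa0/24"); b.trunk("Fa0/24")
    return {"PC0 before trunk": before,
            "PC0": reachable(a, "Fa0/5"),
            "PC1": reachable(a, "Fa0/15")}
```

The model reproduces the lab's observations: on one switch the two PCs can reach each other only while their ports share a VLAN, and across the two switches PC0 reaches PC2 only once both Fa0/24 ports are trunks, while PC1 in VLAN 20 reaches nobody because no other port on either switch is in VLAN 20.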

3. Result screenshots: