Switch# configure terminal //Enter global configuration mode.
Switch(config)# interface FastEthernet 0/3 //Enter interface configuration mode.
Switch(config-if)# switchport mode access //Set the interface to access mode. If the interface is already in access mode, this step can be omitted.
Switch(config-if)# switchport port-security //Enable port security on this interface.
Switch(config-if)# switchport port-security maximum 3
//Set the maximum number of secure addresses on the interface to 3; the valid range is 1-128.
Switch(config-if)# switchport port-security violation protect
//Set the violation handling mode to protect.
Switch(config-if)# end
Switch#show port-security //Display statistics for all secure ports, including the maximum number of secure addresses, the current number of secure addresses and the violation handling mode.
Use the interface-configuration command switchport port-security mac-address mac-address [ip-address ip-address] to configure all of a port's secure addresses by hand.
In interface configuration mode, use no switchport port-security to disable port security on an interface. Use no switchport port-security maximum to restore the default maximum count. Use no switchport port-security violation to restore the default violation handling mode.
If a port has been configured as a secure port, then once the number of its secure addresses has reached the allowed maximum, a security violation occurs whenever the port receives a frame whose source address is not one of the port's secure addresses. When a violation occurs, it is handled according to one of the following violation handling modes:
For stronger security, bind a MAC address together with an IP address as the secure address. You can also specify only the MAC address without binding an IP address.
Switch>enable
Global configuration
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Interface configuration
Switch(config)#interface Fastether 0/3
Set the interface to access mode
Switch(config-if)#switchport mode access
Enable port security on the interface
Switch(config-if)#switchport port-security
Set the maximum number of secure addresses
Switch(config-if)#switchport port-security maximum 3
Set the violation handling mode
Switch(config-if)#switchport port-security violation protect
Switch(config-if)#end
Switch#
%SYS-5-CONFIG_I: Configured from console by console
Display statistics for all secure ports, including the maximum number of secure addresses, the current number of secure addresses and the violation handling mode.
show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/3              3            1                  0         Protect
---------------------------------------------------------------------------
After the pings have gone through:
Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/3              3            3                  0         Protect
---------------------------------------------------------------------------
At this point PC0 can communicate with PC1 and PC2, but not with PC3.
Disable port security on the interface:
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fastethernet 0/3
Switch(config-if)#no switchport port-security
Switch(config-if)#end
Switch#
%SYS-5-CONFIG_I: Configured from console by console
Display statistics for all secure ports (port security has been disabled, so nothing is listed)
show port-security
Now PC0 can communicate with PC1, PC2 and PC3.
Configure a secure port and specify the MAC addresses explicitly, so that the listed addresses can communicate with each other while any other host on the secure port can no longer communicate once the secure-address count has reached its limit.
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fastethernet 0/3
Switch(config-if)#switch port-security
Switch(config-if)#switchport port-security maximum 3
Switch(config-if)#switchport port-security violation protect
Switch(config-if)#switchport port-security mac-address 0002.4A72.E492
Found duplicate mac-address 0002.4a72.e492.
Switch(config-if)#switchport port-security mac-address 00D0.D387.21D3
Found duplicate mac-address 00d0.d387.21d3.
Switch(config-if)#switchport port-security mac-address 00D0.BA12.52C3
Total secure mac-addresses on interface FastEthernet0/3 has reached maximum limit.
Switch(config-if)#end
Switch#
%SYS-5-CONFIG_I: Configured from console by console
show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/3              3            2                  0         Protect
---------------------------------------------------------------------------
Switch#
At this point PC0 can communicate with PC1 and PC2, but not with PC3.
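The behaviour observed above (three hosts forwarded, the fourth silently blocked, and a SecurityViolation count that stays at 0) follows from how a secure port learns addresses and what the protect mode does on a violation. The following Python model is an added illustration, not code from the lab writeup: it mirrors the configuration used here (maximum 3, violation protect) and goes beyond the writeup by also modelling the other two Cisco IOS violation modes, restrict and shutdown. The first three MAC addresses are the ones from the writeup; the fourth is constructed to stand in for PC3.

```python
"""Port-security model: secure-address learning and violation handling.

Added illustration, not code from the lab writeup. SecurePort mirrors
`switchport port-security maximum N` and
`switchport port-security violation {protect|restrict|shutdown}` as Cisco IOS
documents them: protect drops offending frames silently, restrict drops them
and increments the violation counter, shutdown err-disables the port.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # IOS default; the writeup's platform allows 1-128
    violation: str = "protect"        # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)  # static and dynamically learned
    violation_count: int = 0
    err_disabled: bool = False

    def add_static(self, mac: str) -> str:
        """Model `switchport port-security mac-address <mac>`.

        Returns "added", "duplicate" (address already secure, e.g. learned
        dynamically when the host pinged earlier) or "limit" (table full).
        """
        mac = mac.lower()
        if mac in self.secure_macs:
            return "duplicate"
        if len(self.secure_macs) >= self.maximum:
            return "limit"
        self.secure_macs.add(mac)
        return "added"

    def receive(self, src_mac: str) -> str:
        """Decide the fate of an ingress frame: "forward", "drop" or "err-disable"."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disable"            # port is down; nothing passes
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)   # dynamic learning fills the table
            return "forward"
        # Table full and source unknown: a security violation.
        if self.violation == "protect":
            return "drop"                   # silently dropped, nothing counted
        if self.violation == "restrict":
            self.violation_count += 1       # dropped and counted (IOS also logs it)
            return "drop"
        if self.violation == "shutdown":
            self.violation_count += 1
            self.err_disabled = True        # port goes err-disabled
            return "err-disable"
        raise ValueError(f"unknown violation mode {self.violation!r}")


# Three hosts from the writeup plus one constructed address standing in for PC3.
PC_MACS = ["0002.4A72.E492", "00D0.D387.21D3", "00D0.BA12.52C3", "0000.0000.0004"]


def simulate(mode: str, src_macs: list, maximum: int = 3) -> list:
    """Run one frame per source MAC through a fresh port and return each verdict."""
    port = SecurePort("FastEthernet0/3", maximum=maximum, violation=mode)
    return [port.receive(m) for m in src_macs]


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, simulate(mode, PC_MACS + [PC_MACS[0]]))
```

Running it shows why the writeup's counter stays at 0: protect mode drops the fourth host's frames without counting or logging them, so the only evidence of the violation is the failed ping. Restrict mode gives the same blocking with a counter (and a syslog message) for detection, and shutdown takes the whole port down, including for the three legitimate hosts, which is why it is usually paired with an errdisable recovery timer.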
Create VLANs:
Switch# configure terminal
Switch(config)# vlan 10 !create vlan 10
Switch(config-vlan)# name test10 !name vlan 10 "test10"
Switch(config)# vlan 20 !create vlan 20
Switch(config-vlan)# name test20 !name vlan 20 "test20"
Verification test:
Switch# show vlan !view the configured VLAN information
Assign interfaces to VLANs:
Switch# configure terminal
Switch(config)# interface fastethernet0/5
Switch(config-if)# switchport access vlan 10 !add port fastethernet 0/5 to vlan 10
Switch(config)# interface fastethernet0/15
Switch(config-if)# switchport access vlan 20 !add port fastethernet 0/15 to vlan 20
Create PC1 and PC2 and configure IP addresses for them. Under the same switch they can ping each other (because at this point every port is still in the default VLAN 1):
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Enter global configuration, create the VLANs and set their names:
Switch(config)#vlan 10
Switch(config-vlan)#name test10
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name test20
Switch(config-vlan)#end
Switch#
%SYS-5-CONFIG_I: Configured from console by console
The VLANs just created can be viewed with the show vlan command:
show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
10   test10                           active
20   test20                           active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Attach the interfaces to the VLANs:
Switch(config)#interface fastethernet0/1
Switch(config-if)#switchport access vlan 10
Switch(config-if)#interface fastethernet0/2
Switch(config-if)#switchport access vlan 20
Switch(config-if)#end
Switch#
%SYS-5-CONFIG_I: Configured from console by console
View the VLAN information again (the VLANs just created are now attached to their interfaces):
show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   test10                           active    Fa0/1
20   test20                           active    Fa0/2
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
After the configuration above, PC1 is attached to VLAN 10 and PC2 to VLAN 20, and a ping between PC1 and PC2 now fails:
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Enter interface configuration and detach the port from VLAN 10:
Switch(config)#interface fastethernet0/1
Switch(config-if)#no switch access vlan 10
Switch(config-if)#exit
Enter global configuration and delete VLAN 10:
Switch(config)#no vlan 10
Checking the ping between PC1 and PC2 again shows that it still fails (PC1 is back in the default VLAN 1, while PC2 is still attached to VLAN 20):
Switch(config)#end
Switch#
%SYS-5-CONFIG_I: Configured from console by console
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Enter interface configuration to detach PC2's port from VLAN 20, then delete VLAN 20:
Switch(config)#interface fastethernet 0/2
Switch(config-if)#no switch access vlan 20
Switch(config-if)#exit
Switch(config)#no vlan 20
Switch(config)#end
Now neither PC1 nor PC2 is attached to a user-created VLAN; both are back in the default VLAN 1, so they can ping each other again:
See the experiment procedure for details.
Building on Experiment 7:
Switch#
%SYS-5-CONFIG_I: Configured from console by console
%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
%LINK-5-CHANGED: Interface FastEthernet0/4, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
(Error message: % Access VLAN does not exist. Creating vlan 20)
Cause: VLAN 10 and VLAN 20 have not been created yet:
Switch(config)#interface fastethernet 0/5
Switch(config-if)#switchport access vlan 10
% Access VLAN does not exist. Creating vlan 10
Switch(config-if)#interface fastethernet 0/15
Switch(config-if)#switchport access vlan 20
% Access VLAN does not exist. Creating vlan 20
Switch(config-if)#exit
Create VLAN 10 and VLAN 20 (they were deleted in Experiment 7):
Switch(config)#vlan 10
Switch(config-vlan)#name test10
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name test20
Switch(config-vlan)#exit
Attach the interfaces to the VLANs (PC1 and PC2 to VLAN 10, PC3 and PC4 to VLAN 20):
Switch(config)#interface fastether 0/1
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface fastethernet 0/2
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface fastethernet 0/3
Switch(config-if)#switchport access vlan 20
Switch(config-if)#interface fastethernet 0/4
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit
Switch(config)#
View the VLANs and test the result:
Switch#
%SYS-5-CONFIG_I: Configured from console by console
show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   test10                           active    Fa0/1, Fa0/2, Fa0/5
20   test20                           active    Fa0/3, Fa0/4, Fa0/15
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
Switch#
PC0 can ping PC1 and PC2 can ping PC3, but PC0 cannot reach PC2 or PC3, and PC1 cannot reach PC2 or PC3.
Switch0 (A):
On switch SwitchA, create vlan 10 and assign port 0/5 to vlan 10.
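The reachability result above can be read straight off the port-to-VLAN table: two hosts on access ports in the same VLAN share a broadcast domain, hosts in different VLANs do not. The following Python parser is an added example, not code from the lab writeup. It turns `show vlan` output into a port-to-VLAN map, answers the same-VLAN question for any pair of ports, and lists the ports still sitting in VLAN 1, which is the first thing a hardening review of an access switch looks at. SHOW_VLAN is a constructed sample laid out like the writeup's final table (Fa0/1, Fa0/2 and Fa0/5 in VLAN 10; Fa0/3, Fa0/4 and Fa0/15 in VLAN 20; everything else in VLAN 1); only the first table (VLAN / Name / Status / Ports) is parsed.

```python
"""Parse `show vlan` output into a port-to-VLAN map and answer layer-2 reachability.

Added illustration, not code from the lab writeup. SHOW_VLAN is a constructed
sample modelled on the writeup's last `show vlan` table.
"""
import re

SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   test10                           active    Fa0/1, Fa0/2, Fa0/5
20   test20                           active    Fa0/3, Fa0/4, Fa0/15
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
"""

# A VLAN row: id, name, status, then an optional comma-separated port list.
VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_show_vlan(text: str) -> dict:
    """Return {port_name: vlan_id} for every port listed in the first table."""
    port_vlan = {}
    current_vlan = None
    for line in text.splitlines():
        if line.startswith("VLAN Type"):           # second table begins; stop
            break
        if line.startswith("VLAN ") or line.startswith("----") or not line.strip():
            continue                               # header, rule or blank line
        if line[0].isdigit():                      # new VLAN row
            m = VLAN_ROW.match(line)
            current_vlan = int(m.group(1))
            ports = m.group(4)
        elif line[0] == " " and current_vlan is not None:
            ports = line.strip()                   # continuation of the port list
        else:
            continue
        for port in ports.split(","):
            port = port.strip()
            if port:
                port_vlan[port] = current_vlan
    return port_vlan


def same_l2_domain(port_vlan: dict, a: str, b: str) -> bool:
    """True when two access ports share a VLAN, i.e. hosts on them can ping without routing."""
    return a in port_vlan and b in port_vlan and port_vlan[a] == port_vlan[b]


def ports_in_default_vlan(port_vlan: dict) -> list:
    """Ports still in VLAN 1; a review usually wants unused ones moved to a parking VLAN and shut down."""
    return sorted(p for p, v in port_vlan.items() if v == 1)


if __name__ == "__main__":
    pv = parse_show_vlan(SHOW_VLAN)
    print("Fa0/1 <-> Fa0/2:", same_l2_domain(pv, "Fa0/1", "Fa0/2"))   # same VLAN 10
    print("Fa0/1 <-> Fa0/3:", same_l2_domain(pv, "Fa0/1", "Fa0/3"))   # VLAN 10 vs 20
    print("still in VLAN 1:", ports_in_default_vlan(pv))
```

The parser keys on the layout of the first table only: a row that starts with a digit opens a new VLAN, an indented row continues the previous VLAN's port list, and the second "VLAN Type" header ends parsing. Feeding it the saved output of several switches gives a quick inventory of which access ports are still in the default VLAN.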
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 10
Switch(config-vlan)#name sales
Switch(config-vlan)#exit
Switch(config)#interface fastethernet 0/5
Switch(config-if)#switchport access vlan 10
Switch(config-if)#end
Switch#
%SYS-5-CONFIG_I: Configured from console by console
show vlan id 10
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   sales                            active    Fa0/5

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
10   enet  100010     1500  -      -      -        -    -        0      0
On switch SwitchA, create vlan 20 and assign port 0/15 to vlan 20.
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 20
Switch(config-vlan)#name technical
Switch(config-vlan)#exit
Switch(config)#interface fastethernet 0/15
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit
Switch(config)#exit
Switch#
%SYS-5-CONFIG_I: Configured from console by console
show vlan id 20
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
20   technical                        active    Fa0/15

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
20   enet  100020     1500  -      -      -        -    -        0      0
Define the port that connects SwitchA to SwitchB as a tagged-VLAN (trunk) port.
(By default, a switch trunk port carries all VLANs.)
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fastethernet 0/24
Switch(config-if)#switchport mode trunk
Switch(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
exit
Switch(config)#end
Switch#
%SYS-5-CONFIG_I: Configured from console by console
show interfaces fastethernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Switch#
Switch1 (B):
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 10
Switch(config-vlan)#name sales
Switch(config-vlan)#exit
Switch(config)#interface fastethernet 0/5
Switch(config-if)#switchport access vlan 10
Switch(config-if)#end
Switch#
%SYS-5-CONFIG_I: Configured from console by console
show vlan id 10
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   sales                            active    Fa0/5

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
10   enet  100010     1500  -      -      -        -    -        0      0
Define the port that connects SwitchB to SwitchA as a tagged-VLAN (trunk) port.
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fastethernet 0/24
Switch(config-if)#switchport mode trunk
Switch(config-if)#end
Switch#
%SYS-5-CONFIG_I: Configured from console by console
show interfaces fastethernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Switch#
With Switch0 (A) and Switch1 (B) both configured, PC0 and PC2 can communicate (they are in the same VLAN), while PC1 and PC2 cannot.
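The `show interfaces fastethernet 0/24 switchport` output on both switches shows the trunk working, but also three settings that a hardening review of a trunk normally flags: "Negotiation of Trunking: On" (DTP is still running), "Trunking Native Mode VLAN: 1 (default)" and "Trunking VLANs Enabled: All" (the point made in the parenthetical note above). The following Python audit is an added example, not code from the lab writeup. SWITCHPORT_OUTPUT is a constructed copy of the Fa0/24 output shown above, and the checks and suggested fixes encode general Cisco IOS trunk-hardening practice (`switchport nonegotiate`, a dedicated unused native VLAN, `switchport trunk allowed vlan`), not anything the writeup itself recommends; `<unused-vlan-id>` is a placeholder.

```python
"""Audit `show interfaces <if> switchport` output for common trunk-hardening gaps.

Added illustration, not code from the lab writeup. The findings reflect
general Cisco IOS hardening practice for trunk and access ports.
"""

# Constructed copy of the Fa0/24 output the writeup shows after `switchport mode trunk`.
SWITCHPORT_OUTPUT = """\
Name: Fa0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
"""


def parse_switchport(text: str) -> dict:
    """Turn the 'Key: value' lines into a dict; lines without a colon are ignored."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def audit_switchport(fields: dict) -> list:
    """Return (finding_id, explanation, fix) tuples for the port described by `fields`."""
    findings = []
    admin = fields.get("Administrative Mode", "")
    oper = fields.get("Operational Mode", "")

    # Applies to any port: a dynamic mode lets the attached device pick access or trunk.
    if admin in ("dynamic auto", "dynamic desirable"):
        findings.append(("dtp-dynamic",
                         "port negotiates its mode with whatever is plugged in",
                         "switchport mode access (or trunk) + switchport nonegotiate"))

    if oper != "trunk":
        return findings   # remaining checks only apply to an operational trunk

    if fields.get("Negotiation of Trunking", "").lower() == "on":
        findings.append(("dtp-on",
                         "DTP still runs on a statically configured trunk",
                         "switchport nonegotiate"))

    native = fields.get("Trunking Native Mode VLAN", "")      # e.g. "1 (default)"
    if native.split()[:1] == ["1"]:
        findings.append(("native-vlan-1",
                         "native VLAN is the default VLAN 1, shared with untagged access traffic",
                         "switchport trunk native vlan <unused-vlan-id>"))

    if fields.get("Trunking VLANs Enabled", "").lower() == "all":
        findings.append(("allowed-all",
                         "trunk carries every VLAN rather than only the ones needed",
                         "switchport trunk allowed vlan 10,20"))
    return findings


if __name__ == "__main__":
    for fid, why, fix in audit_switchport(parse_switchport(SWITCHPORT_OUTPUT)):
        print(f"{fid:15} {why}")
        print(f"{'':15} fix: {fix}")
```

Run against the writeup's Fa0/24 output, the audit reports all three trunk findings. The same function handles access ports: an interface left at the IOS default of "dynamic auto" gets the dtp-dynamic finding, while a port set to static access with negotiation off produces none. After applying the fixes, the `show interfaces ... switchport` line "Negotiation of Trunking" should read "Off" and "Trunking VLANs Enabled" should list only the VLANs the two switches actually share.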