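  • Switch Labs: Port Security, Switch Port Isolation, and Cross-Switch VLANs

    Computer Networks Lab Report

    Lab 6: Port Security

    I. Lab topology

    II. Lab steps

    III. Lab procedure and screenshots

    Lab 7: Switch Port Isolation

    I. Lab topology

    II. Lab steps

    III. Lab procedure

    IV. Lab result screenshots

    switch2 Lab Report

    I. Topology

    II. Lab steps

    III. Lab result screenshots

    Lab 8: VLANs Across Switches

    I. Lab topology

    II. Lab steps

    III. Lab result screenshots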

     

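    Lab 6: Port Security

    I. Lab topology:

    II. Lab steps:

    Switch# configure terminal                        // Enter global configuration mode.

    Switch(config)# interface FastEthernet 0/3            // Enter interface configuration mode.

    Switch(config-if)# switchport mode access          // Set the interface to access mode. If the interface is already in access mode, this step can be skipped.

    Switch(config-if)# switchport port-security           // Enable port security on this interface.

    Switch(config-if)# switchport port-security maximum 3

    // Set the maximum number of secure addresses on the interface to 3; the range is 1-128.

    Switch(config-if)# switchport port-security violation protect

    // Set the violation handling mode to protect.

    Switch(config-if)# end

    Switch#show port-security                      // Show statistics for all secure ports, including the maximum number of secure addresses, the current number of secure addresses, and the violation handling mode.

    Use the interface-configuration command switchport port-security mac-address mac-address [ip-address ip-address] to configure all of a port's secure addresses manually.

    In interface configuration mode, use no switchport port-security to disable port security on an interface. Use no switchport port-security maximum to restore the default maximum. Use no switchport port-security violation to reset violation handling to the default mode.

    Once a port is configured as a secure port and its number of secure addresses has reached the allowed maximum, a security violation is raised whenever the port receives a packet whose source address is not one of the port's secure addresses. The following modes determine how a violation is handled:

    1. protect: once the secure address count is full, the secure port drops any packet with an unknown source address (one that is not among the port's secure addresses).
    2. restrict: when a violation occurs, a Trap notification is sent to the administrator.
    3. shutdown: when a violation occurs, the port is shut down and a Trap notification is sent.

    For stronger security, bind a MAC address and an IP address together as the secure address. It is also possible to specify only the MAC address without binding an IP address.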

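    III. Lab procedure and screenshots:

    Switch>enable

    Global configuration:

    Switch#configure terminal

    Enter configuration commands, one per line.  End with CNTL/Z.

    Interface configuration:

    Switch(config)#interface Fastether 0/3

    Set the interface to access mode:

    Switch(config-if)#switchport mode access

    Enable port security on the interface:

    Switch(config-if)#switchport port-security

    Set the maximum number of secure addresses:

    Switch(config-if)#switchport port-security maximum 3

    Set the violation handling mode:

    Switch(config-if)#switchport port-security violation protect

    Switch(config-if)#end

    Switch#

    %SYS-5-CONFIG_I: Configured from console by console

    Show statistics for all secure ports, including the maximum number of secure addresses, the current number of secure addresses, and the violation handling mode: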

    show port-security

    Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action

                   (Count)       (Count)        (Count)

    --------------------------------------------------------------------

            Fa0/3        3          1                 0          Protect

    ----------------------------------------------------------------------

    After the pings succeed:

    Switch#show port-security

    Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action

                   (Count)       (Count)        (Count)

    --------------------------------------------------------------------

            Fa0/3        3          3                 0          Protect

    ----------------------------------------------------------------------

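    At this point PC0 can communicate with PC1 and PC2, but not with PC3.

    Disable port security on the interface:

    Switch#configure terminal

    Enter configuration commands, one per line.  End with CNTL/Z.

    Switch(config)#interface fastethernet 0/3

    Switch(config-if)#no switchport port-security

    Switch(config-if)#end

    Switch#

    %SYS-5-CONFIG_I: Configured from console by console

    Show statistics for all secure ports (port security has been disabled, so nothing is listed):

    show port-security

    At this point PC0 can communicate with PC1, PC2, and PC3.

    Configure the secure port with specified MAC addresses so that the specified addresses can communicate with each other, while hosts that are not among the secure addresses cannot communicate once the port's secure address count reaches the limit.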

    Switch#configure terminal

    Enter configuration commands, one per line.  End with CNTL/Z.

    Switch(config)#interface fastethernet 0/3

    Switch(config-if)#switch port-security

    Switch(config-if)#switchport port-security maximum 3

    Switch(config-if)#switchport port-security violation protect

    Switch(config-if)#switchport port-security mac-address 0002.4A72.E492

    Found duplicate mac-address 0002.4a72.e492.

    Switch(config-if)#switchport port-security mac-address 00D0.D387.21D3

    Found duplicate mac-address 00d0.d387.21d3.

    Switch(config-if)#switchport port-security mac-address 00D0.BA12.52C3

    Total secure mac-addresses on interface FastEthernet0/3 has reached maximum limit.

    Switch(config-if)#end

    Switch#

    %SYS-5-CONFIG_I: Configured from console by console

    show port-security

    Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action

                   (Count)       (Count)        (Count)

    --------------------------------------------------------------------

            Fa0/3        3          2                 0          Protect

    ----------------------------------------------------------------------

    Switch#

    At this point PC0 can communicate with PC1 and PC2, but not with PC3.
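    The show port-security summaries above can be checked mechanically. The following Python sketch is an added example, not part of the original lab report: it parses that table and flags ports whose secure-address table is full, ports in protect mode (which, per the mode list above, only drops and sends no Trap), and non-zero violation counters. The Fa0/3 row is taken from the lab output; the Fa0/7 row is constructed sample data.

```python
import re
from dataclasses import dataclass

# Fa0/3 row copied from the lab output above; Fa0/7 is a constructed row that
# shows a non-zero violation counter under a notifying mode.
SAMPLE = """\
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
               (Count)       (Count)        (Count)
--------------------------------------------------------------------
        Fa0/3        3          3                 0          Protect
        Fa0/7        1          1                 4          Restrict
----------------------------------------------------------------------
"""

# A data row is: port name, three integer counters, then the action keyword.
ROW = re.compile(r"^\s*(?P<port>[A-Za-z]+\d+(?:/\d+)+)\s+(?P<max>\d+)\s+(?P<cur>\d+)"
                 r"\s+(?P<viol>\d+)\s+(?P<action>\w+)\s*$")

@dataclass
class SecurePort:
    port: str
    max_addr: int
    cur_addr: int
    violations: int
    action: str

def parse_port_security(text):
    """Return one SecurePort per data row; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(SecurePort(m["port"], int(m["max"]), int(m["cur"]),
                                   int(m["viol"]), m["action"].lower()))
    return rows

def audit(rows):
    """Map port -> list of findings worth following up."""
    findings = {}
    for r in rows:
        notes = []
        if r.cur_addr >= r.max_addr:
            notes.append("secure address table full: any new source MAC is a violation")
        if r.action == "protect":
            notes.append("protect mode only drops frames: no Trap reaches the administrator")
        if r.violations > 0:
            notes.append(f"{r.violations} violation(s) recorded")
        if notes:
            findings[r.port] = notes
    return findings

if __name__ == "__main__":
    for port, notes in audit(parse_port_security(SAMPLE)).items():
        for note in notes:
            print(f"{port}: {note}")
```

    In the lab output the violation counter for Fa0/3 stays at 0 even while PC3 is being blocked, which is why the audit treats protect mode itself as a finding rather than relying on the counter.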

     

    Lab 7: Switch Port Isolation

    I. Lab topology:

    II. Lab steps:

    Create the VLANs:

    Switch# configure terminal

    Switch(config)# vlan 10 ! Create VLAN 10

    Switch(config-vlan)# name test10 ! Name VLAN 10 test10

    Switch(config)# vlan 20 ! Create VLAN 20

    Switch(config-vlan)# name test20 ! Name VLAN 20 test20

    Verification:

    Switch# show vlan ! View the configured VLAN information

    Assign interfaces to the VLANs:

    Switch# configure terminal

    Switch(config)# interface fastethernet0/5

    Switch(config-if)# switchport access vlan 10 ! Add port fastethernet 0/5 to VLAN 10

    Switch(config)# interface fastethernet0/15

    Switch(config-if)# switchport access vlan 20 ! Add port fastethernet 0/15 to VLAN 20

    III. Lab procedure:

    Create PC1 and PC2 and assign them IP addresses. On the same switch they can ping each other (because at this point every port is in the default VLAN1):

    Switch>enable

    Switch#configure terminal

    Enter configuration commands, one per line. End with CNTL/Z.

    Enter global configuration, create the VLANs, and rename them:

    Switch(config)#vlan 10

    Switch(config-vlan)#name test10

    Switch(config-vlan)#vlan 20

    Switch(config-vlan)#name test20

    Switch(config-vlan)#end

    Switch#

    %SYS-5-CONFIG_I: Configured from console by console

    Use the show vlan command to view the VLANs just created:

    show vlan

     

    VLAN Name                             Status    Ports

    ---- -------------------------------- --------- -------------------------------

    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4

                                                    Fa0/5, Fa0/6, Fa0/7, Fa0/8

                                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12

                                                    Fa0/13, Fa0/14, Fa0/15, Fa0/16

                                                    Fa0/17, Fa0/18, Fa0/19, Fa0/20

                                                    Fa0/21, Fa0/22, Fa0/23, Fa0/24

                                                    Gig0/1, Gig0/2

    10   test10                           active

    20   test20                           active

    1002 fddi-default                     active

    1003 token-ring-default               active

    1004 fddinet-default                  active

    1005 trnet-default                    active



    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

    1    enet  100001     1500  -      -      -        -    -        0      0

    10   enet  100010     1500  -      -      -        -    -        0      0

    20   enet  100020     1500  -      -      -        -    -        0      0

    1002 fddi  101002     1500  -      -      -        -    -        0      0

    1003 tr    101003     1500  -      -      -        -    -        0      0

    1004 fdnet 101004     1500  -      -      -        ieee -        0      0

    1005 trnet 101005     1500  -      -      -        ibm  -        0      0



    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------



    Remote SPAN VLANs

    ------------------------------------------------------------------------------



    Primary Secondary Type              Ports

    ------- --------- ----------------- ------------------------------------------

    Switch#configure terminal

    Enter configuration commands, one per line. End with CNTL/Z.

    Assign the interfaces to the VLANs:

    Switch(config)#interface fastethernet0/1

    Switch(config-if)#switchport access vlan 10

    Switch(config-if)#interface fastethernet0/2

    Switch(config-if)#switchport access vlan 20

    Switch(config-if)#end

    Switch#

    %SYS-5-CONFIG_I: Configured from console by console

    View the VLAN information again (the interfaces are now assigned to the VLANs just created):

    show vlan

     

    VLAN Name                             Status    Ports

    ---- -------------------------------- --------- -------------------------------

    1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6

                                                    Fa0/7, Fa0/8, Fa0/9, Fa0/10

                                                    Fa0/11, Fa0/12, Fa0/13, Fa0/14

                                                    Fa0/15, Fa0/16, Fa0/17, Fa0/18

                                                    Fa0/19, Fa0/20, Fa0/21, Fa0/22

                                                    Fa0/23, Fa0/24, Gig0/1, Gig0/2

    10   test10                           active    Fa0/1

    20   test20                           active    Fa0/2

    1002 fddi-default                     active

    1003 token-ring-default               active

    1004 fddinet-default                  active

    1005 trnet-default                    active



    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

    1    enet  100001     1500  -      -      -        -    -        0      0

    10   enet  100010     1500  -      -      -        -    -        0      0

    20   enet  100020     1500  -      -      -        -    -        0      0

    1002 fddi  101002     1500  -      -      -        -    -        0      0

    1003 tr    101003     1500  -      -      -        -    -        0      0

    1004 fdnet 101004     1500  -      -      -        ieee -        0      0

    1005 trnet 101005     1500  -      -      -        ibm  -        0      0



    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------



    Remote SPAN VLANs

    ------------------------------------------------------------------------------



    Primary Secondary Type              Ports

    ------- --------- ----------------- ------------------------------------------

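    With the above configuration complete, PC1 is attached to VLAN10 and PC2 to VLAN20, so pings between PC1 and PC2 now fail:

    Switch#configure terminal

    Enter configuration commands, one per line. End with CNTL/Z.

    Enter interface configuration and detach the port from VLAN10:

    Switch(config)#interface fastethernet0/1

    Switch(config-if)#no switch access vlan 10

    Switch(config-if)#exit

    Delete VLAN10 in global configuration:

    Switch(config)#no vlan 10

    Pinging between PC1 and PC2 again still fails (one PC is back in the default vlan1, while the other is still attached to VLAN20):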

    Switch(config)#end

    Switch#

    %SYS-5-CONFIG_I: Configured from console by console

    configure terminal

    Enter configuration commands, one per line. End with CNTL/Z.

    Enter interface configuration, detach PC2's port from VLAN20, and delete VLAN20:

    Switch(config)#interface fastethernet 0/2

    Switch(config-if)#no switch access vlan 20

    Switch(config-if)#exit

    Switch(config)#no vlan 20

    Switch(config)#end

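    At this point neither PC1 nor PC2 is attached to a user-defined VLAN; both default to VLAN0, so they can ping each other again:

    IV. Lab result screenshots:

    See the lab procedure above.

    switch2 Lab Report

    I. Topology:

    II. Lab steps:

    Building on Lab 7: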

    Switch#

    %SYS-5-CONFIG_I: Configured from console by console

     

    %LINK-5-CHANGED: Interface FastEthernet0/3, changed state to up

     

    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up

     

    %LINK-5-CHANGED: Interface FastEthernet0/4, changed state to up

     

    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up

    configure terminal

    Enter configuration commands, one per line. End with CNTL/Z.

    (Error message: % Access VLAN does not exist. Creating vlan 20

    Cause: VLAN10 and VLAN20 have not been created yet):

    Switch(config)#interface fastethernet 0/5

    Switch(config-if)#switchport access vlan 10

    % Access VLAN does not exist. Creating vlan 10

    Switch(config-if)#interface fastethernet 0/15

    Switch(config-if)#switchport access vlan 20

    % Access VLAN does not exist. Creating vlan 20

    Switch(config-if)#exit

    Create VLAN10 and VLAN20 (they were deleted in Lab 7):

    Switch(config)#vlan 10

    Switch(config-vlan)#name test10

    Switch(config-vlan)#exit

    Switch(config)#vlan 20

    Switch(config-vlan)#name test20

    Switch(config-vlan)#exit

    Assign the interfaces to the VLANs (PC1 and PC2 to VLAN10; PC3 and PC4 to VLAN20):

    Switch(config)#interface fastether 0/1

    Switch(config-if)#switchport access vlan 10

    Switch(config-if)#exit

    Switch(config)#interface fastethernet 0/2

    Switch(config-if)#switchport access vlan 10

    Switch(config-if)#exit

    Switch(config)#interface fastethernet 0/3

    Switch(config-if)#switchport access vlan 20

    Switch(config-if)#interface fastethernet 0/4

    Switch(config-if)#switchport access vlan 20

    Switch(config-if)#exit

    Switch(config)#

    View the VLANs and test the result:

    Switch#

    %SYS-5-CONFIG_I: Configured from console by console

    show vlan

     

    VLAN Name                             Status    Ports

    ---- -------------------------------- --------- -------------------------------

    1    default                          active    Fa0/6, Fa0/7, Fa0/8, Fa0/9

                                                    Fa0/10, Fa0/11, Fa0/12, Fa0/13

                                                    Fa0/14, Fa0/16, Fa0/17, Fa0/18

                                                    Fa0/19, Fa0/20, Fa0/21, Fa0/22

                                                    Fa0/23, Fa0/24, Gig0/1, Gig0/2

    10   test10                           active    Fa0/1, Fa0/2, Fa0/5

    20   test20                           active    Fa0/3, Fa0/4, Fa0/15

    1002 fddi-default                     active

    1003 token-ring-default               active

    1004 fddinet-default                  active

    1005 trnet-default                    active



    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

    1    enet  100001     1500  -      -      -        -    -        0      0

    10   enet  100010     1500  -      -      -        -    -        0      0

    20   enet  100020     1500  -      -      -        -    -        0      0

    1002 fddi  101002     1500  -      -      -        -    -        0      0

    1003 tr    101003     1500  -      -      -        -    -        0      0

    1004 fdnet 101004     1500  -      -      -        ieee -        0      0

    1005 trnet 101005     1500  -      -      -        ibm  -        0      0



    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------



    Remote SPAN VLANs

    ------------------------------------------------------------------------------



    Primary Secondary Type              Ports

    ------- --------- ----------------- ------------------------------------------

    Switch#

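    III. Lab result screenshots:

    PC0 can ping PC1 and PC2 can ping PC3, but PC0 cannot reach PC2 or PC3, and PC1 cannot reach PC2 or PC3.

    Lab 8: VLANs Across Switches

    I. Lab topology:

    II. Lab steps:

    Switch0(A):

    On SwitchA, create VLAN 10 and assign port 0/5 to VLAN 10.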

    Switch>enable

    Switch#configure terminal

    Enter configuration commands, one per line.  End with CNTL/Z.

    Switch(config)#vlan 10

    Switch(config-vlan)#name sales

    Switch(config-vlan)#exit

    Switch(config)#interface fastethernet 0/5

    Switch(config-if)#switchport access vlan 10

    Switch(config-if)#end

    Switch#

    %SYS-5-CONFIG_I: Configured from console by console

    show vlan id 10

     

    VLAN Name                             Status    Ports

    ---- -------------------------------- --------- -------------------------------

    10   sales                            active    Fa0/5

     

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

    10   enet  100010     1500  -      -      -        -    -        0      0

     

    On SwitchA, create VLAN 20 and assign port 0/15 to VLAN 20.

    Switch#configure terminal

    Enter configuration commands, one per line.  End with CNTL/Z.

    Switch(config)#vlan 20

    Switch(config-vlan)#name technical

    Switch(config-vlan)#exit

    Switch(config)#interface fastethernet 0/15

    Switch(config-if)#switchport access vlan 20

    Switch(config-if)#exit

    Switch(config)#exit

    Switch#

    %SYS-5-CONFIG_I: Configured from console by console

    show vlan id 20

     

    VLAN Name                             Status    Ports

    ---- -------------------------------- --------- -------------------------------

    20   technical                        active    Fa0/15

     

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

    20   enet  100020     1500  -      -      -        -    -        0      0

     

    Define the port on SwitchA that connects to SwitchB as tag VLAN (trunk) mode.

    (By default, a switch's trunk interface carries all VLANs.)

    Switch#configure terminal

    Enter configuration commands, one per line.  End with CNTL/Z.

    Switch(config)#interface fastethernet 0/24

    Switch(config-if)#switchport mode trunk

     

    Switch(config-if)#

    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down

     

    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up

    exit

    Switch(config)#end

    Switch#

    %SYS-5-CONFIG_I: Configured from console by console

    show interfaces fastethernet 0/24 switchport

    Name: Fa0/24

    Switchport: Enabled

    Administrative Mode: trunk

    Operational Mode: trunk

    Administrative Trunking Encapsulation: dot1q

    Operational Trunking Encapsulation: dot1q

    Negotiation of Trunking: On

    Access Mode VLAN: 1 (default)

    Trunking Native Mode VLAN: 1 (default)

    Voice VLAN: none

    Administrative private-vlan host-association: none

    Administrative private-vlan mapping: none

    Administrative private-vlan trunk native VLAN: none

    Administrative private-vlan trunk encapsulation: dot1q

    Administrative private-vlan trunk normal VLANs: none

    Administrative private-vlan trunk private VLANs: none

    Operational private-vlan: none

    Trunking VLANs Enabled: All

    Pruning VLANs Enabled: 2-1001

    Capture Mode Disabled

    Capture VLANs Allowed: ALL

    Protected: false

    Unknown unicast blocked: disabled

    Unknown multicast blocked: disabled

    Appliance trust: none

     

     

    Switch#

    Switch1(B):

    Switch>enable

    Switch#configure terminal

    Enter configuration commands, one per line.  End with CNTL/Z.

    Switch(config)#vlan 10

    Switch(config-vlan)#name sales

    Switch(config-vlan)#exit

    Switch(config)#interface fastethernet 0/5

    Switch(config-if)#switchport access vlan 10

    Switch(config-if)#end

    Switch#

    %SYS-5-CONFIG_I: Configured from console by console

    show vlan id 10

     

    VLAN Name                             Status    Ports

    ---- -------------------------------- --------- -------------------------------

    10   sales                            active    Fa0/5

     

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

    10   enet  100010     1500  -      -      -        -    -        0      0

     

    Define the port on SwitchB that connects to SwitchA as tag VLAN (trunk) mode.

    Switch#configure terminal

    Enter configuration commands, one per line.  End with CNTL/Z.

    Switch(config)#interface fastethernet 0/24

    Switch(config-if)#switchport mode trunk

    Switch(config-if)#end

    Switch#

    %SYS-5-CONFIG_I: Configured from console by console

    show interfaces fastethernet 0/24 switchport

    Name: Fa0/24

    Switchport: Enabled

    Administrative Mode: trunk

    Operational Mode: trunk

    Administrative Trunking Encapsulation: dot1q

    Operational Trunking Encapsulation: dot1q

    Negotiation of Trunking: On

    Access Mode VLAN: 1 (default)

    Trunking Native Mode VLAN: 1 (default)

    Voice VLAN: none

    Administrative private-vlan host-association: none

    Administrative private-vlan mapping: none

    Administrative private-vlan trunk native VLAN: none

    Administrative private-vlan trunk encapsulation: dot1q

    Administrative private-vlan trunk normal VLANs: none

    Administrative private-vlan trunk private VLANs: none

    Operational private-vlan: none

    Trunking VLANs Enabled: All

    Pruning VLANs Enabled: 2-1001

    Capture Mode Disabled

    Capture VLANs Allowed: ALL

    Protected: false

    Unknown unicast blocked: disabled

    Unknown multicast blocked: disabled

    Appliance trust: none

     

     

    Switch#

    Switch0(A) and Switch1(B) are now fully configured. PC0 and PC2 can communicate (same VLAN); PC1 and PC2 cannot.
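    The show interfaces fastethernet 0/24 switchport output above shows the trunk carrying all VLANs, with trunk negotiation on and native VLAN 1. The following Python sketch is an added example, not part of the original lab report: it parses that output and compares the trunk's state with the VLANs the link actually needs. The needed set {10} is an assumption based on VLAN 10 being the only VLAN configured on both switches in this lab.

```python
# Fields copied from the `show interfaces fastethernet 0/24 switchport` output above.
SAMPLE = """\
Name: Fa0/24
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: All
"""

def parse_switchport(text):
    """Turn 'Key: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def expand_vlans(spec):
    """'10,20-22' -> {10, 20, 21, 22}; 'All' -> None (no restriction)."""
    if spec.strip().lower() == "all":
        return None
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunk(fields, needed):
    """Return findings for one port; `needed` is the set of VLANs the link must carry."""
    if fields.get("Operational Mode") != "trunk":
        return []  # access ports are out of scope for this check
    findings = []
    allowed = expand_vlans(fields.get("Trunking VLANs Enabled", "All"))
    if allowed is None:
        findings.append(f"carries all VLANs; only {sorted(needed)} needed")
    elif allowed - needed:
        findings.append(f"carries unneeded VLANs {sorted(allowed - needed)}")
    if allowed is not None and needed - allowed:
        findings.append(f"missing needed VLANs {sorted(needed - allowed)}")
    if fields.get("Negotiation of Trunking", "").lower() == "on":
        findings.append("trunk negotiation still on for a statically set trunk")
    native = fields.get("Trunking Native Mode VLAN", "").split()
    if native and native[0] == "1":
        findings.append("native VLAN is the default VLAN 1, shared with unassigned ports")
    return findings

if __name__ == "__main__":
    # Assumption: only VLAN 10 has hosts on both switches in this lab.
    for finding in audit_trunk(parse_switchport(SAMPLE), {10}):
        print("Fa0/24:", finding)
```

    On Cisco IOS the interface commands that address these findings are switchport trunk allowed vlan, switchport nonegotiate, and switchport trunk native vlan.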

    III. Lab result screenshots:

     

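    Copyright of this article is shared by the author and 博客园 (cnblogs). Reposting is welcome, but unless the author consents otherwise, a link to the original must be given on the article page; otherwise the right to pursue legal liability is reserved.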
  • Original article: https://www.cnblogs.com/study-hard-forever/p/14387314.html