Chapter 5: Switching Technology
VLAN
VLAN ID
- VLAN ID range: 0~4095
- 0 and 4095: reserved, system use only; users cannot view or use these VLANs
- 1: normal, the Cisco default VLAN; users can use it but cannot delete it
- 2~1001: used for Ethernet VLANs; users can freely create, use and delete these VLANs
- 1002~1005: normal, used for FDDI, Cisco default VLANs; users cannot delete VLANs 1002~1005
- 1006~1024: reserved, system use only; users cannot view or use these VLANs
- 1025~4094: extended VLANs, used only for Ethernet VLANs
VLAN types
- Data VLAN: the most common kind of VLAN
- Management VLAN: used by the administrator to manage the switch
- Voice VLAN
- Private VLAN
- Native VLAN
VLAN configuration
SW1#vlan database
SW1(vlan)#vlan 10 name IT
VLAN 10 added:
Name: IT
SW1(vlan)#vlan 20 name JX
VLAN 20 added:
Name: JX
SW1(vlan)#exit
SW1#conf te
SW1(config)#int range f1/0 , f1/1
SW1(config-if-range)#no shutdown
SW1(config-if-range)#swi
SW1(config-if-range)#switchport mo
SW1(config-if-range)#switchport mode acc
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport acc
SW1(config-if-range)#switchport access vlan 10
SW1(config-if)#end
SW1#show sw
SW1#show vlan-sw
SW1#show vlan-switch bri
SW1#show vlan-switch brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa1/5, Fa1/6, Fa1/7, Fa1/8
Fa1/9, Fa1/10, Fa1/11, Fa1/12
Fa1/13, Fa1/14, Fa1/15
10 IT active Fa1/0, Fa1/1, Fa1/3
20 JX active Fa1/2, Fa1/4
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport trunk native vlan 10
SW1(config-if)#switchport trunk allowed vlan 1,20,1002-1005
Trunk optimization
NATIVE VLAN --- native VLAN
- Its frames are sent untagged, which saves resources; a switch can have only one native VLAN, and VLAN 1 is the native VLAN by default
- switchport trunk native vlan <ID>
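The trunk settings above (802.1Q encapsulation, native VLAN, allowed list) decide, for every frame, whether it is tagged, untagged or dropped. The following model is an added example written for these notes, not IOS code or the author's: the `TrunkPort` class, the frame helpers and the sample frames are all constructed here.

```python
"""Added example (not from the notes): how an 802.1Q trunk port treats frames
according to its native VLAN and allowed-VLAN list. TrunkPort, parse_allowed
and the sample frames are constructed for this example; they are not IOS code."""
import struct

TPID = 0x8100          # EtherType that announces an 802.1Q tag


def parse_allowed(spec):
    """Expand an IOS-style list such as '1,20,1002-1005' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


class TrunkPort:
    def __init__(self, native=1, allowed="1-4094"):
        self.native = native
        self.allowed = parse_allowed(allowed)

    def egress(self, vlan, dst, src, payload, ethertype=0x0800):
        """Frame bytes to transmit for a VLAN, or None if the VLAN is not allowed."""
        if vlan not in self.allowed:
            return None
        header = dst + src
        if vlan != self.native:                      # native VLAN leaves untagged
            header += struct.pack(">HH", TPID, vlan & 0x0FFF)
        return header + struct.pack(">H", ethertype) + payload

    def ingress(self, frame):
        """Classify a received frame: (vlan, payload), or None if it is dropped."""
        ethertype = struct.unpack(">H", frame[12:14])[0]
        if ethertype == TPID:
            tci = struct.unpack(">H", frame[14:16])[0]
            vlan, payload = tci & 0x0FFF, frame[18:]   # VLAN ID is the low 12 bits of the TCI
        else:
            vlan, payload = self.native, frame[14:]    # untagged frames belong to the native VLAN
        return (vlan, payload) if vlan in self.allowed else None


if __name__ == "__main__":
    # Constructed sample addresses and payloads
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("cc0104740000")
    trunk = TrunkPort(native=10, allowed="1,10,20,1002-1005")
    for vid in (10, 20, 30):
        frame = trunk.egress(vid, dst, src, b"data")
        print(vid, "dropped" if frame is None else frame.hex())
```

One check worth keeping in mind: the native VLAN only passes if it is also in the allowed list. With native VLAN 10 and an allowed list of `1,20,1002-1005`, as in the trunk configuration above, `egress(10, ...)` returns `None`, that is, native-VLAN traffic is not carried on that trunk.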
VTP
Definition
VLAN Trunking Protocol, Cisco proprietary, used to manage VLANs (centralized creation, modification and deletion)
Principle
- VTP modes (server and client)
- VTP domain name and password (domain, password)
- VTP configuration revision number
- VTP packets
Deployment
VLANs are synchronized from the server according to the revision number (the higher revision wins); in special cases this can also cause a server to learn from another server
// server-side deployment
SW3#vlan database
SW3(vlan)#vtp server
Device mode already VTP SERVER.
SW3(vlan)#vtp domain PL
Changing VTP domain name from LP to PL
SW3(vlan)#vtp password cisco
Password already set to cisco.
SW3(vlan)#exit
// client-side deployment
SW2#vlan da
SW2(vlan)#vtp client
Setting device to VTP CLIENT mode.
SW2(vlan)#vtp domain PL
Changing VTP domain name from NULL to PL
SW2(vlan)#vtp password cisco
Setting device VLAN database password to cisco.
SW2(vlan)#exit
// view VTP status
SW1#show vtp status
VTP Version : 2
Configuration Revision : 1
Maximum VLANs supported locally : 256
Number of existing VLANs : 8
VTP Operating Mode : Client
VTP Domain Name : PL
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xA0 0xB3 0x0E 0x85 0xB0 0x52 0x8B 0x5D
Configuration last modified by 0.0.0.0 at 3-1-02 00:46:18
VTP packets
Summary advertisement
Advertises the local VTP information, once every 5 minutes and also whenever a VLAN changes
No. Time Source Destination Protocol Length Info
// summary advertisement
50 26.756016 cc:03:12:1c:f1:01 CDP/VTP/DTP/PAgP/UDLD VTP 99 Summary Advertisement, Revision: 1, Followers: 1
// subset advertisement
51 26.771367 cc:03:12:1c:f1:01 CDP/VTP/DTP/PAgP/UDLD VTP 314 Subset Advertisement, Revision: 1, Seq: 1[Malformed Packet]
52 26.848951 cc:01:04:74:f1:01 CDP/VTP/DTP/PAgP/UDLD VTP 99 Summary Advertisement, Revision: 1, Followers: 1
53 26.863518 cc:01:04:74:f1:01 CDP/VTP/DTP/PAgP/UDLD VTP 314 Subset Advertisement, Revision: 1, Seq: 1[Malformed Packet]
Advertisement request
Triggered by a request from the client or the server
Subset advertisement
The set of VLAN information sent when a VLAN changes
Frame 51: 314 bytes on wire (2512 bits), 314 bytes captured (2512 bits)
IEEE 802.3 Ethernet
Logical-Link Control
VLAN Trunking Protocol
Version: 0x01
Code: Subset Advertisement (0x02)
Sequence Number: 1
Management Domain Length: 2
Management Domain: PL
Configuration Revision Number: 1
VLAN Information
[Malformed Packet: VTP]
VTP transparent mode (transparent)
Principle:
Sets the revision number of newly added VLANs to 0
Permissions:
Can create, delete and modify VLANs, but cannot interact with other devices
Configuration:
SW2#vlan database
SW2(vlan)#vtp transparent
Setting device to VTP TRANSPARENT mode.
SW2(vlan)#exit
APPLY completed.
Exiting....
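The deployment and transparent-mode sections above come down to three checks a switch applies to every summary advertisement (domain name, password via the MD5 digest, revision number) plus the rule that transparent mode neither syncs nor bumps its revision. The following simulation is an added example, not the notes' own material and not Cisco code; the packet fields and the digest calculation are simplified assumptions made for this example.

```python
"""Added example (not from the notes): a toy VTP switch that accepts or ignores
summary advertisements the way the notes describe. The advertisement fields and
the MD5 digest formula are this example's own simplifications."""
import hashlib
from dataclasses import dataclass, field


def vtp_digest(domain, password, revision, vlans):
    # Constructed stand-in for the digest shown by 'show vtp status'
    data = f"{domain}:{password}:{revision}:{sorted(vlans)}"
    return hashlib.md5(data.encode()).hexdigest()


@dataclass
class VtpSwitch:
    name: str
    mode: str                       # "server", "client" or "transparent"
    domain: str
    password: str
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def summary_advertisement(self):
        """What this switch sends every 5 minutes or on a VLAN change."""
        return {"domain": self.domain, "revision": self.revision,
                "digest": vtp_digest(self.domain, self.password, self.revision, self.vlans),
                "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Return a string saying whether the advertisement was applied and why."""
        if self.mode == "transparent":
            return "ignored: transparent mode keeps its own database"
        if adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        if adv["revision"] <= self.revision:
            return "ignored: revision not higher"
        # The digest only matches when the receiver's password matches the sender's
        expected = vtp_digest(adv["domain"], self.password, adv["revision"], adv["vlans"])
        if expected != adv["digest"]:
            return "ignored: digest/password mismatch"
        # Servers as well as clients accept a higher revision: this is the
        # "server learning from server" case the notes mention
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return f"applied: now at revision {self.revision}"

    def add_vlan(self, vid, name):
        if self.mode == "client":
            raise PermissionError("clients cannot edit VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1      # transparent mode edits locally without bumping the revision

    def set_transparent(self):
        self.mode = "transparent"
        self.revision = 0           # as in the notes: the revision becomes 0


if __name__ == "__main__":
    server = VtpSwitch("SW3", "server", "PL", "cisco")
    client = VtpSwitch("SW2", "client", "PL", "cisco")
    server.add_vlan(10, "IT")
    server.add_vlan(20, "JX")
    print(client.receive(server.summary_advertisement()), client.vlans)
```

The revision check runs before the digest check, which is why a device with a matching domain and password but a higher revision is the one case that overwrites a server's database; keeping that in mind is the reason transparent mode (revision 0) is the safe state for a switch being moved between domains.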
Loop prevention in switching
Layer-2 loop formation
// in configuration mode
no spanning-tree vlan 1 // disable loop prevention
int vlan 1 // VLAN 1, the switch's logical management interface
no sh
ip add <ip-address> <subnet-mask> // configure an IP address for the VLAN
ping <ip-address>
debug ip packet // debug IP packets
debug ip icmp // debug ICMP packets
debug arp // debug ARP packets
STP
Types
- STP: 802.1D
- PVST: Cisco proprietary
- RSTP: 802.1w
- MSTP: 802.1s
Election principles
STP bridge roles
- Root bridge, backup root bridge, non-root bridge
- Basis: BID = priority (default 32768) + local MAC
- Priority range 0~65535
- Rule: the lower the value, the higher the preference
STP port roles
- Roles: root port, designated port, non-designated port
- Root port: on every non-root device, the port closest to the root; used to receive BPDUs; there is exactly one per device
- Designated port: per link; every link must have exactly one designated port, the end closest to the root; used to send BPDUs
- Blocked port: per topology; every ring topology must have one; it blocks data to prevent loops
- Basis:
  - first the lowest cost (to the root)
  - then the lowest BID
  - then the lowest neighbor PID (PID = port priority + port ID)
STP election tips
- Elect the root bridge first; all ports of the root bridge are DPs (the root bridge's ports are closest to itself)
- The port opposite a DP is the RP (the DP sends BPDUs, the RP receives them)
- Election flow: elect the root bridge --> elect RP/DP --> elect NDP (blocked port)
Configuration
spanning-tree vlan 1 // enable spanning tree
show spanning-tree vlan 1 brief // view spanning tree status
show run | include spanning
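The election rules above (lowest BID for the root; then per port lowest cost to root, lowest BID, lowest PID) can be run end to end on a small topology. The code below is an added example written for these notes, not the author's lab output or Cisco code; it goes slightly beyond the notes in that it computes root path costs with Dijkstra, so it works on any connected topology, not only a triangle. The three switches, their MACs and port numbers are constructed (SW1's MAC is borrowed from the `show spanning-tree` output above so the result can be compared with it).

```python
"""Added example (not from the notes): STP root/RP/DP/blocked election on a
constructed three-switch triangle. Comparison order follows the notes: lowest
cost to root, then lowest BID, then lowest port ID. Names and MACs are made up."""
import heapq

DEFAULT_PRIORITY = 32768
PORT_PRIORITY = 128


def bid(bridge):
    """Bridge ID as a comparable tuple (priority, mac); lower wins."""
    return (bridge["priority"], bridge["mac"])


def pid(port_num, port_priority=PORT_PRIORITY):
    """Port ID as (priority, number); 128.41 is what IOS shows as 0x8029."""
    return (port_priority, port_num)


def pid_hex(p):
    return f"0x{(p[0] << 8) | p[1]:04x}"


def root_path_costs(bridges, links, root):
    """Dijkstra from the root: lowest total path cost to reach every bridge."""
    adj = {b: [] for b in bridges}
    for a, _, b, _, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in adj[u]:
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                heapq.heappush(heap, (d + c, v))
    return dist


def elect(bridges, links):
    """Return (root name, {(bridge, port): role}) with roles RP, DP or BLK."""
    root = min(bridges, key=lambda n: bid(bridges[n]))        # step 1: lowest BID
    dist = root_path_costs(bridges, links, root)
    roles = {}
    for name in bridges:                                      # step 2: one RP per non-root bridge
        if name == root:
            continue
        best = None
        for a, pa, b, pb, cost in links:
            for me, my_port, nb, nb_port in ((a, pa, b, pb), (b, pb, a, pa)):
                if me != name:
                    continue
                key = (dist[nb] + cost, bid(bridges[nb]), pid(nb_port), pid(my_port))
                if best is None or key < best[0]:
                    best = (key, my_port)
        roles[(name, best[1])] = "RP"
    for a, pa, b, pb, cost in links:                          # step 3: one DP per link
        ka = (dist[a], bid(bridges[a]), pid(pa))
        kb = (dist[b], bid(bridges[b]), pid(pb))
        dp, other = ((a, pa), (b, pb)) if ka < kb else ((b, pb), (a, pa))
        if roles.get(dp) != "RP":
            roles[dp] = "DP"
        roles.setdefault(other, "BLK")                        # neither RP nor DP: blocked (NDP)
    return root, roles


# Constructed lab: three switches in a triangle, FastEthernet links (cost 19)
BRIDGES = {
    "SW1": {"priority": DEFAULT_PRIORITY, "mac": "cc01.4aa0.0000"},
    "SW2": {"priority": DEFAULT_PRIORITY, "mac": "cc02.4aa0.0000"},
    "SW3": {"priority": DEFAULT_PRIORITY, "mac": "cc03.4aa0.0000"},
}
# (bridge A, port number on A, bridge B, port number on B, link cost)
LINKS = [("SW1", 41, "SW2", 41, 19),
         ("SW1", 42, "SW3", 41, 19),
         ("SW2", 42, "SW3", 42, 19)]

if __name__ == "__main__":
    root, roles = elect(BRIDGES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} port {pid_hex(pid(port))}: {role}")
```

With equal priorities SW1 wins on MAC, both its ports are DPs, SW2 and SW3 each take the port facing SW1 as RP, and on the SW2-SW3 link the lower BID (SW2) gets the DP while SW3's end blocks. Lowering a switch's priority (as `spanning-tree vlan 1 priority 0` or `root primary` does) moves the root and re-derives every role.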
SW1#show spanning-tree vlan 1 brief
VLAN1
Spanning tree enabled protocol ieee
Root ID Priority 32768
Address cc01.4aa0.0000
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32768
Address cc01.4aa0.0000
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Designated
Name Port ID Prio Cost Sts Cost Bridge ID Port ID
-------------------- ------- ---- ----- --- ----- -------------------- -------
FastEthernet1/0 128.41 128 19 FWD 0 32768 cc01.4aa0.0000 128.41
FastEthernet1/1 128.42 128 19 LIS 0 32768 cc01.4aa0.0000 128.42
// set by specifying an explicit priority value
spanning-tree vlan 1 priority 0 // set the priority, range 0~65535
// set with keywords
spanning-tree vlan 1 root primary
spanning-tree vlan 1 root secondary
STP packets
Definition of BPDU
A BPDU (Bridge Protocol Data Unit) is used to carry out and maintain the spanning tree election; it generally contains the election parameters, such as BID, PID and cost. Initially every switch can send BPDUs; once the root has been elected only the root originates them and the other switches merely forward them.
BPDU types
- Configuration BPDU
- TCN/TC/TCA BPDU
// configuration BPDU
Spanning Tree Protocol
Protocol Identifier: Spanning Tree Protocol (0x0000)
Protocol Version Identifier: Spanning Tree (0)
BPDU Type: Configuration (0x00)
BPDU flags: 0x00
0... .... = Topology Change Acknowledgment: No
.... ...0 = Topology Change: No
Root Identifier: 32768 / 0 / cc:01:4a:a0:00:00
Root Bridge Priority: 32768
Root Bridge System ID Extension: 0
Root Bridge System ID: cc:01:4a:a0:00:00 (cc:01:4a:a0:00:00)
Root Path Cost: 0
Bridge Identifier: 32768 / 0 / cc:01:4a:a0:00:00
Bridge Priority: 32768
Bridge System ID Extension: 0
Bridge System ID: cc:01:4a:a0:00:00 (cc:01:4a:a0:00:00)
Port identifier: 0x8029
Message Age: 0
Max Age: 20
Hello Time: 2
Forward Delay: 15
// TCN, TC and TCA packets
215438 10734.419026 cc:01:4a:a0:f1:00 Spanning-tree-(for-bridges)_00 STP 60 Conf. TC + Root = 32768/0/cc:01:4a:a0:00:00 Cost = 0 Port = 0x8029
215439 10736.608491 cc:01:4a:a0:f1:00 Spanning-tree-(for-bridges)_00 STP 60 Conf. TC + Root = 32768/0/cc:01:4a:a0:00:00 Cost = 0 Port = 0x8029
215440 10738.973192 cc:01:4a:a0:f1:00 Spanning-tree-(for-bridges)_00 STP 60 Conf. TC + Root = 32768/0/cc:01:4a:a0:00:00 Cost = 0 Port = 0x8029
215441 10741.467512 cc:01:4a:a0:f1:00 Spanning-tree-(for-bridges)_00 STP 60 Conf. TC + Root = 32768/0/cc:01:4a:a0:00:00 Cost = 0 Port = 0x8029
215442 10743.683322 cc:01:4a:a0:f1:00 Spanning-tree-(for-bridges)_00 STP 60 Conf. TC + Root = 32768/0/cc:01:4a:a0:00:00 Cost = 0 Port = 0x8029
215443 10745.866352 cc:01:4a:a0:f1:00 Spanning-tree-(for-bridges)_00 STP 60 Conf. TC + Root = 32768/0/cc:01:4a:a0:00:00 Cost = 0 Port = 0x8029
215444 10748.114273 cc:01:4a:a0:f1:00 Spanning-tree-(for-bridges)_00 STP 60 Conf. TC + Root = 32768/0/cc:01:4a:a0:00:00 Cost = 0 Port = 0x8029
215445 10750.322500 cc:01:4a:a0:f1:00 Spanning-tree-(for-bridges)_00 STP 60 Conf. TC + Root = 32768/0/cc:01:4a:a0:00:00 Cost = 0 Port = 0x8029
STP port states
graph LR
Blocking-.->Listening-.->Learning-.->Forwarding
Link state
Definition
The process from the moment a link fails until the network topology becomes stable again is called link convergence
Types
- Direct link convergence: 30s
  graph LR Blocking-.20s.->Listening-.15s.->Learning-.15s.->Forwarding
- Indirect link convergence: 50s
Link convergence lab
debug spanning-tree events // debug the STP convergence process
UplinkFast
spanning-tree uplinkfast
BackboneFast
Backbone fast, used to speed up indirect link convergence; it can save 20s
spanning-tree backbonefast
PortFast
Speeds up the connection of access devices to the switch
PVST
n VLANs have n trees
Deployment
Enable the trunk link
Create VLANs 10/20
Deploy PVST (per-VLAN STP)
spanning-tree vlan 10 root primary
spanning-tree vlan 10 root secondary
Switch redundancy
Link bundling
- Conditions: several links are bundled together; their speed, duplex mode, medium, configuration and so on must be the same
- Methods: forced mode (on), negotiated mode (PAgP, LACP)
// without a protocol
int range f0/1 , f0/4
switchport mode trunk
channel-group 1 mode on // bundle the interfaces into group 1
show ip interface brief
show int port-channel 1 // view the interface bandwidth
show etherchannel summary // view the EtherChannel attributes
show cdp neighbors // view neighbors
show int trunk
show spanning-tree vlan 10 brief
// PAgP, Cisco proprietary
int range f0/1 , f0/4
switchport mode trunk
channel-protocol pagp // set the protocol to PAgP (Port Aggregation Protocol)
channel-group 1 mode desirable/auto // desirable = active negotiation, auto = passive negotiation; desirable is normally used
// LACP, industry standard
int range f0/1 , f0/4
switchport mode trunk
channel-protocol lacp // set the link aggregation protocol
channel-group 1 mode active/passive // active = active negotiation, passive = passive negotiation
Router-on-a-stick
Inter-VLAN communication through router subinterfaces

// router
R1(config)#interface f1/0
R1(config-if)#no shutdown
R1(config)#interface f1/0.10
R1(config-subif)#encapsulation dot1Q 10
R1(config-subif)#ip address 192.168.10.254 255.255.255.0
R1(config)#interface f1/0.20
R1(config-subif)#encapsulation dot1Q 20
R1(config-subif)#ip address 192.168.20.254 255.255.255.0
DHCP deployment
// server-side deployment (global configuration)
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.20.254
ip dhcp pool vlan10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
ip dhcp pool vlan20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.254
// client-side deployment (on the interface)
no ip address
ip address dhcp // request an address via DHCP
Switch security
Port security
int f1/0
switchport mode access
spanning-tree portfast // enable PortFast
switchport port-security // enable port security
switchport port-security mac-address sticky // enable sticky address learning
switchport port-security maximum 1 // define the maximum number of MAC addresses allowed
switchport port-security violation shutdown // define the violation (penalty) mode
// protect: security violation protect mode, protect mode (frames dropped)
// restrict: security violation restrict mode, restrict mode (frames dropped + alarm)
// shutdown: security violation shutdown mode, shutdown mode (port shut down)
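The port-security commands above define a per-port limit on source MAC addresses, sticky learning of the addresses that are allowed, and one of three responses when an extra address appears. The model below is an added example for these notes, not IOS code or the author's: the `SecurePort` class, the sample MAC addresses and the alarm strings are constructed here, and the `running_config` lines mirror the commands above so the sticky effect is visible.

```python
"""Added example (not from the notes): a model of port security with a MAC
maximum, sticky learning and the protect/restrict/shutdown violation modes.
Frames, MACs and alarm text are constructed; this is not IOS output."""
from dataclasses import dataclass, field

VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"
    sticky: bool = True
    secure_macs: set = field(default_factory=set)   # MACs currently allowed on the port
    err_disabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.violation not in VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {self.violation!r}")

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame with source src_mac on this port."""
        if self.err_disabled:
            return "drop"                               # shut-down port passes nothing
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)              # learned; sticky also keeps it in the config
            return "forward"
        # A new source MAC beyond the maximum: this is a violation
        self.violations += 1
        if self.violation == "protect":
            return "drop"                               # protect: drop silently
        if self.violation == "restrict":
            self.log.append(f"{self.name}: violation by {src_mac} (constructed alarm)")
            return "drop"                               # restrict: drop and raise an alarm
        self.err_disabled = True                        # shutdown: port goes err-disabled
        self.log.append(f"{self.name}: err-disabled after violation by {src_mac} (constructed alarm)")
        return "drop"

    def running_config(self):
        """The interface section as it would look with the commands from the notes."""
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in sorted(self.secure_macs)]
        return lines


if __name__ == "__main__":
    port = SecurePort("f1/0", maximum=1, violation="shutdown")
    for mac in ("0011.2233.4455", "0011.2233.4455", "aaaa.bbbb.cccc", "0011.2233.4455"):
        print(mac, "->", port.receive(mac))
    print("\n".join(port.running_config()))
    print(port.log)
```

The difference between the modes is only what happens after the drop: `protect` leaves no trace, `restrict` keeps the port up and records each violation (the mode to pick when you want the event visible to monitoring), and `shutdown` err-disables the port so that even the legitimate sticky MAC stops passing until the port is re-enabled.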
Practice
Troubleshooting
- trunk: show int trunk; show run int f0/1
- vtp/vlan: show vtp status; show vlan-switch brief
- stp/pvst: show spanning-tree vlan 10 brief
- L3 switching: show ip int brief
- dhcp: show ip int brief; show run | section ip dhcp; show ip route
- etherchannel: show etherchannel summary; show ip int brief; show int port-channel 1
- port-security: show run; show run int f0/1
- OSPF: show run | section router ospf; show ip ospf neighbor; show ip route ospf