Network security study notes: VLAN
Posted by 丢爸
VLAN (Virtual LAN): virtual local area network
VLAN is a Layer 2 technology.
The harm done by broadcasts
Broadcasts add load on the network and on end hosts, help spread viruses, and weaken security.
How to control broadcasts
Controlling broadcasts = isolating broadcast domains
Routers isolate broadcasts (physical isolation of broadcast domains).
Drawbacks of using routers to isolate broadcasts: high cost, inflexible.
A newer technique, VLAN, is used to control broadcasts instead: VLANs are implemented on switches and divide broadcast domains through logical isolation.
One VLAN = one broadcast domain = one network segment
VLAN types
- Static VLAN
  - Manually configured
  - VLAN membership determined by switch port
- Dynamic VLAN
  - Manually configured
  - VLAN membership determined by MAC address
VLAN lab
A switch already has a VLAN by default: every port belongs to VLAN 1 (named default). So when PCs on different switches are placed into different VLANs, they cannot communicate directly without further configuration.
#------------------------- Switch0 configuration -------------------
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan ?
<1-4094> ISL VLAN IDs 1-1005
Switch(config)#vlan
% Incomplete command.
Switch(config)#vlan 10
Switch(config-vlan)#name first
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name second
Switch(config-vlan)#exit
Switch(config)#do show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
10   first                            active
20   second                           active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Switch(config)#interface f0/2
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface f0/3
Switch(config-if)#switchport access vlan 20
Switch(config-if)#do show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gig0/1, Gig0/2
10   first                            active    Fa0/1, Fa0/2
20   second                           active    Fa0/3
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
#------------------------- Switch0 configuration -------------------
#------------------------- Switch1 configuration -------------------
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#vlan 10
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#exit
Switch(config)#do show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gig0/1, Gig0/2
10   VLAN0010                         active
20   VLAN0020                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Switch(config)#interface f0/1
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface fa0/2
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit
Switch(config)#do show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   VLAN0010                         active    Fa0/1
20   VLAN0020                         active    Fa0/2
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
#------------------------- Switch1 configuration -------------------
# After this configuration, hosts in the same VLAN on different switches still cannot reach each other; the fix is a trunk, described below.
Trunk
Trunk (trunk link, shared link): allows all VLANs to pass over the trunk link.
A tag is added to each data frame so that the data of different VLANs can be told apart.
Trunk tags
- IEEE 802.1Q: open standard, supported by all vendors; the tag is 4 bytes and is an internal tag (inserted inside the original frame)
- ISL (Cisco proprietary): the tag is 30 bytes (26 + 4)
Switch port link types
Access port: generally used to connect a PC; belongs to exactly one VLAN and carries the data of only that one VLAN.
Trunk port: a shared port that allows the data of all VLANs to pass through.
Configuring the trunk
# This lab continues from the previous one
#------------------ Configure interface fa0/4 on Switch0
Switch(config)#interface fa0/4
Switch(config-if)#switchport mode trunk
Switch(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
#------------------ Configure interface fa0/4 on Switch1
Switch(config)#interface fa0/4
Switch(config-if)#switchport mode trunk
Switch(config-if)#
Switch(config-if)#
Switch(config-if)#do show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gig0/1, Gig0/2
10   VLAN0010                         active    Fa0/1
20   VLAN0020                         active    Fa0/2
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
#-------------- Test again with ping: same-VLAN communication between hosts on different switches
C:\>ping 10.1.1.5
Pinging 10.1.1.5 with 32 bytes of data:
Reply from 10.1.1.5: bytes=32 time<1ms TTL=128
Reply from 10.1.1.5: bytes=32 time=4ms TTL=128
Ping statistics for 10.1.1.5:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 4ms, Average = 2ms
Control-C
^C
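An added example, not part of the original post, that ties the 802.1Q tag section and the two-switch lab together: it encodes and strips the 4-byte 802.1Q tag (TPID 0x8100 plus a 16-bit TCI holding the VLAN ID) and models the lab with a toy switch in which Switch0 fa0/2 and fa0/3 and Switch1 fa0/1 and fa0/2 are access ports in VLAN 10 and 20 and fa0/4 is the inter-switch link. The switch model, the port tables and the broadcast frame are assumptions constructed for the example; it shows that a VLAN 10 broadcast reaches Switch1 only once fa0/4 is a trunk, and never reaches a VLAN 20 port.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an IEEE 802.1Q tag

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag right after the 12-byte dst/src MAC header."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = (pcp << 13) | vid  # PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame: bytes):
    """Return (vid, frame_without_tag); vid is None when the frame carries no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame

def flood(ports, in_port, frame):
    """Toy switch (assumed model): ports maps name -> ('access', vid) or ('trunk', None).
    Flood a frame received on in_port within its own VLAN; yield (out_port, bytes on wire)."""
    mode, pvid = ports[in_port]
    vid, payload = untag_frame(frame)
    if mode == "access":
        vid = pvid  # an access port belongs to exactly one VLAN; any tag is ignored
    elif vid is None:
        vid = 1  # untagged frame arriving on a trunk: native VLAN 1
    for port, (m, v) in ports.items():
        if port == in_port:
            continue
        if m == "access" and v == vid:
            yield port, payload  # the PC receives an untagged frame
        elif m == "trunk":
            yield port, tag_frame(payload, vid)  # the trunk carries every VLAN, tagged

def lab(trunk_up: bool):
    """Rebuild the post's topology; return the ports a VLAN 10 broadcast from Switch0 fa0/2 reaches."""
    link = ("trunk", None) if trunk_up else ("access", 1)  # fa0/4 before/after 'switchport mode trunk'
    sw0 = {"fa0/2": ("access", 10), "fa0/3": ("access", 20), "fa0/4": link}
    sw1 = {"fa0/1": ("access", 10), "fa0/2": ("access", 20), "fa0/4": link}
    # Constructed broadcast: dst ff:ff:ff:ff:ff:ff, arbitrary src MAC, EtherType ARP, dummy body
    frame = b"\xff" * 6 + bytes.fromhex("0011223344aa") + b"\x08\x06" + b"who-has 10.1.1.5"
    reached = set()
    for port, wire in flood(sw0, "fa0/2", frame):
        if port == "fa0/4":  # inter-switch link: let Switch1 forward it on
            reached.update(("Switch1", p) for p, _ in flood(sw1, "fa0/4", wire))
        else:
            reached.add(("Switch0", port))
    return reached
```

Calling lab(False) returns an empty set (the ping in the first lab fails), while lab(True) returns only Switch1 fa0/1, the VLAN 10 port on the far switch.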