Network Security Study -- Layer 3 Switches

Posted 丢爸


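Drawbacks of router-on-a-stick

  1. Network bottleneck
  2. Prone to a single point of physical failure
  3. Every frame of inter-VLAN traffic is routed individually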

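Layer 3 switches

  1. Layer 3 switch = Layer 3 routing + Layer 2 switch
  2. The Layer 3 routing engine can be turned off and on
  3. Advantages
    • Solves the network bottleneck problem
    • Solves the single point of failure (virtual interfaces no longer depend on any physical interface)
    • Route once, switch thereafter
  4. Configure a virtual interface on the Layer 3 switch (configure the VLAN gateway)
    interface vlan 10
    ip addr 10.1.1.1 255.255.255.0
    no shutdown
  5. Promote a Layer 2 port to a Layer 3 port
    interface f0/x
    no switchport

Layer 3 switch lab

PC4 simulates the external network, and Router1 simulates the external network's switch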

#---------------------Configure the switching part-----------------------
#-------------Configure the core switch-------------
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface range fa0/1-2
Switch(config-if-range)#switchport trunk encapsulation dot1Q
Switch(config-if-range)#switchport mode trunk
Switch(config-if-range)#exit
Switch(config)#vtp domain tye
Changing VTP domain name from NULL to tye
Switch(config)#vlan 10
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#exit
Switch(config)#ip routing
Switch(config)#interface vlan 10
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan10, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up

Switch(config-if)#ip addr 10.1.1.254 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface vlan 20
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan20, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up

Switch(config-if)#ip addr 20.1.1.254 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#do show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol 
FastEthernet0/1        unassigned      YES unset  up                    up 
FastEthernet0/2        unassigned      YES unset  up                    up 
FastEthernet0/3        unassigned      YES unset  down                  down 
FastEthernet0/4        unassigned      YES unset  down                  down 
FastEthernet0/5        unassigned      YES unset  down                  down 
FastEthernet0/6        unassigned      YES unset  down                  down 
FastEthernet0/7        unassigned      YES unset  down                  down 
FastEthernet0/8        unassigned      YES unset  down                  down 
FastEthernet0/9        unassigned      YES unset  down                  down 
FastEthernet0/10       unassigned      YES unset  down                  down 
FastEthernet0/11       unassigned      YES unset  down                  down 
FastEthernet0/12       unassigned      YES unset  down                  down 
FastEthernet0/13       unassigned      YES unset  down                  down 
FastEthernet0/14       unassigned      YES unset  down                  down 
FastEthernet0/15       unassigned      YES unset  down                  down 
FastEthernet0/16       unassigned      YES unset  down                  down 
FastEthernet0/17       unassigned      YES unset  down                  down 
FastEthernet0/18       unassigned      YES unset  down                  down 
FastEthernet0/19       unassigned      YES unset  down                  down 
FastEthernet0/20       unassigned      YES unset  down                  down 
FastEthernet0/21       unassigned      YES unset  down                  down 
FastEthernet0/22       unassigned      YES unset  down                  down 
FastEthernet0/23       unassigned      YES unset  down                  down 
FastEthernet0/24       unassigned      YES unset  down                  down 
GigabitEthernet0/1     unassigned      YES unset  down                  down 
GigabitEthernet0/2     unassigned      YES unset  down                  down 
Vlan1                  unassigned      YES unset  administratively down down 
Vlan10                 10.1.1.254      YES manual up                    up 
Vlan20                 20.1.1.254      YES manual up                    up
#----Configure the core switch as the DHCP server
Switch(config)#ip dhcp excluded-address 10.1.1.1 10.1.1.99
Switch(config)#ip dhcp excluded-address 20.1.1.1 20.1.1.99
Switch(config)#ip dhcp pool v10
Switch(dhcp-config)#network 10.1.1.0 255.255.255.0
Switch(dhcp-config)#default-router 10.1.1.254
Switch(dhcp-config)#exit
Switch(config)#ip dhcp pool v20
Switch(dhcp-config)#network 20.1.1.0 255.255.255.0
Switch(dhcp-config)#default-router 20.1.1.254
Switch(dhcp-config)#exit
Switch(config)#
#----Configure the core switch as the DHCP server
#-------------Configure the core switch-------------
#-------------Configure access switch 1-------------
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname sw1
sw1(config)#interface fa0/3
sw1(config-if)#switchport mode trunk

sw1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up

sw1(config-if)#do show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gig0/1
                                                Gig0/2
10   VLAN0010                         active    
20   VLAN0020                         active    
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active    
sw1(config-if)#exit
sw1(config)#interface fa0/1
sw1(config-if)#switchport access vlan 10
sw1(config-if)#exit
sw1(config)#interface fa0/2
sw1(config-if)#switchport access vlan 20
sw1(config-if)#exit
sw1(config)#
#-------------Configure access switch 1-------------
#-------------Configure access switch 2-------------
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#
Switch(config)#hostname sw2
sw2(config)#interface fa0/3
sw2(config-if)#switchport mode trunk

sw2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up

sw2(config-if)#
sw2(config-if)#exit
sw2(config)#interface fa0/1
sw2(config-if)#switchport access vlan 10
sw2(config-if)#exit
sw2(config)#interface fa0/2
sw2(config-if)#switchport access vlan 20	
sw2(config-if)#exit
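#-------------Configure access switch 2-------------
#---------------------Configure the switching part-----------------------

Once the switches are configured, the PCs can obtain IP addresses via DHCP

After obtaining addresses, the VLANs can communicate with each other

Configure the routing part
  1. Configure IP addresses on the core switch and router interfaces
#---------------------Configure the core switch-----------------------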
Switch(config)#interface fa0/3	
Switch(config-if)#no switch
Switch(config-if)#ip addr 30.1.1.1 255.255.255.0
Switch(config-if)#no shutdown
#---------------------Configure the core switch-----------------------
#---------------------Configure Router0-----------------------
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface fa0/0
Router(config-if)#ip addr 30.1.1.2 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#interface fa0/1
Router(config-if)#ip addr 40.1.1.1 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
#---------------------Configure Router0-----------------------
#---------------------Configure Router1-----------------------
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#
Router(config)#interface fa0/1
Router(config-if)#ip addr 40.1.1.2 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

Router(config-if)#exit
Router(config)#interface fa0/0
Router(config-if)#ip addr 50.1.1.254 255.255.255.0
Router(config-if)#no shutdown

Router(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Router(config-if)#exit
Router(config)#
#---------------------Configure Router1-----------------------
  2. Configure routes on the core switch and routers
#------------------------Configure a default route on the core switch----------------------
Switch(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.2
Switch(config)#do show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 30.1.1.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, Vlan10
     20.0.0.0/24 is subnetted, 1 subnets
C       20.1.1.0 is directly connected, Vlan20
     30.0.0.0/24 is subnetted, 1 subnets
C       30.1.1.0 is directly connected, FastEthernet0/3
S*   0.0.0.0/0 [1/0] via 30.1.1.2
#------------------------Configure a default route on the core switch----------------------
#------------------------Configure routes on Router0--------------------------
Router(config)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     30.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       30.1.1.0/24 is directly connected, FastEthernet0/0
L       30.1.1.2/32 is directly connected, FastEthernet0/0
     40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       40.1.1.0/24 is directly connected, FastEthernet0/1
L       40.1.1.1/32 is directly connected, FastEthernet0/1

Router(config)#ip route 50.1.1.0 255.255.255.0 40.1.1.2
Router(config)#ip route 10.1.1.0 255.255.255.0 30.1.1.1
Router(config)#ip route 20.1.1.0 255.255.255.0 30.1.1.1
Router(config)#
#------------------------Configure routes on Router0--------------------------
#------------------------Configure routes on Router1--------------------------
Router(config)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       40.1.1.0/24 is directly connected, FastEthernet0/1
L       40.1.1.2/32 is directly connected, FastEthernet0/1
     50.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       50.1.1.0/24 is directly connected, FastEthernet0/0
L       50.1.1.254/32 is directly connected, FastEthernet0/0

Router(config)#ip route 0.0.0.0 0.0.0.0 40.1.1.1
#------------------------Configure routes on Router1--------------------------
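
A way to check the three routing tables above before testing with ping, as an added example that is not part of the original post: it replays longest-prefix-match forwarding hop by hop and shows that traffic returning to VLAN 10 depends on Router0's static route to 10.1.1.0/24. The names `TABLES`, `OWNER`, `lookup`, `trace` and `without_route` are hypothetical, and the host addresses used in the test calls are constructed.

```python
import ipaddress

# Connected and static routes copied from the lab's three devices.
# A next hop of None means directly connected (deliver on that subnet).
TABLES = {
    "core": [("10.1.1.0/24", None), ("20.1.1.0/24", None),
             ("30.1.1.0/24", None), ("0.0.0.0/0", "30.1.1.2")],
    "Router0": [("30.1.1.0/24", None), ("40.1.1.0/24", None),
                ("50.1.1.0/24", "40.1.1.2"),
                ("10.1.1.0/24", "30.1.1.1"), ("20.1.1.0/24", "30.1.1.1")],
    "Router1": [("40.1.1.0/24", None), ("50.1.1.0/24", None),
                ("0.0.0.0/0", "40.1.1.1")],
}
# Which device owns each next-hop address (interface IPs from the lab).
OWNER = {"30.1.1.1": "core", "30.1.1.2": "Router0",
         "40.1.1.1": "Router0", "40.1.1.2": "Router1"}


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(start, dst, tables=TABLES, max_hops=8):
    """Follow a packet device by device; returns (path, outcome)."""
    path, device = [start], start
    for _ in range(max_hops):
        hit = lookup(tables[device], dst)
        if hit is None:
            return path, "no route"
        if hit[1] is None:
            return path, "delivered"
        device = OWNER[hit[1]]
        path.append(device)
    return path, "loop"


def without_route(device, prefix):
    """Copy of TABLES with one route removed from one device."""
    tables = {d: list(routes) for d, routes in TABLES.items()}
    tables[device] = [r for r in tables[device] if r[0] != prefix]
    return tables
```

Calling `trace("Router1", "10.1.1.100", without_route("Router0", "10.1.1.0/24"))` stops at Router0 with "no route", which is the symptom of a ping that leaves VLAN 10 but never gets a reply.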
