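Switch configuration
[S1]display interface brief  # Show brief information for all interfaces
[S1]display mac-address  # Show the MAC address table
Create a switch port group:
[S]vlan 2  # Create VLAN 2
[S]port-group VLAN2PORTS  # Create a port group named VLAN2PORTS
[S-port-group-vlan2ports]group-member Ethernet 0/0/4 to Ethernet 0/0/5  # Add ports 4-5 to the port group
[S-port-group-vlan2ports]port link-type access  # Set the interface type to access
[S-port-group-vlan2ports]port default vlan 2  # Add the group to VLAN 2
[S]interface Vlanif 2  # Enter VLAN 2 interface configuration
[S-Vlanif2]ip address 172.16.2.1 24  # Configure the IP address of VLAN 2
Configure switch port security: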
[S]interface Ethernet 0/0/2
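[S-Ethernet0/0/2]port-security enable  # Enable port security on this port
[S-Ethernet0/0/2]port-security protect-action shutdown  # Shut down the port on a security violation
[S-Ethernet0/0/2]port-security max-mac-num 1  # Allow only one MAC address to connect on this port
[S-Ethernet0/0/2]port-security mac-address sticky  # Bind the MAC address of the connected device
[S-Ethernet0/0/2]port-security mac-address sticky 5489-98A0-3C5A vlan 1  # Specify the MAC address allowed to connect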
Spanning Tree Protocol:
STP port roles
Root Port, Designated Port, Alternate Port, Backup Port.
Five port states
Disabled, Blocking, Listening, Learning, Forwarding
[S]stp enable  # Enable spanning tree
[S]stp disable  # Disable spanning tree
[S]stp priority 0  # Set this switch's bridge priority (BID) to 0. Must be a multiple of 4096; a smaller value means a higher priority.
[S1]stp priority 4096  # Make this the backup switch
Or:
[S]stp root primary  # Designate the root switch
[S1]stp root secondary  # Designate the backup switch
[S-GigabitEthernet0/0/1]stp cost 200  # Set the STP path cost of the port
[S-GigabitEthernet0/0/1]stp port priority 16  # Set the STP port priority of the port (a multiple of 16)
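VLAN configuration
LAN: local area network; WAN: wide area network; VLAN: virtual local area network (security, flexibility, segmentation)
Trunk link: trunk (frames carry a tag). Access link: access (frames carry no tag).
[S]clear configuration interface GigabitEthernet 0/0/1  # Clear all configuration on this interface
Create a VLAN and configure ports in bulk:
[S]vlan 2  # Create VLAN 2
[S-Ethernet0/0/8]port link-type access  # Define the type of this interface
[S-Ethernet0/0/8]port default vlan 2  # Assign this interface to VLAN 2
[S]port-group vlan2ports  # Create a port group named vlan2ports
[S-port-group-vlan2ports]group-member Ethernet 0/0/10 to Ethernet 0/0/15  # Add ports 10-15 to the port group
[S-port-group-vlan2ports]port link-type access  # Set the port group type to access
[S-port-group-vlan2ports]port default vlan 2  # Add this port group to VLAN 2
VLANs across switches:
[S]interface GigabitEthernet 0/0/2  # Enter configuration of the port that connects the switches
[S-GigabitEthernet0/0/2]port link-type trunk  # Set the port type to trunk
[S-GigabitEthernet0/0/2]port trunk allow-pass vlan all  # Allow all VLANs to pass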
[S]vlan batch 3 to 4
[S-Ethernet0/0/4]port link-type access  # Set the port to access type
[S-Ethernet0/0/4]port default vlan 3  # Add the port to VLAN 3
[S-Ethernet0/0/5]port link-type access  # Set the port to access type
[S-Ethernet0/0/5]port default vlan 4  # Add the port to VLAN 4
[S-Vlanif3]ip address 192.168.38.1 24
[S-Vlanif4]ip address 192.168.39.1 24
[SS-GigabitEthernet0/0/2]port link-type trunk  # The two switches are connected through port G0/0/2
[SS-GigabitEthernet0/0/2]port trunk
[SS-port-group-trunk]port trunk allow-pass vlan all
[SS]vlan batch 3 4
[SS-Ethernet0/0/2]port link-type access
[SS-Ethernet0/0/2]port default vlan 3
[SS-Ethernet0/0/1]port link-type access
[SS-Ethernet0/0/1]port default vlan 4
[SS-Vlanif3]ip address 192.168.38.1 24
[SS-Vlanif4]ip address 192.168.39.1 24
Configure switches to synchronize VLAN information automatically:
[S]interface g0/0/1
[S-GigabitEthernet0/0/1]port link-type trunk
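[S-GigabitEthernet0/0/1]port trunk allow-pass vlan all  # Configure the trunk link on the ports of each connected switch
GVRP (the VLAN registration protocol) must be enabled both globally and on the interconnecting ports of every connected switch
[S]gvrp  # Enable GVRP (VLAN registration protocol) globally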
[S]vlan 20
[S-GigabitEthernet0/0/1]gvrp  # Enable GVRP (VLAN registration protocol) on the interface
[S-GigabitEthernet0/0/1]port trunk allow-pass vlan 20  # Allow VLAN 20 to pass
Configure VLAN 20 on both the first and the last switch
[S4]vlan 20
[S]interface Ethernet 0/0/1  # Configure the port connected to the PC
[S-Ethernet0/0/1]port link-type access
[S-Ethernet0/0/1]port default vlan 20
[S4]interface Ethernet 0/0/1  # Configure the port connected to the PC
[S4-Ethernet0/0/1]port link-type access
[S4-Ethernet0/0/1]port default vlan 20
Inter-VLAN routing with a router on a stick:
[S]interface GigabitEthernet 0/0/1
[S-GigabitEthernet0/0/1]port link-type trunk
[S-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[R]interface GigabitEthernet 0/0/2
[R-GigabitEthernet0/0/2]ip address 172.16.10.1 24
[R]interface GigabitEthernet 0/0/2.2  # Enter logical subinterface G0/0/2.2 of G0/0/2
[R-GigabitEthernet0/0/2.2]dot1q termination vid 2  # Make this subinterface the gateway for VLAN 2
[R-GigabitEthernet0/0/2.2]ip address 172.16.2.1 24
[R-GigabitEthernet0/0/2.2]arp broadcast enable  # Enable ARP broadcast
[R]interface GigabitEthernet 0/0/2.3
[R-GigabitEthernet0/0/2.3]dot1q termination vid 3  # Make this subinterface the gateway for VLAN 3
[R-GigabitEthernet0/0/2.3]ip address 172.16.3.1 24
[R-GigabitEthernet0/0/2.3]arp broadcast enable
Inter-VLAN routing with a Layer 3 switch:
[S]port-group VLAN4
[S-port-group-vlan4]group-member Ethernet 0/0/1 to Ethernet 0/0/10
[S-port-group-vlan4]port link-type access
[S-port-group-vlan4]port default vlan 4
[S-Vlanif4]ip address 172.16.4.1 24
[S]port-group VLAN5
[S-port-group-vlan5]group-member Ethernet 0/0/11 to Ethernet 0/0/20
[S-port-group-vlan5]port link-type access
[S-port-group-vlan5]port default vlan 5
[S-Vlanif5]ip address 172.16.5.1 24
Using hybrid interfaces:
The three VLANs are in the same network segment
[S]port-group VLAN6
[S-port-group-vlan6]group-member Ethernet 0/0/21 to Ethernet 0/0/22
[S-port-group-vlan6]port link-type hybrid  # Set the port group to hybrid
[S-port-group-vlan6]port hybrid pvid vlan 6  # Join VLAN 6
[S-port-group-vlan6]port hybrid untagged vlan 4 5 6  # Allow VLANs 4, 5 and 6 to pass untagged
[S-port-group-vlan4]port hybrid untagged vlan 4 6  # Allow only VLANs 4 and 6 on the VLAN4 port group
[S-port-group-vlan5]port hybrid untagged vlan 5 6  # Allow only VLANs 5 and 6 on the VLAN5 port group
[S-GigabitEthernet0/0/1]port link-type hybrid  # Configure the interface that connects the switches
[S-GigabitEthernet0/0/1]port hybrid pvid vlan 1
[S-GigabitEthernet0/0/1]port hybrid tagged vlan 4 5 6  # Allow tagged VLANs 4, 5 and 6 to pass
[S1-GigabitEthernet0/0/1]port link-type hybrid
[S1-GigabitEthernet0/0/1]port hybrid pvid vlan 1
[S1-GigabitEthernet0/0/1]port hybrid tagged vlan 4 5 6
[S1]interface Ethernet 0/0/1
[S1-Ethernet0/0/1]port hybrid pvid vlan 4
[S1-Ethernet0/0/1]port hybrid untagged vlan 4 6
If a router is also connected:
[S1-GigabitEthernet0/0/2]port link-type hybrid
[S1-GigabitEthernet0/0/2]port hybrid pvid vlan 4
[S1-GigabitEthernet0/0/2]port hybrid untagged vlan 4 5 6
[R]interface GigabitEthernet 0/0/0
[R-GigabitEthernet0/0/0]ip address 172.16.0.1 24
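Monitor traffic on another port:
Configure interface Ethernet 0/0/2 to monitor inbound and outbound traffic on interface Ethernet 0/0/1
[S]observe-port interface Ethernet 0/0/2  # Make this interface the observing port
[S-Ethernet0/0/1]mirror to observe-port both  # Send both inbound and outbound traffic to that port
[S-Ethernet0/0/1]undo mirror both  # Cancel monitoring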
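Added example, not part of the original notes: a Python check over commands captured in the [device-view]command form used above. It flags three settings these notes configure: a trunk that passes every VLAN (port trunk allow-pass vlan all), an access port with no port-security enable, and a mirror to observe-port that was never undone. The sample lines are constructed, and the function names and finding strings are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the "[device-view]command" form used in these notes.
SAMPLE = """\
[S-GigabitEthernet0/0/2]port link-type trunk
[S-GigabitEthernet0/0/2]port trunk allow-pass vlan all
[S-GigabitEthernet0/0/1]port link-type trunk
[S-GigabitEthernet0/0/1]port trunk allow-pass vlan 20
[S-Ethernet0/0/2]port link-type access
[S-Ethernet0/0/2]port-security enable
[S-Ethernet0/0/4]port link-type access
[S-Ethernet0/0/1]mirror to observe-port both
[S-Ethernet0/0/1]undo mirror both
[S-Ethernet0/0/5]mirror to observe-port both
"""

PROMPT = re.compile(r"^\[([^\]-]+)-([^\]]+)\]\s*(.+)$")  # assumes no "-" in device names

def parse(text):
    """Group commands by (device, view); system-view lines are skipped."""
    views = defaultdict(list)
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            views[(m.group(1), m.group(2))].append(m.group(3).strip())
    return views

def has(cmds, prefix):
    # Prefix match, so a trailing annotation after the command is tolerated.
    return any(c.startswith(prefix) for c in cmds)

def audit(text):
    """Return sorted (device, view, finding) tuples."""
    findings = []
    for (dev, view), cmds in parse(text).items():
        if has(cmds, "port link-type trunk") and has(cmds, "port trunk allow-pass vlan all"):
            findings.append((dev, view, "trunk carries every VLAN"))
        if has(cmds, "port link-type access") and not has(cmds, "port-security enable"):
            findings.append((dev, view, "access port without port security"))
        mirrored = False  # replay in order so a cancelled session is not reported
        for c in cmds:
            if c.startswith("mirror to observe-port"):
                mirrored = True
            elif c.startswith("undo mirror"):
                mirrored = False
        if mirrored:
            findings.append((dev, view, "port mirroring still active"))
    return sorted(findings)
```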