Network Security Lab Tutorial, Chapter 1: Network Infrastructure Security Labs

Using BPDU Filter to Improve STP Security

【Lab Name】
Using BPDU Filter to improve STP security

【Lab Objective】
Use the switch's BPDU Filter feature to improve the stability and resilience of the switched network.

【Background】
Normally, a switch sends BPDUs out of every enabled interface in order to carry out spanning tree election and topology maintenance. However, if a switch port is connected to an end device such as a PC or a printer, that device does not need to take part in the STP calculation and therefore does not need to receive BPDUs.

【Requirements Analysis】
The BPDU filtering (BPDU Filter) feature can be used to stop BPDUs from being sent out of a port, so that devices that do not need to take part in the STP calculation do not receive unnecessary BPDUs.

【Lab Topology】
(Topology figure not reproduced; labels recoverable from the figure: F0/23, F0/24, SW2, SW3.)

【Lab Equipment】
3 switches
1 PC

【Prerequisite Knowledge】
Switch forwarding principles
Basic switch configuration
STP principles
PortFast principles
BPDU Filter principles

【Lab Principle】
The BPDU Filter feature stops BPDUs from being sent out of a port, so that devices that do not need to take part in the STP calculation do not receive unnecessary BPDUs.

【Lab Steps】

Step 1: Configure the trunk ports

SW1 and SW2 are connected by two links to provide redundancy:

    SW1#configure
    SW1(config)#interface fastEthernet 0/23
    SW1(config-if)#switchport mode trunk
    SW1(config-if)#exit
    SW1(config)#interface fastEthernet 0/24
    SW1(config-if)#switchport mode trunk
    SW1(config-if)#end
    SW1#

    SW2#configure
    SW2(config)#interface fastEthernet 0/23
    SW2(config-if)#switchport mode trunk
    SW2(config-if)#exit
    SW2(config)#interface fastEthernet 0/24
    SW2(config-if)#switchport mode trunk
    SW2(config-if)#end
    SW2#

Step 2: Enable the spanning tree protocol (RSTP)

    SW1#configure
    SW1(config)#spanning-tree mode rstp
    SW1(config)#spanning-tree
    SW1(config)#

    SW2#configure
    SW2(config)#spanning-tree mode rstp
    SW2(config)#spanning-tree
    SW2(config)#

Step 3: Verification

View the spanning tree election result. Because SW2 has the smaller MAC address, SW2 is elected as the root bridge:

    SW1#show spanning-tree
    StpVersion : RSTP
    SysStpStatus : ENABLED
    MaxAge : 20
    HelloTime : 2
    ForwardDelay : 15
    BridgeMaxAge : 20
    BridgeHelloTime : 2
    BridgeForwardDelay : 15
    MaxHops : 20
    TxHoldCount : 3
    PathCostMethod : Long
    BPDUGuard : Disabled
    BPDUFilter : Disabled
    BridgeAddr : 00d0.f882.f4a1
    Priority : 32768
    TimeSinceTopologyChange : 0d:2h:37m:57s
    TopologyChanges : 10
    DesignatedRoot : 8000.00d0.f821.a542
    RootCost : 200000
    RootPort : 23

    SW2#show spanning-tree
    StpVersion : RSTP
    SysStpStatus : ENABLED
    MaxAge : 20
    HelloTime : 2
    ForwardDelay : 15
    BridgeMaxAge : 20
    BridgeHelloTime : 2
    BridgeForwardDelay : 15
    MaxHops : 20
    TxHoldCount : 3
    PathCostMethod : Long
    BPDUGuard : Disabled
    BPDUFilter : Disabled
    BridgeAddr : 00d0.f821.a542
    Priority : 32768
    TimeSinceTopologyChange : 0d:2h:38m:28s
    TopologyChanges : 14
    DesignatedRoot : 8000.00d0.f821.a542
    RootCost : 0
    RootPort : 0

Step 4: Configure SW3

Configure SW3 with a numerically lower priority so that it is eligible to become the new root bridge, and enable RSTP:

    SW3#configure
    SW3(config)#spanning-tree priority 4096
    SW3(config)#spanning-tree mode rstp
    SW3(config)#spanning-tree
    SW3(config)#

Step 5: Connect SW3 to port F0/1 of SW2

The switch reports a topology change:

    SW2#Dec 3 23:09:37 SW2 %7:%LINK CHANGED: Interface FastEthernet 0/1, changed state to up
    Dec 3 23:09:37 SW2 %7:%LINE PROTOCOL CHANGE: Interface FastEthernet 0/1, changed state to UP
    Dec 3 23:09:40 SW2 %7:2007-12-3 23:09:40 topochange:topology is changed
    Dec 3 23:09:41 SW2 %7:2007-12-3 23:09:41 topochange:topology is changed

View the spanning tree election result. SW3 has become the new root bridge:

    SW2#show spanning-tree
    StpVersion : RSTP
    SysStpStatus : ENABLED
    MaxAge : 20
    HelloTime : 2
    ForwardDelay : 15
    BridgeMaxAge : 20
    BridgeHelloTime : 2
    BridgeForwardDelay : 15
    MaxHops : 20
    TxHoldCount : 3
    PathCostMethod : Long
    BPDUGuard : Disabled
    BPDUFilter : Disabled
    BridgeAddr : 00d0.f821.a542
    Priority : 32768
    TimeSinceTopologyChange : 0d:0h:0m:36s
    TopologyChanges : 16
    DesignatedRoot : 1000.00d0.f834.6af0
    RootCost : 200000
    RootPort : 1

    SW1#show spanning-tree
    StpVersion : RSTP
    SysStpStatus : ENABLED
    MaxAge : 20
    HelloTime : 2
    ForwardDelay : 15
    BridgeMaxAge : 20
    BridgeHelloTime : 2
    BridgeForwardDelay : 15
    MaxHops : 20
    TxHoldCount : 3
    PathCostMethod : Long
    BPDUGuard : Disabled
    BPDUFilter : Disabled
    BridgeAddr : 00d0.f882.f4a1
    Priority : 32768
    TimeSinceTopologyChange : 0d:0h:1m:22s
    TopologyChanges : 12
    DesignatedRoot : 1000.00d0.f834.6af0
    RootCost : 400000
    RootPort : 23

    SW3#show spanning-tree
    StpVersion : RSTP
    SysStpStatus : ENABLED
    MaxAge : 20
    HelloTime : 2
    ForwardDelay : 15
    BridgeMaxAge : 20
    BridgeHelloTime : 2
    BridgeForwardDelay : 15
    MaxHops : 20
    TxHoldCount : 3
    PathCostMethod : Long
    BPDUGuard : Disabled
    BPDUFilter : Disabled
    BridgeAddr : 00d0.f834.6af0
    Priority : 4096
    TimeSinceTopologyChange : 0d:0h:1m:56s
    TopologyChanges : 6
    DesignatedRoot : 1000.00d0.f834.6af0
    RootCost : 0
    RootPort : 0

The tests above show that adding SW3 caused STP to recalculate.

Step 6: Disconnect SW3 from port F0/1 of SW2 so that the network returns to its previous topology

Step 7: Configure BPDU Filter

Enable the BPDU Filter feature on port F0/1 of SW2:

    SW2#configure
    SW2(config)#interface fastEthernet 0/1
    SW2(config-if)#spanning-tree bpdufilter enable
    SW2(config-if)#end
    SW2#

View the BPDU Filter status:

    SW2#show spanning-tree interface fastEthernet 0/1
    PortAdminPortFast : Disabled
    PortOperPortFast : Disabled
    PortAdminLinkType : auto
    PortOperLinkType : point-to-point
    PortBPDUGuard : disable
    PortBPDUFilter : enable
    PortState : discarding
    PortPriority : 128
    PortDesignatedRoot : 8000.00d0.f821.a542
    PortDesignatedCost : 0
    PortDesignatedBridge : 8000.00d0.f821.a542
    PortDesignatedPort : 8001
    PortForwardTransitions : 3
    PortAdminPathCost : 200000
    PortOperPathCost : 200000
    PortRole : disableport

Step 8: Connect SW3 to port F0/1 of SW2 again

View the spanning tree state of SW2 and SW1. SW2 is still the root bridge:

    SW2#show spanning-tree
    StpVersion : RSTP
    SysStpStatus : ENABLED
    MaxAge : 20
    HelloTime : 2
    ForwardDelay : 15
    BridgeMaxAge : 20
    BridgeHelloTime : 2
    BridgeForwardDelay : 15
    MaxHops : 20
    TxHoldCount : 3
    PathCostMethod : Long
    BPDUGuard : Disabled
    BPDUFilter : Disabled
    BridgeAddr : 00d0.f821.a542
    Priority : 32768
    TimeSinceTopologyChange : 0d:0h:20m:26s
    TopologyChanges : 16
    DesignatedRoot : 8000.00d0.f821.a542
    RootCost : 0
    RootPort : 0

    SW1#show spanning-tree
    StpVersion : RSTP
    SysStpStatus : ENABLED
    MaxAge : 20
    HelloTime : 2
    ForwardDelay : 15
    BridgeMaxAge : 20
    BridgeHelloTime : 2
    BridgeForwardDelay : 15
    MaxHops : 20
    TxHoldCount : 3
    PathCostMethod : Long
    BPDUGuard : Disabled
    BPDUFilter : Disabled
    BridgeAddr : 00d0.f882.f4a1
    Priority : 32768
    TimeSinceTopologyChange : 0d:0h:20m:56s
    TopologyChanges : 12
    DesignatedRoot : 8000.00d0.f821.a542
    RootCost : 200000
    RootPort : 23

The tests above show that, because BPDU Filter is configured on port F0/1 of SW2, when SW3 is connected to F0/1 and BPDUs arrive on that port, BPDU Filter discards the received BPDUs, so the original network topology is not affected.

Step 9: Verify BPDU Filter

To verify the BPDU Filter function more clearly, connect a PC to port F0/1 of SW1. Capturing packets on the PC shows that SW1 is sending BPDUs out of F0/1:

    No.  Time         Source             Destination        Protocol  Info
    1    (illegible)  00:d0:f8:82:f4:a1  (illegible)        STP       RST. Root =
    2    1.999981     00:d0:f8:82:f4:a1  01:80:c2:00:00:00  STP       RST. Root =
    3    3.999962     00:d0:f8:82:f4:a1  01:80:c2:00:00:00  STP       RST. Root =
    4    5.999946     00:d0:f8:82:f4:a1  01:80:c2:00:00:00  STP       RST. Root =
    5    7.999925     00:d0:f8:82:f4:a1  01:80:c2:00:00:00  STP       RST. Root =
    6    9.999907     00:d0:f8:82:f4:a1  01:80:c2:00:00:00  STP       RST. Root =

    Frame 1 (60 bytes on wire, 60 bytes captured)
    IEEE 802.3 Ethernet
    Logical-Link Control
    Spanning Tree Protocol
        Protocol Identifier: Spanning Tree Protocol (0x0000)
        Protocol Version Identifier: Rapid Spanning Tree (2)
        BPDU Type: Rapid/Multiple Spanning Tree (0x02)
        BPDU flags: 0x7c (Agreement, Forwarding, Learning, Port Role: Designated)
        Root Identifier: 32768 / 00:d0:f8:21:a5:42
        Root Path Cost: 200000
        Bridge Identifier: 32768 / 00:d0:f8:82:f4:a1
        Port identifier: 0x8001
        Message Age: 1
        Max Age: 20
        Hello Time: 2
        Forward Delay: 15
        Version 1 Length: 0

Step 10: Configure BPDU Filter

    SW1#configure
    SW1(config)#interface fastEthernet 0/1
    SW1(config-if)#spanning-tree portfast
    SW1(config-if)#spanning-tree bpdufilter enable
    SW1(config-if)#end
    SW1#

Step 11: Verification

BPDUs can no longer be captured on PC1.

【Reference Configuration】

    SW1#show running-config
    Building configuration...
    Current configuration : 1272 bytes
    !
    hostname SW1
    !
    !
    !
    vlan 1
    spanning-tree
    spanning-tree mode rstp
    interface FastEthernet 0/1
     spanning-tree bpdufilter enable
     spanning-tree portfast
    !
    interface FastEthernet 0/2
    !
    interface FastEthernet 0/3
    !
    interface FastEthernet 0/4
    !
    interface FastEthernet 0/5
    !
    interface FastEthernet 0/6
    !
    interface FastEthernet 0/7
    !
    interface FastEthernet 0/8
    !
    interface FastEthernet 0/9
    !
    interface FastEthernet 0/10
    !
    interface FastEthernet 0/11
    !
    interface FastEthernet 0/12
    !
    interface FastEthernet 0/13
    !
    interface FastEthernet 0/14
    !
    interface FastEthernet 0/15
    !
    interface FastEthernet 0/16
    !
    interface FastEthernet 0/17
    !
    interface FastEthernet 0/18
    !
    interface FastEthernet 0/19
    !
    interface FastEthernet 0/20
    !
    interface FastEthernet 0/21
    !
    interface FastEthernet 0/22
    !
    interface FastEthernet 0/23
     switchport mode trunk
    !
    interface FastEthernet 0/24
     switchport mode trunk
    !
    interface GigabitEthernet 0/25
    !
    interface GigabitEthernet 0/26
    !
    interface GigabitEthernet 0/27
    !
    interface GigabitEthernet 0/28
    !
    line con 0
    line vty 0 4
     login
    !
    !
    end

    SW2#show running-config
    Building configuration...
    Current configuration : 1247 bytes
    !
    hostname SW2
    vlan 1
    spanning-tree
    spanning-tree mode rstp
    interface FastEthernet 0/1
     spanning-tree bpdufilter enable
    !
    interface FastEthernet 0/2
    !
    interface FastEthernet 0/3
    !
    interface FastEthernet 0/4
    !
    interface FastEthernet 0/5
    !
    interface FastEthernet 0/6
    !
    interface FastEthernet 0/7
    !
    interface FastEthernet 0/8
    !
    interface FastEthernet 0/9
    !
    interface FastEthernet 0/10
    !
    interface FastEthernet 0/11
    !
    interface FastEthernet 0/12
    !
    interface FastEthernet 0/13
    !
    interface FastEthernet 0/14
    !
    interface FastEthernet 0/15
    !
    interface FastEthernet 0/16
    !
    interface FastEthernet 0/17
    !
    interface FastEthernet 0/18
    !
    interface FastEthernet 0/19
    !
    interface FastEthernet 0/20
    !
    interface FastEthernet 0/21
    !
    interface FastEthernet 0/22
    !
    interface FastEthernet 0/23
     switchport mode trunk
    !
    interface FastEthernet 0/24
     switchport mode trunk
    !
    interface GigabitEthernet 0/25
    !
    interface GigabitEthernet 0/26
    !
    interface GigabitEthernet 0/27
    !
    interface GigabitEthernet 0/28
    !
    line con 0
    line vty 0 4
     login
    !
    !
    end

    SW3#show running-config
    Building configuration...
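The root-bridge takeover seen in step 5, and its absence in step 8 once BPDU Filter is on SW2's F0/1, can be checked by comparing show spanning-tree snapshots taken on the same switch. The Python below is an added example, not part of the original lab: the snapshots are constructed by abridging SW2's output from steps 3, 5 and 8, and the function names and the edge-port set are assumptions.

```python
# Constructed snapshots, abridged from SW2's "show spanning-tree" output in the lab.
BASELINE = """\
BridgeAddr : 00d0.f821.a542
Priority : 32768
DesignatedRoot : 8000.00d0.f821.a542
RootCost : 0
RootPort : 0
"""
SW3_NO_FILTER = """\
BridgeAddr : 00d0.f821.a542
Priority : 32768
TimeSinceTopologyChange : 0d:0h:0m:36s
DesignatedRoot : 1000.00d0.f834.6af0
RootCost : 200000
RootPort : 1
"""
SW3_WITH_FILTER = """\
BridgeAddr : 00d0.f821.a542
Priority : 32768
TimeSinceTopologyChange : 0d:0h:20m:26s
DesignatedRoot : 8000.00d0.f821.a542
RootCost : 0
RootPort : 0
"""

def parse_stp(text):
    """Turn 'Key : value' lines into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit_root(baseline, current, edge_ports):
    """Compare two snapshots from one switch and report an unexpected root."""
    base, cur = parse_stp(baseline), parse_stp(current)
    if cur["DesignatedRoot"] == base["DesignatedRoot"]:
        return []
    # DesignatedRoot is "<priority in hex>.<bridge MAC>", e.g. 1000 = 4096.
    prio_hex, root_mac = cur["DesignatedRoot"].split(".", 1)
    findings = [f"root changed to {root_mac} (priority {int(prio_hex, 16)})"]
    if int(cur["RootPort"]) in edge_ports:
        findings.append(f"superior BPDU accepted on edge port {cur['RootPort']}")
    return findings
```

With port 1 declared as an edge port, the step 5 snapshot yields both findings and the step 8 snapshot yields none.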
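The capture check in steps 9 and 11 can be scripted by decoding the RST BPDU fields shown in the step 9 frame and counting BPDUs seen on the PC-facing port. The Python below is an added example, not part of the original lab: the 60-byte frame is constructed from the field values in the step 9 decode, the ARP frame is a constructed stand-in for ordinary PC traffic, and all function names are assumptions.

```python
import struct

STP_MCAST = bytes.fromhex("0180c2000000")   # destination seen in the capture
FMT = "!HBBBH6sIH6sHHHHHB"                  # 36-byte RST BPDU body
ROLES = ["Unknown", "Alternate/Backup", "Root", "Designated"]
FLAGS = {0x01: "Topology Change", 0x02: "Proposal", 0x10: "Learning",
         0x20: "Forwarding", 0x40: "Agreement", 0x80: "Topology Change Ack"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_rstp(frame):
    """Decode an 802.3/LLC RST BPDU; return None for any other frame."""
    if len(frame) < 17 + struct.calcsize(FMT) or frame[:6] != STP_MCAST:
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500 or frame[14:17] != b"\x42\x42\x03":   # LLC DSAP/SSAP/control
        return None
    (proto, ver, btype, flags, r_prio, r_mac, cost, b_prio, b_mac,
     port, msg_age, max_age, hello, fwd, _v1) = struct.unpack(FMT, frame[17:53])
    if (proto, ver, btype) != (0, 2, 2):
        return None
    return {
        "source": mac(frame[6:12]),
        "root": f"{r_prio}/{mac(r_mac)}",
        "root_path_cost": cost,
        "bridge": f"{b_prio}/{mac(b_mac)}",
        "port_id": port,
        "role": ROLES[(flags >> 2) & 3],
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
        # timers are carried in units of 1/256 second
        "timers": tuple(v / 256 for v in (msg_age, max_age, hello, fwd)),
    }

def bpdus_seen(frames):
    """BPDUs visible in an edge-port capture; step 11 expects an empty list."""
    return [p for p in map(parse_rstp, frames) if p]

def sample_bpdu():
    """Constructed 60-byte frame carrying the field values shown in step 9."""
    body = struct.pack(FMT, 0, 2, 2, 0x7C, 0x8000, bytes.fromhex("00d0f821a542"),
                       200000, 0x8000, bytes.fromhex("00d0f882f4a1"), 0x8001,
                       1 * 256, 20 * 256, 2 * 256, 15 * 256, 0)
    header = STP_MCAST + bytes.fromhex("00d0f882f4a1") + struct.pack("!H", 3 + len(body))
    return (header + b"\x42\x42\x03" + body).ljust(60, b"\x00")

# Constructed non-STP frame (broadcast ARP header only) standing in for PC traffic.
ARP = bytes.fromhex("ffffffffffff" "00d0f882f4a1" "0806").ljust(60, b"\x00")
```

Flag byte 0x7c decodes to the same Agreement, Forwarding, Learning and Designated role shown in the step 9 capture.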
