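7 Common MAC Address Configuration Methods: How Many Do You Know?

Preface

A MAC (Media Access Control) address identifies the location of a network device. A MAC address is 48 bits long and is written as 12 hexadecimal digits. Counting from left to right, bits 0 to 23 are the vendor code that the manufacturer applies for from organizations such as the IETF, and bits 24 to 47 are assigned by the manufacturer itself and give every network adapter it makes a unique number.

MAC addresses fall into three types:

- Physical MAC address: uniquely identifies one terminal on the Ethernet; it is a globally unique hardware address.
- Broadcast MAC address: the all-ones MAC address (FF-FF-FF-FF-FF-FF) is the broadcast address and represents all terminal devices on the LAN.
- Multicast MAC address: apart from the broadcast address, a MAC address whose 8th bit is 1 is a multicast MAC address (for example, 01-00-00-00-00-00) and represents a group of terminals on the LAN. Multicast MAC addresses that start with 01-80-c2 are called BPDU MAC addresses and are generally used as the destination MAC address of protocol packets to mark the packets of a particular protocol.

This article presents 7 configuration examples related to MAC addresses.

01 Example: Configuring Static MAC Address Entries

Networking Requirements

As shown in Figure 1, the user host PC has MAC address 0002-0002-0002 and is connected to interface GE1/0/1 of the Switch. The Server has MAC address 0004-0004-0004 and is connected to interface GE1/0/2 of the Switch. The PC and the Server both communicate in VLAN 2.

- To defend against MAC address attacks, add a static entry for the user host to the MAC table of the Switch.
- To prevent unauthorized users from stealing important user information by spoofing the Server's MAC address, add a static MAC address entry for the Server on the Switch.

Figure 1 Networking diagram for configuring the static MAC table

Configuration Roadmap

The MAC table is configured as follows:

- Create the VLAN and add the interfaces to it to enable Layer 2 forwarding.
- Add static MAC address entries to defend against attacks by unauthorized users.

Procedure

Add the static MAC address entries.

# Create VLAN 2 and add GigabitEthernet1/0/1 and GigabitEthernet1/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 2
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 2
[Switch-GigabitEthernet1/0/2] quit

# Configure the static MAC address entries.
[Switch] mac-address static 2-2-2 GigabitEthernet 1/0/1 vlan 2
[Switch] mac-address static 4-4-4 GigabitEthernet 1/0/2 vlan 2

Verify the configuration.

# Run the display mac-address static vlan 2 command in any view to check whether the static MAC entries have been added.
[Switch] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From        Type
-------------------------------------------------------------------------------
0002-0002-0002 2/-/-         GE1/0/1             static
0004-0004-0004 2/-/-         GE1/0/2             static
-------------------------------------------------------------------------------
Total items displayed = 2

Configuration Files

Configuration file of the Switch

#
sysname Switch
#
vlan batch 2
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 2
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 2
#
mac-address static 0002-0002-0002 GigabitEthernet1/0/1 vlan 2
mac-address static 0004-0004-0004 GigabitEthernet1/0/2 vlan 2
#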
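return

02 Example: Configuring a Blackhole MAC Address Entry

Networking Requirements

As shown in Figure 2, the Switch receives access from an unauthorized user whose MAC address is 0005-0005-0005 and who belongs to VLAN 3. Specifying this MAC address as a blackhole MAC address filters out the unauthorized user.

Figure 2 Networking diagram for configuring the blackhole MAC table

Configuration Roadmap

The MAC table is configured as follows:

- Create the VLAN to enable Layer 2 forwarding.
- Add a blackhole MAC entry to defend against MAC address attacks.

Procedure

Add the blackhole MAC address entry.

# Create VLAN 3.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 3
[Switch-vlan3] quit

# Add the blackhole MAC address entry.
[Switch] mac-address blackhole 0005-0005-0005 vlan 3

Verify the configuration.

# Run the display mac-address blackhole command in any view to check whether the blackhole MAC entry has been added.
[Switch] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From        Type
-------------------------------------------------------------------------------
0005-0005-0005 3/-/-         -                   blackhole
-------------------------------------------------------------------------------
Total items displayed = 1

Configuration Files

Configuration file of the Switch

#
sysname Switch
#
vlan batch 3
#
mac-address blackhole 0005-0005-0005 vlan 3
#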
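return

03 Example: Configuring Interface-Based MAC Address Learning Limiting

Networking Requirements

As shown in Figure 3, user network 1 and user network 2 connect to the Switch through the LSW; the Switch interface connected to the LSW is GE1/0/1. User network 1 and user network 2 belong to VLAN 10 and VLAN 20 respectively. To control the number of access users, MAC address learning limiting can be configured on interface GE1/0/1 of the Switch.

Figure 3 Networking diagram for configuring interface-based MAC address learning limiting

Configuration Roadmap

Interface-based MAC address learning limiting is configured as follows:

- Create the VLANs and add the interface to them to enable Layer 2 forwarding.
- Configure interface-based MAC address learning limiting to control the number of access users.

Procedure

Configure MAC address learning limiting.

# Add GigabitEthernet1/0/1 to VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 10 20

# On GigabitEthernet1/0/1, configure the MAC address learning limit rule: at most 100 MAC addresses can be learned; packets arriving after the maximum number of learned MAC addresses is exceeded are discarded, and an alarm is raised.
[Switch-GigabitEthernet1/0/1] mac-limit maximum 100 action discard alarm enable
[Switch-GigabitEthernet1/0/1] return

Verify the configuration.

# Run the display mac-limit command in any view to check whether the MAC address learning limit rule has been configured.
<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT       VLAN/VSI   SLOT   Maximum   Rate(ms)   Action    Alarm
----------------------------------------------------------------------------
GE1/0/1    -          -      100       -          discard   enable

Configuration Files

Only the configuration file of the Switch is given below.

#
sysname Switch
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid tagged vlan 10 20
 mac-limit maximum 100
#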
return

04 Example: Configuring VLAN-Based MAC Address Learning Limiting

Networking Requirements

As shown in Figure 4, user network 1 connects to the Switch through LSW1 on Switch interface GE1/0/1. User network 2 connects to the Switch through LSW2 on Switch interface GE1/0/2. GE1/0/1 and GE1/0/2 both belong to VLAN 2. To control the number of access users, MAC address learning is limited for VLAN 2.

Figure 4 Networking diagram for configuring VLAN-based MAC address learning limiting

Configuration Roadmap

VLAN-based MAC address learning limiting is configured as follows:

- Create the VLAN and add the interfaces to it to enable Layer 2 forwarding.
- Configure MAC address learning limiting for the VLAN to defend against MAC address attacks and control the number of access users.

Procedure

Configure MAC address learning limiting.

# Add GigabitEthernet1/0/1 and GigabitEthernet1/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 2
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 2
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 2
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 2
[Switch-GigabitEthernet1/0/2] quit

# On VLAN 2, configure the MAC address learning limit rule: at most 100 MAC addresses can be learned; packets arriving after the maximum number of learned MAC addresses is exceeded are still forwarded but are not added to the MAC address table, and an alarm is raised.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 action forward alarm enable
[Switch-vlan2] return

Verify the configuration.

# Run the display mac-limit command in any view to check whether the MAC address learning limit rule has been configured.
<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT       VLAN/VSI   SLOT   Maximum   Rate(ms)   Action    Alarm
----------------------------------------------------------------------------
-          2          -      100       -          forward   enable

Configuration Files

Only the configuration file of the Switch is given below.

#
sysname Switch
#
vlan batch 2
#
vlan 2
 mac-limit maximum 100 action forward
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2
#
return

05 Example: Configuring VSI-Based MAC Address Learning Limiting

Networking Requirements

As shown in Figure 5, an enterprise builds its own backbone network. To keep the backbone network secure, VSI-based MAC address learning limiting is configured on the PE devices to control CE access.

Figure 5 Networking diagram for configuring VSI-based MAC address learning limiting

Configuration Roadmap

VSI-based MAC address learning limiting is configured as follows:

- Configure a routing protocol on the backbone network to provide connectivity.
- Establish a remote LDP session between the PEs.
- Establish the tunnel used to carry service data between the PEs.
- Enable MPLS L2VPN on the PEs.
- Create a VSI on the PEs and specify LDP as the signaling protocol.
- Configure VSI-based MAC address learning limiting on the PE device to control CE access.

Procedure

Configure the VLAN that each interface belongs to and the IP addresses of the relevant interfaces.

# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan 10
[CE1-vlan10] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address
[CE1-Vlanif10] quit
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit

# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan 40
[CE2-vlan40] quit
[CE2] interface vlanif 40
[CE2-Vlanif40] ip address
[CE2-Vlanif40] quit
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 40
[CE2-GigabitEthernet1/0/0] quit

# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 10 20
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address
[PE1-Vlanif20] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit

# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface vlanif 20
[P-Vlanif20] ip address
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address
[P-Vlanif30] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type trunk
[P-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type trunk
[P-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[P-GigabitEthernet2/0/0] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30 40
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address
[PE2-Vlanif30] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 40
[PE2-GigabitEthernet2/0/0] quit

Configure an IGP. OSPF is used in this example.

When configuring OSPF, make sure to advertise the 32-bit loopback interface addresses (LSR IDs) of PE1, P, and PE2.

# Configure PE1.
[PE1] router id
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-] network
[PE1-ospf-1-area-] network 55
[PE1-ospf-1-area-] quit
[PE1-ospf-1] quit

# Configure P.
[P] router id
[P] interface loopback 1
[P-LoopBack1] ip address 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-] network
[P-ospf-1-area-] network 55
[P-ospf-1-area-] network 55
[P-ospf-1-area-] quit
[P-ospf-1] quit

# Configure PE2.
[PE2] router id
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-] network
[PE2-ospf-1-area-] network 55
[PE2-ospf-1-area-] quit
[PE2-ospf-1] quit

After the configuration is complete, run the display ip routing-table command on PE1, P, and PE2. The output shows that the devices have learned each other's routes. The display on PE1 is used as an example:

[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8  Routes : 8
Destination/Mask  Proto  Pre  Cost  Flags  NextHop  Interface
/32  Direct  0  0  D  LoopBack1
/32  OSPF  10  1  D  Vlanif20
/32  OSPF  10  2  D  Vlanif20
/24  Direct  0  0  D  Vlanif20
/32  Direct  0  0  D  Vlanif20
/24  OSPF  10  2  D  Vlanif20
/8  Direct  0  0  D  InLoopBack0
/32  Direct  0  0  D  InLoopBack0

Configure basic MPLS capabilities and LDP.

# Configure PE1.
[PE1] mpls lsr-id
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit

# Configure P.
[P] mpls lsr-id
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit

# Configure PE2.
[PE2] mpls lsr-id
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit

After the configuration is complete, run the display mpls ldp session command on PE1, P, and PE2. The Status field of the peers between PE1 and P, or between PE2 and P, is "Operational", which means the peer relationship has been established. Run the display mpls lsp command to view the LSPs that have been set up. The display on PE1 is used as an example:

[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID  Status  LAM  SsnRole  SsnAge  KASent/Rcv
------------------------------------------------------------------------------
:0  Operational  DU  Passive  000:15:29  3717/3717
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Establish a remote LDP session between the PEs.

# Configure PE1.
[PE1] mpls ldp remote-peer
[PE1-mpls-ldp-remote-] remote-ip
[PE1-mpls-ldp-remote-] quit

# Configure PE2.
[PE2] mpls ldp remote-peer
[PE2-mpls-ldp-remote-] remote-ip
[PE2-mpls-ldp-remote-] quit

After the configuration is complete, run the display mpls ldp session command on PE1 or PE2. The Status field of the peer between PE1 and PE2 is "Operational", which means the remote peer relationship has been established.

Enable MPLS L2VPN on the PEs.

# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit

# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit

Configure the VSI on the PEs.

# Configure PE1.
[PE1] vsi a2 static
[PE1-vsi-a2] pwsignal ldp
[PE1-vsi-a2-ldp] vsi-id 2
[PE1-vsi-a2-ldp] peer
[PE1-vsi-a2-ldp] quit
[PE1-vsi-a2] quit

# Configure PE2.
[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit

Bind the VSI to the interface on the PEs.

# Configure PE1.
[PE1] interface vlanif 10
[PE1-Vlanif10] l2 binding vsi a2
[PE1-Vlanif10] quit

# Configure PE2.
[PE2] interface vlanif 40
[PE2-Vlanif40] l2 binding vsi a2
[PE2-Vlanif40] quit

Verify the configuration.

After completing the configuration above, run the display vsi name a2 verbose command on PE1. The output shows that the VSI named a2 has established one PW to PE2 and that the VSI state is UP.

[PE1] display vsi name a2 verbose
 ***VSI Name               : a2
    Administrator VSI      : no
    Isolate Spoken         : disable
    VSI Index              : 0
    PW Signaling           : ldp
    Member Discovery Style : static
    PW MAC Learn Style     : unqualify
    Encapsulation Type     : vlan
    MTU                    : 1500
    Diffserv Mode          : uniform
    Mpls Exp               : --
    DomainId               : 255
    Domain Name            :
    Ignore AcState         : disable
    P2P VSI                : disable
    Create Time            : 0 days, 0 hours, 5 minutes, 1 seconds
    VSI State              : up
    VSI ID                 : 2
   *Peer Router ID         :
    Negotiation-vc-id      : 2
    primary or secondary   : primary
    ignore-standby-state   : no
    VC Label               : 4098
    Peer Type              : dynamic
    Session                : up
    Tunnel ID              : 0x1
    Broadcast Tunnel ID    : 0x1
    Broad BackupTunnel ID  : 0x0
    CKey                   : 2
    NKey                   : 1
    Stp Enable             : 0
    PwIndex                : 0
    Control Word           : disable
    Interface Name         : Vlanif10
    State                  : up
    Access Port            : false
    Last Up Time           : 2010/12/30 11:31:18
    Total Up Time          : 0 days, 0 hours, 1 minutes, 35 seconds
  **PW Information:
   *Peer Ip Address        :
    PW State               : up
    Local VC Label         : 4098
    Remote VC Label        : 4098
    Remote Control Word    : disable
    PW Type                : label
    Local VCCV             : alert lsp-ping bfd
    Remote VCCV            : alert lsp-ping bfd
    Tunnel ID              : 0x1
    Broadcast Tunnel ID    : 0x1
    Broad BackupTunnel ID  : 0x0
    Ckey                   : 0x2
    Nkey                   : 0x1
    Main PW Token          : 0x1
    Slave PW Token         : 0x0
    Tnl Type               : LSP
    OutInterface           : Vlanif20
    Backup OutInterface    :
    Stp Enable             : 0
    PW Last Up Time        : 2010/12/30 11:32:03
    PW Total Up Time       : 0 days, 0 hours, 1 minutes, 35 seconds

CE1 () can ping CE2 ().

[CE1] ping
PING : 56 data bytes, press CTRL_C to break
Reply from : bytes=56 Sequence=1 ttl=255 time=90 ms
Reply from : bytes=56 Sequence=2 ttl=255 time=77 ms
Reply from : bytes=56 Sequence=3 ttl=255 time=34 ms
Reply from : bytes=56 Sequence=4 ttl=255 time=46 ms
Reply from : bytes=56 Sequence=5 ttl=255 time=94 ms
--- ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/68/94 ms

Configure MAC address learning limiting on the VSI of PE1.

# On the VSI, configure the MAC address learning limit rule: at most 300 MAC addresses can be learned; packets arriving after the maximum number of learned MAC addresses is exceeded are discarded directly, and an alarm is raised.
[PE1] vsi a2 static
[PE1-vsi-a2] mac-limit maximum 300 action discard alarm enable
[PE1-vsi-a2] return

Verify the configuration.

# Run the display mac-limit command in any view to check whether the MAC address learning limit rule has been configured.
<PE1> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT       VLAN/VSI   SLOT   Maximum   Rate(ms)   Action    Alarm
----------------------------------------------------------------------------
-          a2         -      300       -          discard   enable

Configuration Files

Configuration file of CE1

#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
 ip address
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

Configuration file of CE2

#
sysname CE2
#
vlan batch 40
#
interface Vlanif40
 ip address
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 40
#
return

Configuration file of PE1

#
sysname PE1
#
router id
#
vlan batch 10 20
#
mpls lsr-id
mpls
#
mpls l2vpn
#
vsi a2 static
 mac-limit maximum 300
 pwsignal ldp
  vsi-id 2
  peer
#
mpls ldp
#
mpls ldp remote-peer
 remote-ip
#
interface Vlanif10
 l2 binding vsi a2
#
interface Vlanif20
 ip address
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface LoopBack1
 ip address 55
#
ospf 1
 area
  network
  network 55
#
return

Configuration file of P

#
sysname P
#
router id
#
vlan batch 20 30
#
mpls lsr-id
mpls
#
mpls ldp
#
interface Vlanif20
 ip address
 mpls
 mpls ldp
#
interface Vlanif30
 ip address
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface LoopBack1
 ip address 55
#
ospf 1
 area
  network
  network 55
  network 55
#
return

Configuration file of PE2

#
sysname PE2
#
router id
#
vlan batch 30 40
#
mpls lsr-id
mpls
#
mpls l2vpn
#
vsi a2 static
 pwsignal ldp
  vsi-id 2
  peer
#
mpls ldp
#
mpls ldp remote-peer
 remote-ip
#
interface Vlanif30
 ip address
 mpls
 mpls ldp
#
interface Vlanif40
 l2 binding vsi a2
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface LoopBack1
 ip address 55
#
ospf 1
 area
  network
  network 55
#
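return

06 Example: Configuring MAC Address Flapping Prevention

Networking Requirements

On an enterprise network, users need to access the enterprise's server. If unauthorized users send packets from another interface while spoofing the server's MAC address, the server's MAC address is learned on that other interface. Packets that users send to the server are then delivered to the unauthorized user, which not only stops users from communicating with the server but also lets important user information be stolen. As shown in Figure 6, MAC address flapping prevention can be configured to improve server security and protect the server from attacks by unauthorized users.

Figure 6 Networking diagram for configuring MAC address flapping prevention

Configuration Roadmap

MAC address flapping prevention is configured as follows:

- Create the VLAN and add the interfaces to it to enable Layer 2 forwarding.
- Configure MAC address flapping prevention on the interface connected to the server.

Procedure

Create the VLAN and add the interfaces to it.

# Add GigabitEthernet1/0/1 and GigabitEthernet1/0/2 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 10

# Set the MAC address learning priority of GigabitEthernet1/0/1 to 2.
[Switch-GigabitEthernet1/0/1] mac-learning priority 2
[Switch-GigabitEthernet1/0/1] quit

Verify the configuration.

# Run the display current-configuration command in any view to check whether the MAC address learning priority of the interface is configured correctly.
[Switch] display current-configuration interface gigabitethernet 1/0/1
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 mac-learning priority 2
#
return

Configuration Files

Configuration file of the Switch

#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 mac-learning priority 2
#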
inte
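
An added example, not part of the original document or of Huawei's tooling: a Python check that reads a switch configuration file laid out like the ones above and lists, per interface, which of the MAC-table controls from examples 01, 03, 04 and 06 apply (static entry, interface or VLAN mac-limit, mac-learning priority). It assumes sub-commands are indented under their view; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample, laid out like the configuration files on this page.
SAMPLE = """\
#
vlan 2
 mac-limit maximum 100 action forward
#
interface GigabitEthernet1/0/1
 port default vlan 2
#
interface GigabitEthernet1/0/2
 port hybrid pvid vlan 10
 mac-learning priority 2
#
interface GigabitEthernet1/0/3
 port default vlan 10
#
mac-address static 4-4-4 GigabitEthernet1/0/1 vlan 2
"""

def norm_mac(mac):
    """Pad each group to 4 hex digits, as the switch displays it: 4-4-4 -> 0004-0004-0004."""
    return "-".join(g.zfill(4).lower() for g in mac.split("-"))

def audit(config):
    """Return {interface: sorted list of MAC controls that apply to it}."""
    ports, vlan_limits, statics, ctx = {}, set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):            # unindented line opens a new view
            ctx = None
            if m := re.fullmatch(r"interface (\S+)", line):
                ctx = ("if", m.group(1))
                ports[m.group(1)] = {"vlan": None, "controls": set()}
            elif m := re.fullmatch(r"vlan (\d+)", line):
                ctx = ("vlan", m.group(1))
            elif m := re.fullmatch(r"mac-address static (\S+) (\S+) vlan (\d+)", line):
                statics.append((norm_mac(m.group(1)), m.group(2)))
        elif ctx and ctx[0] == "vlan" and line.startswith("mac-limit "):
            vlan_limits.add(ctx[1])               # VLAN-wide learning limit
        elif ctx and ctx[0] == "if":
            port = ports[ctx[1]]
            if m := re.fullmatch(r"port (?:default|hybrid pvid) vlan (\d+)", line):
                port["vlan"] = m.group(1)
            elif line.startswith("mac-limit "):
                port["controls"].add("mac-limit")
            elif line.startswith("mac-learning priority "):
                port["controls"].add("mac-learning priority")
    for mac, name in statics:                     # static entries pin a MAC to a port
        if name in ports:
            ports[name]["controls"].add(f"static {mac}")
    for port in ports.values():                   # inherit the limit of the port's VLAN
        if port["vlan"] in vlan_limits:
            port["controls"].add(f"vlan {port['vlan']} mac-limit")
    return {name: sorted(p["controls"]) for name, p in ports.items()}

def unprotected(config):  # interfaces with no MAC-table control at all
    return [name for name, ctl in audit(config).items() if not ctl]
```

On the constructed sample, `unprotected(SAMPLE)` reports GigabitEthernet1/0/3, the only port with neither a limit, a static entry nor a learning priority.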