
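7 Common MAC Address Configuration Methods: How Many Do You Know?

Preface

A MAC (Media Access Control) address identifies the location of a network device. A MAC address is 48 bits long and is written as 12 hexadecimal digits. Counting from the left, bits 0 to 23 are the vendor code that a manufacturer applies for from bodies such as the IETF, and bits 24 to 47 are assigned by the manufacturer itself as a unique number across all the network adapters it produces.

MAC addresses fall into three types:

Physical MAC address: uniquely identifies one terminal on an Ethernet network. It is a globally unique hardware address.
Broadcast MAC address: the all-ones address (FF-FF-FF-FF-FF-FF), which denotes all terminals on the LAN.
Multicast MAC address: any address other than the broadcast address whose 8th bit is 1 (for example 01-00-00-00-00-00), which denotes a group of terminals on the LAN. Multicast MAC addresses that begin with 01-80-c2 are called BPDU MACs and are generally used as the destination MAC address of protocol packets to identify a particular protocol.

This article presents 7 configuration examples related to MAC addresses.

01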

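Example: Configuring Static MAC Address Entries

Networking requirements

As shown in Figure 1, the user host PC has the MAC address 0002-0002-0002 and is connected to interface GE1/0/1 of the Switch. The server has the MAC address 0004-0004-0004 and is connected to interface GE1/0/2 of the Switch. The PC and the server both communicate in VLAN 2.

To guard against MAC address attacks, add a static entry for the user host to the MAC table of the Switch.
To prevent unauthorized users from spoofing the server's MAC address to steal important user information, add a static MAC address entry for the server on the Switch.

Figure 1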

Networking diagram for configuring static MAC address entries

Configuration roadmap

Configure the MAC table as follows:

Create the VLAN and add the interfaces to it to enable Layer 2 forwarding.
Add static MAC address entries to guard against attacks by unauthorized users.

Procedure

Add the static MAC address entries.

# Create VLAN 2 and add interfaces GigabitEthernet1/0/1 and GigabitEthernet1/0/2 to VLAN 2.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 2
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 2
[Switch-GigabitEthernet1/0/2] quit

# Configure the static MAC address entries.

[Switch] mac-address static 2-2-2 GigabitEthernet 1/0/1 vlan 2
[Switch] mac-address static 4-4-4 GigabitEthernet 1/0/2 vlan 2

Verify the configuration

# Run the display mac-address static vlan 2 command in any view to check whether the static MAC address entries were added.

[Switch] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From   Type
-------------------------------------------------------------------------------
0002-0002-0002 2/-/-         GE1/0/1        static
0004-0004-0004 2/-/-         GE1/0/2        static
-------------------------------------------------------------------------------
Total items displayed = 2

Configuration file

Configuration file of Switch

#

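sysname Switch
#
vlan batch 2
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 2
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 2
#
mac-address static 0002-0002-0002 GigabitEthernet1/0/1 vlan 2
mac-address static 0004-0004-0004 GigabitEthernet1/0/2 vlan 2
#
return

02

Example: Configuring a Blackhole MAC Address Entry

Networking requirements

As shown in Figure 2, the Switch receives access from an unauthorized user whose MAC address is 0005-0005-0005 and who belongs to VLAN 3. Designating this MAC address as a blackhole MAC address filters out the unauthorized user.

Figure 2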

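Networking diagram for configuring a blackhole MAC address entry

Configuration roadmap

Configure the MAC table as follows:

Create the VLAN to enable Layer 2 forwarding.
Add a blackhole MAC address entry to guard against MAC address attacks.

Procedure

Add the blackhole MAC address entry.

# Create VLAN 3.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 3
[Switch-vlan3] quit

# Add the blackhole MAC address entry.

[Switch] mac-address blackhole 0005-0005-0005 vlan 3

Verify the configuration

# Run the display mac-address blackhole command in any view to check whether the blackhole MAC address entry was added.

[Switch] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From   Type
-------------------------------------------------------------------------------
0005-0005-0005 3/-/-         -              blackhole
-------------------------------------------------------------------------------
Total items displayed = 1

Configuration file

Configuration file of Switch

#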

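sysname Switch
#
vlan batch 3
#
mac-address blackhole 0005-0005-0005 vlan 3
#
return

03

Example: Configuring Interface-Based MAC Address Learning Limiting

Networking requirements

As shown in Figure 3, user network 1 and user network 2 connect to the Switch through the LSW, and the Switch interface facing the LSW is GE1/0/1. User network 1 and user network 2 belong to VLAN 10 and VLAN 20 respectively. To control the number of access users, MAC address learning limiting can be configured on interface GE1/0/1 of the Switch.

Figure 3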

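Networking diagram for configuring interface-based MAC address learning limiting

Configuration roadmap

Configure interface-based MAC address learning limiting as follows:

Create the VLANs and add the interface to them to enable Layer 2 forwarding.
Configure interface-based MAC address learning limiting to control the number of access users.

Procedure

Configure MAC address learning limiting.

# Add GigabitEthernet1/0/1 to VLAN 10 and VLAN 20.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 10 20

# Configure a MAC address learning limit rule on GigabitEthernet1/0/1: at most 100 MAC addresses can be learned, packets that exceed the maximum number of learned MAC addresses are discarded, and an alarm is generated.

[Switch-GigabitEthernet1/0/1] mac-limit maximum 100 action discard alarm enable
[Switch-GigabitEthernet1/0/1] return

Verify the configuration

# Run the display mac-limit command in any view to check whether the MAC address learning limit rule was configured.

<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT      VLAN/VSI   SLOT   Maximum   Rate(ms)   Action    Alarm
----------------------------------------------------------------------------
GE1/0/1   -          -      100       -          discard   enable

Configuration file

Only the configuration file of the Switch is provided below.

#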

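sysname Switch
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid tagged vlan 10 20
 mac-limit maximum 100
#
return

04

Example: Configuring VLAN-Based MAC Address Learning Limiting

Networking requirements

As shown in Figure 4, user network 1 connects to the Switch through LSW1 on Switch interface GE1/0/1. User network 2 connects to the Switch through LSW2 on Switch interface GE1/0/2. GE1/0/1 and GE1/0/2 both belong to VLAN 2. To control the number of access users, limit MAC address learning in VLAN 2.

Figure 4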

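Networking diagram for configuring VLAN-based MAC address learning limiting

Configuration roadmap

Configure VLAN-based MAC address learning limiting as follows:

Create the VLAN and add the interfaces to it to enable Layer 2 forwarding.
Configure MAC address learning limiting in the VLAN to guard against MAC address attacks and control the number of access users.

Procedure

Configure MAC address learning limiting.

# Add GigabitEthernet1/0/1 and GigabitEthernet1/0/2 to VLAN 2.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 2
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 2
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 2
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 2
[Switch-GigabitEthernet1/0/2] quit

# Configure a MAC address learning limit rule in VLAN 2: at most 100 MAC addresses can be learned, packets that exceed the maximum number of learned MAC addresses are still forwarded but their addresses are not added to the MAC table, and an alarm is generated.

[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 action forward alarm enable
[Switch-vlan2] return

Verify the configuration

# Run the display mac-limit command in any view to check whether the MAC address learning limit rule was configured.

<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT      VLAN/VSI   SLOT   Maximum   Rate(ms)   Action    Alarm
----------------------------------------------------------------------------
-         2          -      100       -          forward   enable

Configuration file

Only the configuration file of the Switch is provided below.

#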

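sysname Switch
#
vlan batch 2
#
vlan 2
 mac-limit maximum 100 action forward
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2
#
return

05

Example: Configuring VSI-Based MAC Address Learning Limiting

Networking requirements

As shown in Figure 5, an enterprise has built its own backbone network. To keep the backbone network secure, VSI-based MAC address learning limiting is configured on the PE devices to control CE access.

Figure 5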

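Networking diagram for configuring VSI-based MAC address learning limiting

Configuration roadmap

Configure VSI-based MAC address learning limiting as follows:

Configure a routing protocol on the backbone network to provide connectivity.
Set up remote LDP sessions between the PEs.
Set up the tunnels between the PEs that carry service data.
Enable MPLS L2VPN on the PEs.
Create a VSI on the PEs and specify LDP as the signaling protocol.
Configure VSI-based MAC address learning limiting on the PE to control CE access.

Procedure

Configure the VLAN that each interface belongs to and the IP addresses of the relevant interfaces.

# Configure CE1.

<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan 10
[CE1-vlan10] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address
[CE1-Vlanif10] quit
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit

# Configure CE2.

<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan 40
[CE2-vlan40] quit
[CE2] interface vlanif 40
[CE2-Vlanif40] ip address
[CE2-Vlanif40] quit
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 40
[CE2-GigabitEthernet1/0/0] quit

# Configure PE1.

<HUAWEI> system-view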

[HUAWEI] sysname PE1
[PE1] vlan batch 10 20
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address
[PE1-Vlanif20] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit

# Configure P.

<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface vlanif 20
[P-Vlanif20] ip address
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address
[P-Vlanif30] quit
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type trunk
[P-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type trunk
[P-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[P-GigabitEthernet2/0/0] quit

# Configure PE2.

<HUAWEI> system-view

[HUAWEI] sysname PE2
[PE2] vlan batch 30 40
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address
[PE2-Vlanif30] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 40
[PE2-GigabitEthernet2/0/0] quit

Configure the IGP. OSPF is used in this example.

When configuring OSPF, make sure to advertise the 32-bit loopback interface addresses (LSR IDs) of PE1, P and PE2.

# Configure PE1.

[PE1] router id

[PE1] interface loopback 1
[PE1-LoopBack1] ip address 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-] network
[PE1-ospf-1-area-] network 55
[PE1-ospf-1-area-] quit
[PE1-ospf-1] quit

# Configure P.

[P] router id
[P] interface loopback 1
[P-LoopBack1] ip address 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-] network
[P-ospf-1-area-] network 55
[P-ospf-1-area-] network 55
[P-ospf-1-area-] quit
[P-ospf-1] quit

# Configure PE2.

[PE2] router id
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-] network
[PE2-ospf-1-area-] network 55
[PE2-ospf-1-area-] quit
[PE2-ospf-1] quit

After the configuration is complete, running the display ip routing-table command on PE1, P and PE2 shows that they have learned routes to one another. The output on PE1 is used as an example:

[PE1] display ip routing-table

Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8   Routes : 8
Destination/Mask   Proto    Pre   Cost   Flags   NextHop   Interface
/32                Direct   0     0      D                 LoopBack1
/32                OSPF     10    1      D                 Vlanif20
/32                OSPF     10    2      D                 Vlanif20
/24                Direct   0     0      D                 Vlanif20
/32                Direct   0     0      D                 Vlanif20
/24                OSPF     10    2      D                 Vlanif20
/8                 Direct   0     0      D                 InLoopBack0
/32                Direct   0     0      D                 InLoopBack0

Configure basic MPLS capabilities and LDP.

# Configure PE1.

[PE1] mpls lsr-id

[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit

# Configure P.

[P] mpls lsr-id
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit

# Configure PE2.

[PE2] mpls lsr-id
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit

After the configuration is complete, running the display mpls ldp session command on PE1, P and PE2 shows that the Status of the peer between PE1 and P, or between PE2 and P, is “Operational”, which means the peer relationship has been established. Running the display mpls lsp command shows the LSPs that have been set up. The output on PE1 is used as an example:

[PE1] display mpls ldp session

LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID   Status        LAM   SsnRole   SsnAge      KASent/Rcv
------------------------------------------------------------------------------
:0       Operational   DU    Passive   000:15:29   3717/3717
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Set up remote LDP sessions between the PEs.

# Configure PE1.

[PE1] mpls ldp remote-peer

[PE1-mpls-ldp-remote-] remote-ip
[PE1-mpls-ldp-remote-] quit

# Configure PE2.

[PE2] mpls ldp remote-peer
[PE2-mpls-ldp-remote-] remote-ip
[PE2-mpls-ldp-remote-] quit

After the configuration is complete, running the display mpls ldp session command on PE1 or PE2 shows that the Status of the peer between PE1 and PE2 is “Operational”, which means the remote peer relationship has been established.

Enable MPLS L2VPN on the PEs.

# Configure PE1.

[PE1] mpls l2vpn
[PE1-l2vpn] quit

# Configure PE2.

[PE2] mpls l2vpn
[PE2-l2vpn] quit

Configure the VSI on the PEs.

# Configure PE1.

[PE1] vsi a2 static
[PE1-vsi-a2] pwsignal ldp
[PE1-vsi-a2-ldp] vsi-id 2
[PE1-vsi-a2-ldp] peer
[PE1-vsi-a2-ldp] quit
[PE1-vsi-a2] quit

# Configure PE2.

[PE2] vsi a2 static
[PE2-vsi-a2] pwsignal ldp
[PE2-vsi-a2-ldp] vsi-id 2
[PE2-vsi-a2-ldp] peer
[PE2-vsi-a2-ldp] quit
[PE2-vsi-a2] quit

Bind the VSI to interfaces on the PEs.

# Configure PE1.

[PE1] interface vlanif 10
[PE1-Vlanif10] l2 binding vsi a2
[PE1-Vlanif10] quit

# Configure PE2.

[PE2] interface vlanif 40
[PE2-Vlanif40] l2 binding vsi a2
[PE2-Vlanif40] quit

Verify the configuration

After the preceding configuration, running the display vsi name a2 verbose command on PE1 shows that the VSI named a2 has established a PW to PE2 and that the VSI state is UP.

[PE1] display vsi name a2 verbose

***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 5 minutes, 1 seconds
VSI State : up
VSI ID : 2
*Peer Router ID :
Negotiation-vc-id : 2
primary or secondary : primary
ignore-standby-state : no
VC Label : 4098
Peer Type : dynamic
Session : up
Tunnel ID : 0x1
Broadcast Tunnel ID : 0x1
Broad BackupTunnel ID : 0x0
CKey : 2
NKey : 1
Stp Enable : 0
PwIndex : 0
Control Word : disable
Interface Name : Vlanif10
State : up
Access Port : false
Last Up Time : 2010/12/30 11:31:18
Total Up Time : 0 days, 0 hours, 1 minutes, 35 seconds
**PW Information:
*Peer Ip Address :
PW State : up
Local VC Label : 4098
Remote VC Label : 4098
Remote Control Word : disable
PW Type : label
Local VCCV : alert lsp-ping bfd
Remote VCCV : alert lsp-ping bfd
Tunnel ID : 0x1
Broadcast Tunnel ID : 0x1
Broad BackupTunnel ID : 0x0
Ckey : 0x2
Nkey : 0x1
Main PW Token : 0x1
Slave PW Token : 0x0
Tnl Type : LSP
OutInterface : Vlanif20
Backup OutInterface :
Stp Enable : 0
PW Last Up Time : 2010/12/30 11:32:03
PW Total Up Time : 0 days, 0 hours, 1 minutes, 35 seconds

CE1 () can ping CE2 ().

[CE1] ping

PING : 56 data bytes, press CTRL_C to break
Reply from : bytes=56 Sequence=1 ttl=255 time=90 ms
Reply from : bytes=56 Sequence=2 ttl=255 time=77 ms
Reply from : bytes=56 Sequence=3 ttl=255 time=34 ms
Reply from : bytes=56 Sequence=4 ttl=255 time=46 ms
Reply from : bytes=56 Sequence=5 ttl=255 time=94 ms
--- ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/68/94 ms

Configure MAC address learning limiting on the VSI of PE1.

# Configure a MAC address learning limit rule on the VSI: at most 300 MAC addresses can be learned, packets that exceed the maximum number of learned MAC addresses are discarded directly, and an alarm is generated.

[PE1] vsi a2 static
[PE1-vsi-a2] mac-limit maximum 300 action discard alarm enable
[PE1-vsi-a2] return

Verify the configuration

# Run the display mac-limit command in any view to check whether the MAC address learning limit rule was configured.

<PE1> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT      VLAN/VSI   SLOT   Maximum   Rate(ms)   Action    Alarm
----------------------------------------------------------------------------
-         a2         -      300       -          discard   enable

Configuration files

Configuration file of CE1

#

sysname CE1
#
vlan batch 10
#
interface Vlanif10
 ip address
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

Configuration file of CE2

#
sysname CE2
#
vlan batch 40
#
interface Vlanif40
 ip address
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 40
#
return

Configuration file of PE1

#

sysname PE1
#
router id
#
vlan batch 10 20
#
mpls lsr-id
mpls
#
mpls l2vpn
#
vsi a2 static
 mac-limit maximum 300
 pwsignal ldp
  vsi-id 2
  peer
#
mpls ldp
#
mpls ldp remote-peer
 remote-ip
#
interface Vlanif10
 l2 binding vsi a2
#
interface Vlanif20
 ip address
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface LoopBack1
 ip address 55
#
ospf 1
 area
  network
  network 55
#
return

Configuration file of P

#

sysname P
#
router id
#
vlan batch 20 30
#
mpls lsr-id
mpls
#
mpls ldp
#
interface Vlanif20
 ip address
 mpls
 mpls ldp
#
interface Vlanif30
 ip address
 mpls
 mpls ldp
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface LoopBack1
 ip address 55
#
ospf 1
 area
  network
  network 55
  network 55
#
return

Configuration file of PE2

#

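sysname PE2
#
router id
#
vlan batch 30 40
#
mpls lsr-id
mpls
#
mpls l2vpn
#
vsi a2 static
 pwsignal ldp
  vsi-id 2
  peer
#
mpls ldp
#
mpls ldp remote-peer
 remote-ip
#
interface Vlanif30
 ip address
 mpls
 mpls ldp
#
interface Vlanif40
 l2 binding vsi a2
#
interface GigabitEthernet1/0/0
 port link-type trunk
 port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 40
#
interface LoopBack1
 ip address 55
#
ospf 1
 area
  network
  network 55
#
return

06

Example: Configuring MAC Address Anti-Flapping

Networking requirements

In an enterprise network, users need to access the enterprise's server. If unauthorized users send packets from other interfaces while spoofing the server's MAC address, the server's MAC address is learned on those other interfaces. Packets that users send to the server are then delivered to the unauthorized users, which not only prevents users from communicating with the server normally but can also lead to the theft of important user information. As shown in Figure 6, MAC address anti-flapping can be configured to make the server more secure and protect it against attacks by unauthorized users.

Figure 6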

Networking diagram for configuring MAC address anti-flapping

Configuration roadmap

Configure MAC address anti-flapping as follows:

Create the VLAN and add the interfaces to it to enable Layer 2 forwarding.
Configure MAC address anti-flapping on the interface that connects to the server.

Procedure

Create the VLAN and add the interfaces to it.

# Add GigabitEthernet1/0/1 and GigabitEthernet1/0/2 to VLAN 10.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 10

# Set the MAC address learning priority of GigabitEthernet1/0/1 to 2.

[Switch-GigabitEthernet1/0/1] mac-learning priority 2
[Switch-GigabitEthernet1/0/1] quit

Verify the configuration

# Run the display current-configuration command in any view to check whether the MAC address learning priority of the interface is configured correctly.

[Switch] display current-configuration interface gigabitethernet 1/0/1

#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 mac-learning priority 2
#
return

Configuration file

Configuration file of Switch

#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 mac-learning priority 2
#

inte
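The learning limits from sections 03 and 04 and the learning priority from section 06, modelled in Python as an added example (not Huawei code and not part of the original article). The MacTable class, its outcome labels, the default priority of 0 for unconfigured ports and the sample addresses are assumptions of this example.

```python
"""Model of MAC learning limits and learning priority (added example)."""
from dataclasses import dataclass, field

@dataclass
class MacTable:
    # ("port", "GE1/0/1") or ("vlan", 2) -> (maximum, "discard" | "forward")
    limits: dict = field(default_factory=dict)
    priority: dict = field(default_factory=dict)  # port -> priority, 0 assumed if unset
    entries: dict = field(default_factory=dict)   # (vlan, mac) -> port
    alarms: list = field(default_factory=list)

    def _used(self, kind, value):
        return sum(1 for (vlan, _), port in self.entries.items()
                   if (port if kind == "port" else vlan) == value)

    def learn(self, port, vlan, mac):
        """Handle one source MAC seen on port/vlan and report the outcome."""
        owner = self.entries.get((vlan, mac))
        if owner == port:
            return "known"
        # Anti-flapping: an entry held by a higher-priority port is not moved.
        if owner is not None and self.priority.get(owner, 0) > self.priority.get(port, 0):
            return "move-refused"
        for kind, value in (("port", port), ("vlan", vlan)):
            grows = kind == "port" or owner is None  # a move adds no entry to the VLAN
            if grows and (kind, value) in self.limits:
                maximum, action = self.limits[(kind, value)]
                if self._used(kind, value) >= maximum:
                    self.alarms.append(f"mac-limit {maximum} reached on {kind} {value}")
                    return "discarded" if action == "discard" else "forwarded-not-learned"
        self.entries[(vlan, mac)] = port
        return "learned" if owner is None else "moved"

def demo():
    macs = [f"0010-0000-{i:04x}" for i in range(101)]  # constructed sample addresses
    server = "0004-0004-0004"  # server MAC reused from section 01 for illustration
    # Section 03: mac-limit maximum 100 action discard on interface GE1/0/1.
    by_port = MacTable(limits={("port", "GE1/0/1"): (100, "discard")})
    port_out = [by_port.learn("GE1/0/1", 10, m) for m in macs]
    # Section 04: mac-limit maximum 100 action forward in VLAN 2.
    by_vlan = MacTable(limits={("vlan", 2): (100, "forward")})
    vlan_out = [by_vlan.learn(f"GE1/0/{1 + i % 2}", 2, m) for i, m in enumerate(macs)]
    # Section 06: mac-learning priority 2 on the server port GE1/0/1, then a spoofed frame.
    guarded = MacTable(priority={"GE1/0/1": 2})
    plain = MacTable()
    spoof = [(t.learn("GE1/0/1", 10, server), t.learn("GE1/0/2", 10, server),
              t.entries[(10, server)]) for t in (guarded, plain)]
    return port_out, vlan_out, spoof, by_port.alarms + by_vlan.alarms

if __name__ == "__main__":
    port_out, vlan_out, spoof, alarms = demo()
    print(port_out[99], port_out[100], vlan_out[100], spoof, alarms)
```

Without the priority setting the second table lets the server's entry move to GE1/0/2, which is the flapping that section 06 sets out to prevent.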

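The address notations and types from the preface, applied to the entries used in sections 01 and 02, as an added Python example that is not part of the original article. The function names are hypothetical, and rejecting non-unicast addresses before creating a static or blackhole entry is this example's own check.

```python
"""Normalize and classify MAC addresses in the notations used on this page (added example)."""
import re


def parse_mac(text):
    """Return 6 bytes from 'H-H-H' (three 16-bit groups) or 'XX-XX-XX-XX-XX-XX'."""
    groups = text.strip().split("-")
    width = {3: 4, 6: 2}.get(len(groups))
    if width is None:
        raise ValueError(f"expected 3 or 6 dash-separated groups: {text!r}")
    for group in groups:
        if not re.fullmatch(r"[0-9A-Fa-f]{1,%d}" % width, group):
            raise ValueError(f"bad group {group!r} in {text!r}")
    # Short groups are left-padded: section 01 enters 2-2-2 and displays 0002-0002-0002.
    return bytes.fromhex("".join(g.zfill(width) for g in groups))


def canonical(text):
    """Render an address in the H-H-H form shown by the display output on this page."""
    digits = parse_mac(text).hex()
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def classify(text):
    """Apply the preface's rules: broadcast, BPDU multicast, multicast, else unicast."""
    mac = parse_mac(text)
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:  # 8th bit from the left: the low bit of the first byte
        return "bpdu-multicast" if mac[:3] == b"\x01\x80\xc2" else "multicast"
    return "unicast"


def check_entry(text):
    """Accept only unicast addresses for a static or blackhole entry (this example's rule)."""
    kind = classify(text)
    if kind != "unicast":
        raise ValueError(f"{canonical(text)} is a {kind} address")
    return canonical(text)


if __name__ == "__main__":
    for sample in ("2-2-2", "0005-0005-0005", "FF-FF-FF-FF-FF-FF", "0180-c200-0000"):
        print(sample, canonical(sample), classify(sample))
```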