Enterprise Network Construction, Part 2: Layer 2 Network Technology Optimization Methods
<h1 style="color: black; text-align: left; margin-bottom: 10px;">1. Overview</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Most large networks today contain a large number of network devices and have a fairly complex structure. When problems appear in such networks, the majority are outages caused by Layer 2 protocols; the scope of impact is wide, and users lose normal business access and office Internet connectivity. Layer 2 technology has by now accumulated enough maturity to resolve the great majority of Layer 2 problems, so this article presents technical optimization measures for a large Layer 2 network architecture, with the goal of ensuring the stability and reliability of the enterprise network.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">2. Network Optimization Objectives</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Taking the problems above together, the existing network is reworked at the device, configuration and maintenance levels, adopting proven, stable technologies and management practices, in order to guarantee the security and stability of the underlying network and to build a fast, efficient, unobstructed and secure office network. The optimized network architecture must meet the following requirements:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Security and reliability:</strong> through adjustment and optimization of the Layer 2 network, the network runs securely and stably; even when a single link in the network fails or attack packets appear, it keeps running and raises log alarms promptly, which improves the reliability of the enterprise network.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Ease of operations:</strong> technical means are used to isolate the Layer 2 broadcast traffic of each subordinate unit and to establish an independent maintenance domain per node, so that the scope of any fault is reduced, large-scale network outages are prevented, operations work becomes more effective, and when a problem occurs its source can be located and resolved quickly.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">3. Optimization Methods</h1>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">3.1 Network Optimization</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A large network contains many Layer 2 devices, and its aggregation devices are likewise distributed across the various areas, each responsible for forwarding the data of its own area. For this Layer 2 environment, the following two routine optimization measures are offered:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Access switches and aggregation switches are interconnected in trunk mode, and the gateway addresses of all terminals sit on the aggregation switch. Although STP is enabled, a misoperation can still easily create a loop and cause a failure of the entire network. Therefore the interconnect interfaces facing subordinate organizations are changed to Layer 3 routed mode, which shrinks the scope of impact and makes problems easier to locate quickly.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">On the floor aggregation switches, idle ports are shut down to improve network security and prevent outsiders from plugging into backbone devices at will.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">3.2 STP Optimization</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Although the spanning tree protocol is enabled between the interconnected switches in the network, the deployment is incomplete: many optimization features are not used, for example edge ports and BPDU guard. An edge port (portfast) is a port that is neither directly connected to any switch nor indirectly connected to any switch through the network attached to the port. If a port is designated as an edge port, then when it moves from the blocking state to the forwarding state it can transition immediately, without waiting for the forward delay.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Figure 1 STP configuration diagram</strong></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-axegupay5k/0956a5f9ecc14c818362f2dbb948d955~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1725641323&x-signature=L6DYwB8BcZwGr%2FeIBFUNvRwNTpQ%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Configure STP</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure the spanning tree protocol on the devices in the ring to work in STP mode</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> stp mode stp # Set the STP working mode of SwitchA.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> stp mode stp # Set the STP working mode of SwitchB.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> stp mode stp # Set the STP working mode of SwitchC.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> stp mode stp # Set the STP working mode of SwitchD.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Configure the STP region name on all switches</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">stp region-configuration</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">region-name XXX</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Configure the root bridge and the backup root bridge</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> stp root primary # Configure SwitchA as the root bridge.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> stp root secondary # Configure SwitchD as the backup root bridge.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Configure the port path cost so that the port is blocked</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> stp pathcost-standard legacy # Set SwitchA's port path cost calculation method to the Huawei legacy method.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> stp pathcost-standard legacy # Set SwitchB's port path cost calculation method to the Huawei legacy method.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> stp pathcost-standard legacy # On SwitchC, use the Huawei legacy method and set the path cost of port GigabitEthernet0/0/1 to 20000 (next three lines).</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> interface gigabitethernet 0/0/1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> stp cost 20000</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> quit</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> stp pathcost-standard legacy # Set SwitchD's port path cost calculation method to the Huawei legacy method.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Enable BPDU protection and BPDU filtering on switch ports connected to terminals</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Set the ports connected to PCs as edge ports and enable BPDU packet filtering on them</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> interface gigabitethernet 0/0/2</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> stp edged-port enable</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> stp bpdu-filter enable</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">In the system view: stp bpdu-protection</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">3.2 MSTP Optimization</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">In a complex network, the need for redundancy usually leads planners to deploy multiple physical links between devices, one as the active link and the others as backup links. This inevitably forms loops, and a loop in the network can cause broadcast storms and corrupt MAC address table entries. MSTP can be deployed in the network to prevent loops: it blocks the redundant links in the Layer 2 network and prunes the network into a tree, which eliminates the loops.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Figure 2 MSTP configuration diagram</strong></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-6w9my0ksvp/9b63bf7e0325496f91e982273431ba28~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1725641323&x-signature=cavpLMix6maViZQcm6%2F%2BwsKjDjI%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Configure MSTP</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure the MST region of SwitchA</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchA] stp region-configuration</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchA-mst-region] region-name RG1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchA-mst-region] instance 1 vlan 2 to 10</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchA-mst-region] instance 2 vlan 11 to 20</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchA-mst-region] commit</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure the MST region of SwitchB</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchB] stp region-configuration</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchB-mst-region] region-name RG1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchB-mst-region] instance 1 vlan 2 to 10</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchB-mst-region] instance 2 vlan 11 to 20</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchB-mst-region] commit</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure the MST region of SwitchC.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchC] stp region-configuration</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchC-mst-region] region-name RG1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchC-mst-region] instance 1 vlan 2 to 10</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchC-mst-region] instance 2 vlan 11 to 20</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchC-mst-region] commit</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure the MST region of SwitchD.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchD] stp region-configuration</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchD-mst-region] region-name RG1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchD-mst-region] instance 1 vlan 2 to 10</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchD-mst-region] instance 2 vlan 11 to 20</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchD-mst-region] commit</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Configure the root bridge and backup root bridge of MSTI 1</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchA] stp instance 1 root primary //Configure SwitchA as the root bridge of MSTI 1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchB] stp instance 1 root secondary //Configure SwitchB as the backup root bridge of MSTI 1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Configure the root bridge and backup root bridge of MSTI 2</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchB] stp instance 2 root primary //Configure SwitchB as the root bridge of MSTI 2</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchA] stp instance 2 root secondary //Configure SwitchA as the backup root bridge of MSTI 2</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Set SwitchA's port path cost calculation method to the Huawei legacy method</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchA] stp pathcost-standard legacy</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Set SwitchB's port path cost calculation method to the Huawei legacy method</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchB] stp pathcost-standard legacy</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Set SwitchC's port path cost calculation method to the Huawei legacy method, and set the path cost of port 10GE1/0/2 in instance MSTI 2 to 20000.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchC] stp pathcost-standard legacy</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchC] interface 10ge 1/0/2</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchC-10GE1/0/2] stp instance 2 cost 20000</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchC-10GE1/0/2] commit</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Set SwitchD's port path cost calculation method to the Huawei legacy method, and set the path cost of port 10GE1/0/2 in instance MSTI 1 to 20000.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchD] stp pathcost-standard legacy</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchD] interface 10ge 1/0/2</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchD-10GE1/0/2] stp instance 1 cost 20000</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchD-10GE1/0/2] commit</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Enable MSTP globally on the devices</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchA] stp enable //Enable MSTP on SwitchA</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchB] stp enable //Enable MSTP on SwitchB</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchC] stp enable //Enable MSTP on SwitchC</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchD] stp enable //Enable MSTP on SwitchD</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Disable MSTP on all ports connected to terminals</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"># Disable STP on port 10GE1/0/1 of SwitchC.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchC] interface 10ge 1/0/1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchC-10GE1/0/1] stp disable</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchC-10GE1/0/1] commit</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"># Disable STP on port 10GE1/0/1 of SwitchD.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchD] interface 10ge 1/0/1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchD-10GE1/0/1] stp disable</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchD-10GE1/0/1] commit</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Configure protection functions</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">For example, configure root protection on the designated ports of the root bridge of each instance</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchA] interface 10ge 1/0/1 //Enable root protection on port 10GE1/0/1 of SwitchA</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchA-10GE1/0/1] stp root-protection</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchA-10GE1/0/1] commit</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchB] interface 10ge 1/0/1 //Enable root protection on port 10GE1/0/1 of SwitchB</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[~SwitchB-10GE1/0/1] stp root-protection</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[*SwitchB-10GE1/0/1] commit</p>
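<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The root-bridge and path-cost settings in the STP section (3.2) and the per-instance settings in the MSTP section above follow one rule: the bridge with the lowest bridge ID becomes the root, every other bridge picks the lowest-cost path toward it, and on each remaining link the end with the worse (root path cost, bridge ID) is blocked. The following Python model, added here as an example and not code from the article or from Huawei, computes those port roles for the page's two instances. It assumes a square topology SwitchA–SwitchB, SwitchA–SwitchC, SwitchB–SwitchD, SwitchC–SwitchD in which only the C–D link (10GE1/0/2 at both ends) is taken from the page; the other port numbers, the priority values 0 and 4096 taken to be set by "root primary" and "root secondary", and the legacy 10GE port cost of 2 are all assumptions of this example.</p>

```python
"""Added example (not Huawei code): a small model of how (M)STP elects the root
bridge and assigns port roles, run on the page's two MSTP instances.
The topology and most port numbers below are assumptions; only the C-D link
on 10GE1/0/2 and the root/cost settings come from the page's configuration."""
import heapq
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768          # bridge priority without any root command
ROOT_PRIMARY_PRIORITY = 0         # assumed effect of "stp root primary"
ROOT_SECONDARY_PRIORITY = 4096    # assumed effect of "stp root secondary"
LEGACY_COST_10GE = 2              # assumed legacy-standard cost of a 10GE port

# Assumed square topology: (switch, port, neighbour, neighbour port).
LINKS = [
    ("SwitchA", "10GE1/0/1", "SwitchB", "10GE1/0/1"),
    ("SwitchA", "10GE1/0/2", "SwitchC", "10GE1/0/3"),
    ("SwitchB", "10GE1/0/2", "SwitchD", "10GE1/0/3"),
    ("SwitchC", "10GE1/0/2", "SwitchD", "10GE1/0/2"),
]


@dataclass
class Instance:
    name: str
    root_primary: str
    root_secondary: str
    cost_override: dict = field(default_factory=dict)  # (switch, port) -> cost


# The two instances the page configures: different roots and a 20000 cost on
# one end of the C-D link, so each instance blocks a different port.
MSTI1 = Instance("MSTI1", "SwitchA", "SwitchB", {("SwitchD", "10GE1/0/2"): 20000})
MSTI2 = Instance("MSTI2", "SwitchB", "SwitchA", {("SwitchC", "10GE1/0/2"): 20000})


def bridge_id(inst, switch):
    """(priority, name): the name stands in for the MAC address tie-break."""
    if switch == inst.root_primary:
        return (ROOT_PRIMARY_PRIORITY, switch)
    if switch == inst.root_secondary:
        return (ROOT_SECONDARY_PRIORITY, switch)
    return (DEFAULT_PRIORITY, switch)


def root_bridge(inst, links=LINKS):
    switches = {l[0] for l in links} | {l[2] for l in links}
    return min(switches, key=lambda s: bridge_id(inst, s))


def port_roles(inst, links=LINKS):
    """Return {(switch, port): 'root' | 'designated' | 'alternate'} for one instance."""
    pcost, adj = {}, {}
    for a, pa, b, pb in links:
        for sw, p, nb, nbp in ((a, pa, b, pb), (b, pb, a, pa)):
            pcost[(sw, p)] = inst.cost_override.get((sw, p), LEGACY_COST_10GE)
            adj.setdefault(sw, []).append((p, nb, nbp))
    root = root_bridge(inst, links)
    # Root path cost: a bridge adds the cost of the port on which the best BPDU
    # arrives; ties are broken by the sending bridge's ID (Dijkstra on that key).
    best = {s: (float("inf"), None) for s in adj}
    best[root] = (0, None)
    root_port = {}
    heap = [(0, bridge_id(inst, root), root)]
    while heap:
        cost, _, u = heapq.heappop(heap)
        if cost > best[u][0]:
            continue
        for p, v, vp in adj[u]:
            cand = (cost + pcost[(v, vp)], bridge_id(inst, u))
            if cand < best[v]:
                best[v] = cand
                root_port[v] = vp
                heapq.heappush(heap, (cand[0], cand[1], v))
    roles = {}
    for a, pa, b, pb in links:
        if root_port.get(a) == pa:
            roles[(a, pa)], roles[(b, pb)] = "root", "designated"
        elif root_port.get(b) == pb:
            roles[(b, pb)], roles[(a, pa)] = "root", "designated"
        else:
            # Neither end is a root port: the end with the lower (root path cost,
            # bridge ID) is designated; the other end is alternate, i.e. blocked.
            if (best[a][0], bridge_id(inst, a)) < (best[b][0], bridge_id(inst, b)):
                roles[(a, pa)], roles[(b, pb)] = "designated", "alternate"
            else:
                roles[(b, pb)], roles[(a, pa)] = "designated", "alternate"
    return roles


def blocked_ports(inst, links=LINKS):
    return sorted(p for p, r in port_roles(inst, links).items() if r == "alternate")


if __name__ == "__main__":
    for inst in (MSTI1, MSTI2):
        print(inst.name, "root", root_bridge(inst), "blocked", blocked_ports(inst))
```

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Run as a script, the model reports that MSTI 1 blocks SwitchD's 10GE1/0/2 while MSTI 2 blocks SwitchC's 10GE1/0/2, which is the load-sharing effect the page's configuration aims for: VLANs 2 to 10 and VLANs 11 to 20 use different redundant links. Removing the two cost overrides shows that in this assumed topology the same ports would still be blocked, decided by the bridge-ID tie-break alone; the explicit cost makes the outcome independent of which switch happens to have the lower MAC address.</p>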
<h1 style="color: black; text-align: left; margin-bottom: 10px;">3.3 Deploying Loop Detection</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A loop in the network causes devices to forward broadcast, multicast and unknown-unicast packets over and over, wasting network resources and even bringing the network down. Loop Detection is a detection technique for discovering loops in a Layer 2 network promptly. It periodically sends detection packets out of an interface and checks whether they return to the device (the receiving interface does not have to be the sending interface), and from that determines whether a loop exists on that interface, in the network the device belongs to, or in the network attached below the device.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Figure 3 STP configuration diagram</strong></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-6w9my0ksvp/98e39996bfaf445890534be917f42b5f~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1725641323&x-signature=G2%2BsusouuhLjRrsRytdOWPf8HsU%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Enable Loop Detection globally</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> sysname Switch</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> loop-detection enable //Enable Loop Detection globally</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Enable Loop Detection for VLANs</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> vlan batch 10 to 20</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> loop-detection enable vlan 10 to 20 //Configure the device to perform loop detection on all interfaces in VLAN 10 through VLAN 20</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Configure the sending interval of Loop Detection packets</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> loop-detection interval-time 10 //Set the Loop Detection packet sending interval to 10 s</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure the Loop Detection action</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Turn on the Loop Detection alarm.</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> snmp-agent trap enable feature-name ldttrap //Turn on the Loop Detection alarm so that the device can send Loop Detection trap messages</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Set the Loop Detection action to Shutdown.</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> interface gigabitethernet 1/0/1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[Switch-GigabitEthernet1/0/1] stp disable //Disable STP on the interface</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> port hybrid tagged vlan 10 to 20</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">[Switch-GigabitEthernet1/0/1] loop-detection mode port-shutdown //When Loop Detection finds a loop on interface GE1/0/1, the action is to shut the interface down</p>
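<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The mechanism described in 3.3 (a probe sent out of one interface, a loop reported if it comes back on any interface, the port shut down in response) can be modelled with a few lines of flooding logic. The Python below is an added example, not code from the article or from Huawei; the three small topologies in it are constructed for the example, and the switches below the detector are modelled as plain flooding switches with no spanning tree of their own.</p>

```python
"""Added example (not Huawei code): a model of the Loop Detection mechanism the
page describes. A probe is flooded out of one port; unmanaged switches below
flood it on every port except the arrival port, and a loop is reported if any
copy returns to the sending switch on any port. Topologies are constructed."""
from collections import deque

MAX_HOPS = 12  # bound the flood so a looped topology cannot run forever


def flood_probe(links, origin, origin_port, max_hops=MAX_HOPS):
    """Return [(port, hops)] for every copy of the probe that came back to origin."""
    adj = {}
    for a, pa, b, pb in links:
        adj.setdefault(a, []).append((pa, b, pb))
        adj.setdefault(b, []).append((pb, a, pa))
    queue = deque((nb, nbp, 1) for p, nb, nbp in adj.get(origin, []) if p == origin_port)
    returned = []
    while queue:
        sw, in_port, hops = queue.popleft()
        if sw == origin:
            returned.append((in_port, hops))  # the detector sees its own probe
            continue
        if hops >= max_hops:
            continue
        for p, nb, nbp in adj.get(sw, []):
            if p != in_port:                  # flood everywhere except the arrival port
                queue.append((nb, nbp, hops + 1))
    return returned


def loop_detection_action(links, origin, origin_port, mode="port-shutdown"):
    """The page configures 'loop-detection mode port-shutdown': return that
    action when the probe returns, otherwise leave the port forwarding."""
    return mode if flood_probe(links, origin, origin_port) else "forwarding"


# Constructed topologies below the detector's port GE1/0/1.
TREE = [("Switch", "GE1/0/1", "X", "1"), ("X", "2", "Y", "1"), ("X", "3", "Z", "1")]
LOOPED = TREE + [("Y", "2", "Z", "2")]                   # a cable Y-Z closes a loop
TWO_UPLINKS = TREE + [("Switch", "GE1/0/2", "Z", "3")]   # Z is also cabled to GE1/0/2

if __name__ == "__main__":
    for name, topo in (("tree", TREE), ("looped", LOOPED), ("two uplinks", TWO_UPLINKS)):
        print(name, flood_probe(topo, "Switch", "GE1/0/1")[:3],
              loop_detection_action(topo, "Switch", "GE1/0/1"))
```

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The tree returns nothing; the looped tree returns the probe on GE1/0/1 itself after five hops; and the "two uplinks" case returns it on GE1/0/2, which is the situation the page means by the receiving and sending interfaces not having to be the same. In all of these the only sensible response is the page's port-shutdown action together with the trap, since the storm a real loop produces would otherwise hit every VLAN that the port carries.</p>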
<h1 style="color: black; text-align: left; margin-bottom: 10px;">3.4 Broadcast Domain Control</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">There are two methods for controlling abnormal traffic in a broadcast domain: traffic suppression and storm control. Both are security techniques that control broadcast, unknown-multicast and unknown-unicast packets and prevent these three types of packets from causing a broadcast storm.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Traffic suppression limits the traffic mainly by configuring thresholds, whereas storm control cuts the traffic off mainly by shutting down the port.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Figure 4 Network diagram</strong></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-6w9my0ksvp/5263871c45224e0e85bef9260069f862~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1725641323&x-signature=MuXAcbTlwrFxMLJCzH5J9VgjJ80%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Traffic suppression configuration</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> interface gigabitethernet 0/0/1 //Enter the interface view</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure broadcast traffic suppression by percentage, with a value of 20%.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> broadcast-suppression 20</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure unknown-multicast traffic suppression by percentage, with a value of 20%.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> multicast-suppression 20</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure unknown-unicast traffic suppression by percentage, with a value of 20%.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> unicast-suppression 20</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Verify the configuration</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Run the display flow-suppression interface command to view the traffic suppression configuration on interface GE0/0/1.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> display flow-suppression interface gigabitethernet 0/0/1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Storm control configuration</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> interface gigabitethernet0/0/1 //Enter the interface view</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure broadcast storm control with a minimum rate of 1000 packets and a maximum rate of 2000 packets</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> storm-control broadcast min-rate 1000 max-rate 2000</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure unknown-multicast storm control with a minimum rate of 1000 packets and a maximum rate of 2000 packets</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> storm-control multicast min-rate 1000 max-rate 2000</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure unknown-unicast storm control with a minimum rate of 1000 packets and a maximum rate of 2000 packets</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> storm-control unicast min-rate 1000 max-rate 2000</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Set the storm control action to blocking the packets</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> storm-control action block</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Enable logging when storm control is triggered</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> storm-control enable log</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure the storm control detection interval</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> storm-control interval 90</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Verify the configuration</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Run the display storm-control interface command to view the storm control configuration on interface GE0/0/1.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> display storm-control interface gigabitethernet 0/0/1</p>
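<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The difference between the two controls in 3.4 is easiest to see in code: traffic suppression is a cap that silently drops whatever exceeds the threshold, while storm control is a state machine with two thresholds, so a port that has been blocked at max-rate is not released the moment the rate dips under max-rate but only once it falls below min-rate. The Python below is an added example, not code from the article or from Huawei; it reuses the page's values (20%, min-rate 1000, max-rate 2000, action block, interval 90) and the rate samples fed into it are constructed. Modelling the suppression threshold in packets per second is a simplification, since the percentage on the device refers to interface bandwidth.</p>

```python
"""Added example (not Huawei code): a model of the two broadcast-domain controls
the page configures. Traffic suppression caps a traffic type at a percentage
of the port's capacity; storm control watches the rate per detection interval,
blocks the traffic type above max-rate and releases it only below min-rate.
The rate samples at the bottom are constructed."""
from dataclasses import dataclass, field


def suppress(offered_pps, line_rate_pps, percent):
    """Traffic suppression: forward at most `percent` of the line rate
    (modelled in packets per second; the real limit is bandwidth based)."""
    limit = line_rate_pps * percent // 100
    return min(offered_pps, limit)


@dataclass
class StormControl:
    min_rate: int = 1000       # "storm-control ... min-rate 1000"
    max_rate: int = 2000       # "storm-control ... max-rate 2000"
    action: str = "block"      # "storm-control action block"
    blocked: dict = field(default_factory=dict)  # traffic type -> bool
    log: list = field(default_factory=list)      # "storm-control enable log"

    def observe(self, kind, pps):
        """Feed the rate measured in one detection interval; return the new state."""
        if not self.blocked.get(kind) and pps > self.max_rate:
            self.blocked[kind] = True
            self.log.append(f"{kind} {pps} pps > max-rate {self.max_rate}: {self.action}")
        elif self.blocked.get(kind) and pps < self.min_rate:
            self.blocked[kind] = False
            self.log.append(f"{kind} {pps} pps < min-rate {self.min_rate}: restored")
        # Between min-rate and max-rate nothing changes: that gap is the hysteresis.
        return "blocked" if self.blocked.get(kind) else "forwarding"


def run_trace(rates, kind="broadcast"):
    """Replay a sequence of per-interval rates; return the states and the log."""
    sc = StormControl()
    states = [sc.observe(kind, r) for r in rates]
    return states, sc.log


# Constructed samples, one per 90-second interval: normal, storm, still noisy
# but under max-rate, back below min-rate, normal again.
SAMPLE_RATES = [500, 2500, 1500, 800, 1500]

if __name__ == "__main__":
    states, log = run_trace(SAMPLE_RATES)
    for rate, state in zip(SAMPLE_RATES, states):
        print(f"{rate:5d} pps -> {state}")
    print("\n".join(log))
    print("20% of a 1,000,000 pps port, 500,000 pps offered:", suppress(500000, 1000000, 20))
```

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The third sample (1500 pps) is the instructive one: it is below max-rate, yet the traffic stays blocked because the rate has not yet dropped below min-rate. That is why the page configures both values rather than a single threshold, and why the log entries produced at each transition are worth forwarding to the monitoring system alongside the trap configured for Loop Detection.</p>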
<h1 style="color: black; text-align: left; margin-bottom: 10px;">3.5 DHCP Protection</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Bogus DHCP server attack: a DHCP server added to the network at will can assign IP addresses and other network parameters to clients. If that DHCP server assigns users wrong IP addresses and other network parameters, it causes great harm to the network.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">To provide DHCP users with better service, the network administrator can configure the DHCP Snooping function to defend against DHCP attacks.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Figure 5 Network diagram</strong></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-6w9my0ksvp/58aef5ee0784459a8033491f9e810b63~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1725641323&x-signature=sK0ifPgS2onJMHjifW%2FpEgV%2BUig%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">开启DHCP Snooping基本功能</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">使能全局DHCP Snooping功能并配置设备仅处理DHCPv4报文</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> dhcp snooping enable ipv4</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Enable DHCP Snooping on the user-side interfaces. GE1/0/1 is used as the example; the configuration of GE1/0/2 is identical and is not repeated. The interface view is left with quit so that the following global command is entered in the system view.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> interface gigabitethernet 1/0/1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> dhcp snooping enable</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> quit</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Enable the association between ARP and DHCP Snooping (global command).</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> arp dhcp-snooping-detect enable</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Enable the check of whether the GIADDR (relay agent address) field in DHCP Request packets is non-zero. GE1/0/1 is used as the example; the configuration of GE1/0/2 is identical and is not repeated.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> interface gigabitethernet 1/0/1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> dhcp snooping check dhcp-giaddr enable</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> quit</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Configure the maximum rate at which DHCP packets are sent to the DHCP processing unit and enable the discarded-packet alarm</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Set the maximum rate at which DHCP packets are sent to the DHCP processing unit to 90 pps (global commands).</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> dhcp snooping check dhcp-rate enable</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> dhcp snooping check dhcp-rate 90</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Enable the alarm for discarded packets and set the alarm threshold for packets dropped by rate limiting.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> dhcp snooping alarm dhcp-rate enable</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> dhcp snooping alarm dhcp-rate threshold 500</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Enable the DHCP Request check and its discarded-packet alarm on the user-side interfaces. GE1/0/1 is used as the example; the configuration of GE1/0/2 is identical and is not repeated.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> interface gigabitethernet 1/0/1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> dhcp snooping check dhcp-request enable</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> dhcp snooping alarm dhcp-request enable</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> dhcp snooping alarm dhcp-request threshold 120</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> quit</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure the maximum number of users allowed to access through an interface and enable the CHADDR field check; also enable the alarm that is raised when the number of packets discarded because the source MAC address in the frame header does not match the CHADDR field in the DHCP packet reaches the threshold.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Configure this on the user-side interfaces. GE1/0/1 is used as the example; the configuration of GE1/0/2 is identical and is not repeated.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> interface gigabitethernet 1/0/1</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> dhcp snooping max-user-number 20</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> dhcp snooping check dhcp-chaddr enable</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> dhcp snooping alarm dhcp-chaddr enable</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> dhcp snooping alarm dhcp-chaddr threshold 120</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> quit</p>
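<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">To make the checks in the configuration above concrete, the following is an added example that is not part of the original article and is not Huawei code: a small Python model of what an access switch running DHCP Snooping validates. It generalizes slightly beyond the command list by also modelling the core defence against the DHCP server spoofing attack described at the start of this section, namely dropping server replies (BOOTREPLY) that arrive on an untrusted interface. The GIADDR check, the CHADDR-versus-source-MAC check, the per-interface user limit, the global packet rate limit and the drop-count alarms correspond to the dhcp-giaddr, dhcp-chaddr, max-user-number, dhcp-rate and alarm commands shown above. The frames, MAC addresses, the interface name "uplink" and all class and function names are constructed for this example; GE1/0/1 and GE1/0/2 are the interface names used on this page.</p>

```python
"""Model of DHCP Snooping checks (added example; constructed data, not vendor code)."""
import struct
from dataclasses import dataclass, field

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the BOOTP header
ZERO_IP = b"\x00" * 4


def build_dhcp(op: int, chaddr: bytes, giaddr: bytes = ZERO_IP, xid: int = 0x1234) -> bytes:
    """Build a minimal 240-byte BOOTP/DHCP payload (constructed test data, no options)."""
    # op, htype (1 = Ethernet), hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
    header = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, 0,
                         ZERO_IP, ZERO_IP, ZERO_IP, giaddr)
    return header + chaddr.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128 + MAGIC


@dataclass
class Frame:
    port: str          # ingress interface, e.g. "GE1/0/1"
    src_mac: bytes     # Ethernet source address of the frame
    payload: bytes     # DHCP payload (IP/UDP headers omitted for brevity)
    ts: float = 0.0    # arrival time in seconds


@dataclass
class Snooper:
    trusted: set                      # interfaces that face the legitimate DHCP server
    rate_limit: int = 90              # DHCP packets per second sent to the processing unit
    max_users: int = 20               # client bindings allowed per untrusted interface
    alarm_threshold: int = 120        # drops per (port, check) that raise one alarm
    bindings: dict = field(default_factory=dict)     # port -> set of client MACs
    drops: dict = field(default_factory=dict)        # (port, check) -> drop count
    per_second: dict = field(default_factory=dict)   # second -> packets seen
    alarms: list = field(default_factory=list)

    def _drop(self, port: str, check: str):
        key = (port, check)
        self.drops[key] = self.drops.get(key, 0) + 1
        if self.drops[key] == self.alarm_threshold:
            self.alarms.append(f"{port}: {check} drops reached {self.alarm_threshold}")
        return ("drop", check)

    def inspect(self, f: Frame):
        # dhcp-rate: global cap on packets punted to the DHCP processing unit
        sec = int(f.ts)
        self.per_second[sec] = self.per_second.get(sec, 0) + 1
        if self.per_second[sec] > self.rate_limit:
            return self._drop(f.port, "dhcp-rate")
        p = f.payload
        if len(p) < 240 or p[236:240] != MAGIC:
            return self._drop(f.port, "malformed")
        op, hlen = p[0], p[2]
        giaddr = p[24:28]
        chaddr = p[28:28 + hlen]
        if f.port in self.trusted:
            return ("forward", "trusted")
        # Server messages (OFFER/ACK/NAK) are legitimate only from a trusted interface.
        if op == BOOTREPLY:
            return self._drop(f.port, "rogue-server")
        # dhcp-giaddr: a client never fills in the relay agent address.
        if giaddr != ZERO_IP:
            return self._drop(f.port, "dhcp-giaddr")
        # dhcp-chaddr: the claimed hardware address must equal the frame source MAC.
        if chaddr != f.src_mac:
            return self._drop(f.port, "dhcp-chaddr")
        # max-user-number: bound the number of clients behind one access interface.
        users = self.bindings.setdefault(f.port, set())
        if chaddr not in users and len(users) >= self.max_users:
            return self._drop(f.port, "max-user-number")
        users.add(chaddr)
        return ("forward", "client-request")


def run_demo():
    """Feed constructed frames through the snooper; return the verdicts and the snooper."""
    client = bytes.fromhex("0011223344aa")
    other = bytes.fromhex("0011223344bb")
    third = bytes.fromhex("0011223344cc")
    snoop = Snooper(trusted={"uplink"}, max_users=2, alarm_threshold=2)
    frames = [
        Frame("GE1/0/1", client, build_dhcp(BOOTREQUEST, client)),                 # normal DISCOVER
        Frame("GE1/0/1", other, build_dhcp(BOOTREPLY, client)),                    # OFFER from access port
        Frame("uplink", bytes(6), build_dhcp(BOOTREPLY, client)),                  # OFFER from trusted uplink
        Frame("GE1/0/1", client, build_dhcp(BOOTREQUEST, client, b"\x0a\x00\x00\x01")),  # non-zero GIADDR
        Frame("GE1/0/2", other, build_dhcp(BOOTREQUEST, client)),                  # CHADDR != source MAC
        Frame("GE1/0/2", other, build_dhcp(BOOTREQUEST, client)),                  # second mismatch -> alarm
        Frame("GE1/0/1", other, build_dhcp(BOOTREQUEST, other)),                   # second client on port
        Frame("GE1/0/1", third, build_dhcp(BOOTREQUEST, third)),                   # third client exceeds limit
    ]
    verdicts = [snoop.inspect(f) for f in frames]
    return verdicts, snoop


if __name__ == "__main__":
    results, s = run_demo()
    for v in results:
        print(v)
    print("alarms:", s.alarms)
```

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The model makes one operational point visible that the command list above does not: every check depends on at least one interface being trusted. On Huawei switches all interfaces are untrusted once DHCP Snooping is enabled, so the interface toward the legitimate DHCP server (not named on this page) must be configured with dhcp snooping trusted, otherwise legitimate OFFER and ACK packets are dropped just like the rogue server's. The alarm thresholds used here are small so that one appears in the demo; the values 500 and 120 from the configuration above are the ones meant for production.</p>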