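Lab environment:
Operating system: Windows 7 Professional (the latest official release at the time); simulator: HCL 2.1.1 (the latest version at the time)
- Router model: H3C MSR36-20
- Switch model: H3C S5820V2-54QS-GE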

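Lab requirements:
- A switch (SW) in an existing network connects a user PC (HOST), a storage server (SERVER) and a network management server (NMS, Network Management Server); the cabling and IP addresses are as shown in the figure above;
- For convenience, HOST, SERVER and NMS are all simulated with routers;
- When SW forwards frames whose destination MAC address is SERVER's MAC address, it must no longer broadcast them, and must always send frames destined for SERVER as unicast;
- To strengthen the security of network management, the port on SW that connects to NMS must allow only this NMS to attach.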
Lab steps:
This lab mainly involves IPv4 address configuration, VLAN assignment and some uses of MAC addresses on the switch. The commands are much the same as Cisco's, so they are not described at length here.

HOST:
```
sys
hostname HOST
int g 0/0
ip add 10.0.0.2 255.255.255.0
shutdown
undo shutdown
```

NMS:
```
sys
hostname NMS
int g 0/0
ip add 10.0.0.3 255.255.255.0
shutdown
undo shutdown
```

SERVER:
```
sys
hostname SERVER
int g 0/0
ip add 10.0.0.1 255.255.255.0
shutdown
undo shutdown
```
First, let's check the MAC addresses of the NMS and SERVER ports that face SW:
```
[NMS]display interface GigabitEthernet 0/0
GigabitEthernet0/0
Current state: UP
Line protocol state: UP
Description: GigabitEthernet0/0 Interface
Bandwidth: 1000000 kbps
Maximum transmission unit: 1500
Allow jumbo frames to pass
Broadcast max-ratio: 100%
Multicast max-ratio: 100%
Unicast max-ratio: 100%
Internet address: 10.0.0.1/24 (primary)
IP packet frame type: Ethernet II, hardware address: 68b4-6783-0305
IPv6 packet frame type: Ethernet II, hardware address: 68b4-6783-0305
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last link flapping: 0 hours 8 minutes 22 seconds
Last clearing of counters: Never
Current system time:2019-05-29 14:48:38
Last time when physical state changed to up:2019-05-29 14:40:16
Last time when physical state changed to down:2019-05-29 14:40:15
Peak input rate: 0 bytes/sec, at 00-00-00 00:00:00
Peak output rate: 0 bytes/sec, at 00-00-00 00:00:00
Last 300 second input: 0 packets/sec 0 bytes/sec 0%
Last 300 second output: 0 packets/sec 0 bytes/sec 0%
Input (total): 0 packets, 0 bytes
  0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Input (normal): 0 packets, 0 bytes
  0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Input: 0 input errors, 0 runts, 0 giants, 0 throttles
  0 CRC, 0 frame, 0 overruns, 0 aborts
  0 ignored, 0 parity errors
Output (total): 0 packets, 0 bytes
  0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Output (normal): 0 packets, 0 bytes
  0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Output: 0 output errors, 0 underruns, 0 buffer failures
  0 aborts, 0 deferred, 0 collisions, 0 late collisions
  0 lost carrier, 0 no carrier
[NMS]
```
```
[SERVER]display interface GigabitEthernet 0/0
GigabitEthernet0/0
Current state: UP
Line protocol state: UP
Description: GigabitEthernet0/0 Interface
Bandwidth: 1000000 kbps
Maximum transmission unit: 1500
Allow jumbo frames to pass
Broadcast max-ratio: 100%
Multicast max-ratio: 100%
Unicast max-ratio: 100%
Internet address: 10.0.0.1/24 (primary)
IP packet frame type: Ethernet II, hardware address: 68b4-4073-0105
IPv6 packet frame type: Ethernet II, hardware address: 68b4-4073-0105
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last link flapping: 0 hours 0 minutes 8 seconds
Last clearing of counters: Never
Current system time:2019-05-29 14:50:09
Last time when physical state changed to up:2019-05-29 14:50:01
Last time when physical state changed to down:2019-05-29 14:49:59
Peak input rate: 0 bytes/sec, at 00-00-00 00:00:00
Peak output rate: 0 bytes/sec, at 00-00-00 00:00:00
Last 300 second input: 0 packets/sec 0 bytes/sec 0%
Last 300 second output: 0 packets/sec 0 bytes/sec 0%
Input (total): 0 packets, 0 bytes
  0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Input (normal): 0 packets, 0 bytes
  0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Input: 0 input errors, 0 runts, 0 giants, 0 throttles
  0 CRC, 0 frame, 0 overruns, 0 aborts
  0 ignored, 0 parity errors
Output (total): 0 packets, 0 bytes
  0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Output (normal): 0 packets, 0 bytes
  0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Output: 0 output errors, 0 underruns, 0 buffer failures
  0 aborts, 0 deferred, 0 collisions, 0 late collisions
  0 lost carrier, 0 no carrier
[SERVER]
```
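As shown above, the MAC address of GigabitEthernet 0/0 on NMS is 68b4-6783-0305, and the MAC address of GigabitEthernet 0/0 on SERVER is 68b4-4073-0105. Next, configure SW:

SW:
```
sys
hostname SW
vlan 10
port g 1/0/2 g 1/0/5 g 1/0/10
quit
int r g 1/0/2 g 1/0/5 g 1/0/10
shutdown
undo shutdown
# Return to system view; the static entry below is a system-view command:
quit
# Add SERVER's MAC address so that the switch always sends frames destined for
# SERVER as unicast through port GigabitEthernet 1/0/2:
mac-address static 68b4-4073-0105 int g 1/0/2 vlan 10
# Set the maximum number of learned MAC addresses on port GigabitEthernet 1/0/10 to 0
# and manually add a static MAC entry for NMS, so that GigabitEthernet 1/0/10 only
# forwards frames whose source address is NMS and no other host can communicate
# through this port:
int g 1/0/10
mac-address max-mac-count 0
mac-address static 68b4-6783-0305 vlan 10
# Once the number of MAC addresses learned on the port reaches the configured maximum,
# do not forward received frames whose source MAC address is not in the MAC address table:
# mac-address max-mac-count disable-forwarding (the simulator does not have this command; I typed the one below instead)
undo mac-address max-mac-count enable-forwarding
```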
Testing:
From HOST, pinging 10.0.0.1 (SERVER) and 10.0.0.3 (NMS) both work:
```
[HOST]ping 10.0.0.1
Ping 10.0.0.1 (10.0.0.1): 56 data bytes, press CTRL_C to break
56 bytes from 10.0.0.1: icmp_seq=0 ttl=255 time=4.000 ms
56 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 10.0.0.1: icmp_seq=4 ttl=255 time=2.000 ms

--- Ping statistics for 10.0.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.800/4.000/1.166 ms
[HOST]%May 29 16:06:20:502 2019 HOST PING/6/PING_STATISTICS: Ping statistics for 10.0.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.800/4.000/1.166 ms.
[HOST]ping 10.0.0.3
Ping 10.0.0.3 (10.0.0.3): 56 data bytes, press CTRL_C to break
56 bytes from 10.0.0.3: icmp_seq=0 ttl=255 time=5.000 ms
56 bytes from 10.0.0.3: icmp_seq=1 ttl=255 time=2.000 ms
56 bytes from 10.0.0.3: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 10.0.0.3: icmp_seq=3 ttl=255 time=2.000 ms
56 bytes from 10.0.0.3: icmp_seq=4 ttl=255 time=2.000 ms

--- Ping statistics for 10.0.0.3 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/2.400/5.000/1.356 ms
[HOST]%May 29 16:06:23:391 2019 HOST PING/6/PING_STATISTICS: Ping statistics for 10.0.0.3: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/2.400/5.000/1.356 ms.
[HOST]
```
Now suppose the MAC address of GigabitEthernet 0/0 on NMS were 68b4-6783-0306 rather than 68b4-6783-0305, and change the configuration of SW accordingly:

SW:
```
int g 1/0/10
undo mac-address static 68b4-6783-0305 vlan 10
mac-address static 68b4-6783-0306 vlan 10
```
Now see whether HOST can still ping 10.0.0.1 (SERVER) and 10.0.0.3 (NMS):
```
[HOST]ping 10.0.0.1
Ping 10.0.0.1 (10.0.0.1): 56 data bytes, press CTRL_C to break
56 bytes from 10.0.0.1: icmp_seq=0 ttl=255 time=2.000 ms
56 bytes from 10.0.0.1: icmp_seq=1 ttl=255 time=2.000 ms
56 bytes from 10.0.0.1: icmp_seq=2 ttl=255 time=1.000 ms
56 bytes from 10.0.0.1: icmp_seq=3 ttl=255 time=2.000 ms
56 bytes from 10.0.0.1: icmp_seq=4 ttl=255 time=1.000 ms

--- Ping statistics for 10.0.0.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.600/2.000/0.490 ms
[HOST]%May 29 16:26:50:549 2019 HOST PING/6/PING_STATISTICS: Ping statistics for 10.0.0.1: 5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss, round-trip min/avg/max/std-dev = 1.000/1.600/2.000/0.490 ms.
[HOST]
[HOST]ping 10.0.0.3
Ping 10.0.0.3 (10.0.0.3): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- Ping statistics for 10.0.0.3 ---
5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
[HOST]%May 29 16:27:03:360 2019 HOST PING/6/PING_STATISTICS: Ping statistics for 10.0.0.3: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
[HOST]
```
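As you can see, NMS can no longer be pinged, so the requirement "the port on SW that connects to NMS must allow only this NMS to attach" has been configured.
The requirement "when SW forwards frames whose destination MAC address is SERVER's MAC address, it no longer broadcasts them and always sends frames destined for SERVER as unicast" is not easy to verify; you can repeat the lab a few times and capture packets to check. For now, we can look at the MAC address table on SW:
```
[SW]display mac-address
MAC Address      VLAN ID    State            Port/Nickname            Aging
68b4-4073-0105   10         Static           GE1/0/2                  N
68b4-6783-0306   10         Static           GE1/0/10                 N
[SW]
```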
These MAC address entries are all static, so the switch does not need to learn these MAC addresses dynamically and simply sends frames destined for SERVER as unicast.
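The ingress and lookup behaviour configured on SW can be reproduced with a small model. This is an added illustration, not code from the original article or from H3C: the `Switch` and `Port` classes are hypothetical simplifications, the HOST MAC address is constructed, and GE1/0/5 as the HOST port is inferred from the VLAN 10 port list.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    max_mac_count: Optional[int] = None  # None: no learning limit on this port
    forward_unknown: bool = True         # False: drop unknown sources once the limit is reached

@dataclass
class Switch:
    ports: dict                                # port name -> Port
    table: dict = field(default_factory=dict)  # MAC -> (port name, "Static" | "Learned")

    def add_static(self, mac, port):
        self.table[mac] = (port, "Static")

    def receive(self, in_port, src, dst):
        """Return the egress ports for one frame; [] means dropped at ingress."""
        cfg = self.ports[in_port]
        if self.table.get(src, (None,))[0] != in_port:  # source not known on this port
            learned = sum(1 for p, s in self.table.values()
                          if p == in_port and s == "Learned")
            at_limit = cfg.max_mac_count is not None and learned >= cfg.max_mac_count
            if at_limit and not cfg.forward_unknown:
                return []
            if not at_limit and self.table.get(src, ("", ""))[1] != "Static":
                self.table[src] = (in_port, "Learned")
        if dst in self.table:                           # known destination: unicast
            out = self.table[dst][0]
            return [out] if out != in_port else []
        return sorted(p for p in self.ports if p != in_port)  # unknown destination: flood

SERVER, NMS = "68b4-4073-0105", "68b4-6783-0305"  # MAC addresses shown on the page
HOST = "68b4-0000-0005"                           # constructed: the page does not show HOST's MAC

def build_sw(nms_static=NMS, server_static=True):
    """SW as configured in this lab (GE1/0/5 as the HOST port is an assumption)."""
    sw = Switch({"GE1/0/2": Port(), "GE1/0/5": Port(),
                 "GE1/0/10": Port(max_mac_count=0, forward_unknown=False)})
    if server_static:
        sw.add_static(SERVER, "GE1/0/2")
    sw.add_static(nms_static, "GE1/0/10")
    return sw

if __name__ == "__main__":
    print(build_sw().receive("GE1/0/5", HOST, SERVER))                     # unicast to SERVER
    print(build_sw(server_static=False).receive("GE1/0/5", HOST, SERVER))  # flooded
    print(build_sw("68b4-6783-0306").receive("GE1/0/10", NMS, HOST))       # dropped at ingress
```

With the static entry changed to 68b4-6783-0306, every frame the real NMS sends (source 68b4-6783-0305) is discarded on GE1/0/10, so its replies never reach HOST, which matches the timed-out ping above.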
We can also look at the note in the official H3C documentation:

This completes the lab.
Reference:
- http://www.h3c.com/cn/d_201312/807732_30005_0.htm