搜索
网络安全实验教程使用BPDUFilter提高STP安全性【实验名称】使用BPDUFilter提高STP安全性【实验目的】使用交换机的BPDUFilter特性增强交换网络的稳定性与弹性【背景描述】正常情况下,交换机会向所有启用的接口发送BPDU报文,以便进行生成树的选举与拓扑维护。但是如果交换机的某个端口连接的为终端设备,如PC机、打印机等,而这些设备无需参与STP计算,所以无需接收BPDU报文。【需求分析】我们可以使用BPDU过滤(BPDUFilter)功能禁止BPDU报文从端口发送出去,以防止无需参与STP计算的设备收到多余的BPDU报文。【实验拓扑】【实验设备】交换机3台PC1台【预备知识】交换机转发原理交换机基本配置STP原理PortFast原理BPDUFilter原理50第一章网络基础设施安全实验【实验原理】BPDUFilter功能禁止BPDU报文从端口发送出去,以防止无需参与STP计算的设备收到多余的BPDU报文。【实验步骤】第一步:配置Trunk端口SW1与SW2之间通过两条链路相连以提供冗余性:SW1#configureSW1(config)#interfacefastEthernet0/23SW1(config-if)#switchportmodetrunkSW1(config-if)#exitSW1(config)#interfacefastEthernet0/24SW1(config-if)#switchportmodetrunkSW1(config-if)#endSW1#SW2#configureSW2(config)#interfacefastEthernet0/23SW2(config-if)#switchportmodetrunkSW2(config-if)#exitSW2(config)#interfacefastEthernet0/24SW2(config-if)#switchportmodetrunkSW2(config-if)#endSW2#第二步:启用生成树协议—RSTPSW1#configureSW1(config)#spanning-treemoderstpSW1(config)#spanning-treeSW1(config)#SW2#configureSW2(config)#spanning-treemoderstpSW2(config)#spanning-treeSW2(config)#第三步:验证测试查看生成树的选举结果,由于SW2具有更小的MAC地址,所以SW2被选为根桥:SW1#showspanning-treeStpVersion:RSTPSysStpStatus:ENABLEDMaxAge:20HelloTime:251网络安全实验教程ForwardDelay:15BridgeMaxAge:20BridgeHelloTime:2BridgeForwardDelay:15MaxHops:20TxHoldCount:3PathCostMethod:LongBPDUGuard:DisabledBPDUFilter:DisabledBridgeAddr:00d0.f882.f4a1Priority:32768TimeSinceTopologyChange:0d:2h:37m:57sTopologyChanges:10DesignatedRoot:8000.00d0.f821.a542RootCost:200000RootPort:23SW2#showspanning-treeStpVersion:RSTPSysStpStatus:ENABLEDMaxAge:20HelloTime:2ForwardDelay:15BridgeMaxAge:20BridgeHelloTime:2BridgeForwardDelay:15MaxHops:20TxHoldCount:3PathCostMethod:LongBPDUGuard:DisabledBPDUFilter:DisabledBridgeAddr:00d0.f821.a542Priority:32768TimeSinceTopologyChange:0d:2h:38m:28sTopologyChanges:14DesignatedRoot:8000.00d0.f821.a542RootCost:0RootPort:0第四步:配置SW3将SW3配置为具有更小数值的优先级,以确保SW3有资格成为新的根桥,并启用RSTP:SW3#configureSW3(config)#spanning-treepriority409652第一章网络基础设施安全实验SW3(config)#spanning-treemoderstpSW3(config)#spanning-treeSW3(config)#第五步:将SW3接入SW2的F0/1端口交换机提示拓扑变更:SW2#Dec323:09:37SW2%7:%LINKCHANGED:InterfaceFastEthernet0/1,changedstatetoupDec323:09:37SW2%7:%LINEPROTOCOLCHANGE:InterfaceFastEthernet0/1,changedstatetoUPDec323:09:40SW2%7:2007-12-323:09:40topochange:topologyischangedDec323:09:41SW2%7:2007-12-323:09:41topochange:topologyischanged查看生成树的选举结果,可以看到SW3成为了新的根桥:SW2#showspanning-treeStpVersion:RSTPSysStpStatus:ENABLEDMaxAge:20HelloTime:2ForwardDelay:15BridgeMaxAge:20BridgeHelloTime:2BridgeForwardDelay:15MaxHops:20TxHoldCount:3PathCostMethod:LongBPDUGuard:DisabledBPDUFilter:DisabledBridgeAddr:00d0.f821.a542Priority:32768TimeSinceTopologyChange:0d:0h:0m:36sTopologyChanges:16DesignatedRoot:1000.00d0.f834.6af0RootCost:200000RootPort:1SW1#showspanning-treeStpVersion:RSTPSysStpStatus:ENABLEDMaxAge:20HelloTime:2ForwardDelay:15BridgeMaxAge:20BridgeHelloTime:253网络安全实验教程BridgeForwardDelay:15MaxHops:20TxHoldCount:3PathCostMethod:LongBPDUGuard:DisabledBPDUFilter:DisabledBridgeAddr:00d0.f882.f4a1Priority:32768TimeSinceTopologyChange:0d:0h:1m:22sTopologyChanges:12DesignatedRoot:1000.00d0.f834.6af0RootCost:400000RootPort:23SW3#showspanning-treeStpVersion:RSTPSysStpStatus:ENABLEDMaxAge:20HelloTime:2ForwardDelay:15BridgeMaxAge:20BridgeHelloTime:2BridgeForwardDelay:15MaxHops:20TxHoldCount:3PathCostMethod:LongBPDUGuard:DisabledBPDUFilter:DisabledBridgeAddr:00d0.f834.6af0Priority:4096TimeSinceTopologyChange:0d:0h:1m:56sTopologyChanges:6DesignatedRoot:1000.00d0.f834.6af0RootCost:0RootPort:0通过以上测试可以看出,由于SW3的加入,造成STP重新进行计算。第六步:将SW3从SW2的F0/1端口断开,使网络恢复以前的拓扑第七步:配置BPDUFilter启用SW2的F0/1端口的BPDUFilter特性:SW2#configureSW2(config)#interfacefastEthernet0/154第一章网络基础设施安全实验SW2(config-if)#spanning-treebpdufilterenableSW2(config-if)#endSW2#查看BPDUFilter状态:SW2#showspanning-treeinterfacefastEthernet0/1PortAdminPortFast:DisabledPortOperPortFast:DisabledPortAdminLinkType:autoPortOperLinkType:point-to-pointPortBPDUGuard:disablePortBPDUFilter:enablePortState:discardingPortPriority:128PortDesignatedRoot:8000.00d0.f821.a542PortDesignatedCost:0PortDesignatedBridge:8000.00d0.f821.a542PortDesignatedPort:8001PortForwardTransitions:3PortAdminPathCost:200000PortOperPathCost:200000PortRole:disableport第八步:将SW3再次接入SW2的F0/1端口查看SW2与SW1的生成树状态,SW2仍然为根桥:SW2#showspanning-treeStpVersion:RSTPSysStpStatus:ENABLEDMaxAge:20HelloTime:2ForwardDelay:15BridgeMaxAge:20BridgeHelloTime:2BridgeForwardDelay:15MaxHops:20TxHoldCount:3PathCostMethod:LongBPDUGuard:DisabledBPDUFilter:DisabledBridgeAddr:00d0.f821.a542Priority:32768TimeSinceTopologyChange:0d:0h:20m:26sTopologyChanges:1655网络安全实验教程DesignatedRoot:8000.00d0.f821.a542RootCost:0RootPort:0SW1#showspanning-treeStpVersion:RSTPSysStpStatus:ENABLEDMaxAge:20HelloTime:2ForwardDelay:15BridgeMaxAge:20BridgeHelloTime:2BridgeForwardDelay:15MaxHops:20TxHoldCount:3PathCostMethod:LongBPDUGuard:DisabledBPDUFilter:DisabledBridgeAddr:00d0.f882.f4a1Priority:32768TimeSinceTopologyChange:0d:0h:20m:56sTopologyChanges:12DesignatedRoot:8000.00d0.f821.a542RootCost:200000RootPort:23通过以上测试可以看出,由于S