Configuration and Application of Information Security Products (信息安全产品配置与应用)
重庆电子工程职业学院 (Chongqing College of Electronic Engineering) | 路亚 (Lu Ya)
Module 8: Routing and Switching Security Configuration
Spanning Tree Protocol (STP)

Objectives
1. Concept of IP Address
2. Class of IP Address
3. Reserved and Private IP Address
4. Network Mask and Subnetting
5. Variable Length Subnet Mask (VLSM)
6. Summarization and CIDR

Objectives
- Redundant topologies
- Spanning Tree Protocol

Redundancy
Redundant networking topologies are designed to ensure that networks continue to function in the presence of single points of failure.

Redundant Topologies
1. A goal of redundant topologies is to eliminate network outages caused by a single point of failure.
2. All networks need redundancy for enhanced reliability.

Simple Redundant Switched Topology
1. Redundant topologies eliminate single points of failure.
2. Switches flood frames for unknown destinations.
3. Broadcasts and multicasts are also flooded.
4. A redundant switched topology may cause broadcast storms, multiple frame copies, and MAC address table instability.

Broadcast Storm

Multiple Frame Transmissions
In a redundant switched network it is possible for an end device to receive multiple copies of the same frame.

MAC Database Instability
A switch can learn a MAC address on a port where the station is not actually located.

Creating a Logical Loop-Free Topology
1. Reliability is increased by redundancy, but redundant connections introduce physical loops into the network.
2. The solution is to allow physical loops but create a loop-free logical topology.
3. The loop-free logical topology created is called a tree. It is a spanning tree because all devices in the network are reachable, or spanned.
4. The algorithm used to create this loop-free logical topology is the spanning-tree algorithm.

STP Terms
1. Bridge ID (BID)
2. Cost
3. Bridge Protocol Data Unit (BPDU)

Bridge ID (BID)
1. The BID identifies each switch (bridge).
2. The BID is used to determine the center of the network, which STP calls the root bridge.
3. The BID consists of a bridge priority, which defaults to 32768, and the switch's MAC address.

Cost
The shortest path is based on cumulative link costs. Link costs are based on the speed of the link.

Bridge Protocol Data Unit (BPDU)
1. The message that a switch sends to allow the formation of a loop-free logical topology is called a Bridge Protocol Data Unit (BPDU).
2. BPDUs continue to be received on blocked ports. This ensures that if an active path or device fails, a new spanning tree can be calculated.
3. By default, BPDUs are sent every two seconds.

Spanning-Tree Protocol

Spanning-Tree Operation
1. Select a single switch that will act as the root of the spanning tree: the switch with the lowest BID.
2. Each switch calculates the shortest path from itself to the root switch.
3. Each non-root switch chooses one of its ports as its root port. This is the interface that gives the best path to the root switch.
4. Select the ports that are part of the spanning tree, the designated ports. Non-designated ports are blocked.

Spanning-Tree Operation Rules
1. One root bridge per network.
2. One root port per non-root bridge.
3. One designated port per segment.
4. Non-designated ports are unused.

STP Example

Spanning-Tree Port States
1. In the blocking state, ports can only receive BPDUs. It may take up to 20 seconds to change from this state.
2. In the listening state, switches determine whether there are any other paths to the root bridge. This state is the forward delay and lasts 15 seconds. In the listening state, user data is not forwarded and MAC addresses are not learned.
3. In the learning state, user data is not forwarded, but MAC addresses are learned from any traffic that is seen. The learning state lasts 15 seconds and is also called the forward delay.
4. In the forwarding state, user data is forwarded and MAC addresses continue to be learned. BPDUs are still processed.

Case Study
Refer to the exhibit. All switches have the default STP configuration and all links are Fast Ethernet. Which port on which switch will Spanning Tree place in blocking mode?

Questions
1. The existence of loops causes ___, ___ and ___ problems.
2. A switch's ID consists of ___ and ___.
3. When the root bridge is elected, the switch with the ___ bridge ID value becomes the root bridge.
4. The new STP cost of a 100M link is ___.
5. After STP converges, ___ ports and ___ ports are in the forwarding state.
6. When the designated port is decided, the ___, ___ and ___ factors are considered in that order.
7. By default, the forward delay is ___ seconds, the Hello time is ___ seconds, and the BPDU max age is ___ seconds.
8. In STP, a switch port can be in the ___, ___ and ___ states.
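The four operation steps and the case study above, worked in code as an added example that is not part of the course slides: the three-switch triangle, the MAC addresses and the port numbers are constructed, and the per-speed link costs are the classic IEEE 802.1D values assumed here because the slides only say that cost depends on link speed.

```python
# Added example (not course material): STP port roles via the slides' four steps.
import heapq

# Cost by link speed (Mbit/s); the slides only say cost depends on speed, so the
# classic IEEE 802.1D-1998 values are assumed here.
LINK_COST = {10: 100, 100: 19, 1000: 4}


def compute_stp(switches, links):
    """switches: {name: (priority, mac)}; links: [(sw_a, port_a, sw_b, port_b, mbps)].
    Returns {(switch, port): 'root' | 'designated' | 'blocked'}."""
    bid = lambda s: switches[s]  # (priority, MAC): tuple order means lowest wins
    root = min(switches, key=bid)
    adj = {s: [] for s in switches}  # switch -> [(own_port, nbr, nbr_port, cost)]
    for a, pa, b, pb, mbps in links:
        adj[a].append((pa, b, pb, LINK_COST[mbps]))
        adj[b].append((pb, a, pa, LINK_COST[mbps]))
    # Root path cost: cheapest cumulative link cost to the root (Dijkstra).
    rpc = {s: float("inf") for s in switches}
    rpc[root], heap = 0, [(0, root)]
    while heap:
        c, s = heapq.heappop(heap)
        for _, nb, _, lc in adj[s]:
            if c + lc < rpc[nb]:
                rpc[nb] = c + lc
                heapq.heappush(heap, (rpc[nb], nb))
    roles = {}
    # Root port: best path to the root; ties go to the lowest sender BID, then the
    # sender's port ID, then the receiving port ID.
    for s in switches:
        if s != root:
            best = min((rpc[nb] + lc, bid(nb), pb, pa) for pa, nb, pb, lc in adj[s])
            roles[(s, best[3])] = "root"
    # Designated port: per segment, the end with the lowest (root path cost, BID,
    # port ID); the far end is that switch's root port or else is blocked.
    for a, pa, b, pb, _ in links:
        a_key, b_key = (rpc[a], bid(a), pa), (rpc[b], bid(b), pb)
        des, far = ((a, pa), (b, pb)) if a_key < b_key else ((b, pb), (a, pa))
        roles[des] = "designated"
        roles.setdefault(far, "blocked")
    return roles


# Constructed topology: three switches at the default priority 32768 joined by
# three Fast Ethernet links, the situation the case study describes.
SWITCHES = {"SW1": (32768, "00:00:00:00:00:0a"),
            "SW2": (32768, "00:00:00:00:00:0b"),
            "SW3": (32768, "00:00:00:00:00:0c")}
LINKS = [("SW1", 1, "SW2", 1, 100), ("SW1", 2, "SW3", 1, 100),
         ("SW2", 2, "SW3", 2, 100)]
ROLES = compute_stp(SWITCHES, LINKS)  # SW3 port 2 is the only blocked port
```

With all priorities equal, SW1 wins the root election on its lowest MAC, SW2 and SW3 each take their link to SW1 as root port, and on the SW2-SW3 segment both ends have the same root path cost, so the lower BID (SW2) is designated and SW3's port blocks; lowering one switch's priority moves the root and therefore the blocked port.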