- 產品與解決方案
- 行業解決方案
- 服務
- 支持
- 合作夥伴
- 關於我們
04-H3C_生成樹典型配置舉例
本章節下載: 04-H3C_生成樹典型配置舉例 (343.98 KB)
資料版本:6W100-20200330
產品版本:Release 7585P05
|
Copyright © 2020 bobty下载软件 版權所有,保留一切權利。 非經本公司書麵許可,任何單位和個人不得擅自摘抄、複製本文檔內容的部分或全部,並不得以任何形式傳播。 除bobty下载软件 的商標外,本手冊中出現的其它公司的商標、產品標識及商品名稱,由各自權利人擁有。 本文檔中的信息可能變動,恕不另行通知。 |
目 錄
本文檔介紹了生成樹的配置舉例。
本文檔中的配置均是在實驗室環境下進行的配置和驗證,配置前設備的所有參數均采用出廠時的缺省配置。如果您已經對設備進行了配置,為了保證配置效果,請確認現有配置和以下舉例中的配置不衝突。
本文假設您已了解生成樹特性。
如圖1所示:
· 網絡中所有設備都屬於同一個MST域,設備的端口均允許VLAN 11~30通過。
· Device A和Device B為核心層設備,Device C和Device D為彙聚層設備。
· 假定所有端口路徑開銷相同。
要求通過配置MSTP功能,實現:
· 網絡中無二層環路。
· Device C和Device D的VLAN 11~20報文、VLAN 21~30報文沿不同鏈路分別上行到Device A和Device B,實現流量負載分擔和鏈路備份。
圖1 MSTP配置組網圖
· 要使所有設備屬於同一MST域,在所有設備上配置相同的如下參數:
¡ 生成樹的工作模式(缺省為MSTP模式,無需配置)
¡ 域名(本例配置為test)
¡ 修訂級別(缺省為0,無需配置)
¡ VLAN映射表(本例將VLAN 11~20映射到MSTI 1,VLAN 21~30映射到MSTI 2)
· 為了使MSTI 1和MSTI 2拓撲中的上行鏈路不同並互相作為冗餘備份,配置Device A為MSTI 1的根橋,Device B為MSTI 2的根橋。另外,本例中配置Device A、B、C、D在MSTI 0的優先級依次降低,使Device A成為IST域根。形成的多個生成樹實例拓撲如圖2所示。
圖2 各VLAN對應的生成樹實例的拓撲
# 創建VLAN 11~30。將設備的各端口配置為Trunk端口並允許VLAN 11~30通過。
<DeviceA> system-view
[DeviceA] vlan 11 to 30
[DeviceA] interface range ten-gigabitethernet 1/0/1 to ten-gigabitethernet 1/0/3
[DeviceA-if-range] port link-mode bridge
[DeviceA-if-range] port link-type trunk
[DeviceA-if-range] port trunk permit vlan 11 to 30
[DeviceA-if-range] undo shutdown
[DeviceA-if-range] quit
# 配置MST域的域名為test,將VLAN 11~20映射到MSTI 1,VLAN 21~30映射到MSTI 2。
[DeviceA] stp region-configuration
[DeviceA-mst-region] region-name test
[DeviceA-mst-region] instance 1 vlan 11 to 20
[DeviceA-mst-region] instance 2 vlan 21 to 30
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# 配置本設備為MSTI 0和1的根橋。
[DeviceA] stp instance 0 to 1 root primary
# 全局使能生成樹協議。
[DeviceA] stp global enable
# 創建VLAN 11~30。將設備的各端口配置為Trunk端口並允許VLAN 11~30通過。
<DeviceB> system-view
[DeviceB] vlan 11 to 30
[DeviceB] interface range ten-gigabitethernet 1/0/1 to ten-gigabitethernet 1/0/3
[DeviceB-if-range] port link-mode bridge
[DeviceB-if-range] port link-type trunk
[DeviceB-if-range] port trunk permit vlan 11 to 30
[DeviceB-if-range] undo shutdown
[DeviceB-if-range] quit
# 配置MST域的域名為test,將VLAN 11~20映射到MSTI 1,VLAN 21~30映射到MSTI 2。
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name test
[DeviceB-mst-region] instance 1 vlan 11 to 20
[DeviceB-mst-region] instance 2 vlan 21 to 30
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# 配置本設備為MSTI 2的根橋,以及MSTI 0的備份根橋。
[DeviceB] stp instance 2 root primary
[DeviceB] stp instance 0 root secondary
# 全局使能生成樹協議。
[DeviceB] stp global enable
# 創建VLAN 11~30。將設備的各端口配置為Trunk端口並允許VLAN 11~30通過。
<DeviceC> system-view
[DeviceC] vlan 11 to 30
[DeviceC] interface range ten-gigabitethernet 1/0/1 to ten-gigabitethernet 1/0/2
[DeviceC-if-range] port link-mode bridge
[DeviceC-if-range] port link-type trunk
[DeviceC-if-range] port trunk permit vlan 11 to 30
[DeviceC-if-range] undo shutdown
[DeviceC-if-range] quit
# 配置MST域的域名為test,將VLAN 11~20映射到MSTI 1,VLAN 21~30映射到MSTI 2。
[DeviceC] stp region-configuration
[DeviceC-mst-region] region-name test
[DeviceC-mst-region] instance 1 vlan 11 to 20
[DeviceC-mst-region] instance 2 vlan 21 to 30
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# 全局使能生成樹協議。
[DeviceC] stp global enable
# 創建VLAN 11~30。將設備的各端口配置為Trunk端口並允許VLAN 11~30通過。
<DeviceD> system-view
[DeviceD] vlan 11 to 30
[DeviceD] interface range ten-gigabitethernet 1/0/1 to ten-gigabitethernet 1/0/2
[DeviceD-if-range] port link-mode bridge
[DeviceD-if-range] port link-type trunk
[DeviceD-if-range] port trunk permit vlan 11 to 30
[DeviceD-if-range] undo shutdown
[DeviceD-if-range] quit
# 配置MST域的域名為test,將VLAN 11~20映射到MSTI 1,VLAN 21~30映射到MSTI 2。
[DeviceD] stp region-configuration
[DeviceD-mst-region] region-name test
[DeviceD-mst-region] instance 1 vlan 11 to 20
[DeviceD-mst-region] instance 2 vlan 21 to 30
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# 配置本設備在MSTI 0的優先級為36864,從而使本設備在MSTI 0的優先級低於Device C(Device C使用缺省優先級32768)。
[DeviceD] stp instance 0 priority 36864
# 全局使能生成樹協議。
[DeviceD] stp global enable
(1) 查看生成樹實例拓撲信息
# 查看Device A上生成樹的簡要信息。
[DeviceA] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
2 Ten-GigabitEthernet1/0/1 ALTE DISCARDING NONE
2 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
2 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
# 查看Device B上生成樹的簡要信息。
[DeviceB] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
1 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
2 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
2 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
2 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
# 查看Device C上生成樹的簡要信息。
[DeviceC] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
1 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
1 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
2 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
2 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
# 查看Device D上生成樹的簡要信息。
[DeviceD] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 ALTE DISCARDING NONE
0 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
1 Ten-GigabitEthernet1/0/1 ALTE DISCARDING NONE
1 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
2 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
2 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
根據上述顯示信息中的Alternate端口(阻塞端口),可以繪出各VLAN所對應MSTI的拓撲,如圖3所示。
圖3 MSTI 0~2的拓撲
可以看到,Device C和Device D的VLAN 11~20報文和VLAN 21~30報文沿不同的上行鏈路轉發;網絡中無二層環路。
(2) 驗證鏈路備份功能
關閉Device C的端口XGE1/0/1(這是Device C在MSTI 0~1中的上行鏈路所在端口)。然後查看Device A、B、C、D上生成樹的簡要信息。
[DeviceA] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
2 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
2 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
[DeviceB] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
2 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
2 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
2 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
[DeviceC] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
1 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
2 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
[DeviceD] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 ALTE DISCARDING NONE
0 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
1 Ten-GigabitEthernet1/0/1 ALTE DISCARDING NONE
1 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
2 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
2 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
根據上述顯示信息中的Alternate端口(阻塞端口),可以繪出各VLAN所對應MSTI的拓撲,如圖4所示。
圖4 某鏈路斷開後MSTI 0~2的拓撲
可以看到,Device C在MSTI 0~1中的上行鏈路所在端口已從原先的XGE1/0/1切換為XGE1/0/2。
· Device A
#
vlan 1
#
vlan 11 to 30
#
stp region-configuration
region-name test
instance 1 vlan 11 to 20
instance 2 vlan 21 to 30
active region-configuration
#
stp instance 0 to 1 root primary
stp global enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 11 to 30
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 11 to 30
#
interface Ten-GigabitEthernet1/0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 11 to 30
#
· Device B
#
vlan 1
#
vlan 11 to 30
#
stp region-configuration
region-name test
instance 1 vlan 11 to 20
instance 2 vlan 21 to 30
active region-configuration
#
stp instance 0 root secondary
stp instance 2 root primary
stp global enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 11 to 30
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 11 to 30
#
interface Ten-GigabitEthernet1/0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 11 to 30
#
· Device C
#
vlan 1
#
vlan 11 to 30
#
stp region-configuration
region-name test
instance 1 vlan 11 to 20
instance 2 vlan 21 to 30
active region-configuration
#
stp global enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 11 to 30
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 11 to 30
#
· Device D
#
vlan 1
#
vlan 11 to 30
#
stp region-configuration
region-name test
instance 1 vlan 11 to 20
instance 2 vlan 21 to 30
active region-configuration
#
stp instance 0 priority 36864
stp global enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 11 to 30
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 11 to 30
#
如圖5所示:
· Device A和Device B為彙聚層設備,Device C和Device D為接入層設備。
· 假定所有設備的端口路徑開銷相同。
要求通過配置PVST功能,實現:
· 網絡中無二層環路,冗餘鏈路對流量進行負載分擔。
· VLAN 10、20、30中的報文分別按照其VLAN所對應的生成樹轉發。
圖5 PVST配置組網圖
欲實現按每個VLAN阻塞冗餘鏈路,並使冗餘鏈路承載其他VLAN的流量,需要使不同VLAN所對應生成樹的拓撲不同,來增加冗餘鏈路的利用率。本例配置Device A為VLAN 10和30對應生成樹的根橋,Device B為VLAN 20對應生成樹的根橋。
當設備在指定VLAN中被配置為根橋時,其優先級強製變為0;由於各端口路徑開銷相同,根據STP算法可以得到各VLAN所對應生成樹的拓撲,如圖6所示。
圖6 各VLAN所對應生成樹的拓撲圖
# 創建VLAN 10、20和30。將設備的各端口配置為Trunk端口並允許相應VLAN通過。
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] vlan 20
[DeviceA-vlan20] vlan 30
[DeviceA-vlan30] quit
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-mode bridge
[DeviceA-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 10 20
[DeviceA-Ten-GigabitEthernet1/0/1] undo shutdown
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-mode bridge
[DeviceA-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/2] port trunk permit vlan 20 30
[DeviceA-Ten-GigabitEthernet1/0/2] undo shutdown
[DeviceA-Ten-GigabitEthernet1/0/2] quit
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-mode bridge
[DeviceA-Ten-GigabitEthernet1/0/3] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/3] port trunk permit vlan 10 20 30
[DeviceA-Ten-GigabitEthernet1/0/3] undo shutdown
[DeviceA-Ten-GigabitEthernet1/0/3] quit
# 配置生成樹的工作模式為PVST模式。
[DeviceA] stp mode pvst
# 配置本設備為VLAN 10和30的根橋。
[DeviceA] stp vlan 10 30 root primary
# 全局使能生成樹協議。
[DeviceA] stp global enable
# 創建VLAN 10、20和30。將設備的各端口配置為Trunk端口並允許相應VLAN通過。
<DeviceB> system-view
[DeviceB] vlan 10
[DeviceB-vlan10] vlan 20
[DeviceB-vlan20] vlan 30
[DeviceB-vlan30] quit
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] port link-mode bridge
[DeviceB-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/1] port trunk permit vlan 20 30
[DeviceB-Ten-GigabitEthernet1/0/1] undo shutdown
[DeviceB-Ten-GigabitEthernet1/0/1] quit
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port link-mode bridge
[DeviceB-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/2] port trunk permit vlan 10 20
[DeviceB-Ten-GigabitEthernet1/0/2] undo shutdown
[DeviceB-Ten-GigabitEthernet1/0/2] quit
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] port link-mode bridge
[DeviceB-Ten-GigabitEthernet1/0/3] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/3] port trunk permit vlan 10 20 30
[DeviceB-Ten-GigabitEthernet1/0/3] undo shutdown
[DeviceB-Ten-GigabitEthernet1/0/3] quit
# 配置生成樹的工作模式為PVST模式。
[DeviceB] stp mode pvst
# 配置本設備為VLAN 20的根橋。
[DeviceB] stp vlan 20 root primary
# 全局使能生成樹協議。
[DeviceB] stp global enable
# 創建VLAN 10和20。將設備的各端口配置為Trunk端口並允許相應VLAN通過。
<DeviceC> system-view
[DeviceC] vlan 10
[DeviceC-vlan10] vlan 20
[DeviceC-vlan20] quit
[DeviceC] interface range ten-gigabitethernet 1/0/1 ten-gigabitethernet 1/0/2
[DeviceC-if-range] port link-mode bridge
[DeviceC-if-range] port link-type trunk
[DeviceC-if-range] port trunk permit vlan 10 20
[DeviceC-if-range] undo shutdown
[DeviceC-if-range] quit
# 配置生成樹的工作模式為PVST模式。
[DeviceC] stp mode pvst
# 全局使能生成樹協議。
[DeviceC] stp global enable
# 創建VLAN 20和30。將設備的各端口配置為Trunk端口並允許相應VLAN通過。
<DeviceD> system-view
[DeviceD] vlan 20
[DeviceD-vlan20] vlan 30
[DeviceD-vlan30] quit
[DeviceD] interface range ten-gigabitethernet 1/0/1 ten-gigabitethernet 1/0/2
[DeviceD-if-range] port link-mode bridge
[DeviceD-if-range] port link-type trunk
[DeviceD-if-range] port trunk permit vlan 20 30
[DeviceD-if-range] undo shutdown
[DeviceD-if-range] quit
# 配置生成樹的工作模式為PVST模式。
[DeviceD] stp mode pvst
# 全局使能生成樹協議。
[DeviceD] stp global enable
# 查看Device A上生成樹的簡要信息。
[DeviceA] display stp brief
VLAN ID Port Role STP State Protection
1 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
1 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/3 ALTE DISCARDING NONE
10 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
10 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/1 ALTE DISCARDING NONE
20 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
30 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
30 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
# 查看Device B上生成樹的簡要信息。
[DeviceB] display stp brief
VLAN ID Port Role STP State Protection
1 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
1 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
10 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
10 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
30 Ten-GigabitEthernet1/0/1 ALTE DISCARDING NONE
30 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
# 查看Device C上生成樹的簡要信息。
[DeviceC] display stp brief
VLAN ID Port Role STP State Protection
1 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
10 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
10 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
# 查看Device D上生成樹的簡要信息。
[DeviceD] display stp brief
VLAN ID Port Role STP State Protection
1 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
1 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
20 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
30 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
30 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
根據上述顯示信息中VLAN 10、20和30的Alternate端口(阻塞端口),可以繪出各VLAN所對應生成樹的拓撲,如圖7所示。
圖7 VLAN10、20、30所對應生成樹的拓撲圖
可以看到,PVST通過按VLAN阻塞冗餘鏈路,消除了二層環路;由於各VLAN流量沿不同路徑轉發,實現了冗餘鏈路的負載分擔。
· Device A
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
stp vlan 10 30 root primary
stp mode pvst
stp global enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 20 30
#
interface Ten-GigabitEthernet1/0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20 30
#
· Device B
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
stp vlan 20 root primary
stp mode pvst
stp global enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 20 30
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
#
interface Ten-GigabitEthernet1/0/3
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20 30
#
· Device C
#
vlan 1
#
vlan 10
#
vlan 20
#
stp mode pvst
stp global enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 10 20
#
· Device D
#
vlan 1
#
vlan 20
#
vlan 30
#
stp mode pvst
stp global enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 20 30
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 20 30
#
如圖8所示,用戶局域網內采用分層組網:
· Device A為核心層設備,Device B、Device C為彙聚層設備,Device D、Device E為接入層設備。
· 假定所有設備的端口路徑開銷相同。
現要求使用RSTP技術阻斷二層環路,實現鏈路備份。具體應用需求如下:
· 配置Device A為根橋,並保護根橋不被維護人員的錯誤配置或網絡中的惡意攻擊影響。
· Device C作為Device B的備份——當Device B出現故障的時候,由Device C轉發數據。
· 配置Device D、E與用戶直接相連的端口為邊緣端口,並使能BPDU保護功能。
圖8 RSTP配置組網圖
· 要使Device C成為Device B的備份,就給Device B配置較高的橋優先級。本例中配置Device B的優先級為4096,Device C為8192。
· 要使Device A成為根橋,需要使它的橋ID(優先級+MAC地址)在全網最小。本例中Device A的MAC地址小於Device B(如圖9所示),配置Device A的優先級為4096就可以使它成為根橋。
要配置一台設備為根橋,也可以用stp root primary或stp priority 0命令將其優先級變為0。
· 為了維持根橋的穩定,在Device A、B、C的指定端口上開啟根保護功能。要找到指定端口,可以在完成本例的配置步驟後,在各設備上用display stp brief命令查找角色為DESI的端口;或者根據STP算法預測如圖9所示的生成樹拓撲和指定端口信息。
圖9 RSTP拓撲圖
# 配置設備工作在RSTP模式。
<DeviceA> system-view
[DeviceA] stp mode rstp
# 配置設備的優先級為4096。
[DeviceA] stp priority 4096
# 全局使能生成樹協議。
[DeviceA] stp global enable
# 在與Device B、C相連的指定端口上啟動根保護功能。
[DeviceA] interface range ten-gigabitethernet 1/0/1 ten-gigabitethernet 1/0/2
[DeviceA-if-range] port link-mode bridge
[DeviceA-if-range] stp root-protection
[DeviceA-if-range] undo shutdown
[DeviceA-if-range] quit
# 配置設備工作在RSTP模式。
<DeviceB> system-view
[DeviceB] stp mode rstp
# 配置設備的優先級為4096。
[DeviceB] stp priority 4096
# 全局使能生成樹協議。
[DeviceB] stp global enable
# 在各指定端口上啟動根保護功能。
[DeviceB] interface range ten-gigabitethernet 1/0/1 to ten-gigabitethernet 1/0/3
[DeviceB-if-range] port link-mode bridge
[DeviceB-if-range] stp root-protection
[DeviceB-if-range] undo shutdown
[DeviceB-if-range] quit
# 開啟其他端口。
[DeviceB] interface ten-gigabitethernet 1/0/4
[DeviceB-Ten-GigabitEthernet1/0/4] port link-mode bridge
[DeviceB-Ten-GigabitEthernet1/0/4] undo shutdown
[DeviceB-Ten-GigabitEthernet1/0/4] quit
# 配置設備工作在RSTP模式。
<DeviceC> system-view
[DeviceC] stp mode rstp
# 配置設備的優先級為8192。
[DeviceC] stp priority 8192
# 全局使能生成樹協議。
[DeviceC] stp global enable
# 在各指定端口上啟動根保護功能。
[DeviceC] interface range ten-gigabitethernet 1/0/1 to ten-gigabitethernet 1/0/2
[DeviceC-if-range] port link-mode bridge
[DeviceC-if-range] stp root-protection
[DeviceC-if-range] undo shutdown
[DeviceC-if-range] quit
# 開啟其他端口。
[DeviceC] interface range ten-gigabitethernet 1/0/3 to ten-gigabitethernet 1/0/4
[DeviceC-if-range] port link-mode bridge
[DeviceC-if-range] undo shutdown
[DeviceC-if-range] quit
Device D、E的配置相同,這裏以Device D為例。
# 配置設備工作在RSTP模式。
<DeviceD> system-view
[DeviceD] stp mode rstp
# 全局使能生成樹協議。
[DeviceD] stp global enable
# 將與用戶直接相連的端口配置為邊緣端口(此處僅以Ten-GigabitEthernet1/0/4為例),並使能BPDU保護功能。
[DeviceD] interface ten-gigabitethernet 1/0/4
[DeviceD-Ten-GigabitEthernet1/0/4] port link-mode bridge
[DeviceD-Ten-GigabitEthernet1/0/4] stp edged-port
[DeviceD-Ten-GigabitEthernet1/0/4] undo shutdown
[DeviceD-Ten-GigabitEthernet1/0/4] quit
[DeviceD] stp bpdu-protection
# 開啟其他端口。
[DeviceD] interface range ten-gigabitethernet 1/0/1 to ten-gigabitethernet 1/0/2
[DeviceD-if-range] port link-mode bridge
[DeviceD-if-range] undo shutdown
[DeviceD-if-range] quit
(1) 查看生成樹實例拓撲信息
# 查看Device A上生成樹的簡要信息。
[DeviceA] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
# 查看Device B上生成樹的簡要信息。
[DeviceB] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/4 ROOT FORWARDING NONE
# 查看Device C上生成樹的簡要信息。
[DeviceC] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/3 ALTE DISCARDING NONE
0 Ten-GigabitEthernet1/0/4 ROOT FORWARDING NONE
# 查看Device D上生成樹的簡要信息。
[DeviceD] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
0 Ten-GigabitEthernet1/0/4 DESI FORWARDING BPDU
# 查看Device E上生成樹的簡要信息。
[DeviceE] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 ALTE DISCARDING NONE
0 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
0 Ten-GigabitEthernet1/0/4 DESI FORWARDING BPDU
根據上述顯示信息(角色為ALTE的是阻塞端口,DESI是指定端口,ROOT是根端口),可以繪出生成樹的拓撲,如圖10所示。
圖10 RSTP拓撲示意圖
(2) 驗證根橋保護功能
# 初始狀態,Device D認為Device A是根橋。
[DeviceD] display stp
-------[CIST Global Info] [Mode RSTP] -------
Bridge ID : 32768.00e0-fc00-c518
Bridge times : Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
Root ID/ERPC : 4096.0000-fc00-47cd, 40
RegRoot ID/IRPC : 32768.00e0-fc00-c518, 0
...
可以看到,Device D上的根橋ID為Device A的橋ID。
# 出於攻擊根橋的目的,將Device D的橋優先級設為0(比合法根橋Device A的優先級更高),使Device D認為自己是根橋,並往外發送根橋ID為0.00e0-fc00-c518的BPDU。
[DeviceD] stp priority 0
[DeviceD] display stp
-------[CIST Global Info] [Mode RSTP] -------
Bridge ID : 0.00e0-fc00-c518
Bridge times : Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
Root ID/ERPC : 0.00e0-fc00-c518, 0
RegRoot ID/IRPC : 0.00e0-fc00-c518, 0
...
# 將Device E的橋優先級也設為0,使它認為自己是根橋,並往外發送根橋ID為0.7425-8a0f-8000的BPDU。
[DeviceE] stp priority 0
[DeviceE] display stp
-------[CIST Global Info] [Mode RSTP] -------
Bridge ID : 0.7425-8a0f-8000
Bridge times : Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
Root ID/ERPC : 0.7425-8a0f-8000, 0
RegRoot ID/IRPC : 0.7425-8a0f-8000, 0
...
# 查看Device B、C上的生成樹信息。
[DeviceB] display stp
-------[CIST Global Info] [Mode RSTP] -------
Bridge ID : 4096.7425-8a02-4c00
Bridge times : Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
Root ID/ERPC : 4096.0000-fc00-47cd, 20
RegRoot ID/IRPC : 4096.7425-8a02-4c00, 0
...
[DeviceC] display stp
-------[CIST Global Info] [Mode RSTP] -------
Bridge ID : 8192.0cda-41b1-d1c0
Bridge times : Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
Root ID/ERPC : 4096.0000-fc00-47cd, 20
RegRoot ID/IRPC : 8192.0cda-41b1-d1c0, 0
...
可以看到Device B、C的根橋ID仍為Device A的橋ID。這是因為Device B、C上與Device D、E相連的指定端口均開啟了根保護功能,不受優先級更高的BPDU影響。
# 此時如果把Device B的指定端口(例如連接Device E的Ten-GigabitEthernet1/0/2)去掉根保護功能,則會導致Device B上原有合法根橋Device A失去根橋的地位,引起網絡拓撲結構的錯誤變動。
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] undo stp root-protection
[DeviceB-Ten-GigabitEthernet1/0/2] display stp
-------[CIST Global Info] [Mode RSTP] -------
Bridge ID : 4096.7425-8a02-4c00
Bridge times : Hello 2s MaxAge 20s FwdDelay 15s MaxHops 20
Root ID/ERPC : 0.7425-8a0f-8000, 20
...
[DeviceB-Ten-GigabitEthernet1/0/2] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 DESI DISCARDING ROOT
0 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
0 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/4 DESI FORWARDING NONE
(3) 驗證鏈路備份功能
# 假設Device B因故障重啟。在Device B恢複正常前,查看Device A、C、D、E上生成樹的簡要信息。
[DeviceA] dis stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/2 DESI FORWARDING ROOT
[DeviceC] dis stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 Ten-GigabitEthernet1/0/2 DESI FORWARDING ROOT
0 Ten-GigabitEthernet1/0/4 ROOT FORWARDING NONE
[DeviceD] dis stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
0 Ten-GigabitEthernet1/0/4 DESI FORWARDING BPDU
[DeviceE] dis stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 Ten-GigabitEthernet1/0/4 DESI FORWARDING BPDU
可見Device D、E上原先阻塞的端口變為根端口並進入轉發狀態。
根據上述顯示信息可以繪出生成樹的拓撲,如圖11所示。可見Device B故障的時候由Device C轉發數據。
(4) 驗證BPDU保護功能
# 以Device D上的邊緣端口XGE1/0/4為例,當它收到BPDU報文時,端口自動進入down狀態,以保護生成樹拓撲不受外來BPDU影響。可通過以下命令查看被生成樹保護功能down掉的端口信息。
[DeviceD] display stp down-port
Down Port Reason
Ten-GigabitEthernet1/0/4 BPDU-Protected
# 當對端不再發送BPDU報文時,邊緣端口XGE1/0/4恢複Up狀態。
[DeviceD] display interface brief | include UP
InLoop0 UP UP(s) --
M-E0/0/0 UP UP 192.168.2.125
NULL0 UP UP(s) --
XGE1/0/1 UP 1G(a) F(a) T 1
XGE1/0/2 UP 1G(a) F(a) T 1
XGE1/0/4 UP 1G(a) F(a) A 1
· Device A
#
vlan 1
#
stp instance 0 priority 4096
stp mode rstp
stp global enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
stp root-protection
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
stp root-protection
#
· Device B
#
vlan 1
#
stp instance 0 priority 4096
stp mode rstp
stp global enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
stp root-protection
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
stp root-protection
#
interface Ten-GigabitEthernet1/0/3
port link-mode bridge
stp root-protection
#
interface Ten-GigabitEthernet1/0/4
port link-mode bridge
#
· Device C
#
vlan 1
#
stp instance 0 priority 8192
stp mode rstp
stp global enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
stp root-protection
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
stp root-protection
#
interface Ten-GigabitEthernet1/0/3
port link-mode bridge
#
interface Ten-GigabitEthernet1/0/4
port link-mode bridge
#
· Device D、E
#
vlan 1
#
stp mode rstp
stp bpdu-protection
stp global enable
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
#
interface Ten-GigabitEthernet1/0/2
port link-mode bridge
#
interface Ten-GigabitEthernet1/0/4
port link-mode bridge
stp edged-port
#
· H3C S10500係列交換機 二層技術-以太網交換配置指導-R758X
· H3C S10500係列交換機 二層技術-以太網交換命令參考-R758X
不同款型規格的資料略有差異, 詳細信息請向具體銷售和400谘詢。H3C保留在沒有任何通知或提示的情況下對資料內容進行修改的權利!
支持
