{"id":426,"date":"2020-04-06T14:44:34","date_gmt":"2020-04-06T12:44:34","guid":{"rendered":"http:\/\/tech.sosthe.sk\/?page_id=426"},"modified":"2020-04-06T15:14:23","modified_gmt":"2020-04-06T13:14:23","slug":"3-nastavenie-interface-portu-access-trunk-port-security","status":"publish","type":"page","link":"http:\/\/tech.sosthe.sk\/index.php\/ccna\/cisco-ios\/3-nastavenie-interface-portu-access-trunk-port-security\/","title":{"rendered":"3. Nastavenie interface \/ portu – access, trunk, port security"},"content":{"rendered":"

Zna\u010denie portov<\/h3>\n

Rozhranie na switchi –\u00a0interfaces<\/strong>\u00a0, s\u00fa hlavne\u00a0fyzick\u00e9 porty<\/em><\/strong>\u00a0a\u00a0VLAN<\/abbr>\u00a0y<\/em><\/strong>\u00a0(presnej\u0161ie virtu\u00e1lny interface pre VLAN – Switch Virtual Interface – SVI).\u00a0Popri tom v\u0161ak existuje cel\u00fd rad \u010fal\u0161\u00edch, napr. EtherChannel (port-channel), s\u00e9riov\u00e1 linka (serial), konzola (console), asynchr\u00f3nne linka (TTY), sie\u0165ov\u00fd termin\u00e1l (VTY) – telnet.<\/p>\n

Fyzick\u00e9 porty<\/strong> switcha sa ozna\u010duj\u00fa (adresuj\u00fa)\u00a0typom<\/em><\/strong>\u00a0, dnes hlavne\u00a0FastEthernet<\/em><\/strong>\u00a0(sta\u010d\u00ed f),\u00a0GigabitEthernet<\/em><\/strong>\u00a0(sta\u010d\u00ed g) a\u00a0TenGigabitEthernet<\/strong><\/em>\u00a0(sta\u010d\u00ed t), a\u00a0\u010d\u00edslom portu<\/em><\/strong>\u00a0.\u00a0\u010c\u00edslo portu<\/strong> je re\u0165azec, ktor\u00fd m\u00e1 tvar pod\u013ea typu switcha.\u00a0Naj\u010dastej\u0161ie je {slot}\/{port}<\/code>alebo\u00a0{stack}\/{slot}\/{port}<\/code>.\u00a0Be\u017en\u00e9 (nemodul\u00e1rne) switche s\u00fa bran\u00e9, ako by boli v slote 0, tak\u017ee pr\u00edklad adresovania (napr\u00edklad pre switch C2690) je\u00a0f0\/1<\/code>a je n\u00edm ozna\u010den\u00fd FastEthernet (100Mbit \/ s) port \u010d\u00edslo 1. Stohovate\u013en\u00e9 switche (podporuj\u00fa stack), ako je potrebn\u00e9 Catalyst 3750, adresujeme napr\u00edkladg1\/0\/1<\/code>, \u010co ozna\u010duje GigabitEthernet (1Gbit \/ s) port, ktor\u00fd je na prvom switchi vo stacku (alebo samostatnom), v slote 0, port \u010d\u00edslo 1.<\/p>\n

Konfigur\u00e1cia portov<\/h3>\n

V\u00fdber portu<\/h4>\n

Ke\u010f chceme konfigurova\u0165 nejak\u00fd interface \/ port, tak sa z privilegovan\u00e9ho m\u00f3du prepneme do konfigur\u00e1cie dan\u00e9ho portu.\u00a0Pre zjednodu\u0161enie m\u00f4\u017eeme konfigurova\u0165 aj viac portov naraz, vtedy sa vyu\u017e\u00edva, v IOSu be\u017en\u00e1 not\u00e1cie,\u00a0poml\u010dka<\/strong><\/em>\u00a0pre ur\u010denie rozsahu (iba v r\u00e1mci stacku \/ slotu, za poml\u010dku zad\u00e1vame \u010d\u00edslo) a\u00a0\u010diarka<\/strong><\/em>\u00a0pre vymenovanie portov (za \u010diarku zad\u00e1vame cel\u00e9 ozna\u010denie portu).<\/p>\n

SWITCH (config) # interface f0 \/ 5 <\/strong>               \/\/ prepneme sa na kofigur\u00e1ciu porta 5 \r\nSWITCH (config) # interface range f0 \/ 1-5, G0 \/ 1 <\/strong>  \/\/ vyberieme porty 1 a\u017e 5 (fast) a 1 (gigabit) \r\nSWITCH ( config-if) #                           \/\/ interface configuration mode<\/span><\/pre>\n
Stav portu, vyp\u00ednanie<\/h4>\n
Interface m\u00f4\u017ee by\u0165 v nieko\u013ek\u00fdch stavoch, navy\u0161e sa m\u00f4\u017eeme pozera\u0165 na\u00a0stav portu glob\u00e1lne<\/strong><\/em>\u00a0(vtedy sa pou\u017e\u00edvaj\u00fa hlavn\u00e9 ozna\u010denie stavov disabled, notconnect, connected) alebo sa pozer\u00e1me zvl\u00e1\u0161\u0165 na\u00a0fyzick\u00fd \/ administra\u010dn\u00e9 stav<\/strong><\/em>\u00a0(administrative status) a\u00a0opera\u010dn\u00e9 stav<\/strong><\/em>\u00a0(operational \/ line status) portu (vtedy sa pou\u017e\u00edva hlavne up, down).\u00a0Interne sa udr\u017euje stav portu oddelene a len pre niektor\u00e9 v\u00fdstupy sa prev\u00e1dza (napr\u00edklad\u00a0show interfaces status<\/code>).\u00a0Administra\u010dn\u00fd stav je ten, ktor\u00fd m\u00f4\u017eeme riadi\u0165 pr\u00edkazmi (pomocou shutdown<\/code>), opera\u010dn\u00fd stav sa nastavuje automaticky pod\u013ea stavu linky.\u00a0Ak v\u0161ak nastav\u00edme administra\u010dn\u00fd stav na down, tak sa aj opera\u010dn\u00fd stav prepne na down. Existuj\u00fa aj r\u00f4zne \u0161peci\u00e1lne stavy ako chyby alebo testovanie.\u00a0Ur\u010dit\u00fd poh\u013ead na najbe\u017enej\u0161ie stavy je:<\/p>\n
    \n
  • vypnut\u00fd – disabled (down, down)<\/strong>\u00a0– nejde cez neho \u017eiadna komunik\u00e1cia<\/li>\n
  • vypnut\u00fd chybou – error-disabled (down, down)<\/strong>\u00a0– nejde cez neho \u017eiadna komunik\u00e1cia, informuje o chybe<\/li>\n
  • zapnut\u00fd nespojen\u00fd – notconnect (up, down)<\/strong>\u00a0– fyzicky nepripojen\u00fd, po zapojen\u00ed komunikuje<\/li>\n
  • zapnut\u00fd spojen\u00fd – connected (up, up)<\/strong>\u00a0– funk\u010dn\u00e9 a komunikuj\u00face<\/li>\n<\/ul>\n
    Pre prep\u00ednanie stavu medzi vypnut\u00fdm a zapnut\u00fdm sl\u00fa\u017eia pr\u00edkazy<\/p>\n
    SWITCH (config-if) # shutdown     <\/strong>\/\/ vypnutie portu \r\nSWITCH (config-if) # no shutdown <\/strong>\/\/ zapnutie portu<\/span><\/pre>\n
    Ak je port v\u00a0error-disabled<\/em><\/strong>\u00a0stave, kam sa m\u00f4\u017ee dosta\u0165 napr\u00edklad v\u010faka chybe v\u00a0spanning tree<\/em>\u00a0alebo\u00a0port security<\/em>\u00a0, treba ho najprv vypn\u00fa\u0165 a a\u017e potom zapn\u00fa\u0165.\u00a0Uv\u00e1dza sa, \u017ee v predvolenom stave s\u00fa interface vypnut\u00e9 (shutdown), ale nie je to pravda \u00faplne v\u017edy.\u00a0Odpor\u00fa\u010dam nepou\u017e\u00edvan\u00e9 porty vyp\u00edna\u0165 (najlep\u0161ie glob\u00e1lne pri \u00favodnej konfigur\u00e1cii) a pri konfigur\u00e1cii portu ho v\u017edy zapn\u00fa\u0165.<\/p>\n
    Z\u00e1kladn\u00e9 vlastnosti portu<\/h4>\n
    Pre port m\u00f4\u017eeme nastavova\u0165 v\u0161eobecn\u00e9 vlastnosti ako je\u00a0duplex, r\u00fdchlos\u0165, opis, MDIX<\/strong><\/em>\u00a0a \u010fal\u0161ie.\u00a0Defaultn\u00e9 nastavenie pre duplex, speed a MDIX je\u00a0auto<\/code>, \u010do je v s\u00fa\u010dasnosti vo v\u00e4\u010d\u0161ine pr\u00edpadov vyhovuj\u00face.\u00a0Vkladanie popisu k jednotliv\u00fdm portom je ur\u010dite dobr\u00fd zvyk a je dobr\u00e9 ho v\u017edy pou\u017e\u00edva\u0165.<\/p>\n
    SWITCH (config-if) # duplex full<\/strong>  \r\nSWITCH (config-if) # speed 100<\/strong>  \r\nSWITCH (config-if) # description 3.14<\/strong> \r\nSWITCH (config-if) # MDIX auto<\/strong><\/span><\/pre>\n
    Nastavenie defaultn\u00fdch hodn\u00f4t pre interface<\/h4>\n
    Zresetovanie nastavenia portu do v\u00fdchodiskov\u00fdch (tov\u00e1rensk\u00fdch) hodn\u00f4t m\u00f4\u017eeme vykona\u0165 jedn\u00fdm pr\u00edkazom.<\/p>\n
    SWITCH (config) # default interface f0 \/ 1<\/strong><\/span><\/pre>\n
    Zobrazenie inform\u00e1ci\u00ed o INTERFACE<\/h4>\n
    O Interface m\u00f4\u017eeme zisti\u0165 ve\u013ek\u00fd rad inform\u00e1ci\u00ed.\u00a0Niektor\u00e9 pr\u00edkazy, ktor\u00e9 m\u00f4\u017eeme pou\u017ei\u0165, s\u00fa nasleduj\u00face.<\/p>\n
    SWITCH # show interfaces<\/strong> \r\nSWITCH # show interfaces status<\/strong> \r\nSWITCH # show interfaces summary<\/strong> \r\nSWITCH # show interfaces switchport<\/strong><\/span><\/pre>\n
    typy interface<\/h4>\n
    Hlavn\u00e9 Interface na switchi s\u00fa:<\/p>\n
      \n
    • fyzick\u00e9 porty<\/strong>\u00a0– switch porty a Routed porty<\/li>\n
    • VLANy<\/strong>\u00a0– Switch Virtual Interface<\/li>\n
    • port channel<\/strong>\u00a0– EtherChannel interface<\/li>\n<\/ul>\n
      switch Port<\/h3>\n
      Switch Port<\/em><\/strong>\u00a0je Layer 2 (2. vrstva OSI modelu) interface asociovan\u00fd s fyzick\u00fdm portom.\u00a0Porty switcha s\u00fa defaultne switch porty a s\u00fa zaraden\u00e9 do jednej alebo viacer\u00fdch VLAN. Parametre, ktor\u00e9 sa t\u00fdkaj\u00fa charakterist\u00edk prep\u00ednanie, sa konfiguruj\u00fa pr\u00edkazomswitchport<\/code>v konfigura\u010dnom m\u00f3de interfacu.\u00a0Switch port m\u00f4\u017ee pracova\u0165 v jednom z nasleduj\u00facich\u00a0m\u00f3dov<\/strong><\/em>\u00a0:<\/p>\n
        \n
      • access<\/em><\/strong>\u00a0– typicky pre koncov\u00fdch zariaden\u00ed (PC, server, tla\u010diare\u0148), prij\u00edma netagovan\u00e9 pakety (bez ur\u010denia VLANy) a zara\u010fuje je tej\u00a0VLAN<\/abbr>\u00a0y, ktor\u00fa m\u00e1 nastaven\u00fa<\/li>\n
      • trunk<\/em><\/strong>\u00a0– in\u00fd switch \u010di akt\u00edvny prvok, komunik\u00e1cia je tagovanie a pren\u00e1\u0161a sa vybran\u00e9\u00a0VLAN<\/abbr>\u00a0y<\/li>\n
      • dynamic<\/em><\/strong>\u00a0– rokuje o stave portu (access alebo trunk) pomocou protokolu DTP<\/li>\n
      • tunnel<\/strong><\/em>\u00a0– vyu\u017e\u00edva IEEE 802.1q Tunneling pre prenos inform\u00e1cie o VLAN cez sie\u0165 ISP<\/li>\n<\/ul>\n
        Nastavenie portu do pr\u00edslu\u0161n\u00e9ho m\u00f3du sa vykon\u00e1va nasleduj\u00facim pr\u00edkazom:<\/p>\n
        SWITCH (config-if) # switchport mode access<\/strong> \r\nSWITCH (config-if) # switchport mode trunk<\/strong> \r\nSWITCH (config-if) # switchport mode dynamic<\/strong> \r\nSWITCH (config-if) # switchport mode dot1q-tunnel<\/strong><\/span><\/pre>\n
        Ak m\u00e1me\u00a0routovanie port<\/strong><\/em>\u00a0, tak ich m\u00f4\u017eeme previes\u0165 na\u00a0switch port<\/strong><\/em>\u00a0pomocou pr\u00edkazu:<\/p>\n
        SWITCH (config-if) # switchport<\/strong><\/span><\/pre>\n
        Access mode<\/strong><\/h4>\n
        Toto je defaultn\u00fd m\u00f3d switch portu.\u00a0Ak je port v\u00a0pr\u00edstupovom m\u00f3de<\/em><\/strong>\u00a0, mali by sme ho zaradi\u0165 do spr\u00e1vnej\u00a0VLAN<\/abbr>\u00a0y.\u00a0M\u00f4\u017ee by\u0165 \u010dlenom len jednej VLANy, v predvolenom stave s\u00fa v\u0161etky porty vo VLAN 1.<\/p>\n
        SWITCH (config-if) # switchport access vlan 100<\/strong><\/span><\/pre>\n
        Mimo manu\u00e1lneho zaradenie portu do VLANy m\u00f4\u017eeme tie\u017e vyu\u017ei\u0165 protokol\u00a0IEEE 802.1x<\/strong><\/em>\u00a0(spolu s RADIUS serverom) alebo dynamick\u00e9 zaradenie pomocou\u00a0VLAN Membership Policy Server<\/strong><\/em>\u00a0(VMPS).<\/p>\n
        Pokia\u013e na\u00a0access port<\/strong><\/em>\u00a0doraz\u00ed tagovan\u00fd paket (s ozna\u010denou VLAN pomocou ISL alebo 802.1q), tak je zahoden\u00fd.<\/p>\n
        \u0160tandardn\u00e1 hodnota\u00a0MTU<\/em><\/strong>\u00a0(Maximum Transmission Unit) pre Ethernet je\u00a01518 B<\/strong>\u00a0, (1500B ve\u013ekos\u0165 paketu + 18B hlavi\u010dka a zakon\u010denie r\u00e1mca).\u00a0Ke\u010f sa pou\u017eije IEEE 802.1q, tak m\u00f4\u017ee pr\u00eds\u0165 r\u00e1mec o 4B v\u00e4\u010d\u0161ie, teda 1522B, ke\u010f sa pou\u017eije ISL, tak o 30B v\u00e4\u010d\u0161\u00ed, \u010do je 1548B.\u00a0Ak port nie je nastaven\u00fd ako trunk a pr\u00edde takto ve\u013ek\u00fd r\u00e1mec, tak sa zahod\u00ed a hl\u00e1si sa ako\u00a0Giant<\/em><\/strong>\u00a0(Jumbo frame).\u00a0V po\u010d\u00edtadl\u00e1ch pre interface sa giant pakety zobrazuj\u00fa.<\/p>\n
        SWITCH # show system MTU<\/strong> \r\nSWITCH (config-if) # system MTU jumbo 9000<\/strong><\/span><\/pre>\n
        Trunk mode<\/strong><\/h4>\n
        Trunk mode<\/em><\/strong>\u00a0sl\u00fa\u017ei prim\u00e1rne k tomu, aby sme viac switchov prepojili medzi sebou a komunik\u00e1cia zostala v spr\u00e1vnej\u00a0VLAN<\/abbr>\u00a0\u0165.\u00a0Dnes sa tie\u017e \u010dasto pou\u017e\u00edva pre pripojenie niektor\u00fdch serverov, ktor\u00e9 potrebuj\u00fa komunikova\u0165 do viacer\u00fdch VLAN.\u00a0Ak by sme switche prepojili access portom, tak by sa pren\u00e1\u0161ala iba komunik\u00e1cie vo\u00a0VLAN<\/abbr>\u00a0\u0165, v ktorej by bol nastaven\u00fd dan\u00fd port a na druhom switchi by bol paket vo\u00a0VLAN<\/abbr>\u00a0\u0165 tohto portu.<\/p>\n
        Ak je port v\u00a0trunk m\u00f3de<\/em><\/strong>\u00a0, je bodov pre konfigur\u00e1ciu viac.\u00a0U vy\u0161\u0161\u00edch modelov switchov (v\u0161eobecne L3 switchov a vy\u0161\u0161ie) vol\u00edme met\u00f3du, ktorou sa k paketom dopl\u0148uje inform\u00e1cie o zaraden\u00ed do VLAN<\/abbr>\u00a0y.\u00a0K dispoz\u00edcii m\u00e1me<\/p>\n
          \n
        • IEEE 802.1q<\/strong>\u00a0– \u0161tandardizovan\u00e1 met\u00f3da, ktor\u00fa podporuj\u00fa v\u0161etky switche.\u00a0Funguje na princ\u00edpe tzv. Tagovanie, do hlavi\u010dky paketu prid\u00e1 4B inform\u00e1ciu (2B – 0x8100 = je to 802.1q \/ 802.1p, 2B – priorita + \u010d\u00edslo VLANy) a prepo\u010d\u00edta CRC.\u00a0Pou\u017e\u00edva sa tie\u017e pre QoS.<\/li>\n
        • Cisco ISL<\/strong>\u00a0– Cisco propriet\u00e1rnu met\u00f3da, ktor\u00fa podporuj\u00fa iba vy\u0161\u0161ie rady switchov.\u00a0Vezme cel\u00fd p\u00f4vodn\u00fd paket a zabal\u00ed ho (encapsulate) ako obsah nov\u00e9ho paketu.\u00a0Prid\u00e1va teda 30B k obsahu.<\/li>\n<\/ul>\n
          SWITCH (config-if) # switchport trunk Encapsulation dot1q<\/strong><\/span><\/pre>\n
          N\u00e1sledne m\u00f4\u017eeme ur\u010di\u0165, ktor\u00e9\u00a0VLAN<\/abbr>\u00a0y chceme, aby sa\u00a0pren\u00e1\u0161ali v danom trunku<\/em><\/strong>\u00a0.\u00a0Defaultne sa pren\u00e1\u0161a v\u0161etky, ale kv\u00f4li bezpe\u010dnosti a prev\u00e1dzky m\u00f4\u017eeme chcie\u0165 niektor\u00e9 VLANy obmedzi\u0165.\u00a0Zadan\u00edm \u010d\u00edsla\u00a0VLAN<\/abbr>\u00a0y (alebo \u010d\u00edsel oddelen\u00fdch \u010diarkou \u010di rozsah s poml\u010dkou) vykon\u00e1me nastavenie a predch\u00e1dzaj\u00face hodnoty sa vyma\u017e\u00fa.\u00a0M\u00f4\u017eeme vyu\u017ei\u0165 tie\u017e pomocn\u00e1 k\u013e\u00fa\u010dov\u00e9 slov\u00e1 pre modifik\u00e1ciu zoznamu\u00a0add<\/code>,\u00a0remove<\/code>,\u00a0all<\/code>,\u00a0none<\/code>,\u00a0except<\/code>.<\/p>\n
          SWITCH (config-if) # switchport trunk allowed vlan 100,200<\/strong> \r\nSWITCH (config-if) # switchport trunk allowed vlan add 300<\/strong><\/span><\/pre>\n
          S\u00favisiacim \u00fadajom je nastavenie\u00a0nat\u00edvny\u00a0VLAN<\/abbr>\u00a0y<\/strong>\u00a0, t\u00e1 sl\u00fa\u017ei na prenos paketov, ktor\u00e9 neboli dan\u00e9 do tejto\u00a0VLAN<\/abbr>\u00a0y.\u00a0Inak povedan\u00e9, ak do portu, ktor\u00fd je nakonfigurovan\u00fd ako trunk, pripoj\u00edme norm\u00e1lny stanicu (ktor\u00e1 nepodporuje trunk), tak bude komunikova\u0165 v tejto VLAN.\u00a0\u0160tandardne je to VLAN 1. D\u00f4le\u017eit\u00e9 je, aby na oboch stran\u00e1ch trunku bola nastaven\u00e1 rovnak\u00e1 nat\u00edvne\u00a0VLAN<\/abbr>\u00a0a.<\/p>\n
          SWITCH (config-if) # switchport trunk native vlan 1<\/strong><\/span><\/pre>\n
          Viac inform\u00e1ci\u00ed o konfigur\u00e1cii VLAN sa nach\u00e1dza v \u010dl\u00e1nku – konfigur\u00e1cia VLAN, VTP\u00a0.<\/p>\n
          dot1q-tunnel mode<\/h4>\n
          IEEE 802.1q Tunneling<\/em><\/strong>\u00a0umo\u017e\u0148uje pren\u00e1\u0161a\u0165 r\u00e1mce, ktor\u00e9 s\u00fa tagovanie na\u0161imi \u010d\u00edslami VLAN, cez sie\u0165 service providera.\u00a0Vykon\u00e1va sa\u00a0dvojit\u00e9 tagovanie<\/em><\/strong>\u00a0, kedy sa pakety, ktor\u00e9 prich\u00e1dza na tunnel port a s\u00fa u\u017e otegov\u00e1ny na\u0161ej VLAN, dopln\u00ed o druh\u00fd tag s \u010d\u00edslom VLANy, ktorou sa pren\u00e1\u0161a v r\u00e1mci siete service providera.<\/p>\n
          Routed Port<\/h3>\n
          Routed Port<\/em><\/strong>\u00a0je fyzick\u00fd port, ktor\u00fd funguje ako Layer 3 (3. vrstva OSI) interface, rovnako ako na routeru, a komunik\u00e1cia prebieha pomocou routovanie.\u00a0Routovanie port nie je zaraden\u00fd do \u017eiadnej VLANy a m\u00f4\u017eeme mu priradi\u0165 L3 adresu (teda IP adresu).\u00a0Tie\u017e nepodporuje \u017eiadne L2 protokoly, ako je DTP a STP.\u00a0Routovanie porty s\u00fa podporovan\u00e9 len na L3 switchoch (tie podporuj\u00fa routovanie).<\/p>\n
          SWITCH (config-if) # no switchport<\/strong> \r\nSWITCH (config-if) # ip address 192.168.100.2 255.255.255.0<\/strong><\/span><\/pre>\n
          port security<\/strong><\/h3>\n
          Port security<\/strong>\u00a0je jednoduch\u00e1 a zauj\u00edmav\u00e1 met\u00f3da zabezpe\u010denia pr\u00edstupu do siete.\u00a0Na portu, kde je nastaven\u00e1, kontroluje, \u010di pakety prich\u00e1dza z povolenej\u00a0MAC adresy<\/em><\/strong>\u00a0.\u00a0Ak teda pou\u017e\u00edvate\u013e pripoj\u00ed do z\u00e1suvky in\u00e9 zariadenie, nebude m\u00f4c\u0165 komunikova\u0165.<\/p>\n
          Pre nastavenie\u00a0Port security<\/em><\/strong>\u00a0mus\u00ed by\u0165 port vo\u00a0statickom m\u00f3de<\/em>\u00a0(trunk, access, ale nie dynamic).\u00a0Zapnutie port security pre dan\u00fd port:<\/p>\n
          SWITCH (config-if) # switchport port-security<\/strong><\/span><\/pre>\n
          M\u00f4\u017eeme nastavi\u0165\u00a0ko\u013eko MAC adries<\/em><\/strong> pre port (alebo ur\u010dit\u00fa VLAN) je povolen\u00e9 (napr\u00edklad ak je do portu pripojen\u00fd switch). Defaultn\u00e1 hodnota 1.<\/p>\n
          SWITCH (config-if) # switchport port-security maximum 1<\/strong><\/span><\/pre>\n
          Ak nezad\u00e1me \u017eiadne povolenej MAC adresy, tak sa pou\u017e\u00edvaj\u00fa adresy dynamicky (do\u010dasne sa ukladaj\u00fa pre aktu\u00e1lnu komunik\u00e1ciu a\u017e do maxima).\u00a0Alebo m\u00f4\u017eeme\u00a0MAC adresy<\/em><\/strong>\u00a0zada\u0165 ru\u010dne ako statick\u00e9 adresy.\u00a0U dynamick\u00fdch adries m\u00f4\u017eeme nastavi\u0165, aby sa tieto adresy ukladali do be\u017eiaci konfigur\u00e1cie (vytvor\u00ed sa statick\u00fd z\u00e1znam, ale ak neulo\u017e\u00edme konfigur\u00e1ciu, tak sa po re\u0161tarte zma\u017e\u00fa).<\/p>\n
          SWITCH (config-if) # switchport port-security mac-address 0018.deda.2990             <\/strong>\/\/ pevn\u00e1 adresa \r\nSWITCH (config-if) # switchport port-security mac-address 0000.02000.0004 vlan 3     <\/strong>\/\/ adresa na trunku vo VLAN 3 \r\nSWITCH (config-if) # switchport port-security mac-address sticky <\/strong>                    \/\/ uklada\u0165 dynamick\u00e9 adresy \r\nSWITCH (config-if) #switchport port-security mac-address 001e.138c.7430 vlan voice <\/strong> \/\/ adresa vo Voice VLAN<\/span><\/pre>\n
          \u010ealej vol\u00edme, \u010do sa deje pri\u00a0poru\u0161en\u00ed pravidiel<\/em><\/strong>\u00a0, teda ak pr\u00edde komunik\u00e1cie z MAC adresy, ktor\u00e1 nie je povolen\u00e1 (a dosiahlo sa maxima).\u00a0Default je shutdown.\u00a0Mo\u017enosti s\u00fa:<\/p>\n
            \n
          • protect<\/strong>\u00a0– nepovolen\u00e1 komunik\u00e1cie je Zahazov\u00e1n\u00ed, povolenej MAC adresy st\u00e1le komunikuj\u00fa<\/li>\n
          • restrict<\/strong>\u00a0– po\u0161le informat\u00edvny SNMP trap<\/li>\n
          • shutdown<\/strong>\u00a0– port sa zablokuje, prepne do stavu\u00a0Error-disabled<\/em>\u00a0(pripom\u00ednam, \u017ee pre op\u00e4tovn\u00e9 zapnutie je potrebn\u00e9 ho najsk\u00f4r vypn\u00fa\u0165)<\/li>\n<\/ul>\n
            SWITCH (config-if) # switchport port-security violation shutdown<\/strong><\/span><\/pre>\n
            Pozn .:<\/strong><\/em>\u00a0K<\/strong>\u00a0p<\/em>oru\u0161eniu pravidiel<\/strong><\/em>\u00a0d\u00f4jde aj v pr\u00edpade, ke\u010f je MAC adresa zadan\u00e1 pre ur\u010dit\u00fd port a t\u00e1to adresa sa objav\u00ed na inom porte tohto switcha.<\/p>\n
            Ak sa port prepne do\u00a0Error-disabled<\/em>\u00a0stavu, tak je treba z\u00e1sah administr\u00e1tora, aby ho op\u00e4\u0165 zapol.\u00a0Je v\u0161ak mo\u017en\u00e9 nastavi\u0165 aj\u00a0automatick\u00e9 znovuzapnutie portu<\/em><\/strong>\u00a0po ur\u010ditej dobe:<\/p>\n
            SWITCH (config) # errdisable recovery cause psecure-violation<\/strong>  \r\nSWITCH (config) # errdisable recovery interval 60 <\/strong>               \/\/ \u010das v sekund\u00e1ch, 60 - 86400\r\n<\/span><\/pre>\n
            Ak chceme, aby sa\u00a0MAC adresy<\/em><\/strong>\u00a0pre port po ur\u010ditej dobe\u00a0automaticky zmazali<\/em><\/strong>\u00a0, m\u00f4\u017eeme pou\u017ei\u0165 k\u013e\u00fa\u010dov\u00e9 slovo\u00a0aging<\/code>v rade variantov.\u00a0Napr\u00edklad ak chceme, aby dynamick\u00e9 adresy mali platnos\u0165 10 min\u00fat:<\/p>\n
            SWITCH (config-if) # switchport port-security aging time 10<\/strong><\/span><\/pre>\n
            V predvolenom stave po zapnut\u00ed\u00a0Port security<\/em><\/strong>\u00a0, je povolen\u00e1 jedna MAC adresa, ktor\u00e1 sa pou\u017e\u00edva dynamicky, teda prv\u00e9 zariadenie, ktor\u00e9 za\u010dne komunikova\u0165.\u00a0Ak sa pok\u00fasi komunikova\u0165 \u010fal\u0161ie zariadenia, d\u00f4jde k zablokovaniu portu.<\/p>\n
            Hlavn\u00e9 pr\u00edkazy pre\u00a0zobrazenie inform\u00e1ci\u00ed<\/em><\/strong>\u00a0o Port security s\u00fa<\/p>\n
            SWITCH # show port-security <\/strong>                 \/\/ info pre v\u0161etky interface \r\nSWITCH # show port-security address <\/strong>         \/\/ tabu\u013eka MAC adries a s\u00favisiace info \r\nSWITCH # show port-security interface f0 \/ 1 <\/strong>  \/\/ detailn\u00e9 info pre ur\u010dit\u00fd interface<\/span><\/pre>\n
            protected port<\/span><\/h3>\n
            Medzi porty, ktor\u00e9 s\u00fa nastaven\u00e9 ako Protected, sa neposiela \u017eiadna komunik\u00e1cia na Layer 2 (broadcast, multicast, unicast), iba komunik\u00e1cie na Layer 3 (teda s IP adresou a pomocou routovanie).<\/p>\n
            SWITCH (config-if) # switchport protected<\/strong><\/span><\/pre>\n
            Viac inform\u00e1ci\u00ed o Protected Port sa nach\u00e1dza v \u010dl\u00e1nku\u00a0– Private VLAN a Protected Port\u00a0.<\/p>\n
            Spanning Tree Protocol<\/h3>\n
            Protokol\u00a0STP<\/strong>\u00a0–\u00a0Spanning Tree Protocol<\/strong>\u00a0sl\u00fa\u017ei na zabr\u00e1nenie vzniku slu\u010diek v sieti, napr\u00edklad pri redundantn\u00e9 topol\u00f3gie alebo pri chybnom prepojen\u00ed switchov.\u00a0Jedn\u00e1 sa o \u0161tandardizovan\u00fd protokol IEEE 802.1D, ku ktor\u00e9mu existuje rad vylep\u0161en\u00fdch verzi\u00ed.\u00a0Funguje na princ\u00edpe n\u00e1jdenie najkrat\u0161ej cesty v ohodnoten\u00fd grafe a nepotrebn\u00e9 porty zablokuje.\u00a0Z\u00e1kladn\u00e1 verzia STP be\u017e\u00ed na switchi defaultne a nie je potrebn\u00e1 \u017eiadna konfigur\u00e1cia.<\/p>\n
            Ak je k dan\u00e9mu portu switcha pripojen\u00e9 zariadenie ako server \u010di pracovnej stanice a teda na tomto porte nem\u00f4\u017ee vznikn\u00fa\u0165 slu\u010dka, tak m\u00f4\u017eeme tento port nastavi\u0165 do m\u00f3du\u00a0portfast<\/code>, ktor\u00fd zabr\u00e1ni \u00favodn\u00e9mu blokovanie portu a port sa v\u00fdrazne r\u00fdchlej\u0161ie zapne.<\/p>\n
            SWITCH (config-if) # spanning-tree portfast<\/strong><\/span><\/pre>\n
            Viac inform\u00e1ci\u00ed o STP sa nach\u00e1dza v \u010dl\u00e1nku\u00a0– Spanning Tree Protocol\u00a0.<\/p>\n
            Nastavenie IP adresy a br\u00e1ny<\/h3>\n
            Niektor\u00fdm interfac\u016fm m\u00f4\u017eeme nastavi\u0165\u00a0IP adresu<\/strong>\u00a0, hlavne sa jedn\u00e1 o VLANy (SVI).\u00a0T\u00e1to adresa sl\u00fa\u017ei prim\u00e1rne na\u00a0komunik\u00e1ciu so switchom<\/em><\/strong>\u00a0, ale aj pre \u010fal\u0161ie slu\u017eby, ako je\u00a0routovanie<\/em><\/strong>\u00a0alebo\u00a0DHCP server<\/em><\/strong>\u00a0.\u00a0Zjednodu\u0161ene m\u00f4\u017eeme poveda\u0165, \u017ee nastavujeme adresu switchu.\u00a0Ak nepou\u017e\u00edvame VLANy, tak ju mus\u00edme nastavi\u0165 na\u00a0VLAN 1<\/strong>\u00a0.\u00a0V opa\u010dnom pr\u00edpade je vhodn\u00e9 ma\u0165 \u0161peci\u00e1lny VLAN pre spr\u00e1vu a tu nastavi\u0165 IP adresu.<\/p>\n
            Adresu m\u00f4\u017eeme nastavi\u0165\u00a0napevno<\/em><\/strong>\u00a0alebo ju necha\u0165 prira\u010fova\u0165\u00a0DHCP serverom<\/em><\/strong>\u00a0.\u00a0Ak nastavujeme adresu napevno, mus\u00edme ju zada\u0165 spolu s maskou siete, v ktorej je t\u00e1to adresa platn\u00e1 (to je z d\u00f4vodu \u010fal\u0161\u00edch slu\u017eieb).<\/p>\n
            SWITCH (config) # interface vlan 1<\/strong> \r\nSWITCH (config-if) # ip address 192.168.190.2 255.255.255.0<\/strong><\/span><\/pre>\n
            V niektor\u00fdch pr\u00edpadoch potrebujeme nastavi\u0165\u00a0adresu br\u00e1ny<\/em><\/strong>\u00a0(gateway address).\u00a0Ak budeme sa switchom komunikova\u0165 iba z lok\u00e1lneho subnetu, tak to nie je potrebn\u00e9.\u00a0V opa\u010dnom pr\u00edpade mus\u00edme adresu nastavi\u0165, aby switch vedel kam posiela\u0165 odpovede.\u00a0Br\u00e1na sa nastavuje pre cel\u00fd switch.<\/p>\n
            SWITCH (config) # ip default-gateway 192.168.190.1<\/strong><\/span><\/pre>\n
            UniDirectional Link Detection – UDLD<\/h3>\n
            Jedn\u00e1 sa o L2 protokol, ktor\u00fd umo\u017e\u0148uje fyzick\u00fa konfigur\u00e1ciu \/ prepojenia prim\u00e1rne optick\u00e9ho k\u00e1bla (fiber-optic), ale aj kr\u00faten\u00e9 dvojlinky (twisted-pair).\u00a0Monitoruje, \u010di nevzniklo len\u00a0jednosmern\u00e9<\/em><\/strong> (unidirectional) spojenie (Tx a Rx).\u00a0Teda u optiky, \u010di nie je preru\u0161en\u00fd jeden z dvojice k\u00e1blov a tie\u017e, \u017ee s\u00fa p\u00e1ry spr\u00e1vne zapojen\u00e9 na oboch stran\u00e1ch.\u00a0U metalick\u00e9ho k\u00e1bla kontroluje, \u017ee nie je preru\u0161en\u00e9 jedno vl\u00e1kno.\u00a0Ak detekuje jednosmern\u00e9 spojenie, tak sa port prepne do error-disabled stavu.\u00a0Rovnak\u00fa konfigur\u00e1ciu je potrebn\u00e9 vykona\u0165 na oboch stran\u00e1ch.<\/p>\n
            Pre v\u0161etky optick\u00e9 porty m\u00f4\u017eeme zapn\u00fa\u0165 glob\u00e1lne.<\/p>\n
            SWITCH (config) # udld enable<\/strong><\/span><\/pre>\n
            Alebo m\u00f4\u017eeme zapn\u00fa\u0165 pre vybran\u00e9 interface, to funguje aj pre metaliku<\/p>\n
            SWITCH (config-if) # udld enable<\/strong><\/span><\/pre>\n
            Zobrazenie inform\u00e1ci\u00ed o UDLD a reset vypnut\u00fdch interface vykon\u00e1me nasledovne.<\/p>\n
            SWITCH # show udld<\/strong>  \r\nSWITCH # udld reset <\/strong>     \/\/ resetuje interface, ktor\u00e9 boli vypnut\u00e9 pomocou UDLD<\/span><\/pre>\n
            Na z\u00e1ver – ukladanie konfigur\u00e1cie<\/h3>\n
            D\u00f4le\u017eit\u00e9 upozornenie.\u00a0Na z\u00e1ver konfigur\u00e1cie treba vykonan\u00e9 zmeny ulo\u017ei\u0165 do startup konfigur\u00e1cie, aby sme o ne pri re\u0161tarte nepri\u0161li.<\/p>\n
            SWITCH # copy running-config startup-config \t <\/strong>\/\/ ulo\u017ei\u0165 \r\nDestination filename [startup-config]?       \/\/ dotaz na meno, stla\u010dte ENTER\r\nBuilding configuration ...\r\n[OK]<\/span><\/pre>\n
            Alebo m\u00f4\u017eeme pou\u017ei\u0165 krat\u0161ie pr\u00edkaz.<\/p>\n
            SWITCH # write<\/strong>\r\nBuilding configuration ...\r\n[OK]<\/span><\/pre>\n
            Pr\u00edklady nastavenia<\/h3>\n
            Nastavenie portu pre u\u017e\u00edvate\u013eov<\/h4>\n
            SWITCH> enable                                 <\/strong>\/\/ prepnutie do privilegovan\u00e9ho m\u00f3du \r\nSWITCH # configure terminal                     <\/strong>\/\/ prepnutie do konfigur\u00e1cie \r\nSWITCH (config) # interface f0 \/ 1 <\/strong>                \/\/ konfigur\u00e1cia dan\u00e9ho portu switcha \r\nSWITCH (config-if) # shutdown                 <\/strong>   \/\/ odpor\u00fa\u010dan\u00e9 najprv vypn\u00fa\u0165 port, mal u\u017e by\u0165 vypnut\u00fd \r\nSWITCH (config-if) # switchport mode access      <\/strong>\/\/ port do pr\u00edstupov\u00e9ho m\u00f3du \r\nSWITCH (config-if) # switchport access vlan 100 <\/strong> \/\/ zaradi\u0165 do patri\u010dnej VLANy \r\nSWITCH (config-if) # description 3.14 <\/strong>           \/\/ popis portu \r\nSWITCH ( config-if) # spanning-tree portfast     <\/strong>\/\/ do z\u00e1suvky je zapojen\u00fd po\u010d\u00edta\u010d, r\u00fdchly n\u00e1beh \r\nSWITCH (config-if) # no shutdown              <\/strong>   \/\/ zapnutia portu \r\nSWITCH (config-if) # exit                     <\/strong>   \/\/ o \u00farove\u0148 sp\u00e4\u0165 \r\nSWITCH (config) # exit                           <\/strong>\/\/ o \u00farove\u0148 sp\u00e4\u0165 \r\nSWITCH # copy running-config startup-config <\/strong>   \/\/ ulo\u017ei\u0165 \r\nDestination filename [startup-config]?       \/\/ dotaz na meno, stla\u010dte ENTER\r\nBuilding configuration ...\r\n[OK]<\/span><\/pre>\n
            Nastavenie portu pre prepojenie medzi switchu – trunk<\/h4>\n
            SWITCH> enable                               <\/strong>\/\/ prepnutie do privilegovan\u00e9ho m\u00f3du \r\nSWITCH # configure terminal                   <\/strong>\/\/ prepnutie do konfigur\u00e1cie \r\nSWITCH (config) # interface g1 \/ 0\/25 <\/strong>           \/\/ konfigur\u00e1cie dan\u00e9ho portu switcha \r\nSWITCH (config-if) # shutdown                  <\/strong>\/\/ odpor\u00fa\u010dan\u00e9 najprv vypn\u00fa\u0165 port, mal u\u017e by\u0165 vypnut\u00fd \r\nSWITCH (config-if) # switchport trunk Encapsulation dot1q    <\/strong>\/\/ nastavenie met\u00f3dy dopl\u0148ovanie inform\u00e1ci\u00ed o VLAN, norma 802.1q, nastavuje sa len na vy\u0161\u0161\u00edch modeloch switchov \r\nSWITCH (config-if) # switchport trunk allowed vlan 2-200     <\/strong>\/ \/ ktor\u00e9 VLANy sa pren\u00e1\u0161a \r\nSWITCH (config-if) #switchport trunk native vlan 1          <\/strong>\/\/ r\u00e1mca bez VLANy sa pren\u00e1\u0161a cez trunk v Native VLAN \r\nSWITCH (config-if) # switchport mode trunk     <\/strong>\/\/ port do TRUNK m\u00f3du \r\nSWITCH (config-if) # switchport nonegotiate    <\/strong>\/\/ nevyjedn\u00e1va sa trunk protokolom DTP  \r\nSWITCH (config-if) # description 3.14 <\/strong>         \/\/ popis portu \r\nSWITCH (config-if) # no shutdown               <\/strong>\/\/ zapnutia portu \r\nSWITCH (config-if) # end <\/strong>                      \/\/ sko\u010d\u00ed rovno do privilegovan\u00e9ho m\u00f3du \r\nSWITCH # write <\/strong>                              \/\/ ulo\u017eenie konfigur\u00e1cie<\/span><\/pre>\n
            Rovnak\u00fa konfigur\u00e1ciu je potrebn\u00e9 vykona\u0165 na druhej strane, teda na druhom switchi a portu, ktor\u00fdm s\u00fa prepojen\u00e9.<\/p>\n
            Nastavenie Port Security<\/h4>\n
            SWITCH> enable                              <\/strong>               \/\/ prepnutie do privilegovan\u00e9ho m\u00f3du \r\nSWITCH # configure terminal                       <\/strong>          \/\/ prepnutie do konfigur\u00e1cie \r\nSWITCH (config) # interface f0 \/ 5 <\/strong>                            \/\/ konfigur\u00e1cie dan\u00e9ho portu switcha \r\nSWITCH (config-if) # switchport port-security <\/strong>               \/\/ zapneme port security \r\nSWITCH (config-if) # switchport port-security maximum 1 <\/strong>     \/\/ po\u010det MAC adries , 1 je default\r\nSWITCH (config-if) # switchport port-security violation shutdown <\/strong> \/\/ pri poru\u0161en\u00ed zablokova\u0165 port , default\r\nSWITCH (config-if) # switchport port-security mac-address sticky <\/strong> \/\/ napevno ulo\u017ei\u0165 dynamick\u00fa MAC adresu \r\nSWITCH (config-if) # ^ Z                       <\/strong>               \/\/ CTRL + Z sko\u010d\u00ed rovno do privilegovan\u00e9ho m\u00f3du \r\nSWITCH # write <\/strong>                                            \/\/ ulo\u017eenie konfigur\u00e1cie<\/span><\/pre>\n","protected":false},"excerpt":{"rendered":"
            Zna\u010denie portov Rozhranie na switchi –\u00a0interfaces\u00a0, s\u00fa hlavne\u00a0fyzick\u00e9 porty\u00a0a\u00a0VLAN\u00a0y\u00a0(presnej\u0161ie virtu\u00e1lny interface pre VLAN – Switch Virtual Interface – SVI).\u00a0Popri tom v\u0161ak existuje cel\u00fd rad \u010fal\u0161\u00edch,…<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":431,"menu_order":2,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/426"}],"collection":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/comments?post=426"}],"version-history":[{"count":4,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/426\/revisions"}],"predecessor-version":[{"id":444,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/426\/revisions\/444"}],"up":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/431"}],"wp:attachment":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/media?parent=426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}