Switch management lab

Lab topology diagram (the image is not reproduced in this text).

Lab steps:

1. Configure the addresses:
   PC IP address: 192.168.88.108/24, default gateway 192.168.88.202
   ED-SW vlan1 IP address: 192.168.88.203/24, default gateway 192.168.88.202
   Core2 vlan1 IP address: 192.168.88.202/24, IP routing enabled
   All ports are set to access mode, STP portfast is enabled, and all ports belong to vlan1.

ED-SW:
interface range FastEthernet0/1 - 24
 switchport mode access          // set the interfaces to access mode; all interfaces belong to Vlan1 by default
 spanning-tree portfast
interface Vlan1                  // enter configuration mode for the vlan1 virtual interface
 ip address 192.168.88.203 255.255.255.0   // the L2 switch's IP address is for management only; it cannot serve as the hosts' default gateway
 no shutdown
ip default-gateway 192.168.88.202   // set the switch's default gateway

Core2:
interface range FastEthernet0/1 - 24
 switchport mode access
 spanning-tree portfast
interface Vlan1
 ip address 192.168.88.202 255.255.255.0   // the L3 switch's SVI address can serve both as the management address and as the gateway address
 no shutdown
ip routing                       // enable the L3 switch's routing function

2. Verify that the PC can ping ED-SW and Core2

C:\Documents and Settings\shkx>ping 192.168.88.203
Pinging 192.168.88.203 with 32 bytes of data:
Request timed out.               // the first time the PC talks to ED-SW it must learn the peer's ARP entry, so the first packet is lost
Reply from 192.168.88.203: bytes=32 time=58ms TTL=255
Reply from 192.168.88.203: bytes=32 time=2ms TTL=255
Reply from 192.168.88.203: bytes=32 time=2ms TTL=255
Ping statistics for 192.168.88.203:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 58ms, Average = 20ms

C:\Documents and Settings\pine>ping 192.168.88.202
Pinging 192.168.88.202 with 32 bytes of data:
Request timed out.
Reply from 192.168.88.202: bytes=32 time=57ms TTL=255
Reply from 192.168.88.202: bytes=32 time=1ms TTL=255
Reply from 192.168.88.202: bytes=32 time=1ms TTL=255
Ping statistics for 192.168.88.202:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 57ms, Average = 19ms

3. Configure ED-SW and Core2 to accept remote telnet connections

Core2(config)#line vty 0 4              // enter vty configuration mode
Core2(config-line)#login                // allow remote login
Core2(config-line)#password step-lab    // set the telnet password
Core2(config)#enable secret step-lab    // set the enable-mode password
ED-SW(config)#line vty 0 4
ED-SW(config-line)#login
ED-SW(config-line)#password step-lab
ED-SW(config)#enable secret step-lab

4. Verify remote telnet login

PC DOS window>telnet 192.168.88.202
User Access Verification
Password:                               // enter the telnet password here
Core2>
Core2>
DOS window>telnet 192.168.88.203
User Access Verification
Password:
ED-SW>
ED-SW>

5. When the data VLAN and the management VLAN are the same, management is convenient, but security is somewhat weaker.
In the following steps, the data VLAN and the management VLAN are logically separated.
   ED-SW vlan10 IP address: 192.168.10.203/24, default gateway 192.168.10.202
   Core2 vlan10 IP address: 192.168.10.202/24, IP routing enabled globally
   Core2 vlan1 IP address: 192.168.88.202/24
   The link between Core2 and ED-SW is set to trunk; all other ports are set to access mode, STP portfast is enabled, and they belong to vlan1.
   On top of the existing configuration, add the following commands:

ED-SW:
interface Vlan10
 ip address 192.168.10.203 255.255.255.0   // the management address moves to the new IP address
 no shutdown
interface Vlan1
 no ip address
 shutdown
ip default-gateway 192.168.10.202
interface FastEthernet0/24
 switchport mode trunk

Core2:
interface Vlan10
 ip address 192.168.10.202 255.255.255.0
 no shutdown
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk

6. Verify that the PC can manage ED-SW across VLANs

PC DOS>telnet 192.168.10.203   // the PC is still in vlan1, while the C2950's management address is now configured on Vlan10
User Access Verification
Password:
ED-SW>
ED-SW>

7. At this point both Core2 and the PC can log in to ED-SW remotely

Core2#telnet 192.168.10.203
Trying 192.168.10.203 ... Open
User Access Verification
Password:
ED-SW>
ED-SW>

8. If the switch supports only telnet and not SSH, an ACL can be applied with the access-class command to restrict access to specific source IP addresses, which improves security.

ED-SW:
access-list 1 permit host 192.168.88.108
line vty 0 4
 access-class 1 in

9. Verify the effect of the restriction

PC DOS>telnet 192.168.10.203
User Access Verification
Password:
ED-SW>                          // now only this PC can log in to ED-SW
ED-SW>
Core2#telnet 192.168.10.203
Trying 192.168.10.203 ...
% Connection refused by remote host   // Core2's login to ED-SW is refused
Core2#

10. Configure ED-SW to allow SSH login

ED-SW(config)#ip domain-name            // set the domain name, which is used when generating the RSA key
ED-SW(config)#crypto key generate rsa   // RSA key generation command
The name for the keys will be:
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:     // RSA key length
Generating RSA keys ...
[OK]
01:54:49: %SSH-5-ENABLED: SSH 1.99 has been enabled   // once the RSA key is generated the system enables SSH automatically, in Version 1-compatible mode (1.99)
ED-SW(config)#ip ssh version 2          // SSH Version 2 is recommended; it is more secure
ED-SW(config)#username pine privilege 15 secret step-lab   // set a local user's password and the corresponding privilege level
ED-SW(config)#line vty 0 4
ED-SW(config-line)#transport input ssh  // allow only SSH remote login
ED-SW(config-line)#login local

11. Verify

PC DOS>telnet 192.168.10.203
正在连接到192.168.10.203...不能打开到主机的连接,在端口 23: 连接失败   // port 23 (telnet) is now closed by the system

This lab uses SecureCRT as the SSH client.
Open the SecureCRT main window → Quick Connect → enter the hostname or IP address → enter the username → click "Connect".
SecureCRT asks whether to accept the switch's RSA public key; click "Accept & Save"   // the public key is used to encrypt the shared random key; the switch's private key decrypts it
Enter the username and password to log in:
ED-SW#

12. Configure SPAN: copy all inbound and outbound traffic of ED-SW port F0/2 to port F0/3   // this port is usually connected to an IDS, a sniffer tool, etc.

ED-SW(config)#monitor session 1 source interface f0/2 both              // set the source port, traffic in both directions
ED-SW(config)#monitor session 1 destination interface fastEthernet 0/3   // set the destination port

13. Verify the configuration

ED-SW#sh monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
Both : Fa0/2
Destination Ports : Fa0/3
Encapsulation : Native
Ingress: Disabled

14. Lab complete.
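The vty hardening applied in steps 8 to 11 (access-class ACL, SSH-only transport, SSH version 2, local login) can be checked mechanically against a saved running-config. The script below is an added example written for this page, not part of the lab or of any Cisco tool: it parses a constructed running-config excerpt built from the lab's ED-SW commands (the domain name is a placeholder, since the lab leaves it blank), evaluates the standard ACL with IOS semantics (first match wins, implicit deny at the end), and reports which of the lab's hardening points are missing. The "before" excerpt models the telnet-only state from step 3.

```python
"""Audit Cisco IOS vty management settings (added example, not from the lab).

Checks: access-class ACL on the vty lines, transport restricted to SSH,
SSH version 2 enforced, and local username/secret login instead of a shared
line password. Standard-ACL evaluation: first match wins, implicit deny.
"""
import ipaddress
import re

# Constructed running-config excerpt from the lab's final ED-SW commands.
# The domain name is a placeholder; the lab leaves it blank.
EDSW_AFTER = """\
ip domain-name lab.example
ip ssh version 2
username pine privilege 15 secret step-lab
access-list 1 permit host 192.168.88.108
line vty 0 4
 access-class 1 in
 transport input ssh
 login local
"""

# Constructed excerpt matching the lab's step 3 state: telnet, shared password.
EDSW_BEFORE = """\
line vty 0 4
 login
 password step-lab
"""


def parse_ace(spec):
    """Turn the address part of a standard ACE into an ip_network."""
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    if len(parts) == 1:                      # bare address means a single host
        return ipaddress.ip_network(parts[0] + "/32")
    # 'address wildcard': ipaddress accepts an IOS wildcard as a host mask
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_config(text):
    """Collect numbered ACLs, 'line vty' sub-commands and the SSH version."""
    cfg = {"acls": {}, "vty": {}, "ssh_version": None}
    in_vty = False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if raw[0] != " ":                    # top-level command
            in_vty = line.startswith("line vty")
            m = re.match(r"access-list (\d+) (permit|deny) (.+)$", line)
            if m:
                cfg["acls"].setdefault(m.group(1), []).append(
                    (m.group(2), parse_ace(m.group(3))))
            elif line.startswith("ip ssh version "):
                cfg["ssh_version"] = line.split()[-1]
        elif in_vty:                         # sub-command under 'line vty'
            key, _, value = line.partition(" ")
            if key == "transport":           # 'transport input ssh' -> key 'transport input'
                sub, _, value = value.partition(" ")
                key = f"{key} {sub}"
            cfg["vty"][key] = value
    return cfg


def acl_permits(acl, source_ip):
    """First matching entry decides; no match falls through to the implicit deny."""
    src = ipaddress.ip_address(source_ip)
    for action, network in acl:
        if src in network:
            return action == "permit"
    return False


def vty_access_allowed(cfg, source_ip):
    """Does the access-class let a session from source_ip reach the vty lines?"""
    access_class = cfg["vty"].get("access-class")
    if access_class is None:
        return True                          # no access-class: any reachable host may try
    number = access_class.split()[0]
    return acl_permits(cfg["acls"].get(number, []), source_ip)


def audit(cfg):
    """Return the findings; an empty list matches the lab's final ED-SW state."""
    findings = []
    vty = cfg["vty"]
    if "access-class" not in vty:
        findings.append("no access-class on vty: any source IP may attempt to log in")
    transport = vty.get("transport input", "all")
    if transport != "ssh":
        findings.append(f"transport input {transport}: telnet carries credentials in clear text")
    if cfg["ssh_version"] != "2":
        findings.append("ip ssh version 2 not set: SSHv1-compatible mode is accepted")
    if vty.get("login") != "local":
        findings.append("login is not local: shared line password instead of per-user secrets")
    return findings


if __name__ == "__main__":
    for name, text in (("before", EDSW_BEFORE), ("after", EDSW_AFTER)):
        cfg = parse_config(text)
        print(name, audit(cfg) or "no findings")
        for ip in ("192.168.88.108", "192.168.10.202"):
            print(f"  vty reachable from {ip}: {vty_access_allowed(cfg, ip)}")
```

With the "after" excerpt the audit returns no findings, the PC's address 192.168.88.108 is permitted and any other source (for instance Core2's vlan10 SVI address 192.168.10.202, which is the assumed source of the refused telnet in step 9) falls through to the implicit deny, matching the "% Connection refused by remote host" result the lab shows. Note that an access-class only filters who may open the session; it does not protect the clear-text password on the wire, which is why the lab moves on to SSH.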
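The SPAN verification in step 13 is something a monitoring team repeats whenever the switch configuration changes, so it is worth parsing rather than eyeballing. The following is an added example for this page, not code from the lab or from Cisco: it parses a `show monitor session` listing (the sample text is reconstructed from the lab's step 13 output) and checks it against the intended design from step 12, namely that F0/2 is mirrored in both directions onto F0/3, that F0/3 is only a destination, and that ingress on the destination port stays disabled so the attached IDS or sniffer cannot send frames back into the network.

```python
"""Verify a local SPAN session from 'show monitor session' output
(added example, not from the lab). The sample below is reconstructed from
the lab's step 13 listing."""
import re

SHOW_MONITOR = """\
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa0/2
Destination Ports      : Fa0/3
Encapsulation          : Native
Ingress                : Disabled
"""


def split_ports(value):
    """'Fa0/2, Fa0/4' -> ['Fa0/2', 'Fa0/4']; an empty value gives []."""
    return [p.strip() for p in value.split(",") if p.strip()]


def parse_monitor_session(text):
    """Return {'id', 'source': {direction: [ports]}, 'destination': [ports], 'ingress'}."""
    session = {"id": None, "source": {}, "destination": [], "ingress": None}
    in_source = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Session (\d+)$", line)
        if m:
            session["id"] = int(m.group(1))
            continue
        if ":" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Source Ports":
            in_source = True                  # direction lines follow, indented
        elif in_source and key in ("Both", "RX Only", "TX Only"):
            session["source"][key.lower()] = split_ports(value)
        else:
            in_source = False
            if key == "Destination Ports":
                session["destination"] = split_ports(value)
            elif key == "Ingress":
                session["ingress"] = value
    return session


def verify_span(session, expected_source, expected_dest):
    """List deviations from the design: expected_source mirrored in both
    directions onto expected_dest, which only receives the copy."""
    problems = []
    if expected_source not in session["source"].get("both", []):
        problems.append(f"{expected_source} is not mirrored in both directions")
    if session["destination"] != [expected_dest]:
        problems.append(f"destination is {session['destination']}, expected [{expected_dest}]")
    mirrored = {p for ports in session["source"].values() for p in ports}
    if expected_dest in mirrored:
        problems.append(f"{expected_dest} is both a source and the destination")
    if session["ingress"] != "Disabled":
        problems.append("ingress enabled: the monitoring host can send frames into the network")
    return problems


if __name__ == "__main__":
    session = parse_monitor_session(SHOW_MONITOR)
    print(session)
    print(verify_span(session, "Fa0/2", "Fa0/3") or "SPAN session matches the design")
```

Against the lab's listing the check passes; if someone later adds a second source or turns on ingress for the destination port, the same function reports exactly which expectation broke.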