28 September 2010
Etherchannel Lab hands-on
SW1 configuration:
First set the FastEthernet interfaces to 100 Mb/s full duplex
SW1#config t
SW1(config)#interface range fa1/0 -15
SW1(config-if-range)#speed 100
SW1(config-if-range)#dupl
SW1(config-if-range)#duplex full
SW1(config-if-range)#no shutdown
SW1(config-if-range)#exit
Configure the EtherChannel
SW1(config)#int range fa1/0 - 2
SW1(config-if-range)#channel-group 1 mode on
SW1(config-if-range)#exit
Configure the EtherChannel logical interface as a trunk port
SW1(config)#interface port-channel 1
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#exit
Check that Port-channel1 has been created
SW1#show ip interface Port-channel1
Port-channel1 is up, line protocol is up
Internet protocol processing disabled
Configure VTP; set SW1 to server mode
SW1(config)#vtp domain lucky
Changing VTP domain name from NULL to lucky
SW1(config)#vtp mode Server
Device mode already VTP SERVER.
SW1(config)#vtp version 2
Create the VLAN entries
SW1(config)#vlan 10
SW1(config-vlan)#name MIS
SW1(config-vlan)#vlan 20
SW1(config-vlan)#name Sales
SW1(config-vlan)#exit
Assign the FastEthernet interfaces to their VLANs
SW1(config)#interface fa1/10
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#int fa1/11
SW1(config-if)#switch mod access
SW1(config-if)#switchport access vlan 20
SW1(config-if)#exit
SW1(config)#exit
Check the EtherChannel configuration
SW1#show etherchannel ?
1-6 Channel group number
brief Brief information
detail Detail information
load-balance Load-balance/frame-distribution scheme among ports in
port-channel
port Port information
port-channel Port-channel information
summary One-line summary per channel-group
SW2 configuration:
First set the FastEthernet interfaces to 100 Mb/s full duplex
SW2#configure t
SW2(config)#int range fa1/0 -15
SW2(config-if-range)#speed 100
SW2(config-if-range)#duplex full
SW2(config-if-range)#no shutdown
SW2(config-if-range)#exit
Configure the EtherChannel
SW2(config)#int range fa1/0 -2
SW2(config-if-range)#channel-group 1 mode on
SW2(config-if-range)#exit
Configure the EtherChannel logical interface as a trunk port
SW2(config)#interface port-channel 1
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#exit
Configure VTP; set SW2 to client mode
SW2(config)#vtp
SW2(config)#vtp domain lucky
SW2(config)#vtp mode client
SW2(config)#exit
Assign the FastEthernet interfaces to their VLANs
SW2(config)#interface fa1/10
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 10
SW2(config-if)#int fa1/11
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 20
SW2(config-if)#exit
SW2(config)#exit
Test that the hosts can ping each other normally
19 September 2010
VTP LAB hands-on
VTP (VLAN Trunking Protocol): used to advertise and synchronize VLAN information
vtp mode server
This command is executed in global configuration mode and sets the switch as a VTP Server.
This is the default VTP mode for a new switch, with the VTP domain set to NULL.
vtp mode client
This command is executed in global configuration mode and sets the switch as a VTP client which learns its VLAN information from the VTP Server in its specified VTP Domain.
vtp domain domainname
This command is executed in global configuration mode and sets the VTP domain of a device.
vtp version X (X=version 1 or version 2)
This command is executed in global configuration mode and sets the VTP Version of the device.
vtp password
This command is executed in global configuration mode and sets the VTP password to prevent unauthorized VTP Servers and/or Clients in a particular VTP Domain.
show vtp password
This command can only be executed in privileged mode and displays the current VTP Password.
show vtp status
This command can be executed from user or privileged mode to view the current VTP configuration such as VTP mode, Domain, Version, Pruning and more.
show vtp counters
This command can be executed from user or privileged mode to view the current VTP advertisement and pruning statistics.
show interface fa1/0 pruning
This command displays the VTP pruning state of the interface.
Switch 1 configuration
SW1>en
SW1#configure t
Enter configuration commands, one per line. End with CNTL/Z.
First configure the trunk ports
SW1(config)#int range fa1/0 - 2
SW1(config-if-range)#speed 100
SW1(config-if-range)#duplex full
SW1(config-if-range)#no shutdown
SW1(config-if-range)#switchport mode trunk
SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#exit
Configure the VTP role and domain
SW1(config)#vtp mode server
Device mode already VTP SERVER.
SW1(config)#vtp domain lucky
Changing VTP domain name from NULL to lucky
SW1(config)#vtp version 2
SW1(config)#exit
Create the VLAN entries
SW1#configure t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vlan 10
SW1(config-vlan)#name aaa
SW1(config-vlan)#vlan 20
SW1(config-vlan)#name bbb
SW1(config-vlan)#vlan 30
SW1(config-vlan)#name ccc
SW1(config-vlan)#vlan 40
SW1(config-vlan)#name ddd
SW1(config)#exit
SW1#show vtp status
VTP Version : 2
Configuration Revision : 5
Maximum VLANs supported locally : 36
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : lucky
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x9D 0xB2 0x9D 0x4C 0xC5 0xCF 0x0B 0xC9
Configuration last modified by 0.0.0.0 at 3-1-02 00:12:37
Local updater ID is 0.0.0.0 (no valid interface found)
SW1#show int trunk
Switch 2 configuration
SW2>en
SW2#config t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#int fa1/0
SW2(config-if)#speed 100
SW2(config-if)#duplex full
SW2(config-if)#no shutdown
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#exit
SW2(config)#vtp mode client
Setting device to VTP CLIENT mode.
SW2(config)#vtp domain lucky
Changing VTP domain name from NULL to lucky
SW2(config)#exit
SW2#show vtp status
VTP Version : 2
Configuration Revision : 5
Maximum VLANs supported locally : 36
Number of existing VLANs : 9
VTP Operating Mode : Client
VTP Domain Name : lucky
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x9D 0xB2 0x9D 0x4C 0xC5 0xCF 0x0B 0xC9
Configuration last modified by 0.0.0.0 at 3-1-02 00:12:37
Check that the VTP information has synchronized and the VLAN data for the domain has been received
SW2#show vlan-switch brief
Switch 3 configuration
SW3>en
SW3#config t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#int fa1/0
SW3(config-if)#speed 100
SW3(config-if)#duplex full
SW3(config-if)#no shutdown
SW3(config-if)#switchport mode trunk
SW3(config-if)#switchport trunk encapsulation dot1q
SW3(config-if)#exit
SW3(config)#vtp mode client
Setting device to VTP CLIENT mode.
SW3(config)#vtp domain lucky
Changing VTP domain name from NULL to lucky
SW3(config)#exit
Switch 4 configuration
SW4>en
SW4#config t
Enter configuration commands, one per line. End with CNTL/Z.
SW4(config)#int fa1/0
SW4(config-if)#speed 100
SW4(config-if)#duplex full
SW4(config-if)#no shutdown
SW4(config-if)#switchport mode trunk
SW4(config-if)#switchport trunk encapsulation dot1q
SW4(config-if)#exit
SW4(config)#vtp mode client
Setting device to VTP CLIENT mode.
SW4(config)#vtp domain lucky
Changing VTP domain name from NULL to lucky
SW4(config)#exit
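The synchronization check above is done by eye on the two `show vtp status` outputs. As an added example (not part of the original lab), the script below parses that output for several switches and reports when the domain name, version, configuration revision or MD5 digest disagree, or when the domain has more or fewer than one server. SW1 and SW2 are trimmed copies of the outputs shown above; SW3 is a constructed sample with a deliberately different revision and digest.

```python
from typing import Dict, List

# Fields of `show vtp status` that every switch in a synchronized domain should agree on.
FIELDS = ("VTP Version", "Configuration Revision", "VTP Operating Mode",
          "VTP Domain Name", "MD5 digest")

# SW1's output from the post, trimmed to the lines compared here.
SW1_STATUS = """\
VTP Version : 2
Configuration Revision : 5
VTP Operating Mode : Server
VTP Domain Name : lucky
MD5 digest : 0x9D 0xB2 0x9D 0x4C 0xC5 0xCF 0x0B 0xC9
Configuration last modified by 0.0.0.0 at 3-1-02 00:12:37
"""
# SW2 in the post shows identical values in client mode.
SW2_STATUS = SW1_STATUS.replace("Server", "Client")
# Constructed sample (not from the post): a client whose revision and digest drifted.
SW3_STATUS = SW2_STATUS.replace("Revision : 5", "Revision : 7").replace("0x9D 0xB2", "0x11 0x22")


def parse_vtp_status(text: str) -> Dict[str, str]:
    """Extract the compared fields from `show vtp status` output."""
    parsed: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:   # skips the timestamp line, which also contains ':'
            parsed[key.strip()] = value.strip()
    return parsed


def check_vtp_sync(statuses: Dict[str, str]) -> List[str]:
    """Return findings for a set of {switch: show-vtp-status text}; empty means consistent."""
    parsed = {sw: parse_vtp_status(text) for sw, text in statuses.items()}
    findings: List[str] = []
    servers = [sw for sw, p in parsed.items() if p.get("VTP Operating Mode") == "Server"]
    if len(servers) != 1:
        findings.append(f"expected exactly one VTP server, found {len(servers)}: {servers}")
    # A higher revision from any member overwrites the domain's VLAN database,
    # so a revision or digest that differs from the server is worth investigating.
    for field in ("VTP Domain Name", "VTP Version", "Configuration Revision", "MD5 digest"):
        if len({p.get(field) for p in parsed.values()}) > 1:
            detail = ", ".join(f"{sw}={p.get(field)}" for sw, p in parsed.items())
            findings.append(f"{field} differs: {detail}")
    return findings


if __name__ == "__main__":
    for finding in check_vtp_sync({"SW1": SW1_STATUS, "SW2": SW2_STATUS, "SW3": SW3_STATUS}):
        print(finding)
```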
9 September 2010
Configuring a Cisco switch to prevent broadcast storms
When a PC on the LAN is infected with ARP malware, it keeps sending ARP broadcast packets and causes a broadcast storm.
Solution:
Step 1:
First use software to find the MAC address of the infected PC (Wireshark can be used for the analysis).
Step 2:
Use show mac-address-table address 0030.8812.bf7b (the infected PC's MAC) to find the port it is on.
Switch#show mac-address-table address 0030.8812.bf7b
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 112    0030.8812.bf7b    DYNAMIC     Gi1/1/1
Total Mac Addresses for this criterion: 1
Step 3:
In interface configuration mode, use the storm-control broadcast level pps 300 150 command to set the suppression rule.
When broadcast traffic on that port reaches 300 packets/s, blocking starts; when it falls below 150 packets/s, blocking stops.
Switch#show run int Gi1/1/1
Building configuration...
Current configuration : 366 bytes
!
interface GigabitEthernet1/1/1
no switchport
bandwidth 6000
ip address 192.72.143.21 255.255.255.252
no ip redirects
no ip proxy-arp
load-interval 30
speed 100
duplex full
storm-control broadcast level pps 300 150
storm-control multicast level pps 300 150
storm-control action shutdown
storm-control action trap
end
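The rising/falling pair above is a hysteresis: once suppression starts at 300 pps it does not stop until traffic drops below 150 pps. As an added example (not from the original post), the function below replays a constructed sequence of one-second broadcast counts through those two thresholds, and also shows the effect of the `storm-control action shutdown` line in the configuration above: with that action the port is error-disabled on the first storm and stays down, so the falling threshold no longer comes into play.

```python
from typing import List

RISING_PPS = 300   # from `storm-control broadcast level pps 300 150`: suppression starts here
FALLING_PPS = 150  # suppression ends once the one-second count drops below this

# Constructed per-second broadcast counts for the port (not captured from a real device).
SAMPLE_PPS = [40, 120, 310, 280, 200, 140, 90, 350]


def storm_control(samples: List[int], action: str = "filter") -> List[str]:
    """Return the port state after each one-second sample.

    action="filter": excess broadcast frames are dropped while the storm lasts and
    forwarding resumes only when the rate falls below FALLING_PPS (hysteresis).
    action="shutdown": as configured in the post, the port is error-disabled on the
    first interval that reaches RISING_PPS and stays that way until an administrator
    (or errdisable recovery) brings it back.
    """
    states: List[str] = []
    blocking = False
    errdisabled = False
    for pps in samples:
        if errdisabled:
            states.append("err-disabled")
            continue
        if not blocking and pps >= RISING_PPS:
            if action == "shutdown":
                errdisabled = True
                states.append("err-disabled")
                continue
            blocking = True
        elif blocking and pps < FALLING_PPS:
            blocking = False
        states.append("blocking" if blocking else "forwarding")
    return states


if __name__ == "__main__":
    for action in ("filter", "shutdown"):
        print(action, list(zip(SAMPLE_PPS, storm_control(SAMPLE_PPS, action))))
```

Note that the samples at 280 and 200 pps keep the port blocked because they are still above the falling threshold, even though they are below the rising one.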