1. Disable DNS lookup, so that after a mistyped command only "% Incomplete command." is shown
CISCO_2950:
no ip domain-lookup
2. Port mirroring
Mirror all traffic on port 5 to port 7
CISCO_2950:
monitor session 2 source interface Fa0/5
monitor session 2 destination interface Fa0/7 ingress vlan 1
3. Operating mode of the ports that cascade switches together
int fa0/4
sw mode trunk
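4. Introduction to TRUNK
A Trunk port can belong to multiple VLANs and can receive and send frames for multiple VLANs; it is generally used for ports that connect switches to each other. A Hybrid port can also belong to multiple VLANs and can receive and send frames for multiple VLANs; it can be used to connect switches and also to connect users' computers. The difference between a Hybrid port and a Trunk port is that a Hybrid port can send frames of multiple VLANs untagged, whereas a Trunk port sends only frames of the default VLAN untagged. It follows that supporting both Hybrid and Trunk ports on the same switch has no practical value and is easily confusing.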
5. Restoring a CISCO_2950 switch to factory defaults
--------------------------------------------
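The following procedure uses a console connection
1. Power off the switch
2. Hold down the MODE button on the front panel and power on. This enters the switch: prompt
3. flash_init
4. load_helper
5. dir flash:
6. delete flash:config.text
7. delete flash:vlan.dat
8. reset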
--------------------------------------------
flash_init
load_helper
delete flash:config.text
delete flash:vlan.dat
6. On a CISCO2948G, view the MAC addresses of the servers connected to each port:
sh cam dynamic 1
Shows the MAC addresses on each port in VLAN 1.
----------------------------------------------------------------------------------------------------------------
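7. Cisco channel bonding commands:
I am configuring 5 VLANs on a 2924 and want to connect it to a 5505 over 4 links. How should EtherChannel be configured on the two sides? I configure the 2924 via SNMP; after assigning the ports to their VLANs I clicked Apply, so why was all that configuration gone after powering off and restarting? Thanks!
CiscoWorks configuration management changes the configuration by replacing the config file, so the configuration must be imported into the device.
Are the ports on the 2924 FastEthernet? If not, you cannot do EtherChannel.
You can use several trunks with load balancing instead.
The ports on my 2924M-XL are FastEthernet, but it is the Standard edition, not Enterprise, and I have heard it does not support trunking. I have already set up the VLANs, but I don't know whether ports belonging to different VLANs need to be given IP addresses in different subnets?
IP addresses within the same VLAN must be in the same subnet. IP addresses in different VLANs may or may not be in the same subnet, but traffic between different VLANs must go through routing.
VLANs have little to do with IP. The proper configuration is as described, but it also works if you don't set it up that way: put multiple IP interfaces in one VLAN and add a few more routes.
The question is how I should now connect it to the 5505. Do I also need to set up the same VLANs on the 5505 as on the 2924, and set the ports into each VLAN (that is, one-to-one with those on the 2924)?
Fast EtherChannel should be possible: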
Four-Port Fast EtherChannel Configuration Example
This example configuration shows how to configure a four-port Fast
EtherChannel link between two switches. Figure 6-1 shows two switches
connected through four 100BaseTX Fast Ethernet ports.
Figure 6-1: Fast EtherChannel Port Bundle Example
Step 1 Make sure that all ports on Switch A and Switch B have the same
port configuration, including VLAN membership, speed, and duplex.
Switch_A> (enable) set vlan 50 1/1-4
VLAN 50 modified.
VLAN 1 modified.
VLAN Mod/Ports
---- -----------------------
50 1/1-4
2/1-2
3/1-3
Switch_A> (enable) set port speed 1/1-4 100
Ports 1/1-4 transmission speed set to 100Mbps.
Switch_A> (enable) set port duplex 1/1-4 full
Ports 1/1-4 set to full-duplex.
Switch_A> (enable)
Switch_B> (enable) set vlan 50 3/1-4
VLAN 50 modified.
VLAN 1 modified.
VLAN Mod/Ports
---- -----------------------
50 3/1-4
Switch_B> (enable) set port speed 3/1-4 100
Ports 3/1-4 transmission speed set to 100Mbps.
Switch_B> (enable) set port duplex 3/1-4 full
Ports 3/1-4 set to full-duplex.
Switch_B> (enable)
Step 2 You can confirm the channeling status of the switches using the
show port channel command.
Switch_A> (enable) show port channel
No ports channelling
Switch_A> (enable)
Switch_B> (enable) show port channel
No ports channelling
Switch_B> (enable)
Step 3 Configure the ports on Switch A to negotiate a Fast EtherChannel
bundle with the neighboring switch. This example assumes that the
neighboring ports on Switch B are in EtherChannel auto mode. The system
logging messages provide information about the formation of the
EtherChannel bundle.
Switch_A> (enable) set port channel 1/1-4 desirable
Port(s) 1/1-4 channel mode set to desirable.
Switch_A> (enable) %PAGP-5-PORTFROMSTP:Port 1/1 left bridge port 1/1
%PAGP-5-PORTFROMSTP:Port 1/2 left bridge port 1/2
%PAGP-5-PORTFROMSTP:Port 1/3 left bridge port 1/3
%PAGP-5-PORTFROMSTP:Port 1/4 left bridge port 1/4
%PAGP-5-PORTFROMSTP:Port 1/2 left bridge port 1/2
%PAGP-5-PORTFROMSTP:Port 1/3 left bridge port 1/3
%PAGP-5-PORTFROMSTP:Port 1/4 left bridge port 1/4
%PAGP-5-PORTTOSTP:Port 1/1 joined bridge port 1/1-4
%PAGP-5-PORTTOSTP:Port 1/2 joined bridge port 1/1-4
%PAGP-5-PORTTOSTP:Port 1/3 joined bridge port 1/1-4
%PAGP-5-PORTTOSTP:Port 1/4 joined bridge port 1/1-4
Switch_B> (enable) %PAGP-5-PORTFROMSTP:Port 3/1 left bridge port 3/1
%PAGP-5-PORTFROMSTP:Port 3/2 left bridge port 3/2
%PAGP-5-PORTFROMSTP:Port 3/3 left bridge port 3/3
%PAGP-5-PORTFROMSTP:Port 3/4 left bridge port 3/4
%PAGP-5-PORTFROMSTP:Port 3/2 left bridge port 3/1-4
%PAGP-5-PORTFROMSTP:Port 3/3 left bridge port 3/1-4
%PAGP-5-PORTFROMSTP:Port 3/4 left bridge port 3/1-4
%PAGP-5-PORTTOSTP:Port 3/1 joined bridge port 3/1-4
%PAGP-5-PORTTOSTP:Port 3/2 joined bridge port 3/1-4
%PAGP-5-PORTTOSTP:Port 3/3 joined bridge port 3/1-4
%PAGP-5-PORTTOSTP:Port 3/4 joined bridge port 3/1-4
Step 4 After the EtherChannel bundle is negotiated, use the show port
channel command to verify the configuration.
Switch_A> (enable) show port channel
Port  Status     Channel   Channel     Neighbor                  Neighbor
                 mode      status      device                    port
----- ---------- --------- ----------- ------------------------- ----------
1/1   connected  desirable channel     WS-C4003 JAB023806(Sw     3/1
1/2   connected  desirable channel     WS-C4003 JAB023806(Sw     3/2
1/3   connected  desirable channel     WS-C4003 JAB023806(Sw     3/3
1/4   connected  desirable channel     WS-C4003 JAB023806(Sw     3/4
----- ---------- --------- ----------- ------------------------- ----------
Switch_A> (enable)
Switch_B> (enable) show port channel
Port  Status     Channel   Channel     Neighbor                  Neighbor
                 mode      status      device                    port
----- ---------- --------- ----------- ------------------------- ----------
3/1   connected  auto      channel     WS-C5000 009979082(Sw     1/1
3/2   connected  auto      channel     WS-C5000 009979082(Sw     1/2
3/3   connected  auto      channel     WS-C5000 009979082(Sw     1/3
3/4   connected  auto      channel     WS-C5000 009979082(Sw     1/4
----- ---------- --------- ----------- ------------------------- ----------
Switch_B> (enable)
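8. Reinstalling the IOS on a PIX515E
First start a TFTP server and have the new IOS version ready
Press ESC while the PIX is booting to enter MONITOR mode:
monitor>interface 0 / abbreviations cannot be used in monitor mode; "interface e0" does not work here, and why e0 cannot be used still needs further testing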
monitor>address 192.168.155.242
monitor>server 192.168.155.241
monitor>file pix701.bin
monitor>tftp
monitor>
monitor>
monitor>
9. Enabling TELNET on the PIX:
telnet 192.168.100.0 255.255.255.0 inside / inside is the internal-network interface; it is a user-defined name
10. Configuring VLANs
int fa0/15
switchport access vlan 5
switchport mode access
exit
int fa0/16
switchport access vlan 5
switchport mode access
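11. TRUNK
In technical usage TRUNK is rendered in Chinese as "backbone, trunk line, relay line, long-distance line", but it is usually left untranslated and used as-is. The word also has different meanings in different contexts: 1. In terms of hierarchical network design and sensible bandwidth allocation, TRUNK is understood as "port aggregation", an important way to extend bandwidth and provide link backup. TRUNK bundles several physical ports together to be used as one logical port, so the bandwidth of multiple ports can be added together. TRUNK technology lets the links inside a TRUNK back each other up: when one link fails, the other links keep working, and traffic can also be balanced across the links, much like the familiar printer pools and MODEM pools.
2. In voice-grade circuits in telecom networks, Trunk means "backbone network, telephone trunk line", that is, the connecting circuit or channel between two exchanges or switches, which can relay between the two ends and provides the necessary signalling and terminal equipment.
3. In the most common field, routing and switching, VLAN port aggregation is also sometimes called TRUNK, though most vendors, CISCO for example, call it TRUNKING. TRUNKING is used to connect different switches so that members of the same VLAN spanning multiple switches can communicate with one another. The ports used to interconnect the switches are called TRUNK ports. Unlike ordinary switch cascading, TRUNKING works at OSI layer 2. Suppose there were no TRUNKING: if you created several VLANs on each of two switches (VLANs are also layer 2), then for the members of VLAN10 and of VLAN20 on the two switches to reach each other, you would have to take one port assigned to VLAN10 on switch A and cascade it to a port assigned to VLAN10 on switch B, and do the same for VLAN20. With 10 VLANs on the switches you would need 10 separate cascade cables, which uses ports very inefficiently. When the switches support TRUNKING, things are simple: a single cascade link between the two switches, with the corresponding ports set to Trunk, can carry the traffic of all VLANs on the switches. That way, even with hundreds of VLANs on a switch, one port is enough.
For VLANs with the same ID on different switches to communicate, a shared trunk port is enough. For VLANs with different IDs, whether on the same switch or on different switches, communication has to go through a separate router. Two things need attention when dividing up VLANs: first, each of the VLAN groups has its own VLAN ID; in addition, the switch ports assigned to a VLAN group also have a port ID. For example, ports 1, 2, 3, 4 are assigned to vlan10 and ports 5, 6, 7, 8 to vlan20. I can set the port ID of ports 1, 3, 4 to 10 and the port ID of port 2 to 20, and set the port ID of ports 5, 6, 7 to 20 and the port ID of port 8 to 10. Then ports 1, 3, 4 in vlan10 can communicate with port 8 in vlan20, and port 2 in vlan10 can communicate with ports 5, 6, 7 in vlan20. Although the VLAN IDs differ, ports with the same port ID can communicate; likewise, ports with the same VLAN ID but different port IDs cannot reach each other, for example port 2 in vlan10 cannot communicate with ports 1, 3, 4.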
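12. Setting switch passwords:
Using the login process on a 2970 as an example:
First set the TELNET login password:
en
conf t
! VTY (virtual terminal line): used for telnet logins
line vty 0 4
password 0 hisunweihubu
login
line vty 5 15
password 0 hisunweihubu
login
! CON (console): password for logging in on the CONSOLE port
line con 0
password 0 hisunweihubu
login
Then set the enable password:
! sets the en password to hisunweihubu
enable secret 0 hisunweihubu
If both of these are configured and they are different strings, the secret is the one that takes effect.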
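A check for the password settings in this section, as an added example that is not part of the original post: a small Python audit that flags cleartext and type 7 line passwords, a disabled `service password-encryption`, `ip http server`, and vty lines that are not restricted to SSH. The sample config is constructed from commands that appear on this page with the secrets replaced by placeholders; `transport input ssh` and the name `audit` are not from the page.

```python
import re

# Constructed sample: commands of the kinds shown on this page,
# with every secret value replaced by a placeholder.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 <hash>
ip http server
line con 0
 password 7 <obfuscated>
 login
line vty 0 4
 password 0 <cleartext>
 login
line vty 5 15
 password 7 <obfuscated>
 login
 transport input ssh
"""

RULES = [
    (r"^no service password-encryption$", "line passwords are stored in cleartext"),
    (r"^password (?!7 )", "cleartext line password"),
    (r"^password 7 ", "type 7 is reversible obfuscation, not a hash"),
    (r"^enable password ", "use 'enable secret' (stored hashed) instead"),
    (r"^ip http server$", "unencrypted HTTP management is enabled"),
]

def audit(config):
    """Return sorted (line_number, finding) pairs for weak settings."""
    findings, vty = [], None      # vty = [line number of 'line vty', SSH-only seen?]
    def close_vty():
        if vty and not vty[1]:
            findings.append((vty[0], "vty accepts Telnet: no 'transport input ssh'"))
    for number, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()        # works on indented and on flattened configs
        if line.startswith(("line ", "interface ", "!")) or line == "end":
            close_vty()           # a new block ends the previous vty block
            vty = [number, False] if line.startswith("line vty") else None
        elif vty and line == "transport input ssh":
            vty[1] = True
        for pattern, message in RULES:
            if re.search(pattern, line):
                findings.append((number, message))
    close_vty()
    return sorted(findings)
```

On the sample, `audit(SAMPLE_CONFIG)` reports lines 1, 3, 5, 7, 8 and 11; `enable secret 5` is not flagged because the secret is stored as a hash rather than as recoverable text.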
int fa0/15
switchport access vlan 5
switchport mode access
exit
int fa0/16
switchport access vlan 5
switchport mode access
Port mirroring:
monitor session 2 source int fa0/5 both
monitor session 2 destination int fa0/7 ingress vlan 1
--------------------------------------------------------
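Layer 3 switch, inter-VLAN routing example:
Network layout:
Office network IP address: 192.168.110.1 255.255.248.0
IP address of the isolated VLAN (vlan 2): 192.168.50.1 255.255.255.0
Client IP address: 192.168.50.203 255.255.255.0 GW: 192.168.50.1
The Cisco 3560 routes VLAN2 traffic to the switch's first Ethernet port (Fa0/1: 192.168.110.87 255.255.255.248), which then forwards it to the office network firewall (192.168.110.1) and on to the public network.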
Switch#sh ru
Building configuration...
Current configuration : 1811 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
--More--
00:04:42: %SYS-5-CONFIG_I: Configured from console ! e
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
no switchport
ip address 192.168.110.87 255.255.248.0
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 2
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/7
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/9
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.50.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.110.1
ip http server
!
!
!
control-plane
!
!
line con 0
line vty 5 15
!
end
Switch#
----------------------------------------------------------------------------------------------------------------
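Allow only specific IP addresses to access the hosts in VLAN2:
(After traffic from the public network enters the internal network, its source address is still the public address)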
192.168.110.87#
192.168.110.87#
192.168.110.87#sh ru
Building configuration...
Current configuration : 3071 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 192.168.110.87
!
enable secret 5 $1$iK2b$JRwJ1h3.xdIt9617rVbbL1
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
no switchport
ip address 192.168.110.87 255.255.248.0
ip access-group 101 in
!
interface FastEthernet0/2
no switchport
no ip address
!
interface FastEthernet0/3
switchport access vlan 2
!
interface FastEthernet0/4
switchport access vlan 2
!
interface FastEthernet0/5
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/7
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/9
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/11
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/12
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/13
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/14
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/15
switchport access vlan 3
switchport mode access
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.50.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.110.1
ip http server
!
!
access-list 101 permit ip 192.168.7.0 0.0.0.255 192.168.110.1 0.0.0.0
access-list 101 permit ip 192.168.7.0 0.0.0.255 192.168.110.5 0.0.0.0
access-list 101 permit ip 192.168.7.0 0.0.0.255 192.168.110.4 0.0.0.0
access-list 101 permit ip 192.168.7.0 0.0.0.255 192.168.110.3 0.0.0.0
access-list 101 deny ip 192.168.7.0 0.0.0.255 192.168.104.0 0.0.7.255
access-list 101 permit ip 192.168.7.0 0.0.0.255 any
int vlan 7
ip access-group 101 in
!
control-plane
!
!
line con 0
password 7 0944471A0C0B0017020411283E
login
line vty 0 4
password 7 12110C0407051B012323312A26
login
line vty 5 15
password 7 045302151A2F5B4B0011101507
login
!
end
This article comes from the ChinaUnix blog; to view the original, go to: http://blog.chinaunix.net/u3/93690/showart_1861624.html