cisco常见应用场景和配置.ppt

方剑锋浙大快威工程内容安排,Cisco交换设备介绍常见应用场景和配置常见故障诊断,基本配置（一）,更改主机名,Switch(config)#hostnameS2-C-HZXH-7609-1,设置时钟和NTP时钟同步,Switch(config)#clocktimezoneBeijing8Switch(config)#ntpserver1,时间戳设置,Switch(config)#servicetimestampsdebugdatetimemseclocaltimeSwitch(config)#servicetimestampslogdatetimemseclocaltime,基本配置（二）,AAA认证配置,iptacacssource-interfaceLoopback0tacacs-serverhost6tacacs-serverkeyhzdxaaanew-modelaaaauthenticationlogindefaultgrouptacacs+lineenableaaaauthenticationenabledefaultgrouptacacs+enableaaaaccountingcommands15defaultstart-stopgrouptacacs+,telnet参数设置,linevty04access-class9inexec-timeout30passwordwyzx2008,基本配置（三）,Log日志设置,loggingtrapnotificationsloggingsource-interfaceLoopback0logging4,SNMP设置,Switch(config)#snmp-servercommunitysjzx2004RO9,VLAN配置,创建和删除VLAN,Switch(config)#vlan1200Switch(config-vlan)#nametestSwitch(config)#novlan1200,创建SVI,interfaceVlan1200descriptiontestipaddress7752noipredirectsnoipunreachablesnoipproxy-arp,定义VTP模式和使用扩展VLAN,Switch(config)#vtpmodetransparentSwitch(config)#spanning-treeextendsystem-id,接口配置（一）,Access接口,interfaceFastEthernet6/3descriptionL1212628switchport(45和35系列交换机上不需要此命令)switchportaccessvlan3103switchportmodeaccessspeed10duplexfull,trunk接口,interfaceGigabitEthernet1/1descriptionto7609-3/2switchport(45和35系列交换机上不需要此命令)switchporttrunkencapsulationdot1qswitchporttrunkallowedvlan700,810,821,842,849,859,868,974switchporttrunkallowedvlanadd11201-1244,3101-3148switchportmodetrunk,接口配置（二）,路由接口配置,interfaceGigabitEthernet1/1descriptionto7609-3/2noswitchport(65/76上不需要此命令）ipaddress7752noipredirectsnoipunreachablesnoipproxy-arp,QINQ接口配置,interfaceGigabitEthernet7/22descriptionGuDang-OLT-C200-1-port2mtu1538switchport(35系列交换机上不需要此命令)switchportaccessvlan702switchportmodedot1q-tunnelnocdpenablespanning-treebpdufilterenable,接口配置（三）,接口限速配置（45系列交换机）,policy-map4Mclassclass-defaultpolice4mbps400kbyteconform-actiontransmitexceed-actiondropinterfaceFastEthernet6/11service-policyinput4Mservice-policyoutput4M,接口限速配置（35系列交换机）,class-mapmatch-allIPclassmatchipdscp0policy-maprate-4MclassIPclasspolice4200000300000exceed-actiondropinterfaceFastEthernet6/11service-policyinputrate-4M,EtherChannelTechnology,LoadsharingandredundancyprovidedIncrementalwaytoscalelinkbandwidthSwitches,routers,andservers,EtherChannel,100/1000Ethernet2,A,B,EtherChannel,Etherchannel-Whatsupportsit?,Catalyst2900XL,Catalyst3500XL,Catalyst5000,Catalyst6000,Catalyst4000,BandwidthOptions,Ethernet/FastEthernet,FastEtherChannel,10,100Mbps,200,400Mbps,GigabitEtherChannel,2,4Gbps,GigabitEthernet,1Gbps,SmoothmigrationtohigherbandwidthsGainresiliencyatsametimeConsideredasonelinktoSTP,RoutingProtocolsFeaturedonCatalystfamilyandCiscoIOS,Catalyst6000AdditionalOptions,FastEtherChannel,200800Mbps,GigabitEtherChannel,28Gbps,Bundleformedwith28linksBundlememberscanexistondifferentcardsMaximumbandwidthof16Gbps(FDX)possibleOddcombinationsalsovalid(3,5,6,7),Howdoesitwork,TakethesourceanddestinationMACaddress-converttoBinary,Takelast2bitsofbothaddressesandperformXOR,Resultsdeterminewhichlinktouse00-Link101-Link202-Link303-Link4,Catalyst6000usesapolynomialequationintheEarl5tocalculateetherchannelpath,ConfiguringEtherchannelonthe6000,Catalyst6000supportsamaximumof128EtherchannelGroups,1.AllportsmustbeinsameVLAN2.Ifchannelisconfiguredastrunk,thentrunkmodemustbesameonallports3.Allportsinchannelmustbesamespeedandduplexsetting4.BroadcastlimitMUSTbesameonallportsinchannel5.Portsecurityonportsstopstheetherchannelgroupbeingcreated6.IfoneoftheportshasSPANenabled,etherchannelgroupwillnotform7.Protocolfilteringmustbesameonallportsinchannelgroup,EtherchannelRestrictions,端口聚合配置,interfacePort-channel7descriptionto_liuxia4506switchportswitchporttrunkencapsulationdot1qswitchporttrunkallowedvlan17,18,105,184,326,358,361,365-367switchporttrunkallowedvlanadd369-373,501-599,700,801switchportmodetrunkinterfaceGigabitEthernet3/14descriptionto_liuxia4506switchportswitchporttrunkencapsulationdot1qswitchporttrunkallowedvlan17,18,105,184,326,358,361,365-367switchporttrunkallowedvlanadd369-373,501-599,700,801switchportmodetrunkchannel-group7modedesirableinterfaceGigabitEthernet4/3descriptionto_liuxia4506-1/1switchportswitchporttrunkencapsulationdot1qswitchporttrunkallowedvlan17,18,105,184,326,358,361,365-367switchporttrunkallowedvlanadd369-373,501-599,700,801switchportmodetrunkchannel-group7modedesirableport-channelload-balancesrc-dst-port,查看命令,Showinterfaceshowipinterfacebriefshowinterfacestatusshowinterfacedescriptionshowinterfacetrunkshowmac-address-tableshowspanning-tree,StandardChecksSourceaddressGenerallypermitsordeniesentireprotocolsuiteExtendedChecksSourceandDestinationaddressGenerallypermitsordeniesspecificprotocolsInboundorOutbound,WhatAreAccessLists?,OutgoingPacket,E0,S0,IncomingPacket,AccessListProcesses,Permit?,Protocol,AListofTests:DenyorPermit,PacketstoInterface(s)intheAccessGroup,PacketDiscardBucket,Y,Interface(s),Destination,Deny,Y,MatchFirstTest?,Permit,N,Deny,Permit,MatchNextTest(s)?,Deny,MatchLastTest?,Y,Y,N,Y,Y,Permit,ImplicitDeny,Ifnomatchdenyall,Deny,N,0meanscheckcorrespondingaddressbitvalue1meansignorevalueofcorrespondingaddressbit,donotcheckaddress(ignorebitsinoctet),=,0,0,0,0,0,0,0,0,Octetbitpositionandaddressvalueforbit,ignorelast6addressbits,checkalladdressbits(matchall),ignorelast4addressbits,checklast2addressbits,Examples,WildcardBits:HowtoChecktheCorrespondingAddressBits,ExamplechecksalltheaddressbitsAbbreviatethiswildcardmaskusingtheIPaddressprecededbythekeywordhost(host9),Testconditions:Checkalltheaddressbits(matchall),9,,(checksallbits),AnIPhostaddress,forexample:,Wildcardmask:,WildcardBitstoMatchaSpecificIPHostAddress,Acceptanyaddress:55Abbreviatetheexpressionusingthekeywordany,Testconditions:Ignorealltheaddressbits(matchany),,55,(ignoreall),AnyIPaddress,Wildcardmask:,WildcardBitstoMatchAnyIPAddress,CheckforIPsubnets/24to/24,Network.host,Wildcardmask:00001111|00010000=1600010001=1700010010=18:00011111=31,Addressandwildcardmask:55,WildcardBitstoMatchIPSubnets,ACL配置,标准ACL,扩展ACL,access-list9permit1access-list9permit1access-list9permit1access-list9denyany,access-list101denytcp5555eq21access-list101denytcp5555eq20access-list101permitipanyany,应用到接口,interfaceVlan27ipaccess-group101in,VACL介绍,传统的accesslist（RACL）只有当数据包经过三层端口，才能对数据包起过虑作用。有些数据包，它可能只是在某一个vlan内部，即不经过三层端口，也不夸过vlan，要对这些数据包做过虑的话，则可以用vlanaccesslist（VACL）,VACL配置命令,定义一个VACL：vlanaccess-mapmap-namesequence-numbermatchipaddressacl-number|acl-name|ipxaddressacl-number|acl-name|macaddressacl-nameactiondrop|forwardcapture|redirectinterfacetypemod/num把VACL应用在vlan上：Switch(config)#vlanfiltermap-namevlan-listvlan-list,VACLEXAMPLE,ipaccess-listextendedmatch_allpermitipanyanyipaccess-listextendedviruspermitudpanyanyeq135permittcpanyanyeq135permittcpanyanyeq139permittcpanyanyeq4444permittcpanyanyeq1434permitudpanyanyeq1434permittcpanyanyeq445vlanaccess-mapvacl10matchipaddressvirusactiondropvlanaccess-mapvacl20matchipaddressmatch_allactionforwardvlanfiltervaclvlan-list821,1105,1174,路由协议分类,距离向量：用于根据距离(distance)来判断最佳路径，当1个数据包每经过1个router时，被称之为经过1跳.经过跳数最少的则作为最佳路径.这类协议的例子有RIP和IGRP，它们将整个路由表向与它们直接相连的相邻routers。链路状态：也叫最短路径优先(shortest-path-first)协议.每个router创建3张单独的表，1张用来跟踪与它直接相连的相邻router;1张用来决定网络的整个拓扑结构;另外1张作为路由表.所以这种协议对网络的了解程度要比距离向量高.这类协议例子有OSPF。混合型：综合了前2者的特征，这类协议的例子有EIGRP。,Ospf路由协议,OSPF能够把网络设计为层次化，这样就把1个大的网络分割成几个小的网络，叫做区域(area).这是OSPF最好的设计方法.把OSPF设计成层次化的好处是：1、减少路由成本(overhead)2、加速汇聚3、把大网络分割成小的区域,典型的OSPF设计图，如下：,Area0,Area1,Area2,AutonomousSystem,ConfiguringOSPF,EnablingOSPF启用OSPF在全局配置模式下使用routerospf进程ID命令，进程ID范围是1到65535。可以在同1个router上使用不止1个的OSPF进程，但是这并不等于多域(multi-area)的OSPF.第二个进程保持完整的拓扑数据库的拷贝，而且独立于第一个进程进行管理通信。ConfiguringOSPFAreasOSPF使用wildmask来进行配置，如下：RouterA