学习交换机的深入笔记02具体交换机的配置.doc

目 录Catalyst1900交换机上速配VLAN3基本的VLAN配置31、单个交换机VLAN配置32、多个交换机的配置5使用VTP配置VLAN71、VTP作用72、VTP三种模式：Server(缺省)、Client、Transparent73、VTP裁剪74、使用VTP配置VLAN75VLAN配置概要10Catalyst 2924112950配置132950 配置-实现端口与IP的绑定132950-24的配置包括CMS212950的QOS配置- service-policy252004-05-18-Cisco2950-24-升级到121-20-EA1a29Catalyst2950软件配置指南35网络设计35常见命令38配置交换机的ip：40增加安全地址43增加静态地址到MAC地址表43Configuring Static Addresses for EtherChannel Port Groups43Configuring 802.1X Port-Based Authentication44理解802.1x认证44配置802.1X 认证46Enabling Multiple Hosts48重新设定802.1x恢复default值49显示802.1x统计信息和状态49配置 VLANs49使用Telnet改变Management VLAN50Assigning VLAN Port Membership Modes50分配Static-Access Ports 到一个 VLAN51Using VTP51VLANs in the VTP Database55How VLAN Trunks Work56How the VMPS Works59Configuring STP59Understanding Basic STP Features60Creating the STP Topology60STP and IEEE 802.1Q Trunks60STP and Redundant Connectivity61Understanding Advanced STP Features61Understanding UplinkFast62Understanding BackboneFast63Configuring Basic STP Features63Default STP Configuration63Disabling STP64Configuring the Root Switch65Configuring a Secondary Root Switch65Configuring STP Port Priority65Configuring the Switch Priority of a VLAN66Configuring STP for Use in a Cascaded Cluster66Displaying STP Status67Configuring Advanced STP Features67Configuring Port Fast67Configuring BPDU Guard68CISCO2950 24口，不允许相互访问的问题- Pvlan 实例683550配置682006-04-17-3550-route-map-test692006-04-18-武汉3550EMI803550 EMI 限速试验报告853550-EMI 基于时间的访问控制与端口绑定903550 交换机的 QoS 时序及队列953550交换机1123550NetScreen 208 VLAN间路由1133550peizhi1233750系列交换机149SPF-small form-factor pluggable149LC connector150RJ45 connector150XENPAK SC connector150Cisco堆叠产品的革命性更新3750发布152关于备份 Cisco 3750 IOS153新的万兆3750以太网交换机，Cisco万兆以太网策略153PDF-Getting Started Guide155CMS-Running Express Setup156Resetting the Switch157Cisco建议的堆叠方式和冗余方式157垂直式堆叠-Vertical Stacking157端到端的堆叠- Side-By-Side Stacking158模块安装159PDF-Hardware Installation Guide160分类:160支持的SFP modules:161Powering Considerations162Cabling Considerations163100M/1000M Cable接头规范165初始配置交换机166PDF-Software Configuration guide- 12.2(25)SE167Features167Availability Features168VLAN Features168Security Features169QoS and CoS Features170Layer 3 Features171Power over Ethernet Features172Monitoring Features172初始化后交换机的缺省配置172网络配置举例178设计要求1792948G-L3180关于catalyst 2948L3180快速配置2948G-L3183Configuring IRB188Example of a Catalyst 2948G-L3 with ISL and VLAN1902948G保存原配置的情况下破解密码194Catalyst5000195Catalyst5000交换机的vlan195Catalyst5500交换机 VLAN设置200End209Catalyst1900交换机上速配VLAN基本的VLAN配置1、单个交换机VLAN配置当不使用VTP协议时，交换机应该配置成VTP transparent(透明模式)，此时交换机VLAN的配置主要包括如下内容：- Disabling VTP (VTP Transparent Mode)使用全局命令，启用VTP的transparent 模式；使用全局命令定义每个VLAN的编号（必须的）和相应的名称（可选的）；使用接口子命令，将每个端口分配到相应的VLAN。假定有如图1所示的交换机划分的三个VLAN，其配置如下： switch(config)#vtp transparent domani dummyswitch(config)#vlan 2 name VLAN2switch(config)#vlan 3 name VLAN3switch(config)#interface e 0/5switch(config-if)#vlan-membership static 2switch(config)#interface e 0/6switch(config-if)#vlan-membership static 2switch(config)#interface e 0/7switch(config-if)#vlan-membership static 2switch(config)#interface e 0/8switch(config-if)#vlan-membership static 2switch(config)#interface e 0/9switch(config-if)#vlan-membership static3switch(config)#interface e 0/10switch(config-if)#vlan-membership static3switch(config)#interface e 0/11switch(config-if)#vlan-membership static3switch(config)#interface e 0/12switch(config-if)#vlan-membership static3在以上的配置中，让大家觉得奇怪的是没有配置VLAN1，这没有关系，因为它是自动配置的，而且任何没有指定静态VLAN配置的端口都被认为是在VLAN1中的，同样交换机的地址也被认为是在VLAN1的广播域中。在配置完成后，可以使用”show vlan vlan#”命令来显示一个特定的VLAN信息，验证VLAN的参数，例如：switch#show vlan 32、多个交换机的配置 为了允许VLAN跨越多个交换机，这就必须配置主干(trunk)来连接这些交换机。Cisco要求在这种主干链路上使用诸如ISL的主干协议，于是启用主干协议的命令就是trunk。使用trunk接口配置命令将一个快速以太网接口设置成主干模式，在Cisco Catalyst 1900交换机上有两个快速以太网接口fa0/26和fb0/27。在使用动态交换链路协议(DISL)为ISL时，启用和定义主干协议类型可以静态和动态地进行。trunk接口配置命令的语法如下：switch(config)#trunk on/off/desirable/auto/nonnegotiateon-将端口配置成永久的ISL主干模式，并与连接设备协商将链路转换成主干模式；off-禁止端口的主干模式，并与连接设备协商将路转换成非主干模式；desirable-触发端口进行协商，将链路从非主干模式转换成主干模式；如连接设备在 on,desirable或auto状态下，此端口将和主干进行协商，否则该端口为非主干端口；auto-只有在连接设备是on或desirable状态下才使端口变为主干；nonnegotiate-将端口配置成永久的主干模式，并且不和对方协商。在实际工作中，可根据配置参数的选项，设置成相应的模式。图2 图2是有两个交换机组成三个VLAN的配置示例，其配置如下： switch1(config)#interface e fa 0/26-将0/26端口设置为属于vlan1,2,3switch1(config-if)#trunk onswitch1(config-if)#vlan-membership static 1switch1(config-if)#vlan-membership static 2switch1(config-if)#vlan-membership static 3switch1(config)#interface e fb 0/27-将0/27端口设置为属于vlan1,2,3switch1(config-if)#trunk onswitch1(config-if)#vlan-membership static 1switch1(config-if)#vlan-membership static 2switch1(config-if)#vlan-membership static 3注意：两个快速以太网端口上不但被配置为主干有效，而且3个VLAN都被静态地配置到这些端口上，通过同时配置这些VLAN，交换机将主干端口当成这些VLAN的一部分，当然网络中的路由器也必须配置成支持ISL。为验证主干配置和VLAN端口分配情况，可使用“show trunk a/b“和”show vlan-membership”。其中a /b分别代表快速以太网端口0/26和0/27。使用VTP配置VLAN 1、VTP作用 交换机通过VTP定时（每5分钟）或实时（当交换机的参数有改变时），向同一管理域进行多点传送公共管理域消息，并通过同一管理域同步所配置VLAN的识别信息(在网络较大时作用明显)，支持混合介质(FDDI、ATM等)，精确跟踪VLAN的增、减、更名等实时情况。VTP为第二层信息协议，主要是维护配置的一致性。缺省情况下交换机处于non-management-domain状态，其VLAN信息不会宣告出去。通过设置VTP Pruning 裁剪(缺省为关状态)，增加可用带宽。2、VTP三种模式：Server(缺省)、Client、Transparent Server：创建、更改和删除VLAN以及用于整个VTP域的其它配置参数，这些消息被依次传到相同域中的VTP客户，VLAN配置信息存于NVRAMClient：VLAN配置信息不存于NVRAM，当在VTP的客户也不能创建、更改和删除VLAN，只能同步收到的VLAN信息Transparent：当交换机不需要或不想加入VTP时，主要是用作本地管理，不与其它交换机共享VLAN信息，但仍可以将VTP通告转送到其它交换机。3、VTP裁剪 由于ISL主干线路承载了所有VLAN的流量，因此，有些流量可能不必广播到在无需运载它们的链路上,VTP裁剪使用VLAN通告来决定什么时候该主干连接不需要泛洪式的传输，缺省的情况下，主干连接运载此VTP管理域中的所有VLAN流量，而在实际工作中，有些交换机交不必将本地端口配置到每个VLAN中，这样启用VTP配置就成为必要。4、使用VTP配置VLAN对Catalyst 1900交换机，默认的VTP配置参数如下：VTP域名：None（无）VTP模式：Server（服务器）VTP口令：None（无）VTP裁剪：Disabled（禁止）VTP陷阱：Enabled（启用）VTP域名可以指定或学习到，缺省的情况下是不设置的。如果缺省配置收到一个有域名的VTP通告，它就会使用该域名；如果交换机已配置了域名，又收到一个域名通告，则会忽略。VTP和管理域可以设置口令，但在域中的所有交换机必须输入相的口令，否则VTP将不能正常工作。VTP服务器上的VTP裁剪的启用和禁止将会传播到整个管理域中，如果VTP裁剪启用，除VLAN1上的所有VLAN将被裁剪。假定有如图3的VLAN连接，具体配置如下：作为VTP服务器交换机1的配置 switch1#configure terminal switch1(cofig)#ip address 1 图3 switch1(cofig)#ip defaul-gateway switch1(cofig)#vtp server domain Hartsfield purning enable switch1(cofig)#vlan 2 name vlan2 switch1(cofig)#vlan 3 name vlan3 switch1(cofig)#interface e 0/5 switch1(cofig-if)#valn-membership static 2 switch1(cofig)#interface e 0/6 switch1(cofig-if)#valn-membership static 2 . switch1(cofig)#interface e 0/9 switch1(cofig-if)#valn-membership static 3 switch1(config)#interface e fa 0/26switch1(config-if)#trunk onswitch1(config-if)#vlan-membershi static 1. switch1(config)#interface e fb 0/27switch1(config-if)#trunk onswitch1(config-if)#vlan-membershi static 1switch2(config-if)#vlan-membershi static 2switch2(config-if)#vlan-membershi static 3 . 作为VTP客户交换机2的配置 switch2#configure terminal switch2(cofig)#ip address 2 switch2(cofig)#ip defaul-gateway switch2(cofig)#vtp client switch2(cofig)#interface e 0/5 switch2(cofig-if)#valn-membership static 3 switch2(cofig)#interface e 0/6 switch2(cofig-if)#valn-membership static 3 switch2(cofig)#interface e 0/7 switch2(cofig-if)#valn-membership static 3 switch2(cofig)#interface e 0/8 switch2(cofig-if)#valn-membership static 3 switch2(cofig)#interface e 0/9 switch2(cofig-if)#valn-membership static 3 . switch2(config)#interface e fa 0/27switch2(config-if)#trunk onswitch2(config-if)#vlan-membershi static 1switch2(config-if)#vlan-membershi static 3 注意：在交换机2配置中没有域名，这可能通过第一个通告学习到；在交换机2配置中无须对VLAN进行定义，而且在VTP客户模式下是不能定义的。在交换机1中裁剪被启用，VTP从交换机2中裁剪VLAN2，因交换机2中没有VLAN2端口。为了验证新的配置或了解VTP的配置信息可以使用命令：switch1#show vtp5VLAN配置概要 由于篇幅的限制，有关术语和概念以及VLAN配置的其它具体情况就不作介绍了，下面就VLAN配置概括如下：1、配置原则 最大VLAN数、预置VLAN，CDP、VTP和IP地址对VLAN1有效2、配置步骤 Enable VTP(可选)=Enable Trunking=Create VLANs=Assign Vlan to ports3、VTP配置内容和原则 Passwod：域管理密码在同一域所有交换机上设置相同，否则VTP不会正常工作；在Server上配置pruning功能会影响整个VTP域(VTP宣告时所涉及的参数)；trap：缺省开启，每个新的VTP信息发出时会产生一个SNMP信息；vtp有两个版本：V1仅支持Ethernet，V2同时也支持Token Ring。4、VTP配置命令 Show vtp：确认最新的配置改变Trunk on/off/disirable/auto/nonegotiate (只能在百、千兆口)Show trunkVlan # ：编号范围，可以不命名Show vlanVlan更名Vlan-membership static vlan# 或 dynamic 缺省地所有端口都属VLAN1Show vlan-membershipShow spantree vlan# 确认某VLAN是否运行了STP。 Catalyst 2924Catalyst 2924-标准catalyst IOS1.只有一个管理端口：并且属于每一个Vlan; 如：24/0属于每一个VLAN2.interface fa 24/0ip add interface fa 24/0.2-为网段配置trunkencap dotiq mode trunkip add 标准cisco IOS,不用配置 fa 24/0.1CatOS,以后配置 fa 24/0.13.#int rang 13/0 24/0-配置vlan()#switchport vlan 2-?这时，default Vlan 1包括0/0-12/0;同时包括24/013/0-24/0属于vlan 2;同时包括24/04.24/0与路由器2620的ethernet port连接-直联线ip default-gateway ip_addressCATOS:-如：catalyst 5000set ip route default primaryset ip route default Cat5000 (enable)set spantree priority 网桥优先级 v l a nConfiguring the Relay DeviceYou need to use a relay device if the DHCP, DNS, or TFTP servers are on a different LAN than theswitch. You must configure this relay device to forward received broadcast packets on an interface to thedestination host. This configuration ensures that broadcasts from the DHCP client can reach the DHCP,DNS, and TFTP servers and that broadcasts from the servers can reach the DHCP client.If the relay device is a Cisco router, you enable IP routing (ip routing global configuration command)and configure it with helper addresses by using the ip helper-address interface configuration command.For example, in Figure 6-2, you configure the router interfaces as follows:On interface :router(config-if)# ip helper-address router(config-if)# ip helper-address router(config-if)# ip helper-address On interface router(config-if)# ip helper-address snmp-server host communication-string2950配置2950 配置-实现端口与IP的绑定在Cisco catalyst 2950交换机上，通过配置extended ACL来实现端口与IP的绑定。配置如下：2950#show runCurrent configuration : 5396 bytes!version 12.1no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname 2950!enable secret 5 $1$kJ.v$gF4osmkOwfvOy7vkwI3j/.!ip subnet-zero!no ip domain-lookup!spanning-tree mode pvstno spanning-tree optimize bpdu transmissionspanning-tree extend system-idspanning-tree uplinkfast!interface FastEthernet0/1switchport access vlan 30switchport mode accessip access-group ip1 inspanning-tree portfast!interface FastEthernet0/2switchport access vlan 30switchport mode accessip access-group ip2 inspanning-tree portfast!interface FastEthernet0/3switchport access vlan 30switchport mode accessip access-group ip3 inspanning-tree portfast!interface FastEthernet0/4switchport access vlan 30switchport mode accessip access-group ip4 inspanning-tree portfast!interface FastEthernet0/5switchport access vlan 30switchport mode accessip access-group ip5 inspanning-tree portfast!interface FastEthernet0/6switchport access vlan 30switchport mode accessip access-group ip6 inspanning-tree portfast!interface FastEthernet0/7switchport access vlan 30switchport mode accessip access-group ip7 inspanning-tree portfastinterface FastEthernet0/8switchport access vlan 30switchport mode accessip access-group ip8 inspanning-tree portfast!interface FastEthernet0/9switchport access vlan 30switchport mode accessip access-group ip9 inspanning-tree portfast!interface FastEthernet0/10switchport access vlan 30switchport mode accessip access-group ip10 inspanning-tree portfast!interface FastEthernet0/11switchport access vlan 30switchport mode accessip access-group ip11 inspanning-tree portfast!interface FastEthernet0/12switchport access vlan 30switchport mode accessip access-group ip12 inspanning-tree portfast!interface FastEthernet0/13switchport access vlan 30switchport mode accessip access-group ip13 inspanning-tree portfast!interface FastEthernet0/14switchport access vlan 30switchport mode accessip access-group ip14 inspanning-tree portfast!interface FastEthernet0/15switchport access vlan 30switchport mode accessip access-group ip15 inspanning-tree portfast!interface FastEthernet0/16switchport access vlan 30switchport mode accessip access-group ip16 inspanning-tree portfast!interface FastEthernet0/17switchport access vlan 30switchport mode accessip access-group ip17 inspanning-tree portfast!interface FastEthernet0/18switchport access vlan 30switchport mode accessip access-group ip18 inspanning-tree portfast!interface FastEthernet0/19switchport access vlan 30switchport mode accessip access-group ip19 inspanning-tree portfast!interface FastEthernet0/20switchport access vlan 30switchport mode accessip access-group ip20 inspanning-tree portfast!interface FastEthernet0/21switchport access vlan 30switchport mode accessip access-group ip21 inspanning-tree portfast!interface FastEthernet0/22switchport access vlan 30switchport mode accessip access-group ip22 inspanning-tree portfast!interface FastEthernet0/23switchport access vlan 30switchport mode accessip access-group ip23 inspanning-tree portfast!interface FastEthernet0/24switchport access vlan 30switchport mode accessip access-group ip24 inspanning-tree portfast!interface GigabitEthernet0/1switchport mode trunk!interface GigabitEthernet0/2spanning-tree stack-port!interface Vlan1no ip addressno ip route-cacheshutdown!interface Vlan100ip address 2 no ip route-cache!ip default-gateway 54ip http server!ip access-list extended ip1permit ip host anyip access-list extended ip10permit ip host 0 anyip access-list extended ip11permit ip host 1 anyip access-list extended ip12permit ip host 2 anyip access-list extended ip13permit ip host 3 anyip access-list extended ip14permit ip host 4 anyip access-list extended ip15permit ip host 5 anyip access-list extended ip16permit ip host 6 anyip access-list extended ip17permit ip host 7 anyip access-list extended ip18permit ip host 8 anyip access-list extended ip19permit ip host 9 anyip access-list extended ip2permit ip host anyip access-list extended ip20permit ip host 0 anyip access-list extended ip21permit ip host 1 anyip access-list extended ip22permit ip host 2 anyip access-list extended ip23permit ip host 3 anyip access-list extended ip24permit ip host 4 anyip access-list extended ip3permit ip host anyip access-list extended ip4permit ip host anyip access-list extended ip5permit ip host anyip access-list extended ip6ip access-list extended ip5permit ip host anyip access-list extended ip6permit ip host anyip access-list extended ip7permit ip host anyip access-list extended ip8permit ip host anyip access-list extended ip9permit ip host anysnmp-server community private RO!line con 0line vty 0 4password !#$%loginline vty 5 15password !#$%login!end2950#2950-24的配置包括CMSl Catalyst 4000 Family交换机使用Catalyst Software Release 7.1)l Catalyst5000 Switchl Catalyst 3550 Multilayer Switch使用Cisco IOS Release 12.1(6)EA1l Catalyst 2924-标准catalyst IOSl 2948G-L3 and the Catalyst 4908G-L3 交换路由使用Cisco IOS Release 12.0l Cisco IOS Release12.1(6)EA2 不支持 Catalyst 2950-12 and 2950-24 switches.ve