cisco7507(config)#no logging buffer
18. Rate limiting:
Defining a rate-limiting policy on a Cisco device and applying it to interfaces:
Switch# conf t
Switch(config)# access-list 1 permit any
Switch(config)# class-map match-all c9M
Switch(config-cmap)# match access-group 1
Switch(config-cmap)# exit
Switch(config)# policy-map p9M
Switch(config-pmap)# class c9M
Switch(config-pmap-c)# police 9000000 4096 exceed-action drop
Switch(config-pmap-c)# exit
Switch# conf t
Switch(config)# interface f0/13
Switch(config-if)# service-policy input p9M
Switch(config-if)# exit
Switch(config)# interface f0/14
Switch(config-if)# service-policy input p9M
Switch(config-if)# exit
Switch# wr
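The `police 9000000 4096 exceed-action drop` line above is a token-bucket policer: 9,000,000 bit/s is the committed rate and 4096 bytes is the burst (bucket depth). The following is an added simulation, not code from the page or from Cisco, that models a single-rate, single-bucket policer so the two numbers can be reasoned about: how many back-to-back 1500-byte frames the 4096-byte burst admits, what the sustained conforming rate settles to, and why a frame larger than the burst can never conform. The refill rule and packet timings are constructed assumptions; real Catalyst hardware policers have platform-specific rate and burst granularity that this model ignores.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class SingleRatePolicer:
    """Simplified model of `police <bps> <burst-bytes> exceed-action drop`.

    Tokens are bytes.  The bucket starts full, refills continuously at
    rate_bps/8 bytes per second and never holds more than burst_bytes.
    """
    rate_bps: int
    burst_bytes: int
    tokens: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)

    def offer(self, t: float, size: int) -> bool:
        """Offer a packet of `size` bytes arriving at time `t` (seconds).

        Returns True if it conforms (tokens are consumed) and False if it
        exceeds the contract and would be dropped (tokens untouched).
        """
        elapsed = max(0.0, t - self.last_t)
        self.last_t = t
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + elapsed * self.rate_bps / 8)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def simulate(policer: SingleRatePolicer,
             packets: List[Tuple[float, int]]) -> List[bool]:
    """Run a (time, size) packet sequence through the policer."""
    return [policer.offer(t, size) for t, size in packets]


def count_conforming(rate_bps: int, burst_bytes: int,
                     size: int, interval_s: float, n: int) -> int:
    """Offer n packets of `size` bytes every `interval_s` seconds and count
    how many conform.  Used to see the sustained rate the policer enforces."""
    p = SingleRatePolicer(rate_bps, burst_bytes)
    return sum(simulate(p, [(i * interval_s, size) for i in range(n)]))


if __name__ == "__main__":
    # Constructed traffic: three 1500-byte frames back to back at t=0, then
    # one more 1 ms later.  With a 4096-byte burst only two fit at once.
    p = SingleRatePolicer(rate_bps=9_000_000, burst_bytes=4096)
    print(simulate(p, [(0.0, 1500), (0.0, 1500), (0.0, 1500), (0.001, 1500)]))
    # 1500-byte frames every 1 ms is 12 Mbit/s offered; roughly 3 of every
    # 4 conform once the initial burst is spent (about 9 Mbit/s).
    print(count_conforming(9_000_000, 4096, 1500, 0.001, 1000))
    # A 5000-byte frame is larger than the bucket and can never conform,
    # however long the link has been idle.
    print(SingleRatePolicer(9_000_000, 4096).offer(10.0, 5000))
```

The last case is the practical check to make when choosing the burst value: if the configured burst is smaller than the largest frame the port carries, that frame size is dropped unconditionally rather than rate-limited.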
19. Using ACLs
Switch(config)# access-list access-list-number {permit|deny} {protocol} {source source-wildcard|any} {destination destination-wildcard|any}
Example 1: allow IP addresses inside the Beijing Telecom IDC to telnet to each network device
Switch(config)# access-list 101 permit tcp 218.30.26.0 0.0.0.63 any eq telnet
Switch(config)# access-list 101 permit tcp 218.30.27.0 0.0.0.127 any eq telnet
Switch(config)# access-list 101 permit tcp 218.30.25.0 0.0.0.255 any eq telnet
Example 2: ACL restricting access for the customer address 192.168.1.119
Switch(config)# access-list 130 deny ip host 192.168.1.119 any
Switch(config)# access-list 130 permit ip any any
Switch(config)# interface f0/22
Switch(config-if)# ip access-group 130 in
Example 3: the three segments 172.21.0.0 (VLAN 31), 172.22.0.0 (VLAN 32) and 172.23.0.0 (VLAN 33) must not be able to reach each other, while every other segment remains reachable. Configure as follows:
SS6509-1#conf t
SS6509-1(config)# access-list 101 deny ip any 172.22.0.0 0.0.255.255
SS6509-1(config)# access-list 101 deny ip any 172.23.0.0 0.0.255.255
SS6509-1(config)# access-list 101 permit ip any any
SS6509-1(config)# access-list 102 deny ip any 172.21.0.0 0.0.255.255
SS6509-1(config)# access-list 102 deny ip any 172.23.0.0 0.0.255.255
SS6509-1(config)# access-list 102 permit ip any any
SS6509-1(config)# access-list 103 deny ip any 172.21.0.0 0.0.255.255
SS6509-1(config)# access-list 103 deny ip any 172.22.0.0 0.0.255.255
SS6509-1(config)# access-list 103 permit ip any any
SS6509-1(config)#int vlan 31
SS6509-1(config-if)# ip access-group 101 in
SS6509-1(config)#int vlan 32
SS6509-1(config-if)# ip access-group 102 in
SS6509-1(config)#int vlan 33
SS6509-1(config-if)# ip access-group 103 in
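Two details in the ACL examples above are easy to get wrong when reading or writing them: the wildcard mask (a 1 bit means "don't care", so 0.0.0.63 covers 64 addresses, the opposite of a subnet mask) and the evaluation order (first matching entry wins, and an entry that matches nothing falls through to the implicit `deny` at the end of every ACL). The following is an added example, not code from the page, that parses the page's own `access-list` lines and evaluates sample packets against them. The packet addresses and ports in the checks are constructed; the parser handles only the keyword forms that appear on this page (`any`, `host`, network plus wildcard, and `eq <port>`).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named ports that IOS accepts after `eq`; only the ones needed here.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80}


def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(network) & care)


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", ...
    src_net: str
    src_wild: str
    dst_net: str
    dst_wild: str
    dst_port: Optional[int] = None   # set only when `eq <port>` is present


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Read one address spec starting at tokens[i]; return (net, wildcard, next)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl_line(line: str) -> AclEntry:
    """Parse `access-list N {permit|deny} proto src dst [eq port]`."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, src_wild, i = _parse_addr(t, 4)
    dst, dst_wild, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return AclEntry(action, proto, src, src_wild, dst, dst_wild, port)


def parse_acl(text: str) -> List[AclEntry]:
    return [parse_acl_line(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl: List[AclEntry], src: str, dst: str,
             proto: str = "ip", dport: Optional[int] = None) -> str:
    """First-match evaluation with the implicit deny at the end, as on IOS."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src_net, e.src_wild):
            continue
        if not wildcard_match(dst, e.dst_net, e.dst_wild):
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.action
    return "deny"   # implicit `deny ip any any`


# The page's ACL 101 from example 3 (applied inbound on VLAN 31).
VLAN31_ACL = parse_acl("""
access-list 101 deny ip any 172.22.0.0 0.0.255.255
access-list 101 deny ip any 172.23.0.0 0.0.255.255
access-list 101 permit ip any any
""")

# The page's telnet ACL from example 1.
TELNET_ACL = parse_acl("""
access-list 101 permit tcp 218.30.26.0 0.0.0.63 any eq telnet
access-list 101 permit tcp 218.30.27.0 0.0.0.127 any eq telnet
access-list 101 permit tcp 218.30.25.0 0.0.0.255 any eq telnet
""")

if __name__ == "__main__":
    # Constructed sample packets.
    print(evaluate(VLAN31_ACL, "172.21.3.4", "172.22.9.9"))          # deny
    print(evaluate(VLAN31_ACL, "172.21.3.4", "10.1.1.1"))            # permit
    print(evaluate(TELNET_ACL, "218.30.26.10", "172.21.11.252", "tcp", 23))   # permit
    print(evaluate(TELNET_ACL, "218.30.26.100", "172.21.11.252", "tcp", 23))  # deny
    print(evaluate(TELNET_ACL, "218.30.26.10", "172.21.11.252", "tcp", 22))   # deny
```

The last two checks show the consequence of the implicit deny: example 1 as listed has no trailing `permit`, so once it is applied to an interface, everything other than telnet from those three ranges is dropped there, which is intended for a management ACL but is a surprise if the same list is reused on a transit interface.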
20. Configuring HSRP on two 6509s
On each Layer 3 interface that needs HSRP, configure the primary and the standby 6509 as follows:
SS6509-1#vlan database
SS6509-1(vlan)#vlan 31 name ****
SS6509-1(vlan)#exit
SS6509-1#conf t
SS6509-1(config)#int vlan 31
SS6509-1(config-if)#description **** ****
SS6509-1(config-if)#ip address 172.21.11.252 255.255.0.0
SS6509-1(config-if)#standby 100 ip 172.21.11.254 (defines the standby group number and the virtual IP address)
SS6509-1(config-if)#standby 100 priority 120 (defines this device's priority in the standby group; a larger value means a higher priority)
SS6509-2#vlan database
SS6509-2(vlan)#vlan 31 name ****
SS6509-2(vlan)#exit
SS6509-2#conf t
SS6509-2(config)#int vlan 31
SS6509-2(config-if)#description **** ****
SS6509-2(config-if)#ip address 172.21.11.253 255.255.0.0
SS6509-2(config-if)#standby 100 ip 172.21.11.254 (defines the standby group number and the virtual IP address)
SS6509-2(config-if)#standby 100 priority 100 (defines this device's priority in the standby group)
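The priorities 120 and 100 above decide which 6509 answers for the virtual address 172.21.11.254, but only at election time. The following is an added model, not code from the page or from Cisco, of the HSRP active-router election: highest priority wins, an equal priority is broken by the higher interface address, and a router that comes back with a higher priority does not take the role away from a working active router unless `standby 100 preempt` is configured (an IOS command the page's configuration does not include). Router names and the failure sequence are constructed; the model assumes both routers start at the same time, so it does not cover the case where whichever router boots first becomes active before the other is up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HsrpRouter:
    name: str
    ip: str            # interface address used in the standby group
    priority: int      # `standby <group> priority <n>` (IOS default is 100)
    preempt: bool = False   # `standby <group> preempt` configured?


def _rank(r: HsrpRouter) -> Tuple[int, int]:
    # HSRP prefers the highest priority; ties go to the highest interface IP.
    return (r.priority, int(ipaddress.IPv4Address(r.ip)))


def elect_active(alive: List[HsrpRouter],
                 current_active: Optional[HsrpRouter] = None) -> HsrpRouter:
    """Return the router holding the Active role after this round.

    `alive` lists the routers currently sending hellos.  `current_active` is
    the router that held Active before (None for the initial election).  If
    the current Active router is still alive, a better-ranked router only
    takes over when it has preempt configured.
    """
    if not alive:
        raise ValueError("no router alive in the standby group")
    best = max(alive, key=_rank)
    if current_active is None or current_active not in alive:
        return best                      # initial election or Active failed
    if best.preempt and _rank(best) > _rank(current_active):
        return best                      # preemption by a better router
    return current_active


# The page's two 6509s in standby group 100 (names are the page's hostnames).
R1 = HsrpRouter("SS6509-1", "172.21.11.252", priority=120)
R2 = HsrpRouter("SS6509-2", "172.21.11.253", priority=100)


def failover_sequence() -> List[str]:
    """Constructed scenario: R1 active, R1 fails, R1 returns without preempt."""
    a = elect_active([R1, R2])                   # initial election -> R1
    b = elect_active([R2], current_active=a)     # R1 fails -> R2 takes over
    c = elect_active([R1, R2], current_active=b) # R1 back, no preempt -> R2 stays
    return [a.name, b.name, c.name]


if __name__ == "__main__":
    print(failover_sequence())                 # ['SS6509-1', 'SS6509-2', 'SS6509-2']
    r1p = HsrpRouter("SS6509-1", "172.21.11.252", 120, preempt=True)
    print(elect_active([r1p, R2], current_active=R2).name)   # SS6509-1
    # Equal priorities: the higher interface address (.253) wins the tie.
    print(elect_active([HsrpRouter("a", "172.21.11.252", 100),
                        HsrpRouter("b", "172.21.11.253", 100)]).name)   # b
```

The third step of the sequence is the operational point: without preempt, after SS6509-1 has been rebooted or its VLAN 31 interface has flapped, SS6509-2 keeps forwarding for 172.21.11.254 even though it has the lower priority, and the documented "primary" is only restored by a manual action or another failure.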
21. Configuring port MAC binding
Switch(config)# mac access-list extended f02
Switch(config-ext-macl)# permit host 0016.d325.f96a any
Switch(config)# interface FastEthernet0/2
Switch(config-if)# mac access-group f02 in
IV. Routine switch maintenance
1. Change the switch's telnet and enable passwords (see the operations above)
2. Change the switch's SNMP community string (see the operations above)
3. Add and delete VLANs (see the operations above)
4. Enable and disable ports (see the operations above)
5. Save the configuration of every switch at regular intervals, so that a switch's configuration can be restored when an emergency occurs
Saving and restoring the switch IOS is done over the TFTP protocol, so you must first download a TFTP program and then follow the steps below:
① Start TFTP on your machine.
② Log in to the 3500 switch and, in enable mode, enter the following command to save the IOS:
switch# copy flash tftp
Source IP address or hostname [171.68.206.171]?
Source filename []? cat6000-sup2k8.7-1-1.bin
Destination filename [cat6000-sup2k8.7-1-1.binn]?
Loading cat6000-sup2k8.7-1-1.bin to 171.68.206.171 (via VLAN1): !!!! !!!!!!!!!!!
[OK - 1125001 bytes]
③ To restore, run the following commands:
switch# copy tftp flash
Source IP address or hostname []? 171.68.206.171
Source filename []? cat6000-sup2k8.7-1-1.bin
Destination filename [cat6000-sup2k8.7-1-1.bin]? y
Loading cat6000-sup2k8.7-1-1.bin from 171.68.206.171 (via VLAN1): !!!! !!!!!!!!!!!
[OK - 1125001 bytes]
6. Upgrading the switch IOS version
7. Recovering the switch password (the recovery procedure for each switch model is described in "pswdrec_3700")
Taking the 2950 as an example, the password recovery procedure is as follows:
Step 1 Connect a terminal or PC with terminal emulation software to the console port. For more information, refer to the switch hardware installation guide.
Step 2 Set the line speed on the emulation software to 9600 baud.
Step 3 Unplug the switch power cord.
Step 4 Press the Mode button, and at the same time, reconnect the power cord to the switch.
You can release the Mode button a second or two after the LED above port 1X goes off. Several lines of information about the software appear, as do instructions:
The system has been interrupted prior to initializing the flash file system. These commands will initialize the flash file system, and finish loading the operating system software:
flash_init
load_helper
boot
Step 5 Initialize the Flash file system:
switch: flash_init
Step 6 If you had set the console port speed to anything other than 9600, it has been reset to that particular speed. Change the emulation software line speed to match that of the switch console port.
Step 7 Load any helper files:
switch: load_helper
Step 8 Display the contents of Flash memory as in this example:
switch: dir flash:
The switch file system is displayed:
Directory of flash:/
3 drwx 10176 Mar 01 2001 00:04:34 html
6 -rwx 2343 Mar 01 2001 03:18:16 config.text
171 -rwx 1667997 Mar 01 2001 00:02:39 c2950-i6q412-mz.121-9.EA1.bin
7 -rwx 3060 Mar 01 2001 00:14:20 vlan.dat
172 -rwx 100 Mar 01 2001 00:02:54 env_vars
7741440 bytes total (3884509 bytes free)
Step 9 Rename the configuration file to config.text.old. This file contains the password definition.
switch: rename flash:config.text flash:config.text.old
Step 10 Boot the system:
switch: boot
You are prompted to start the setup program. Enter N at the prompt:
Continue with the configuration dialog? [yes/no]: N
Step 11 At the switch prompt, change to privileged EXEC mode:
switch> enable
Step 12 Rename the configuration file to its original name:
switch# rename flas