Device Configuration Collection

Contents

1  Field example: channel between CatOS and IOS
2  PAT
3  Configuring DHCP on a 6509
4  Static NAT
5  NAT
6  Typical configuration


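1  Field example: channel between CatOS and IOS

A channel-group between CatOS and IOS fails to form. The interfaces see a large number of error packets, which brings the interfaces down.

Fix: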
CATOS:
set port channel 1/1-2 mode desirable silent

IOS:
int g3/1
channel-protocol pagp
channel-group 1 mode desirable
int g3/2
channel-protocol pagp
channel-group 1 mode desirable
 
 
2  PAT
 
 
interface FastEthernet0/0
ip address 218.12.35.178 255.255.255.248
no ip directed-broadcast
ip nat outside
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
shutdown
duplex auto
speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 218.12.35.177
no ip http server
!
! access list 1 has to match the inside LAN on FastEthernet0/1 (192.168.1.0/24)
access-list 1 permit 192.168.1.0 0.0.0.255
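
3  Configuring DHCP on a 6509

Example of setting up DHCP on a Cisco device
A customer wanted to migrate the DHCP server to the MSFC of a 6509 switch, and the requirements were fairly involved:
1. Assign addresses to clients in several VLANs at the same time
2. Some addresses within the VLANs are assigned manually
3. Provide clients with the gateway, WINS servers, and so on
4. The lease time for VLAN 2 is 1 day; for the others it is 3 days
5. Assign a specified IP address to particular users by MAC address

The final configuration is as follows: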

! addresses that are not used for dynamic allocation
ip dhcp excluded-address 10.1.1.1 10.1.1.19
ip dhcp excluded-address 10.1.1.240 10.1.1.254
ip dhcp excluded-address 10.1.2.1 10.1.2.19
!
! "global" is the pool name, chosen by the user
ip dhcp pool global
! address range for dynamic allocation
network 10.1.0.0 255.255.0.0
! domain suffix handed to clients
domain-name client.com
! DNS servers handed to clients
dns-server 10.1.1.1 10.1.1.2
! WINS servers handed to clients
netbios-name-server 10.1.1.5 10.1.1.6
! node type handed to clients (affects the name-resolution order; h-node = resolve through the WINS server first...)
netbios-node-type h-node
! lease time: 3 days
lease 3
!
ip dhcp pool vlan1
! this pool is a sub-pool of global and inherits options such as domain-name from the global pool
network 10.1.1.0 255.255.255.0
! default gateways handed to clients
default-router 10.1.1.100 10.1.1.101
!
! pool for the other VLAN
ip dhcp pool vlan2
network 10.1.2.0 255.255.255.0
default-router 10.1.2.100 10.1.2.101
lease 1
!
! always assign address ... to the machine whose MAC address is ...
ip dhcp pool vlan1_john
host 10.1.1.21 255.255.255.0
! client-identifier = 01 followed by the client's NIC address
client-identifier 010050.bade.6384
!
ip dhcp pool vlan1_tom
host 10.1.1.50 255.255.255.0
client-identifier 010010.3ab1.eac8

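Related DHCP troubleshooting commands:
no service dhcp   // stop the DHCP service (the DHCP service is enabled by default)
sh ip dhcp binding   // show the address assignments
show ip dhcp conflict   // show address conflicts
debug ip dhcp server {events | packets | linkage}   // observe what the DHCP server is doing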

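If a DHCP client cannot obtain an IP address, there are two common causes. The first is that the port the client is connected to has not been set to PortFast. After booting, an MS client checks that its NIC is connected and the link is up, and then starts sending DHCPDISCOVER requests, while the switch port is still going through spanning-tree calculation and typically needs 30-50 seconds to reach the forwarding state. Having received no response from the DHCP server, the MS client gives its NIC a 169.254.X.X IP address. The fix is to set the switch port to PortFast: CatOS (4000/5000/6000): set spantree portfast mod_num/port_num enable; IOS (2900/3500): interface ... ; spanning-tree portfast.

The other case is that the DHCP server and the DHCP clients are not in the same VLAN; this is usually solved by configuring ip helper-address: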

! assume the DHCP server address is 10.1.1.8
interface vlan1
ip address 10.1.1.254 255.255.255.0
! assume this is the VLAN where the DHCP clients are
interface Vlan2
ip address 10.1.2.254 255.255.255.0
ip helper-address 10.1.1.8
 
4  Static NAT

Router>en (enter privileged mode)
Router#config   (enter global configuration mode)
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.   End with CNTL/Z.
Router(config)#ho R3 (set the hostname to R3)
R3(config)#no ip domain-lo
(disable domain-name lookup; in a lab, a mistyped command triggers a domain-name lookup, so turn it off)
R3(config)#line c 0 (enter console line 0)
R3(config-line)#logg syn (synchronous logging, so that log messages do not break up the command being typed)
R3(config-line)#exec-t 0 0 (prevent the session from timing out; 0 0 means never time out)
R3(config-line)#exit
R3(config)#int e0 (enter the Ethernet interface)
R3(config-if)#ip add 192.168.1.1 255.255.255.0 (set the IP address)
R3(config-if)#ip nat inside (mark it as the inside interface)
R3(config-if)#no shut
R3(config-if)#exit
R3(config)#int ser1   (enter the serial interface)
R3(config-if)#ip add 100.0.0.1 255.255.255.0
R3(config-if)#no shut
R3(config-if)#ip nat outside (mark it as the outside interface)
R3(config-if)#exit
R3(config)#ip nat inside source static 192.168.1.1 100.0.0.1
(configure the static translation; ip nat inside source is the NAT keyword, and because this translation is static it is followed by static)
R3(config)#ip classless
R3(config)#ip route 0.0.0.0 0.0.0.0 s1 (the exit interface or the next-hop address goes here)
R3(config)#exit
 
 
5 NAT
 
interface Ethernet0
 ip address 172.18.150.150 255.255.0.0
 no ip directed-broadcast
 ! this is the inside port of the network
 ip nat inside
!
interface Serial0
 ip address 192.1.1.161 255.255.255.252
 no ip directed-broadcast
 ! this is the outside port of the network
 ip nat outside
 no ip mroute-cache
 no fair-queue
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
! how the IP addresses obtained from the ISP are allocated inside the company
ip nat pool tech 192.1.1.100 192.1.1.120 netmask 255.255.255.0
ip nat pool deve 192.1.1.121 192.1.1.150 netmask 255.255.255.0
ip nat pool manager 192.1.1.180 192.1.1.200 netmask 255.255.255.0
ip nat pool soft-1 192.1.1.170 192.1.1.179 netmask 255.255.255.0
ip nat pool soft-2 192.1.1.151 192.1.1.159 netmask 255.255.255.0
ip nat pool temp-user 192.1.1.160 192.1.1.160 netmask 255.255.255.0
! bind the access lists to the address pools; the following are dynamic address translations
ip nat inside source list 1 pool tech
ip nat inside source list 2 pool deve
ip nat inside source list 3 pool manager
ip nat inside source list 4 pool soft-1
ip nat inside source list 5 pool soft-2
! bind the access list to the address pool; the following is an overloaded dynamic address translation
ip nat inside source list 6 pool temp-user overload
! the following are static address translations
ip nat inside source static 172.18.100.168 192.1.1.168
ip nat inside source static 172.18.100.169 192.1.1.169
ip classless
! set a default route
ip route 0.0.0.0 0.0.0.0 Serial0
!
! access lists for the inside network: they state which inside address ranges may reach the outside network,
! and they are defined separately so that each one corresponds to a different address pool
access-list 1 permit 172.18.107.0 0.0.0.255
access-list 2 permit 172.18.101.0 0.0.0.255
access-list 3 permit 172.18.108.0 0.0.0.255
access-list 4 permit 172.18.103.0 0.0.0.255
access-list 4 permit 172.18.102.0 0.0.0.255
access-list 4 permit 172.18.104.0 0.0.0.255
access-list 5 permit 172.18.105.0 0.0.0.255
access-list 5 permit 172.18.106.0 0.0.0.255
access-list 6 permit 172.18.111.0 0.0.0.255
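
The mapping that the comments above describe, as an added example (not part of the original configuration): the tables are transcribed from the section 5 listing, and the function names are hypothetical. It resolves which translation rule an inside source address hits using IOS wildcard-mask matching, and lists the pools without overload that hold fewer global addresses than their access list permits inside addresses.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

# Transcribed from the section 5 configuration: ACL number -> [(base, wildcard)].
ACLS = {
    1: [("172.18.107.0", "0.0.0.255")],
    2: [("172.18.101.0", "0.0.0.255")],
    3: [("172.18.108.0", "0.0.0.255")],
    4: [("172.18.103.0", "0.0.0.255"), ("172.18.102.0", "0.0.0.255"),
        ("172.18.104.0", "0.0.0.255")],
    5: [("172.18.105.0", "0.0.0.255"), ("172.18.106.0", "0.0.0.255")],
    6: [("172.18.111.0", "0.0.0.255")],
}
# ACL number -> (pool name, first address, last address, overload)
POOLS = {
    1: ("tech", "192.1.1.100", "192.1.1.120", False),
    2: ("deve", "192.1.1.121", "192.1.1.150", False),
    3: ("manager", "192.1.1.180", "192.1.1.200", False),
    4: ("soft-1", "192.1.1.170", "192.1.1.179", False),
    5: ("soft-2", "192.1.1.151", "192.1.1.159", False),
    6: ("temp-user", "192.1.1.160", "192.1.1.160", True),
}
STATIC = {"172.18.100.168": "192.1.1.168", "172.18.100.169": "192.1.1.169"}

def acl_permits(acl, addr):
    """Wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    return any((ip(addr) | ip(w)) == (ip(base) | ip(w)) for base, w in ACLS[acl])

def resolve(addr):
    """How an inside source address is translated, or None when no rule applies."""
    if addr in STATIC:                       # static entries are always in the table
        return ("static", STATIC[addr])
    for acl, (name, _first, _last, overload) in POOLS.items():
        if acl_permits(acl, addr):
            return ("overload" if overload else "dynamic", name)
    return None

def undersized_pools():
    """Pools without overload need one global address per active inside host."""
    report = {}
    for acl, (name, first, last, overload) in POOLS.items():
        matched = sum(2 ** bin(ip(w)).count("1") for _base, w in ACLS[acl])
        size = ip(last) - ip(first) + 1
        if not overload and matched > size:
            report[name] = (size, matched)   # (pool addresses, inside addresses permitted)
    return report
```

An inside host that matches no access list and has no static entry (resolve returns None) is forwarded untranslated, so its private source address reaches the outside link.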
 
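6  Typical configuration

There is nothing complicated about this configuration; it is simple. The topology is just two stacked 3750s connected to a router, all of it easy.
What makes it worth studying is that the details are configured very thoroughly, many security features are put to use, and it is also a very well-standardized configuration.
It was written by Cisco for a very wealthy company, heh. A sledgehammer to crack a nut, heh.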



Building configuration...
Current configuration : 44199 bytes
!
version 12.2
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname *************
!
logging buffered informational
no logging console
enable secret 5 *************
enable password 7 *************
!
no aaa new-model
clock timezone PST 8
no boot auto-copy-sw
switch 1 provision ws-c3750e-48td
switch 2 provision ws-c3750e-48td
stack-mac persistent timer 5
system mtu routing 1500
vtp domain BEIJING_DC
vtp mode transparent
udld aggressive
ip subnet-zero
no ip source-route
ip routing
ip icmp rate-limit unreachable 1000
ip tcp synwait-time 10
ip domain-name novartis.com
ip name-server *.*.*.*
!
ip ssh time-out 60
ip ssh version 2
!
no setup express
!
!
!         
!
errdisable recovery cause bpduguard
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
errdisable recovery interval 900
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
spanning-tree extend system-id
spanning-tree pathcost method long
spanning-tree vlan 1-4094 priority 4096
!
vlan internal allocation policy ascending
!
vlan 10
name NetworkManagement
!
vlan 12
name Voice_UNUSED
!
vlan 13
name Video_UNUSED
!
vlan 15
name SERVER_VLAN1
!
vlan 16
name SERVER_VLAN2
!
vlan 17
name SERVER_VLAN3
!
vlan 18
name SERVER_VLAN4
!
vlan 19   
name BT_PRI
!
vlan 20
name BR_SEC
!
vlan 21
name DOM_WAN
!
vlan 22
name Firewall
!
vlan 999
name Unused
!
vlan 1001
name NativeVLAN
!
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet1/0/1 - 47
switchport access vlan 18
switchport mode access
switchport port-security maximum 10
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
storm-control broadcast level 5.00
storm-control multicast level 5.00
storm-control action trap
spanning-tree portfast
spanning-tree guard none
!
interface GigabitEthernet1/0/48
description Connection to China Telecom 100 Mbps
no switchport
ip address *.*.*.* 255.255.255.248
no ip redirects
no ip proxy-arp
ip ospf cost 1000
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!         
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface GigabitEthernet2/0/1 - 47
switchport access vlan 18
switchport mode access
switchport port-security maximum 10
switchport port-security
switchport port-security aging time 2
switchport port-security aging type inactivity
storm-control broadcast level 5.00
storm-control multicast level 5.00
storm-control action trap
spanning-tree portfast
spanning-tree guard none
!
interface GigabitEthernet2/0/48
description Connection to China Netcom 10 Mbps
no switchport
ip address *.*.*.* 255.255.255.248
no ip redirects
no ip proxy-arp
ip ospf cost 10000
!
interface GigabitEthernet2/0/49
!
interface GigabitEthernet2/0/50
!
interface GigabitEthernet2/0/51
!
interface GigabitEthernet2/0/52
!
interface TenGigabitEthernet2/0/1
!
interface TenGigabitEthernet2/0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address *.*.*.* 255.255.255.240
ip helper-address *.*.*.*
ip helper-address *.*.*.*
no ip redirects
no ip proxy-arp
load-interval 30
ntp broadcast
arp timeout 295
!
interface Vlan15
ip address *.*.*.* 255.255.255.192
ip helper-address *.*.*.*
ip helper-address *.*.*.*
no ip redirects
no ip proxy-arp
load-interval 30
ntp broadcast
arp timeout 295
!
interface Vlan16
ip address *.*.*.* 255.255.255.192
ip helper-address *.*.*.*
ip helper-address *.*.*.*
no ip redirects
no ip proxy-arp
load-interval 30
ntp broadcast
arp timeout 295
!
interface Vlan17
ip address *.*.*.* 255.255.255.192
ip helper-address *.*.*.*
ip helper-address *.*.*.*
no ip redirects
no ip proxy-arp
load-interval 30
ntp broadcast
arp timeout 295
!
interface Vlan18
ip address *.*.*.* 255.255.255.128
ip helper-address *.*.*.*
ip helper-address *.*.*.*
no ip redirects
no ip proxy-arp
load-interval 30
shutdown
ntp broadcast
arp timeout 295
!
interface Vlan19
ip address *.*.*.* 255.255.255.248
ip helper-address *.*.*.*
ip helper-address *.*.*.*
no ip redirects
no ip proxy-arp
load-interval 30
shutdown
ntp broadcast
arp timeout 295
!
interface Vlan20
ip address *.*.*.* 255.255.255.248
ip helper-address *.*.*.*
ip helper-address *.*.*.*
no ip redirects
no ip proxy-arp
load-interval 30
shutdown
ntp broadcast
arp timeout 295
!
interface Vlan21
ip address *.*.*.* 255.255.255.240
ip helper-address *.*.*.*
ip helper-address *.*.*.*
no ip redirects
no ip proxy-arp
load-interval 30
shutdown
ntp broadcast
arp timeout 295
!
interface Vlan22
ip address *.*.*.* 255.255.255.240
ip helper-address *.*.*.*
ip helper-address *.*.*.*
no ip redirects
no ip proxy-arp
load-interval 30
shutdown
ntp broadcast
arp timeout 295
!
router ospf 70
log-adjacency-changes
passive-interface default
no passive-interface GigabitEthernet1/0/48
no passive-interface GigabitEthernet2/0/48
network *.*.*.* *.*.*.* area 0
network *.*.*.* *.*.*.* area 0
network *.*.*.* *.*.*.* area 0
network *.*.*.* *.*.*.* area 0
network *.*.*.* *.*.*.* area 0
network *.*.*.* *.*.*.* area 0
!
ip classless
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip http server
no ip http secure-server
!
!
snmp-server community DNDSONENET RO 5
snmp-server trap-source Vlan10
snmp-server contact Beijing_Local_IT
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps license
snmp-server enable traps cluster
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps power-ethernet group 1-9
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps mac-notification
snmp-server enable traps stackwise
snmp-server enable traps bgp
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps rtr
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps vlan-membership
!
control-plane
!
banner motd ^C
!
line con 0
password 7 ********
logging synchronous
login
transport output none
line vty 0 4
password 7 ********
logging synchronous
login   
transport input telnet
transport output telnet
line vty 5 15
password 7 ********
logging synchronous
login
transport input telnet
transport output telnet
!
end
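
A check of the management-plane lines in the listing above, as an added example (not part of the original page and not Cisco tooling): the listing enables SSH version 2 yet its vty lines accept Telnet, keeps an enable password 7 next to the enable secret 5, and restricts the SNMP community with access list 5, which the listing does not show. The sample text is a constructed excerpt modelled on section 6 with placeholder secrets, and the function name and check ids are hypothetical.

```python
import re

# Constructed excerpt mirroring the section 6 configuration; secrets are placeholders.
SAMPLE = """\
enable secret 5 <hash>
enable password 7 <encoded>
no aaa new-model
ip ssh version 2
snmp-server community EXAMPLE RO 5
!
line con 0
password 7 <encoded>
login
line vty 0 4
password 7 <encoded>
login
transport input telnet
line vty 5 15
password 7 <encoded>
login
transport input telnet
!
end
"""

def audit(config):
    """Return (check_id, detail) findings for an unindented 'show running-config' text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings, section = [], None
    if any(ln.startswith("enable password ") for ln in lines):
        findings.append(("enable-password", "type 7 is reversible; keep only 'enable secret'"))
    for ln in lines:
        if ln.startswith("line "):
            section = ln                      # a new line block starts
        elif ln in ("!", "end"):
            section = None                    # separator closes the block
        elif section and section.startswith("line vty"):
            m = re.fullmatch(r"transport input (.+)", ln)
            if m and {"telnet", "all"} & set(m.group(1).split()):
                findings.append(("vty-telnet", f"{section}: cleartext Telnet is accepted"))
            if ln == "login" and "no aaa new-model" in lines:
                findings.append(("vty-shared-password", f"{section}: shared line password"))
    for ln in lines:
        m = re.fullmatch(r"snmp-server community \S+ (RO|RW)(?: (\d+))?", ln)
        if m and not m.group(2):
            findings.append(("snmp-no-acl", "community is not restricted by an access list"))
        elif m and not any(l.startswith(f"access-list {m.group(2)} ") for l in lines):
            findings.append(("snmp-acl-missing", f"access-list {m.group(2)} not defined here"))
    return findings
```

Run against a full running-config, an snmp-acl-missing finding means the referenced access list has to be located and reviewed before the community can be treated as restricted.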
