Cisco Catalyst 3560 - L3 Switch (VLAN, ACL) Configuration
While browsing I came across a good blog post about L3 switches and wanted to share it. Before starting, here is the link to the source.
출처: http://mcchae.egloos.com/5202403
(Connect over a serial console at 9600 bps)
Connect to the switch through the COM port
Switch> enable
Switch#
Initialize the switch.
Switch# erase start<tab>
Power the switch off and back on; it comes up with the default configuration.
Create the VLANs
Switch# vlan database
Switch(vlan)# vlan 110 name 110_A
Switch(vlan)# vlan 120 name 120_A
Switch(vlan)# vlan 130 name 130_A
Switch(vlan)# vlan 140 name 140_A
Switch(vlan)# exit
Assign gigabit ports 1-6 to VLAN 110
Switch# conf terminal
Switch(config)# int range g 0/1 - 6
Switch(config-if-range)# switchport access vlan 110
Switch(config-if-range)# end
Assign gigabit ports 7-12 to VLAN 120
Switch# conf terminal
Switch(config)# int range g 0/7 - 12
Switch(config-if-range)# switchport access vlan 120
Switch(config-if-range)# end
Assign gigabit ports 13-18 and 27 to VLAN 130
Switch# conf terminal
Switch(config)# int range g 0/13 - 18
Switch(config-if-range)# switchport access vlan 130
Switch(config-if-range)# int g 0/27
Switch(config-if)# switchport access vlan 130
Switch(config-if)# end
Assign gigabit ports 19-24 and 28 to VLAN 140
Switch# conf terminal
Switch(config)# int range g 0/19 - 24
Switch(config-if-range)# switchport access vlan 140
Switch(config-if-range)# int g 0/28
Switch(config-if)# switchport access vlan 140
Switch(config-if)# end
Assign an IP address to each VLAN interface
Switch# conf terminal
Switch(config)# int vlan 110
Switch(config-if)# ip address 110.0.0.1 255.0.0.0
Switch(config-if)# no shutdown
Switch(config-if)# int vlan 120
Switch(config-if)# ip address 120.0.0.1 255.0.0.0
Switch(config-if)# no shutdown
Switch(config-if)# int vlan 130
Switch(config-if)# ip address 130.0.0.1 255.0.0.0
Switch(config-if)# no shutdown
Switch(config-if)# int vlan 140
Switch(config-if)# ip address 140.0.0.1 255.0.0.0
Switch(config-if)# no shutdown
Switch(config-if)# end
Change the prompt (hostname)
Switch# conf terminal
Switch(config)# hostname EXT_Switch
EXT_Switch(config)# end
Enable operation as an L3 router
EXT_Switch# conf terminal
EXT_Switch(config)# ip routing
EXT_Switch(config)# end
Configure port 25 (1.1.1.1) as a routed port, with an address, for forwarding to another switch
EXT_Switch# conf terminal
EXT_Switch(config)# int g 0/25
EXT_Switch(config-if)# no switchport
EXT_Switch(config-if)# ip address 1.1.1.1 255.255.255.0
EXT_Switch(config-if)# no shutdown
EXT_Switch(config-if)# end
Configure a default route toward the other switch's port 25 (1.1.1.2)
EXT_Switch# conf terminal
EXT_Switch(config)# ip route 0.0.0.0 0.0.0.0 1.1.1.2
EXT_Switch(config)# end
Verify and save the configuration
EXT_Switch# show run
EXT_Switch# show vlan
EXT_Switch# wr mem
EXT_Switch# copy run<tab> start<tab>
Check CPU usage
EXT_Switch# show process cpu
Below are a couple more things I found out.
Telnet access
conf t
interface Vlan1
ip address 192.168.1.33 255.255.255.0
line vty 0 4
password cqroot
no login
end
wr
Note) If you telnet in, type enable and get the message "No password set", then run
conf t
enable secret <password>
to set an enable password as shown.
! The next three lines serve a different purpose
ip default-gateway 192.168.1.254
ip classless
ip http server
Static Routing (from Wikipedia)
To configure a static route to network 10.10.20.0/24, pointing to a next-hop router with the IP address of 192.168.100.1, type: (Note that this example is written in the Cisco IOS command line syntax and will only work on certain Cisco routers[2])
Router> enable
Router# configure terminal
Router(config)# ip route 10.10.20.0 255.255.255.0 192.168.100.1
The other option is to define a static route with reference to the outgoing interface which is connected to the next hop towards the destination network.
Router> enable
Router# configure terminal
Router(config)# ip route 10.10.20.0 255.255.255.0 Serial 0/0
or
Router(config)# ip route 10.10.20.0 255.255.255.0 vlan 110
Port mirroring with internal SPAN
conf t
monitor session 1 source interface Gi0/1 - 22 rx
monitor session 1 destination interface Gi0/25
monitor session 2 source interface Gi0/1 - 22 tx
monitor session 2 destination interface Gi0/26
! The session below fails because its source ports overlap with sessions 1 and 2 above
monitor session 3 source interface Gi0/1 - 22 both
monitor session 3 destination interface Gi0/24
end
wr
To remove the monitoring session:
conf t
no monitor session 1
end
wr
ACL configuration
1) Create the ACL
# conf t
# access-list 11 deny 10.20.30.0 0.0.0.255
# access-list 11 permit any
standard access-list (1-99): matches on source address only, so no protocol keyword
# access-list 111 deny tcp any any eq 4444
# access-list 111 deny tcp 10.10.0.0 0.0.255.255 any
# access-list 111 permit ip any any
extended access-list (100-199)
Every ACL ends with an implicit deny, so the final permit line above must be included.
2) Apply the ACL
# conf t
# int vlan 5
# ip access-group 111 in
3) Remove the ACL
# conf t
# int vlan 5
# no ip access-group 111 in
# exit
# no access-list 111
When adding entries, make it a rule to rebuild the list as a whole together with the existing entries.
The safest sequence is: remove the ACL from the interface, delete the ACL, create the new ACL, and apply it again.
PDF reference: access_list.pdf
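Added example, not code from the post: a Python model of how IOS evaluates access-list 111 above, showing wildcard-mask (inverse-mask) matching and the implicit deny that drops everything when the final permit line is left out. The sample packets are constructed.

```python
import ipaddress

# Added example, not code from the post: a small model of how IOS walks a
# numbered ACL. A wildcard mask is an inverse mask (0 bit = must match,
# 1 bit = don't care), and every ACL ends with an implicit deny.

ANY = ("0.0.0.0", "255.255.255.255")   # "any" == 0.0.0.0 with an all-ones wildcard


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under an IOS wildcard (inverse) mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)        # compare only the bits the mask cares about


def evaluate(acl: list, pkt: dict):
    """First matching entry wins; returns (action, entry). pkt has keys
    proto, src, dst, dport. No match falls through to the implicit deny."""
    for entry in acl:
        if entry["proto"] not in ("ip", pkt["proto"]):
            continue                    # "ip" entries match every protocol
        if not wildcard_match(pkt["src"], *entry["src"]):
            continue
        if not wildcard_match(pkt["dst"], *entry["dst"]):
            continue
        if entry.get("dport") is not None and entry["dport"] != pkt["dport"]:
            continue                    # the "eq 4444" destination-port test
        return entry["action"], entry
    return "deny", None                 # implicit deny at the end of every ACL


# access-list 111 from the post, written out as data
ACL_111 = [
    {"action": "deny", "proto": "tcp", "src": ANY, "dst": ANY, "dport": 4444},
    {"action": "deny", "proto": "tcp", "src": ("10.10.0.0", "0.0.255.255"), "dst": ANY},
    {"action": "permit", "proto": "ip", "src": ANY, "dst": ANY},
]

# The same list with its closing "permit ip any any" forgotten
ACL_111_NO_PERMIT = ACL_111[:2]

if __name__ == "__main__":
    # constructed sample packet: HTTPS from VLAN 10 to VLAN 40 of the sample config
    web = {"proto": "tcp", "src": "10.20.30.5", "dst": "40.50.60.9", "dport": 443}
    print(evaluate(ACL_111, web)[0])             # permit
    print(evaluate(ACL_111_NO_PERMIT, web)[0])   # deny (implicit)
```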
Disable the --More-- pause in the terminal
# conf t
# line vty 0 4
# length 0
# exit
ARP table
# show arp
# clear arp
# conf t
# ip arp inspection vlan 10
# end
MAC learning
# show mac-address-table
IPv6
IPv6 is not enabled out of the box.
To enable it:
# conf t
# sdm prefer dual-ipv4-and-ipv6 default
# end
# wr mem
# reload
and after the system reboots,
>en
# show sdm
00:04:29: %SYS-5-CONFIG_I: Configured from console by console pref
Switch#show sdm prefer
The current template is "desktop IPv4 and IPv6 default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 2K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 3K
number of directly-connected IPv4 hosts: 2K
number of indirect IPv4 routes: 1K
number of IPv6 multicast groups: 1K
number of directly-connected IPv6 addresses: 2K
number of indirect IPv6 unicast routes: 1K
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 512
number of IPv4/MAC security aces: 1K
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 510
number of IPv6 security aces: 510
Output like the above confirms that it has been enabled.
Example IPv4 configuration of a 3560G switch
Switch#show running-config
Building configuration...
Current configuration : 2412 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 Lmos$PVgzp4oxAiE.01xbXqq6O.
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
switchport access vlan 10
!
interface GigabitEthernet0/2
switchport access vlan 10
!
interface GigabitEthernet0/3
switchport access vlan 10
!
interface GigabitEthernet0/4
switchport access vlan 10
!
interface GigabitEthernet0/5
switchport access vlan 10
!
interface GigabitEthernet0/6
switchport access vlan 10
!
interface GigabitEthernet0/7
switchport access vlan 10
!
interface GigabitEthernet0/8
switchport access vlan 10
!
interface GigabitEthernet0/9
switchport access vlan 10
!
interface GigabitEthernet0/10
switchport access vlan 10
!
interface GigabitEthernet0/11
switchport access vlan 10
!
interface GigabitEthernet0/12
switchport access vlan 10
!
interface GigabitEthernet0/13
switchport access vlan 40
!
interface GigabitEthernet0/14
switchport access vlan 40
!
interface GigabitEthernet0/15
switchport access vlan 40
!
interface GigabitEthernet0/16
switchport access vlan 40
!
interface GigabitEthernet0/17
switchport access vlan 40
!
interface GigabitEthernet0/18
switchport access vlan 40
!
interface GigabitEthernet0/19
switchport access vlan 40
!
interface GigabitEthernet0/20
switchport access vlan 40
!
interface GigabitEthernet0/21
switchport access vlan 192
!
interface GigabitEthernet0/22
switchport access vlan 192
!
interface GigabitEthernet0/23
switchport access vlan 192
!
interface GigabitEthernet0/24
switchport access vlan 192
!
interface GigabitEthernet0/25
switchport access vlan 40
!
interface GigabitEthernet0/26
switchport access vlan 40
!
interface GigabitEthernet0/27
switchport access vlan 40
!
interface GigabitEthernet0/28
switchport access vlan 40
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.20.30.1 255.255.255.0
!
interface Vlan40
ip address 40.50.60.1 255.255.255.0
!
interface Vlan192
ip address 192.168.1.73 255.255.255.0
!
ip classless
ip route 100.200.0.0 255.255.0.0 10.20.30.2
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password cqroot
no login
line vty 5 15
login
!
end
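Added example, not code from the post or from Cisco: a Python audit of the remote-access settings in a running-config like the one above, which flags `no login` on the vty lines (a telnet session reaches the exec prompt with no password check at all), the absence of `transport input ssh`, `no service password-encryption` and `ip http server`. The excerpt it reads is constructed from this page's sample config.

```python
# Added example, not code from the post or from Cisco: audit the remote-access
# settings of an IOS running-config. SAMPLE_CONFIG is a constructed excerpt of
# the sample config above, with indentation dropped as the page's copy shows it.

SAMPLE_CONFIG = """\
no service password-encryption
ip http server
line vty 0 4
password cqroot
no login
line vty 5 15
login
end
"""

def parse_config(config: str):
    """Return (global commands, {'vty 0 4': [sub-commands], ...}); a 'line ...'
    header opens a block that lasts until '!', 'end' or the next header."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd in ("!", "end"):
            current = None
            continue
        if cmd.startswith("line "):
            current = cmd[5:]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(cmd)
        else:
            globals_.append(cmd)
    return globals_, blocks

def audit(config: str) -> list:
    """One finding string per weak setting; an empty list means nothing fired."""
    globals_, blocks = parse_config(config)
    findings = []
    if "no service password-encryption" in globals_:
        findings.append("line passwords are stored in clear text")
    if "ip http server" in globals_:
        findings.append("plain-HTTP management server is enabled")
    for name, cmds in blocks.items():
        if not name.startswith("vty"):
            continue                      # only the remote (telnet/ssh) lines
        if "no login" in cmds:
            findings.append(f"{name}: 'no login' gives remote users exec with no password")
        if not any(c.startswith("transport input") for c in cmds):
            findings.append(f"{name}: no 'transport input ssh', so telnet is accepted")
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the excerpt yields five findings; a vty block with `login local` and `transport input ssh` under `service password-encryption` yields none.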