Software platform:
H3C device: simulator (Simware V5.2)
ACS: Cisco ACS 4.12
Network topology:
IP addresses of the devices:
SW: 192.168.77.2
ACS server: 192.168.77.3
User Client: 192.168.77.10
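Wildcard masks on Cisco
This lab does not refer to any specific Cisco device; it applies only to the Cisco simulator.
Likewise, R1 has the IP address 172.16.0.1/24.
R2 has the IP address 172.16.1.1/24.
R2 has 4 loopback interfaces.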
Interface IP-Address
FastEthernet0/0 172.16.0.2
Loopback0 192.168.0.1
Loopback1 192.168.1.1
Loopback2 192.168.2.1
Loopback3 192.168.3.1
Loopback4 192.168.4.1
R1 has one ACL:
access-list 1 deny 192.168.0.0 0.0.2.255
interface FastEthernet0/0
ip address 172.16.0.1 255.255.255.0
ip access-group 1 in
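Once the routing adjacency on both sides reaches FULL, test with ping from R2.
The test results are:
IP range          Reachable?
192.168.0.1/32    No
192.168.1.1/32    Yes
192.168.2.1/32    No
As the table above shows, the non-contiguous wildcard mask does take effect here.
This proves that Cisco also supports non-contiguous wildcard masks.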
Router#ping ip
Target IP address: 172.16.0.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
U.U.U
Success rate is 0 percent (0/5)
Router#ping ip
Target IP address: 172.16.0.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/28/60 ms
Router#pin gip
Translating “gip”
Translating “gip”
% Unrecognized host or address, or protocol not running.
Router#ping ip
Target IP address: 172.16.0.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.2.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
U.U.U
Success rate is 0 percent (0/5)
Router#
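The matching rule behind the test above, as an added example that is not part of the original post: it evaluates the entry 192.168.0.0 0.0.2.255 against R2's loopback addresses and expands the non-contiguous wildcard into the CIDR blocks it covers. The function names are hypothetical, and only the single deny entry is modelled.

```python
import ipaddress
from itertools import product

def _u32(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, base, wildcard):
    """Compare addr with 'base wildcard' as an ACL entry does: bits set in the
    wildcard are ignored, every other bit must equal the base address."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)

def covered_blocks(base, wildcard):
    """Expand a (possibly non-contiguous) wildcard into the CIDR blocks it covers."""
    w = _u32(wildcard)
    tail = 0
    while (w >> tail) & 1:            # contiguous don't-care run at the low end
        tail += 1
    stray = [b for b in range(tail, 32) if (w >> b) & 1]   # isolated don't-care bits
    fixed = _u32(base) & ~w & 0xFFFFFFFF
    blocks = []
    for choice in product((0, 1), repeat=len(stray)):
        net = fixed
        for bit, on in zip(stray, choice):
            net |= on << bit
        blocks.append(ipaddress.IPv4Network((net, 32 - tail)))
    return sorted(blocks)

# ACL entry and R2 loopback addresses taken from the page.
BASE, WILDCARD = "192.168.0.0", "0.0.2.255"
LOOPBACKS = ["192.168.0.1", "192.168.1.1", "192.168.2.1",
             "192.168.3.1", "192.168.4.1"]

def denied_sources():
    """Loopback addresses that hit the deny entry."""
    return [ip for ip in LOOPBACKS if wildcard_match(ip, BASE, WILDCARD)]

if __name__ == "__main__":
    print("deny entry covers:", [str(n) for n in covered_blocks(BASE, WILDCARD)])
    print("denied sources:   ", denied_sources())
```

When reviewing an ACL, expanding each wildcard this way shows exactly which ranges an entry touches, which is easy to misread when the mask is not a simple inverted netmask.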
As with most other routing protocols, the best path to a destination is the path with the lowest metric. EIGRP has the ability to use several variables to compute the metric to a destination network. The first five listed above are those variables: bandwidth, delay, reliability, load, and MTU. Only bandwidth and delay are used by default. It is highly recommended that the defaults be maintained, because using other variables can result in unknown problems in your network.
The values of bandwidth and delay are determined from the bandwidth and delay values associated with the router interfaces. There are default values, but the values can be changed per interface with the bandwidth and delay subinterface commands.
The formula for computing EIGRP metrics follows:
Metric = {[K1 * Bandwidth + (K2 * Bandwidth)/(256 - Load) + K3 * Delay] * [K5/(Reliability + K4)]} * 256
The default K-values follow: K1 = 1; K2 = 0; K3 = 1; K4 = 0; K5 = 0; therefore, the metric formula can be simplified to:
Metric = (Bandwidth + Delay) * 256
Bandwidth = 10000000/Minimum bandwidth along path; and Delay = Sum of delays along path.
Therefore, the final metric formula becomes:
([10000000/Minimum bandwidth] + Sum of delay/10) * 256
Note: Formula uses the bandwidth in kilobits per second and delay as configured on the interface, which is in microseconds.
Metric example:
In this example, the total cost (metric) for Router_A to get to Network A through Router_B would be:
Minimum bandwidth = 128kbps
Total delay = 100 + 100 + 1000 = 1200/10 ms
([10000000/128] + 1200/10) * 256 = 20030720
The total cost to the same destination through Router_C follows:
Minimum bandwidth = 512kbps
Total delay = 1000 + 100 + 100 = 1200/10 ms
([10000000/512] + 1200/10) * 256 = 5030720
The path through Router_C has the lowest cost. Router_A would, therefore, choose the path through Router_C as the best path and put it in its routing table. This path would then be known as the successor (explained later).
In the above topology, the metric of Router_B to Network A would be 307200. Router_C would also have a metric of 307200 to Network A.
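The metric formula above carried through for both paths, as an added example that is not from the original text: it implements the full K-value formula, uses exact arithmetic without truncation so the results match the worked figures, and picks the successor. The function names, the PATHS structure and the load and reliability defaults are assumptions.

```python
from fractions import Fraction

DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5 defaults given in the text

def eigrp_metric(min_bw_kbps, delays_usec, load=1, reliability=255, k=DEFAULT_K):
    """Composite metric from the formula above, in exact arithmetic
    (no integer truncation), so results match the worked figures."""
    k1, k2, k3, k4, k5 = k
    bandwidth = Fraction(10_000_000, min_bw_kbps)  # scaled inverse of the slowest link
    delay = Fraction(sum(delays_usec), 10)         # tens of microseconds
    metric = k1 * bandwidth + k2 * bandwidth / (256 - load) + k3 * delay
    if k5 != 0:
        # The reliability factor applies only when K5 is non-zero; with the
        # default K5 = 0 it is skipped rather than multiplying the metric by 0.
        metric *= Fraction(k5, reliability + k4)
    return metric * 256

# Paths from Router_A to Network A as described in the text:
# (minimum bandwidth in kbit/s, delays along the path in microseconds)
PATHS = {
    "Router_B": (128, [100, 100, 1000]),
    "Router_C": (512, [1000, 100, 100]),
}

def successor(paths):
    """Next hop whose path has the lowest metric."""
    return min(paths, key=lambda hop: eigrp_metric(*paths[hop]))

if __name__ == "__main__":
    for hop, (bw, delays) in PATHS.items():
        print(hop, int(eigrp_metric(bw, delays)))
    print("successor:", successor(PATHS))
```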
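Recently I was working on a project in which one S7510E was set up for port aggregation with the fiber ports of several Cisco 3550 switches. After the aggregation was configured, an entire area would sometimes lose network connectivity. The port status showed err-disable. Sometimes, after manually running shutdown and then no shutdown on the port on the 3550 side, things returned to normal.
Investigation showed that this can be caused by six things:
1. Aggregation protocol mismatch
2. Duplex mismatch
3. BPDU
4. UDLD (Cisco proprietary protocol)
5. Link flapping
6. Keepalive loopback
After analysis, aggregation protocol mismatch and duplex mismatch were ruled out first, because a check showed both ends at 1G, duplex. The log also contained CNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on GigabitEthernet0/2.
Solution: disable the Loopback currently on the 3550, then keep observing. So far no anomalies have been found, but further observation is still needed.
Attached material:
Causes of and fixes for err-disable on switches
Several common causes of a switch interface entering err-disable: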
1. EtherChannel misconfiguration
2. Duplex mismatch
3. UDLD
4. Link-flap error
5. Loopback error
6. Port security violation
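First: err-disable occurs when the FEC configuration on the two ends does not match. Suppose Switch A sets the FEC mode to on. Switch A then sends no PAgP packets to negotiate FEC with the connected Switch B, and assumes Switch B has already configured FEC. In fact Switch B has not configured FEC. When Switch B stays in this state for more than 1 minute, STP on Switch A concludes that a loop exists, and err-disable results. The fix is to configure the FEC mode as channel-group 1 mode desirable non-silent, which means the channel is built only after both sides negotiate FEC successfully; otherwise the interface stays in its normal state.
The second cause is duplex mismatch. When one end is configured as half-duplex, it checks whether the peer is transmitting data, and only when the peer stops transmitting does it send an ack-like packet to bring the link up. But the peer is configured as full-duplex and does not care whether the link is idle; it just keeps sending requests to bring the link up. If this goes on, the link state becomes err-disable.
The third cause is BPDU, which relates to portfast and BPDU guard. If an interface is configured with portfast, the interface is meant to connect to a PC. A PC does not send spanning-tree BPDU frames, so this port does not receive BPDUs to build the spanning tree either. The administrator, with good intentions, also configured BPDU guard on the same interface to block unknown BPDU frames and improve security, but then accidentally connected a switch to this interface that has both portfast and BPDU guard configured. The interface therefore received a BPDU frame, and because BPDU guard is configured, it naturally enters the err-disable state. Fix: no spanning-tree portfast bpduguard default, or simply turn portfast off.
The fourth cause is UDLD. UDLD is a Cisco proprietary Layer 2 protocol used to detect unidirectional link problems. Sometimes the physical layer is up but the link layer is down, and UDLD is needed to check whether the link is really up. When both A and B have UDLD configured, A sends B a UDLD frame containing its own port ID. B, on receiving it, returns a UDLD frame that includes the port ID it received from A. When A receives this frame and finds its own port ID in it, it considers the link good. Otherwise the port goes into the err-disable state. Suppose A has UDLD configured and B does not: A sends B a frame containing its own port ID; B does not know what this frame is, so it does not return a UDLD frame containing A's port ID. A then considers the link unidirectional and naturally goes into the err-disable state.
The fifth cause is link flapping: when a link goes up and down five times within 10 seconds, it enters the err-disable state.
The sixth cause is keepalive loopback. Before 12.1EA, by default the switch sent keepalive messages on all interfaces. Because some different switches may have problems negotiating spanning-tree, an interface may receive the keepalive it sent itself, and that interface then becomes err-disable. The fix is to turn keepalive off, or upgrade IOS to 12.2SE.
The last cause is relatively simple: it results from configuring port-security violation shutdown.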
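Recently I have been carrying out a campus-wide IPv6 upgrade at a customer site. The plan is for each core to have 512 64-bit IPv6 address segments beneath it, and then to send the summarized LSA to the backbone area. But I have not studied OSPFv3 in depth lately, so I had to go home and do a lab myself.
Between R1 and R2 is area 0
R1-C1, the client network, is in area 1
R2-SW1, the network segment, is in area 2
----------- R1 IPv6 configuration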
R1#
interface FastEthernet0/0
no ip address
duplex auto
speed auto
ipv6 address 2001:DA8:C803:FFFF:FFFF:FFFF:FFFF:FB5/126
ipv6 enable
ipv6 ospf 1 area 0
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
ipv6 address 2001:DA8:C803:600::1/64
ipv6 enable
ipv6 ospf 1 area 1
end
ipv6 router ospf 1
router-id 1.1.1.1
log-adjacency-changes
area 1 range 2001:DA8:C803:600::/55
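Dec 4 22:21:03.123: OSPFv3: Generate IAP LSA from inter-area route 2001:DA8:C803:600::/55, type 2003, age 0, metric 20, seq 0x80000001 to area 2
I looked around in interface mode for a long time, went to Cisco's website to look up summary-prefix, and also checked the RFC. Only then did I learn that area summarization has to be configured under the global OSPF configuration.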
(Extraction password: wolfccies)
现任明教教主 shares the latest 2009 CCNA Security course, Day 1
See the previous post
现任明教教主 shares the latest 2009 CCNA Security course, Day 2
http://www.rayfile.com/files/f2b8a3cc-cfaf-11de-978c-0014221b798a/
现任明教教主 shares the latest 2009 CCNA Security course, Day 3
http://www.rayfile.com/files/e301f085-d57a-11de-9548-0014221b798a/
现任明教教主 shares the latest 2009 CCNA Security course, Day 4
http://www.rayfile.com/zh-cn/files/101dd3fd-daa9-11de-9df4-0014221b798a/