차등화 된 서비스를 제공하기 위해 서비스 별로 분류하여 마킹을 진행.

셋팅

ip access-list extended acl-ftp

 permit tcp host 192.168.2.1 eq ftp-data any

 permit tcp host 192.168.2.1 eq ftp any

!

class-map match-any ftp

 match access-group name acl-ftp

!

policy-map kong

 class ftp

  set precedence 3

interface FastEthernet0/1

 switchport trunk encapsulation dot1q

 switchport mode trunk

 service-policy input kong

!

interface FastEthernet0/2

 switchport trunk encapsulation dot1q

 switchport mode trunk

 service-policy input kong

interface Port-channel 1

 switchport trunk encapsulation dot1q

 switchport mode trunk

결과값

HQ_SE_2F_L3_1#show mls qos

QoS is enabled

Differentiated Services Field: 0x60 (DSCP: CS3, ECN: Not-ECT)

0110 00.. = Differentiated Services Codepoint: Class Selector 3 (24)

.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)

HQ_SE_2F_L3_1#

show policy-map interface f0/1-2

 FastEthernet0/1

  Service-policy input: kong

 Class-map: ftp (match-any)

   0 packets, 0 bytes

   5 minute offered rate 0 bps,

   Match: access-group acl-ftp

     0 packets, 0 bytes

     5 minute rate 0 bps

정상작동 테스트 (재분류)

Service-policy input: kong

   Class-map: reftp (match-any)

     958955 packets, 959638048 bytes

     5 minute offered rate 16591000 bps, drop rate 0 bps

     Match: ip precedence 3

       958954 packets, 959638048 bytes

       5 minute rate 16591000 bps

     QoS Set

       precedence 4

         Packets marked 958965

0110 00.. = Differentiated Services Codepoint:

Class Selector 4 (24)

(Port-Channel 1)

HQ_SE_2F_L3_1(config-if)#service-policy input kong

QoS: policymap is not supported on virtual interfaces

Service Policy attachment failed

패킷에 대한 암호화 및 인증을 실시하여 데이터에 대한 기밀성을 보장하고 지사 2곳과 근거리에서 통신하는 효과를 얻을 수 있다.

셋팅

HQ_SE_Core_R1

crypto isakmp policy 10

 authentication pre-share

crypto isakmp key 6 tae address 0.0.0.0 0.0.0.0

crypto ipsec transform-set eung esp-3des esp-md5-hmac   

crypto ipsec profile vpn-1

 set transform-set eung

!

interface Tunnel0

 ip address 192.168.81.1 255.255.255.0

 no ip redirects

 ip nhrp authentication kong

 ip nhrp map multicast dynamic

 ip nhrp network-id 2811

 ip nhrp holdtime 360

 ip nhrp cache non-authoritative

 tunnel source 200.1.1.2

 tunnel mode gre multipoint

 tunnel key 2811

 tunnel protection ipsec profile vpn-1

 Active Router가 Down되거나 회선에 문제가 생겨 통신이 불가능해진 경우 Active Router를 전환하기 위해 사용.

셋팅

HQ_SE_1F_SW1(config-if)#standby 10 track FastEthernet0/6

HQ_SE_1F_SW1(config-if)#standby 10 preempt

결과

HQ_SE_2F_L3_1#show standby brief

P indicates configured to preempt.

|

Interface   Grp   Pri   P   State   Active   Standby       Virtual IP

Vl10          10   150  P  Active   local   192.168.2.29  192.168.2.30

HQ_SE_2F_L3_2#show standby brief

P indicates configured to preempt.

|

Interface   Grp    Pri   P   State    Active        Standby   Virtual IP

Vl10         10     145  P Standby 192.168.2.28   local    192.168.2.30

HQ_SE_2F_L3_1#show standby brief

P indicates configured to preempt.

|

Interface   Grp   Pri   P   State       Active      Standby    Virtual IP

Vl10         10    140  P  Standby 192.168.2.29   local     192.168.2.30

HQ_SE_2F_L3_2#show standby brief

P indicates configured to preempt.

|

Interface   Grp   Pri   P    State     Active     Standby      Virtual IP

Vl10         10    145  P   Active    local     192.168.2.28 192.168.2.30

Gateway의 Path를 이중화해 하나의 링크가 Down되어도 Client들의 서비스에 지장이  없게 한다.

셋팅

HQ_SE_GN_1F_L3_1

interface Vlan10

ip address 192.168.1.28 255.255.255.224

standby 1 ip 192.168.1.30

standby 1 priority 150

standby 1 preempt

!

interface Vlan20

ip address 192.168.1.61 255.255.255.224

standby 2 ip 192.168.1.60

standby 2 priority 145

standby 2 preempt

!

HQ_SE_GN_1F_L3_2

interface Vlan10

ip address 192.168.1.29 255.255.255.224

standby 1 ip 192.168.1.30

standby 1 priority 145

standby 1 preempt

!

interface Vlan20

ip address 192.168.1.62 255.255.255.224

standby 2 ip 192.168.1.60

standby 2 priority 150

standby 2 preempt

!

결과

HQ_SE_GN_1F_L3_1#show standby brief

                     P indicates configured to preempt.

                     |

Interface   Grp    Prio   P  State       Active           Standby           Virtual IP

Vl10          1      150   P  Active      local             192.168.1.29     192.168.1.30

Vl20          2      145   P  Standby   192.168.1.62    local              192.168.1.60

HQ_SE_GN_1F_L3_2#show standby brief

                     P indicates configured to preempt.

                     |

Interface    Grp   Prio   P  State        Active                  Standby         Virtual IP

Vl10           1     145   P  Standby    192.168.1.28          local              192.168.1.30

Vl20           2     150   P  Active       local                   192.168.1.61     192.168.1.60

여러 개의 스패닝트리를 그룹화해 1개의 스패닝트리 처럼 동작하게 하여 프로세서의 소모율을 줄인다.

셋팅

Dispatch_L2_1

spanning-tree mode mst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

spanning-tree vlan 1,10,20,30,40 priority 40960

!

spanning-tree mst configuration

 name mst-1

 instance 1 vlan 1, 10, 20, 30, 40

!

spanning-tree mst 1 priority 40960

!

!

!

!

interface FastEthernet0/1

 switchport mode trunk

!

interface FastEthernet0/2

 switchport mode trunk

!

결과

Dispatch_L2_1#show spanning-tree mst configuration

Name      [mst-1]

Revision  0

Instance  Vlans mapped

--------  -------------------------------------------------------------------

0         2-9,11-19,21-29,31-39,41-4094

1         1,10,20,30,40

----------------------------------------------------------------------------

Dispatch_L2_1#show spanning-tree mst 1

Interface        Role Sts Cost      Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/1            Altn BLK 200000     128.1    P2p

Fa0/2            Root FWD 200000   128.2    P2p

Dispatch_L2_2#show spanning-tree mst 1

Interface        Role Sts Cost      Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/1            Desg FWD 200000    128.1    P2p

Fa0/3            Root FWD 200000    128.3    P2p

Dispatch_L3_1#show spanning-tree mst 1

Interface        Role Sts Cost      Prio.Nbr Type

---------------- ---- --- --------- -------- --------------------------------

Fa0/2            Desg FWD 200000    128.2    P2p Pre-STD-Rx

Fa0/3            Desg FWD 200000    128.3    P2p Pre-STD-Rx

수렴 시간(Convergence Time)을 빠르게 하기 위해 사용.

(모든 장비에서 사용 가능한 표준기술)

셋팅

HQ_SE_3F_SW3(config)#spanning-tree rapid-pvst

적용후

L2_1(config)#spanning-tree mode rapid-pvst

08:55:30: setting bridge id (which=3) prio 40970 prio cfg 40960 sysid 10 (on) id A00A.001c.0e5d.c040

08:55:30: RSTP(10): initializing port Fa0/1

08:55:30: RSTP(10): Fa0/1 is now designated

08:55:30: RSTP(10): initializing port Fa0/2

08:55:30: RSTP(10): Fa0/2 is now designated

08:55:30: RSTP(10): transmitting a proposal on Fa0/1

08:55:30: RSTP(10): transmitting a proposal on Fa0/2

08:55:30: RSTP(10): updt roles, superior bpdu on Fa0/1 (synced=0)

08:55:30: RSTP(10): Fa0/1 is now root port

08:55:30: RSTP(10): syncing port Fa0/2

08:55:30: RSTP(10): transmitting a proposal on Fa0/2

08:55:30: RSTP(10): updt roles, superior bpdu on Fa0/2 (synced=0)

08:55:30: RSTP(10): Fa0/2 is now alternate

직접 연결되어 있지 않은 간접링크가 다운되었을때 차단상태(Blocking State)의 포트를 MAX Age(20초)를 생략하고 바로 청취 상태로 변경시켜 기본적인 STP 컨버전스 시간인 50초를 30초로 단축시킨다.

셋팅

HQ_SE_1F_SW1(config)#spanning-tree backbonefast

HQ_SE_1F_SW2(config)#spanning-tree backbonefast

HQ_SE_1F_L3_3(config)#spanning-tree backbonefast

적용 전 (20초)

07:32:04: STP: VLAN0010 heard root 32778-001d.e6da.d900 on Fa0/2

07:32:06: STP: VLAN0010 heard root 32778-001d.e6da.d900 on Fa0/2

07:32:08: STP: VLAN0010 heard root 32778-001d.e6da.d900 on Fa0/2

07:32:10: STP: VLAN0010 heard root 32778-001d.e6da.d900 on Fa0/2

07:32:12: STP: VLAN0010 heard root 32778-001d.e6da.d900 on Fa0/2

07:32:14: STP: VLAN0010 heard root 32778-001d.e6da.d900 on Fa0/2

07:32:16: STP: VLAN0010 heard root 32778-001d.e6da.d900 on Fa0/2

07:32:18: STP: VLAN0010 heard root 32778-001d.e6da.d900 on Fa0/2

07:32:20: STP: VLAN0010 heard root 32778-001d.e6da.d900 on Fa0/2

07:32:22: STP: VLAN0010 Fa0/2 -> listening

적용 후 (20초 생략)

07:21:12: STP: VLAN0010 heard root 32778-001d.e6da.d900 on Fa0/2

07:21:12: STP: VLAN0010 Fa0/2 -> listening

07:21:12: STP: VLAN0010 Topology Change rcvd on Fa0/2

07:21:12: STP: VLAN0010 sent Topology Change Notice on Fa0/1

직접 연결된 링크가 다운 되었을 때 차단 상태에 있는 포트를 즉시 전송 상태로 변경 시키기 위해 사용.

셋팅

HQ_SE_1F_SW1(config)#spanning-tree uplinkfast

적용 전 (30초)

03:39:07: STP: VLAN0010 new root port Fa0/2, cost 38

03:39:07: STP: VLAN0010 Fa0/2 -> listening

03:39:09: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

03:39:09: STP: VLAN0010 sent Topology Change Notice on Fa0/2

03:39:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

03:39:22: STP: VLAN0010 Fa0/2 -> learning

03:39:37: STP: VLAN0010 Fa0/2 -> forwarding

적용 후 (5초이내)

03:15:07: STP: VLAN0010 new root port Fa0/2, cost 3038

03:15:07: %SPANTREE_FAST-7-PORT_FWD_UPLINK: VLAN0010 FastEthernet0/2 moved to Forwarding (UplinkFast).

03:15:09: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

03:15:09: STP: VLAN0010 sent Topology Change Notice on Fa0/2

03:15:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

UplinkFast is enabled

Station update rate set to 150 packets/sec.

UplinkFast statistics

-----------------------

Number of transitions via uplinkFast (all VLANs)            : 0

Number of proxy multicast addresses transmitted (all VLANs) : 0

Name                 Interface List

-------------------- ------------------------------------

VLAN0001             Fa0/2(fwd)

VLAN0010             Fa0/2(fwd)