《Step 1》 Look up the port number of the specific vSwitch port you want to capture on
[root@user:~] net-stats -l
PortNum Type SubType SwitchName MACAddress ClientName

~ output omitted ~

67108869 5 9 vSwitch2 00:0c:29:b3:ed:cf 01_CSR1000V(03.13.04.S)


《Step 2》 Capture by specifying the vSwitch port number found in Step 1
Note: To inspect the capture file separately in Wireshark, add the -o option and specify an output file.
Example: pktcap-uw --switchport 67108869 -o /tmp/capture.cap


[root@user:~] pktcap-uw --switchport 67108869
The switch port id is 0x04000005
No server port specifed, select 60535 as the port
Output the packet info to console.
Local CID 2
Listen on port 60535
Accept...Vsock connection from port 1032 cid 2
08:53:30.888874[1] Captured at PortInput point, TSO not enabled, Checksum not offloaded and not verified, VLAN tag 24, length 76.
Segment[0] ---- 76 bytes:
0x0000: 0100 5e00 0002 000c 29b3 edcf 0800 45c0
0x0010: 003e 0000 0000 0111 0041 c0a8 1804 e000
0x0020: 0002 0286 0286 002a 2884 0001 001e 0404
0x0030: 0404 0000 0100 0014 0000 0000 0400 0004
0x0040: 000f 0000 0401 0004 0404 0404
08:53:31.224431[2] Captured at PortInput point, TSO not enabled, Checksum not offloaded and not verified, VLAN tag 14, length 76.
Segment[0] ---- 76 bytes:
0x0000: 0100 5e00 0002 000c 29b3 edcf 0800 45c0
0x0010: 003e 0000 0000 0111 0a41 c0a8 0e04 e000
0x0020: 0002 0286 0286 002a 3284 0001 001e 0404
0x0030: 0404 0000 0100 0014 0000 0000 0400 0004
0x0040: 000f 0000 0401 0004 0404 0404
08:53:31.304819[3] Captured at PortInput point, TSO not enabled, Checksum not offloaded and not verified, VLAN tag 14, length 94.
Segment[0] ---- 94 bytes:
0x0000: 0100 5e00 0005 000c 29b3 edcf 0800 45c0
0x0010: 0050 7f68 0000 0159 8a7b c0a8 0e04 e000
0x0020: 0005 0201 0030 0404 0404 0000 0000 453a
0x0030: 0000 0000 0000 0000 0000 ffff ff00 000a
0x0040: 1201 0000 0028 c0a8 0e01 c0a8 0e04 0101
0x0050: 0101 fff6 0003 0001 0004 0000 0001
08:53:32.676856[4] Captured at PortInput point, TSO not enabled, Checksum not offloaded and not verified, VLAN tag 34, length 94.
Segment[0] ---- 94 bytes:
0x0000: 0100 5e00 0005 000c 29b3 edcf 0800 45c0
0x0010: 0050 7f69 0000 0159 767a c0a8 2204 e000
0x0020: 0005 0201 0030 0404 0404 0000 0000 1934
0x0030: 0000 0000 0000 0000 0000 ffff ff00 000a
0x0040: 1201 0000 0028 c0a8 2203 c0a8 2204 0303
0x0050: 0303 fff6 0003 0001 0004 0000 0001
08:53:33.83841[5] Captured at PortInput point, TSO not enabled, Checksum not offloaded and not verified, VLAN tag 34, length 76.
Segment[0] ---- 76 bytes:
0x0000: 0100 5e00 0002 000c 29b3 edcf 0800 45c0
0x0010: 003e 0000 0000 0111 f640 c0a8 2204 e000
0x0020: 0002 0286 0286 002a 1e84 0001 001e 0404
0x0030: 0404 0000 0100 0014 0000 0000 0400 0004
0x0040: 000f 0000 0401 0004 0404 0404
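
Added example (not part of the original notes): a Python sketch that reassembles the hex dump pktcap-uw prints to the console in Step 2 and decodes the Ethernet/IPv4 headers, using frames [1] and [3] from the output above as input. The function names are hypothetical; the labels UDP 646 = LDP and IP protocol 89 = OSPF are the standard assignments, not something the notes state.

```python
import re
import struct

# Frames [1] and [3] copied from the console capture shown above.
SAMPLE = """\
08:53:30.888874[1] Captured at PortInput point, TSO not enabled, Checksum not offloaded and not verified, VLAN tag 24, length 76.
Segment[0] ---- 76 bytes:
0x0000: 0100 5e00 0002 000c 29b3 edcf 0800 45c0
0x0010: 003e 0000 0000 0111 0041 c0a8 1804 e000
0x0020: 0002 0286 0286 002a 2884 0001 001e 0404
0x0030: 0404 0000 0100 0014 0000 0000 0400 0004
0x0040: 000f 0000 0401 0004 0404 0404
08:53:31.304819[3] Captured at PortInput point, TSO not enabled, Checksum not offloaded and not verified, VLAN tag 14, length 94.
Segment[0] ---- 94 bytes:
0x0000: 0100 5e00 0005 000c 29b3 edcf 0800 45c0
0x0010: 0050 7f68 0000 0159 8a7b c0a8 0e04 e000
0x0020: 0005 0201 0030 0404 0404 0000 0000 453a
0x0030: 0000 0000 0000 0000 0000 ffff ff00 000a
0x0040: 1201 0000 0028 c0a8 0e01 c0a8 0e04 0101
0x0050: 0101 fff6 0003 0001 0004 0000 0001
"""

HEADER = re.compile(r"^([\d:.]+)\[(\d+)\] Captured at (\w+) point.*VLAN tag (\d+), length (\d+)\.")
HEXLINE = re.compile(r"^0x[0-9a-f]{4}:\s+([0-9a-f ]+)$")
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 89: "OSPF"}
UDP_SERVICE = {646: "LDP"}  # destination port seen in this capture


def parse_pktcap(text):
    """Split pktcap-uw console output into frames and reassemble their bytes."""
    frames = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            frames.append({"ts": m.group(1), "index": int(m.group(2)), "point": m.group(3),
                           "vlan": int(m.group(4)), "length": int(m.group(5)), "data": b""})
        elif frames and HEXLINE.match(line):
            frames[-1]["data"] += bytes.fromhex(HEXLINE.match(line).group(1).replace(" ", ""))
    return frames


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def ip_header_ok(header):
    """RFC 1071: the one's-complement sum over a valid IPv4 header is 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode(frame):
    """Decode Ethernet and IPv4 fields; the VLAN tag comes from pktcap-uw metadata."""
    d = frame["data"]
    if len(d) != frame["length"]:
        raise ValueError("frame %d: dump does not match stated length" % frame["index"])
    out = {"index": frame["index"], "vlan": frame["vlan"],
           "dst_mac": _mac(d[0:6]), "src_mac": _mac(d[6:12]),
           "ethertype": struct.unpack("!H", d[12:14])[0]}
    if out["ethertype"] != 0x0800 or len(d) < 34:
        return out
    ihl = (d[14] & 0x0F) * 4          # IPv4 header length in bytes
    ip = d[14:14 + ihl]
    out["src_ip"] = ".".join(str(b) for b in ip[12:16])
    out["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    out["checksum_ok"] = ip_header_ok(ip)
    out["service"] = IP_PROTO.get(ip[9], "ip/%d" % ip[9])
    if ip[9] == 17:                   # UDP: label by destination port
        dport = struct.unpack("!H", d[16 + ihl:18 + ihl])[0]
        out["service"] = UDP_SERVICE.get(dport, "udp/%d" % dport)
    return out


def summarize(text):
    return [decode(f) for f in parse_pktcap(text)]
```

Calling `summarize()` on a saved console log gives one dictionary per frame, which makes it easy to see which VLAN each routing-protocol hello from the guest arrives on.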

esxcli system snmp set --communities public
esxcli system snmp set --targets 192.168.0.1@162/public
esxcli system snmp set --loglevel=warning
esxcli system snmp set --enable true
esxcli system snmp set --notraps=1.3.6.1.4.1.6876.4.90.0.401,1.3.6.1.4.1.6876.4.1.0.3,1.3.6.1.4.1.6876.4.1.0.4




Note: Traps for the following objects were suppressed so that they are not sent.
vmwCimOmHeartbeat 1.3.6.1.4.1.6876.4.90.0.401
vmwVmHBLost 1.3.6.1.4.1.6876.4.1.0.3
vmwVmHBDetected 1.3.6.1.4.1.6876.4.1.0.4




~ # esxcli system snmp get
Authentication:
Communities: public
Enable: true
Engineid: xxxxxxxxxxxxxxxxxxxxxxxx
Hwsrc: indications
Largestorage: true
Loglevel: warning
Notraps: 1.3.6.1.4.1.6876.4.1.0.3, 1.3.6.1.4.1.6876.4.1.0.4, 1.3.6.1.4.1.6876.4.90.0.401
Port: 161
Privacy:
Remoteusers:
Syscontact:
Syslocation:
Targets: 192.168.0.1@162 public
Users:
V3targets:

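Note: Configure an IP address on VLAN 1 and assign VLAN 1 to fa0/1 beforehand.
Note: 3CD was used as the TFTP server.
Watch the free space on flash:
 If flash: has not been cleared, the transfer appears to be running,
 but it actually fails.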

Switch#delete /force /recursive flash:
 ⇒Forcibly erases the entire contents of flash:

Switch#sh flash:

Directory of flash:/

No files in directory

32514048 bytes total (32513024 bytes free)




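Switch#archive tar /xtract tftp://20.20.20.2/c3560-ipservicesk9-mz.122-55.SE6.tar flash:
 ⇒Copies the .tar file transferred from the TFTP server, overwriting, and extracts all of its files
 ⇒If you first upload the tar to flash: with copy tftp flash or similar and then try to extract it, free space runs short and the extraction is likely to fail.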
Loading c3560-ipservicesk9-mz.122-55.SE6.tar from 20.20.20.2 (via Vlan1): !
c3560-ipservicesk9-mz.122-55.SE6 (directory)
c3560-ipservicesk9-mz.122-55.SE6/html (directory)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/layers.js (1616 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/topbannernofpv.shtml (18990 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/stylesheet.css (22059 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/appsui.js (1749 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/frmwrkResource.htm (950 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/more.txt (62 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/preflight.js (17300 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/xsetup.js (71430 bytes)
c3560-ipservicesk9-mz.122-55.SE6/html/en (directory)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/en/re_framework.js (6052 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/en/troubleshooting_Browser.htm (3477 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/en/re_xsetup.js (23012 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/en/charset.js (333 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/en/re_fpv_title.js (3795 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/en/troubleshooting_OS.htm (2891 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/en/re_preflight.js (3853 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/en/troubleshooting_JavaScript.htm (8346 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/setup_report.htm (12811 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/empty.htm (313 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/reloadstatus.shtml (846 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/charset.js (333 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/helpframework.js (865 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/title.js (577 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/back.htm (515 bytes)
c3560-ipservicesk9-mz.122-55.SE6/html/help (directory)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/help/help.htm (900 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/help/xsetup_help.htm (896 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/help/xsetstd.htm (19342 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/help/xsetinit.htm (13252 bytes)!
extracting c3560-ipservicesk9-mz.122-55.SE6/html/help/xsetip.htm (6314 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/help/helptoolbar.shtml (9571 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/toolbar.js (6383 bytes)
c3560-ipservicesk9-mz.122-55.SE6/html/images (directory)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/toolbar_button_left.gif (298 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/informational16.gif (1045 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/up_arrow.gif (837 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/question.gif (405 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/ip_fig1.gif (7769 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/tab_bg_active.gif (827 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/tab_left_inactive.gif (919 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/spacer.gif (49 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/toolbarButtonDownLeft.gif (187 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/toolbar_back.gif (908 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/warning_big.gif (296 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/top_left.gif (45 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/down_arrow.gif (837 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/top_right.gif (45 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/bottom_left.gif (45 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/toolbarGradient3px.gif (519 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/toolbar_help.gif (1077 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/toolbarButtonDownRight.gif (188 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/toolbarButtonDownTile.gif (157 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/toolbarGradient.gif (262 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/swrefresh.gif (773 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/confirm.gif (515 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/tab_bg_inactive.gif (931 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/logo.gif (1706 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/toolbar_button_right.gif (295 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/toolbar_forward.gif (906 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/fatal_error_big.gif (271 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/toolbar_refresh.gif (1189 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/tab_right_inactive.gif (922 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/ip_fig2.gif (7003 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/tab_right_active.gif (862 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/toolbar_button_tile.gif (160 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/toolbar_print.gif (1183 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/tab_left_active.gif (852 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/images/bottom_right.gif (45 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/bottombanner.htm (4108 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/nsback.htm (519 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/xsetup.shtml (107459 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/express-setup.htm (6825 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/sitewide.js (12467 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/framework.js (25715 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/sorttable.js (48234 bytes)!
extracting c3560-ipservicesk9-mz.122-55.SE6/html/forms.js (13756 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/html/xhome.htm (6960 bytes)
extracting c3560-ipservicesk9-mz.122-55.SE6/c3560-ipservicesk9-mz.122-55.SE6.bin (12752912 bytes)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
extracting c3560-ipservicesk9-mz.122-55.SE6/info (522 bytes)
c3560-ipservicesk9-mz.122-55.SE6 (directory)
extracting c3560-ipservicesk9-mz.122-55.SE6/info (524 bytes)
extracting info (111 bytes)
[OK - 13338624 bytes]




Switch#sh flash

Directory of flash:/

2 drwx 192 Mar 1 1993 00:16:58 +00:00 c3560-ipservicesk9-mz.122-55.SE6
83 -rwx 111 Mar 1 1993 00:16:59 +00:00 info

32514048 bytes total (19213312 bytes free)




Switch#dir flash:c3560-ipservicesk9-mz.122-55.SE6
Directory of flash:/c3560-ipservicesk9-mz.122-55.SE6/

3 drwx 1792 Mar 1 1993 00:10:26 +00:00 html
81 -rwx 12752912 Mar 1 1993 00:16:58 +00:00 c3560-ipservicesk9-mz.122-55.SE6.bin
82 -rwx 524 Mar 1 1993 00:16:59 +00:00 info

32514048 bytes total (19213312 bytes free)




Switch#verify flash:c3560-ipservicesk9-mz.122-55.SE6/c3560-ipservicesk9-mz.122-55.SE6.bin
Verified flash:c3560-ipservicesk9-mz.122-55.SE6/c3560-ipservicesk9-mz.122-55.SE6.bin





Switch(config)#boot system flash:c3560-ipservicesk9-mz.122-55.SE6/c3560-ipservicesk9-mz.122-55.SE6.bin





Switch#sh boot
BOOT path-list : flash:c3560-ipservicesk9-mz.122-55.SE6/c3560-ipservicesk9-mz.122-55.SE6.bin
Config file : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break : no
Manual Boot : no
HELPER path-list :
Auto upgrade : yes
Auto upgrade path :
Switch#




Switch#wr


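■Verification 1: Configure RSTP and confirm its behavior
    ⇒Configure RSTP on each switch

    ⇒Check the RSTP port roles on each switch

    ⇒Unplug the cable on the fa0/2 side of SW1_2950

    ⇒Check the RSTP port roles on each switch again

    ⇒Check the debug output


■Configuration applied to SW1_2950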
conf t
!
vlan 100
!
spanning-tree mode rapid-pvst
spanning-tree vlan 100 priority 4096
!
int fa0/1
switchport mode access
switchport access vlan 100
!
int fa0/2
switchport mode access
switchport access vlan 100
!
end


■Configuration applied to SW2_2950
conf t
!
vlan 100
!
spanning-tree mode rapid-pvst
!
int fa0/1
switchport mode access
switchport access vlan 100
!
int fa0/2
switchport mode access
switchport access vlan 100
!
end


■Configuration applied to SW3_2950
conf t
!
vlan 100
!
spanning-tree mode rapid-pvst
spanning-tree vlan 100 priority 8192
!
int fa0/1
switchport mode access
switchport access vlan 100
!
int fa0/2
switchport mode access
switchport access vlan 100
!
end


■Verification 1: Configure RSTP and confirm its behavior
    ⇒Check the RSTP port roles on each switch
SW1_2950#sh spanning-tree

VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 4196
Address 000e.3854.be00
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4196 (priority 4096 sys-id-ext 100)
Address 000e.3854.be00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p


SW2_2950#sh spanning-tree

VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 4196
Address 000e.3854.be00
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32868 (priority 32768 sys-id-ext 100)
Address 000d.bc1d.c100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p
Fa0/2 Altn BLK 19 128.2 P2p


SW3_2950#sh spanning-tree

VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 4196
Address 000e.3854.be00
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 8292 (priority 8192 sys-id-ext 100)
Address 000d.2903.e680
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p


    ⇒Unplug the cable on the fa0/2 side of SW1_2950

    ⇒Check the RSTP port roles on each switch again
SW1_2950#sh spanning-tree

VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 4196
Address 000e.3854.be00
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4196 (priority 4096 sys-id-ext 100)
Address 000e.3854.be00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p


SW2_2950#sh spanning-tree

VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 4196
Address 000e.3854.be00
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32868 (priority 32768 sys-id-ext 100)
Address 000d.bc1d.c100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p


SW3_2950#sh spanning-tree

VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 4196
Address 000e.3854.be00
Cost 38
Port 2 (FastEthernet0/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 8292 (priority 8192 sys-id-ext 100)
Address 000d.2903.e680
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Root FWD 19 128.2 P2p


    ⇒Check the debug output
SW3_2950#debug spanning-tree events
Spanning Tree event debugging is on
SW3_2950#
00:15:37: RSTP(100): updt roles, root port Fa0/1 is going down
00:15:37: RSTP(100): we become the root bridge
00:15:37: RSTP(100): updt roles, superior bpdu on Fa0/2 (synced=0)
00:15:37: RSTP(100): Fa0/2 is now root port
00:15:37: RSTP(100): synced Fa0/2
00:15:37: RSTP(100): transmitting an agreement on Fa0/2 as a response to a proposal


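■Verification 1: Configure RSTP and confirm its behavior
    ⇒Configure RSTP on each switch

    ⇒Check the RSTP port roles on each switch

    ⇒Unplug the cable on the fa0/1 side of SW1_2950

    ⇒Unplug the cable on the fa0/2 side of SW3_2950

    ⇒Check the RSTP port roles on each switch again

    ⇒Check the debug output


■Configuration applied to SW1_2950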
conf t
!
vlan 100
!
spanning-tree mode rapid-pvst
spanning-tree vlan 100 priority 4096
!
int fa0/1
switchport mode access
switchport access vlan 100
!
int fa0/2
switchport mode access
switchport access vlan 100
!
end


■Configuration applied to SW2_2950
conf t
!
vlan 100
!
spanning-tree mode rapid-pvst
!
int fa0/1
switchport mode access
switchport access vlan 100
!
int fa0/2
switchport mode access
switchport access vlan 100
!
end


■Configuration applied to SW3_2950
conf t
!
vlan 100
!
spanning-tree mode rapid-pvst
spanning-tree vlan 100 priority 8192
!
int fa0/1
switchport mode access
switchport access vlan 100
!
int fa0/2
switchport mode access
switchport access vlan 100
!
int fa0/3
switchport mode access
switchport access vlan 100
!
end


■Verification 1: Configure RSTP and confirm its behavior
    ⇒Check the RSTP port roles on each switch
SW1_2950#sh spanning-tree

VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 4196
Address 000e.3854.be00
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4196 (priority 4096 sys-id-ext 100)
Address 000e.3854.be00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p


SW2_2950#sh spanning-tree

VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 4196
Address 000e.3854.be00
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32868 (priority 32768 sys-id-ext 100)
Address 000d.bc1d.c100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p
Fa0/2 Altn BLK 19 128.2 P2p


SW3_2950#sh spanning-tree

VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 4196
Address 000e.3854.be00
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 8292 (priority 8192 sys-id-ext 100)
Address 000d.2903.e680
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/3 Back BLK 19 128.3 P2p

    ⇒Unplug the cable on the fa0/1 side of SW1_2950

    ⇒Unplug the cable on the fa0/2 side of SW3_2950

    ⇒Check the RSTP port roles on each switch again
SW1_2950#sh spanning-tree

VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 4196
Address 000e.3854.be00
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4196 (priority 4096 sys-id-ext 100)
Address 000e.3854.be00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Desg FWD 19 128.2 P2p


SW2_2950#sh spanning-tree

VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 4196
Address 000e.3854.be00
Cost 38
Port 2 (FastEthernet0/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32868 (priority 32768 sys-id-ext 100)
Address 000d.bc1d.c100
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Root FWD 19 128.2 P2p


SW3_2950#sh spanning-tree

VLAN0100
Spanning tree enabled protocol rstp
Root ID Priority 4196
Address 000e.3854.be00
Cost 19
Port 1 (FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 8292 (priority 8192 sys-id-ext 100)
Address 000d.2903.e680
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Root FWD 19 128.1 P2p
Fa0/3 Desg FWD 19 128.3 P2p


    ⇒Check the debug output
SW2_2950#debug spanning-tree events
01:48:32: RSTP(100): updt roles, root port Fa0/1 is going down
01:48:32: RSTP(100): Fa0/2 is now root port
01:48:37: RSTP(100): Fa0/2 rcvd info expired
01:48:37: RSTP(100): updt roles, information on root port Fa0/2 expired
01:48:37: RSTP(100): we become the root bridge
01:48:37: RSTP(100): Fa0/2 is now designated
01:48:37: RSTP(100): updt roles, superior bpdu on Fa0/2 (synced=0)
01:48:37: RSTP(100): Fa0/2 is now root port
01:48:37: RSTP(100): synced Fa0/2
01:48:37: RSTP(100): transmitting an agreement on Fa0/2 as a response to a proposal


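Note: DSW3_3560 is used as the assumed downstream L2 switch


■Key points for private VLAN configuration
    ⇒Set VTP to transparent mode (on both the L2 switch and the upstream L3 switch)
    ⇒On the upstream L3 switch, configure an SVI only for the primary VLAN (do not configure SVIs for the isolated VLAN or the community VLAN).


■Configuration applied to DSW3_3560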
conf t
!
vtp mode transparent
!
vlan 100
private-vlan primary
exit
!
vlan 10
private-vlan isolated
exit
!
vlan 20
private-vlan community
exit
!
vlan 100
private-vlan association 10,20
exit
!
int gi0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 100 10,20
no shut
exit
!
int range fa0/1 - 2
switchport mode private-vlan host
switchport private-vlan host-association 100 10
no shut
exit
!
int range fa0/3 - 4
switchport mode private-vlan host
switchport private-vlan host-association 100 20
no shut
exit
!
end


■Configuration applied to DSW1_3750
conf t
!
ip routing
!
vtp mode transparent
!
vlan 100
!
int gi1/0/1
switchport mode access
switchport access vlan 100
no shut
!
int fa1/0/1
no switchport
ip address 10.0.0.1 255.255.255.0
no shut
!
int vlan 100
private-vlan mapping add 10,20
ip address 172.16.100.1 255.255.255.0
no shut
!
router eigrp 100
network 172.16.100.0 0.0.0.255
network 10.0.0.0 0.0.0.255
!
end


DSW3_3560#sh vlan private-vlan

Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 10 isolated Fa0/1, Fa0/2, Gi0/1
100 20 community Fa0/3, Fa0/4, Gi0/1


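■Verification 1: Use a PACL to deny ARP packets from a specific PC (host C) in vlan101
    ⇒Apply the mac access-list to the physical interfaces as a PACL
    ⇒Check the ARP table on the specific PC (host C)
    ⇒Ping the Linux host from the specific PC (host C)
    ⇒Check the ARP table on the specific PC (host C) again
    ⇒Ping the Linux host from another PC (host B) that is not subject to the ARP deny
    ⇒Check the ARP table on the other PC (host B)
    ⇒Ping the specific PC from the other PC (host B)


■Configuration applied to DSW3_3560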
conf t
!
ip routing
!
enable secret ccnp
!
vlan 101
!
int loopback 0
ip address 1.1.1.1 255.255.255.255
!
int fa0/1
switchport mode access
switchport access vlan 101
mac access-group deny-arp in
no shut
!
int fa0/2
switchport mode access
switchport access vlan 101
mac access-group deny-arp in
no shut
!
int fa0/3
switchport mode access
switchport access vlan 101
mac access-group deny-arp in
no shut
!
int vlan 101
ip address 172.16.101.1 255.255.255.0
no shut
exit
!
mac access-list extended deny-arp
deny host 001d.7298.f312 0000.0000.0000 ffff.ffff.ffff 0x0806 0x0
permit any any
exit
!
line vty 0 4
password cisco
login
!
end


■Verification 1: Use a PACL to deny ARP packets from a specific PC (host C) in vlan101
    ⇒Check the ARP table on the specific PC (host C)
C:\Documents and Settings\administrator.EXAMPLE>arp -a
No ARP Entries Found


    ⇒Ping the Linux host from the specific PC (host C)
C:\Documents and Settings\administrator.EXAMPLE>ping 172.16.101.100

Pinging 172.16.101.100 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.101.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


    ⇒Check the ARP table on the specific PC (host C) again
C:\Documents and Settings\administrator.EXAMPLE>arp -a
No ARP Entries Found


    ⇒Ping the Linux host from another PC (host B) that is not subject to the ARP deny
C:\Documents and Settings\otherPC>ping 172.16.101.100

Pinging 172.16.101.100 with 32 bytes of data:

Reply from 172.16.101.100: bytes=32 time<1ms TTL=64
Reply from 172.16.101.100: bytes=32 time<1ms TTL=64
Reply from 172.16.101.100: bytes=32 time<1ms TTL=64
Reply from 172.16.101.100: bytes=32 time<1ms TTL=64

Ping statistics for 172.16.101.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms


    ⇒Check the ARP table on the other PC (host B)
C:\Documents and Settings\otherPC>arp -a

Interface: 172.16.101.150 --- 0x3
Internet Address Physical Address Type
172.16.101.1 f4-ac-c1-1f-f6-c1 dynamic
172.16.101.100 00-16-d3-c2-44-b2 dynamic


    ⇒Ping the specific PC from the other PC (host B)
C:\Documents and Settings\otherPC>ping 172.16.101.200

Pinging 172.16.101.200 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.101.200:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


DSW3_3560#sh access-lists

Extended MAC access list deny-arp
deny host 001d.7298.f312 any 0x806 0x0
permit any any (3 matches)


DSW3_3560#sh mac access-group
Interface FastEthernet0/1:
Inbound access-list is deny-arp
Outbound access-list is not set
Interface FastEthernet0/2:
Inbound access-list is deny-arp
Outbound access-list is not set
Interface FastEthernet0/3:
Inbound access-list is deny-arp
Outbound access-list is not set
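
Added example (not part of the original notes): a Python model of first-match evaluation for the deny-arp MAC ACL, covering both the form entered in the config and the form `sh access-lists` displays. Its results are consistent with the ping results above: host C's ARP requests are dropped on ingress, and so are its ARP replies, which is why host B cannot reach host C either. It assumes 001d.7298.f312 is host C's MAC, as the ACL implies; host B's MAC is a constructed value and the function names are hypothetical.

```python
import re

# ACL as entered in the config above, and as "sh access-lists" displays it.
ACL_CONFIG = """\
deny host 001d.7298.f312 0000.0000.0000 ffff.ffff.ffff 0x0806 0x0
permit any any
"""
ACL_SHOWN = """\
deny host 001d.7298.f312 any 0x806 0x0
permit any any (3 matches)
"""

HOST_C = "001d.7298.f312"   # assumption: MAC of host C (the address the ACL denies)
HOST_B = "0011.2233.4455"   # constructed MAC standing in for host B
BROADCAST = "ffff.ffff.ffff"
ANY = 0xFFFFFFFFFFFF        # wildcard with every bit set: address is ignored


def mac_int(mac):
    return int(re.sub(r"[.:-]", "", mac), 16)


def parse_addr(tokens):
    """Consume 'any', 'host MAC' or 'MAC WILDCARD'; return (value, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return (0, ANY)
    if first == "host":
        return (mac_int(tokens.pop(0)), 0)
    return (mac_int(first), mac_int(tokens.pop(0)))


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tokens = re.sub(r"\(.*\)", "", line).split()   # drop "(N matches)"
        if not tokens:
            continue
        action = tokens.pop(0)
        src, dst = parse_addr(tokens), parse_addr(tokens)
        # Optional "ETHERTYPE MASK"; mask bits set to 1 are ignored.
        etype = (int(tokens[0], 16), int(tokens[1], 16)) if len(tokens) == 2 else None
        rules.append((action, src, dst, etype))
    return rules


def matches(value, spec):
    rule_value, wildcard = spec
    return (value | wildcard) == (rule_value | wildcard)


def evaluate(rules, src, dst, ethertype):
    """Return the action of the first matching entry."""
    for action, s, d, e in rules:
        if (matches(mac_int(src), s) and matches(mac_int(dst), d)
                and (e is None or matches(ethertype, e))):
            return action
    return "deny"   # implicit deny at the end of every ACL


def scenarios():
    rules = parse_acl(ACL_CONFIG)
    return {
        "host C ARP request (broadcast)": evaluate(rules, HOST_C, BROADCAST, 0x0806),
        "host B ARP request (broadcast)": evaluate(rules, HOST_B, BROADCAST, 0x0806),
        "host C ARP reply to host B": evaluate(rules, HOST_C, HOST_B, 0x0806),
        "host C frame with EtherType 0x0800": evaluate(rules, HOST_C, HOST_B, 0x0800),
    }


if __name__ == "__main__":
    for name, action in scenarios().items():
        print("%-36s %s" % (name, action))
```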