2004-06-28 (Mon) Sawnet KT Operator Training - Cisco Catalyst 6509 - Song Dong-seok (송동석), sds@sawnet.co.kr
Agenda

Part I (2H): Explanation of the basic configuration currently in operation
  1. Network diagram
  2. General functions
  3. Interfaces
  4. Routing
  5. Security

Part II (4H): Operating mid-range enterprise equipment
  1. Supervisor Engine RPR+ mode
  2. LACP / EtherChannel trunk configuration
  3. Environment
  4. Password recovery
  5. Configuration file backup
  6. Rate limit
Part I (2H): Explanation of the basic configuration currently in operation
  1. Network diagram
  2. General functions
  3. Interfaces
  4. Routing
  5. Security
I-1. Network (Express) diagram
(Figure; the equipment labels that survive from the diagram are listed below.)
  - Kornet: ST200 / M40e
  - Metro high-capacity switch: RS-38000
  - Metro aggregation switch: Catalyst 6509 (enterprise type and aggregation type)
  - Enterprise aggregation and subscriber termination: Catalyst 6509
  - N-Topia switch: Alpine 3808, Cisco 6506
  - Enterprise small: V6124F
  - Subscriber switches: V6108F
  - Metro low-capacity (game-room) subscriber switches: Dasan V51xx, V5324, V5216F; Locus 4032, 4124; Cisco 3550
I-2. General functions: boot sequence

C6509(config)# hostname [hostname]
  Hostname setting: set according to the hostname naming policy.
C6509(config)# clock timezone kst 9
  Clock timezone setting.
C6509(config)# boot system flash sup-bootflash:[c6sup22-pk2s-mz.121-13.e8.bin]
C6509(config)# boot system flash slavesup-bootflash:
C6509(config)# boot system flash slot0:
  Boot device settings for loading IOS. The boot image devices are searched in this order:
  1. IOS image in the master Supervisor Engine flash memory
  2. IOS image in the slave Supervisor Engine flash memory
  3. IOS image on the master Supervisor Engine flash memory card
I-2. General functions: log messages

C6509(config)# service timestamps debug datetime localtime
C6509(config)# service timestamps log datetime localtime
  Syslog entries are timestamped in local time.
C6509(config)# logging trap debugging
  Send messages up to the debugging level to the log server.
C6509(config)# logging [ip-address]
  Send debug-level log messages to the syslog server (60.0.0.1).
C6509(config)# logging source-interface [GigabitEthernet3/1]
  When sending logs to the syslog server, use the IP address of Giga3/1 as the source address.
C6509(config)# logging buffered [size]
  Size of the buffer that stores log messages; default 4096 bytes.
I-2. General functions: show log command

Catalyst6509#show log
Syslog logging: enabled (0 messages dropped, 85 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 75 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 158 messages logged
    Exception Logging: size (4096 bytes)
    Trap logging: level informational, 182 message lines logged
        Logging to 211.111.111.11, 182 message lines logged
Log Buffer (8192 bytes):
*Jun 10 10:18:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4/16, changed state to down
--- remainder omitted ---
I-2. General functions: SNMP

C6509(config)# access-list 77 permit 50.1.1.1
  ACL restricting SNMP access.
C6509(config)# snmp-server host [ip-address] [community-name]
C6509(config)# snmp-server community [community-name] RO 77
  SNMP server and trap settings. When a source defined in access list 77 polls the device, only GET-related information (read-only) is returned to that source.
I-3. Interfaces: uplink interface connected to the upstream device

C6509(config)# interface GigabitEthernet3/1
C6509(config-if)# description UP_RS38K#1_Direct
  Interface description.
C6509(config-if)# ip address 10.1.1.2 255.255.255.252
  IP address.
C6509(config-if)# logging event link-status
  When the link state changes, the event is written to syslog and raised on the console.
C6509(config-if)# speed nonegotiate
  Manually fix the port at 1 Gbps full duplex.
I-3. Interfaces: downlink interface connected to the N-topia switch

C6509(config)# interface GigabitEthernet4/1
C6509(config-if)# description Down_N-topia#1
  Interface description.
C6509(config-if)# ip address 30.1.1.1 255.255.255.252
  IP address.
C6509(config-if)# logging event link-status
  When the link state changes, the event is written to syslog and raised on the console.
C6509(config-if)# speed nonegotiate
  Manually fix the port at 1 Gbps full duplex. On 100M FX interfaces, "duplex full" must be configured.
C6509(config-if)# ip verify unicast source reachable-via rx allow-self-ping
  Apply RPF (Reverse Path Forwarding); see section I-5 for details.
I-4. Routing

Default route configuration
C6509(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.1
C6509(config)# ip route 0.0.0.0 0.0.0.0 20.1.1.1
  Default routes whose next hops are the uplink-interface addresses of the upstream devices (RS38K, ST200, etc.).

Static route / black-hole configuration
C6509(config)# ip route 30.1.1.0 255.255.255.252 Null0
  Null0 static route for the connected prefix of every point-to-point (serial) segment. (On the enterprise Metro service, interfaces terminating multi-link subscribers must be excluded.)
C6509(config)# ip route 100.1.1.0 255.255.255.0 30.1.1.2
  Static route for the subscriber prefix. When the subscriber access link goes down, the Null0 static route for the point-to-point segment above prevents routing loops.
I-5. Security: global configuration

C6509(config)# service nagle
  Apply the John Nagle algorithm (TCP congestion control).
C6509(config)# no service pad
  Disable the PAD (packet assembler/disassembler) service.
C6509(config)# no ip bootp server
  Disable the BOOTP protocol.
C6509(config)# service tcp-keepalives-in
  Apply keepalives to inbound TCP sessions.
C6509(config)# enable secret [password]
  Set the enable password.
C6509(config)# service password-encryption
  Encrypt passwords in the configuration.
C6509(config)# no cdp run
  Disable the Cisco Discovery Protocol.
I-5. Security: Telnet

C6509(config)# access-list 1 permit 218.144.1
  ACL declaring the IP addresses permitted to connect when restricting telnet access.
C6509(config)# line vty 0 4
C6509(config-line)# password [password]
  Login password.
C6509(config-line)# exec-timeout 30 0
  Automatic logout after 30 minutes of idle time.
C6509(config-line)# access-class 1 in
  Only sources defined in access list 1 may connect by telnet.
I-5. Security: DoS attack prevention

Access-list settings
C6509(config)# access-list 103 deny udp any any eq 1434
C6509(config)# access-list 103 deny udp any neq netbios-ns any eq netbios-ns
C6509(config)# access-list 103 deny tcp any any eq 445
C6509(config)# access-list 103 deny tcp any any eq 4444
C6509(config)# access-list 103 deny 255 any any
C6509(config)# access-list 103 deny 0 any any
C6509(config)# access-list 103 permit ip any any

Apply the access list to the interfaces
C6509(config)# interface range gi3/1 - 8 , gi4/1 - 8
C6509(config-if-range)# ip access-group 103 in
I-5. Security: interface mode settings

C6509(config-if)# no ip redirects
  Disable ICMP message type 5 (redirect).
C6509(config-if)# no ip unreachables
  Disable ICMP message type 3 (destination unreachable).
C6509(config-if)# no ip proxy-arp
  Disable proxy ARP.
C6509(config-if)# mls ip directed-broadcast exclude-router
  Discard packets arriving from outside that are addressed to the broadcast address of a local interface.
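The I-5 slides above list the global, VTY and interface-mode hardening commands as a checklist. The following added example (not part of the training material) audits an IOS running-config text against that checklist; the sample configuration and the ACL and hash values in it are constructed placeholders.

```python
"""Check a Catalyst 6509 running-config against the I-5 hardening baseline.
Added example, not from the original training material; the sample config
is constructed and the ACL/hash values in it are placeholders."""

GLOBAL_REQUIRED = [          # global commands listed on the I-5 slides
    "service nagle",
    "no service pad",
    "no ip bootp server",
    "service tcp-keepalives-in",
    "service password-encryption",
    "no cdp run",
]
INTERFACE_REQUIRED = [       # interface-mode commands listed on the I-5 slides
    "no ip redirects",
    "no ip unreachables",
    "no ip proxy-arp",
    "mls ip directed-broadcast exclude-router",
]

# Constructed sample: Gi3/1 follows the baseline, Gi4/1 is missing the
# interface-mode hardening; vty lines are restricted by access-list 1.
SAMPLE_CONFIG = """\
hostname C6509
service nagle
no service pad
service tcp-keepalives-in
service password-encryption
enable secret 5 PLACEHOLDER-HASH
no ip bootp server
no cdp run
!
interface GigabitEthernet3/1
 description UP_RS38K#1_Direct
 ip address 10.1.1.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 mls ip directed-broadcast exclude-router
 ip verify unicast source reachable-via rx allow-self-ping
!
interface GigabitEthernet4/1
 description Down_N-topia#1
 ip address 30.1.1.1 255.255.255.252
 ip verify unicast source reachable-via rx allow-self-ping
!
access-list 1 permit 192.0.2.0 0.0.0.255
line vty 0 4
 exec-timeout 30 0
 password PLACEHOLDER
 access-class 1 in
 login
"""


def parse_config(text):
    """Split IOS config text into a dict: 'global' plus one entry per
    'interface ...' / 'line ...' section. Indented lines belong to the
    section above them; a bare '!' or a non-indented line ends it."""
    sections = {"global": []}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = "global"
            continue
        if not raw.startswith(" "):
            if line.startswith(("interface ", "line ")):
                current = line
                sections[current] = []
                continue
            current = "global"
        sections[current].append(line)
    return sections


def audit(text):
    """Return a list of findings (an empty list means the baseline is met)."""
    sections = parse_config(text)
    glob = sections["global"]
    findings = []
    for cmd in GLOBAL_REQUIRED:
        if cmd not in glob:
            findings.append(f"global: missing '{cmd}'")
    if not any(l.startswith("enable secret") for l in glob):
        findings.append("global: no 'enable secret' configured")
    for name, lines in sections.items():
        if name.startswith("interface ") and any(l.startswith("ip address ") for l in lines):
            # Only L3 interfaces carry the ICMP/ARP/uRPF settings
            for cmd in INTERFACE_REQUIRED:
                if cmd not in lines:
                    findings.append(f"{name}: missing '{cmd}'")
            if not any(l.startswith("ip verify unicast") for l in lines):
                findings.append(f"{name}: uRPF not enabled")
        elif name.startswith("line vty"):
            if not any(l.startswith("access-class ") and l.endswith(" in") for l in lines):
                findings.append(f"{name}: no inbound access-class")
            if not any(l.startswith("exec-timeout ") for l in lines):
                findings.append(f"{name}: no exec-timeout")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the text of "show running-config" captured from the console; each finding names the section and the missing command.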
I-5. Security: RPF (Reverse Path Forwarding)

C6509(config-if)# ip verify unicast source reachable-via rx allow-self-ping
  Anti-spoofing through RPF. The FIB table of Cisco CEF is consulted; a packet whose source IP is not in the table for the receiving interface is dropped.

(Figure: a packet from S to D arrives on i/f 1; the router reasons "this packet came in on i/f 1, so let me check whether it really could have come from i/f 1". A packet with its source spoofed as 20.20.1.1 is dropped.)

sh ip cef fa4/1
Prefix              Next Hop             Interface
1.1.1.0/24          1.1.200.1            FastEthernet4/1
1.1.2.0/24          1.1.200.1            FastEthernet4/1
1.1.3.0/24          1.1.200.1            FastEthernet4/1
1.1.4.0/24          1.1.200.1            FastEthernet4/1
1.1.5.0/24          1.1.200.1            FastEthernet4/1
1.1.7.0/24          1.1.200.1            FastEthernet4/1
I-5. Security: RPF, strict mode

(Figure: a packet from S to D arrives on i/f 1. Left: FIB says S -> i/f 1, so the packet is forwarded. Right: FIB says S -> i/f 2,3, so the packet is dropped.)

Anti-spoofing with RPF
Cat6509(config)# ip cef
  Enable CEF.
Cat6509(config-if)# ip verify unicast reverse-path
Cat6509(config-if)# ip verify unicast source reachable-via rx allow-default
I-5. Security: RPF, loose mode

(Figure: a packet from S to D arrives on i/f 1. Left: FIB says S -> i/f 2,3; in loose mode the packet is forwarded because the source is reachable through some interface. Right: FIB has no entry for S (Null), so the packet is dropped.)

Anti-spoofing with RPF
Cat6509(config)# ip cef
  Enable CEF.
Cat6509(config-if)# ip verify unicast source reachable-via any
I-5. Security: checking RPF drop statistics
The "Total Unicast RPF failed packets" counter shows the packets dropped by RPF.

GJ_ent6509_1#show mls statistics
Statistics for Earl in Module 1
L2 Forwarding Engine
  Total packets Switched                 : 571196320
L3 Forwarding Engine
  Total Packets Bridged                  : 6296320
  Total Packets FIB Switched             : 599653791
  Total Packets ACL Routed               : 0
  Total Packets Netflow Switched         : 0
  Total Mcast Packets Switched/Routed    : 358011
  Total ip packets with TOS changed      : 2882838
  Total ip packets with COS changed      : 0
  Total non ip packets COS changed       : 0
  Total packets dropped by ACL           : 0
  Total packets dropped by Policing      : 0
  Total Unicast RPF failed packets       : 106469
Errors
  MAC/IP length inconsistencies          : 0
  Short IP packets received              : 0
  IP header checksum errors              : 0
  MAC/IPX length inconsistencies         : 0
  Short IPX packets received             : 0
I-5. Security: RPF, default (no RPF)

Result: forwarded. Packets are forwarded on the destination address only.

Configuration and verification
C6509-SW-2#sh run in gi 3/3
Building configuration...
Current configuration : 93 bytes
!
interface GigabitEthernet3/3
 ip address 192.1.1.254 255.255.255.0
 speed nonegotiate
end
C6509-SW-2#sh ip route 168.1.1.1
% Network not in table
C6509-SW-2#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Routing Descriptor Blocks:
  * 10.1.1.5
      Route metric is 0, traffic share count is 1
C6509-SW-2#sh mls statistics | inc RPF
Total Unicast RPF failed packets       : 365273768
C6509-SW-2#sh mls statistics | inc RPF
Total Unicast RPF failed packets       : 365273768
C6509-SW-2#sh mls statistics | inc RPF
Total Unicast RPF failed packets       : 365273768
C6509-SW-2#sh mls statistics | inc RPF
Total Unicast RPF failed packets       : 365273768
C6509-SW-2#sh mls statistics | inc RPF
Total Unicast RPF failed packets       : 365273768
(The RPF-failed counter does not increase: nothing is dropped.)
I-5. Security: RPF, reachable-via rx mode (without allow-default)

Result: dropped. With Unicast RPF enabled, the router first compares the packet's source address with the routing information it holds and then decides whether to forward. There is no routing information for the 168.1.1.0/24 network, so the packet is dropped.

Configuration and verification
C6509-SW-2(config)#in gi 3/3
C6509-SW-2(config-if)#ip verify unicast source reachable-via rx
C6509-SW-2(config-if)#^Z
C6509-SW-2#sh ip route 168.1.1.0
% Network not in table
C6509-SW-2#sh run in gi 3/3
Building configuration...
Current configuration : 136 bytes
!
interface GigabitEthernet3/3
 ip address 192.1.1.254 255.255.255.0
 ip verify unicast source reachable-via rx
 speed nonegotiate
end
C6509-SW-2#sh mls statistics | inc RPF
Total Unicast RPF failed packets       : 383053322
C6509-SW-2#sh mls statistics | inc RPF
Total Unicast RPF failed packets       : 385754534
C6509-SW-2#sh mls statistics | inc RPF
Total Unicast RPF failed packets       : 386844651
C6509-SW-2#sh mls statistics | inc RPF
Total Unicast RPF failed packets       : 387832005
(The RPF-failed counter keeps increasing: the packets are being dropped.)
I-5. Security: RPF, reachable-via rx mode (with allow-default)

Result: forwarded. There is no routing information for the 168.1.1.0/24 network, so the allow-default option is used to decide whether to forward. Here the next-hop address of the default route is reached through the same interface on which the packet was received, so the packet is forwarded.

Configuration and verification
C6509-SW-2#sh ip route 168.1.1.0
% Network not in table
C6509-SW-2#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0, candidate default path
  Routing Descriptor Blocks:
  * 192.1.1.1
      Route metric is 0, traffic share count is 1
C6509-SW-2#sh run in gi 3/3
Building configuration...
Current configuration : 150 bytes
!
interface GigabitEthernet3/3
 ip address 192.1.1.254 255.255.255.0
 ip verify unicast source reachable-via rx allow-default
 speed nonegotiate
end
C6509-SW-2#sh mls statistics | inc RPF
Total Unicast RPF failed packets       : 1150772287
C6509-SW-2#sh mls statistics | inc RPF
Total Unicast RPF failed packets       : 1150772287
C6509-SW-2#sh mls statistics | inc RPF
Total Unicast RPF failed packets       : 1150772287
C6509-SW-2#sh mls statistics | inc RPF
Total Unicast RPF failed packets       : 1150772287
C6509-SW-2#sh mls statistics | inc RPF
Total Unicast RPF failed packets       : 1150772287
(The RPF-failed counter no longer increases.)
I-5. Security: RPF, reachable-via any mode

Result: forwarded. If the source address of a packet entering an interface exists in the routing information, the packet is forwarded even when the next-hop interface in that routing information differs from the receiving interface.
I-5. Security: RPF, the allow-self-ping option

Without the option
C6509-SW-1#sh run in vlan 1
Building configuration...
Current configuration : 152 bytes
!
interface Vlan1
 ip address 10.1.1.5 255.255.255.252
 ip verify unicast source reachable-via rx
 ip router isis
 isis circuit-type level-2-only
end
C6509-SW-1#ping 10.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

After configuring the option
C6509-SW-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
C6509-SW-1(config)#in vlan 1
C6509-SW-1(config-if)#ip verify uni source reach rx allow-self-ping
C6509-SW-1(config-if)#^Z
C6509-SW-1#ping 10.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
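The RPF slides above walk through the forward/drop decision one mode at a time. The following added example (not part of the original page) puts those rules into one function and replays the slides' cases against a constructed FIB that borrows the slides' addresses; the handling of allow-default in "any" mode is assumed to mirror the "rx" case.

```python
"""Simulate the uRPF decision for each mode shown on the RPF slides.
Added example, not from the original page; the FIB and packets are
constructed (addresses borrowed from the slides as sample values).
Modes: 'none' (no RPF), 'rx' (strict), 'rx allow-default', 'any' (loose),
'any allow-default'. allow-default handling for 'any' is assumed to
mirror the 'rx' case."""
import ipaddress


class Fib:
    """Minimal CEF FIB: longest-prefix match, prefix -> (next hop, interface)."""

    def __init__(self, entries):
        self.entries = sorted(
            ((ipaddress.ip_network(p), nh, ifc) for p, (nh, ifc) in entries.items()),
            key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        for net, nh, ifc in self.entries:
            if ip in net:
                return net, nh, ifc
        return None


def urpf_check(fib, mode, in_iface, src, local_addrs=(), allow_self_ping=False):
    """Return ('forward'|'drop', reason) for a packet from src arriving on in_iface."""
    if mode == "none":
        return "forward", "RPF disabled: forwarded on destination address only"
    if src in local_addrs:
        # A ping to the router's own interface address carries our address as source
        if allow_self_ping:
            return "forward", "own address, allow-self-ping set"
        return "drop", "own address, allow-self-ping not set"
    hit = fib.lookup(src)
    if hit is None:
        return "drop", "source prefix not in FIB"
    net, _nh, ifc = hit
    if net.prefixlen == 0 and "allow-default" not in mode:
        return "drop", "only the default route matches and allow-default is not set"
    if mode.startswith("any"):
        return "forward", f"loose: source reachable via {ifc}"
    if mode.startswith("rx"):
        if ifc == in_iface:
            return "forward", f"strict: FIB points back out {in_iface}"
        return "drop", f"strict: FIB points to {ifc}, packet arrived on {in_iface}"
    raise ValueError(f"unknown mode {mode!r}")


# Constructed FIB modelled on the slides: default route towards 192.1.1.1
# out Gi3/3, subscriber prefixes behind Fa4/1, 168.1.1.0/24 absent.
FIB = Fib({
    "0.0.0.0/0": ("192.1.1.1", "GigabitEthernet3/3"),
    "192.1.1.0/24": ("attached", "GigabitEthernet3/3"),
    "1.1.1.0/24": ("1.1.200.1", "FastEthernet4/1"),
    "1.1.2.0/24": ("1.1.200.1", "FastEthernet4/1"),
})
LOCAL = {"192.1.1.254"}


def slide_scenarios():
    """The cases walked through on the slides, as (label, action) pairs."""
    gi = "GigabitEthernet3/3"
    return [
        ("no RPF, unknown source", urpf_check(FIB, "none", gi, "168.1.1.1")[0]),
        ("rx, unknown source", urpf_check(FIB, "rx", gi, "168.1.1.1")[0]),
        ("rx allow-default, default via rx", urpf_check(FIB, "rx allow-default", gi, "168.1.1.1")[0]),
        ("rx, source behind another i/f", urpf_check(FIB, "rx", gi, "1.1.1.5")[0]),
        ("any, source behind another i/f", urpf_check(FIB, "any", gi, "1.1.1.5")[0]),
        ("rx, self-ping without option", urpf_check(FIB, "rx", gi, "192.1.1.254", LOCAL)[0]),
        ("rx, self-ping with option", urpf_check(FIB, "rx", gi, "192.1.1.254", LOCAL, True)[0]),
    ]


if __name__ == "__main__":
    for label, action in slide_scenarios():
        print(f"{label:36s} -> {action}")
```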
Part II (4H): Operating mid-range enterprise equipment
  1. Supervisor Engine RPR+ mode
  2. LACP / EtherChannel trunk configuration
  3. Environment
  4. Password recovery
  5. Configuration file backup
  6. Rate limit
II-1. Supervisor Engine RPR+ mode: default configuration

Catalyst6509#show run
Building configuration...
Current configuration : 21279 bytes
!
version 12.1
--- omitted ---
hostname Catalyst6509
boot system flash sup-bootflash:
boot system flash slavesup-bootflash:
boot system flash slot0:
enable password 7 121E0F41475B55
!
--- omitted ---
redundancy
 mode rpr-plus
 main-cpu
  auto-sync running-config
  auto-sync standard
!
II-1. Supervisor Engine RPR+ mode: Route Processor Redundancy Plus mode

Catalyst6509# show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    2  Catalyst 6000 supervisor 2 (Active)    WS-X6K-S2U-MSFC2   SAL0718CRQ2
  2    2  Catalyst 6000 supervisor 2 (Standby)   WS-X6K-S2U-MSFC2   SAL0718CRP9
  3   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL0719CX2Q
  4   24  24 port 100FX Single mode              WS-X6324-100FX-SM  SAL0719D46Y

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0008.7dc9.38d8 to 0008.7dc9.38d9   4.2   6.1(3)       7.5(0.6)HUB1 Ok
  2  0008.7dc9.38c8 to 0008.7dc9.38c9   4.2   6.1(3)       7.5(0.6)HUB1 Ok
  3  000c.ceb5.06c0 to 000c.ceb5.06cf   5.3   6.3(1)       7.5(0.6)HUB1 Ok
  4  000c.ce64.d018 to 000c.ce64.d02f   3.3   5.4(2)       7.5(0.6)HUB1 Ok

Mod Sub-Module                  Model           Serial          Hw     Status
--- --------------------------- --------------- --------------- ------- -------
  1 Policy Feature Card 2       WS-F6K-PFC2     SAL0719CSL5     3.3    Ok
  1 Cat6k MSFC 2 daughterboard  WS-F6K-MSFC2    SAL0718CE8R     2.5    Ok
  2 Policy Feature Card 2       WS-F6K-PFC2     SAL0719CSM4     3.3    Ok
  2 Cat6k MSFC 2 daughterboard  WS-F6K-MSFC2    SAL0719CS4D     2.5    Ok

Mod Online Diag Status
--- -------------------
  1 Pass
  2 Pass
  3 Pass
  4 Pass
II-1. Supervisor Engine RPR+ mode: Supervisor Engine architecture

MSFC2: the Multilayer Switch Feature Card (MSFC) is an optional daughter card which is an IOS-based routing engine.
PFC2: the Policy Feature Card (PFC) is a daughter card which is an ASIC complex for hardware-based forwarding and features.
The Supervisor itself contains the baseboard, backplane connections, Sup DRAM/Flash, and the Switch Processor.
II-1. Supervisor Engine RPR+ mode: Supervisor components
(Figure; labelled parts: DRAM (Sup.E.), Flash (Sup.E.) located on the bottom PCB (Supervisor Engine), power supply, processor, DRAM (MSFC), Flash (MSFC), heatsink, ASIC, TCAM, static RAM memory.)
II-1. Supervisor Engine RPR+ mode: Route Processor Redundancy Plus mode

Primary (Active) / Secondary (Standby)

RPR+ mode start-up
Press RETURN to get started!
00:00:08: %OIR-SP-STDBY-6-CONSOLE: Changing console ownership to route processor
--- omitted ---
00:00:48: %PFREDUN-SP-STDBY-6-STANDBY: Initializing for RPR-PLUS mode
--- omitted ---
00:02:17: %PFREDUN-SP-STDBY-6-STANDBY: Ready for RPR-PLUS mode
Catalyst6509>

Synchronization
Catalyst6509#write
Building configuration...
00:51:38: %SYS-5-CONFIG_I: Configured from console by console[ok]
C6509_KJ#
00:51:42: %PFINIT-SP-5-CONFIG_SYNC: Sync'ing the startup configuration to the standby Router
II-1. Supervisor Engine RPR+ mode: verifying RPR+ mode

Catalyst6509#show redundancy states
       my state = 13 -ACTIVE
     peer state = 8  -STANDBY HOT
           Mode = Duplex
           Unit = Primary
        Unit ID = 1

Redundancy Mode (Operational) = Route Processor Redundancy Plus
Redundancy Mode (Configured)  = Route Processor Redundancy Plus
     Split Mode = Disabled
   Manual Swact = Enabled
 Communications = Up

   client count = 11
 client_notification_tmr = 30000 milliseconds
          keep_alive TMR = 9000 milliseconds
        keep_alive count = 0
    keep_alive threshold = 18
           RF debug mask = 0x0
II-2. LACP / EtherChannel (trunk) configuration: LACP (Link Aggregation Control Protocol, IEEE 802.3ad)

(Figure: ports G3/10 to G3/12 bundled with LACP.)

LACP configuration
C6509# config terminal
C6509(config)# interface range Giga 3/10-12
C6509(config-if-range)# no shutdown
C6509(config-if-range)# channel-group 1 mode active
C6509(config-if-range)# channel-protocol lacp
C6509# config terminal
C6509(config)# interface Port-channel 1
C6509(config-if)# no shutdown
C6509(config-if)# ip address 30.1.1.1 255.255.255.252
C6509(config-if)# exit
C6509(config)# port-channel load-balance src-dst-ip
C6509(config)# end

Resulting configuration
interface Port-channel1
 ip address 200.200.1.1 255.255.255.0
!
--- omitted ---
interface GigabitEthernet3/10
 no ip address
 speed nonegotiate
 channel-group 1 mode active
 channel-protocol lacp
!
interface GigabitEthernet3/11
 no ip address
 speed nonegotiate
 channel-group 1 mode active
 channel-protocol lacp
II-2. LACP / EtherChannel (trunk) configuration: IEEE 802.3ad Link Aggregation

Link Aggregation applies to the MAC layer, which is a sub-component of the Data Link layer. It is used to bind together physical ports to represent a single logical port.
(Figure: the OSI stack (Application, Presentation, Session, Transport, Network, Data Link (LLC/MAC), Physical) beside the 802.3ad model: Higher Layers (MAC Client) above the Link Aggregation Sublayer, which sits over several MAC Control (optional) / MAC / Physical instances.)
II-2. LACP / EtherChannel (trunk) configuration: use on the KT Express service (Cat6509 to V61xx)

(Figure: Cat6509 Port-Channel 10, 30.1.1.1/30, made of link #1 fa4/17 and link #2 fa4/18, towards the V61xx with "lacp aggregator add 0", 30.1.1.2/30 (br1).)

Cat6509-side configuration
Cat6509(config)#int r fa4/17-18
Cat6509(config-if-range)#channel-group 10 mode on
Creating a port-channel interface Port-channel 10
Cat6509(config-if-range)#channel-protocol pagp
Cat6509(config-if-range)#end
Cat6509(config)# int port-channel 10
Cat6509(config-if)#ip add 30.1.1.1 255.255.255.252
Cat6509(config-if)#duplex full
Cat6509(config-if)#end
Router#show run int port-channel 10
Building configuration...
Current configuration : 82 bytes
interface Port-channel10
 ip address 30.1.1.1 255.255.255.252
 duplex full
end
Cat6509(config)#port-channel load-balance src-dst-ip
II-2. LACP / EtherChannel (trunk) configuration: V61xx-side configuration

V6124(bridge)#set lacp system interface br1
V6124(bridge)#set lacp aggregator add 0
V6124(bridge)#set lacp port add 1-2
V6124(bridge)#set lacp port mode 1-2 active

V6124# show lacp aggregator
AGGR PRIORITY           MEMBER       PARTNER
---- ------------------ ------------ ----
0    0x8000.00D0CB0A8BDE 000C860EA000 1(o)-2(o)

V6124# show lacp port
PORT AGGR KEY ACTIVITY PARTNER ENABLE
---- ---- --- -------- ------- ------
01   0    1   ACTIVE   273     ENABLE
02   0    1   ACTIVE   274     ENABLE

V6124# show lacp aggregator 0
Aggregator eth19
 Id : 1  Individual: FALSE  ready : TRUE
 actor info
  mac : 00D0CB0A8BDE  admin : 0x1000  oper : 0x100A  priority : 0x8000
 partner info
  mac : 000C860EA000  oper : 0x12  priority : 0x8000
 Aggregator Member list
  member # : 2  1(o)-2(o)
II-2. LACP / EtherChannel (trunk) configuration: V6124 running configuration

V6124# show run
Building configuration...
Current configuration:
hostname V6124
!
bridge
!
set vlan pvid 1-8 1
set vlan pvid 9-10 9
!
set vlan create br1
set vlan create br9
!
set vlan add br1 1-8 untagged
set vlan add br9 9-10 untagged
!
set lacp system interface br1
!
set lacp aggregator add 0
!
set lacp port add 1-2
!
!
interface no shutdown lo
!
interface no shutdown br1
!
interface no shutdown br9
!
interface br1
 ip address 30.1.1.2/30
!
interface br9
 ip address 20.1.1.2/30
!
ip route 0.0.0.0/0 30.1.1.1
!
qos
!
no snmp
!
II-2. LACP / EtherChannel (trunk) configuration: verifying the Cat6509 configuration

Catalyst6509#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  77.5.40.57      YES TFTP   up                    up
GigabitEthernet1/1     unassigned      YES TFTP   up                    down
--- omitted ---
FastEthernet4/23       unassigned      YES TFTP   administratively down down
FastEthernet4/24       unassigned      YES TFTP   administratively down down
Port-channel10         30.1.1.1        YES unset  up                    up
Loopback0              7.7.7.7         YES TFTP   up                    up

Verifying load balancing
V6124# ping 30.1.1.1
PING 30.1.1.1 (30.1.1.1) from 18.1.1.2 : 56(84) bytes of data.
64 bytes from 30.1.1.1: icmp_seq=0 ttl=254 time=1.2 ms
64 bytes from 30.1.1.1: icmp_seq=1 ttl=254 time=0.4 ms
---- omitted ---
64 bytes from 30.1.1.1: icmp_seq=17 ttl=254 time=18.9 ms
64 bytes from 30.1.1.1: icmp_seq=18 ttl=254 time=0.6 ms
64 bytes from 30.1.1.1: icmp_seq=19 ttl=254 time=0.3 ms
---- omitted ---
64 bytes from 30.1.1.1: icmp_seq=59 ttl=254 time=0.3 ms
64 bytes from 30.1.1.1: icmp_seq=60 ttl=254 time=0.3 ms
64 bytes from 30.1.1.1: icmp_seq=61 ttl=254 time=0.3 ms
--- 30.1.1.1 ping statistics ---
62 packets transmitted, 61 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.6/18.9 ms

When the cable of interface #2 was removed during the ping, communication was not interrupted.
II-3. Environment: air flow
(Figure: chassis air-flow diagram.)
II-3. Environment: checking internal temperatures

Catalyst6509#show env status
backplane:
  operating clock count: 2
  operating VTT count: 3
fan-tray 1:
  fan-tray 1 fan-fail: OK
VTT 1:
  VTT 1 OK: OK
  VTT 1 outlet temperature: 33C
VTT 2:
  VTT 2 OK: OK
  VTT 2 outlet temperature: 33C
VTT 3:
  VTT 3 OK: OK
  VTT 3 outlet temperature: 34C
clock 1:
  clock 1 OK: OK, clock 1 clock-inuse: in-use
clock 2:
  clock 2 OK: OK, clock 2 clock-inuse: not-in-use
power-supply 1:
  power-supply 1 fan-fail: OK
  power-supply 1 power-output-fail: OK
power-supply 2:
  power-supply 2 fan-fail: OK
  power-supply 2 power-output-fail: OK
module 1:
  module 1 power-output-fail: OK
  module 1 outlet temperature: 29C
  module 1 device-2 temperature: 39C
  RP 1 outlet temperature: 38C
  RP 1 inlet temperature: 37C
  EARL 1 outlet temperature: 36C
  EARL 1 inlet temperature: 28C
module 2:
  module 2 power-output-fail: OK
  module 2 outlet temperature: 28C
  module 2 device-2 temperature: 37C
  EARL 2 outlet temperature: 35C
  EARL 2 inlet temperature: 28C
module 3:
  module 3 power-output-fail: OK
  module 3 outlet temperature: 44C
  module 3 inlet temperature: 27C
module 4:
  module 4 power-output-fail: OK
  module 4 outlet temperature: 31C
  module 4 inlet temperature: 31C
module 5:
  module 5 power-output-fail: OK
  module 5 outlet temperature: 30C
  module 5 inlet temperature: 30C
II-3. Environment: operational precautions

Current situation: the C6509 is usually operated in a rack that is closed on all four sides.

Recommendations:
  o Keep the equipment room at a suitable temperature and ventilate it well.
  o Open the rack doors to remove obstacles to air flow.
  o Keep temperatures below the thresholds configured on the device, and monitor them.

Temperature-related system impact: when a module exceeds its predefined threshold, an alarm is raised.
  Threshold #1 exceeded: minor alarm
  Threshold #2 exceeded: major alarm
II-3. Environment: threshold values per module

Catalyst6509#show env alarm thresholds
environmental alarm thresholds:
power-supply 1 fan-fail: OK
  threshold #1 for power-supply 1 fan-fail:
    (sensor value != 0) is system minor alarm
power-supply 1 power-output-fail: OK
  threshold #1 for power-supply 1 power-output-fail:
    (sensor value != 0) is system minor alarm
--- omitted ---
module 2 power-output-fail: OK
  threshold #1 for module 2 power-output-fail:
    (sensor value != 0) is system minor alarm
module 2 outlet temperature: 28C
  threshold #1 for module 2 outlet temperature:
    (sensor value >= 50) is system minor alarm
  threshold #2 for module 2 outlet temperature:
    (sensor value >= 65) is system major alarm
module 2 device-2 temperature: 37C
  threshold #1 for module 2 device-2 temperature:
    (sensor value >= 60) is system minor alarm
  threshold #2 for module 2 device-2 temperature:
    (sensor value >= 75) is system major alarm
--- remainder omitted ---
II-3. Environment: case 1

Cause
00:19:16: %C6KENV-SP-4-MINORTEMPALARM: RP 2/0 inlet temperature threshold 1 has exceeded normal operating temperature range.
00:19:16: %C6KENV-SP-4-MINORTEMPALARM: RP 1/0 inlet temperature threshold 1 has exceeded normal operating temperature range.

Symptom
Catalyst6509#show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    2  Catalyst 6000 supervisor 2 (Active)    WS-X6K-S2U-MSFC2   SAL0718CQ39
  2    2  Catalyst 6000 supervisor 2 (Standby)   WS-X6K-S2U-MSFC2   SAL0718CRQ1
  3   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL0719CU7E
  4   16  SFM-capable 16 port 1000mb GBIC        WS-X6516-GBIC      SAL0719CX2L

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0009.1245.feec to 0009.1245.feed   4.2   6.1(3)       7.5(0.6)HUB9 MinFail
  2  0009.1245.ff1c to 0009.1245.ff1d   4.2   6.1(3)       7.5(0.6)HUB9 MinFail
  3  000c.ceb5.0620 to 000c.ceb5.062f   5.3   6.3(1)       7.5(0.6)HUB9 Ok
  4  000c.ceb5.0970 to 000c.ceb5.097f   5.3   6.3(1)       7.5(0.6)HUB9 Ok
II-3. Environment: case 1 (continued)

Mod Sub-Module                  Model           Serial          Hw     Status
--- --------------------------- --------------- --------------- ------- -------
  1 Policy Feature Card 2       WS-F6K-PFC2     SAL0719CSM5     3.3    MinFail
  1 Cat6k MSFC 2 daughterboard  WS-F6K-MSFC2    SAL0719CS2V     2.5    MinFail
  2 Policy Feature Card 2       WS-F6K-PFC2     SAL0719CSK9     3.3    MinFail
  2 Cat6k MSFC 2 daughterboard  WS-F6K-MSFC2    SAL0719CS5S     2.5    MinFail

Mod Online Diag Status
--- -------------------
  1 Pass
  2 Pass
  3 Pass
  4 Pass
II-3. Environment: case 2

Cause
23:01:07 %C6KENV-SP-STDBY-4-MINORTEMPALARM: VTT 1 outlet temperature threshold 1 has exceeded normal operating temperature range.
23:01:08 %C6KENV-SP-STDBY-2-MAJORTEMPALARM: VTT 1 outlet temperature threshold 2 has exceeded allowed operating temperature range.
23:01:08 %C6KENV-SP-STDBY-2-SHUTDOWN_SCHEDULED: shutdown for VTT1 scheduled in 60seconds
23:02:07 %C6KENV-SP-STDBY-2-SHUTDOWN: shutdown VTT 1 now because of outlet temperature.

Symptom
Jun 01 10:37:24: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
Jun 01 10:37:19: %CPU_MONITOR-6-NOT_HEARD: CPU_MONITOR messages have not been heard for 150 seconds [1/1]
Jun 01 10:37:20: %RPC-2-FAILED: Failed to send RPC request c6k_sp_environmental:env_get_sensor_value_sp -Traceback= 4041C118 40416AFC 408A0830 408A43EC 40B3ACA4 408A0B5C 4041C610 4041C518 4033E4A4 4033E7C0 40255ADC 40255AC8
Jun 01 10:37:25: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
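Cases 1 and 2 show the escalation path of %C6KENV messages: minor alarm, major alarm, scheduled shutdown, shutdown. The following added example (not from the original training material) parses syslog lines of that shape and reports the worst stage reached per component, so that a monitoring job can alert before the shutdown step; the log lines are constructed after the two cases.

```python
"""Parse %C6KENV temperature syslog messages of the kind shown in cases 1
and 2 and report the worst stage reached per component (minor alarm ->
major alarm -> shutdown scheduled -> shutdown). Added example, not from
the original page; the log lines are constructed after the slides."""
import re

# Constructed sample log, modelled on the case-1 and case-2 slides
SAMPLE_LOG = """\
00:19:16: %C6KENV-SP-4-MINORTEMPALARM: RP 1/0 inlet temperature threshold 1 has exceeded normal operating temperature range.
23:01:07: %C6KENV-SP-STDBY-4-MINORTEMPALARM: VTT 1 outlet temperature threshold 1 has exceeded normal operating temperature range.
23:01:08: %C6KENV-SP-STDBY-2-MAJORTEMPALARM: VTT 1 outlet temperature threshold 2 has exceeded allowed operating temperature range.
23:01:08: %C6KENV-SP-STDBY-2-SHUTDOWN_SCHEDULED: shutdown for VTT1 scheduled in 60seconds
23:02:07: %C6KENV-SP-STDBY-2-SHUTDOWN: shutdown VTT 1 now because of outlet temperature.
23:05:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet4/16, changed state to down
"""

HEADER = re.compile(r"%C6KENV-(?P<src>SP(?:-STDBY)?)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)")
TEMPALARM = re.compile(r"^(?P<sensor>.+?) threshold (?P<n>\d) has exceeded")
SCHEDULED = re.compile(r"^shutdown for (?P<sensor>\S+) scheduled in (?P<secs>\d+)\s*seconds")
SHUTDOWN = re.compile(r"^shutdown (?P<sensor>.+?) now because of")

STAGE_RANK = {"minor": 1, "major": 2, "shutdown_scheduled": 3, "shutdown": 4}


def component_key(sensor):
    """'VTT 1 outlet temperature', 'VTT1' and 'VTT 1' all map to 'VTT1'."""
    base = re.sub(r"\b(inlet|outlet|device-\d+) temperature\b", "", sensor)
    return re.sub(r"\s+", "", base).upper()


def parse_env_events(text):
    """Return one dict per %C6KENV temperature message; other messages are skipped."""
    events = []
    for line in text.splitlines():
        h = HEADER.search(line)
        if not h:
            continue
        mnemonic, msg = h["mnemonic"], h["msg"]
        if mnemonic in ("MINORTEMPALARM", "MAJORTEMPALARM"):
            m = TEMPALARM.match(msg)
            if m:
                stage = "minor" if mnemonic.startswith("MINOR") else "major"
                events.append({"stage": stage, "component": component_key(m["sensor"]),
                               "threshold": int(m["n"]), "source": h["src"]})
        elif mnemonic == "SHUTDOWN_SCHEDULED":
            m = SCHEDULED.match(msg)
            if m:
                events.append({"stage": "shutdown_scheduled", "component": component_key(m["sensor"]),
                               "seconds": int(m["secs"]), "source": h["src"]})
        elif mnemonic == "SHUTDOWN":
            m = SHUTDOWN.match(msg)
            if m:
                events.append({"stage": "shutdown", "component": component_key(m["sensor"]),
                               "source": h["src"]})
    return events


def worst_stage(events):
    """Map component -> highest stage seen (page on 'major' or worse)."""
    worst = {}
    for e in events:
        c = e["component"]
        if c not in worst or STAGE_RANK[e["stage"]] > STAGE_RANK[worst[c]]:
            worst[c] = e["stage"]
    return worst


if __name__ == "__main__":
    for comp, stage in worst_stage(parse_env_events(SAMPLE_LOG)).items():
        print(f"{comp}: {stage}")
```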
II-3. Environment: temperature rise test

Test conditions
  Before measurement: the rack holding the C6509 had its doors closed on all four sides (the same as field operating conditions).
  During measurement: the front and rear doors were opened and temperatures were measured (a thermometer inside the rack, and the "show env temperature all" command for the device's internal sensors).

Test results, rack (figure)
Test results, equipment (figure)
II-4. Password Recovery: overview and recovery procedure

Precautions
  After changing the password or any other configuration, always save.
  Understanding the boot process of the Cat6509 Supervisor Engine is required:
  - The Cat6509 is a multilayer switch.
  - On the Cat6500, image decompression happens twice during boot (SP, then RP).
  - All configuration and operation of the device is governed by the RP (= MSFC, Route Processor), so the password change must be performed on the RP only.

Procedure
  1. Connect the console / access the CLI
  2. Reboot the device (cold)
  3. Change the config-register value in rom-monitor
  4. Reboot (warm)
  5. Change the password and restore the configuration from the CLI
  6. Change the config-register value back and save
  7. Reload
II-4. Password Recovery: Supervisor Engine architecture, distinguishing SP and RP
(Same figure as in II-1: the MSFC2 is the optional IOS-based routing engine daughter card, i.e. the Route Processor; the PFC2 is the ASIC complex for hardware-based forwarding and features; the Supervisor baseboard itself carries the backplane connections, Sup DRAM/Flash, and the Switch Processor.)
II-4. Password Recovery: accessing rom-monitor

Precaution
  Send the break signal after the SP (switch processor) has booted and before the RP (route processor) starts; this reaches the rom-monitor of the RP.

How to tell whether the SP or the RP is booting
  When the SP starts, the following message is printed before the image decompression:
  00:03:26: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor
  When the RP starts, the following message is printed after the SP image decompression:
  00:00:03: %OIR-6-CONSOLE: Changing console ownership to route processor
II-4. Password Recovery: sending the break

1. Confirm that the RP is ready, as shown above.
2. Send the terminal's own break signal (recommended), or press Control+Break directly (HyperTerminal).
3. Repeat several times until the rommon1> prompt appears.
II-4. Password Recovery: changing the config-register value

Command: confreg 0x2142

Of the 16 bits, bit 6 decides the third hex digit: 0 gives 0x0 and 1 gives 0x4, so the whole value is 0x2102 or 0x2142. With bit 6 set, NVRAM is not read during boot, so the startup-config stored in it is not consulted.

Bit 6 value
  0 (binary): use NVRAM (= 0x0)
  1 (binary): ignore NVRAM (= 0x4)
Boot field
  0x0: stays at the bootstrap prompt
  0x1: boot from ROM
  0x2-0xF: boot from flash or network
II-4. Password Recovery: rebooting
(Screenshot of the reboot.)
II-4. Password Recovery: changing the password, restoring and saving the configuration

Confirm that the device boots with a blank configuration:
         --- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: n
Press RETURN to get started!
00:01:57: RP: Currently running ROMMON from S (Gold) region
00:02:13: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) c6sup2_rp Software (c6sup2_rp-pk2s-m), Version 12.1(13)E8, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
----- omitted -----
Router>
Router>en
Router#
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) c6sup2_rp Software (c6sup2_rp-pk2s-m), Version 12.1(13)E8, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
--- omitted ---
System image file is "sup-bootflash:c6sup22-pk2s-mz.121-13.e8.bin"
--- omitted ---
Configuration register is 0x2142
II-4. Password Recovery: restoring the configuration

Router#dir nvram:
Directory of nvram:/
    1  -rw-        5420                    <no date>  startup-config
    2  ----           5                    <no date>  private-config
    3  -rw-        5420                    <no date>  underlying-config
391160 bytes total (385683 bytes free)
Router#
Router# copy start running-config
Destination filename [running-config]?
5552 bytes copied in 1.784 secs (3112 bytes/sec)
Cat6509#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cat6509(config)# enable secret kt_6509
Cat6509(config)# end
Cat6509#
II-4. Password Recovery: changing the config-register back and saving

Cat6509(config)# config-register 0x2102
Cat6509(config)#end
Cat6509# show version
--- omitted ---
Configuration register is 0x2142 (will be 0x2102 at next reload)
Cat6509#write
Building configuration...
[OK]
Cat6509#

Verification after rebooting
Cat6509>en
Password:
Cat6509#
Cat6509#show version
----- omitted -----
Configuration register is 0x2102
II-5. Configuration Backup

Checking the stored config files
Catalyst6509#dir system:
Directory of system:/
    2  dr-x           0                    <no date>  memory
    1  -rw-        3021                    <no date>  running-config
   11  dr-x           0                    <no date>  vfiles
No space information available

Catalyst6509#dir nvram:
Directory of nvram:/
    1  -rw-        3021                    <no date>  startup-config
    2  ----           0                    <no date>  private-config
    3  -rw-           0                    <no date>  underlying-config
391160 bytes total (388087 bytes free)

Backup
Catalyst6509#copy running-config slot0:
Destination filename [running-config]? backup_20040628
3021 bytes copied in 0.428 secs (7058 bytes/sec)
Catalyst6509# show slot0:
-#- ED ----type---- --crc--- -seek-- nlen -length- -----date/time------ name
1   .. unknown      AA27D007 11B0234   29 18416052 Jun 18 2004 05:28:42 c6sup22-pk2s-mz.121-13.e8.bin
2   .. unknown      B597155E 134D8A4   25  1693168 Jun 18 2004 05:36:59 c6msfc2-boot-mz.121-8a.ex
3   .. config       3AC94BEF 134E4F4   14     3021 Jun 28 2004 11:05:49 backup_20040628

Restoring from the backed-up config file
Catalyst6509#copy slot0:backup_20040628 running-config
II-6. Rate Limit: overview

Purpose of rate limiting
  Allocate bandwidth appropriate to each company's usage on the enterprise solutions KT provides.
  Use the limited uplink bandwidth efficiently.

Characteristics of outgoing traffic
  Traffic generated by subscribers (towards the web).
  Source address: fixed (the end user).
  Destination address: an unspecified set of Internet destinations.
  An ACL is created per subscriber network to classify by source address (rate limit applied per subscriber bandwidth allocation).

Characteristics of incoming traffic
  Traffic generated by an unspecified set of Internet networks (towards the user).
  Source address: unspecified.
  Destination address: fixed (the end user).
  An ACL is created per subscriber network to classify by destination address (rate limit applied per subscriber bandwidth allocation).
II-6. Rate Limit: token bucket rate limiting algorithm, overview

  Burst traffic is shaped.
  Tokens are used to regulate traffic.
  Traffic is flow-controlled according to whether tokens are available.
  Improves on the leaky bucket algorithm, which cannot handle large bursts.
  Like a toll highway: you may enter only after paying the toll.
II-6. Rate Limit: token bucket rate limiting algorithm, the Cisco case

(Figure: the token bucket depth is the CIR/PIR normal burst size.)
  R token = Rate / 4000; 4000 is a time interval fixed by Cisco. The user cannot modify the interval.
  A number of tokens equal to the packet size is removed from the bucket.

When providing service with rate-limit policing, adjusting the burst size reduces the number of packets dropped because of congestion, which protects the application's throughput and quality.
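The two token bucket slides above describe the PFC policer in words: refill 4000 times per second, bucket capped at the burst size, a packet conforms only if enough tokens are present. The following added example (not from the original material) simulates that policer on constructed traffic and shows the effect the slide describes: the same short burst is mostly dropped with a small burst size and fully admitted with a larger one, while a sustained overload is held to roughly the CIR either way.

```python
"""Token-bucket policer modelled on the PFC behaviour described on the
Rate Limit slides: tokens are refilled 4000 times per second (interval
fixed by Cisco), each refill adds Rate/4000, the bucket is capped at the
normal burst size, and a packet conforms only if the bucket holds at least
its length in bytes. Added example, not from the original page; packet
timings are constructed."""


class TokenBucketPolicer:
    INTERVALS_PER_SEC = 4000                        # fixed by Cisco, not tunable
    INTERVAL_US = 1_000_000 // INTERVALS_PER_SEC    # 250 microseconds

    def __init__(self, rate_bps, burst_bytes):
        self.refill_per_tick = rate_bps / 8 / self.INTERVALS_PER_SEC  # bytes per tick
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)            # bucket starts full
        self.last_tick = 0

    def offer(self, t_us, length):
        """Police one packet of `length` bytes arriving at time t_us (microseconds)."""
        tick = t_us // self.INTERVAL_US
        elapsed = tick - self.last_tick
        if elapsed > 0:
            self.tokens = min(self.burst, self.tokens + elapsed * self.refill_per_tick)
            self.last_tick = tick
        if length <= self.tokens:
            self.tokens -= length                   # tokens equal to packet size removed
            return "conform"
        return "exceed"                             # PFC policer drops or marks down


def police(rate_bps, burst_bytes, packets):
    """packets: iterable of (t_us, length). Returns (conform, exceed) counts."""
    p = TokenBucketPolicer(rate_bps, burst_bytes)
    verdicts = [p.offer(t, n) for t, n in packets]
    return verdicts.count("conform"), verdicts.count("exceed")


# Constructed traffic: a 1 Mbps subscriber sends 20 x 1500-byte packets
# 100 us apart (30 kB in 2 ms), then stays idle. Its one-second average is
# far below CIR, but whether the burst passes depends on the burst size.
CIR_1M = 1_000_000
BURST_20PKT = [(i * 100, 1500) for i in range(20)]


def burst_result(burst_bytes):
    """Verdict counts for the 20-packet burst against a 1 Mbps CIR."""
    return police(CIR_1M, burst_bytes, BURST_20PKT)


def sustained_result(burst_bytes, seconds=0.02):
    """1500-byte packets at 100 us spacing (120 Mbps offered) against 1 Mbps CIR:
    only the initial bucket plus CIR * seconds worth of bytes can conform."""
    pkts = [(i * 100, 1500) for i in range(int(seconds * 10_000))]
    return police(CIR_1M, burst_bytes, pkts)


if __name__ == "__main__":
    print("burst 8000 B :", burst_result(8000))      # most of the burst exceeds
    print("burst 32000 B:", burst_result(32000))     # the whole burst conforms
    print("sustained overload, burst 32000 B:", sustained_result(32000))
```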
II-6. Rate Limit: definition of terms

  Outgoing traffic: from the subscriber's point of view, traffic generated by the subscriber and flowing out to the Internet.
  Incoming traffic: traffic flowing from the Internet to the subscriber.
  Inbound traffic: from a port's point of view, traffic entering the port.
(Figure: Internet - Cat.6509 - subscriber terminal.)
II-6. Rate Limit: diagram of rate limiting

(Figure: the Cat.6509 with uplink port gi 3/1 and subscriber ports fa 4/1 and fa 4/2. Subscriber A's network has a 1M rate limit, subscriber B's 5M, subscriber C's 10M.)
  Incoming traffic is policed on uplink port gi 3/1; only the inbound part of the incoming traffic has the rate limit applied.
  Outgoing traffic is policed on subscriber ports fa 4/1 and 4/2; only the inbound part of the outgoing traffic has the rate limit applied.
II-6. Rate Limit: Configuration Steps
1. QoS enable: enable the QoS feature required for rate limiting
2. Write ACLs: the step that separates traffic per subscriber; configure an access-list per subscriber
3. Write class-maps: bind the configured ACLs to class-maps separated by speed
4. Write policy-maps: the PFC policer applies a policy such as drop or mark down to inbound packets; apply police to each separated class-map, setting the rate limit per class-map inside the policy-map
5. Apply to the interface: enable the defined policy on the interface where it should actually take effect
II-6. Rate Limit Configuration Guide: Enabling PFC QoS Globally
QoS must be enabled before any QoS feature can be applied.
Configuration command
Cat6509#configure terminal
Cat6509(config)#mls qos
Cat6509(config)#end
Verification command
Cat6509#show mls qos
II-6. Rate Limit Configuration Guide: Writing ACLs, 1
- Create an ACL for each subscriber network, per speed
- Use extended ACL numbers
- In the ACL for outgoing traffic, the source IP is the subscriber network and the destination IP is any (unspecified)
- In the ACL for incoming traffic, the source IP is any (unspecified) and the destination IP is the subscriber network
Caution
- A separate ACL must be configured for every subscriber so that each subscriber's traffic can be distinguished
- For the same subscriber, the incoming and outgoing ACL numbers must be identical
II-6. Rate Limit Configuration Guide: Writing ACLs, 2
Example: a company named KTF uses the network 192.1.1.0/24
Configuration command
Cat6509#configure terminal
Cat6509(config)#access-list 2001 permit ip 192.1.1.0 0.0.0.255 any
  ACL for subscriber traffic going to the upstream network (traffic whose destination is not fixed): extended number 2001, permits source network 192.1.1.0/24 regardless of destination address
Cat6509(config)#access-list 2001 permit ip any 192.1.1.0 0.0.0.255
  ACL for upstream traffic going to the subscriber (traffic whose source is not fixed): extended number 2001, any source, only the subscriber network as destination
Cat6509(config)#end
Verification command
Cat6509#show ip access-list
II-6. Rate Limit Configuration Guide: Writing Class-maps, 1
- Write class-maps that group the configured ACLs by speed
- The PFC policer inside the Supervisor Engine applies the police action (drop or mark down) to the actual incoming packets
- Give class-maps readable names
  Example: class-map KTF_2001_1M -> company KTF, access-list 2001, speed 1M
II-6. Rate Limit Configuration Guide: Writing Class-maps, 2
Configuring a class-map to provide 1M service to the company KTF
Configuration command
Cat6509#configure terminal
Cat6509(config)#class-map KTF_2001_1M
  Classifies the 1M speed for the company KTF by means of ACL 2001 configured for it
Cat6509(config-cmap)#match access-group 2001
  Specify the access-group at the prompt of the class-map just created
Verification command
Cat6509#show class-map KTF_2001_1M
II-6. Rate Limit Configuration Guide: Writing Policy-maps, 1
- The configuration that actually limits the rate per traffic class
- Only one policy-map can be applied to an interface
- The one policy-map applied to an interface can contain several different class-maps
- By using several class-maps in one policy-map, a different rate limit is applied to each class-map
- Give policy-maps readable names
Burst size formula (see attachment 1)
  Burst Size = (Rate * 1.5 / 8 bits)
  Example: burst size for a 2M rate limit = 2000000 * 1.5 / 8 = 375000 bytes
II-6. Rate Limit Configuration Guide: Writing Policy-maps, 2
Configuration command
Cat6509#configure terminal
Cat6509(config)#policy-map From_User_To_Internet
  Name the policy-map so that the traffic direction, subscriber to Internet, is apparent
Cat6509(config-pmap)#class KTF_2001_1M
  Reference the previously configured class-map KTF_2001_1M in the policy-map
Cat6509(config-pmap-c)#police 1000000 187500 187500 conform-action transmit exceed-action drop
  Rate 1000000 bps, burst size 187500; traffic that exceeds it is dropped
Cat6509(config-pmap-c)#end
Cat6509#
Verification command
Cat6509#show policy-map From_User_To_Internet
II-6. Rate Limit Configuration Guide: Applying to the Interface
Apply the rate-limit policy to the subscriber-facing port so that the configured policing actually takes effect
Configuration command
Cat6509#configure terminal
Cat6509(config)#interface fa 4/1
Cat6509(config-if)#service-policy input From_User_To_Internet
  Attach the previously configured policy From_User_To_Internet to provide the rate limit
Cat6509(config-if)#end
Cat6509#
Verification command
Cat6509#show run interface fa 4/1
II-6. Rate Limit: Constraints
- Can be applied to inbound traffic only
  - Configure the outgoing-traffic rate limit on the subscriber port
  - Configure the incoming-traffic rate limit on the uplink port
(Diagram: Backbone (Internet) - Catalyst 6509 - subscriber switches 6124 and 6108; the incoming-traffic limit is placed at the uplink and the outgoing-traffic limit at the subscriber side; example subscriber networks 192.1.1.0/24 at 10M and 192.2.2.0/24 at 5M)
- Extended access-list types
  - 100-199: used when applying packet filtering
  - 2000-2699: used when applying rate limits
  There is no restriction on which access-list numbers are used, but separating them by purpose makes management easier
Note: the outgoing/incoming traffic directions in this document are described from the viewpoint of the subscriber's network equipment.
II-6. Rate Limit: Constraints (continued)
When applying the same rate limit to multiple subscribers, the ACL and class-map must still be created separately for each subscriber even though the speed is the same.
If one ACL is configured for multiple subscribers, all of those subscribers fall under a single rate-limit configuration.
Example: if three different subscribers are all given 1M and are configured in a single ACL, the three subscribers end up sharing 1M of bandwidth.
II-6. Rate Limit: Burst Size Table for Representative Speeds
Burst Size = (Rate * 1.5 / 8 bits)

Speed   Burst Size   Configuration Command
1M      187500       police 1000000 187500 187500 conform-action transmit exceed-action drop
2M      375000       police 2000000 375000 375000 conform-action transmit exceed-action drop
3M      562500       police 3000000 562500 562500 conform-action transmit exceed-action drop
4M      750000       police 4000000 750000 750000 conform-action transmit exceed-action drop
5M      937500       police 5000000 937500 937500 conform-action transmit exceed-action drop
10M     1875000      police 10000000 1875000 1875000 conform-action transmit exceed-action drop
20M     3750000      police 20000000 3750000 3750000 conform-action transmit exceed-action drop
30M     5625000      police 30000000 5625000 5625000 conform-action transmit exceed-action drop
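A generator that turns a subscriber list into the command sequence of the configuration steps above (QoS enable, ACL, class-map, policy-map, service-policy), computes the burst column of this table with the deck's formula, and enforces the "Constraints" slides before emitting anything. This is an added example, not KT's or Cisco's own tooling. Assumptions: subscriber-port policy-maps are named per port rather than per company (the Case 3 note recommends a common naming scheme because several subscribers may share one port), the uplink policy-map is called From_Internet_To_User as in the provisioning cases, and rate-limit ACL numbers must fall in 2000-2699 as the deck reserves that range.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

RATE_LIMIT_ACLS = range(2000, 2700)   # extended ACL range the deck reserves for rate limiting
UPLINK_POLICY = "From_Internet_To_User"


@dataclass(frozen=True)
class Subscriber:
    name: str        # company name, e.g. "KTF"
    network: str     # subscriber prefix in CIDR, e.g. "10.1.1.0/24"
    acl: int         # extended ACL number, unique per subscriber
    rate_bps: int    # committed rate in bits per second
    port: str        # subscriber-facing port, e.g. "fastethernet 4/1"


def burst_size(rate_bps: int) -> int:
    """Deck formula: Burst Size = Rate * 1.5 / 8 (bytes)."""
    return int(rate_bps * 1.5 / 8)


def class_name(sub: Subscriber) -> str:
    """Readable class-map name in the deck's <company>_<acl>_<speed>M style."""
    return f"{sub.name}_{sub.acl}_{sub.rate_bps // 1_000_000}M"


def port_policy(port: str) -> str:
    """Per-port policy-map name (assumption): From_User_To_Internet_<port>."""
    return "From_User_To_Internet_" + port.replace(" ", "").replace("/", "_")


def validate(subs: List[Subscriber]) -> None:
    """Reject the configurations the deck warns about before any command is generated."""
    seen_acl: Dict[int, str] = {}
    for sub in subs:
        if sub.acl not in RATE_LIMIT_ACLS:
            raise ValueError(f"{sub.name}: ACL {sub.acl} is outside the rate-limit range 2000-2699")
        # One ACL shared by several subscribers makes them share a single rate limit.
        if sub.acl in seen_acl and seen_acl[sub.acl] != sub.name:
            raise ValueError(f"ACL {sub.acl} is used by both {seen_acl[sub.acl]} and {sub.name}")
        seen_acl[sub.acl] = sub.name
        # strict=True rejects host addresses such as 10.1.1.5/24 (a typo, not a network).
        ipaddress.ip_network(sub.network, strict=True)
    names = [class_name(s) for s in subs]
    if len(set(names)) != len(names):
        raise ValueError("class-map names must be unique")


def acl_lines(sub: Subscriber) -> List[str]:
    net = ipaddress.ip_network(sub.network, strict=True)
    addr, wildcard = str(net.network_address), str(net.hostmask)
    return [
        f"access-list {sub.acl} permit ip {addr} {wildcard} any",   # outgoing: fixed source
        f"access-list {sub.acl} permit ip any {addr} {wildcard}",   # incoming: fixed destination
    ]


def police_line(sub: Subscriber) -> str:
    burst = burst_size(sub.rate_bps)
    return f"police {sub.rate_bps} {burst} {burst} conform-action transmit exceed-action drop"


def build_config(subs: List[Subscriber], uplink: str = "gigabitethernet 3/1") -> List[str]:
    """Return the IOS command lines, in the deck's step order, as a flat list."""
    validate(subs)
    lines = ["mls qos"]                                   # step 1: enable PFC QoS globally
    for sub in subs:                                      # step 2: one ACL per subscriber
        lines += acl_lines(sub)
    for sub in subs:                                      # step 3: one class-map per ACL
        lines += [f"class-map {class_name(sub)}", f"match access-group {sub.acl}", "exit"]
    by_port: Dict[str, List[Subscriber]] = {}
    for sub in subs:
        by_port.setdefault(sub.port, []).append(sub)
    for port, members in by_port.items():                 # step 4a: subscriber-port policy-maps
        lines.append(f"policy-map {port_policy(port)}")
        for sub in members:
            lines += [f"class {class_name(sub)}", police_line(sub), "exit"]
        lines.append("exit")
    lines.append(f"policy-map {UPLINK_POLICY}")           # step 4b: uplink policy-map, all classes
    for sub in subs:
        lines += [f"class {class_name(sub)}", police_line(sub), "exit"]
    lines.append("exit")
    for port in by_port:                                  # step 5: attach inbound on every port
        lines += [f"interface {port}", f"service-policy input {port_policy(port)}", "exit"]
    lines += [f"interface {uplink}", f"service-policy input {UPLINK_POLICY}", "exit"]
    return lines


if __name__ == "__main__":
    # Constructed inputs matching the deck's Case 3 (KTH shares fa 4/2 with KTLinkus).
    case3 = [
        Subscriber("KTF", "10.1.1.0/24", 2001, 1_000_000, "fastethernet 4/1"),
        Subscriber("KTLinkus", "20.1.1.0/24", 2002, 5_000_000, "fastethernet 4/2"),
        Subscriber("KTH", "30.1.1.0/24", 2003, 2_000_000, "fastethernet 4/2"),
    ]
    print("\n".join(build_config(case3)))
```

Feeding the generated lines to the switch in this order reproduces the procedure on the preceding slides; the validation step catches the two mistakes the "Constraints" slides call out (an ACL reused across subscribers, which silently makes them share one rate limit, and an ACL number outside the range reserved for rate limiting) before anything is typed into the device.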
II-6. Rate Limit: Provisioning Example, Case 1 (initial R/L configuration)
Network layout and basic policy
(Diagram: Internet - gi 3/1 - Cat.6509; fa 4/1 to KTF 10.1.1.0/24, fa 4/2 to KTLinkus 20.1.1.0/24)
Subscriber information
- Company: KTF, 10.1.1.0/24
- Company: KTLinkus, 20.1.1.0/24
Port information
- Uplink port: gigabitethernet 3/1
- KTF: fastethernet 4/1
- KTLinkus: fastethernet 4/2
Rate limit information
- KTF: 1M
- KTLinkus: 5M
- Uplink port: 1M and 5M
II-6. Rate Limit: Provisioning Example, Case 1 (initial R/L configuration), Configuration
QoS enable
Cat6509(config)#mls qos
ACL configuration
Cat6509(config)#access-list 2001 permit ip 10.1.1.0 0.0.0.255 any
Cat6509(config)#access-list 2001 permit ip any 10.1.1.0 0.0.0.255
Cat6509(config)#access-list 2002 permit ip 20.1.1.0 0.0.0.255 any
Cat6509(config)#access-list 2002 permit ip any 20.1.1.0 0.0.0.255
Class-map configuration
Cat6509(config)#class-map KTF_2001_1M
Cat6509(config-cmap)#match access-group 2001
Cat6509(config-cmap)#exit
Cat6509(config)#class-map KTLinkus_2002_5M
Cat6509(config-cmap)#match access-group 2002
Cat6509(config-cmap)#exit
II-6. Rate Limit: Provisioning Example, Case 1 (initial R/L configuration), Configuration
Policy-map configuration for KTF
Cat6509(config)#policy-map KTF
Cat6509(config-pmap)#class KTF_2001_1M
Cat6509(config-pmap-c)#police 1000000 187500 187500 conform-action transmit exceed-action drop
Cat6509(config-pmap-c)#exit
Cat6509(config-pmap)#exit
Policy-map configuration for KTLinkus
Cat6509(config)#policy-map KTLinkus
Cat6509(config-pmap)#class KTLinkus_2002_5M
Cat6509(config-pmap-c)#police 5000000 937500 937500 conform-action transmit exceed-action drop
Cat6509(config-pmap-c)#exit
Cat6509(config-pmap)#exit
II-6. Rate Limit: Provisioning Example, Case 1 (initial R/L configuration), Configuration
Policy-map configuration for the uplink port
Cat6509(config)#policy-map From_Internet_To_User
Cat6509(config-pmap)#class KTF_2001_1M
Cat6509(config-pmap-c)#police 1000000 187500 187500 conform-action transmit exceed-action drop
Cat6509(config-pmap-c)#exit
Cat6509(config-pmap)#class KTLinkus_2002_5M
Cat6509(config-pmap-c)#police 5000000 937500 937500 conform-action transmit exceed-action drop
Cat6509(config-pmap-c)#exit
Cat6509(config-pmap)#exit
II-6. Rate Limit: Provisioning Example, Case 1 (initial R/L configuration), Configuration
Service-policy configuration on each port
Cat6509(config)#interface gi 3/1 -> apply to the uplink port
Cat6509(config-if)#service-policy input From_Internet_To_User
Cat6509(config-if)#interface fa 4/1 -> apply to port fa 4/1
Cat6509(config-if)#service-policy input KTF
Cat6509(config-if)#interface fa 4/2 -> apply to port fa 4/2
Cat6509(config-if)#service-policy input KTLinkus
II-6. Rate Limit: Provisioning Example, Case 2 (adding a new subscriber to an existing configuration)
Network layout and basic policy
(Diagram: Internet - gi 3/1 - Cat.6509; fa 4/1 to KTF 10.1.1.0/24, fa 4/2 to KTLinkus 20.1.1.0/24, fa 4/3 to KTH 30.1.1.0/24)
Subscriber information
- Company: KTF, 10.1.1.0/24
- Company: KTLinkus, 20.1.1.0/24
- Company: KTH, 30.1.1.0/24
Port information
- Uplink port: gigabitethernet 3/1
- KTF: fastethernet 4/1
- KTLinkus: fastethernet 4/2
- KTH: fastethernet 4/3
Rate limit information
- KTF: 1M
- KTLinkus: 5M
- KTH: 2M
- Uplink port: 1M, 2M and 5M
II-6. Rate Limit: Provisioning Example, Case 2 (adding a new subscriber to an existing configuration), Configuration
ACL configuration (ACL for the newly added subscriber)
Cat6509(config)#access-list 2003 permit ip 30.1.1.0 0.0.0.255 any
Cat6509(config)#access-list 2003 permit ip any 30.1.1.0 0.0.0.255
Class-map configuration (class-map for the newly added subscriber)
Cat6509(config)#class-map KTH_2003_2M
Cat6509(config-cmap)#match access-group 2003
II-6. Rate Limit: Provisioning Example, Case 2 (adding a new subscriber to an existing configuration), Configuration
Policy-map configuration
Cat6509(config)#policy-map KTH -> policy-map to apply on fa 4/3
Cat6509(config-pmap)#class KTH_2003_2M
Cat6509(config-pmap-c)#police 2000000 375000 375000 conform-action transmit exceed-action drop
Cat6509(config-pmap-c)#exit
Cat6509(config-pmap)#exit
Cat6509(config)#policy-map From_Internet_To_User -> policy-map to apply on gi 3/1
Cat6509(config-pmap)#class KTH_2003_2M
Cat6509(config-pmap-c)#police 2000000 375000 375000 conform-action transmit exceed-action drop
II-6. Rate Limit: Provisioning Example, Case 2 (adding a new subscriber to an existing configuration), Configuration
Service-policy configuration on each port
Cat6509(config)#interface gi 3/1 -> re-apply on the uplink port
Cat6509(config-if)#service-policy input From_Internet_To_User
Cat6509(config-if)#interface fa 4/3 -> apply to port fa 4/3
Cat6509(config-if)#service-policy input KTH
II-6. Rate Limit: Provisioning Example, Case 3 (a new subscriber added on fa 4/2 of an existing configuration)
Network layout and basic policy
(Diagram: Internet - gi 3/1 - Cat.6509; fa 4/1 to KTF 10.1.1.0/24; fa 4/2 to a V61xx subscriber switch serving both KTLinkus 20.1.1.0/24 and KTH 30.1.1.0/24)
Subscriber information
- Company: KTF, 10.1.1.0/24
- Company: KTLinkus, 20.1.1.0/24
- Company: KTH, 30.1.1.0/24
Port information
- Uplink port: gigabitethernet 3/1
- KTF: fastethernet 4/1
- KTLinkus: fastethernet 4/2
- KTH: fastethernet 4/2
Rate limit information
- KTF: 1M
- KTLinkus: 5M
- KTH: 2M
- Uplink port: 1M, 2M and 5M
II-6. Rate Limit: Provisioning Example, Case 3 (a new subscriber added on fa 4/2 of an existing configuration), Configuration
ACL configuration (ACL for the newly added subscriber)
Cat6509(config)#access-list 2003 permit ip 30.1.1.0 0.0.0.255 any
Cat6509(config)#access-list 2003 permit ip any 30.1.1.0 0.0.0.255
Class-map configuration (class-map for the newly added subscriber)
Cat6509(config)#class-map KTH_2003_2M
Cat6509(config-cmap)#match access-group 2003
II-6. Rate Limit: Provisioning Example, Case 3 (a new subscriber added on fa 4/2 of an existing configuration), Configuration
Policy-map configuration
Cat6509(config)#policy-map KTLinkus -> policy-map to apply on fa 4/2
Cat6509(config-pmap)#class KTH_2003_2M
Cat6509(config-pmap-c)#police 2000000 375000 375000 conform-action transmit exceed-action drop
Cat6509(config-pmap-c)#exit
Cat6509(config-pmap)#exit
Cat6509(config)#policy-map From_Internet_To_User -> policy-map to apply on gi 3/1
Cat6509(config-pmap)#class KTH_2003_2M
Cat6509(config-pmap-c)#police 2000000 375000 375000 conform-action transmit exceed-action drop
Caution (when several users are attached to one 6509 interface)
- Avoid naming policy-maps after a company (above, the KTH user ends up inside the policy-map named KTLinkus, which invites confusion)
- This mainly applies when a V6124 is connected, so use a common naming scheme from the time the first subscriber is provisioned
II-6. Rate Limit: Provisioning Example, Case 3 (a new subscriber added on fa 4/2 of an existing configuration), Configuration
Service-policy configuration on each port
Cat6509(config)#interface gi 3/1 -> re-apply on the uplink port
Cat6509(config-if)#service-policy input From_Internet_To_User
Cat6509(config-if)#interface fa 4/2 -> apply to port fa 4/2
Cat6509(config-if)#service-policy input KTLinkus