◆L3 switch inter-VLAN configuration (Cisco SG300-28, System Mode = Layer 3)
Switch Management IP : 192.168.1.254 (Default)
Management PC // IP: 192.168.1.10 Subnet: 255.255.255.0 Gateway: 192.168.1.254
PC#1 // IP: 10.10.10.101 Subnet: 255.255.255.0 Gateway: 10.10.10.254 - VLAN 10
PC#2 // IP: 192.168.10.101 Subnet: 255.255.255.0 Gateway: 192.168.10.254 - VLAN 1
GUI mode (In your web browser, type in http://192.168.1.254)
STEP 1. Creating VLANs & Assign a VLAN to a port
VLAN Management - Create VLAN
Click the Add button. A new window appears for creating a new VLAN.
Enter 10 in the VLAN ID field and click Apply.
VLAN Management - Interface Settings
Select g25 and click Edit at the bottom of the page.
This will configure Port 25.
Set interface 2 to Access, and click Apply
VLAN Management - Port to VLAN
Filter: VLAN ID equals to 10 and click Go.
Check the PVID box on port 25, and click Apply. (g25 / Access / Untagged / PVID)
Click on Port VLAN Membership Table at the bottom of that page.
This will lead you to the Port VLAN Membership page on the VLAN Management menu.
Here you can see that Port 25 is now a member of VLAN 10, as just configured.
STEP 2. Create the IP interfaces for VLAN 1 and VLAN 10.
We will assign the following:
192.168.10.254 to VLAN 1
10.10.10.254 to VLAN 10
IP Configuration - IPv4 Interface
Notice that the interface reserved for an address obtained via DHCP is present in the list:
VLAN 1 / DHCP / 0.0.0.0 / 255.255.255.255 / Not received
We will not need this interface, so it is advisable to delete it.
To do so, simply click that entry and choose Delete.
Add the interfaces discussed above by clicking Add and applying the following information:
VLAN: 1
IP Address Type: Static IP Address
IP Address: 192.168.10.254
Mask: 255.255.255.0
*Connectivity to your PC will stop once the IP address has changed.
Change the static IP address of your Management PC to 192.168.10.101.
Configure the Default gateway to 192.168.10.254, which is now the address for VLAN 1 on the switch.
In your web browser, type in http://192.168.10.254
IP Configuration - IPv4 Interface
Notice that the interface for VLAN 1 has been changed to 192.168.10.254.
Create another IP interface for VLAN 10.
VLAN: 10
IP Address Type: Static IP Address
IP Address: 10.10.10.254
Mask: 255.255.255.0
Set PC#1's IP address to 10.10.10.101.
IP Configuration - IPv4 Static Routes
On this page you can see the routes for the two interfaces you just created, both marked Local (directly connected):
192.168.10.0 / 24 / Local
10.10.10.0 / 24 / Local
Now let's test connectivity between the two PCs, which are on different IP subnets.
From a command prompt on PC#1 (10.10.10.101),
ping the following addresses and verify that communication is successful:
ping 192.168.10.254 // this verifies communication with VLAN 1 IP address of the switch
ping 10.10.10.254 // this verifies communication with VLAN 10 IP address of the switch
ping 192.168.10.101 // this is PC#2's IP address. This verifies successful communication between both PCs, and that routing is present.
From a command prompt on PC#2 (192.168.10.101),
ping the following addresses and verify that communication is successful:
ping 192.168.10.254 // this verifies communication with VLAN 1 IP address of the switch
ping 10.10.10.254 // this verifies communication with VLAN 10 IP address of the switch
ping 10.10.10.101 // this is PC#1's IP address. This verifies successful communication between both PCs, and that routing is present.
This demo shows that two separate networks were created and routed between each other, without the use of a separate router.
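The routing decisions behind the ping tests above, as an added Python example (not part of the original note): it models the switch's two Local routes plus the default route from the CLI section at the end of the note, resolves a destination by longest-prefix match, and checks each host's addressing plan against the VLAN interfaces. The Management PC is kept with its original 192.168.1.x settings to show why connectivity stops once the VLAN 1 address changes. All names (SVIS, ROUTES, HOSTS, lookup, check_host, path) are the example's own.

```python
"""Added example (not part of the original note): a model of the switch's
routing table after STEP 2 and a check of each host's addressing plan.
Function and variable names are the example's own; the default route comes
from the "ip route 0.0.0.0 0.0.0.0 192.168.10.1" line in the CLI section."""
import ipaddress

# VLAN interfaces (SVIs) created in STEP 2.
SVIS = {
    1: ipaddress.ip_interface("192.168.10.254/24"),
    10: ipaddress.ip_interface("10.10.10.254/24"),
}

# Route table: the two Local routes shown on the IPv4 Static Routes page
# plus the default route from the CLI section. Entries: (prefix, next hop, VLAN).
ROUTES = [
    (ipaddress.ip_network("192.168.10.0/24"), "Local", 1),
    (ipaddress.ip_network("10.10.10.0/24"), "Local", 10),
    (ipaddress.ip_network("0.0.0.0/0"), "192.168.10.1", 1),
]

# Hosts from the note. The Management PC keeps its original 192.168.1.x
# settings to show why connectivity stops once the VLAN 1 address changes.
HOSTS = {
    "PC#1": ("10.10.10.101/24", "10.10.10.254", 10),
    "PC#2": ("192.168.10.101/24", "192.168.10.254", 1),
    "Management PC (old settings)": ("192.168.1.10/24", "192.168.1.254", 1),
}


def lookup(dst):
    """Longest-prefix match over ROUTES. Returns (next_hop, egress_vlan),
    with next_hop == "Local" for directly connected destinations."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, vlan in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, vlan)
    return None if best is None else (best[1], best[2])


def check_host(name):
    """Return the addressing problems for a host (empty list means OK)."""
    addr, gw, vlan = HOSTS[name]
    host = ipaddress.ip_interface(addr)
    gw = ipaddress.ip_address(gw)
    svi = SVIS[vlan]
    problems = []
    if gw not in host.network:
        problems.append(f"gateway {gw} is outside {host.network}")
    if gw != svi.ip:
        problems.append(f"gateway {gw} is not the VLAN {vlan} SVI {svi.ip}")
    if host.ip not in svi.network:
        problems.append(f"{host.ip} is not in the VLAN {vlan} subnet {svi.network}")
    return problems


def path(src_name, dst):
    """Describe how traffic from a host reaches dst: on-link (same subnet,
    no routing needed) or routed by the switch between VLANs."""
    addr, _gw, vlan = HOSTS[src_name]
    host = ipaddress.ip_interface(addr)
    if ipaddress.ip_address(dst) in host.network:
        return "on-link"
    route = lookup(dst)
    if route is None:
        return "unroutable"
    next_hop, egress_vlan = route
    via = "" if next_hop == "Local" else f" via {next_hop}"
    return f"routed by switch: VLAN {vlan} -> VLAN {egress_vlan}{via}"


if __name__ == "__main__":
    for name in HOSTS:
        print(name, check_host(name) or "OK")
    print("PC#1 -> 192.168.10.101:", path("PC#1", "192.168.10.101"))
    print("PC#1 -> 8.8.8.8:", path("PC#1", "8.8.8.8"))
```

Running it reports PC#1 and PC#2 as OK, flags the Management PC's stale gateway and subnet, and shows the PC#1-to-PC#2 ping as routed between VLAN 10 and VLAN 1 on the switch itself.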
◆Security - Access Control Lists (ACL)
1. Create an Access Control List (ACL)
Access Control - IPv4-Based ACL
Click Add
In the ACL List window, enter a name for this Access Control List that is relevant to the operation you will be configuring,
such as "DenyAll".
Note that many ACLs can be configured at any given time,
so it is important to give each ACL a distinctive name so you will remember its functionality.
Click Apply, then Close
2. Create an Access Control Entry (ACE), which is bound to an ACL
IPv4-Based ACE
Click Add to create a new traffic filter for the ACL we have just created.
The ACE page appears.
Notice that the ACL name is DenyAll.
We will give this ACE attributes that match all incoming traffic on a given port.
Assign the following values to this page:
Priority: 1
Action: Deny
Protocol: Any
Source IP Address: Any
Destination IP Address: Any
Type of Service: Any
Click Apply, then Close to save your ACE.
Return to the IPv4-Based ACE page,
where the ACE you've created appears in the table.
3. Bind the ACL to an interface
Go to ACL Binding and select port 25. Click Edit.
Check the Select IPv4-Based ACL checkbox,
and select the ACL you want to bind the port to.
In our case there is only one option, DenyAll.
We will apply these changes in the next section,
when we will see Access Control List in action.
Keep this window open.
4. Show how the Access Control rules we've created come into action
Now return to the switch's management interface and click Apply in the ACL Binding window.
You will be returned to the ACL Binding page,
where you can see that port 25 is bound to the ACL DenyAll.
This filter blocks all traffic entering this port.
Now let's unbind the ACL from port 25.
Click the port 25 checkbox and click Clear.
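How the ACL configured in steps 1 to 4 is evaluated, as an added Python example (not the note's or Cisco's code): it models ACEs with the Priority, Action, Protocol, Source and Destination fields from the ACE page, binds the DenyAll ACL to port 25, and shows the effect of unbinding it. It goes one step beyond the note with a constructed variation in which a narrower permit ACE is placed ahead of the deny, to show why the priority value matters. The evaluation rules are the example's assumptions, not checked against SG300 firmware: ACEs are tried in ascending priority value, the first match decides, and a packet matching no ACE is denied. All names (ACE, evaluate, ingress, DENY_ALL, BINDINGS, PERMIT_THEN_DENY, the PING_* packets) are the example's own.

```python
"""Added example (not from the original note or Cisco): a model of how an
IPv4-based ACL bound to a port is evaluated. Assumptions (the example's own,
not checked against SG300 firmware): ACEs are tried in ascending priority
value, the first match decides, and a packet matching no ACE is denied."""
import ipaddress
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class ACE:
    priority: int
    action: str            # "Permit" or "Deny"
    protocol: str = ANY    # "Any" or a protocol name such as "ICMP"
    src: str = ANY         # "Any" or a CIDR prefix
    dst: str = ANY

    def matches(self, pkt):
        def in_prefix(spec, ip):
            return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
        return ((self.protocol == ANY or self.protocol == pkt["protocol"])
                and in_prefix(self.src, pkt["src"])
                and in_prefix(self.dst, pkt["dst"]))


def evaluate(acl, pkt):
    """Return (action, priority of the matching ACE); priority is None when
    no ACE matched and the implicit deny applied."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace.matches(pkt):
            return ace.action, ace.priority
    return "Deny", None


def ingress(bindings, port, pkt):
    """Apply the ACL bound to an ingress port, if any. Unbound ports forward."""
    acl = bindings.get(port)
    if acl is None:
        return "forward"
    action, _ = evaluate(acl, pkt)
    return "forward" if action == "Permit" else "drop"


# The note's ACL: one catch-all deny ACE, bound to port 25.
DENY_ALL = [ACE(priority=1, action="Deny")]
BINDINGS = {25: DENY_ALL}

# Constructed variation: a narrower permit ahead of the same deny, showing
# that the ACE with the lower priority value is consulted first.
PERMIT_THEN_DENY = [
    ACE(priority=2, action="Deny"),
    ACE(priority=1, action="Permit", protocol="ICMP",
        src="10.10.10.0/24", dst="192.168.10.254/32"),
]

# Constructed packets: the pings from the connectivity test, as seen on port 25.
PING_PC1_TO_SVI = {"protocol": "ICMP", "src": "10.10.10.101", "dst": "192.168.10.254"}
PING_PC1_TO_PC2 = {"protocol": "ICMP", "src": "10.10.10.101", "dst": "192.168.10.101"}


if __name__ == "__main__":
    print("DenyAll bound to port 25:", ingress(BINDINGS, 25, PING_PC1_TO_SVI))
    print("after Clear (unbound):", ingress({}, 25, PING_PC1_TO_SVI))
    print("permit-then-deny, ping to SVI:", evaluate(PERMIT_THEN_DENY, PING_PC1_TO_SVI))
    print("permit-then-deny, ping to PC#2:", evaluate(PERMIT_THEN_DENY, PING_PC1_TO_PC2))
```

With DenyAll bound, every ping from PC#1 on port 25 is dropped; after Clear the port forwards again. In the variation, the ping to the switch's VLAN 1 address is permitted by the priority-1 ACE while the ping to PC#2 still falls through to the priority-2 deny, which is the ordering effect to keep in mind when building ACLs with more than one entry.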
================================================================================================
CLI menu
#Serial Port
Data Rate: 115200
Data Bits: 8
Parity: None
Stop Bits: 1
Changing STP timers - shortening convergence time
SW(config)# spanning-tree vlan 10 hello-time [sec: Default 2 sec]
SW(config)# spanning-tree vlan 10 max-age [sec: Default 20 sec]
SW(config)# spanning-tree vlan 10 forward-time [sec: Default 15 sec]
SW(config)# spanning-tree vlan 10 forward-time 10 // Listening 10 sec & Learning 10 sec
STP PortFast - skipping the Listening/Learning states
*Before: device connected --> Listening (15 sec) --> Learning (15 sec) --> Forwarding (30 sec total)
*After: device connected --> Forwarding
*Ports that connect end devices such as PCs and servers can use the PortFast feature to reach Forwarding quickly
SW(config)# spanning-tree portfast default // enable on all ports
SW(config)# interface gi 15 // enable on a specific port
SW(config-if)# switchport mode access
SW(config-if)# spanning-tree bpduguard enable // prevents loops caused by PortFast
SW(config-if)# spanning-tree portfast
*BPDU guard: if a BPDU is received on an interface with BPDU guard configured, that port is put into the shutdown state (loop prevention)
*err-disable: the state a port is in after being shut down this way --> recover by issuing shutdown, then no shutdown on that port
*errdisable recovery: a feature by which the switch automatically restores a port to normal a set time after it enters the errdisable state
SW(config)# errdisable recovery cause [select the errdisable cause]
SW(config)# errdisable recovery interval <Sec>
ip routing // enable IP routing on the switch
ip route 0.0.0.0 0.0.0.0 192.168.10.1 // default route toward the upstream gateway