Tag: ios

二十四口思科c2950交换机

网上买了一只二手的二十四口铁盒子2950交换机,成色还不错,拆开看了下(太好拆了,我本来以为会很难拆的),出厂日期是二零零六年,线路板完好,电源模块成色也很新,就是灰尘多了点,风扇声音巨~~~大,看样子风扇是快要坏了,相当幸运的是,这个风扇的型号和以前公司遗留下来的服务器风扇一模一样,于是我很简单的就把新的风扇换了上去,运作顺畅,清理了一下灰尘,嗯,这一转手卖个七八百应该不成问题,接下来就是升级交换机的操作系统,也就是著名的IOS(Internetwork Operating System),铁盒子公司一直声称他们是卖软件的,我觉得好像也是,交换机里面的芯片不是英特尔就是博通,接口不是安普就是欧姆龙,除了铁盒子外面写了个cisco systems,就木有哪里有标志了。


下面我们来升级2950的IOS,准备工作:在我得电脑上开启tftpd服务,下载最新版本的2950IOS。

铁盒子屁股上写了个出厂IOS版本号EA1B,登录进去系统看看,果然是c2950-i6q4l2-mz.121-22.EA1b.Bin,说明这个铁盒子从来没有升级过,首先我们需要备份一下原来的IOS,万一升级失败了也好恢复,在CLI里面命令如下:

copy flash:/c2950-i6q4l2-mz.121-22.EA1b.Bin tftp

然后输入你电脑的IP地址就可以了,在几十秒钟后,电脑上tftpd的目录就可以看到传输过来的旧版IOS了。

如果配置文件中加了很多选项,那么最好也备份下config.Txt,步骤雷同。
接下来删除html管理器的目录,如果你不需要通过http来进行管理的话,也是要删除的,因为要删除了才能不通过它来管理嘛,如果不删除,那就是旧版本的html管理器配上新版本的IOS,那可不一定会发生什么神奇的事情,在CLI里面命令如下:

delete /r flash:/html

然后确认就可以了。

接下来检查一下剩余的flash空间,一般来说2950交换机的flash空间都比较小,只有八个MB,而新的IOS最小也有四个MB,我下载带加密功能的新版IOS(c2950-i6k2l2q4-tar.121-22.EA13.tar)有五点六个MB,所以,我们必须要删除原有IOS才能安装新的IOS,你看像现在新的2960交换机,flash有两百五十六个MB,可以放好多个不同的IOS哦~那么,删除旧版IOS的命令如下:

delete flash:/c2950-i6q4l2-mz.121-22.EA1b.Bin

到这一步,你就千万不能断电了,要是断电了,嘿嘿,哈哈,该贝斯。
接下来我们把新的IOS通过tftp协议传输到交换机上,例如我开启tftpd电脑的IP地址是192.168.1.99,然后在CLI里面命令如下:

archive tar /xtract tftp://192.168.1.99/c2950-i6k2l2q4-tar.121-22.EA13.tar flash:

接下来交换机会解压缩tar包,将bin文件放到根目录,将html管理器解压缩到根目录,直到重新出现#号提示符,IOS升级完成,然后我们需要重启一下交换机,看是否真正升级成功,在命令行下输入reload即可。

再次登录进入交换机,我们输入命令查看一下系统版本信息,可以看到,操作系统已经成功升级为Version 12.1(22)EA13带cryptographic功能的IOS。

c2950>sh ver
Cisco Internetwork Operating System Software
IOS ™ C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA13, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by cisco Systems, Inc.
Compiled Fri 27-Feb-09 22:20 by amvarma
Image text-base: 0×80010000, data-base: 0×80680000

ROM: Bootstrap program is C2950 boot loader

c2950 uptime is 3 hours, 44 minutes
System returned to ROM by power-on
System restarted at 11:31:18 Taipei Wed Apr 14 2010
System image file is “flash:/c2950-i6k2l2q4-mz.121-22.EA13.bin”

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

cisco WS-C2950-24 (RC32300) processor (revision R0) with 19912K bytes of memory.
Processor board ID FOC0903T099
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:13:1A:50:2B:00
Motherboard assembly number: 73-5781-13
Power supply part number: 34-0965-01
Motherboard serial number: FOC0902454E
Power supply serial number: DAB0851NHZ0
Model revision number: R0
Motherboard revision number: A0
Model number: WS-C2950-24
System serial number: FOC0903T099
Configuration register is 0xF

总的来说,铁盒子的效率比TP-LINK这样的家用产品要高,一百个MB的网络,传输速度一度可以达到20M/s,完全不符合规律。

Cisco Switch Portfast

我早就发现了局域网自动分配地址的速度很慢,只是问题不够明显。虽然问题不明显,但我一直在思考这个问题,经过我英明的分析和搜索,原来这个问题是早有案例的……

Using PortFast and Other Commands to Fix Workstation Startup Connectivity Delays
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800b1500.shtml#cnf2k

—高科技分隔线—
Introduction
This document addresses initial connectivity delays that occur when workstations that are connected to switches have one of these two issues:
*Unable to log in to a network domain, either Microsoft Windows NT or Novell
*Unable to obtain a DHCP address
The steps in this document are easy to implement and address the most common causes of workstation connectivity delays that you encounter during the workstation initialization/startup phase.
—高科技分隔线—

Spanning Tree
If you have recently migrated from a hub environment to a switch environment, startup connectivity delays can appear because a switch works much differently than a hub. A switch provides connectivity at the data link layer, not at the physical layer. The switch uses a bridging algorithm in order to decide if packets that are received on a port need to be transmitted out other ports. The bridging algorithm is susceptible to physical loops in the network topology. Because of this susceptibility to loops, switches run the protocol STP that causes loops to be eliminated in the topology. When you run STP, all ports that are included in the spanning tree process become active much slower than they otherwise become active as STP detects and blocks loops. A bridged network that has physical loops, without STP, breaks. Despite the time that the process involves, STP is beneficial. STP that runs on Catalyst switches is an industry-standard specification (IEEE 802.1D).

After a port on the switch has linked and joined the bridge group, STP runs on that port. A port that runs STP can be in one of five states:

*blocking
*listening
*learning
*forwarding
*disabled

STP dictates that the port starts out blocking, and then immediately moves through the listening and learning phases. By default, the port spends approximately 15 seconds listening and 15 seconds learning. During the listening state, the switch tries to determine where the port fits in the spanning tree topology. The switch especially wants to know whether this port is part of a physical loop. If the port is part of a loop, the port can be chosen to go into blocking mode. The blocking mode means that the port does not send or receive user data in order to eliminate loops. If the port is not part of a loop, the port proceeds to the learning state, in which the port learns which MAC addresses live off this port. This entire STP initialization process takes about 30 seconds.

If you connect a workstation or a server with a single NIC card or an IP phone to a switch port, the connection cannot create a physical loop. These connections are considered leaf nodes. There is no reason to make the workstation wait 30 seconds while the switch checks for loops if the workstation cannot cause a loop. Cisco added the PortFast or fast-start feature. With this feature, the STP for this port assumes that the port is not part of a loop and immediately moves to the forwarding state and does not go through the blocking, listening, or learning states. This command does not turn STP off. This command makes STP skip a few initial steps (unnecessary steps, in this circumstance) on the selected port.
—高科技分隔线—

用中文来说,上面这一段话可以解读为:处于OSI二层的STP协议定义了一个交换机的端口的五种状态,你看上面有blocking,listening,learning,forwarding,disabled这么些状态,显然只有forwarding状态才是工作状态,而一个交换机端口从加电开始,先要经过listening,learning,forwarding这么个顺序来启动,主要是为了检测端口上有木有环路,以免造成网络风暴而致堵塞,看看需不需要blocking。

遗憾的是,这每个过程至少需要十五秒的时间,于是就造成了dhcp超时,以致于电脑获取不到IP地址,而电脑重启之后问题就解决了,是因为这个端口已经进入了forwarding状态,那莫这个问题应该怎么来解决呢?

这篇文档中说到,Cisco added the PortFast or fast-start feature,思科添加了一个portfast功能,跳过listening,learning,直接进入forwarding状态。

那莫,如何开启portfast呢?这就太简单了,如图所示:

conf t
interface fastEthernet 0/1
spanning-tree portfast

那莫,为什么原有的STP协议中没有把这么方便的一个功能加进去呢?看上面那么大一段Warning就知道了~啊,原来是loops的后果很坏很严重……开启了portfast的端口只能接一个网络设备,也就是说,在开启了portfast得端口上,如果出现了环路,哇,居然可以network cannot recover,不过对于我们这种小型办公网络而言,最多也就是个网速超慢……总之呢,就是开启了portfast的端口,是不能接交换机,路由器,集线器等等设备的,也就是说,只能有一个NIC,一个MAC地址(当然是同时)。

—还是高科技分隔线—
Caution: Never use the PortFast feature on switch ports that connect to other switches, hubs, or routers. These connections can cause physical loops, and spanning tree must go through the full initialization procedure in these situations. A spanning tree loop can bring your network down. If you turn on PortFast for a port that is part of a physical loop, there can be a window of time when packets are continuously forwarded (and can even multiply) in such a way that the network cannot recover.
—还是高科技分隔线—

这篇文档居然还无聊地对端口up时间做了个benchmark(请参考原文中Timing Tests on the Catalyst 2900XL段落),结果是可以把三十秒的时间缩短为一秒……效果还是很明显的,等于是把网线插入电脑就可以上网了,零等待~

于是我把办公室那个交换机的portfast功能也打开了,明天上班看下效果……当然,连服务器和无线AP以及上行防火墙的端口显然是不能打开的……