Reference website

http://articles.techrepublic.com.com/5100-10878_11-6125413.html

Chances are good that most of you know what an Ethernet MAC address is. But what you might not know is what you can do with MAC addresses in the Cisco IOS.

An Ethernet MAC address is meant to identify every Ethernet interface in the world uniquely. Each vendor that makes network devices (Ethernet NICs, wireless adapters, routers, switches) burns an address into each interface at the factory: the first three octets are the vendor's IEEE-assigned OUI, the last three are the vendor's own serial portion. That uniqueness holds only for the burned-in address; as the spoofing section below shows, the address a device actually puts on the wire is whatever its software or configuration says it is.

A MAC address can go by other names, including physical address (in Windows), Ethernet address, and hardware address. Whatever you call it, this address is a 48-bit value written as 12 hexadecimal digits. Only the grouping differs between tools: Cisco IOS writes three dotted groups of four digits, Windows writes dash-separated octets, and other tools use dot- or colon-separated octets. Here is the same address in three notations:

  • 1234.5678.90ab
  • 12-34-56-78-90-ab
  • 12.34.56.78.90.ab

Determine your MAC address

In Windows, you can find out your MAC address using the ipconfig /all command. Listing A offers an example.

In the command's output, you can find the MAC address under the Physical Address listing. You can find out similar information from the switch this PC connects to using the show mac-address-table command. Here's an example:

Switch# show mac-address-table 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0014.1c40.b080    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    000f.1fd3.d85a    DYNAMIC     Fa0/14
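Normalizing the notations listed above and searching the MAC address table for a given address, as an added Python example that is not part of the original article: it embeds the show mac-address-table output shown above as a constructed sample, converts any of the dash, colon or dot notations to the Cisco form, decodes the multicast and locally-administered flag bits of the first octet, and returns the VLAN and port on which an address was learned. Function names are my own.

```python
import re

# Constructed sample: the "show mac-address-table" output reproduced above.
SHOW_MAC_TABLE = """\
Switch# show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0014.1c40.b080    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    000f.1fd3.d85a    DYNAMIC     Fa0/14
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Return a MAC in Cisco dotted-triplet form (xxxx.xxxx.xxxx).

    Accepts the Windows dashed form, the colon form, the dotted-pair form and
    the Cisco form; rejects anything that is not exactly 48 bits of hex.
    """
    digits = re.sub(r"[.:\-\s]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def mac_flags(text):
    """Decode the vendor OUI and the two flag bits carried in the first octet."""
    digits = normalize_mac(text).replace(".", "")
    first_octet = int(digits[0:2], 16)
    return {
        "oui": digits[0:6],                            # IEEE-assigned vendor prefix
        "multicast": bool(first_octet & 0x01),         # I/G bit: group address
        "locally_administered": bool(first_octet & 0x02),  # U/L bit: not a burned-in address
    }


# One table row: VLAN (number or "All"), MAC, type, port.
_ROW = re.compile(
    r"^\s*(All|\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$"
)


def parse_mac_table(output):
    """Parse 'show mac-address-table' text into (vlan, mac, type, port) tuples."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return rows


def find_ports(output, mac):
    """Return [(vlan, port)] entries where the MAC (in any notation) was learned."""
    wanted = normalize_mac(mac)
    return [(vlan, port) for vlan, addr, _type, port in parse_mac_table(output)
            if addr == wanted]
```

Feeding it the Physical Address from ipconfig /all (00-0F-1F-D3-D8-5A in Windows notation) locates the PC on Fa0/14 in VLAN 1; the STATIC rows with port CPU come back from parse_mac_table too, and mac_flags marks the 0100.0c… entries as multicast.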

On a Cisco router, you can find out which MAC addresses your interfaces use with the show interfaces command. Here's an example:

RouterB# show interfaces
Ethernet0/0 is up, line protocol is up 
Hardware is AmdP2, address is 0003.e39b.9220 (bia 0003.e39b.9220)
Internet address is 1.1.1.1/8

On the second line of each interface, the hardware line shows the address the interface is using and, in parentheses, the BIA (burned-in address) programmed at the factory. Here they are the same, 0003.e39b.9220. They differ only when someone has configured a different address, which makes this line the first thing to check when you suspect an interface's MAC has been changed.

Each Ethernet interface on a Cisco router has its own Ethernet MAC address. Switches also hold built-in entries that were not learned from any port; these are the lines with type STATIC and port CPU in the show mac-address-table output above. 0014.1c40.b080 is the switch's own address, and 0100.0ccc.cccc, 0100.0ccc.cccd and 0100.0cdd.dddd are Cisco multicast destinations (CDP/VTP/DTP/PAgP, PVST+ and CGMP respectively) that the switch hands to its CPU instead of forwarding.

Change my MAC address

Changing your MAC address from the default is what we call MAC spoofing. This term has a negative connotation because its more popular uses are for improper activities, particularly wireless network hacking (getting past an access point's MAC filter). However, MAC spoofing does have legitimate uses, such as testing MAC filtering. It is also not a router-only trick: every common operating system lets you set the address in software (Windows through the adapter's driver properties, Linux with ip link set dev <interface> address <mac>).

To change your MAC address on a Cisco router, use the mac-address command while in Interface Configuration Mode. Just use the command with the new MAC address—it's that simple. Here's an example:

RouterB# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RouterB(config)# int e0/0
RouterB(config-if)# mac-address 0000.0000.0001
RouterB(config-if)#^Z
RouterB#
RouterB# show int e0/0
Ethernet0/0 is up, line protocol is up 
Hardware is AmdP2, address is 0000.0000.0001 (bia 0003.e39b.9220)
Internet address is 1.1.1.1/8

After changing the MAC address, you can view the new one using the show interfaces command. Note that the BIA in parentheses still shows the factory address, which is how anyone reviewing the device can tell the address was changed.
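Turning that check into code, as an added Python example that is not part of the original article: it scans show interfaces output for the "address is X (bia Y)" line of every interface and reports the ones whose active address differs from the burned-in one. The sample text is constructed in the format shown above; Ethernet0/1 and its addresses are assumed for the example.

```python
import re

# Constructed sample in the "show interfaces" format above: Ethernet0/0 after
# the mac-address command from the example, Ethernet0/1 (assumed) untouched.
SHOW_INTERFACES = """\
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0000.0000.0001 (bia 0003.e39b.9220)
  Internet address is 1.1.1.1/8
Ethernet0/1 is up, line protocol is up
  Hardware is AmdP2, address is 0003.e39b.9221 (bia 0003.e39b.9221)
  Internet address is 10.0.0.1/24
"""

# Interface header lines start in column 0; detail lines are indented.
_IFACE = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)")
_ADDR = re.compile(r"address is ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
                   r"\(bia ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")


def interface_addresses(output):
    """Map interface name -> (active MAC, burned-in MAC) from show interfaces text."""
    result = {}
    current = None
    for line in output.splitlines():
        header = _IFACE.match(line)
        if header:
            current = header.group(1)
            continue
        addr = _ADDR.search(line)
        if addr and current:
            result[current] = (addr.group(1), addr.group(2))
    return result


def changed_interfaces(output):
    """Interfaces whose active MAC is not the BIA, i.e. set by configuration."""
    return sorted(name for name, (active, bia) in interface_addresses(output).items()
                  if active != bia)
```

Run across a fleet's show interfaces output, a non-empty result is the list of interfaces to explain: the BIA does not change when mac-address is configured, so a mismatch is always an administrative change, intended or not.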

Filter traffic based on MAC address

Let's say that, through a protocol analyzer, you find a device sending unwanted traffic on your network. It looks like this device is multi-homed—that is, it's sending traffic from multiple IP addresses.

You could find the switch port it's on using the show mac-address-table command (show mac-address-table address <mac> goes straight to the entry) and perform a shutdown on the port. But what if it connects to a hub with other devices or comes from some network not under your control?

Another option is to filter the traffic on the router or switch using a MAC address filter. Here's an example.

Cat3750Switch(config)# mac access-list ext filtermac 
Cat3750Switch(config-ext-macl)# deny host 0000.0000.0001 any
Cat3750Switch(config-ext-macl)# permit any any
Cat3750Switch(config-ext-macl)# exit
Cat3750Switch(config)# int g1/0/40
Cat3750Switch(config-if)# mac access-group filtermac in

In this example, using a Cisco Catalyst 3750 Gigabit Ethernet switch, we created an extended named MAC access control list called filtermac. It denies frames whose source MAC address is 0000.0000.0001 and permits everything else, and we applied it inbound on Gigabit Ethernet interface 1/0/40, so frames from that MAC are dropped at the port regardless of which IP addresses the device uses. One platform caveat: on the Catalyst 3560/3750 family a MAC ACL applied with mac access-group matches only non-IP frames, and IP traffic has to be filtered with an IP ACL, so check your platform's ACL documentation before relying on a port MAC ACL to stop IP packets.

Keep in mind that filtering by MAC address is not a security measure. A MAC address is a claimed identity, not a verified one, and anyone can change it in their operating system (or on a router, as shown above). Use a MAC filter to stop a known misbehaving host quickly, not to keep a determined attacker out.

For more information on MAC address ACLs, check out Cisco's Creating Named MAC Extended ACLs documentation. Do you have a good switch configuration recommendation that you want to share? What other switch topics would you like to see covered in this column? Share your thoughts in this article's discussion.

========================================================================================
ROUTER
What is a router?

A router is like a computer, and is not very different from the PC you use today. The difference is the job it does: a router does packet routing and switching, while a PC does personal computing. In hardware terms it likewise has a CPU, DRAM in which programs run, flash memory in place of a traditional hard disk (mainly used to hold its operating system), and a ROM holding the boot program (on a PC the ROM holds the BIOS, Basic Input Output System; on a router it holds a cut-down version of IOS).

What is IOS? IOS is short for Internetwork Operating System. Its user interface is a traditional text-mode command line (a web interface is also supported, but needs extra software to be installed), just like DOS, the old PC operating system. DOS is short for Disk Operating System and its main job is managing files and disks; IOS is dedicated to internetworking tasks, and that is the only difference. Some people say DOS is hard to learn and use, and many people say the same of IOS. IOS now has more than 2,400 commands, and counting each command's parameters the possible combinations run well past ten thousand.

 

The main job of a router is internetwork packet switching, so it was designed without a keyboard, screen or other input/output devices. All it has is a plain RS-232 interface, through which the router's initial configuration is normally done. This interface is called the Console Port (see Figure 1).

(Figure 1)

 

It connects to an ordinary terminal (or a PC running a terminal emulator; HyperTerm, Telix and NetTerm can all make a PC behave as a terminal). Through the terminal's keyboard the administrator issues commands to the router, and the router returns the results of those commands on the terminal's screen. A router usually has a second RS-232 interface for attaching a modem, called the AUX port. Compared with the console port it has two extra signal lines for modem control but is otherwise identical, so it can also be connected to a terminal and used exactly like the console port. Both ports give direct access to the router's command line, so they need the same login protection as network access; an AUX port with a modem attached is a dial-in path into the device.

 

A router is like a PC that has nothing but network cards, and usually more than one. Higher-end routers can have a hundred or more network interfaces operating and exchanging data at the same time, through so-called modules. More concretely, a PC with several network cards and suitable software can be used as a router. Common router interfaces are Ethernet, Fast Ethernet, Gigabit Ethernet, Token Ring, FDDI, Serial (synchronous and asynchronous), ISDN and ATM; cards for all of these exist for ordinary PCs too. Because a router needs many network interfaces, several are usually built together as a module (a module adds a particular function, so different modules give the router different capabilities and make expansion convenient), and you buy the modules that fit your requirements and plug them into the router. On some routers the modules are fixed and cannot be swapped (see Figure 1): the common 1601, for example, has one fixed high-speed Serial interface and one Ethernet interface that cannot be added to or removed, plus one slot for an expansion module (ISDN, Serial, Ethernet and other modules are available).

 

ROUTER configuration

Before starting you need the following:

1. A working Cisco router (it powers on, boots, and you can enter privileged mode, e.g. the cisco# prompt).

2. The IP range provided by the ISP (e.g. 192.168.1.0/24).

3. The serial 0 link addressing provided by the ISP (e.g. 192.168.2.1/30 at the ISP end).

4. The link protocol specified by the ISP (e.g. HDLC).

Then complete the following settings and the router can get online (first loop-test the physical circuit to confirm it is good).

1. Set the Ethernet IP, which is the gateway for the internal computers.

cisco#configure terminal

cisco(config)#interface ethernet 0

cisco(config-if)#ip address 192.168.1.1 255.255.255.0

2. Set the serial port IP.

cisco#configure terminal

cisco(config)#interface serial 0

cisco(config-if)#ip address 192.168.2.2 255.255.255.252

3. Set the serial port protocol (encapsulation).

cisco#configure terminal

cisco(config)#interface serial 0

cisco(config-if)#encapsulation hdlc

4. Set the routing table (a default route pointing at serial 0).

cisco#configure terminal

cisco(config)#ip route 0.0.0.0 0.0.0.0 serial 0

5. Set the router password (recommended). Note that enable password stores the password in the configuration in clear text (or, with service password-encryption, in the trivially reversible type 7 form); on any IOS that supports it, enable secret stores a hash instead and should be used. The value cisco below is an example only.

cisco#configure terminal

cisco(config)#enable password cisco

6. Set the router access-list (decide according to company requirements; it may be left unset).
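The five configuration steps above pulled together, as an added Python example that is not part of the original tutorial: it validates the ISP-supplied values with the standard ipaddress module (the local serial address must be a free host in the ISP's /30, the LAN gateway must be a host in the routed prefix, the prefix must have no host bits set) and returns the IOS commands to apply in order. Function and parameter names are my own; for step 5 it emits enable secret rather than enable password, because enable secret stores a hash while enable password is kept in clear or reversible type 7 form.

```python
import ipaddress

# Encapsulations this planner accepts for the serial interface; "hdlc" is the
# IOS default and the one the ISP specified in the example above.
ENCAPSULATIONS = ("hdlc", "ppp", "frame-relay")


def plan_wan_config(lan_prefix, isp_serial_ip, local_serial_ip,
                    encapsulation="hdlc", lan_gateway=None, enable_secret=None):
    """Validate the ISP-supplied values and return the IOS commands for steps 1-5.

    lan_prefix      -- the range the ISP routes to you, e.g. "192.168.1.0/24"
    isp_serial_ip   -- the ISP end of the serial link with mask, e.g. "192.168.2.1/30"
    local_serial_ip -- your end of the link; must be a free host in the same /30
    lan_gateway     -- Ethernet address for the inside hosts; default: first host
    enable_secret   -- privileged-mode secret (stored hashed, unlike enable password)
    Raises ValueError on the usual mistakes instead of emitting a config that
    only fails at the ping test.
    """
    lan = ipaddress.ip_network(lan_prefix, strict=True)   # rejects "192.168.1.1/24"
    isp = ipaddress.ip_interface(isp_serial_ip)
    local = ipaddress.ip_address(local_serial_ip)
    link = isp.network                                   # the /30 shared with the ISP

    if local == isp.ip or local not in link.hosts():
        raise ValueError(f"{local} is not a free host address on the ISP link {link}")

    gateway = ipaddress.ip_address(lan_gateway) if lan_gateway else next(lan.hosts())
    if gateway not in lan.hosts():
        raise ValueError(f"gateway {gateway} is not a host address in {lan}")

    encap = encapsulation.lower()
    if encap not in ENCAPSULATIONS:
        raise ValueError(f"unsupported encapsulation {encapsulation!r}")

    commands = [
        "configure terminal",
        # step 1: Ethernet side, the inside hosts' default gateway
        "interface ethernet 0",
        f" ip address {gateway} {lan.netmask}",
        # steps 2 and 3: serial side, address then encapsulation
        "interface serial 0",
        f" ip address {local} {link.netmask}",
        f" encapsulation {encap}",
        "exit",
        # step 4: everything that is not local goes out to the ISP
        "ip route 0.0.0.0 0.0.0.0 serial 0",
    ]
    if enable_secret:
        # step 5: enable secret is hashed in the config; enable password is not
        commands.append(f"enable secret {enable_secret}")
    commands.append("end")
    return commands
```

Called with the tutorial's values, plan_wan_config("192.168.1.0/24", "192.168.2.1/30", "192.168.2.2", "HDLC") reproduces the addresses and masks used in steps 1 to 4; typing 192.168.2.3 (the broadcast address of the /30) or the ISP's own 192.168.2.1 as the local address is caught before it reaches the router.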

With the configuration done, the next question is how to debug.

We can use show commands to inspect the state of each interface, as follows.

Here is the output for the serial 0 port, with the fields explained below marked [1] to [10]:

cisco(boot)#show interfaces serial 0
[1]Serial0 is down, [2]line protocol is down
  Hardware is QUICC Serial
  Internet address is 192.168.2.2/30
  [3]MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, [4]keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     [5]0 packets input, [6]0 bytes, [7]0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants
     [8]0 input errors, 0 CRC, 0 frame, 0 overrun, [9]0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 95 interface resets
     0 output buffer failures, 0 output buffers swapped out
     [10]0 carrier transitions
     DCD=up  DSR=up  DTR=down  RTS=down  CTS=up

1. Whether the interface hardware is up (working) or down (not working).

2. Whether the software process is able to control the line protocol.

3. The configured bandwidth of the interface, used as a reference value by routing protocols when choosing paths.

4. Whether keepalive is set.

5. Total number of error-free packets received by the system.

6. Total number of error-free bytes received by the system.

7. Packets received but discarded because the system ran out of internal buffer space.

8. The sum of runts, giants, no buffer, CRC, frame, overrun and ignored errors.

9. Packets ignored on this interface because the interface hardware ran low on buffers; bursts of noise also increase the ignored counter.

10. The number of times the serial interface's carrier detect (CD) signal changed state.
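Reading the ten fields above mechanically, as an added Python example that is not part of the original tutorial: it parses a constructed copy of the show interfaces serial 0 output above (without the callout numbers, and with 5 interface resets assumed) into a dictionary, then applies the reading rules as a small triage function. For the sample it reports a physical-layer problem, since the hardware is down while the line protocol could not even be tested.

```python
import re

# Constructed sample in the format of the "show interfaces serial 0" output
# above, without the callout numbers; 5 interface resets is assumed.
SHOW_SERIAL = """\
Serial0 is down, line protocol is down
  Hardware is QUICC Serial
  Internet address is 192.168.2.2/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 5 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up  DSR=up  DTR=down  RTS=down  CTS=up
"""

_STATUS = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)", re.M)   # fields 1, 2
_ENCAP = re.compile(r"Encapsulation (\S+),")
_KEEPALIVE = re.compile(r"keepalive (set \((\d+) sec\)|not set)")        # field 4
_SIGNALS = re.compile(r"\b(DCD|DSR|DTR|RTS|CTS)=(up|down)")
_COUNTERS = {                                                             # fields 5-10
    "packets_input": r"(\d+) packets input",
    "no_buffer": r"(\d+) no buffer",
    "runts": r"(\d+) runts",
    "giants": r"(\d+) giants",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame",
    "overrun": r"(\d+) overrun",
    "ignored": r"(\d+) ignored",
    "interface_resets": r"(\d+) interface resets",
    "carrier_transitions": r"(\d+) carrier transitions",
}


def parse_serial(output):
    """Turn one interface's 'show interfaces' text into a dictionary."""
    status = _STATUS.search(output)
    if not status:
        raise ValueError("no interface status line found")
    info = {"name": status.group(1), "hardware": status.group(2), "protocol": status.group(3)}
    for key, pattern in _COUNTERS.items():
        c = re.search(pattern, output)
        info[key] = int(c.group(1)) if c else None
    e = _ENCAP.search(output)
    info["encapsulation"] = e.group(1) if e else None
    k = _KEEPALIVE.search(output)
    info["keepalive"] = bool(k and k.group(2))
    info["signals"] = dict(_SIGNALS.findall(output))
    return info


def diagnose(info):
    """Apply the field-reading rules above; returns a list of findings."""
    findings = []
    sig = info["signals"]
    if info["hardware"] == "administratively down":
        findings.append("interface is shut down: apply 'no shutdown' before anything else")
    elif info["hardware"] != "up":
        # field 1: hardware down is a physical-layer problem whatever else shows
        carrier = "no carrier (DCD=down)" if sig.get("DCD") == "down" else "carrier present (DCD=up)"
        findings.append(f"hardware down with {carrier}: physical layer, loop test the "
                        "circuit and check cable and CSU/DSU")
        if sig.get("DTR") == "down":
            findings.append("DTR is down: the router is not raising its own control lead, "
                            "so check the interface itself, not only the line")
    elif info["protocol"] != "up":
        # field 2: hardware up but protocol down is a layer-2 mismatch with the far end
        ka = "set" if info["keepalive"] else "not set"
        findings.append(f"line up but protocol down: verify encapsulation "
                        f"{info['encapsulation']} and keepalive ({ka}) against the far end")
    # fields 5, 8, 9: input quality
    if info["packets_input"] and info["crc"] and info["crc"] * 100 > info["packets_input"]:
        findings.append("more than 1% of received packets failed CRC: noisy or faulty line")
    if info["ignored"]:
        findings.append("ignored packets: interface hardware ran out of buffers, check for noise bursts")
    # field 10: carrier detect flapping
    if info["carrier_transitions"]:
        findings.append(f"{info['carrier_transitions']} carrier transitions: CD is flapping, "
                        "report the circuit to the carrier")
    return findings
```

The rules are deliberately ordered: a hardware-down interface gets the physical-layer finding only, because keepalive and encapsulation cannot be judged until the line is up, which matches the order in which fields 1 and 2 are read.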

You can also use ping to confirm that the link to the far end is up, as follows:

cisco#ping 192.168.2.1

 

In general, once the Ethernet and serial IP addresses, the routing table and the serial protocol are configured, the two ends should be able to reach each other. If there are still connection problems, a few debugging commands such as those above should reveal where the problem lies.

 

 

Cisco administration 101: Understanding Ethernet MAC addresses
by David Davis CCIE, MCSE+I, SCSA | Oct 12, 2006 8:43:00 PM

Takeaway: While you're probably familiar with Ethernet MAC addresses, how much do you know about working with them in the Cisco IOS? In this edition of Cisco Routers and Switches, David Davis tells you how to determine the MAC address, change it, and use it to filter traffic.

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.