Tuesday, May 24, 2011

IP DHCP Snooping + IP Source Guard + ARP Inspection (DAI)

IP DHCP Snooping on VLAN1
config:
(conf)#ip dhcp snooping
(conf)#ip dhcp snooping vlan 1
(conf)#ip dhcp snooping database flash:dhcp-snooping
(Write the binding table to flash so it survives a reload; otherwise every IP Source Guard / DAI check below starts from an empty table after a reboot and hosts that already hold a lease are blocked until they renew)
(conf)#ip dhcp snooping information option
(Option 82 insertion is on by default; if the DHCP server or relay does not accept option 82 with giaddr 0.0.0.0, clients stop receiving leases and you need "no ip dhcp snooping information option" instead)

(Enable snooping trust on the interface facing the DHCP server; trunks/uplinks towards the server must be trusted as well, or its OFFER/ACK is dropped as if it came from a rogue server)
(conf-int)#ip dhcp snooping trust

(Enable the snooping rate limit on client-facing interfaces; exceeding it err-disables the port with cause dhcp-rate-limit)
(conf-int)#ip dhcp snooping limit rate 100

IP Source Guard + DHCP IP binding check
config:
(conf-int)#switchport mode access
(conf-int)#switchport access vlan 1
(conf-int)#ip verify source
(Filters on source IP only, against the DHCP snooping bindings for this port and VLAN; the source MAC is not checked)

IP Source Guard + DHCP IP & MAC address binding check
config:
(conf-int)#switchport mode access
(conf-int)#switchport access vlan 1
(conf-int)#switchport port-security
(conf-int)#ip verify source port-security
(IP+MAC filtering needs port security enabled on the same interface; without it only the IP part is enforced and the Mac-address column of "show ip verify source" shows permit-all)

IP Source Guard static + IP & MAC address & interface binding check
config:
(conf)#ip source binding 001d.7286.48ac vlan 1 192.168.168.20 interface gigabitethernet 0/10
(For hosts with fixed addresses that never use DHCP; the interface is Gi0/10 to match the static binding shown in the output below. A static binding is also what DAI falls back to for such hosts when they have no ARP ACL entry)

show:
--Static and dynamic bindings
(Shows the bindings learned by DHCP Snooping and the static IP Source bindings)
#show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1D:72:86:48:AC   192.168.168.20   infinite    static         1     GE 0/10
00:04:76:C6:A0:03   192.168.168.22   683222      dhcp-snooping  1     GE 0/5
00:04:76:AB:EC:6C   192.168.168.23   684066      dhcp-snooping  1     GE 0/6
00:04:76:9C:CA:46   192.168.168.21   683080      dhcp-snooping  1     GE 0/7
Total number of bindings: 4

#show ip verify source
(Shows per interface whether IP Source Guard is enforcing and what it currently permits)
Interface  Filter-type  Filter-mode                IP-address       Mac-address        Vlan
---------  -----------  -------------------------  ---------------  -----------------  ----
Gi0/5      ip           inactive-no-snooping-vlan
Gi0/6      ip           inactive-no-snooping-vlan
Gi0/7      ip           active                     permit-all                          1
Gi0/8      ip           active                     deny-all                            1
Gi0/9      ip-mac       inactive-no-snooping-vlan
Gi0/10     ip-mac       active                     192.168.168.20   permit-all         1
Gi0/11     ip-mac       active                     deny-all         deny-all           1
Gi0/12     ip-mac       inactive-no-snooping-vlan
(inactive-no-snooping-vlan: the port's access VLAN has no DHCP snooping, so nothing is filtered on it. deny-all: the filter is active but no binding exists yet, so all traffic from the port is dropped until the host obtains a lease or a static binding is added. permit-all in the Mac-address column: the MAC is not checked because port security is not active on that port)

IP ARP Inspection (DAI)
config:
(conf)#ip arp inspection vlan 1
(conf)#ip arp inspection validate src-mac dst-mac ip
(src-mac: the Ethernet source MAC must equal the ARP sender MAC; dst-mac: the Ethernet destination must equal the ARP target MAC in replies; ip: drops 0.0.0.0, 255.255.255.255 and multicast sender/target addresses)

(Enable ARP Inspection trust on interfaces facing other switches and the DHCP server; ARP from a trusted port is not validated at all, so client ports stay untrusted)
(conf-int)#ip arp inspection trust

(Enable the ARP Inspection rate limit on client-facing interfaces; the default on untrusted ports is 15 pps and exceeding it err-disables the port)
(conf-int)#ip arp inspection limit rate 100

(Create the global ARP Inspection ACL whitelist for hosts with static addresses, then apply it to the VLAN)
(conf)#arp access-list white-list
(conf-arp-nacl)#permit ip host 192.168.168.20 mac host 001d.7286.48ac
(conf)#ip arp inspection filter white-list vlan 1
(The ACL is checked before the DHCP snooping bindings. Without the "static" keyword an ARP packet that matches no ACL entry falls through to the binding table; with "ip arp inspection filter white-list vlan 1 static" the ACL's implicit deny is final and only ACL entries are allowed. The "Static ACL" column in the show output below tells you which mode is in use)

(Set automatic recovery of interfaces in the errdisable state)
(conf)#errdisable recovery cause arp-inspection
(conf)#errdisable recovery interval 30
(The DHCP snooping rate limit has its own cause, dhcp-rate-limit, which the output below still shows as Disabled; add "errdisable recovery cause dhcp-rate-limit" if those ports should recover automatically too)
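The IP Source Guard and ARP Inspection sections above list the commands but not the decision the switch actually makes for each frame. The following is an added example (not code from the original page, and not Cisco's implementation) that models that decision in Python: BINDINGS is the table from the "show ip source binding" output, ARP_ACL is the white-list ACL above, and the frames fed in at the bottom are constructed test inputs. It shows the difference between the "ip" and "ip-mac" filter types, and what the "static" keyword on the ARP ACL filter changes.

```python
# Added example, not from the original page: a small model of the permit/deny
# decision that IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI) make for
# a frame arriving on an untrusted access port. BINDINGS is the table from the
# "show ip source binding" output above, ARP_ACL is the "white-list" ACL above;
# the frames fed in at the bottom are constructed test inputs.
from dataclasses import dataclass
import ipaddress


def norm_mac(mac: str) -> str:
    """Normalise any MAC spelling (00:1D:72:86:48:AC, 001d.7286.48ac) to IOS dotted form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


# Static entry on Gi0/10, the other three learned by DHCP snooping (see the show output above).
BINDINGS = [
    Binding("001d.7286.48ac", "192.168.168.20", 1, "Gi0/10"),
    Binding("0004.76c6.a003", "192.168.168.22", 1, "Gi0/5"),
    Binding("0004.76ab.ec6c", "192.168.168.23", 1, "Gi0/6"),
    Binding("0004.769c.ca46", "192.168.168.21", 1, "Gi0/7"),
]

# "permit ip host 192.168.168.20 mac host 001d.7286.48ac" as (sender IP, sender MAC).
ARP_ACL = [("192.168.168.20", "001d.7286.48ac")]


def ipsg_permit(bindings, interface, vlan, src_ip, src_mac, filter_type="ip"):
    """'ip verify source' (filter_type="ip") permits a frame only if a binding for
    (interface, vlan, source IP) exists; 'ip verify source port-security'
    (filter_type="ip-mac") additionally requires the source MAC to match it."""
    if filter_type not in ("ip", "ip-mac"):
        raise ValueError(filter_type)
    mac = norm_mac(src_mac)
    for b in bindings:
        if b.interface == interface and b.vlan == vlan and b.ip == src_ip:
            return filter_type == "ip" or b.mac == mac
    return False  # no binding for this port: dropped (the "deny-all" state)


def dai_permit(bindings, arp_acl, vlan, eth_src, sender_ip, sender_mac, acl_static=False):
    """DAI on an untrusted port with 'validate src-mac ip': the Ethernet source MAC
    must equal the ARP sender MAC and the sender IP must be a plausible unicast
    address; then the ARP ACL is consulted first and the DHCP snooping bindings
    only when the ACL did not match and the filter was applied without 'static'."""
    mac = norm_mac(sender_mac)
    if norm_mac(eth_src) != mac:
        return False  # validate src-mac
    ip = ipaddress.ip_address(sender_ip)
    if ip.is_unspecified or ip.is_multicast or sender_ip == "255.255.255.255":
        return False  # validate ip
    if (sender_ip, mac) in arp_acl:
        return True  # explicit permit in the ARP ACL wins
    if acl_static:
        return False  # the ACL's implicit deny is final
    return any(b.vlan == vlan and b.ip == sender_ip and b.mac == mac for b in bindings)


if __name__ == "__main__":
    # Constructed frames: the legitimate host on Gi0/10, and a host on Gi0/5 spoofing its IP.
    print(ipsg_permit(BINDINGS, "Gi0/10", 1, "192.168.168.20", "00:1D:72:86:48:AC", "ip-mac"))
    print(ipsg_permit(BINDINGS, "Gi0/5", 1, "192.168.168.20", "00:04:76:C6:A0:03", "ip"))
    # A gratuitous ARP for .21 from its real owner passes via the bindings, but not with a static ACL.
    print(dai_permit(BINDINGS, ARP_ACL, 1, "00:04:76:9C:CA:46", "192.168.168.21", "00:04:76:9C:CA:46"))
    print(dai_permit(BINDINGS, ARP_ACL, 1, "00:04:76:9C:CA:46", "192.168.168.21", "00:04:76:9C:CA:46", acl_static=True))
```

The point worth taking from the model: with "ip verify source" a host can still send frames with a forged source MAC as long as the IP is its own, and with the ARP ACL applied "static" every host that only has a DHCP binding (Gi0/5 to Gi0/7 above) loses ARP until it is added to the ACL.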

show:
#show ip arp inspection vlan 1
(Shows the ARP Inspection settings for the VLAN)
Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled

Vlan     Configuration    Operation   ACL Match          Static ACL
----     -------------    ---------   ---------          ----------
   1     Disabled         active      white-list         No

Vlan     ACL Logging      DHCP Logging      Probe Logging
----     -----------      ------------      -------------
   1     Deny             Deny              Off

#show ip arp inspection interfaces
(Shows the trust state and the ARP rate allowed on each interface)
Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Gi0/9            Untrusted               15                 1
Gi0/10           Untrusted               15                 1
Gi0/11           Untrusted               15                 1
Gi0/12           Untrusted               15                 1
Gi0/13           Untrusted              100                 1
Gi0/14           Untrusted              100                 1
Gi0/15           Untrusted              100                 1
Gi0/16           Untrusted              100                 1
Gi0/17           Untrusted               15                 1
Gi0/18           Trusted               None               N/A
Gi0/19           Untrusted               15                 1
Gi0/20           Untrusted               15                 1

#show errdisable recovery
(Shows which errdisable causes recover automatically, and the recovery timer)
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Enabled
bpduguard                    Disabled
channel-misconfig            Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
link-flap                    Disabled
mac-limit                    Disabled
loopback                     Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
psecure-violation            Disabled
security-violation           Disabled
sfp-config-mismatch          Disabled
small-frame                  Disabled
storm-control                Disabled
udld                         Disabled
vmps                         Disabled

Timer interval: 30 seconds

#sh interfaces status err-disabled
(Shows the interfaces currently in the errdisable state and the reason)
Port      Name               Status       Reason               Err-disabled Vlans
Gi0/14                       err-disabled arp-inspection
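Reading the "show ip verify source" and "show ip arp inspection interfaces" tables by eye works for one switch; for a fleet you want the same check scripted. The following is an added example (not code from the original page) that parses the two outputs shown above and lists the ports where IP Source Guard is not actually enforcing, where it is dropping everything, where the MAC check is silently off, and where DAI is trusted or running with a raised rate limit. The sample text is copied from the page; the 15 pps threshold is the Cisco default for untrusted DAI ports, and the finding wording is mine.

```python
# Added example, not from the original page: parse the "show ip verify source" and
# "show ip arp inspection interfaces" output above and list the ports on which the
# protection is not actually in force or deserves a second look. The two sample
# texts are the outputs shown on this page; the 15 pps threshold is the Cisco default
# for untrusted DAI ports, and the finding wording is mine.
import re

SHOW_IP_VERIFY_SOURCE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/5      ip           inactive-no-snooping-vlan
Gi0/6      ip           inactive-no-snooping-vlan
Gi0/7      ip           active       permit-all                          1
Gi0/8      ip           active       deny-all                            1
Gi0/9      ip-mac       inactive-no-snooping-vlan
Gi0/10     ip-mac       active       192.168.168.20   permit-all         1
Gi0/11     ip-mac       active       deny-all         deny-all           1
Gi0/12     ip-mac       inactive-no-snooping-vlan
"""

SHOW_DAI_INTERFACES = """\
 Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Gi0/9            Untrusted               15                 1
Gi0/10           Untrusted               15                 1
Gi0/11           Untrusted               15                 1
Gi0/12           Untrusted               15                 1
Gi0/13           Untrusted              100                 1
Gi0/14           Untrusted              100                 1
Gi0/15           Untrusted              100                 1
Gi0/16           Untrusted              100                 1
Gi0/17           Untrusted               15                 1
Gi0/18           Trusted               None               N/A
Gi0/19           Untrusted               15                 1
Gi0/20           Untrusted               15                 1
"""

VERIFY_ROW = re.compile(r"^(\S+)\s+(ip|ip-mac)\s+(\S+)(.*)$")
DAI_ROW = re.compile(r"^(\S+)\s+(Trusted|Untrusted)\s+(\S+)\s+(\S+)$")


def parse_verify_source(text):
    """One dict per interface row; 'rest' holds the IP/MAC/VLAN columns, which vary by mode."""
    rows = []
    for line in text.splitlines():
        m = VERIFY_ROW.match(line.strip())
        if m:
            iface, ftype, mode, rest = m.groups()
            rows.append({"interface": iface, "filter_type": ftype, "mode": mode, "rest": rest.split()})
    return rows


def parse_dai_interfaces(text):
    """One dict per interface row; rate is None on trusted ports (shown as 'None')."""
    rows = []
    for line in text.splitlines():
        m = DAI_ROW.match(line.strip())
        if m:
            iface, trust, rate, _burst = m.groups()
            rows.append({"interface": iface, "trusted": trust == "Trusted",
                         "rate": None if rate == "None" else int(rate)})
    return rows


def audit(verify_text, dai_text, default_rate=15):
    """Return (interface, finding) pairs worth checking before calling the VLAN protected."""
    findings = []
    for r in parse_verify_source(verify_text):
        if r["mode"] != "active":
            findings.append((r["interface"], f"IPSG not enforcing ({r['mode']}): access VLAN has no DHCP snooping"))
        elif "deny-all" in r["rest"]:
            findings.append((r["interface"], "IPSG active but no binding: all traffic from this port is dropped"))
        elif r["filter_type"] == "ip-mac" and r["rest"][1:2] == ["permit-all"]:
            findings.append((r["interface"], "ip-mac filter but MAC is permit-all: port security not active here"))
    for r in parse_dai_interfaces(dai_text):
        if r["trusted"]:
            findings.append((r["interface"], "DAI trusted: ARP from this port is never validated, confirm it is an uplink"))
        elif r["rate"] is not None and r["rate"] > default_rate:
            findings.append((r["interface"], f"DAI rate limit raised to {r['rate']} pps (default {default_rate})"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit(SHOW_IP_VERIFY_SOURCE, SHOW_DAI_INTERFACES):
        print(f"{iface:8} {msg}")
```

Run against the page's own output it reports twelve items, including the four ports whose VLAN has no snooping (the filter is configured but does nothing there) and the single trusted DAI port, Gi0/18, which should be the uplink and nothing else.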

Tuesday, May 17, 2011

Cisco device config tracking, archive & rollback

tracking config:
(conf)#archive
(conf-archive)#path flash:/rollback (location and name prefix of the rollback archives)
(conf-archive)#write-memory (optional: also take an archive every time the config is saved)
(conf-archive)#log config (enable tracking of running-config changes)
(conf-archive-log-config)#logging enable (turn on the configuration change audit log)
(conf-archive-log-config)#logging size 500 (default is 100 entries; raise it to 500)
(conf-archive-log-config)#hidekeys (hide password fields in the audit log)
(conf-archive-log-config)#notify syslog (optional: also send each logged change to the syslog server)
(conf)#logging host 10.10.10.10 (optional: the syslog host the changes are sent to)
(The audit log is kept in memory and is gone after a reload; "notify syslog" to a remote host is what gives you a record that someone with access to the box cannot erase)

show:
#show archive log config all (shows every configuration command that was entered, grouped by session)
idx   sess           user@line      Logged command
    1     1        console@console  |  logging enable
    2     1        console@console  |  logging size 500
    3     1        console@console  |  hidekeys
    4     1        console@console  |  notify syslog
    5     4        console@console  |router ospf 1
    6     4        console@console  | network 1.1.1.1 0.0.0.0 area 0
    7     5        console@console  |archive
    8     5        console@console  | log config
    9     5        console@console  |  no notify syslog
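The audit log above is only useful if someone reads it, and the entry most worth catching is the one in session 5, where syslog notification of changes was turned off. The following is an added example (not code from the original page) that parses "show archive log config all" output into per-session command lists, reconstructs the submode nesting from the indentation after the "|", and flags commands that weaken the change audit itself. The sample log is the one shown above; the list of commands treated as "weakening" is my own choice and can be extended.

```python
# Added example, not from the original page: parse "show archive log config all"
# into per-session command lists and flag changes that weaken the change audit
# itself (turning off logging, syslog notification or password hiding). The sample
# log is the output shown above; WEAKENING is my own list of commands to flag.
import re
from collections import defaultdict

SAMPLE_LOG = """\
idx   sess           user@line      Logged command
    1     1        console@console  |  logging enable
    2     1        console@console  |  logging size 500
    3     1        console@console  |  hidekeys
    4     1        console@console  |  notify syslog
    5     4        console@console  |router ospf 1
    6     4        console@console  | network 1.1.1.1 0.0.0.0 area 0
    7     5        console@console  |archive
    8     5        console@console  | log config
    9     5        console@console  |  no notify syslog
"""

# idx, session, user@line, then everything after the "|" (leading spaces = submode depth).
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+\|(.*)$")
WEAKENING = re.compile(r"^no (logging enable|notify syslog|hidekeys|log config|archive)$")


def parse_archive_log(text):
    """One dict per logged command; depth is the submode nesting IOS shows as indentation."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or blank line
        idx, sess, user, cmd = m.groups()
        depth = len(cmd) - len(cmd.lstrip(" "))
        entries.append({"idx": int(idx), "sess": int(sess), "user": user,
                        "depth": depth, "cmd": cmd.strip()})
    return entries


def sessions(entries):
    """Group entries by configuration session, preserving command order."""
    by_sess = defaultdict(list)
    for e in entries:
        by_sess[e["sess"]].append(e)
    return dict(by_sess)


def weakening_changes(entries):
    """(session, user@line, command) for every command that reduces the audit trail."""
    return [(e["sess"], e["user"], e["cmd"]) for e in entries if WEAKENING.match(e["cmd"])]


def render(entries):
    """Re-indent the commands the way they would appear in the running-config."""
    return "\n".join(" " * e["depth"] + e["cmd"] for e in entries)


if __name__ == "__main__":
    log = parse_archive_log(SAMPLE_LOG)
    for sess, cmds in sessions(log).items():
        print(f"--- session {sess} ({cmds[0]['user']})")
        print(render(cmds))
    for sess, user, cmd in weakening_changes(log):
        print(f"ALERT: session {sess} by {user} ran '{cmd}'")
```

If "notify syslog" is in use, the same regular expression can be pointed at the syslog server's copy instead, which is the one that still exists after the switch is reloaded or the in-memory log is cleared.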


archive & rollback config:
#archive config (archive the current running-config as a new rollback point)
#show archive (list the rollback points available)
#more flash:/rollback-1 (display the content of a rollback point)
#configure replace flash:/rollback-1 (replace the running-config with that rollback point; this is a diff-based replace, not a merge, so commands absent from the archive are removed. It asks for confirmation; "configure replace flash:/rollback-1 list" shows the commands it applies, and "configure replace flash:/rollback-1 time 120" reverts automatically unless "configure confirm" is entered within 120 seconds, which protects you from locking yourself out of a remote box)

show:
#show archive (list the rollback points)
There are currently 6 archive configurations saved.
The next archive file will be named flash:/rollback-6
Archive #  Name
   0       
   1       flash:/rollback-1
   2       flash:/rollback-2
   3       flash:/rollback-3
   4       flash:/rollback-4
   5       flash:/rollback-5 <- Most Recent

#show archive config differences (compare startup-config with running-config and show the differences)
Contextual Config Diffs:
router ospf 1
+network 5.5.5.5 0.0.0.0 area 0
router ospf 1
-network 7.7.7.7 0.0.0.0 area 0
-network 8.8.8.8 0.0.0.0 area 0

#show archive config incremental-diffs flash:rollback-6
(compare the running-config with a rollback point and show the differences)
!List of Commands:
end
!No changes were found

#more flash:/rollback-1 (display the content of a rollback point)
(the archived running-config)

Cisco Switch save logging message in flash

When a device has a problem, IT staff usually need to connect to it and look at the most recent event messages, but if the device reboots (by itself or by hand) those messages are gone, because the logging buffer lives in RAM. The command below keeps a copy of the log in flash, so the events leading up to a reboot can still be read afterwards.

config:
(conf)#logging file <location> <max-file-size> <severity>

example:
(conf)#logging file flash:/syslog 4096 debugging
(4096 bytes is the smallest size the command accepts and holds only a handful of messages; for a useful history use something larger, e.g. 524288. "debugging" keeps every severity, which is what you want here. Once the file reaches the maximum size the oldest messages are discarded, so copy it off the box if you need a longer record)

show:
#more flash:/syslog (display the logging messages stored in flash)