forum.opennet.ru

Составление сообщения

Исходное сообщение

"cisco 2620xm + Catalyst 3550 + vlan + routing"
Отправлено sui245, 21-Июн-06 11:18

>Конфигурация сети такова: пограничный маршрутизатор Cisco 2620XM, к нему транком подключён Cisco
>Catalyst 3550 Switch, к каталисту соотвественно оконечные хосты (dsl-клиенты, dial-up, сервера,
>и т. д.). Привожу конфиги с обоих.
>Звездочки в ай-пи-адресах - означает внешняя подсеть.
>
>Cisco 2620XM:
>-----------------------------------------------------------------------------
>version 12.4
>no service pad
>service timestamps debug datetime msec
>service timestamps log datetime msec
>service password-encryption
>no service dhcp
>!
>hostname domain-main-gw
>!
>boot-start-marker
>boot system flash c2600-ipbasek9-mz.124-8.bin
>boot-end-marker
>!
>logging buffered 32768 informational
>no logging console
>enable secret 5 ***********************************
>enable password 7 ********************************
>!
>no aaa new-model
>!
>resource policy
>!
>clock timezone *** 8
>no network-clock-participate slot 1
>no network-clock-participate wic 0
>no ip source-route
>ip cef
>!
>!
>!
>!
>no ip bootp server
>ip domain list domain.ru
>no ip domain lookup
>ip domain name domain.ru
>ip name-server *.*.116.1
>ip name-server *.*.125.3
>ip accounting-list 0.0.0.2 255.255.255.252
>ip accounting-list 0.0.0.0 255.255.255.0
>ip rcmd rsh-enable
>ip rcmd remote-host root 192.168.168.2 root enable
>ip rcmd remote-host billing 192.168.168.2 billing enable
>!
>!
>!
>username bob password 7 *******************
>!
>!
>class-map match-any http-hacks
> match protocol http url "*default.ida*"
> match protocol http url "*x.ida*"
> match protocol http url "*cmd.exe*"
> match protocol http url "*root.exe*"
>!
>!
>policy-map mark-inbound-http-hacks
> class http-hacks
>  set ip dscp 1
>!
>!
>!
>interface Loopback0
> no ip address
> no ip redirects
> no ip unreachables
> no ip proxy-arp
>!
>interface FastEthernet0/0
> no ip address
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> duplex auto
> speed auto
>!
>interface FastEthernet0/0.1
> encapsulation dot1Q 1 native
> ip nat inside
>!
>interface FastEthernet0/0.10
> encapsulation dot1Q 10
> ip address 192.168.0.100 255.255.255.0 secondary
> ip address *.*.125.1 255.255.255.0
> ip access-group eth in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat inside
>!
>interface FastEthernet0/0.20
> encapsulation dot1Q 20
> ip address 192.168.168.1 255.255.255.0
> ip nat inside
>!
>interface FastEthernet0/0.30
> encapsulation dot1Q 30
> ip address 10.10.1.1 255.255.255.0
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat inside
>!
>interface FastEthernet0/0.40
> encapsulation dot1Q 40
> ip address 10.10.2.1 255.255.255.0
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat inside
>!
>interface Serial0/0
> bandwidth 2048
> ip address *.*.96.218 255.255.255.252
> ip access-group in_block in
> ip access-group out_block out
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat outside
> rate-limit input access-group 147 128000 8000 8000 conform-action transmit exceed-action drop
>
> rate-limit input access-group 146 64000 8000 8000 conform-action transmit exceed-action drop
>
> no logging event link-status
> no fair-queue
> service-policy input mark-inbound-http-hacks
>!
>interface Serial0/1
> ip address *.*.96.218 255.255.255.252
> shutdown
>!
>ip route 0.0.0.0 0.0.0.0 *.*.96.217
>ip flow-export source FastEthernet0/0.10
>ip flow-export version 9
>ip flow-export destination *.*.125.13 9001
>!
>no ip http server
>no ip http secure-server
>ip nat inside source list 1 interface Serial0/0 overload
>ip nat inside source static 10.10.1.33 *.*.125.99 extendable
>ip nat inside source static 10.10.2.37 *.*.125.199 extendable
>ip nat inside source static 10.10.1.45 *.*.125.200 extendable
>ip nat inside source static 10.10.2.38 *.*.125.201 extendable
>!
>ip access-list standard eth
> permit *.*.125.199
> permit *.*.125.200
> permit *.*.125.201
> permit *.*.125.30
> permit *.*.125.1
> permit *.*.125.2
> permit *.*.125.3
> permit *.*.125.4
> permit *.*.125.5
> permit *.*.125.6
> permit *.*.125.7
> permit *.*.125.8
> permit *.*.125.9
> permit *.*.125.10
> permit *.*.125.11
> permit *.*.125.12
> permit *.*.125.13
> permit *.*.125.14
> permit *.*.125.45
> permit *.*.125.120
> permit *.*.125.99
> permit 10.0.0.0 0.255.255.255
> permit 192.0.0.0 0.255.255.255
>!
>ip access-list extended in_block
> deny   ip 10.0.0.0 0.255.255.255 any
> deny   ip 127.0.0.0 0.255.255.255 any
> deny   ip 172.16.0.0 0.15.255.255 any
> deny   ip 192.168.0.0 0.0.255.255 any
> deny   udp any any range netbios-ns netbios-ss log
> deny   tcp any any range 135 139 log
> deny   tcp any any eq 445 log
> deny   udp any any eq 31337 log
> deny   udp any any eq 22 log
> deny   tcp any any range exec lpd log
> deny   udp any any eq sunrpc log
> deny   tcp any any eq sunrpc log
> deny   udp any any eq xdmcp log
> deny   tcp any any eq 177 log
> deny   tcp any any range 6000 6063 log
> deny   udp any any range 6000 6063 log
> deny   udp any any range biff syslog log
> deny   tcp any any eq 11 log
> deny   udp any any eq tftp log
> deny   udp any any range snmp snmptrap log
> permit ip any any
> deny   ip host 10.10.10.254 any
> deny   ip host 10.10.1.254 any
>ip access-list extended out_block
> permit ip any any
>!
>logging facility local6
>logging source-interface FastEthernet0/0.10
>logging *.*.125.3
>access-list 1 permit 192.168.0.101
>access-list 1 permit 10.10.2.31
>access-list 1 permit 10.10.1.31
>access-list 1 permit 10.10.1.33
>access-list 1 permit 10.10.2.34
>access-list 1 permit 10.10.1.32
>access-list 1 permit 10.10.2.35
>access-list 1 permit 10.10.1.35
>access-list 1 permit 10.10.2.32
>access-list 1 permit 10.10.2.33
>access-list 1 permit 10.10.1.34
>access-list 1 permit 10.10.2.38
>access-list 1 permit 10.10.1.37
>access-list 1 permit 10.10.1.36
>access-list 1 permit 10.10.2.36
>access-list 1 permit 10.10.1.38
>access-list 1 permit 10.10.2.37
>access-list 1 permit 10.10.1.41
>access-list 1 permit 10.10.2.42
>access-list 1 permit 10.10.2.43
>access-list 1 permit 10.10.1.43
>access-list 1 permit 10.10.1.42
>access-list 1 permit 10.10.2.41
>access-list 1 permit 10.10.2.46
>access-list 1 permit 10.10.1.45
>access-list 1 permit 10.10.1.44
>access-list 1 permit 10.10.1.47
>access-list 1 permit 10.10.2.44
>access-list 1 permit 10.10.1.46
>access-list 1 permit 10.10.2.45
>access-list 1 permit 10.10.1.48
>access-list 1 permit 10.10.1.51
>access-list 1 permit 10.10.2.48
>access-list 1 permit 10.10.1.53
>access-list 1 permit 10.10.1.52
>access-list 1 permit 192.168.0.8
>access-list 1 deny   192.168.0.31
>access-list 1 permit 192.168.168.10
>access-list 2 deny   10.0.0.0 0.255.255.255
>access-list 2 permit any
>access-list 100 permit ip host 192.168.0.8 any
>access-list 100 deny   ip 192.168.0.0 0.0.0.255 any
>access-list 101 deny   ip host 192.168.0.31 any
>access-list 101 deny   ip host 192.168.0.8 any
>access-list 101 permit ip 192.168.0.0 0.0.0.255 any
>access-list 145 permit ip any host *.*.125.5
>access-list 146 permit ip any host *.*.125.8
>access-list 147 permit ip any host *.*.125.7
>snmp-server community technology RO
>snmp-server community trap_style RW
>snmp-server enable traps tty
>route-map 1 permit 10
>!
>route-map forced-proxy permit 10
> match ip address 101
> set ip next-hop *.*.125.3
>!
>!
>control-plane
>!
>!
>line con 0
> login local
>line aux 0
> login local
>line vty 0
> login local
>line vty 1
> login local
> transport input telnet
>line vty 2 4
> login local
>line vty 5 10
> login local
> rotary 1
> transport input pad telnet rlogin mop udptn v120
>line vty 11 15
> login local
>!
>ntp clock-period 17246762
>ntp server *.*.
>125.2
>!
>end
>-----------------------------------------------------------------------------
>
>Cisco Catalyst 3550:
>-----------------------------------------------------------------------------
>
>version 12.2
>no service pad
>service timestamps debug uptime
>service timestamps log uptime
>service password-encryption
>!
>hostname domain-main-switch
>!
>enable secret 5 ***************************
>enable password 7 *******************************
>!
>username bob password 7 *************************
>no aaa new-model
>clock timezone **** 8
>ip subnet-zero
>no ip source-route
>ip host-routing
>!
>ip domain-name domain.ru
>!
>no file verify auto
>spanning-tree mode pvst
>spanning-tree extend system-id
>!
>!
>!
>vlan internal allocation policy ascending
>!
>!
>interface FastEthernet0/1
> description Trunk link to Cisco 2620XM
> switchport trunk encapsulation dot1q
> switchport mode trunk
> no logging event link-status
> spanning-tree portfast
>!
>interface FastEthernet0/2
> description LAN
> switchport access vlan 10
> switchport mode access
> no logging event link-status
>!
>interface FastEthernet0/3
> description AS5350 Dial-Up
> switchport access vlan 10
> switchport mode dynamic desirable
> no logging event link-status
> spanning-tree portfast
>!
>interface FastEthernet0/4
> switchport access vlan 10
> switchport mode access
> no logging event link-status
> spanning-tree portfast
>!
>interface FastEthernet0/5
> switchport access vlan 10
> switchport mode access
> no logging event link-status
>!
>interface FastEthernet0/6
> switchport access vlan 10
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/7
> switchport access vlan 20
> switchport mode dynamic desirable
> no logging event link-status
> spanning-tree portfast
>!
>interface FastEthernet0/8
> switchport access vlan 10
> switchport mode dynamic desirable
> no logging event link-status
> spanning-tree portfast
>!
>interface FastEthernet0/9
> switchport access vlan 10
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/10
> switchport access vlan 20
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/11
> switchport access vlan 10
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/12
> switchport access vlan 40
> switchport mode dynamic desirable
> no logging event link-status
> spanning-tree portfast
>!
>interface FastEthernet0/13
> description DSLAM ZYXEL ADSL_1
> switchport access vlan 30
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/14
> description DSLAM ZYXEL ADSL_2
> switchport access vlan 40
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/15
> description DSLAM ZYXEL ADSL_3
> switchport access vlan 30
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/16
> description DSLAM ZYXEL ADSL_4
> switchport access vlan 40
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/17
> switchport access vlan 30
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/18
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/19
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/20
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/21
> switchport access vlan 10
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/22
> description Cisco AS5350 120 lines
> switchport access vlan 10
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/23
> description DSLAM ZYXEL ADSL_5
> switchport access vlan 30
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/24
> description Trunk link to Catalyst2950
> switchport trunk encapsulation dot1q
> switchport mode trunk
> switchport nonegotiate
> no logging event link-status
> shutdown
>!
>interface GigabitEthernet0/1
> switchport access vlan 10
> switchport mode access
> no logging event link-status
>!
>interface GigabitEthernet0/2
> switchport mode dynamic desirable
> no logging event link-status
> shutdown
>!
>interface Vlan1
> no ip address
> no ip route-cache
> shutdown
>!
>interface Vlan10
> ip address 192.168.0.163 255.255.255.0
> no ip route-cache
>!
>interface Vlan20
> no ip address
> no ip route-cache
>!
>interface Vlan30
> no ip address
> no ip route-cache
>!
>interface Vlan40
> no ip address
> no ip route-cache
>!
>ip default-gateway 192.168.0.100
>ip classless
>no ip http server
>!
>!
>!
>!
>logging *.*.125.3
>access-list 1 deny   10.0.0.0 0.255.255.255
>access-list 1 permit any
>access-list 101 deny   tcp 10.0.0.0 0.255.255.255 any
>access-list 101 permit ip any any
>!
>control-plane
>!
>!
>line con 0
> login local
>line vty 0 4
> password 7 0313530E0303
> login local
>line vty 5 15
> password 7 044C03030A2D
> login local
>!
>ntp clock-period 17246764
>ntp server *.*.125.2
>!
>end
>-----------------------------------------------------------------------------
>
>192.168.0.0/24 - корпоративная сеть.
>*.*.125.0/24 - внешняя сеть.
>
>Если допустим кто-то начинает копировать большой объём данных между разными подсетями -
>маршрутизатор уходит в ступор. Вот и хочу перенести VLANы на каталист,
>поднять там маршрутизацию и т. д. В связи с этим вопрос:
>какие грабли меня ожидают? Может кто уже сталкивался с этим -
>дайте дельные советы и предложения.
Вот тебе дельный совет,
Грабли будут те же только объём трафика нужен будет чуть побольше особенно если ACL ов много, 3550 свитч не уровня ядра отсюда и все вытекающие

Исходное сообщение
"cisco 2620xm + Catalyst 3550 + vlan + routing" Отправлено sui245, 21-Июн-06 11:18
>Конфигурация сети такова: пограничный маршрутизатор Cisco 2620XM, к нему транком подключён Cisco >Catalyst 3550 Switch, к каталисту соотвественно оконечные хосты (dsl-клиенты, dial-up, сервера, >и т. д.). Привожу конфиги с обоих. >Звездочки в ай-пи-адресах - означает внешняя подсеть. > >Cisco 2620XM: >----------------------------------------------------------------------------- >version 12.4 >no service pad >service timestamps debug datetime msec >service timestamps log datetime msec >service password-encryption >no service dhcp >! >hostname domain-main-gw >! >boot-start-marker >boot system flash c2600-ipbasek9-mz.124-8.bin >boot-end-marker >! >logging buffered 32768 informational >no logging console >enable secret 5 ********************************* >enable password 7 **************************** >! >no aaa new-model >! >resource policy >! >clock timezone * 8 >no network-clock-participate slot 1 >no network-clock-participate wic 0 >no ip source-route >ip cef >! >! >! >! >no ip bootp server >ip domain list domain.ru >no ip domain lookup >ip domain name domain.ru >ip name-server ..116.1 >ip name-server ..125.3 >ip accounting-list 0.0.0.2 255.255.255.252 >ip accounting-list 0.0.0.0 255.255.255.0 >ip rcmd rsh-enable >ip rcmd remote-host root 192.168.168.2 root enable >ip rcmd remote-host billing 192.168.168.2 billing enable >! >! >! >username bob password 7 ******************* >! >! >class-map match-any http-hacks > match protocol http url "default.ida" > match protocol http url "x.ida" > match protocol http url "cmd.exe" > match protocol http url "root.exe" >! >! >policy-map mark-inbound-http-hacks > class http-hacks > set ip dscp 1 >! >! >! >interface Loopback0 > no ip address > no ip redirects > no ip unreachables > no ip proxy-arp >! >interface FastEthernet0/0 > no ip address > no ip redirects > no ip unreachables > no ip proxy-arp > duplex auto > speed auto >! >interface FastEthernet0/0.1 > encapsulation dot1Q 1 native > ip nat inside >! >interface FastEthernet0/0.10 > encapsulation dot1Q 10 > ip address 192.168.0.100 255.255.255.0 secondary > ip address ..125.1 255.255.255.0 > ip access-group eth in > no ip redirects > no ip unreachables > no ip proxy-arp > ip nat inside >! >interface FastEthernet0/0.20 > encapsulation dot1Q 20 > ip address 192.168.168.1 255.255.255.0 > ip nat inside >! >interface FastEthernet0/0.30 > encapsulation dot1Q 30 > ip address 10.10.1.1 255.255.255.0 > no ip redirects > no ip unreachables > no ip proxy-arp > ip nat inside >! >interface FastEthernet0/0.40 > encapsulation dot1Q 40 > ip address 10.10.2.1 255.255.255.0 > no ip redirects > no ip unreachables > no ip proxy-arp > ip nat inside >! >interface Serial0/0 > bandwidth 2048 > ip address ..96.218 255.255.255.252 > ip access-group in_block in > ip access-group out_block out > no ip redirects > no ip unreachables > no ip proxy-arp > ip nat outside > rate-limit input access-group 147 128000 8000 8000 conform-action transmit exceed-action drop > > rate-limit input access-group 146 64000 8000 8000 conform-action transmit exceed-action drop > > no logging event link-status > no fair-queue > service-policy input mark-inbound-http-hacks >! >interface Serial0/1 > ip address ..96.218 255.255.255.252 > shutdown >! >ip route 0.0.0.0 0.0.0.0 ..96.217 >ip flow-export source FastEthernet0/0.10 >ip flow-export version 9 >ip flow-export destination ..125.13 9001 >! >no ip http server >no ip http secure-server >ip nat inside source list 1 interface Serial0/0 overload >ip nat inside source static 10.10.1.33 ..125.99 extendable >ip nat inside source static 10.10.2.37 ..125.199 extendable >ip nat inside source static 10.10.1.45 ..125.200 extendable >ip nat inside source static 10.10.2.38 ..125.201 extendable >! >ip access-list standard eth > permit ..125.199 > permit ..125.200 > permit ..125.201 > permit ..125.30 > permit ..125.1 > permit ..125.2 > permit ..125.3 > permit ..125.4 > permit ..125.5 > permit ..125.6 > permit ..125.7 > permit ..125.8 > permit ..125.9 > permit ..125.10 > permit ..125.11 > permit ..125.12 > permit ..125.13 > permit ..125.14 > permit ..125.45 > permit ..125.120 > permit ..125.99 > permit 10.0.0.0 0.255.255.255 > permit 192.0.0.0 0.255.255.255 >! >ip access-list extended in_block > deny ip 10.0.0.0 0.255.255.255 any > deny ip 127.0.0.0 0.255.255.255 any > deny ip 172.16.0.0 0.15.255.255 any > deny ip 192.168.0.0 0.0.255.255 any > deny udp any any range netbios-ns netbios-ss log > deny tcp any any range 135 139 log > deny tcp any any eq 445 log > deny udp any any eq 31337 log > deny udp any any eq 22 log > deny tcp any any range exec lpd log > deny udp any any eq sunrpc log > deny tcp any any eq sunrpc log > deny udp any any eq xdmcp log > deny tcp any any eq 177 log > deny tcp any any range 6000 6063 log > deny udp any any range 6000 6063 log > deny udp any any range biff syslog log > deny tcp any any eq 11 log > deny udp any any eq tftp log > deny udp any any range snmp snmptrap log > permit ip any any > deny ip host 10.10.10.254 any > deny ip host 10.10.1.254 any >ip access-list extended out_block > permit ip any any >! >logging facility local6 >logging source-interface FastEthernet0/0.10 >logging ..125.3 >access-list 1 permit 192.168.0.101 >access-list 1 permit 10.10.2.31 >access-list 1 permit 10.10.1.31 >access-list 1 permit 10.10.1.33 >access-list 1 permit 10.10.2.34 >access-list 1 permit 10.10.1.32 >access-list 1 permit 10.10.2.35 >access-list 1 permit 10.10.1.35 >access-list 1 permit 10.10.2.32 >access-list 1 permit 10.10.2.33 >access-list 1 permit 10.10.1.34 >access-list 1 permit 10.10.2.38 >access-list 1 permit 10.10.1.37 >access-list 1 permit 10.10.1.36 >access-list 1 permit 10.10.2.36 >access-list 1 permit 10.10.1.38 >access-list 1 permit 10.10.2.37 >access-list 1 permit 10.10.1.41 >access-list 1 permit 10.10.2.42 >access-list 1 permit 10.10.2.43 >access-list 1 permit 10.10.1.43 >access-list 1 permit 10.10.1.42 >access-list 1 permit 10.10.2.41 >access-list 1 permit 10.10.2.46 >access-list 1 permit 10.10.1.45 >access-list 1 permit 10.10.1.44 >access-list 1 permit 10.10.1.47 >access-list 1 permit 10.10.2.44 >access-list 1 permit 10.10.1.46 >access-list 1 permit 10.10.2.45 >access-list 1 permit 10.10.1.48 >access-list 1 permit 10.10.1.51 >access-list 1 permit 10.10.2.48 >access-list 1 permit 10.10.1.53 >access-list 1 permit 10.10.1.52 >access-list 1 permit 192.168.0.8 >access-list 1 deny 192.168.0.31 >access-list 1 permit 192.168.168.10 >access-list 2 deny 10.0.0.0 0.255.255.255 >access-list 2 permit any >access-list 100 permit ip host 192.168.0.8 any >access-list 100 deny ip 192.168.0.0 0.0.0.255 any >access-list 101 deny ip host 192.168.0.31 any >access-list 101 deny ip host 192.168.0.8 any >access-list 101 permit ip 192.168.0.0 0.0.0.255 any >access-list 145 permit ip any host ..125.5 >access-list 146 permit ip any host ..125.8 >access-list 147 permit ip any host ..125.7 >snmp-server community technology RO >snmp-server community trap_style RW >snmp-server enable traps tty >route-map 1 permit 10 >! >route-map forced-proxy permit 10 > match ip address 101 > set ip next-hop ..125.3 >! >! >control-plane >! >! >line con 0 > login local >line aux 0 > login local >line vty 0 > login local >line vty 1 > login local > transport input telnet >line vty 2 4 > login local >line vty 5 10 > login local > rotary 1 > transport input pad telnet rlogin mop udptn v120 >line vty 11 15 > login local >! >ntp clock-period 17246762 >ntp server .. >125.2 >! >end >----------------------------------------------------------------------------- > >Cisco Catalyst 3550: >----------------------------------------------------------------------------- > >version 12.2 >no service pad >service timestamps debug uptime >service timestamps log uptime >service password-encryption >! >hostname domain-main-switch >! >enable secret 5 ************************* >enable password 7 *************************** >! >username bob password 7 ********************* >no aaa new-model >clock timezone ** 8 >ip subnet-zero >no ip source-route >ip host-routing >! >ip domain-name domain.ru >! >no file verify auto >spanning-tree mode pvst >spanning-tree extend system-id >! >! >! >vlan internal allocation policy ascending >! >! >interface FastEthernet0/1 > description Trunk link to Cisco 2620XM > switchport trunk encapsulation dot1q > switchport mode trunk > no logging event link-status > spanning-tree portfast >! >interface FastEthernet0/2 > description LAN > switchport access vlan 10 > switchport mode access > no logging event link-status >! >interface FastEthernet0/3 > description AS5350 Dial-Up > switchport access vlan 10 > switchport mode dynamic desirable > no logging event link-status > spanning-tree portfast >! >interface FastEthernet0/4 > switchport access vlan 10 > switchport mode access > no logging event link-status > spanning-tree portfast >! >interface FastEthernet0/5 > switchport access vlan 10 > switchport mode access > no logging event link-status >! >interface FastEthernet0/6 > switchport access vlan 10 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/7 > switchport access vlan 20 > switchport mode dynamic desirable > no logging event link-status > spanning-tree portfast >! >interface FastEthernet0/8 > switchport access vlan 10 > switchport mode dynamic desirable > no logging event link-status > spanning-tree portfast >! >interface FastEthernet0/9 > switchport access vlan 10 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/10 > switchport access vlan 20 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/11 > switchport access vlan 10 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/12 > switchport access vlan 40 > switchport mode dynamic desirable > no logging event link-status > spanning-tree portfast >! >interface FastEthernet0/13 > description DSLAM ZYXEL ADSL_1 > switchport access vlan 30 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/14 > description DSLAM ZYXEL ADSL_2 > switchport access vlan 40 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/15 > description DSLAM ZYXEL ADSL_3 > switchport access vlan 30 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/16 > description DSLAM ZYXEL ADSL_4 > switchport access vlan 40 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/17 > switchport access vlan 30 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/18 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/19 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/20 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/21 > switchport access vlan 10 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/22 > description Cisco AS5350 120 lines > switchport access vlan 10 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/23 > description DSLAM ZYXEL ADSL_5 > switchport access vlan 30 > switchport mode dynamic desirable > no logging event link-status >! >interface FastEthernet0/24 > description Trunk link to Catalyst2950 > switchport trunk encapsulation dot1q > switchport mode trunk > switchport nonegotiate > no logging event link-status > shutdown >! >interface GigabitEthernet0/1 > switchport access vlan 10 > switchport mode access > no logging event link-status >! >interface GigabitEthernet0/2 > switchport mode dynamic desirable > no logging event link-status > shutdown >! >interface Vlan1 > no ip address > no ip route-cache > shutdown >! >interface Vlan10 > ip address 192.168.0.163 255.255.255.0 > no ip route-cache >! >interface Vlan20 > no ip address > no ip route-cache >! >interface Vlan30 > no ip address > no ip route-cache >! >interface Vlan40 > no ip address > no ip route-cache >! >ip default-gateway 192.168.0.100 >ip classless >no ip http server >! >! >! >! >logging ..125.3 >access-list 1 deny 10.0.0.0 0.255.255.255 >access-list 1 permit any >access-list 101 deny tcp 10.0.0.0 0.255.255.255 any >access-list 101 permit ip any any >! >control-plane >! >! >line con 0 > login local >line vty 0 4 > password 7 0313530E0303 > login local >line vty 5 15 > password 7 044C03030A2D > login local >! >ntp clock-period 17246764 >ntp server ..125.2 >! >end >----------------------------------------------------------------------------- > >192.168.0.0/24 - корпоративная сеть. >..125.0/24 - внешняя сеть. > >Если допустим кто-то начинает копировать большой объём данных между разными подсетями - >маршрутизатор уходит в ступор. Вот и хочу перенести VLANы на каталист, >поднять там маршрутизацию и т. д. В связи с этим вопрос: >какие грабли меня ожидают? Может кто уже сталкивался с этим - >дайте дельные советы и предложения. Вот тебе дельный совет, Грабли будут те же только объём трафика нужен будет чуть побольше особенно если ACL ов много, 3550 свитч не уровня ядра отсюда и все вытекающие

Ваше сообщение
Имя*:
EMail:	Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	>>Конфигурация сети такова: пограничный маршрутизатор Cisco 2620XM, к нему транком подключён Cisco >>Catalyst 3550 Switch, к каталисту соотвественно оконечные хосты (dsl-клиенты, dial-up, сервера, >>и т. д.). Привожу конфиги с обоих. >>Звездочки в ай-пи-адресах - означает внешняя подсеть. >> >>Cisco 2620XM: >>----------------------------------------------------------------------------- >>version 12.4 >>no service pad >>service timestamps debug datetime msec >>service timestamps log datetime msec >>service password-encryption >>no service dhcp >>! >>hostname domain-main-gw >>! >>boot-start-marker >>boot system flash c2600-ipbasek9-mz.124-8.bin >>boot-end-marker >>! >>logging buffered 32768 informational >>no logging console >>enable secret 5 ********************************* >>enable password 7 **************************** >>! >>no aaa new-model >>! >>resource policy >>! >>clock timezone * 8 >>no network-clock-participate slot 1 >>no network-clock-participate wic 0 >>no ip source-route >>ip cef >>! >>! >>! >>! >>no ip bootp server >>ip domain list domain.ru >>no ip domain lookup >>ip domain name domain.ru >>ip name-server ..116.1 >>ip name-server ..125.3 >>ip accounting-list 0.0.0.2 255.255.255.252 >>ip accounting-list 0.0.0.0 255.255.255.0 >>ip rcmd rsh-enable >>ip rcmd remote-host root 192.168.168.2 root enable >>ip rcmd remote-host billing 192.168.168.2 billing enable >>! >>! >>! >>username bob password 7 ******************* >>! >>! >>class-map match-any http-hacks >> match protocol http url "default.ida" >> match protocol http url "x.ida" >> match protocol http url "cmd.exe" >> match protocol http url "root.exe" >>! >>! >>policy-map mark-inbound-http-hacks >> class http-hacks >> set ip dscp 1 >>! >>! >>! >>interface Loopback0 >> no ip address >> no ip redirects >> no ip unreachables >> no ip proxy-arp >>! >>interface FastEthernet0/0 >> no ip address >> no ip redirects >> no ip unreachables >> no ip proxy-arp >> duplex auto >> speed auto >>! >>interface FastEthernet0/0.1 >> encapsulation dot1Q 1 native >> ip nat inside >>! >>interface FastEthernet0/0.10 >> encapsulation dot1Q 10 >> ip address 192.168.0.100 255.255.255.0 secondary >> ip address ..125.1 255.255.255.0 >> ip access-group eth in >> no ip redirects >> no ip unreachables >> no ip proxy-arp >> ip nat inside >>! >>interface FastEthernet0/0.20 >> encapsulation dot1Q 20 >> ip address 192.168.168.1 255.255.255.0 >> ip nat inside >>! >>interface FastEthernet0/0.30 >> encapsulation dot1Q 30 >> ip address 10.10.1.1 255.255.255.0 >> no ip redirects >> no ip unreachables >> no ip proxy-arp >> ip nat inside >>! >>interface FastEthernet0/0.40 >> encapsulation dot1Q 40 >> ip address 10.10.2.1 255.255.255.0 >> no ip redirects >> no ip unreachables >> no ip proxy-arp >> ip nat inside >>! >>interface Serial0/0 >> bandwidth 2048 >> ip address ..96.218 255.255.255.252 >> ip access-group in_block in >> ip access-group out_block out >> no ip redirects >> no ip unreachables >> no ip proxy-arp >> ip nat outside >> rate-limit input access-group 147 128000 8000 8000 conform-action transmit exceed-action drop >> >> rate-limit input access-group 146 64000 8000 8000 conform-action transmit exceed-action drop >> >> no logging event link-status >> no fair-queue >> service-policy input mark-inbound-http-hacks >>! >>interface Serial0/1 >> ip address ..96.218 255.255.255.252 >> shutdown >>! >>ip route 0.0.0.0 0.0.0.0 ..96.217 >>ip flow-export source FastEthernet0/0.10 >>ip flow-export version 9 >>ip flow-export destination ..125.13 9001 >>! >>no ip http server >>no ip http secure-server >>ip nat inside source list 1 interface Serial0/0 overload >>ip nat inside source static 10.10.1.33 ..125.99 extendable >>ip nat inside source static 10.10.2.37 ..125.199 extendable >>ip nat inside source static 10.10.1.45 ..125.200 extendable >>ip nat inside source static 10.10.2.38 ..125.201 extendable >>! >>ip access-list standard eth >> permit ..125.199 >> permit ..125.200 >> permit ..125.201 >> permit ..125.30 >> permit ..125.1 >> permit ..125.2 >> permit ..125.3 >> permit ..125.4 >> permit ..125.5 >> permit ..125.6 >> permit ..125.7 >> permit ..125.8 >> permit ..125.9 >> permit ..125.10 >> permit ..125.11 >> permit ..125.12 >> permit ..125.13 >> permit ..125.14 >> permit ..125.45 >> permit ..125.120 >> permit ..125.99 >> permit 10.0.0.0 0.255.255.255 >> permit 192.0.0.0 0.255.255.255 >>! >>ip access-list extended in_block >> deny ip 10.0.0.0 0.255.255.255 any >> deny ip 127.0.0.0 0.255.255.255 any >> deny ip 172.16.0.0 0.15.255.255 any >> deny ip 192.168.0.0 0.0.255.255 any >> deny udp any any range netbios-ns netbios-ss log >> deny tcp any any range 135 139 log >> deny tcp any any eq 445 log >> deny udp any any eq 31337 log >> deny udp any any eq 22 log >> deny tcp any any range exec lpd log >> deny udp any any eq sunrpc log >> deny tcp any any eq sunrpc log >> deny udp any any eq xdmcp log >> deny tcp any any eq 177 log >> deny tcp any any range 6000 6063 log >> deny udp any any range 6000 6063 log >> deny udp any any range biff syslog log >> deny tcp any any eq 11 log >> deny udp any any eq tftp log >> deny udp any any range snmp snmptrap log >> permit ip any any >> deny ip host 10.10.10.254 any >> deny ip host 10.10.1.254 any >>ip access-list extended out_block >> permit ip any any >>! >>logging facility local6 >>logging source-interface FastEthernet0/0.10 >>logging ..125.3 >>access-list 1 permit 192.168.0.101 >>access-list 1 permit 10.10.2.31 >>access-list 1 permit 10.10.1.31 >>access-list 1 permit 10.10.1.33 >>access-list 1 permit 10.10.2.34 >>access-list 1 permit 10.10.1.32 >>access-list 1 permit 10.10.2.35 >>access-list 1 permit 10.10.1.35 >>access-list 1 permit 10.10.2.32 >>access-list 1 permit 10.10.2.33 >>access-list 1 permit 10.10.1.34 >>access-list 1 permit 10.10.2.38 >>access-list 1 permit 10.10.1.37 >>access-list 1 permit 10.10.1.36 >>access-list 1 permit 10.10.2.36 >>access-list 1 permit 10.10.1.38 >>access-list 1 permit 10.10.2.37 >>access-list 1 permit 10.10.1.41 >>access-list 1 permit 10.10.2.42 >>access-list 1 permit 10.10.2.43 >>access-list 1 permit 10.10.1.43 >>access-list 1 permit 10.10.1.42 >>access-list 1 permit 10.10.2.41 >>access-list 1 permit 10.10.2.46 >>access-list 1 permit 10.10.1.45 >>access-list 1 permit 10.10.1.44 >>access-list 1 permit 10.10.1.47 >>access-list 1 permit 10.10.2.44 >>access-list 1 permit 10.10.1.46 >>access-list 1 permit 10.10.2.45 >>access-list 1 permit 10.10.1.48 >>access-list 1 permit 10.10.1.51 >>access-list 1 permit 10.10.2.48 >>access-list 1 permit 10.10.1.53 >>access-list 1 permit 10.10.1.52 >>access-list 1 permit 192.168.0.8 >>access-list 1 deny 192.168.0.31 >>access-list 1 permit 192.168.168.10 >>access-list 2 deny 10.0.0.0 0.255.255.255 >>access-list 2 permit any >>access-list 100 permit ip host 192.168.0.8 any >>access-list 100 deny ip 192.168.0.0 0.0.0.255 any >>access-list 101 deny ip host 192.168.0.31 any >>access-list 101 deny ip host 192.168.0.8 any >>access-list 101 permit ip 192.168.0.0 0.0.0.255 any >>access-list 145 permit ip any host ..125.5 >>access-list 146 permit ip any host ..125.8 >>access-list 147 permit ip any host ..125.7 >>snmp-server community technology RO >>snmp-server community trap_style RW >>snmp-server enable traps tty >>route-map 1 permit 10 >>! >>route-map forced-proxy permit 10 >> match ip address 101 >> set ip next-hop ..125.3 >>! >>! >>control-plane >>! >>! >>line con 0 >> login local >>line aux 0 >> login local >>line vty 0 >> login local >>line vty 1 >> login local >> transport input telnet >>line vty 2 4 >> login local >>line vty 5 10 >> login local >> rotary 1 >> transport input pad telnet rlogin mop udptn v120 >>line vty 11 15 >> login local >>! >>ntp clock-period 17246762 >>ntp server .. >>125.2 >>! >>end >>----------------------------------------------------------------------------- >> >>Cisco Catalyst 3550: >>----------------------------------------------------------------------------- >> >>version 12.2 >>no service pad >>service timestamps debug uptime >>service timestamps log uptime >>service password-encryption >>! >>hostname domain-main-switch >>! >>enable secret 5 ************************* >>enable password 7 *************************** >>! >>username bob password 7 ********************* >>no aaa new-model >>clock timezone ** 8 >>ip subnet-zero >>no ip source-route >>ip host-routing >>! >>ip domain-name domain.ru >>! >>no file verify auto >>spanning-tree mode pvst >>spanning-tree extend system-id >>! >>! >>! >>vlan internal allocation policy ascending >>! >>! >>interface FastEthernet0/1 >> description Trunk link to Cisco 2620XM >> switchport trunk encapsulation dot1q >> switchport mode trunk >> no logging event link-status >> spanning-tree portfast >>! >>interface FastEthernet0/2 >> description LAN >> switchport access vlan 10 >> switchport mode access >> no logging event link-status >>! >>interface FastEthernet0/3 >> description AS5350 Dial-Up >> switchport access vlan 10 >> switchport mode dynamic desirable >> no logging event link-status >> spanning-tree portfast >>! >>interface FastEthernet0/4 >> switchport access vlan 10 >> switchport mode access >> no logging event link-status >> spanning-tree portfast >>! >>interface FastEthernet0/5 >> switchport access vlan 10 >> switchport mode access >> no logging event link-status >>! >>interface FastEthernet0/6 >> switchport access vlan 10 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/7 >> switchport access vlan 20 >> switchport mode dynamic desirable >> no logging event link-status >> spanning-tree portfast >>! >>interface FastEthernet0/8 >> switchport access vlan 10 >> switchport mode dynamic desirable >> no logging event link-status >> spanning-tree portfast >>! >>interface FastEthernet0/9 >> switchport access vlan 10 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/10 >> switchport access vlan 20 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/11 >> switchport access vlan 10 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/12 >> switchport access vlan 40 >> switchport mode dynamic desirable >> no logging event link-status >> spanning-tree portfast >>! >>interface FastEthernet0/13 >> description DSLAM ZYXEL ADSL_1 >> switchport access vlan 30 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/14 >> description DSLAM ZYXEL ADSL_2 >> switchport access vlan 40 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/15 >> description DSLAM ZYXEL ADSL_3 >> switchport access vlan 30 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/16 >> description DSLAM ZYXEL ADSL_4 >> switchport access vlan 40 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/17 >> switchport access vlan 30 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/18 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/19 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/20 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/21 >> switchport access vlan 10 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/22 >> description Cisco AS5350 120 lines >> switchport access vlan 10 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/23 >> description DSLAM ZYXEL ADSL_5 >> switchport access vlan 30 >> switchport mode dynamic desirable >> no logging event link-status >>! >>interface FastEthernet0/24 >> description Trunk link to Catalyst2950 >> switchport trunk encapsulation dot1q >> switchport mode trunk >> switchport nonegotiate >> no logging event link-status >> shutdown >>! >>interface GigabitEthernet0/1 >> switchport access vlan 10 >> switchport mode access >> no logging event link-status >>! >>interface GigabitEthernet0/2 >> switchport mode dynamic desirable >> no logging event link-status >> shutdown >>! >>interface Vlan1 >> no ip address >> no ip route-cache >> shutdown >>! >>interface Vlan10 >> ip address 192.168.0.163 255.255.255.0 >> no ip route-cache >>! >>interface Vlan20 >> no ip address >> no ip route-cache >>! >>interface Vlan30 >> no ip address >> no ip route-cache >>! >>interface Vlan40 >> no ip address >> no ip route-cache >>! >>ip default-gateway 192.168.0.100 >>ip classless >>no ip http server >>! >>! >>! >>! >>logging ..125.3 >>access-list 1 deny 10.0.0.0 0.255.255.255 >>access-list 1 permit any >>access-list 101 deny tcp 10.0.0.0 0.255.255.255 any >>access-list 101 permit ip any any >>! >>control-plane >>! >>! >>line con 0 >> login local >>line vty 0 4 >> password 7 0313530E0303 >> login local >>line vty 5 15 >> password 7 044C03030A2D >> login local >>! >>ntp clock-period 17246764 >>ntp server ..125.2 >>! >>end >>----------------------------------------------------------------------------- >> >>192.168.0.0/24 - корпоративная сеть. >>..125.0/24 - внешняя сеть. >> >>Если допустим кто-то начинает копировать большой объём данных между разными подсетями - >>маршрутизатор уходит в ступор. Вот и хочу перенести VLANы на каталист, >>поднять там маршрутизацию и т. д. В связи с этим вопрос: >>какие грабли меня ожидают? Может кто уже сталкивался с этим - >>дайте дельные советы и предложения. > Вот тебе дельный совет, > Грабли будут те же только объём трафика нужен будет чуть побольше особенно > если ACL ов много, 3550 свитч не уровня ядра отсюда и > все вытекающие
	Введите код, изображенный на картинке:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру