>The network layout is as follows: a Cisco 2620XM border router, with a Cisco Catalyst 3550 switch connected to it by a trunk, and the end hosts (DSL clients, dial-up, servers, etc.) attached to the Catalyst. Below are the configs from both devices.
>Asterisks in IP addresses denote the external subnet.
>
>Cisco 2620XM:
>-----------------------------------------------------------------------------
>version 12.4
>no service pad
>service timestamps debug datetime msec
>service timestamps log datetime msec
>service password-encryption
>no service dhcp
>!
>hostname domain-main-gw
>!
>boot-start-marker
>boot system flash c2600-ipbasek9-mz.124-8.bin
>boot-end-marker
>!
>logging buffered 32768 informational
>no logging console
>enable secret 5 ***********************************
>enable password 7 ********************************
>!
>no aaa new-model
>!
>resource policy
>!
>clock timezone *** 8
>no network-clock-participate slot 1
>no network-clock-participate wic 0
>no ip source-route
>ip cef
>!
>!
>!
>!
>no ip bootp server
>ip domain list domain.ru
>no ip domain lookup
>ip domain name domain.ru
>ip name-server *.*.116.1
>ip name-server *.*.125.3
>ip accounting-list 0.0.0.2 255.255.255.252
>ip accounting-list 0.0.0.0 255.255.255.0
>ip rcmd rsh-enable
>ip rcmd remote-host root 192.168.168.2 root enable
>ip rcmd remote-host billing 192.168.168.2 billing enable
>!
>!
>!
>username bob password 7 *******************
>!
>!
>class-map match-any http-hacks
> match protocol http url "*default.ida*"
> match protocol http url "*x.ida*"
> match protocol http url "*cmd.exe*"
> match protocol http url "*root.exe*"
>!
>!
>policy-map mark-inbound-http-hacks
> class http-hacks
> set ip dscp 1
>!
>!
>!
>interface Loopback0
> no ip address
> no ip redirects
> no ip unreachables
> no ip proxy-arp
>!
>interface FastEthernet0/0
> no ip address
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> duplex auto
> speed auto
>!
>interface FastEthernet0/0.1
> encapsulation dot1Q 1 native
> ip nat inside
>!
>interface FastEthernet0/0.10
> encapsulation dot1Q 10
> ip address 192.168.0.100 255.255.255.0 secondary
> ip address *.*.125.1 255.255.255.0
> ip access-group eth in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat inside
>!
>interface FastEthernet0/0.20
> encapsulation dot1Q 20
> ip address 192.168.168.1 255.255.255.0
> ip nat inside
>!
>interface FastEthernet0/0.30
> encapsulation dot1Q 30
> ip address 10.10.1.1 255.255.255.0
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat inside
>!
>interface FastEthernet0/0.40
> encapsulation dot1Q 40
> ip address 10.10.2.1 255.255.255.0
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat inside
>!
>interface Serial0/0
> bandwidth 2048
> ip address *.*.96.218 255.255.255.252
> ip access-group in_block in
> ip access-group out_block out
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat outside
> rate-limit input access-group 147 128000 8000 8000 conform-action transmit exceed-action drop
>
> rate-limit input access-group 146 64000 8000 8000 conform-action transmit exceed-action drop
>
> no logging event link-status
> no fair-queue
> service-policy input mark-inbound-http-hacks
>!
>interface Serial0/1
> ip address *.*.96.218 255.255.255.252
> shutdown
>!
>ip route 0.0.0.0 0.0.0.0 *.*.96.217
>ip flow-export source FastEthernet0/0.10
>ip flow-export version 9
>ip flow-export destination *.*.125.13 9001
>!
>no ip http server
>no ip http secure-server
>ip nat inside source list 1 interface Serial0/0 overload
>ip nat inside source static 10.10.1.33 *.*.125.99 extendable
>ip nat inside source static 10.10.2.37 *.*.125.199 extendable
>ip nat inside source static 10.10.1.45 *.*.125.200 extendable
>ip nat inside source static 10.10.2.38 *.*.125.201 extendable
>!
>ip access-list standard eth
> permit *.*.125.199
> permit *.*.125.200
> permit *.*.125.201
> permit *.*.125.30
> permit *.*.125.1
> permit *.*.125.2
> permit *.*.125.3
> permit *.*.125.4
> permit *.*.125.5
> permit *.*.125.6
> permit *.*.125.7
> permit *.*.125.8
> permit *.*.125.9
> permit *.*.125.10
> permit *.*.125.11
> permit *.*.125.12
> permit *.*.125.13
> permit *.*.125.14
> permit *.*.125.45
> permit *.*.125.120
> permit *.*.125.99
> permit 10.0.0.0 0.255.255.255
> permit 192.0.0.0 0.255.255.255
>!
>ip access-list extended in_block
> deny ip 10.0.0.0 0.255.255.255 any
> deny ip 127.0.0.0 0.255.255.255 any
> deny ip 172.16.0.0 0.15.255.255 any
> deny ip 192.168.0.0 0.0.255.255 any
> deny udp any any range netbios-ns netbios-ss log
> deny tcp any any range 135 139 log
> deny tcp any any eq 445 log
> deny udp any any eq 31337 log
> deny udp any any eq 22 log
> deny tcp any any range exec lpd log
> deny udp any any eq sunrpc log
> deny tcp any any eq sunrpc log
> deny udp any any eq xdmcp log
> deny tcp any any eq 177 log
> deny tcp any any range 6000 6063 log
> deny udp any any range 6000 6063 log
> deny udp any any range biff syslog log
> deny tcp any any eq 11 log
> deny udp any any eq tftp log
> deny udp any any range snmp snmptrap log
> permit ip any any
> deny ip host 10.10.10.254 any
> deny ip host 10.10.1.254 any
>ip access-list extended out_block
> permit ip any any
>!
>logging facility local6
>logging source-interface FastEthernet0/0.10
>logging *.*.125.3
>access-list 1 permit 192.168.0.101
>access-list 1 permit 10.10.2.31
>access-list 1 permit 10.10.1.31
>access-list 1 permit 10.10.1.33
>access-list 1 permit 10.10.2.34
>access-list 1 permit 10.10.1.32
>access-list 1 permit 10.10.2.35
>access-list 1 permit 10.10.1.35
>access-list 1 permit 10.10.2.32
>access-list 1 permit 10.10.2.33
>access-list 1 permit 10.10.1.34
>access-list 1 permit 10.10.2.38
>access-list 1 permit 10.10.1.37
>access-list 1 permit 10.10.1.36
>access-list 1 permit 10.10.2.36
>access-list 1 permit 10.10.1.38
>access-list 1 permit 10.10.2.37
>access-list 1 permit 10.10.1.41
>access-list 1 permit 10.10.2.42
>access-list 1 permit 10.10.2.43
>access-list 1 permit 10.10.1.43
>access-list 1 permit 10.10.1.42
>access-list 1 permit 10.10.2.41
>access-list 1 permit 10.10.2.46
>access-list 1 permit 10.10.1.45
>access-list 1 permit 10.10.1.44
>access-list 1 permit 10.10.1.47
>access-list 1 permit 10.10.2.44
>access-list 1 permit 10.10.1.46
>access-list 1 permit 10.10.2.45
>access-list 1 permit 10.10.1.48
>access-list 1 permit 10.10.1.51
>access-list 1 permit 10.10.2.48
>access-list 1 permit 10.10.1.53
>access-list 1 permit 10.10.1.52
>access-list 1 permit 192.168.0.8
>access-list 1 deny 192.168.0.31
>access-list 1 permit 192.168.168.10
>access-list 2 deny 10.0.0.0 0.255.255.255
>access-list 2 permit any
>access-list 100 permit ip host 192.168.0.8 any
>access-list 100 deny ip 192.168.0.0 0.0.0.255 any
>access-list 101 deny ip host 192.168.0.31 any
>access-list 101 deny ip host 192.168.0.8 any
>access-list 101 permit ip 192.168.0.0 0.0.0.255 any
>access-list 145 permit ip any host *.*.125.5
>access-list 146 permit ip any host *.*.125.8
>access-list 147 permit ip any host *.*.125.7
>snmp-server community technology RO
>snmp-server community trap_style RW
>snmp-server enable traps tty
>route-map 1 permit 10
>!
>route-map forced-proxy permit 10
> match ip address 101
> set ip next-hop *.*.125.3
>!
>!
>control-plane
>!
>!
>line con 0
> login local
>line aux 0
> login local
>line vty 0
> login local
>line vty 1
> login local
> transport input telnet
>line vty 2 4
> login local
>line vty 5 10
> login local
> rotary 1
> transport input pad telnet rlogin mop udptn v120
>line vty 11 15
> login local
>!
>ntp clock-period 17246762
>ntp server *.*.125.2
>!
>end
>-----------------------------------------------------------------------------
>
>Cisco Catalyst 3550:
>-----------------------------------------------------------------------------
>
>version 12.2
>no service pad
>service timestamps debug uptime
>service timestamps log uptime
>service password-encryption
>!
>hostname domain-main-switch
>!
>enable secret 5 ***************************
>enable password 7 *******************************
>!
>username bob password 7 *************************
>no aaa new-model
>clock timezone **** 8
>ip subnet-zero
>no ip source-route
>ip host-routing
>!
>ip domain-name domain.ru
>!
>no file verify auto
>spanning-tree mode pvst
>spanning-tree extend system-id
>!
>!
>!
>vlan internal allocation policy ascending
>!
>!
>interface FastEthernet0/1
> description Trunk link to Cisco 2620XM
> switchport trunk encapsulation dot1q
> switchport mode trunk
> no logging event link-status
> spanning-tree portfast
>!
>interface FastEthernet0/2
> description LAN
> switchport access vlan 10
> switchport mode access
> no logging event link-status
>!
>interface FastEthernet0/3
> description AS5350 Dial-Up
> switchport access vlan 10
> switchport mode dynamic desirable
> no logging event link-status
> spanning-tree portfast
>!
>interface FastEthernet0/4
> switchport access vlan 10
> switchport mode access
> no logging event link-status
> spanning-tree portfast
>!
>interface FastEthernet0/5
> switchport access vlan 10
> switchport mode access
> no logging event link-status
>!
>interface FastEthernet0/6
> switchport access vlan 10
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/7
> switchport access vlan 20
> switchport mode dynamic desirable
> no logging event link-status
> spanning-tree portfast
>!
>interface FastEthernet0/8
> switchport access vlan 10
> switchport mode dynamic desirable
> no logging event link-status
> spanning-tree portfast
>!
>interface FastEthernet0/9
> switchport access vlan 10
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/10
> switchport access vlan 20
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/11
> switchport access vlan 10
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/12
> switchport access vlan 40
> switchport mode dynamic desirable
> no logging event link-status
> spanning-tree portfast
>!
>interface FastEthernet0/13
> description DSLAM ZYXEL ADSL_1
> switchport access vlan 30
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/14
> description DSLAM ZYXEL ADSL_2
> switchport access vlan 40
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/15
> description DSLAM ZYXEL ADSL_3
> switchport access vlan 30
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/16
> description DSLAM ZYXEL ADSL_4
> switchport access vlan 40
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/17
> switchport access vlan 30
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/18
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/19
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/20
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/21
> switchport access vlan 10
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/22
> description Cisco AS5350 120 lines
> switchport access vlan 10
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/23
> description DSLAM ZYXEL ADSL_5
> switchport access vlan 30
> switchport mode dynamic desirable
> no logging event link-status
>!
>interface FastEthernet0/24
> description Trunk link to Catalyst2950
> switchport trunk encapsulation dot1q
> switchport mode trunk
> switchport nonegotiate
> no logging event link-status
> shutdown
>!
>interface GigabitEthernet0/1
> switchport access vlan 10
> switchport mode access
> no logging event link-status
>!
>interface GigabitEthernet0/2
> switchport mode dynamic desirable
> no logging event link-status
> shutdown
>!
>interface Vlan1
> no ip address
> no ip route-cache
> shutdown
>!
>interface Vlan10
> ip address 192.168.0.163 255.255.255.0
> no ip route-cache
>!
>interface Vlan20
> no ip address
> no ip route-cache
>!
>interface Vlan30
> no ip address
> no ip route-cache
>!
>interface Vlan40
> no ip address
> no ip route-cache
>!
>ip default-gateway 192.168.0.100
>ip classless
>no ip http server
>!
>!
>!
>!
>logging *.*.125.3
>access-list 1 deny 10.0.0.0 0.255.255.255
>access-list 1 permit any
>access-list 101 deny tcp 10.0.0.0 0.255.255.255 any
>access-list 101 permit ip any any
>!
>control-plane
>!
>!
>line con 0
> login local
>line vty 0 4
> password 7 0313530E0303
> login local
>line vty 5 15
> password 7 044C03030A2D
> login local
>!
>ntp clock-period 17246764
>ntp server *.*.125.2
>!
>end
>-----------------------------------------------------------------------------
>
>192.168.0.0/24 is the corporate network.
>*.*.125.0/24 is the external network.
>
>If, say, someone starts copying a large volume of data between different subnets, the router grinds to a halt. So I want to move the VLANs onto the Catalyst, bring up routing there, and so on. Hence the question: what pitfalls await me? Maybe someone has already run into this; please share practical advice and suggestions.

Here's some practical advice: the pitfalls will be the same, only it will take a bit more traffic to hit them, especially if there are a lot of ACLs. The 3550 is not a core-class switch, with everything that follows from that.
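The reply's point about ACLs, and a few things in the quoted configs a reviewer would want to check before moving them to the 3550 (ACEs in `in_block` placed after `permit ip any any`, access ports left in `dynamic desirable`, `ip rcmd rsh-enable`, a read-write SNMP community), as a small Python config check. This is an added example, not part of either post; `SAMPLE` is a constructed excerpt of the quoted configs, and `sections`/`audit` are hypothetical helper names.

```python
# Added example (not from the post): audit an IOS config for issues visible above.
# SAMPLE is a constructed excerpt of the quoted 2620XM and 3550 configs.
SAMPLE = """\
ip rcmd rsh-enable
ip access-list extended in_block
 deny ip 10.0.0.0 0.255.255.255 any
 permit ip any any
 deny ip host 10.10.10.254 any
 deny ip host 10.10.1.254 any
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode dynamic desirable
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
snmp-server community trap_style RW
"""

def sections(cfg):
    """Yield (header, [child lines]) for each top-level IOS block."""
    head, body = None, []
    for raw in cfg.splitlines():
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            if head is not None:
                yield head, body
            head, body = raw.strip(), []
    if head is not None:
        yield head, body

def audit(cfg):
    """Return (check, context) findings for the config text."""
    findings = []
    for head, body in sections(cfg):
        if head == "ip rcmd rsh-enable":
            findings.append(("rsh enabled", head))  # cleartext, host-trust auth
        elif head.startswith("snmp-server community") and head.endswith(" RW"):
            findings.append(("snmp write community", head))
        elif head.startswith("ip access-list extended"):
            name = head.split()[-1]
            # ACEs after an unconditional permit can never match.
            if "permit ip any any" in body:
                i = body.index("permit ip any any")
                findings += [("shadowed ace", f"{name}: {a}") for a in body[i + 1:]]
        elif head.startswith("interface") and "switchport mode dynamic desirable" in body:
            # DTP still negotiating; static access + nonegotiate is the fix.
            findings.append(("dtp negotiation", head))
    return findings
```

Run `audit` over the full config text (with the `>` quote marks stripped) to list every shadowed ACE and every negotiating port before the ACLs are carried over to the switch.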