URL: https://www.opennet.ru/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 10796

Original message
"cisco 2620xm + Catalyst 3550 + vlan + routing"

Posted by kba, 21-Jun-06 10:40
The network is set up like this: a Cisco 2620XM border router, with a Cisco Catalyst 3550 switch connected to it over a trunk, and the end hosts (DSL clients, dial-up, servers, etc.) hanging off the Catalyst. The configs from both follow.
Asterisks in IP addresses denote the external subnet.

Cisco 2620XM:
-----------------------------------------------------------------------------
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname domain-main-gw
!
boot-start-marker
boot system flash c2600-ipbasek9-mz.124-8.bin
boot-end-marker
!
logging buffered 32768 informational
no logging console
enable secret 5 ***********************************
enable password 7 ********************************
!
no aaa new-model
!
resource policy
!
clock timezone *** 8
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain list domain.ru
no ip domain lookup
ip domain name domain.ru
ip name-server *.*.116.1
ip name-server *.*.125.3
ip accounting-list 0.0.0.2 255.255.255.252
ip accounting-list 0.0.0.0 255.255.255.0
ip rcmd rsh-enable
ip rcmd remote-host root 192.168.168.2 root enable
ip rcmd remote-host billing 192.168.168.2 billing enable
!
!
!
username bob password 7 *******************
!
!
class-map match-any http-hacks
match protocol http url "*default.ida*"
match protocol http url "*x.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
!
!
policy-map mark-inbound-http-hacks
class http-hacks
  set ip dscp 1
!
!
!
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface FastEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip nat inside
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.0.100 255.255.255.0 secondary
ip address *.*.125.1 255.255.255.0
ip access-group eth in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.168.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 10.10.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface FastEthernet0/0.40
encapsulation dot1Q 40
ip address 10.10.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface Serial0/0
bandwidth 2048
ip address *.*.96.218 255.255.255.252
ip access-group in_block in
ip access-group out_block out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
rate-limit input access-group 147 128000 8000 8000 conform-action transmit exceed-action drop
rate-limit input access-group 146 64000 8000 8000 conform-action transmit exceed-action drop
no logging event link-status
no fair-queue
service-policy input mark-inbound-http-hacks
!
interface Serial0/1
ip address *.*.96.218 255.255.255.252
shutdown
!
ip route 0.0.0.0 0.0.0.0 *.*.96.217
ip flow-export source FastEthernet0/0.10
ip flow-export version 9
ip flow-export destination *.*.125.13 9001
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static 10.10.1.33 *.*.125.99 extendable
ip nat inside source static 10.10.2.37 *.*.125.199 extendable
ip nat inside source static 10.10.1.45 *.*.125.200 extendable
ip nat inside source static 10.10.2.38 *.*.125.201 extendable
!
ip access-list standard eth
permit *.*.125.199
permit *.*.125.200
permit *.*.125.201
permit *.*.125.30
permit *.*.125.1
permit *.*.125.2
permit *.*.125.3
permit *.*.125.4
permit *.*.125.5
permit *.*.125.6
permit *.*.125.7
permit *.*.125.8
permit *.*.125.9
permit *.*.125.10
permit *.*.125.11
permit *.*.125.12
permit *.*.125.13
permit *.*.125.14
permit *.*.125.45
permit *.*.125.120
permit *.*.125.99
permit 10.0.0.0 0.255.255.255
permit 192.0.0.0 0.255.255.255
!
ip access-list extended in_block
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   udp any any range netbios-ns netbios-ss log
deny   tcp any any range 135 139 log
deny   tcp any any eq 445 log
deny   udp any any eq 31337 log
deny   udp any any eq 22 log
deny   tcp any any range exec lpd log
deny   udp any any eq sunrpc log
deny   tcp any any eq sunrpc log
deny   udp any any eq xdmcp log
deny   tcp any any eq 177 log
deny   tcp any any range 6000 6063 log
deny   udp any any range 6000 6063 log
deny   udp any any range biff syslog log
deny   tcp any any eq 11 log
deny   udp any any eq tftp log
deny   udp any any range snmp snmptrap log
permit ip any any
deny   ip host 10.10.10.254 any
deny   ip host 10.10.1.254 any
ip access-list extended out_block
permit ip any any
!
logging facility local6
logging source-interface FastEthernet0/0.10
logging *.*.125.3
access-list 1 permit 192.168.0.101
access-list 1 permit 10.10.2.31
access-list 1 permit 10.10.1.31
access-list 1 permit 10.10.1.33
access-list 1 permit 10.10.2.34
access-list 1 permit 10.10.1.32
access-list 1 permit 10.10.2.35
access-list 1 permit 10.10.1.35
access-list 1 permit 10.10.2.32
access-list 1 permit 10.10.2.33
access-list 1 permit 10.10.1.34
access-list 1 permit 10.10.2.38
access-list 1 permit 10.10.1.37
access-list 1 permit 10.10.1.36
access-list 1 permit 10.10.2.36
access-list 1 permit 10.10.1.38
access-list 1 permit 10.10.2.37
access-list 1 permit 10.10.1.41
access-list 1 permit 10.10.2.42
access-list 1 permit 10.10.2.43
access-list 1 permit 10.10.1.43
access-list 1 permit 10.10.1.42
access-list 1 permit 10.10.2.41
access-list 1 permit 10.10.2.46
access-list 1 permit 10.10.1.45
access-list 1 permit 10.10.1.44
access-list 1 permit 10.10.1.47
access-list 1 permit 10.10.2.44
access-list 1 permit 10.10.1.46
access-list 1 permit 10.10.2.45
access-list 1 permit 10.10.1.48
access-list 1 permit 10.10.1.51
access-list 1 permit 10.10.2.48
access-list 1 permit 10.10.1.53
access-list 1 permit 10.10.1.52
access-list 1 permit 192.168.0.8
access-list 1 deny   192.168.0.31
access-list 1 permit 192.168.168.10
access-list 2 deny   10.0.0.0 0.255.255.255
access-list 2 permit any
access-list 100 permit ip host 192.168.0.8 any
access-list 100 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 deny   ip host 192.168.0.31 any
access-list 101 deny   ip host 192.168.0.8 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 145 permit ip any host *.*.125.5
access-list 146 permit ip any host *.*.125.8
access-list 147 permit ip any host *.*.125.7
snmp-server community technology RO
snmp-server community trap_style RW
snmp-server enable traps tty
route-map 1 permit 10
!
route-map forced-proxy permit 10
match ip address 101
set ip next-hop *.*.125.3
!
!
control-plane
!
!
line con 0
login local
line aux 0
login local
line vty 0
login local
line vty 1
login local
transport input telnet
line vty 2 4
login local
line vty 5 10
login local
rotary 1
transport input pad telnet rlogin mop udptn v120
line vty 11 15
login local
!
ntp clock-period 17246762
ntp server *.*.125.2
!
end
-----------------------------------------------------------------------------

Cisco Catalyst 3550:
-----------------------------------------------------------------------------

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname domain-main-switch
!
enable secret 5 ***************************
enable password 7 *******************************
!
username bob password 7 *************************
no aaa new-model
clock timezone **** 8
ip subnet-zero
no ip source-route
ip host-routing
!
ip domain-name domain.ru
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
description Trunk link to Cisco 2620XM
switchport trunk encapsulation dot1q
switchport mode trunk
no logging event link-status
spanning-tree portfast
!
interface FastEthernet0/2
description LAN
switchport access vlan 10
switchport mode access
no logging event link-status
!
interface FastEthernet0/3
description AS5350 Dial-Up
switchport access vlan 10
switchport mode dynamic desirable
no logging event link-status
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
no logging event link-status
spanning-tree portfast
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
no logging event link-status
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/7
switchport access vlan 20
switchport mode dynamic desirable
no logging event link-status
spanning-tree portfast
!
interface FastEthernet0/8
switchport access vlan 10
switchport mode dynamic desirable
no logging event link-status
spanning-tree portfast
!
interface FastEthernet0/9
switchport access vlan 10
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/10
switchport access vlan 20
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/11
switchport access vlan 10
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/12
switchport access vlan 40
switchport mode dynamic desirable
no logging event link-status
spanning-tree portfast
!
interface FastEthernet0/13
description DSLAM ZYXEL ADSL_1
switchport access vlan 30
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/14
description DSLAM ZYXEL ADSL_2
switchport access vlan 40
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/15
description DSLAM ZYXEL ADSL_3
switchport access vlan 30
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/16
description DSLAM ZYXEL ADSL_4
switchport access vlan 40
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/17
switchport access vlan 30
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/18
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/19
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/20
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/21
switchport access vlan 10
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/22
description Cisco AS5350 120 lines
switchport access vlan 10
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/23
description DSLAM ZYXEL ADSL_5
switchport access vlan 30
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/24
description Trunk link to Catalyst2950
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
no logging event link-status
shutdown
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
no logging event link-status
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
no logging event link-status
shutdown
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan10
ip address 192.168.0.163 255.255.255.0
no ip route-cache
!
interface Vlan20
no ip address
no ip route-cache
!
interface Vlan30
no ip address
no ip route-cache
!
interface Vlan40
no ip address
no ip route-cache
!
ip default-gateway 192.168.0.100
ip classless
no ip http server
!
!
!
!
logging *.*.125.3
access-list 1 deny   10.0.0.0 0.255.255.255
access-list 1 permit any
access-list 101 deny   tcp 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
!
control-plane
!
!
line con 0
login local
line vty 0 4
password 7 0313530E0303
login local
line vty 5 15
password 7 044C03030A2D
login local
!
ntp clock-period 17246764
ntp server *.*.125.2
!
end
-----------------------------------------------------------------------------

192.168.0.0/24 is the corporate network.
*.*.125.0/24 is the external network.

If, say, someone starts copying a large volume of data between different subnets, the router locks up. So I want to move the VLANs onto the Catalyst, bring up routing there, and so on. Hence the question: what pitfalls await me? Maybe someone has already dealt with this; give me some practical advice and suggestions.


Contents

Messages in this discussion
"cisco 2620xm + Catalyst 3550 + vlan + routing"
Posted by sui245, 21-Jun-06 11:18

Here's some practical advice for you,

The pitfalls will be the same, only the traffic volume needed will be a bit larger, especially if there are many ACLs; the 3550 is not a core-level switch, with everything that follows from that



"cisco 2620xm + Catalyst 3550 + vlan + routing"
Posted by kba, 23-Jun-06 04:32
>
>Here's some practical advice for you,
>
>The pitfalls will be the same, only the traffic volume needed will be a bit larger, especially
>if there are many ACLs; the 3550 is not a core-level switch, with everything
>that follows from that


What does "not core-level" mean? Core of what?


"cisco 2620xm + Catalyst 3550 + vlan + routing"
Posted by kba, 29-Sep-06 09:22
>>
>>Here's some practical advice for you,
>>
>>The pitfalls will be the same, only the traffic volume needed will be a bit larger, especially
>>if there are many ACLs; the 3550 is not a core-level switch, with everything
>>that follows from that
>
>
>What does "not core-level" mean? Core of what?


So. I brought up that notorious InterVLAN Routing. Everything seems to work, the hangs are gone. Now the next question arises: how do I remove the VLANs from the router entirely?
As I understand it, I need to do the following:
1) remove the trunk from the Catalyst port that goes to the router.
2) switch the port to L3 routing (no switchport; ip address bla-bla-bla, etc.)
3) accordingly remove all the VLAN interfaces etc. from the router.

This raises the question: will the existing NAT on the router still work for the internal VLANs on the Catalyst?
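As an added example (not configuration from the thread), here is how steps 1 to 3 and the NAT question could look on both devices. The 10.10.99.0/30 transit subnet between the routed port and the router is an assumption; the masked *.* public addresses are the poster's own.

```cisco
! ===== Catalyst 3550: the VLANs and their gateways now live here =====
ip routing
!
! Former router subinterface addresses move to the SVIs (the public /24 keeps
! its masked "*.*" form from the thread)
interface Vlan10
 ip address 192.168.0.100 255.255.255.0 secondary
 ip address *.*.125.1 255.255.255.0
 ! the ingress filter that used to sit on FastEthernet0/0.10 must follow the
 ! gateway, otherwise VLAN 10 loses its source-address filtering; define the
 ! standard ACL "eth" on the switch with the same entries before applying it
 ip access-group eth in
!
interface Vlan20
 ip address 192.168.168.1 255.255.255.0
!
interface Vlan30
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan40
 ip address 10.10.2.1 255.255.255.0
!
! Steps 1 and 2: the trunk towards the router becomes a routed L3 port on an
! assumed /30 transit subnet (10.10.99.0/30 is not from the thread)
interface FastEthernet0/1
 description Routed link to Cisco 2620XM
 no switchport
 ip address 10.10.99.2 255.255.255.252
!
! With ip routing enabled the switch uses a real default route, not a gateway
no ip default-gateway
ip route 0.0.0.0 0.0.0.0 10.10.99.1
!
! ===== Cisco 2620XM: step 3, subinterfaces gone, one routed link remains =====
no interface FastEthernet0/0.1
no interface FastEthernet0/0.10
no interface FastEthernet0/0.20
no interface FastEthernet0/0.30
no interface FastEthernet0/0.40
!
interface FastEthernet0/0
 ip address 10.10.99.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
! The inside networks are no longer directly connected. Returning traffic is
! translated back to the inside address and then routed, so without these
! routes replies to the overload pool and the static entries would be dropped
ip route 192.168.0.0 255.255.255.0 10.10.99.2
ip route 192.168.168.0 255.255.255.0 10.10.99.2
ip route 10.10.1.0 255.255.255.0 10.10.99.2
ip route 10.10.2.0 255.255.255.0 10.10.99.2
ip route *.*.125.0 255.255.255.0 10.10.99.2
!
! "ip nat inside source list 1 ..." and the static translations stay as they
! are: list 1 matches inside source addresses, not interfaces, so they keep
! working as long as the traffic enters through an "ip nat inside" interface
!
! Anything that referenced the deleted subinterface must be repointed,
! otherwise NetFlow export and syslog silently stop
ip flow-export source FastEthernet0/0
logging source-interface FastEthernet0/0
```

Note that the `eth` ACL was only applied on the router subinterface; once the gateway moves to the switch, any filter left on the router is no longer in the path for traffic between the VLANs.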