MIG005 Posted April 13, 2010

So, I set up the VLANs, assigned interfaces to them, configured the route, and set gateways and DNS on the clients...

#client VLANs
create vlan v102 tag 102
create vlan v103 tag 103
create vlan v104 tag 104
create vlan v105 tag 105
#management
create vlan v166 tag 166
create vlan v201 tag 201
#to the server
create vlan v200 tag 200
#to the DGS-3650
create ipif i102 192.168.2.254/24 v102
create ipif i103 192.168.3.254/24 v103
create ipif i104 192.168.4.254/24 v104
create ipif i105 192.168.5.254/24 v105
#
create ipif i166 192.168.66.254/24 v166
create ipif i200 192.168.0.254/24 v200
create ipif i201 192.168.1.254/24 v201
config vlan default delete 1-30
#
config vlan v102 add tagged 1-30
config vlan v103 add tagged 1-30
config vlan v104 add tagged 1-30
config vlan v105 add tagged 1-30
#
config vlan v166 add untagged 1-5
config vlan v200 add untagged 31
config vlan v201 add untagged 32
create iproute default 192.168.0.1

-- everything works, everyone sees everyone, the Internet is there. Next I configure the ACLs; the goal is for v102-v105 to see v200 but not each other or the management networks.

-- I try it like this:

#permit
create access_profile ip source 255.255.255.0 dest 255.255.255.0 vlan prof 10
conf access_prof prof 10 add access_id auto ip source 192.168.2.0 dest 192.168.2.0 vlan v102 port 1-5 permit
conf access_prof prof 10 add access_id auto ip source 192.168.0.0 dest 192.168.2.0 vlan v102 port 1-5 permit
conf access_prof prof 10 add access_id auto ip source 192.168.2.0 dest 192.168.0.0 vlan v102 port 1-5 permit
conf access_prof prof 10 add access_id auto ip source 192.168.3.0 dest 192.168.3.0 vlan v103 port 1-5 permit
conf access_prof prof 10 add access_id auto ip source 192.168.0.0 dest 192.168.3.0 vlan v103 port 1-5 permit
conf access_prof prof 10 add access_id auto ip source 192.168.3.0 dest 192.168.0.0 vlan v103 port 1-5 permit
conf access_prof prof 10 add access_id auto ip source 192.168.4.0 dest 192.168.4.0 vlan v104 port 1-5 permit
conf access_prof prof 10 add access_id auto ip source 192.168.0.0 dest 192.168.4.0 vlan v104 port 1-5 permit
conf access_prof prof 10 add access_id auto ip source 192.168.4.0 dest 192.168.0.0 vlan v104 port 1-5 permit
conf access_prof prof 10 add access_id auto ip source 192.168.5.0 dest 192.168.5.0 vlan v105 port 1-5 permit
conf access_prof prof 10 add access_id auto ip source 192.168.0.0 dest 192.168.5.0 vlan v105 port 1-5 permit
conf access_prof prof 10 add access_id auto ip source 192.168.5.0 dest 192.168.0.0 vlan v105 port 1-5 permit
#deny
create access_profile ip source 0.0.0.0 dest 0.0.0.0 vlan prof 11
conf access_prof prof 11 add access_id auto ip source 0.0.0.0 dest 0.0.0.0 vlan v102 port 1-5 deny
conf access_prof prof 11 add access_id auto ip source 0.0.0.0 dest 0.0.0.0 vlan v103 port 1-5 deny
conf access_prof prof 11 add access_id auto ip source 0.0.0.0 dest 0.0.0.0 vlan v104 port 1-5 deny
conf access_prof prof 11 add access_id auto ip source 0.0.0.0 dest 0.0.0.0 vlan v105 port 1-5 deny

Yes, nobody sees anyone except v200, but the Internet is available only on the first interface, v102, even though v200 (the server 192.168.0.1) pings from all interfaces and the Internet is handed out via NAT. But with these settings:

create access_profile ip source 255.255.255.0 dest 255.255.255.0 vlan prof 10
conf access_prof prof 10 add access_id auto ip source 192.168.2.0 dest 192.168.2.0 vlan v102 port 1-5, 45-48 permit
conf access_prof prof 10 add access_id auto ip source 192.168.0.0 dest 192.168.2.0 vlan v102 port 1-5, 45-48 permit
conf access_prof prof 10 add access_id auto ip source 192.168.2.0 dest 192.168.0.0 vlan v102 port 1-5, 45-48 permit
create access_profile ip source 255.255.255.0 dest 255.255.255.0 vlan prof 11
conf access_prof prof 11 add access_id auto ip source 192.168.3.0 dest 192.168.3.0 vlan v103 port 1-5, 45-48 permit
conf access_prof prof 11 add access_id auto ip source 192.168.0.0 dest 192.168.3.0 vlan v103 port 1-5, 45-48 permit
conf access_prof prof 11 add access_id auto ip source 192.168.3.0 dest 192.168.0.0 vlan v103 port 1-5, 45-48 permit
create access_profile ip source 255.255.255.0 dest 255.255.255.0 vlan prof 12
conf access_prof prof 12 add access_id auto ip source 192.168.4.0 dest 192.168.4.0 vlan v104 port 1-5, 45-48 permit
conf access_prof prof 12 add access_id auto ip source 192.168.0.0 dest 192.168.4.0 vlan v104 port 1-5, 45-48 permit
conf access_prof prof 12 add access_id auto ip source 192.168.4.0 dest 192.168.0.0 vlan v104 port 1-5, 45-48 permit
create access_profile ip source 255.255.255.0 dest 255.255.255.0 vlan prof 13
conf access_prof prof 13 add access_id auto ip source 192.168.5.0 dest 192.168.5.0 vlan v105 port 1-5, 45-48 permit
conf access_prof prof 13 add access_id auto ip source 192.168.0.0 dest 192.168.5.0 vlan v105 port 1-5, 45-48 permit
conf access_prof prof 13 add access_id auto ip source 192.168.5.0 dest 192.168.0.0 vlan v105 port 1-5, 45-48 permit

the Internet appears everywhere, but after 14 profiles it says:

DGS-3650:5#create access_profile ip source 255.255.255.0 dest 255.255.255.0 vlan prof 15
Command: create access_profile ip source_ip_mask 255.255.255.0 destination_ip_mask 255.255.255.0 vlan profile_id
Next possible completions:
<value 1-14>
DGS-3650:5#
DGS-3650:5#conf access_prof prof 15 add access_id auto ip source 192.168.6.0 dest 192.168.6.0 vlan v106 port 1-5, 45-48 permit
Command: config access_profile profile_id
Next possible completions:
<value 1-14>

i.e. no more profiles can be created. How do I sort all this out, maybe I need to use different configs? Thanks in advance...
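To see what the two ACL attempts above actually do to a packet, here is an added Python model (not from the post, nor D-Link code) that evaluates the poster's rules in profile order with first-match-wins, over a few constructed flows from v103; it shows that a client's Internet-bound packet matches no permit rule and falls through to the deny in attempt 1, while attempt 2 has no deny at all. It assumes a packet matching no rule is forwarded (implicit permit), and it does not reproduce the v102 exception the poster observed.

```python
import ipaddress

# Added model (not from the post or D-Link) of the poster's two ACL attempts on
# the DGS-3650: rules are checked in profile/access_id order, first match wins.
# Assumption: a packet that matches no rule is forwarded (implicit permit).
CLIENT_VLANS = {  # client VLAN -> its /24, as in the post
    "v102": "192.168.2.0/24", "v103": "192.168.3.0/24",
    "v104": "192.168.4.0/24", "v105": "192.168.5.0/24",
}
SERVER_NET = "192.168.0.0/24"  # v200; the NAT server is 192.168.0.1


def build_rules(with_deny):
    """Attempt 1 (with_deny=True): permit profile 10, then deny profile 11.
    Attempt 2 (with_deny=False): one permit-only profile per VLAN, no deny."""
    rules = []
    for vlan, net in CLIENT_VLANS.items():
        rules.append(("permit", net, net, vlan))         # inside the VLAN
        rules.append(("permit", SERVER_NET, net, vlan))  # server -> clients
        rules.append(("permit", net, SERVER_NET, vlan))  # clients -> server
    if with_deny:  # mask 0.0.0.0 on both addresses matches anything
        for vlan in CLIENT_VLANS:
            rules.append(("deny", "0.0.0.0/0", "0.0.0.0/0", vlan))
    return rules


def evaluate(rules, src, dst, vlan):
    """Action the switch takes for a packet src -> dst received on vlan."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet, rvlan in rules:
        if (rvlan == vlan and s in ipaddress.ip_network(snet)
                and d in ipaddress.ip_network(dnet)):
            return action
    return "permit"  # nothing matched: implicit permit (assumption)


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.1 stands in for any Internet host.
    flows = [("192.168.3.10", "192.168.0.1", "v103"),   # client -> NAT server
             ("192.168.3.10", "192.168.4.10", "v103"),  # client -> other VLAN
             ("192.168.3.10", "198.51.100.1", "v103")]  # client -> Internet
    for attempt, with_deny in ((1, True), (2, False)):
        rules = build_rules(with_deny)
        for src, dst, vlan in flows:
            print(f"attempt {attempt}: {src} -> {dst} on {vlan}: "
                  f"{evaluate(rules, src, dst, vlan)}")
```

In attempt 1 the server is reachable but anything off the server subnet is dropped; in attempt 2 the inter-VLAN flow is not blocked because no deny rule exists.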