Конфигурация сети такова: пограничный маршрутизатор Cisco 2620XM, к нему транком подключён Cisco Catalyst 3550 Switch, к каталисту соответственно оконечные хосты (DSL-клиенты, dial-up, серверы и т. д.). Привожу конфиги с обоих.
Звёздочки в IP-адресах обозначают внешнюю подсеть (адреса замаскированы).
Cisco 2620XM:
-----------------------------------------------------------------------------
! ===== Cisco 2620XM (domain-main-gw): global settings =====
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 "encryption" is a reversible obfuscation, not a hash: every
! "password 7" string in this file can be recovered in seconds if the
! config leaks. Keep it on, but use "secret" (MD5 hash) wherever supported.
service password-encryption
no service dhcp
!
hostname domain-main-gw
!
boot-start-marker
! ipbasek9 = crypto image, so SSH is available even though the vty lines
! below only allow cleartext transports.
boot system flash c2600-ipbasek9-mz.124-8.bin
boot-end-marker
!
logging buffered 32768 informational
no logging console
! "enable secret" (MD5) takes precedence when both are set; the type-7
! "enable password" below is therefore unused for login but is still a
! recoverable copy of a privileged credential -- remove it.
enable secret 5 ***********************************
enable password 7 ********************************
!
! No AAA: authentication is local only (username bob below); nothing
! records who ran which command.
no aaa new-model
!
resource policy
!
clock timezone *** 8
no network-clock-participate slot 1
no network-clock-participate wic 0
! Source routing disabled -- good, blocks source-routed spoofing through the box.
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain list domain.ru
no ip domain lookup
ip domain name domain.ru
ip name-server *.*.116.1
ip name-server *.*.125.3
ip accounting-list 0.0.0.2 255.255.255.252
ip accounting-list 0.0.0.0 255.255.255.0
! SECURITY: the rsh server is enabled and grants privileged EXEC ("enable")
! to whoever reaches the router with source address 192.168.168.2 and the
! given remote username. rsh has no authentication beyond source address
! and username, and runs in cleartext, so a spoofed or compromised host on
! VLAN 20 (192.168.168.0/24) gets enable-level command execution. If the
! billing host only needs a few commands, use SSH with a low-privilege
! user and a vty access-class; at minimum drop "enable" from the root mapping.
ip rcmd rsh-enable
ip rcmd remote-host root 192.168.168.2 root enable
ip rcmd remote-host billing 192.168.168.2 billing enable
!
!
!
! Sole local login account; "password 7" is reversible -- re-create it as
! "username bob secret <pw>" (supported on 12.4).
username bob password 7 *******************
!
!
! NBAR classifier for the old Code Red / Nimda IIS worm URLs. The policy
! only *marks* matching packets (DSCP 1); nothing else in this config drops
! or polices DSCP 1, so this is detection-only unless a downstream device
! acts on the marking. NBAR URL inspection is also CPU-bound on a
! 2600-class router; if the box "stalls" under load, check
! "show processes cpu" before attributing it to routing alone.
class-map match-any http-hacks
match protocol http url "*default.ida*"
match protocol http url "*x.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
!
!
policy-map mark-inbound-http-hacks
class http-hacks
set ip dscp 1
!
!
!
! Loopback0 has no address; the "no ip redirects/unreachables/proxy-arp"
! trio is the hardening baseline repeated on most L3 interfaces below.
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
! Physical trunk port towards the Catalyst 3550 (router-on-a-stick);
! all routing happens on the dot1Q subinterfaces that follow.
interface FastEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
!
! Native VLAN 1 of the trunk. No address is configured, so nothing is
! routed here, but untagged frames from the trunk still terminate on it.
! Switch ports without a "switchport access vlan" (Fa0/18-20 on the 3550)
! sit in VLAN 1 by default, and double-tagging VLAN-hopping relies on the
! native VLAN being untagged -- move the trunk's native VLAN to an unused,
! shut-down VLAN on both ends (or tag it, if the platform supports
! "vlan dot1q tag native").
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip nat inside
!
! VLAN 10: the public *.*.125.0/24 (primary) AND the corporate
! 192.168.0.0/24 (secondary) share one broadcast domain, together with the
! switch management address, the AS5350 dial-up gateway and the
! syslog/NetFlow/NTP/DNS servers. Any host here can ARP-spoof any other.
! The standard ACL "eth" (inbound) whitelists accepted source addresses.
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.0.100 255.255.255.0 secondary
ip address *.*.125.1 255.255.255.0
ip access-group eth in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
!
! VLAN 20 (192.168.168.0/24) hosts the rsh-trusted billing host
! (192.168.168.2, see "ip rcmd"). Unlike its siblings this subinterface
! keeps ip redirects / unreachables / proxy-arp enabled -- add the same
! three "no ip ..." lines here for consistency.
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.168.1 255.255.255.0
ip nat inside
!
! VLANs 30/40: ADSL subscriber segments (10.10.1.0/24, 10.10.2.0/24; the
! DSLAM ports on the switch). Subscribers reach the Internet only if listed
! in access-list 1 (NAT overload) or in a static NAT entry.
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 10.10.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
!
interface FastEthernet0/0.40
encapsulation dot1Q 40
ip address 10.10.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
!
! Internet uplink (2 Mbit/s). Inbound filter = in_block, outbound =
! out_block (permit-all, effectively no filter). in_block ends with
! "permit ip any any" and never denies tcp/23, so the router's own vty
! lines are reachable from the whole Internet on this address.
interface Serial0/0
bandwidth 2048
ip address *.*.96.218 255.255.255.252
ip access-group in_block in
ip access-group out_block out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
! Per-host inbound policers (CAR): *.*.125.7 at 128 kbit/s (ACL 147) and
! *.*.125.8 at 64 kbit/s (ACL 146). ACL 145 (*.*.125.5) is defined but
! not policed here.
rate-limit input access-group 147 128000 8000 8000 conform-action transmit exceed-action drop
rate-limit input access-group 146 64000 8000 8000 conform-action transmit exceed-action drop
! Link up/down events suppressed from syslog -- a useful signal for
! incident timelines is lost; consider re-enabling it on the WAN link.
no logging event link-status
no fair-queue
service-policy input mark-inbound-http-hacks
!
! Serial0/1 carries the same address as Serial0/0; harmless while shut
! down, but "no shutdown" here would create a duplicate-address conflict.
interface Serial0/1
ip address *.*.96.218 255.255.255.252
shutdown
!
! Default route to the provider side of the /30.
ip route 0.0.0.0 0.0.0.0 *.*.96.217
! NetFlow v9 export (cleartext UDP) to the collector on VLAN 10.
! NOTE(review): no interface in the posted config carries "ip route-cache
! flow" / "ip flow ingress", so the exporter may have nothing to send --
! verify with "show ip cache flow".
ip flow-export source FastEthernet0/0.10
ip flow-export version 9
ip flow-export destination *.*.125.13 9001
!
! HTTP(S) management interface disabled -- good.
no ip http server
no ip http secure-server
! PAT of the hosts listed in access-list 1 behind the Serial0/0 address.
ip nat inside source list 1 interface Serial0/0 overload
! Static 1:1 NAT: these four inside hosts are fully exposed on their public
! addresses (all ports, "extendable"); the only inbound filter in front of
! them is in_block, which ends in "permit ip any any".
ip nat inside source static 10.10.1.33 *.*.125.99 extendable
ip nat inside source static 10.10.2.37 *.*.125.199 extendable
ip nat inside source static 10.10.1.45 *.*.125.200 extendable
ip nat inside source static 10.10.2.38 *.*.125.201 extendable
!
! Standard (source-only) ACL applied inbound on FastEthernet0/0.10: only
! the enumerated public addresses plus any 10/8 or 192/8 source are accepted
! from VLAN 10; everything else (e.g. a host squatting on an unassigned
! *.*.125.x address) hits the implicit deny silently -- no "log" keyword.
ip access-list standard eth
! .99/.199/.200/.201 are the static-NAT *outside* addresses, which are not
! expected as sources on VLAN 10 -- these four entries look like leftovers.
permit *.*.125.199
permit *.*.125.200
permit *.*.125.201
permit *.*.125.30
permit *.*.125.1
permit *.*.125.2
permit *.*.125.3
permit *.*.125.4
permit *.*.125.5
permit *.*.125.6
permit *.*.125.7
permit *.*.125.8
permit *.*.125.9
permit *.*.125.10
permit *.*.125.11
permit *.*.125.12
permit *.*.125.13
permit *.*.125.14
permit *.*.125.45
permit *.*.125.120
permit *.*.125.99
permit 10.0.0.0 0.255.255.255
! 192.0.0.0 0.255.255.255 matches the whole 192/8 (public space included),
! not just the corporate 192.168.0.0/24 -- presumably 192.168.0.0 0.0.0.255
! was intended; confirm before tightening.
permit 192.0.0.0 0.255.255.255
!
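! Inbound filter on the Internet uplink (applied "in" on Serial0/0).
! Entries are evaluated top-down, first match wins: anything placed after
! "permit ip any any" is unreachable -- which is where the two host denies
! used to sit. They are moved up here (they are in any case already covered
! by the 10.0.0.0/8 deny). A deny for our own public prefix is added so that
! packets arriving from the provider with a *.*.125.x source are dropped as
! forged. tcp/23 (telnet to the router itself) is still permitted from
! anywhere -- restrict that with a vty "access-class".
ip access-list extended in_block
! Anti-spoofing: private/loopback sources cannot legitimately arrive here.
deny ip 10.0.0.0 0.255.255.255 any
deny ip host 10.10.10.254 any
deny ip host 10.10.1.254 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
! Our own public /24 (FastEthernet0/0.10) must never be a source on the WAN.
deny ip *.*.125.0 0.0.0.255 any
! Legacy/noisy services, logged. "log" entries are process-switched, so a
! scan or worm flood against these ports costs CPU on a 2600.
deny udp any any range netbios-ns netbios-ss log
deny tcp any any range 135 139 log
deny tcp any any eq 445 log
deny udp any any eq 31337 log
! SSH is tcp/22; this entry only matches UDP port 22.
deny udp any any eq 22 log
deny tcp any any range exec lpd log
deny udp any any eq sunrpc log
deny tcp any any eq sunrpc log
deny udp any any eq xdmcp log
deny tcp any any eq 177 log
deny tcp any any range 6000 6063 log
deny udp any any range 6000 6063 log
deny udp any any range biff syslog log
deny tcp any any eq 11 log
deny udp any any eq tftp log
deny udp any any range snmp snmptrap log
permit ip any any
! Outbound filter: permit-all, i.e. no egress policy. Consider limiting
! egress sources to *.*.125.0/24 and the Serial0/0 /30 so that a
! compromised inside host cannot spoof outbound traffic.
ip access-list extended out_block
permit ip any any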
!
! Syslog (cleartext UDP, facility local6) to *.*.125.3, sourced from the
! VLAN 10 address.
logging facility local6
logging source-interface FastEthernet0/0.10
logging *.*.125.3
! access-list 1 = the NAT overload list: an explicit per-host whitelist of
! subscribers allowed out via PAT. The "deny 192.168.0.31" entry has no
! effect -- no permit entry matches that host anyway (implicit deny).
access-list 1 permit 192.168.0.101
access-list 1 permit 10.10.2.31
access-list 1 permit 10.10.1.31
access-list 1 permit 10.10.1.33
access-list 1 permit 10.10.2.34
access-list 1 permit 10.10.1.32
access-list 1 permit 10.10.2.35
access-list 1 permit 10.10.1.35
access-list 1 permit 10.10.2.32
access-list 1 permit 10.10.2.33
access-list 1 permit 10.10.1.34
access-list 1 permit 10.10.2.38
access-list 1 permit 10.10.1.37
access-list 1 permit 10.10.1.36
access-list 1 permit 10.10.2.36
access-list 1 permit 10.10.1.38
access-list 1 permit 10.10.2.37
access-list 1 permit 10.10.1.41
access-list 1 permit 10.10.2.42
access-list 1 permit 10.10.2.43
access-list 1 permit 10.10.1.43
access-list 1 permit 10.10.1.42
access-list 1 permit 10.10.2.41
access-list 1 permit 10.10.2.46
access-list 1 permit 10.10.1.45
access-list 1 permit 10.10.1.44
access-list 1 permit 10.10.1.47
access-list 1 permit 10.10.2.44
access-list 1 permit 10.10.1.46
access-list 1 permit 10.10.2.45
access-list 1 permit 10.10.1.48
access-list 1 permit 10.10.1.51
access-list 1 permit 10.10.2.48
access-list 1 permit 10.10.1.53
access-list 1 permit 10.10.1.52
access-list 1 permit 192.168.0.8
access-list 1 deny 192.168.0.31
access-list 1 permit 192.168.168.10
! access-list 2, 100 and 145 are not referenced anywhere in the posted
! configuration (dead entries -- remove them to keep the policy auditable).
! 101 is used only by route-map forced-proxy, which is itself not applied
! to any interface.
access-list 2 deny 10.0.0.0 0.255.255.255
access-list 2 permit any
access-list 100 permit ip host 192.168.0.8 any
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip host 192.168.0.31 any
access-list 101 deny ip host 192.168.0.8 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
! 146/147 select the hosts policed by "rate-limit" on Serial0/0.
access-list 145 permit ip any host *.*.125.5
access-list 146 permit ip any host *.*.125.8
access-list 147 permit ip any host *.*.125.7
! SECURITY: SNMP v1/v2c communities with no access-list. "trap_style" is
! READ-WRITE, which allows reconfiguration of the router (including pulling
! or pushing its configuration) by anyone on VLAN 10/20/30/40 -- DSL and
! dial-up subscribers included -- who knows the string; no ACL on those
! subinterfaces blocks SNMP to the router. Both strings are also disclosed
! in this post. Rotate them, bind each to an ACL
! ("snmp-server community <x> RO <acl>"), drop RW unless really needed, or
! move to SNMPv3 authPriv. Inbound SNMP from the Internet is already dropped
! by in_block.
snmp-server community technology RO
snmp-server community trap_style RW
! Traps enabled, but no "snmp-server host" appears in the posted config --
! nothing receives them.
snmp-server enable traps tty
! Empty route-map, unreferenced.
route-map 1 permit 10
!
! Policy routing of the corporate LAN (except .31 and .8) to the proxy at
! *.*.125.3. Not applied ("ip policy route-map forced-proxy" is absent on
! every interface), so it is currently inert.
route-map forced-proxy permit 10
match ip address 101
set ip next-hop *.*.125.3
!
!
! No control-plane policing configured.
control-plane
!
!
! Console / AUX: local login with the single "bob" account. If a modem is
! attached to AUX this is a dial-in management path; otherwise consider
! "no exec" on aux 0.
line con 0
login local
line aux 0
login local
! VTY lines: local login only, no "access-class" (management is reachable
! from any interface and -- because in_block permits tcp/23 -- from the
! Internet on the Serial0/0 address), and no SSH although the k9 image
! supports it. Recommended on every vty:
!   transport input ssh
!   access-class <mgmt-acl> in
! vty 1 is explicitly telnet-only; vty 0, 2-4 and 11-15 use the platform
! default transport set (check with "show line").
line vty 0
login local
line vty 1
login local
transport input telnet
line vty 2 4
login local
! vty 5-10: reachable via rotary group 1 (tcp/3001) and accepting the
! legacy cleartext transports pad/rlogin/mop/udptn/v120 in addition to
! telnet. "pad" contradicts "no service pad" above; none of these is
! encrypted. Restrict to ssh, or remove the rotary group if unused.
line vty 5 10
login local
rotary 1
transport input pad telnet rlogin mop udptn v120
line vty 11 15
login local
!
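! NTP: clock-period is auto-computed by IOS and should not be hand-edited.
! The "ntp server" line was wrapped by the paste and is rejoined here.
! NTP is unauthenticated (no "ntp authenticate"/"ntp trusted-key"), but the
! source is the local *.*.125.2 host rather than an Internet peer.
ntp clock-period 17246762
ntp server *.*.125.2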
!
end
-----------------------------------------------------------------------------
Cisco Catalyst 3550:
-----------------------------------------------------------------------------
! ===== Cisco Catalyst 3550 (domain-main-switch): global settings =====
version 12.2
no service pad
! Uptime-only timestamps: events can be correlated with the router (which
! logs datetime msec) only via the syslog server's receive time -- consider
! "service timestamps log datetime msec" here too.
service timestamps debug uptime
service timestamps log uptime
! Type-7 is reversible obfuscation; see the enable/username lines below.
service password-encryption
!
hostname domain-main-switch
!
! "enable password 7" is redundant next to "enable secret" and leaks a
! recoverable privileged credential -- remove it. "username bob password 7"
! should become "username bob secret ...".
enable secret 5 ***************************
enable password 7 *******************************
!
username bob password 7 *************************
no aaa new-model
clock timezone **** 8
ip subnet-zero
no ip source-route
ip host-routing
!
ip domain-name domain.ru
!
! Automatic verification of copied images is disabled.
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
! No "spanning-tree portfast bpduguard default": the many portfast edge
! ports below will accept BPDUs from a rogue switch.
!
!
!
vlan internal allocation policy ascending
!
!
! Trunk to the 2620XM. No "switchport trunk allowed vlan" (every VLAN,
! including native VLAN 1, crosses), no "switchport nonegotiate" (DTP still
! runs -- Fa0/24 below shows the better pattern), and "spanning-tree
! portfast" on a trunking port is normally ignored by IOS unless given as
! "spanning-tree portfast trunk" -- verify with "show spanning-tree
! interface fa0/1 portfast". Pin the native VLAN to an unused VLAN on
! both ends.
interface FastEthernet0/1
description Trunk link to Cisco 2620XM
switchport trunk encapsulation dot1q
switchport mode trunk
no logging event link-status
spanning-tree portfast
!
! Edge ports. Most are "switchport mode dynamic desirable": the port
! actively offers DTP trunking, so any attached device that speaks DTP
! (a subscriber behind a DSLAM, a rogue switch on a LAN jack) can bring
! the port up as a trunk and reach every VLAN -- including VLAN 10 (switch
! management, corporate LAN, public servers) and VLAN 20 (the rsh-trusted
! billing host). Unless a neighbour really needs to trunk, use
! "switchport mode access" (as on Fa0/2) plus "switchport nonegotiate".
! Portfast ports should also carry "spanning-tree bpduguard enable".
! "no logging event link-status" on every port hides cabling changes from
! the syslog trail.
interface FastEthernet0/2
description LAN
switchport access vlan 10
switchport mode access
no logging event link-status
!
! AS5350 dial-up gateway sits in VLAN 10, i.e. in the same L2 domain as the
! corporate LAN and the switch management address.
interface FastEthernet0/3
description AS5350 Dial-Up
switchport access vlan 10
switchport mode dynamic desirable
no logging event link-status
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
no logging event link-status
spanning-tree portfast
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
no logging event link-status
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/7
switchport access vlan 20
switchport mode dynamic desirable
no logging event link-status
spanning-tree portfast
!
interface FastEthernet0/8
switchport access vlan 10
switchport mode dynamic desirable
no logging event link-status
spanning-tree portfast
!
interface FastEthernet0/9
switchport access vlan 10
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/10
switchport access vlan 20
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/11
switchport access vlan 10
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/12
switchport access vlan 40
switchport mode dynamic desirable
no logging event link-status
spanning-tree portfast
!
! DSLAM uplinks: subscriber-facing ports that still negotiate DTP.
interface FastEthernet0/13
description DSLAM ZYXEL ADSL_1
switchport access vlan 30
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/14
description DSLAM ZYXEL ADSL_2
switchport access vlan 40
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/15
description DSLAM ZYXEL ADSL_3
switchport access vlan 30
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/16
description DSLAM ZYXEL ADSL_4
switchport access vlan 40
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/17
switchport access vlan 30
switchport mode dynamic desirable
no logging event link-status
!
! Fa0/18-20: no access VLAN, so they default to VLAN 1 (the trunk's native
! VLAN), are not shut down and negotiate DTP. Shut them down or park them
! in an unused VLAN.
interface FastEthernet0/18
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/19
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/20
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/21
switchport access vlan 10
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/22
description Cisco AS5350 120 lines
switchport access vlan 10
switchport mode dynamic desirable
no logging event link-status
!
interface FastEthernet0/23
description DSLAM ZYXEL ADSL_5
switchport access vlan 30
switchport mode dynamic desirable
no logging event link-status
! Fa0/24: the hardened trunk pattern (dot1q + nonegotiate), currently shut.
! Apply the same "switchport nonegotiate" to Fa0/1.
interface FastEthernet0/24
description Trunk link to Catalyst2950
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
no logging event link-status
shutdown
!
! Gi0/1 is a plain VLAN 10 access port; Gi0/2 is DTP-desirable but shut.
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
no logging event link-status
!
interface GigabitEthernet0/2
switchport mode dynamic desirable
no logging event link-status
shutdown
!
! VLAN 1 SVI shut -- good (VLAN 1 is still the trunk's native VLAN, though).
interface Vlan1
no ip address
no ip route-cache
shutdown
!
! Management SVI in VLAN 10, i.e. in the same L2 domain as corporate users,
! public servers and the dial-up gateway. A dedicated management VLAN would
! keep it off the user broadcast domain.
interface Vlan10
ip address 192.168.0.163 255.255.255.0
no ip route-cache
!
! SVIs 20/30/40 have no addresses: the switch is L2-only today and the
! 2620XM routes between VLANs. NOTE(review): if inter-VLAN routing moves
! here, the 3550 has no NAT, so PAT/static NAT and the WAN filters stay on
! the router, and ACL entries with "log" are punted to the switch CPU
! instead of being handled in hardware -- confirm against the installed
! image's feature set.
interface Vlan20
no ip address
no ip route-cache
!
interface Vlan30
no ip address
no ip route-cache
!
interface Vlan40
no ip address
no ip route-cache
!
! Management default gateway = the router's secondary address
! (192.168.0.100) on FastEthernet0/0.10.
ip default-gateway 192.168.0.100
ip classless
! Web UI disabled -- good.
no ip http server
!
!
!
!
! Cleartext syslog to *.*.125.3 (a different subnet, so it goes via the
! router).
logging *.*.125.3
! access-list 1 and 101 are not applied to any interface or line in the
! posted config -- dead entries, or intended as a future vty "access-class"?
access-list 1 deny 10.0.0.0 0.255.255.255
access-list 1 permit any
access-list 101 deny tcp 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
!
control-plane
!
!
line con 0
login local
! VTY: "login local" means the line "password 7" values are never used for
! authentication -- two dead, reversible credentials, posted here unmasked;
! remove them and treat them as disclosed. No "access-class", so the switch
! accepts management sessions from any host that can reach 192.168.0.163,
! and there is no "transport input ssh" (add it if the image is a k9/crypto
! build; otherwise telnet is the only option).
line vty 0 4
password 7 0313530E0303
login local
line vty 5 15
password 7 044C03030A2D
login local
!
! Unauthenticated NTP from the local *.*.125.2 server; clock-period is
! auto-generated by IOS.
ntp clock-period 17246764
ntp server *.*.125.2
!
end
-----------------------------------------------------------------------------
192.168.0.0/24 - корпоративная сеть.
*.*.125.0/24 - внешняя сеть.
Если, допустим, кто-то начинает копировать большой объём данных между разными подсетями (весь такой трафик сейчас проходит через маршрутизатор по транку, поскольку на каталисте нет L3), маршрутизатор «уходит в ступор». Поэтому хочу перенести VLAN'ы на каталист, поднять там маршрутизацию между VLAN и т. д. В связи с этим вопрос: какие грабли меня ожидают? Может, кто-то уже сталкивался с этим — дайте дельные советы и предложения.