I want GE1 and GE2 to be on the same segment, but the IX2215 will not accept the command. Downstream of GE1 is a TV recorder; downstream of GE2 are several PCs and a TV. I want to enter the commands below, but it prints
% 192.168.60.1 is assigned as primary address on GigaEthernet2.3
and refuses. Could someone please tell me how to solve this?

interface GigaEthernet1.0
 ip address 192.168.60.1/24
 no shutdown

interface GigaEthernet2.3
 encapsulation dot1q 60 tpid 8100
 auto-connect
 ip address 192.168.60.1/24
 ip dhcp binding vlan60
 no shutdown

517 anonymous 2016/12/27 (Tue) 16:38:06.13 ID:???
>>516
Put the interfaces you want on the same segment into the same bridge group, and assign the IP address to the bridge virtual interface.

bridge irb enable

interface GigaEthernet1.0
 bridge-group 1
 no shutdown

interface GigaEthernet2.3
 encapsulation dot1q 60 tpid 8100
 auto-connect
 ip dhcp binding vlan60
 bridge-group 1
 no shutdown

interface BVI0
 ip address 192.168.60.1/24
 bridge-group 1
 no shutdown

518 anonymous 2016/12/27 (Tue) 18:19:28.61 ID:???
Sorry, a correction to >>517: put ip dhcp binding vlan60 on the BVI0 interface too.

519 [516] 2016/12/27 (Tue) 18:22:17.32 ID:???
>>517
interface GigaEthernet2.1
 encapsulation dot1q 20 tpid 8100
 auto-connect
 ip address 192.168.1.1/24
 ip dhcp binding vlan2
 no shutdown
!
interface GigaEthernet2.2
 encapsulation dot1q 10 tpid 8100
 auto-connect
 ip address 192.168.100.1/24
 ip proxy-arp
 ip dhcp binding lan
 no shutdown
!
interface GigaEthernet2.3
 encapsulation dot1q 60 tpid 8100
 auto-connect
 no ip address
 ip dhcp binding vlan60
 bridge-group 1
 no shutdown

523 anon 2016/12/30 (Fri) 01:48:15.23 ID:???
Continuing from the above.

ip access-list a deny ip src 192.168.100.0/24 dest 192.168.1.0/24
ip access-list a permit ip src any dest any
ip access-list b deny ip src 192.168.1.0/24 dest 192.168.100.0/24
ip access-list b permit ip src any dest any

For the telnet restriction, use one of the following. To restrict by segment:
ip access-list telnet permit ip src 192.168.100.0/24 dest any

To restrict to the management PC only:
ip access-list telnet permit ip src 192.168.100.1/32 dest any

And then:
telnet-server ip access-list telnet

526 anonymous 2016/12/30 (Fri) 09:39:40.95 ID:???
To block communication between segments:

ip access-list a deny ip src 192.168.100.0/24 dest 192.168.1.0/24
ip access-list a deny ip src 192.168.60.0/24 dest 192.168.1.0/24
ip access-list a permit ip src any dest any
ip access-list b deny ip src 192.168.1.0/24 dest 192.168.100.0/24
ip access-list b deny ip src 192.168.60.0/24 dest 192.168.100.0/24
ip access-list b permit ip src any dest any
ip access-list c deny ip src 192.168.1.0/24 dest 192.168.60.0/24
ip access-list c deny ip src 192.168.100.0/24 dest 192.168.60.0/24
ip access-list c permit ip src any dest any

527 anonymous 2016/12/30 (Fri) 09:39:49.25 ID:???
Continued.

interface GigaEthernet2.1
 encapsulation dot1q 20 tpid 8100
 auto-connect
 ip address 192.168.1.1/24
 ip dhcp binding vlan2
 ip filter a 10 in
 no shutdown
interface GigaEthernet2.2
 encapsulation dot1q 10 tpid 8100
 auto-connect
 ip address 192.168.100.1/24
 ip proxy-arp
 ip dhcp binding lan
 ip filter b 10 in
 no shutdown

interface BVI0
 ip address 192.168.60.1/24
 ip dhcp binding vlan60
 ip filter c 10 in
 bridge-group 1
 no shutdown

As I wrote in >>518, the DHCP binding goes on the BVI interface too.

528 anonymous 2016/12/30 (Fri) 09:48:36.03 ID:???
In >>527 I got the in/out direction of the filters wrong.... I'll go and die now.

529 anonymous 2016/12/30 (Fri) 10:23:19.13 ID:???
This way is cleaner:

ip access-list a deny ip src any dest 192.168.100.0/24
ip access-list a deny ip src any dest 192.168.60.0/24
ip access-list a permit ip src any dest any
ip access-list b deny ip src any dest 192.168.1.0/24
ip access-list b deny ip src any dest 192.168.60.0/24
ip access-list b permit ip src any dest any
ip access-list c deny ip src any dest 192.168.1.0/24
ip access-list c deny ip src any dest 192.168.100.0/24
ip access-list c permit ip src any dest any

interface GigaEthernet2.1
 ip filter a 10 in

interface GigaEthernet2.2
 ip filter b 10 in

interface BVI0
 ip filter c 10 in

530 anon 2016/12/31 (Sat) 02:12:52.63 ID:???
>>525-529
ip access-list c deny ip src 192.168.1.0/24 dest 192.168.60.0/24
ip access-list c deny ip src 192.168.100.0/24 dest 192.168.60.0/24
ip access-list c permit ip src any dest any

531 anonymous 2016/12/31 (Sat) 11:10:05.94 ID:???
Ah, "c" can't be used as an access-list name (it becomes a different command, ip access-list cache). Sorry, I didn't try this on real hardware.
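The direction slip in >>527 and the rewrite in >>529 come down to first-match evaluation: a filter applied "in" on GigaEthernet2.1 only ever sees packets whose source is on 192.168.1.0/24, so a deny entry that names 192.168.100.0/24 as the source can never match there, whereas denying by destination does. The following is an added example, not code from the thread or from NEC's IX firmware: a small Python evaluator for the named access lists as written in those posts (first match wins; a no-match default of deny is an assumption about IX behaviour that never triggers here, since every list on the page ends with permit any). Only list "a" is modelled, so the "c" naming problem from >>531 does not arise; the packet addresses are constructed for the example.

```python
import ipaddress

# Constructed from post 526/527: list "a", applied "ip filter a 10 in" on GigaEthernet2.1
ACL_527 = """\
ip access-list a deny ip src 192.168.100.0/24 dest 192.168.1.0/24
ip access-list a deny ip src 192.168.60.0/24 dest 192.168.1.0/24
ip access-list a permit ip src any dest any
""".splitlines()

# Constructed from post 529: same list name, but the deny entries match on destination
ACL_529 = """\
ip access-list a deny ip src any dest 192.168.100.0/24
ip access-list a deny ip src any dest 192.168.60.0/24
ip access-list a permit ip src any dest any
""".splitlines()


def to_net(text):
    """'any' covers the whole IPv4 space; anything else is taken as a CIDR prefix."""
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text, strict=False)


def parse_acl(lines):
    """Parse 'ip access-list NAME ACTION ip src SRC dest DEST' lines into {name: [(action, src, dest)]}."""
    acls = {}
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        if (parts[:2] != ["ip", "access-list"] or len(parts) != 9
                or parts[5] != "src" or parts[7] != "dest"):
            raise ValueError(f"unrecognised access-list line: {line!r}")
        name, action = parts[2], parts[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        acls.setdefault(name, []).append((action, to_net(parts[6]), to_net(parts[8])))
    return acls


def evaluate(rules, src, dest):
    """First matching entry decides. No match -> deny (assumed IX default; unreachable with
    the lists above because each ends in 'permit ip src any dest any')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dest)
    for action, src_net, dest_net in rules:
        if s in src_net and d in dest_net:
            return action
    return "deny"


def inbound_on_ge2_1(acl_lines, src, dest):
    """Decision for a packet entering GigaEthernet2.1 (the 192.168.1.0/24 segment) with
    'ip filter a 10 in' applied, as in posts 527 and 529."""
    acls = parse_acl(acl_lines)
    return evaluate(acls["a"], src, dest)


def compare():
    # Constructed packet: a host on the vlan2 segment trying to reach a PC behind GigaEthernet2.2
    src, dest = "192.168.1.10", "192.168.100.5"
    return {
        # 'permit': the 527 deny entries name 192.168.100.0/24 as the *source*,
        # and no packet with that source ever enters GigaEthernet2.1
        "527_inbound": inbound_on_ge2_1(ACL_527, src, dest),
        # 'deny': the 529 entries match on destination, which is what an inbound filter sees
        "529_inbound": inbound_on_ge2_1(ACL_529, src, dest),
        # 'permit': a constructed outside destination still falls through to the final permit
        "529_outside": inbound_on_ge2_1(ACL_529, src, "203.0.113.7"),
    }


if __name__ == "__main__":
    for label, decision in compare().items():
        print(f"{label}: {decision}")
```

Running it prints permit for the >>527 list and deny for the >>529 list on the same inbound inter-segment packet, which is exactly the mismatch >>528 apologises for; the same check applied to lists "b" and the BVI0 list would show the same pattern.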
The command output is as follows.

RouterA(config)# sh ike sa
ISAKMP SA - 1 configured, 0 created
RouterA(config)# sh ipsec sa
IPsec SA - 1 configured, 0 created
  Interface is Tunnel0.0
    Key policy map name is ipsec-policy
    Tunnel mode, 4-over-4, autokey-map
    Local address is unknown
    Remote address is unknown
    Outgoing interface is GigaEthernet0.0
    Interface MTU is 1500, path MTU is 1500
    Inbound: <NONE>
    Outbound: <NONE>
    Perfect forward secrecy is off

549 anonymous 2017/01/13 (Fri) 23:10:57.99 ID:???
>>548
No SAs are being created at all.

Here, the ***** parts will be random values, but they form a matching pair between device A and device B, so check that.

560 anonymous 2017/01/15 (Sun) 10:23:08.94 ID:???
RouterA(config)# sh ike sa
ISAKMP SA - 1 configured, 1 created
  Local address is 10.10.10.10, port is 500
  Remote address is 20.20.20.20, port is 500
  IKE policy name is ike-policy
  Direction is initiator
  Initiator's cookie is 0x****************
  Responder's cookie is 0x****************
  Exchange type is main mode
  State is established