I want GE1 and GE2 to be on the same segment, but the IX2215 won't accept the commands. A TV recorder is connected beyond GE1, and several PCs and a TV are connected beyond GE2. I want to enter the commands below, but it prints "% 192.168.60.1 is assigned as primary address on GigaEthernet2.3" and refuses. Could someone please tell me how to solve this?

interface GigaEthernet1.0
ip address 192.168.60.1/24
no shutdown

interface GigaEthernet2.3
encapsulation dot1q 60 tpid 8100
auto-connect
ip address 192.168.60.1/24
ip dhcp binding vlan60
no shutdown

517 anonymous 2016/12/27 (Tue) 16:38:06.13 ID:???
>>516
Put the interfaces you want on the same segment into the same bridge group, and assign the IP address to the virtual bridge interface.
bridge irb enable

interface GigaEthernet1.0
bridge-group 1
no shutdown

interface GigaEthernet2.3
encapsulation dot1q 60 tpid 8100
auto-connect
ip dhcp binding vlan60
bridge-group 1
no shutdown

interface BVI0
ip address 192.168.60.1/24
bridge-group 1
no shutdown

518 anonymous 2016/12/27 (Tue) 18:19:28.61 ID:???
Sorry, a correction to >>517: set ip dhcp binding vlan60 on the BVI0 interface as well.

519 516 2016/12/27 (Tue) 18:22:17.32 ID:???
>>517
interface GigaEthernet2.1
encapsulation dot1q 20 tpid 8100
auto-connect
ip address 192.168.1.1/24
ip dhcp binding vlan2
no shutdown
!
interface GigaEthernet2.2
encapsulation dot1q 10 tpid 8100
auto-connect
ip address 192.168.100.1/24
ip proxy-arp
ip dhcp binding lan
no shutdown
!
interface GigaEthernet2.3
encapsulation dot1q 60 tpid 8100
auto-connect
no ip address
ip dhcp binding vlan60
bridge-group 1
no shutdown

523 anon 2016/12/30 (Fri) 01:48:15.23 ID:???
Continuing from above.
ip access-list a deny ip src 192.168.100.0/24 dest 192.168.1.0/24
ip access-list a permit ip src any dest any
ip access-list b deny ip src 192.168.1.0/24 dest 192.168.100.0/24
ip access-list b permit ip src any dest any

For the telnet restriction, it is one of the following. If you restrict by segment:
ip access-list telnet permit ip src 192.168.100.0/24 dest any

If you limit it to the management PC only:
ip access-list telnet permit ip src 192.168.100.1/32 dest any

And then:
telnet-server ip access-list telnet

526 anonymous 2016/12/30 (Fri) 09:39:40.95 ID:???
To prohibit communication between segments:
ip access-list a deny ip src 192.168.100.0/24 dest 192.168.1.0/24
ip access-list a deny ip src 192.168.60.0/24 dest 192.168.1.0/24
ip access-list a permit ip src any dest any
ip access-list b deny ip src 192.168.1.0/24 dest 192.168.100.0/24
ip access-list b deny ip src 192.168.60.0/24 dest 192.168.100.0/24
ip access-list b permit ip src any dest any
ip access-list c deny ip src 192.168.1.0/24 dest 192.168.60.0/24
ip access-list c deny ip src 192.168.100.0/24 dest 192.168.60.0/24
ip access-list c permit ip src any dest any

527 anonymous 2016/12/30 (Fri) 09:39:49.25 ID:???
Continued.
interface GigaEthernet2.1
encapsulation dot1q 20 tpid 8100
auto-connect
ip address 192.168.1.1/24
ip dhcp binding vlan2
ip filter a 10 in
no shutdown
interface GigaEthernet2.2
encapsulation dot1q 10 tpid 8100
auto-connect
ip address 192.168.100.1/24
ip proxy-arp
ip dhcp binding lan
ip filter b 10 in
no shutdown

interface BVI0
ip address 192.168.60.1/24
ip dhcp binding vlan60
ip filter c 10 in
bridge-group 1
no shutdown
As I also wrote in >>518, put the DHCP binding on the BVI interface.

528 anonymous 2016/12/30 (Fri) 09:48:36.03 ID:???
I got the in/out direction of the filters wrong in >>527.... I'll go and die now.

529 anonymous 2016/12/30 (Fri) 10:23:19.13 ID:???
This way is cleaner:
ip access-list a deny ip src any dest 192.168.100.0/24
ip access-list a deny ip src any dest 192.168.60.0/24
ip access-list a permit ip src any dest any
ip access-list b deny ip src any dest 192.168.1.0/24
ip access-list b deny ip src any dest 192.168.60.0/24
ip access-list b permit ip src any dest any
ip access-list c deny ip src any dest 192.168.1.0/24
ip access-list c deny ip src any dest 192.168.100.0/24
ip access-list c permit ip src any dest any

interface GigaEthernet2.1
ip filter a 10 in

interface GigaEthernet2.2
ip filter b 10 in

interface BVI0
ip filter c 10 in

530 anon 2016/12/31 (Sat) 02:12:52.63 ID:???
>>525-529
ip access-list c deny ip src 192.168.1.0/24 dest 192.168.60.0/24
ip access-list c deny ip src 192.168.100.0/24 dest 192.168.60.0/24
ip access-list c permit ip src any dest any

531 anonymous 2016/12/31 (Sat) 11:10:05.94 ID:???
Ah, "c" can't be used as an access list name (it becomes the separate command ip access-list cache). Sorry, I didn't try it on real hardware.
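The two access-list variants in the thread (the source-based lists of post 527 and the destination-based lists of post 529) only isolate the three LANs if each is applied in the right direction, which is what post 528 admits getting wrong. The following Python script is an added example, not code from the thread or from NEC, that parses both rule sets from the posts and simulates a packet entering (in) or leaving (out) each filtered interface, using first-match-wins semantics with an implicit final deny. It assumes that "in" means packets arriving on the interface from its LAN and "out" means packets leaving toward that LAN, and it renames list "c" to "seg60" because post 531 notes that "c" collides with ip access-list cache on the real CLI; the subnet-to-interface mapping and the sample internet address 203.0.113.10 are constructed for the example.

```python
import ipaddress

# Constructed sample: the lists from post 529 (destination-based) and post 527 (source-based),
# with "c" renamed to "seg60" because post 531 says "c" is not a usable list name.
ACLS_529 = """\
ip access-list a deny ip src any dest 192.168.100.0/24
ip access-list a deny ip src any dest 192.168.60.0/24
ip access-list a permit ip src any dest any
ip access-list b deny ip src any dest 192.168.1.0/24
ip access-list b deny ip src any dest 192.168.60.0/24
ip access-list b permit ip src any dest any
ip access-list seg60 deny ip src any dest 192.168.1.0/24
ip access-list seg60 deny ip src any dest 192.168.100.0/24
ip access-list seg60 permit ip src any dest any
"""

ACLS_527 = """\
ip access-list a deny ip src 192.168.100.0/24 dest 192.168.1.0/24
ip access-list a deny ip src 192.168.60.0/24 dest 192.168.1.0/24
ip access-list a permit ip src any dest any
ip access-list b deny ip src 192.168.1.0/24 dest 192.168.100.0/24
ip access-list b deny ip src 192.168.60.0/24 dest 192.168.100.0/24
ip access-list b permit ip src any dest any
ip access-list seg60 deny ip src 192.168.1.0/24 dest 192.168.60.0/24
ip access-list seg60 deny ip src 192.168.100.0/24 dest 192.168.60.0/24
ip access-list seg60 permit ip src any dest any
"""

# Interface -> (LAN subnet behind it, list applied with "ip filter <name> 10 <in|out>");
# the mapping follows the interface configs posted in the thread.
FILTERS = {
    "GigaEthernet2.1": ("192.168.1.0/24", "a"),
    "GigaEthernet2.2": ("192.168.100.0/24", "b"),
    "BVI0": ("192.168.60.0/24", "seg60"),
}

INTERNET_HOST = "203.0.113.10"  # constructed off-LAN destination (documentation range)


def parse_acls(text):
    """Parse 'ip access-list <name> <permit|deny> ip src <net> dest <net>' lines into a dict."""
    acls = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) != 9 or p[:2] != ["ip", "access-list"] or p[5] != "src" or p[7] != "dest":
            continue
        acls.setdefault(p[2], []).append((p[3], p[6], p[8]))
    return acls


def _in(net, addr):
    """True if addr is covered by net ('any' matches everything)."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def evaluate(entries, src, dst):
    """First matching entry wins; a packet that matches nothing is denied."""
    for action, s, d in entries:
        if _in(s, src) and _in(d, dst):
            return action
    return "deny"


def verdict(acls, src, dst, direction="in"):
    """Apply the filter of the interface a packet enters (in) or leaves by (out).

    Assumption: 'in' selects the interface owning src, 'out' the one owning dst.
    A direction with no filtered LAN interface involved (e.g. the WAN side) is permitted."""
    key = src if direction == "in" else dst
    for _iface, (subnet, name) in FILTERS.items():
        if _in(subnet, key):
            return evaluate(acls[name], src, dst)
    return "permit"


def isolation_matrix(acl_text, direction="in"):
    """{(src_subnet, dst_subnet_or_'internet'): verdict} for every LAN pair."""
    acls = parse_acls(acl_text)
    hosts = {subnet: str(ipaddress.ip_network(subnet)[10]) for subnet, _ in FILTERS.values()}
    result = {}
    for s_net, s_host in hosts.items():
        for d_net, d_host in hosts.items():
            if s_net != d_net:
                result[(s_net, d_net)] = verdict(acls, s_host, d_host, direction)
        result[(s_net, "internet")] = verdict(acls, s_host, INTERNET_HOST, direction)
    return result


def fully_isolated(acl_text, direction="in"):
    """True when every LAN-to-LAN flow is denied and every LAN-to-internet flow is permitted."""
    return all((v == "permit") if d == "internet" else (v == "deny")
               for (_s, d), v in isolation_matrix(acl_text, direction).items())


if __name__ == "__main__":
    for label, text in (("post 529", ACLS_529), ("post 527", ACLS_527)):
        for direction in ("in", "out"):
            print(f"{label} applied {direction}: isolated = {fully_isolated(text, direction)}")
```

Running it shows that the post 529 lists isolate the segments only when applied in, and the post 527 lists only when applied out; the other combination lets the first LAN-to-LAN packet through because the deny entries never match the addresses seen in that direction.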
The command results are as follows.
RouterA(config)# sh ike sa
ISAKMP SA - 1 configured, 0 created
RouterA(config)# sh ipsec sa
IPsec SA - 1 configured, 0 created
Interface is Tunnel0.0
Key policy map name is ipsec-policy
Tunnel mode, 4-over-4, autokey-map
Local address is unknown
Remote address is unknown
Outgoing interface is GigaEthernet0.0
Interface MTU is 1500, path MTU is 1500
Inbound: <NONE>
Outbound: <NONE>
Perfect forward secrecy is off

549 anonymous 2017/01/13 (Fri) 23:10:57.99 ID:???
>>548
No SA has been created at all.

Here, the ***** parts are random values, but they are values that pair up between device A and device B, so check them.

560 anonymous 2017/01/15 (Sun) 10:23:08.94 ID:???
RouterA(config)# sh ike sa
ISAKMP SA - 1 configured, 1 created
Local address is 10.10.10.10, port is 500
Remote address is 20.20.20.20, port is 500
IKE policy name is ike-policy
Direction is initiator
Initiator's cookie is 0x****************
Responder's cookie is 0x****************
Exchange type is main mode
State is established

561 anonymous 2017/01/15 (Sun) 10:23:36.76 ID:???
Continuation of >>560
Authentication method is pre-shared
Encryption algorithm is aes-128
Hash algorithm is sha1
DH group is modp768, lifetime is 28782 seconds
#ph1 success: 1, #ph1 failure: 0
#ph1 hash err: 0, #ph1 timeout: 0, #ph1 resend: 0
#ph2 success: 1, #ph2 failure: 0
#ph2 hash err: 0, #ph2 timeout: 0, #ph2 resend: 0

562 anonymous 2017/01/15 (Sun) 10:23:54.66 ID:???
RouterA(config)# sh ipsec sa
IPsec SA - 1 configured, 2 created
Interface is Tunnel0.0
Key policy map name is ipsec-policy
Tunnel mode, 4-over-4, autokey-map
Local address is 10.10.10.10
Remote address is 20.20.20.20
Outgoing interface is GigaEthernet0.0
Interface MTU is 1438, path MTU is 1500
Inbound: ESP, SPI is 0x********(**********)
Transform is ESP-AES-128-HMAC-SHA-96
Remaining lifetime is 28778 seconds
Replay detection support is on
Outbound: ESP, SPI is 0x********(**********)
Transform is ESP-AES-128-HMAC-SHA-96
Remaining lifetime is 28778 seconds
Replay detection support is on
Perfect forward secrecy is off

563 anonymous 2017/01/15 (Sun) 15:04:37.88 ID:???
It's been a while since I've seen such a kind corner of the net lol

564 あ 2017/01/17 (Tue) 02:57:04.14 ID:???
Yeah, it's really appreciated. I've been helped several times myself, and I'm grateful to this thread.

565 あ 2017/01/17 (Tue) 02:58:29.61 ID:???
Thanks to the people who give advice and to this thread.

566 anonymous@ai126202162244.64.access-internet.ne.jp 2017/01/17 (Tue) 07:12:53.38 ID:JyVRipg9
anonymaous-san, I've retrieved it.
RouterA(config)# sh conf
hostname RouterA
timezone +09 00
ip ufs-cache enable
ip route 20.20.20.0/24 10.10.10.1
ip route 192.168.1.0/24 Tunnel0.0
ip nat pool pool1 192.168.0.1 192.168.0.254
ip access-list list1 permit ip src 172.16.0.0/24 dest 192.168.1.0/24
ip access-list list2 permit ip src 172.16.0.0/24 dest any
ike policy ike-policy peer 20.20.20.20 key himitsukagi default
ipsec autokey-map ipsec-policy list1 peer 20.20.20.20 default
ipsec local-id ipsec-policy 192.168.0.0/24
ipsec remote-id ipsec-policy 192.168.1.0/24
device GigaEthernet0
device GigaEthernet1
device GigaEthernet2
device BRI0
isdn switch-type hsd128k
device USB0
shutdown

567 anonymous@ai126202162244.64.access-internet.ne.jp 2017/01/17 (Tue) 07:14:35.27 ID:JyVRipg9
interface GigaEthernet0.0
ip address 10.10.10.10/24
no shutdown
interface GigaEthernet1.0
no ip address
shutdown
interface GigaEthernet2.0
ip address 172.16.0.254/24
no shutdown
interface BRI0.0
encapsulation ppp
no auto-connect
no ip address
shutdown
interface USB-Serial0.0
encapsulation ppp
no auto-connect
no ip address
shutdown
interface Loopback0.0
no ip address
interface Null0.0
no ip address
interface Tunnel0.0
tunnel mode ipsec
no ip address
ip nat enable
ip nat dynamic list list2 pool pool1
ipsec policy tunnel ipsec-policy out
no shutdown
RouterA(config)#

568 anonymous@ai126202162244.64.access-internet.ne.jp 2017/01/17 (Tue) 07:14:55.16 ID:JyVRipg9
RouterB(config)# sh conf
Using 1538 out of 524288 bytes
hostname RouterB
timezone +09 00
logging buffered 131072
logging subsystem all warn
logging timestamp datetime
ip ufs-cache enable
ip route 10.10.10.0/24 20.20.20.1
ip route 192.168.0.0/24 Tunnel0.0
ip dhcp enable
ip access-list list1 permit ip src 192.168.1.0/24 dest 192.168.0.0/24
ip access-list web-http-acl permit ip src any dest 192.168.1.254/32
ike policy ike-policy peer 10.10.10.10 key himitsukagi default
ipsec autokey-map ipsec-policy list1 peer 10.10.10.10 default
ipsec local-id ipsec-policy 192.168.1.0/24
ipsec remote-id ipsec-policy 192.168.0.0/24
http-server ip access-list web-http-acl
http-server ip enable

569 anonymous@ai126202162244.64.access-internet.ne.jp 2017/01/17 (Tue) 07:15:58.39 ID:JyVRipg9
web-console interface lan1 GigaEthernet1.0
ip dhcp profile web-dhcp-gigaethernet1.0
dns-server 192.168.1.254
device GigaEthernet0
device GigaEthernet1
interface GigaEthernet0.0
ip address 20.20.20.20/24
no shutdown
interface GigaEthernet1.0
ip address 192.168.1.254/24
ip dhcp binding web-dhcp-gigaethernet1.0
no shutdown
interface Loopback0.0
no ip address
interface Null0.0
no ip address
interface Tunnel0.0
tunnel mode ipsec
no ip address
ipsec policy tunnel ipsec-policy out
no shutdown
RouterB(config)#
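The thread diagnoses the tunnel by eye from "sh ike sa" and "sh ipsec sa": "0 created" and "Inbound: <NONE>" in post 548 mean phase 1 never completed, while post 560-562 shows an established ISAKMP SA and an ESP SA in both directions. The following Python script is an added example, not code from the thread or from NEC, that parses the fields a troubleshooter checks first out of that output and returns a status plus findings. The two sample outputs are constructed from the text posted above (cookies and SPIs masked with asterisks exactly as in the posts); the field names and regular expressions are tied to that wording and would need adjusting for other firmware output. It also flags the negotiated DH group when it is modp768 or modp1024, since 768-bit and 1024-bit MODP groups are too small by current standards.

```python
import re

# Constructed sample: the "down" output from post 548 and the "up" output from posts 560-562.
SA_DOWN = """\
RouterA(config)# sh ike sa
ISAKMP SA - 1 configured, 0 created
RouterA(config)# sh ipsec sa
IPsec SA - 1 configured, 0 created
Interface is Tunnel0.0
Key policy map name is ipsec-policy
Tunnel mode, 4-over-4, autokey-map
Local address is unknown
Remote address is unknown
Outgoing interface is GigaEthernet0.0
Interface MTU is 1500, path MTU is 1500
Inbound: <NONE>
Outbound: <NONE>
Perfect forward secrecy is off
"""

SA_UP = """\
RouterA(config)# sh ike sa
ISAKMP SA - 1 configured, 1 created
Local address is 10.10.10.10, port is 500
Remote address is 20.20.20.20, port is 500
IKE policy name is ike-policy
Direction is initiator
Initiator's cookie is 0x****************
Responder's cookie is 0x****************
Exchange type is main mode
State is established
Authentication method is pre-shared
Encryption algorithm is aes-128
Hash algorithm is sha1
DH group is modp768, lifetime is 28782 seconds
#ph1 success: 1, #ph1 failure: 0
#ph1 hash err: 0, #ph1 timeout: 0, #ph1 resend: 0
#ph2 success: 1, #ph2 failure: 0
#ph2 hash err: 0, #ph2 timeout: 0, #ph2 resend: 0
RouterA(config)# sh ipsec sa
IPsec SA - 1 configured, 2 created
Interface is Tunnel0.0
Key policy map name is ipsec-policy
Tunnel mode, 4-over-4, autokey-map
Local address is 10.10.10.10
Remote address is 20.20.20.20
Outgoing interface is GigaEthernet0.0
Interface MTU is 1438, path MTU is 1500
Inbound: ESP, SPI is 0x********(**********)
Transform is ESP-AES-128-HMAC-SHA-96
Remaining lifetime is 28778 seconds
Replay detection support is on
Outbound: ESP, SPI is 0x********(**********)
Transform is ESP-AES-128-HMAC-SHA-96
Remaining lifetime is 28778 seconds
Replay detection support is on
Perfect forward secrecy is off
"""

WEAK_DH_GROUPS = {"modp768", "modp1024"}  # 768/1024-bit MODP: too small by current standards


def _count(pattern, text):
    """Integer captured by the first match of pattern, or 0 when the line is absent."""
    m = re.search(pattern, text, re.M)
    return int(m.group(1)) if m else 0


def _field(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def parse_sa_output(text):
    """Extract SA counters, phase 1 state, DH group and ESP presence from the show output."""
    return {
        "isakmp_created": _count(r"^ISAKMP SA - \d+ configured, (\d+) created", text),
        "ipsec_created": _count(r"^IPsec SA - \d+ configured, (\d+) created", text),
        "state": _field(r"^State is (\S+)", text),
        "dh_group": _field(r"^DH group is (\S+?),", text),
        "inbound_esp": bool(re.search(r"^Inbound: ESP", text, re.M)),
        "outbound_esp": bool(re.search(r"^Outbound: ESP", text, re.M)),
        "ph1_failure": _count(r"#ph1 failure: (\d+)", text),
        "ph2_failure": _count(r"#ph2 failure: (\d+)", text),
        "lifetimes": [int(x) for x in re.findall(r"^Remaining lifetime is (\d+) seconds", text, re.M)],
    }


def diagnose(text):
    """Return (status, findings); status is 'down', 'partial' or 'up'."""
    i = parse_sa_output(text)
    blocking, advisory = [], []
    if i["isakmp_created"] == 0:
        blocking.append("no ISAKMP SA created: phase 1 never completed (check peer, policy, key)")
    elif i["state"] != "established":
        blocking.append(f"ISAKMP SA state is {i['state']!r}, not established")
    if not (i["inbound_esp"] and i["outbound_esp"]):
        blocking.append("ESP SA missing in at least one direction: phase 2 not established")
    if i["ph1_failure"] or i["ph2_failure"]:
        advisory.append(f"negotiation failures seen: ph1={i['ph1_failure']} ph2={i['ph2_failure']}")
    if i["dh_group"] in WEAK_DH_GROUPS:
        advisory.append(f"DH group {i['dh_group']} is weak; prefer a 2048-bit or larger group")
    if i["isakmp_created"] == 0 and not i["inbound_esp"]:
        status = "down"
    elif blocking:
        status = "partial"
    else:
        status = "up"
    return status, blocking + advisory


if __name__ == "__main__":
    for label, sample in (("post 548", SA_DOWN), ("posts 560-562", SA_UP)):
        status, findings = diagnose(sample)
        print(label, status, findings)
```

On the post 548 output the result is "down" with the phase 1 finding; on the post 560-562 output it is "up" with only the modp768 advisory, which matches the thread's own reading of the two captures.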