I've been unwell after several all-nighters in a row and haven't touched the IX at all, but I should be able to work on it from tomorrow. I'll report back once the configuration is done. Thank you.

0078 anonymous@fusianasan 2022/07/11(Mon) 09:34:48.36 ID:???
>>77
Config changes for site B:

interface GigaEthernet2:1.0
  ip filter b 10 out
  bridge-group 1
  no shutdown
interface BVI5
  bridge-group 1
  no shutdown
interface Tunnel2.0
  bridge-group 1
  no shutdown

If you want to separate the DHCP servers of site A and site B (protocol 67-68) and DHCPv6 (protocol 546-547):

ip access-list dhcp-sec deny udp src any sport range 67 68 dest any dport range 67 68
ip access-list dhcpv6-sec deny udp src any sport range 546 547 dest any dport range 546 547
ip access-list dhcp-pass permit ip src any dest any
interface Tunnel2.0
  ip filter dhcp-sec 1 in
  ip filter dhcpv6-sec 2 in
  ip filter dhcp-pass 100 in
  no shutdown
In the site-B config below, it looks like you have adopted a setup where traffic leaves through the router's own PPPoE connection and the IP access list lets only UDP 500 and ESP packets through.

ip route default GigaEthernet0.1
ip access-list flt-list1 permit udp src 111.222.333.444/32 sport eq 500 dest any dport eq 500
ip access-list flt-list1 permit 50 src 111.222.333.444/32 dest any
interface GigaEthernet0.1
  encapsulation pppoe
  auto-connect
  ppp binding plala
  ip address ipcp
  ip napt enable
  ip napt static GigaEthernet0.1 udp 500
  ip napt static GigaEthernet0.1 50
  ip filter flt-list1 1 in

0084 anonymous@fusianasan 2022/07/14(Thu) 01:16:23.37 ID:???
>>81 >>83
Continued.

ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 80
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 443
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 25
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 587
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 143
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 993
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 995
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport any dest any dport eq 8080
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 80
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 443
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 25
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 587
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 143
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 993
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 995
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport any dest any dport eq 8080
route-map r-map permit 10
  match ip address access-list etherip-isp1
  set ip next-hop 192.168.101.253
ip route default GigaEthernet0.1
ip route default 192.168.101.253 distance 50

0086 anonymous@fusianasan 2022/07/14(Thu) 01:23:51.62 ID:???
>>81 >>83
ip access-list flt-list1 permit udp src any sport eq 4500 dest any dport eq 4500
ip access-list flt-list1 permit udp src any sport eq 1701 dest any dport eq 1701
interface GigaEthernet0.1
  ip napt static GigaEthernet0.1 udp 4500
  ip napt static GigaEthernet0.1 udp 1701
Sorry to ask yet another question, but should the "ip filter flt-list1 1 in" written in >>83 be deleted?? Even after adding what is written in >>88:

ip access-list flt-list1 permit udp src any sport eq 4500 dest any dport eq 4500
ip access-list flt-list1 permit udp src any sport eq 1701 dest any dport eq 1701
interface GigaEthernet0.1
  ip napt static GigaEthernet0.1 udp 4500
  ip napt static GigaEthernet0.1 udp 1701

it seems the site-B terminals cannot get out to the Internet unless I remove "ip filter flt-list1 1 in" from interface GigaEthernet0.1.
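The DHCP split in >>78 and the flt-list1 question just above both come down to how the bound filters are evaluated. The following is an added example, not code posted in the thread: a small Python model of the access lists quoted above. It assumes (the thread does not say so) that the lists bound to one interface direction are tried in ascending priority order, that the first matching entry decides, and that a packet matching no entry is dropped once any filter is bound in that direction (implicit deny). NAPT is not modelled; the thread's placeholder peer 111.222.333.444 is replaced by 203.0.113.7, 198.51.100.9 stands in for the PPPoE address, and every packet is constructed.

```python
"""First-match evaluation of IX-style `ip access-list` entries bound with `ip filter`.

Added example, not the thread's own code. Assumed semantics: ascending priority,
first match wins, implicit deny once any filter is bound. NAPT is not modelled.
203.0.113.7 replaces the thread's placeholder peer; 198.51.100.9 is an assumed
PPPoE address; all packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", or an IP protocol number as text ("50" = ESP)
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _port_spec(tok, i):
    """Parse `any`, `eq N` or `range LO HI` at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "eq":
        return ("eq", int(tok[i + 1])), i + 2
    if tok[i] == "range":
        return ("range", int(tok[i + 1]), int(tok[i + 2])), i + 3
    raise ValueError(f"bad port spec {tok[i]!r}")


def parse_access_lists(text):
    """{name: [entry, ...]} from `ip access-list NAME permit|deny PROTO src A [sport ..] dest B [dport ..]`."""
    lists = {}
    for raw in text.splitlines():
        tok = raw.split()
        if tok[:2] != ["ip", "access-list"]:
            continue
        e = {"action": tok[3], "proto": tok[4], "src": "any", "dst": "any", "sport": None, "dport": None}
        i = 5
        while i < len(tok):
            key = tok[i]
            if key == "src":
                e["src"], i = tok[i + 1], i + 2
            elif key == "dest":
                e["dst"], i = tok[i + 1], i + 2
            elif key in ("sport", "dport"):
                e[key], i = _port_spec(tok, i + 1)
            else:
                raise ValueError(f"unexpected {key!r} in: {raw}")
        lists.setdefault(tok[2], []).append(e)   # entries keep the order they were entered
    return lists


def _match(e, p):
    def addr(spec, a):
        return spec == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(spec, strict=False)

    def port(spec, n):
        return spec is None or (n == spec[1] if spec[0] == "eq" else spec[1] <= n <= spec[2])

    return ((e["proto"] == "ip" or e["proto"] == p.proto)
            and addr(e["src"], p.src) and addr(e["dst"], p.dst)
            and port(e["sport"], p.sport) and port(e["dport"], p.dport))


def evaluate(bindings, lists, p):
    """bindings = [(name, priority), ...] as in `ip filter NAME PRIORITY in`."""
    for name, _ in sorted(bindings, key=lambda b: b[1]):
        for e in lists.get(name, []):
            if _match(e, p):
                return e["action"]
    return "deny (implicit)"


# Rules quoted from the thread (DHCP split on Tunnel2.0; flt-list1 on GigaEthernet0.1).
TUNNEL_RULES = """\
ip access-list dhcp-sec deny udp src any sport range 67 68 dest any dport range 67 68
ip access-list dhcp-pass permit ip src any dest any
"""
TUNNEL_IN = [("dhcp-sec", 1), ("dhcp-pass", 100)]
PPPOE_RULES = """\
ip access-list flt-list1 permit udp src 203.0.113.7/32 sport eq 500 dest any dport eq 500
ip access-list flt-list1 permit 50 src 203.0.113.7/32 dest any
"""
PPPOE_IN = [("flt-list1", 1)]
NATT_LINE = "ip access-list flt-list1 permit udp src any sport eq 4500 dest any dport eq 4500\n"

# Constructed packets: DHCP DISCOVER, a web flow over the bridge, IKE/ESP/NAT-T from the peer,
# and an HTTPS reply coming back from the Internet for a NAPT'd client session.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
TUNNEL_WEB = Packet("tcp", "192.168.101.10", "192.168.1.20", 51000, 80)
IKE_FROM_PEER = Packet("udp", "203.0.113.7", "198.51.100.9", 500, 500)
ESP_FROM_PEER = Packet("50", "203.0.113.7", "198.51.100.9")
WEB_REPLY = Packet("tcp", "93.184.216.34", "198.51.100.9", 443, 51514)
NATT_FROM_PEER = Packet("udp", "203.0.113.7", "198.51.100.9", 4500, 4500)


def tunnel_verdicts():
    lists = parse_access_lists(TUNNEL_RULES)
    return {p: evaluate(TUNNEL_IN, lists, p) for p in (DHCP_DISCOVER, TUNNEL_WEB)}


def pppoe_verdicts(extra=""):
    """Verdicts on the PPPoE side; pass NATT_LINE as `extra` to add the >>88 UDP 4500 entry."""
    lists = parse_access_lists(PPPOE_RULES + extra)
    return {p: evaluate(PPPOE_IN, lists, p)
            for p in (IKE_FROM_PEER, ESP_FROM_PEER, WEB_REPLY, NATT_FROM_PEER)}


if __name__ == "__main__":
    for p, v in {**tunnel_verdicts(), **pppoe_verdicts()}.items():
        print(f"{v:16} {p}")
    print("UDP 4500 after the >>88 line:", pppoe_verdicts(NATT_LINE)[NATT_FROM_PEER])
```

Run it with python3 and it prints one verdict per packet. On the tunnel, the DISCOVER is dropped by dhcp-sec while the web flow falls through to dhcp-pass. Against flt-list1 only IKE and ESP from the peer pass; the HTTPS reply matches nothing and hits the implicit deny, which is the symptom described in the question above, and UDP 4500 passes only once the >>88 line is present. Two caveats on the thread's own rules that the model does not hide: on IX, ip access-list matches IPv4, so the dhcpv6-sec entry will not see DHCPv6 frames crossing the bridge (those need ipv6 access-list and ipv6 filter); and the thread does not say whether the inbound filter sees NAPT'd return traffic before or after translation, so the model only shows that no flt-list1 entry matches a TCP reply either way.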
ids ip type all action discard
ids ip type ip-header action detect
ids ip type icmp action detect
ids ip type udp action detect
ids ip type tcp action detect
ids ip type ftp action detect
ids logging-interval 10

0103 anonymous@fusianasan 2022/07/17(Sun) 14:47:19.30 ID:???
>>99 >>102
ip access-list etherip-isp1 permit tcp src 192.168.101.0/24 sport eq 22 dest any dport eq 50000
ip access-list etherip-isp1 permit udp src 192.168.101.0/24 sport eq 22 dest any dport eq 50000

0104 anonymous@fusianasan 2022/07/17(Sun) 16:37:00.59 ID:???
>>100 >>101
If you build VLANs with the IX router and the L3 switch beneath it and have the IX router side hand out DHCP, would you put a physical IP address (10.1.1.254/23) on the IX router's GE2.0 interface? Since it is a multi-subnet setup, depending on how it is operated you would end up combining it with the BVI function, but the approach would be to add tagged-VLAN subinterfaces under the GE2.0 interface that carries the physical IP address and bind a separate DHCP profile to each tagged-VLAN interface. Is that acceptable? A configuration example follows.

ip dhcp profile dhcp1
  assignable-range 10.1.0.100 10.1.0.109
  default-gateway 10.1.1.254
  dns-server 10.1.1.254
ip dhcp profile dhcp2
  assignable-range 10.1.11.1 10.1.11.99
  default-gateway 10.1.11.254
  dns-server 10.1.11.254
ip dhcp profile dhcp3
  assignable-range 10.1.13.1 10.1.13.99
  default-gateway 10.1.13.254
  dns-server 10.1.13.254
ip dhcp profile dhcp4
  assignable-range 10.1.21.1 10.1.21.99
  default-gateway 10.1.21.254
  dns-server 94.140.14.14 94.140.15.15
ip dhcp profile dhcp5
  assignable-range 10.1.31.1 10.1.31.99
  default-gateway 10.1.31.254
  dns-server 94.140.14.14 94.140.15.15
interface GigaEthernet2.0
  description LAN1
  ip address 10.1.1.254/23
  no shutdown

0105 anonymous@fusianasan 2022/07/17(Sun) 16:38:34.09 ID:???
>>100 >>104
Continued.

interface GigaEthernet2:1.0
  description VLAN1
  encapsulation dot1q 1 tpid 8100
  ip address 10.1.11.254/23
  ip proxy-arp
  ip dhcp binding dhcp1
  ip filter all-forward 65000 in
  ip filter all-forward 65000 out
  no shutdown
interface GigaEthernet2:2.0
  description VLAN2
  encapsulation dot1q 2 tpid 8100
  ip address 10.1.21.254/23
  ip dhcp binding dhcp2
  ip proxy-arp
  ip filter all-forward 65000 in
  ip filter all-forward 65000 out
  no shutdown

0106 anonymous@fusianasan 2022/07/17(Sun) 16:39:26.88 ID:???
>>100 >>105
Continued.

interface GigaEthernet2:3.0
  description VLAN3
  encapsulation dot1q 3 tpid 8100
  ip address 10.1.13.254/23
  ip dhcp binding dhcp3
  ip proxy-arp
  ip filter all-forward 65000 in
  ip filter all-forward 65000 out
  no shutdown
interface GigaEthernet2:4.0
  description VLAN4
  encapsulation dot1q 4 tpid 8100
  ip address 10.1.21.254/23
  ip dhcp binding dhcp4
  ip proxy-arp
  ip filter all-forward 65000 in
  ip filter all-forward 65000 out
  no shutdown
interface GigaEthernet2:5.0
  description VLAN5
  encapsulation dot1q 5 tpid 8100
  ip address 10.1.31.254/23
  ip dhcp binding dhcp5
  ip proxy-arp
  ip filter all-forward 65000 in
  ip filter all-forward 65000 out
  no shutdown

0107 anonymous@fusianasan 2022/07/17(Sun) 16:40:33.56 ID:???
>>100 >>106
Continued.

ntp ip enable
ntp server 10.1.1.9 priority 254
ntp master 10
ntp retry 3
ntp interval 3600
ip access-list all-forward permit ip src any dest any

0108 anonymous@fusianasan 2022/07/17(Sun) 16:45:34.45 ID:???
Don't paste this much stuff in here.

0109 anonymous@fusianasan 2022/07/17(Sun) 16:46:35.45 ID:???
>>100 >>107
interface Vlan2
 ip address 10.1.1.1 255.255.254.0
 ip helper-address 10.1.11.255
!
interface Vlan10
 ip address 10.1.11.254 255.255.254.0
 ip helper-address 10.1.1.254
 ip directed-broadcast 101
!
interface Vlan12
 ip address 10.1.13.254 255.255.254.0
 ip access-group vlan12 in
 ip helper-address 10.1.1.254
!
interface Vlan20
 ip address 10.1.21.254 255.255.254.0
 ip access-group vlan20 in
 ip helper-address 10.1.1.254
!
interface Vlan30
 ip address 10.1.31.254 255.255.254.0
 ip access-group vlan30 in
 ip helper-address 10.1.1.254

0113 anonymous@fusianasan 2022/07/17(Sun) 19:15:40.42 ID:???
>>112
Continued.

interface BVI1
  ip address 10.1.1.254/23
  ip address 10.1.11.252/23 secondary
  ip address 10.1.13.252/23 secondary
  ip address 10.1.21.252/23 secondary
  ip address 10.1.31.252/23 secondary
  ip proxy-arp
  ip filter all-forward 65000 in
  ip filter all-forward 65000 out
  bridge-group 1
  no shutdown
Because the GE2.0 interface becomes a bridge interface, its IP address is removed:

interface GigaEthernet2.0
  no ip address 10.1.1.254/23
  bridge-group 1
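The per-VLAN layout in 0104-0106 binds each DHCP profile to one tagged subinterface, so a profile's assignable range and default gateway have to sit inside that interface's subnet, and no address may be repeated across interfaces; the BVI variant in 0113 sidesteps the second point by moving the subnets onto secondary addresses. The following is an added example, not code from the thread: a Python check that parses the profile and interface lines exactly as they were posted in 0104-0106 (the assignable-range written space-separated, dns-server lines left out since they are not checked) and reports every mismatch. Only the commands that appear in the thread are parsed.

```python
"""Cross-check IX `ip dhcp profile` definitions against the interfaces that bind them.

Added example, not the poster's code. Parses only the commands seen in the thread;
description, proxy-arp, filter and shutdown lines are ignored.
"""
import ipaddress

# Profiles and interfaces as posted in 0104-0106 (assignable-range space-separated).
POSTED_CONFIG = """\
ip dhcp profile dhcp1
  assignable-range 10.1.0.100 10.1.0.109
  default-gateway 10.1.1.254
ip dhcp profile dhcp2
  assignable-range 10.1.11.1 10.1.11.99
  default-gateway 10.1.11.254
ip dhcp profile dhcp3
  assignable-range 10.1.13.1 10.1.13.99
  default-gateway 10.1.13.254
ip dhcp profile dhcp4
  assignable-range 10.1.21.1 10.1.21.99
  default-gateway 10.1.21.254
ip dhcp profile dhcp5
  assignable-range 10.1.31.1 10.1.31.99
  default-gateway 10.1.31.254
interface GigaEthernet2.0
  ip address 10.1.1.254/23
interface GigaEthernet2:1.0
  ip address 10.1.11.254/23
  ip dhcp binding dhcp1
interface GigaEthernet2:2.0
  ip address 10.1.21.254/23
  ip dhcp binding dhcp2
interface GigaEthernet2:3.0
  ip address 10.1.13.254/23
  ip dhcp binding dhcp3
interface GigaEthernet2:4.0
  ip address 10.1.21.254/23
  ip dhcp binding dhcp4
interface GigaEthernet2:5.0
  ip address 10.1.31.254/23
  ip dhcp binding dhcp5
"""


def parse_config(text):
    """Return ({profile: {range, gateway}}, {interface: {addresses, dhcp}})."""
    profiles, interfaces, cur = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:3] == ["ip", "dhcp", "profile"]:
            cur = profiles.setdefault(tok[3], {"range": None, "gateway": None})
        elif tok[0] == "interface":
            cur = interfaces.setdefault(tok[1], {"addresses": [], "dhcp": None})
        elif tok[0] == "assignable-range":
            cur["range"] = (ipaddress.ip_address(tok[1]), ipaddress.ip_address(tok[2]))
        elif tok[0] == "default-gateway":
            cur["gateway"] = ipaddress.ip_address(tok[1])
        elif tok[:2] == ["ip", "address"]:          # primary, or "... secondary" on a BVI
            cur["addresses"].append(ipaddress.ip_interface(tok[2]))
        elif tok[:3] == ["ip", "dhcp", "binding"]:
            cur["dhcp"] = tok[3]
    return profiles, interfaces


def check(text):
    """List DHCP/interface inconsistencies; an empty list means the layout is consistent."""
    profiles, interfaces = parse_config(text)
    findings, owner = [], {}
    for name, itf in interfaces.items():
        for a in itf["addresses"]:
            first = owner.setdefault(a.ip, name)      # same address on two interfaces
            if first != name:
                findings.append(f"{name}: address {a.ip} already configured on {first}")
        if itf["dhcp"] is None:
            continue
        prof = profiles.get(itf["dhcp"])
        if prof is None:
            findings.append(f"{name}: binds undefined profile {itf['dhcp']}")
            continue
        nets = [a.network for a in itf["addresses"]]
        shown = ", ".join(map(str, nets))
        lo, hi = prof["range"]
        if not any(lo in n and hi in n for n in nets):
            findings.append(f"{name}: {itf['dhcp']} range {lo}-{hi} outside {shown}")
        if not any(prof["gateway"] in n for n in nets):
            findings.append(f"{name}: {itf['dhcp']} gateway {prof['gateway']} outside {shown}")
    return findings


def posted_findings():
    return check(POSTED_CONFIG)


if __name__ == "__main__":
    for line in posted_findings():
        print(line)
```

Run against the lines as posted, it reports five findings: GigaEthernet2:1.0 binds dhcp1, whose range 10.1.0.100-10.1.0.109 and gateway 10.1.1.254 lie outside its 10.1.10.0/23; GigaEthernet2:2.0 binds dhcp2, whose range and gateway lie outside its 10.1.20.0/23; and GigaEthernet2:4.0 repeats the address 10.1.21.254 already on GigaEthernet2:2.0. Whether the fix is to move the bindings or the addresses is a design decision for the poster; the check only says that, as written, two of the five VLANs would hand out leases for a subnet their interface is not on.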