871 and ACLs on VLANs
Posted: Mon 28 Sep 2009 11:36 pm
Hi everyone, I have a Cisco 871 router on which I have configured 3 VLANs.
VLAN 1 is the management network
VLAN 10 is the guest network
VLAN 20 is the private network
At the moment all the VLANs talk to each other without problems, but I would like to block access:
from VLAN 10 to VLAN 1
from VLAN 20 to VLAN 1
All other directions must stay open.
How can I apply these rules to the VLANs? I have seen some examples that use VLAN maps, but those commands are not recognised on this router....
This is my current configuration
version 12.4
no parser cache
no service pad
service tcp-keepalives-in
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging userinfo
logging buffered 32000 informational
logging console informational
logging monitor informational
enable secret 5 <password>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login admin local
!
!
aaa session-id common
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
no ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.1.1.1 10.1.1.99
ip dhcp excluded-address 10.1.10.1 10.1.10.99
ip dhcp excluded-address 10.1.20.1 10.1.20.99
!
ip dhcp pool VLAN1
import all
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
domain-name domain.lan
lease 7
!
ip dhcp pool VLAN10
import all
network 10.1.10.0 255.255.255.0
default-router 10.1.10.1
domain-name domain.lan
lease 7
!
ip dhcp pool VLAN20
import all
network 10.1.20.0 255.255.255.0
default-router 10.1.20.1
domain-name domain.lan
lease 7
!
!
no ip bootp server
no ip domain lookup
ip domain name domain.lan
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 1100
ip inspect one-minute high 1100
ip inspect one-minute low 1100
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 tcp
login block-for 60 attempts 3 within 30
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 <password>
!
no crypto isakmp enable
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh rsa keypair-name ROUTER.domain.lan
ip ssh version 2
!
!
!
interface FastEthernet0
description LAN
switchport mode trunk
no cdp enable
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN port - Link to bridge xDSL
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
description ADMIN Network
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan10
description GUEST Network
ip address 10.1.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan20
description PRIVATE Network
ip address 10.1.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
ip access-group 101 in
ip access-group 102 out
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <account>
ppp chap password 7 <password>
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 Vlan1
ip route 10.1.10.0 255.255.255.0 Vlan10
ip route 10.1.20.0 255.255.255.0 Vlan20
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
!
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.255
access-list 1 permit 10.1.20.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner exec ^CCC
% Password expiration warning.
* * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * * *
All change are logged...
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
^C
banner login ^CC
* * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE
ONLY.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
^C
!
line con 0
login authentication admin
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 5 0
privilege level 15
login authentication admin
transport input ssh
!
scheduler max-task-time 5000
end
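One way to do this on an 871, as an added example that is not part of the original post: the four FastEthernet ports are switch ports, so hosts in the same VLAN talk at layer 2, but traffic between VLANs is routed through the Vlan1/Vlan10/Vlan20 SVIs, and an extended ACL applied inbound on an SVI filters exactly that routed traffic. A plain `deny ip any 10.1.1.0 0.0.0.255` on Vlan10 and Vlan20 would also drop the replies to sessions that the admin VLAN opens toward guest or private hosts, which the post says must keep working, so the example tags sessions leaving Vlan1 with a reflexive ACL and lets the guest/private ACLs evaluate it before the deny. The ACL names ADMIN-OUT, ADMIN-REPLIES, GUEST-IN and PRIVATE-IN are assumptions; the addresses are the ones in the posted configuration.

```cisco
! Added example, not from the original post. Names of the ACLs are assumed.
!
! Sessions initiated from the admin VLAN (10.1.1.0/24) create temporary
! reverse entries in ADMIN-REPLIES as they enter Vlan1 from the LAN.
ip access-list extended ADMIN-OUT
 permit ip any any reflect ADMIN-REPLIES timeout 300
!
! Guest VLAN: replies to admin-initiated sessions first, then block everything
! else aimed at the admin subnet, then leave all other destinations open
! (private VLAN, Internet, the router's own 10.1.10.1 for DHCP/DNS).
ip access-list extended GUEST-IN
 evaluate ADMIN-REPLIES
 deny   ip any 10.1.1.0 0.0.0.255 log
 permit ip any any
!
! Private VLAN: same policy as the guest VLAN.
ip access-list extended PRIVATE-IN
 evaluate ADMIN-REPLIES
 deny   ip any 10.1.1.0 0.0.0.255 log
 permit ip any any
!
interface Vlan1
 description ADMIN Network
 ip access-group ADMIN-OUT in
!
interface Vlan10
 description GUEST Network
 ip access-group GUEST-IN in
!
interface Vlan20
 description PRIVATE Network
 ip access-group PRIVATE-IN in
```

After applying it, test from a guest host: a ping or SSH to 10.1.1.1 or any 10.1.1.x host must fail, while Internet access and access to 10.1.20.x must still work; from an admin host, open a connection to a guest host and confirm it completes. `show ip access-lists` shows the hit counters on the deny lines and the temporary entries that appear under ADMIN-REPLIES while an admin-initiated session is open. Note that the deny also blocks guest and private hosts from reaching the router's management address 10.1.1.1, which is normally what you want for a management VLAN; the router remains reachable from those VLANs on its own SVI addresses (10.1.10.1, 10.1.20.1), so keep `transport input ssh` and the login ACL in mind if that is not desired. The `log` keyword is useful while testing but costs CPU on an 871 with `no ip cef` (all ACL matching is process-switched), so drop it once the policy is confirmed.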