Config Switch 2960

[daysleeper]

Salve a tutti,
devo configurare un 2960 con 3 vlan la cui utilità è quella semplicemente di tenere separate tre reti diverse e questo è quello che ho creato:
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname switch2960
!
enable secret xxxxxxxxxxxxxx
!
ip subnet-zero
!
vtp mode transparent
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree vlan 1,4,100 priority 28672
!
!
!
!
vlan 10
name inside2
!
vlan 20
name inet
!
vlan 30
name server
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown

interface FastEthernet0/4
switchport access vlan 10
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown

!
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown

!
interface FastEthernet0/7
switchport access vlan 10
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown

!
interface FastEthernet0/8
switchport access vlan 10
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown

!
interface FastEthernet0/9
switchport access vlan 20
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown

!
interface FastEthernet0/10
switchport access vlan 20
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown

!
interface FastEthernet0/11
switchport access vlan 20
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown

interface FastEthernet0/12
switchport access vlan 20
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/13
switchport access vlan 20
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/14
switchport access vlan 20
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/15
switchport access vlan 20
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/16
switchport access vlan 20
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/17
switchport access vlan 30
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/18
switchport access vlan 30
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/19
switchport access vlan 30
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/17
switchport access vlan 30
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/18
switchport access vlan 30
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/19
switchport access vlan 30
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/20
switchport access vlan 30
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/21
switchport access vlan 30
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/22
switchport access vlan 30
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/23
switchport access vlan 30
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface FastEthernet0/24
switchport access vlan 30
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface GigabitEthernet0/1
switchport access vlan 30
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface GigabitEthernet0/2
switchport access vlan 30
switchport mode access
no cdp enable
spanning-tree portfast
spanning-tree guard root
no shutdown
!
interface Vlan 10
ip address 10.0.0.4 255.255.255.240
no ip route-cache
no shutdown
!
interface Vlan 20
no ip address
no ip route-cache
no shutdown

interface Vlan 30
no ip address
no ip route-cache
no shutdown
!
access-list 1 permit xxxxxxxxxxxxxx
access-list 1 permit xxxxxxxxxxxxxx
access-list 1 permit xxxxxxxxxxxxxx
access-list 1 permit xxxxxxxxxxxxxx
access-list 1 permit xxxxxxxxxxxxxx
access-list 1 permit xxxxxxxxxxxxxx
access-list 1 permit xxxxxxxxxxxxxx

ip default-gateway 10.0.0.1
no ip http server
!
line con 0
line vty 0 4
password xxxxxxxxxxxxxx
login
line vty 5 15
login
!
!
end
la prima vlan va collegata alla inside di un pix e ci andranno collegati due server, mentre sulla seconda vlan ci andrà collegata la outside dello stesso pix e due cavi che vengono dal provider, mentre la terza l'ho lasciata diciamo di scorta e per il momento non ci andrà nulla.
Ho configurato come defualt gateway la inside del pix e ho dato alla vlan 10 un ip address in modo da poter raggiungere da remoto lo switch, sulla access-list ho semplicemente configurato gli ip che possono collegarsi allo switch.
Manca qualcosa o ho sbagliato qualcosa secondo voi?

[daniele103]

Non hai applicato l'access-list a nessuna interfaccia.
ciao

[daysleeper]

Se volessi applicare quella access-list a una vlan mi basta aggiungere sulla vlan che mi interessa la seguente riga:
ip access-group 1 in

perchè devo permettere a gli indirizzi specificati di entrare giusto?

[daniele103]

Applicando l'ACL permetti gli ip o le reti che sono indicati come permit dalla access-list 1, tutti gli altri sono negati implicitamente, se non la applichi lo switch non fa alcun filtro.
Sicuramente il comando di access-group può essere applicato sotto le interfacce fastethernet, non sono sicuro si possa apllicare sotto le int vlan, provalo, nel caso nulla ti vieta di applicarlo a tutte le fast del tuo switch.

[daniele103]

Scusa dimenticavo, forse lo hai già scaricato, ti giro un link di un doc cisco che può esserti utile:
http://www.cisco.com/en/US/docs/switche ... #wp2774755

[daysleeper]

Ti ringrazio ma ho deciso di non mettere acl sullo switch perchè tanto sarà il pix a decidere gli accessi.
Ora devo sperare che la conf del pix l'ho fatta giusta!!!