I have an 877 with a few VLANs (all in access mode).
I need to arrange things so that from Vlan10 you can reach vlan20 but not vice versa......
877 traffic control between VLANs
Moderator: Federico.Lagni
zot (Messianic Network master; posts: 1274; joined Wed 17 Nov 2004, 1:13 am; location: Teramo):
Messianic Network master from Termoli (posts: 1159; joined Sun 11 Mar 2007, 2:23 pm):
Um... if I'm not mistaken the 877 doesn't support VACLs...
zot:
So everyone sees everyone and there's no remedy????
Messianic Network master from Termoli:
Yeah, I'm afraid so... after all it's a SOHO router... not to say a home one
zot:
Shit, I refuse..... I have to come up with something.......
Messianic Network master from Termoli:
Put a multilayer switch like a 3550/3560 in front of it and handle everything with PVLANs?
zot:
Ahem, the router is at my house... come to think of it, a 7200 in the living room would make quite a scene.....
Messianic Network master from Termoli:
Imagine a 6500, Enel says thank you
zot:
At this point I prefer these... they go with the sofa.
n00b from Castel Guelfo (posts: 19; joined Sun 28 Feb 2010, 7:39 am):
zot wrote: So everyone sees everyone and there's no remedy????
With the 877 I have the opposite problem: I'd like to be able to access vlan2 from vlan1 and not the other way round,
but right now neither of the 2 VLANs sees the other; they are 2 separate networks
Messianic Network master from Termoli:
If you ping the IP of the vlan1 interface from a host in vlan2, doesn't it reply?
are you sure?
Messianic Network master from Termoli:
no problem
n00b from Castel Guelfo:
10.0.0.0 is Vlan1 and it pings Vlan2
10.0.10.0 is Vlan2 and it doesn't ping Vlan1
I think I've managed it, with the 877
Try it and let me know
version 12.4
no service pad
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname R877
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.120
ip dhcp excluded-address 10.0.10.1 10.0.10.10
!
ip dhcp pool Vlan1
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.1
   dns-server 62.149.128.4 62.149.132.4
   lease 0 2
!
ip dhcp pool Vlan2
   network 10.0.10.0 255.255.255.0
   default-router 10.0.10.1
   dns-server 62.149.128.4 62.149.132.4
   lease 0 2
!
!
no ip domain lookup
ip name-server 62.149.128.4
ip name-server 62.149.132.4
ip inspect name CONTROLLO tcp
ip inspect name CONTROLLO udp
ip inspect name CONTROLLO cuseeme
ip inspect name CONTROLLO ftp
ip inspect name CONTROLLO tftp
ip inspect name CONTROLLO rcmd
ip inspect name CONTROLLO realaudio
ip inspect name CONTROLLO smtp
ip inspect name CONTROLLO h323
ip inspect name CONTROLLO dns
ip inspect name CONTROLLO icmp
ip inspect name CONTROLLO imap
ip inspect name CONTROLLO rtsp
ip inspect name CONTROLLO sqlnet
ip inspect name CONTROLLO streamworks
ip inspect name CONTROLLO vdolive
ip inspect name CONTROLLO pop3
!
multilink bundle-name authenticated
!
!
username giubbe privilege 15 password 0 xxxxxxxxx
!
!
archive
 log config
  hidekeys
!
!
!
class-map match-all facebook
 match protocol http host "*facebook*"
!
!
policy-map nofacebook
 class facebook
   drop
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 description Internal network
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect CONTROLLO in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 description Guest network
 ip address 10.0.10.1 255.255.255.0
 ! inbound ACL 100: the guest VLAN cannot initiate traffic towards the internal VLAN
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect CONTROLLO in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip access-group PERMESSI in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect CONTROLLO out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxx password 0 xxxxxxxxx
 service-policy output nofacebook
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list standard ACL-VTY
 permit 10.0.0.0 0.0.0.255
!
ip access-list extended PERMESSI
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
 permit icmp any any administratively-prohibited
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit udp host 62.149.128.4 eq domain any
 permit udp host 62.149.132.4 eq domain any
 permit udp host 192.43.244.18 eq ntp any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.240.0.0 0.15.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 198.18.0.0 0.1.255.255 any
 deny ip 224.0.0.0 0.15.255.255 any
 deny ip any host 255.255.255.255
 ! never matched: "permit icmp any any echo" above already accepts echo requests
 deny icmp any any echo
 deny ip any any log
!
logging facility local2
logging 10.0.0.30
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.10.0 0.0.0.255
! ACL 100 (applied inbound on Vlan2): block 10.0.10.0/24 -> 10.0.0.0/24, allow everything else
access-list 100 deny ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip any any
dialer-list 1 protocol ip list 1
no cdp run
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class ACL-VTY in
 login local
!
scheduler max-task-time 5000
sntp server 192.43.244.18
end
n00b from Castel Guelfo:
Oops!! I saw that paolomat had already solved the question in another part of the forum: http://www.ciscoforums.it/viewtopic.php?f=22&t=26215
With extended ACL 100 I regulate the traffic on the Vlan2 interface.
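Added example, not part of the thread or of Cisco's own tooling: a small Python model of what ACL 100 does inbound on Vlan2 and why the ip inspect rule matters. It assumes that CBAC (ip inspect CONTROLLO on Vlan1) opens the return path for Vlan1-initiated sessions through the Vlan2 inbound ACL, which is what lets a ping from Vlan1 to Vlan2 get its replies back; the hosts, ports and the Vlan2Inbound/demo names are constructed.

```python
# Added example (not from the thread): ACL 100 inbound on Vlan2 plus the CBAC return-path opening.
from ipaddress import IPv4Address

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask semantics: a 1 bit in the mask means 'do not care'."""
    wc = int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) | wc) == (int(IPv4Address(network)) | wc)

# access-list 100 deny   ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
# access-list 100 permit ip any any
ACL_100 = [
    ("deny", "10.0.10.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

class Vlan2Inbound:
    """Inbound filter on interface Vlan2. Assumption: CBAC (ip inspect on Vlan1)
    records sessions started from Vlan1 and lets their replies past the static ACL."""
    def __init__(self, acl):
        self.acl = acl
        self.sessions = set()   # (src, sport, dst, dport) of inspected flows

    def inspect_from_vlan1(self, src, sport, dst, dport):
        self.sessions.add((src, sport, dst, dport))

    def check(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.sessions:   # reply to an inspected flow
            return "permit"
        return acl_action(self.acl, src, dst)

def demo():
    """Returns the verdict for each scenario; all hosts are constructed sample values."""
    vlan2 = Vlan2Inbound(ACL_100)
    out = {}
    # guest host tries to open SSH to the internal syslog host: blocked by the deny line
    out["guest_to_internal"] = vlan2.check("10.0.10.50", 40000, "10.0.0.30", 22)
    # guest host to the internet (TEST-NET-3 address): permit ip any any
    out["guest_to_internet"] = vlan2.check("10.0.10.50", 40001, "203.0.113.10", 443)
    # internal host opens HTTP to a guest host; inspect records it, so the reply passes
    vlan2.inspect_from_vlan1("10.0.0.20", 50000, "10.0.10.50", 80)
    out["reply_with_inspect"] = vlan2.check("10.0.10.50", 80, "10.0.0.20", 50000)
    out["reply_acl_only"] = acl_action(ACL_100, "10.0.10.50", "10.0.0.20")
    return out
```

The last two entries show the point to verify on a real box: with the static ACL alone the reply from Vlan2 would be dropped, so if inspection is ever removed from Vlan1 the "Vlan1 can reach Vlan2" half of the requirement silently breaks.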