Иван, прошивки получил. Спасибо.
На 3052 установил.
Но 3052-й как лез со своими запросами к ДХЦП-серверу (поперек 3526), так и лезет. (т.е. запросы от клиента, подключенного к 3526 дублирует 3052 - в тестовой схеме это, конечно, некритично, но если все 30ХХ начнут дублировать все проходящие сквозь них запросы - это будет полный караул)
Конфиги их обоих на предыдущей странице.
У меня еще ряд вопросов появился.
вот схема:
Клиенты получают адреса - все классно. А вот что дальше делать с ними - не пойму.
вопросы вот какие:
1. каким АЦЛ-ом мне грамотно разрешить весь клиентский трафик, при этом запретив как можно больше "чего не надо". Для теста я разрешил все IP - АЦЛ 5 в конфиге. Но мне кажется, что это как-то несекурно.
2. как на циске настроить прохождение клиентского трафика? В моем случае клиентский трафик (10.68.0.0/16) приходит на цискин интерфейс Gi0/1.168 с адресом 10.168.0.1/16. Я на Gi0/1.168 уже и секондери инт вешал (10.68.0.1/16)......
Короче, прошу хелпа, т.к. сам разобраться в маршрутизации пока не могу, а время поджимает.
Вот конфиги:
Код:
#-------------------------------------------------------------------------------
# DGS-3627G Gigabit Ethernet Switch
# Configuration
#
# Firmware: Build 2.40.B75
# Copyright(C) 2008 D-Link Corporation. All rights reserved.
#-------------------------------------------------------------------------------
# STACK
# DOUBLE_VLAN
disable double_vlan
# BASIC
config serial_port auto_logout 10_minutes
enable telnet 23
enable web 80
enable clipaging
# STORM
config traffic trap none
config traffic control 1-27 broadcast disable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
# GM
config sim candidate
disable sim
config sim dp_interval 30
config sim hold_time 100
# GM_H
# SYSLOG
disable syslog
config system_severity log information
config system_severity trap information
config log_save_timing on_demand
# QOS
config scheduling_mechanism strict
config scheduling 0 max_packet 1
config scheduling 1 max_packet 2
config scheduling 2 max_packet 3
config scheduling 3 max_packet 4
config scheduling 4 max_packet 5
config scheduling 5 max_packet 6
config scheduling 6 max_packet 7
config 802.1p user_priority 0 2
config 802.1p user_priority 1 0
config 802.1p user_priority 2 1
config 802.1p user_priority 3 3
config 802.1p user_priority 4 4
config 802.1p user_priority 5 5
config 802.1p user_priority 6 6
config 802.1p user_priority 7 6
enable hol_prevention
config 802.1p default_priority 1-27 0
config bandwidth_control 1-27 rx_rate no_limit tx_rate no_limit
# MIRROR
disable mirror
# TRAF-SEGMENTATION
config traffic_segmentation 1-22,25-27 forward_list all
config traffic_segmentation 23 forward_list 1-23,25-27
config traffic_segmentation 24 forward_list 1-22,24-27
# SSL
disable ssl
enable ssl ciphersuite RSA_with_RC4_128_MD5
enable ssl ciphersuite RSA_with_3DES_EDE_CBC_SHA
enable ssl ciphersuite DHE_DSS_with_3DES_EDE_CBC_SHA
enable ssl ciphersuite RSA_EXPORT_with_RC4_40_MD5
config ssl cachetimeout 600
# PORT
disable jumbo_frame
config ports 1-20 speed auto capability_advertised 1000_full flow_control disable learning enable state enable
config ports 21-24 medium_type copper speed auto capability_advertised 10_half 10_full 100_half 100_full 1000_full flow_control disable learning enable state enable
config ports 21-24 medium_type fiber speed auto capability_advertised 1000_full flow_control disable learning enable state enable
config ports 25-27 speed auto flow_control disable learning enable state enable
# PORT_LOCK
config port_security ports 1-27 admin_state disable max_learning_addr 1 lock_address_mode DeleteOnReset
# SNMPv3
delete snmp community public
delete snmp community private
delete snmp user initial
delete snmp group initial
delete snmp group ReadGroup
delete snmp group WriteGroup
delete snmp view restricted all
delete snmp view CommunityView all
config snmp engineID 800000ab03001cf02052c0
create snmp view restricted 1.3.6.1.2.1.1 view_type included
create snmp view restricted 1.3.6.1.2.1.11 view_type included
create snmp view restricted 1.3.6.1.6.3.10.2.1 view_type included
create snmp view restricted 1.3.6.1.6.3.11.2.1 view_type included
create snmp view restricted 1.3.6.1.6.3.15.1.1 view_type included
create snmp view CommunityView 1 view_type included
create snmp view CommunityView 1.3.6.1.6.3 view_type excluded
create snmp view CommunityView 1.3.6.1.6.3.1 view_type included
create snmp group public v1 read_view CommunityView notify_view CommunityView
create snmp group public v2c read_view CommunityView notify_view CommunityView
create snmp group initial v3 noauth_nopriv read_view restricted notify_view restricted
create snmp group private v1 read_view CommunityView write_view CommunityView notify_view CommunityView
create snmp group private v2c read_view CommunityView write_view CommunityView notify_view CommunityView
create snmp group ReadGroup v1 read_view CommunityView notify_view CommunityView
create snmp group ReadGroup v2c read_view CommunityView notify_view CommunityView
create snmp group WriteGroup v1 read_view CommunityView write_view CommunityView notify_view CommunityView
create snmp group WriteGroup v2c read_view CommunityView write_view CommunityView notify_view CommunityView
create snmp community private view CommunityView read_write
create snmp community public view CommunityView read_only
create snmp user initial initial
# MANAGEMENT
enable snmp traps
enable snmp authenticate_traps
disable snmp
enable snmp linkchange_traps
config snmp system_name D3627G08003
disable rmon
config snmp linkchange_traps ports 1-27 enable
# VLAN
enable pvid auto_assign
config vlan default delete 1-27
config vlan default add untagged 1-20,25-27
config vlan default advertisement enable
create vlan VLAN3 tag 3
config vlan VLAN3 add tagged 21-23 advertisement disable
create vlan VLAN33 tag 33
config vlan VLAN33 add untagged 24 advertisement disable
create vlan VLAN68 tag 68
config vlan VLAN68 add tagged 22 advertisement disable
create vlan VLAN99 tag 99
config vlan VLAN99 add tagged 22 advertisement disable
create vlan VLAN168 tag 168
config vlan VLAN168 add tagged 23 advertisement disable
disable qinq
disable gvrp
config gvrp 1-21,25-27 state disable ingress_checking enable acceptable_frame admit_all pvid 1
config gvrp 22-23 state disable ingress_checking enable acceptable_frame admit_all pvid 68
config gvrp 24 state disable ingress_checking enable acceptable_frame admit_all pvid 33
# PROTOCOL_VLAN
# QINQ
config qinq ports 1-27 missdrop disable tpid 0x8100
create vlan_translation ports 22 cvid 3 add svid 33
create vlan_translation ports 22 cvid 68 replace svid 168
create vlan_translation ports 24 cvid 33 add svid 3
# RSPAN
disable rspan
# 8021X
disable 802.1x
config 802.1x auth_protocol radius_eap
config 802.1x capability ports 1-27 none
config 802.1x auth_parameter ports 1-27 direction both port_control auto quiet_period 60 tx_period 30 supp_timeout 30 server_timeout 30 max_req 2 reauth_period 3600 enable_reauth disable
# guestvlan
# TR
# ACL
create access_profile profile_id 4 ip udp src_port_mask 0xFFFF dst_port_mask 0xFFFF
config access_profile profile_id 4 add access_id 22 ip udp src_port 68 dst_port 67 port 22 permit rx_rate no_limit
config access_profile profile_id 4 add access_id 53 ip udp src_port 67 dst_port 68 port 24 permit rx_rate no_limit
create access_profile profile_id 5 ip vlan
config access_profile profile_id 5 add access_id 22 ip vlan VLAN68 port 22 permit rx_rate no_limit
config access_profile profile_id 5 add access_id 23 ip vlan VLAN168 port 23 permit rx_rate no_limit
disable cpu_interface_filtering
# LIMITED_MULTICAST_RANGE
# MULTICAST_VLAN
# FDB
config fdb aging_time 300
# ADDRBIND
config address_binding dhcp_snoop max_entry ports 1 limit no_limit
config address_binding dhcp_snoop max_entry ports 2 limit no_limit
config address_binding dhcp_snoop max_entry ports 3 limit no_limit
config address_binding dhcp_snoop max_entry ports 4 limit no_limit
config address_binding dhcp_snoop max_entry ports 5 limit no_limit
config address_binding dhcp_snoop max_entry ports 6 limit no_limit
config address_binding dhcp_snoop max_entry ports 7 limit no_limit
config address_binding dhcp_snoop max_entry ports 8 limit no_limit
config address_binding dhcp_snoop max_entry ports 9 limit no_limit
config address_binding dhcp_snoop max_entry ports 10 limit no_limit
config address_binding dhcp_snoop max_entry ports 11 limit no_limit
config address_binding dhcp_snoop max_entry ports 12 limit no_limit
config address_binding dhcp_snoop max_entry ports 13 limit no_limit
config address_binding dhcp_snoop max_entry ports 14 limit no_limit
config address_binding dhcp_snoop max_entry ports 15 limit no_limit
config address_binding dhcp_snoop max_entry ports 16 limit no_limit
config address_binding dhcp_snoop max_entry ports 17 limit no_limit
config address_binding dhcp_snoop max_entry ports 18 limit no_limit
config address_binding dhcp_snoop max_entry ports 19 limit no_limit
config address_binding dhcp_snoop max_entry ports 20 limit no_limit
config address_binding dhcp_snoop max_entry ports 21 limit no_limit
config address_binding dhcp_snoop max_entry ports 22 limit no_limit
config address_binding dhcp_snoop max_entry ports 23 limit no_limit
config address_binding dhcp_snoop max_entry ports 24 limit no_limit
config address_binding dhcp_snoop max_entry ports 25 limit no_limit
config address_binding dhcp_snoop max_entry ports 26 limit no_limit
config address_binding dhcp_snoop max_entry ports 27 limit no_limit
config address_binding ip_mac ports 1-27 forward_dhcppkt enable
disable address_binding dhcp_snoop
disable address_binding trap_log
# DhcpServerScreening
config filter dhcp_server port all state disable
config filter dhcp_server illegal_server_log_suppress_duration 5min
config filter dhcp_server trap_log disable
# MAC_ADDRESS_TABLE_NOTIFICATION
disable mac_notification
config mac_notification interval 1 historysize 1
config mac_notification ports 1-27 disable
# STP
config stp version rstp
config stp maxage 20 maxhops 20 forwarddelay 15 txholdcount 3 fbpdu enable hellotime 2 lbd enable lbd_recover_timer 60
config stp priority 32768 instance_id 0
config stp mst_config_id name 00:1C:F0:20:52:C0 revision_level 0
disable stp
config stp ports 1-20 externalCost auto edge false p2p auto state enable lbd disable
config stp mst_ports 1-27 instance_id 0 internalCost auto priority 128
config stp ports 1-20 fbpdu enable
config stp ports 21-27 externalCost auto edge false p2p auto state disable lbd disable
config stp ports 21-27 fbpdu disable
# BPDU_TUNNEL
config bpdu_tunnel ports all type none
disable bpdu_tunnel
# SAFEGUARD_ENGINE
config safeguard_engine state disable utilization rising 30 falling 20 trap_log disable mode fuzzy
# BANNER_PROMP
config command_prompt default
config greeting_message default
# SSH
config ssh algorithm 3DES enable
config ssh algorithm AES128 enable
config ssh algorithm AES192 enable
config ssh algorithm AES256 enable
config ssh algorithm arcfour enable
config ssh algorithm blowfish enable
config ssh algorithm cast128 enable
config ssh algorithm twofish128 enable
config ssh algorithm twofish192 enable
config ssh algorithm twofish256 enable
config ssh algorithm MD5 enable
config ssh algorithm SHA1 enable
config ssh algorithm RSA enable
config ssh algorithm DSA enable
config ssh authmode password enable
config ssh authmode publickey enable
config ssh authmode hostbased enable
config ssh server maxsession 8
config ssh server contimeout 120
config ssh server authfail 2
config ssh server rekey never
disable ssh
# SNTP
enable sntp
config time_zone operator + hour 6 min 0
config sntp primary 10.25.0.19 secondary 0.0.0.0 poll-interval 2880
config dst disable
# LACP
config link_aggregation algorithm ip_source
config lacp_port 1-27 mode passive
# IP
config ipif_mac_mapping ipif System mac_offset 0
config ipif System ipaddress 10.25.88.3/16 vlan VLAN3
config ipif System proxy_arp disable local disable
config ipif_mac_mapping ipif RM99 mac_offset 3
create ipif RM99 10.125.1.3/24 VLAN99 state enable
config ipif RM99 proxy_arp disable local disable
config ipif_mac_mapping ipif RC168 mac_offset 4
create ipif RC168 10.168.0.48/16 VLAN168 state enable
config ipif RC168 proxy_arp disable local disable
config ipif_mac_mapping ipif DHCP33 mac_offset 1
create ipif DHCP33 10.33.0.48/16 VLAN33 state enable
config ipif DHCP33 proxy_arp disable local disable
config ipif_mac_mapping ipif DHCP68 mac_offset 2
create ipif DHCP68 10.68.0.48/16 VLAN68 state enable
config ipif DHCP68 proxy_arp disable local disable
config ipif RM99 ip_mtu 1500
config ipif RC168 ip_mtu 1500
config ipif DHCP33 ip_mtu 1500
config ipif DHCP68 ip_mtu 1500
config ipif System ip_mtu 1500
disable autoconfig
# MCFILTER
config multicast filtering_mode default forward_unregistered_groups
# SNOOP
config igmp_snooping vlan default host_timeout 260 router_timeout 260 leave_timer 2 state disable fast_leave disable
config igmp_snooping querier vlan default query_interval 125 max_response_time 10 robustness_variable 2 last_member_query_interval 1 state disable
config limited_multicast_addr ports 1-27 state disable
# MLDSNP
config mld_snooping vlan default node_timeout 260 router_timeout 260 done_timer 2 state disable fast_done disable
config mld_snooping querier vlan default query_interval 125 max_response_time 10 robustness_variable 2 last_listener_query_interval 1 state disable
# ACCESS_AUTHENTICATION_CONTROL
config authen_login default method local
config authen_enable default method local_enable
config authen application console login default
config authen application console enable default
config authen application telnet login default
config authen application telnet enable default
config authen application ssh login default
config authen application ssh enable default
config authen application http login default
config authen application http enable default
config authen parameter response_timeout 30
config authen parameter attempt 3
disable authen_policy
# AAA_LOCAL_ENABLE_PASSWORD
# NDP
config ipv6 nd ns ipif System retrans_time 0
config ipv6 nd ra ipif System state disable life_time 1800 reachable_time 1200000 retrans_time 0 hop_limit 64 managed_flag disable other_config_flag disable min_rtr_adv_interval 198 max_rtr_adv_interval 600
config ipv6 nd ns ipif RM99 retrans_time 0
config ipv6 nd ra ipif RM99 state disable life_time 1800 reachable_time 1200000 retrans_time 0 hop_limit 64 managed_flag disable other_config_flag disable min_rtr_adv_interval 198 max_rtr_adv_interval 600
config ipv6 nd ns ipif RC168 retrans_time 0
config ipv6 nd ra ipif RC168 state disable life_time 1800 reachable_time 1200000 retrans_time 0 hop_limit 64 managed_flag disable other_config_flag disable min_rtr_adv_interval 198 max_rtr_adv_interval 600
config ipv6 nd ns ipif DHCP33 retrans_time 0
config ipv6 nd ra ipif DHCP33 state disable life_time 1800 reachable_time 1200000 retrans_time 0 hop_limit 64 managed_flag disable other_config_flag disable min_rtr_adv_interval 198 max_rtr_adv_interval 600
config ipv6 nd ns ipif DHCP68 retrans_time 0
config ipv6 nd ra ipif DHCP68 state disable life_time 1800 reachable_time 1200000 retrans_time 0 hop_limit 64 managed_flag disable other_config_flag disable min_rtr_adv_interval 198 max_rtr_adv_interval 600
# WAC
config wac method local
disable wac
# ARP
config arp_aging time 20
config gratuitous_arp send ipif_status_up disable
config gratuitous_arp send dup_ip_detected disable
config gratuitous_arp learning disable
enable gratuitous_arp ipif RM99 trap
enable gratuitous_arp ipif RM99 log
enable gratuitous_arp ipif System trap
enable gratuitous_arp ipif System log
# ROUTE
config route preference static 60
config route preference rip 100
config route preference ospfIntra 80
config route preference ospfInter 90
config route preference ospfExt1 110
config route preference ospfExt2 115
create iproute default 10.25.0.19 10 primary
# PROUTE
create policy_route name From_Client
config policy_route name From_Client acl profile_id 5 access_id 22 nexthop 10.137.0.1 state enable
create policy_route name From_DHCP
config policy_route name From_DHCP acl profile_id 4 access_id 53 nexthop 10.125.8.3 state enable
create policy_route name To_Client
config policy_route name To_Client acl profile_id 5 access_id 23 nexthop 10.68.0.48 state enable
create policy_route name To_DHCP
config policy_route name To_DHCP acl profile_id 4 access_id 22 nexthop 10.33.0.48 state enable
# LLDP
disable lldp
config lldp message_tx_interval 30
config lldp tx_delay 2
config lldp message_tx_hold_multiplier 4
config lldp reinit_delay 2
config lldp notification_interval 5
config lldp ports 1-27 notification disable
config lldp ports 1-27 admin_status tx_and_rx
# IGMP
config igmp ipif System version 3 query_interval 125 max_response_time 10 robustness_variable 2 state disable
config igmp ipif System last_member_query_interval 1
config igmp ipif RM99 version 3 query_interval 125 max_response_time 10 robustness_variable 2 state disable
config igmp ipif RM99 last_member_query_interval 1
config igmp ipif RC168 version 3 query_interval 125 max_response_time 10 robustness_variable 2 state disable
config igmp ipif RC168 last_member_query_interval 1
config igmp ipif DHCP33 version 3 query_interval 125 max_response_time 10 robustness_variable 2 state disable
config igmp ipif DHCP33 last_member_query_interval 1
config igmp ipif DHCP68 version 3 query_interval 125 max_response_time 10 robustness_variable 2 state disable
config igmp ipif DHCP68 last_member_query_interval 1
# PIMSM
disable pim
config pim cbsr hash_masklen 30
config pim cbsr bootstrap_period 60
config pim register_suppression_time 60
config pim register_probe_time 5
config pim last_hop_spt_switchover never
config pim crp holdtime 150 priority 192
config pim crp wildcard_prefix_cnt 0
config pim ipif System state disable hello 30 jp_interval 60 mode dm dr_priority 1
config pim cbsr ipif System priority -1
config pim ipif RM99 state disable hello 30 jp_interval 60 mode dm dr_priority 1
config pim cbsr ipif RM99 priority -1
config pim ipif RC168 state disable hello 30 jp_interval 60 mode dm dr_priority 1
config pim cbsr ipif RC168 priority -1
config pim ipif DHCP33 state disable hello 30 jp_interval 60 mode dm dr_priority 1
config pim cbsr ipif DHCP33 priority -1
config pim ipif DHCP68 state disable hello 30 jp_interval 60 mode dm dr_priority 1
config pim cbsr ipif DHCP68 priority -1
# DVMRP
disable dvmrp
config dvmrp ipif System metric 1 probe 10 neighbor_timeout 35 state disable
config dvmrp ipif RM99 metric 1 probe 10 neighbor_timeout 35 state disable
config dvmrp ipif RC168 metric 1 probe 10 neighbor_timeout 35 state disable
config dvmrp ipif DHCP33 metric 1 probe 10 neighbor_timeout 35 state disable
config dvmrp ipif DHCP68 metric 1 probe 10 neighbor_timeout 35 state disable
# RIP
disable rip
config rip ipif System tx_mode disable state disable
config rip ipif System rx_mode disable state disable
config rip ipif RM99 tx_mode disable state disable
config rip ipif RM99 rx_mode disable state disable
config rip ipif RC168 tx_mode disable state disable
config rip ipif RC168 rx_mode disable state disable
config rip ipif DHCP33 tx_mode disable state disable
config rip ipif DHCP33 rx_mode disable state disable
config rip ipif DHCP68 tx_mode disable state disable
config rip ipif DHCP68 rx_mode disable state disable
# MD5
# SFLOW
# OSPF
create ospf area 10.125.1.0 type nssa translate enable stub_summary enabled metric 0
config ospf ipif System area 0.0.0.0 priority 1 hello_interval 10 dead_interval 40
config ospf ipif System authentication none metric 1 state enable passive disable
config ospf ipif DHCP33 area 0.0.0.0 priority 1 hello_interval 10 dead_interval 40
config ospf ipif DHCP33 authentication none metric 1 state disable passive disable
config ospf ipif DHCP68 area 0.0.0.0 priority 1 hello_interval 10 dead_interval 40
config ospf ipif DHCP68 authentication none metric 1 state disable passive disable
config ospf ipif RM99 area 10.125.1.0 priority 1 hello_interval 10 dead_interval 40
config ospf ipif RM99 authentication none metric 1 state enable passive disable
config ospf ipif RC168 area 0.0.0.0 priority 1 hello_interval 10 dead_interval 40
config ospf ipif RC168 authentication none metric 1 state disable passive disable
create ospf aggregation 10.125.1.0 10.125.1.0/24 lsdb_type nssa_ext advertise disable
config ospf router_id 10.25.88.3
enable ospf
# DNSR
disable dnsr
config dnsr primary nameserver 0.0.0.0
config dnsr secondary nameserver 0.0.0.0
disable dnsr cache
disable dnsr static
# DHCP_RELAY
disable dhcp_relay
config dhcp_relay hops 4 time 0
config dhcp_relay option_82 state disable
config dhcp_relay option_82 check disable
config dhcp_relay option_82 policy keep
# DHCP_SERVER
config dhcp ping_packets 2
config dhcp ping_timeout 500
disable dhcp_server
# VRRP
config vrrp ipif System authtype none
config vrrp ipif RM99 authtype none
config vrrp ipif RC168 authtype none
config vrrp ipif DHCP33 authtype none
config vrrp ipif DHCP68 authtype none
disable vrrp
disable vrrp ping
#-------------------------------------------------------------------
# End of configuration file for DGS-3627G
#-------------------------------------------------------------------
и конфиг цискиного интерфейса:
[code]
sh run int gi0/1.168
Building configuration...
Current configuration : 553 bytes
!
interface GigabitEthernet0/1.168
description Test
encapsulation dot1Q 168
[code] ip address 10.68.0.1 255.255.0.0 secondary
ip address 10.168.0.1 255.255.0.0
no ip redirects
ip nat inside
ip flow ingress
no ip mroute-cache
ip policy route-map tst2
pppoe enable group global
no snmp trap link-status
no cdp enable
end
[/code]
еще так делал - убирал тут строку
[code]
ip address 10.68.0.1 255.255.0.0 secondary
[/code]
и добавлял
[code]
ip route 10.68.0.0 255.255.0.0 10.168.0.48
[/code]
Может я какие маршруты на 3627-м не прописал еще??????