
Help needed: inter-VLAN access problem after applying a policy on a layer-3 switch

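Posted on 2013-7-18 10:03:36
Help needed: after applying a policy on the layer-3 switch, VLAN 8 and VLAN 9 can no longer communicate with the other segments. Could the experts here please take a look at how to fix it? The original intent was: VLAN 8 and 9 go out over their own dedicated line, the rest use another line, and the VLANs can still reach each other. The configuration is as follows: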

!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname 4507R
!
boot-start-marker
boot system flash cat4500e-entservicesk9-mz.151-2.SG.bin
boot system flash cat4500e-lanbase-mz.122-53.SG2.bin
boot-end-marker
!
!
vrf definition mgmtVrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$X86Y$IvetDHRfz5TYftKgpOrZq1
!
no aaa new-model
!
no ip domain-lookup
ip dhcp snooping vlan 4-10
ip dhcp snooping
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 172.16.2.1 172.16.2.10
ip dhcp excluded-address 172.16.3.1 172.16.3.10
ip dhcp excluded-address 172.16.4.1 172.16.4.10
ip dhcp excluded-address 172.16.5.1 172.16.5.50
ip dhcp excluded-address 172.16.6.1 172.16.6.50
ip dhcp excluded-address 172.16.7.1 172.16.7.50
ip dhcp excluded-address 172.16.5.200 172.16.5.254
ip dhcp excluded-address 172.16.6.200 172.16.6.254
ip dhcp excluded-address 172.16.5.51 172.16.5.102
ip dhcp excluded-address 172.16.8.1 172.16.8.50
!
ip dhcp pool vlan4
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
netbios-name-server 192.168.2.50
dns-server 219.141.136.10
lease 0 0 1
!
ip dhcp pool vlan5
network 172.16.2.0 255.255.255.0
default-router 172.16.2.1
netbios-name-server 192.168.2.50
dns-server 219.141.136.10
lease 180
!
ip dhcp pool vlan6
network 172.16.3.0 255.255.255.0
default-router 172.16.3.1
netbios-name-server 192.168.2.50
dns-server 219.141.136.10
lease 180
!
ip dhcp pool vlan7
network 172.16.4.0 255.255.255.0
default-router 172.16.4.1
netbios-name-server 192.168.2.50
dns-server 219.141.136.10
lease 180
!
ip dhcp pool vlan8
network 172.16.5.0 255.255.255.0
default-router 172.16.5.1
netbios-name-server 192.168.2.50
dns-server 219.141.136.10
lease 0 6
!
ip dhcp pool vlan9
network 172.16.6.0 255.255.255.0
default-router 172.16.6.1
netbios-name-server 192.168.2.50
dns-server 219.141.136.10
lease 0 6
!
ip dhcp pool vlan10
network 172.16.7.0 255.255.255.0
default-router 172.16.7.1
netbios-name-server 192.168.2.50
dns-server 219.141.136.10
lease 180
!
ip dhcp pool 172.16.5.0/24
lease 10
!
ip dhcp pool vlan14
network 172.16.8.0 255.255.255.0
default-router 172.16.8.1
netbios-name-server 192.168.2.50
dns-server 219.141.136.10
lease 180
!
!
ipv6 multicast rpf use-bgp
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause link-monitor-failure
errdisable recovery cause oam-remote-failure
errdisable recovery interval 30
power redundancy-mode redundant
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
mode rpr
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet1
vrf forwarding mgmtVrf
no ip address
speed auto
duplex auto
!
interface GigabitEthernet1/1
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/2
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/3
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/4
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/5
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/6
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/7
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/8
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/9
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/10
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/11
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/12
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/13
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/14
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/15
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/16
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/17
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/18
switchport mode trunk
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface TenGigabitEthernet3/1
!
interface TenGigabitEthernet3/2
!
interface GigabitEthernet3/3
!
interface GigabitEthernet3/4
!
interface GigabitEthernet3/5
!
interface GigabitEthernet3/6
!
interface GigabitEthernet6/1
switchport access vlan 5
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/2
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/3
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/4
switchport access vlan 14
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/5
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/6
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/7
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/8
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/9
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/10
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/11
switchport access vlan 14
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet6/12
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet6/13
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/14
switchport access vlan 3
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/15
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/16
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/17
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/18
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/19
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/20
switchport access vlan 4
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/21
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/22
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/23
switchport access vlan 3
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/24
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/25
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/26
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/27
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/28
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/29
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/30
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/31
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/32
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/33
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/34
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/35
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/36
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/37
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/38
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/39
switchport access vlan 9
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/40
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/41
switchport access vlan 8
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/42
switchport access vlan 8
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/43
switchport access vlan 8
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/44
switchport access vlan 8
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/45
switchport access vlan 15
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/46
switchport access vlan 8
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/47
description TO-ASA
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet6/48
description TO-ASA
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
ip address 192.168.100.2 255.255.255.0
ip access-group Virus out
ip policy route-map ac1300
!
interface Vlan3
ip address 192.168.2.1 255.255.255.0
ip access-group Virus out
!
interface Vlan4
ip address 172.16.1.1 255.255.255.0
ip access-group Virus out
!
interface Vlan5
ip address 172.16.2.1 255.255.255.0
ip access-group Virus out
!
interface Vlan6
ip address 172.16.3.1 255.255.255.0
ip access-group Virus out
!
interface Vlan7
ip address 172.16.4.1 255.255.255.0
ip access-group Virus out
!
interface Vlan8
ip address 172.16.5.1 255.255.255.0
ip access-group Virus out
!
interface Vlan9
ip address 172.16.6.1 255.255.255.0
ip access-group Virus out
!
interface Vlan10
ip address 172.16.7.1 255.255.255.0
ip access-group Virus out
!
interface Vlan11
ip address 192.168.11.1 255.255.255.0
ip access-group Virus out
!
interface Vlan12
ip address 192.168.12.1 255.255.255.0
ip access-group Virus out
!
interface Vlan13
ip address 192.168.13.1 255.255.255.0
ip access-group Virus out
!
interface Vlan14
ip address 172.16.8.1 255.255.255.0
ip access-group Virus out
!
interface Vlan15
ip address 192.168.1.2 255.255.255.0
ip route-cache policy
ip policy route-map ac1600
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 172.16.9.0 255.255.255.0 192.168.1.1
ip route 192.168.1.0 255.255.255.0 192.168.100.1
ip route 192.168.20.0 255.255.255.0 192.168.100.1
ip route 192.168.101.0 255.255.255.0 192.168.100.1
!
ip access-list extended Virus
deny   tcp any any eq 27665
deny   tcp any any eq 16660
deny   tcp any any eq 65000
deny   tcp any any eq 33270
deny   tcp any any eq 39168
deny   tcp any any eq 6711
deny   tcp any any eq 6712
deny   tcp any any eq 6776
deny   tcp any any eq 6667
deny   tcp any any eq 6669
deny   tcp any any eq 2222
deny   tcp any any eq 135
deny   tcp any any eq 136
deny   tcp any any eq 137
deny   tcp any any eq 138
deny   tcp any any eq 139
deny   tcp any any eq 580
deny   tcp any any eq 4444
deny   tcp any any eq 5554
deny   tcp any any eq 5900
deny   tcp any any eq 9996
deny   tcp any any eq 3332
deny   tcp any any eq 1068
deny   tcp any any eq 1434
deny   tcp any any eq 6000
deny   tcp any any eq 445
deny   udp any any eq 31335
deny   udp any any eq 27444
deny   udp any any eq 135
deny   udp any any eq 136
deny   udp any any eq netbios-ns
deny   udp any any eq netbios-dgm
deny   udp any any eq netbios-ss
deny   udp any any eq 4444
deny   udp any any eq 445
permit ip any any
!
access-list 101 permit ip host 172.16.5.144 any
access-list 101 permit ip host 172.16.5.145 any
access-list 101 permit ip 172.16.5.0 0.0.0.255 any
access-list 101 permit ip 172.16.6.0 0.0.0.255 any
access-list 101 permit ip 172.16.8.0 0.0.0.255 any
access-list 101 permit ip 172.16.9.0 0.0.0.255 any
access-list 102 permit ip host 172.16.2.254 any
!
route-map ac1300 permit 10
match ip address 101
set ip next-hop 192.168.100.1
!
route-map ac1600 permit 20
match ip address 102
set ip next-hop 192.168.1.1
!
!
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server host 192.168.1.10 public
!
!
line con 0
stopbits 1
line vty 0 4
password sinosoft651
login
line vty 5 15
password sinosoft651
login
!
!
monitor session 1 source interface Gi6/24
monitor session 1 destination interface Gi6/22
monitor session 1 filter packet-type good rx
end

Posted on 2013-7-19 11:15:46

Posted on 2013-7-20 08:53:54
You didn't even give a topology. Who is going to read that much configuration?

Posted on 2013-7-22 22:26:04
I'm here to earn gold coins.

Posted on 2013-7-24 17:20:48

Posted on 2013-7-25 13:58:59
No topology, just a pile of configuration... I can't take it.

Posted on 2013-7-26 15:29:38
So long!

Posted on 2013-7-27 19:27:22
How can anyone look at this without a topology?

Posted on 2013-7-28 11:44:26
This is all commands. What is the actual content of the policy!?

Posted on 2013-7-31 09:44:21

Posted on 2013-8-1 14:36:58
I looked at it. There is nothing wrong with this configuration; it should work. How did you test that it doesn't?

Posted on 2013-8-4 12:03:46
I don't understand what any of this is saying.
