Есть маршрутизатор cisco 2821.
подняты 4 vlan.
management
open
inside
users
Конфиг ниже.
С показанным конфигом каждый юзер из каждого vlan видит каждого.
Как правильно сделать так, чтобы юзеры из vlan inside, open, users видели только свою подсеть, а админ из сети management видел любую подсеть?
То есть как правильно отключить маршрутизацию между всеми vlan и настроить её между необходимыми?
Как добиться того, чего на Cisco ASA добиваются командами
static (inside,wpa-inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (wpa-inside,inside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
Building configuration...
Current configuration : 10720 bytes
!
! Global platform settings (IOS 12.4 on a 2821; the image is named in the boot line).
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime
! Type-7 obfuscation of plaintext passwords in the config. It is reversible, so it
! only hides passwords from casual reading, not from anyone holding a copy of the file.
service password-encryption
service sequence-numbers
!
hostname c2821
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-17.bin
boot-end-marker
!
! After 3 failed login attempts further attempts are rate-limited and a log message is
! generated; passwords must be at least 6 characters.
security authentication failure rate 3 log
security passwords min-length 6
no logging queue-limit
logging buffered 51000 debugging
no logging console
no logging monitor
! NOTE(review): this type-5 (MD5) enable hash has been published together with this
! post; the enable secret should be changed.
enable secret 5 $1$4OxJ$h/IDBWLeI99RiDdlLPn/V/
!
! AAA is off: authentication relies on the local username database ("login local" on
! the line sections below).
no aaa new-model
clock timezone PCTime 3
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
! Discard packets that carry IP source-routing options.
no ip source-route
!
!
ip cef
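! DHCP: one pool per VLAN. Each pool's default-router must be the router's own address
! on that VLAN's subinterface, and that address is excluded from the pool.
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.90.1
ip dhcp excluded-address 192.168.100.254
ip dhcp excluded-address 192.168.100.1
!
! VLAN 20 (GigabitEthernet0/0.20)
ip dhcp pool inside
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server xxxxxxxxx
!
! VLAN 1 / native (GigabitEthernet0/0.1)
ip dhcp pool management
network 192.168.100.0 255.255.255.0
default-router 192.168.100.254
dns-server xxxxxxxxx
!
! VLAN 10 (GigabitEthernet0/0.10)
ip dhcp pool open
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server xxxxxxxxxxx
!
! VLAN 90 (GigabitEthernet0/0.90)
ip dhcp pool users
network 192.168.90.0 255.255.255.0
! Fixed: the gateway handed out was 192.168.10.1, which is not inside 192.168.90.0/24,
! so VLAN 90 clients had no reachable gateway. GigabitEthernet0/0.90 holds 192.168.90.1.
default-router 192.168.90.1
dns-server xxxxxxxxxxx
!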
!
no ip bootp server
! Domain and name server used by the router itself (DNS addresses are masked in this post).
ip domain name myhost.ru
ip name-server xxxxxxxxx
vlan ifdescr detail
!
!
!
!
! Single local administrator account at privilege 15 (hash masked in this post); it is
! what "login local" on the console, aux and vty lines authenticates against.
username Admin privilege 15 secret yyyyyyyyyyyyy
! Configuration change logging: record entered config commands, forward them to syslog,
! and suppress password material in those records.
archive
log config
logging enable
notify syslog
hidekeys
!
!
! Give up on outgoing TCP connection attempts after 10 seconds.
ip tcp synwait-time 10
!
!
!
!
! 802.1Q trunk toward the switch. It has no IP address of its own; routing happens on
! the dot1Q subinterfaces below. ACL 104 is applied here and again on
! GigabitEthernet0/0.1.
! NOTE(review): with every VLAN, including the native one, placed on a subinterface it
! is not clear from this config that any traffic is evaluated against the physical
! interface's ACL — confirm whether this "ip access-group" line does anything.
interface GigabitEthernet0/0
description VLAN trunk if
no ip address
ip access-group 104 in
! ICMP redirects/unreachables and proxy-ARP off; NetFlow switching on.
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
duplex auto
speed auto
no mop enabled
!
! Management VLAN, carried as the native (untagged) VLAN 1. ACL 104 inbound allows
! telnet/ssh/http/https/rsh to 192.168.100.254 only from 192.168.100.0/24, denies
! those services (and SNMP) from any other source, and then permits everything else —
! so it protects the router's own management services, not traffic between VLANs.
! NOTE(review): keeping management on the untagged native VLAN means any device on an
! untagged trunk port lands in this subnet; a dedicated tagged VLAN is the usual
! hardening step.
interface GigabitEthernet0/0.1
description vlan management
encapsulation dot1Q 1 native
ip address 192.168.100.254 255.255.255.0
ip access-group 104 in
no cdp enable
!
! User-facing VLANs 10 ("open"/hotspot), 20 ("inside") and 90 ("users"/client2).
! NOTE(review): none of these three subinterfaces carries an "ip access-group", so the
! router forwards freely between them and toward the management VLAN; the only ACL on
! the LAN side (104) ends in "permit ip any any". That is why every VLAN currently
! reaches every other. An inbound ACL on each of these subinterfaces is where such
! forwarding would be restricted.
! traffic-shape group 110 limits traffic matching ACL 110 (all IP) to 64 kbit/s on the
! hotspot subinterface.
interface GigabitEthernet0/0.10
description hotspot
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
traffic-shape group 110 64000 8000 8000 1000
no cdp enable
!
interface GigabitEthernet0/0.20
description inside
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
no cdp enable
!
interface GigabitEthernet0/0.90
description client2
encapsulation dot1Q 90
ip address 192.168.90.1 255.255.255.0
no cdp enable
!
! WAN uplink (the description is an SDM "outside" marker). ACL 100 inbound restricts who
! may reach the router's own management ports on 10.10.1.10; like ACL 104 it ends in
! "permit ip any any" and does not filter transit traffic. No NAT statements appear in
! this configuration.
interface GigabitEthernet0/1
description $FW_OUTSIDE$$ES_WAN$
ip address 10.10.1.10 255.255.255.0
ip access-group 100 in
! ICMP redirects/unreachables and proxy-ARP off; NetFlow switching on.
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
! Single default route toward the WAN next hop.
ip route 0.0.0.0 0.0.0.0 10.10.1.1
!
! Web management (SDM) over plain HTTP only: HTTPS is disabled, and access is limited
! to the sources in ACL 1 (10.10.1.0/24 and 192.168.100.0/24).
! NOTE(review): with "no ip http secure-server" the local admin credentials are sent to
! the router in cleartext.
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
! Remote syslog at debugging level to the WAN next hop, facility local3.
logging trap debugging
logging facility local3
logging 10.10.1.1
! ACL 1: source filter for the HTTP server ("ip http access-class 1"): the WAN-side
! subnet 10.10.1.0/24 and the management subnet only.
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 1 permit 192.168.100.0 0.0.0.255
! ACL 100 (inbound on GigabitEthernet0/1): management services on 10.10.1.10 — telnet,
! ssh, http, https and rsh ("cmd", tcp/514) — are allowed only from 10.10.1.0/24, then
! denied from any other source together with SNMP; everything else is permitted.
! Because of the final "permit ip any any" this ACL does not filter transit traffic.
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 10.10.1.0 0.0.0.255 host 10.10.1.10 eq telnet
access-list 100 permit tcp 10.10.1.0 0.0.0.255 host 10.10.1.10 eq 22
access-list 100 permit tcp 10.10.1.0 0.0.0.255 host 10.10.1.10 eq www
access-list 100 permit tcp 10.10.1.0 0.0.0.255 host 10.10.1.10 eq 443
access-list 100 permit tcp 10.10.1.0 0.0.0.255 host 10.10.1.10 eq cmd
access-list 100 deny tcp any host 10.10.1.10 eq telnet
access-list 100 deny tcp any host 10.10.1.10 eq 22
access-list 100 deny tcp any host 10.10.1.10 eq www
access-list 100 deny tcp any host 10.10.1.10 eq 443
access-list 100 deny tcp any host 10.10.1.10 eq cmd
access-list 100 deny udp any host 10.10.1.10 eq snmp
access-list 100 permit ip any any
! The entry below is unreachable: the preceding "permit ip any any" already matches
! everything. Harmless, but dead configuration.
access-list 100 permit udp host 10.10.1.10 host 10.10.1.1
! ACL 101 / 102: access-class on the vty lines; remote CLI login only from 10.10.1.0/24
! and 192.168.100.0/24.
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.10.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
! ACL 104 (inbound on GigabitEthernet0/0 and 0/0.1): same shape as ACL 100, protecting
! the router's management address 192.168.100.254 from sources outside
! 192.168.100.0/24. Its final "permit ip any any" leaves forwarding between the VLANs
! unrestricted — it is not an inter-VLAN filter.
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq telnet
access-list 104 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq 22
access-list 104 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq www
access-list 104 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq 443
access-list 104 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.254 eq cmd
access-list 104 deny tcp any host 192.168.100.254 eq telnet
access-list 104 deny tcp any host 192.168.100.254 eq 22
access-list 104 deny tcp any host 192.168.100.254 eq www
access-list 104 deny tcp any host 192.168.100.254 eq 443
access-list 104 deny tcp any host 192.168.100.254 eq cmd
access-list 104 deny udp any host 192.168.100.254 eq snmp
access-list 104 permit ip any any
! ACL 110: match-everything list used by "traffic-shape group 110" on
! GigabitEthernet0/0.10.
access-list 110 permit ip any any
! CDP disabled globally (it is also disabled per subinterface above).
no cdp run
!
!
control-plane
!
!
! Login banner; the text between the ^C delimiters is shown before authentication.
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
! Console and aux: authenticate against the local username database.
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
! Remote CLI: sources limited by ACL 101 (vty 0-4) and ACL 102 (vty 5-15) to
! 10.10.1.0/24 and 192.168.100.0/24; authenticated sessions start at privilege 15.
! NOTE(review): only telnet is accepted ("transport input telnet"), so login credentials
! cross the network in cleartext; the image name (k9) suggests SSH is available on
! this router.
line vty 0 4
access-class 101 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 102 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end