Re: [cisco-ttl] Re: ATM - Solved...

From: A.Murat BAYRAM (mbayram_at_yyu.edu.tr)
Date: Thu Oct 23 2003 - 12:16:04 GMT


    Whether the MYOs passed through the firewall rules (or not) was not the
    problem. In fact, I had already said that they were passing through, but
    they could not get out through the gateway. Now they do not pass through
    the firewall rules, but the intranet is also reachable via a patch made
    from one of the gateway's FastEthernet interfaces to the switch.
    But I cannot go on without admitting this: it is unavoidable that our
    system be reviewed from top to bottom. The firewall in particular has
    become a complete jumble. From time to time it clogs up, and when it
    clogs, the whole system naturally clogs up too.

    By the way, Websense has Cisco PIX monitoring support. Is anyone using
    it? Would you recommend it?

    > Murat Hoca, we thought the problem was getting the MYOs through the
    > firewall rules.
    >
    > Didn't it work the way Ilker Bey described?
    >
    >
    > --- In cisco-ttl_at_yahoogroups.com, "A.Murat BAYRAM" <mbayram_at_y...>
    > wrote:
    > > Hello
    > > The problem was solved by defining NAT on the 7200. This way the MYOs
    > > go out not through the firewall but through the NAT definitions on
    > > the router, and they see the intranet via fastethernet0/1....
    > > Regards...
    > >
    > > > As I explained before, create two VLANs on the switch (Vlan X & Y).
    > > > Put the PIX's internal interface in VlanX and its external
    > > > interface in VlanY. On the 7200, define a subinterface for each of
    > > > the two VLANs and set up a trunk between it and the switch.
    > > >
    > > > Redirect the packets coming from the MYOs to the PIX over VlanX
    > > > using PBR; the PIX will pass these packets through the firewall
    > > > rules and send them back to the 7200 over VlanY. From there you
    > > > provide the exit to the Internet.
    > > >
    > > > You can find all the configuration examples you will need by
    > > > searching www.cisco.com with the relevant keywords.
    > > >
    > > > Ilker
    > > >
    > > > A.Murat BAYRAM wrote:
    > > > > Hello,
    > > > >
    > > > > We have an ATM connection from our center to the remote units via
    > > > > a 7200 router. Over the same line we are also connected to
    > > > > ULAKNET. We use a PIX Firewall. However, after routing the other
    > > > > units inside, they cannot get out. From the units' routers, the
    > > > > 193.140.0.134 leg to which ULAKNET is connected can be pinged,
    > > > > but when a trace to the outside is run from these routers, for
    > > > > example:
    > > > >
    > > > > MUS_SAGLIK_MYO#trace 212.156.4.4
    > > > >
    > > > > Type escape sequence to abort.
    > > > > Tracing the route to 212.156.4.4
    > > > >
    > > > > 1 10.200.30.1 64 msec 68 msec 64 msec
    > > > > 2 * * *
    > > > >
    > > > > it continues like this. For the users there to be able to reach
    > > > > the outside, we had to set up a proxy server inside; when the
    > > > > proxy has a problem, their connection is cut off as well.
    > > > > İlker Temir Bey had suggested that, if we use a switch with dot1q
    > > > > support, we define two subinterfaces on fastethernet0/0 and, on
    > > > > the switch, put one of them on the firewall internal side and the
    > > > > other on the external side. We use a 6006 core switch. The sh ver
    > > > > output is below.. "This way you redirect the traffic coming from
    > > > > the units (that is, from the Vocational Schools of Higher
    > > > > Education, MYO) to the firewall's internal leg using PBR (ip
    > > > > policy route-map) on the 7200. With this method you make the
    > > > > MYOs, in a sense, part of your internal network," he had said.
    > > > >
    > > > > VYY_6506 sh ver
    > > > > WS-C6006 Software, Version NmpSW: 5.5(1)
    > > > > Copyright (c) 1995-2000 by Cisco Systems
    > > > > NMP S/W compiled on Jun 8 2000, 21:09:45
    > > > >
    > > > > System Bootstrap Version: 5.3(1)
    > > > >
    > > > > Hardware Version: 2.0 Model: WS-C6006 Serial #: TBA04510859
    > > > >
    > > > > Mod Port Model               Serial #    Versions
    > > > > --- ---- ------------------- ----------- ----------------
    > > > > 1   2    WS-X6K-SUP1A-2GE    SAD05020DAT Hw : 7.0
    > > > >                                          Fw : 5.3(1)
    > > > >                                          Fw1: 5.4(2)
    > > > >                                          Sw : 5.5(1)
    > > > >                                          Sw1: 5.5(1)
    > > > >          L3 Switching Engine SAD05020F26 Hw : 1.1
    > > > > 3   16   WS-X6416-GBIC       SAD043609TJ Hw : 1.2
    > > > >                                          Fw : 5.4(2)
    > > > >                                          Sw : 5.5(1)
    > > > > 4   48   WS-X6348-RJ-45      SAL044111CT Hw : 1.4
    > > > >                                          Fw : 5.4(2)
    > > > >                                          Sw : 5.5(1)
    > > > > 15  1    WS-F6K-MSFC2        SAD05020HPZ Hw : 1.1
    > > > >                                          Fw : 12.1(2)E,
    > > > >                                          Sw : 12.1(2)E,
    > > > >
    > > > >        DRAM                    FLASH                   NVRAM
    > > > > Module Total   Used    Free    Total   Used    Free    Total Used  Free
    > > > > ------ ------- ------- ------- ------- ------- ------- ----- ----- -----
    > > > > 1       65408K  38689K  26719K  16384K   6925K   9459K  512K  230K  282K
    > > > >
    > > > > Uptime is 237 days, 21 hours, 7 minutes
    > > > > ---------------------------------------------------------
    > > > >
    > > > > So, could you help with a configuration example for this that we
    > > > > can apply to both the 7200 and the switch?
    > > > > The sh ver output and config of the 7200 router, and the config
    > > > > of one of the schools, are as below...
    > > > >
    > > > >> > VanYYU#sh ver
    > > > >> > Cisco Internetwork Operating System Software
    > > > >> > IOS (tm) 7200 Software (C7200-IS-M), Version 12.1(9)E3, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    > > > >> > TAC Support: http://www.cisco.com/tac
    > > > >> > Copyright (c) 1986-2002 by cisco Systems, Inc.
    > > > >> > Compiled Mon 11-Feb-02 20:39 by eaarmas
    > > > >> > Image text-base: 0x60008950, data-base: 0x61178000
    > > > >> >
    > > > >> > ROM: System Bootstrap, Version 12.2(4r)B2, RELEASE SOFTWARE (fc2)
    > > > >> > BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.1(8a)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    > > > >> >
    > > > >> > VanYYU uptime is 2 weeks, 2 hours, 35 minutes
    > > > >> > System returned to ROM by reload
    > > > >> > System restarted at 10:43:52 UTC Sun Aug 31 2003
    > > > >> > System image file is "disk0:c7200-is-mz.121-9.E3.bin"
    > > > >> >
    > > > >> > cisco 7206VXR (NPE400) processor (revision A) with 114688K/16384K bytes of memory.
    > > > >> > Processor board ID 26807173
    > > > >> > R7000 CPU at 350Mhz, Implementation 39, Rev 3.3, 256KB L2, 4096KB L3 Cache
    > > > >> > 6 slot VXR midplane, Version 2.6
    > > > >> >
    > > > >> > Last reset from power-on
    > > > >> > G.703/E1 software, Version 1.0.
    > > > >> > G.703/JT2 software, Version 1.0.
    > > > >> > Bridging software.
    > > > >> > X.25 software, Version 3.0.0.
    > > > >> > 2 FastEthernet/IEEE 802.3 interface(s)
    > > > >> > 4 Serial network interface(s)
    > > > >> > 1 ATM network interface(s)
    > > > >> > 125K bytes of non-volatile configuration memory.
    > > > >> >
    > > > >> > 47040K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
    > > > >> > 8192K bytes of Flash internal SIMM (Sector size 256K).
    > > > >> > Configuration register is 0x2102
    > > > >> > ------------------------------------------------------
    > > > >> > VanYYU# sh run
    > > > >> >
    > > > >> > Building configuration...
    > > > >> >
    > > > >> > Current configuration : 2238 bytes
    > > > >> > !
    > > > >> > ! Last configuration change at 12:37:19 UTC Sun Sep 14 2003
    > > > >> > ! NVRAM config last updated at 11:46:27 UTC Sun Sep 14 2003
    > > > >> > !
    > > > >> > version 12.1
    > > > >> > service timestamps debug uptime
    > > > >> > service timestamps log uptime
    > > > >> > service password-encryption
    > > > >> > !
    > > > >> > hostname VanYYU
    > > > >> > !
    > > > >> > enable password 7 *********
    > > > >> > !
    > > > >> > ip subnet-zero
    > > > >> > ip cef
    > > > >> > !
    > > > >> > !
    > > > >> > !
    > > > >> > !
    > > > >> > !
    > > > >> > !
    > > > >> >
    > > > >> > !
    > > > >> > interface FastEthernet0/0
    > > > >> > description connected to FIREWALL OUTSIDE
    > > > >> > ip address 193.255.143.254 255.255.255.0
    > > > >> > duplex auto
    > > > >> > speed auto
    > > > >> > !
    > > > >> > interface FastEthernet0/1
    > > > >> > description buradan core switche bir baglanti yaptik
    > > > >> > ip address 10.100.0.200 255.255.255.0
    > > > >> > duplex auto
    > > > >> > speed auto
    > > > >> > !
    > > > >> > interface Serial2/0
    > > > >> > no ip address
    > > > >> > encapsulation atm-dxi
    > > > >> > no keepalive
    > > > >> > serial restart-delay 0
    > > > >> > !
    > > > >> > interface Serial2/1
    > > > >> > no ip address
    > > > >> > shutdown
    > > > >> > serial restart-delay 0
    > > > >> > !
    > > > >> > interface Serial2/2
    > > > >> > no ip address
    > > > >> > shutdown
    > > > >> > serial restart-delay 0
    > > > >> > !
    > > > >> > interface Serial2/3
    > > > >> > no ip address
    > > > >> > shutdown
    > > > >> > serial restart-delay 0
    > > > >> > !
    > > > >> > interface ATM3/0
    > > > >> > bandwidth 8129
    > > > >> > ip address 193.140.0.134 255.255.255.252
    > > > >> > no atm sonet ilmi-keepalive
    > > > >> > no atm ilmi-keepalive
    > > > >> > pvc 0/34
    > > > >> > protocol ip 193.140.0.133
    > > > >> > encapsulation aal5snap
    > > > >> > !
    > > > >> > !
    > > > >> > interface ATM3/0.1 point-to-point
    > > > >> > description Bitlis MYO
    > > > >> > ip address 10.200.50.1 255.255.255.0
    > > > >> > pvc 0/151
    > > > >> > protocol ip 10.200.50.2
    > > > >> > encapsulation aal5snap
    > > > >> > !
    > > > >> > !
    > > > >> > interface ATM3/0.2 point-to-point
    > > > >> > description Mus MYO
    > > > >> > ip address 10.200.30.1 255.255.255.0
    > > > >> > pvc 0/35
    > > > >> > protocol ip 10.200.30.2
    > > > >> > broadcast
    > > > >> > encapsulation aal5snap
    > > > >> > !
    > > > >> > !
    > > > >> > interface ATM3/0.3 point-to-point
    > > > >> > description Hakkari MYO
    > > > >> > ip address 10.200.40.1 255.255.255.0
    > > > >> > pvc 0/36
    > > > >> > protocol ip 10.200.40.2
    > > > >> > broadcast
    > > > >> > encapsulation aal5snap
    > > > >> > !
    > > > >> > !
    > > > >> > interface Virtual-Template2
    > > > >> > no ip address
    > > > >> > !
    > > > >> > router eigrp 100
    > > > >> > network 10.0.0.0
    > > > >> > no auto-summary
    > > > >> > no eigrp log-neighbor-changes
    > > > >> > !
    > > > >> > ip classless
    > > > >> > ip route 0.0.0.0 0.0.0.0 193.140.0.133
    > > > >> > ip route 10.200.0.0 255.255.0.0 10.100.0.254
    > > > >> > no ip http server
    > > > >> > !
    > > > >> > ip access-list logging interval 3
    > > > >> > snmp-server community *** RO
    > > > >> > snmp-server community *** RW
    > > > >> > snmp-server contact webmaster_at_y...
    > > > >> > snmp-server host 10.140.0.5 ****
    > > > >> > banner login ^CWelcome Van Yuzuncu Yil Universitesi Router^C
    > > > >> > !
    > > > >> > line con 0
    > > > >> > line aux 0
    > > > >> > line vty 0 4
    > > > >> > exec-timeout 0 0
    > > > >> > password 7 ***********
    > > > >> > login
    > > > >> > line vty 5 15
    > > > >> > password 7 ***********
    > > > >> > login
    > > > >> > !
    > > > >> > end
    > > > >> >
    > > > >> > ---------------------------------------------------------------------
    > > > >> > MUS_SAGLIK_MYO#sh run
    > > > >> > Building configuration...
    > > > >> >
    > > > >> > Current configuration : 1894 bytes
    > > > >> > !
    > > > >> > version 12.1
    > > > >> > service timestamps debug uptime
    > > > >> > service timestamps log uptime
    > > > >> > no service password-encryption
    > > > >> > !
    > > > >> > hostname MUS_SAGLIK_MYO
    > > > >> > !
    > > > >> > enable password ****
    > > > >> > !
    > > > >> > !
    > > > >> > !
    > > > >> > !
    > > > >> > !
    > > > >> > memory-size iomem 25
    > > > >> > ip subnet-zero
    > > > >> > no ip finger
    > > > >> > no ip domain-lookup
    > > > >> > !
    > > > >> > !
    > > > >> > !
    > > > >> > interface Serial0
    > > > >> > no ip address
    > > > >> > encapsulation frame-relay IETF
    > > > >> > frame-relay lmi-type ansi
    > > > >> > !
    > > > >> > interface Serial0.1 point-to-point
    > > > >> > ip address 10.200.30.2 255.255.255.0
    > > > >> > frame-relay interface-dlci 35
    > > > >> > !
    > > > >> > interface Serial1
    > > > >> > no ip address
    > > > >> > no keepalive
    > > > >> > shutdown
    > > > >> > !
    > > > >> > interface FastEthernet0
    > > > >> > ip address 10.1.30.254 255.255.255.0
    > > > >> > speed auto
    > > > >> > !
    > > > >> > router eigrp 100
    > > > >> > network 10.0.0.0
    > > > >> > no auto-summary
    > > > >> > no eigrp log-neighbor-changes
    > > > >> > !
    > > > >> > ip classless
    > > > >> > ip route 0.0.0.0 0.0.0.0 10.100.0.5 (this is the PIX's IP)
    > > > >> > no ip http server
    > > > >> > !
    > > > >> > snmp-server community *** RW
    > > > >> > snmp-server community *** RO
    > > > >> > banner login ^CMUS SAGLiK^C
    > > > >> > !
    > > > >> > line con 0
    > > > >> > transport input none
    > > > >> > line aux 0
    > > > >> > line vty 0 4
    > > > >> > password ***
    > > > >> > login
    > > > >> > !
    > > > >> > end
    > > > >> >
    > > > >
    > > > >
    > > > > Thanks...
    > > > >
    > > > >
    > > > >
    > > > > This list has no direct connection with Cisco Systems.
    > > > >
    > > > > To leave the list, you can send an e-mail to
    > > > > cisco-ttl-unsubscribe_at_yahoogroups.com.
    > > > >
    > > > > Your use of Yahoo! Groups is subject to
    > > > > http://docs.yahoo.com/info/terms/
    ------- End of Original Message -------
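
The PBR design that Ilker describes in the quoted text, sketched as a Cisco IOS fragment for the 7200. This is an added example, not configuration posted by anyone in the thread. The VLAN IDs (10 and 20), the ACL number, the route-map name and the treatment of 10.0.0.0/8 as "intranet" are assumptions; the interface names, 10.100.0.5 (PIX), 10.1.30.0/24 (Mus MYO LAN) and the two interface addresses are taken from the posted configs.

```cisco
! Added example. VLAN IDs, ACL number and route-map name are assumptions.
! The two addresses below are the ones posted on Fa0/1 and Fa0/0; they must
! be removed from the physical interfaces before being reused here.
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 description VlanX - PIX internal segment
 encapsulation dot1Q 10
 ip address 10.100.0.200 255.255.255.0
!
interface FastEthernet0/0.20
 description VlanY - PIX external segment
 encapsulation dot1Q 20
 ip address 193.255.143.254 255.255.255.0
!
! Traffic from the MYO LAN to the intranet (assumed 10.0.0.0/8) is denied by
! the ACL, so it does not match the route-map and is routed normally.
! Everything else from the MYO LAN is handed to the PIX internal interface.
access-list 110 deny   ip 10.1.30.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 10.1.30.0 0.0.0.255 any
!
route-map MYO-VIA-PIX permit 10
 match ip address 110
 set ip next-hop 10.100.0.5
!
! Apply the policy where MYO traffic enters the 7200.
interface ATM3/0.2 point-to-point
 description Mus MYO
 ip policy route-map MYO-VIA-PIX
```

On the router, `show ip policy` lists the interfaces the route-map is bound to, and `show route-map MYO-VIA-PIX` shows the match counters, which confirms that MYO traffic is actually being steered to the firewall rather than leaving directly.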




    This archive was generated by hypermail 2.1.5 : Thu Oct 23 2003 - 16:36:01 GMT