Re: [cisco-ttl] cisco 4006 switch - IP - MAC mapping

From: Serhat Erkan <serhaterkan_at_....>
Date: Wed Nov 08 2006 - 21:34:49 EET


Two steps are needed.
1. Assigning a static MAC to each port prevents anyone with a different MAC address from working on that port. (May not be necessary.)
2. Defining static ARP entries on whichever device is the first-hop router (the 4006) solves the problem. But put simply, if the switches are 24-port, that means 8x24=192 static ARP entries; alternatively, with DHCP, only pre-determined MACs can be assigned pre-determined IPs.

Regards,

On 11/8/06, belgin sarper <belginsarper@yahoo.com> wrote:
>
> Hello,
>
> We have a topology like the one below and a problem related to it. I would
> appreciate it if you could help.
>
> At the edges: Cisco 2950, 8 in total
> At the core: Cisco Catalyst 4006 switch with L3 module. The switch has a total
> of 8 fiber ports and 32 Ethernet ports.
> The 2950s connect to the 4006 over fiber. Traffic aggregates at the 4006 and
> exits to the firewall (the fw is connected to one of the Ethernet ports), then
> via the firewall to a Cisco 7206 and the Internet.
> VLANs are defined on the legs attached to each fiber port. Users on the
> network have been given static IPs. There is no domain structure.
> Our goal is to prevent users from changing their IPs. For this we want to do
> IP-MAC mapping on the firewall. However, since the switch operates at L3, all
> users' MACs come as far as the switch's fiber ingress but naturally do not
> pass through to the firewall side.
> First, can IP-MAC mapping be done on the 2950 or the 4006?
> Second, how can I pass the MACs through to the firewall?
> I would appreciate your help on this.
>
> Thanks.
>
> Relevant information:
>
> Cisco 2950
>
> Cisco Internetwork Operating System Software
> IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE
> SOFTWARE (fc1)
> Copyright (c) 1986-2003 by cisco Systems, Inc.
> cisco WS-C2950G-24-EI (RC32300) processor (revision G0) with 20839K bytes
> of memory.
> Processor board ID FOC0733Z20G
> Last reset from system-reset
> Running Enhanced Image
> 24 FastEthernet/IEEE 802.3 interface(s)
> 2 Gigabit Ethernet/IEEE 802.3 interface(s)
>
> Cisco 4006
>
> Cisco Internetwork Operating System Software
> IOS (tm) L3 Switch/Router Software (CAT4232-IN-M), Version 12.0(7)W5(15d)
> RELEASE SOFTWARE
> Copyright (c) 1986-2000 by cisco Systems, Inc
>
>
> The firewall is on Port-channel1.8.
>
> Config on 4006
>
> version 12.0
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> !
> ip subnet-zero
> !
> !
> !
> interface Port-channel1
> bandwidth 1000000
> no ip address
> no ip directed-broadcast
> no ip mroute-cache
> load-interval 30
> hold-queue 300 in
> !
> interface Port-channel1.1
> encapsulation dot1Q 1
> ip address xxxx 255.255.255.128 secondary
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.192 secondary
> ip address xxxx 255.255.255.192 secondary
> ip address xxxx 255.255.255.192
> no ip redirects
> no ip directed-broadcast
> ip accounting output-packets
> no ip mroute-cache
> !
> interface Port-channel1.2
> encapsulation dot1Q 2
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0
> ip access-group 182 in
> ip access-group 182 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.3
> encapsulation dot1Q 3
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0
> ip access-group 112 in
> ip access-group 112 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.4
> encapsulation dot1Q 4
> ip address xxxx 255.255.255.0
> ip access-group 182 in
> ip access-group 182 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.5
> encapsulation dot1Q 5
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0
> ip access-group 112 in
> ip access-group 112 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.6
> encapsulation dot1Q 6
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0
> ip access-group 112 in
> ip access-group 112 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.7
> encapsulation dot1Q 7
> ip address xxxx 255.255.255.0
> ip access-group 112 in
> ip access-group 112 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.8
> encapsulation dot1Q 8
> ip address xxxx 255.255.255.128 secondary
> ip address xxxx 255.255.255.192 secondary
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0
> ip access-group 112 in
> ip access-group 112 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.24
> encapsulation dot1Q 24
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.25
> encapsulation dot1Q 25
> ip address xxxx 255.255.255.0
> ip access-group 112 in
> ip access-group 112 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.99
> encapsulation dot1Q 99 native
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface FastEthernet1
> no ip address
> no ip directed-broadcast
> !
> interface GigabitEthernet1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface GigabitEthernet2
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface GigabitEthernet3
> no ip address
> no ip directed-broadcast
> no ip mroute-cache
> no negotiation auto
> channel-group 1
> !
> interface GigabitEthernet4
> no ip address
> no ip directed-broadcast
> no ip mroute-cache
> no negotiation auto
> channel-group 1
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 xxxx
> ip route xxxx 255.255.255.248 Port-channel1.24
> ip route xxxx 255.255.255.255 Port-channel1.1
> ip route xxxx 255.255.255.255 Port-channel1.1
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.128 Port-channel1.1
> ip route xxxx 255.255.255.255 Port-channel1.8
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.2
> ip route xxxx 255.255.255.255 Port-channel1.2
> ip route xxxx 255.255.255.255 Port-channel1.2
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> !
> access-list 112 permit ip any any
> access-list 112 permit tcp any any
> access-list 112 permit udp any any
> access-list 182 deny tcp any any eq 445
> access-list 182 deny tcp any any eq 135
> access-list 182 deny tcp any any eq 137
> access-list 182 deny udp any any eq netbios-ns
> access-list 182 permit ip any any
> access-list 199 permit ip xxxx 0.0.0.255 any
> arp 127.0.0.2 0002.fc2a.2800 ARP
> !
> end
>
>
>
>

Received on Thu Nov 9 12:02:48 2006
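The two steps in the reply above (a static MAC pinned to each 2950 access port, and a static ARP entry per host on the 4006 as first hop) come down to one IP-MAC inventory rendered twice, and with eight 24-port switches that is the 192-entry list the reply mentions. The following generator is an added example, not part of the original thread or anyone's posted config: it takes a constructed CSV inventory (switch, port, ip, mac; the format and the sample rows are assumptions for illustration), normalizes the MACs into Cisco dotted form, refuses to proceed if an IP or a MAC appears on two rows, and emits per-switch port-security stanzas plus the global `arp` lines for the 4006. The port-security keywords are assumed to match what the 2950 EI image supports; the `arp <ip> <mac> arpa` form is the standard IOS static-ARP command.

```python
"""Render one IP-MAC inventory as (1) 2950 port-security config and (2) 4006
static ARP entries. Example code for this thread, not the poster's config.

Assumed inventory format (constructed for this example): CSV with columns
    switch, port, ip, mac
one row per user-facing access port.
"""
import csv
import io
import ipaddress
import re

# Constructed sample inventory: three user ports on two of the access switches.
# Deliberately mixes colon, dotted and dash MAC notations to exercise normalize_mac.
INVENTORY_CSV = """switch,port,ip,mac
sw-2950-01,FastEthernet0/1,10.1.1.11,00:02:fc:2a:28:01
sw-2950-01,FastEthernet0/2,10.1.1.12,0002.FC2A.2802
sw-2950-02,FastEthernet0/1,10.1.2.11,00-02-fc-2a-28-03
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC as Cisco dotted hhhh.hhhh.hhhh, whatever separator the
    inventory used; raise ValueError if it is not exactly 12 hex digits."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def load_inventory(text: str) -> list:
    """Parse the CSV, validate each IP and MAC, and reject duplicates.
    One IP on two ports (or one MAC on two rows) would make the two static
    tables contradict each other, so it is an error rather than a warning."""
    rows = []
    seen_ip, seen_mac = {}, {}
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        ip = str(ipaddress.IPv4Address(row["ip"].strip()))  # raises on garbage
        mac = normalize_mac(row["mac"])
        if ip in seen_ip:
            raise ValueError(f"line {lineno}: IP {ip} already used on line {seen_ip[ip]}")
        if mac in seen_mac:
            raise ValueError(f"line {lineno}: MAC {mac} already used on line {seen_mac[mac]}")
        seen_ip[ip], seen_mac[mac] = lineno, lineno
        rows.append({"switch": row["switch"].strip(), "port": row["port"].strip(),
                     "ip": ip, "mac": mac})
    return rows


def port_security_config(rows: list) -> dict:
    """Step 1 of the reply: per-switch 2950 stanzas pinning one static MAC per
    access port. 'maximum 1' plus a static address makes any other source MAC
    on that port a violation; 'restrict' drops and logs it instead of
    err-disabling the port."""
    per_switch = {}
    for r in rows:
        per_switch.setdefault(r["switch"], []).extend([
            f"interface {r['port']}",
            " switchport mode access",
            " switchport port-security",
            " switchport port-security maximum 1",
            " switchport port-security violation restrict",
            f" switchport port-security mac-address {r['mac']}",
            "!",
        ])
    return {sw: "\n".join(lines) + "\n" for sw, lines in per_switch.items()}


def static_arp_config(rows: list) -> str:
    """Step 2 of the reply: global static ARP entries for the 4006 (first hop).
    With the router's ARP table pinned, frames for a listed IP are only ever
    sent to that IP's listed MAC, whatever another host claims in ARP."""
    ordered = sorted(rows, key=lambda r: ipaddress.IPv4Address(r["ip"]))
    return "".join(f"arp {r['ip']} {r['mac']} arpa\n" for r in ordered)


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    for switch, cfg in port_security_config(inventory).items():
        print(f"! ---- {switch} ----\n{cfg}")
    print("! ---- 4006 (global config) ----")
    print(static_arp_config(inventory), end="")
```

Two practical points follow from how the pieces fit together. Static ARP on the 4006 only pins the addresses that are listed: an IP that is not in the table is still learned dynamically, so the inventory has to cover every address a user could pick (or the unused ranges have to be blocked some other way), which is why the reply counts all 192 ports rather than only the active ones. Conversely, port security alone stops a user from changing MAC, not from keeping their MAC and changing IP; only the combination of the two tables ties a given IP to a given MAC on a given port.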

This archive was generated by hypermail 2.1.8 : Thu Nov 09 2006 - 12:02:49 EET