Good day, evening, night and possibly morning! I have a Cisco 1721 without modules. It acts as the gateway for many subnets. I noticed that from any machine on any subnet it is possible to ping not only the gateway of that subnet but the gateways of the others as well, and I would rather that were not so. Please advise how I can set this up so that each

I have also become concerned about the security of the networks in general. The goal is isolation from each other, but with routing between individual IP addresses where needed. Respected specialists, please look over the current config and share your thoughts! I will be glad of our discussion. =)

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 ЧЧЧ
enable password ЧЧЧ
!
no aaa new-model
ip subnet-zero
!
!
ip name-server ЧЧ.ЧЧ.ЧЧ.ЧЧ
!
ip flow-cache timeout inactive 60
ip flow-cache timeout active 10
ip cef
!
username ЧЧЧ privilege 15 password 0 ЧЧЧ
username ЧЧЧ privilege 15 password 0 ЧЧЧ
!
!
!
!
interface FastEthernet0
 no ip address
 ip route-cache policy
 ip route-cache flow
 ip policy route-map MAP
 speed auto
 full-duplex
 no cdp enable
!
interface FastEthernet0.80
 encapsulation dot1Q 80
 ip address 10.80.80.252 255.255.255.0
 ip nat inside
!
interface FastEthernet0.257
 encapsulation dot1Q 257
 ip address 192.168.4.37 255.255.255.0
 ip nat outside
!
interface FastEthernet0.801
 encapsulation dot1Q 801
 ip address 10.80.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.802
 encapsulation dot1Q 802
 ip address 10.80.2.1 255.255.255.0
!
interface FastEthernet0.803
 encapsulation dot1Q 803
 ip address 10.80.3.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.804
 encapsulation dot1Q 804
 ip address 10.80.4.1 255.255.255.0
!
interface FastEthernet0.805
 encapsulation dot1Q 805
 ip address 10.80.5.1 255.255.255.0
!
interface FastEthernet0.806
 encapsulation dot1Q 806
 ip address 10.80.6.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.807
 encapsulation dot1Q 807
 ip address 10.80.7.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.808
 encapsulation dot1Q 808
 ip address 10.80.8.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.809
 encapsulation dot1Q 809
 ip address 10.80.9.1 255.255.255.0
!
interface FastEthernet0.810
 encapsulation dot1Q 810
 ip address 10.80.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.811
 encapsulation dot1Q 811
 ip address 10.80.11.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.812
 encapsulation dot1Q 812
 ip address 10.80.12.1 255.255.255.0
!
interface FastEthernet0.813
 encapsulation dot1Q 813
 ip address 10.80.13.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.814
 encapsulation dot1Q 814
 ip address 10.80.14.1 255.255.255.0
!
interface FastEthernet0.815
 encapsulation dot1Q 815
 ip address 10.80.15.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.816
 encapsulation dot1Q 816
 ip address 10.80.16.1 255.255.255.0
!
interface FastEthernet0.817
 encapsulation dot1Q 817
 ip address 10.80.17.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.818
 encapsulation dot1Q 818
 ip address 10.80.18.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.819
 encapsulation dot1Q 819
 ip address 10.80.19.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.820
 encapsulation dot1Q 820
 ip address 10.80.20.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.821
 encapsulation dot1Q 821
 ip address 10.80.21.1 255.255.255.0
!
interface FastEthernet0.822
 encapsulation dot1Q 822
 ip address 10.80.22.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.823
 encapsulation dot1Q 823
 ip address 10.80.23.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0.850
 encapsulation dot1Q 850
 ip address 10.80.51.1 255.255.255.0
!
interface FastEthernet0.875
 encapsulation dot1Q 875
 ip address 10.80.75.1 255.255.255.0
!
interface FastEthernet0.880
!
ip nat pool pool1 192.168.4.200 192.168.4.200 prefix-length 24
ip nat inside source list 5 pool pool1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.4.10
ip route 10.80.1.0 255.255.255.0 192.168.4.10
ip route 10.80.1.144 255.255.255.255 10.80.1.60
ip route 10.80.3.0 255.255.255.0 192.168.4.10
ip route 10.80.6.0 255.255.255.0 192.168.4.10
ip route 10.80.7.0 255.255.255.0 192.168.4.10
ip route 10.80.8.0 255.255.255.0 192.168.4.10
ip route 10.80.10.0 255.255.255.0 192.168.4.10
ip route 10.80.11.0 255.255.255.0 192.168.4.10
ip route 10.80.13.0 255.255.255.0 192.168.4.10
ip route 10.80.15.0 255.255.255.0 192.168.4.10
ip route 10.80.17.0 255.255.255.0 192.168.4.10
ip route 10.80.18.0 255.255.255.0 192.168.4.10
ip route 10.80.19.0 255.255.255.0 192.168.4.10
ip route 10.80.20.0 255.255.255.0 192.168.4.10
ip route 10.80.22.0 255.255.255.0 192.168.4.10
ip route 10.80.23.0 255.255.255.0 192.168.4.10
ip route 10.80.80.0 255.255.255.0 192.168.4.10
ip http server
ip http authentication local
ip flow-export version 5
ip flow-export destination 192.168.4.10 20001
!
access-list 5 permit 10.80.1.0 0.0.0.255
access-list 5 permit 10.80.6.0 0.0.0.255
access-list 5 permit 10.80.7.0 0.0.0.255
access-list 5 permit 10.80.11.0 0.0.0.255
access-list 5 permit 10.80.80.0 0.0.0.255
access-list 5 permit 10.80.19.0 0.0.0.255
access-list 5 permit 10.80.20.0 0.0.0.255
access-list 5 permit 10.80.15.0 0.0.0.255
access-list 5 permit 10.80.17.0 0.0.0.255
access-list 5 permit 10.80.13.0 0.0.0.255
access-list 5 permit 10.80.8.0 0.0.0.255
access-list 5 permit 10.80.23.0 0.0.0.255
access-list 5 permit 10.80.22.0 0.0.0.255
access-list 5 permit 10.80.10.0 0.0.0.255
access-list 5 permit 10.80.18.0 0.0.0.255
access-list 5 permit 10.80.3.0 0.0.0.255
access-list 101 permit ip any 10.80.80.0 0.0.0.255
access-list 101 permit ip any 10.80.1.0 0.0.0.255
access-list 101 permit ip any 10.80.6.0 0.0.0.255
access-list 101 permit ip any 10.80.7.0 0.0.0.255
access-list 101 permit ip any 10.80.11.0 0.0.0.255
access-list 101 permit ip any 10.80.19.0 0.0.0.255
access-list 101 permit ip any 10.80.20.0 0.0.0.255
access-list 101 permit ip any 10.80.15.0 0.0.0.255
access-list 101 permit ip any 10.80.17.0 0.0.0.255
access-list 101 permit ip any 10.80.13.0 0.0.0.255
access-list 101 permit ip any 10.80.8.0 0.0.0.255
access-list 101 permit ip any 10.80.23.0 0.0.0.255
access-list 101 permit ip any 10.80.22.0 0.0.0.255
access-list 101 permit ip any 10.80.10.0 0.0.0.255
access-list 101 permit ip any 10.80.18.0 0.0.0.255
access-list 101 permit ip any 10.80.3.0 0.0.0.255
access-list 102 permit ip host 10.80.17.250 host 10.80.1.60
access-list 102 permit ip host 10.80.1.60 host 10.80.17.250
access-list 103 deny ip any any
access-list 103 permit ip any host 10.80.1.217
access-list 103 permit ip host 10.80.1.217 any
route-map MAP permit 10
 match ip address 101
 set interface FastEthernet0
!
snmp-server community public RO
!
line con 0
line aux 0
 no exec
line vty 0 4
 password rfhbpvf94
 login
!
end
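An added example, not part of the original post: a small Python model of IOS first-match ACL evaluation, run over access lists 102 and 103 from the config above, which shows that both permit entries of list 103 can never match because `deny ip any any` precedes them. It handles only `ip` entries whose operands are `any`, `host A` or address plus wildcard, and all function names are this example's own.

```python
import ipaddress

# ACLs 102 and 103 copied from the posted config (sample input for this example).
CONFIG = """\
access-list 102 permit ip host 10.80.17.250 host 10.80.1.60
access-list 102 permit ip host 10.80.1.60 host 10.80.17.250
access-list 103 deny ip any any
access-list 103 permit ip any host 10.80.1.217
access-list 103 permit ip host 10.80.1.217 any
"""

def _addr(tok):
    """Consume one operand ('any', 'host A' or 'A WILDCARD') as (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse(config):
    """Return {acl_number: [(action, src, dst, line), ...]} for 'ip' entries only."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        rest = tok[4:]
        acls.setdefault(tok[1], []).append((tok[2], _addr(rest), _addr(rest), line))
    return acls

def _hit(spec, ip):
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(entries, src, dst):
    """IOS semantics: the first matching entry decides; no match is an implicit deny."""
    for action, s, d, _ in entries:
        if _hit(s, src) and _hit(d, dst):
            return action
    return "deny"

def shadowed(entries):
    """Lines that can never match because an earlier entry covers them completely."""
    def covers(a, b):  # every address b matches is also matched by a
        return (b[1] | a[1]) == a[1] and (a[0] | a[1]) == (b[0] | a[1])
    return [line for i, (_, s, d, line) in enumerate(entries)
            if any(covers(ps, s) and covers(pd, d) for _, ps, pd, _ in entries[:i])]
```

`shadowed(parse(CONFIG)["103"])` returns both permit lines of list 103, and `evaluate` on that list denies traffic to 10.80.1.217; with the two permit entries placed ahead of the deny, the same call returns `permit`.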