
December 2020

jialingwang4038
Beginner

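A question about a switch configuration example

How should I configure the Cisco 3650 so that computer A can reach computer B? The 3650 configuration is pasted below. On the Huawei firewall, the interfaces are in the same VLAN, so they should be switch ports. In testing so far, A can reach 10.129.5.129 but cannot reach B.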

1.png

Current configuration : 5323 bytes
!
! Last configuration change at 06:05:19 UTC Fri Oct 22 2021
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$vPIu$uCVCgt1hokvBU07IVhc7O/
!
username admin privilege 15 password 0 123456
no aaa new-model
switch 1 provision ws-c3650-48ts
!
!
!
!
!
!
!
!
qos queue-softmax-multiplier 100
!
crypto pki trustpoint TP-self-signed-3233026067
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3233026067
revocation-check none
rsakeypair TP-self-signed-3233026067
!
!
crypto pki certificate chain TP-self-signed-3233026067
certificate self-signed 01
quit
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
mode sso
!
!
!
class-map match-any non-client-nrt-class
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
no ip route-cache
negotiation auto
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 192.168.50.2 255.255.255.0
no ip route-cache
!
interface Vlan2
ip address 10.129.5.130 255.255.255.0
no ip route-cache
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
!
snmp-server community public RO
snmp-server contact wangjl@china-see.com
snmp-server host 192.168.50.207 zabbixcisco
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 123456
login
transport input ssh
line vty 5 15
login
!
!
monitor session 1 source interface Gi1/0/15
monitor session 1 destination interface Gi1/0/22
wsma agent exec
profile httplistener
profile httpslistener
!
wsma agent config
profile httplistener
profile httpslistener
!
wsma agent filesys
profile httplistener
profile httpslistener
!
wsma agent notify
profile httplistener
profile httpslistener
!
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
!
ap group default-group

Accepted solution
ilay
Rising star

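Problems I can see:

1. The 3650 does not have ip routing configured, so in theory A cannot reach the firewall. (I answered a similar question of yours earlier, so it is also possible that this configuration is an old one.)

2. The topology drawing shows the network as 10.129.5.0/26, but the 3650's G1/0/36 is configured with a /24 mask. The mask needs to be verified.

3. After fixing the mask, ping host B from the switch to confirm whether it is reachable (some firewalls have restrictions: different interfaces at the same security level may not be able to reach each other by default).

Based on the checks above:

If the switch can reach B but A -> B still fails, check B's default gateway and whether a route for the 192.168.50.0/24 segment exists on the firewall.

That is basically it. // One more setting unrelated to the problem: I recommend also configuring spanning-tree portfast on the access ports to speed up port convergence.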

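The first two checks in the accepted answer (missing `ip routing`, and an SVI mask that disagrees with the topology drawing) can be run automatically against a saved running-config. The script below is an added example, not part of the original thread or any Cisco tool; the function names `parse_ios` and `audit` are hypothetical, the planned prefix length is assumed to be read from the drawing, and the sample text reuses the SVI lines from the two configurations posted in this thread.

```python
import ipaddress
import re

def parse_ios(config):
    """Return (ip_routing_enabled, {interface: IPv4Interface}) from running-config text."""
    routing, addrs, current = False, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None                      # "!" ends the interface stanza
        elif line == "ip routing":
            routing = True
        elif m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            addrs[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return routing, addrs

def audit(config, planned_prefixlen):
    """planned_prefixlen: interface name -> prefix length taken from the topology drawing."""
    routing, addrs = parse_ios(config)
    findings = []
    if len(addrs) > 1 and not routing:
        findings.append("ip routing missing: no forwarding between " + ", ".join(sorted(addrs)))
    for name, iface in sorted(addrs.items()):
        want = planned_prefixlen.get(name)
        if want is not None and iface.network.prefixlen != want:
            findings.append(f"{name}: configured /{iface.network.prefixlen}, planned /{want}; "
                            f"{iface.network} is treated as directly connected")
    return findings

# SVI lines from the two configurations posted in this thread (excerpt).
TEMPLATE = """\
{routing}
!
interface Vlan1
 ip address 192.168.50.2 255.255.255.0
!
interface Vlan2
 ip address 10.129.5.130 {mask}
"""
BEFORE = TEMPLATE.format(routing="!", mask="255.255.255.0")
AFTER = TEMPLATE.format(routing="ip routing", mask="255.255.255.192")
PLAN = {"Vlan2": 26}   # assumption: /26 as read from the topology drawing

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg, PLAN) or "no findings")
```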

6 replies

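Hello, following your suggestions I configured ip routing on the 3650 and set G1/0/36 to a /26 mask. After that, the switch can ping host B, but A -> B still fails. A can reach B's default gateway, and B -> A works.

I checked: B's default gateway is 10.129.5.129, and the route for the 192.168.50.0/24 segment also exists on the firewall.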


aaa session-id common
switch 1 provision ws-c3650-48ts
!
!
!
!
!
ip routing
!
ip domain-name SEECHINA
!
!
qos queue-softmax-multiplier 100
!
crypto pki trustpoint TP-self-signed-3233026067
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3233026067
revocation-check none
rsakeypair TP-self-signed-3233026067
!
!
crypto pki certificate chain TP-self-signed-3233026067
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
mode sso
!
!
!
class-map match-any non-client-nrt-class
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface GigabitEthernet1/0/29
!
interface GigabitEthernet1/0/30
!
interface GigabitEthernet1/0/31
!
interface GigabitEthernet1/0/32
!
interface GigabitEthernet1/0/33
!
interface GigabitEthernet1/0/34
!
interface GigabitEthernet1/0/35
!
interface GigabitEthernet1/0/36
switchport access vlan 2
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 192.168.50.2 255.255.255.0
!
interface Vlan2
ip address 10.129.5.130 255.255.255.192
!
ip default-gateway 10.129.5.129
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip ssh source-interface Vlan1
ip ssh version 2
!

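B -> A working proves the routing is fine; at the very least, the packets in both directions are getting through normally. In that case, permitting traffic with source address 192.168.50.0/24 on the firewall should be enough.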

 

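So it looks like the problem is on the firewall, right? But the firewall already permits traffic with source address 192.168.50.0/24, and the firewall interfaces are all in the same VLAN in a single trust zone.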

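Yes, it should be the firewall, but it is hard to say exactly which module is dropping the traffic.

Setting the firewall aside, this is essentially two hosts and one switch communicating across subnets. Since B -> A works, there is no problem at all at the routing layer, so the only thing left is to check whether something on the firewall is configured inappropriately.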

Thank you very much!!
