之前全局配置过ip routing,目前是各vlan间网关均可以ping通,但其它地址均无法通讯。如vlan20接入一台PC,配置192.168.20.2,255.255.255.0 网关192.168.20.1,ping 192.168.1.199/192.168.9.1/192.168.8.1~~~均可ping通,但无法ping通各vlan接入的主机,在思科模拟器配置过,vlan间可以正常通讯。本人网络小白,没系统学习过网络路由交换知识,还请专家赐教,指点迷津。交换机配置如下:
hostname hnzb-c3560
!
enable password
!
no aaa new-model
system mtu routing 1500
vtp domain hngj
vtp mode transparent
ip subnet-zero
ip routing
no ip domain-lookup
ip name-server 192.168.1.199
!
!
mls qos
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan internal allocation policy ascending
!
vlan 2
name gg
!
vlan 3
name rlcw
!
vlan 4
name jgqt
!
vlan 5
name cdbg
!
vlan 6
name cddd
!
vlan 7
name cjck
!
vlan 8
name jk
!
vlan 9
name vlan9
!
vlan 10
name jiguan
!
vlan 20
!
vlan 30
name fuwuqi
!
vlan 40
name manager
!
vlan 50
name yilou
!
vlan 60
name shouyinzhongxin
!
vlan 70
name chedui
!
vlan 80
name chukou
!
vlan 100,200
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/6
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/7
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/8
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/9
switchport access vlan 9
switchport mode access
!
interface FastEthernet0/10
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/11
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/12
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/13
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/14
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/15
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/16
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/17
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface FastEthernet0/18
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface FastEthernet0/19
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface FastEthernet0/20
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface FastEthernet0/21
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface FastEthernet0/22
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface FastEthernet0/23
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
flowcontrol receive desired
spanning-tree portfast trunk
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip access-group 111 in
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip access-group 113 in
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
ip access-group 114 in
!
interface Vlan5
ip address 192.168.5.1 255.255.255.0
ip access-group 115 in
!
interface Vlan6
ip address 192.168.6.1 255.255.255.0
ip access-group 116 in
!
interface Vlan7
ip address 192.168.7.1 255.255.255.0
ip access-group 117 in
!
interface Vlan8
ip address 192.168.8.1 255.255.255.0
ip access-group 118 in
!
interface Vlan9
ip address 192.168.9.1 255.255.255.0
!
interface Vlan10
ip address 192.168.1.199 255.255.255.0
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
no ip address
!
interface Vlan40
no ip address
!
interface Vlan50
no ip address
!
interface Vlan60
no ip address
!
interface Vlan70
no ip address
!
router rip
passive-interface Vlan10
passive-interface Vlan20
network 192.168.1.0
!
ip default-gateway 192.168.1.10
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.2
ip route 0.0.0.0 0.0.0.0 192.168.1.10
ip http server
!
access-list 101 deny tcp 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 deny tcp 192.168.7.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 111 deny ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 111 permit ip any any
access-list 113 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 113 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 113 deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 deny ip 192.168.3.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 113 deny ip 192.168.3.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 113 deny ip 192.168.3.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 113 permit ip any any
access-list 114 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 114 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 114 deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 114 deny ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 114 deny ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 114 deny ip 192.168.4.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 114 permit ip any any
access-list 115 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 115 deny ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 115 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 115 deny ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 115 deny ip 192.168.5.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 115 permit ip any any
access-list 116 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 116 deny ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 116 deny ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 116 deny ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 116 deny ip 192.168.6.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 116 permit ip any any
access-list 117 deny ip 192.168.7.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 117 deny ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 117 deny ip 192.168.7.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 117 deny ip 192.168.7.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 117 deny ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 117 deny ip 192.168.7.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 117 permit ip any any
access-list 118 deny ip 192.168.8.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 118 deny ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 118 deny ip 192.168.8.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 118 deny ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 118 deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 118 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 118 permit ip any any
!
control-plane
!
!
line con 0
exec-timeout 0 0
line vty 0 4
password
login
length 0
line vty 5 15
login
!
end
c3560#
我也是非专科出身,但是根据个人习惯,发现你配置中几处不当配置,不知道是否有影响,可以清掉在做测试
从上往下说。
1、与上联设备或下联设备交互要么不启用VTP,要么设置与上联设备(VTP mode Server)domain一样的域名,domain不同,透明模式依然不能保证正常通信(前提上下联配置trunk模式,access不受影响)
2、端口8下trunk与本征Vlan可以共存,但是不能与access共存
3、端口11-23本征Vlan没必要设置
4、G0/1端口与8口如出一辙
5、inter vlan1 根据IOS版本不同,有所不同,老版本IOS12.0以前的vlan1 shutdown 旗下所有vlan无法通讯,其后版本更新了这个措施
6、route rip 是否本意应该向外发布192.168.0.0
7、在开启IP routing的时候,ip default-gateway是不生效的,各Vlan间靠路由通讯
8、看了你的acl就不觉得奇怪了,你的需求本身就是各Vlan自己通讯,只允许访问缺省,不通是正常的,需要哪个通讯拿掉ip access-group就可以了
以上纯属个人见解,如有不对,敬请谅解。