The OpenNET Project forum
Original message
"Sneaky ACL! How do I make it work?"
Posted by Luxor, 12-Dec-07 12:14
Configuration file:

Current configuration : 19752 bytes
!
! Last configuration change at 08:56:51 UTC Wed Dec 12 2007 by anton
! NVRAM config last updated at 08:56:52 UTC Wed Dec 12 2007 by anton
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname sw1-prom111
!
enable password 7 01100F175804
!

aaa new-model
aaa configuration config-username anton
!
aaa session-id common
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
errdisable recovery cause link-monitor-failure
errdisable recovery cause oam-remote-failure
errdisable recovery cause loopback
errdisable recovery interval 60
mls aclmerge delay 100
mls qos
ip subnet-zero
ip routing

!
ip dhcp snooping vlan 20-22,25,27
ip dhcp snooping database flash:/dhcpsnoop.text
no ip dhcp snooping verify mac-address
ip dhcp snooping
vtp mode transparent
!
password encryption aes
!
vlan internal allocation policy ascending
!
vlan 2
name Managment
!
vlan 20
name kis1
!
vlan 21
name kis2
!
vlan 22
name KDprogress
!
vlan 23
name KiselClients10-5-5
!
vlan 24
name KiselClients10-5-6
!
vlan 25
name BauMarket
!
vlan 27
name Kiselevka10-5-4
!
!
class-map match-any Queue1
  match access-group name QoS_Punk
class-map match-any Queue3
  match access-group name QoS_Internet
class-map match-any Queue2
  match access-group name QoS_WEB
class-map match-any Queue4
  match access-group name QoS_Critical
class-map match-all VBQueue4
  match vlan  1-90
  match class-map Queue4
class-map match-all VBQueue1
  match vlan  1-90
  match class-map Queue1
class-map match-all VBQueue3
  match vlan  1-90
  match class-map Queue3
class-map match-all VBQueue2
  match vlan  1-90
match class-map Queue2
!
!
policy-map PB
  class Queue1
   set dscp cs1
  class Queue2
   set dscp cs3
  class Queue3
   set dscp cs5
  class Queue4
   set dscp cs7
policy-map VB
  class VBQueue1
   set dscp cs1
  class VBQueue2
   set dscp cs3
  class VBQueue3
   set dscp cs5
  class VBQueue4
   set dscp cs7
  class class-default
!
!
!
!
!
!
interface FastEthernet0/1
switchport mode access
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/3
switchport mode dynamic desirable
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/4
switchport access vlan 20
switchport mode access
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/5
switchport access vlan 20
switchport mode access
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,20,21,25
switchport mode trunk
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
no cdp enable
service-policy input VB
!
interface FastEthernet0/7
switchport access vlan 20
switchport mode access
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/8
switchport access vlan 21
switchport mode access
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
no cdp enable
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree vlan 21 cost 10
service-policy input VB
!
interface FastEthernet0/9
switchport access vlan 21
switchport mode access
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/10
switchport access vlan 21
switchport mode access
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/11
switchport access vlan 21
switchport mode access
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,27
switchport mode trunk
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/13
switchport mode dynamic desirable
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/14
switchport mode dynamic desirable
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/15
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,22-24,26
switchport mode trunk
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/16
switchport mode dynamic desirable
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/17
switchport mode dynamic desirable
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/18
switchport mode dynamic desirable
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/19
switchport mode dynamic desirable
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/20
switchport mode dynamic desirable
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/21
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,22,28
switchport mode trunk
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/22
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,22-24,26
switchport mode trunk
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/23
switchport mode dynamic desirable
ip arp inspection limit none
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
storm-control broadcast level 10.00 5.00
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input VB
ip dhcp snooping trust
!
interface GigabitEthernet0/1
switchport mode dynamic desirable
!
interface GigabitEthernet0/2
no switchport
ip arp inspection trust
ip address 172.16.3.2 255.255.255.252
speed nonegotiate
wrr-queue bandwidth 50 25 25 1
wrr-queue cos-map 1 0 1 2 4 6
wrr-queue cos-map 2 3
wrr-queue cos-map 3 5
wrr-queue cos-map 4 7
priority-queue out
service-policy input PB
!
interface Vlan1
description default
ip address 172.16.11.254 255.255.252.0
!
interface Vlan2
description Managment
no ip address
!
interface Vlan20
ip address 10.1.0.2 255.255.0.0
ip access-group Kiselevka1 in
ip helper-address 172.16.2.2
!
interface Vlan21
ip address 10.2.0.2 255.255.0.0
ip access-group Kiselevka2 in
ip helper-address 172.16.2.2
!
interface Vlan22
ip address 10.3.1.1 255.255.255.192
!
interface Vlan23
description KiselClients10-5-5
ip address 10.5.5.1 255.255.255.0
ip access-group HomeClients-24 in
ip helper-address 172.16.2.2
!
interface Vlan24
description description KiselClients10-5-6
ip address 10.5.6.1 255.255.255.0
ip access-group HomeClients-24 in
ip helper-address 172.16.2.2
!
interface Vlan25
description BauMarket
ip address 10.3.1.113 255.255.255.252
!
interface Vlan27
ip address 10.5.4.1 255.255.255.0
ip access-group HomeClients-24 in
ip helper-address 172.16.2.2
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
!
ip classless
ip forward-protocol udp bootpc
ip forward-protocol udp bootps
ip route 192.168.254.0 255.255.255.0 172.16.3.1
no ip http server
no ip http secure-server
!
!
ip access-list extended HomeClients-16
permit tcp any host 172.16.2.2 eq www 443
permit udp any host 172.16.2.2 eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
permit icmp any any
deny   ip 10.0.213.0 0.255.0.255 any
permit tcp any host 172.16.2.2 range 10050 10180
permit tcp any host 172.16.2.10 eq 1723
permit gre any host 172.16.2.10
permit tcp any host 172.16.2.2 eq 6667 9997 411 smtp pop3 ftp ftp-data
permit ip any 172.16.5.0 0.0.0.255
permit tcp any any eq 4000
permit tcp any eq 4000 any
permit udp any any eq 4200
permit udp any eq 4200 any
permit udp any host 172.16.2.10 eq ntp
permit tcp any host 10.1.25.32 eq www ftp ftp-data
ip access-list extended HomeClients-24
permit tcp any host 172.16.2.2 eq www 443
permit udp any host 172.16.2.2 eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
permit icmp any any
deny   ip 10.0.0.200 0.255.255.55 any
permit tcp any host 172.16.2.2 range 10050 10180
permit tcp any host 172.16.2.10 eq 1723
permit gre any host 172.16.2.10
permit tcp any host 172.16.2.2 eq 6667 9997 411 smtp pop3 ftp ftp-data
permit ip any 172.16.5.0 0.0.0.255
permit tcp any any eq 4000
permit tcp any eq 4000 any
permit udp any any eq 4200
permit udp any eq 4200 any
permit udp any host 172.16.2.10 eq ntp
permit tcp any host 10.1.25.32 eq www ftp ftp-data
ip access-list extended Kiselevka1
permit ip host 10.1.1.42 any
permit tcp any any established
permit tcp 10.1.0.0 0.0.255.255 host 172.16.2.2 eq www 443
permit udp 10.1.0.0 0.0.255.255 host 172.16.2.2 eq domain
deny   ip 10.0.213.0 0.255.0.255 any
deny   ip 10.1.213.0 0.0.0.255 any log
deny   ip any 10.0.213.0 0.255.0.255
permit tcp any host 172.16.2.2 eq 6697
permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
permit ip 10.1.0.0 0.0.255.255 172.16.5.0 0.0.0.127
permit tcp 10.1.0.0 0.0.255.255 host 172.16.2.10 eq 1723
permit gre 10.1.0.0 0.0.255.255 host 172.16.2.10
permit tcp any any eq 4000
permit tcp any eq 4000 any
permit udp any any eq 4200
permit tcp 10.1.0.0 0.0.255.255 host 172.16.2.2 eq ftp-data ftp
permit tcp 10.1.0.0 0.0.255.255 host 172.16.2.2 range 10050 10180
permit tcp 10.1.0.0 0.0.255.255 host 172.16.2.2 eq 6667 smtp pop3 log-input
permit tcp 10.1.0.0 0.0.255.255 host 172.16.2.3 eq www
permit tcp 10.1.0.0 0.0.255.255 host 172.16.2.2 eq 411
permit udp any any eq bootpc bootps
permit icmp any any
permit tcp host 10.1.8.88 host 172.16.2.1 eq www 443
permit tcp 10.1.0.0 0.0.255.255 host 172.16.2.10 eq 123
permit udp 10.1.0.0 0.0.255.255 host 172.16.2.10 eq ntp
permit tcp host 10.1.8.88 host 172.16.2.1 eq 3306
permit udp any eq 4200 any
permit tcp host 10.1.1.42 host 172.16.2.2 eq 411
permit tcp host 10.1.1.64 host 172.16.2.254 eq 22
permit tcp host 10.1.1.64 host 172.16.2.2 eq 22
permit tcp host 10.1.1.64 host 172.16.2.10 eq 22
permit tcp host 10.1.1.42 host 172.16.2.254 eq 22
permit tcp host 10.1.1.42 host 172.16.2.2 eq 22
permit tcp host 10.1.1.42 host 172.16.2.10 eq 22
permit tcp host 10.1.1.64 host 172.16.2.1 eq www 443
permit tcp host 10.1.1.42 host 172.16.3.2 eq 22
permit tcp host 10.1.1.64 host 172.16.3.2 eq 22
ip access-list extended Kiselevka2
permit tcp 10.2.0.0 0.0.255.255 host 172.16.2.2 eq www 443
permit udp 10.2.0.0 0.0.255.255 host 172.16.2.2 eq domain
deny   ip 10.2.213.0 0.0.0.255 any
permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 10.2.0.0 0.0.255.255 172.16.5.0 0.0.0.127
permit tcp 10.2.0.0 0.0.255.255 host 172.16.2.10 eq 1723
permit gre 10.2.0.0 0.0.255.255 host 172.16.2.10
permit tcp any any eq 4000
permit tcp any eq 4000 any
permit udp any any eq 4200
permit tcp 10.2.0.0 0.0.255.255 host 172.16.2.2 eq ftp-data ftp
permit tcp 10.2.0.0 0.0.255.255 host 172.16.2.2 range 10050 10180
permit tcp 10.2.0.0 0.0.255.255 host 172.16.2.2 eq 6667 smtp pop3
permit tcp 10.2.0.0 0.0.255.255 host 172.16.2.3 eq www
permit udp any any eq bootpc bootps
permit tcp 10.2.0.0 0.0.255.255 host 172.16.2.2 eq 411
permit icmp any any
permit udp 10.2.0.0 0.0.255.255 host 172.16.2.10 eq ntp
ip access-list extended QoS_Critical
permit tcp 172.16.1.0 0.0.0.255 eq 22 telnet www any
permit tcp any eq 22 telnet www 172.16.1.0 0.0.0.255
permit tcp 172.16.2.0 0.0.0.255 eq 22 telnet www any
permit tcp any eq 22 telnet www 172.16.2.0 0.0.0.255
permit udp any any eq bootpc bootps
permit udp any eq bootpc bootps any
ip access-list extended QoS_Internet
permit tcp any host 172.16.2.10 eq 1723
permit tcp host 172.16.2.10 eq 1723 any
permit gre any host 172.16.2.10
permit gre host 172.16.2.10 any
ip access-list extended QoS_Punk
permit tcp any any eq 4000
permit tcp any eq 4000 any
permit udp any any eq 4200
permit tcp any host 172.16.2.2 eq ftp-data ftp
permit tcp any host 172.16.2.2 range 10050 10180
permit udp any eq 4200 any
ip access-list extended QoS_WEB
permit tcp any host 172.16.2.2 eq domain
permit tcp host 172.16.2.2 eq domain any
permit tcp any host 172.16.2.2 eq www 443 6667
permit tcp host 172.16.2.2 eq www 443 6667 any
permit tcp any host 172.16.2.10 eq 123
permit tcp host 172.16.2.10 eq 123 any
permit icmp any any
permit ip 172.16.5.0 0.0.0.255 any
permit ip any 172.16.5.0 0.0.0.255
permit tcp any host 172.16.2.2 eq 411
permit tcp host 172.16.2.2 eq 411 any
!
snmp-server community test RW
snmp-server host 172.16.2.100 test
radius-server source-ports 1645-1646
!
control-plane

!
line con 0
line vty 0 4
password 7
line vty 5 15
password 7
!
ntp clock-period 17180357
ntp server 172.16.2.10
end
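Whether a packet gets through one of the lists above is decided by first-match order with an implicit deny at the end, and by how each wildcard mask expands; both are easy to misread in a long list. The Python script below is an added example, not code from the original post: it parses an excerpt copied from the Kiselevka1 and HomeClients-24 lists above (only the syntax those lists use: host/any/wildcard addresses, eq and range port specs, established, a trailing log keyword) and evaluates constructed sample packets against them, reporting which line matched. The Entry and Packet types, the PORT_NAMES table and the sample packets are the example's own assumptions.

```python
"""Added example: first-match evaluation of Cisco IOS extended named ACL entries."""
import ipaddress
from collections import namedtuple

# Port keywords appearing in the posted ACLs (assumed subset of the IOS name table).
PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67, "smtp": 25,
              "pop3": 110, "ftp": 21, "ftp-data": 20, "ntp": 123, "telnet": 23}

# Excerpt copied from the Kiselevka1 and HomeClients-24 lists in the post above.
SAMPLE_CONFIG = """\
ip access-list extended Kiselevka1
 permit ip host 10.1.1.42 any
 permit tcp any any established
 permit tcp 10.1.0.0 0.0.255.255 host 172.16.2.2 eq www 443
 deny   ip 10.0.213.0 0.255.0.255 any
 deny   ip 10.1.213.0 0.0.0.255 any log
 permit icmp any any
 permit tcp host 10.1.1.64 host 172.16.2.2 eq 22
ip access-list extended HomeClients-24
 permit tcp any host 172.16.2.2 eq www 443
 deny   ip 10.0.0.200 0.255.255.55 any
 permit tcp any host 172.16.2.2 range 10050 10180
"""

# Entry.src/.dst are (address, wildcard) 32-bit ints; an empty port set means any port.
Entry = namedtuple("Entry", "action proto src dst sports dports established")
# Constructed packet: ack=True marks a segment of an already open TCP connection.
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(t, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at t[i]; return ((addr, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _ports(t, i):
    """Parse an optional 'eq p1 p2 ...' or 'range lo hi' at t[i]; return (set, next index)."""
    ports = set()
    if i < len(t) and t[i] == "eq":
        i += 1
        while i < len(t) and (t[i].isdigit() or t[i] in PORT_NAMES):
            ports.add(_port(t[i]))
            i += 1
    elif i < len(t) and t[i] == "range":
        ports.update(range(_port(t[i + 1]), _port(t[i + 2]) + 1))
        i += 3
    return ports, i

def parse_entry(line):
    t = line.split()
    src, i = _addr(t, 2)
    sports, i = _ports(t, i)
    dst, i = _addr(t, i)
    dports, i = _ports(t, i)            # trailing 'log' / 'log-input' are ignored
    return Entry(t[0], t[1], src, dst, sports, dports, "established" in t[i:])

def parse_acls(config_text):
    """Return {acl name: [Entry, ...]} for every 'ip access-list extended' block."""
    acls, current = {}, None
    for raw in config_text.splitlines():
        t = raw.split()
        if t[:3] == ["ip", "access-list", "extended"] and len(t) == 4:
            current = t[3]
            acls[current] = []
        elif current and t and t[0] in ("permit", "deny"):
            acls[current].append(parse_entry(raw))
        else:
            current = None
    return acls

def in_wildcard(addr, spec):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)

def matches(e, p):
    # 'established' entries only match segments with ACK/RST set (modelled as p.ack).
    return ((e.proto == "ip" or e.proto == p.proto)
            and in_wildcard(_ip(p.src), e.src) and in_wildcard(_ip(p.dst), e.dst)
            and (not e.sports or p.sport in e.sports)
            and (not e.dports or p.dport in e.dports)
            and (p.ack or not e.established))

def evaluate(entries, p):
    """First match wins: (action, 1-based line) or ('deny', None) for the implicit deny."""
    for n, e in enumerate(entries, 1):
        if matches(e, p):
            return e.action, n
    return "deny", None

def matching_last_octets(addr, wildcard):
    """Last-octet values a wildcard selects: shows what a non-contiguous mask really covers."""
    spec, prefix = (_ip(addr), _ip(wildcard)), ".".join(addr.split(".")[:3])
    return [v for v in range(256) if in_wildcard(_ip(f"{prefix}.{v}"), spec)]
```

Pasting the full `ip access-list extended` section of the posted config into SAMPLE_CONFIG works the same way. Two things the excerpt alone makes visible: in Kiselevka1 a host in 10.1.213.0/24 still reaches 172.16.2.2 on 80/443 because line 3 permits it before the deny on line 4 is reached, and the wildcard 0.255.255.55 in HomeClients-24 is non-contiguous, so it selects 32 last-octet values (200-207, 216-223, 232-239, 248-255) rather than a single host; both are worth checking against what the list was meant to do. The model ignores log keywords and reduces `established` to the ACK flag, which is enough for reasoning about rule order.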