# Configuring a Cisco router on a stick (802.1q, DHCP, NAT, access lists)
Ionel Mocanu
 


A router on a stick (or one-armed router) is a router that routes traffic in a VLAN environment over a single physical interface, which belongs to two or more VLANs. The link between the router and the switch is an 802.1q trunk.

On the router, IP addresses are configured on the external interface fa0/0 and on the virtual subinterfaces fa1/0.100 and fa1/0.200:

Router(config)#hostname GATEWAY
GATEWAY(config)#interface fa 0/0
GATEWAY(config-if)#ip address 192.168.102.254 255.255.255.252
GATEWAY(config-if)#no shut
GATEWAY(config-if)#exit
GATEWAY(config)#interface fa 1/0
GATEWAY(config-if)#no ip address
GATEWAY(config-if)#exit
GATEWAY(config)#interface fa 1/0.100
GATEWAY(config-subif)#encapsulation dot1q 100
GATEWAY(config-subif)#ip address 172.16.40.25 255.255.255.248
GATEWAY(config-subif)#exit
GATEWAY(config)#interface fa 1/0.200
GATEWAY(config-subif)#encapsulation dot1q 200
GATEWAY(config-subif)#ip address 172.30.4.1 255.255.254.0
GATEWAY(config-subif)#exit
GATEWAY(config)#ip route 0.0.0.0 0.0.0.0 fastEthernet 0/0 192.168.102.253
GATEWAY(config)#ip name-server 8.8.8.8
GATEWAY(config)#^Z
GATEWAY#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.102.26 YES manual up up
FastEthernet1/0 unassigned YES manual up up
FastEthernet1/0.100 172.16.40.25 YES manual up up
FastEthernet1/0.200 172.30.4.1 YES manual up up

On the switch, interface fa0/1 is configured in trunk mode, and interfaces fa0/2 and fa0/3 in access mode for VLANs 100 and 200 respectively.

Switch(config)#hostname SWITCH
SWITCH(config)#vlan 100
SWITCH(config-vlan)#name SERVICII
SWITCH(config-vlan)#exit
SWITCH(config)#vlan 200
SWITCH(config-vlan)#name LAN
SWITCH(config-vlan)#exit
SWITCH(config)#interface fa 0/1
SWITCH(config-if)#switchport mode trunk
SWITCH(config-if)#switchport trunk allowed vlan add 100,200
SWITCH(config-if)#exit
SWITCH(config)#interface fa 0/2
SWITCH(config-if)#switchport mode access
SWITCH(config-if)#switchport access vlan 100
SWITCH(config-if)#exit
SWITCH(config)#interface fa 0/3
SWITCH(config-if)#switchport mode access
SWITCH(config-if)#switchport access vlan 200
SWITCH(config-if)#exit
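
As an added example (not part of the original post), a small Python model of the 802.1Q tagging carried on the trunk between GATEWAY fa1/0 and SWITCH fa0/1: it inserts and decodes the 4-byte tag and then picks the subinterface the way `encapsulation dot1q <vid>` does. The subinterface names come from the router configuration above; the sample frame, the helper names and the "not routed" handling of untagged or unknown VIDs are constructed for the example.

```python
"""Added example (not from the page): build and decode the 802.1Q tag carried on the
GATEWAY fa1/0 <-> SWITCH fa0/1 trunk, then pick the subinterface the way 'encapsulation
dot1q <vid>' does. Subinterface map and the sample frame are constructed here."""
import struct

TPID_8021Q = 0x8100                                   # EtherType announcing a VLAN tag
SUBIF_BY_VID = {100: "fa1/0.100", 200: "fa1/0.200"}   # from the page's router config

def tag_frame(untagged: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) after the destination and source MAC."""
    if not 1 <= vid <= 4094:              # 0 is priority-only, 4095 is reserved
        raise ValueError("VID must be in 1..4094")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]

def parse_frame(frame: bytes):
    """Return (vid, pcp, ethertype, payload); vid is None when there is no tag."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, None, ethertype, frame[14:]
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner_type, frame[18:]

def route_to_subinterface(frame: bytes):
    """Mimic the router: a tagged frame goes to the subinterface with that VID;
    an untagged frame or a VID with no subinterface has nowhere to be routed."""
    vid, _, _, _ = parse_frame(frame)
    return SUBIF_BY_VID.get(vid)          # None -> no matching 'encapsulation dot1q'

# Constructed sample: dst MAC, src MAC, EtherType IPv4, dummy payload.
UNTAGGED = bytes.fromhex("0011223344550a0b0c0d0e0f0800") + b"IP-PAYLOAD"

def demo():
    tagged = tag_frame(UNTAGGED, 200, pcp=5)
    return parse_frame(tagged), route_to_subinterface(tagged), route_to_subinterface(UNTAGGED)
```

Tagging VID 300 parses fine but yields no subinterface, which is exactly why the switch side limits the trunk to `allowed vlan 100,200`.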

A DHCP server for the clients in the LAN VLAN can be configured on the router:

GATEWAY(config)#ip dhcp pool LAN
GATEWAY(dhcp-config)#default-router 172.30.4.1
GATEWAY(dhcp-config)#network 172.30.4.0 /23
GATEWAY(dhcp-config)#lease 0 2 52

So that the stations in both VLANs have Internet access, NAT is configured on the router as follows:

GATEWAY(config)#interface fa 0/0
GATEWAY(config-if)#ip nat outside
GATEWAY(config-if)#exit
GATEWAY(config)#interface fa 1/0.100
GATEWAY(config-subif)#ip nat inside
GATEWAY(config-subif)#exit
GATEWAY(config)#interface fa 1/0.200
GATEWAY(config-subif)#ip nat inside
GATEWAY(config-subif)#exit
GATEWAY(config)#access-list 1 permit 172.16.40.24 0.0.0.7
GATEWAY(config)#access-list 1 permit 172.30.4.0 0.0.1.255
GATEWAY(config)#ip nat inside source list 1 interface fa 0/0 overload

At this point the stations in the two VLANs communicate with each other and have Internet access. If the PCs in VLAN 200 should reach only certain services in VLAN 100, extended access lists are used. Access lists are configured following the rule of the three "per": per interface, per protocol, per direction (in and out). For example, to let the LAN stations reach a web server at 172.16.40.26, an access list is created and applied on interface fa1/0.200 in the inbound direction:

GATEWAY(config)#ip access-list extended 100
GATEWAY(config-ext-nacl)#remark "PERMIT ONLY WWW"
GATEWAY(config-ext-nacl)#permit tcp 172.30.4.0 0.0.1.255 172.16.40.26 0.0.0.0 eq 80
GATEWAY(config-ext-nacl)#deny ip 172.30.4.0 0.0.1.255 172.16.40.24 0.0.0.7
GATEWAY(config-ext-nacl)#permit ip any any
GATEWAY(config-ext-nacl)#exit
GATEWAY(config)#interface fa 1/0.200
GATEWAY(config-subif)#ip access-group 100 in
GATEWAY(config-subif)#exit
GATEWAY(config)#do show access-list
Standard IP access list 1
10 permit 172.16.40.24, wildcard bits 0.0.0.7 (17 matches)
20 permit 172.30.4.0, wildcard bits 0.0.1.255 (49 matches)
Extended IP access list 100
10 permit tcp 172.30.4.0 0.0.1.255 host 172.16.40.26 (8 matches)
20 deny ip 172.30.4.0 0.0.1.255 172.16.40.24 0.0.0.7 (18 matches)
30 permit ip any any (13 matches)

To save the configuration, run:

GATEWAY(config)#do copy run start
Destination filename [startup-config]?
Building configuration...
[OK]

With this access list applied, the stations in VLAN 100 can no longer reach the stations in VLAN 200. Reflexive access lists can be used so that VLAN 200 can still reach the web server, and the web server (172.16.40.26) can ping the stations in VLAN 200:

GATEWAY(config)#ip access-list extended OUT-PING
GATEWAY(config-ext-nacl)#permit tcp 172.16.40.26 0.0.0.0 eq 80 172.30.4.0 0.0.1.255
GATEWAY(config-ext-nacl)#permit icmp 172.16.40.26 0.0.0.0 172.30.4.0 0.0.1.255 reflect PING
GATEWAY(config-ext-nacl)#permit ip any any
GATEWAY(config-ext-nacl)#exit
GATEWAY(config)#ip access-list extended IN-PING
GATEWAY(config-ext-nacl)#permit tcp 172.30.4.0 0.0.1.255 172.16.40.26 0.0.0.0 eq 80
GATEWAY(config-ext-nacl)#evaluate PING
GATEWAY(config-ext-nacl)#deny ip 172.30.4.0 0.0.1.255 172.16.40.26 0.0.0.0
GATEWAY(config-ext-nacl)#permit ip any any
GATEWAY(config-ext-nacl)#exit
GATEWAY(config)#interface fa 1/0.200
GATEWAY(config-subif)#ip access-group OUT-PING out
GATEWAY(config-subif)#ip access-group IN-PING in
GATEWAY(config-subif)#exit
GATEWAY(config)#do show access-list
Standard IP access list 1
10 permit 172.16.40.24, wildcard bits 0.0.0.7 (96 matches)
20 permit 172.30.4.0, wildcard bits 0.0.1.255 (117 matches)
Extended IP access list 100
10 permit tcp 172.30.4.0 0.0.1.255 host 172.16.40.26 eq www (7 matches)
20 deny ip 172.30.4.0 0.0.1.255 172.16.40.24 0.0.0.7 (15 matches)
30 permit ip any any (311 matches)
Extended IP access list IN-PING
10 permit tcp 172.30.4.0 0.0.1.255 host 172.16.40.26 eq www (9 matches)
20 evaluate PING
30 deny ip 172.30.4.0 0.0.1.255 host 172.16.40.26 (30 matches)
40 permit ip any any (556 matches)
Extended IP access list OUT-PING
10 permit tcp host 172.16.40.26 eq www 172.30.4.0 0.0.1.255 (6 matches)
20 permit icmp host 172.16.40.26 172.30.4.0 0.0.1.255 reflect PING (12 matches)
30 permit ip any any (578 matches)
Reflexive IP access list PING
permit icmp host 172.30.4.4 host 172.16.40.26 (23 matches) (time left 109)
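
To make both list behaviours concrete (the extended list 100 applied inbound on fa1/0.200, and the IN-PING/OUT-PING pair), here is an added Python model, not from the post, of how IOS walks an access list: wildcard-bit matching, first match wins, implicit deny, and `reflect`/`evaluate` creating and then consulting the temporary mirrored entry. It loads the page's own entries; the sample host 172.30.4.4 is taken from the show output above, while the source-port `eq 80` in OUT-PING and the entry timeout are not modelled.

```python
"""Added model of IOS extended-ACL evaluation: wildcard masks, first match, reflect/evaluate."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional
ANY = ("0.0.0.0", "255.255.255.255")          # the IOS keyword 'any'
reflexive = {}                                 # name -> temporary mirrored entries (no timeout)

def wildcard_match(addr, base, wildcard):
    """IOS wildcard bits: 1 = don't care, so a 0.0.0.0 wildcard means 'host'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w == 0

@dataclass
class Ace:
    action: str; proto: str                    # "ip" matches every protocol
    src: tuple; dst: tuple                     # (address, wildcard) pairs
    dport: Optional[int] = None                # 'eq <port>' on the destination
    reflect: Optional[str] = None              # reflexive list this entry feeds
    evaluate: Optional[str] = None             # reflexive list consulted here

def matches(ace, proto, src, dst, dport):
    return (ace.proto in ("ip", proto) and wildcard_match(src, *ace.src)
            and wildcard_match(dst, *ace.dst) and ace.dport in (None, dport))

def apply_acl(acl, proto, src, dst, dport=None):
    for ace in acl:                            # first matching entry decides
        if ace.evaluate:                       # 'evaluate': try the temporary entries
            if any(matches(r, proto, src, dst, dport) for r in reflexive.get(ace.evaluate, [])):
                return "permit"
            continue                           # no session state: keep walking the list
        if matches(ace, proto, src, dst, dport):
            if ace.action == "permit" and ace.reflect:   # 'reflect': mirror src/dst
                reflexive.setdefault(ace.reflect, []).append(
                    Ace("permit", proto, (dst, "0.0.0.0"), (src, "0.0.0.0")))
            return ace.action
    return "deny"                              # implicit deny ends every IOS ACL

LAN, SRV, SERVICII = ("172.30.4.0", "0.0.1.255"), ("172.16.40.26", "0.0.0.0"), ("172.16.40.24", "0.0.0.7")
ACL_100 = [Ace("permit", "tcp", LAN, SRV, dport=80), Ace("deny", "ip", LAN, SERVICII),
           Ace("permit", "ip", ANY, ANY)]
OUT_PING = [Ace("permit", "tcp", SRV, LAN),    # the page's 'eq 80' here is a source port, not modelled
            Ace("permit", "icmp", SRV, LAN, reflect="PING"), Ace("permit", "ip", ANY, ANY)]
IN_PING = [Ace("permit", "tcp", LAN, SRV, dport=80), Ace("permit", "ip", ANY, ANY, evaluate="PING"),
           Ace("deny", "ip", LAN, SRV), Ace("permit", "ip", ANY, ANY)]

def demo():
    web = apply_acl(ACL_100, "tcp", "172.30.4.4", "172.16.40.26", 80)   # line 10: permit
    ssh = apply_acl(ACL_100, "tcp", "172.30.4.4", "172.16.40.26", 22)   # line 20: deny
    inet = apply_acl(ACL_100, "tcp", "172.30.4.4", "8.8.8.8", 443)      # line 30: permit
    before = apply_acl(IN_PING, "icmp", "172.30.4.4", "172.16.40.26")   # no state yet: deny
    apply_acl(OUT_PING, "icmp", "172.16.40.26", "172.30.4.4")           # echo request leaves fa1/0.200
    after = apply_acl(IN_PING, "icmp", "172.30.4.4", "172.16.40.26")    # mirrored entry: permit
    return web, ssh, inet, before, after
```

After the outbound echo request, the mirrored entry is `permit icmp host 172.30.4.4 host 172.16.40.26`, the same line `show access-list` prints under "Reflexive IP access list PING".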
